Christopher Clements:
> Is there really any way to be 100% sure that a project and/or team
> member is not compromised?

No. This is why 3rd party audits of the source code are important. If the source code is not fully available to everyone, then it cannot be fully audited. Tails has non-free software in it, making it impossible to audit the whole thing. I don't believe that Tails has been compromised, but sunshine is the best disinfectant. This is why Heads is exciting. From what I understand, it will have a smaller codebase (since systemd will not be included) and it will publish its entire source code to everyone. Obviously, not everyone will be able to take that source code and audit it, since that is a specialized skill, but this does give users the ability (currently in theory, but hopefully in practice in the future) to pool their money to pay for regular complete 3rd party audits that publish their complete report. If the source code can get a clean bill of health on a regular basis, then people can compile it themselves with confidence. In the future, as with most software, the hope would be that the OS can also provide compiled binary versions with reproducible builds, so that multiple organizations can verify the integrity of the binaries that are published. In practice, this doesn't always happen in free software projects. Nonetheless, this is the path that a project can take to ensure that a piece of software has not been compromised by one or two developers that have been blackmailed or whatever else.

> Also, (no disrespect meant, just an innocent question),
> who are these types of distributions meant for, apart from
> the paranoid, whistleblowers, drug lords, and high-profile criminals?
> (Please don't think I'm lumping them all together.)

This is a common question. The answer is, and I don't mean this in a mean way, you've been brainwashed by propaganda.

https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse

Don't worry, it happens to the best of us. Please understand though, this is a logical fallacy.

https://en.wikipedia.org/wiki/Think_of_the_children

While it will take a while to deprogram yourself, I suggest that you start by watching the Tor video, which is the 5th video on this page: http://motionensemble.de/ It has a big Tor logo on the default screenshot. Also, watch Citizenfour and read up on the Snowden revelations.

> I honestly can't think of any legitimate, ethically sound use of "extreme
> privacy" software apart from whistleblowing and sticking it to extremely
> aggressive advertisers like AT&T's clients.

Tor is not "extreme privacy". It is just regular privacy. If you don't agree, please tell me how you define "regular privacy". Privacy is a human right, explicitly defined in the UN Declaration of Human Rights:

"Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

But let me, for argument's sake, say that you are correct for a second. If Tor is "extreme privacy" and it is only good for whistleblowers and sticking it to "little brother", wouldn't it make it easier to catch these whistleblowers if they were the only ones using the network? It is difficult to use Tor without your service provider knowing that you use it. If they were the only ones that use it, then they would be easily targeted. If plain ol' folks use Tor regularly, they can provide cover for those who use it in desperate situations.

> As a curious "I have nothing to hide" type of guy, I'm wondering if
> there are any other legitimate reasons to use this stuff, or is it
> logical for "Big Brother" to simply add everyone who downloads Tor to
> a watchlist? (That would include me, I guess, since I've used Kali
> linux, which comes with Tor IIRC.)

Privacy is the ability to choose what you reveal to the world. While you may not have anything to hide, you have the human right to decide what you reveal about yourself to the world. Big Brother and Little Brother are working together to create dossiers on everyone on the planet. This isn't paranoia. This has been well reported and only refuted by those who haven't been paying attention to the news. Here's a TLDR version:

https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29

This is only one program of a shockingly large number of programs that utilize centralized technology to map out people's entire lives and social networks. To say that you don't understand why someone would take moderate steps, by using a slightly more difficult to use operating system for example, to balance the overwhelming amount of illegal warrantless surveillance by nation states and megacorps is naive.

> Once again, these are just questions. I am not saying I'm against
> "extreme privacy" stuff, I'm just curious; please don't fire me out of a
> cannon into the sun or something. (I'm a filesystems guy, not a
> communications guy.)

I want to emphasize that I'm not trying to be mean by what I've said above, even if it seems as though I was. I appreciate that you are asking questions. You seem to legitimately be searching for the truth. The argument you are making, on my end, sounds about the same as arguing that using envelopes should be banned and that no mail should be delivered that doesn't have a 100% verified address of the sender. Also, courier services that don't check the passport of every package sender and receiver and pass the logs to the government should be banned. IP addresses are the passports or 100% verified address, in this analogy, that identify everything sent and received. Tor is a bike courier sending digital packages. Encryption is an envelope. Do you use envelopes? If so, what do you have to hide? The answer is probably nothing, but you are choosing what you want to reveal to the world.

The internet has turned into a very dangerous place. Malicious actors (thieves, ex-husbands, nation states, megacorps, your ISP) are trying to get your information and use it against you. Using Tor via a secure operating system, like Heads hopes to become, is a very moderate response when one realizes how vulnerable the average internet user is. This is metanoia, not paranoia.

Peace & Blessings,
Kurtis

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
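Added example, not from the thread or from the Heads or Tails projects: a small Python check of the "multiple organizations verify the published binaries" step that the reply above describes for reproducible builds. The build functions, the source snapshot and the rebuilder names (org-a, org-b, org-c) are constructed stand-ins; the verdict logic requires a quorum of independent rebuilds whose hash matches the published binary.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for a deterministic build step: same source, same bytes.
def reproducible_build(source: bytes) -> bytes:
    return b"CONSTRUCTED-IMAGE\n" + source

# Constructed stand-in for a build that leaks the build host into the output,
# the classic reason two honest rebuilders disagree without any tampering.
def nondeterministic_build(source: bytes, host: str) -> bytes:
    return reproducible_build(source) + b"\nbuilt-on: " + host.encode()

def verify_release(published: bytes, attestations: dict, quorum: int) -> tuple:
    """attestations maps rebuilder name -> sha256 hex of its own rebuild.
    Returns (verdict, published_hash, agreeing, disagreeing)."""
    published_hash = sha256_hex(published)
    agreeing = sorted(b for b, h in attestations.items() if h == published_hash)
    disagreeing = sorted(b for b, h in attestations.items() if h != published_hash)
    if len(agreeing) >= quorum:
        verdict = "reproducible"   # enough independent rebuilds match
    elif agreeing:
        verdict = "partial"        # some match, but below the required quorum
    else:
        verdict = "unverified"     # nobody reproduced the published bytes
    return verdict, published_hash, agreeing, disagreeing

SOURCE = b"int main(void) { return 0; }\n"   # constructed source snapshot

def demo_honest() -> tuple:
    """Publisher ships what the source builds; org-c differs only by hostname."""
    published = reproducible_build(SOURCE)
    attestations = {
        "org-a": sha256_hex(reproducible_build(SOURCE)),
        "org-b": sha256_hex(reproducible_build(SOURCE)),
        "org-c": sha256_hex(nondeterministic_build(SOURCE, "ci-host-c")),
    }
    return verify_release(published, attestations, quorum=2)

def demo_tampered() -> tuple:
    """Published bytes differ from what the source produces, so no honest
    rebuilder matches and the release stays unverified."""
    published = reproducible_build(SOURCE) + b"\nextra bytes not in source\n"
    attestations = {b: sha256_hex(reproducible_build(SOURCE))
                    for b in ("org-a", "org-b", "org-c")}
    return verify_release(published, attestations, quorum=2)
```

A real deployment would read the attestation hashes from signed statements published by each rebuilder rather than computing them in-process as this demo does.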