[tor-talk] NSA TAO Exploit of Whonix Qubes - EGOTISTICALSHALLOT - Martin Peck

coderman coderman at gmail.com
Sun Dec 7 11:38:56 UTC 2014

On 12/7/14, carlo von lynX <lynX at time.to.get.psyced.org> wrote:
> ...
> This question may spell a change of topic, but wouldn't
> it make much more sense to introduce backdoors into debian,
> gaining thus access to any derivative distribution?

exploits are developed at all levels of the system. from attacking
applications, to subverting operating system updates and package
management, down to compromising random number generator instructions.

some of these techniques are more complicated than others. some may
involve active triggers vs. always affecting all users. some may
require a window of opportunity, while others can be launched at any
time. and so on...

would compromising Debian upstream be easier?  probably, but it would
also be more visible.

> I know that currently 13600 packages of debian can be built
> reproducibly [1], but does that mean that at least those are
> being distributed with reproducible binaries? I assume not.

this is two concerns:

1) if built packages can be verified independently. (reproducible builds)
2) if packages are distributed to users securely. (signatures on pkgs, etc.)

you need to cover both, of course. but they only address part of the
problem.  a vulnerable application that is reproducibly built, and
properly signed, and verified before installation, is still

> My current state of information is such that any source-code
> based distribution is less likely to be affected by backdoors
> until debian and all derivatives indeed ship reproducible binaries.
> If Whonix can be rebuilt from source, so can Qubes OS?

how do you securely distribute sources to be built?  a source based
distribution has different trade-offs, rather than being immune to

you can of course build any of these from source. (all of them open source).

> Why bother with Whonix or TAILS specifically? Making use of
> backdoors is in any case risky since folks like us may have
> the competence to notice those activities going on... and
> possibly document how they work.

some vulnerabilities are specific to a single build or architecture,
some are specific to configuration, some are specific to opportune
timing or position, and so on.

which route is chosen, backdoor or exploit, varies by situation, and
of course, the visibility of either varies quite a bit too.

> But what do I know. The more I dig into this, the more I gather
> how much I am left in the dark.

if there's one thing we've learned the last few years, it is that all
avenues are pursued. backdoors and exploits both, and at all levels,
from operating system to end user applications.

best regards,
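
Added example, not part of the original message: a sketch of the two separate checks named in the reply (does the delivered package match the signed index, and does it match an independent rebuild), showing that one can pass while the other fails. It assumes the Packages index was already authenticated through the signed Release file; the function names and all sample data are constructed for illustration.

```python
import hashlib

def parse_stanza(text):
    """Parse one deb822 stanza; continuation lines start with whitespace."""
    fields, key = {}, None
    for line in text.strip().splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def buildinfo_hashes(stanza):
    """Map filename -> sha256 from a .buildinfo Checksums-Sha256 field."""
    hashes = {}
    for row in stanza.get("Checksums-Sha256", "").splitlines():
        parts = row.split()
        if len(parts) == 3:  # "<sha256> <size> <filename>"
            hashes[parts[2]] = parts[0]
    return hashes

def check_package(deb_bytes, index_text, rebuild_text):
    """Return (matches_signed_index, matches_independent_rebuild)."""
    digest = hashlib.sha256(deb_bytes).hexdigest()
    index = parse_stanza(index_text)
    name = index["Filename"].rsplit("/", 1)[-1]
    rebuilt = buildinfo_hashes(parse_stanza(rebuild_text))
    return digest == index.get("SHA256"), digest == rebuilt.get(name)

# Constructed sample data: stand-ins for real .deb contents.
SHIPPED = b"constructed .deb as served by the mirror"
REBUILT = b"constructed .deb from an independent rebuild"
INDEX = f"""Package: hello
Version: 1.0-1
Filename: pool/main/h/hello/hello_1.0-1_amd64.deb
SHA256: {hashlib.sha256(SHIPPED).hexdigest()}
"""

def buildinfo(deb):
    """Constructed .buildinfo stanza as a rebuilder would publish for `deb`."""
    return f"""Format: 1.0
Source: hello
Checksums-Sha256:
 {hashlib.sha256(deb).hexdigest()} {len(deb)} hello_1.0-1_amd64.deb
"""

if __name__ == "__main__":
    print("signed + reproduced:", check_package(SHIPPED, INDEX, buildinfo(SHIPPED)))
    print("signed, not reproduced:", check_package(SHIPPED, INDEX, buildinfo(REBUILT)))
    print("altered after signing:", check_package(REBUILT, INDEX, buildinfo(REBUILT)))
```

Neither result says anything about whether the packaged code itself is vulnerable.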
