[tor-talk] Qubes? debian? binary? reproducible? (was: EGOTISTICAL something)

carlo von lynX lynX at time.to.get.psyced.org
Sun Dec 7 16:43:26 UTC 2014

On Sun, Dec 07, 2014 at 04:53:20AM -0800, coderman wrote:
> finding backdoors or vulnerabilities a problem for every
> implementation, open source or not.  source based or not. reproducible
> builds or not.

And still it is much harder to sneak something into the official
codebase in plain view of anyone with a healthy pair of eyeballs
than to just put it there in binary form. No proof. No risk.
Guaranteed success. Hacktivists will even advertise it for you!

Please don't insist on comparing climbing a skyscraper to taking the
elevator. It really isn't the same.

> it's hard to not get depressed at the current state of technology and
> software. we must do everything better!

The first step is to maintain rationality over paranoia.
Everything may be broken, but we need to prioritize and put the least
realistic scenarios aside. The attacker always uses the easiest ones.

> >> 1) if built packages can be verified independently. (reproducible builds)
> >> 2) if packages are distributed to users securely. (signatures on pkgs,
> >> etc.)
> >
> > Not really, (2) has to happen in any case - but if you distribute binaries
> > that comply to (1) then you get both advantages.
> "Not really" - do you mean they are not separate? or that everyone
> should do #1 correctly, and get #2 for free?

I wasn't talking of (2) because that is a given which isn't questioned
anywhere. I was only talking of (1). I don't know why you bring (2) into
the discussion as if there was any problem with that. Unless you are
using Microsoft Windows, there is not.

> > So why talk of the harder class of vulnerabilities if we haven't fixed
> > the easier to fix class of vulnerabilities yet? Insecure binaries.
> > I am talking of getting rid of the easier to introduce vulnerabilities.
> this comes up in many circles, "why fix Y when we can't even do X well?"
> as stated again, we should be doing everything better. but if you fix
> the easy vulns, the hard ones all of the sudden become focus.

Legitimately so, still the attacker has a much harder time.
I don't understand why you reject plausible prioritization.
By throwing all problems into one big basket you defocus.

> as an example, it used to be you could ignore active
> monkey-in-the-middle threats in most situations, because they were
> difficult and rare.  with the advent of wireless networks,
> sophisticated tools, and easy access MitM became not-uncommon.

Did I say something so harsh by stating that we should be more
careful with debian and binary distributions in general?

> > Gentoo provides cryptographic hashes for all tars and zips it uses
> > for over ten years now. It's really no black magic.
> i was speaking more to signatures and key distribution that validating
> digests. where did you get the list of hashes? who was it signed by?
> would you know if private keys were stolen and your list was a
> forgery? etc.

Yes, gentoo has been lax on that for many years.
Now it supports gpg-signed portage updates, so that problem is fixed.

Every time a piece of source code dares to contain a backdoor, there would
be a responsible party you can grill. And since gentoo doesn't maintain the
source code itself, a gentoo maintainer would have to hide it in the
additional patch files. Good luck with that! Certainly more difficult
than the challenge a debian package maintainer has: upload binary
executable. Done. Keep backdoor patch hidden in an airgapped truecrypt.

> i like gentoo, yet i see why others have a preference for pre-built as well.

Sure, I can't get it to run anymore. Probably too many USE flags.
It's a shame too few people care for maximizing the security of
their computing stack. We need distributions that compile fully
from source, and we need them to compile reproducibly so that it
is fine to distribute them also in binary form. Debian is working
on it, but we're not there yet. Here in the Tor developer zone
everyone looks at every check-in into the git like a hawk, yet
the large majority of Tor users has a binary coming from somewhere.
It's inconsistent. Like putting a large chain on the front door
while the back door is held by a kitchen cupboard magnet.

> the most usable source based distribution still needs to be built, and
> that is both time consuming and resource intensive, comparatively.

Guix, please lead the way.
Give us a new reproducible distro soon!

> you emerge from a stage1 bootstrap as well, don't you?  per Ken
> Thompson, and "On trusting trust", this rabbit hole goes quite deep.

Let's say you use an offline Linux from 2007 to bootstrap your source
code based OS from scratch. Just because in theory you have to recompile
the compiler with different compilers a certain number of times to be
sure there can't be a backdoor in it, why be so paranoid? Expecting a
system to be able to backdoor the compilation of another system is
overkill compared to the simplicity of just using a system which has
been backdoored for the purposes of being used as is.

I mean, let's stick to reality - the attacker loves simple and easy
straightforward things. They would bribe a debian package maintainer
in half a second; why should they come up with a way to make gcc introduce
backdoors as it compiles somebody else's linux kernel?
That's far too much work!!

So let's please prioritize the threats. Using somebody else's binary
is a threat. Cross-compiling a linux from scratch for yourself is likely
to be safe because the attack vector is just too much effort to prepare.
After all the backdoors we may be having in our binary distributions are
all of the cyber warfare emergency kind. Using them in a bulk surveillance
style would be too visible and we would all know about it.

> > Yes, that's why I question all non-reproducible binary distributions.
> question everything!  (the sources, the default configurations, the
> distribution, ...)
> because, as i like to say in this thread, we need to do everything better.

Which isn't a helpful way to put it.
We got to have priorities.
And we can use our brains to set them.

> P.S. this topic is getting pretty off-topic. perhaps general
> discussion on software insecurity could continue in depth elsewhere if
> you wish.

It is still about Whonix + Qubes OS being a special target for attack
and the question why one would make a TAO effort at such an exotic
platform if it is much cheaper to put backdoors into debian binaries?

Given that Whonix + Qubes OS still use debian binaries, which I am
not sure of. Concerning the anonymization architecture Whonix + Qubes
OS is certainly the most advanced thing I've ever seen.
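
An added example, not code from this thread or from Debian, Gentoo, Guix, Whonix or Qubes: the shell script below simulates the two points argued above. Two "independent builders" run the same toy build; when the build stamps its output with the build path and wall clock the digests differ, and when it takes its timestamp from the SOURCE_DATE_EPOCH convention instead they match, which is what lets a binary be checked against a source build. It then checks a shipped artifact against a published sha256 manifest and catches a copy a mirror has modified. The "source" file, the build functions, the manifest and the tampering mirror are all constructed inside the script; it assumes only a POSIX sh with `sha256sum` (GNU coreutils or BusyBox). As the comment in the script says, a hash list is only as good as the authentication of the list itself; the signature and key-distribution step debated above is not shown.

```shell
#!/bin/sh
# Added example, not from the thread above: a toy "build" run by two
# independent builders to show what reproducibility does and does not
# buy you, plus a hash-manifest check of the kind Gentoo ships.
# Every file here is constructed on the fly; nothing is fetched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed source: the one file the "build" packages into an artifact.
printf 'echo hello from the build\n' > "$WORK/hello.sh"

# Naive build: stamps the artifact with its output path and the wall
# clock, two of the most common causes of non-reproducible output.
build_naive() {
    out=$1
    {
        printf '# built in %s at %s\n' "$out" "$(date +%s)"
        cat "$WORK/hello.sh"
    } > "$out"
}

# Reproducible build: takes its timestamp from SOURCE_DATE_EPOCH (the
# reproducible-builds.org convention) and records no build path.
build_repro() {
    out=$1
    {
        printf '# source date %s\n' "${SOURCE_DATE_EPOCH:-0}"
        cat "$WORK/hello.sh"
    } > "$out"
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

# Run the given builder in two separate directories, as two independent
# parties would; return 0 if the artifacts are bit-for-bit identical.
builds_match() {
    builder=$1
    mkdir -p "$WORK/builder-a" "$WORK/builder-b"
    "$builder" "$WORK/builder-a/pkg"
    "$builder" "$WORK/builder-b/pkg"
    [ "$(digest "$WORK/builder-a/pkg")" = "$(digest "$WORK/builder-b/pkg")" ]
}

# Manifest check: recompute the digests of shipped files and compare with
# the published list. A hash list only helps if the list itself is
# authenticated (e.g. a detached signature on the manifest), which is the
# key-distribution problem raised in the thread and not shown here.
verify_manifest() {
    manifest=$1
    (cd "$(dirname "$manifest")" && sha256sum -c "$(basename "$manifest")" >/dev/null 2>&1)
}

# A distributor publishes one reproducibly built artifact and its manifest.
SOURCE_DATE_EPOCH=1417970606   # constructed fixed timestamp
export SOURCE_DATE_EPOCH
build_repro "$WORK/shipped.pkg"
(cd "$WORK" && sha256sum shipped.pkg > Manifest)

# A mirror serving a modified copy of the artifact with the original manifest.
mkdir "$WORK/mirror"
cp "$WORK/shipped.pkg" "$WORK/Manifest" "$WORK/mirror/"
printf 'echo extra line a tampering mirror added\n' >> "$WORK/mirror/shipped.pkg"

if builds_match build_naive; then echo "naive build: reproducible"; else echo "naive build: differs between builders"; fi
if builds_match build_repro; then echo "repro build: reproducible"; else echo "repro build: differs between builders"; fi
if verify_manifest "$WORK/Manifest"; then echo "distributor copy: manifest OK"; else echo "distributor copy: manifest MISMATCH"; fi
if verify_manifest "$WORK/mirror/Manifest"; then echo "mirror copy: manifest OK"; else echo "mirror copy: manifest MISMATCH"; fi
```

Run it as `sh repro-demo.sh`. The naive builder fails the comparison even though both builders used identical source, which is exactly why a user cannot check an opaque binary against the source today; the SOURCE_DATE_EPOCH builder passes, so a third party rebuilding from source can vouch for the shipped digest.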

