Delivery-Date: Sun, 07 Dec 2014 06:00:18 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD,URIBL_BLOCKED autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id D6D1F1E0349;
	Sun,  7 Dec 2014 06:00:16 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 943F9319CA;
	Sun,  7 Dec 2014 11:00:09 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id E7AE1319C5
 for <tor-talk@lists.torproject.org>; Sun,  7 Dec 2014 11:00:05 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id FmrmVvP_3O6y for <tor-talk@lists.torproject.org>;
 Sun,  7 Dec 2014 11:00:05 +0000 (UTC)
Received: from lo.psyced.org (lost.in.psyced.org [188.40.42.221])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "lo.tobij.de", Issuer "lo.tobij.de" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 8ECD5319B9
 for <tor-talk@lists.torproject.org>; Sun,  7 Dec 2014 11:00:05 +0000 (UTC)
X-Greylist: delayed 562 seconds by postgrey-1.34 at eugeni;
 Sun, 07 Dec 2014 11:00:05 UTC
Received: from lo.psyced.org (localhost [127.0.0.1])
 by lo.psyced.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id sB7AoeDo028845
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
 for <tor-talk@lists.torproject.org>; Sun, 7 Dec 2014 11:50:41 +0100
Received: (from lynx@localhost)
 by lo.psyced.org (8.14.3/8.14.3/Submit) id sB7Aoeoq028844
 for tor-talk@lists.torproject.org; Sun, 7 Dec 2014 11:50:40 +0100
Date: Sun, 7 Dec 2014 11:50:40 +0100
From: carlo von lynX <lynX@time.to.get.psyced.org>
To: tor-talk@lists.torproject.org
Message-ID: <20141207105039.GA28271@lo.psyced.org>
References: <20141207023823.15123l26w3vbay2o@www.vfemail.net>
 <CAJVRA1RaBkxNGLmTSSDOLSNijeTYX0EohOOeCw+LLMfeDJJ-kg@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAJVRA1RaBkxNGLmTSSDOLSNijeTYX0EohOOeCw+LLMfeDJJ-kg@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [tor-talk] NSA TAO Exploit of Whonix Qubes - EGOTISTICALSHALLOT
 - Martin Peck
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On Sun, Dec 07, 2014 at 02:27:44AM -0800, coderman wrote:
> Whonix on Qubes OS represents defense in depth unlike any other
> system. as such, it is a likely target, like Tails and the Tor Browser
> before it.

This question may spell a change of topic, but wouldn't
it make much more sense to introduce backdoors into debian,
gaining thus access to any derivate distribution?

I know that currently 13600 packages of debian can be built
reproducible [1], but does that mean that at least those are
being distributed with reproducible binaries? I assume not.

My current state of information is such that any source-code
based distribution is less likely to be affected by backdoors
until debian and all derivates indeed ship reproducible binaries.
If Whonix can be rebuilt from source, so can Qubes OS?

Why bother with Whonix or TAILS specifically? Making use of
backdoors is in any case risky since folks like us may have
the competence to notice those activities going on... and
possibly document how they work.

But what do I know. The more I dig into this, the more I gather
how much I am left in the dark.


[1] https://jenkins.debian.net/userContent/reproducible.html


-- 
	    http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

