[Tails-support] questions about tails

john smith qweqweqwe314314 at gmail.com
Fri Mar 18 17:40:36 CET 2016


These questions are addressed to the Tails Team. Everyone is welcome to
discuss, but I am particularly interested in the devs' opinions, so if
you are a member of the Tails Team replying to these questions, please
identify yourself as such.

These questions were originally posted in private support lists. First
in tails-support-private at boum.org on 2016-02-24, but no reply of any
kind was given. They were then posted in tails at boum.org on 2016-03-06,
and no reply of any kind was given. Now I am using this public list on
the assumption that my prior attempts simply did not reach any Tails
Team members. Each time I edit the questions for clarity, but they
remain essentially the same.

-------------------------------------------------------------------

Dear Tails team,


I really hope you will take time to think about my questions, since I
cannot be the only one asking them. I am rather convinced that many of
your users are wondering about these things as well. I sincerely hope
that nothing in this email will be perceived as offensive or
disrespectful, and that includes my tone. Whatever comes next, I am
personally grateful to you for your ongoing effort to build an operating
system tailored to provide its users with elevated levels of privacy and
security.

-------------------------------------------------------------------

What do you think are the chances that Tails distributes malware along
with the Linux kernel? Before you answer, please consider the following
points.

The Linux kernel contains megabytes of just the closed-source network card
firmware, which would not need any access to a main CPU in order to be
effective spyware. It also contains many more megabytes of other
firmware, and all of that code is actually capable of gaining access
to the main RAM and the main CPU via the DMA mechanism.
http://www.stewin.org/papers/dimvap15-stewin.pdf

Any closed source firmware distributor can insert spyware and/or
backdoors at any time, virtually without consequences, do you agree? The
examples are many, so let's take one of the most recent ones, involving
Juniper Networks. They basically declared themselves heroes after
removing a backdoor, which they themselves were in the best position to
insert. They faced no repercussions of legal nature.

In general, the "respected" software vendors can't get arrested in this
town. Starting with the SONY rootkit case, and to this day, law
enforcement seems to be just fine with computer crimes of absolutely any
magnitude, as long as they are committed by large corporations, rather
than individual basement-dwellers. Law enforcement is also openly
warm towards the firms which are willing to work with them on making a
panopticon society a reality by depriving all computer users of privacy
and security.

In this legal climate, no "respected" network card manufacturer would
get in trouble if malware was suddenly discovered inside a
reverse-engineered blob, do you agree? Big firms have done so in the
past, every single time. They could get away with any of the following
excuses:

(1) We were compelled by law enforcement
(2) We were cracked by Russian/Jewish/Chinese/Iranian/... criminals
(3) We were sabotaged by an employee we are now unable to id
(4) It's a feature inserted in good faith, never meant to be abused

(The last one is my absolute favorite :)

At any rate, they would just issue a "fixed" blob, just like Juniper.
Scary quotes because there would be no way to see whether a "fixed" blob
contains malware. So here's another sub-question: in this hypothetical
situation, and if the blob was OKayed by the Linux project, would you
then redistribute the "fixed" blob too?

Of course, it is far more likely they'll never have to explain anything,
as long as the malware is well designed.

So once again, the biggest question I have is:

How would you quantify the chances of you currently redistributing
malware, and more specifically spyware along with the Linux kernel?

-------------------------------------------------------------------

Here is a related question. Tails claims:

    "Tails is a live system that aims to preserve your privacy and
    anonymity."

How is this claim compatible with distributing the absolute mystery
code, which runs within users' network cards? To be more specific, what
is the point of supporting network interfaces and other peripherals,
when each one of them offers an unprecedented attack surface, virtually
rendering all of your privacy-related achievements worthless?

-------------------------------------------------------------------

My final barrage of questions concerns your claims about free software.
Your front page claims with really big letters:


    "FREE SOFTWARE: Tails is Free Software."

Your statements on a linked page seem to directly contradict each other:


    "Tails is Free Software released under the GNU/GPL (version 3 or
    above)."

    "However, Tails includes non-free firmware in order to work on as much
    hardware as possible."

What do you mean by "free software"? It cannot possibly be what FSF
calls "free software", or what OSI calls "open source software", since
what you call "firmware" is software in every sense of the word, and you
admit you distribute non-free firmware as a part of Tails.

Are you claiming that firmware is not software, even though it runs on
users' CPU and RAM (albeit auxiliary ones)?

The first one of these statements, "Tails is Free Software...", links to
an FSF page, implying that here you use the term "free software" in the
same sense as they do, and yet FSF does not consider Tails to be free
software, a fact you must be aware of:

[ http://www.gnu.org/distros/common-distros.en.html ]

How would you characterize your statement "Tails is Free Software"? An
honest mistake, a defiant lie, or something else entirely?

