subject:"How secure is an installation with with no non\-free packages\?"

Jose Luis Rivas:
> On 09/12/2013 08:32 PM, adrelanos wrote:
>> So we have the (intel/amd)-microcode and the firmware-linux-nonfree
>> package which should be installed to improve security? Are there any
>> other packages of this type?
>
> Who said they improve security?

Quote:
Jonathan Perry-Houts
(This thread.)

> so yes, installing the
firmware-linux-nonfree package is probably wise.

And no one challenged this statement. Possibly I misunderstood him, but
since this thread is a question with security context on the security
mailing list I came to that conclusion.

AND

Quote:
ANNOUNCEMENT: Intel processor microcode security update
(On this list, few days ago.)

> 1. It fixes a critical erratum, classified by Intel as a security issue,
> that affects any server running 32-bit VMs in PAE mode.
>
> Erratum AAK167/BT248: "If a logical processor has EPT (Extended Page
> Tables) enabled, is using 32-bit PAE paging, and accesses the
> virtual-APIC page then a complex sequence of internal processor
> micro-architectural events may cause an incorrect address
translation or
> machine check on either logical processor.  This erratum may result in
> unexpected faults, an uncorrectable TLB error logged in
> IA32_MCI_STATUS.MCACOD bits [15:0], a guest or hypervisor crash, or
> other unpredictable system behavior"

Sounds like this could be potentially used as remote exploit, Intel
doesn't really know itself or doesn't want to say.

> We don't know what they are. And I doubt
> they will patch a backdoor at this moment,

[Not sure we use the terms in the same way. When I refer to
vulnerability, I mean a mistake which can lead to unauthorized code
execution. When I refer to a backdoor, I refer to something which has
been deliberately planted to get unauthorized access. Of course, a
backdoor could be implemented by looking like a mistake (vulnerability).
- Therefore I think patching a backdoor is less likely than patching a
vulnerability - because the backdoor should stay?]

I meant, patching a vulnerability. [speculation]But well, maybe someone
has put a backdoor in before, and now they've spotted it and patched it
or have to patch it because they suspect someone has found it or will
find it soon.[/speculation]

> specially when you don't know
> what the hell they have in your hardware.

> So my guess is that it's more
> likely their microcode is inserting a backdoor instead of patching it.

Maybe. Although, I'd speculate, that this is unlikely. What about the
likelihood, that it came with a backdoor in the first place?

Or maybe they backdoor could not be exploited in all cases and now they
are improving it? =)

>>
>> What would you do if there was an exploit in the wild, which uses an
>> vulnerability in (intel/amd)? Let's say any website could prepare some
>> html code which would trigger a remote code execution. One that can only
>> be fixed by having the (intel/amd)-microcode package installed.
>
> I doubt there's HTML code with the ability to trigger remote code
> execution. More likely some JavaScript which is still hard at CPU level
> or an iframe downloading things. This will depend on vulnerability from
> all levels to go into the CPU, which is a hard combination to get in the
> open-source world. But let's say it's available an exploit like that: we
> are an universal operating system because we do not only support
> x86/x86_64. My suggestion would be: change your arch.
>
> I already own several ARM-machines, I suggest you buy something like
> this just in case.

Interesting.

>>
>> Is this a possible scenario?
>
> Everything is possible.
>>
>> What would you (Debian) do in this case?
>
> I don't know. We are a community, and I'm not a spokeperson for Debian
> although I'm a Debian Developer. I can't answer this.

You stated your opinion, all I was asking for. I know, I shouldn't
expect a community consensus from such a theoretical question. Was just
was interested in some individual opinions.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/523283e2.6040...@riseup.net

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Pedro Worcel

> Who said they improve security? We don't know what they are. And I doubt
> they will patch a backdoor at this moment, specially when you don't know
> what the hell they have in your hardware. So my guess is that it's more
> likely their microcode is inserting a backdoor instead of patching it

Are there some sort of release notes for these patches?

2013/9/13 Jordon Bedwell 

> On Thu, Sep 12, 2013 at 9:03 PM, adrelanos  wrote:
> > Microcode. (I guess if the vulnerability can not be fixed with some kind
> > of firmware upgrade and is used in the wild, that would be a reason to
> > get it replaced for free or being required to buy a new one.)
>
> I'm not a lawyer but even I know a vendor like Intel or AMD cannot
> "require" you to buy a new processor as long as it's under warranty,
> and security/performance issues do count as a warranty issue... they
> do microcode updates now to avoid having to recall because of that
> type of situation not to mention the numerous other benefits such as
> fast shipping and other stuff.
>
>
> --
> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> http://lists.debian.org/cam5xqnzeqg4-8qcyxrybwjanqrumpevsxtlges3mrhxjwt5...@mail.gmail.com
>
>


-- 
GPG: http://is.gd/droope

Re: How secure is an installation with with no non-free packages?

On Thu, Sep 12, 2013 at 9:29 PM, Pedro Worcel  wrote:
>> Who said they improve security? We don't know what they are. And I doubt
>> they will patch a backdoor at this moment, specially when you don't know
>> what the hell they have in your hardware. So my guess is that it's more
>> likely their microcode is inserting a backdoor instead of patching it
>
> Are there some sort of release notes for these patches?

Not really, with Intel life is pretty vague and closed off, unless
they're busy doing propaganda:
https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=23166&keyword=%22microcode%22&lang=eng
that's about what you get...


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/cam5xqnwc2b6iooqlnpsws4dpufsycoga3kruzcooslpsg0r...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

On Thu, Sep 12, 2013 at 9:03 PM, adrelanos  wrote:
> Microcode. (I guess if the vulnerability can not be fixed with some kind
> of firmware upgrade and is used in the wild, that would be a reason to
> get it replaced for free or being required to buy a new one.)

I'm not a lawyer but even I know a vendor like Intel or AMD cannot
"require" you to buy a new processor as long as it's under warranty,
and security/performance issues do count as a warranty issue... they
do microcode updates now to avoid having to recall because of that
type of situation not to mention the numerous other benefits such as
fast shipping and other stuff.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/cam5xqnzeqg4-8qcyxrybwjanqrumpevsxtlges3mrhxjwt5...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jose Luis Rivas

On 09/12/2013 08:32 PM, adrelanos wrote:
> So we have the (intel/amd)-microcode and the firmware-linux-nonfree
> package which should be installed to improve security? Are there any
> other packages of this type?

Who said they improve security? We don't know what they are. And I doubt
they will patch a backdoor at this moment, specially when you don't know
what the hell they have in your hardware. So my guess is that it's more
likely their microcode is inserting a backdoor instead of patching it.

> 
> What would you do if there was an exploit in the wild, which uses an
> vulnerability in (intel/amd)? Let's say any website could prepare some
> html code which would trigger a remote code execution. One that can only
> be fixed by having the (intel/amd)-microcode package installed.

I doubt there's HTML code with the ability to trigger remote code
execution. More likely some JavaScript which is still hard at CPU level
or an iframe downloading things. This will depend on vulnerability from
all levels to go into the CPU, which is a hard combination to get in the
open-source world. But let's say it's available an exploit like that: we
are an universal operating system because we do not only support
x86/x86_64. My suggestion would be: change your arch.

I already own several ARM-machines, I suggest you buy something like
this just in case.
> 
> Is this a possible scenario?

Everything is possible.
> 
> What would you (Debian) do in this case?

I don't know. We are a community, and I'm not a spokeperson for Debian
although I'm a Debian Developer. I can't answer this.

-- 
The Debian Project - http://debian.org/
Jose Luis Rivas - http://joseluisrivas.net/#ghostbar

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/523273f1.8070...@debian.org

Re: How secure is an installation with with no non-free packages?

Joel Rees:
> I am not Debian, but I am in rant-mode on this subject today, so bear with me 
> --
> 
> On Fri, Sep 13, 2013 at 10:02 AM, adrelanos  wrote:
>> Jose Luis Rivas:
>>> So no, there's no other contrib/non-free packages there.
>>
>> I didn't want to imply, that there are preinstalled.
>>
>>> The reason why you can't install Debian directly from a WiFi with some
>>> manufacturers is precisely that we do not ship non-free nor contrib
>>> software by default in our Debian installation different to what does
>>> other distributions like Ubuntu (no offense meant).
>>
>> And this is fine and I don't want to go into that political vs
>> convenience discussion either.
> 
> You can't avoid it now. (Thanks to NSA and Intel deciding to boogie
> together. Let the children boogie.)
> 
>> So we have the (intel/amd)-microcode and the firmware-linux-nonfree
>> package which should be installed to improve security? Are there any
>> other packages of this type?
> 
> We'd like to say they are unique.
> 
> They are unique in that they are the CPU, but any binary blob required
> by the hardware you are using is going to have the same set of
> problems, and most of them, even when we move the drivers out of the
> kernel, are going to have the capability of subverting the whole box.
> 
> We'd like to say that it's all Intel's fault for pushing the market so
> far so fast, but we can only say they have been a major contributor to
> the problem. (We have, also, each one of us.)
> 
>> What would you do if there was an exploit in the wild, which uses an
>> vulnerability in (intel/amd)?
> 
> Do you mean, in the cpu itself, or in the microcode?

Microcode. (I guess if the vulnerability can not be fixed with some kind
of firmware upgrade and is used in the wild, that would be a reason to
get it replaced for free or being required to buy a new one.)

>> Let's say any website could prepare some
>> html code which would trigger a remote code execution.
> 
> Ergo, on vulnerable CPU/microcode combinations.
> 
>> One that can only
>> be fixed by having the (intel/amd)-microcode package installed.
> 
> So you're thinking the CPU, but which level of microcode?

No idea.

>> Is this a possible scenario?
> 
> Of course. Especially now that the "bad guys" have tools that allow
> them to build targeted tools fairly easily.
> 
>> What would you (Debian) do in this case?
> 
> Do you mean,

I don't try to mean anything in this thread. :) Just asking questions.

> would Debian fold up and go away if the only way to
> provide a secure OS were to be to include certain non-free packages by
> default?

And no, I think discontinuing Debian for such reasons is extremely
unlikely and many actions seem to be much more likely - I may not be
able to guess what you are going to do, hence I am asking.

> They already do (as Jose Luis Riva indicated). It just requires a
> certain amount of action on your part so that they can limit the
> amount of non-free stuff you have to load.

> At the very least, AMD machines do not need Intel microcode, and
> vice-versa.

Yes, that is very nice.

> That's why it's important to have more than one major CPU
> vendor,

Sure, I am not against having 10 or more per country either. I believe
monopolies are almost always bad.

> even if Intel's bragging that they have beaten everyone else
> on all technical fronts had any merits whatsoever. (It doesn't. They
> haven't even come close. Their current excesses are catching up to
> them now.)
> 
>> (I am not suggesting anything here, I am just interested in those
>> questions.)

> And I suppose I am not contributing anything meaningful to the
> conversation.

Happy to read your thoughts.

> Sorry, but this is a pet peeve of mine.

Understandably. It's a terrible pity. None of that is the fault of
Debian, you're doing fine providing a Free operating system and I am not
asking you to fix the rest of the world as well. Good to be aware of it,
however.

> We can't afford
> the results when microprocessors become this complex, and one of the
> reasons I hate Intel is that they have pushed the complexity so hard
> to maintain their "market advantage", and it just makes a mess of the
> industry.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52327254.7030...@riseup.net

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Joel Rees

On Fri, Sep 13, 2013 at 10:11 AM, adrelanos wrote:
> [...]
> Yes, the more I dig into one topic, the open questions remain and them
> stronger the conclusion "we're totally screwed" becomes.

We've always been screwed. I'd say, ever since the 6809 faded away,
but what I'd mean is ever since we moved from 8-bit to 32-bit systems.
But, no, the problem is not the increased complexity, it's pushing the
industry into a range of complexity where we have no tools to deal
with the complexity.

Don't let it turn you paranoid or cynical, just learn what you can,
deal with it as you can, and keep doing what you can.

And don't hope there is a magic bullet.

With Intel, it's like our star pitcher has been caught trying to throw
the game.

I could use a war metaphor instead, but the point is not to give up.
It's to adjust our ideas about whom we can trust and start adjusting
our behavior accordingly.

And build tools to help us contain the damage. I'm not sure what we
can do concerning the microcode. The tools we need will require going
against Intel's shrink-wrap agreements, but I think we can claim
unconscionable clauses and such. Probing the microcode and breaking
the key for the update mechanism are high-priority. It's a Pandora's
box, but the NSA has forced our hand.

If the ARM consortium won't help us out here, by avoiding the stupid
excesses Intel has gone to, we'll eventually have to develop several
industrially viable fully open/libre/free CPU cores. (Several, for
specialized target applications, and so that we can avoid the
monoculture issues.)

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
http://lists.debian.org/CAAr43iMaZQ639ftb0cPmTd3Rv11Vd2-G=F4uu+POqFT6O=i...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

Okay, thank you for your reply! Convinces me.

Joel Rees:
> I assume you have read his essay on
> trusting trust?

Yes, but I am not claiming, that I fully understand it.

> 

Not perceived as rant at all.

>> Are there other contrib and/or non-free packages, similar to the
>> microcode package, which make the system vulnerable, if not installed?
> 
> Depends on what you're using the system for.

I was just asking generally and I think we have already identified three
packages of that type.

> Wish I could say more, but we are really just barely beginning to
scratch the surface of building a stable computer technology.

Yes, the more I dig into one topic, the open questions remain and them
stronger the conclusion "we're totally screwed" becomes.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52326643.3000...@riseup.net

Re: How secure is an installation with with no non-free packages?

Jose Luis Rivas:
> So no, there's no other contrib/non-free packages there.

I didn't want to imply, that there are preinstalled.

> The reason why you can't install Debian directly from a WiFi with some
> manufacturers is precisely that we do not ship non-free nor contrib
> software by default in our Debian installation different to what does
> other distributions like Ubuntu (no offense meant).

And this is fine and I don't want to go into that political vs
convenience discussion either.

So we have the (intel/amd)-microcode and the firmware-linux-nonfree
package which should be installed to improve security? Are there any
other packages of this type?

What would you do if there was an exploit in the wild, which uses an
vulnerability in (intel/amd)? Let's say any website could prepare some
html code which would trigger a remote code execution. One that can only
be fixed by having the (intel/amd)-microcode package installed.

Is this a possible scenario?

What would you (Debian) do in this case?

(I am not suggesting anything here, I am just interested in those
questions.)


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52326419.2070...@riseup.net

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Joel Rees

I am not Debian, but I am in rant-mode on this subject today, so bear with me --

On Fri, Sep 13, 2013 at 10:02 AM, adrelanos  wrote:
> Jose Luis Rivas:
>> So no, there's no other contrib/non-free packages there.
>
> I didn't want to imply, that there are preinstalled.
>
>> The reason why you can't install Debian directly from a WiFi with some
>> manufacturers is precisely that we do not ship non-free nor contrib
>> software by default in our Debian installation different to what does
>> other distributions like Ubuntu (no offense meant).
>
> And this is fine and I don't want to go into that political vs
> convenience discussion either.

You can't avoid it now. (Thanks to NSA and Intel deciding to boogie
together. Let the children boogie.)

> So we have the (intel/amd)-microcode and the firmware-linux-nonfree
> package which should be installed to improve security? Are there any
> other packages of this type?

We'd like to say they are unique.

They are unique in that they are the CPU, but any binary blob required
by the hardware you are using is going to have the same set of
problems, and most of them, even when we move the drivers out of the
kernel, are going to have the capability of subverting the whole box.

We'd like to say that it's all Intel's fault for pushing the market so
far so fast, but we can only say they have been a major contributor to
the problem. (We have, also, each one of us.)

> What would you do if there was an exploit in the wild, which uses an
> vulnerability in (intel/amd)?

Do you mean, in the cpu itself, or in the microcode?

> Let's say any website could prepare some
> html code which would trigger a remote code execution.

Ergo, on vulnerable CPU/microcode combinations.

> One that can only
> be fixed by having the (intel/amd)-microcode package installed.

So you're thinking the CPU, but which level of microcode?

> Is this a possible scenario?

Of course. Especially now that the "bad guys" have tools that allow
them to build targeted tools fairly easily.

> What would you (Debian) do in this case?

Do you mean, would Debian fold up and go away if the only way to
provide a secure OS were to be to include certain non-free packages by
default?

They already do (as Jose Luis Riva indicated). It just requires a
certain amount of action on your part so that they can limit the
amount of non-free stuff you have to load.

At the very least, AMD machines do not need Intel microcode, and
vice-versa. That's why it's important to have more than one major CPU
vendor, even if Intel's bragging that they have beaten everyone else
on all technical fronts had any merits whatsoever. (It doesn't. They
haven't even come close. Their current excesses are catching up to
them now.)

> (I am not suggesting anything here, I am just interested in those
> questions.)

And I suppose I am not contributing anything meaningful to the
conversation. Sorry, but this is a pet peeve of mine. We can't afford
the results when microprocessors become this complex, and one of the
reasons I hate Intel is that they have pushed the complexity so hard
to maintain their "market advantage", and it just makes a mess of the
industry.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iMfQByPp=+O+2B0Y1JLA7Ynwu7EkvcxLygPud_3FP=c...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Joel Rees

On Fri, Sep 13, 2013 at 8:42 AM, adrelanos  wrote:
> adrelanos:
>> How secure is a Debian installation packages installed only from main,
>> none from contrib or non-free?
>>
>> It will lack for example the firmware-linux-nonfree package and the
>> intel-microcode / amd-microcode package. At least the microcode one is
>> security relevant? Are there any other packages which might be important
>> to have installed for security reasons?
>>
>> I mean, how secure is it in comparison with those packages installed vs
>> not having them installed?
>>
>>
>
> I apologize, I didn't want to start a discussion of Open Source vs
> closed source. (Feel free to have it, I am delighted to read your
> thoughts on it, but I'd be also happy about an answer to the question I
> meant to ask but failed to properly state.) Sorry for not asking clear
> in the first place.
>
> To rephrase my original question:
>
> How vulnerable is Debian installation without intel-microcode /
> amd-microcode package?

No one knows.

We can only guess. Our guess includes an assumption that Intel or AMD
would or would not deliberately sabotage their products at the
instigation of an organization like the Chinese/Taiwanese government
or the NSA or some similar equivalent or not-so-equivalent secret
organization.

Ken Thompson gave us the archetype response on this question when he
described a way to grandfather a backdoor password into (the libraries
used by) a C compiler such that it would not show in the source but
would be present in the object. I assume you have read his essay on
trusting trust?

(1) All we can say for sure is that anything that is open is
inherently more open than anything that is closed.

(2) Anything we didn't build ourselves may be deliberately sabotaged.

(3) Anything we do build ourselves will have accidental gaping holes.

(4) When we work with friends, we can do more than when we work alone.

None of that tells us how bad Intel and AMD are screwing up, and which
directions they are running with the ball in the hardware camp. They
are primarily concerned with features that sell or otherwise obviously
make them money. Until sometime in the future (closer now than a year
ago), security does not sell, does not obviously make them money.

That's the short-sightedness of capital based economy when
interest-holders are not well-versed in the technological details of a
company's products or of the impact that product has in the market and
where it gets used. I hate to bring up the G-word again, but we humans
work beyond the edge of our abilities, we end up depending on someone
being more than human. And we refuse to accept the limitations of
working within our abilities, just like we refuse to believe we are as
limited as we are. Fortunately, G?? (or the universe) seems to have
given us room to make mistakes in this way, up to a point. Our next
big mistake is to hope that the natural consequences (or punishments
of G??) will never catch up to us.

> Are there other contrib and/or non-free packages, similar to the
> microcode package, which make the system vulnerable, if not installed?

Depends on what you're using the system for.

Wish I could say more, but we are really just barely beginning to
scratch the surface of building a stable computer technology. And the
big boys are all about intellectual property right now, and as long as
they are playing those games, we aren't going to get any further on
what you need to be able to answer that question, essentially a
database of function vs. package vs. target use, and the interplay
thereof.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iN-ieCCU0jQvW6Hi9qcKTbKTBnn7=shtvx89vfxseq...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jose Luis Rivas

On 09/12/2013 07:12 PM, adrelanos wrote:
> To rephrase my original question:
> 
> How vulnerable is Debian installation without intel-microcode /
> amd-microcode package?
> 
> Are there other contrib and/or non-free packages, similar to the
> microcode package, which make the system vulnerable, if not installed?
> 
> 

The reason why you can't install Debian directly from a WiFi with some
manufacturers is precisely that we do not ship non-free nor contrib
software by default in our Debian installation different to what does
other distributions like Ubuntu (no offense meant).

So no, there's no other contrib/non-free packages there. When there's
something we ask you. In fact you have to add contrib and non-free to
your repository sources.list for this very same reason.

-- 
The Debian Project - http://debian.org/
Jose Luis Rivas - http://joseluisrivas.net/#ghostbar

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5232614a.7050...@debian.org

Re: How secure is an installation with with no non-free packages?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

My understanding of the microcode binary blobs is that they provide
updates to your processor / BIOS that usually have no free
alternative. So basically, your BIOS is probably already non-free and
you might as well have the latest version... so yes, installing the
firmware-linux-nonfree package is probably wise.

This page has a little more information on what microcode is and why
these binary blobs are unfortunately often necessary:
https://wiki.archlinux.org/index.php/Microcode

Someone with more specific knowledge should feel free to chime in here
as I am not an expert on this subject.

Cheers,

On 09/12/2013 04:42 PM, adrelanos wrote:
> adrelanos:
>> How secure is a Debian installation packages installed only from
>> main, none from contrib or non-free?
>> 
>> It will lack for example the firmware-linux-nonfree package and
>> the intel-microcode / amd-microcode package. At least the
>> microcode one is security relevant? Are there any other packages
>> which might be important to have installed for security reasons?
>> 
>> I mean, how secure is it in comparison with those packages
>> installed vs not having them installed?
>> 
>> 
> 
> I apologize, I didn't want to start a discussion of Open Source vs 
> closed source. (Feel free to have it, I am delighted to read your 
> thoughts on it, but I'd be also happy about an answer to the
> question I meant to ask but failed to properly state.) Sorry for
> not asking clear in the first place.
> 
> To rephrase my original question:
> 
> How vulnerable is Debian installation without intel-microcode / 
> amd-microcode package?
> 
> Are there other contrib and/or non-free packages, similar to the 
> microcode package, which make the system vulnerable, if not
> installed?
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSMlooAAoJEGe6xJ1FYRpRi4kH/1FR0n9PB7Sg69Kzw17yDxgB
UiO1P8QzWkNq8oT+lnFf+nZjz/4AxelpiQK6qG5H2tPyUAu9/21F7z7p15KGSTxJ
Sn2fhtCSOfWp8XEqUdCr3/H7TYvhHy0NGUSSyO0yWUKsJeqq+PXmhhuGLG52OZJB
BK5lqnKugSiPQygz9J4fL5+U1aSAsbLZ/dhwU3TR29s9G+TQ7qSCqqu85GiAyVNS
0dH+/5FLSZkjGDwa1M430Z9SM6fJTzZKW7X9AvfeaKV4gdIHVkh1tZCmjH3aDABR
2DtZLEhRpC2cKsIbYC+VM5GJwuUpMQWX8aiYpZPn1KT96Gq8cQUJ3OYJMjHXB+o=
=xeKz
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52325a2a.6000...@gmail.com

Re: How secure is an installation with with no non-free packages?

adrelanos:
> How secure is a Debian installation packages installed only from main,
> none from contrib or non-free?
> 
> It will lack for example the firmware-linux-nonfree package and the
> intel-microcode / amd-microcode package. At least the microcode one is
> security relevant? Are there any other packages which might be important
> to have installed for security reasons?
> 
> I mean, how secure is it in comparison with those packages installed vs
> not having them installed?
> 
> 

I apologize, I didn't want to start a discussion of Open Source vs
closed source. (Feel free to have it, I am delighted to read your
thoughts on it, but I'd be also happy about an answer to the question I
meant to ask but failed to properly state.) Sorry for not asking clear
in the first place.

To rephrase my original question:

How vulnerable is Debian installation without intel-microcode /
amd-microcode package?

Are there other contrib and/or non-free packages, similar to the
microcode package, which make the system vulnerable, if not installed?


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52325160.1000...@riseup.net

Re: How secure is an installation with with no non-free packages?

On Thu, Sep 12, 2013 at 5:23 PM, Jonathan Perry-Houts
 wrote:
> I still don't see why this should make me trust closed code more. For
> all I know Intel's code is full of lines like that, or worse.

It's not about getting you to like closed or open source software
more, it's about getting you to realize that open source software can
and probably is just as vulnerable as closed source software.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/cam5xqnyrt8amqdh3enuqtmkw7lp61qdopzxary+rvx4vsmf...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Read my first email, I never said that anyone should trust open source
software to be perfect. I said that closed software is inherently
untrustworthy. If you disagree, I'd like to hear why.

On 09/12/2013 04:25 PM, Jordon Bedwell wrote:
> On Thu, Sep 12, 2013 at 5:23 PM, Jonathan Perry-Houts 
>  wrote:
>> I still don't see why this should make me trust closed code more.
>> For all I know Intel's code is full of lines like that, or
>> worse.
> 
> It's not about getting you to like closed or open source software 
> more, it's about getting you to realize that open source software
> can and probably is just as vulnerable as closed source software.
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSMk9SAAoJEGe6xJ1FYRpROZcIAKw2/IZ6VYStTJTdcI95VCOC
KPGFax5dQgSId9uKIfUSt9+pXr5ZX7ootDG/QOgt4u8gi5MF2qXiWV7MswPlCCOU
IJ77YOLCCASZ3ZFKeGCGrc1OV/swcwaAkeL5nbS8YEibK/BqqFvaYnCTGJtl0Y4p
R5PrRHTx6IeKjiZSg8nAK6gTvlJI8YxsceItMgDTqcLCyRdYCOlFe0Tm96uq4EaA
8mBw5fx4qkDLu50cZwzJ15Al/rqxBIR92AhCsBTaYYULN4wiq67DjS/xotj3ssZg
152l4R0AsLAFXVVWI/y187qiT6h1A5oyM2e0l6Nfx/PRZlnBLlPUutzEFeWUTl0=
=ZQuW
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52324f54.5010...@gmail.com

Re: How secure is an installation with with no non-free packages?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I can't speak to those packages specifically but I think the answer
you'll get from most people, especially in this community, is that
non-free software is inherently insecure because you can't know
exactly what it is doing. Thus, a fully free system such as Debian
with only main enabled or Trisquel or so is, in principle, more
trustworthy than any system running non-free code.

That said, free code can of course have bugs and security holes too.
It's probably less likely, with a community of thousands auditing it
versus a closed group of developers, but it happens.

On 09/12/2013 02:41 PM, adrelanos wrote:
> How secure is a Debian installation packages installed only from
> main, none from contrib or non-free?
> 
> It will lack for example the firmware-linux-nonfree package and
> the intel-microcode / amd-microcode package. At least the microcode
> one is security relevant? Are there any other packages which might
> be important to have installed for security reasons?
> 
> I mean, how secure is it in comparison with those packages
> installed vs not having them installed?
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSMjmyAAoJEGe6xJ1FYRpRWkUH/iy9/Kyu8SP/ymdAFcWw1eMj
G1+0Jbt8L3iu3wRrvwmcofY+OVx4bAvPZWy4F6Q02UO42SYGHV9r09Rni1ESLxML
d2ktMOzdMILjqrAJwC0K9SP1crCBZs/dUIr6xW6ZxlYI8FDJiFS0O75GSTTrQH3S
G44jtXNkkfjVHayXpRx06xcGy2C2eAHA+BT5EMcmli8nh6/XhTp+qJE9hVzmDk2t
uu0FOPWF4ksW0hGIogKizc/Ltk1Zm28/kXSHwIst7jolMjlE4EKDcH0iyZXoSh6r
6vjPsecjoxGNlS5PTXQ8uA/j42rhBZnSl3+InbHnJ3Qf1m0AFCDzJcgv71VWh58=
=Z1G3
-END PGP SIGNATURE-

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/523239b3.7090...@gmail.com

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jann Horn

On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:
> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts
>  wrote:
> > I can't speak to those packages specifically but I think the answer
> > you'll get from most people, especially in this community, is that
> > non-free software is inherently insecure because you can't know
> > exactly what it is doing. Thus, a fully free system such as Debian
> > with only main enabled or Trisquel or so is, in principle, more
> > trustworthy than any system running non-free code.
> >
> > That said, free code can of course have bugs and security holes too.
> > It's probably less likely, with a community of thousands auditing it
> > versus a closed group of developers, but it happens.
> 
> This falls on the assumption that people actually audit the open
> source software they use, which most of the time is not the case
> because they have the same mentality you imply you have: "with
> thousands auditing it, why should I? it must be secure"... by that
> logic with millions auditing Android we shouldn't have had the
> recently huge crypto issue in Android right?  You know, the one that
> slipped by for years.  We shouldn't have had several other bugs that
> were years unnoticed in other software.

Exactly. There's a bunch of simple-to-spot mistakes in open source software
because nobody actually reads the source. Android has/had a bunch of such
mistakes for quite a while: Reuse of IVs in a block cipher, simple filesystem
races, missing input sanitation, missing delimiters... a lot of this is really
simple stuff that anyone reading the code should be able to spot.

Often, coders who don't have a lot of experience with security just write their
code and maybe add a comment "TODO check the security of this, I have no idea
about it". Or "I copy-pasted this security check, but I'm not really sure about
how well-written it is". And then that comment usually stays forever.

signature.asc
Description: Digital signature

Re: How secure is an installation with with no non-free packages?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I still don't see why this should make me trust closed code more. For
all I know Intel's code is full of lines like that, or worse.

On 09/12/2013 03:15 PM, Jann Horn wrote:
> On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:
>> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts 
>>  wrote:
>>> I can't speak to those packages specifically but I think the
>>> answer you'll get from most people, especially in this
>>> community, is that non-free software is inherently insecure
>>> because you can't know exactly what it is doing. Thus, a fully
>>> free system such as Debian with only main enabled or Trisquel
>>> or so is, in principle, more trustworthy than any system
>>> running non-free code.
>>> 
>>> That said, free code can of course have bugs and security holes
>>> too. It's probably less likely, with a community of thousands
>>> auditing it versus a closed group of developers, but it
>>> happens.
>> 
>> This falls on the assumption that people actually audit the open 
>> source software they use, which most of the time is not the case 
>> because they have the same mentality you imply you have: "with 
>> thousands auditing it, why should I? it must be secure"... by
>> that logic with millions auditing Android we shouldn't have had
>> the recently huge crypto issue in Android right?  You know, the
>> one that slipped by for years.  We shouldn't have had several
>> other bugs that were years unnoticed in other software.
> 
> Exactly. There's a bunch of simple-to-spot mistakes in open source
> software because nobody actually reads the source. Android has/had
> a bunch of such mistakes for quite a while: Reuse of IVs in a block
> cipher, simple filesystem races, missing input sanitation, missing
> delimiters... a lot of this is really simple stuff that anyone
> reading the code should be able to spot.
> 
> Often, coders who don't have a lot of experience with security just
> write their code and maybe add a comment "TODO check the security
> of this, I have no idea about it". Or "I copy-pasted this security
> check, but I'm not really sure about how well-written it is". And
> then that comment usually stays forever.
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSMj7+AAoJEGe6xJ1FYRpRzEIH/2IOcUgMg3d604IidmhW7zEJ
l11eDFwEbmspr1j/wnPW5ToAoiMSMrccYkpE2cR+4MVurejxy0sDxQ9E8SDXs4OV
KcvDOSHMAFdT9PwTJIC4N+I9v/G+7UrpfPf43U0Ju+r8dwpDpnXS38gzgJoRQaYz
aXYiaq67JgonxLwjibArAqarswA61aGpnglgtIKWgcoApQ2yjhm3bmqYEfNe4Uyr
dtfwMxQg25QOlBNyJGKKL5aZSD5Qfa9tvGtvUBB4cpJDJTqy6VY0R9rtNxwPb1f0
5ul64oi+kofdFMtmyKtCRLQQzQ0xftG4mm2L47WzMGYT/N5Rmr8p9AsXPn3Cvq4=
=iDdS
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52323eff.4010...@gmail.com

Re: How secure is an installation with with no non-free packages?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Not everyone has to individually audit their own code unless they're
just ridiculously paranoid. It's true that serious bugs can go by
unnoticed. Another example would be that SSL debacle in Debian a few
years back. That thing slipped by without anyone noticing it for years.

I still trust that more people have looked at the GNU/Linux code than
have ever seen most of the closed Intel/AMD code. I also know that
people auditing open code are more likely to point out when
something's wrong than developers working on closed code in a company.
Maybe that's naive but I'm definitely more comfortable with it.

On 09/12/2013 03:01 PM, Jordon Bedwell wrote:
> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts 
>  wrote:
>> I can't speak to those packages specifically but I think the
>> answer you'll get from most people, especially in this community,
>> is that non-free software is inherently insecure because you
>> can't know exactly what it is doing. Thus, a fully free system
>> such as Debian with only main enabled or Trisquel or so is, in
>> principle, more trustworthy than any system running non-free
>> code.
>> 
>> That said, free code can of course have bugs and security holes
>> too. It's probably less likely, with a community of thousands
>> auditing it versus a closed group of developers, but it happens.
> 
> This falls on the assumption that people actually audit the open 
> source software they use, which most of the time is not the case 
> because they have the same mentality you imply you have: "with 
> thousands auditing it, why should I? it must be secure"... by that 
> logic with millions auditing Android we shouldn't have had the 
> recently huge crypto issue in Android right?  You know, the one
> that slipped by for years.  We shouldn't have had several other
> bugs that were years unnoticed in other software.
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSMjxZAAoJEGe6xJ1FYRpRBh8H/2AnDaFqMwQiyHyrTczh7kjF
HBd7M9bloNu9Vn+Ch2s79ofQBcLZ61y+bxau4D8cb/sWEpjBHdfzfJ6xGFWntlBL
NCsEuXOI7out+s0xxIsIRtXGjlS7riY2vnr9CCLsy2mgeN62DFkgzrg907jwI0Cz
onEdC3P1hDRZ9g8WkF/oozWTX4IEl+eberE6tAQeO95Cf0r7FWDQe7lvoj2+PTVE
zgrChcEb7pW/aKh9NbrZNIjET/Zu9X/xPxE3LujYfu6nDfvXBCemNFL+BJ72IL7W
fT9wY6iFCynKxPkhS2NhN9qF8E0R1wNpP3FQ07QSzEjMUsVTECmDAy9zSEi+l8E=
=Tyg6
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52323c5a.7020...@gmail.com

Re: How secure is an installation with with no non-free packages?

On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts
 wrote:
> I can't speak to those packages specifically but I think the answer
> you'll get from most people, especially in this community, is that
> non-free software is inherently insecure because you can't know
> exactly what it is doing. Thus, a fully free system such as Debian
> with only main enabled or Trisquel or so is, in principle, more
> trustworthy than any system running non-free code.
>
> That said, free code can of course have bugs and security holes too.
> It's probably less likely, with a community of thousands auditing it
> versus a closed group of developers, but it happens.

This falls on the assumption that people actually audit the open
source software they use, which most of the time is not the case
because they have the same mentality you imply you have: "with
thousands auditing it, why should I? it must be secure"... by that
logic with millions auditing Android we shouldn't have had the
recently huge crypto issue in Android right?  You know, the one that
slipped by for years.  We shouldn't have had several other bugs that
were years unnoticed in other software.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAM5XQnxKLL3F4YGiLjHB_hccc4u8u+qBQ=T=obu6flyvdrs...@mail.gmail.com

How secure is an installation with with no non-free packages?