Re: How secure is an installation with no non-free packages?
On Fri, 2013-09-13 at 09:57 +0900, Joel Rees wrote:

> On Fri, Sep 13, 2013 at 8:42 AM, adrelanos adrela...@riseup.net wrote:
>
>> adrelanos:
>>
>>> How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other packages which might be important to have installed for security reasons? I mean, how secure is it in comparison with those packages installed vs not having them installed?
>>
>> I apologize, I didn't want to start a discussion of Open Source vs closed source. (Feel free to have it, I am delighted to read your thoughts on it, but I'd be also happy about an answer to the question I meant to ask but failed to properly state.) Sorry for not asking clearly in the first place.
>>
>> To rephrase my original question: How vulnerable is Debian installation without intel-microcode / amd-microcode package?
>
> No one knows. We can only guess. Our guess includes an assumption that Intel or AMD would or would not deliberately sabotage their products at the instigation of an organization like the Chinese/Taiwanese government or the NSA or some similar equivalent or not-so-equivalent secret organization.
>
> Ken Thompson gave us the archetype response on this question when he described a way to grandfather a backdoor password into (the libraries used by) a C compiler such that it would not show in the source but would be present in the object. I assume you have read his essay on trusting trust?
>
> (1) All we can say for sure is that anything that is open is inherently more open than anything that is closed.
> (2) Anything we didn't build ourselves may be deliberately sabotaged.
> (3) Anything we do build ourselves will have accidental gaping holes.
> (4) When we work with friends, we can do more than when we work alone.
>
> None of that tells us how bad Intel and AMD are screwing up, and which directions they are running with the ball in the hardware camp. They are primarily concerned with features that sell or otherwise obviously make them money. Until sometime in the future (closer now than a year ago), security does not sell, does not obviously make them money.
>
> --
> Joel Rees
> Be careful where you see conspiracy. Look first in your own heart.

4.1: and when we share our sources (not just in the sense of giving away, but using the same codebase), we exposed ourselves together and share the same risks. We stand together.

There is no such thing as absolute security (Many et al). Only 3 letter agencies believe, or pretend to, on such crap. Life is inherently chaos and change. This dream of absolute control serves to keep us docile servants of private interests.

Free software does not promise perfect security, it offers a different perspective on software development motifs which battles the long going effort to subdue users and keep them that way. But battles are not won overnight, they are a life path that we set to follow and endure, without any guarantees other than that we will die anyway. Free software is a path, not the One Final Answer. That would be 42.

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1379093741.555.30.camel@tagesuhu-pc
Re: How secure is an installation with no non-free packages?
On 13/09/2013, Jonathan Perry-Houts jperryho...@gmail.com wrote:

> My understanding of the microcode binary blobs is that they provide updates to your processor / BIOS that usually have no free alternative. So basically, your BIOS is probably already non-free and you might as well have the latest version... so yes, installing the firmware-linux-nonfree package is probably wise.
>
> This page has a little more information on what microcode is and why these binary blobs are unfortunately often necessary: https://wiki.archlinux.org/index.php/Microcode
>
> Someone with more specific knowledge should feel free to chime in here as I am not an expert on this subject.

I am also not an expert (not by a long shot!) but believe this page may be of interest to people reading this discussion thread: http://www.fsf.org/campaigns/free-bios.html

Regards,
Sam
How secure is an installation with no non-free packages?
How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other packages which might be important to have installed for security reasons? I mean, how secure is it in comparison with those packages installed vs not having them installed?
Re: How secure is an installation with no non-free packages?
Not everyone has to individually audit their own code unless they're just ridiculously paranoid. It's true that serious bugs can go by unnoticed. Another example would be that SSL debacle in Debian a few years back. That thing slipped by without anyone noticing it for years.

I still trust that more people have looked at the GNU/Linux code than have ever seen most of the closed Intel/AMD code. I also know that people auditing open code are more likely to point out when something's wrong than developers working on closed code in a company. Maybe that's naive but I'm definitely more comfortable with it.

On 09/12/2013 03:01 PM, Jordon Bedwell wrote:

> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote:
>
>> I can't speak to those packages specifically but I think the answer you'll get from most people, especially in this community, is that non-free software is inherently insecure because you can't know exactly what it is doing. Thus, a fully free system such as Debian with only main enabled or Trisquel or so is, in principle, more trustworthy than any system running non-free code.
>>
>> That said, free code can of course have bugs and security holes too. It's probably less likely, with a community of thousands auditing it versus a closed group of developers, but it happens.
>
> This falls on the assumption that people actually audit the open source software they use, which most of the time is not the case because they have the same mentality you imply you have: with thousands auditing it, why should I? it must be secure... by that logic with millions auditing Android we shouldn't have had the recently huge crypto issue in Android right? You know, the one that slipped by for years. We shouldn't have had several other bugs that were years unnoticed in other software.
Re: How secure is an installation with no non-free packages?
I still don't see why this should make me trust closed code more. For all I know Intel's code is full of lines like that, or worse.

On 09/12/2013 03:15 PM, Jann Horn wrote:

> On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:
>
>> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote:
>>
>>> I can't speak to those packages specifically but I think the answer you'll get from most people, especially in this community, is that non-free software is inherently insecure because you can't know exactly what it is doing. Thus, a fully free system such as Debian with only main enabled or Trisquel or so is, in principle, more trustworthy than any system running non-free code.
>>>
>>> That said, free code can of course have bugs and security holes too. It's probably less likely, with a community of thousands auditing it versus a closed group of developers, but it happens.
>>
>> This falls on the assumption that people actually audit the open source software they use, which most of the time is not the case because they have the same mentality you imply you have: with thousands auditing it, why should I? it must be secure... by that logic with millions auditing Android we shouldn't have had the recently huge crypto issue in Android right? You know, the one that slipped by for years. We shouldn't have had several other bugs that were years unnoticed in other software.
>
> Exactly. There's a bunch of simple-to-spot mistakes in open source software because nobody actually reads the source. Android has/had a bunch of such mistakes for quite a while: Reuse of IVs in a block cipher, simple filesystem races, missing input sanitation, missing delimiters... a lot of this is really simple stuff that anyone reading the code should be able to spot.
>
> Often, coders who don't have a lot of experience with security just write their code and maybe add a comment TODO check the security of this, I have no idea about it. Or I copy-pasted this security check, but I'm not really sure about how well-written it is. And then that comment usually stays forever.
Re: How secure is an installation with no non-free packages?
On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:

> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote:
>
>> I can't speak to those packages specifically but I think the answer you'll get from most people, especially in this community, is that non-free software is inherently insecure because you can't know exactly what it is doing. Thus, a fully free system such as Debian with only main enabled or Trisquel or so is, in principle, more trustworthy than any system running non-free code.
>>
>> That said, free code can of course have bugs and security holes too. It's probably less likely, with a community of thousands auditing it versus a closed group of developers, but it happens.
>
> This falls on the assumption that people actually audit the open source software they use, which most of the time is not the case because they have the same mentality you imply you have: with thousands auditing it, why should I? it must be secure... by that logic with millions auditing Android we shouldn't have had the recently huge crypto issue in Android right? You know, the one that slipped by for years. We shouldn't have had several other bugs that were years unnoticed in other software.

Exactly. There's a bunch of simple-to-spot mistakes in open source software because nobody actually reads the source. Android has/had a bunch of such mistakes for quite a while: Reuse of IVs in a block cipher, simple filesystem races, missing input sanitation, missing delimiters... a lot of this is really simple stuff that anyone reading the code should be able to spot.

Often, coders who don't have a lot of experience with security just write their code and maybe add a comment TODO check the security of this, I have no idea about it. Or I copy-pasted this security check, but I'm not really sure about how well-written it is. And then that comment usually stays forever.
Re: How secure is an installation with no non-free packages?
I can't speak to those packages specifically but I think the answer you'll get from most people, especially in this community, is that non-free software is inherently insecure because you can't know exactly what it is doing. Thus, a fully free system such as Debian with only main enabled or Trisquel or so is, in principle, more trustworthy than any system running non-free code.

That said, free code can of course have bugs and security holes too. It's probably less likely, with a community of thousands auditing it versus a closed group of developers, but it happens.

On 09/12/2013 02:41 PM, adrelanos wrote:

> How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other packages which might be important to have installed for security reasons? I mean, how secure is it in comparison with those packages installed vs not having them installed?
Re: How secure is an installation with no non-free packages?
Read my first email, I never said that anyone should trust open source software to be perfect. I said that closed software is inherently untrustworthy. If you disagree, I'd like to hear why.

On 09/12/2013 04:25 PM, Jordon Bedwell wrote:

> On Thu, Sep 12, 2013 at 5:23 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote:
>
>> I still don't see why this should make me trust closed code more. For all I know Intel's code is full of lines like that, or worse.
>
> It's not about getting you to like closed or open source software more, it's about getting you to realize that open source software can and probably is just as vulnerable as closed source software.
Re: How secure is an installation with no non-free packages?
On Thu, Sep 12, 2013 at 5:23 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote:

> I still don't see why this should make me trust closed code more. For all I know Intel's code is full of lines like that, or worse.

It's not about getting you to like closed or open source software more, it's about getting you to realize that open source software can and probably is just as vulnerable as closed source software.
Re: How secure is an installation with no non-free packages?
adrelanos:

> How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other packages which might be important to have installed for security reasons? I mean, how secure is it in comparison with those packages installed vs not having them installed?

I apologize, I didn't want to start a discussion of Open Source vs closed source. (Feel free to have it, I am delighted to read your thoughts on it, but I'd be also happy about an answer to the question I meant to ask but failed to properly state.) Sorry for not asking clearly in the first place.

To rephrase my original question: How vulnerable is Debian installation without intel-microcode / amd-microcode package?

Are there other contrib and/or non-free packages, similar to the microcode package, which make the system vulnerable, if not installed?
Re: How secure is an installation with no non-free packages?
On 09/12/2013 07:12 PM, adrelanos wrote:

> To rephrase my original question: How vulnerable is Debian installation without intel-microcode / amd-microcode package?
>
> Are there other contrib and/or non-free packages, similar to the microcode package, which make the system vulnerable, if not installed?

The reason why you can't install Debian directly from a WiFi with some manufacturers is precisely that we do not ship non-free nor contrib software by default in our Debian installation different to what does other distributions like Ubuntu (no offense meant).

So no, there's no other contrib/non-free packages there. When there's something we ask you. In fact you have to add contrib and non-free to your repository sources.list for this very same reason.

--
The Debian Project - http://debian.org/
Jose Luis Rivas - http://joseluisrivas.net/#ghostbar
Re: How secure is an installation with no non-free packages?
On Fri, Sep 13, 2013 at 8:42 AM, adrelanos adrela...@riseup.net wrote:

> adrelanos:
>
>> How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other packages which might be important to have installed for security reasons? I mean, how secure is it in comparison with those packages installed vs not having them installed?
>
> I apologize, I didn't want to start a discussion of Open Source vs closed source. (Feel free to have it, I am delighted to read your thoughts on it, but I'd be also happy about an answer to the question I meant to ask but failed to properly state.) Sorry for not asking clearly in the first place.
>
> To rephrase my original question: How vulnerable is Debian installation without intel-microcode / amd-microcode package?

No one knows. We can only guess. Our guess includes an assumption that Intel or AMD would or would not deliberately sabotage their products at the instigation of an organization like the Chinese/Taiwanese government or the NSA or some similar equivalent or not-so-equivalent secret organization.

Ken Thompson gave us the archetype response on this question when he described a way to grandfather a backdoor password into (the libraries used by) a C compiler such that it would not show in the source but would be present in the object. I assume you have read his essay on trusting trust?

(1) All we can say for sure is that anything that is open is inherently more open than anything that is closed.
(2) Anything we didn't build ourselves may be deliberately sabotaged.
(3) Anything we do build ourselves will have accidental gaping holes.
(4) When we work with friends, we can do more than when we work alone.

None of that tells us how bad Intel and AMD are screwing up, and which directions they are running with the ball in the hardware camp. They are primarily concerned with features that sell or otherwise obviously make them money. Until sometime in the future (closer now than a year ago), security does not sell, does not obviously make them money.

rant-mode

That's the short-sightedness of capital based economy when interest-holders are not well-versed in the technological details of a company's products or of the impact that product has in the market and where it gets used.

I hate to bring up the G-word again, but we humans work beyond the edge of our abilities, we end up depending on someone being more than human. And we refuse to accept the limitations of working within our abilities, just like we refuse to believe we are as limited as we are.

Fortunately, G?? (or the universe) seems to have given us room to make mistakes in this way, up to a point. Our next big mistake is to hope that the natural consequences (or punishments of G??) will never catch up to us.

/rant-mode

> Are there other contrib and/or non-free packages, similar to the microcode package, which make the system vulnerable, if not installed?

Depends on what you're using the system for.

Wish I could say more, but we are really just barely beginning to scratch the surface of building a stable computer technology. And the big boys are all about intellectual property right now, and as long as they are playing those games, we aren't going to get any further on what you need to be able to answer that question, essentially a database of function vs. package vs. target use, and the interplay thereof.

--
Joel Rees
Be careful where you see conspiracy. Look first in your own heart.
Re: How secure is an installation with no non-free packages?
I am not Debian, but I am in rant-mode on this subject today, so bear with me --

On Fri, Sep 13, 2013 at 10:02 AM, adrelanos adrela...@riseup.net wrote:

> Jose Luis Rivas:
>
>> So no, there's no other contrib/non-free packages there.
>
> I didn't want to imply, that there are preinstalled.
>
>> The reason why you can't install Debian directly from a WiFi with some manufacturers is precisely that we do not ship non-free nor contrib software by default in our Debian installation different to what does other distributions like Ubuntu (no offense meant).
>
> And this is fine and I don't want to go into that political vs convenience discussion either.

You can't avoid it now. (Thanks to NSA and Intel deciding to boogie together. Let the children boogie.)

> So we have the (intel/amd)-microcode and the firmware-linux-nonfree package which should be installed to improve security? Are there any other packages of this type?

We'd like to say they are unique. They are unique in that they are the CPU, but any binary blob required by the hardware you are using is going to have the same set of problems, and most of them, even when we move the drivers out of the kernel, are going to have the capability of subverting the whole box.

We'd like to say that it's all Intel's fault for pushing the market so far so fast, but we can only say they have been a major contributor to the problem. (We have, also, each one of us.)

> What would you do if there was an exploit in the wild, which uses a vulnerability in (intel/amd)?

Do you mean, in the cpu itself, or in the microcode?

> Let's say any website could prepare some html code which would trigger a remote code execution.

Ergo, on vulnerable CPU/microcode combinations.

> One that can only be fixed by having the (intel/amd)-microcode package installed.

So you're thinking the CPU, but which level of microcode?

> Is this a possible scenario?

Of course. Especially now that the bad guys have tools that allow them to build targeted tools fairly easily.

> What would you (Debian) do in this case?

Do you mean, would Debian fold up and go away if the only way to provide a secure OS were to be to include certain non-free packages by default?

They already do (as Jose Luis Rivas indicated). It just requires a certain amount of action on your part so that they can limit the amount of non-free stuff you have to load. At the very least, AMD machines do not need Intel microcode, and vice-versa.

That's why it's important to have more than one major CPU vendor, even if Intel's bragging that they have beaten everyone else on all technical fronts had any merits whatsoever. (It doesn't. They haven't even come close. Their current excesses are catching up to them now.)

> (I am not suggesting anything here, I am just interested in those questions.)

And I suppose I am not contributing anything meaningful to the conversation.

Sorry, but this is a pet peeve of mine. We can't afford the results when microprocessors become this complex, and one of the reasons I hate Intel is that they have pushed the complexity so hard to maintain their market advantage, and it just makes a mess of the industry.

--
Joel Rees
Be careful where you see conspiracy. Look first in your own heart.
Re: How secure is an installation with no non-free packages?
Jose Luis Rivas:

> So no, there's no other contrib/non-free packages there.

I didn't want to imply, that there are preinstalled.

> The reason why you can't install Debian directly from a WiFi with some manufacturers is precisely that we do not ship non-free nor contrib software by default in our Debian installation different to what does other distributions like Ubuntu (no offense meant).

And this is fine and I don't want to go into that political vs convenience discussion either.

So we have the (intel/amd)-microcode and the firmware-linux-nonfree package which should be installed to improve security? Are there any other packages of this type?

What would you do if there was an exploit in the wild, which uses a vulnerability in (intel/amd)? Let's say any website could prepare some html code which would trigger a remote code execution. One that can only be fixed by having the (intel/amd)-microcode package installed. Is this a possible scenario? What would you (Debian) do in this case?

(I am not suggesting anything here, I am just interested in those questions.)
Re: How secure is an installation with no non-free packages?
Okay, thank you for your reply! Convinces me.

Joel Rees:

> I assume you have read his essay on trusting trust?

Yes, but I am not claiming, that I fully understand it.

> rant-mode

Not perceived as rant at all.

>> Are there other contrib and/or non-free packages, similar to the microcode package, which make the system vulnerable, if not installed?
>
> Depends on what you're using the system for.

I was just asking generally and I think we have already identified three packages of that type.

> Wish I could say more, but we are really just barely beginning to scratch the surface of building a stable computer technology.

Yes, the more I dig into one topic, the open questions remain and the stronger the conclusion we're totally screwed becomes.
Re: How secure is an installation with no non-free packages?
On Fri, Sep 13, 2013 at 10:11 AM, adrelanos adrela...@riseup.net wrote:

> [...]
>
> Yes, the more I dig into one topic, the open questions remain and the stronger the conclusion we're totally screwed becomes.

We've always been screwed.

I'd say, ever since the 6809 faded away, but what I'd mean is ever since we moved from 8-bit to 32-bit systems. But, no, the problem is not the increased complexity, it's pushing the industry into a range of complexity where we have no tools to deal with the complexity.

Don't let it turn you paranoid or cynical, just learn what you can, deal with it as you can, and keep doing what you can. And don't hope there is a magic bullet.

With Intel, it's like our star pitcher has been caught trying to throw the game. I could use a war metaphor instead, but the point is not to give up. It's to adjust our ideas about whom we can trust and start adjusting our behavior accordingly. And build tools to help us contain the damage.

I'm not sure what we can do concerning the microcode. The tools we need will require going against Intel's shrink-wrap agreements, but I think we can claim unconscionable clauses and such. Probing the microcode and breaking the key for the update mechanism are high-priority. It's a Pandora's box, but the NSA has forced our hand.

If the ARM consortium won't help us out here, by avoiding the stupid excesses Intel has gone to, we'll eventually have to develop several industrially viable fully open/libre/free CPU cores. (Several, for specialized target applications, and so that we can avoid the monoculture issues.)

--
Joel Rees
Be careful where you see conspiracy. Look first in your own heart.
Re: How secure is an installation with no non-free packages?
Joel Rees: I am not Debian, but I am in rant-mode on this subject today, so bear with me -- On Fri, Sep 13, 2013 at 10:02 AM, adrelanos adrela...@riseup.net wrote: Jose Luis Rivas: So no, there's no other contrib/non-free packages there. I didn't want to imply, that there are preinstalled. The reason why you can't install Debian directly from a WiFi with some manufacturers is precisely that we do not ship non-free nor contrib software by default in our Debian installation different to what does other distributions like Ubuntu (no offense meant). And this is fine and I don't want to go into that political vs convenience discussion either. You can't avoid it now. (Thanks to NSA and Intel deciding to boogie together. Let the children boogie.) So we have the (intel/amd)-microcode and the firmware-linux-nonfree package which should be installed to improve security? Are there any other packages of this type? We'd like to say they are unique. They are unique in that they are the CPU, but any binary blob required by the hardware you are using is going to have the same set of problems, and most of them, even when we move the drivers out of the kernel, are going to have the capability of subverting the whole box. We'd like to say that it's all Intel's fault for pushing the market so far so fast, but we can only say they have been a major contributor to the problem. (We have, also, each one of us.) What would you do if there was an exploit in the wild, which uses an vulnerability in (intel/amd)? Do you mean, in the cpu itself, or in the microcode? Microcode. (I guess if the vulnerability can not be fixed with some kind of firmware upgrade and is used in the wild, that would be a reason to get it replaced for free or being required to buy a new one.) Let's say any website could prepare some html code which would trigger a remote code execution. Ergo, on vulnerable CPU/microcode combinations. One that can only be fixed by having the (intel/amd)-microcode package installed. 
So you're thinking the CPU, but which level of microcode? No idea. Is this a possible scenario? Of course. Especially now that the bad guys have tools that allow them to build targeted tools fairly easily. What would you (Debian) do in this case? Do you mean, I don't try to mean anything in this thread. :) Just asking questions. would Debian fold up and go away if the only way to provide a secure OS were to be to include certain non-free packages by default? And no, I think discontinuing Debian for such reasons is extremely unlikely and many actions seem to be much more likely - I may not be able to guess what you are going to do, hence I am asking. They already do (as Jose Luis Rivas indicated). It just requires a certain amount of action on your part so that they can limit the amount of non-free stuff you have to load. At the very least, AMD machines do not need Intel microcode, and vice-versa. Yes, that is very nice. That's why it's important to have more than one major CPU vendor, Sure, I am not against having 10 or more per country either. I believe monopolies are almost always bad. even if Intel's bragging that they have beaten everyone else on all technical fronts had any merits whatsoever. (It doesn't. They haven't even come close. Their current excesses are catching up to them now.) (I am not suggesting anything here, I am just interested in those questions.) And I suppose I am not contributing anything meaningful to the conversation. Happy to read your thoughts. Sorry, but this is a pet peeve of mine. Understandably. It's a terrible pity. None of that is the fault of Debian, you're doing fine providing a Free operating system and I am not asking you to fix the rest of the world as well. Good to be aware of it, however. We can't afford the results when microprocessors become this complex, and one of the reasons I hate Intel is that they have pushed the complexity so hard to maintain their market advantage, and it just makes a mess of the industry.
Re: How secure is an installation with with no non-free packages?
On 09/12/2013 08:32 PM, adrelanos wrote: So we have the (intel/amd)-microcode and the firmware-linux-nonfree package which should be installed to improve security? Are there any other packages of this type? Who said they improve security? We don't know what they are. And I doubt they will patch a backdoor at this moment, especially when you don't know what the hell they have in your hardware. So my guess is that it's more likely their microcode is inserting a backdoor instead of patching it. What would you do if there was an exploit in the wild, which uses a vulnerability in (intel/amd)? Let's say any website could prepare some html code which would trigger a remote code execution. One that can only be fixed by having the (intel/amd)-microcode package installed. I doubt there's HTML code with the ability to trigger remote code execution. More likely some JavaScript which is still hard at CPU level or an iframe downloading things. This will depend on vulnerability from all levels to go into the CPU, which is a hard combination to get in the open-source world. But let's say an exploit like that is available: we are a universal operating system because we do not only support x86/x86_64. My suggestion would be: change your arch. I already own several ARM-machines, I suggest you buy something like this just in case. Is this a possible scenario? Everything is possible. What would you (Debian) do in this case? I don't know. We are a community, and I'm not a spokesperson for Debian although I'm a Debian Developer. I can't answer this. -- The Debian Project - http://debian.org/ Jose Luis Rivas - http://joseluisrivas.net/#ghostbar
Re: How secure is an installation with with no non-free packages?
On Thu, Sep 12, 2013 at 9:03 PM, adrelanos adrela...@riseup.net wrote: Microcode. (I guess if the vulnerability can not be fixed with some kind of firmware upgrade and is used in the wild, that would be a reason to get it replaced for free or being required to buy a new one.) I'm not a lawyer but even I know a vendor like Intel or AMD cannot require you to buy a new processor as long as it's under warranty, and security/performance issues do count as a warranty issue... they do microcode updates now to avoid having to recall because of that type of situation, not to mention the numerous other benefits such as fast shipping and other stuff.
Re: How secure is an installation with with no non-free packages?
On Thu, Sep 12, 2013 at 11:41 PM, adrelanos wrote: How secure is a Debian installation with packages installed only from main, none from contrib or non-free? Install and run debsecan on such a system to find out about the known vulnerabilities. For the unknown ones you have to audit the code running on your system and the potential code paths. Probably start with the Linux kernel. It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other packages which might be important to have installed for security reasons? No known issues for these: https://security-tracker.debian.org/tracker/source-package/intel-microcode https://security-tracker.debian.org/tracker/source-package/amd-microcode One issue for the Broadcom BCM4325 and BCM4329 Wi-Fi firmware, not affected by Debian: https://security-tracker.debian.org/tracker/source-package/firmware-nonfree https://security-tracker.debian.org/tracker/CVE-2012-2619 http://bugs.debian.org/694716 I mean, how secure is it in comparison with those packages installed vs not having them installed? There is no way to judge that objectively since we don't have the code for them, don't know what the updates do and most of these are for unknown CPU architectures. Despite that, there has been some work on microcode reverse engineering: http://inertiawar.com/microcode/ I guess the rest of the thread covered the philosophical/theoretical side of things. -- bye, pabs http://wiki.debian.org/PaulWise
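A companion check to the debsecan suggestion in the message above, as an added example that is not part of the original thread: it lists the installed packages that come from contrib or non-free and reports the microcode revision the kernel sees on an x86 CPU. The function names and the sample status and cpuinfo entries are constructed for illustration, and the script assumes each package declares its archive area as a prefix of its `Section:` field.

```shell
# Added example (not from the thread): which installed packages come from
# outside Debian "main", and which microcode revision is the CPU running?

# Installed packages whose Section starts with contrib or non-free.
# $1: dpkg status file (default: the live dpkg database).
nonmain_packages() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        pkg = sec = st = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Package: /) pkg = substr($i, 10)
            else if ($i ~ /^Section: /) sec = substr($i, 10)
            else if ($i ~ /^Status: /) st = substr($i, 9)
        }
        if (st == "install ok installed" && sec ~ /^(contrib|non-free)/) print pkg, sec
    }' "${1:-/var/lib/dpkg/status}" | sort
}

# Distinct microcode revisions reported by the kernel (x86 only).
# $1: cpuinfo file (default: /proc/cpuinfo).
microcode_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# Constructed sample data so the example runs offline.
write_samples() {
    cat > "$1/status" <<'EOF'
Package: bash
Status: install ok installed
Section: shells

Package: intel-microcode
Status: install ok installed
Section: non-free/admin

Package: firmware-linux-nonfree
Status: deinstall ok config-files
Section: non-free/kernel
EOF
    printf 'processor\t: 0\nmicrocode\t: 0x1b\nprocessor\t: 1\nmicrocode\t: 0x1b\n' > "$1/cpuinfo"
}

tmp=$(mktemp -d)
write_samples "$tmp"
nonmain_packages "$tmp/status"      # on a real host: nonmain_packages
microcode_revisions "$tmp/cpuinfo"  # on a real host: microcode_revisions
rm -rf "$tmp"
```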