[Trisquel-users] Julian Assange: Debian Is Owned By The NSA

nux at blueyonder.co.uk nux at blueyonder.co.uk
Wed Aug 13 09:55:50 CEST 2014

A bit late in the day, but...

If you were going to compromise a distro then Debian and Red Hat would be the  
obvious ones to go for as they're more or less the root distros of all others  
(Arch and Slackware aside). Compromise Debian and you compromise Ubuntu and  
all it's spin offs. Compromise Red Hat and you have the Corporate sector in  
the palm of your hand. That's a lot of distros and a lot of data that's yours  
for the taking.
Further - given that the current kernel has around 15 million lines of code  
in it, just how many hundreds of millions of lines of code are in the average  
distro? And these are all watched? All the time? And everyone watching them  
is 100% open hearted, honest and uncorruptible? Seems a little unlikely.  
Particularly given the fact that much of what is in GNU/Linux is Corporately  
developed or payrolled and the levels of double-mindedness that Corporate  
employees display are more than well documented.
There is the now infamous incident where Linus Torvalds was asked if he had  
been approached by the NSA and he said "no" whilst nodding. And it all seems  
so gentlemanly, as though they said "We don't suppose you'd be willing to  
compromise the kernel? No? We didn't think so, oh well it was worth a try"  
and not "if you value your children's lives, you'll do as you're told" or,  
far more likely, they found someone on the kernel dev team who had a  
weakness, or need of money and as such was turnable. And no one is going to  
submit a patch with the P.S - "I've been approached by the NSA and they asked  
me to put a back door in this, so be aware..."
And even if none of this is true, fear and suspicion will destroy a community  
far more effectively than infiltrating it will. So a whisper here and a  
carefully crafted blog post there and suddenly everyone's behaving like that  
scene in the Clint Eastwood movie where we're all standing in a graveyard,  
eyeing each other warily, hands hovering over guns, waiting for someone to  
make the first move. Divide and rule has been practiced for millenia and  
whilst those who practice such methods have millenia of archives and manuals  
on how to do it, those who resist seem to have to relearn, from the ground  
up, in each and every generation.

That said, it's now known that backdoors are being built into the hardware  
and are deisnged to be OS agnostic, so it matters little whether Debian has  
been compromised, if it's running on compromised hardware. And to my mind,  
the development of OS agnostic backdoors in the hardware is a direct response  
to OpenSource software. "Think you've outsmarted us, just because you use  

I read the article and the lengthy debate. It comes down to paranoia (a very  
healthy attitude considering all we now know) vs trust. All the arguments for  
trust are based on an appeal to the majority or on a specific lack of  
evidence of corruption. Neither are valid arguments.

So, either I learn all the necessary languages and then audit the code myself  
(for who else can I really trust?) or I have to 'hope for the best' despite  
overwhelming evidence to the contrary. The former is impossible and the  
latter is no choice worth making. I have zero expectations of privacy.  
Regardless of what software I use, there is no escape from State  
surveillance. Even if there was a 100% clean OS, my ISP is spying on me  
anyway. This post I'm typing on my nice 100% libre OS, will still be sent  
through servers, in a series of packets and it's almost certain that they can  
be read by those I have not given permission to.

So why bother at all then?

For me, it's about personal morality. I believe in marriage, but I don't  
entertain ideas that because I believe in marriage that this will lead to an  
end to one night stands, or divorce. But neither will I say "marriage is  
going out of fashion so I won't bother either". I tend to regard the majority  
as unsavable. They are blind, deaf and dumb; deprived of the wherewithall to  
make informed decisions and programmed to despise those who do. So all we  
have is our little corner of the world and it's good to find others who feel  
the same way, albeit in varying degrees. But changing the world for the  
better? Not going to happen. That doesn't mean don't try, it just means be  
realistic about our chances and be ruthlessly discerning over who says what  
and why. If your first reaction to "Debian owned by the NSA" was anger, then  
you're almost certainly not thinking straight about the deeper issues. The  
title was intentionally provocative, to get people to read it, to try to get  
people to think beyond the badges and sales slogans that we're all familiar  
with and over which we should, by now, be very questioning, regardless of who  
states them. When a High Street Bank says "the name you can trust" anyone who  
watches the news will fall about laughing. Even the Co-Op bank (here in the  
UK) has abandoned ethical practices and is now going down the Corporate  
dishonesty route. Why should Debian be any different? Becuse it uses the  
words "open source"? So do Microsoft.

Should there be a panel of code reviewers? Yes. Could they be trusted? For  
about a week or two, then suspicion would have to return, because such a body  
would arguably be a target for compromise and as such would be compromised,  
as every other body set up to "keep an eye on things" has been. Corporate law  
has to be changed and that requires a legislature that is also not  
compromised and that in itself is a problem as old as humanity.

All of which is a long winded way of saying, to my mind, suspicion is the  
default setting. If you can prove trustworthiness to me then so much the  
better, but it's for you to prove I can trust something and not for me to  
prove that you cannot trust it. Because the evidence for the argument that  
very little is not compromised is all around us.

More information about the Trisquel-users mailing list