[Whonix-devel] Introduction - Rick
WhonixQubes
whonixqubes at riseup.net
Fri Jan 30 10:21:27 CET 2015
On 2015-01-30 1:19 am, secretsocket at nym.hush.com wrote:
> Thank-you. I have plenty of reading to do. I have read a little and
> have been aware of Qubes (and the invisible things).
>
> I do have a little question though, and I would be VERY interested to
> read any and all considered opinions on the matter but...does it not
> concern anyone that the NSA is one of the top 10 contributors to the
> Xen project? Also, more generally, what about SElinux? or any other
> project that gets worked on by those who do everything possible to
> have full visibility of everyone. For me NSA code running on my
> computer makes me very unhappy. I don't want *any* of it. I wish I
> had a better understanding of the motivations of both this contributor
> as well as why anyone would accept anything from them.
>
> I have a real hard time buying the line that they are trying to
> protect American business interests when it's been shown they work
> very hard to *compromise* it. I am referring to the shenanigans
> revolving request for backdoors in commercial products and trying to
> weaken encryption standards.
>
> Being a Qubes developer, I am hoping you have wrestled with this and
> have some insight.
>
> Anyway thanks again for this helpful reply. Please give me a little
> time to review this material. I don't want to pollute the board.
>
> Regards,
> Rick
Good question, Rick.
And, no problem, please do take your time to get well oriented. :)
I look at it like this...
Could Xen be compromised? Yes.
Could Linux be compromised? Yes.
Could Debian or other distros be compromised? Yes.
Could pretty much any other widely used code be compromised? Yes.
Their infiltration and exploit programs go so far, including corrupting
human beings, that no publicly available code is out of the question.
However, with that in mind, then I segment my perspective like this...
1.
Where do they get the most return on investment?
I think the *higher* priority systems targeted for backdooring/etc are
going to align with market share.
So I think that Windows, Mac, iOS, Android, Linux, etc are all notably
*higher* priority targets for infiltration than Xen or Qubes, due to
getting to then own many orders of magnitude more systems/humans
throughout the world.
Broad return on investment for compromising Xen or Qubes is much much
lower, by comparison. And so Xen or Qubes is likely *less* of a target
for compromise.
2.
Where do they effectively hide the bad code?
In the Linux kernel, there are tens of millions of lines of code to hide
a compromise in.
Xen only has ~1% of the LOC footprint of Linux to hide bad code in, so
it is much more auditable for security than most other operating
systems.
3.
Even though they publicly contribute code to Xen, Linux, etc, I think
that they are *more likely* to do their fundamental exploits covertly
under alternative identities.
Because if multiple major compromises came out under their official
name, then they would completely ruin their name and public acceptance
of their publicly contributed code attached to their official identity.
So I think it is *more likely* that they use alternative identities when
compromising code in such systems.
And, thus, *EVERY* major system, especially those with the highest
market share and overgrown footprints are likely being "contributed to"
with bad code, specifically using covert identities.
So, I don't see Xen as being a special target, just because of the fact
that they also openly and publicly contribute code to it under their
official name.
They do have a dual mission to protect and infect, so I would expect
them either way to be contributing clean code to systems as well. But,
IMO, they likely have a policy of typically not linking their fundamental
code exploits to their official public reputation. And they have more
than enough resources to establish and build false trust through many
alternative long-term code contributor identities.
4.
Another key mode of attack is through secondary software packages or
drivers beyond the kernel.
With a monolithic system like Linux, etc, why not also just target
widely installed software packages that get escalated system privileges?
By design, with Qubes, the core system components are further broken up
into separate isolated security domains.
So it is a fundamentally tougher architectural challenge to compromise
software in the Qubes system that will then compromise the entire
system.
5.
The Qubes team hand picks each software component that goes into Qubes
Dom0. They keep the software profile extra lean by comparison, and I
think they probably compile all software packages from source, and offer
them via their own signed update repository.
Compare this lean profile of software and trust to the massive software
and maintainer organizational chart of other, especially monolithic
kernel distros, where there are tons more open doors to easily
infiltrate.
6.
Qubes is slow to update Xen on purpose.
I've read that Joanna believes that, except for critical security
patches, Xen should not be frequently updated.
I think part of this is so that there is time for vetting and trust to
be established for the Xen code base underlying Qubes.
7.
The Qubes team, along with other Xen devs, are generally on top of Xen
security and personally rely upon it themselves.
The ITL devs personally have a history of exposing exploitable code in
Xen (ironically, one of them in a disabled-by-default NSA module -- I
haven't looked into whether it was suspected to be intentional or not).
See the following:
Good 2011 interview with Joanna, where she answers this question on page
3:
"What happens if there’s a vulnerability in Xen and you can break out of
the hypervisor?"
- http://www.tomshardware.com/reviews/qubes-os-joanna-rutkowska-windows,3009.html
2008 ITL Blackhat presentations:
- http://invisiblethingslab.com/resources/bh08
2008 Blog: Our Xen 0wning Trilogy Highlights:
- http://theinvisiblethings.blogspot.com/2008/08/our-xen-0wning-trilogy-highlights.html
Some other good information contained here:
- http://invisiblethingslab.com/resources
So these are some of the perspectives I hold that still make me at
least as, if not more, confident in using Qubes compared to something
like Linux, where any garden variety hacker, not to mention
state-sponsored, can own me through something as simple as a Firefox
0day or malformed document. Or, with state-sponsored, probably right out
of the box with all the massive amount of software and code in typical
bloated Linux distros.
To me, for the list of reasons mentioned, Linux distros, VirtualBox, etc
look much more risky than Xen or Qubes. And forget about commercial
OSes.
Though I'd love to learn of an even better alternative than Qubes or
understand why Linux, etc is likely *not* or *less* compromised than
Xen.
I'm just unaware of a better alternative.
Cheers,
WhonixQubes