[Whonix-devel] Introduction - Rick
whonixqubes at riseup.net
Fri Jan 30 10:21:27 CET 2015
On 2015-01-30 1:19 am, secretsocket at nym.hush.com wrote:
> Thank-you. I have plenty of reading to do. I have read a little and
> have been aware of Qubes (and the invisible things).
> I do have a little question though, and I would be VERY interested to
> read any and all considered opinions on the matter but...does it not
> concern anyone that the NSA is one of the top 10 contributors to the
> Xen project? Also, more generally, what about SElinux? or any other
> project that gets worked on by those who do everything possible to
> have full visibility of everyone. For me NSA code running on my
> computer makes me very unhappy. I don't want *any* of it. I wish I
> had a better understanding of the motivations of both this contributor
> as well as why anyone would accept anything from them.
> I have a real hard time buying the line that they are trying to
> protect American business interests when it's been shown they work
> very hard to *comprimise* it. I am refereing to the shenanigans
> revolving request for backdoors in commercial products and trying to
> weaken encryption standards.
> Being a Qubes, developer I am hoping you have wrestled with this and
> have some insight.
> Anyway thanks again for this helpful reply. Please give me a little
> time to review this material. I don't want to polute the board.
Good question, Rick.
And, no problem, please do take your time to get well oriented. :)
I look at it like this...
Could Xen be compromised? Yes.
Could Linux be compromised? Yes.
Could Debian or other distros be compromised? Yes.
Could pretty much any other widely used code be compromised? Yes.
Their infiltration and exploit programs go so far, including corrupting
human beings, that no publicly available code is out of the question.
However, with that in mind, then I segment my perspective like this...
Where do they get the most return on investment?
I think the *higher* priority systems targeted for backdooring/etc are
going to align with market share.
So I think that Windows, Mac, iOS, Android, Linux, etc are all notably
*higher* priority targets for infiltration than Xen or Qubes, due to
getting to then own many orders of magnitude more systems/humans
throughout the world.
Broad return on investment for compromising Xen or Qubes is much much
lower, by comparison. And so Xen or Qubes is likely *less* of a target
Where do they effectively hide the bad code?
In the Linux kernel, there are tens of millions of lines of code to hide
a compromise in.
Xen only has ~1% of the LOC footprint of Linux to hide bad code in, so
it is much more auditable for security than most other operating
Even though they publicly contribute code to Xen, Linux, etc, I think
that they are *more likely* to do their fundamental exploits covertly
under alternative identities.
Because if multiple major compromises came out under their official
name, then they would completely ruin their name and public acceptance
of their publicly contributed code attached to their official identity.
So I think it is *more likely* that they use alternative identities when
compromising code in such systems.
And, thus, *EVERY* major system, especially those with the highest
market share and overgrown footprints are likely being "contributed to"
with bad code, specifically using covert identities.
So, I don't see Xen as being a special target, just because of the fact
that they also openly and publicly contribute code to it under their
They do have a dual mission to protect and infect, so I would expect
them either way to be contributing clean code to systems as well. But,
IMO, likely have a policy of typically not linking their fundamental
code exploits to their official public reputation. And they have more
than enough resources to establish and build false trust through many
alternative long-term code contributor identities.
Another key mode of attack is through secondary software packages or
drivers beyond the kernel.
With a monolithic system like Linux, etc, why not also just target
widely installed software packages that get escalated system privileges?
By design, with Qubes, the core system components are further broken up
into separate isolated security domains.
So it is a fundamentally tougher architectural challenge to compromise
software in the Qubes system that will then compromise the entire
The Qubes team hand picks each software component that goes into Qubes
Dom0. They keep the software profile extra lean by comparison, and I
think they probably compile all software packages from source, and offer
them via their own signed update repository.
Compare this lean profile of software and trust to the massive software
and maintainer organizational chart of other, especially monolithic
kernel distros, where there are tons more open doors to easily
Qubes is slow to update Xen on purpose.
I've read that Joanna believes that, except for critical security
patches, Xen should not be frequently updated.
I think part of this is so that there is time for vetting and trust to
be established for the Xen code base underlying Qubes.
The Qubes team, along with other Xen devs, are generally on top of Xen
security and personally rely upon it themselves.
The ITL devs personally have a history with exposing exploitable code in
Xen (ironically one of them in a disabled by default NSA module -- I
haven't looked into if it was suspected to be intentional or not).
See the following:
Good 2011 interview with Joanna, where she answers this question on page
"What happens if there’s a vulnerability in Xen and you can break out of
2008 ITL Blackhat presentations:
2008 Blog: Our Xen 0wning Trilogy Highlights:
Some other good information contained here:
So these are some of the perspectives I hold that still makes me at
least as, if not more, confident in using Qubes compared to something
like Linux, where any garden variety hacker, not to mention
state-sponsored, can own me through something as simple as a Firefox
0day or malformed document. Or, with state-sponsored, probably right out
of the box with all the massive amount of software and code in typical
bloated Linux distros.
To me, for the list of reasons mentioned, Linux distros, VirtualBox, etc
look much more risky than Xen or Qubes. And forget about commercial
Though I'd love to learn of an even better alternative than Qubes or
understand why Linux, etc is likely *not* or *less* compromised than
I'm just unaware of a better alternative.
More information about the Whonix-devel