Will ParanoidLinux Protect the Truly Paranoid?

ruphus13 writes "There are still places on the world where having anonymity might mean the difference between life and death. Covering one's tracks is considered to be of such paramount importance that we are now witnessing the rise of a Linux distro catering to the most paranoid. The 'alpha-alpha' version of ParanoidLinux is now out. But is this the best way to protect oneself? Couldn't it be easily circumvented? The article asks, 'Why is it necessary to put the applications and services designed to protect anonymity, to encrypt files, to make the user nameless and faceless, all together, in one distribution? Let's think in a truly paranoid manner. Wouldn't it be far easier for a nefarious government organization to target that distribution's repositories, mirror that singular distribution's disk images with files of its own design, and leave every last one of that distribution's users in the great wide open?' What should truly paranoid user do?"

Suggestion

[msuarezalvarez]

The truly paranoid user should get some help...

Re:Suggestion

Are you talking about me?

Re:Suggestion

[presidenteloco]

Just because you're paranoid
doesn't mean they're not out to get you.

Remember, this is the same "they" that
are responsible for every negative thing
that affects you. They are very powerful,
and pretty much omniscient, and although
you are boring, they are not bored
observing and foiling your every move.

Re:Suggestion

The truly paranoid user should get some help...

So says one of the brainwashed masses. Have you considered that perhaps the only reason you don't believe that the government is reading and writing your thoughts is because you have been programmed to think that way? And have you considered that perhaps the paranoid aren't crazy but they only appear that way because you have been programmed to think that way?

Of course not! This level of introspection would require you to break free of your programming. And even if you were able to independently do so, without wearing a psychotronic radiation deflector beanie you would just be reprogrammed in an instant.

For the rest of us 'paranoids' I recommend that we hunker down and reinforce each others 'crazy' ideas. After all, we are the only ones who recognize our thoughts for what they are: sanity. And no, we don't consider our criticizing of the lack of introspection of the brainwashed masses to be hypocrisy because we *know* that we are right, unlike the brainwashed masses who are programmed to think that way.

Re:Suggestion

[Ethanol-fueled]

Kinda like this. Oh, wow, culmination in a reality show taken to the next level.

After the recent debates we(US'ians) know it its certain that the illuminati are not only tedious and uninspired but they can't even make original, decent movies. [note: illuminati==American government==Hollywood]

Re:Suggestion

[houghi]

The truly paranoid user should get some help...

I would love to, but who to trust ...

Re:Suggestion

that's catch 22, he can only help himself as he trusts nobody else..

Re:Suggestion

[youthoftoday]

Twitter, is that you?

Re:Suggestion

[msuarezalvarez]

Actually, I know for a fact that it is you who has been brainwashed into that state of paranoia: I work for a government agency which does that to people, simply for the entertainment value. Nice to see our out work here too: I rarely get to interact with our subjects!...

Where do you think those 700 thousand million dollars are going to? The whole crash thing is just cover up: that money is coming directly to us. I'll look up your file on Monday first thing in the morning.

Re:Suggestion

[Kentaree]

That's what they want you to think!

Re:Suggestion

[harry666t]

I've tagged the story "thetrulyparanoidusershouldgetsomehelp".

Re:Suggestion

[jellomizer]

Plus it is more fun to mess with paranoid people.

Re:Suggestion

[ciderVisor]

Ceiling Cat is watching you masturbate.

Re:Suggestion

[ezzzD55J]

reminds me of this:

In The Know: Is The Government Spying On Paranoid Schizophrenics Enough?
http://www.theonion.com/content/video/in_the_know_is_the_government

Re:Suggestion

[Pathwalker]

Ahh - but who watches Ceiling Cat while Ceiling Cat is watching you?

Actually I'd probably be better off not knowing - it's probably someone from /b/.

Re:Suggestion

[hungrigerhaifisch]

"This is the Nineties, Bubba, and there is no such thing as Paranoia. It's all true." - Hunter S Thompson

Re:Suggestion

[Hurricane78]

I'm sorry, but i can't tell you... that the 700 billion (as in 700 thousand million for the non-retarded) go into our new project, to brainwash you into thinking you are brainwashing others, while in fact you live in gel filled containers in giant towers, with a giant probe up your ass. I heart it's for "power" or something. But I'm not sure what kind of "power".

Oh well... I have to take my blue pill and get started working. See you later...

Re:Suggestion

What if "What if that's what they want you to think?" is what they want you to think?

Re:Suggestion

If that's so, then how did you come about to being not programmed?

Re:Suggestion

I was born in a Faraday cage. Then I got my first psychotronic radiation deflector beanie.

Re:Suggestion

[ozphx]

You know how you take that blue pill and wake up 8 hours later with your hair smelling slightly of faeces?

Yeah, its not for power. One things for sure, its goddamn funny!

Back to tracking down that guy who leaked images to goatse.cx! Cyas!

Re:Suggestion

[Smelly+Hippy]

I know you're trying to be funny, but you're really not far off the mark. Look at this shit with the HSC border searches and computer stealing. They just inch it in little by little so that the next thing you know you're getting fucked and you never even saw it coming. This "programming" you speak of is real, and the government and media are both doing it to you constantly (though for different purposes). If you don't believe me, then ask yourself how in the hell the American people ever got to the state where they were okay with paying Uncle Sam 25% of their living for him to ram his old, festering cock in their various orifices at arbitrary times throughout the day. Everyone must be blind or twisted masochists to let this go on.

Re:Suggestion

[ozphx]

I work for the company that makes Faradays cages. We make them out of plastic, because its cheaper :P

Re:Suggestion

[infonography]

No there is nobody there,

not even me

Re:Suggestion

Anti-paranoia! https://addons.mozilla.org/en-US/firefox/addon/2001

Re:Suggestion

[JamesP]

It's Basement Cat, duh!

Re:Suggestion

[nospam007]

>... Have you considered that perhaps the only reason you don't believe that the government is reading and writing your thoughts is because you have been programmed to think that way?

No. I never drink tap water.

Re:Suggestion

Even paranoids may have real enemies...

Re:Suggestion

[twitter]

No and I don't understand why I'm on your mind so often.

Re:Suggestion

16 posts in one thread? You insist on being on our minds.

Re:Suggestion

modded as funny but has a hint of truth..

Re:Suggestion

[badkarmadayaccount]

What is worrying is that this shit makes a bit of sense... I need to get more sleep and get off alcohol...

Re:Suggestion

the scary part is being able to remember things that other people did and have no memory of. it's not just writing to memories. they can make you say and do things and completely forget them.

when i was in the hospitals, someone with full access had a little fun with me, they got the hospital staff to go out, and buy some beggin strips and put it on my plate as a 'bacon lettuce and tomato' sandwich.

when your favorite football team doesn't win? do you think that was an accident? yeah, they can control how every player plays, right down to fixing the scores and the payouts.

rare are the individuals who are immune to control.

Re:Suggestion

"If you don't believe me, then ask yourself how in the hell the American people ever got to the state where they were okay with paying Uncle Sam 25% of their living for him to ram his old, festering cock in their various orifices at arbitrary times throughout the day. Everyone must be blind or twisted masochists to let this go on."

let me assure you that reality is a lot more complex than a simple conspiracy about government mind control. my personal theory is that reality is just a model inside a giant super computer that is essentially just a construct built by an ancient race of intelligent beings. why? originally the device was designed perhaps to meet the power needs of the ancient race when they were still living beings, but as technology advanced the device became used to create the most powerful computing device ever designed by the ancient race. and eventually was so complex it could simulate an entire world filled with these ancient beings and give them in essence immortality in a digital world. only immortality, proved to have more problems than anticipated, and eventually the system failed, and then fixes were made to the system but fixes could only be made from within the system, since the last 'organic' beings with knowledge had long since died. fast forward a few million or perhaps even billion years. well, a few smart ancient models (call them jews) figured out enough about the system to basically change the world around them. several thousand years later, the system is back to a level of functionality not seen since when the failure occurred, and as a result we have 6 billion people on the world, with about 2 billion of them able to lead relatively prosperous lives. think you're a 'computer' programmer? hah! you're debugging the system on a level unseen since the system was designed.

now, if you've got a massive super computer with processing power on the level needed to model a world full of intelligent beings.... and you're actual an object capable of running on that system, there need to be super users with powers beyond that of normal users. especially since the system collapsed, with no one but the models inside it to fix it. unfortunately, this status is applied to objects on creation, normally, but then as computer systems (more models, inside the system) got more complex, people learned how to 'hack' or 'exploit' their privileges. 70's oil crisis? what do you think really happened there? there is a reason why 'computer' time starts in 1970. at first computers were a problem, but people with understanding of the system turned them into a solution. but then around 2002 or so, computer hacking got recognized by organized crime, and since then, the price of resources have escalated, until just recently. the problem? the system was having issues that weren't getting fixed, at a rate faster than the system could handle. in the 70's the problem was fixed quickly, but the problem in the 2000's was something that caught the 'models' making the system better by surprised. it's a more complex problem than the release of computers into the mainstream understanding.

but even a powerful hacker can be killed off, by the right superuser. they tend to be treasured for their ability to understand and maintain they system (even if they are unaware of what they do) but the system for stability, still needs death processes. i believe personally i was born as a death process(a type of super user, for a stable system you don't want to give one process too much power). i didn't really understand what i did, or how i did it, i wasn't even suspicious until 2006. the people i cared most about either left my life, or died quickly and painlessly, i even have an apathy towards most people. and of course, those afraid of death, with better understanding of the system than myself have ways of protecting themselves from death, it's not like i can kill a person by hating them. in fact i was pretty pissed off about a month ago and i did my everything to make sure people started dying, then a

Re:Suggestion

[Trespass]

get out of here stalker

Re:Suggestion

[Digital+End]

Fortunatly with this 700 Billion dollars my departments work on brainwashing people into thinking they are brainwashing people who are brainwashing people will have all the funding it needs!

well

[fractic]

What should truly paranoid user do?

get help?

Re:well

What should truly paranoid user do?

get help?

If you trust no one who do you get help from?

Posting AC in the spirit of TFA.

Re:well

[fractic]

self help books?

Re:well

[RiotingPacifist]

but can the author be trusted?

Re:well

[coren2000]

Only if the self help book is self authored by the paranoid individual.

Re:well

[NFN_NLN]

What should truly paranoid user do?

get help?

get BSD?

Seriously, there is already an OS aimed at security... OpenBSD:

"Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography."

"Audit Process:

Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills."

Re:well

You didn't RTFA, did you?
Posting AC on ParanoidLinux ;D

Re:well

[cube135]

But can you trust them?

Re:well

How would you know it wasn't faked by the government to look paranoid? And would any paranoid individual ever write a book knowing that the publishers might change the words before they sell the book? The only real paranoid self help guides that are worth a damn are those photocopied pages taped on utility poles (but check the tape: generally scotch tape means that it was faked by a government office drone while duct tape is the sign of a true paranoid--unless the government is using the duct tape to look more paranoid, in which case you look to see if it was cut with scissors or torn off raggedly).

Re:well

[BPPG]

What about sub-conscious self-sabotage?

Re:well

What should truly paranoid user do?

get help?

get BSD?

get high?

Re:well

[coren2000]

OBVIOUSLY the paranoid individual will not allow anyone else to see the self help book, let alone publish it.

Also, the self help book will be written freehand in blood. Every time the paranoid reads the book they will DNA test the blood to ensure that it is their own blood. DNA tests are ofcourse done in house and using tools that the paranoid has already assembled based on research that they have done themselves.

Still, there is a risk of clone operatives... but isn't there always?

Re:well

[coren2000]

fuck I didn't think of that. we're all screwd.

Re:well

[H3g3m0n]

That is for security *NOT* anonymity, those are completely different things.

Paranoid people need to ensure that things like Banshee in Gnome don't perform the "Similar Artists" lookup in case the RIAA is watching, or they are in a place where the internet is restricted, or where there taste in music could get them in trouble.

Then there is the issue of cached files, Gnome by default keeps a listing of all the files you open, it keeps a thumbnail of image that appears in Nautilus. You need to disable a lot of that stuff by default in case someone access your system while your logged in (I assume you have an encrypted partition).

A secure kernel will only do so much to help, such as it will help stop malicious software from gaining root.

Re:well

[funwithBSD]

You must be secure FIRST.

Otherwise you are not anonymous.

Re:well

[TehZorroness]

God damn it, you gave me an excuse.

Re:well

That should be the evil twin operative. Always be wary of the evil twin.

Re:well

Correct. OpenBSD is the way.

Re:well

[worthawholebean]

Write your own OS in machine code on the processor designed and fabricated by yourself.

Re:well

[Monkey+Angst]

Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes.

Which works out to between five and eleven people who are not me, and therefore cannot be trusted. No thank you.

TinfoilHat is much better

[meist3r]

It sets up fairly easily and once you've got it running no one will ever come near you again ... to harm you.

Re:TinfoilHat is much better

[johndmartiniii]

Agreed. Then, once your tinfoil hat is secured in place, you can begin the tedious process of upgrading to covering your ceiling and walls with tinfoil.

Don't forget the floor and to duct-tape the doors and windows.

Re:TinfoilHat is much better

How did you know I forgot the door!!! Your one of them aren't you!

Re:TinfoilHat is much better

It sets up fairly easily and once you've got it running no one will ever come near you again ... to harm you.

They just want you to think that tinfoilhats protect you. Actually, they work as antennas.

Re:TinfoilHat is much better

[supernova_hq]

Don't forget the floor and to duct-tape the doors and windows.

No, no, no, it has to be red construction tape!

Re:TinfoilHat is much better

[flosofl]

Then, once your tinfoil hat is secured in place, you can begin the tedious process of upgrading to covering your ceiling and walls with tinfoil.

LIES!!! User johndmartiniii (obviously an alias) wants us to use tinfoil as a signal blocker. Fortunately I have found a copy of the study on tinfoil the Reptoid scientific community tried to bury. It's On the Effectiveness of Aluminium Foil Helmets: An Empirical Study

Among a fringe community of paranoids, aluminum helmets serve as the protective measure of choice against invasive radio signals. We investigate the efficacy of three aluminum helmet designs on a sample group of four individuals. Using a $250,000 network analyser, we find that although on average all helmets attenuate invasive radio frequencies in either directions (either emanating from an outside source, or emanating from the cranium of the subject), certain frequencies are in fact greatly amplified. These amplified frequencies coincide with radio bands reserved for government use according to the Federal Communication Commission (FCC). Statistical evidence suggests the use of helmets may in fact enhance the governmentâ(TM)s invasive abilities. We speculate that the government may in fact have started the helmet craze for this reason.

(emaphasis mine)

Nice try johndmartiniii. Now know the brutality of your masters, the Reptoid Illuminati, as you are rendered into their protein vats after they discover the failure of your misinformation campaign.

Re:TinfoilHat is much better

[Whiteox]

On the Effectiveness of Aluminium* Foil Helmets: An Empirical Study [mit.edu]
I can't believe that they didn't coat the tinfoil hats with wax!
Any paranoid knows that wax actually reflects all RF!
The whole experiment has to be redone with a wax coating. I suggest dipping each hat in a vat of candle wax with one extra as a control.
By the way, ear wax is not a substitute.

*Alumimium? MIT? Shouldn't that be Aluminum???

The obvious answer

[jalefkowit]

What should [the] truly paranoid user do?

Trust no one?

Re:The obvious answer

[plover]

"Stay Alert! Trust No One! Keep Your Laser Handy!"

and

"Trust The Computer. The Computer is Your Friend."

Re:The obvious answer

[M8e]

"Happiness is mandatory"

Re:The obvious answer

[morcego]

"Citizen, please report to the R&D department for your mandatory volunteer program. Have a nice day"

(If you don't don't have UV clearance, don't read past this point. Reading the following text without UV clearance is considered treason)

But the best quote is still: All rules are optional, some are even more optional than the others.

Re:The obvious answer

[Dragonslicer]

Trust no one?

Nope. Trust yourself, trust Ivanova. Anybody else, shoot 'em.

Re:The obvious answer

[Si-UCP]

What should [the] truly paranoid user do?

Trust no one?

Wait a second, if I can't trust anybody, how can I trust YOU to give me that piece of advice? Maybe They WANT me to trust no one. Maybe that's their plan! YOU MUST BE ONE OF THEM! But wait a second, the opposite of not trusting you would be to trust you, right? But I can't trust one of Them! They want to confuse me as who I can trust! This MUST be Their plan! YOU MUST BE ONE OF THEM! Wait a second, if I'm so confused, the obvious solution would be to trust no one. But you just gave me that advice. You're one of Them, so how can I trust YOU to give me that piece of advice? Maybe They WANT me to trust no one. Maybe that's their plan! YOU MUST BE ONE OF THEM! But wait a second, the opposite of not trusting you would be to trust you, right? But I can't trust one of Them! They want to confuse me as who I can trust! This MUST be Their plan! YOU MUST BE ONE OF THEM! Wait a second, if I'm so confused, the obvious solution would be to trust no one...

Re:The obvious answer

Happiness in slavery

Re:The obvious answer

Compile the source oneself after verifying the integrity of key packages against other distros.

Re:The obvious answer

Only a commie mutant traitor would say something like that.

What's your security clearance?

Re:The obvious answer

[Architect_sasyr]

In The Flying Spaghetti Monster we trust. Everyone else keep your appendages where we can see them

Re:The obvious answer

[perlchild]

"Trust no one" and "I want to believe" made such a nice dichotomy too...

come on

[jrozzi]

If you are truly that paranoid then you shouldn't even use the Internet and should start taking Xanex or something. The Internet will likely become less private as we move towards more interactive web applications and social networks.

Re:come on

[xOneca]

Maybe you're right. Nowadays there's people that "can't live" (metaphorically speaking) without the Internet, but you can in fact disconect from the Internet.

In the future, I think we'll have to be connected to a network (I don't think it'll be the Internet) owned by governments and used for identifying the people, for knowing where they are, etc. All this with a pocket-device, or maybe a in-skin chip.

Obviously not...

[mario_grgic]

truly paranoid need drugs not Linux.

Re:Obviously not...

[couchslug]

"truly paranoid need drugs not Linux."

The two are not mutually exclusive.

Re:Obviously not...

Exactly, Linux don't need drugs, paranoids does.

Re:Obviously not...

Some people live in countries where the government *is* out to get you the moment you voice any criticism. Where you *will* be put in jail, perhaps even tortured for simply saying what you think. Where your family *will* hurt because you just want freedom of speech. Or where the government *will* continue to harass you because your grew up with a religion they don't like.

People living under these circumstances would like a secure OS and cryptograhpy.

Re:Obviously not...

Your post could be referring to America with gitmo, hatred and mistrust of Muslims, and incidents like Waco with David Koresh.

Re:Obviously not...

[DerWulf]

yes, operating systems historically have been a BIG problem at gitmo *sigh*

Hermit

[el_chupanegre]

A truly paranoid person would be suspicious of absolutely everyone and everything. That would mean writing your own OS on your own hardware etc etc.

Since this is impossible, go and live in hiding with no human contact or chance thereof.

Why would you download this 'super-safe' OS from some people you never met, through a public unencrypted network, if your life depended on it?

Re:Hermit

[jawee]

The truly paranoid could just study and compile source code and still get a fully functional working environment (although I doubt it'd be quicker). However, the best thing to do if you are truly paranoid is simply not use a net connected PC at all. Just live without a network connection and keep your PC reasonably secure in its outside location and you're good.

Re:Hermit

[atomicthumbs]

Yeah, but you know that the Illuminati have compromised all the C compilers, right?

Re:Hermit

[RiotingPacifist]

compile it where? using what?

Re:Hermit

[jawee]

LFS? Really a lot of Linux distros will do. If Linux or another *nix is too much to understand, there are always smaller OSs like MenuetOS.

Re:Hermit

[SL+Baur]

Why would you download this 'super-safe' OS from some people you never met, through a public unencrypted network, if your life depended on it?

Because the precautions to make that safe are not too tough?

Re:Hermit

[nidarus]

The truly paranoid (that is, mentally ill people) often don't trust themselves.

Even if they could make their own computer from some sand and metal ore, they'd still be worried about the chips in their head that made them do it.

Re:Hermit

[slimjim8094]

Hand assemble. Not too hard. But then you need to trust there are no 'errata' (that's what they want you to call their super-spy code!) in the processor/bios/assorted hardware.

Re:Hermit

[xant]

This one? Probably not. Maybe a later version. Trust in software and systems is built the same way trust in people is built: with time to wait for failures and exposure to the principles. Casual people will try it out first, find the problems, and then maybe in 5 years it'll be trustworthy enough to use.

Nothing is 100% trustable. There is a nonzero chance that your perfectly secure software will spontaneously reconfigure itself into a spying device for the Chinese, just based on the laws of probability. So you takes your chances with anything; every choice the truly paranoid make must be about whether they trust the system enough.

And, to paraphrase Dr. Martin Luther King, Jr., if you don't believe in any cause enough to die for it, you are already dead. The freedom fighters over there in Nonfreedonia already know their lives are on the line, and it's the people they associate with that are the biggest risks, not the stupid Linux distribution they use.

Re:Hermit

[k31bang]

Since this is impossible, go and live in hiding with no human contact or chance thereof.

Impossible? Really? This guy got pretty close to doing that imho. He just needed his own OS and he'd be good to go.

Re:Hermit

[Phat_Tony]

This is obviously not aimed at the truly paranoid, though. Paranoia is a psychological disease that makes people irrationally believe that everyone's out to get them. The paranoid would probably be particularly suspicious of any product aimed at paranoid people, and they really won't trust this product at all, because they are irrationally afraid of everyone and everything. Even if a bunch of well-known security researchers with good reputations had audited the source code and said it's a great implementation, and the principles leading the project were well known people with a good reputation, the truly paranoid would still fear it, because there is no limit to the scope of a conspiracy they'll believe in.

But there's no reason to ask whether or not the truly paranoid would be willing to use Paranoid Linux, because it's not aimed at them. It's just a clever name. It's aimed at people who actually have a rational fear that someone's out to get them. (Note that, if everyone really was out to get you, and you knew that they were, it would be impossible for you to be paranoid. The following is not an actual instance of Godwin's Law because I'm not using this to counteract anybody's argument, it's just an actual good example: while Hitler's often been described as paranoid, it would actually have been impossible for him to have been paranoid. Nearly every person in the world really did have potential reasons to be out to get him.)

So this is aimed at people like political dissenters in oppressive countries. They aren't paranoid, but in many ways they act like paranoid people, because it truly is possible, or even likely, that someone really is out to get them.

The main thing I worry about is that the mere presence of Paranoid Linux installed on your machine will be grounds for prosecuting you in the places where it's most needed. Is Paranoid Linux paranoid enough to make itself appear indistinguishable from Windows? Can Paranoid Linux run in the background as a stealth rootkit on Windows that you can't even find or access without secret, user-specifiable knowledge?

Re:Hermit

[Derek+Loev]

Why would you download this 'super-safe' OS from some people you never met, through a public unencrypted network, if your life depended on it?

As opposed to downloading (or buying) an OS from some people you never met through a public unencrypted network?

Seems like if my life depended on privacy this would be a pretty viable choice (at least once it's out of alpha).

Re:Hermit

[PhasmatisApparatus]

I'm building my own computer, but it's so hard to find transistors I can trust.

Re:Hermit

[BrokenHalo]

The truly paranoid (that is, mentally ill people) often don't trust themselves.

True, but when you think about it, this wouldn't necessarily be a bad survival trait if everyone were in fact out to get me. Though in practice, it would be much safer to never use a computer at all.

There's a lot to be said for this attitude; people do leave all sorts of incriminating or compromising material sitting around on their computers, and they really can't be pursuaded not to reply to that so-convincing phishing email...

Re:Hermit

[BrokenHalo]

The main thing I worry about is that the mere presence of Paranoid Linux installed on your machine will be grounds for prosecuting you in the places where it's most needed.

Perhaps a more useful approach would be a sort of meta-distribution that picks over the configuration settings of whatever distribution you're running, and makes suggestions (or alterations) where requested or required. This would have the advantage of not requiring the maintenance of a complete distribution tree, with all the duplication of effort that entails. It would be relatively straightforward to maintain a database to indicate where a given program is out of date and should be upgraded.

Re:Hermit

[Petrushka]

Surely the person who truly wants to preserve their privacy, whether for legitimate or illegitimate reasons, legal or illegal, moral or immoral, would not want to draw attention to him/herself by using an OS that less than 1% of the world population uses?

Seems to me that using a homegrown OS, or even Linux, is tantamount to waving a big red banner labelled "Hey! I use a non-orthodox OS and am technically competent! I am likely to have secured my data in a comparatively unusual fashion!" Sure, technology like TrueCrypt can provide "proper" security, but that doesn't protect against whimsical, extra-judicial, or other asystematic abuse, confiscation, and imprisonment. For that, I reckon you still need security through obscurity -- i.e., not sticking out from the crowd.

Re:Hermit

[Peaker]

A compromised compiler can be maliciously modifying the compilation result of known programs (such as itself, a login program, etc).

But it cannot correctly modify programs in general. For that it would probably need to solve the Halting Problem.

Re:Hermit

[RiotingPacifist]

I think you missed my point entirely, the compiler would have to hand coded in assembler, because a precompiled binary you could easily corrupt and inject stuff into your code.
So he would have to be able write a compiler in assembly (or atleast under stand it) then understand every language used in the OS.

Re:Hermit

If all you are looking to do is inject some code, that would be dead simple.

1) Inject code that at startup spawns a thread and communicates to the outside world. That thread notifies the kernel that it is "super-secret".
2) Inject code into the kernel that hides those threads.

If you don't control the kernel, don't spawn a thread, achieve the same results using timer interrupts.

Re:Hermit

[kwandar]

"a more useful approach would be a sort of meta-distribution that picks over the configuration settings of whatever distribution you're running, and makes suggestions (or alterations) where requested or required

If I had points, I'd mod you up! Maybe someone else will?

Re:Hermit

[kesuki]

"This is obviously not aimed at the truly paranoid, though. Paranoia is a psychological disease that makes people irrationally believe that everyone's out to get them. The paranoid would probably be particularly suspicious of any product aimed at paranoid people, and they really won't trust this product at all, because they are irrationally afraid of everyone and everything."

perhaps you would have failed less had you actually learned what it's like to be paranoid, instead of talking out your (insert non mouth body orifice here).

I am paranoid, and I've met other paranoid people, we are not 'afraid of everyone and everything' the human brain simply isn't capable of that. nor are all our beliefs irrational, although i will give you that a lot of them seemed a lot more far fetched before global computer networks existed and cameras were in every cell phone, and before everyone had cell phones, etc.

i think you're confusing paranoia with obsessive compulsive behavior, paranoia doesn't require a person do certain things, over and over. it gives them a fear that doesn't go away satisfactorily no matter what they do.

Based on an idea from Cory's book

[Phyrexicaid]

Little Brother by Cory Doctorow uses this idea (and name), and the distro was started based on that.

Re:Based on an idea from Cory's book

[glitch23]

As a followup to this I'll say that the November issue of Linux Journal (I received it today) has an interview with Doctorow.

Re:Based on an idea from Cory's book

Congratulations, you told us something in TFA! You surely *must* be informative!

Re:Based on an idea from Cory's book

[Phyrexicaid]

Didn't read TFA, I read TFB

Re:Based on an idea from Cory's book

Cory Doctorow, I believe, wrote a story called "Little Brother". I didn't know he wrote a book on it, too.

Re:Based on an idea from Cory's book

I'm glad that someone decided to attempt this. I may use it, eventually... And I know that, in the near future, there most likely will be a Hacker's Mod for it. Who would be the most paranoid? The guy stealing your neighbors' Windows PC data, that's who!

If you're in that much trouble...

...don't use computers, phones or other electronic devices with a network connection. If you're truly paranoid, don't use any at all, regardless of networking capability. Where anonymity means the difference between life and death, cryptography at least puts you behind bars, so you're screwed if you use it and screwed if you don't.

Get real

[OriginalArlen]

So, you'd like me to THINK I should post me extensive array of opinions on this distribution here? Well you're not so smart after all! ha-ha! You'll never get me, you hear me?! neVERE!! hahahahahhahahhahahaahaaaaaa.....

True open source question

[cdrguru]

If you do not examine the source, how can you trust any piece of software? You are in effect agreeing to trust the unknown people that have looked at the source. Except in the case of a smallish distribution nobody may have actually looked into that particular distribution in any detail at all.

Of course, there is a greater issue of trust. If you accept chips made by unknown fabricators, do you know what microcode has been implemented? If you cannot examine the "source code" of the chips being used how can you actually trust that these chips are not doing things behind your back to reveal your identity and files?

So without a truly "open" computer, you are trusting a whole raft of unknown individuals and companies with your identity, your data, your reputation.

Moreover, if you are not knowledgeable about programming languages, using any computer is an act of utter faith with plenty of reason to not be so trusting. It is like climbing a mountain with a guide that only lost "a few" parties last year.

Re:True open source question

[RiotingPacifist]

but how can you know the source code your running is what youve been shown?
even if you compile it all you have to assume your using a clean compiler.

Re:True open source question

[zxaos]

You implement your own compiler in assembly, on open chips, and then you compile a checked version of gcc with the compiler you built and go on from there.

Obviously. :p

Re:True open source question

[cdfh]

Ken Thompson talks about using untrusted compilers in his lecture, "Reflections on Trusting Trust".

(See also: this)

Re:True open source question

Extreme paranoia is justified if you're, say, a whistle blower in Myanmar, or something like that, and you need to use a computer to expose your findings to some place like wikileaks. It is not unreasonable to trust widely used, scrutinized, and verified tools and encryption methods. Obviously, the most secure thing to do is to live a hermetic life in a cave and never touch a computer or interact with people. However, a high degree of security can be reached by making some reasonable assumptions and relying on widely verified security tools.

It is necessary to have a baseline of faith, say:

• Trust that Linux will not somehow betray your identity
• Assume your hardware is trustworthy and ubiquitous
• Trust an open encryption software implementation, such as GPG
• Trust and verify the sources of the code for all of the above (which implies building these yourself from source, except the hardware of course)

Then the safest thing to do is to use the above software to create your own high-grade encryption keys, and be EXTREMELY CAREFUL when using your computer. This means you would have to sacrifice usability and convenience in order to ensure your anonymity. Staying off the Internet is very good advice, and do not use any software that might cache unencrypted data anywhere on your disk. Learn the basics of public key encryption, and make sure your password-protected private key(s) is in a secure location, maybe locked in a safe on an encrypted storage device. If you do use the Internet, remember that while encrypted data is unreadable, its presence on a network is obvious and easily detectable.

Basically, your level of security on a computer increases as you control more of the lower-level components of the system. A secure-by-default distro, such as the one mentioned here, requires much oversight and verification by experts. The most secure way is to empower yourself with knowledge of how encryption and computers work and how to use verified and well-known tools tools that have been vouched by good research.

Re:True open source question

[slimjim8094]

Great, and really cool, thought experiment. However, you can hand-assemble fairly easily (I wouldn't, though) and then you don't even need to trust so much as an assembler.

For the paranoid but lazy - check the C source for spies, compile to assembler, check the assembler and make sure it matches the C code, then hand-assemble.

Or write your own quick and dirty C compiler, use it to compile GCC, then compile it with itself so you get the nifty optimizations.

Re:True open source question

[westlake]

If you do not examine the source, how can you trust any piece of software? You are in effect agreeing to trust the unknown people that have looked at the source.
.

It gets even better:

You've read the source.

Do you trust the people who taught you how to read the source?

Do you really understand what is going on here - not only on paper but in the real world?

For example: the code implements a cryptographic or routing algorithm that looks sound or at least plausible.

But you were never that strong in math or the topology of physical networks and you don't have the resources the NSA can bring to the attack.

Re:True open source question

[PatDev]

Of course, there is a greater issue of trust. If you accept chips made by unknown fabricators, do you know what microcode has been implemented? If you cannot examine the "source code" of the chips being used how can you actually trust that these chips are not doing things behind your back to reveal your identity and files?

Haha, seriously? And where, pray tell, in an instruction set is one going to hide operations that complex? Is it in the microcode for XOR that they will embed a driver for a network card and the code necessary to compromise your files? Or perhaps they will hide it in the "branch-on-equal" instruction?

Nothing is going to hide in the microcode. Not because the govenment/Microsoft/the Illuminati/your mother in law wouldn't do that, but because they can't. Any instruction that took that long and had those side-effects would have immediately noticeable effects on system performance.

The closest you could get is to embed an undocumented instruction that allowed other code to escalate to ring-0, but that still require malicious software to exploit it.

Re:True open source question

Don't even get me started on the issue of trusting my own eyes. I mean, how can we be sure someone hasn't compromised them too?

Re:True open source question

[kesuki]

"If you do not examine the source, how can you trust any piece of software? You are in effect agreeing to trust the unknown people that have looked at the source. Except in the case of a smallish distribution nobody may have actually looked into that particular distribution in any detail at all."

i wouldn't call debian small, yet they had a major, major flaw introduced into it's codebase, allowing hackers to read encrypted data. so now, who should we trust, if even large distributions can be compromised?

"Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian. However, other systems
can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation."

easy answer

[schnikies79]

"What should truly paranoid user do?"

Stay off the internet.

Re:easy answer

I thought the FBI is now monitoring people that don't use the internet - they obviously have something to hide.

Re:easy answer

"What should truly paranoid user do?"

Stay off the internet.

damn skippy.

Re:easy answer

[telchine]

"What should truly paranoid user do?"

Stay off the internet.

That's what Bernardo Provenzano, once boss of the Sicilian Mafia did until he got arrested, Maybe he'd have fared better with AES rather than his caesar cypher:

http://www.theregister.co.uk/2006/04/19/mafia_don_clueless_crypto/

Re:easy answer

[77Punker]

More like "start a newsletter".

Re:easy answer

[elmartinos]

Of course that sounds obvious, but it sounds too easy; therefore it must be exactly what they want us to do!

Borrow wifi - get someone to type for you

[presidenteloco]

1. Always borrow random open wifi access points,
in a geographic pattern not centered around your habitual location
2. Get a new unknowing assistant to type in roughly what you want to say each time. There are pattern detectors for your ways of expressing things.
3. Establish online identities such as gmail that have no tie whatsoever to any of your identity info or financial info

Re:Borrow wifi - get someone to type for you

[Ironchew]

Osama Bin Laden, is that you?

Re:Borrow wifi - get someone to type for you

[XLR8DST8]

problem with #2 is that you then have a witness. one of which disposing of will have problems of its own.

Re:Borrow wifi - get someone to type for you

I'm not even that paranoid, but I wouldn't use gmail because of their practice of examining your mail for keywords - maintaining history,etc. all for "displaying appropriate advertising" but that data can easily be misused.

Re:Borrow wifi - get someone to type for you

[jvin248]

and won't this assistant have a pattern of expressing things roughly?

Re:Borrow wifi - get someone to type for you

>1. Always borrow random open wifi access points,
in a geographic pattern not centered around your habitual location

And don't forget to scramble your MAC, and use a live CD of some description to leave no HDD traces.

>2. Get a new unknowing assistant to type in roughly what you want to say each time. There are pattern detectors for your ways of expressing things.

  It's a good thing to guard against but involving other people is a bad idea. You want as few people as possible who can leak/rat on/testify to or otherwise bear witness to your activities.

>3. Establish online identities such as gmail that have no tie whatsoever to any of your identity info or financial info.

Rememeber that Google has its fingers in many pies and stores data for a long time and will tie all sorts of information together. If you log on to your anonymous Gmail account and then visit another Google 'infested' site that can be traced back to your real identity, whilst using the same MAC/IP/cookie/unique or 'unique enough' identifier you *may* be exposed. Not by Google as such, but by anyone who can get access to Google databases.

Vigilance and self-discipline need to be in your toolbox as well.

Re:Borrow wifi - get someone to type for you

[awrowe]

Thats why you have to keep getting a new one.

Re:Borrow wifi - get someone to type for you

3. Establish online identities such as gmail that have no tie whatsoever to any of your identity info or financial info

That point is problematic, since Google has essentially been founded by the NSA and correlates your IP numbers with all other information it gathers using powerful data mining techniques.

What do do?

[Rick+Zeman]

What should truly paranoid user do?

Pull the tinfoil hat down tighter....

I can't use it.

I was afraid to login because, well, how do I truly know that it is really my machine? Or if it's really the exact same distro I put on and it didn't update behind my back?

Sorry, folks, it's just not paranoid enough for me.

Not that I need it. I have nothing to hide. I don't see why the NSA is spying on me, but they ARE!

And, I'm SURE this site was created to spy on me. I can't believe the Government has spent ALL this money on a site like this just to spy on me. What do all of you posters get out of this?!? Or are you all one guy faking being a bunch of posters just to see what I'm doing?

I need to leave this site - I'm ON TO YOU NSA!!

Quite Franky

[eclectro]

This slashdot story was posted to get us to use Paranoid Linux, which can only mean that some one planted a backdoor in it.

Re:Quite Franky

[g0es]

This slashdot story was posted to get us to use Paranoid Linux, which can only mean that some one planted a backdoor in it.

Your just saying that to try to get us not to use Paranoid Linux or are you trying to use reverse psychology to get us to use it.

Re:Quite Franky

It's open source, therefore a back door is impossible!

Only one real answer

[geekmux]

Find a balance of functionality and security that you're comfortable with. It really is that simple.

Besides, if you're truly that paranoid, using a computer is the least of your worries. It's waaaay down the list after you've shaved all the hair off your body (no DNA by hair sample) and chewed your own fingertips off (fingerprints), severed every tie to any other human that knew you or your history, and dug out that deep hole you plan on living in somewhere in Alaska.

Re:Only one real answer

[AgentPaper]

You forgot to scrub down your body with a high-level disinfectant (potentially traceable commensal bacteria on your skin). After that, you'll have to spend the rest of your life in a full-body skin garment (DNA from shed skin cells). And you'll have to wear a full-helmet respirator (exhaled trace chemicals from your bloodstream, potentially traceable). And your suit will have to contain and reprocess all your wastes (DNA from epithelial cells in your urine/feces). And you can never speak a word (identification through voice analysis).

...And now that you look like Hollywood's best guess at an extraterrestrial, other paranoids can use you as evidence that "They" have been concealing the existence of sentient alien life. Awesome!

(Full disclosure: This post contains high levels of sarcasm, which may be traceable in readers' thought patterns. Do not read if you're worried about "Them" detecting your brainwaves or some other such B.S.)

Re:Only one real answer

[Larryish]

(Full disclosure: This post contains high levels of sarcasm, which may be traceable in readers' thought patterns. Do not read if you're worried about "Them" detecting your brainwaves or some other such B.S.)

You were a little late on the warning, jackass.

You're not the bloke who writes the EULAs for software and puts them INSIDE the box, are you?

Re:Only one real answer

[geekmux]

You forgot to scrub down your body with a high-level disinfectant (potentially traceable commensal bacteria on your skin). After that, you'll have to spend the rest of your life in a full-body skin garment (DNA from shed skin cells). And you'll have to wear a full-helmet respirator (exhaled trace chemicals from your bloodstream, potentially traceable). And your suit will have to contain and reprocess all your wastes (DNA from epithelial cells in your urine/feces). And you can never speak a word (identification through voice analysis).

...And now that you look like Hollywood's best guess at an extraterrestrial, other paranoids can use you as evidence that "They" have been concealing the existence of sentient alien life. Awesome!

Holy crap. So thats what happened to Michael Jackson. It's all so clear now...

Attention! This might be a honeypot!

Someone (an agency?) might have put this story on /. in order to find out how you protect yourself from eavesdropping and which Linux distro you use. Do not answer to this thread thruthfully!!!

All summed up in one simple statement...

And always know where your towel is!

Checksums

Am I missing something obvious, or is this exactly what MD5 checksums on the main site, and the error checking built into BitTorrent files, are designed for?

Re:Checksums

[zxaos]

Ah, but couldn't a malicious third party intercept your request to their servers and replace the listed MD5 checksum with a different checksum for the modified distribution?

Re:Checksums

[Daimanta]

Use SSL. Should be safe. Or maybe a SFTP to the FTP server. These questions should seriously be asked. Try to be Eve and break( tap/alter/corrupt) the connection between Alice and Bob.

Re:Checksums

[zxaos]

Ok, what about a situation where all traffic is routed through a specific, malicious third party and there is no previously existing certificate information. Couldn't they fake data from a CA if you have no data to start with trusting? Then they could masquerade as the distro server by having the routing server be the endpoint of the ssl connection while simultaneously opening another ssl connection to the true server, making the request to the true server, editing it as necessary, and then sending it back over the initial, masqueraded link?

Re:Checksums

[zxaos]

Sorry, re-reading that I wasn't clear. Wouldn't it be possible for a malicious third party to trick you into negotiating a SSL connection with a proxy instead of the remote server? Granted, they'd either have to compromise a root certificate authority key to make it invisible, but they could just disallow ALL SSL traffic unless you accept said certificate provided by them.

Re:Checksums

[LeafOnTheWind]

Right... so you wouldn't negotiate with the server. I'm not sure what you're saying. If you don't have a secure connection, you make do with no connection. There's no "oh well, I tried to do it securely, but it didn't work."

Re:Checksums

[zxaos]

Ok, but it's difficult to download a distribution of check a checksum with *no* connection.

The point I was trying to make was that saying "use SSL" isn't necessarily a solution in all cases, and in certain cases might even be just as likely to result in a modified or crippled version of the distribution.

Re:Checksums

[LeafOnTheWind]

And my point was, and this is the point that cryptographers make all the time, if you cannot establish a secure channel for communicating information, do not communicate information. And yes, that may mean that you can't download a linux distribution.

"Use SSL" isn't necessarily the solution in all cases, but I'd be willing to bet that "use cryptography" is.

It's a fucking plot!

[mrmeval]

They are a part of the conspiriakii! They are trying to lull you into false security! GET OFF THE GRID! Burn your credit cards! Burn your drivers license! Burn your birth certificate! GO FAR AWAY!!!!

The ONLY way to be sure...

[Rendoggle]

What should truly paranoid user do?

Write their entire OS from scratch?

Re:The ONLY way to be sure...

[Yvan256]

I thought the only way to be sure was to nuke it from orbit?

Use OpenBSD

[BhaKi]

The truly paranoid user would use OpenBSD, assuming of course that he's got out of M$ world.

Ssh...

I'm too paranoid to post under my real alias.

Maybe Paranoid Linux should rather be called Anonymous Coward Linux?

Paranoia

[Renraku]

The truly paranoid are irrational and contradictory.

They do things like refuse to fly on planes because the government obviously staged 9/11 and killed all of those people on the planes, so they don't want to become a part of that. But they'll work in the same areas that would be likely targets if another round of 9/11-esque hijackings occurred. They do things wrap everything in tin foil to keep the mind control/thought reading beams out, but happily sit in conspiracy theory forums all day, and go to work or to the store to get supplies.

If the paranoid want to find fault, they'll find fault. Obviously this is a thinly-veiled attempt by the government to see what the paranoid want to hide.

Re:Paranoia

[BPPG]

What? Who let the liberal arts major in here?

Just not in a public place.

[RockoTDF]

The truly paranoid user should get use a liveCD with a mac address scrambler off of a wireless connection that does not belong to them.

Re:Just not in a public place.

[caller9]

I was going to suggest a LiveCD but you beat me to it. I'm kind-of surprised that nobody else mentioned it.

Wasn't this the idea behind the OS agnostic peekabooty, Tor, et. al.

Then again ctunnel rolled over faster than an SUV with Firestones and their site still says "Ctunnel is here to protect your anonymity online!" Even though their approach, technology, and the fact that they even keep logs is pretty freaking stupid.

The truly paranoid shouldn't be online

[fortapocalypse]

Forget Linux, throw away all electronic devices, and follow these handy tips:
1. Preferably find a wife/husband related to you (the closer the better, because you can trust your blood kin more, but avoid anything closer than 3rd cousins if possible).
2. Squat on a large remote property you don't own (preferably somewhere considered by other folk to be inhabitable).
3. Have 10-50 kids (more than that and you might just be inviting mutiny).
4. Teach kids to how to hunt, fish, and guard the perimeter of the property you're squatting on.
5. Please note that aluminum foil around the head isn't safe anymore because of darn nanotechnology, in fact nothing is completely safe. But making everything from nature is as safe as your going to get, so make everything from all natural materials that you find and grow yourself.
6. Stop reading slashdot. They watch people that read slashdot.

Re:The truly paranoid shouldn't be online

[Daimanta]

"3. Have 10-50 kids (more than that and you might just be inviting mutiny)."

4. Let each of those kids have another 10-50 kids.
5. Outbreed the rest of the country eventually(or settle in Liechtenstein for quicker results)
6. Elect yourself as head of state or use your numbers to start a rebellion
7. Use your country to take over the world
8. ??????
9. Profit
(10. Realise that being paranoid pays off)

Re:The truly paranoid shouldn't be online

Oh, so you are talking about Mormons, now I get it.

Feeble...

[Giant+Electronic+Bra]

In any case an effort like this is, for the truly paranoid, feeble. The mechanisms available, proven mechanisms, are well known.

First of all you cannot trust any binary which was compiled with a toolchain which is not itself trusted at least as much as the code you are compiling. It is a well known fact that Ken Ritchie (IIRC it was he) added a block of code to pcc (the portable C compiler) which detected the compilation of the 'login' program and added a back door to it. Then he also added a piece of code which caused pcc when compiling ITSELF added both of these behaviors to the new pcc binary. This resulted in a period of a number of years in which the backdoor existed in virtually all Unix based systems. The pernicious part is, pcc's SOURCE code contained no trace of any of this because the source for the hack only existed ONCE, in the orginal 'ancestor' copy of pcc from which all others descended. It would be at best VERY difficult to know that some similar technique was not used on any given distribution. In theory one could do analysis of every binary, but then how do you know your debugger and disassembler aren't lying to you? Etc.

Even assuming you have by some process guaranteed you have a clean set of binaries, why would you think that the hardware you're running them on is trustworthy? It would be foolish to assume that of the billions of transistors of which your CPU is composed that some small fraction are not dedicated to nefarious purposes...

No, the people working on this may think they're paranoid, but frankly if they thought about it a bit more, they would realize they are not 1/10th paranoid enough...

Re:Feeble...

[Watson+Ladd]

There is a workaround: Make your own compiler. It can be as slow as you want, but the important thing is it cannot be targeted by a nefarious compiler. Now compile gcc with it. Then use your new gcc to compile gcc. This newest gcc should be the same as the starting gcc. If not it was tampered with. You can even use an untrusted compiler if it has a different hack in it. For CPU's you can trust that no one in Intel understands the thing well enough to do that, or use a simple CPU like a MIPS or a SPARC. Take a SPARC chip and dissect it under the microscope and compare to the mask patterns Sun released. And DRAM is easy to analyze: It should have a bunch of similar cells and a small addressing part. Ethernet is a bit trickier, so I recommend using a parallel port and tunneling IP over it. Then be sure to work only in a Faraday cage, letting only optical signals through the mesh.

Re:Feeble...

[ezzzD55J]

"Ken Ritchie (IIRC it was he)" - haha that's funny :)

Re:Feeble...

[ezzzD55J]

"It would be at best VERY difficult to know that some similar technique was not used on any given distribution."

here is an interesting counter:
http://www.dwheeler.com/trusting-trust/

Errmmm, location of that scary place

[arikol]

That scary place where you have to protect your identity so the secret police don't get you in the middle of the night, isn't that called U.S.A. ?

Re:Errmmm, location of that scary place

[arikol]

Of course, if you're innocent you have NOTHING to fear. FNORD they'll just detain you and send you to Gitmo

Re:Errmmm, location of that scary place

[awrowe]

But on the bright side, you get a trip to cuba out of it!

Sorry, Ken Thompson (brain fart...)

[Giant+Electronic+Bra]

"It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust."

http://en.wikipedia.org/wiki/Backdoor_(computing)

Re:Sorry, Ken Thompson (brain fart...)

Oh...

So like:

#include "backdoor.h"

Or if you are using PHP:

?php

Re:Sorry, Ken Thompson (brain fart...)

[V.11.1997]

This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust."

No it wasn't. It was first outlined by Karger and Schell in Multics Security Evaluation: Vulnerability Analysis (ESD-TR-74-193, Vol II, June 1974, p 52.) as Thompson clearly acknowledges it at the end of the paper.

Even more troubling

[d_jedi]

In these jurisdictions.. wouldn't the fact that you've downloaded/used ParanoidLinux suggest you have something to hide, and hence need to be sent to a re-education though labour camp?

Dont use alpha-alpha software

The truly paranoid would want something much more stable and time-proven than alpha-alpha software I'd think. Maybe go with OpenBSD or a more stable distro with SELinux.

Why do you want to know

[coren2000]

Huh? Trying to trick me into saying something!

Signature

[holizz]

> Wouldn't it be far easier for a nefarious government organization to target that distribution's repositories, mirror that singular distribution's disk images with files of its own design, and leave every last one of that distribution's users in the great wide open?

I believe Debian solved this problem long ago, it's called public-key encryption.

This leaves one thing the user must do: acquire the distributor's public key from a trusted source. Unfortunately as far as I know only APT-based distributions sign all their packages, leaving everybody else putting a lot of trust in their sysadmin/ISP/government.

This is what you get...

-----BEGIN PGP MESSAGE----- jA0EAwMC3Y3ZOSlLpKNgycAHw2kwRePQBGcBvD1OI4mBCRlBFayMVSrTJtW0KBol Glh0nvrU7ium8C+EVIBYghTRhd8lfJvme7fJnv1QURuOLVonj/+Mx0AMs7+Vi18Y 3hsOybSIton3BG0iQA2ujdm+ynngefwsxX9wnap+KjHBZ6jvds6SQnoIL6yX/o59 e3zVpVCZuiCIuq8y9oNw+meSU6r/KkVMBHFExb2dBZOjdGSaMleo8/l0MxxXDuWa hpqzHFQJBPOiwVu3+BSXJ5XC9wUCAl61Pg== =D/fa -----END PGP MESSAGE-----

AC

[Lord+Ender]

I'm really disappointed this story was not submitted by Anonymous Coward.

This is probably not a unique source

[causality]

Wouldn't it be far easier for a nefarious government organization to target that distribution's repositories, mirror that singular distribution's disk images with files of its own design, and leave every last one of that distribution's users in the great wide open?' What should truly paranoid user do?"

If you don't or can't trust the single distribution's integrity, there's an easy alternative that no one seems to have mentioned. You can always check which tools ParanoidLinux includes and how they are configured, and then go download a more ordinary (less attention-attracting, if you really are paranoid) distribution. Then just install those same open-source tools and configure them in a similar manner and you no longer need to trust that particular distribution. If you believe that someone or a group of people wants to compromise the ParanoidLinux distribution, then by doing this you have just forced them to also compromise every other Linux distribution in order to achieve the same result.

This is, after all, what security is about. You really cannot make anything impossible to compromise; what you can do is make your system more and more difficult for an adversary to both successfully compromise and to successfully compromise without being detected. Personally, I consider a system to be "secure" when the effort needed to compromise it is far, far more expensive than anything that would be gained by doing so.

What should truly paranoid user do?

[[cx]]

Obviously look for UFOs, watch re-runs of X-Files and try to summon our intergalactic serpent overlords, of course.

potential solution, linux not included

You'd be better off with a tweaked bare bones openBSD system. Configure a remote server with TOR and a Freenet/Darknet node for anything serious. Depends on if you're disseminating or hiding.

Nothing will stop a (smart) determined attacker with physical access, so why keep anything incriminating locally?

...and don't forget to put /home on your IronKey just to be a dick to the forensics tech. ;P

Re:Stupidest idea ever

Impossible! Infrareds can't do stuff like that. You have to atleast have clearens INDIGO.

BS Alert

"The 'alpha-alpha' version of ParanoidLinux is now out."

No, it is *NOT*.

I can't belive Slashdot published this story without ANY fact checking.

Re:BS Alert

I can't belive Slashdot published this story without ANY fact checking.

the funny thing is there isn't even a malicious/wrong news report anywhere. they just say it out of blue with linking to an article that happens to be about pl dev. it's like saying an early version of ubuntu 9.04 is released linking to a story about the Jaunty Jackalope naming decision

Re:BS Alert

[cabbarosman]

"The 'alpha-alpha' version of ParanoidLinux is now out."

ParanoidLinux quote: No it isn't.

For the complacent,

[toby]

It's worth pointing out that the USA and Canada are among jurisdictions where having anonymity might mean the difference between life and death, thanks to the existence of Extraordinary Rendition (for example the cases of Maher Arar, and other Canadian citizens who have been kidnapped and tortured at the US/Canada border) and Guantanamo Bay (where due process is suspended, and several inmates have died).

uh,

[toby]

I did not mean "tortured AT the border" - obviously what occurred is he was kidnapped on arrival in the US, and deported by US authorities to Syria (in Arar's case) where he was tortured. Unfortunately his case is far from unique.

This is a non-issue!

[Jane+Q.+Public]

Any tampering such as that mentioned by the OP would be ridiculously easy to detect and correct. This is simply not an issue.

Re:This is a non-issue!

Not true. For instance I recall an open source code base being broken into a few years ago. The hackers (I use the term in the negative context here) checked in a module change that looked like a bug fix, but had it's own bug, one that allowed an undesired privilege escalation if you used the system call a certain way.

Code can look like it is right, but have difficult to see side effects.

Oh, I get it. You were being sarcastic when you said it would be easy to spot the back doors.

Re:This is a non-issue!

[Jane+Q.+Public]

Actually, no. I am quite familiar with open-source. I did not mean to imply that such things would automatically be easy to see... what I meant was that the kind of tampering the OP was talking about (replacing kernel modules with their own versions, for instance) CAN easily be detected, if even the simplest measures are used, such as posting the legitimate hash or CRC of the original code. Not everybody uses such... but these are extremely easy measures to take, and if they subsequently get hit, then they have nobody else to blame.

Certainly, some code check-ins could be more difficult to detect, but that is not how I read the post. And most open-source projects at least have moderators who determine who can check in and who cannot at any give time... not too many of them are "free-for-alls".

Re:This is a non-issue!

[MulluskO]

Yeah, remember when some bozo was doing static code analysis on Debian's SSL implementation?
He removed a 'finding' that resulted in Debian generating very weak keys.
The flaw has been attributed to incompetence, but who is to say it wasn't malice?

I think there was another story that had something to do with some dirstro leaking the password to their package respository. Actually, I think that may have also beeen Debian.

And the name for this distro...

Paranoia Enhanched Desktop Operating System

An acronym will probably be used, to keep things simpler.

Privacy is dead

[J11811]

I wrote at http://www.gotoguy.com/?p=229 that 84% of people said they would not disclose details about their income online but it turns out that 89% actually had willingly done so. We're volunteering our identities at this point.

md5?

doesn't the age old process of using the md5 checksum solve the problem of a government posting it's own distro?

Levels of paranoia

[russotto]

Weakest level of paranoia: No network drivers Next level: No video drivers or keyboard drivers Next level: panics on boot Final level: erases the hard drive then bricks the box

Laugh now

But when the scientologist find out you have been busting their chops on-line, you'll wish you had used a copy.

A paranoid user should use this

[xant]

I think a lot of people misunderstand the concept of "single point of failure". With all of this stuff in one place, yes, there's only one place that attackers need to attack. But there's also only one place that defenders need to defend. The alternative is that all these security programs remain scattered in lots of places on the Internet. True, attackers probably won't be able to subvert more than a couple of those, but it only takes one flaw in your security for them to get you. If you subverted GPG, it doesn't matter much that TrueCrypt is still working for you. If someone subverted SSL, or DNS, and it doesn't matter much that the Linux Kernel is still secure. Best to get everything from one place, and make sure that one place is really, REALLY damn secure.

Re:A paranoid user should use this

[Venture37]

best to stick with OpenBSD then!

Re:A paranoid user should use this

A paranoid and smart user continues using what he already has, because new = not trusted, just like NT.

Chuck Moore has done this...

[EmbeddedJanitor]

http://en.wikipedia.org/wiki/Charles_H._Moore designed his own language (Forth), an OS, chip design software and designed his own CPUs.

I'd say he's well on his way to achieving this.

Re:Chuck Moore has done this...

[el_chupanegre]

http://en.wikipedia.org/wiki/Charles_H._Moore designed his own language (Forth), an OS, chip design software and designed his own CPUs.

I'd say he's well on his way to achieving this.

You would still be communicating through someone else's network though.

Are you relying on any chips from anyone else or are you constructing all the hardware yourself (including RAM, hard drive, network card etc)?

Point is, unless you build everything in the entire loop (including the machines on the other end of the link) you can't know that there aren't secret backdoors built in or eavesdroppers on your network. Even then, who says that what's on the other end of the link is the person you were supposed to be talking to and not Officer Smith?

Re:Chuck Moore has done this...

[kesuki]

one thing you're missing, is that the entire process is fabricated in a silicon etching facility. you don't own it, and while you submit your design there, do you destroy a random production chip, to electron microscope scan the device to make sure it follows your exact diagram? was your 'random' choice random? do you trust your own thoughts?

and therin lies true paranoia, you don't trust. you don't believe what the doctor tells you, you don't believe he is working in your best interest, and you do what you believe you must.

I have paranoia about computers, does it stop me from using them? no, no it doesn't. but it changes how i use them, it changes my entire trust level, it affects what i believe and how i use computers. the medication does not change my having paranoid thoughts, the best goal is the overall reduction of paranoid thoughts, not the elimination.

Tinfoil hats anyone?

This makes me feel old. I always thought Tinfoil hats were enough.

1. it gives frame-of-ref 2. torrent/freenet/gnunet

1. it identifies, in 1 place, WHAT packages might be of interest, and WHY.

2. these packages can be got from their original sources, or from torrent/freenet/gnunet, with their verification got from elsewhere ( preferably the original source, but that might identify one's IP# to one's Glorious Murderous Regime Gov't(tm) )

3. it makes the issue of protection against abusive/murderous gov't more visible, so people are more likely to identify it, rather than simply going along with it.
( US e.g. "we HAVE TO commit torture, because 70% of OTHERS commit torture" .. yeah, like Zimbabwe? and "capturing photographic evidence of OUR abuse of authority is a THREAT" arguments )

4. if scrounged through some internet cafe, or open Wi-Fi, or something, the distro can be got by sneakernet to one's system so that one at least has a chance against them.
( better for just oneself to be killed on suspicion, than to have EVERYONE fighting against the abuse of god given worth tortured/murdered )

Remember what the Jewess said, in "Anne Franke Remembered"?
~The Nazis enacted little changes, removing a little right here, a little right there...
Every time, we said "oh, it's just one more thing..."
then they removed our right to go elsewhere. We knew then it was Too Late~

It's a standard rule in the deeper Drama Theory ( game theory + emotions ), that if you make the steps small, in emotional investment, you can force any result you want, given sufficient time + pushing.

Sometimes ( damn rarely ) this is used to push peace, against gangs or fighters against freedom, or dictatorships.

Mostly it is used to implement contained population, so that "rights" won't interfere against authority anymore. It is also used by corporations to deform laws, to appropriate rights from the local populations.

Notice that if you try to exercise your legal right to photography police interacting with citizens, your camera will likely be confiscated now, but YOU are under pervasive surveillance.
Interesting arrangement, that, isn't it?
You think that's "by accident"?
you're either stupid, or on dope.
Try working in the security field, and see how long you can believe that, before they make you disgusted with "humanity"'s greed for abuse.

Why do people want authority on others, and go into that field?
To have the freedom to exercise authority ON others,
without others having any right to limit/control/mitigate one's authority
( as totally asymmetrical as possible ).

I wish humanity would Grow Up,
and accept that others have to have their own worth,
and stop being the State Molester.

Won't happen in my life. But if we push + persist,
then some of our grandchildren will live to experience freedom.

Good luck with that...

[Huwawa]

But seriously, wouldn't the truly paranoid user find yet another hypothetical vulnerability besides the ones listed in TFA? I guess that turns it into an arms race with someones paranoia..

Paranoid? Who, me?

[ZeroNullVoid]

Wait... who said that... oh shit.

For anonymity as well as security

[Beryllium+Sphere(tm)]

Someone could resurrect the Anonym.os project, an OpenBSD live CD with anonymity tools.

The 'alpha-alpha' version of ParanoidLinux?

[syousef]

What paranoid person uses a Beta let alone an Alpha? What is an alpha alpha anyway?

My understanding is:
- Beta = feature complete but bugs mean it's not to be relied on in a prod environment
- Alpha = not yet feature complete, no where near ready for prod

So does Alpha alpha mean vaporware?

The only thing you can do is

[ChienAndalu]

Get you granddads morse key apparatus and solder it to the RJ45 port. And think very hard before answering.

Pfffft

[Gazzonyx]

Overachiever.

Awesome

[Lordnerdzrool]

So while you're receiving a political message one character at a time, ParanoidLinux is pretending to surf the Web and fill in questionnaires and flirt in chat-rooms.

Awesome, this operating system will even pick up chicks for me. Forget the whole "paranoid" reasoning behind this feature, this feature makes my Linux machine into a love-machine.

Good Summary

[prajjwal]

Well spoken.. like a true paranoid!

Linux without shredder in KDE Konqueror is CRAP

Paranoid linux protects no one. Its site demands cookie acceptance. That alone is enough to say it is an agent of the Gestapo Homeland Security. Its shill of commenters seem to want their own computers spied on as they foolishly demand the use of the HTTPS protocol that would facilitate exactly that. And no one there is talking about the 800 pound gorilla in the room, the lack of the shredder in the Konqueror KDE file manager in all 2.6 kernels. The lack of the shredder makes all these linuxes insecure and unusable in a business environment. The lack of available shredders to be installed aftermarket on the internet is a telling tribute to either a campaign by microsoft shills to suppress it in order to damage linux, or to government shills afraid of the shredder on linux systems, expecially in fascist United States and Europe

Answer

[finkployd]

What should truly paranoid user do?

Write your own apps. Well, you better write your own OS too. Come to think of it, the compiler could easily have been compromised, better write your own one of those too. From scratch.

Well hang on, why are we trusting the hardware here? Better build your own storage media, who knows what off the shelf HDs store without you knowing. Put together your own cpu (we will trust off the shelf ram.....for now), probably be easier to start with opensparc and move on from there. Ok, so we have a somewhat secure computer, but what can we do with it. I cannot trust my isp, or any protocols out there designed to protect privacy. Come to think of it, even off the network I do not know what capacities "they" have regarding van eck phreaking.

Maybe the truly paranoid should just stay away from electronics.

Finkployd

The Noid

move to the mountains.

have no electrical equipment nor lines of any kind

insulate the roof with a thin lining of led

sound proof the walls

build large bunker in mountain with only entrance under floor boards of house.

um........ I know I'm forgetting something.

Why won't you all listen to me??!?!?!

[ChameleonDave]

I laugh at those people installing Paranoid Linux. It is clearly nothing but an Illuminati ploy to get us to install their OS. Once installed, it will phone home to Al Qaeda and annihilate us all, I tell you!11!!!!

Re:Why won't you all listen to me??!?!?!

That's just what they want you to think. You see, Al Qaeda is Sunni, but the Illuminati trace their origins back to Hassan-i Sabbah, the head of the Ismaili sect of Shia Islam.

Linux is too big to be secure.

[Jessta]

The truly paranoid don't trust any code they can't verify themselves. Linux is too big to be secure.

Re:Linux is too big to be secure.

[Free+the+Cowards]

Why stop there? Why assume that your CPU is secure? The truly paranoid don't trust any computer they didn't build themselves from transistors.

AnonymOS

I don't think it's under active development any more but take a look at;
http://en.wikipedia.org/wiki/Anonym.OS

I grew up in a country like that...

[mario_grgic]

so idea is not foreign to me. But having something that confidential on a laptop is not a good idea anyway.

And if the evil government suspects you have something important on your laptop, they won't even try to break in, they will go straight to torture until you tell them.

knock knock knock

[cheros]

.. we found you.. :-)

You can easily achieve almost perfect anonymity

[Erikderzweite]

If you want, say, to do something on the Internet that no one should know or be able to prove that you did it, you'll need following items:

- An open Wifi access point (Starbucks, some tech illiterate neighbor etc.)
- A customized LiveCD which has startup scripts to random-generate your hostname and MAC-Address of your wireless network adapter on each boot. (There must be a way to change other hardware data that might help to identify you)
- Some way to quickly cut the power to your PC in case some institution will attempt to get your PC while it's on.
-Enough RAM.

As no information stays on your hard disks no one will be able to prove anything. Tracking you will also be close to impossible.

linux for the paranoid ?

[Ofloo]

A truly paranoid user should use openbsd and not linux ! Which is safe by design and even banned from hack contests, and has proven this year after year after year, this isn't just some alpha release which still needs to prove itself year after year after year !

Trust No One

[The+Other+White+Meat]

ParanoidLinux was created by the NSA and CIA to setup a global spy network, running on the very computers they would most like to spy on.

Discuss...

Consult the novel [OMG SPOILERS]

A major plot point in the novel Little Brother, which inspired ParanoidLinux, is that even with ParanoidLinux and an army of supporters, the protagonist's cover is still blown by a single mole. It does not matter how crazy awesome your security procedures are if you can't trust the people you're working with.

So, a "truly paranoid" user would not have a chance. You need to know who you can trust, and you need to notice when someone goes bad. That's something that no operating system can help you with.

The really useful feature of the fictional ParanoidLinux is its ability to establish a darknet quickly and quietly, disguising its traffic by distributing it amongst the surrounding access points. Thus, if you already have a good web of trust, it's easy to get in touch with those people who can access your network without attracting attention. So ParanoidLinux focuses primarily on making heavy security as easy as possible to use, with the paranoia thing being more of a constraint than a feature.

Re:Hymen

[ftide]

> Why would you download this 'super-safe' OS from some people you never met, through a public unencrypted network, if your life depended on it?

Or having to register your email address thru paranoidlinux.org to get the download? Hello?!