Author Topic: Sources and how to build peppermint  (Read 6269 times)

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26325
  • Karma: 2855
  • "-rw-rw-rw-" .. The Number Of The Beast
  • Peppermint version(s): Peppermint 10
Re: Sources and how to build peppermint
« Reply #30 on: April 27, 2017, 08:44:39 pm »
Quote
Aims and motivations: Been using peppermint as a guest in vmware VM's since the beginning of your distro, with windows as the host. Now windows is becoming spyware so I want to switch to an open-source host such as peppermint, and an open-source hypervisor such as virtualbox for my VM's. But even in open-source there is the possibility that the binaries you get from repositories have spyware functionality added that does not appear in the source code of C, C++, assembler or whatever you get from the repos as source code. So to be sure I want to build peppermint myself, from the public source code that is less likely to contain spyware functionality because that would destroy the reputation of peppermint. And build ubuntu too. And debian if need be. Nothing must be downloaded as a binary. Kinda like linuxfromscratch.com. Would make it minimal too. The advantage of debian/ubuntu/peppermint compared to linux from scratch is you automatically get informed of security updates.

Okay I get that .. a bit paranoid but then sometimes they ARE out to get you :)

Well the original source code (and patches) for all Ubuntu and Peppermint packages IS available, so there's nothing stopping you building each package and comparing the binaries to check that they were indeed created from the source you're being shown.

It actually raises an interesting question - As Peppermint uses launchpad for our Peppermint specific packages, and you cannot upload pre-compiled binaries to launchpad instead you upload the source package and it gets compiled into the finished package on the launchpad servers, theoretically Ubuntu could inject code into our binaries as they're compiled.

I'm pretty sure if they did that, someone would immediately get shot though .. and it would be super easy to spot.

Then again, how do you know the GNU compilers themselves aren't injecting code (which would be harder to spot without seeing the source code, which you could never be 100% sure was the ACTUAL source code) .. as I said, you can never be 100% sure of anything, it's all about degree, watching for the unexpected, and intentional obfuscation.
« Last Edit: April 27, 2017, 08:46:56 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
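
The "build each package and compare the binaries" check from the reply above, as an added example that is not part of the original post or of Peppermint's tooling. A .deb is an ar archive whose headers carry timestamps, so two honest builds can differ byte-for-byte; this sketch compares the members instead. The helper names and the sample archives are constructed for illustration.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Parse an ar archive (the outer container of a .deb) into {name: payload}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError(f"bad ar header at offset {pos}")
        # Header fields: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]
        name = header[:16].decode("ascii").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii"))
        payload = blob[pos + 60:pos + 60 + size]
        if len(payload) != size:
            raise ValueError(f"truncated member {name!r}")
        members[name] = payload
        pos += 60 + size + (size & 1)  # payloads are padded to an even offset
    return members

def compare_debs(rebuilt, published):
    """Map each member name to 'match', 'differs' or 'missing'."""
    a, b = ar_members(rebuilt), ar_members(published)
    report = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            report[name] = "missing"
        elif hashlib.sha256(a[name]).digest() == hashlib.sha256(b[name]).digest():
            report[name] = "match"
        else:
            report[name] = "differs"
    return report

def make_ar(files, mtime):
    """Build a constructed ar archive; stands in for a real .deb in this demo."""
    out = AR_MAGIC
    for name, data in files:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, mtime, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) & 1 else b"")
    return out

# Constructed sample data, not real package contents.
FILES = [(b"debian-binary", b"2.0\n"), (b"control.tar.gz", b"ctrl"), (b"data.tar.gz", b"payload-A")]
rebuilt = make_ar(FILES, mtime=1493325879)
published = make_ar(FILES, mtime=1493400000)
tampered = make_ar(FILES[:2] + [(b"data.tar.gz", b"payload-B")], mtime=1493400000)

if __name__ == "__main__":
    print(rebuilt == published, compare_debs(rebuilt, published))
    print(compare_debs(rebuilt, tampered))
```

With real packages the inner tarballs carry their own timestamps and build paths, so members only match when the build is reproducible. A "differs" result is a lead to inspect further (for example with diffoscope), not proof of tampering.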

Offline Ulysses_

  • Jr. Member
  • **
  • Posts: 43
  • Karma: 0
  • New Forum User
Re: Sources and how to build peppermint
« Reply #31 on: April 28, 2017, 02:13:11 pm »
Quote
only VM's see the internet and only through a physical USB-to-ethernet adaptor that is virtually plugged into a VM.
Can anyone explain that to a "virtual n00b"?  ???

It's when you plug one of the following to your computer and windows has no driver for it so it does not work (but even if it did you could still go to the Device Manager and disable it or even remove the driver if you're technical enough) so no internet access for the host, no microsoft spyware updates. But vmware can give the device to a virtual machine and if the operating system of the virtual machine has a driver for it, as linux does, then only the virtual machine can access the internet:

http://www.ebay.com/itm/USB-3-0-to-10-100-1000-Mbps-Gigabit-RJ45-Ethernet-LAN-Network-Adapter-For-PC-/332120241187

For extra security I do not use this device on a linux guest but on a bsd-based pfsense guest, that is a gateway that allows other virtual machines to have access to the internet through virtual network interfaces and virtual cables between the virtual machines.
« Last Edit: April 28, 2017, 02:33:09 pm by Ulysses_ »

Offline Ulysses_

Re: Sources and how to build peppermint
« Reply #32 on: April 28, 2017, 02:25:28 pm »
The catch is, you do not know if vmware has a backdoor that allows full control of the host from the virtual machine, which would negate the above strategy. Hence the need for open source throughout.

Offline PCNetSpec

Re: Sources and how to build peppermint
« Reply #33 on: April 28, 2017, 02:31:47 pm »
I think the biggest security/privacy concerns these days are going to be implemented in hardware such as the "Trusted Platform Module" and the like .. completely bypassing software security, and ensured for the life of the PC.
« Last Edit: April 28, 2017, 02:34:40 pm by PCNetSpec »

Offline Ulysses_

Re: Sources and how to build peppermint
« Reply #34 on: April 28, 2017, 03:07:03 pm »
Do you have any information that points to hardware like that not needing the drivers and an operating system to spy on you?

Offline PCNetSpec

Re: Sources and how to build peppermint
« Reply #35 on: April 28, 2017, 03:09:58 pm »
https://en.wikipedia.org/wiki/Trusted_Platform_Module

My point is that if the hardware is running software/firmware independently of the OS (and it's encrypted, and remote capable) there's zero protection.

I'm not saying this is the case, YET, but we're heading that way.
« Last Edit: April 28, 2017, 03:59:55 pm by PCNetSpec »

Offline Ulysses_

Re: Sources and how to build peppermint
« Reply #36 on: April 28, 2017, 03:15:26 pm »
Where does it say that such hardware can be harmful even if software does not use it?

Offline Ulysses_

Re: Sources and how to build peppermint
« Reply #37 on: April 28, 2017, 03:31:58 pm »
Here's a more likely scenario. Some computers, such as mine, do not allow you to disable Secure Boot in the UEFI settings at boot time. Therefore you are forced to use an operating system with a kernel approved by Microsoft and signed by Microsoft, which ubuntu and certain other distros are for the time being but libre distros may not be, either now or in the future. Therefore only a few approved kernels will be allowed to exist eventually, and these kernels will be forced to include spyware functionality and it's checkmate.

Offline PCNetSpec

Re: Sources and how to build peppermint
« Reply #38 on: April 28, 2017, 04:19:58 pm »
So you don't think it would be MUCH easier for governments and corporations to implement spyware in hardware .. completely sidestepping the OS, not requiring complicity from the software developers, running underneath the OS so effectively undetectable in software, and irremovable by the users without bricking the system ?

And you don't think we're already moving in that direction where the waters have already been tested in court with who has the rights to modify hardware (such as Xbox and Playstation, and mobile phones), and that it's okay for devices and/or software to spy on you as long as you agree at point of sale (but there are little to no options).

In fact if your BIOS (or some other discreet chip) were "phoning home" your keystrokes right now would you know ?

Now I REPEAT, I'm NOT saying TPM is currently that technology (so stop asking me to provide "proof" that it is), but it is capable of "remote attestation" (google it), the tech exists and the legalities of deployment have all been pretty well established in case law.

I'd be fairly certain it's coming and you're not going to be able to do much about it once it arrives.

Okay, taking my tin hat off now :)
« Last Edit: April 28, 2017, 04:23:42 pm by PCNetSpec »

Offline Ulysses_

Re: Sources and how to build peppermint
« Reply #39 on: April 28, 2017, 04:42:05 pm »
Of course what you say is true, and malicious hardware would have to be connected to the ethernet adapter. So countermeasures are possible, if components such as a usb to ethernet adapter can be clear of malicious hardware.

Offline PCNetSpec

Re: Sources and how to build peppermint
« Reply #40 on: April 28, 2017, 04:48:41 pm »
IF being the operative word .. but when they get around to this do you think they'll give you such an easy "out" as USB (or do you think only USB devices that conform will be flagged as "Trusted" and therefore be allowed to work) ? ;)

The ONLY way to be sure would be to not connect it AT ALL .. and even then you'd probably have to electromagnetically isolate it.

Anyway my point was .. there is NO way to fire up a computer and be certain you're secure.

If you want to compile everything and check all the binaries match .. good for you, godspeed and happy hunting :)

https://www.google.com/patents/WO2010151102A1?cl=en

[EDIT]

BTW, If you find anything untoward during your experimenting with upstream packages please let us know.
« Last Edit: April 28, 2017, 05:22:04 pm by PCNetSpec »

Offline murraymint

  • Trusted User
  • Veteran
  • *****
  • Posts: 2002
  • Karma: 344
  • soft boiled with a yolk of gold
  • Peppermint version(s): 7, 8, 9
Re: Sources and how to build peppermint
« Reply #41 on: April 28, 2017, 05:19:13 pm »
Quote
The catch is, you do not know if vmware has a backdoor that allows full control of the host from the virtual machine, which would negate the above strategy. Hence the need for open source throughout.
Thanks for the explanation, and the above was the reason I was asking about it.

Offline Ulysses_

Re: Sources and how to build peppermint
« Reply #42 on: April 28, 2017, 05:27:21 pm »
No claim was ever made here that now and forever one can be certain they're secure. It is an arms race between free people and bullies. As in all arms races, neither side knows in full what all the other side's capabilities are at any time.

The USB to ethernet to a VM trick of mine is really just an obscurity tactic, counting on not getting too much attention online.

Curiously, people switch their minds off and change topic when they hear it, so that's an added advantage. That's what I've seen elsewhere, not here.
« Last Edit: April 28, 2017, 05:36:00 pm by Ulysses_ »

Offline PCNetSpec

Re: Sources and how to build peppermint
« Reply #43 on: April 28, 2017, 05:39:08 pm »
Yep, you're only paranoid if they're not out to get you ;)

I have no problem with what you're attempting here, and would be very interested in your findings .. that said Peppermint makes no claims to be 100% "clean" in any sense .. that claim would be impossible to prove and therefore possibly misleading (not being intentionally misleading is the only thing I can promise) ;)

As with any "distro" we can only "guarantee" our own code and ethics .. we cannot absolutely guarantee code not authored by us that's part of this distribution, in that there has to be a certain amount of upstream trust healthily balanced against community involvement and scrutiny.
(scrutinise away my friend .. it all helps everyone in the end).
« Last Edit: April 28, 2017, 05:50:31 pm by PCNetSpec »

Offline zebedeeboss

  • Global Moderator
  • Hero
  • *****
  • Posts: 3145
  • Karma: 567
  • Life first... Peppermint a close 2nd :)
  • Peppermint version(s): P10 / P9 Respin
Re: Sources and how to build peppermint
« Reply #44 on: April 29, 2017, 01:30:33 am »
I got a headache now - Thanks Guys  :-\  :-\  :-\
Be Kind Whenever Possible...   It is Always Possible - Dalai Lama

Linux User #565092
P10 x64 Desktop - AMD Threadripper 2950X - 64Gb RAM - NVIDIA RTX2080Ti 11Gb - 1 x 43" 1 x 27" 4k 3840x2160 - 1 x 34" 5120x2160
P10 x64 Laptop - i7-7700HQ - 8Gb RAM - Nvidia GTX1050 4Gb - 15.6" HD 1920x1080