5

The Intel wireless network adapter in my computer requires a non-free driver to work. I don't want to install non-free software on my Debian system. However, it is a notebook, and without wireless networking it is not very useful to me.

I wonder how risky it is to install this driver with regard to surveillance. I mean, do you think it is actually possible that a wireless network driver may act maliciously and let some authority or third party collect the data my computer transfers via the wireless network?

I suspect that such behavior would cause a scandal if detected, therefore it seems unlikely to me to some extent. On the other hand we have become more familiar with scandals about big IT companies in recent years.

Or is this question fundamentally meaningless because hardware may act maliciously by itself and there is nothing we can do about it, which makes using non-free or free driver irrelevant?

Do you think it would be meaningful not to use the wireless network hardware installed in my notebook but instead try to find another solution because of this non-free driver?

Luke

3 Answers

4

A closed binary is harder to audit than something you have source for, so technically you add some risk by doing this.

However, you may already be taking equal or greater risks:

As always, you must evaluate your threat model and assess the risk for yourself.

Graham Hill
2

Commercial software, read as in closed source, has not been subjected to the same scrutiny as its free (and open source) counterpart. Unless every instruction or every line of code has been reviewed, the possibility that there may be a side functionality that may be categorised as malicious is there.

Richard Stallman shed some light on one of Ubuntu's features that involved uploading user searches to a third party by default, without asking for consent.

Another example I can think of is adware which shipped with Lenovo machines. There were also hardware backdoors found on some boxes provided by the same manufacturer.

It's pretty unlikely that you need a proprietary driver for wireless to work. What notebook are you using?

Sebi
  • It is a Toshiba notebook. Please check this page to see information about the non-free Intel wireless driver that I need to install: https://wiki.debian.org/iwlwifi – Luke Sep 30 '15 at 09:09
  • There's also a good question on how to install it here: http://unix.stackexchange.com/questions/164696/debiankde-cant-get-wireless-to-work . Non-free in Debian terms means "are not compliant with the Debian Free Software Guidelines (DFSG) or are encumbered by patents or other legal issues that make their distribution problematic" – Sebi Sep 30 '15 at 09:26
1

Let's rephrase your question: You are afraid of installing a software driver but are not afraid of plugging closed-source hardware into your network. A software driver can be reverse-engineered rather easily; reverse-engineering a hardware device would require much more effort and equipment. The actual decision to leak data may go either way.

My advice to you would be to read the EULA and privacy policy very carefully, both for the device and the driver. Most companies with semi-competent legal departments would put disclaimers and caveats in small print that shield them from litigation and should in fact alert users to the possible danger.

You should also minimize the closed-source software you install: a driver package, but not superfluous fancy GUI front-ends, for instance.

What's more, you should check where the driver comes from: you'd like a TLS-secured connection while downloading, checking the certificates against a MITM attack, verifying if the signatures match the package, and reading around on the forums for others' experience.


NB: If the data you process are so sensitive that you won't trust the NSA/GCHQ to handle them, buying a laptop that's connected to the Internet and has a wireless card is in itself a reckless act.

Deer Hunter