KDE – the Prism Breaker

In times of PRISM, Tempora and XKeyscore we have a good chance to differentiate our products as the true prism breaker

I just sent this to a KDE mailing list. And it’s true. The KDE Community’s software is:

  • community controlled, no US-controlled company can introduce “patriotic” changes
  • the majority of developers are based outside the US, many in Europe and India (@devs: please provide your data for the commit digest, 20 % unknown is too much)
  • our legal entity (KDE e.V.) is Germany based
  • we don’t send any of your data to our (or third party) servers (but you can opt in to shop in Amazon store in Amarok)
  • we provide software to encrypt and protect your communication (KMail, KGpg, Kleopatra and Kopete with OTR plugin)
  • we provide web browsers (rekonq, Konqueror) which are not controlled by a US corporation or US foundation
  • we provide a web browser rendering engine (KHTML/KJS) which is not controlled by a US corporation or US foundation
  • we live open standards, with for example excellent ODF support (Calligra suite)
  • we provide a tablet operating system (Plasma Active) following the principles outlined above

And much, much more. If you are concerned about PRISM & co, consider using KDE software. For a full list of software also check out PRISM Break, which also gives nice explanations of why you shouldn’t use some free software.

28 Replies to “KDE – the Prism Breaker”

        1. I’m sorry I cannot help you there. I personally questioned the decision about OTR to kde-telepathy developers at Akademy and I will continue to bug them about it. If I had the time I would look into it myself.

          To make it quite clear: in the pre-prism time I also considered OTR as no longer being necessary as complete encryption of the transfer layer should have been enough. After prism we know that we need end-to-end encryption.

    1. I send encrypted emails all the time with KMail2, including to keys I have not signed or that are not part of my WoT.

      Not sure about the SSL certs, as the websites pointed to in the bug report all worked for me in rekonq (though that could be due to proper system SSL configuration for all I know).

      1. Aron, most of the stuff is working now, but there are still problems and nobody is working on these issues or tests that it works properly.

        If you look at the SSL bug, nobody cared for almost 2 years. That’s the issue here.

        Security is boring stuff for some developers, I hope this will change.

        1. If you’re trying to say that KDE *currently* doesn’t care about security it doesn’t help your case to point to things that were an issue five years ago.

          There currently is an issue with verifying certificates in Konqueror that some others and I are trying to solve, but I can reproduce it even with the command line “openssl” tool, so I’m not sure it is even a KDE issue at this point.

          I’m not saying KDE has a perfect security record, but we do have developers who care about security-related issues.

      2. Crypto support in KMail has reliably worked for over a decade, as every single mailing list posting of mine over that period nicely demonstrates.

        Naturally commenters on blog posts overgeneralize, as has become common on any web-based communication channel.

        KMail is in fact one of the very few email clients that come with first class crypto support out of the box, neither needing a third party addon nor being restricted to one specific crypto standard (e.g. GPG vs. S/MIME/X.509).

  1. Do you expect European or Indian governments to respect privacy more? The fact that no one knows about European snooping doesn’t mean there isn’t any. Geographical location is not a good point for privacy concerns. The rest of the points are good.

    1. Well, we can only work with the evidence we have. We don’t have any evidence that European (except UK) or Indian governments don’t respect privacy. As long as someone has not been convicted, they have to be considered innocent.

      1. Sorry dude, given your name I’m guessing you’re German? Germany, a country with ~25% of the population of the U.S., runs over 3x more wiretaps every year compared to even the U.S. government.

        http://articles.baltimoresun.com/2006-03-16/news/0603160077_1_wiretaps-germany-berlin

        And that is just from 2006… what do you think has happened in the last 7 years?

        As a somewhat off-topic aside: People who look at SELinux (written in part by the NSA) and start screaming about backdoors are looking in the wrong place. Do you really think the NSA would be stupid enough to splash its name and logo all over some magical backdoor where it would be trivial to find using grep? Get real. The supposedly “safe” contributions from a large number of anonymous sources are where you’d try to slip in a backdoor if you were the NSA.

        1. I’m sorry, but I don’t know where the Baltimore Sun got their information from. I just checked in Wikipedia and those numbers are different. Also the article gets it pretty much wrong. It talks about wiretapping being used to catch terrorists, while from the data in Wikipedia it is pretty obviously not the case (33 % is about drugs, it doesn’t mention terrorism at all). There is also a huge difference to PRISM & co. Wiretapping is always only used against a suspect and has to be signed by a judge. There is no general wiretapping going on in Germany. The European Commission tried to establish data preservation of metadata for half a year, but this law got destroyed in the supreme court (I was one of 34939 people supporting this in front of the supreme court). So what the US government is currently doing in Germany against German people is violating German civil rights, and there has been a German supreme court decision stating that such behavior is against our constitution. As a matter of fact I don’t care whether what the US does is legal from a US perspective. US law is pretty much irrelevant where I live.

  2. How dare you imply that Mozilla projects are less secure for the end user than any of the KDE alternatives, simply because they have their HQ in the US? Firefox has been on the ground floor of the fight for user freedom since day one, and their geographical location is irrelevant to that. Any idea where the FSF is headquartered, by the way?

      1. Eh, not really, since the original post still carries the implication that browsers and rendering engines from “US foundations” (of which Mozilla is one) are somehow inherently less secure or more likely to include malicious code than their KDE “kounterparts.”

        What target were you aiming at with “US foundations” if not Mozilla?

        1. I wanted to point out that there are alternatives if you don’t trust anything related to the US.

          1. I suppose we’ll have to leave it at that, though you and I both know that KDE has plenty of GNU deps, for which all the copyrights are assigned to a US foundation.

            1. Well, I was mostly thinking about the tampering with SSL certs which had been in the media last week. And there a browser with its own SSL cert cache is a much more interesting target than anything GNU provides.

    1. Having the headquarters in the US means being subject to their courts. Ergo, legally forced to comply with whatever a sealed court order demands (including orders to keep silent about it) at pain of contempt of court.

  3. I honestly couldn’t care less where the people or foundations come from. Regionality has no relation here. As long as the source code is open and I compile it myself, I always have the option of looking at it before doing so, an option I use frequently.

    The real danger comes from the systems where the public is not allowed to review and compile the source on their own.

    1. Did you hear before of the Ken Thompson compiler hack? If you are paranoid, you know that source code doesn’t help! You need to live-analyze your data. See what is going out, when, to whom and what is in memory at that time, and what is the runtime flow of your application. Without that level of information, you should not trust your computer so much for anything really confidential.

      That’s why I do think that not having debugging capability on a device for its owner is a security threat. Designing the system to be easy to audit and to understand what is going on, making it hard to hide covert channels and compromised systems, is the way to go. There is still a lot to be solved here (even for open source software).

      The only reason that you can trust Free Software, in the sense that it is developed by an active community, is that the broad range of nationalities working on the code makes it hard for anyone to sneak something too obvious in. The direct link to a community of developers is right now the only security we have. If you are not involved in that community you can’t assess if your software, even Free, is or is not potentially compromised (Yes, it is a pledge to get involved in the development of the software you use, but ultimately, if you care about your privacy, that is what you should do).

  4. I prefer using KDE for a few reasons, but security is not one of them. The reasons given for choosing KDE from a security point of view are specious, to say the least. Should the NSA wish to target Linux users – and why should they not? – they have literally thousands of ways at their disposal without considering KDE or geographical locations. Besides, the British are serving up almost all of the European Internet traffic already through the joint US/British Tempora program et cetera.

    Citing Germany and German laws as a guarantor of privacy is especially ridiculous, given how Germany has always, especially since 1870, ranked up there with the usual devious suspects Britain, France and the USA.

    The real paranoid must start by writing their own compilers. Even that would not guarantee anything, of course, but it is the only glimmer of hope left for privacy on a computer.

  5. Related to security and privacy (U.S. or non-US).
    Ok, KDE is a community. But what about Digia and Blue Systems? Can we trust them? Should we keep an eye on them, just in case? I’m not clear on what Blue Systems is and what role it has in KDE.

    1. Also the code of Blue Systems and Digia employees gets peer reviewed. In the case of KDE we just go through Review Board like anybody else. Our commits trigger the notifications like anybody else’s, and if we abused our commit rights we would get punished like everybody else.

  6. What about some online services which will be used by some applications? E.g.
    1. amarok -> get lyrics, album covers
    2. marble -> get maps and information on some POIs

    There are certainly more services that bring „fantastic“ features to the user.

    In my opinion, these features are useful for some people, but at the minimum I would prefer to be informed of such things. Especially of what services are used to bring this user experience. E.g. I could not find anything about what services are used by marble.

    KDE developers should pay more attention to informing the users about which internet services are used.

      1. It would be enough to put this information in the help and point to it at first startup. But this information must be mandatory.
