Christopher Clements:
> Is there really any way to be 100% sure that a project and/or team
> member is not compromised?

No. This is why 3rd party audits of the source code is important. If the
source code is not fully available to everyone, then it can not be fully
audited. Tails has non-free software in it, making it impossible to
audit the whole thing. I don't believe that Tails has been compromised,
but sunshine is the best disinfectant. This is why Heads is exciting.
>From what I understand, it will have a smaller codebase (since systemd
will not be included) and it will publish it's entire source code to
everyone. Obviously, not everyone will be able to take that source code
and audit it, since that is a specialized skill, but this does give
users the ability (currently in theory, but hopefully in practice in the
future) to pool their money to pay for regular complete 3rd party audits
that publish their complete report.

If the source code can get a clean bill of health on a regular basis,
then people can compile it themselves with confidence. In the future, as
with most software, the hope would be that the OS can also provide
compiled binary versions with reproducible builds, so that multiple
organizations can verify the integrity of the binaries that are published.

In practice, this doesn't always happen in free software projects.
Nonetheless, this is the path that a project can take to ensure that a
piece of software has not been compromised by one or two developers that
have been blackmailed or whatever else.

> Also, (no disrespect meant, just an innocent question),
> who are these types of distributions meant for, apart from
> the paranoid, whistleblowers, drug lords, and high-profile criminals?
> (Please don't think I'm lumping them all together.)

This is a common question. The answer is, and I don't mean this is a
mean way, you've been brainwashed by propaganda.
https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse

Don't worry, it happens to the best of us. Please understand though,
this is a logical fallacy.
https://en.wikipedia.org/wiki/Think_of_the_children

While it will take a while to deprogram yourself, I suggest that you
start by watching the Tor video, which is the 5th video on this page:
http://motionensemble.de/ It has a big Tor logo on the default
screenshot. Also, watch Citizen Four and read up on the Snowden revelations.

> I honestly can't think of any legitimate, ethically sound use of "extreme
> privacy" software apart from whistleblowing and sticking it to extremely
> aggressive advertisers like AT&T's clients.

Tor is not "extreme privacy". It is just regular privacy. If you don't
agree, please tell me how you define "regular privacy". Privacy is a
human right, explicitly defined in the UN Declaration of Human Rights:

"Article 12.

No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks upon his honour and
reputation. Everyone has the right to the protection of the law against
such interference or attacks."

But let me, for argument's sake, say that you are correct for a second.
If Tor is "extreme privacy" and it is only good for whistleblowers and
sticking it to "little brother", wouldn't it make it easier to catch
these whistleblowers if they were the only ones using the network? It is
difficult to use Tor without your service provider knowing that you use
it. If they were the only ones that use it, then they would be easily
targeted. If plain ol' folks use Tor regularly, they can provide cover
for those who use it in desperate situations.

> As a curious "I have nothing to hide" type of guy, I'm wondering if
> there are any other legitimate reasons to use this stuff, or is it
> logical for "Big Brother" to simply add everyone who downloads Tor to
> a watchlist? (That would include me, I guess, since I've used Kali
> linux, which comes with Tor IIRC.)

Privacy is the ability to choose what you reveal to the world. While you
may not have anything to hide, you have the human right to decide what
you reveal about yourself to the world. Big Brother and Little Brother
are working together to create dossiers on everyone on the planet. This
isn't paranoia. This has been well reported and only refuted by those
who haven't been paying attention to the news. Here's a TLDR version:
https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29 This is
only one program of a shockingly large number of programs that utilize
centralized technology to map out people's entire lives and social
networks. When you say that you don't understand why someone would take
moderate steps, by using a slightly more difficult to use operating
system for example, to balance the overwhelming amount of illegal
warrantless surveillance by nation states and megacorps is naive.

> Once again, these are just questions. I am not saying I'm against
> "extreme privacy" stuff, I'm just curious; please don't fire me out of a
> cannon into the sun or something. (I'm a filesystems guy, not a
> communications guy.)

I want to emphasize that I'm not trying to be mean by what I've said
above, even if it seems as though I was. I appreciate that you are
asking questions. You seem to legitimately be searching for the truth.

The argument you are making, on my end, sounds about the same as arguing
that using envelopes should be banned and that no mail should be
delivered that doesn't have a 100% verified address of the sender. Also,
courier services that don't check the passport of every package sender
and receiver and pass the logs to the government should be banned. IP
addresses are the passports or 100% verified address, in this analogy,
that identify everything sent and received. Tor is a bike courier
sending digital packages. Encryption is an envelope.

Do you use envelopes? If so, what do you have to hide? The answer is
probably nothing, but you are choosing what you want to reveal to the world.

The internet has turned into a very dangerous place. Malicious actors
(thieves, ex husbands, nation states, megacorps, your ISP) are trying to
get your information and use it against you. Using Tor via a secure
operating system, like Heads hopes to become, is a very moderate
response when one realizes how vulnerable the average internet user is.
This is metanoia, not paranoia.

Peace & Blessings,
Kurtis