1

I'm thinking of installing Debian 8. After I've installed it and am using it day to day, can Debian 8 connect to the Internet behind my back and carry out actions unknown to me, like downloading or uploading information? If so, is there a previous version of Debian that I can install that won't do this?

What is Debian doing on the network when I'm not looking? To whom might it be reporting? Software can be sneaky, so I would like to know.

3
  • You can enable automatic updates and popularity contest; these will connect to the internet. It will do this without you knowing if you do not know. Commented Sep 10, 2016 at 13:47
  • Can you fix your grammar? It is future tense (thinking of) then past (I've = I have). Commented Sep 10, 2016 at 13:48
  • @ThomasDickey: Thanks for putting the question on hold as too broad. I can see the probability that no one would reasonably be able to answer the question! However, while you were putting the question on hold, I was composing a rather thorough answer that I believe focuses the question and suitably responds to it. My answer is now posted. Since I would prefer that my answer not be lost on a closed question, would you consider taking the question off hold? In the meantime, I'll try to think of a way to submit an edit to the question to focus it a bit better. Commented Sep 10, 2016 at 14:19

1 Answer

4

This is the right kind of question. It shows that you are thinking like a Debian user.

Answer: Yes, your system can automatically connect to the network. This is because [a] your system has the capability to connect and [b] your system has the capability to do things automatically. However, no, it won't connect to the network behind your back. (Note to readers: connecting to and accessing the network are two different things. The question asks about connection, but of course access can also be relevant. Once the system is connected, unless the sysadmin has restricted access via iptables(8) or the like, any user or agent on the system is able to access the network.)

There probably is no simple way to explain this, but I think that your question is important. I will attempt to illuminate at least the main points of an answer.

DEBIAN PACKAGES AND ROOT PRIVILEGES

As you know, the Debian 8 release includes tens of thousands of software packages. Some of these packages are self-configured at installation to exercise root privileges, some are not; but there is nothing in the package manager to prevent any particular package from self-configuring to exercise root privileges.

With root privileges, a package can do anything, including activating and using network interfaces. Most packages self-configure to deny themselves and their users root access, but some packages need root access and the package manager allows this.

If you acquire DEB-packaged software from an untrusted source (which is seldom necessary to do), and if the software turns out to be malicious, the Debian system is not designed to protect you against this. This is why the normal use of the Debian system is to install only the software Debian distributes. Of course, you can also install software you have developed yourself (this is normal) or have good reason to trust (be careful: ask, why isn't the software officially distributed by Debian); this is up to you.

The Debian system imposes no technical restriction to stop any particular package from self-configuring at installation to exercise root privileges later. A typical case is the mailserver Exim4, whose executable /usr/sbin/exim4 has the file modes -rwsr-xr-x, in which the s means that the executable runs with root privileges. If, hypothetically, one suspected Debian 8's Exim4 packages, one would not install them. But then if one generally suspected Debian, one would not run Debian GNU/Linux at all, would one? We'll talk more in a moment about why it is reasonable to trust Debian.

Acting outside the official Debian Project, if I wrote a straightforward spy program to surreptitiously upload the contents of your home directory and of your /var/log/ to my host every night at 2 a.m., automatically connecting to the network for that purpose; if I gave you this package and, despite APT's warning to you that the package lacked an official Debian signature, you nevertheless chose to install it; then no security barrier would remain. Literally nothing in the Debian system would protect you. The digital signature is the line of defense.

So, this raises a larger question: how does Debian stop its Developers from preparing, signing and uploading malicious software packages?

DEBIAN DEVELOPERS

Every package Debian distributes has been digitally signed and uploaded by an official, known Debian Developer. There are about 1000 Debian Developers; none is anonymous; all except in a few exceptional cases have been met and verified by the Debian Project in person, face-to-face; none is admitted until requirements have been met and a probation period has been filled. This is good enough a procedure for Google and Steam to run their servers off Debian. Whether it is good enough for you is for you to judge. Debian's personnel system has remained effective for over 20 years but is not theoretically impossible to breach. (Indeed, if I may digress, it is an interesting question whether major state intelligence services have patiently embedded agents as Debian Developers! This is just speculation, for no such instance is known, but it occurs to me that it would probably constitute spy malpractice if major state intelligence agencies had not done so. Debian has no effective procedures of which I know to combat this hazard—except that the source code is all open, so if the embedded agent, having been activated by his chief, began uploading malicious code, well, once the malicious code were detected by any user who submitted a security report, the code would be traced by the Debian Project back to the agent within a matter of hours. So, unless wholly passive, the agent would have to be careful. But that is enough digression. Let us return to the topic.)

If an alternate, effective, more secure way of doing things were known, the Debian Project would probably be using it.

NETWORK INTERFACES AND AUTOMATIC ACCESS

Okay, so let's assume that you trust the corps of Debian Developers. If you install a package like Exim4, whose purpose is to provide and exercise Internet services automatically, then you must expect that the package will use a network interface if a network interface is active. However, Exim4 will not activate a network interface itself.

Of course, there are packages like network-manager and ifupdown whose principal purpose is precisely to activate and deactivate network interfaces. The former will automatically activate a network interface in connection with the use of a graphical desktop, so you might uninstall network-manager if this is a concern.

However, if there exists a Debian package whose principal purpose is other than to activate and deactivate network interfaces, which nevertheless activates and deactivates interfaces, I have never heard of it.

THE DEBIAN MINDSET

All the above is to let you know that Debian Developers overwhelmingly think like you do about this. They don't want their systems connecting to the network without their knowledge any more than you do. Indeed, they usually don't want their systems even accessing an active network connection unexpectedly. On the other hand, there is a lot of software available in Debian—most of which was written upstream by persons who are not themselves Debian Developers—and there is no formal Debian policy to prohibit a particular package from automatically contacting an upstream server for some suitable purpose. (For what suitable purpose? Say, to access an online documentation wiki when the user presses the F1 key.)

Debian Developers just don't package software that sneakily tracks the user. There isn't a formal policy, but this is because no one in Debian even thinks that sneakily tracking the user might be an okay thing to do.

And since the Debian Project is not a for-profit business, there exists no motive to corrupt Debian in this respect.

PARTIAL EXCEPTIONS

Now, there are a few packages that are openly designed, and advertised, for automatic background access and reporting (but not automatic background connection). If you install these packages, and if a network interface is active, then you get the automatic functionality you have installed. The most significant examples of which I know are the packages popularity-contest and unattended-upgrades. Also, in your configuration file /etc/apt/sources.list may be entries to fetch security updates and volatile updates. Delete these (as I have done on one machine I own) and those updates won't happen.

REMARKS

So, Debian is fundamentally not a system like Android. Unlike Android, Debian is not designed to restrict and control unvetted apps. Debian depends on trust in the Developer who has signed a package. Twenty years of experience suggest that the trust is well placed, but, at any rate, that is how the system works.
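
The three things the answer above names can be checked from a shell: root-owned setuid executables (the `s` in `-rwsr-xr-x`), active `sources.list` entries that fetch security or `-updates` suites, and whether popularity-contest or unattended-upgrades is installed. This is an added example, not part of the original answer; the function names are hypothetical and all sample listings are constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; all sample data is constructed.

# stdin: `ls -l` lines. Prints root-owned files whose 4th mode character is
# s or S, i.e. the setuid bit the answer points out on /usr/sbin/exim4.
setuid_root_from_ls() {
    awk '$3 == "root" && substr($1, 4, 1) ~ /[sS]/ { print $NF }'
}

# stdin: sources.list text. Prints "URI SUITE" for active entries that fetch
# security or *-updates suites; commented-out lines are ignored.
update_sources() {
    awk '$1 == "deb" || $1 == "deb-src" {
        i = 2
        if ($i ~ /^\[/) { while (i < NF && $i !~ /\]$/) i++; i++ }  # skip [options]
        if ($i ~ /security/ || $(i + 1) ~ /(-|\/)updates$/) print $i, $(i + 1)
    }'
}

# stdin: output of dpkg-query -W -f='${Package} ${Status}\n'. Prints the two
# background-reporting packages the answer names, if fully installed.
background_reporters() {
    awk '$2 == "install" && $3 == "ok" && $4 == "installed" &&
         ($1 == "popularity-contest" || $1 == "unattended-upgrades") { print $1 }'
}

# Constructed sample inputs (sizes, dates and the alice entry are made up).
SAMPLE_LS='-rwsr-xr-x 1 root root 1085300 Jun 14  2016 /usr/sbin/exim4
-rwxr-xr-x 1 root root  118280 Mar 14  2015 /bin/ls
-rwsr-xr-x 1 alice alice   9000 Sep 10  2016 /home/alice/tool'
SAMPLE_SOURCES='deb http://ftp.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main
# deb http://ftp.debian.org/debian jessie-updates main
deb [arch=amd64] http://ftp.debian.org/debian jessie-updates main'
SAMPLE_DPKG='popularity-contest install ok installed
unattended-upgrades deinstall ok config-files
exim4 install ok installed'

printf '%s\n' "$SAMPLE_LS"      | setuid_root_from_ls
printf '%s\n' "$SAMPLE_SOURCES" | update_sources
printf '%s\n' "$SAMPLE_DPKG"    | background_reporters
```

On a live system, feed the functions real input instead of the samples, for example `update_sources < /etc/apt/sources.list` and `ls -l /usr/sbin | setuid_root_from_ls`.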
