posted by janrinok on Wednesday August 03 2016, @03:53PM   Printer-friendly
from the AC's-dream dept.

Tails Linux 2.5 is out (Aug 2, 2016).

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.

It is a complete operating system designed to be used from a DVD, USB stick, or SD card independently of the computer's original operating system. It is Free Software and based on Debian GNU/Linux.

Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc.

Announcements:
https://tails.boum.org/news/version_2.5/index.en.html
https://twitter.com/Tails_live/status/760516381905448968
https://mailman.boum.org/pipermail/amnesia-news/2016-August/000110.html
https://twitter.com/torproject/status/760516806587117568

  • (Score: 3, Insightful) by melikamp on Wednesday August 03 2016, @06:01PM

    by melikamp (1886) on Wednesday August 03 2016, @06:01PM (#383695) Journal

    A lot, and Tails project appears to be willfully blind to the issue. They distribute closed-source blobs within Linux kernel, and when I tried to get them to evaluate the risk of distributing spyware, they flatly refused to discuss the subject at all.

    https://mailman.boum.org/pipermail/tails-support/2016-March/000345.html [boum.org]

    Personally, I cannot recommend Tails to anyone seeking elevated privacy of communications. The dev team does not seem to understand what privacy is, or is just oblivious about risk assessment.

  • (Score: 2) by butthurt on Wednesday August 03 2016, @07:29PM

    by butthurt (6141) on Wednesday August 03 2016, @07:29PM (#383725) Journal

    [...] when I tried to get them to evaluate the risk of distributing spyware, they flatly refused to discuss the subject at all.

    No one quantified the risk. However, someone with a boum.org e-mail address did respond: [boum.org]

    We have actual users. If they can't use Tails on their current, real-world hardware, then likely they'll use something else, that has just the same amount of binary firmware blobs, except it won't have any of Tails properties that some people find worthwhile.

    There used to be something called Anonym.OS which was like Tails, but based on OpenBSD. The OpenBSD project at the time (and still, I assume) did not include closed-source drivers.

    https://en.m.wikipedia.org/wiki/Anonym.OS [wikipedia.org]

    I'm not aware of any OS similar to Tails that is actively maintained.

    When one has a choice in the matter, choosing hardware for which there are open-source drivers will obviate the need for proprietary drivers. Hence they won't be loaded.

    • (Score: 2) by melikamp on Thursday August 04 2016, @12:14AM

      by melikamp (1886) on Thursday August 04 2016, @12:14AM (#383832) Journal

      OpenBSD has the same problem as Linux: it distributes non-free, sourceless firmwares. Last time I personally checked there was at least one such network driver within the base install. I maintain that some of these network blobs already contain spyware, and that all of them should be regarded as containing malware. In the modern legal climate, when the law enforcement insists on backdoors, and prosecutors go after reverse engineers rather than actual crackers like SONY and Amazon, who break into millions of computers in broad daylight, it is crazy to suppose these blobs are spyware-free. Tails devs, just like many other parties ostensibly concerned with user privacy and security, apparently think this argument is rubbish (alternatively, they are in cahoots with the spies). In my personal view, they are deceiving their users, not just themselves, and no one is safe using their products.

      A member of Tails dev team indeed replied to me, and you posted a relevant quote. This does not address any of my questions, though, it just explains, the best I can tell, that their users do not care, so Tails devs do not care either. That is fine, but I still think Tails devs should know better than their users about privacy and security, but it appears they do not, or maybe they think Tails popularity is more important than informing users that their kernel is compromised by multiple malevolent parties on day 0. This is flagrant incompetence at best, and with respect to their main goal, too.

      My advice to privacy seekers, stick with free+libre software.

      • (Score: 2) by butthurt on Thursday August 04 2016, @01:19AM

        by butthurt (6141) on Thursday August 04 2016, @01:19AM (#383865) Journal

        OpenBSD has the same problem as Linux: it distributes non-free, sourceless firmwares.

        You may be right--I haven't personally checked. Do you recall which driver it is that has the binary blob? A 2006 On Lamp article said:

        OpenBSD attempts to convince vendors to release documentation and often reverse-engineers around the need for blobs. OpenBSD remains blob-free.

        --http://www.onlamp.com/pub/a/bsd/2006/04/27/openbsd-3_9.html [onlamp.com]

        [...] it [is] crazy to suppose these blobs are spyware-free.
        [...]
        My advice to privacy seekers, stick with free+libre software.

        The blobs, as I said, are loaded only on hardware that requires them. If we choose hardware that doesn't require loadable firmware or a closed-source driver, that hardware may instead have closed-source firmware that is burned into a ROM; it too may harbour malware. The Talos Secure Workstation [raptorengineering.com] comes with "schematics and libre (fully open and auditable) firmware" but is costly. Richard Stallman uses an old Thinkpad [stallman.org] with an open-source BIOS; it may well have non-free firmware in ROM.
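One way to check, on a running Linux system, which firmware files the hardware actually requested is to read the kernel log. This is an added example, not part of the original comments or of Tails; the sample log lines are constructed, and the two message formats it matches (the Debian-style `firmware: direct-loading firmware ...` / `firmware: failed to load ...` and the upstream `Direct firmware load for ... failed with error ...`) are assumptions about the kernel in use.

```python
import re
import sys

# Constructed sample kernel log lines (not taken from the page).
SAMPLE_LOG = """\
[    3.101] r8169 0000:02:00.0: firmware: direct-loading firmware rtl_nic/rtl8168e-3.fw
[    4.220] iwlwifi 0000:03:00.0: firmware: failed to load iwlwifi-6000g2a-6.ucode (-2)
[    4.221] iwlwifi 0000:03:00.0: Direct firmware load for iwlwifi-6000g2a-5.ucode failed with error -2
[    4.900] e1000e 0000:00:19.0 eth0: Intel(R) PRO/1000 Network Connection
[    5.012] rt2800usb 1-1.2:1.0: firmware: direct-loading firmware rt2870.bin
"""

# Optional "[timestamp]", then "<driver> <device>: " in front of the message.
HEAD = r"^(?:\[[^\]]*\]\s*)?(?P<driver>\S+) (?P<device>\S+): "
PATTERNS = [
    ("loaded", re.compile(HEAD + r"firmware: direct-loading firmware (?P<blob>\S+)")),
    ("missing", re.compile(HEAD + r"firmware: failed to load (?P<blob>\S+) \(-?\d+\)")),
    ("missing", re.compile(HEAD + r"Direct firmware load for (?P<blob>\S+) failed with error -?\d+")),
]


def firmware_events(log_text):
    """Return sorted (status, driver, device, blob) tuples found in a kernel log."""
    events = set()
    for line in log_text.splitlines():
        for status, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                events.add((status, m["driver"], m["device"], m["blob"]))
                break
    return sorted(events)


def blobs_by_status(log_text):
    """Group blob names: 'loaded' ran on a device, 'missing' was requested but absent."""
    events = firmware_events(log_text)
    loaded = sorted({blob for status, _, _, blob in events if status == "loaded"})
    # A blob that failed once but loaded later is reported as loaded only.
    missing = sorted({blob for status, _, _, blob in events
                      if status == "missing" and blob not in loaded})
    return {"loaded": loaded, "missing": missing}


if __name__ == "__main__":
    # Pipe a real kernel log in (e.g. from dmesg); otherwise use the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for status, driver, device, blob in firmware_events(text):
        print(f"{status:8} {driver:10} {device:14} {blob}")
```

An empty result means no driver asked for loadable firmware during that boot; it says nothing about firmware stored in ROM on the device itself.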

        • (Score: 2) by melikamp on Thursday August 04 2016, @01:56AM

          by melikamp (1886) on Thursday August 04 2016, @01:56AM (#383882) Journal

          For OpenBSD, see /etc/firmware/atu-license in base. The word "blob" has no strict meaning, and OpenBSD people seem to use it to mean main CPU binary, hence their claim is OK, while they still distribute non-free, sourceless software. Actually, if you look at Atmel license carefully, it says that you cannot distribute in source, so reverse-engineering is pointless.

          What you say about device use is true, and we all make compromises and even RMS uses other people's spy-phones. What RMS doesn't do is he doesn't distribute non-free, sourceless privacy software to others, while telling them it is the state of the art.

  • (Score: 2) by frojack on Thursday August 04 2016, @12:10AM

    by frojack (1554) on Thursday August 04 2016, @12:10AM (#383830) Journal

    I found it an interesting thread to read. Especially because it was close to home for a software product I worked on in a former job.

    The package used encrypted communications links over untrusted networks. It handled large financial transactions and transmitted account numbers and authentication data, etc.

    When asked about the encryption, we would provide the design documents and our source code of the encryption routines, and references to the books written by experts stating exactly how to do this type of encryption.

    But in the end, our product ran on Windows machines, and we were a small shop without a PhD in sight. We were not going to roll our own, and our routines all ended up calling Windows crypto-APIs to do the actual encryption.

    And we told customers this, and showed the customers our code. We demonstrated that we did our part correctly and carefully. Then handed it off to Windows APIs. Clear text in. Gibberish out. Gibberish in. Clear text out.

    Did we trust the Windows crypto library? No of course not. And even if we did, it's Windows for Christ sake! Could we rewrite Windows? No. Would they replace Windows? No.

    We never got to the point of talking about hardware or binary blobs. What would be the point? What possible route around those is there?

    In the end we simply stated we used the best crypto that Microsoft had to offer, and we did it by the book. We left it at that.
    What more can a small programming team do?

    In the end, you are a fish, swimming in a barrel. You can zig and zag, but you are still in a barrel not of your making.

    The software was quite successful and sold well. They still sell it today.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Interesting) by melikamp on Thursday August 04 2016, @12:29AM

      by melikamp (1886) on Thursday August 04 2016, @12:29AM (#383842) Journal

      Absolutely, there is often room for compromise, and additional layers of security are not a waste, even in the face of total insecurity elsewhere. But what drives me bananas about projects like Tails (serving blobs) or Tor (serving a Windoze client) is their refusal to even acknowledge this is terrible. All they have to do is write on their website with big red letters:

      The Windows client is provided, but it's next to useless, since Windows rats out your every move.

      The default Linux kernel is probably compromised, please use Linux-libre kernel if your hardware supports it. (Incidentally, Tails does not support Linux-libre, even though it would be trivial for a project that big.)

      They are not even selling a product, they got nothing to lose except committed non-free software users who already gave up their privacy anyway. But when I talked to either team, I was more or less stonewalled: none of this seems to concern them. Unless they really are oblivious to these issues, they must know their product has terrible deficiencies, but they will not admit it to their users.