Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday April 20 2017, @09:04PM   Printer-friendly
from the choose-your-headphones-wisely dept.

The Tails project announced the release of version 2.12 of the operating system which focuses on "privacy and anonymity."

The new version includes Gnome Sound Recorder, removes I2P, runs on version 4.9.13 of the Linux kernel, and as per usual remedies "numerous security holes" in the previous release. Distro Watch has additional coverage.

Related story:
TAILS 2.11: The Last Release to Support the I2P Anonymizing Network


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Insightful) by Anonymous Coward on Thursday April 20 2017, @11:18PM (14 children)

    by Anonymous Coward on Thursday April 20 2017, @11:18PM (#497113)

    and as per usual remedies "numerous security holes" in the previous release.

    And we're supposed to trust this for security? lololol

    Starting Score:    0  points
    Moderation   +1  
       Troll=1, Insightful=1, Touché=1, Total=3
    Extra 'Insightful' Modifier   0  

    Total Score:   1  
  • (Score: 1, Funny) by Anonymous Coward on Friday April 21 2017, @12:14AM (8 children)

    by Anonymous Coward on Friday April 21 2017, @12:14AM (#497131)
    As opposed to what? Proprietary software whose bugs are fixable only by the developers when they can be arsed to do it? Proprietary software which can’t be examined not just for bugs but for actual malign behaviour, and whose security guarantee is basically: “trust us”?
    • (Score: 2) by melikamp on Friday April 21 2017, @12:31AM (7 children)

      by melikamp (1886) on Friday April 21 2017, @12:31AM (#497143) Journal

      Good point. Tails is done by people who seem to believe that user privacy & security is compatible with non-free software, which they happily redistribute. They are also liars, claiming that Tails is free software according to FSF, which FSF expressly denies. We can be sure it's not a mistake, but a defiant lie, since I reported this bug a year ago, and reported it again just a few weeks ago, and Tails stonewalled it completely.

      https://tails.boum.org/ [boum.org] - free software claim, which takes you to
      https://tails.boum.org/doc/about/license/index.en.html [boum.org] - "free software" link to FSF definition
      https://www.gnu.org/distros/common-distros.en.html#Tails [gnu.org]

      Luckily, there's now a Heads project, which is a Tails counterpart aiming for actual user privacy & security.

      https://heads.dyne.org/ [dyne.org]

      • (Score: 3, Interesting) by butthurt on Friday April 21 2017, @01:42AM (5 children)

        by butthurt (6141) on Friday April 21 2017, @01:42AM (#497168) Journal

        At your third link (GNU site) I read:

        Tails uses the vanilla version of Linux, which contains nonfree firmware blobs.

        At your second link (Tails project site):

        However, Tails includes non-free firmware in order to work on as much hardware as possible.

        ...so they've disclosed that. If they would say "except for the non-free firmware included, Tails is free software" rather than "Tails is free software, however it includes non-free firmware" they would be telling the truth. Would it compromise your anonymity to direct us to your bug report on the topic? If you expressed yourself there in the same tone as you have here, that may be the reason your concern--which is obviously valid--wasn't properly addressed.

        • (Score: 3, Informative) by melikamp on Friday April 21 2017, @02:06AM (4 children)

          by melikamp (1886) on Friday April 21 2017, @02:06AM (#497177) Journal

          I didn't say they didn't disclose blobs, I said their front page is lying to their users. They know it is factually incorrect, but they choose not to fix it, and they refuse to discuss it. My tone was and is irrelevant: they should have fixed this bug regardless, for the sake of their users and potential users who are looking at their front page, the moment they became aware of it, because what they are saying is incorrect. And since they know they falsely claim that they are free software by FSF's definition, it's a lie, regardless of my tone.

          I am not saying this because I have a grudge against them or something, I really don't give a flying fuck what they do at this point, unless they fix these issues, which I would applaud. I am just warning current and potential users of Tails about two simple facts: the project leadership is incompetent (blobs for privacy!), and is OK with lying to users with big bold letters on the front page. My original inquiry:

          https://mailman.boum.org/pipermail/tails-support/2016-March/000345.html [boum.org]

          And by the way, if you think my tone is at fault, please, take a few minutes out of your busy schedule and report this bug properly. This would wipe my nose, no? I would be quite glad if this bug was fixed, regardless of how, but they literally won't talk to me no more, and they never had. They absolutely refused to comment on either issue, do you see?

          https://labs.riseup.net/code/issues/5393#note-10 [riseup.net]

          • (Score: 2) by Scruffy Beard 2 on Friday April 21 2017, @09:07AM (1 child)

            by Scruffy Beard 2 (6030) on Friday April 21 2017, @09:07AM (#497311)

            Maybe the blobs don't need malware because modern systems are inherently insecure, regardless.

            If I wanted to add a back-door to a NIC, I would have it listen for a 128bit number (hashed with the MAC address), and then read any instructions from the payload. As a bonus, you can require cryptographic signatures as well: but that would probably at least double the footprint of the malware portion of the image.

            • (Score: 3, Informative) by melikamp on Saturday April 22 2017, @05:26AM

              by melikamp (1886) on Saturday April 22 2017, @05:26AM (#497798) Journal
              I totally agree, and given the miniaturization trend, we can now expect any amount of code even in a tiny spec of silicon. Our #1 concern should be a fully free stack that can 3d-print general-purpose 3d-printers, which can print computers, among other things.
          • (Score: 2) by butthurt on Friday April 21 2017, @08:55PM (1 child)

            by butthurt (6141) on Friday April 21 2017, @08:55PM (#497584) Journal

            > They absolutely refused to comment on either issue, do you see?

            Thank you for the links. In the mailing list discussion I see replies from two writers, "intrigeri" and "ForgottenBeast" who have addresses at boum.org and riseup.net. I would assume that those are members of the project (because the project's Web sites are on those hosts).

            https://mailman.boum.org/pipermail/tails-support/2016-March/000347.html [boum.org]
            https://mailman.boum.org/pipermail/tails-support/2016-March/000361.html [boum.org]
            https://mailman.boum.org/pipermail/tails-support/2016-March/000372.html [boum.org]
            https://mailman.boum.org/pipermail/tails-support/2016-March/000380.html [boum.org]

            • (Score: 2) by melikamp on Saturday April 22 2017, @02:19AM

              by melikamp (1886) on Saturday April 22 2017, @02:19AM (#497738) Journal

              I don't know whether ForgottenBeast is affiliated with Tails, but his answer does not address my question. I asked them for an estimate of the amount of malware they distribute, and he told me that an actively and massively exploited backdoor would have probably been detected fast. I tend to agree, but it does nothing to answer my question.

              With his last post intrigeri explicitly refused to issue any comment whatsoever.

              It's an implicit wontfix, or so it seems to me. I would even say, they actually seem to believe the risk is zero, and there is no malware or (reported to law enforcement) zero-days in those blobs, but for some reason they also refuse to state that explicitly :)

      • (Score: 2) by hemocyanin on Friday April 21 2017, @07:44AM

        by hemocyanin (186) on Friday April 21 2017, @07:44AM (#497297) Journal

        Thank you, very interested in heads.

  • (Score: 3, Insightful) by frojack on Friday April 21 2017, @12:30AM (4 children)

    by frojack (1554) on Friday April 21 2017, @12:30AM (#497142) Journal

    You know what Admiral Akbar said.....

    I'm beginning to think Tails is just flypaper. A new release every month, because the old one is full of flies (bugs).

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 1, Offtopic) by butthurt on Friday April 21 2017, @01:59AM (3 children)

      by butthurt (6141) on Friday April 21 2017, @01:59AM (#497173) Journal

      In the summary, I gave a hyperlink to the list of bugs that were corrected. Like a typical Linux distribution, Tails is largely cobbled together from software developed by others. The first 12 bugs were in that software, and the last 2 were specific to Tails itself. Had they simply cobbled together the third-party software without making any mistakes, there still would have been reason for the update. What would you have them do differently, or what alternative do you deem more secure?

      • (Score: 0) by Anonymous Coward on Friday April 21 2017, @06:48AM (2 children)

        by Anonymous Coward on Friday April 21 2017, @06:48AM (#497270)

        The problem is that we are in the era of misinformation, spies, lies and hacking. Tails is being advocated as the one-stop privacy solution which paradoxically makes it suspect. One of the main problems is the pace at which software is changed, you can't guarantee that vulnerabilities aren't introduced with any given patch.

        I feel like we've reached a point where we can stop relying on the latest new-shiny features and should really start focusing on creating secure software that stops changing. For example, systemd. A massive new codebase that is constantly changing and affects the core functionality of linux systems. Sure it makes things easier, but for a secure distro it should be avoided for the next decade until it can be more properly vetted.

        • (Score: 2) by kaszz on Friday April 21 2017, @10:19AM (1 child)

          by kaszz (4211) on Friday April 21 2017, @10:19AM (#497326) Journal

          The BIG problem is that new hardware requires new code and so does demands for new ways to handle resources. Get rid of hardware changes and user demands for new-shiny and you will eventually have your fully open sourced machine.
          And at least mobile machines eventually wear out and need replacement.

          Any tip on a ARM and x86 machine where firmware, BIOS code, and system layout is fully documented and completely which is auditable?

          • (Score: 0) by Anonymous Coward on Friday April 21 2017, @01:19PM

            by Anonymous Coward on Friday April 21 2017, @01:19PM (#497376)

            Yes, lets stopping trying to improve things. The horse-drawn carriage was the pinnacle of transportation vehicles.