Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Friday September 23 2016, @12:55AM   Printer-friendly
from the time-for-ACs-to-update dept.

Release 2.6 of TAILS (The Amnesic Incognito Live System) has been announced: https://blog.torproject.org/blog/tails-26-out.

TAILS is believed to be one of the most secure ways currently in use on the internet of protecting your identity, although it is possible to compromise information if it is used used incorrectly.

Their home page is https://tails.boum.org/


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by Anonymous Coward on Friday September 23 2016, @12:57AM

    by Anonymous Coward on Friday September 23 2016, @12:57AM (#405354)
    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @01:20AM

      by Anonymous Coward on Friday September 23 2016, @01:20AM (#405370)

      You provided a service to you fellow human beings, have a bump...

      • (Score: 2) by JNCF on Friday September 23 2016, @02:37AM

        by JNCF (4317) on Friday September 23 2016, @02:37AM (#405391) Journal

        >>405370
        >have a bump

        That's not how this comment system works, /b/tard.

        • (Score: 2, Touché) by DannyB on Friday September 23 2016, @02:40PM

          by DannyB (5839) Subscriber Badge on Friday September 23 2016, @02:40PM (#405553) Journal

          I think /var/opt/tard would not pollute the top level name space with "b".

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 5, Informative) by melikamp on Friday September 23 2016, @05:22AM

    by melikamp (1886) on Friday September 23 2016, @05:22AM (#405431) Journal

    TAILS is believed to be one of the most secure ways currently in use on the internet of protecting your identity, although it is possible to compromise information if it is used used incorrectly.

    At the same time, TAILS is known to distribute a kernel containing proprietary & closed source software, including but not limited to network adapter firmware, which almost certainly contains spyware. Their development team is known [boum.org] to have no opinion on whether this issue poses a security risk; they refuse to even discuss this topic, let alone warn their users, or provide an option of running something like Linux-libre. A system with network-facing non-free component is not secure by any stretch of imagination, unless we are talking about the security of parties which are hostile to OS users. To claim that an OS aims at preserving privacy, as TAILS does, is a bold-faced lie in the presence of these blobs. Users are better off using something like the free version of Debian, or better yet, anything approved by FSF, on pure technical grounds. What they say is either a lie or a show of utmost incompetence in all things security.

    • (Score: 2) by butthurt on Friday September 23 2016, @07:54AM

      by butthurt (6141) on Friday September 23 2016, @07:54AM (#405457) Journal

      Why do you write "almost certainly contains spyware" rather than "could conceivably contain spyware"?

      • (Score: 3, Insightful) by melikamp on Friday September 23 2016, @02:59PM

        by melikamp (1886) on Friday September 23 2016, @02:59PM (#405558) Journal
        Because distributing spyware is legal and profitable, and the law enforcement around the world encourages it, as long as they get the digest. Everyone is doing it: Microsoft, Apple, Google, Facebook, and every app maker. Only an idiot wouldn't do.
        • (Score: 2) by butthurt on Friday September 23 2016, @11:36PM

          by butthurt (6141) on Friday September 23 2016, @11:36PM (#405763) Journal

          > Because distributing spyware is legal [...]

          In what country is it legal to do so without informed consent?

          Attempting or gaining access to someone's computer without their consent or knowledge is criminally illegal according to computer crime laws, such as the United States Computer Fraud and Abuse Act and the United Kingdom's Computer Misuse Act.

          --http://www.spamlaws.com/spyware-laws.html

          > Everyone is doing it: Microsoft, Apple, Google, Facebook, and every app maker.

          You seem to have changed the subject to spyware in general, including software that is installed with informed consent.

          The concern you initially raised was about loadable firmware in the Linux kernel, as used in Tails, spying upon people without their consent. Certainly it's possible, but do you know of even one example of that?

    • (Score: 4, Interesting) by janrinok on Friday September 23 2016, @08:36AM

      by janrinok (52) Subscriber Badge on Friday September 23 2016, @08:36AM (#405467) Journal

      which almost certainly contains spyware

      Which is the same as saying you don't actually know that it contains spyware.

      to be one of the most secure ways

      It doesn't claim that it is totally secure, so it might be that your criticism is justified. However, it is one of the most secure OS because it does prevent you from compromising your data or personal information in lots of ways. Are you able to name a more secure OS?

      You are free to monitor the data passing into and out of your system in order to detect the 'spyware' communicating with another system using suitable software such as Wireshark etc. Many people do just this. None have made any claims supported by evidence that such software is operating. By all means continue to use your OS of choice - be it a BSD, another version of Linux or (giggle) Windows. While most of these suggestions have some merit, using TAILS is perhaps the easiest for most people to set up and use.

      You linked to the boum.org mailing list [boum.org] to provide corroboration of your claims. The link is an email submitted to the list claiming the very same assertions that are made here. I can only speculate as to whether you are one and the same submitter. However, it is worth considering the responses that the questions received:

      We have actual users. If they can't use Tails on their current, real-world hardware, then likely they'll use something else, that has just the same amount of binary firmware blobs, except it won't have any of Tails properties that some people find worthwhile.

      I found the entire sequence of email exchanges far more informative than your assertion in the comment here. I encourage others to read them before adding to this particular thread. Software drivers are used throughout the software industry but no-one has yet substantiated a claim that TAILS is being compromised by such software.

      Please make a submission with your own preferred way of providing a high level of anonymity and security using an OS of your choice. I can accept that you do not want to use TAILS or Linux, and we are not suggesting that you should, but if you have a better working solution then please share it with us so that others can benefit from it. I can almost guarantee that such a submission will hit the front page and the community will gladly discuss the benefits (or otherwise) of your solution.

      • (Score: 3, Interesting) by butthurt on Friday September 23 2016, @12:06PM

        by butthurt (6141) on Friday September 23 2016, @12:06PM (#405496) Journal

        We discussed this last month. I wrote something incorrect about OpenBSD and didn't bother to post a correction.

        https://soylentnews.org/comments.pl?sid=14828&threshold=-1&commentsort=0&mode=improvedthreaded&cid=383634#commentwrap [soylentnews.org]

        Anyway, OpenBSD doesn't, in my estimation, attain the standard the OP wants upheld in regard to "binary blobs." There are operating systems that do, Trisquel for example. As I mentioned last month, I don't know of other operating systems besides Tails that have an emphasis on anonymity. One would be left to one's own devices in configuring a general-purpose operating system for anonymity. That could be prone to error.

        The "hardware that [has] been compromised by design" that AC #383634 mentioned is commonplace. Malicious firmware can be permanently burned in a ROM. It doesn't have to be loadable from a "binary blob." Both situations ought to be addressed if one wants open, auditable, trustworthy hardware.

        • (Score: 2) by janrinok on Friday September 23 2016, @12:30PM

          by janrinok (52) Subscriber Badge on Friday September 23 2016, @12:30PM (#405500) Journal

          Agreed. I'm not sure you realise that I was replying to the OP, not to your post. However, he might have a specially configured version of, say, OpenBSD which is using TOR at all times and from which he has stripped all closed source drivers. Maybe, .... or maybe not. Like you, I suspect that he has nothing better to offer. If he has then I would like to try it.

          I have tried Trisquel but I didn't like it very much. Nothing wrong with it but my way of working and it did not get along.

          • (Score: 1) by butthurt on Friday September 23 2016, @11:49PM

            by butthurt (6141) on Friday September 23 2016, @11:49PM (#405768) Journal

            I didn't think you were replying to my post. I mainly wanted to inform you that exactly the same concern had been raised and discussed before.

      • (Score: 4, Interesting) by melikamp on Friday September 23 2016, @03:21PM

        by melikamp (1886) on Friday September 23 2016, @03:21PM (#405565) Journal

        Which is the same as saying you don't actually know that it contains spyware.

        What is your point? If someone hands you a legal contract or a confession, which you can only sign without reading, you will sign it, right? Because you sure as hell have no evidence there's anything wrong with it, besides the fact you cannot read it? And what are you going to say when the same person who handed you that contract claims that one of his primary aims is transparency? And when you point out how ludicrous is this claim, he'll just shrug his shoulders and move on to chasing other clients, making the same false claims.

        TAILS may have some design elements which would make any OS more secure, but it is silly to believe TAILS is more secure than some of the libre distributions. The dev team does not seem to understand what "security" means: when compared to house security, what they do for your privacy is equivalent to drawing your window shades, all the while bugging your phone line. They are either incompetent, or they knowingly abuse users' trust in exchange for pop ratings. Since they chose to ignore my comments and my suggestions almost entirely, I am beginning to think it's the latter. I would not be criticizing them for their technical incompetence, but it's their attitude towards users that puts me over the edge.

        I already shared my solution: get them heads out of the sand, warn users with big red letters they are being fools using non-free drivers, and provide a libre option as default, with the intention of making it the only option down the road.

        • (Score: 2) by janrinok on Friday September 23 2016, @05:31PM

          by janrinok (52) Subscriber Badge on Friday September 23 2016, @05:31PM (#405628) Journal

          Well, your CPU 'could' contain a bomb! You cannot open your CPU chip and check that there isn't something tucked away in there. Are you going to throw your computer away? Or, perhaps, you will apply some commonsense and consider that no CPUs have been shown to explode, that some degree of measured response is perhaps justified until evidence to the contrary is found, and that the assertion that the CPU does contain a bomb is incorrect. Most sensible people have chosen the latter path.

          I note that your solution requires someone else to do the work to counter a claim that appears to be entirely unfounded. Have you got any evidence whatsoever of drivers in Linux compromising system security? Why don't you tell us what you do to ensure your security and privacy; do you really have a system that contains no drivers at all or have you personally written all the drivers that you require? Nobody has detected driver software in Linux in general or TAILS in particular 'phoning home'. TAILS themselves make no claim that software is perfectly secure. TAILS is, I contend, better than many other Linux distros and certainly better than any Microsoft offering.

          You are free to ignore TAILS' description of their software. But I think that it is quite misleading of you to suggest a speculative claim without any evidence to support it. And even if you are correct, others are perfectly entitled to continue to use TAILS for all of the other security features that it includes.

          get them heads out of the sand, warn users with big red letters they are being fools using non-free drivers, and provide a libre option as default, with the intention of making it the only option down the road.

          So how much do you contribute to these libre drivers that are so necessary? You must already use them in your own system, surely you have shared them, haven't you? There are thousands of items that require drivers and I'm sure all distributions would welcome someone who will write such things for the general good of internet users.

          • (Score: 2) by melikamp on Friday September 23 2016, @06:16PM

            by melikamp (1886) on Friday September 23 2016, @06:16PM (#405646) Journal

            Well, your CPU 'could' contain a bomb! You cannot open your CPU chip and check that there isn't something tucked away in there. Are you going to throw your computer away? Or, perhaps, you will apply some commonsense and consider that no CPUs have been shown to explode, that some degree of measured response is perhaps justified until evidence to the contrary is found, and that the assertion that the CPU does contain a bomb is incorrect. Most sensible people have chosen the latter path.

            Hahaha, that's cute. A wee little difference between a bomb and a spyware though is that bombs are actually illegal and won't fit in CPU, while spyware is expressly legal, encouraged and abused by the law enforcement, and will fit onto a CPU just fine. And yes, obviously I will use a CPU I cannot inspect if I have no other choice, but this is not what TAILS does. What they do is they advertize their OS onto users, and have the audacity to claim that their major goal is users' privacy.

            You keep saying I don't have support for my claim that network blobs very likely contain spyware and/or backdoors, even though I cite precendent over and over and over again: Google, Microsoft, Apple, Juniper, Facebook, SONY, Adobe, Amazon, every commercial cell phone manufacturer, every wireless provider, and the list goes on... They all openly distribute, use, and abuse spyware as we speak. To shift the burden of proof on me in this case is the pinnacle of naivete. This is like going back to 1850 and telling me I have to prove that each particular snake oil is ineffective before I can criticize the peddlers. If the network card manufacturer's deliberate decision to obscure the code does not raise a red flag for you, then you probably believe their excuses about guarding their "intellectual property". It's about time we stopped eating this shit. There is absolutely no sense in concealing the code which simply won't work or even be useful in any other device. The only conceivable reason for secrecy here is the surreptitious introduction of spyware and other malicious features.

            So how much do you contribute to these libre drivers that are so necessary?

            This is a personal attack, and it does not help your argument. No one can meaningfully contribute to libre drivers other than by reverse-engineering hostile hardware, and there are laws on the books against that.

            • (Score: 2) by janrinok on Friday September 23 2016, @07:09PM

              by janrinok (52) Subscriber Badge on Friday September 23 2016, @07:09PM (#405663) Journal

              even though I cite precedent over and over and over again

              Well, go on then, in Linux like I said, because we are discussing the TAILS OS. It is of little relevance to point out that Windows or a mobile phone has had a problem, TAILS is not designed to operate on either of those systems. And, although I have searched, I cannot find any substantiated claim that shows that binary blob malware has compromised a Linux system. It is theoretically possible, but so is a bomb in the CPU or hidden microphones on the motherboard. But there is no need to get into a panic about such possibilities because, so far, there is no evidence that they actually exist. So don't stop buying commercial motherboards or using your computer only in a sound-proofed room.

              This is a personal attack,

              Well, it is not intended as one. But, as you have obviously solved the problem for your own system by whatever means, please share it so that we can all benefit. Or is your warning of doom and gloom just conjecture?

              I've looked at your commenting history and it has usually been measured and reasonable. However, I cannot understand, nor can I accept at face value, your assertion that TAILS is the spawn of the devil and offers nothing to help users secure their information from most forms of monitoring. Of course, a large multi-billion dollar SIGINT organisation might be able to crack it for specific users, but if that is your enemy then you shouldn't be relying on TAILS alone. One time pads and additional counter-traffic-analysis techniques should also be employed as a minimum. But police forces or ISPs cannot spend that sort of money trying to identify what every TAILS user is downloading. Usually, there has to be a specific need for a SIGINT organisation to become involved. And, without evidence to the contrary, I suspect that most people can sleep soundly in their beds even if they are a regular TAILS user. They are certainly no worse off than any other Linux user who is probably using the same driver software.

              • (Score: 2) by melikamp on Saturday September 24 2016, @01:15AM

                by melikamp (1886) on Saturday September 24 2016, @01:15AM (#405793) Journal

                Man, they are not a spawn of the devil. I told them to their face, as you can read on baum.org, I respect their effort and believe there is a dire need for an OS with exactly the features they advertize. At the same time, I cannot simply walk by when their claims are in such disagreement with their practices. I try to limit my criticism to specific issues they have: Linux blobs, no alternative, no desire to educate their own users. I may be piling on the FUD gravy, OK, but it's about time the masses of users woke up to the very real shit-cake just below the gravy: claims of privacy and/or security are incompatible with nonfree software, and projects that still do not get it must be dragged through the mud in full public view. Only then we can hope for some positive change. Please consider also I am only after TAILS because there's real potential there, and I want this issue to get fixed, for the sake of their users, present and future. Heck, I'd probably start using TAILS myself.

                I understand all you say about the hardware, and I am very unhappy I cannot 3d-print my computers from free blueprints. I run a 100% libre OS, and I wish it was libre all the way down to electrons. But using nonfree hardware (or software) is totally different from passing it onto users, accompanied by false and/or misleading claims. It is far from clear just how risky or invasive the current blobs are, but the real issue here is that TAILS developers need to recognize a fatal fail in their methodology. Unlike you, they flatly refuse to assess these risks. You seem to believe the blobs are in fact safe and you say so, and back it up with arguments, while TAILS devs (self-proclaimed security/privacy specialists) flatly refused to discuss these questions.

                • (Score: 2) by janrinok on Saturday September 24 2016, @08:27AM

                  by janrinok (52) Subscriber Badge on Saturday September 24 2016, @08:27AM (#405885) Journal

                  While I think that your aims are laudable, I believe that they are misdirected. The problems with producing open source software drivers are many. Firstly, you mention the fact that reverse engineering is illegal in your own country. Fortunately, this appears to be limited to a very small number of countries and US law is not applicable in most places around the world. Secondly, manufacturers want to keep their competitive edge and thus are unwilling in many cases to reveal sufficient technical details to enable others to write the necessary drivers. While this is aimed at potential competitors it also prevents Linux devs from producing the most efficient drivers that are an equal to commercial offerings. Finally, no manufacturer is going to put any effort into writing drivers for older devices even if they can be persuaded to produce them for new products - which in itself is hard for them to do as there is little to no profit in it. But this isn't the fault of TAILS any more than it is the fault of any other particular distro. In order to work with the maximum number of devices, Linux (and Windows, Android etc) have to provide older drivers that are no longer supported. Directing your rather forthright questions at TAILS was, in my opinion, almost doomed to receive the response it did.

                  Any company being caught sending data via a means intended to be covert (at least outside of the US) would find themselves unable to justify their business strategy. The EU has very strong laws about sending unnecessary data about users, an act for which several companies have found themselves being heavily fined. Their business interests would also be significantly hit. Remember the Sony Rootkit? I don't suppose anyone will be in a hurry to emulate their disastrous attempts at planting unauthorised software on private computers. However, several security firms make some good money by monitoring exactly what is being sent via networks and I don't believe that any such attempt to send data via a network would remain undetected for very long. There is a theoretical risk but it has not been seen being used, and similar risks also exist in other firmware e.g. hard drive management software inside the drive itself. These risks are faced by all OS, and insisting the the TAILS' devs have their head in the sand is unjustified and unwarranted. There are plenty of other potential risks which the TAILS' devs can address and that is the reason for the 2.6 release.

                  If you were to create an action group to address the problem of closed source software you would have my support and, I suspect, the support of many in our community and the wider world. However, I do not think that you are helping your case by directing your comments to TAILS in particular, particularly as there is no evidence of any actual current risk from the drivers in question. Nevertheless, there will always be code inside your computer that you cannot inspect or control; CPU microcode, hard drive and graphics card firmware, hidden BIOS firmware etc. I agree that we should endeavour to replace as much as possible with open source, libre software but we are unlikely to ever achieve 100%. That doesn't mean we shouldn't try but it will take a lot more than pointing the finger at any particular distro.

  • (Score: 3, Funny) by DannyB on Friday September 23 2016, @02:43PM

    by DannyB (5839) Subscriber Badge on Friday September 23 2016, @02:43PM (#405554) Journal

    Isn't Windows 10 the most secure way to keep all of your personal information, habits, browsing history, photos private between just you and Microsoft*?

    * and Microsoft's carefully selected third party partners

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.