Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday April 20, @09:04PM   Printer-friendly
from the choose-your-headphones-wisely dept.

The Tails project announced the release of version 2.12 of the operating system which focuses on "privacy and anonymity."

The new version includes Gnome Sound Recorder, removes I2P, runs on version 4.9.13 of the Linux kernel, and as per usual remedies "numerous security holes" in the previous release. Distro Watch has additional coverage.

Related story:
TAILS 2.11: The Last Release to Support the I2P Anonymizing Network


Original Submission

Related Stories

TAILS 2.11: The Last Release to Support the I2P Anonymizing Network 6 comments

TAILS, The Amnesic Incognito Live System, is a privacy-centric Linux distro based on Debian.

Softpedia reports

Tails 2.11 [will] be the last [version] to ship with the I2P anonymizing network software. I2P 0.9.25 is included in Tails 2.11, and it's already a very old version. The decision was made because the Tails team don't have the time to maintain I2P in their distribution.

[...] Two new features have been added in today's Tails 2.11 release, namely a notification to inform users that the upcoming Tails 3.0 Live CD won't start on a very old computer with a 32-bit processor, as well as another notification which will warn you that the I2P software will be removed in the next version, Tails 2.12.

Tails 2.11 also comes with the Tor Browser 6.5.1 anonymous web browser, and includes a bunch of security fixes for the infamous local root privilege escalation (CVE-2017-6074) by disabling the dccp module. Additionally, Linux kernel 4.8.15 was installed to prevent the GNOME desktop environment from freezing on Intel GM965/GL960 GPUs.

[It also] addresses an issue with the Tor Browser that did not display the offline warning when attempting to open the local documentation of Tails, as well as a rare problem that caused automatic upgrades to be applied incorrectly.

Previous: TAILS 3.0 Will Require a 64-Bit Processor


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2, Interesting) by Anonymous Coward on Thursday April 20, @09:19PM (10 children)

    by Anonymous Coward on Thursday April 20, @09:19PM (#497065)

    What about the (confirmed from CIA leaks) security hole known as "systemd"?
    Oh mention that and you get banned from their IRC.

    • (Score: 0) by Anonymous Coward on Thursday April 20, @09:21PM

      by Anonymous Coward on Thursday April 20, @09:21PM (#497067)

      I get banned from IRC for mentioning I use xrdp because "it's not Linux enough."

    • (Score: 1, Interesting) by Anonymous Coward on Thursday April 20, @09:25PM (2 children)

      by Anonymous Coward on Thursday April 20, @09:25PM (#497072)

      There were two separate projects to either get in i2pd (c++ variant) or update the java i2p (same that has been in since pre-Snowden) both of which got shot down by the Tails project managers.

      At this point there have been discussions about instead creating a new darknet 'tails-like' distro to both replace it and provide both Tor and I2P network support without reliance on a probably compromised 'privacy' distribution.

      • (Score: 2) by butthurt on Friday April 21, @12:29AM (1 child)

        by butthurt (6141) on Friday April 21, @12:29AM (#497140) Journal

        > [...] two separate projects [...] got shot down [...]

        Where may we can read more about this?

        > [...] a new darknet 'tails-like' distro [...]

        A good starting point may be Whonix running within Qubes OS. You'd need to integrate I2P.

        https://www.qubes-os.org/doc/whonix/ [qubes-os.org]

        • (Score: 2) by Scruffy Beard 2 on Friday April 21, @05:37AM

          by Scruffy Beard 2 (6030) on Friday April 21, @05:37AM (#497255)

          Found an e-mail thread saying the was concern about undiscovered 0-days in the I2p software. Not entirely clear why I2P would get singled out though.

          [Tails-dev] What to do about I2P in Tails? [boum.org]

          So, the main goals I have in mind are:

            1. making it harder, for an attacker who compromises I2P running in
                  Tails, to upgrade their attack to anything non-I2P;

            2. making it harder, for someone attacking a Tails user's web
                  browsing over Tor, to take advantage of bugs in the I2P router
                  console;

            3. protecting the Tails users who don't intend to use I2P at all,
                  from vulnerabilities in I2P, by making it harder, for an attacker,
                  to start I2P in Tails, or to trick a user into doing it.

    • (Score: 0) by Anonymous Coward on Thursday April 20, @09:25PM (5 children)

      by Anonymous Coward on Thursday April 20, @09:25PM (#497073)

      Would love a source on that.

      • (Score: 1, Funny) by Scruffy Beard 2 on Thursday April 20, @10:04PM (4 children)

        by Scruffy Beard 2 (6030) on Thursday April 20, @10:04PM (#497087)

        In my brief searching, it looks like all of the publicly-available information is speculation.

        I guess systemd is so bad [agwa.name] that people are wondering if it is malice, rather than incompetence.

        • (Score: 0) by Anonymous Coward on Friday April 21, @02:37AM (3 children)

          by Anonymous Coward on Friday April 21, @02:37AM (#497189)

          Given the rapid scope creep and the rapid widespread adoption that is exactly what it seems like. Seems like a massively successful campaign, it won over the majority of users who don't see a problem. The lies about modularity (technically possible but practically not) and just about every weird core system replacement just scream takeover. I do hope I'm wrong, but for now I'm gonna do my best to avoid it.

          • (Score: 2) by Scruffy Beard 2 on Friday April 21, @02:52AM (2 children)

            by Scruffy Beard 2 (6030) on Friday April 21, @02:52AM (#497194)

            Even more creepy is Firefox requiring PulseAudio [mozilla.org] starting with version 52. Pulseaudio of course pulls in systemd.

            • (Score: 0) by Anonymous Coward on Friday April 21, @05:28AM

              by Anonymous Coward on Friday April 21, @05:28AM (#497251)

              On one hand it is creepy, on another hand Linux suffers from a fractured ecosystem that makes it hard for software to support. Firefox made a decision to bake DRM into their browser to support businesses like Netflix etc. who rely on securing content. So, is it all about making life easier for developers which incidentally makes it easier to compromise systems? Etc. etc. It is a tangled web (haha) and I sure wish we had some clarity.

              Ah well, I'll stick to my soap box and the marginal efforts to avoid the worst of it.

            • (Score: 0) by Anonymous Coward on Friday April 21, @10:11AM

              by Anonymous Coward on Friday April 21, @10:11AM (#497324)

              That "accidentally" is created by Poettered too.. just as that other CIA trojan called system'd according to the latest wiki something with holes ;)

              Maybe it's just so that if( any_stuff == Poettered ) { printf("You are compromised!\n"); }
              Which means Red Hat is also in the sphere of influence.
              And guess what.. the Chairman of Red Hat is a former Chairman of the Joint Chiefs of Staff.
              Bingo!

              And for Google..
              Google is owned by Alphabet Inc.
              That is chaired by Eric Schmidt since 2011.
              United States Secretary of Defense appointed Schmidt as DoD Innovation Advisory Board in 2016.
              And Schmidt has invested in The Groundwork and Timshel which in turn is associated with Hillary Clinton.
              Bingo!

              Accidentally NIST happens to get their elliptic curve wrong in 2004, hmm!

              See any trend here?

  • (Score: 0, Funny) by Anonymous Coward on Thursday April 20, @09:19PM (2 children)

    by Anonymous Coward on Thursday April 20, @09:19PM (#497066)

    Can't prove all the sexy moans are from underage girls!

    • (Score: 0) by Anonymous Coward on Thursday April 20, @09:22PM (1 child)

      by Anonymous Coward on Thursday April 20, @09:22PM (#497070)

      Chipmunk noises are totally hot.

      • (Score: 2) by bob_super on Thursday April 20, @10:35PM

        by bob_super (1357) on Thursday April 20, @10:35PM (#497096)

        That's what Japanese porn producers seem to think.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday April 20, @11:18PM (14 children)

    by Anonymous Coward on Thursday April 20, @11:18PM (#497113)

    and as per usual remedies "numerous security holes" in the previous release.

    And we're supposed to trust this for security? lololol

    • (Score: 1, Funny) by Anonymous Coward on Friday April 21, @12:14AM (8 children)

      by Anonymous Coward on Friday April 21, @12:14AM (#497131)
      As opposed to what? Proprietary software whose bugs are fixable only by the developers when they can be arsed to do it? Proprietary software which can’t be examined not just for bugs but for actual malign behaviour, and whose security guarantee is basically: “trust us”?
      • (Score: 2) by melikamp on Friday April 21, @12:31AM (7 children)

        by melikamp (1886) on Friday April 21, @12:31AM (#497143) Journal

        Good point. Tails is done by people who seem to believe that user privacy & security is compatible with non-free software, which they happily redistribute. They are also liars, claiming that Tails is free software according to FSF, which FSF expressly denies. We can be sure it's not a mistake, but a defiant lie, since I reported this bug a year ago, and reported it again just a few weeks ago, and Tails stonewalled it completely.

        https://tails.boum.org/ [boum.org] - free software claim, which takes you to
        https://tails.boum.org/doc/about/license/index.en.html [boum.org] - "free software" link to FSF definition
        https://www.gnu.org/distros/common-distros.en.html#Tails [gnu.org]

        Luckily, there's now a Heads project, which is a Tails counterpart aiming for actual user privacy & security.

        https://heads.dyne.org/ [dyne.org]

        • (Score: 3, Interesting) by butthurt on Friday April 21, @01:42AM (5 children)

          by butthurt (6141) on Friday April 21, @01:42AM (#497168) Journal

          At your third link (GNU site) I read:

          Tails uses the vanilla version of Linux, which contains nonfree firmware blobs.

          At your second link (Tails project site):

          However, Tails includes non-free firmware in order to work on as much hardware as possible.

          ...so they've disclosed that. If they would say "except for the non-free firmware included, Tails is free software" rather than "Tails is free software, however it includes non-free firmware" they would be telling the truth. Would it compromise your anonymity to direct us to your bug report on the topic? If you expressed yourself there in the same tone as you have here, that may be the reason your concern--which is obviously valid--wasn't properly addressed.

          • (Score: 3, Informative) by melikamp on Friday April 21, @02:06AM (4 children)

            by melikamp (1886) on Friday April 21, @02:06AM (#497177) Journal

            I didn't say they didn't disclose blobs, I said their front page is lying to their users. They know it is factually incorrect, but they choose not to fix it, and they refuse to discuss it. My tone was and is irrelevant: they should have fixed this bug regardless, for the sake of their users and potential users who are looking at their front page, the moment they became aware of it, because what they are saying is incorrect. And since they know they falsely claim that they are free software by FSF's definition, it's a lie, regardless of my tone.

            I am not saying this because I have a grudge against them or something, I really don't give a flying fuck what they do at this point, unless they fix these issues, which I would applaud. I am just warning current and potential users of Tails about two simple facts: the project leadership is incompetent (blobs for privacy!), and is OK with lying to users with big bold letters on the front page. My original inquiry:

            https://mailman.boum.org/pipermail/tails-support/2016-March/000345.html [boum.org]

            And by the way, if you think my tone is at fault, please, take a few minutes out of your busy schedule and report this bug properly. This would wipe my nose, no? I would be quite glad if this bug was fixed, regardless of how, but they literally won't talk to me no more, and they never had. They absolutely refused to comment on either issue, do you see?

            https://labs.riseup.net/code/issues/5393#note-10 [riseup.net]

            • (Score: 2) by Scruffy Beard 2 on Friday April 21, @09:07AM (1 child)

              by Scruffy Beard 2 (6030) on Friday April 21, @09:07AM (#497311)

              Maybe the blobs don't need malware because modern systems are inherently insecure, regardless.

              If I wanted to add a back-door to a NIC, I would have it listen for a 128bit number (hashed with the MAC address), and then read any instructions from the payload. As a bonus, you can require cryptographic signatures as well: but that would probably at least double the footprint of the malware portion of the image.

              • (Score: 3, Informative) by melikamp on Saturday April 22, @05:26AM

                by melikamp (1886) on Saturday April 22, @05:26AM (#497798) Journal
                I totally agree, and given the miniaturization trend, we can now expect any amount of code even in a tiny spec of silicon. Our #1 concern should be a fully free stack that can 3d-print general-purpose 3d-printers, which can print computers, among other things.
            • (Score: 2) by butthurt on Friday April 21, @08:55PM (1 child)

              by butthurt (6141) on Friday April 21, @08:55PM (#497584) Journal

              > They absolutely refused to comment on either issue, do you see?

              Thank you for the links. In the mailing list discussion I see replies from two writers, "intrigeri" and "ForgottenBeast" who have addresses at boum.org and riseup.net. I would assume that those are members of the project (because the project's Web sites are on those hosts).

              https://mailman.boum.org/pipermail/tails-support/2016-March/000347.html [boum.org]
              https://mailman.boum.org/pipermail/tails-support/2016-March/000361.html [boum.org]
              https://mailman.boum.org/pipermail/tails-support/2016-March/000372.html [boum.org]
              https://mailman.boum.org/pipermail/tails-support/2016-March/000380.html [boum.org]

              • (Score: 2) by melikamp on Saturday April 22, @02:19AM

                by melikamp (1886) on Saturday April 22, @02:19AM (#497738) Journal

                I don't know whether ForgottenBeast is affiliated with Tails, but his answer does not address my question. I asked them for an estimate of the amount of malware they distribute, and he told me that an actively and massively exploited backdoor would have probably been detected fast. I tend to agree, but it does nothing to answer my question.

                With his last post intrigeri explicitly refused to issue any comment whatsoever.

                It's an implicit wontfix, or so it seems to me. I would even say, they actually seem to believe the risk is zero, and there is no malware or (reported to law enforcement) zero-days in those blobs, but for some reason they also refuse to state that explicitly :)

        • (Score: 2) by hemocyanin on Friday April 21, @07:44AM

          by hemocyanin (186) Subscriber Badge on Friday April 21, @07:44AM (#497297)

          Thank you, very interested in heads.

    • (Score: 3, Insightful) by frojack on Friday April 21, @12:30AM (4 children)

      by frojack (1554) Subscriber Badge on Friday April 21, @12:30AM (#497142) Journal

      You know what Admiral Akbar said.....

      I'm beginning to think Tails is just flypaper. A new release every month, because the old one is full of flies (bugs).

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1, Offtopic) by butthurt on Friday April 21, @01:59AM (3 children)

        by butthurt (6141) on Friday April 21, @01:59AM (#497173) Journal

        In the summary, I gave a hyperlink to the list of bugs that were corrected. Like a typical Linux distribution, Tails is largely cobbled together from software developed by others. The first 12 bugs were in that software, and the last 2 were specific to Tails itself. Had they simply cobbled together the third-party software without making any mistakes, there still would have been reason for the update. What would you have them do differently, or what alternative do you deem more secure?

        • (Score: 0) by Anonymous Coward on Friday April 21, @06:48AM (2 children)

          by Anonymous Coward on Friday April 21, @06:48AM (#497270)

          The problem is that we are in the era of misinformation, spies, lies and hacking. Tails is being advocated as the one-stop privacy solution which paradoxically makes it suspect. One of the main problems is the pace at which software is changed, you can't guarantee that vulnerabilities aren't introduced with any given patch.

          I feel like we've reached a point where we can stop relying on the latest new-shiny features and should really start focusing on creating secure software that stops changing. For example, systemd. A massive new codebase that is constantly changing and affects the core functionality of linux systems. Sure it makes things easier, but for a secure distro it should be avoided for the next decade until it can be more properly vetted.

          • (Score: 2) by kaszz on Friday April 21, @10:19AM (1 child)

            by kaszz (4211) on Friday April 21, @10:19AM (#497326) Journal

            The BIG problem is that new hardware requires new code and so does demands for new ways to handle resources. Get rid of hardware changes and user demands for new-shiny and you will eventually have your fully open sourced machine.
            And at least mobile machines eventually wear out and need replacement.

            Any tip on a ARM and x86 machine where firmware, BIOS code, and system layout is fully documented and completely which is auditable?

            • (Score: 0) by Anonymous Coward on Friday April 21, @01:19PM

              by Anonymous Coward on Friday April 21, @01:19PM (#497376)

              Yes, lets stopping trying to improve things. The horse-drawn carriage was the pinnacle of transportation vehicles.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday April 20, @11:37PM (2 children)

    by Anonymous Coward on Thursday April 20, @11:37PM (#497121)

    So they really are not serious about security.

    • (Score: 1, Flamebait) by butthurt on Friday April 21, @12:12AM (1 child)

      by butthurt (6141) on Friday April 21, @12:12AM (#497130) Journal

      Previously they'd offered both Tor and I2P; with this change (explained in the previous story) Tor is the only anonymising proxy on offer in Tails. Are you suggesting that Tor is notably less secure than I2P? If so, why? If not, what do you mean?

      • (Score: 0) by Anonymous Coward on Friday April 21, @10:21AM

        by Anonymous Coward on Friday April 21, @10:21AM (#497328)

        There are some hints in that direction.

  • (Score: 2) by urza9814 on Friday April 21, @12:43PM (1 child)

    by urza9814 (3954) Subscriber Badge on Friday April 21, @12:43PM (#497370) Journal

    So they've got Tor, they're removing I2P...what about Freenet? If I were to use a darknet that would definitely be my first choice, then I2P, then Tor. My problem with Tor is that it was designed as a proxy with the darknet stuff bolted on after, which worries me a bit. And Tor and I2P both, if I'm not mistaken, require you to continually run a server on your own system if you want to host something on the darknet. With Freenet everything is distributed, so even if an attacker is able to coordinate multiple nodes to trace back where the file is coming from, that still isn't the person who actually uploaded the thing. So it feels like that should be more secure, although I'll admit I don't entirely know what I'm talking about here :)

    Of course, the "down" side of Freenet is you can only upload static content. Although even when I used it many years ago there were some workarounds for that so there's probably more now...I dunno, anyone actually know the state of Freenet these days? I've been gone since the 0.5/0.7 split but it seems to still be active...

(1)