SoylentNews is people
SoylentNews
Tails Linux 2.5 is out (Aug 2, 2016).
Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.
It is a complete operating system designed to be used from a DVD, USB stick, or SD card independently of the computer's original operating system. It is Free Software and based on Debian GNU/Linux.
Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc
= Announcements:
https://tails.boum.org/news/version_2.5/index.en.html
https://twitter.com/Tails_live/status/760516381905448968
https://mailman.boum.org/pipermail/amnesia-news/2016-August/000110.html
https://twitter.com/torproject/status/760516806587117568
[Continues...]
Useful links:
- Download / Burning Tails on a DVD: (See also: "Direct Downloads")
https://tails.boum.org/install/dvd/index.en.html- Download and verify using OpenPGP:
https://tails.boum.org/install/download/openpgp/index.en.html- Download / and verify the Tails ISO image (#2):
https://tails.boum.org/install/download/- Numerous security holes in Tails 2.4:
https://tails.boum.org/security/Numerous_security_holes_in_2.4/index.en.html- About:
https://tails.boum.org/about/index.en.html- News:
https://tails.boum.org/news/index.en.html- Getting Started:
https://tails.boum.org/getting_started/index.en.html- First steps with Tails:
https://tails.boum.org/doc/first_steps/index.en.html- Documentation:
https://tails.boum.org/doc/index.en.html
(Score: 2, Insightful) by Anonymous Coward on Wednesday August 03 2016, @04:13PM
How many of the Tails users are using it on hardware that hasn't been compromised by design?
(Score: 2) by hendrikboom on Wednesday August 03 2016, @04:57PM
And how much hardware that *is* compromised by design is capable of running Tails?
(Score: 3, Informative) by DannyB on Wednesday August 03 2016, @05:07PM
"Active Management Technology": The obscure remote control in some Intel hardware [fsf.org]
Intel x86s hide another CPU that can take over your machine (you can't audit it) [boingboing.net]
Executive Summary:
The processor on your motherboard, right now, already has another "management engine" processor on the chip. The microprocessor won't run unless the management engine says everything is okay. And everything is only "okay", if the management engine is running a secret closed blob of software.
Paranoid yet?
The one thing I learned in 2013 from the Snowden revelations was that no matter how outlandish, how ridiculously paranoid I might try to adjust my aluminum headwear, things are already worse than I think.
Studies show that people who choose to have more birthdays live longer.
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @05:20PM
And remember kids: it's not because you're paranoid, that they're not out to get you!
(Score: 1, Informative) by Anonymous Coward on Wednesday August 03 2016, @05:41PM
And it's only a matter of time until some blackhat figures out what magic packets to send the AMT chip to take over your system. It'll be an unfixable, permanent, zero-day rootkit installed across some huge fraction of the world's general purpose computers. It *is* that already, but it just happens to be controlled by Intel and whatever nation states they've given access to--assume whatever Intel can do Five Eyes also has access to that same capability.
(Score: 2) by DannyB on Wednesday August 03 2016, @07:35PM
I would suggest that some nation's intelligence services already have that permanent zero-day rootkit for all Intel / AMD processors. But I won't suggest it. Because that would sound crazy and paranoid.
. . . and if they don't like it, we'll build the rootkits into their hardware. And we'll make them pay for it . . .
Studies show that people who choose to have more birthdays live longer.
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @05:47PM
Cool.
Use a NIC that isn't built into the motherboard.
Problem solved.
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @05:58PM
Intel is a common supplier of NIC chips, too.
(Score: 2) by DannyB on Wednesday August 03 2016, @07:43PM
How do you know that when your PC is off, that this management engine doesn't still get power? PC's haven't had actual mechanical power cut off switches for a long time now. When your PC is off, suppose that chip within a chip could control any hardware that the main processor could control. That could include powering up, accessing the disk, the network, etc.
If I wanted to really sound paranoid, I could suggest that maybe the power supply could be commanded to briefly fully power everything except for any fans and any video output. (That would require such a mechanism to exist.) Then after a brief time, just shut back down. You wouldn't hear anything. You wouldn't see anything. (Except maybe for a few blinks of an LED on your 3rd party network card.)
But that would sound like crazy talk.
I know that management of large fleets of computers is an important function. But if all of this were for some noble purpose, then why all the closed source black binary blob secrecy? And why not be able to fully cut off these functions in a secure manner on PCs that are not joined to some large fleet of centrally managed systems? Like your home PC.
Studies show that people who choose to have more birthdays live longer.
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @08:26PM
Your power supply will have a real power switch that really, truly, cuts power from the machine. No software could ever bypass that.
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @08:31PM
What's to say a low power processor can't work for a couple of hours on a capacitor charge, or for longer on the clock battery?
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @10:47PM
Use an Atheros chipset.
God, you sound like you've never written a device driver or built an IC before.
(Score: 2) by hendrikboom on Saturday August 13 2016, @06:36PM
What's special about the atheros chipset? Is it somehow immune to all that?
(Score: 2) by frojack on Wednesday August 03 2016, @11:23PM
See plug. Pull plug.
Makes me think some old 486 motherboard might make the best gateway router.
No, you are mistaken. I've always had this sig.
(Score: 2) by urza9814 on Thursday August 04 2016, @11:15PM
Laptops don't, but I've yet to see a single desktop system without a mechanical power switch -- usually wired directly to the mains input -- on the back of the power supply...
(Score: 2) by butthurt on Wednesday August 03 2016, @07:36PM
Recent AMD processors have similar features, for example DASH.
http://developer.amd.com/tools-and-sdks/cpu-development/tools-for-dmtf-dash/ [amd.com]
(Score: 1) by toddestan on Friday August 05 2016, @03:03AM
So what's the best processor out there that's not compromised? My hunch is that it's almost certainly an AMD processor, but which one? My guess would be that the Socket A, which was the last pure 32-bit AMD line, is likely safe. What about the 64-bit processors?
(Score: 3, Insightful) by melikamp on Wednesday August 03 2016, @06:01PM
A lot, and Tails project appears to be willfully blind to the issue. They distribute close-source blobs within Linux kernel, and when I tried to get them to evaluate the risk of distributing spyware, they flatly refused to discuss the subject at all.
https://mailman.boum.org/pipermail/tails-support/2016-March/000345.html [boum.org]
Personally, I cannot recommend Tails to anyone seeking elevated privacy of communications. The dev team does not seem to understand what privacy is, or just oblivious about risk assessment.
(Score: 2) by butthurt on Wednesday August 03 2016, @07:29PM
[...] when I tried to get them to evaluate the risk of distributing spyware, they flatly refused to discuss the subject at all.
No one quantified the risk. However, someone with a boum.org e-mail address did respond: [boum.org]
We have actual users. If they can't use Tails on their current, real-world hardware, then likely they'll use something else, that has just the same amount of binary firmware blobs, except it won't have any of Tails properties that some people find worthwhile.
There used to be something called Anonym.OS which was like Tails, but based on OpenBSD. The OpenBSD project at the time (and still, I assume) did not include closed-source drivers.
https://en.m.wikipedia.org/wiki/Anonym.OS [wikipedia.org]
I'm not aware of any OS similar to Tails that is actively maintained.
When one has a choice in the matter, choosing hardware for which there are open-source drivers will obviate the need for proprietary drivers. Hence they won't be loaded.
(Score: 2) by melikamp on Thursday August 04 2016, @12:14AM
OpenBSD has the same problem as Linux: it distributes non-free, sourceless firmwares. Last time I personally checked there was at least one such network driver within the base install. I maintain that some of these network blobs already contain spyware, and that all of them should be regarded as containing malware. In the modern legal climate, when the law enforcement insists on backdoors, and prosecutors go after reverse engineers rather than actual crackers like SONY and Amazon, who break into millions of computers in broad daylight, it it crazy to suppose these blobs are spyware-free. Tails devs, just like many other parties ostensibly concerned with user privacy and security, apparently think this argument is rubbish (alternatively, they are in cahoots with the spies). In my personal view, they are deceiving their users, not just themselves, and no one is safe using their products.
A member of Tails dev team indeed replied to me, and you posted a relevant quote. This does not address any of my questions, though, it just explains, the best I can tell, that their users do not care, so Tails devs do not care either. That is fine, but I still think Tails devs should know better than their users about privacy and security, but it appears they do not, or may be they think Tails popularity is more important than informing users that their kernel is compromised by multiple malevolent parties on day 0. This is flagrant incompetence at best, and with respect to their main goal, too.
My advice to privacy seekers, stick with free+libre software.
(Score: 2) by butthurt on Thursday August 04 2016, @01:19AM
OpenBSD has the same problem as Linux: it distributes non-free, sourceless firmwares.
You may be right--I haven't personally checked. Do you recall which driver it is that has the binary blob? A 2006 On Lamp article said:
OpenBSD attempts to convince vendors to release documentation and often reverse-engineers around the need for blobs. OpenBSD remains blob-free.
--http://www.onlamp.com/pub/a/bsd/2006/04/27/openbsd-3_9.html [onlamp.com]
[...] it [is] crazy to suppose these blobs are spyware-free.
[...]
My advice to privacy seekers, stick with free+libre software.
The blobs, as I said, are loaded only on hardware that requires them. If we choose hardware that doesn't require loadable firmware or a closed-source driver, that hardware may instead have closed-source firmware that is burned into a ROM; it too may harbour malware. The Talos Secure Workstation [raptorengineering.com] comes with "schematics and libre (fully open and auditable) firmware" but is costly. Richard Stallman uses an old Thinkpad [stallman.org] with an open-source BIOS; it may well have non-free firmware in ROM.
(Score: 2) by melikamp on Thursday August 04 2016, @01:56AM
For OpenBSD, see /etc/firmware/atu-license in base. The word "blob" has no strict meaning, and OpenBSD people seem to use to mean main CPU binary, hence their claim is OK, while they still distribute non-free, sourceless software. Actually. if you look at Atmel license carefully, it says that you cannot distribute in source, so reverse-engineering is pointless.
What you say about device use is true, and we all make compromises and even RMS uses other people's spy-phones. What RMS doesn't do is he doesn't distribute non-free, sourceless privacy software to others, while telling them it is the state of the art.
(Score: 2) by frojack on Thursday August 04 2016, @12:10AM
I found it an interesting thread to read. Especially because it was close to home for a software product I worked on in a former job.
The package used encrypted communications links over untrusted networks. It handled large financial transactions and transmitted account numbers and authentication data, etc.
When asked about the encryption, we would provide the design documents and our source code of the encryption routines, and references to the books written by experts stating exactly how to do this type of encryption.
But in the end, our product ran on Windows machines, and we were a small shop without a Phd in sight. We were not going to roll our own, and our routines all ended up calling Windows crypto-APIs to do the actual encryption.
And we told customers this, and showed the customers our code. We demonstrated that we did our part correctly and carefully. Then handed it off to windows APIs. Clear text in. Gibberish out. Gibberish in. Clear text out.
Did we trust the windows crypto library? No of course not. And even if we did, its Windows for Christ sake! Could we rewrite windows? No. Would they replace windows? No.
We never got to the point of talking about hardware or binary blobs. What would be the point? What possible route around those is there?
In the end we simply stated we used the best crypto that Microsoft had to offer, and we did it by the book. We left it at that.
What more can a small programming team do?
In the end, you are a fish, swimming in a barrel. You can zig and zag, but you are still in a barrel not of your making.
The software was quite successful and sold well. They still sell it today.
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by melikamp on Thursday August 04 2016, @12:29AM
Absolutely, there is often a room for compromise, and additional layers of security are not a waste, even in the face of total insecurity elsewhere. But what drives me bananas about projects like Tails (serving blobs) or Tor (serving a Windoze client) is their refusal to even acknowledge this is terrible. All they have to do is write on their website with big red letters:
The Windows client is provided, but it's next to useless, since Windows rats out your every move.
The default Linux kernel is probably compromized, please use Linux-libre kernel if your hardware supports it. (Incidentally, Tails does not support Linux-libre, even though it would be trivial for a project that big.)
They are not even selling a product, they got nothing to lose except committed non-free software users who already gave up their privacy anyway. But when I talked to either team, I was more or less stonewalled: none of this seems to concern them. Unless they really are oblivious to these issues, they must know their product has terrible deficiencies, but they will not admit it to their users.
(Score: 3, Insightful) by n1 on Wednesday August 03 2016, @04:21PM
I've asked other editors their thoughts on this....
My personal opinion is, although we do get the submissions, I don't think we need to run a story on every slightly major TAILS release that happens. I don't think it's helpful or particularly informative.
This year we've done stories on the releases of versions: 2.0.1, 2.2, 2.3, 2.4 and now 2.5
We don't do this for any other project, while TAILS might be more worthy than most, it's not newsworthy every time they do a release.
(Score: 2) by takyon on Wednesday August 03 2016, @04:29PM
It's always a good time to talk about a piece of software that is under sustained attack by governments.
After the Appelbaum ousting, can the Tor Project be trusted? Or does Tor need to adopt a new core system [soylentnews.org] to mitigate today's attacks?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Jeremiah Cornelius on Wednesday August 03 2016, @04:35PM
He's a probable rapist, not a probable mole.
You're betting on the pantomime horse...
(Score: 2) by AndyTheAbsurd on Wednesday August 03 2016, @05:02PM
People with skeletons in their closet are easy to blackmail (assuming the blackmailer knows how to get the skeletons out of the closet). Of course, now that this particular skeleton is seeing the light of the day, it may actually be more difficult to blackmail Appelbaum.
Please note my username before responding. You may have been trolled.
(Score: 2) by janrinok on Wednesday August 03 2016, @05:03PM
My own view is that a fair number of our users use Tails regularly - we even provide an Onion Router address for those who wish to maintain their anonymity while they access this site. Boron serves our TOR Hidden Services if my memory is correct. As each Tails release usually identifies some weaknesses in the previous versions it is vital that users keep up to date.
This is not the same as any other software release - individuals are not relying on Debian, Slack or Windows to provide the same level of security and privacy.
Nevertheless, if our members don't want it, then we should stop reporting it.
(Score: 2) by frojack on Wednesday August 03 2016, @05:06PM
This year we've done stories on the releases of versions: 2.0.1, 2.2, 2.3, 2.4 and now 2.5
I agree, it gets way more coverage than it deserves. Further, each new release denounces the past release as being full of security holes.
Still it costs us nothing to cover an OS that at lease tries to be on the user's side.
Frequent security patches says they are at least trying to keep it secure, but it also says they are terrible at spotting any of these holes themselves.
Short of writing the OS from scratch, there is probably no way for the Tails team to find every hole. Maybe basing it on OpenBSD and their obsession with security would make more sense then Debian.
I have Tails on a USB stick, but I've spent far more time installing it than actually using it. I personally see very few use cases for Tails. Unless you frequent public libraries and other sources of borrowed machines, carrying your OS around on a thumb drive provides precious little protection, privacy, or security when everything upstream is increasingly compromised.
No, you are mistaken. I've always had this sig.
(Score: 3, Insightful) by mcgrew on Wednesday August 03 2016, @05:07PM
I'm glad you ran it, I'm shopping distros right now. Just bought a very old laptop that will serve a purpose new ones can't, and since it runs XP it will need a new OS. Plus, I have kubuntu dual-boot on this one and I absolutely HATE what they did to KDE. Dumbasses are trying to be Microsoft, screwing up the interface for no reason other than to change it.
Carbon, The only element in the known universe to ever gain sentience
(Score: 2) by janrinok on Wednesday August 03 2016, @05:41PM
Unless you use full disk encryption, I would not recommend using Tails as an installed OS. Even then, it is not the best of choices. Anyone with access to your computer can still find out more about your activities than you might wish to be the case. Using it from a USB drive or CD means that there is nothing at all on the computer once you have finished using it. Having an empty computer and always booting it from an external device (CD/DVD/USB) would be workable I guess.
Having said that, if local police/law enforcement are already demanding your passwords, it is probably a little bit to late - you were obviously not as anonymous as you previously thought...
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @05:57PM
"Unless you use full disk encryption"
This is 2016. Who *isn't* running full disk encryption?
(Score: 2) by janrinok on Wednesday August 03 2016, @06:25PM
Well, it seems that some are using it without realising that it is worthless - they have already given the keys to someone else.
And I'll take a wild guess and suggest that many who use the more popular linux distros will not have set up full disk encryption. They might encrypt their home directory, or they might encrypt specific files, but not very many will have used LUKS to create a fully secure system. And that is only as secure as the now infamous $5 wrench...
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @08:55PM
I don't encrypt my Linux install, not even the home folder. Why?
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @09:28PM
With an encrypted hard disk (or home folder), if someone steals your computer, they may have your device but they won't have your data.
With an un-encrypted hard disk, they have both.
And 'full disk encryption' set up to auto-unlock when you boot without you having to do anything is worthless. I don't even understand why that exists. They'll tell you that the key is in the TPM and safe but the key is also handed out to anyone asking for it on boot time. The key being in the TPM is there to 'protect' your data if the HD is removed from the device.
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @11:24PM
A $5 wrench doesn't work. As soon as you see it, you know they will kill you either way.
(Score: 0) by Anonymous Coward on Thursday August 04 2016, @08:24PM
At which point the goal for most people becomes not to avoid death, but to avoid extreme pain and suffering. Ask Kenneth Trentadue [truthinjustice.org] about the details.
(Score: 2) by mcgrew on Friday August 05 2016, @05:18PM
I'm not worried about access to my files, I live alone and my doors stay locked. I'm just checking out different distros.
Carbon, The only element in the known universe to ever gain sentience
(Score: 0) by Anonymous Coward on Wednesday August 03 2016, @11:16PM
Please continue to post TAILS updates, as it is useful to be reminded of its existence and where it's up to. Most software updates are uninteresting compared to TAILS.
(Score: 2) by number6 on Wednesday August 03 2016, @09:51PM
I have never used Tails and do not offer any proof about the statement highlighted in bold . . .
(Score: 0) by Anonymous Coward on Thursday August 04 2016, @08:27PM
Using old software with (presumably) known, unfixed vulnerabilities is generally not a defense against crackers.
(Score: 1) by driven on Thursday August 04 2016, @01:02AM
How does a clean install do on browserprint.info?
(Score: 0) by Anonymous Coward on Thursday August 04 2016, @07:12AM
I came to Tails 1.x at some point. I looked, I downloaded, I installed on a test laptop.
Verdict: meh
Just one meh, not even a two meh distro.
Then, somewhat predicatably, I freed up some disk space...