Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Wednesday August 03 2016, @03:53PM   Printer-friendly
from the AC's-dream dept.

Tails Linux 2.5 is out (Aug 2, 2016).

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.

It is a complete operating system designed to be used from a DVD, USB stick, or SD card independently of the computer's original operating system. It is Free Software and based on Debian GNU/Linux.

Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc

= Announcements:
https://tails.boum.org/news/version_2.5/index.en.html
https://twitter.com/Tails_live/status/760516381905448968
https://mailman.boum.org/pipermail/amnesia-news/2016-August/000110.html
https://twitter.com/torproject/status/760516806587117568

[Continues...]

Useful links:


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by Anonymous Coward on Wednesday August 03 2016, @04:13PM

    by Anonymous Coward on Wednesday August 03 2016, @04:13PM (#383634)

    How many of the Tails users are using it on hardware that hasn't been compromised by design?

    Starting Score:    0  points
    Moderation   +2  
       Insightful=2, Total=2
    Extra 'Insightful' Modifier   0  

    Total Score:   2  
  • (Score: 2) by hendrikboom on Wednesday August 03 2016, @04:57PM

    by hendrikboom (1125) Subscriber Badge on Wednesday August 03 2016, @04:57PM (#383658) Homepage Journal

    And how much hardware that *is* compromised by design is capable of running Tails?

    • (Score: 3, Informative) by DannyB on Wednesday August 03 2016, @05:07PM

      by DannyB (5839) Subscriber Badge on Wednesday August 03 2016, @05:07PM (#383663) Journal
      Since hardware compromised by design has been in common mainstream use for a while now, a better question is whether hardware that is NOT compromised by design is able to run Tails.

      "Active Management Technology": The obscure remote control in some Intel hardware [fsf.org]

      Intel x86s hide another CPU that can take over your machine (you can't audit it) [boingboing.net]

      Executive Summary:

      The processor on your motherboard, right now, already has another "management engine" processor on the chip. The microprocessor won't run unless the management engine says everything is okay. And everything is only "okay", if the management engine is running a secret closed blob of software.

      Paranoid yet?

      The one thing I learned in 2013 from the Snowden revelations was that no matter how outlandish, how ridiculously paranoid I might try to adjust my aluminum headwear, things are already worse than I think.
      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 0) by Anonymous Coward on Wednesday August 03 2016, @05:20PM

        by Anonymous Coward on Wednesday August 03 2016, @05:20PM (#383675)

        And remember kids: it's not because you're paranoid, that they're not out to get you!

      • (Score: 1, Informative) by Anonymous Coward on Wednesday August 03 2016, @05:41PM

        by Anonymous Coward on Wednesday August 03 2016, @05:41PM (#383687)

        And it's only a matter of time until some blackhat figures out what magic packets to send the AMT chip to take over your system. It'll be an unfixable, permanent, zero-day rootkit installed across some huge fraction of the world's general purpose computers. It *is* that already, but it just happens to be controlled by Intel and whatever nation states they've given access to--assume whatever Intel can do Five Eyes also has access to that same capability.

        • (Score: 2) by DannyB on Wednesday August 03 2016, @07:35PM

          by DannyB (5839) Subscriber Badge on Wednesday August 03 2016, @07:35PM (#383730) Journal

          I would suggest that some nation's intelligence services already have that permanent zero-day rootkit for all Intel / AMD processors. But I won't suggest it. Because that would sound crazy and paranoid.

          . . . and if they don't like it, we'll build the rootkits into their hardware. And we'll make them pay for it . . .

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 0) by Anonymous Coward on Wednesday August 03 2016, @05:47PM

        by Anonymous Coward on Wednesday August 03 2016, @05:47PM (#383689)

        Cool.

        Use a NIC that isn't built into the motherboard.

        Problem solved.

        • (Score: 0) by Anonymous Coward on Wednesday August 03 2016, @05:58PM

          by Anonymous Coward on Wednesday August 03 2016, @05:58PM (#383693)

          Intel is a common supplier of NIC chips, too.

        • (Score: 2) by DannyB on Wednesday August 03 2016, @07:43PM

          by DannyB (5839) Subscriber Badge on Wednesday August 03 2016, @07:43PM (#383732) Journal

          How do you know that when your PC is off, that this management engine doesn't still get power? PC's haven't had actual mechanical power cut off switches for a long time now. When your PC is off, suppose that chip within a chip could control any hardware that the main processor could control. That could include powering up, accessing the disk, the network, etc.

          If I wanted to really sound paranoid, I could suggest that maybe the power supply could be commanded to briefly fully power everything except for any fans and any video output. (That would require such a mechanism to exist.) Then after a brief time, just shut back down. You wouldn't hear anything. You wouldn't see anything. (Except maybe for a few blinks of an LED on your 3rd party network card.)

          But that would sound like crazy talk.

          I know that management of large fleets of computers is an important function. But if all of this were for some noble purpose, then why all the closed source black binary blob secrecy? And why not be able to fully cut off these functions in a secure manner on PCs that are not joined to some large fleet of centrally managed systems? Like your home PC.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
          • (Score: 0) by Anonymous Coward on Wednesday August 03 2016, @08:26PM

            by Anonymous Coward on Wednesday August 03 2016, @08:26PM (#383750)

            Your power supply will have a real power switch that really, truly, cuts power from the machine. No software could ever bypass that.

            • (Score: 0) by Anonymous Coward on Wednesday August 03 2016, @08:31PM

              by Anonymous Coward on Wednesday August 03 2016, @08:31PM (#383751)

              What's to say a low power processor can't work for a couple of hours on a capacitor charge, or for longer on the clock battery?

          • (Score: 0) by Anonymous Coward on Wednesday August 03 2016, @10:47PM

            by Anonymous Coward on Wednesday August 03 2016, @10:47PM (#383803)

            Use an Atheros chipset.

            God, you sound like you've never written a device driver or built an IC before.

          • (Score: 2) by frojack on Wednesday August 03 2016, @11:23PM

            by frojack (1554) on Wednesday August 03 2016, @11:23PM (#383816) Journal

            See plug. Pull plug.

            Makes me think some old 486 motherboard might make the best gateway router.

            --
            No, you are mistaken. I've always had this sig.
          • (Score: 2) by urza9814 on Thursday August 04 2016, @11:15PM

            by urza9814 (3954) on Thursday August 04 2016, @11:15PM (#384300) Journal

            How do you know that when your PC is off, that this management engine doesn't still get power? PC's haven't had actual mechanical power cut off switches for a long time now.

            Laptops don't, but I've yet to see a single desktop system without a mechanical power switch -- usually wired directly to the mains input -- on the back of the power supply...

      • (Score: 2) by butthurt on Wednesday August 03 2016, @07:36PM

        by butthurt (6141) on Wednesday August 03 2016, @07:36PM (#383731) Journal

        Recent AMD processors have similar features, for example DASH.

        http://developer.amd.com/tools-and-sdks/cpu-development/tools-for-dmtf-dash/ [amd.com]

      • (Score: 1) by toddestan on Friday August 05 2016, @03:03AM

        by toddestan (4982) on Friday August 05 2016, @03:03AM (#384360)

        So what's the best processor out there that's not compromised? My hunch is that it's almost certainly an AMD processor, but which one? My guess would be that the Socket A, which was the last pure 32-bit AMD line, is likely safe. What about the 64-bit processors?

  • (Score: 3, Insightful) by melikamp on Wednesday August 03 2016, @06:01PM

    by melikamp (1886) on Wednesday August 03 2016, @06:01PM (#383695) Journal

    A lot, and Tails project appears to be willfully blind to the issue. They distribute close-source blobs within Linux kernel, and when I tried to get them to evaluate the risk of distributing spyware, they flatly refused to discuss the subject at all.

    https://mailman.boum.org/pipermail/tails-support/2016-March/000345.html [boum.org]

    Personally, I cannot recommend Tails to anyone seeking elevated privacy of communications. The dev team does not seem to understand what privacy is, or just oblivious about risk assessment.

    • (Score: 2) by butthurt on Wednesday August 03 2016, @07:29PM

      by butthurt (6141) on Wednesday August 03 2016, @07:29PM (#383725) Journal

      [...] when I tried to get them to evaluate the risk of distributing spyware, they flatly refused to discuss the subject at all.

      No one quantified the risk. However, someone with a boum.org e-mail address did respond: [boum.org]

      We have actual users. If they can't use Tails on their current, real-world hardware, then likely they'll use something else, that has just the same amount of binary firmware blobs, except it won't have any of Tails properties that some people find worthwhile.

      There used to be something called Anonym.OS which was like Tails, but based on OpenBSD. The OpenBSD project at the time (and still, I assume) did not include closed-source drivers.

      https://en.m.wikipedia.org/wiki/Anonym.OS [wikipedia.org]

      I'm not aware of any OS similar to Tails that is actively maintained.

      When one has a choice in the matter, choosing hardware for which there are open-source drivers will obviate the need for proprietary drivers. Hence they won't be loaded.

      • (Score: 2) by melikamp on Thursday August 04 2016, @12:14AM

        by melikamp (1886) on Thursday August 04 2016, @12:14AM (#383832) Journal

        OpenBSD has the same problem as Linux: it distributes non-free, sourceless firmwares. Last time I personally checked there was at least one such network driver within the base install. I maintain that some of these network blobs already contain spyware, and that all of them should be regarded as containing malware. In the modern legal climate, when the law enforcement insists on backdoors, and prosecutors go after reverse engineers rather than actual crackers like SONY and Amazon, who break into millions of computers in broad daylight, it it crazy to suppose these blobs are spyware-free. Tails devs, just like many other parties ostensibly concerned with user privacy and security, apparently think this argument is rubbish (alternatively, they are in cahoots with the spies). In my personal view, they are deceiving their users, not just themselves, and no one is safe using their products.

        A member of Tails dev team indeed replied to me, and you posted a relevant quote. This does not address any of my questions, though, it just explains, the best I can tell, that their users do not care, so Tails devs do not care either. That is fine, but I still think Tails devs should know better than their users about privacy and security, but it appears they do not, or may be they think Tails popularity is more important than informing users that their kernel is compromised by multiple malevolent parties on day 0. This is flagrant incompetence at best, and with respect to their main goal, too.

        My advice to privacy seekers, stick with free+libre software.

        • (Score: 2) by butthurt on Thursday August 04 2016, @01:19AM

          by butthurt (6141) on Thursday August 04 2016, @01:19AM (#383865) Journal

          OpenBSD has the same problem as Linux: it distributes non-free, sourceless firmwares.

          You may be right--I haven't personally checked. Do you recall which driver it is that has the binary blob? A 2006 On Lamp article said:

          OpenBSD attempts to convince vendors to release documentation and often reverse-engineers around the need for blobs. OpenBSD remains blob-free.

          --http://www.onlamp.com/pub/a/bsd/2006/04/27/openbsd-3_9.html [onlamp.com]

          [...] it [is] crazy to suppose these blobs are spyware-free.
          [...]
          My advice to privacy seekers, stick with free+libre software.

          The blobs, as I said, are loaded only on hardware that requires them. If we choose hardware that doesn't require loadable firmware or a closed-source driver, that hardware may instead have closed-source firmware that is burned into a ROM; it too may harbour malware. The Talos Secure Workstation [raptorengineering.com] comes with "schematics and libre (fully open and auditable) firmware" but is costly. Richard Stallman uses an old Thinkpad [stallman.org] with an open-source BIOS; it may well have non-free firmware in ROM.

          • (Score: 2) by melikamp on Thursday August 04 2016, @01:56AM

            by melikamp (1886) on Thursday August 04 2016, @01:56AM (#383882) Journal

            For OpenBSD, see /etc/firmware/atu-license in base. The word "blob" has no strict meaning, and OpenBSD people seem to use to mean main CPU binary, hence their claim is OK, while they still distribute non-free, sourceless software. Actually. if you look at Atmel license carefully, it says that you cannot distribute in source, so reverse-engineering is pointless.

            What you say about device use is true, and we all make compromises and even RMS uses other people's spy-phones. What RMS doesn't do is he doesn't distribute non-free, sourceless privacy software to others, while telling them it is the state of the art.

    • (Score: 2) by frojack on Thursday August 04 2016, @12:10AM

      by frojack (1554) on Thursday August 04 2016, @12:10AM (#383830) Journal

      I found it an interesting thread to read. Especially because it was close to home for a software product I worked on in a former job.

      The package used encrypted communications links over untrusted networks. It handled large financial transactions and transmitted account numbers and authentication data, etc.

      When asked about the encryption, we would provide the design documents and our source code of the encryption routines, and references to the books written by experts stating exactly how to do this type of encryption.

      But in the end, our product ran on Windows machines, and we were a small shop without a Phd in sight. We were not going to roll our own, and our routines all ended up calling Windows crypto-APIs to do the actual encryption.

      And we told customers this, and showed the customers our code. We demonstrated that we did our part correctly and carefully. Then handed it off to windows APIs. Clear text in. Gibberish out. Gibberish in. Clear text out.

      Did we trust the windows crypto library? No of course not. And even if we did, its Windows for Christ sake! Could we rewrite windows? No. Would they replace windows? No.

      We never got to the point of talking about hardware or binary blobs. What would be the point? What possible route around those is there?

      In the end we simply stated we used the best crypto that Microsoft had to offer, and we did it by the book. We left it at that.
      What more can a small programming team do?

      In the end, you are a fish, swimming in a barrel. You can zig and zag, but you are still in a barrel not of your making.

      The software was quite successful and sold well. They still sell it today.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by melikamp on Thursday August 04 2016, @12:29AM

        by melikamp (1886) on Thursday August 04 2016, @12:29AM (#383842) Journal

        Absolutely, there is often a room for compromise, and additional layers of security are not a waste, even in the face of total insecurity elsewhere. But what drives me bananas about projects like Tails (serving blobs) or Tor (serving a Windoze client) is their refusal to even acknowledge this is terrible. All they have to do is write on their website with big red letters:

        The Windows client is provided, but it's next to useless, since Windows rats out your every move.

        The default Linux kernel is probably compromized, please use Linux-libre kernel if your hardware supports it. (Incidentally, Tails does not support Linux-libre, even though it would be trivial for a project that big.)

        They are not even selling a product, they got nothing to lose except committed non-free software users who already gave up their privacy anyway. But when I talked to either team, I was more or less stonewalled: none of this seems to concern them. Unless they really are oblivious to these issues, they must know their product has terrible deficiencies, but they will not admit it to their users.