Re: [liberationtech] Tails ISO verification extension for Firefox
Hi Giovanni,

Giovanni Pellerano wrote (19 Apr 2015 19:58:36 GMT) :
> while developing GlobaLeaks (https://github.com/globaleaks/GlobaLeaks)
> and developing our end-to-end encryption ideas where we would need
> verify Javascript signing and collaborating with SecureDrop people in
> relation to shared topics we ended in discussing exactly the same need
> you are explaining but a little more generic in relation to projects
> signing/integrity; [...]

The Code Signing Everywhere project seems strongly targeted at verifying webapp code. So, I don't really understand how it's more generic than the idea sajolida mentioned: one project is specific to verifying webapps code, while the other one is specific to downloading files to the filesystem and verifying them. I'll be happy to stand corrected if I missed something :)

Now, perhaps both ideas could somehow converge. I suspect the UX and interface side of things would be the hardest part, given the very different use cases, despite the fact that some lower-level bits and processes, that happen under the hood, could be shared (this remains to be checked: e.g. it might be that the hooks provided by Firefox add-on/plugins API for one use case and the other are vastly different -- I've no idea).

> You find here the root document of the tentative specification [...]

Thanks for the pointers!

Cheers,
--
intrigeri

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
[liberationtech] [announce] Tails HackFest, July 5-6, Paris, France
Hi,

Join us at the Tails HackFest, 2014!
July 5-6, 2014 -- Paris, France

Description and goals
=====================

Join us to make online anonymity and digital privacy usable by the masses! Whether you're a writer, a software developer, a designer, a system administrator or just plain interested, come learn about the challenges faced by Tails, and how you can be part of the solution.

The Tails HackFest will bring together anyone interested in making Tails more usable and more secure. This open event will be an intense mix of teaching, drawing, coding, sharing, learning and celebrating.

Logistics
=========

* Where: the venue for the event is IRILL, Paris, France (https://www.irill.org/about/information-for-guests).
* Dates: Saturday, July 5, 2014 - Sunday, July 6, 2014
* Time: 10 AM - 10 PM
* Registration: if you want to attend, please consider dropping us a note about it. This is optional, but would help organizing this event.
* Contact: , #tails-hackfest on irc.oftc.net
* Details, scheduling and updates: https://tails.boum.org/blueprint/HackFest_2014_Paris/

What is Tails?
==============

Tails is a live operating system that can be started on almost any computer from a DVD, USB stick, or SD card. It is Free Software, and based on Debian GNU/Linux.

Tails provides a platform to solve many surveillance problems by "doing the right thing" out of the box by default, protecting even less tech-savvy users from the most likely and highest impact risks.

It aims at preserving privacy and anonymity, and helps to:

* use the Internet anonymously and circumvent censorship; all connections to the Internet are forced to go through the Tor network;
* leave no trace on the computer being used unless the user asks it explicitly;
* use state-of-the-art cryptographic tools to encrypt files, emails and instant messaging.

Tails is about usability: every feature and software is ready-to-use, thoroughly documented, and translated into many languages.

Tails is about cooperation: all products are released as Free and Open Source Software, and shared with other projects whenever possible.

People use Tails to write books and create movies. People use Tails to chat off-the-record, browse the web anonymously and share sensitive documents. Many people depend on Tails to do their daily work, if not simply to stay alive.

Looking forward to meeting you on July 5-6! No doubt you'll find a great way to contribute to Tails, regardless of what your field of expertise is!

Host and sponsors
=================

Many thanks to Debian, IRILL, Mozilla and the Tor project for supporting this event!

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] A Static Website Generator fit for Tails
Hi,

I would go with ikiwiki, keeping it installed thanks to the additional software persistence feature: https://tails.boum.org/doc/first_steps/persistence/configure/

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] uVirtus Linux, encrypted OS for Syria
Lorenzo Franceschi-Bicchierai wrote (27 Sep 2013 14:23:34 GMT) :
> What do you guys think about this project?

It is hard to think about an OS before we can read the source code and try the product, so what follows should be taken with a grain of salt.

Apart from the configuration management (with the interesting idea of using obfsproxy without Tor to retrieve a list of VPN servers that are not blocked yet), the networking setup seems to be the usual one-hop proxy that we know is pretty weak as far as anonymity is concerned.

That's why adventurous statements such as "the secure operating system" and "offers anonymity through the untraceable VPN connection" trigger red warning lights in my head. I hope the user documentation will display the relevant warnings prominently to avoid putting users at risk.

Still, with my Tails developer hat on, I can't wait to have a closer look at the result, and I hope we can share some tools and work with the uVirtus team :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] Linux distribution on encrypted USB?
Hi,

Moon Jones wrote (11 Sep 2013 19:20:30 GMT) :
> Yes. I did the same upgrade and it worked in an instant. I was so happy everything
> was ok. If I recall well, only three upgrades can be done, than I'll have to migrate
> the data by hand.

This (or something similar) will be correct once we deploy incremental upgrades in the wild (presumably by the end of the year). Until then, Tails does full system upgrades while preserving user persistent data; so, there is no such limit yet.

> So I'm trying to avoid customising Tails for every day use.

This would be my advice in general, unless one has good understanding of the Tails design (and of Debian, and of [...]) and can guess what the actual consequences of a change would be. I suspect that having one's changes merged into mainline Tails may be the best strategy, when it's relevant.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] Other distros like Ubuntu Privacy Remix?
Blibbet wrote (03 Sep 2013 17:35:52 GMT) :
> One really nice feature of UPR is how it bundles TAILs to a single distro, so you can
> dual-boot TAILS or UPR, depending on your offline/online needs.

In the past, this dual-boot distribution has sometimes been lagging behind Tails releases by a few months, putting users at risk, and sometimes with no answer to the concerned messages we sent to the UPR team about that. I haven't checked recently, so there's some hope that it is better these days, though.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] Other distros like Ubuntu Privacy Remix?
Hi,

Moon Jones wrote (03 Sep 2013 12:10:22 GMT) :
> I stumbled upon UPR these last days. It does not work on my machines. But the idea
> sounds good. Yet I could not find anything like it. Tails comes close, but the
> network is enabled.

Someone could add a boot option to Tails, that disables the network.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Hi,

Maxim Kammerer wrote (06 Aug 2013 09:52:36 GMT) :
> Tails references upstream advisories, or at least did so in the past.
> https://tails.boum.org/security/Numerous_security_holes_in_0.18/

Right, and we have no plan to stop doing this.

What we've been doing for years when releasing a new Tails that fixes security issues (that is, basically every single one we've put out) is:

1. Users are told "your version of Tails has known security issue" on startup if needed; this one has a link to a security announce like the one Maxim pointed to.
2. We issue a release announcement, such as https://tails.boum.org/news/version_0.19/, that starts with "All users must upgrade as soon as possible", but doesn't point to the corresponding security advisory.

After reading this thread, I wonder if we should perhaps change this, and have this sentence link to the security advisory.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] Metadata Cleanup trough File Format Convertion?
Hi,

Griffin Boyce wrote (17 Jul 2013 21:40:57 GMT) :
> PDFs are an interesting situation, because they have metadata, and the
> files within have metadata, and even embedded fonts can have metadata that
> could reveal the source of the document.

IIRC the MAT [1] uses an interesting trick: rendering the PDF on a Cairo surface.

[1] https://mat.boum.org/ or apt-get install mat

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] secure download tool - doesn't exist?!?
Hi,

Jonathan Wilkes wrote (03 Jul 2013 18:26:11 GMT) :
> Are there security updates that don't use "Valid-Until"?

As far as official Debian repositories are concerned: none that I know of. It's quite different among 3rd-party repositories, though (that's what I was implicitly referring to, sorry for being unclear).

> The remaining question is this: what is an example of a potential attack that
> exploits the absence of a "Valid-Until" header in a stable release? A stable version
> of Debian is canonical, so there is nothing for an attacker to replay unless
> it's from a previous version of Debian which has a different key and, therefore,
> would set off alarm bells from apt.

Point-releases modify the stable suite. I believe some bugfixes and no-DSA security updates are shipped via point-release, without flowing through DSA + -security. That's perhaps not a big deal, though.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] [Tails-dev] secure download tool - doesn't exist?!?
Hi,

adrelanos wrote (03 Jul 2013 13:20:46 GMT) :
> intrigeri:
>> Other than this, our current take on it is, I believe, making it
>> easier to verify OpenPGP detached signatures. E.g. we're working to
>> make it work flawlessly on the GNOME desktop.

> So you're working with Debian/upstream to integrate OpenPGP verification
> better into the operating system?

We are currently only working on making it easier to verify detached OpenPGP signatures on the GNOME desktop. That's all :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] secure download tool - doesn't exist?!?
Hi,

Jonathan Wilkes wrote (02 Jul 2013 21:57:01 GMT) :
> On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
>> On 07/02/2013 04:51 AM, intrigeri wrote:
>>> + verify that the signed file you've downloaded is actually the
>>>   version you intended to download, and not an older, also properly
>>>   signed one. [...]

>> Does Debian's "Valid-Until" field in the release files solve this problem?

> After getting some help on #debian-apt, I can at least say that the "Valid-Until"
> field in the release file for Debian security updates is indeed intended to address
> replay attacks.

The Valid-Until mechanism (when it's used by the APT repository at all) typically ensures an attacker can't hide available security updates for more than a week. This is sometimes good enough.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] secure download tool - doesn't exist?!?
Hi,

adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
> Goal:
> - big file downloads
> - at least as secure as TLS
> - at least as simple as a regular download using a browser
> - not using TLS itself (too expensive) for bulk download

> The problem: [...]

+ verify that the signed file you've downloaded is actually the version you intended to download, and not an older, also properly signed one.

See tools that take this into account:

- Thandy (already mentioned by Moritz)
- our design for incremental updates: https://tails.boum.org/todo/incremental_upgrades/
- TUF: https://www.updateframework.com/

Other than this, our current take on it is, I believe, making it easier to verify OpenPGP detached signatures. E.g. we're working to make it work flawlessly on the GNOME desktop.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
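The replay concern in the message above (an older, also properly signed file) and the Valid-Until mechanism discussed in the replies before it, as an added example that is not part of the original posts and not APT's own code: a freshness check over the Date and Valid-Until fields of a Release file. The sample Release header, the function names and the `last_seen_date` parameter are constructed for illustration, and the signature on the file is assumed to have been verified already.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample header of an APT Release file (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Tue, 02 Jul 2013 20:00:00 UTC
Valid-Until: Tue, 09 Jul 2013 20:00:00 UTC
Architectures: amd64 i386
SHA256:
 <constructed-digest> 1234 main/binary-amd64/Packages
"""

def parse_release(text):
    """Collect top-level 'Key: value' fields; indented checksum lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def _timestamp(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_freshness(text, now, last_seen_date=None, require_valid_until=True):
    """Return (ok, reason) for already signature-verified Release metadata.

    last_seen_date is the Date of the newest Release this client accepted
    before (hypothetical local state); it catches a rollback even while the
    older file's Valid-Until has not passed yet.
    """
    fields = parse_release(text)
    if "Date" not in fields:
        return False, "missing-date"
    if last_seen_date is not None and _timestamp(fields["Date"]) < last_seen_date:
        return False, "rollback"
    if "Valid-Until" not in fields:
        # Without an expiry, a validly signed but stale file can be replayed forever.
        if require_valid_until:
            return False, "no-valid-until"
        return True, "no-expiry-accepted"
    if now > _timestamp(fields["Valid-Until"]):
        return False, "expired"
    return True, "fresh"

if __name__ == "__main__":
    print(check_freshness(SAMPLE_RELEASE, datetime(2013, 7, 3, tzinfo=timezone.utc)))
    print(check_freshness(SAMPLE_RELEASE, datetime(2013, 7, 20, tzinfo=timezone.utc)))
```

With the one-week window in the sample, replayed metadata is accepted until 9 July at the latest, which matches the "more than a week" bound described in the thread; the stored `last_seen_date` narrows that further for clients that have already seen something newer.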
Re: [liberationtech] Fwd: [g...@pryzby.org: Ubuntu, Dash, Shuttleworth and privacy]
Hi,

Julian Oliver wrote (20 Feb 2013 16:27:24 GMT) :
> Did you file a bug? It doesn't look like you did. You should do it.

The program Maxim was talking of is not part of Debian.

... and I agree it's totally unclear if that “Debian security administrator” was anything but a random system administrator who happens to use Debian, who cares about security, and who likes creating new honorific titles.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc