Re: [liberationtech] Privacy in Ubuntu 12.10
On 12-11-08 11:34 AM, Micah Lee wrote: > ... get encrypted. When you're not encrypting your whole hard drive, "evil > maid" style attacks become much easier. If someone gets physical access > to your computer for just a couple minutes, they can boot to a live cd > and replace your /usr/bin/ssh or /usr/bin/gpg with malicious versions. If someone gets physical access to your computer, all is lost, because they can replace the BIOS and/or the bootloader. The other points you make are valid. -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Privacy in Ubuntu 12.10
Micah Lee writes: > Before 12.10 the Ubuntu GUI installer only let you set up home directory > encryption using encryptfs, which is different than full disk > encryption. For anyone hoping to read about the details of this technology, you probably want the (possibly counterintuitive) spelling "eCryptfs". -- Seth Schoen Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107 -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Privacy in Ubuntu 12.10
On 11/08/2012 05:18 AM, Niels ten Oever wrote: > Dear Micah, > > Small correction to your piece: Selecting full disk encryption in the > installer GUI was already possible in Ubuntu 12.04. > > The explanation wasn't as clear as it is now though. Before 12.10 the Ubuntu GUI installer only let you set up home directory encryption using encryptfs, which is different than full disk encryption. This option is still there in 12.10, and you can choose to use it as well as full disk encryption if you want (I can't see how it could help though). With encryptfs home directory encryption, all of the individual files in your home folder get stored encrypted on the disk, but a lot of data about your files still gets leaked. The directory structure, file size, timestamps, etc. don't get encrypted, only the contents of the files. And it's also only your home directory that gets encrypted, not your whole disk. So for example, if you have any mysql databases on your computer, that data gets stored in /var/lib/mysql and therefore won't get encrypted. When you're not encrypting your whole hard drive, "evil maid" style attacks become much easier. If someone gets physical access to your computer for just a couple minutes, they can boot to a live cd and replace your /usr/bin/ssh or /usr/bin/gpg with malicious versions. The full disk encryption that's offered in 12.10 uses luks and differs in many ways from encryptfs home directory encryption. It creates full encrypted file systems, which means that no meta data about the files on your computer get leaked. The key that's used to unlock the luks partitions are encrypted with a separate passphrase that isn't your user password, and you have to enter this each time you boot your computer, which is more secure since user passwords tend to not be long passphrases. -- Micah Lee https://twitter.com/micahflee -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Privacy in Ubuntu 12.10
Thanks Douglas! I'm not exactly a neutral party, as I work with Micah at EFF, but I want to second your opinion and thank Micah in particular for his work on this issue. Back 18 months ago he was already explaining the alternate installer and pushing for default inclusion: https://www.eff.org/deeplinks/2011/05/help-bring-disk-encryption-ubuntu-live-cd So thanks Micah :-] -Parker On 11/8/12 11:48 AM, Douglas Lucas wrote: > I want to chime in here to thank EFF for encouraging Ubuntu to do this > and encourage everyone who appreciates it to donate to EFF: > https://supporters.eff.org/donate I'm sure many of us have had and > continue to have the experience of wanting to nudge someone over from OS > X or Windows to GNU/Linux and LUKS full disk encryption, but the process > got roadblocked at some point because using the alternate installer to > config the partitions and all for FDE was just too much of a hassle for > parties involved. Now FDE is just a tickbox in the default installer. > How cool is that? So again, donate! > > :-Douglas > > On 11/08/2012 01:34 PM, Micah Lee wrote: >> On 11/08/2012 05:18 AM, Niels ten Oever wrote: >>> Dear Micah, >>> >>> Small correction to your piece: Selecting full disk encryption in the >>> installer GUI was already possible in Ubuntu 12.04. >>> >>> The explanation wasn't as clear as it is now though. >> >> Before 12.10 the Ubuntu GUI installer only let you set up home directory >> encryption using encryptfs, which is different than full disk >> encryption. This option is still there in 12.10, and you can choose to >> use it as well as full disk encryption if you want (I can't see how it >> could help though). >> >> With encryptfs home directory encryption, all of the individual files in >> your home folder get stored encrypted on the disk, but a lot of data >> about your files still gets leaked. The directory structure, file size, >> timestamps, etc. don't get encrypted, only the contents of the files. >> And it's also only your home directory that gets encrypted, not your >> whole disk. So for example, if you have any mysql databases on your >> computer, that data gets stored in /var/lib/mysql and therefore won't >> get encrypted. When you're not encrypting your whole hard drive, "evil >> maid" style attacks become much easier. If someone gets physical access >> to your computer for just a couple minutes, they can boot to a live cd >> and replace your /usr/bin/ssh or /usr/bin/gpg with malicious versions. >> >> The full disk encryption that's offered in 12.10 uses luks and differs >> in many ways from encryptfs home directory encryption. It creates full >> encrypted file systems, which means that no meta data about the files on >> your computer get leaked. The key that's used to unlock the luks >> partitions are encrypted with a separate passphrase that isn't your user >> password, and you have to enter this each time you boot your computer, >> which is more secure since user passwords tend to not be long passphrases. >> >> >> >> -- >> Unsubscribe, change to digest, or change password at: >> https://mailman.stanford.edu/mailman/listinfo/liberationtech >> > -- > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech > -- Parker Higgins Activist Electronic Frontier Foundation https://eff.org -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Privacy in Ubuntu 12.10
I want to chime in here to thank EFF for encouraging Ubuntu to do this and encourage everyone who appreciates it to donate to EFF: https://supporters.eff.org/donate I'm sure many of us have had and continue to have the experience of wanting to nudge someone over from OS X or Windows to GNU/Linux and LUKS full disk encryption, but the process got roadblocked at some point because using the alternate installer to config the partitions and all for FDE was just too much of a hassle for parties involved. Now FDE is just a tickbox in the default installer. How cool is that? So again, donate! :-Douglas On 11/08/2012 01:34 PM, Micah Lee wrote: > On 11/08/2012 05:18 AM, Niels ten Oever wrote: >> Dear Micah, >> >> Small correction to your piece: Selecting full disk encryption in the >> installer GUI was already possible in Ubuntu 12.04. >> >> The explanation wasn't as clear as it is now though. > > Before 12.10 the Ubuntu GUI installer only let you set up home directory > encryption using encryptfs, which is different than full disk > encryption. This option is still there in 12.10, and you can choose to > use it as well as full disk encryption if you want (I can't see how it > could help though). > > With encryptfs home directory encryption, all of the individual files in > your home folder get stored encrypted on the disk, but a lot of data > about your files still gets leaked. The directory structure, file size, > timestamps, etc. don't get encrypted, only the contents of the files. > And it's also only your home directory that gets encrypted, not your > whole disk. So for example, if you have any mysql databases on your > computer, that data gets stored in /var/lib/mysql and therefore won't > get encrypted. When you're not encrypting your whole hard drive, "evil > maid" style attacks become much easier. If someone gets physical access > to your computer for just a couple minutes, they can boot to a live cd > and replace your /usr/bin/ssh or /usr/bin/gpg with malicious versions. > > The full disk encryption that's offered in 12.10 uses luks and differs > in many ways from encryptfs home directory encryption. It creates full > encrypted file systems, which means that no meta data about the files on > your computer get leaked. The key that's used to unlock the luks > partitions are encrypted with a separate passphrase that isn't your user > password, and you have to enter this each time you boot your computer, > which is more secure since user passwords tend to not be long passphrases. > > > > -- > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech > -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Privacy in Ubuntu 12.10
Dear Micah, Small correction to your piece: Selecting full disk encryption in the installer GUI was already possible in Ubuntu 12.04. The explanation wasn't as clear as it is now though. Cheers, Niels Niels ten Oever Programme Coordinator E: tenoe...@freepressunlimited.org M: +31 613846622 Jabber: n...@jabber.org A digital signature can be attached to this e-mail, you need openPGP software to verify it. See: http://is.gd/Y06WEs Key fingerprint = 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D 68E9 > -- > > Message: 3 > Date: Tue, 06 Nov 2012 16:40:50 -0800 > From: Micah Lee > To: liberationtech@lists.stanford.edu > Subject: [liberationtech] Privacy in Ubuntu 12.10 > Message-ID: <5099ae12.3000...@riseup.net> > Content-Type: text/plain; charset="iso-8859-1" > > Hi, in case people on this list are interested I thought I'd share two > blog posts about Ubuntu 12.10 on EFF's blog. > > Last week I attacked Ubuntu for showing Amazon-affiliated ads to people > and leaking their search terms without giving users a chance to opt-in: > > https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks > > And today I wrote about how Ubuntu 12.10 includes Full Disk Encryption > options in the GUI installer thanks to user requests, and how this > relates to the resurgence of crypto-related activism: > > https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption > -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech