Re: [Tails-dev] Anonymous Blogging with WordPress and Tor
On 01/07/11 15:41, intrigeri wrote:
> sajolida wrote (01 Jul 2011 08:50:24 GMT) :
>> I'm ready to do this work if we find it interesting.
>
> I felt the same as you when I read this text a few weeks ago. I'm all for you to suggest them some enhancements and point them to Tails.
>
> Beware not becoming by error the primary maintainer of this document, though ;)
>
> Bye,

Hi,

Here is the draft of the email I'm planning to send to the author of this guide. I'd like to have a quick review from you before sending it.

× × ×

Hi,

This week I found out about your document called « Anonymous Blogging with WordPress and Tor » and read it carefully and with interest.

I'm part of the team developing Tails, a live CD or live USB that aims at preserving your privacy and anonymity; first, by redirecting all outgoing traffic to Tor, and second, by taking special care to leave no trace on the computer you're using unless you ask it explicitly, see:

http://tails.boum.org/

Tails is now listed by The Tor Project as its recommended live distribution, see:

https://www.torproject.org/projects/projects.html.en

I would like to suggest you trying out Tails and possibly adapting some part of your guide to using it. I believe it would make parts of it easier to document and also improve the overall solution that you're proposing. I'll tell you why.

Trusting your OS

A central vision of Tails is that it is crucial to trust, as a whole, the operating system that you are using if you're planning to do any sensitive task on a computer, like protecting your anonymity or working on sensitive documents.

For example, on page 8, I agree with you when you advocate the use of Firefox over Internet Explorer but following the same assumption you should not advocate the use of Tor from Windows. The operating system is the central piece of software managing all your applications, having direct access to your files, your disks, your network interfaces, etc. If you can't trust your OS, any security measure that you try to build on top of it is bound to be flawed.

The assumption of Tails regarding this is that you'd better trust open source software, in our case Debian GNU/Linux on which Tails is based and which is quite well known to be reactive on security issues than proprietary software like Windows, quite well known for just the opposite.

Plus, since Tails is a live distribution, the OS is restarted in its original state at every use so that viruses, buggy software or misuse can't affect the system in the long run, especially if run from a read-only support like a CD.

This is how we try to provide an improved level of trust on the OS and then build security measures at the application level on top of that.

Regarding your document, that would resolve the issue you're mentioning on page 1 and provide you an OS easier to trust against keyloggers and viruses.

About secure deletion

When writing documentation about security measures it's both hard to know where to stop and at the same time be sure you wrote enough.

For example, on page 20 you advise to use securely delete posts after publishing them. This means that you include in the threat model of the people reading your document that the computer they use could be seize and investigate by forensics in search of traces from those documents.

Tails could help you addressing better this threat by:

- ensuring that every document written during a Tails session won't leave any trace on the computer since it's a live distribution running from RAM and that it takes special care to not leave any trace on the local storage of the computer unless asked explicitly,
- being shipped already with tools for secure deletion — then actually documenting how to use them would be shorter and easier.

For example, when you're saying on page 21 « Write your blog post offline. Not only is this a good way to keep from losing a post if your browser crashes or your net connection goes down, it means you can compose your posts somewhere more private than a cybercafe. », if using normal operating systems, you are very likely to leave traces of the document on both your machine and the public one.

Plus, it would be a good idea to suggest the users safe ways to carry their drafts from one machine to another, for example:

1. Using an encrypted USB stick. That would be something else to document well since actually securely deleting a single file on a USB is much more problematic than on a hard drive, see: http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf

   Tails provides tools to fully encrypt USB sticks.

2. Saving the drafts in the disposable mailbox. That might be a better solution if it is encrypted using FireGPG. Tails also comes with FireGPG installed.

Furthermore, it is good to advertise the secure deletion of files but then to be coherent you should also advertise the secure deletion of the browser history. And this is much harder
Re: [Tails-dev] Anonymous Blogging with WordPress and Tor
Hi,

Nice email, I did some corrections though.

bert.

On Mon, Jul 04, 2011 at 09:38:57AM +0200, sajolida wrote:
> Hi,
>
> Here is the draft of the email I'm planning to send to the author of this guide. I'd like to have a quick review from you before sending it.
>
> × × ×
>
> Hi,
>
> This week I found out about your document called « Anonymous Blogging with WordPress and Tor » and read it carefully and with interest.
>
> I'm part of the team developing Tails, a live CD or live USB that aims at preserving your privacy and anonymity; first, by redirecting all outgoing traffic to Tor, and second, by taking special care to leave no trace on the computer you're using unless you ask it explicitly, see:
>
> http://tails.boum.org/
>
> Tails is now listed by The Tor Project as its recommended live distribution, see:
>
> https://www.torproject.org/projects/projects.html.en
>
> I would like to suggest you trying out Tails and possibly adapting some part of your guide to using it. I believe it would make parts of it easier to document and also improve the overall solution that you're proposing. I'll tell you why.
>
> Trusting your OS
>
> A central vision of Tails is that it is crucial to trust, as a whole, the operating system that you are using if you're planning to do any sensitive task on a computer, like protecting your anonymity or working on sensitive documents.
>
> For example, on page 8, I agree with you when you advocate the use of Firefox over Internet Explorer but following the same assumption you should not advocate the use of Tor from Windows. The operating system is the central piece of software managing all your applications, having direct access to your files, your disks, your network interfaces, etc. If you can't trust your OS, any security measure that you try to build on top of it is bound to be flawed.
>
> The assumption of Tails regarding this is that you'd better trust open source software, in our case Debian GNU/Linux on which Tails is based and which is quite well known to be reactive on security issues than proprietary software like Windows, quite well known for just the opposite.
>
> Plus, since Tails is a live distribution, the OS is restarted in its original state at every use so that viruses, buggy software or misuse can't affect the system in the long run, especially if run from a read-only support like a CD.
>
> This is how we try to provide an improved level of trust on the OS and then build security measures at the application level on top of that.
>
> Regarding your document, that would resolve the issue you're mentioning on page 1 and provide you an OS easier to trust against keyloggers and viruses.
>
> About secure deletion
>
> When writing documentation about security measures it's both hard to know where to stop and at the same time be sure you wrote enough.
>
> For example, on page 20 you advise to use securely delete posts after publishing them. This means that you include in the threat model of the people reading your document that the computer they use could be seize and investigate by forensics in search of traces from those documents.

For example, on page 20, you advise to securely delete files used for the post after publishing it. (or something like that)

could be seized and investigated by forensics experts

> Tails could help you addressing better this threat by:
>
> - ensuring that every document written during a Tails session won't leave any trace on the computer since it's a live distribution running from RAM and that it takes special care to not leave any trace on the local storage of the computer unless asked explicitly,
> - being shipped already with tools for secure deletion — then actually documenting how to use them would be shorter and easier.
>
> For example, when you're saying on page 21 « Write your blog post offline. Not only is this a good way to keep from losing a post if your browser crashes or your net connection goes down, it means you can compose your posts somewhere more private than a cybercafe. », if using normal operating systems, you are very likely to leave traces of the document on both your machine and the public one.
>
> Plus, it would be a good idea to suggest the users safe ways to carry their drafts from one machine to another, for example:

to suggest to users

> 1. Using an encrypted USB stick. That would be something else to document well since actually securely deleting a single file on a USB is much more problematic than on a hard drive, see: http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
>
>    Tails provides tools to fully encrypt USB sticks.
>
> 2. Saving the drafts in the disposable mailbox. That might be a better solution if it is encrypted using FireGPG. Tails also comes with FireGPG installed.
>
> Furthermore, it is good to advertise the secure deletion of files but then to be coherent you should also advertise the secure
Re: [Tails-dev] integrate walkthrough in doc-rework
On 17/06/11 18:15, a...@boum.org wrote:
> Hi,
>
> The walkthrough, originally imported from Incognito, has been out of sync with Tails for a long time. Some progress has been made to solve that issue:
>
> - in master branch: the out-of-sync parts have been clearly marked as outdated. This is already available online on Tails website;
> - in doc-rework branch: the walkthrough has been split into different pages which are partially merged with the rest of Tails documentation. Some of these pages have already been reviewed according to current Tails status.
>
> This is still a work-in-progress, but a first review is already welcome, as well as contributions if you're inclined.
>
> Cheers,

Hi,

Thank you for doing that. It's a nice bootstrap for the work to be done on the doc.

I just had a look at the first section « About Tails ». As you already mentioned, at the moment in it there is basically:

- Parts that could be merged into /doc/warning.
- Other bits that are already addressed by /about. Plus, this section is called « About Tails » almost like the page called « About » which is a bit confusing.
- The first part of the /doc/about/anonymity page which I don't like that much. If people reading the doc up to this point still need to know « why they need anonymity » we should rather point them to torproject.org.
- A similar thing goes for the main /doc/introduction. It sounds like the usual blabla to my ears and something that's not really worth reading.

So do we agree on rescuing what needs to be rescued into the /about and /doc/warning pages and getting rid of all the rest? It'll remain until the end of time in the git history of course in case we feel nostalgic at some point ;)

--
sajolida