Re: [Tails-dev] Debian popularity contest

2012-10-27 Thread Ague Mill
adrelanos:
> The Debian *popularity-contest* package popcon is **disabled** in Tails.
> [...]
> 
> Letting Tails users vote in popcon in a privacy friendly way is a
> desirable goal.

Sorry, but I don't think everyone will agree on that. Most would say that
Tails should send as little information as possible on its users to the
world.

Thanks for the detailed analysis... but unfortunately I think it's
unnecessary. Occam's razor often leads to more readable documentation.

-- 
Ague


___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev


Re: [Tails-dev] Debian popularity contest

2012-10-27 Thread adrelanos
The Debian *popularity-contest* package popcon is **disabled** in Tails.

[popcon readme](http://popcon.debian.org/README) | [popcon
faq](http://popcon.debian.org/FAQ) | [popcon
bugs](http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=popularity-contest)
| [popularity contest mailing
list](http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/popcon-developers)
| [popularity contest mailing list: Drop atime and ctime for privacy
reasons
possible?](http://lists.alioth.debian.org/pipermail/popcon-developers/2012-October/002172.html)

Letting Tails users vote in popcon in a privacy friendly way is a
desirable goal. Tails has quite some users, would have some weight in
popcon and would also contribute to the estimation of Linux users
(linuxcounter). However, the obstacles of activating popcon in Tails are
too big.

Some privacy considerations and reasons why it's disabled:

* The connection would obviously need to go over its own Tor circuit
(stream isolation). At the moment popcon tries to go through http and if
it fails (no internet connectivity) it goes into the mail queue
(sendmail). Sendmail probably works through TransPort, but I don't know if
it can be torified for proper stream isolation.
* (From the popcon readme) "*Each popularity-contest host is identified
by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf).*" -
This would allow making quite a good guess about the number
of Tails users. We are not sure if boum.org or boum.org's internet
service provider could already have an insight about that or about any
other negative implications.
* MY_HOSTID would probably get created at Tails build time and all Tails
users would have the same MY_HOSTID, which would make it useless. A new
MY_HOSTID would have to be created at first boot of Tails.
* Popcon runs on a random day. Good.
* If the machine is powered on: it runs at 6:47, which is bad,
because a local adversary (ISP or hotspot) could guess popcon runs over
Tor, which would likely be a Tails user.
* If the machine is powered off at 6:47, it sends the report later, only
if anacron is installed. It shouldn't run instantly after powering on,
also for fingerprinting reasons. The time would have to be truly randomized.
* The transmission is not encrypted, see [popularity-contest should
encrypt
contents](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480860) and
it's not planned to encrypt it. Malicious Tor exit nodes could modify the
transmission, but this is only a minor issue. Such malicious Tor exit
nodes could send fake transmissions on their own.
* It's questionable whether, and if so for how long, Debian will accept
popularity contest transmissions from Tor exit nodes. There is potential
for electoral fraud.
* A few Live CD related issues:
  * Creating MY_HOSTID at run time for users who do not use persistence
  and who do not run the system for weeks without reboot, which is assumed
  to be quite a big percentage of Tails users, wouldn't allow them to vote
  in popcon. (That requires recent access time and older creation time of
  an application.)
  * A persistent MY_HOSTID for users who do not run the system for weeks
  without reboot wouldn't help either. Even when using persistence, most
  files are not persistent (binaries, /usr/bin/dpkg and so on, there is no
  need for them to be persistent). Therefore the last accessed time
  (atime) would be lost after reboot. Tails would have to remember and
  restore the atime, which would have to be an opt-in, because it has
  privacy implications.

For these reasons it's not a good idea to add popcon to Tails. If you
have suggestions or a different view, please get in contact. Without
serious amounts of help from the popcon developers or contributors it
won't happen.
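
Added example, not part of the original message and not Tails or popcon code: a shell check a live-image builder could run over an unpacked root tree to confirm that popcon is off and that no MY_HOSTID was generated at build time, the shared-identifier problem described in the list above. The function names and the sample tree are hypothetical; the PARTICIPATE key and the assumption that only "no", "0" or an empty value mean "off" are not taken from this thread.

```shell
#!/bin/sh
# Added example: audit an unpacked live-image root for popcon settings.

# conf_value FILE KEY -> last assigned value of KEY, quotes stripped
conf_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit_popcon ROOT -> prints findings; returns 1 if any FINDING was printed
audit_popcon() {
    conf="$1/etc/popularity-contest.conf"
    [ -f "$conf" ] || { echo "OK: no popularity-contest.conf"; return 0; }
    rc=0
    participate=$(conf_value "$conf" PARTICIPATE)
    hostid=$(conf_value "$conf" MY_HOSTID)
    # Conservative assumption: anything other than no/0/empty counts as enabled.
    case "$participate" in
        ""|0|[Nn][Oo]) echo "OK: PARTICIPATE is off" ;;
        *) echo "FINDING: PARTICIPATE=$participate, reports would be submitted"
           rc=1 ;;
    esac
    # An ID present in the image is identical on every machine booted from it.
    if [ -n "$hostid" ]; then
        echo "FINDING: MY_HOSTID is baked into the image (shared by all users)"
        rc=1
    fi
    return $rc
}

# make_sample_tree PARTICIPATE HOSTID -> path of a constructed test root
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    {
        echo "# constructed sample, not a real host's configuration"
        echo "PARTICIPATE=\"$1\""
        [ -z "$2" ] || echo "MY_HOSTID=\"$2\""
    } > "$root/etc/popularity-contest.conf"
    echo "$root"
}

# Demo: a build that disabled popcon but still shipped a generated ID.
demo=$(make_sample_tree no 0123456789abcdef0123456789abcdef)
audit_popcon "$demo" || echo "image needs fixing"
rm -rf "$demo"
```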


Re: [Tails-dev] Debian popularity contest

2012-10-26 Thread intrigeri
adrelanos wrote (26 Oct 2012 15:58:44 GMT) :
>> First, Tails has no outgoing SMTP client configured by default,
>> so popcon would not work out of the box.

> It tries http first.

Thanks for correcting me.

> I considered it for Whonix today and it's a real bad idea to add it.
> Reasons are listed here:
> https://sourceforge.net/p/whonix/wiki/Security/#popularity-contest

> If you are interested I could adjust it for Tails and add it to the
> Tails design.

I'd be very thankful if you contributed such an adapted version.
Sending it here first would be preferred.

BTW, it's "popcon", not "popcorn" :)

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Re: [Tails-dev] Debian popularity contest

2012-10-26 Thread adrelanos
intrigeri:
> Hi,
> 
> adrelanos wrote (26 Oct 2012 10:42:48 GMT) :
>> did you consider participating with Tails in Debian popularity
>> contest? (popcorn)
> 
> I don't remember doing more than disabling it,
> as a way to avoid having to think about it.
> 
>> I saw you disabled it, but couldn't find an explanation in
>> the Design.
> 
> First, Tails has no outgoing SMTP client configured by default,
> so popcon would not work out of the box.

It tries http first.

> Second, even if Tails had the needed facility, I'm unsure Debian mail
> servers would accept email coming from Tor exit nodes.

Valid point.

> I suppose we
> could set up a dedicated limited SMTP relay as we have for WhisperBack,
> but that is quite some effort to set up and maintain. Personally, I'm
> not interested in doing this work.
> 
> Third, I like Tails not to call home by default,
> and only then, we can make exceptions when we feel it safe and needed
> (e.g. the security issue check).

I considered it for Whonix today and it's a real bad idea to add it.
Reasons are listed here:
https://sourceforge.net/p/whonix/wiki/Security/#popularity-contest

If you are interested I could adjust it for Tails and add it to the
Tails design.

Cheers,
adrelanos


Re: [Tails-dev] Debian popularity contest

2012-10-26 Thread intrigeri
Hi,

adrelanos wrote (26 Oct 2012 10:42:48 GMT) :
> did you consider participating with Tails in Debian popularity
> contest? (popcorn)

I don't remember doing more than disabling it,
as a way to avoid having to think about it.

> I saw you disabled it, but couldn't find an explanation in
> the Design.

First, Tails has no outgoing SMTP client configured by default,
so popcon would not work out of the box.

Second, even if Tails had the needed facility, I'm unsure Debian mail
servers would accept email coming from Tor exit nodes. I suppose we
could set up a dedicated limited SMTP relay as we have for WhisperBack,
but that is quite some effort to set up and maintain. Personally, I'm
not interested in doing this work.

Third, I like Tails not to call home by default,
and only then, we can make exceptions when we feel it safe and needed
(e.g. the security issue check).

Cheers!