Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-11-16 Thread Ague Mill
intrigeri: > The issue about the exact delay that was raised (5 minutes starting > when, 1 minute starting at the same time as GDM, anything else?) is > still in need of a conclusion. One minute is enough for the "oh, I forgot to plug in the network card" case. I'd still be more in favor of 5 to h

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-11-15 Thread intrigeri
hi, intrigeri wrote (12 Oct 2012 09:27:35 GMT) : > Hi, > intrigeri wrote (28 Sep 2012 15:27:50 GMT) : >>> * de-activate PCMCIA and ExpressCard on systems that don't have any >>> PCMCIA or ExpressCard devices after running for 5 minutes. This is >>> going to bite some users, but probably only

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-15 Thread Maxim Kammerer
On Mon, Oct 15, 2012 at 6:30 PM, Abel Luck wrote: > Nevertheless, my point (repeating myself here), is that there should be > a zero-second window option regardless, for those that care. Moreover, > that option does not have to significantly affect the UX. You can already do that if the distribut

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-15 Thread Abel Luck
Ague Mill: > On Mon, Oct 15, 2012 at 02:47:05PM +, Abel Luck wrote: >> intrigeri: >>> Hi, >>> >>> Jacob Appelbaum wrote (13 Oct 2012 11:02:17 GMT) : As this is a modular kernel - is there a reason not to simply add an "enable firewire" widget? >>> >>> There are several I can see: >>> >

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-15 Thread Ague Mill
On Mon, Oct 15, 2012 at 02:47:05PM +, Abel Luck wrote: > intrigeri: > > Hi, > > > > Jacob Appelbaum wrote (13 Oct 2012 11:02:17 GMT) : > >> As this is a modular kernel - is there a reason not to simply add > >> an "enable firewire" widget? > > > > There are several I can see: > > > > * It is

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-15 Thread Abel Luck
intrigeri: > Hi, > > Jacob Appelbaum wrote (13 Oct 2012 11:02:17 GMT) : >> As this is a modular kernel - is there a reason not to simply add >> an "enable firewire" widget? > > There are several I can see: > > * It is a UX failure every time someone has to go out of their way to > have Tails wo

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-14 Thread Maxim Kammerer
On Sun, Oct 14, 2012 at 11:38 PM, Maxim Kammerer wrote: > there is currently no other way to > enable physical DMA in Firewire than via firewire_sbp2 or via > unfiltered physical DMA (enabled by CONFIG_FIREWIRE_OHCI_REMOTE_DMA). Ah, there is also CONFIG_PROVIDE_OHCI1394_DMA_INIT + ohci1394_dma=ea

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-14 Thread Maxim Kammerer
On Sun, Oct 14, 2012 at 9:57 PM, Steve Weis wrote: > There are two alternative driver stacks (e.g. ieee1394 and firewire-core) > and the docs talk about them both interchangeably. It's a bit confusing. The > CONFIG_FIREWIRE_OHCI_REMOTE_DMA kernel hacking option may only be relevant > to the legacy

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-14 Thread Steve Weis
Hi Maxim. I did not completely power off the system when I tried the test. I did a warm reset and booted to a USB drive. I'm not sure about the inconsistency with the debugging-via-ohci1394 docs. There are two alternative driver stacks (e.g. ieee1394 and firewire-core) and the docs talk about them

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-14 Thread Maxim Kammerer
On Sat, Oct 13, 2012 at 5:18 AM, Maxim Kammerer wrote: > On Sat, Oct 13, 2012 at 5:04 AM, Steve Weis wrote: >> I think the kernel is working as expected. Debian and Ubuntu are both also >> vulnerable by default, since FireWire modules are loaded automatically. > > From Documentation/debugging-via

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-14 Thread intrigeri
Hi, Jacob Appelbaum wrote (13 Oct 2012 11:02:17 GMT) : > As this is a modular kernel - is there a reason not to simply add > an "enable firewire" widget? There are several I can see: * It is a UX failure every time someone has to go out of their way to have Tails work with their hardware. * Eve

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-13 Thread Jacob Appelbaum
Ague Mill: > On Fri, Oct 12, 2012 at 06:15:07PM -0700, Steve Weis wrote: >> Hi. I booted Tails' latest release and was able to scrape memory contents >> via FireWire. All the necessary firewire modules are enabled by default and >> Inception worked out of the box. This would let someone root a mach

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-13 Thread Ague Mill
On Fri, Oct 12, 2012 at 06:15:07PM -0700, Steve Weis wrote: > Hi. I booted Tails' latest release and was able to scrape memory contents > via FireWire. All the necessary firewire modules are enabled by default and > Inception worked out of the box. This would let someone root a machine > through, s

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Maxim Kammerer
On Sat, Oct 13, 2012 at 5:04 AM, Steve Weis wrote: > I think the kernel is working as expected. Debian and Ubuntu are both also > vulnerable by default, since FireWire modules are loaded automatically. From Documentation/debugging-via-ohci1394.txt: “The alternative firewire-ohci driver in driver

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Steve Weis
I think the kernel is working as expected. Debian and Ubuntu are both also vulnerable by default, since FireWire modules are loaded automatically. I can send some fix suggestions if you like. On Oct 12, 2012 7:35 PM, "Maxim Kammerer" wrote: > On Sat, Oct 13, 2012 at 3:15 AM, Steve Weis wrote: >

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Maxim Kammerer
On Sat, Oct 13, 2012 at 3:15 AM, Steve Weis wrote: > Hi. I booted Tails' latest release and was able to scrape memory contents > via FireWire. All the necessary firewire modules are enabled by default and > Inception worked out of the box. This would let someone root a machine > through, say, a da

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Steve Weis
Hi. I booted Tails' latest release and was able to scrape memory contents via FireWire. All the necessary firewire modules are enabled by default and Inception worked out of the box. This would let someone root a machine through, say, a daisy chained thunderbolt monitor. I'd either remove support

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Jacob Appelbaum
Maxim Kammerer: > On Sat, Oct 13, 2012 at 1:30 AM, Jacob Appelbaum > wrote: >> I would add Thunderbolt to the list as well: >> http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/ > >> > As far as I can see, all these at

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Maxim Kammerer
On Sat, Oct 13, 2012 at 1:30 AM, Jacob Appelbaum wrote: > I would add Thunderbolt to the list as well: > http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/ As far as I can see, all these attacks (PCMCIA, ExpressCard, Th

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Jacob Appelbaum
Alan: > Hi, > >>> * de-activate PCMCIA and ExpressCard on systems that don't have any >>> PCMCIA or ExpressCard devices after running for 5 minutes. This is >>> going to bite some users, but probably only the first time. >> >> I am strongly inclined towards this one, for PCMCIA, ExpressCard >>

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread Alan
Hi, >> * de-activate PCMCIA and ExpressCard on systems that don't have any >> PCMCIA or ExpressCard devices after running for 5 minutes. This is >> going to bite some users, but probably only the first time. > > I am strongly inclined towards this one, for PCMCIA, ExpressCard > FireWire and ev

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-10-12 Thread intrigeri
Hi, intrigeri wrote (28 Sep 2012 15:27:50 GMT) : >> * de-activate PCMCIA and ExpressCard on systems that don't have any >> PCMCIA or ExpressCard devices after running for 5 minutes. This is >> going to bite some users, but probably only the first time. > I am strongly inclined towards this on

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-09-29 Thread intrigeri
Hi, a...@boum.org wrote (26 Sep 2012 17:44:34 GMT) : > We didn't reach a conclusion on this topic. The page on pcmcia is > still tagged "discuss". Thank you for resurrecting this discussion! It's unclear to me what exact part of it you intended to resurrect, but anyway, I guess it's good to have

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-09-28 Thread Ague Mill
On Wed, Sep 26, 2012 at 07:44:34PM +0200, a...@boum.org wrote: > Issue: 32bit PCMCIA gets DMA. It is thus usable by an adversary for > external bus memory forensics on a running Tails. > > Question: we now have to discuss what usability vs. > security balance we want. > > Ideas: > > * If a firew

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-09-26 Thread alan
Hi, We didn't reach a conclusion on this topic. The page on pcmcia is still tagged "discuss". Issue: 32bit PCMCIA gets DMA. It is thus usable by an adversary for external bus memory forensics on a running Tails. Question: we now have to discuss what usability vs. security balance we want. Ide

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-08-25 Thread Jacob Appelbaum
intrigeri: > Hi, > > Jacob Appelbaum wrote (22 Aug 2012 21:01:22 GMT) : >> Pop up a dialog and ask "hey, you want to use firewire?" - at least >> if they had enabled a password, they will have to bypass a screen >> lock or authenticate to enable full memory forensics. > > I'm not sure I understan

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-08-25 Thread intrigeri
Hi, Jacob Appelbaum wrote (22 Aug 2012 21:01:22 GMT) : > Pop up a dialog and ask "hey, you want to use firewire?" - at least > if they had enabled a password, they will have to bypass a screen > lock or authenticate to enable full memory forensics. I'm not sure I understand clearly what you are s

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-08-25 Thread intrigeri
Hi, >> I'd still go for [...] > A possible middle-ground could be to [...] FWIW, I've created a parent ticket for these issues, and pasted the various implementation ideas in there: todo/protect_against_external_bus_memory_forensics Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcana

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-08-23 Thread Ague Mill
> >> Also, what about pcmcia/pccard/express card? > > > > Sorry, we still have not discussed what usability vs. security balance > > we want in this area. For the record, these are tracked there: > > https://tails.boum.org/todo/disable_expresscard__63__/ > > https://tails.boum.org/todo/disable

Re: [Tails-dev] Tails: pcmcia / firewire / etc.

2012-08-15 Thread intrigeri
Hi Jake, Jacob wrote (late 2011): >> Disable all firewire kernel modules. This will help fight against >> forensics programs that will attempt to suck out memory with the >> internal firewire or a cardbus/pcmcia card. And ta...@boum.org replied (05 Jan 2012 23:54:40 GMT) : > Recent Linux kernels

[Tails-dev] Tails: pcmcia / firewire / etc.

2012-01-05 Thread tails
Hi, (Please Cc: any subsequent reply to the public tails-dev@boum.org ML.) > Disable all firewire kernel modules. This will help fight against > forensics programs that will attempt to suck out memory with the > internal firewire or a cardbus/pcmcia card. > Disable all pcmcia kernel modules; we