Ague Mill:
> On Fri, Oct 12, 2012 at 06:15:07PM -0700, Steve Weis wrote:
>> Hi. I booted Tails' latest release and was able to scrape memory contents
>> via FireWire. All the necessary firewire modules are enabled by default and
>> Inception worked out of the box. This would let someone root a machine
>> through, say, a daisy chained thunderbolt monitor.
>>
>> I'd either remove support from the kernel, blacklist the modules in
>> modprobe, or disable support with a boot param.
>
> We can't just do that. Tails is also meant to be a safe environment to
> produce sensitive documents. Being able to retrieve a video from a DV
> camera, edit it and send it online is a use case Tails should support.

I'd hardly call this safe. I mean, sure - those video people are safely able to download videos over FireWire - but for every person that does that, how many people will be vulnerable to DMA attacks without even having a clue about FireWire?

> From the recent discussions regarding ExpressCards and the likes, it
> looks like we are moving to a common pattern of "you have 5 minutes to
> plug things on those ports that can be dangerous, otherwise, they will
> be disabled". This should work for FireWire too, even if it feels more
> cumbersome to me than for an expansion card.

As this is a modular kernel - is there a reason not to simply add an "enable firewire" widget? That way everyone is secure by default, and when someone wishes to enable it, they can be notified of the danger they have just enabled?

All the best,
Jacob

_______________________________________________
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
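The two mechanisms discussed in this thread, Steve's "blacklist the modules in modprobe" and Jacob's secure-by-default toggle, in concrete form. This is an added example, not code from the Tails project or from anyone in the thread. It assumes the mainline Linux FireWire module names (firewire-core, firewire-ohci, firewire-sbp2); the file name /etc/modprobe.d/no-firewire.conf and the embedded lsmod sample are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the tails-dev thread or the Tails project):
# keep the FireWire stack out of the kernel by default, and verify it.
# Module names are the mainline Linux FireWire stack; the list is ordered
# so that 'modprobe -r' can unload them (users before firewire-core).
FIREWIRE_MODULES="firewire-sbp2 firewire-ohci firewire-core"

# Emit a modprobe.d fragment to stdout.  'blacklist' only stops udev/alias
# autoload when the OHCI controller is detected; 'install ... /bin/false'
# also defeats explicit 'modprobe' and dependency loading.
firewire_blacklist_conf() {
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Read lsmod-style output on stdin and print the FireWire modules that are
# loaded.  lsmod prints names with underscores, modprobe.d accepts hyphens,
# so normalise before comparing.
loaded_firewire_modules() {
    awk -v want="$FIREWIRE_MODULES" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) { gsub("-", "_", w[i]); want_set[w[i]] = 1 }
        }
        NR > 1 && ($1 in want_set) { print $1 }
    '
}

# Succeeds (exit 0) when no FireWire module is loaded.
firewire_disabled() {
    [ -z "$(loaded_firewire_modules)" ]
}

# Constructed lsmod output for a box where FireWire autoloaded at boot
# (not captured from a real system).
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          69632  1 firewire_ohci
crc_itu_t              16384  1 firewire_core
snd_hda_intel          53248  3'

demo() {
    echo "# modprobe.d fragment:"
    firewire_blacklist_conf
    echo "# FireWire modules loaded in the constructed lsmod sample:"
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_firewire_modules
}

# Nothing below runs unless an action is requested; --install needs root.
case "${1:-}" in
    --install)
        firewire_blacklist_conf > /etc/modprobe.d/no-firewire.conf  # assumed path
        for m in $FIREWIRE_MODULES; do modprobe -r "$m" 2>/dev/null || true; done
        ;;
    --check)
        if lsmod | firewire_disabled; then
            echo "no FireWire modules loaded"
        else
            echo "FireWire modules still loaded:"; lsmod | loaded_firewire_modules
        fi
        ;;
    --demo) demo ;;
esac
```

Two caveats a practitioner would check: if firewire-ohci is loaded from the initramfs, the fragment has to reach the initramfs too (on Debian, `update-initramfs -u` copies /etc/modprobe.d), and the `--check` path is what tells you whether the controller is actually unbound, which is the only thing that matters against a DMA attack. Re-enabling for the DV-camera use case is then `modprobe -r` of nothing and a `modprobe --ignore-install firewire-ohci` after removing the fragment, which is the natural back end for the "enable firewire" widget proposed above.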