Tails documentation has a good comparison between DVD vs. USB install:
https://tails.boum.org/doc/first_steps/media/index.en.html

[email protected]:
> Thanks. Yes, actually I prefer the list since I won't be disclosing
> anything sensitive anyway, and other users (and developers maybe) might
> benefit from the discussion or join in :)
> Email is pretty bad, but widespread, will still stick around for many
> years to come, and much needed in this case, so our best bet right now
> is to secure it as well as we can (any pointers appreciated, by the
> way!) and hope for the best.
> Note: I believe only personal file storage and some configuration files
> are actually set to persist, whereas most of the OS is set to read-only
> (in software), but there might of course be ways for malware to
> circumvent this, since the USB technically is rewritable after all.
> Also, AppArmor confinement of the browser and email client might help
> mitigate such attacks too. I hope.
> --
> M
>
> On 2015-03-10 23:07, J.M. Porup wrote:
>> Hi Maggie,
>>
>> Well, OK. We can talk on-list if you like. :)
>>
>> IMHO, having dealt with targeted attacks, Tails on DVD with a storage
>> USB is preferable to persistent Tails on USB. Depends on your threat
>> model, of course, but the downside to Tails persistence is that whatever
>> pwnage you experience also persists.
>>
>> And I think it would be trivial to pwn a persistent Tails instance with
>> a properly crafted email payload, either via a webmail interface or via
>> Claws.
>>
>> I don't know who your adversary is, or what tools you must have besides
>> email, but it seems to me that storing your docs on a storage-only USB
>> and running Tails on DVD would be much more secure.
>>
>> Jens
>>
>> [email protected]:
>>> Thanks for your reply Jens, but this doesn't really help me. Is this
>>> about email being inherently insecure or related to the email client
>>> and/or imap (suggesting webmail instead)?
>>> As for the former, it is a conscious compromise with the need to be
>>> reachable and communicate with most of the world. Also, I am not very
>>> tech-savvy but more so than the other intended users, so usability is a
>>> very big deal here, as are features other than browsing the web, so
>>> persistence is very appealing to me. If you could point more precisely
>>> to the weaknesses in this setup and any suggestions for mitigating the
>>> risks, it would help a lot.
>>> --
>>> M
>>>
>>> On 2015-03-10 19:35, J.M. Porup wrote:
>>>> Maggie,
>>>>
>>>> In my experience it is trivial for an APT to hack you via spam,
>>>> malformed headers, or other naughty bits in an email. This makes Tails
>>>> persistence a bug, not a feature.
>>>>
>>>> Who is your adversary? Are you a target?
>>>>
>>>> You may like to use Tails on DVD instead, with a non-Tails USB for
>>>> local storage.
>>>>
>>>> just a thought...
>>>>
>>>> Jens
>>>>
>>>> --
>>>> J.M. Porup
>>>> www.JMPorup.com
>>>>
>>>> 1442 C867 3E9D 14A1 58FC
>>>> 2266 6AC3 56C1 D73A 6884
>>>>
>>>> [email protected]:
>>>>> Hi
>>>>>
>>>>> Thanks a bunch for working on Tails! I am new to this list so this
>>>>> topic may have been discussed previously, but anyway: I am looking
>>>>> to set up several Tails-sticks with persistence for an NGO, all
>>>>> persistent volumes identically prepared with access to the same IMAP
>>>>> mail account and pre-imported private PGP key, as well as other
>>>>> important documents, etc.
>>>>> Security and ease of use are vital, but as a bonus, this setup will
>>>>> help with internal democracy, since everyone has access to the same
>>>>> information (at least initially - maybe even better in the future with
>>>>> some syncing solution maybe) and communication channel, as well as
>>>>> providing a kind of distributed backup solution for key data.
>>>>>
>>>>> This means I want to clone a lot of USB sticks, including the
>>>>> persistent volume! Since this may be a growing use case, it would be
>>>>> nice to have such a feature in the Tails Installer eventually (maybe
>>>>> along the lines of https://tails.boum.org/blueprint/backups/#index7h2),
>>>>> but until then the solution seems to be something like
>>>>> dd if=/dev/sdX of=/dev/sdY, sdX being the original prepared Tails USB
>>>>> stick with a preconfigured persistent volume, and sdY being the USB
>>>>> stick to clone to (obviously at least as large in size as sdX).
>>>>>
>>>>> I have tried this successfully once (with two USB sticks of the exact
>>>>> same model and size) and although it was painfully slow, I guess I can
>>>>> live with that in lack of a better solution. I will probably try to
>>>>> get USB sticks of the exact same models and sizes, if I find one to be
>>>>> working well and reasonably cheap, so if there may be any subtle
>>>>> problems involved in using different models, I can overcome that,
>>>>> but it would be nice to get some advice here as well.
>>>>>
>>>>> On to more specific questions:
>>>>> * Using dd seems scary with a potential to do serious damage if not
>>>>> paying full attention to detail. Is there a safer recommended
>>>>> solution?
>>>>> * If using dd to accomplish this, what are the recommended options to
>>>>> use? (A lot of different ones are given on various sites, but in
>>>>> general with little or no explanation as to why they were chosen.)
>>>>>
>>>>> Do you see any problems in general with the idea of copying the sticks
>>>>> identically, bit by bit? Is there any benefit to manually creating
>>>>> each stick separately (although actually configured the exact same
>>>>> way)?
>>>>> (Note: My idea is to use the same password for the persistent
>>>>> volume on each stick either way - this makes it possible to use a long
>>>>> complex password that they can help each other remember. Since the
>>>>> sticks will all contain pretty much the same data, if one stick is
>>>>> compromised, so is the data, so using the same password for each stick
>>>>> doesn't seem to weaken security to me.)
>>>>> On a more subtle note: Do you see any problems with say entropy? If
>>>>> using the exact same models, cloned bit by bit, will it be too
>>>>> deterministic so as to e.g. spoof the exact same mac address when
>>>>> booting up on the same preconfigured network and cause any kind of
>>>>> problems, or will the other computer hardware take care of this
>>>>> somehow?
>>>>>
>>>>> It would be nice eventually to have some recommendations/best
>>>>> practices on the website for deploying Tails in a smaller
>>>>> organization for activism/journalism etc.
>>>>>
>>>>> Again, thanks for this awesome software!
>>>>> Maggie
_______________________________________________
tails-support mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-support
To unsubscribe from this list, send an empty email to
[email protected].
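
An added example, not part of the original thread and not Tails project code: a guarded wrapper around the `dd if=/dev/sdX of=/dev/sdY` clone asked about in the quoted message, which refuses a missing, identical, mounted or too-small target and verifies the copy by hash. The names `safe_clone` and `dev_size` are hypothetical, and GNU coreutils on Linux is assumed.

```sh
#!/bin/sh
# Added example: guarded whole-stick clone. safe_clone and dev_size are
# hypothetical helper names; /dev/sdX and /dev/sdY are the thread's placeholders.

# Size in bytes of a block device, or of a regular file (for dry runs).
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        echo $(( $(wc -c < "$1") ))
    fi
}

# safe_clone SRC DST: refuse an obviously wrong target, copy, then verify.
safe_clone() {
    src=$1; dst=$2
    if [ ! -e "$src" ] || [ ! -e "$dst" ]; then
        echo "source or target does not exist" >&2; return 1
    fi
    if [ "$src" -ef "$dst" ]; then
        echo "source and target are the same device" >&2; return 1
    fi
    # Refuse a target that, or whose partitions, appear in the mount table.
    if [ -r /proc/mounts ] && awk -v d="$dst" \
        'index($1, d) == 1 { hit = 1 } END { exit !hit }' /proc/mounts; then
        echo "$dst is mounted; unmount it first" >&2; return 1
    fi
    src_bytes=$(dev_size "$src"); dst_bytes=$(dev_size "$dst")
    if [ "$dst_bytes" -lt "$src_bytes" ]; then
        echo "target is smaller than source" >&2; return 1
    fi
    # bs=4M avoids dd's slow 512-byte default; conv=fsync flushes to the
    # medium before dd exits; notrunc only matters for regular-file targets.
    dd if="$src" of="$dst" bs=4M conv=fsync,notrunc 2>/dev/null || return 1
    # Read back exactly as many bytes as the source holds and compare hashes.
    # On a real stick, re-plug it first so the read comes from the medium.
    want=$(sha256sum < "$src" | cut -d' ' -f1)
    got=$(head -c "$src_bytes" "$dst" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Usage on real hardware (run as root, after checking names with lsblk):
#   safe_clone /dev/sdX /dev/sdY
```

The wrapper can be rehearsed on image files before it is pointed at real devices, since `dev_size` falls back to the file size when the argument is not a block device.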
