Re: [Tails-dev] vpwned + greeter

Author: Jurre van Bergen
To: tails-dev
Old-Topics: Re: [Tails-dev] vpwned
Subject: Re: [Tails-dev] vpwned + greeter
On 11/02/2014 12:48 AM, intrigeri wrote:
> Hi,
>
> Jacob Appelbaum wrote (24 Jul 2014 01:16:26 GMT) :
>> I've waited a while for folks to read it and I think at this point,
>> we're at year two or so of waiting. It seems like the easy thing is to
>> simply give up and advocate for a fix with a simple patch.
> I have to admit I'm still affected by my vague memories of what I felt
> while reasoning about it two years ago, that is not being convinced
> that the attacks described in the paper were part of what Tails is
> seriously trying to protect against (as in: if an attacker can do
> that, then they possibly have other, and maybe easier ways to do it
> even if we kill access to RFC1918 addresses). Unfortunately, I've let
> it in the shape of very incomplete and not publishable notes back
> then, never came back to it, and have been feeling bad about it ever
> since. Yay.
>
> I've sent these notes to Jurre, who's recently volunteered to think
> this through. I'd love to see this happen anyway, but after two years
> of waiting for it, maybe we should stop blocking on it and move on.
> (Yes, it can take me a looong time to change my mind. You've not seen
> it all yet.)

I've thought it through, but I've been lazy and not sent out my
thoughts. Luckily, it seems that we had similar thoughts, yay.

I'm not a UX person but I see the following solution(s) living next to
each other if needed. Coming from a security point of view, I believe
it's better to enable things than to disable things. Most of our users
might not understand the risks associated with the attacks described in vpwned
and DMA-capable devices. We therefore shouldn't make them vulnerable by
default but rather by choice, and document in a clear way what the risks
associated with it are.

I'd also rather not advocate for a way to enable it throughout a session;
it's like having intercourse and deciding, gosh, we're ready to go but
we're out of condoms, but whatever, just this one time. The implications
might be for a lifetime.

1) When I boot Tails, I'm presented with an option to allow local
traffic or not.
2) When I boot Tails, I'm presented with an option to allow certain
local traffic like SSH and printing and the rest not.
3) When I boot Tails, I'm presented with an option to be able to log in
to a captive portal; only this IP is whitelisted in the firewall rules
and the rest is blocked.

I think my aim with providing these options is that when you boot a
computer, you often know what you're going to do with it or what you
want access to or not. The same would go for allowing devices which are
DMA-capable like FireWire, Thunderbolt, PCMCIA and others.

I guess that the longer you use Tails, say a couple of hours, the more
likely it *could* become that you might be targeted by an adversary. If you
would then halfway allow access to a local network, who knows what
might happen to the user or how much more likely it could become that vpwned

My 0,02 for now, I would be more than happy to hear critique!

Jurre