Re: [Tails-dev] vpwned + greeter

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] vpwned + greeter
Hi,

[given this is an old thread, I'll be quoting more widely than usual.]

anonym wrote (02 Dec 2014 13:10:53 GMT) :
> I think there are arguments both for and against allowing post-session
> security decisions (and I'm trying to be a bit more general here):


> * Pro 1: if people are frequently frustrated by some security decision,
> they will train a tendency to always pick the less secure option without
> thinking. Having to reboot to redo the decision is frustrating. Allowing
> it to happen during the session removes that frustration, and may make
> the user more happy to pick the default, more secure option.


> * Pro 2: with post-session decisions, the insecure option can be enabled
> temporarily, only when needed, reducing the duration of exposure. At
> least it is much less frustrating compared to yet another reboot. (This
> doesn't make sense in some cases, like compromised hardware with DMA
> access, which presumably would run its attack immediately.)


> * Con 1: if the Live user account is compromised during the session, the
> attacker can make these decisions, potentially deepening the compromise
> further.


> * Con 2: at least some things are much harder to implement in such a
> dynamic way (allowing/disallowing LAN ports is easy, though).


I'm curious how it is "easy" to implement this with good UX.

> I'm sure there are more pros and cons, and I think we need to identify
> these and weigh them against each other. As for the feature in question,
> I think "Pro 1" and "Pro 2" are individually stronger than "Con 1", and
> "Con 2" doesn't even apply.


It seems to me this calls for something like
https://github.com/subgraph/fw-daemon

... that now has some Debian packaging:
https://github.com/subgraph/fw-daemon/tree/debian

See
https://mailman.boum.org/pipermail/tails-dev/2015-December/009959.html
for more pointers on this topic.

I wonder if we should go directly this way, or if it's still worth
getting ourselves safer (but static) defaults, as suggested a year
ago:
https://mailman.boum.org/pipermail/tails-dev/2015-January/007820.html
+ the Gobby idea:
https://mailman.boum.org/pipermail/tails-dev/2015-January/007824.html
(the captive portal idea from this last mail makes me think we should
simply give the Unsafe Browser full access to the LAN)

Does anyone want to try out Subgraph Application Firewall (fw-daemon) in
the context of Tails?

Cheers!
--
intrigeri