Dear developers of tails,
My security infrastructure has suffered a significant setback since
you have decided to separate usb and cd images. I need a read only image
that can be booted from a read only usb stick or in my case from a
read-only sdcard used with an sdcard reader that supports write
protection. This is very important. I do not want my tails media to
become tampered whenever a singleton tails session has been cracked. It
is known that intelligence services hunt especially for tor and tails
users as anyone who uses encryption is suspicious. With todays browsers
it is very easy to crack a system for intelligence services who have
several zero days exploits by hand. Even worse when your system has
become cracked and you want to download a subsequent tor version that
download will be tampered as well. Besides this your security system
using signing with very new keys is a very bad decision. If you have to
download the key file with https the whole download is not more secure
than an arbitrary https download. The way out would be to offer
SHA512sums which can be checked independently whenever you know the iso
size. With SHA512sums you can download tails with one tails version and
then download just the SHA512sums with another tails version. Currently
I have to download the iso twice and compare both. I do not trust your
gpg keys. Even when they are new they will be cracked within a few
milliseconds if you decide to store those keys on an online machine
where you also use a browser or an email program. I do not trust your
gpg key because you have actually failed to set up a trustworthy offline
strategy which will need to be described on your homepage
tails.boum.org. Anyway I believe the SHA512sum to be the more easy,
simple and therefore also to be the more reliable tool to check the
integrity of a download. f.i. You can note the SHA512sum on a sheet of
paper (and I was regularely doing this) which is impossible for a gpg
signature. A recent download of OpenBSD showed me once more how
important download security is. The tampered download was uncovered by
sha256sums and not by the signing tool signify. Currently the only way
out for tails is to have a copy of the usb image on another read only
media and to compare after every boot (very laborious, uff!).
Unfortunately using a CD is not a real option for my case. Besides the
fact that burning new read only CDs produces a lot of litter CDs are a
way bigger and larger than sdcards. It is a fact that I need to carry
the sdcards with me as personnel from secret services used to enter my
home regularely. I have noted this by a handle of my window to be
changed very oftenly when I left (I have asserted that no one else was
at home during the time in question). Secondly I had used an offline
computer after 2011 to analyse a cracked system. One day when I came
back I found that computer with an overwritten parition table.
At least I believe that supplying a modified DVD image (which is read
only to its content) that does also boot from USB sticks by a modified
bootloader should not be that hard to do. The USB image does in a fact
boot right after the GUI dialog for selecting the language but then it
hangs on a read only medium when you want to get into the GUI for the
browser and the console.
I have prepared some material for you on my home page concerning
gpg-security and alledged problems with intelligence services (they can
easily enter your home when you take your mobile phone with you; can´t
they?):
https://www.elstel.org/CyberAttack-elstel.html.en
https://www.elstel.org/software/GnuPG-usage.html.en
Please keep me updated about any planned changes/ countermeasures for
tails!
Yours Sincerely,
Elmar Stellnberger
