Re: [T(A)ILS-dev] Specification and security design document

Author: intrigeri
Date:  
To: The T(A)ILS public development discussion list
Subject: Re: [T(A)ILS-dev] Specification and security design document
Hi,

alan@??? wrote (20 Dec 2010 22:10:24 GMT) :

> Just a few comments, even though I don't know everything about
> Tails' internals.
Thank you for such valuable input.

> 1. First, about what you call the « post-mortem analysis ». I like the
> term but I want to know whether it is a canonical term for security
> experts or something that might need a bit more explanation.
I think the keyword here is forensics. Could go instead of analysis.

> Then, apart from the threat model, the document is not very explicit
> about this issue. There might not be much to say but I think that it
> should at least be mentioned in the requirements, part 2:
> - What is required for a PELD to prevent post-mortem analysis?
> - How do we think this should be provided?
I agree, we should improve this.

> Again in part 3, while presenting the implementation we should explain
> more about what Tails does to achieve that. There is a paragraph on
> host system RAM but I guess we can find more to explain, like:
>   - I could imagine that some LiveDistros detect the swap areas and use
>     them. Do we? ;)
Hints to the one who will write this part:

- not using live-boot's swapon option
- config/chroot_local-hooks/03-noswap
- config/chroot_local-hooks/05-disable_swapon

>   - I could imagine that some LiveDistros read the disks and possibly
>     mount the available partitions automatically. Same thing.
Hints to the one who will write this part:

- grep nopersistent config/amnesia
- probably a few GConf settings in
config/chroot_local-includes/usr/share/amnesia/gconf/

>   - I wonder how Tails addresses the requirements in 2.1.2, for example
>     this one: « The usage of encrypted removable storage devices (such
>     as USB sticks) should be encouraged. »
> I think this whole post-mortem analysis thingie is the real difference
> to put forward while talking to the Tor people; bringing their privacy
> concerns further than just the Internet connection. You can be a Tor
> freak and get the same Tor configuration as Tails on your own system
> but you won't get the same post-mortem analysis protection.
I agree, we should insist a bit on this topic.

> 2. In 3.2.3, there is:
> - [cryptsetup](http://code.google.com/p/cryptsetup/) ensures storage
> encryption using [LUKS](http://en.wikipedia.org/wiki/LUKS)
> Should we rather say 'offers' instead of 'ensures'?
Agreed.

> Is Tails using LUKS if not asked to do so?
It is not.

Bye,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
| Who wants a world in which the guarantee that we shall not
| die of starvation would entail the risk of dying of boredom?
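An added audit script, not Tails' own code, that checks a booted live system for the two leaks discussed in this reply: active swap areas, and partitions of internal or plugged-in disks automounted under /media or /mnt. It assumes the live medium itself is mounted under /lib/live/mount/medium (live-boot's location) rather than an automount path, and takes file paths as parameters so the checks also run on constructed samples.

```shell
#!/bin/sh
# Added audit example, not Tails' own code: check a running live system for the
# two forensic leaks raised above (active swap, auto-mounted disk partitions).
# File paths are parameters so the checks can also run on constructed samples.

# Succeeds (exit 0) when a /proc/swaps-style file lists no swap area.
no_swap_active() {
    swaps_file="${1:-/proc/swaps}"
    # /proc/swaps has one header line; any further line is an active swap area.
    [ "$(tail -n +2 "$swaps_file" | grep -c .)" -eq 0 ]
}

# Prints disk partitions mounted under the usual automount locations
# (/media, /mnt). The live medium itself is expected elsewhere (assumption:
# live-boot mounts it at /lib/live/mount/medium), so it is not reported.
automounted_disks() {
    mounts_file="${1:-/proc/mounts}"
    awk '$1 ~ "^/dev/(sd|hd|nvme|mmcblk)" && $2 ~ "^/(media|mnt)(/|$)" {
             print $1 " mounted on " $2
         }' "$mounts_file"
}

# Succeeds when nothing was automounted from internal or plugged-in disks.
no_disk_automounted() {
    [ -z "$(automounted_disks "${1:-/proc/mounts}")" ]
}

# Runs both checks; returns non-zero if either one fails.
audit_peld() {
    swaps="${1:-/proc/swaps}"; mounts="${2:-/proc/mounts}"; status=0
    if no_swap_active "$swaps"; then
        echo "ok: no swap area active"
    else
        echo "FAIL: swap active, RAM contents may reach disk:"
        tail -n +2 "$swaps"; status=1
    fi
    if no_disk_automounted "$mounts"; then
        echo "ok: no disk partition automounted"
    else
        echo "FAIL: disk partitions automounted:"
        automounted_disks "$mounts"; status=1
    fi
    return $status
}

# Audit the live system only when asked explicitly (sh audit.sh --run).
if [ "${1:-}" = "--run" ]; then audit_peld; fi
```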