著者: Jacob Appelbaum 日付: To: tails-dev 題目: Re: [Tails-dev] Tails: pcmcia / firewire / etc.
Ague Mill: > On Fri, Oct 12, 2012 at 06:15:07PM -0700, Steve Weis wrote:
>> Hi. I booted Tails' latest release and was able to scrape memory contents
>> via FireWire. All the necessary firewire modules are enabled by default and
>> Inception worked out of the box. This would let someone root a machine
>> through, say, a daisy chained thunderbolt monitor.
>>
>> I'd either remove support from the kernel, blacklist the modules in
>> modprobe, or disable support with a boot param.
>
> We can't just do that. Tails is also meant to be a safe environment to
> produce sensitive documents. Being able to retrieve a video from a DV
> camera, edit it and send it online is a use case Tails should support.
>
I'd hardly call this safe. I mean, sure - those video people are safely
able to download videos over firewire - but for every person that does
that, how many people will be vulnerable to DMA attacks without even
having a clue about firewire?
> From the recent discussions regarding ExpressCards and the likes, it
> looks like we are moving to a common pattern of "you have 5 minutes to
> plug things on those ports that can be dangerous, otherwise, they will
> be disabled". This should work for FireWire too, even if it feels more
> cumbersome to me than for an expansion card.
>
As this is a modular kernel - is there a reason not to simply add a
"enable firewire" widget? That way everyone is secure by default and
when someone wishes to enable it, someone will be able to be notified of
the danger they have just enabled?