Re: [Tails-dev] Debian popularity contest

このメッセージを削除

このメッセージに返信
著者: adrelanos
日付:  
To: tails-dev
題目: Re: [Tails-dev] Debian popularity contest
The Debian *popularity-contest* package popcon is **disabled** Tails.

[popcon readme](http://popcon.debian.org/README) | [popcon
faq](http://popcon.debian.org/FAQ) | [popcon
bugs](http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=popularity-contest)
| [popularity contest mailing

list](http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/popcon-developers)
| [popularity contest mailing list: Drop atime and ctime for privacy

reasons
possible?](http://lists.alioth.debian.org/pipermail/popcon-developers/2012-October/002172.html)

Letting Tails users vote in popcon in a privacy friendly way is a
desirable goal. Tails has quite some users, would have some weight in
popcon and would also contribute to the estimation of Linux users
(linuxcounter). However, the obstacles of activating popcon in Tails are
too big.

Some privacy considerations and reasons why it's disabled:

* The connection would obviously need to go over it's own Tor circuit
(stream isolation). At the moment popcon tries to go through http and if
it fails (no internet connectivity) it goes into the mail queue.
(sendmail) Sendmail probable works though TransPort, but I don't know if
it can be torified for proper stream isolation.
* (From the popcon readme) "*Each popularity-contest host is identified
by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf).*" -
This would allow to enumerate a quite good guess about the amount number
of Tails users. We are not sure if boum.org or boum.org's internet
service provider could already have an insight about that or about any
other negative implications.
* MY_HOSTID would probable get created at Tails build time and all Tails
users would have the same MY_HOSTID, which would make it useless. A new
MY_HOSTID would have to be created at first boot of Tails.
* Popcon runs at a random day. Good.
* If the machine is powered on: it runs at at 6:47, which is bad,
because a local adversary (ISP or hotspot) could guess popcon runs over
Tor which would likely be a Tails user.
* If the machine as powered off at 6:47, it sends the report later, only
if anachron is installed. It shouldn't run instantly after powering on,
also for fingerprinting reasons. The time would have to be truly randomized.
* The transmission is not encrypted, see [popularity-contest should
encrypt
contents](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480860) and
it's not planed to encrypt it. Malicious Tor exit nodes could modify the
transmission, but this is only a minor issue. Such malicious Tor exit
nodes could send fake transmissions on their own.
* It's questionable if and if yes, how long Debian will accept
popularity contest transmissions from Tor exit nodes. There is potential
for electoral fraud.
* Few Live CD related issues:
    * Creating MY_HOSTID at run time for users who do not use persistence
and who do not run the system for weeks without reboot, which is assumed
to be quite a big percentage of Tails users wouldn't allow them to vote
in popcon. (That requires recent access time and older creation time of
an application.)
    * A persistent MY_HOSTID for users who do not run the system for weeks
without reboot, wouldn't help either. Even when using persistence, most
files are not persistent (binaries, /usr/bin/dpkg and so on, there is no
need for them to be persistent). Therefore the last accessed time
(atime) would be lost after reboot. Tails would have to remember and
restore the atime, which would have to be an opt-in, because it has
privacy implications.


For these reasons it's not a good idea to add popcon to Tails. If you
have suggestions or a different view, please get in contact. Without
serious amounts of help from the popcon developers or contributors it
won't happen.