Re: [Tails-ux] Prompt before compromise

Delete this message

Reply to this message
Autor: sajolida
Data:  
A: Tails user experience & user interface design
Assumpte: Re: [Tails-ux] Prompt before compromise
u:
>> We know that persistence is useful, but it can leak information.
>> For example, a machine that can automatically log into a known
>> Wi-Fi network will respond when the known SSID is broadcast by an
>> adversary. (Many other examples could be given here, and should
>> probably be explained in some detail here:
>> https://tails.boum.org/doc/first_steps/persistence/warnings/index.en.html
>> <https://tails.boum.org/doc/first_steps/persistence/warnings/index.en.html>
>> .)


Sure, your proposal sounds reasonable. Still, I'll like to work first on
identifying better which information persistence can leak. And whether
this should rather be avoided in the first place. Then only, if it
cannot be avoided and if this corresponds to a real problem, then we
should mention this to the user.

In the case of the auto-connection to the network. This was not the case
in Tails prior to version 1.1. See
https://labs.riseup.net/code/issues/7165. When switching to Tails Wheezy
we wondered whether this was a desirable feature or not. Feel free to
add more info to that ticket.

Actually, now that we have MAC spoofing enabled by default, this
auto-connection only leaks the fact that "someone" is connecting to this
network but shouldn't contain any personally identifying information.
What other threat are you worried about? Apart from the edge case of WPA
Enterprise with unique user credentials.

> I let sajolida answer as he knows the documentation very well. If
> not yet mentioned anywhere, we should open a bug on Redmine here:
> https://labs.riseup.net/code/projects/tails/issues/new
>
>> It would be interesting to design the system so that before it
>> takes actions that are known to create a risk of leaking
>> information about the user, the user gets a prompt. For example,
>> add dialogs that say “Join known Wi-Fi network <SSID>?” or “Install
>> apps AAA, BBB, and CCC?” or “Connect to printer <NAME>?”


Regarding installing apps AAA, note that this is only known by the Tor
exit node and the Debian mirror serving those packages at the exit side
of Tor, so there's no way of knowing who is doing that and where they
are. So I don't think that this is really problematic.

At most it could relate to https://labs.riseup.net/code/issues/8143. But
if I understand this ticket correctly, this relates more to installing
those apps in the first place (and possibly providing rogue packages)
than identifying who is doing this and from where.

Regarding the printer example, I don't have enough technical insight to
know if having a printer configured in persistence implies actively
probing it on start. Possibly, and if so then your workaround would be
worth exploring. That would be worth being asked on tails-dev.

Any other example?

> Although, that would mean that on every boot, I will have many
> little windows or notifications which i need to click on. This might
> be very annoying, especially if you use Tails on a daily basis.


I hope that we won't come up with *many* privacy issues with the current
persistent setup :)

--
sajolida