On Friday 03 April 2015 11:48:27 intrigeri wrote:
Hi intrigi,
> > It's also my belief that a solution be documented as soon as possible to
> > publicize to existing users on existing versions the risk and how to
> > mitigate it.
>
> Fully agreed. I believe BitingBird has added notes to this effect on
> an existing ticket, but I don't remember which one. BitingBird, will
> you take it from now on, and perhaps introduce Adam to our processes
> and tools to work on documentation?
Actually, I would like to bump this even further in the interest of full
prompt disclosure and risk minimization *right now*. This is an easy to miss
subtle information scope leak (even if transitory) and non tech adept people
are using TAILS in earnest (many if not most with large 3rd party mail
providers - the usual suspects). I think the web site should prominently
publish at least an informative warning immediately even if no tested full
mitigation exists right now.
There is enough external interest in using TAILS as publicity over deeper
vulnerability disclosures already (even those out of scope of the TAILS risk
domain).
See
http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/
Actually, I wrote to Kim about this particular article concerning scope of
this vulnerability wrt TAILS in particular and she replied:
On Wednesday 25 March 2015 21:42:46 Kim Zetter replied:
> As for why Tails was singled out, it was singled out by the
> researchers. They wanted to show how even a system that's entirely
> designed for stealth computing can be undermined. While you're right
> that other operating systems have a trusted relationship with the
> BIOS, Tails is marketed primarily for its security/privacy, whereas
> other operating systems aren't.
This is no criticism of Kim or Legbacore - I include the above in this thread
purely to underline the issue that in order to maintain the large goodwill and
trust in TAILS, an open disclosure process of existing issues must be in place
and I believe such a process is applicable to this issue. Better to say such
things out loud yourself rather than others appropriate for their own
purposes.
Shine,
Adam.
