Re: [Tails-dev] deficiency: MAT does not remove metadata fro…

Borrar esta mensaxe

Responder a esta mensaxe
Autor: sajolida
Data:  
Para: The Tails public development discussion list, christian.pietsch
Asunto: Re: [Tails-dev] deficiency: MAT does not remove metadata from images embedded in PDF
Christian Pietsch:
> Dear Tails developers,


Hi!

> as you rely on MAT, the Metadata Anonymization Toolkit, I would like
> to make you aware of a deficiency in MAT's current metadata removal
> algorithm for PDF. In short, it is non-recursive. This means it cannot
> remove metadata in images (and possibly other files) embedded in PDF
> files. Be sure to re-check output files after using MAT.


Oops!

> htgoebel who discovered this bug reported it as a feature request in
> early February <https://labs.riseup.net/code/issues/11067> but it
> received no attention until I emailed jvoisin in early May.


Thanks you for reporting this and pinging jvoisin hard enough. I also
think that's an important one.

> Until this bug is fixed, htgoebel and I think it important to educate
> Tails users about it. That is why we published an article about Tails,
> MAT and this bug on the Digitalcourage website in English and German:
> [en] https://digitalcourage.de/blog/2016/using-tails-be-careful-embedded-metadata
> [de] https://digitalcourage.de/blog/2016/sicherheitsluecke-in-mat-tails-wird-geschlossen


Great. We should look at this and discuss if we want to add this to the
known issues. I won't have time to work on this myself next week but I
try the others to decide what's most relevant.

As a general and theoretical note, we can't really afford tracking and
documenting all bugs in the upstream software that is included in Tails.
But we should also allow ourselves some exceptions when relevant. Here
for example, it's a security issue that affects some of our core use
cases so I think it's worth it.

> Digitalcourage is a privacy and digital rights NGO known for handing
> out Big Brother Awards in Germany. It also runs a Tor exit node and an
> anti-censorship DNS server. htgoebel and I are volunteers there.


We met some of you in 32C3 I think.