[Tails-dev] Risks of Additional Software feature (was Re: d…

Author: duc01k
Date:  
To: tails-dev
Old-Topics: Re: [Tails-dev] decentralized ethereum wallet
Subject: [Tails-dev] Risks of Additional Software feature (was Re: decentralized ethereum wallet)
syster via Tails-dev:
> Take in mind that installing additional software can reduce the
> security of Tails and could even deanonymize you.

This line really got me spooked. It doesn't say in the documentation
(https://tails.boum.org/doc/first_steps/additional_software/index.en.html)
that you can potentially be deanonymized by installing additional software.

I read it again after Syster's additional warning and I began to feel a
lot less comfortable with the idea of ever installing additional software.

Can a dev please confirm exactly how likely it is to be 'deanonymized'
by installing additional software? Also is it a problem inherent in
using the feature at all or is it dependent on the software a user
chooses to install?

I think the Documentation should be revised so users can be more
informed about the risks of using the Additional Software feature.

Here are the relevant statements from the Additional Software
documentation webpage:

> :Warning Sign: The packages included in Tails are carefully tested for security. Installing additional packages might break the security built in Tails, so be careful with what you install.


I think this is a fair warning to begin with because the bullet points
below are designed to provide more clarity on what the warning refers to.

> Packages that use the network need to be configured to go through Tor. They are otherwise blocked from accessing the network.


This is a good, strong statement that makes me feel comfortable
installing software that doesn't seem to have any network connection
requirements, and comfortable that software with some network connection
requirements should be blocked from the Internet by default.

> Some software might, for example, modify the firewall and break the security built in Tails. But other software like games or office tools are probably fine.


This statement is less helpful. It warns me the firewall might be
affected somehow and how dangerous this is, but it doesn't advise me how
to spot the kind of software that might do this. The way it's phrased
also makes me wonder if this is the only way software can 'break the
security built in Tails' or if there are other ways. If there are other
ways, how do I spot these types of change? Then it uses the words
'probably fine' to describe games and office tools, without helping a
user decide which games and office tools might not be 'fine'. As a user
the lack of information leaves me less comfortable using this feature.

> Software not officially included in Tails might have not been tested for security. We also cannot provide support or documentation for it.


This statement is also less helpful. What kind of 'security' does it
mean - the kind that might accidentally affect Tails (like the bullet
point above warns about) or does it refer to potential malware or just
software that needs to be secure (like a password manager) but might not
be up to a good standard? The lack of clarity makes me even less
comfortable using this feature.

> Only applications that are packaged for Debian can be installed and they are under public scrutiny.


I think this is supposed to be a statement to encourage users to feel
more comfortable using this feature after the last two bullet points,
but it's not phrased very well for that. If it began with 'However,' it
might be better.

I realize that users have to manage their own security and that there's
only so much the Tails devs can do, but the lack of information about
the risks of installing additional software leaves me as a user feeling
as though the feature shouldn't be used except as a last resort, and
even then only with crossed fingers. But then the devs often refer
people to use this feature in the mailing list and elsewhere so they
seem to feel happy it's safe. It's confusing.

Regards.

> February 12, 2021 8:02 AM, "Fanta" <fanta@???> wrote:
>     hi guys
>
>     is there any chance to see ethereum wallet with erc tokens available in tails like electrum bitcoin wallet?
>
>     that would be great
>
>     best regards
>
>
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://www.autistici.org/mailman/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to Tails-dev-unsubscribe@???.
>