Re: [Tails-dev] Risks of Additional Software feature (was Re…

Delete this message

Reply to this message
Author: duc01k
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Risks of Additional Software feature (was Re: decentralized ethereum wallet)
Opened a bug: https://gitlab.tails.boum.org/tails/tails/-/issues/18232

duc01k--- via Tails-dev:
> syster via Tails-dev:
> > Take in mind that installing additional software can reduce the
> security of Tails and could even deanonymize you.
> >
>
> This line really got me spooked. It doesn't say in the documentation
> (https://tails.boum.org/doc/first_steps/additional_software/index.en.html)
> that you can potentially be deanonymized by installing additional software.
>
> I read it again after Syster's additional warning and I began to feel a
> lot less comfortable with the idea of ever installing additional software.
>
> Can a dev please confirm exactly how likely it is to be 'deanonymized'
> by installing additional software? Also is it a problem inherent in
> using the feature at all or is it dependent on the software a user
> chooses to install?
>
> I think the Documentation should be revised so users can be more
> informed about the risks of using the Additional Software feature.
>
> Here are the relevant statements from the Additional Software
> documentation webpage:
>
>> :Warning Sign: The packages included in Tails are carefully tested for
>> security. Installing additional packages might break the security
>> built in Tails, so be careful with what you install.
>
> I think this is a fair warning to begin with because the bullet points
> below are designed to provide more clarity on what the warning refers to.
>
>> Packages that use the network need to be configured to go through Tor.
>> They are otherwise blocked from accessing the network.
>
> This is a good, strong statement that makes me feel comfortable
> installing software that doesn't seem to have any network connection
> requirements, and comfortable that software with some network connection
> requirements should be blocked from the Internet by default.
>
>> Some software might, for example, modify the firewall and break the
>> security built in Tails. But other software like games or office tools
>> are probably fine.
>
> This statement is less helpful. It warns me the firewall might be
> affected somehow and how dangerous this is, but it doesn't advise me how
> to spot the kind of software that might do this. The way it's phrased
> also makes me wonder if this is the only way software can 'break the
> security built in Tails' or if there are other ways. If there are other
> ways, how do I spot these types of change?  Then it uses the words
> 'probably fine' to describe games and office tools, without helping a
> user decide which games and office tools might not be 'fine'. As a user
> the lack of information leaves me less comfortable using this feature.
>
>> Software not officially included in Tails might have not been tested
>> for security. We also cannot provide support or documentation for it.
>
> This statement is also less helpful. What kind of 'security' does it
> mean - the kind that might accidentally affect Tails (like the bullet
> point above warns about) or does it refer to potential malware or just
> software that needs to be secure (like a password manager) but might not
> be up to a good standard? The lack of clarity makes me even less
> comfortable using this feature.
>
>> Only applications that are packaged for Debian can be installed and
>> they are under public scrutiny.
>
> I think this is supposed to be a statement to encourage users to feel
> more comfortable using this feature after the last two bullet points,
> but it's not phrased very well for that. If it began with 'However,' it
> might be better.
>
> I realize that users have to manage their own security and that there's
> only so much the Tails devs can do, but the lack of information about
> the risks of installing additional software leaves me as a user feeling
> as though the feature shouldn't be used except as a last resort, and
> even then only with crossed fingers. But then the devs often refer
> people to use this feature in the mailing list and elsewhere so they
> seem to feel happy it's safe. It's confusing.
>
> Regards.
>
>> February 12, 2021 8:02 AM, "Fanta" <fanta@???
>> (mailto:fanta@onionmail.org?to=%22Fanta%22%20<fanta@???>)>
>> wrote:
>>     hi guys
>>
>>     is there any chance to see ethereum wallet with erc tokens
>> available in tails like electrum bitcoin wallet?
>>
>>     that would be great
>>
>>     best regards
>>
>>
>> _______________________________________________
>> Tails-dev mailing list
>> Tails-dev@???
>> https://www.autistici.org/mailman/listinfo/tails-dev
>> To unsubscribe from this list, send an empty email to
>> Tails-dev-unsubscribe@???.
>>
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://www.autistici.org/mailman/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
> Tails-dev-unsubscribe@???.