I agree with this view too. We just don't have enough developer time to worry 
about this *and* progress with more productive features. Even Tor, which has 
many times more resources than us, doesn't worry about swap/etc/whatever.

The theoretical scope of freenet design is to have secure and anonymous storage 
and transfer. (Everything unknown to you) is encrypted so that you can have 
plausible deniability if your machine gets seized and examined. There is no 
difference between running a node, and never using it to actually obtain stuff 
for yourself - you're still providing "the freenet service" to others.

However, once you access data in a readable form, you've decrypted it. This is 
just like accessing anything on any other service (looking at web pages, 
reading email, etc). Your computer is going to cache it, leaving traces of what 
you've done.

In this scenario, it's up to the individual what level of security they want. 
It can only be up to the individual - only they know what they've accessed, and 
what they can get in trouble for. Security that you don't need is just a waste 
of time and resources. Also, if we spend this much time on an issue out of our 
scope we're effectively DDoSing our own development time.

So yes, we should just drop "physical security". To do it properly we'll have to 
fuck with parts of people's machines we really shouldn't be fucking with; and 
if they are that paranoid (I am) they should just encrypt their entire disks, 
which will cover non-freenet stuff too.

Obviously, we should try to make it clear (like Tor[1]) what Freenet DOES and 
DOES NOT do. "the freenet service" only tries to provide an 
anonymous/DDoS-resistant insert/request service, it doesn't try to protect you 
after you actually *get* that data.

X

[1] http://www.torproject.org/download.html.en#Warning

On 01/08/10 00:30, Steve Oliver wrote:
> That's a good point, stop worrying about the physical side of things because
> it is a bit pointless. Perhaps just recommend that the user install
> Truecrypt and refer them to the Truecrypt site, give them a strong warning
> that if their drive is not encrypted, Freenet can't actually protect them
> from physical attacks.
>
>
> On Jul 31, 2010, at 9:52 AM, xor wrote:
>
>> On Friday 30 July 2010 04:29:54 pm Matthew Toseland wrote:
>>>
>>> 1. Offer to turn on encrypted swap in the installer. Keep encrypting
>>> everything. Warn users about saving files out, and media files, and
>>> work towards playing media files in an embedded (e.g. java) player that
>>> doesn't use plaintext temp files.
>>
>> Offering to reconfigure swap to be encrypted is out of scope. And not
>> possible on Windows.
>>
>>> 2. Give up on encrypting anything on disk, and offer to install
>>> TrueCrypt if it isn't already installed.
>>
>> Offering TrueCrypt is out of scope
>>
>> I see a third option:
>>
>> 3. Realize that most users have a real LOAD of stuff on their hard disks
>> which could get them screwed. Get rid of physical security. Encrypting the
>> Freenet stuff does not help because they will use browsers which cache
>> dangerous stuff and do downloads of dangerous stuff etc. The really
>> paranoid ones will use TrueCrypt anyway. And encryption makes stuff slow.
>>
>> I mean it IS nice that we have a physical security level but I wouldn't
>> have offered that feature from the beginning on.
>>
>> If you want to be safe when your computer gets seized you absolutely have
>> to do full disk encryption, something will ALWAYS leak out otherwise.