Hi, Edward Snowden will be giving the keynote of this year's Libreplanet. I saw a video of him speaking at an IETF event, remotely. People had many questions, many technical.
So I was thinking that we, the libreboot community, could prepare a list of questions before the event. We would for instance explain what is libreboot and ask questions related to it. For instance I'm personally very interested in activists threat model, that includes resisting to targeted physical attacks. Currently, the most used setup (to my knowledge) to resist such attacks consists in: - An FSF certified computer with libreboot. - GRUB in the BIOS flash, that can open encrypted rootfs. - The full rootfs (including /boot) encrypted with LUKS. - GRUB password and nail polish/glue seals to prevent reflashing by an attacker. The idea is to create random patterns that would be hard to reproduce or restore if the seals are broken. Pictures of it are taken, and the users verifies that the pattern matches before entering the passphrase. - The laptop would be configured to prevent external connectors from providing DMA channels to the system's RAM, before the users enters the passphrase. - The embedded controller firmware is non-free, we should probably fix that. Another approach would be a chromebook-like security model combined with Tails instead of chromeOS. Unfortunately that's not implemented yet. I wondered how safe was the former kind of setup, for instance: -> Is the default aes-xts-plain64 cipher (with a 256 or 512 bit key size) resistant to malicious HDD firmware. Here the firmware would deliberately and actively try to attack the cryptography. I'm also supposing that the SATA interface won't give it access to the system's RAM, because its DMA is between the HDD and the SATA controller. I hope that there are no bugs that permits access to the system's RAM. Would authenticated cryptography affect it in any way? -> How to learn to not be able to give the HDD passphrase if we want to. Do the hands have to learn the passphrase but not the brain? And more generally: -> To what extent is the intelligence community targeting individual free software developers involved the development of privacy enhancing software. Is it always possible for such individual developer to know this is happening. To what extent does that affect the ability of such person to continue working on privacy enhancing software (where the individuals are aware of it, and when they are not)? -> What are the differences between handling the security of individual people and an organization. For instance an organization would tend to man in the middle TLS to look for data exfiltration. An individual would, on the contrary, use the tor-browser. What(between organizations and individuals) would be more efficient for activism. Here I'm assuming that surveillance makes activism less efficient. The question don't target any specific country or political system, so the answer might differ accordingly. Maybe someone has ideas to improve the list, and/or to add questions to it PS: Note that I can't come to libreplanet this year. Denis.
pgpKwGW28tzEW.pgp
Description: OpenPGP digital signature
