Re: [DNG] [ann] heads 0.0 is out!
Quoting Arnt Karlsen (a...@iaksess.no):

> ..now, can we build on heads to get a safe alternative to
> https://qubes-os.org/ ?

Pretty please? Qubes is a near-essential tool for Operations high-security work, and about the only serious design flaw is the one Arnt points to.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] [ann] heads 0.0 is out!
On Tue, 28 Feb 2017 22:21:49 +0100, Adam wrote in message <20170228212149.spuhnetb623om...@angband.pl>:

> On Tue, Feb 28, 2017 at 04:06:16PM -0500, Hendrik Boom wrote:
> > On Tue, Feb 28, 2017 at 09:12:34PM +0100, parazyd wrote:
> > > heads 0.0 is out!
> > > It finally happened and it's not vaporware!
> >
> > It's out, it's not vaporware, it boots into a VM or bare hardware
> > from USB, but...
> >
> > What Is It?
>
> Ever heard of Tails?
>
> An independent remake (not a fork!) of Tails is an awesome thing. Not
> because of details like systemd (which is really harmful only on a
> system you need to actively administer), degradation of its user
> interface because of relying on Gnome3 being also only a minor
> concern.

..the probably easier way to defeat heads, is run it on systemd hosts like https://qubes-os.org/ ;o)

..now, can we build on heads to get a safe alternative to https://qubes-os.org/ ?

--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.

Re: [DNG] [ann] heads 0.0 is out!
Christopher Clements:

> Is there really any way to be 100% sure that a project and/or team
> member is not compromised?

No. This is why 3rd party audits of the source code are important. If the source code is not fully available to everyone, then it can not be fully audited. Tails has non-free software in it, making it impossible to audit the whole thing. I don't believe that Tails has been compromised, but sunshine is the best disinfectant.

This is why Heads is exciting. From what I understand, it will have a smaller codebase (since systemd will not be included) and it will publish its entire source code to everyone. Obviously, not everyone will be able to take that source code and audit it, since that is a specialized skill, but this does give users the ability (currently in theory, but hopefully in practice in the future) to pool their money to pay for regular complete 3rd party audits that publish their complete report. If the source code can get a clean bill of health on a regular basis, then people can compile it themselves with confidence.

In the future, as with most software, the hope would be that the OS can also provide compiled binary versions with reproducible builds, so that multiple organizations can verify the integrity of the binaries that are published. In practice, this doesn't always happen in free software projects. Nonetheless, this is the path that a project can take to ensure that a piece of software has not been compromised by one or two developers that have been blackmailed or whatever else.

> Also, (no disrespect meant, just an innocent question),
> who are these types of distributions meant for, apart from
> the paranoid, whistleblowers, drug lords, and high-profile criminals?
> (Please don't think I'm lumping them all together.)

This is a common question. The answer is, and I don't mean this in a mean way, you've been brainwashed by propaganda.

https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse

Don't worry, it happens to the best of us. Please understand though, this is a logical fallacy.

https://en.wikipedia.org/wiki/Think_of_the_children

While it will take a while to deprogram yourself, I suggest that you start by watching the Tor video, which is the 5th video on this page:

http://motionensemble.de/

It has a big Tor logo on the default screenshot. Also, watch Citizen Four and read up on the Snowden revelations.

> I honestly can't think of any legitimate, ethically sound use of "extreme
> privacy" software apart from whistleblowing and sticking it to extremely
> aggressive advertisers like AT's clients.

Tor is not "extreme privacy". It is just regular privacy. If you don't agree, please tell me how you define "regular privacy". Privacy is a human right, explicitly defined in the UN Declaration of Human Rights:

"Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

But let me, for argument's sake, say that you are correct for a second. If Tor is "extreme privacy" and it is only good for whistleblowers and sticking it to "little brother", wouldn't it make it easier to catch these whistleblowers if they were the only ones using the network? It is difficult to use Tor without your service provider knowing that you use it. If they were the only ones that use it, then they would be easily targeted. If plain ol' folks use Tor regularly, they can provide cover for those who use it in desperate situations.

> As a curious "I have nothing to hide" type of guy, I'm wondering if
> there are any other legitimate reasons to use this stuff, or is it
> logical for "Big Brother" to simply add everyone who downloads Tor to
> a watchlist? (That would include me, I guess, since I've used Kali
> linux, which comes with Tor IIRC.)

Privacy is the ability to choose what you reveal to the world. While you may not have anything to hide, you have the human right to decide what you reveal about yourself to the world.

Big Brother and Little Brother are working together to create dossiers on everyone on the planet. This isn't paranoia. This has been well reported and only refuted by those who haven't been paying attention to the news. Here's a TLDR version:

https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29

This is only one program of a shockingly large number of programs that utilize centralized technology to map out people's entire lives and social networks. When you say that you don't understand why someone would take moderate steps, by using a slightly more difficult to use operating system for example, to balance the overwhelming amount of illegal warrantless surveillance by nation states and megacorps is naive.

> Once again, these are just questions. I am not saying I'm against
> "extreme privacy" stuff, I'm just curious; please don't fire me out of a
> cannon into the

Re: [DNG] [ann] heads 0.0 is out!
Quoting Christopher Clements (bcn...@gmail.com):

> Is there really any way to be 100% sure that a project and/or team
> member is not compromised?

Surprisingly, sometimes interesting discussions about security are possible after the newcomer establishes that the answer to this basic question is always and everywhere 'no', in order to get it out of the way.

> I honestly can't think of any legitimate, ethically sound use of "extreme
> privacy" software apart from whistleblowing and sticking it to extremely
> aggressive advertisers like AT's clients.

Do you have drapes (or equivalent) in your bedroom windows? ;->

Re: [DNG] [ann] heads 0.0 is out!
On Tue, Feb 28, 2017 at 10:21:49PM +0100, Adam Borowski wrote:

> On Tue, Feb 28, 2017 at 04:06:16PM -0500, Hendrik Boom wrote:
> > On Tue, Feb 28, 2017 at 09:12:34PM +0100, parazyd wrote:
> > > heads 0.0 is out!
> > > It finally happened and it's not vaporware!
> >
> > It's out, it's not vaporware, it boots into a VM or bare hardware from USB, but...
> >
> > What Is It?
>
> Ever heard of Tails?
>
> An independent remake (not a fork!) of Tails is an awesome thing. Not because of details like systemd (which is really harmful only on a system you need to actively administer), degradation of its user interface because of relying on Gnome3 being also only a minor concern.
>
> The big reason are rumours about Tails being infiltrated by US bad guys, and backdoored. Those rumours may be or may not be true -- I seriously hope they are not -- but there's no way to prove a negative. If I was a spook, taking over a Tails developer would be a really, really high on my list of priorities, and it's not that hard to recruit/bribe/threaten the family of/hack/etc one of a team. Conversely, if I was a spook but failed at that task, I'd badmouth Tails to make potential dissidents fear using it...
>
> Thus, a from-scratch remake gives a chance to avoid either the risk of Tails being really subverted, or false allegations of it being subverted.

... but what keeps heads from having the same problem? Is there really any way to be 100% sure that a project and/or team member is not compromised?

Also, (no disrespect meant, just an innocent question), who are these types of distributions meant for, apart from the paranoid, whistleblowers, drug lords, and high-profile criminals? (Please don't think I'm lumping them all together.)

I honestly can't think of any legitimate, ethically sound use of "extreme privacy" software apart from whistleblowing and sticking it to extremely aggressive advertisers like AT's clients.

As a curious "I have nothing to hide" type of guy, I'm wondering if there are any other legitimate reasons to use this stuff, or is it logical for "Big Brother" to simply add everyone who downloads Tor to a watchlist? (That would include me, I guess, since I've used Kali linux, which comes with Tor IIRC.)

Once again, these are just questions. I am not saying I'm against "extreme privacy" stuff, I'm just curious; please don't fire me out of a cannon into the sun or something. (I'm a filesystems guy, not a communications guy.)

--
GPG Key: 0769 AFCF 681E F61E 2137 F4CB 5044 1726 610D 5AE0

Re: [DNG] [ann] heads 0.0 is out!
On Tue, Feb 28, 2017 at 04:06:16PM -0500, Hendrik Boom wrote:

> On Tue, Feb 28, 2017 at 09:12:34PM +0100, parazyd wrote:
> > heads 0.0 is out!
> > It finally happened and it's not vaporware!
>
> It's out, it's not vaporware, it boots into a VM or bare hardware
> from USB, but...
>
> What Is It?

Ever heard of Tails?

An independent remake (not a fork!) of Tails is an awesome thing. Not because of details like systemd (which is really harmful only on a system you need to actively administer), degradation of its user interface because of relying on Gnome3 being also only a minor concern.

The big reason are rumours about Tails being infiltrated by US bad guys, and backdoored. Those rumours may be or may not be true -- I seriously hope they are not -- but there's no way to prove a negative. If I was a spook, taking over a Tails developer would be a really, really high on my list of priorities, and it's not that hard to recruit/bribe/threaten the family of/hack/etc one of a team. Conversely, if I was a spook but failed at that task, I'd badmouth Tails to make potential dissidents fear using it...

Thus, a from-scratch remake gives a chance to avoid either the risk of Tails being really subverted, or false allegations of it being subverted.

--
⢀⣴⠾⠻⢶⣦⠀ Meow!
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Collisions shmolisions, let's see them find a collision or second
⠈⠳⣄ preimage for double rot13!

Re: [DNG] [ann] heads 0.0 is out!
On Tue, 28 Feb 2017, Hendrik Boom wrote:

> On Tue, Feb 28, 2017 at 09:12:34PM +0100, parazyd wrote:
> > heads 0.0 is out!
> > It finally happened and it's not vaporware!
>
> It's out, it's not vaporware, it boots into a VM or bare hardware
> from USB, but...
>
> What Is It?

You continue looking at the website :p

https://heads.dyne.org/
https://heads.dyne.org/about.html

--
~ parazyd
GPG: 0333 7671 FDE7 5BB6 A85E C91F B876 CB44 FA1B 0274

Re: [DNG] [ann] heads 0.0 is out!
On Tue, Feb 28, 2017 at 09:12:34PM +0100, parazyd wrote:

> heads 0.0 is out!
> It finally happened and it's not vaporware!

It's out, it's not vaporware, it boots into a VM or bare hardware from USB, but...

What Is It?

-- hendrik

>
> heads 0.0 is a preview live CD of what heads is going to be about.
> This release is not intended to be used from a security point of
> view, but as a showcase and testing point of view.
>
> I am not even completely sure everything is torified, but hey,
> that's what testing is for, no?
>
> So please, download the ISO from the downloads link in the above
> navbar and abuse the hell out of it :)
>
> Throughout a certain period, bugs will be fixed within the build
> system, and patched releases will be released without announcement.
> So check regularly for 0.0.x releases on the downloads page...
>
> But first, read some notes on it all:
>
> Booting the ISO can be done with some virtualization like qemu or
> VirtualBox, or it can be dd-ed to a USB flash drive and booted on
> a laptop. It can be burned to optical media as well.
>
> The MATE desktop environment is not yet included in this release,
> only AwesomeWM is installed. You can install other environments
> easily by yourself.
>
> When booted, you will be presented with instructions on how to
> login, and start a graphical environment. Keep in mind the root
> password is shown only once and you will have to reboot if you
> lose access to it.
>
> https://heads.dyne.org/download/
>
> --
> ~ parazyd
> GPG: 0333 7671 FDE7 5BB6 A85E C91F B876 CB44 FA1B 0274

[DNG] [ann] heads 0.0 is out!
heads 0.0 is out!
It finally happened and it's not vaporware!

heads 0.0 is a preview live CD of what heads is going to be about. This release is not intended to be used from a security point of view, but as a showcase and testing point of view.

I am not even completely sure everything is torified, but hey, that's what testing is for, no?

So please, download the ISO from the downloads link in the above navbar and abuse the hell out of it :)

Throughout a certain period, bugs will be fixed within the build system, and patched releases will be released without announcement. So check regularly for 0.0.x releases on the downloads page...

But first, read some notes on it all:

Booting the ISO can be done with some virtualization like qemu or VirtualBox, or it can be dd-ed to a USB flash drive and booted on a laptop. It can be burned to optical media as well.

The MATE desktop environment is not yet included in this release, only AwesomeWM is installed. You can install other environments easily by yourself.

When booted, you will be presented with instructions on how to login, and start a graphical environment. Keep in mind the root password is shown only once and you will have to reboot if you lose access to it.

https://heads.dyne.org/download/

--
~ parazyd
GPG: 0333 7671 FDE7 5BB6 A85E C91F B876 CB44 FA1B 0274