Re: [DNG] Airwalled updating

2018-05-08 Thread Florian Zieboll
On Sun, 6 May 2018 12:11:14 -0700
spiralofhope  wrote:

> There's another stage of paranoia, where the offline box cannot have..
> 
>   - audio (possibly inaudible signals?, unresearched)
>   - USB functionality (radio transmission, demonstrated)


USB is interesting also from another point of view, as a rogue USB
device (like the thumb drive or hard disk used for the transfer of
updates and "legitimate" files) could be used to infect the offline
machine with malware and, after that, as a hidden channel to transfer
data from and to that machine.


libre Grüße,

Florian


-- 
  \
   \\
\ \
|  |
  /  \
 |   ILS SONT FOUS|
 |CES ROMAINS!|
  \__/



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Airwalled updating

2018-05-06 Thread spiralofhope
On Sun, 6 May 2018 12:37:12 +0200
Florian Zieboll  wrote:

> I just found that the "offline" documentation in the apt-doc package,
> 
> /usr/share/doc/apt-doc/offline.html/index.html

Confirmed, thanks a lot.  I see 1.0.9.8.4, copyright 1999 though.


---


> For all three solutions I am wondering, at which stage (i.e. on which
> machine: online or offline) the integrity of the packages (and of the
> release file!) gets checked.

I have this same concern.

Part of the reason for airwalling is security, but I figure that since
data only goes in, then it's not too much of a concern if packages are
untrustworthy, so long as they don't corrupt local data (backups, duh),
have upgrades break functionality (gtk+ menu item underlining, I'm
looking at you), and it remains offline no matter what.

There's another stage of paranoia, where the offline box cannot have..

  - audio (possibly inaudible signals?, unresearched)
  - USB functionality (radio transmission, demonstrated)
  - .. and whatever concerns still relevant from TEMPEST (unresearched)

Additional offline-access concerns exist (encryption is done, but also
compromised peripherals), but that's not my focus at this point.

I just find this gap to be as sensible a practice as having a bedroom
in a house separate from an office downtown; be social out in the
world, with some quaint assumptions of privacy, yet maintain some sort
of more-actual privacy with works created, maintained or otherwise
stored offline.

-

People paste chapters of their books-in-progress into online grammar
checkers.  Hell (and I don't have any), people actually keep sex tapes
on their _phones_ ..


Re: [DNG] Airwalled updating

2018-05-06 Thread Florian Zieboll
On Sat, 5 May 2018 18:16:42 -0700
spiralofhope  wrote:


> That's likely the direction I'll go in, although I do see there are
> others interested in such endeavours:
> 
>   https://dev1galaxy.org/viewtopic.php?id=746


Hello, Hope-Bender^^

I just found that the "offline" documentation in the apt-doc package,
referenced by Miroslav in his "2017-07-15 22:59" edit, provides two
simple possibilities of keeping an airwalled machine updated without the
help of extra software:

/usr/share/doc/apt-doc/offline.html/index.html

For all three solutions I am wondering, at which stage (i.e. on which
machine: online or offline) the integrity of the packages (and of the
release file!) gets checked. But it's too sunny a day (and not enough
reason for me to paranoia) to find out now :-)

libre Grüße,

Florian


-- 
  \
   \\
\ \
|  |
  /  \
 |   ILS SONT FOUX|
 |CES ROMAINS!|
  \__/
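
Added example (not part of the original thread, and not code from apt or apt-offline): the integrity question raised in the message above comes down to a hash chain that the offline machine can re-check itself, from the Release file to the Packages index to each .deb. The sketch assumes the Release signature has already been verified; all sample data is constructed.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text):
    """Index path -> (sha256, size) from the SHA256: section of a Release file."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            in_section = False
    return out

def package_hashes(packages_text):
    """Pool Filename -> (sha256, size) from the stanzas of a Packages index."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[f["Filename"]] = (f["SHA256"], int(f["Size"]))
    return out

def matches(data, expected):
    digest, size = expected
    return len(data) == size and sha256_hex(data) == digest

def verify_chain(release_text, index_path, packages, deb_path, deb):
    """Return 'ok' or the first broken link. Assumes the Release signature
    was already verified (e.g. with gpgv against the archive keyring)."""
    idx = release_hashes(release_text).get(index_path)
    if idx is None or not matches(packages, idx):
        return "Packages index does not match Release"
    pkg = package_hashes(packages.decode()).get(deb_path)
    if pkg is None or not matches(deb, pkg):
        return "package does not match Packages index"
    return "ok"

# Constructed sample data (not a real archive or package).
INDEX = "main/binary-amd64/Packages"
DEB_PATH = "pool/main/h/hello/hello_1.0_amd64.deb"
DEB = b"constructed stand-in for a .deb file"
PACKAGES = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n").encode()
RELEASE = (f"Suite: constructed\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX}\n")
print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
```

Because every link is checked against data already on the offline side, a package altered on the online machine or on the transfer medium fails the last comparison.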





Re: [DNG] Airwalled updating (apt-offline)

2018-05-05 Thread spiralofhope
re. apt-offline:

  http://rickysarraf.github.io/apt-offline/
  https://github.com/rickysarraf/apt-offline

I found old notes.  I have to audit this project, then it'll be here:

  https://github.com/spiralofhope/shell-random/tree/master/live/apt-offline

Those notes will be old and possibly broken until I take another pass
at it when I install the upcoming Devuan ascii.


Re: [DNG] Airwalled updating

2018-05-05 Thread spiralofhope
On Sun, 6 May 2018 00:55:10 +0200
Florian Zieboll  wrote:

> Not actively, but I used to use the apt-offline tool with Debian for a
> while - and it worked, IIRC, well and quite simply.

I did some looking, and confirmed that I had been using apt-offline.[1]
I hunted it down and found that it's still an active project:

  http://rickysarraf.github.io/apt-offline/
  https://github.com/rickysarraf/apt-offline

--

That's likely the direction I'll go in, although I do see there are
others interested in such endeavours:

  https://dev1galaxy.org/viewtopic.php?id=746

--

[1] It didn't note a website in its README.  How.. odd.


Re: [DNG] Airwalled updating

2018-05-05 Thread Florian Zieboll
On Sat, 5 May 2018 15:00:34 -0700
spiralofhope  wrote:

> I had airwalled [1] updating working on Debian variants (Lubuntu at
> least) some years ago, and I intend to pursue it again once ascii is
> out (or if I use the beta).
> 
> I searched this mailing list and did not find any topical
> conversation. Is anyone here actively doing such a thing?


Not actively, but I used to use the apt-offline tool with Debian for a
while - and it worked, IIRC, well and quite simply.

Libre Grüße,

Florian


-- 
  \
   \\
\ \
|  |
  /  \
 |   ILS SONT FOUX|
 |CES ROMAINS!|
  \__/





Re: [DNG] Airwalled updating

2018-05-05 Thread golinux

On 2018-05-05 17:00, spiralofhope wrote:

> I had airwalled [1] updating working on Debian variants (Lubuntu at
> least) some years ago, and I intend to pursue it again once ascii is
> out (or if I use the beta).
>
> I searched this mailing list and did not find any topical conversation.
> Is anyone here actively doing such a thing?
>
> -
>
> I have some old scripts that I borrowed from then-quiet projects, and
> it all ought to work still.
>
> Pretty simple stuff:
>
>   1. offline:  run offline-script, generate log
>   2. online:   bring offline-script log
>   3. online:   run online-script, referencing offline-log, download
>                packages
>   4. offline:  bring packages, update packages
>
> (I don't know my stuff, but I get the impression that if all my tools
> were broken, I could eventually re-create this process myself.)
>
> --
>
>   [1] https://en.wikipedia.org/wiki/Air_gap_%28networking%29
>   This is the sneakernet updating of an offline box:
>   https://en.wikipedia.org/wiki/Sneakernet



On the dev1galaxy forum miroR has written extensively about airgapping.
That's all way beyond me but you might find something interesting there.


golinux