Re: [Tails-dev] TAILS amd64 3.13 boot issue

2019-04-02 Thread Peter N. Glaskowsky
Perhaps even more significantly, you’re booting from a Sandisk 16GB what?

Is it a USB stick, an SD card, or something else?

The X200’s SD card slot is not bootable. It has to be initialized by the OS; 
the BIOS can’t do it.

If you use a USB to SD card adapter, it will probably boot, but it won’t be as 
convenient.

I use an X200 for Tails myself, but I use a USB stick instead.

Best,

. png

> On Apr 2, 2019, at 8:56 AM, segfault  wrote:
> 
> Hi,
> 
> Ron HulduNet - GM:
>> amd64 3.13
>> 
>> Lenovo Thinkpad X200 Tablet
>> 
>> Sandisk 16GB
>> 
>> 
>> Starts booting then stops at
>> BusyBox <...>
>> 
>> (initramfs) Unable to find a medium containing a live file system
> 
> how did you install Tails? Did you use the .iso or the .img? And did
> Tails fail to boot every time or did it work the first time?
> 
> Cheers
> ___
> Tails-dev mailing list
> Tails-dev@boum.org 
> https://www.autistici.org/mailman/listinfo/tails-dev 
> 
> To unsubscribe from this list, send an empty email to 
> tails-dev-unsubscr...@boum.org .


Re: [Tails-dev] Regarding position

2019-03-12 Thread Peter N. Glaskowsky
I hope I don’t have to tell any of you DON’T OPEN THIS FILE.

.   png

> On Mar 12, 2019, at 2:39 PM, Angie Pirkle  wrote:
> 
> How's your day going?
> My name is Angie Pirkle and I'm interested in a job.
> 
> I've attached a copy of my resume.
> The password for the document is 1234
> 
> 
> Looking forward to hearing back from you!
> 
> --
> Angie Pirkle

Re: [Tails-dev] boot tails iso with grub

2019-01-25 Thread Peter N. Glaskowsky

> On Jan 25, 2019, at 2:10 AM, intrigeri  wrote:
> 
> I'd much rather see us work on
> making "installing and running Tails on an internal hard drive"
> a first-class citizen: it would benefit much more people.

I agree! As I’ve been saying for many years now. :-)

And the other thing I’ve been saying is that HD-resident Tails would be 
especially useful if it works on a Windows tablet, as there are still many of 
these priced around US $100. Such machines are cheap enough and small enough to 
act as companion devices for people who also have laptops.

While I’m thinking about it, it would be useful if Tails, while running from a 
hard disk, could still respond to the sudden removal of a USB flash drive in 
the usual way. The drive shouldn’t have to have anything on it, nor should it 
be necessary to mount it. Ideally, any kind of USB device connected to an 
external port should also be usable (a keyboard or mouse, for example). It 
should be enough to select a USB device from a panel icon so that the memory 
erasure procedure is triggered by a surprise removal.

Best regards,

. png


Re: [Tails-dev] boum

2016-08-18 Thread Peter N. Glaskowsky
> On Aug 18, 2016, at 02:45, Austin English  wrote:
> 
> I could see that, but I figured it better to respond than it lead to a 'loss 
> by default'.
> 

Quite reasonable. As long as no one tries to transact any business with him, 
there won't be any serious problems.

He might start spamming (or sell the email address to spammers) now that he 
knows the list is open, but we can deal with that if it happens.

Best,

.  png
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Adding KeepassX to Tails Startup; can it be done!

2016-02-29 Thread Peter N. Glaskowsky

> On Feb 28, 2016, at 11:31 PM, m...@riseup.net wrote:
> ...
> The first “C.L.P.P.S” password should be one the End-user has memorized. From 
> there they can either open the tails persistent volume or they can open a 
> second  C.L.P.P.S Database.  From there the password that opens the 
> persistent volume should be in upwards of ten to twenty thousand characters.

If a short password is used to unlock a keychain that contains a longer 
password,

A) the net security of the system is still constrained by the entropy in the 
short password, and

B) there is absolutely ZERO benefit to storing a long password in text form 
that will immediately be hashed down to a binary key for a bulk cipher. Just 
store the binary key.

Best regards,

.  png


Re: [Tails-dev] Hacking Team looking at Tails

2015-07-13 Thread Peter N. Glaskowsky
I can’t think of any obvious reason this shouldn’t be detectable. Attach a 
suspect USB stick, do not mount it, and compute secure hashes of the partitions.

If the Tails installer doesn’t reliably create consistent partitions, that’s 
something to consider fixing, if it can be fixed.

Even then, we could use an emulator to walk through the boot process on the 
suspect USB stick and see if any code gets executed that isn’t part of Tails.

.png

> On Jul 13, 2015, at 1:24 AM, intrigeri <intrig...@boum.org> wrote:
> 
> Hi,
> 
> [redirecting this discussion to tails-dev@boum.org, which is more
> suitable for this discussion => please drop tor-talk@ from the list of
> recipients when replying -- thanks!]
> 
> I wrote (12 Jul 2015 13:06:15 GMT) :
> https://wikileaks.org/hackingteam/emails/emailid/25607#efmBTaBTh
> 
> Below research points remain outstanding ... 
> 
> VECTORS · Offline: [...]
> 
> by translate.google.com but obviously not precise but concerning nonetheless.
> 
> I got a translation made by a native speaker who's skilled in this
> area, quoting it below with my notes+todo inline.
> 
> $native_speaker wrote:
> [EN] Below the feature that will be deployed for RCS10. The release is
> expected for [... not sure what does it means ...] (October)
> 
> VECTORS:
> 
> Offline:
> o   Infection of bootable usb keys from UEFI (Antonio)$ The infected usb
> key will drop (release) a scout itself.
> 
> This seems to mean that a corrupted UEFI firmware would modify a Tails
> device plugged in the machine to infect it. To me it looks like it's
> part of Tails can't protect against compromised hardware, modulo
> nitpicking wrt. whether firmware is software (which is correct
> strictly speaking), or a mere part of the computer hardware (which is
> also correct, from the PoV of a Tails system, as it's pre-existing to
> Tails starting). We have WIP to clarify our documentation in
> this respect.
> 
> o   Infecting USB device which appears to be a bootable disk (Antonio +
> Giovanni)§ It will drop (release) the scout, then it will run
> a wipe.
> 
> Seems to be the same, but from a running and already infected
> non-Tails OS, when a Tails USB stick is plugged in it. That's more
> concerning. We should check if we're communicating clearly enough
> that:
> 
> * the OS used to install or upgrade a Tails device can corrupt it
> * plugging one's Tails device in an untrusted OS is dangerous
> 
> o   Infection of Tails USB (Antonio)$ The infection will occur at runtime
> 
> This seems to mean a running Tails infecting its boot device.
> Totally unclear if they had any remote idea of how to implement that,
> back then. Not much we can do about it that is not on our hardening
> milestone already, I guess.
> 
> o   New NTFS driver for UEFI infection (Antonio)
> o   Persistent infection also on OSX and signed UEFI (Antonio)
> 
> Network Injection:
> o   New set of external antennas for the TNI (Andrea)
> o   Creation of a mini-TNI (Andrea)$ transportable by a drone, without
> any melting constraints
> o   Creation of a micro-TNI (Andrea)$ HW of a mobile $ It will have a
> subset of the functionality
> 
> Cheers,
> --
> intrigeri
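One way to implement the check described at the top of this message (read the suspect stick without mounting it, hash the partitions, compare against a known-good stick), added here as an example and not code from the thread or from Tails. It assumes a GPT-partitioned stick with 512-byte sectors, goes slightly beyond the message by also hashing LBA 0 because boot code there sits outside every partition, and runs on a constructed in-memory image; all function names are illustrative.

```python
import hashlib
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def gpt_partitions(dev):
    """Return [(number, byte_offset, byte_length)] from the primary GPT (CRCs not checked)."""
    dev.seek(SECTOR)
    hdr = dev.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)
    count, size = struct.unpack_from("<II", hdr, 80)
    dev.seek(entries_lba * SECTOR)
    table = dev.read(count * size)
    parts = []
    for i in range(count):
        entry = table[i * size:(i + 1) * size]
        if len(entry) < 48 or entry[:16] == bytes(16):  # all-zero type GUID: unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        parts.append((i + 1, first * SECTOR, (last - first + 1) * SECTOR))
    return parts

def sha256_region(dev, offset, length, chunk=1 << 20):
    """SHA-256 of `length` raw bytes starting at `offset`, read in chunks."""
    digest = hashlib.sha256()
    dev.seek(offset)
    while length:
        buf = dev.read(min(chunk, length))
        if not buf:
            raise OSError("device ended before the partition did")
        digest.update(buf)
        length -= len(buf)
    return digest.hexdigest()

def fingerprint(dev):
    """Hash LBA 0 (boot code lives outside any partition) and every partition."""
    result = {"lba0": sha256_region(dev, 0, SECTOR)}
    for number, offset, length in gpt_partitions(dev):
        result[f"part{number}"] = sha256_region(dev, offset, length)
    return result

def differing_regions(reference, suspect):
    """Names of regions whose hashes differ or that exist on only one side."""
    return sorted(k for k in reference.keys() | suspect.keys()
                  if reference.get(k) != suspect.get(k))

def make_sample_image(boot_code=b"\xeb\xfe", fs_data=b"live filesystem"):
    """Constructed 32 KiB GPT image with one partition at LBA 8-23 (sample data only)."""
    img = bytearray(64 * SECTOR)
    img[:len(boot_code)] = boot_code
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<Q", img, SECTOR + 72, 2)        # entry array at LBA 2
    struct.pack_into("<II", img, SECTOR + 80, 4, 128)  # 4 entries of 128 bytes
    img[2 * SECTOR:2 * SECTOR + 16] = b"\x01" * 16     # constructed type GUID
    struct.pack_into("<QQ", img, 2 * SECTOR + 32, 8, 23)
    img[8 * SECTOR:8 * SECTOR + len(fs_data)] = fs_data
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # On real media, open the whole device read-only instead, e.g. open("/dev/sdX", "rb").
    good = fingerprint(make_sample_image())
    bad = fingerprint(make_sample_image(fs_data=b"live filesystem + extra code"))
    print(differing_regions(good, bad))
```

Only regions that should be byte-identical across installs are meaningful to compare; a partition holding user data will differ by design.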

Re: [Tails-dev] Hide internal drives when no admin password has been entered

2015-06-12 Thread Peter N. Glaskowsky
> On Jun 11, 2015, at 9:38 PM, tail...@ruggedinbox.com wrote:
> 
> Please see this feature request in the Tails repository “Local storage 
> devices displayed- Tails DVD no admin” 
> (https://labs.riseup.net/code/issues/9554) where intrigeri suggested raising 
> this issue on the mailing list.
> 
> The basic premise being that hiding the internal drives in working in what I 
> call safe mode (booting with no admin privileges) to be more consistent 
> with Tails’ goals and objectives of consistency than it is to show them.


From a UX perspective, I am curious what the reasoning is behind the policy of 
associating access to local storage devices with the entry of an arbitrary 
admin password.

In reality, there is no particular connection there. We can presume someone 
somewhere has the legal or moral authority to access the internal drives, but 
we have no basis to conclude that the current user is or is not authorized.

This gives us two failure modes from one policy: A) an authorized user fails to 
gain access because he or she did not enter an admin password; B) an 
unauthorized user gains access by entering an admin password.

Because the policy connects unrelated concepts, it can also mislead users. 
Someone might boot Tails without an admin password, not see the local drives, 
and assume that because Tails is a security-oriented OS, it never shows 
internal drives. Or someone might assume that Tails is like other Linux live 
distros that always give access to internal drives based on booting once with 
an admin password.

I’m also curious whether internal storage devices are truly locked out if the 
current user didn’t enter an admin password. Is it just that we don’t 
auto-mount the filesystems, or is it more secure than that?

I think I’d prefer that we adopt a policy of not displaying the presence of (or 
auto-mounting) internal drives regardless of whether an admin password is 
entered at boot time.

If a password has been entered, we should provide an admin-only function, 
whether in the GUI or on the command line, or both, that allows users to 
discover and mount these drives.

If no password has been entered, this function should not be operable.

This solution avoids associating unrelated concepts and largely eliminates the 
potential for confusion.

I’m entirely willing to have my mind changed by better arguments, of course. :-)

.   png


Re: [Tails-dev] Hide internal drives when no admin password has been entered

2015-06-12 Thread Peter N. Glaskowsky

> On Jun 12, 2015, at 2:03 AM, intrigeri <intrig...@boum.org> wrote:
> 
> Hi Peter,
> 
> thanks for your input. Sadly, this discussion was erroneously started
> on tails-dev@, while it should have been started on tails-ux@ => let's
> wait for tail...@ruggedinbox.com to start it again in the right place,
> and then please resend your reply in that new thread. Sorry for
> the inconvenience.

Ah, you’re right! I should have checked. Thanks for letting me know, and yes, 
I’ll re-post.

Best,

.   png

Re: [Tails-dev] Truly Random Mac Changer

2015-05-08 Thread Peter N. Glaskowsky

> On May 8, 2015, at 10:20 AM, intrigeri <intrig...@boum.org> wrote:
> 
> Source Valley wrote (08 May 2015 16:55:50 GMT) :
>> There are countless examples I can think of where one might need a truly 
>> random mac changer, here is just one example: If I'm sitting in a coffee 
>> shop and I'm the only one with a Unique first 3 octet wifi card, then it 
>> wouldn't be too difficult to reveal who I am.
> 
> I don't understand. May you please clarify?

I assume this is the usual issue that someone observing the network can look up 
an OUI, here for example:

https://www.wireshark.org/tools/oui-lookup.html

and if it turns out to be distinctive— for example, used only in certain 
Dell-branded laptops— it could potentially identify the user if he or she is 
the only user with such a machine in the coffee shop at that moment.

Instead of completely randomizing the OUI, it may be better to select one 
randomly from a list of commonly-used OUIs.

But since wireless activity is usually correlated with keyboard use, it may not 
take long for an observer to correlate a given MAC address with a particular 
user unless some amount of random masking activity is generated. (Does Tails do 
this? Should it?)

If the observer notices that the actual MAC address is inconsistent with the 
user’s hardware, it may raise suspicions. Changing only the device-specific 
portion of the MAC address avoids this issue.

. png

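The three spoofing strategies weighed in this message, side by side with what each leaves visible to an observer; this is an added example, not code from the thread or from Tails. The function names are illustrative, and the OUI pool and the "real" address are constructed values standing in for a list of commonly used prefixes and a card's burned-in address.

```python
import secrets

def parse_mac(text):
    """'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' -> 6 raw bytes."""
    octets = bytes(int(part, 16) for part in text.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    return octets

def format_mac(octets):
    return ":".join(f"{b:02x}" for b in octets)

def fully_random():
    """All six octets random, then fixed up to be a valid unicast address.

    Bit 0 of the first octet (multicast) is cleared; bit 1 (locally
    administered) is set, which is itself visible to an observer.
    """
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & 0xFC) | 0x02
    return format_mac(raw)

def random_from_pool(oui_pool):
    """OUI drawn from a list of common prefixes, random device-specific part."""
    oui = bytes(int(part, 16) for part in secrets.choice(oui_pool).split(":"))
    return format_mac(oui + secrets.token_bytes(3))

def keep_oui(real_mac):
    """Keep the card's own OUI; randomize only the last three octets."""
    return format_mac(parse_mac(real_mac)[:3] + secrets.token_bytes(3))

def observer_view(mac):
    """What the first octets give away to someone watching the network."""
    raw = parse_mac(mac)
    return {
        "oui": format_mac(raw[:3]),
        "locally_administered": bool(raw[0] & 0x02),
        "multicast": bool(raw[0] & 0x01),
    }

# Constructed values standing in for a list of commonly used OUIs.
SAMPLE_OUI_POOL = ["00:11:22", "00:aa:bb", "04:cc:dd"]

if __name__ == "__main__":
    real = "00:11:22:33:44:55"  # constructed address
    for label, mac in [("fully random", fully_random()),
                       ("OUI from pool", random_from_pool(SAMPLE_OUI_POOL)),
                       ("keep own OUI", keep_oui(real))]:
        print(f"{label:14} {mac} {observer_view(mac)}")
```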

Re: [Tails-dev] Tails-like system for tablets

2015-04-13 Thread Peter N. Glaskowsky

>> Consumer tablets are cheap enough that we should be
>> thinking in terms of devoting the machine to Tails by installing the OS
>> to the internal storage rather than a USB or SD card. 
> 
> That is true. I think the hope was you could have a stock looking
> device, which you could switch into this mode for specific tasks, and
> then somehow switch out of it. Having a permanent TAILS device doesn't
> quite match the way people think of what TAILS is/does today. However, I
> agree we shouldn't get stuck on the boot device issue, and especially
> since there are  $100 tablets without base bands, asking people to have
> a dedicated device for something like this, is not a big deal.

And of course it’s just an option. An external boot device would still be 
preferred by many people.

> Otherwise, as mentioned in another thread, I think there is also a great
> possibility to focus on getting the actual current TAILS stack running
> on a Windows 8/10 compatible tablet, as opposed to some sort of
> semi-TAILS based on Android.

Right. That’s what I’m advocating, especially right now while these Bay Trail 
tablets are being so heavily subsidized by Intel. There’s just a bit of work to 
be done.

.png


Re: [Tails-dev] Tails-like system for tablets

2015-04-11 Thread Peter N. Glaskowsky

> On Apr 11, 2015, at 12:11 PM, Jeff Burdges <burd...@gmail.com> wrote:
> 
> I skimmed the “TAILS Mobile via USB or dual-boot” thread : 
> https://mailman.boum.org/pipermail/tails-dev/2014-January/004632.html
> 
> Ignoring momentarily questions about USB boot : 
> 
> Can we even secure a mobile device at the application, OS, and network level? 

My question is, why do we want to secure the _device_? Given that Tails is 
“amnesiac and incognito” already, it seems to me that all we need is to secure 
_user data_ when the user is not physically securing the device. And of course 
it should be up to the user to decide what standard of physical security 
applies, which means we should provide options for user convenience features 
like PIN-based screen lock and device sleep (so users don’t have to enter a 
cryptographically strong password each time they return from a short break). 
Some users would rather have more security and less convenience; that’s fine. 
Some would rather bias the other way, and we should give them what they want, 
too.

> Afaik, there are four candidate mobile Linux distributions :  Ubuntu Touch, 
> Sailfish OS, Android/Replicant, and maybe FireFox OS.  I suppose iptables 
> could be used to restrict internet access to specific users on any of them, 
> but that’s only the beginning.

I’m not even sure user identity is something we need to keep track of. There 
isn’t multi-user support in Android or iOS as usually implemented. We could do 
something clever like check a Persistence password against multiple Persistence 
partitions to see if it matches any of them, I suppose.

I see that in other comments on that older thread, Thomas Benjamin (tomb at 
cryptocracy.net) and others were discussing boot 
devices. Consumer tablets are cheap enough that we should be thinking in terms 
of devoting the machine to Tails by installing the OS to the internal storage 
rather than a USB or SD card. Obviously this requires a new user interface 
feature to trigger a sudden shutdown and memory wipe, but that isn’t difficult; 
it seems likely we could capture a Home+Volume-Down combo keypress. And in 
truth we don’t actually need to wipe the memory if critical user data is kept 
in encrypted RAM; we only need to wipe the key.

Tails doesn’t yet have boot-time touchscreen support, and there are some other 
issues to be worked through, but I haven’t seen any show stoppers. Most of this 
work has already been done on other distributions and shouldn’t be too 
difficult to bring into Tails.

So in summary I think Tails is already 98% ready to be a mobile OS like the 
ones you mentioned, and once ready, it would deliver a uniquely valuable user 
experience that would attract a much larger audience than it does today.

.  png


Re: [Tails-dev] TAILS on Windows Tablets?

2015-03-19 Thread Peter N. Glaskowsky
> On Mar 19, 2015, at 9:38 AM, intrigeri <intrig...@boum.org> wrote:
> 
> Hi Nathan,
> 
> Nathan of Guardian wrote (19 Mar 2015 15:52:18 GMT) :
>> Has anyone tried booting TAILS on this new class of cheap Windows 8.1
>> tablets?
> 
> Peter (Cc'd) has sent us some reports about it on tails...@boum.org
> (sic), some of it having also landed on
> https://labs.riseup.net/code/issues/6064#note-8 and further notes.

Basically, some Bay Trail tablets can get to GRUB readily enough, but it’ll 
take some more work to make them boot Tails.

>> It seems viable and cheap. I haven't picked one up yet, but plan to
>> shortly.
> 
> Same here: https://tails.boum.org/blueprint/UEFI/32-bit/#hardware
> (mostly as part of adding support for 32-bit UEFI, but also to start
> getting some feeling of the amount of work needed to make Tails work
> on x86 touch devices -- I'm always asked about such things)
> 
> My main fear is that it's still unclear which ones of those devices
> can cold-boot from USB, as opposed to starting Windows and then using
> the 'boot from USB' feature. I'll warmly welcome any report about
> it :)

My interest is in dedicating one of these tablets to Tails by installing the OS 
on the internal hard disk. They’re certainly cheap enough (under $70 delivered 
for the WinBook TW700) to make that a reasonable option for almost anyone.

That would require minor changes to the Tails installer so we can boot once 
from a USB flash drive or a USB DVD drive, then aim the installer at the 
internal storage. This makes the cold-boot question a non-issue and frees up a 
USB port while the system is running.

Most of these tablets have only one USB OTG port, which is also the only 
charging port, which is inconvenient for Tails running from USB. The user would 
have to set up a USB hub before booting in order to access a second USB device 
while running Tails, and simultaneous charging is generally not possible.

Fortunately the TW700 has two USB ports, which is a huge advantage here, but 
it’s the only one I know of that does.

I took some time today to go through the Bay Trail tablets I own to confirm 
which of them can cold-boot from USB:

Dell Venue 8 7000, a Bay Trail tablet with Android: Not yet.

The default configuration apparently has no way to boot from USB, but this web 
page:

http://unlock-bootloader.info/mp3-0/dell-venue-8-7000-6714.html

describes a procedure for unlocking the device’s bootloader, which might 
eventually make it possible to boot something other than Android. But it would 
probably take a lot of work.

HP Stream 8: Sort of.

Hold down Vol-, press Power for about a second, and release Vol- when the boot 
options screen comes up. That screen gives access to a Boot Device Options 
menu, BIOS Setup, and other functions. There’s even a nice little on-screen 
keyboard that shows all the keys necessary to use these screens. But…

When you get into the Boot Options Menu, you can select Boot from EFI File and 
push the soft Enter key… and then, with a Tails boot drive, it goes to a File 
Explorer screen to allow the user to choose between booting from the Tails 
volume and the NO VOLUME LABEL volume on the USB thumb drive. But there’s no 
way to press Enter! The Stream 8 has a capacitive Windows button on the bezel, 
and that just isn’t active at this point. There isn’t a timeout autoselect for 
the first (presumably correct) option, either.

Of course this all works fine if you hooked up an OTG-Type A adapter cable, a 
USB hub, your USB thumb drive, and a keyboard. But who wants to go through all 
that??

I’m sure this could be fixed in software, but it wouldn’t be worth creating a 
custom boot method just for one tablet.

Toshiba Encore 2: Yes.

With the machine cold, hold down the Vol+ button, then hold down the Power 
button, until the boot selection menu appears. Select the desired boot device 
and press the Windows key.

WinBook TW700: Yes, but…

The only way I’ve found to cold-boot the TW700 from USB is to configure the 
UEFI BIOS to put “USB HD” above the Windows Boot Manager or the internal eMMC 
storage. Then the USB device needs to be in the Type A port, not the Micro USB 
OTG port. Once those changes are made, the tablet will boot from USB without 
pushing any buttons, and you can still use the OTG port to power the tablet 
while running from Tails or other live USB OS. So this is a usable solution, 
and arguably superior to the other tablets for those who expect to use Tails 
more-or-less exclusively.

I’ve added these notes to https://labs.riseup.net/code/issues/6064 as well.

.  png
