Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-28 Thread segfault
Joanna Rutkowska:
> On Sat, Aug 27, 2016 at 06:54:10PM +, segfault wrote:
> The added value would be ensuring the unused portion of the disk blocks
> (occupied by the Tails partition) are not populated with some random garbage,
> which might be e.g. user's previous (unencrypted) content, such as... family
> pictures ;)

Ok, but data leakage and verification are different problems IMO. In the
tails-verifier I did not try to prevent data leakage or the other
possibility of using unverified parts as a hidden channel (which could
be used by malware), but only focus on modifications which could alter
the behavior of Tails (i.e. changes in boot code or files).
I think preventing data leakage and hidden channels is also desirable,
but because of the behavior of flash drives you mentioned, I think it is
hard to guarantee this.

> Generally, I think the Tails installer should at least ask the user to wipe the
> disk with 'dd if=/dev/zero'. Admittedly, because of wear leveling mechanisms
> this might not be effective, because AFAIU modern flash memories would include
> (X*size) of the actual physical storage in order to expose (size) bytes of
> storage to the host, where X > 1.

Right, so `dd if=/dev/zero` would not always protect from data leakage.
So I tend to disagree that we should do this in Tails Installer, because
it would make the installation process slower and might give a wrong
feeling of security.

> But perhaps if the wiping were repeated N times, where N = ceiling (X), with
> random content this time (in order to fool any optimizations by the device),
> then it should be fine?

Would this guarantee that every byte was overwritten? Wouldn't it be
possible that the same (size) bytes get overwritten multiple times but
the (X-1)*size other bytes stay the same?

Cheers
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-28 Thread Joanna Rutkowska
On Sat, Aug 27, 2016 at 06:54:10PM +, segfault wrote:
> Hi,
> 
> somehow I missed this thread, just noticed it right now.
> 
> intrigeri:
> > Hi,
> >
> > thanks Joanna for raising this topic!
> >
> > I've just thought about it a little bit and I see no technical reason
> > that prevents us from resetting all timestamps in the filesystem to
> > some fixed value that depends only (if at all) on the version of Tails
> > being installed/upgraded, during some late stage of the
> > installation process.
> 
> I think you're right. I did not test if the modification date is indeed
> the only thing that differs, but I think Joanna is right, I don't see
> anything else that should differ. This would also make tails-verifier
> less complex, because we wouldn't have to look at each file but can
> check the whole partition at once, like Joanna suggested (although the
> file verification is not the complex part).
> 

The added value would be ensuring the unused portion of the disk blocks
(occupied by the Tails partition) are not populated with some random garbage,
which might be e.g. user's previous (unencrypted) content, such as... family
pictures ;)

Generally, I think the Tails installer should at least ask the user to wipe the
disk with 'dd if=/dev/zero'. Admittedly, because of wear leveling mechanisms
this might not be effective, because AFAIU modern flash memories would include
(X*size) of the actual physical storage in order to expose (size) bytes of
storage to the host, where X > 1. 

But perhaps if the wiping were repeated N times, where N = ceiling (X), with
random content this time (in order to fool any optimizations by the device),
then it should be fine?

Cheers,
joanna.
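An added illustration of the exchange between these two messages (Joanna's proposal of N = ceiling(X) random-content passes and segfault's question, in the reply at the top of this page, whether the same (size) bytes could simply be overwritten N times while the other (X-1)*size bytes keep their content). It is a constructed toy model written for this page, not code from anyone on the thread and not a description of any real device: the `ToyFlash` class, its two free-block policies and the block counts are all assumptions. The controller exposes `logical_blocks` to the host but owns ceil(x * logical_blocks) physical blocks, every one of which starts out holding some earlier content, and it never rewrites a block in place. Whether N full passes replace every physical block then depends only on which spare block the controller hands out next, something the host cannot observe: with FIFO reuse N = ceil(X) passes suffice in this model, with LIFO reuse one stale block survives any number of passes.

```python
import math
from collections import deque


class ToyFlash:
    """Constructed, idealized flash controller (assumption for this example).

    The host sees `logical_blocks` addressable blocks; the device owns
    ceil(x * logical_blocks) physical blocks, x > 1. Every physical block is
    assumed to hold some earlier content at the start. A host write never
    updates a block in place: it goes to a free physical block, and the block
    that previously backed that logical address is returned to the free pool
    unerased, so its old content survives until the pool hands it out again.
    """

    def __init__(self, logical_blocks, x, policy="fifo"):
        if x <= 1:
            raise ValueError("model needs over-provisioning, i.e. x > 1")
        if policy not in ("fifo", "lifo"):
            raise ValueError("policy must be 'fifo' or 'lifo'")
        self.policy = policy
        self.physical_blocks = math.ceil(x * logical_blocks)
        # logical block i is initially backed by physical block i
        self.mapping = list(range(logical_blocks))
        # the spare blocks form the free pool; all of them still hold old data
        self.free = deque(range(logical_blocks, self.physical_blocks))
        self.overwritten = [False] * self.physical_blocks

    def write(self, lba):
        """Host writes one logical block. The data written is irrelevant to the
        question of which physical block receives it, so it is not modelled."""
        target = self.free.popleft() if self.policy == "fifo" else self.free.pop()
        self.overwritten[target] = True
        self.free.append(self.mapping[lba])  # the old copy becomes a stale spare
        self.mapping[lba] = target

    def untouched(self):
        """Physical blocks whose pre-wipe content the host never replaced."""
        return [b for b, done in enumerate(self.overwritten) if not done]


def passes_suggested(x):
    """N = ceiling(X), the pass count proposed in the thread."""
    return math.ceil(x)


def untouched_after_wipe(logical_blocks, x, passes, policy):
    """Run `passes` full host-visible overwrites and count the physical blocks
    that still hold pre-wipe content."""
    dev = ToyFlash(logical_blocks, x, policy)
    for _ in range(passes):
        for lba in range(logical_blocks):
            dev.write(lba)
    return len(dev.untouched())


if __name__ == "__main__":
    x, size = 1.5, 4
    n = passes_suggested(x)
    for policy in ("fifo", "lifo"):
        left = untouched_after_wipe(size, x, n, policy)
        print(f"{policy}: {n} passes over {size} logical blocks, x={x}: "
              f"{left} physical block(s) never overwritten")
```

With x = 1.5 and four logical blocks the device owns six physical blocks; two FIFO passes reach all six, while under LIFO the same spare is handed out and returned every time and one block of old content is never touched, however many passes the host runs.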



Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-27 Thread segfault
Hi,

somehow I missed this thread, just noticed it right now.

intrigeri:
> Hi,
>
> thanks Joanna for raising this topic!
>
> I've just thought about it a little bit and I see no technical reason
> that prevents us from resetting all timestamps in the filesystem to
> some fixed value that depends only (if at all) on the version of Tails
> being installed/upgraded, during some late stage of the
> installation process.

I think you're right. I did not test if the modification date is indeed
the only thing that differs, but I think Joanna is right, I don't see
anything else that should differ. This would also make tails-verifier
less complex, because we wouldn't have to look at each file but can
check the whole partition at once, like Joanna suggested (although the
file verification is not the complex part).

>
> And it would be nice if tails-verifier looked at filesystem metadata
> as well as files content, if it doesn't yet. I bet it's cheaper to add
> this check than to prove that it's not needed :)

I can't find a source which explicitly states this, but I'm pretty sure
the modification date is the only file metadata available in unix' vfat
(besides the size, which is also checked with the hash sum). See for
example the full list of attributes in the FAT32 directory table [1] and
this short paragraph in Wikipedia about unix' vfat driver [2].

[1]
https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Directory_entry
[2] https://en.wikipedia.org/wiki/FAT_filesystem_and_Linux#vfat

Currently I don't compare the dates, because they differ from the ones
on the ISO, so the verification would fail.

Cheers

Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-24 Thread Random User
On Mon, Aug 8, 2016, at 03:32 PM, Joanna Rutkowska wrote:
> Hello,
> 
> Is there any special reason why the partition where Tails installs itself
> is non-deterministic? It is thanks to differing timestamps on the
> filesystem.

What you have asked about sounds at least similar to an issue I had
reported on this list a while back. I had reported that the checksums
(sha256, sha1, md5, etc.) of the Tails partition (on USB, created by dd)
no longer matched that of the Tails ISO from which said partition was
written. I say "no longer" because there had been a time when these
values did match. That changed at some point with one of the releases
and the change remained for an extended period, through a number of
releases. Then, I believe with the latest release, Tails 2.5, the hashes
for the ISO and the partition of the installation written from the ISO
(via dd, on USB) once again were the same.

The cause of these changes remains a mystery to me.

> This poses a problem for a prudent user who would like to be able to
> verify Tails integrity, e.g. by typing:
> 
> dd if=/dev/sda1 | sha1sum

How is that different from "sha1sum /dev/sdX*"?

Isn't your version just a lengthier and less simple means of achieving
the identical end: obtaining the checksum of a given partition (in this
case, the sha1 of the partition that Tails installed itself on). Perhaps
I am missing something?

*X for the specific device value, which will obviously change

> This might be especially useful if one uses the stick on various
> computers and would like to verify if her USB stick holding Tails
> installs hasn't been modified (e.g. by a malicious BIOS).

Or (and this is obviously applicable even when one always uses his Tails
device on the same computer) that the Tails partition itself was not
altered by a remote attacker (such as while one was online using Tails)
or even a local attacker (such as while one's Tails stick was left
unattended-- even if within a secured space, unless one can somehow be
sure that no one unauthorized entered said space). 

Now, of course, this means of verification is still possible even when
the hash of the (verified) ISO does /not/ match that of the partition
created from same ISO-- providing that one made sure to record the hash
of the Tails partition right after creating it (before using it for the
first time and before leaving the device it is contained-on unattended).
But when the checksums of the Tails partition match those of the ISO
that said partition was created from, then one has the additional
advantage of knowing that the actual writing/installation itself was
completed without error or corruption.   

> Yes, I'm aware that the first sector of the disk (/dev/sda) would still
> differ thanks to different partition sizes.

Right, meaning that an attacker in whatever form (including a
compromised BIOS or other hardware component) could leave the Tails
partition itself untouched, yet alter another section of the device.
 
What I therefore do, in addition to recording the checksum of the Tails
partition that I created from the ISO (/dev/sdX), is to /also/ record
the checksum of the /entire device/ (USB stick). In this way, I can
presumably be reasonably certain that my stick has not been tampered
with by verifying, at any given time (such as after using it or after
leaving it unattended) that the checksum for the full-device (/dev/sdX)
still matches the one I recorded just after installing Tails on it.

/Persistence/, of course, presents an exception to this; obviously, one
cannot expect the checksum for the persistence partition not to change
with each and every change, no matter how small and insignificant, that
the user makes to said partition. 

Having noted that, however, I must /also/ mention an experience I recall
with a USB stick that I had created, with a persistence partition, using
Tails Installer. If I recall correctly, I had found that after each use
of this USB stick to boot and run Tails, the hash for the persistence
partition would change-- /even when I had NOT enabled persistence (or
otherwise consciously accessed the persistence partition) for that
session. Although I do not know the reason for this behavior, I suspect
that it somehow may be very much related to the topic that Ms. Rutkowska
created this thread about.

Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-10 Thread intrigeri
Hi,

thanks Joanna for raising this topic!

I've just thought about it a little bit and I see no technical reason
that prevents us from resetting all timestamps in the filesystem to
some fixed value that depends only (if at all) on the version of Tails
being installed/upgraded, during some late stage of the
installation process.

And it would be nice if tails-verifier looked at filesystem metadata
as well as files content, if it doesn't yet. I bet it's cheaper to add
this check than to prove that it's not needed :)

Cheers,
-- 
intrigeri
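An added example for two points made in this thread: segfault's observation (in his reply of 2016-08-27) that timestamps are the file metadata in the FAT directory table that differ between installs, and intrigeri's suggestion above of resetting them to a fixed value. It is written for this page and is not tails-verifier or Tails Installer code. It parses a 32-byte FAT short-name directory entry at the field offsets of the FAT specification, decodes all three timestamp groups the entry carries (creation, last access, last write), and produces a normalized copy in which those fields are replaced by a fixed value, so that two entries differing only in timestamps hash identically while a change to name, attributes, first cluster or size still shows. VFAT long-file-name entries (attribute 0x0F) carry no timestamps and are passed through unchanged. The `make_entry` helper, the sample entries and the fixed date 1980-01-01 00:00:00 are constructed for the example.

```python
import hashlib
import struct

ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F
# Offset 14 onward, in FAT specification field order:
# CrtTime, CrtDate, LstAccDate, FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
TAIL_FMT = "<HHHHHHHI"


def encode_date(year, month, day):
    """FAT date word: 7 bits year-1980, 4 bits month, 5 bits day."""
    return ((year - 1980) << 9) | (month << 5) | day


def encode_time(hour, minute, second):
    """FAT time word: 5 bits hour, 6 bits minute, 5 bits second/2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def decode_date(word):
    return (1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)


def decode_time(word):
    return (word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2)


def make_entry(name, ext, attr, first_cluster, size, wrt_date, wrt_time,
               crt_date=0, crt_time=0, crt_tenth=0, acc_date=0):
    """Constructed helper (not part of any real tool): build one short-name entry."""
    entry = bytearray(ENTRY_SIZE)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = attr
    entry[13] = crt_tenth                       # CrtTimeTenth
    struct.pack_into(TAIL_FMT, entry, 14, crt_time, crt_date, acc_date,
                     first_cluster >> 16, wrt_time, wrt_date,
                     first_cluster & 0xFFFF, size)
    return bytes(entry)


def parse_entry(entry):
    """Decode the content fields and the three timestamp groups of one entry."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    (crt_time, crt_date, acc_date, clus_hi,
     wrt_time, wrt_date, clus_lo, size) = struct.unpack_from(TAIL_FMT, entry, 14)
    return {
        "name": entry[0:8].decode("ascii").rstrip(),
        "ext": entry[8:11].decode("ascii").rstrip(),
        "attr": entry[11],
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
        "created": (decode_date(crt_date), decode_time(crt_time), entry[13]),
        "accessed": decode_date(acc_date),
        "written": (decode_date(wrt_date), decode_time(wrt_time)),
    }


FIXED_DATE = encode_date(1980, 1, 1)  # constructed fixed value for normalization
FIXED_TIME = encode_time(0, 0, 0)


def normalize_entry(entry, date=FIXED_DATE, time=FIXED_TIME):
    """Return a copy with every timestamp field set to the fixed value, so the
    remaining bytes depend only on name, attributes, location and size."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    if entry[11] == ATTR_LONG_NAME:
        return bytes(entry)  # VFAT long-name pieces carry no timestamps
    out = bytearray(entry)
    out[13] = 0                                   # CrtTimeTenth
    struct.pack_into("<HH", out, 14, time, date)  # CrtTime, CrtDate
    struct.pack_into("<H", out, 18, date)         # LstAccDate
    struct.pack_into("<HH", out, 22, time, date)  # WrtTime, WrtDate
    return bytes(out)


def directory_digest(entries):
    """SHA-256 over the normalized entries of one directory table."""
    h = hashlib.sha256()
    for entry in entries:
        h.update(normalize_entry(entry))
    return h.hexdigest()
```

Normalizing in the verifier (as here) and resetting the timestamps on disk (as intrigeri suggests) are two routes to the same comparison; the on-disk reset additionally makes a plain hash of the whole partition reproducible.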

Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-10 Thread sajolida
bertagaz:
> [ Ignoring some kind of private answer sent here although it doesn't
> belong to this list. ]
> 
> On Mon, Aug 08, 2016 at 09:32:17PM +0200, Joanna Rutkowska wrote:
>> Is there any special reason why the partition where Tails installs itself is
>> non-deterministic? It is thanks to differing timestamps on the filesystem.
>>
>> This poses a problem for a prudent user who would like to be able to verify
>> Tails integrity, e.g. by typing:
>>
>> dd if=/dev/sda1 | sha1sum
>>
>> This might be especially useful if one uses the stick on various computers and
>> would like to verify if her USB stick holding Tails installs hasn't been
>> modified (e.g. by a malicious BIOS). Yes, I'm aware that the first sector of the
>> disk (/dev/sda) would still differ thanks to different partition sizes.
> 
> Good question. Did you try and find out that only timestamps were
> different? If it is, good news: that means it may not be so hard to fix.
> Would be nice if you could post your data on our bug tracker
> (https://labs.riseup.net/code/projects/tails).
> 
> So far we've been focusing on tails-verifier (ticket #7496, waiting for
> review...) for people to check their install, so I don't remember if we
> explored this.

Exactly. The technicalities of this are way over my head but I think
that segfault already investigated all of this while working on Tails
Verifier [1] so he should be the one to talk to.

But if I remember correctly, he's super busy with other things right now
so maybe don't expect a quick answer (in the meantime, looking at the
code might help).

[1]: https://labs.riseup.net/code/issues/7496

Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-08 Thread bertagaz
Hi,

[ Ignoring some kind of private answer sent here although it doesn't
belong to this list. ]

On Mon, Aug 08, 2016 at 09:32:17PM +0200, Joanna Rutkowska wrote:
> Is there any special reason why the partition where Tails installs itself is
> non-deterministic? It is thanks to differing timestamps on the filesystem.
>
> This poses a problem for a prudent user who would like to be able to verify
> Tails integrity, e.g. by typing:
> 
> dd if=/dev/sda1 | sha1sum
>
> This might be especially useful if one uses the stick on various computers and
> would like to verify if her USB stick holding Tails installs hasn't been
> modified (e.g. by a malicious BIOS). Yes, I'm aware that the first sector of the
> disk (/dev/sda) would still differ thanks to different partition sizes.

Good question. Did you try and find out that only timestamps were
different? If it is, good news: that means it may not be so hard to fix.
Would be nice if you could post your data on our bug tracker
(https://labs.riseup.net/code/projects/tails).

So far we've been focusing on tails-verifier (ticket #7496, waiting for
review...) for people to check their install, so I don't remember if we
explored this.

Bert.

Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-08 Thread Spencer

Hi,

drwhax:
> sexual attention.

It is very hurtful to have my intentions decided for me ):

If the snip of code wasn't enough context: I am a fan of dd hacks (:

And as was said to emmapeel privately, love is for everybody XD

I love you, too.

Wordlife,
Spencer




Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-08 Thread drwhax
> Hi,
>
>> Joanna Rutkowska:
>> dd if=/dev/sda1 | sha1sum
>
> I love you XD
>
> Wordlife,
> Spencer

Spencer,

I'll do this publicly, this is against our code of conduct, see
https://tails.boum.org/contribute/working_together/code_of_conduct/

Please refrain from unwanted sexual attention.

Sorry Joanna :(

Best,
Jurre

Re: [Tails-dev] Why Tails partition is non-deterministic?

2016-08-08 Thread Spencer

Hi,

Joanna Rutkowska:
> dd if=/dev/sda1 | sha1sum

I love you XD

Wordlife,
Spencer




[Tails-dev] Why Tails partition is non-deterministic?

2016-08-08 Thread Joanna Rutkowska
Hello,

Is there any special reason why the partition where Tails installs itself is
non-deterministic? It is thanks to differing timestamps on the filesystem.

This poses a problem for a prudent user who would like to be able to verify
Tails integrity, e.g. by typing:

dd if=/dev/sda1 | sha1sum

This might be especially useful if one uses the stick on various computers and
would like to verify if her USB stick holding Tails installs hasn't been
modified (e.g. by a malicious BIOS). Yes, I'm aware that the first sector of the
disk (/dev/sda) would still differ thanks to different partition sizes.

Thanks,
joanna.
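An added example (written for this page, not code from any participant in the thread) of the verification routine described by Joanna's `dd if=/dev/sda1 | sha1sum` above and by Random User's practice, earlier in this thread, of recording the checksum of both the Tails partition and the whole device right after installation. It hashes a device image by region (first sector, Tails partition, persistence partition), compares the Tails partition alone against the ISO hash, since the first sector is expected to differ, and on a later check reports which regions changed while skipping the persistence partition, whose checksum is expected to move. The image layout, sector counts and region names are constructed for the example; `demo()` builds a throw-away image in a temporary directory, so nothing here touches a real device.

```python
import hashlib
import os
import tempfile

SECTOR = 512


def hash_range(fileobj, offset, length, algorithm="sha256", chunk=1 << 20):
    """Hash `length` bytes starting at `offset`, reading in chunks so that a
    real device node could be processed without loading it into memory."""
    h = hashlib.new(algorithm)
    fileobj.seek(offset)
    remaining = length
    while remaining:
        buf = fileobj.read(min(chunk, remaining))
        if not buf:
            raise EOFError(f"region ended {remaining} bytes early")
        h.update(buf)
        remaining -= len(buf)
    return h.hexdigest()


def record_baseline(path, regions, algorithm="sha256"):
    """regions: {name: (offset, length)} -> {name: hexdigest}."""
    with open(path, "rb") as f:
        return {name: hash_range(f, off, ln, algorithm)
                for name, (off, ln) in regions.items()}


def verify(path, regions, baseline, ignore=(), algorithm="sha256"):
    """Return the names of regions whose digest no longer matches the baseline,
    skipping regions (e.g. persistence) that are expected to change."""
    current = record_baseline(path, regions, algorithm)
    return sorted(name for name in baseline
                  if name not in ignore and current[name] != baseline[name])


def build_demo_image(path):
    """Constructed stick image: one MBR sector, a 'Tails' partition that is a
    byte-for-byte copy of a constructed stand-in ISO, and a persistence partition."""
    iso = bytes(range(256)) * (64 * SECTOR // 256)   # 64 sectors of stand-in ISO content
    mbr = b"\x00" * (SECTOR - 2) + b"\x55\xAA"      # boot signature only, no real table
    persistence = b"\xEE" * (32 * SECTOR)
    with open(path, "wb") as f:
        f.write(mbr)
        f.write(iso)
        f.write(persistence)
    regions = {
        "mbr": (0, SECTOR),
        "tails": (SECTOR, len(iso)),
        "persistence": (SECTOR + len(iso), len(persistence)),
    }
    return iso, regions


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "stick.img")
        iso, regions = build_demo_image(path)
        baseline = record_baseline(path, regions)
        # The partition, not the whole device, is what the ISO hash can be compared with.
        iso_matches = baseline["tails"] == hashlib.sha256(iso).hexdigest()
        # Simulate a session that wrote to persistence plus a change to the MBR.
        with open(path, "r+b") as f:
            f.seek(regions["persistence"][0] + 100)
            f.write(b"\x01")
            f.seek(0x1BE)              # first partition-table slot inside the MBR
            f.write(b"\x80")
        changed_ignoring_persistence = verify(path, regions, baseline,
                                              ignore=("persistence",))
        changed_all = verify(path, regions, baseline)
    return iso_matches, changed_ignoring_persistence, changed_all


if __name__ == "__main__":
    print(demo())
```

On a real stick the region table would be read from the partition table rather than constructed, and the baseline digests kept somewhere the stick itself cannot alter; the comparison logic is unchanged.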

