Re: [Tails-dev] Why Tails partition is non-deterministic?
Joanna Rutkowska:
> On Sat, Aug 27, 2016 at 06:54:10PM +, segfault wrote:
> The added value would be ensuring the unused portion of the disk blocks
> (occupied by the Tails partition) are not populated with some random garbage,
> which might be e.g. user's previous (unencrypted) content, such as... family
> pictures ;)

Ok, but data leakage and verification are different problems IMO. In the
tails-verifier I did not try to prevent data leakage or the other possibility
of using unverified parts as a hidden channel (which could be used by malware),
but only focus on modifications which could alter the behavior of Tails (i.e.
changes in boot code or files). I think preventing data leakage and hidden
channels is also desirable, but because of the behavior of flash drives you
mentioned, I think it is hard to guarantee this.

> Generally, I think the Tails installer should at least ask the user to wipe
> the disk with 'dd if=/dev/zero'. Admittedly, because of wear leveling
> mechanisms this might not be effective, because AFAIU modern flash memories
> would include (X*size) of the actual physical storage in order to expose
> (size) bytes of storage to the host, where X > 1.

Right, so `dd if=/dev/zero` would not always protect from data leakage. So I
tend to disagree that we should do this in Tails Installer, because it would
make the installation process slower and might give a wrong feeling of
security.

> But perhaps if the wiping were repeated N times, where N = ceiling (X), with
> random content this time (in order to fool any optimizations by the device),
> then it should be fine?

Would this guarantee that every byte was overwritten? Wouldn't it be possible
that the same (size) bytes get overwritten multiple times but the (X-1)*size
other bytes stay the same?

Cheers

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Why Tails partition is non-deterministic?
On Sat, Aug 27, 2016 at 06:54:10PM +, segfault wrote:
> Hi,
>
> somehow I missed this thread, just noticed it right now.
>
> intrigeri:
> > Hi,
> >
> > thanks Joanna for raising this topic!
> >
> > I've just thought about it a little bit and I see no technical reason
> > that prevents us from resetting all timestamps in the filesystem to
> > some fixed value that depends only (if at all) on the version of Tails
> > being installed/upgraded, during some late stage of the
> > installation process.
>
> I think you're right. I did not test if the modification date is indeed
> the only thing that differs, but I think Joanna is right, I don't see
> anything else that should differ. This would also make tails-verifier
> less complex, because we wouldn't have to look at each file but can
> check the whole partition at once, like Joanna suggested (although the
> file verification is not the complex part).
>

The added value would be ensuring the unused portion of the disk blocks
(occupied by the Tails partition) are not populated with some random garbage,
which might be e.g. user's previous (unencrypted) content, such as... family
pictures ;)

Generally, I think the Tails installer should at least ask the user to wipe the
disk with 'dd if=/dev/zero'. Admittedly, because of wear leveling mechanisms
this might not be effective, because AFAIU modern flash memories would include
(X*size) of the actual physical storage in order to expose (size) bytes of
storage to the host, where X > 1.

But perhaps if the wiping were repeated N times, where N = ceiling (X), with
random content this time (in order to fool any optimizations by the device),
then it should be fine?

Cheers,
joanna.
Re: [Tails-dev] Why Tails partition is non-deterministic?
Hi,

somehow I missed this thread, just noticed it right now.

intrigeri:
> Hi,
>
> thanks Joanna for raising this topic!
>
> I've just thought about it a little bit and I see no technical reason
> that prevents us from resetting all timestamps in the filesystem to
> some fixed value that depends only (if at all) on the version of Tails
> being installed/upgraded, during some late stage of the
> installation process.

I think you're right. I did not test if the modification date is indeed
the only thing that differs, but I think Joanna is right, I don't see
anything else that should differ. This would also make tails-verifier
less complex, because we wouldn't have to look at each file but can
check the whole partition at once, like Joanna suggested (although the
file verification is not the complex part).

> And it would be nice if tails-verifier looked at filesystem metadata
> as well as files content, if it doesn't yet. I bet it's cheaper to add
> this check than to prove that it's not needed :)

I can't find a source which explicitly states this, but I'm pretty sure the
modification date is the only file metadata available in unix' vfat (beside
the size, which is also checked with the hash sum). See for example the full
list of attributes in the FAT32 directory table [1] and this short paragraph
in wikipedia about unix' vfat driver [2].

[1] https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Directory_entry
[2] https://en.wikipedia.org/wiki/FAT_filesystem_and_Linux#vfat

Currently I don't compare the dates, because they differ from the ones on the
ISO, so the verification would fail.

Cheers
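The point made above, that a FAT directory entry carries nothing but timestamps besides the name, size and cluster pointers, can be turned into a verification step: the following Python is an added example (not code from tails-verifier or the Tails project) that masks every timestamp field of a short-name directory entry before hashing, so two installs that differ only in timestamps yield the same digest. Field offsets follow the FAT32 directory entry layout cited in [1]; the sample entries are constructed by hand and the function names are this example's own.

```python
import hashlib
import struct

ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F  # VFAT long-name entries carry no timestamps
# (offset, length) of each timestamp field in a 32-byte short-name entry:
# creation time tenths, creation time, creation date, last-access date,
# write time, write date (FAT32 directory entry layout, see [1] above)
TIMESTAMP_FIELDS = [(13, 1), (14, 2), (16, 2), (18, 2), (22, 2), (24, 2)]


def fat_date(year, month, day):
    """Pack a calendar date the way FAT stores it (year relative to 1980)."""
    return ((year - 1980) << 9) | (month << 5) | day


def fat_time(hour, minute, second):
    """Pack a time of day the way FAT stores it (2-second resolution)."""
    return (hour << 11) | (minute << 5) | (second // 2)


def make_entry(name, size, first_cluster, date, time):
    """Build a constructed short-name entry for a regular file (attr 0x20)."""
    assert len(name) == 11  # 8.3 name, space padded
    return struct.pack("<11sBBBHHHHHHHI", name, 0x20, 0, 0,
                       time, date, date, first_cluster >> 16,
                       time, date, first_cluster & 0xFFFF, size)


def normalise_entry(entry):
    """Zero every timestamp field; leave LFN, free and end-of-dir slots alone."""
    if entry[0] in (0x00, 0xE5) or entry[11] == ATTR_LONG_NAME:
        return entry
    buf = bytearray(entry)
    for offset, length in TIMESTAMP_FIELDS:
        buf[offset:offset + length] = bytes(length)
    return bytes(buf)


def directory_digest(region):
    """SHA-256 over a directory region with all timestamps masked out."""
    digest = hashlib.sha256()
    for pos in range(0, len(region), ENTRY_SIZE):
        digest.update(normalise_entry(region[pos:pos + ENTRY_SIZE]))
    return digest.hexdigest()


if __name__ == "__main__":
    # Same file written at two different times: raw bytes differ, digests agree.
    a = make_entry(b"VMLINUZ    ", 12345, 42, fat_date(2016, 8, 8), fat_time(21, 32, 17))
    b = make_entry(b"VMLINUZ    ", 12345, 42, fat_date(2016, 8, 27), fat_time(18, 54, 10))
    print(a != b, directory_digest(a) == directory_digest(b))
```

On a real image the directory regions would be located by walking the FAT from the root directory cluster; the data clusters themselves can be hashed as they are, since only directory entries carry timestamps.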
Re: [Tails-dev] Why Tails partition is non-deterministic?
On Mon, Aug 8, 2016, at 03:32 PM, Joanna Rutkowska wrote:
> Hello,
>
> Is there any special reason why the partition where Tails installs itself
> is non-deterministic? It is thanks to differing timestamps on the
> filesystem.

What you have asked about sounds at least similar to an issue I had reported
on this list a while back. I had reported that the checksums (sha256, sha1,
md5, etc.) of the Tails partition (on USB, created by dd) no longer matched
that of the Tails ISO from which said partition was written. I say "no longer"
because there had been a time when these values did match. That changed at
some point with one of the releases and the change remained for an extended
period, through a number of releases. Then, I believe with the latest release,
Tails 2.5, the hashes for the ISO and the partition of the installation written
from the ISO (via dd, on USB) once again were the same. The cause of these
changes remains a mystery to me.

> This poses a problem for a prudent user who would like to be able to
> verify Tails integrity, e.g. by typing:
>
> dd if=/dev/sda1 | sha1sum

How is that different from "sha1sum /dev/sdX*"? Isn't your version just a
lengthier and less simple means of achieving the identical end: obtaining the
checksum of a given partition (in this case, the sha1 of the partition that
Tails installed itself on). Perhaps I am missing something?

*X for the specific device value, which will obviously change

> This might be especially useful if one uses the stick on various
> computers and would like to verify if her USB stick holding Tails installs
> hasn't been modified (e.g. by a malicious BIOS).

Or (and this is obviously applicable even when one always uses his Tails
device on the same computer) that the Tails partition itself was not altered
by a remote attacker (such as while one was online using Tails) or even a
local attacker (such as while one's Tails stick was left unattended-- even if
within a secured space, unless one can somehow be sure that no one
unauthorized entered said space).

Now, of course, this means of verification is still possible even when the
hash of the (verified) ISO does /not/ match that of the partition created from
same ISO-- providing that one made sure to record the hash of the Tails
partition right after creating it (before using it for the first time and
before leaving the device it is contained-on unattended). But when the
checksums of the Tails partition match those of the ISO that said partition
was created from, then one has the additional advantage of knowing that the
actual writing/installation itself was completed without error or corruption.

> Yes, I'm aware that the first sector of the disk (/dev/sda) would still
> differ thanks to different partition sizes.

Right, meaning that an attacker in whatever form (including a compromised BIOS
or other hardware component) could leave the Tails partition itself untouched,
yet alter another section of the device. What I therefore do, in addition to
recording the checksum of the Tails partition that I created from the ISO
(/dev/sdX), is to /also/ record the checksum of the /entire device/ (USB
stick). In this way, I can presumably be reasonably certain that my stick has
not been tampered with by verifying, at any given time (such as after using it
or after leaving it unattended) that the checksum for the full-device
(/dev/sdX) still matches the one I recorded just after installing Tails on it.

/Persistence/, of course, presents an exception to this; obviously, one cannot
expect the checksum for the persistence partition not to change with each and
every change, no matter how small and insignificant, that the user makes to
said partition. Having noted that, however, I must /also/ mention an
experience I recall with a USB stick that I had created, with a persistence
partition, using Tails Installer. If I recall correctly, I had found that
after each use of this USB stick to boot and run Tails, the hash for the
persistence partition would change-- /even when I had NOT enabled persistence
(or otherwise consciously accessed the persistence partition) for that
session. Although I do not know the reason for this behavior, I suspect that
it somehow may be very much related to the topic that Ms. Rutkowska created
this thread about.
Re: [Tails-dev] Why Tails partition is non-deterministic?
Hi,

thanks Joanna for raising this topic!

I've just thought about it a little bit and I see no technical reason
that prevents us from resetting all timestamps in the filesystem to
some fixed value that depends only (if at all) on the version of Tails
being installed/upgraded, during some late stage of the
installation process.

And it would be nice if tails-verifier looked at filesystem metadata
as well as files content, if it doesn't yet. I bet it's cheaper to add
this check than to prove that it's not needed :)

Cheers,
--
intrigeri
Re: [Tails-dev] Why Tails partition is non-deterministic?
bertagaz:
> [ Ignoring some kind of private answer sent here although it doesn't
> belong to this list. ]
>
> On Mon, Aug 08, 2016 at 09:32:17PM +0200, Joanna Rutkowska wrote:
>> Is there any special reason why the partition where Tails installs itself is
>> non-deterministic? It is thanks to differing timestamps on the filesystem.
>>
>> This poses a problem for a prudent user who would like to be able to verify
>> Tails integrity, e.g. by typing:
>>
>> dd if=/dev/sda1 | sha1sum
>>
>> This might be especially useful if one uses the stick on various computers
>> and would like to verify if her USB stick holding Tails installs hasn't been
>> modified (e.g. by a malicious BIOS). Yes, I'm aware that the first sector of
>> the disk (/dev/sda) would still differ thanks to different partition sizes.
>
> Good question. Did you try and found out that only timestamps were
> different? If it is, good news, means it may not be so hard to fix.
> Would be nice if you could post your data on our bug tracker
> (https://labs.riseup.net/code/projects/tails).
>
> So far we've been focusing on tails-verifier (ticket #7496, waiting for
> review...) for people to check their install, so I don't remember if we
> explored this.

Exactly. The technicalities of this are way over my head but I think that
segfault already investigated all of this while working on Tails Verifier [1]
so he should be the one to talk to. But if I remember correctly, he's super
busy with other things right now so maybe don't expect a quick answer (in the
meantime, looking at the code might help).

[1]: https://labs.riseup.net/code/issues/7496
Re: [Tails-dev] Why Tails partition is non-deterministic?
Hi,

[ Ignoring some kind of private answer sent here although it doesn't
belong to this list. ]

On Mon, Aug 08, 2016 at 09:32:17PM +0200, Joanna Rutkowska wrote:
> Is there any special reason why the partition where Tails installs itself is
> non-deterministic? It is thanks to differing timestamps on the filesystem.
>
> This poses a problem for a prudent user who would like to be able to verify
> Tails integrity, e.g. by typing:
>
> dd if=/dev/sda1 | sha1sum
>
> This might be especially useful if one uses the stick on various computers and
> would like to verify if her USB stick holding Tails installs hasn't been
> modified (e.g. by a malicious BIOS). Yes, I'm aware that the first sector of
> the disk (/dev/sda) would still differ thanks to different partition sizes.

Good question. Did you try and found out that only timestamps were
different? If it is, good news, means it may not be so hard to fix.
Would be nice if you could post your data on our bug tracker
(https://labs.riseup.net/code/projects/tails).

So far we've been focusing on tails-verifier (ticket #7496, waiting for
review...) for people to check their install, so I don't remember if we
explored this.

Bert.
Re: [Tails-dev] Why Tails partition is non-deterministic?
Hi,

drwhax:
> sexual attention.

It is very hurtful to have my intentions decided for me ):

If the snip of code wasn't enough context: I am a fan of dd hacks (:

And as was said to emmapeel privately, love is for everybody XD

I love you, too.

Wordlife,
Spencer
Re: [Tails-dev] Why Tails partition is non-deterministic?
> Hi,
>
>> Joanna Rutkowska:
>> dd if=/dev/sda1 | sha1sum
>
> I love you XD
>
> Wordlife,
> Spencer

Spencer, I'll do this publicly, this is against our code of conduct, see
https://tails.boum.org/contribute/working_together/code_of_conduct/

Please refrain from unwanted sexual attention.

Sorry Joanna :(

Best,
Jurre
Re: [Tails-dev] Why Tails partition is non-deterministic?
Hi,

Joanna Rutkowska:
> dd if=/dev/sda1 | sha1sum

I love you XD

Wordlife,
Spencer
[Tails-dev] Why Tails partition is non-deterministic?
Hello,

Is there any special reason why the partition where Tails installs itself is
non-deterministic? It is thanks to differing timestamps on the filesystem.

This poses a problem for a prudent user who would like to be able to verify
Tails integrity, e.g. by typing:

dd if=/dev/sda1 | sha1sum

This might be especially useful if one uses the stick on various computers and
would like to verify if her USB stick holding Tails installs hasn't been
modified (e.g. by a malicious BIOS). Yes, I'm aware that the first sector of
the disk (/dev/sda) would still differ thanks to different partition sizes.

Thanks,
joanna.