Hi intrigi,

On Friday 03 April 2015 11:48:27 intrigeri wrote:
> > It's also my belief that a solution be documented as soon as possible to
> > publicize to existing users on existing versions the risk and how to
> > mitigate it.
>
> Fully agreed. I believe BitingBird has added notes to this effect on
> an existing ticket, but I don't remember which one. BitingBird, will
> you take it from now on, and perhaps introduce Adam to our processes
> and tools to work on documentation?

Actually, I would like to bump this even further in the interest of full, prompt disclosure and risk minimization *right now*. This is an easy-to-miss, subtle information scope leak (even if transitory), and non-tech-adept people are using TAILS in earnest (many if not most with large 3rd-party mail providers - the usual suspects).

I think the web site should prominently publish at least an informative warning immediately, even if no tested full mitigation exists right now. There is enough external interest in using TAILS as publicity over deeper vulnerability disclosures already (even those out of scope of the TAILS risk domain). See http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/

Actually, I wrote to Kim about this particular article concerning the scope of this vulnerability wrt TAILS in particular, and she replied:

On Wednesday 25 March 2015 21:42:46 Kim Zetter replied:
> As for why Tails was singled out, it was singled out by the
> researchers. They wanted to show how even a system that's entirely
> designed for stealth computing can be undermined. While you're right
> that other operating systems have a trusted relationship with the
> BIOS, Tails is marketed primarily for its security/privacy, whereas
> other operating systems aren't.
This is no criticism of Kim or Legbacore - I include the above in this thread purely to underline the issue that, in order to maintain the large goodwill and trust in TAILS, an open disclosure process for existing issues must be in place, and I believe such a process is applicable to this issue. Better to say such things out loud yourself rather than have others appropriate them for their own purposes.

Shine,
Adam.
_______________________________________________
Tails-dev mailing list
https://mailman.boum.org/listinfo/tails-dev
