Disclaimer: I'm not a developer of Tails.

Dear Elmar,

As you might understand, keeping *everyone* up-to-date individually about upcoming changes is very laborious. However, you can follow along on the bugtracker. For example:

https://redmine.tails.boum.org/code/projects/tails/issues?query_id=310

these are a good indication of what might happen in the upcoming release (3.14).

All the best,
Jurre

On 3/30/19 6:05 PM, Elmar Stellnberger wrote:
> Dear developers of tails,
>
> My security infrastructure has suffered a significant setback since
> you have decided to separate usb and cd images. I need a read only
> image that can be booted from a read only usb stick or in my case from
> a read-only sdcard used with an sdcard reader that supports write
> protection. This is very important. I do not want my tails media to
> become tampered with whenever a singleton tails session has been
> cracked. It is known that intelligence services hunt especially for
> tor and tails users as anyone who uses encryption is suspicious. With
> today's browsers it is very easy to crack a system for intelligence
> services who have several zero-day exploits by hand. Even worse, when
> your system has become cracked and you want to download a subsequent
> tor version, that download will be tampered with as well. Besides
> this, your security system using signing with very new keys is a very
> bad decision. If you have to download the key file with https the
> whole download is not more secure than an arbitrary https download.
> The way out would be to offer SHA512sums which can be checked
> independently whenever you know the iso size. With SHA512sums you can
> download tails with one tails version and then download just the
> SHA512sums with another tails version. Currently I have to download
> the iso twice and compare both. I do not trust your gpg keys. Even
> when they are new they will be cracked within a few milliseconds if
> you decide to store those keys on an online machine where you also use
> a browser or an email program. I do not trust your gpg key because you
> have actually failed to set up a trustworthy offline strategy which
> will need to be described on your homepage tails.boum.org. Anyway, I
> believe the SHA512sum to be the easier, simpler and therefore also
> the more reliable tool to check the integrity of a download. For
> instance, you can note the SHA512sum on a sheet of paper (and I was
> regularly doing this) which is impossible for a gpg signature. A
> recent download of OpenBSD showed me once more how important download
> security is. The tampered download was uncovered by sha256sums and not
> by the signing tool signify. Currently the only way out for tails is
> to have a copy of the usb image on another read only media and to
> compare after every boot (very laborious, uff!). Unfortunately using a
> CD is not a real option for my case. Besides the fact that burning new
> read only CDs produces a lot of litter, CDs are way bigger and larger
> than sdcards. It is a fact that I need to carry the sdcards with me as
> personnel from secret services used to enter my home regularly. I have
> noted this by a handle of my window being changed very often when I
> left (I have asserted that no one else was at home during the time in
> question). Secondly, I had used an offline computer after 2011 to
> analyse a cracked system. One day when I came back I found that
> computer with an overwritten partition table.
>
> At least I believe that supplying a modified DVD image (which is
> read only to its content) that does also boot from USB sticks by a
> modified bootloader should not be that hard to do. The USB image does
> in fact boot right after the GUI dialog for selecting the language
> but then it hangs on a read only medium when you want to get into the
> GUI for the browser and the console.
>
> I have prepared some material for you on my home page concerning
> gpg-security and alleged problems with intelligence services (they
> can easily enter your home when you take your mobile phone with you;
> can't they?):
>
> https://www.elstel.org/CyberAttack-elstel.html.en
> https://www.elstel.org/software/GnuPG-usage.html.en
>
> Please keep me updated about any planned changes/ countermeasures
> for tails!
>
> Yours Sincerely,
> Elmar Stellnberger
>
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@boum.org
> https://www.autistici.org/mailman/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
> tails-dev-unsubscr...@boum.org.