[Freedombox-discuss] Package Lists and Configuration
Johan Henselmans
johan at netsense.nl
Fri Feb 8 11:23:39 UTC 2013
On 8 feb. 2013, at 04:38, "Nick M. Daly" <nick.m.daly at gmail.com> wrote:
> Johan Henselmans <johan at netsense.nl> writes:
>
>> Thanks Nick, I have just read up on the FreedomBuddy
>> project. (http://wiki.debian.org/Freedombox/FreedomBuddy).
>
> Huh. I didn't know that page existed. Thanks, planetlarg. It's
> outdated, but there is no updated documentation (until after this
> weekend, when the dust settles).
>
>> That seems a solution, until your tor/GNUnet endpoint service is
>> compromised, which seems not too hard, considering we are talking
>> about bad guys not encumbered by legal restrictions.
>
> Please define compromised. I'm not being a pedantic jackass here, I'm
> wondering what you mean exactly. If the message you receive fails to
> decrypt to your key, FBuddy ignores it, so it's unlikely that you'll
> compromise FBuddy itself with malformed input. If you mean someone
> duplicating your Tor Hidden Service identity and posing as you, then
> they can't read your messages without your key. It's also difficult to
> duplicate an identity without physically taking over the hosting box.
>
Sorry, I meant purely on an IP-level. Organization suspects unwanted stuff regarding organization going on, tracks Tor/Gnunet servers inside area on which it exerts power, then takes over routers before Tor/Gnunet server, pinpoints Tor/Gnunet boxes.
With the amount of routers that routinely are compromised, the area in which an organization can exert power has to be presumed bigger than its geographic boundaries.
I was thinking of a mesh network (wifi, 3G, Zigbee) of dirt-cheap boxes that might be randomly distributed to locations, turned on and off in a random way to prevent triangular pinpointing to make it harder to get to the users box. Perhaps tor/gnunet servers configured in such a way would already do the trick. I am not familiar with the build-up time of a tor network, if that would be feasible. I have just bought some extra Raspberries with Wi-Pi wifi plugs (next to my dreamplug, ionics stratus/guruplug) and some other el-cheapo hardware, and could do some testing, if it is worth the effort.
Or has somebody already been doing some testing on such a setup?
>> Compromised GPG keys is the other problem.
>
> Yeah. Rule #1 of network security: if the attacker has physical access
> to the box, you're screwed. Nothing anyone can do can prevent that,
> unless you avoid creating or using the service at all.
>
>> I still have a GPG key created in 2001, which I am sure is on some
>> keyservers. My sloppy security behavior ( the private key had been
>> transported from server account to server account, some of which I am
>> pretty sure they were compromised), combined with some rainbow-tables
>> and other brute force attack scripts make it sure that my private key
>> would be compromised by now-if anyone would be interested.
>
> Then revoke or expire it, if you still have the password. A compromised
> 12 year old key is just bad manners.
>
I just used it as an example. I don't use that key anymore, I know irony is hard to transmit in an email conversation: I am just using myself as the clueless user, instead of pretending to be a know-it-all security expert.
> If users are determined to shoot themselves in the foot, we can't stop
> them. In order to preserve their software freedoms (and Asimov's laws),
> we have to assume users mean to do what they're doing. The best we can
> do is to make key management as easy (or as secure, depending on the
> user's request) as possible.
>
Absolutely,
>> A solution would be to make sure anyone would have a smart-card
>> derived PGP key with opensc, so that if you can not find your smart
>> card you should assume your key is compromised. That also poses the
>> problem of losing ones precious would make your freedombox data lost.
>
> You're free to go with whatever you're more comfortable with, it all
> involves tradeoffs. Me, I'm happy keeping a subkey (or single-purpose
> key) on the box. If the SSSS system [0] pans out and keys are never
> written to disk, then whole keys are never hosted anywhere and the box
> has to be captured alive, without ever losing power, significantly
> raising the bar for attacks.
>
> 0: http://lists.alioth.debian.org/pipermail/freedombox-discuss/2013-February/005106.html
>
>> But perhaps you have already discussed that kind of setups.
>
> I have, but I doubt I've convinced you. Please, rebut!
>
Sorry for taking so much time. I am just trying to come up with scenarios that might compromise the whole effort. The subkey approach seems to be fine.
Something unique one might have and something one might know, I was always taught would be the combination. I'll see if I can get a smart card reader of some sort running against the dreamplug setup, and try to get some pgp/opensc running against that.
If there is anyone around that has already been doing that, please let me know, so not to duplicate efforts.
> Thanks for your time,
> Nick
Johan Henselmans
johan at netsense.nl
More information about the Freedombox-discuss
mailing list