[Freedombox-discuss] [EPFSUG] DRAFT Pilot Project: A Threat Model for MEPs

Caspar Bowden (lists) lists at casparbowden.net
Tue Apr 14 11:50:02 UTC 2015


This is all fine, but seriously the outcome should be just use Qubes -
what other game is there in town?

With a modest amount of EP funding and institutional support to
customize, within 6 months MEPs could have the most secure installable
FLOSS laptop OS in the world, with a suite of EP apps locked down in
separate VMs, on a Debian template, using SplitGPG in T-Bird, and
Disposable VMs by default for opening attachments. That means an attack
surface ~100x less than any other desktop OS. With a seamless Windows
HVM for compatibility if they really need it.

BTW - I pitched Qubes to DIGIT, but was given the cold shoulder - I think
they were frightened to go down the road of exploring the systemic vuln of
the Windows installed base.

Caspar
(Qubes Policy Adviser)

On 04/14/15 13:30, JOSEFSSON Erik wrote:
>
> Dear all,
>
> Please find below a draft text for proposing that the EU should
> allocate money under the Pilot Project budget line for developing a
> threat model for MEPs.
>
> A glimpse of what was decided to spend money on last year can be found
> in the first Commission interim report on the implementation of Pilot
> Projects and Preparatory Actions 2015:
>
> http://www.europarl.europa.eu/meetdocs/2014_2019/documents/imco/dv/first_iterim_report_2015_03_04_/first_iterim_report_2015_03_04_en.pdf
>
> Comments on the text below are most welcome, in particular if made in
> public on hub at icg.greens-efa.eu
>
> Budget estimates for the Pilot Project as described would also be very
> helpful.
>
> Thank you for your time.
>
> //Erik
>
> ***
>
> A Threat Model for MEPs
>
> Every citizen needs to understand how to use new technology in a safe
> way[1]. MEPs are not different in that regard. They too need to master
> both their internal and external communications in a way so that they
> do not put anyone or anything at risk, including themselves[2].
>
> The purpose of this Pilot Project is to increase the understanding of
> threats to safe communications. It will do so by developing a threat
> model for MEPs that takes into account EP specific procedural,
> institutional and constitutional constraints[3] as well as the threat
> from internal and external adversaries both at work, during travel and
> at home. Further, the threat model shall be construed so that its
> assessments can be independently verified and validated by any third
> party[4].
>
> The threat model will be accompanied with a recommendation with
> regards to measures MEPs can take to mitigate identified threats, in
> particular measures including the use of Free Software, Open Standards
> and Encryption. In addition, the recommendation shall include an
> overview of which of the measures could enable European
> businesses and institutions to better master their internal and
> external communications.
>
> The Pilot Project will also make a comparative study of how the
> average MEP communication tools inventory performs further to the
> recommendation in comparison with a reference inventory strictly based
> on Open Standards and purely built from Free Software, and, if
> possible at the time, Open Hardware[5].
>
> [1] Surveillance Self-Defense
> https://ssd.eff.org/en/glossary/threat-model
>
> [2] LIBE Committee Inquiry on Electronic Mass Surveillance of EU
> Citizens (see e.g. point 101)
> https://polcms.secure.europarl.europa.eu/cmsdata/upload/7d8972f0-e532-4b12-89a5-e97b39eec3be/att_20141016ATT91322-206135629551064330.pdf
>
> [3] Ensuring utmost transparency - Free Software and Open Standards
> under the Rules of Procedure of the European Parliament
> http://www.greens-efa.eu/fileadmin/dam/Documents/Studies/eut-print.pdf
>
> [4] Software verification and validation according to Wikipedia
> https://en.wikipedia.org/wiki/Software_verification_and_validation
>
> [5] FreedomBox v0.3 Released!
> https://www.freedomboxfoundation.org/news/FreedomBox-0.3/index.en.html
>
> ***
>
