<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">This is all fine, but seriously the
outcome should be to just use Qubes - what other game is there in
town?<br>
<br>
With a modest amount of EP funding and institutional support to
customize, within 6 months MEPs could have the most secure
installable FLOSS laptop OS in the world, with a suite of EP apps
locked down in separate VMs, on a Debian template, using SplitGPG in
T-Bird, and Disposable VMs by default for opening attachments.
That means an attack surface ~100x less than any other desktop OS.
With a seamless Windows HVM for compatibility if they really need it.<br>
<br>
BTW - I pitched Qubes to DIGIT, but was given the cold shoulder - I
think they were frightened to go down the road of exploring the systemic
vulnerability of the Windows installed base.<br>
<br>
Caspar<br>
(Qubes Policy Adviser)<br>
<br>
On 04/14/15 13:30, JOSEFSSON Erik wrote:<br>
</div>
<blockquote
cite="mid:4B654B63C9A4614EA1F088B2490E8F3A5D975178@UCEXLWP009.ep.parl.union.eu"
type="cite">
<div class="WordSection1">
<p class="MsoPlainText">Dear all,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Please find below a draft text for
proposing that the EU should allocate money under the Pilot
Project budget line for developing a threat model for MEPs.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">A glimpse of what was decided to spend
money on last year can be found in the first Commission
interim report on the implementation of Pilot Projects and
Preparatory Actions 2015:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><a moz-do-not-send="true"
href="http://www.europarl.europa.eu/meetdocs/2014_2019/documents/imco/dv/first_iterim_report_2015_03_04_/first_iterim_report_2015_03_04_en.pdf">http://www.europarl.europa.eu/meetdocs/2014_2019/documents/imco/dv/first_iterim_report_2015_03_04_/first_iterim_report_2015_03_04_en.pdf</a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Comments on the text below are most
welcome, in particular if made in public on
<a moz-do-not-send="true" href="mailto:hub@icg.greens-efa.eu">hub@icg.greens-efa.eu</a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Budget estimates for the Pilot Project
as described would also be very helpful.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thank you for your time.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">//Erik<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">***<o:p></o:p></p>
<p class="MsoPlainText">A Threat Model for MEPs<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Every citizen needs to understand how to
use new technology in a safe way[1]. MEPs are not different in
that regard. They too need to master both their internal and
external communications in a way so that they do not put
anyone or anything at risk, including themselves[2].<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The purpose of this Pilot Project is to
increase the understanding of threats to safe communications.
It will do so by developing a threat model for MEPs that takes
into account EP-specific procedural, institutional and
constitutional constraints[3] as well as the threat from
internal and external adversaries both at work, during travel
and at home. Further, the threat model shall be construed so
that its assessments can be independently verified and
validated by any third party[4].<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoNormal">The threat model will be accompanied by a
recommendation with regard to measures MEPs can take to
mitigate identified threats, in particular measures including
the use of Free Software, Open Standards and Encryption. In
addition, the recommendation shall include an overview of
which of the measures could enable European businesses
and institutions to better master their internal and external
communications.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The Pilot Project will also make a
comparative study of how the average MEP communication tools
inventory performs further to the recommendation in comparison
with a reference inventory strictly based on Open Standards
and purely built from Free Software, and, if possible at the
time, Open Hardware[5].<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">[1] Surveillance Self-Defense <a
moz-do-not-send="true"
href="https://ssd.eff.org/en/glossary/threat-model">
https://ssd.eff.org/en/glossary/threat-model</a><o:p></o:p></p>
<p class="MsoPlainText">[2] LIBE Committee Inquiry on Electronic
Mass Surveillance of EU Citizens (see e.g. point 101)
<a moz-do-not-send="true"
href="https://polcms.secure.europarl.europa.eu/cmsdata/upload/7d8972f0-e532-4b12-89a5-e97b39eec3be/att_20141016ATT91322-206135629551064330.pdf">https://polcms.secure.europarl.europa.eu/cmsdata/upload/7d8972f0-e532-4b12-89a5-e97b39eec3be/att_20141016ATT91322-206135629551064330.pdf</a><o:p></o:p></p>
<p class="MsoPlainText">[3] Ensuring utmost transparency - Free
Software and Open Standards under the Rules of Procedure of
the European Parliament
<a moz-do-not-send="true"
href="http://www.greens-efa.eu/fileadmin/dam/Documents/Studies/eut-print.pdf">http://www.greens-efa.eu/fileadmin/dam/Documents/Studies/eut-print.pdf</a><o:p></o:p></p>
<p class="MsoPlainText">[4] Software verification and validation
according to Wikipedia
<a moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/Software_verification_and_validation">https://en.wikipedia.org/wiki/Software_verification_and_validation</a><o:p></o:p></p>
<p class="MsoPlainText">[5] FreedomBox v0.3 Released! <a
moz-do-not-send="true"
href="https://www.freedomboxfoundation.org/news/FreedomBox-0.3/index.en.html">https://www.freedomboxfoundation.org/news/FreedomBox-0.3/index.en.html</a><o:p></o:p></p>
<p class="MsoPlainText">***<o:p></o:p></p>
</div>
</blockquote>
<br>
</body>
</html>