[Libreboot] Libreplanet keynote questions


From: Denis 'GNUtoo' Carikli
Subject: [Libreboot] Libreplanet keynote questions
Date: Tue, 15 Mar 2016 20:59:43 +0100

Hi,

Edward Snowden will be giving the keynote of this year's Libreplanet.
I saw a video of him speaking at an IETF event, remotely. People had
many questions, many technical.

So I was thinking that we, the libreboot community, could prepare a
list of questions before the event.

We would, for instance, explain what libreboot is and ask questions
related to it.

For instance, I'm personally very interested in activists' threat model,
which includes resisting targeted physical attacks.

Currently, the most used setup (to my knowledge) to resist such attacks
consists of:
- An FSF certified computer with libreboot.
- GRUB in the BIOS flash, that can open encrypted rootfs.
- The full rootfs (including /boot) encrypted with LUKS.
- GRUB password and nail polish/glue seals to prevent reflashing by an
  attacker. The idea is to create random patterns that would be hard
  to reproduce or restore if the seals are broken. Pictures of it are
  taken, and the user verifies that the pattern matches before
  entering the passphrase.
- The laptop would be configured to prevent external connectors from
  providing DMA channels to the system's RAM, before the user enters
  the passphrase.
- The embedded controller firmware is non-free, we should probably fix
  that.

Another approach would be a chromebook-like security model combined
with Tails instead of chromeOS. Unfortunately that's not implemented
yet.

I wondered how safe the former kind of setup was, for instance:
-> Is the default aes-xts-plain64 cipher (with a 256 or 512 bit key
   size) resistant to malicious HDD firmware? Here the firmware would
   deliberately and actively try to attack the cryptography. I'm also
   supposing that the SATA interface won't give it access to the
   system's RAM, because its DMA is between the HDD and the SATA
   controller. I hope that there are no bugs that permit access to
   the system's RAM.
   Would authenticated cryptography affect it in any way?
-> How to learn to not be able to give the HDD passphrase if we want to?
   Do the hands have to learn the passphrase but not the brain?

And more generally:
-> To what extent is the intelligence community targeting individual
   free software developers involved in the development of
   privacy-enhancing software?
   Is it always possible for such an individual developer to know this is
   happening?
   To what extent does that affect the ability of such a person to
   continue working on privacy-enhancing software (when the individuals
   are aware of it, and when they are not)?
-> What are the differences between handling the security of individual
   people and an organization?
   For instance, an organization would tend to man-in-the-middle TLS to
   look for data exfiltration.
   An individual would, on the contrary, use the tor-browser.
   What (between organizations and individuals) would be more efficient
   for activism? Here I'm assuming that surveillance makes activism
   less efficient.

The questions don't target any specific country or political system, so
the answer might differ accordingly.

Maybe someone has ideas to improve the list, and/or to add questions to
it.

PS: Note that I can't come to libreplanet this year.

Denis.
