
[Freedombox-discuss] Package Lists and Configuration



Johan Henselmans <johan at netsense.nl> writes:

> Thanks Nick, I have just read up on the FreedomBuddy
> project. (http://wiki.debian.org/Freedombox/FreedomBuddy).

Huh.  I didn't know that page existed.  Thanks, planetlarg.  It's
outdated, but there is no updated documentation (until after this
weekend, when the dust settles).

> That seems a solution, until your tor/GNUnet endpoint service is
> compromised, which seems not too hard, considering we are talking
> about bad guys not encumbered by legal restrictions.

Please define compromised.  I'm not being a pedantic jackass here, I'm
wondering what you mean exactly.  If the message you receive fails to
decrypt to your key, FBuddy ignores it, so it's unlikely that you'll
compromise FBuddy itself with malformed input.  If you mean someone
duplicating your Tor Hidden Service identity and posing as you, then
they can't read your messages without your key.  It's also difficult to
duplicate an identity without physically taking over the hosting box.

> Compromised GPG keys are the other problem.

Yeah.  Rule #1 of network security: if the attacker has physical access
to the box, you're screwed.  Nothing anyone can do can prevent that,
unless you avoid creating or using the service at all.

> I still have a GPG key created in 2001, which I am sure is on some
> keyservers. My sloppy security behavior (the private key had been
> transported from server account to server account, some of which I am
> pretty sure were compromised), combined with some rainbow tables
> and other brute-force attack scripts, makes it certain that my private
> key would be compromised by now, if anyone were interested.

Then revoke or expire it, if you still have the password.  A compromised
12-year-old key is just bad manners.

If users are determined to shoot themselves in the foot, we can't stop
them.  In order to preserve their software freedoms (and Asimov's laws),
we have to assume users mean to do what they're doing.  The best we can
do is to make key management as easy (or as secure, depending on the
user's request) as possible.

> A solution would be to make sure anyone would have a
> smart-card-derived PGP key with opensc, so that if you cannot find your
> smart card you should assume your key is compromised. That also poses
> the problem that losing one's precious would make your FreedomBox data
> lost.

You're free to go with whatever you're more comfortable with; it all
involves tradeoffs.  Me, I'm happy keeping a subkey (or single-purpose
key) on the box.  If the SSSS system [0] pans out and keys are never
written to disk, then whole keys are never hosted anywhere and the box
has to be captured alive, without ever losing power, significantly
raising the bar for attacks.

0: http://lists.alioth.debian.org/pipermail/freedombox-discuss/2013-February/005106.html

> But perhaps you have already discussed that kind of setups.

I have, but I doubt I've convinced you.  Please, rebut!

Thanks for your time,
Nick