from Hacker News

Tails 2.0 is out

by rouma7 on 1/28/16, 4:05 PM with 76 comments

  • by AdmiralAsshat on 1/28/16, 4:49 PM

    Tor Browser 5.5 introduces protection against fingerprinting but due to an oversight it is not enabled in Tails 2.0. However, this is not so bad for Tails users since each Tails system has the same fonts installed, and hence will look identical, so this only means that it's easy to distinguish whether a user of Tor Browser 5.5 uses Tails or not. That is already easy given that Tails has the AdBlock Plus extension enabled, unlike the normal Tor Browser.

    I wonder why they opted to preload it with AdBlock Plus instead of uBlock Origin. I'm sure gorhill would certainly give his blessing, and by all measurements it is just as effective with way less overhead.

    Heck, they could go one step further and preload it with a uBlock Origin profile on a paranoid mode that proactively disables all JavaScript (last I remember using Tor I had to manually disable Javascript in the Firefox config).

  • by nikcub on 1/28/16, 5:23 PM

    I appreciate a lot of the work that the Tails guys do - but for a privacy and security focused distribution there are far too many included apps for my liking[1], which increases the attack surface. LibreOffice, Gimp and Audacity are just some of the apps - and many have a horrible history of vulnerabilities[2].

    When Tails has had vulnerabilities it is often with one of these included apps[6].

    The browser isn't sanboxed (it's in progress[3]), and the machine is still directly connected to the internet, so you're a single Firefox vulnerability and a drive-by download away from being deanonymized.

    It is also a shame that both OS X and Windows make it difficult to write an OS to an USB stick and boot from it - the install requires an intermediary Linux OS either on DVD or USB, which a lot of users won't get by.

    For a different approach, see Whonix[4] - a virtual machine based approach with an isolating proxy (very popular setup amongst black hats) and Qubes OS[4] which is built on Xen and runs processes in separate VM's

    [1] https://tails.boum.org/doc/about/features/index.en.html

    [2] https://www.cvedetails.com/vulnerability-list/vendor_id-1143...

    [3] https://wiki.mozilla.org/Security/Sandbox

    [4] https://www.whonix.org/

    [5] https://www.qubes-os.org/

    [6] https://blog.exodusintel.com/2014/07/23/silverbullets_and_fa...

  • by nxzero on 1/28/16, 5:07 PM

    Always been puzzled as to why the ISO release is provided by HTTP and not HTTPS; possible it doesn't make a difference, but if so, it's not clear why.

  • by 746F7475 on 1/29/16, 5:40 AM

    I'm sure I'm not first to question this, but if you download Tails or Tor browser or whatever, wouldn't that be sort of obvious? I mean it leaves traces. Then if you only use it to do something specific be it chat with friends, browse for porn, take part is activism or to buy illegal products for example wouldn't it be easy to see that: your computer went offline, then something new (Tails) went up, took anonymous connection to somewhere and then X happened, then Tails went away and your main OS/machine went back up.

    My main "inspiration" here is the fake bomb threat by the college kid to get out of mid terms, just before the email about the bomb was sent his IP downloaded Tor bundle. The service he was using also had the schools IP or something so administration could see it was sent from inside the school, but I think that is still valid concern. This kind of meta data about your actions can leak just as much information as actually seeing what you are doing.

    My question therefor would be: should more people use Tails as their "daily driver"? Would that make it more anonymous/private for the people like whistle blowers? My only idea at the moment would be to pay for two separate trusted VPN provider (don't know how you would vet that trustworthiness) with bitcoin, to keep your anonymity/privacy with them as well. Then pipe all your traffic through one of the VPNs all the time. Then when you need to use Tor, you would simply pipe it through that same VPN when you would emerge with rest of the clients from same point and then pipe your Tor traffic through the secondary VPN. This way you would still get the benefits of encrypted tunnels all the way through with benefit of Tors anonymizing and it might not be so obvious you are browsing Tor to your ISP or whatever.

    Maybe I'm thinking this is harder than it actually is

  • by Sleaker on 1/28/16, 9:18 PM

    Hmm inclusion/switch to systemd on something that purports to be a 'secure' OS for private browsing seems counter-intuitive.

  • by bphogan on 1/28/16, 4:45 PM

    Firefox refuses to let me look at this page because of a certificate problem.

    Not to go off on a rant, but this is what the "everyone must use https because we said so" edict is going to cause - it's not enough you use https, it has to be the right kind of https that involves a third party issuer of certs.

    Can anyone fix that issue or link to a different page please?

  • by sultansaladin on 1/28/16, 6:15 PM

    How secure is this os?

  • by awinter-py on 1/28/16, 8:15 PM

    Think twice before clicking this link. A bunch of non-crazy newspapers have reported that merely reading about privacy tools (tails & tor) will make you a link in the NSA surveillance graph.