A false sense of security


#1

I’m shocked that on a forum like this no one is talking about HARDWARE also… What is the point and motivation of running a secure distro like this (or Tails, Heads, SubgraphOS) when you can’t trust your hardware? Did anyone here on Intel at least try to cripple Intel ME? Your fellow (Italian) Nicola Corna did an awesome job in that respect. I don’t mean to be rude or disrespect the work of Lorenzo and crew. BUT if we want to be secure, software is just the cherry on top…
A quote from spectre-meltdown-checker:
“A false sense of security is worse than no security at all”
makes me question myself: “Is this all worth it? What do we know about our hardware, how it works and, the most important question, for whom does it work?”
We are using TOR, VPN, encrypted HDDs, Firejail-ing everything… but for what? With all this we just tell the world (Microsoft, Google, Yahoo, Facebook) that we don’t want to be monitored (unlike using Windows, when we give it to them WILLINGLY by using proprietary software), but we unwillingly give them the same thing IF THEY WANT IT by using THEIR proprietary hardware…
I know that these are hard questions to answer, but I can’t understand why we don’t have at least a sub-forum on hardware matters… And these are not rhetorical questions, THIS IS REALITY.


#2

Actually, Lorenzo has voiced his opinion on bare-metal security and the important fact that at some point in time it must travel over some sort of physical path. We have notes pertaining to the Spectre and Meltdown vulnerabilities in this blog post. I agree 100% that hardware security is equally as important as software security, if not more so, due to physical access etc.


#3
  1. I think you may be misinterpreting what Intel is playing around with. Intel ME is their own invention; I doubt their goal is to break it, rather they’d like to find all the ways it can be broken before it gets broken.

  2. Because everyone is running on different kinds of machines, making any sort of “hardware”-related metapackages or whatever is really kind of impossible for the developers. Also a lot of what deals with the hardware is either really obscure or involves a degree of physical access. As I see it there is little in terms of applications that can be created to address hardware-based vulnerabilities outside of security-audit-type scripts (think lynis) or more documentation/education modules.

  3. To put it simply, I think this post would be more effective if you had something (app/script/etc.) to put forward, if for no other reason than to give an example of what you mean, as much of what you talk about is issues of anonymity, not hardware.


#4

I’m not saying that Intel is trying to break their invention. I think it works perfectly fine. Just like AMD’s TrustZone. But for whom? It’s there, no problem. But the problem is that you cannot disable it on the user side.

Isn’t this a secure distro also? Of course I’m talking about anonymity and security. You can’t have those if you have untrusted and proprietary hardware. Do you feel more secure when using an open source OS on it? You don’t see a correlation between security and hardware, but you see one between security and OS? Why?

I’m saying that if we want more privacy and security, we must look for other, more open hardware options where people are putting their effort into complete PCs (that are more up-to-date and capable than refurbished ThinkPads with Libreboot from 2009) like MNT Reform, the Novena laptop or Olimex’s TERES laptop etc.

https://mntmn.com/reform/
https://www.fsf.org/resources/hw/single-board-computers


#5

I’m not saying that Intel is trying to break their invention. I think it works perfectly fine. Just like AMD’s TrustZone. But for whom? It’s there, no problem. But the problem is that you cannot disable it on the user side.

Well, Intel would say they’re securing it for you, but the real answer is whoever is paying them… I think many of these issues come down to macro-economics and market regulation. Would it be such a problem if there were more than one or a handful of companies making all chipsets/boards/processors in the world? Perhaps, but at least people would have more of a choice in what sort of creepy, shadowy “management” software they want in their device. The projects you mentioned were interesting; I will look into them more myself… but sadly these things are so rare. With all the open source software it’s about time we saw more open source in hardware too, but the problem is making it marketable… economics.

Now on another note we touched on: I mention anonymity and security as separate because ultimately they are different goals. We can become secure without being anonymous and vice versa. And no, I wouldn’t actually call Parrot a privacy-focused distro. Certainly not to the extent of Tails and Qubes.


#6

Parrot is not a privacy/security distro; rather it is an open-source distro that aims to be easier to configure and use for all levels of skill, with a famous pentesting edition.


#7

But it’s more secure out of the box than regular Debian, right? I mean as a daily driver, aside from pentesting. With built-in Firejail, Anonsurf, plus adding a firewall, it’s a reasonably secured distro… I’m sure that many of us use this distro as a home workstation, as I saw in DistroWatch comments. I don’t want to bother with anonymity, and don’t need TOR 100% of the time.


#8

It’s much more secure than any other type of Debian, you are correct. I was merely clarifying what Parrot is, because many people think we are only a privacy/security distro, but we are truly a workstation with a couple of specialty editions like security, home (workstation/general), ARM (new image coming soon) etc. If you don’t need the pentesting and anonymity tools (like Tor and Anonsurf) you would use the home edition.


(jim smith) #9

I agree Nico, but if you want to be careful, check for DNS leaks when you use Anon or Tor with
https://www.dnsleaktest.com/
I have had to change exit nodes many times to avoid leaking to my ISP or Google.


#10

Strange, using Anonsurf or I2P I don’t have any leaks on your site, and I tried the “extended test” multiple times. The best way to surf anonymously is to use Tor Browser directly instead of Anonsurf + Firefox.

Anonsurf is not just about surfing while under Tor; it’s all of your system’s outgoing connections being under Tor.

@librebot, there is the Librem from Purism but it’s overpriced… they don’t even include Wi-Fi AC and they put their laptop at $1400+ with just 4 GB RAM and a 128 GB SSD, then they dare speak about privacy for people; how can people get privacy if it’s too far from their budget…
Though hardware insecurity is present, it’s a minority amongst attack vectors.


#11

Purism is not an option. It’s not as secure as they claim it is…
https://libreboot.org/faq.html#will-the-purism-laptops-be-supported

I already partially deblobbed Intel ME with Corna’s me_cleaner, and it shrank ME from a few MB to a few kB, so I hope it’s no big deal after that… And that is more secure than a Purism laptop…
In fact, there are Libreboot laptops from Germany that are refurbished, with 8 GB RAM added and a new display and SSD, and also a PC workstation and a router (although the ALMOST fully open source hardware router is from the Czech Republic, called Turris Omnia):
https://store.vikings.net/libre-friendly-hardware
and from Romania:
https://tehnoetic.com/index.php?route=common/home


#12

I know that Parrot wants to be fully functional on most systems, but why don’t we have a choice whether we want proprietary drivers to be preinstalled on the system or not? Even when I want to remove all unneeded drivers (except iucode-tool and intel-microcode), it also removes a few dependencies like parrot-drivers, and that somehow makes a mess of my repository and I can’t update Parrot after that… (the src repository is checked also)


#13

You seem to know way more than me, so I’ll listen to your advice, thanks.

As for your second question, it annoyed me too that Parrot is preinstalled with the “non-free” sources list, but it’s for usability: if it were preinstalled like Debian (so without non-free), then after install you would not be able to use Wi-Fi, which means you would always have to find an Ethernet cable, update, change the repo to non-free and download your wanted driver for Wi-Fi.

You can always build your own Parrot ISO though, with the non-free repo.


#14

Well you do, as long as you’re willing to forgo the use of all the proprietary devices that those drivers help enable.
On your other point, some of the central metapackages have dummy variants you can install as a substitute, so you can remove whatever you’re trying to without borking the system. Doesn’t always work that way in practice though.


(Nico Paul) #15

Your repository should be the Parrot one if you want a secure OS. There is no possible way you could take the security measures set up around the official Parrot repo. It’s insanely redundantly secure, past the point of paranoid secure. I would not worry too much about having any proprietary drivers because of the countless redundancies and containerization. Even your web traffic is most likely the safest it will ever be (we own and control all of our own CDN).


#16

Thanks. I previously changed the DNS servers (on the WAN side of my router) to some servers from OpenNIC. In resolv.conf they are in first place (and then come the servers from the OS). So should I change it to Parrot servers only, or leave it as it is?


(Nico Paul) #17

If you changed it on your router’s IP page, change it back to whatever it was.


#18

OK, but who would then resolve my DNS requests? I don’t want my ISP to handle it. I know Palinuro added some screenshot of his config… But I don’t understand this mixture of my ISP and OpenNIC servers…

Sorry (that’s why I wanted to remove my ISP’s DNS and add some closest server from opennic.org)…


(Matt) #19

Some ISPs and network administrators will block requests to alternative DNS servers, as they use DNS to filter content and log the sites you visit. So if you have a static ‘resolv.conf’ you wouldn’t be able to access the internet on those networks.
Therefore if you use a laptop or portable device, you are better off accepting the DNS from the DHCP server (provider/ISP/router).
Having more nameservers will make it faster, and will also allow you to reach more TLDs.

But if you are using a desktop, and don’t want to use the DNS provided by your DHCP server, then you can do this:


#20

Thank you very much. Yes, I’m using a desktop PC, and this solution works like a charm!
I’m confused by the fact that there’s a DNS configuration on the router on the WAN side, on the DHCP side and in the OS, so there are three places where you can edit (or mess up) it…
Now on DHCP I leave the addresses blank, on WAN it’s from my ISP, and on Parrot OS (or other devices that are using my Wi-Fi) it’s the DNS servers from Parrot…
I suppose that’s it now.
I was previously trying to change it for my router too (on the WAN side, but that way all my devices including the PC would use it instantly), so I think it isn’t possible… and unnecessary, don’t you think?

P.S. In Palinuro’s example picture, did the round-robin option rotate only the Parrot DNS servers or all four of them (including the DNS suggested by the provider)??? And if so, how? At which intervals?
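An added example, not from any post in this thread, for the static resolv.conf question in #19 and the rotate question in #20: a POSIX shell check that lists which resolvers a resolv.conf would actually be queried and flags any outside the set you intended, i.e. a local DNS-leak check you can run before trusting an external test site. The sample files and all addresses are constructed for the demonstration, and it assumes the glibc resolver, which consults at most the first three nameserver lines and whose `options rotate` round-robins over every listed server, not only the ones you added yourself.

```shell
# Added example: audit a resolv.conf-style file against the resolvers you
# intend to use. Samples and addresses are constructed (RFC 5737 ranges).

# List nameserver addresses in the order the resolver consults them.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Exit 0 when "options rotate" is present. glibc then round-robins over
# EVERY listed server, so an ISP entry still receives a share of queries.
resolv_rotates() {
    awk '$1 == "options" { for (i = 2; i <= NF; i++) if ($i == "rotate") f = 1 }
         END { exit !f }' "$1"
}

# Usage: resolv_check FILE "ip1 ip2 ..."  -> 0 if every nameserver that
# will actually be queried is expected, 1 otherwise. glibc reads at most
# the first three entries (MAXNS), so later ones are ignored, not reported.
resolv_check() {
    file=$1; expected=$2; count=0; bad=0
    for ns in $(resolv_nameservers "$file"); do
        count=$((count + 1))
        [ "$count" -gt 3 ] && break
        case " $expected " in
            *" $ns "*) ;;                                    # intended resolver
            *) echo "$file: unexpected nameserver $ns" >&2; bad=1 ;;
        esac
    done
    if [ "$count" -eq 0 ]; then echo "$file: no nameserver lines" >&2; return 1; fi
    return $bad
}

# Constructed samples: one where a DHCP-provided (ISP) entry sits ahead of
# the chosen resolvers, one holding only the chosen resolvers.
SAMPLE_DIR=$(mktemp -d)
printf 'nameserver 198.51.100.1\nnameserver 203.0.113.53\noptions rotate\n' \
    > "$SAMPLE_DIR/resolv.leaky"
printf 'nameserver 203.0.113.53\nnameserver 203.0.113.54\n' > "$SAMPLE_DIR/resolv.clean"
EXPECTED="203.0.113.53 203.0.113.54"   # placeholder: your chosen resolvers

for f in resolv.leaky resolv.clean; do
    if resolv_check "$SAMPLE_DIR/$f" "$EXPECTED"; then
        echo "$f: only the expected resolvers would be queried"
    else
        echo "$f: some queries would go outside the expected resolvers"
    fi
    if resolv_rotates "$SAMPLE_DIR/$f"; then echo "$f: rotate spreads queries over all entries"; fi
done
```

Point `resolv_check` at `/etc/resolv.conf` with your own resolver list to audit a real machine; a DHCP client rewriting that file is exactly the case where an unexpected entry shows up.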