[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Hardened Debian Security Focused Distribution - Feedback Wanted!

To: debian-derivatives-request@xxxxxxxxxxxxxxxx, tor-talk@xxxxxxxxxxxxxxxxxxxx, fulldisclosure@xxxxxxxxxxxx, liberationtech <liberationtech@xxxxxxxxxxxxxxxxxx>
Subject: [tor-talk] Hardened Debian Security Focused Distribution - Feedback Wanted!
From: TNT BOM BOM <bo0od@xxxxxxxxxx>
Date: Thu, 27 Sep 2018 07:10:00 +0000
Cc: Patrick Schleizer <adrelanos@xxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 27 Sep 2018 03:10:50 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1538032237; bh=SvY4hTnQ+We7bnVBUKr42TPxuJslrc4TfcFXIxSMN5c=; h=From:Subject:To:Cc:Date:From; b=HNQ8FXccsKGmUjs/J2hmYfOoEuQiJC1bFqlkvrZeQGSBGBkIqlZrDhW6cvrbJTIHH 1b/Js2zdDhdUGIyY0MjGCVOokkewLh4tKEzCUiWtNmRdKaG5wy3/MPsOBN+khtINq2 dBMQeGaIfPR1j9mxanil/aRYFV6STs4tI/ynM67I=
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

=== scope ===

* will be initially released for VMs (VirtualBox, Qubes, maybe KVM)
* “sudo apt-get install hardened-debian-cli” will be possible on bare
metal Debian hosts, in other words installations of Debian can be easily
converted into Hardened Debian by installing the hardened-debian-cli or
other hardened debian package
* maybe later available as ISO for installation on hardware depending on
community interest and support

=== hardening by default in Hardened Debian version 1 ===

* install haveged by default for better entropy
* sdwdate (https://github.com/Whonix/sdwdate) rather than insecure NTP
(https://www.whonix.org/wiki/Dev/TimeSync)
* security-misc (https://github.com/Whonix/security-misc) - (deactivates
previews in Dolphin; deactivates previews
in Nautilus; deactivates TCP timestamps; deactivates Netfilter’s
connection tracking helper;)
* open-link-confirmation
* enable apparmor by default
* available apparmor profiles
(https://github.com/Whonix?utf8=%E2%9C%93&q=apparmor-profile&type=&language=)
* hopefully spectre / meltdown resistant by default
(https://forums.whonix.org/t/whonix-vulerable-due-to-missing-processor-microcode-packages-spectre-meltdown-retpoline-l1-terminal-fault-l1tf/5739)

=== hardening by default in Hardened Debian version 2 ===

* hardened browser (https://www.whonix.org/wiki/Tor_Browser_without_Tor
Tor Browser without Tor)

=== hardening by default in Hardened Debian version 3 ===

* better kernel version
(https://forums.whonix.org/t/kernel-versions-and-security/5791)

=== usability by default ===

* https://github.com/Whonix/shared-folder-help 2
* https://github.com/Whonix/usability-misc 2

=== desktop environment ===

- initially will be available most likely for:

* CLI only (console only, no desktop environment)
* KDE

- Later on likely for:

* XFCE

=== vision ===

* computer security community is larger than computer anonymity
community - we can work on a shared interest that is security
* we apply as many security settings by default
* we apply as much as default from
* Hardened Debian will be the base for Whonix - Anonymous Operating
System (https://www.whonix.org/wiki/System_Hardening_Checklist Whonix is
applying most of above already anyhow)

=== development status of version 1 ===

* approximately 50% done
* meta package "hardened-debian-kde" and "hardened-debian-cli" exist -
https://github.com/Whonix/anon-meta-packages/blob/master/debian/control
* most packages working (since reused from Whonix)
* build script ready (--flavor hardened-debian-kde / --hardened-debian-cli)
* builds successfully

=== temporary homepage ===
* https://www.whonix.org/wiki/Hardened_Debian

=== Questions ===

* Are you interested in Hardened Debian? What do you think? What would
you like to see? Any suggestions?
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Hardened Debian Security Focused Distribution - Feedback Wanted!
  - From: john doe

Prev by Author: Re: [tor-talk] alt-svc supported by TBB
Next by Author: Re: [tor-talk] Tor browser and VPN or web proxy
Previous by thread: Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History
Next by thread: Re: [tor-talk] Hardened Debian Security Focused Distribution - Feedback Wanted!
Index(es):
- Author
- Thread