Differences between revisions 12 and 13
Revision 12 as of 2013-12-18 11:32:10
Size: 5401
Editor: Mempo
Comment: copied ideas from IRC, thanks sl1nk
Revision 13 as of 2014-01-09 13:32:34
Size: 5431
Editor: Mempo
Comment: Added more information about Mempo project
Line 2: Line 2:

{{attachment:banner2-2.png|Mempo}}
Line 7: Line 9:
{i} Learn about it on [[https://rawgithub.com/mempo/mempo-websites/master/mempo-main/html/index.html|Mempo webpage]]. Mempo system structure:
Line 9: Line 11:
{{https://rawgithub.com/vyrly/mempo-websites/master/mempo-main/html/images/banner2-2.png}} {{attachment:mempo-system-layers.png|Mempo system structure|width=700}}

{i} Learn more about it on [[https://rawgithub.com/mempo/mempo-websites/master/mempo-main/html/index.html|Mempo webpage]].
Line 13: Line 17:
 * DONE: [[Mempo/mempo-deb|mempo-deb]] fixed libpoco debian library   * DONE: [[Mempo/mempo-deb|mempo-deb]] fixed libpoco debian library
Line 34: Line 38:
 * [[IRC]] irc.oftc.net (in Tor secured network)   * [[IRC]] irc.oftc.net (in Tor secured network)
Line 41: Line 45:
 * [[Freenet]] freemail ( /!\ '''currently not used''' /!\ ) mempo@ym7rkpjwhfcpiqbhbovz2gtiafthwmp6rmee6wmk3quekcvo2jgq.freemail   * [[Freenet]] freemail ( /!\ '''currently not used''' /!\ ) mempo@ym7rkpjwhfcpiqbhbovz2gtiafthwmp6rmee6wmk3quekcvo2jgq.freemail
Line 56: Line 60:
 * - anyone has any such flags that could be added to the [[Mempo/mempo-deb]] package gnupg application and/or libpoco library? If yes then please form the git repo and try it and notify us here+irc.   * - anyone has any such flags that could be added to the [[Mempo/mempo-deb]] package gnupg application and/or libpoco library? If yes then please form the git repo and try it and notify us here+irc.
Line 64: Line 68:
{{{  {{{
Line 66: Line 70:
<sl1nk> Meanwhile download Debian, i looked your "Threats to security and 
anonymity" (https://rawgithub.com/mempo/*). I saw that you don't have a 
solution for Identity Spoofing, Man-in-the-middle attack, Evil Maid attack, 
<sl1nk> Meanwhile download Debian, i looked your "Threats to security and
anonymity" (https://rawgithub.com/mempo/*). I saw that you don't have a
solution for Identity Spoofing, Man-in-the-middle attack, Evil Maid attack,
Line 71: Line 75:
<sl1nk> There are two ways to stop the “evil maid” attack: keeping your boot 
partition on a flash drive you carry at all times, or using a checksum value of 
<sl1nk> There are two ways to stop the “evil maid” attack: keeping your boot
partition on a flash drive you carry at all times, or using a checksum value of
Line 74: Line 78:
<sl1nk> The only totally secure defense is to copy /boot onto a flash drive, 
install GRUB on that drive, and debug this until you can boot from the flash 
<sl1nk> The only totally secure defense is to copy /boot onto a flash drive,
install GRUB on that drive, and debug this until you can boot from the flash
Line 77: Line 81:
<sl1nk> IP spoofing is a technique where a host sends out packets which claim 
to be from another host. Since packet filtering makes decisions based on this 
source address, IP spoofing is uses to fool packet filters. It is also used to 
hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and 
<sl1nk> IP spoofing is a technique where a host sends out packets which claim
to be from another host. Since packet filtering makes decisions based on this
source address, IP spoofing is uses to fool packet filters. It is also used to
hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and
Line 82: Line 86:
<sl1nk> The best way to protect from IP spoofing is called Source Address  <sl1nk> The best way to protect from IP spoofing is called Source Address
Line 84: Line 88:
<sl1nk> turning on Source Address Verification at every boot is the right  <sl1nk> turning on Source Address Verification at every boot is the right
Line 86: Line 90:
<sl1nk> To do that, insert the following lines somewhere in your init scripts,  <sl1nk> To do that, insert the following lines somewhere in your init scripts,
Line 89: Line 93:
<sl1nk> If you cannot do this, you can manually insert rules to protect every  <sl1nk> If you cannot do this, you can manually insert rules to protect every
Line 91: Line 95:
<sl1nk> MitM-Attack, uses a technique called ARP spoofing, so you need to  <sl1nk> MitM-Attack, uses a technique called ARP spoofing, so you need to

Mempo Project - Hardened Privacy

"⌘ Mempo project aims to provide most secure and yet comfortable out-of-the-box computer for Desktop and Server, to professionals, business, journalists, and every-day users avoiding PRISM-like spying. ⌘"

Mempo is a software project and an open team of developers working with Debian and other communities and entities toward the above-mentioned goal.

Mempo system structure:

Learn more about it on the Mempo webpage.

Current work (2013-12) includes:

  • DONE: mempo-deb fixed libpoco Debian library

  • fixing/patching other Debian software as mempo-deb

  • hardened and verifiable kernel ReproducibleBuildsKernel

  • planning - see mempo.org website hosted on GitHub

As of 2013-12 it is intended for Mempo to:

  • support and work inside of Debian project
  • in addition release distribution (remix/selection of packages) that includes:
  • - new software that is not yet accepted into Debian
  • - versions newer than in Debian
  • - release often

Mempo aims to always be open FOSS and to treat security as the primary concern (e.g. at the expense of usability or performance).

The project is in the planning and prototyping stage; be patient :)

Contact

A variety of ways for secure and privacy-respecting communication.

Drafts

External:

Wishlist

  • Convince GCC upstream to enable security hardening flags by default
  • - or write a wrapper script and set gcc_secure and similar compilers to be used for building sensitive/all packages?
    • see dpkg-buildflags, but that is useless for binaries built by users; the compiler should do hardening by default
  • - does anyone have any such flags that could be added to the Mempo/mempo-deb package gnupg application and/or libpoco library? If yes, then please fork the git repo, try it, and notify us here and on IRC.

  • - Same question for kernel flags: is it secure on this front by default? Does grsecurity turn on all the needed flags, in addition to enabling some static check plugins?
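
One way the wrapper idea from the wishlist could look. This is an added example, not Mempo's or Debian's code: `hardening_flags` and `REAL_CC` are hypothetical names, and the flag set is an assumed selection of standard GCC/linker hardening options. It shows the cases a naive wrapper gets wrong: compile-only calls, shared libraries, and unoptimised builds.

```shell
#!/bin/sh
# gcc_secure: added illustration of a hardening compiler wrapper.
# REAL_CC (assumed variable) must point at the real compiler binary.

# Print the hardening flags that fit the given gcc command line.
hardening_flags() {
    link=1; pie=1; opt=0; fortify=1
    for a in "$@"; do
        case $a in
            -c|-S|-E)           link=0 ;;  # no link step on this call
            -shared|-static|-r) pie=0 ;;   # -pie conflicts with these
            -fPIC|-fpic|-fno-pie|-fno-PIE|-no-pie) pie=0 ;;  # caller chose
            -O0)                opt=0 ;;
            -O*)                opt=1 ;;
            -D_FORTIFY_SOURCE*|-U_FORTIFY_SOURCE) fortify=0 ;;
        esac
    done
    # -fstack-protector-strong needs GCC 4.9+; older: -fstack-protector-all
    out="-fstack-protector-strong -Wformat -Werror=format-security"
    # glibc only honours _FORTIFY_SOURCE when optimisation is enabled
    if [ "$opt" = 1 ] && [ "$fortify" = 1 ]; then
        out="$out -D_FORTIFY_SOURCE=2"
    fi
    if [ "$pie" = 1 ]; then out="$out -fPIE"; fi
    if [ "$link" = 1 ]; then
        out="$out -Wl,-z,relro -Wl,-z,now"
        if [ "$pie" = 1 ]; then out="$out -pie"; fi
    fi
    printf '%s\n' "$out"
}

# Run the real compiler with the hardening flags placed first, so that
# explicit flags from the caller still take precedence.
gcc_secure() {
    # Unquoted on purpose: the flag list is split into separate words.
    "${REAL_CC:-/usr/bin/gcc}" $(hardening_flags "$@") "$@"
}

# When invoked with arguments, act as the compiler.
if [ "$#" -gt 0 ]; then gcc_secure "$@"; fi
```
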

Ideas

sl1nk's various ideas (evil maid, IP, MitM)

#mempo @ irc.freenode.org

<sl1nk> Meanwhile download Debian, I looked at your "Threats to security and
anonymity" (https://rawgithub.com/mempo/*). I saw that you don't have a
solution for Identity Spoofing, Man-in-the-middle attack, Evil Maid attack,
phishing, DNS poisoning.
<sl1nk> That makes three categories of attacks, network, web and password
<sl1nk> There are two ways to stop the “evil maid” attack: keeping your boot
partition on a flash drive you carry at all times, or using a checksum value of
the boot sector and boot partition to detect it and change your passphrase.
<sl1nk> The only totally secure defense is to copy /boot onto a flash drive,
install GRUB on that drive, and debug this until you can boot from the flash
drive with the encrypted disk as the root filesystem.
<sl1nk> IP spoofing is a technique where a host sends out packets which claim
to be from another host. Since packet filtering makes decisions based on this
source address, IP spoofing is used to fool packet filters. It is also used to
hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and
others...
<sl1nk> The best way to protect from IP spoofing is called Source Address
Verification, and it is done by the routing code, and not firewalling at all.
<sl1nk> turning on Source Address Verification at every boot is the right
solution for you
<sl1nk> To do that, insert the following lines somewhere in your init scripts,
before any network interfaces are initialized http://pastecode.ru/8312/
<iRelay> Title: Pastecode Без названия (at pastecode.ru)
<sl1nk> If you cannot do this, you can manually insert rules to protect every
interface.
<sl1nk> MitM-Attack, uses a technique called ARP spoofing, so you need to
filter/block it.
<sl1nk> With HTTPS or VPN for example.
<sl1nk> For Phishing and DNS poisoning is other way... ;.;
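
Source Address Verification as discussed in the log above corresponds to the Linux `rp_filter` sysctl. The following is an added example, not the contents of the paste linked in the log; the function names and the conf-root parameter are hypothetical, chosen so the logic can be exercised on a constructed directory tree as well as on `/proc/sys/net/ipv4/conf`. It audits the effective setting per interface and then enables strict verification for current and future interfaces.

```shell
#!/bin/sh
# Added example: audit and enable Source Address Verification (rp_filter).
# Each function takes the conf root as $1 (assumed parameter); on a live
# system that is /proc/sys/net/ipv4/conf.

# The kernel uses max(conf/all/rp_filter, conf/<if>/rp_filter) per interface:
# 0 = no verification, 1 = strict, 2 = loose.
effective_rp_filter() {   # $1 = conf root, $2 = interface name
    all=$(cat "$1/all/rp_filter")
    ifv=$(cat "$1/$2/rp_filter")
    if [ "$all" -gt "$ifv" ]; then echo "$all"; else echo "$ifv"; fi
}

# Print "<interface>=<value>" for every interface that is not strict.
audit_rp_filter() {       # $1 = conf root
    for f in "$1"/*/rp_filter; do
        ifname=$(basename "$(dirname "$f")")
        case $ifname in all|default) continue ;; esac
        eff=$(effective_rp_filter "$1" "$ifname")
        [ "$eff" = 1 ] || echo "$ifname=$eff"
    done
}

# Set strict mode everywhere: "all" and each existing interface, plus
# "default", which is the template for interfaces created later.
enable_rp_filter() {      # $1 = conf root
    for f in "$1"/*/rp_filter; do
        echo 1 > "$f"
    done
}

# Read-only report for the running system when called as: <script> audit
if [ "${1:-}" = audit ]; then audit_rp_filter /proc/sys/net/ipv4/conf; fi
```

Writing 1 to every entry matters because a single interface left at 2 keeps that interface in loose mode even when `all` is 1.
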

CategorySystemSecurity