Line 23: | Line 23: |
* hardened and verifiable kernel [[ReproducibleBuildsKernel]] | * hardened and verifiable kernel [[SameKernel]] |
Mempo Project - Hardened Privacy
"⌘ Mempo project aims to provide most secure and yet comfortable out-of-the-box computer for Desktop and Server, to professionals, business, journalists, and every-day users avoiding PRISM-like spying. ⌘"
Mempo is a software project and an open team of developers working with Debian and other communities and entities toward the above-mentioned goal.
Mempo system structure:
Learn more about it on Mempo webpage.
Done work:
Current work (2014-01) includes:
fixing/patching other Debian software as mempo-deb
hardened and verifiable kernel SameKernel
planning - see mempo.org website hosted in github
As of 2014-01 it is intended for Mempo to:
- support and work inside of Debian project
- in addition release distribution (remix/selection of packages) that includes:
- - new software that is not yet accepted into Debian
- - versions newer than in Debian
- - release often
Mempo aims to always be Open FOSS, and to put security as the primary matter (e.g. at the expense of usability or performance).
The project is in the planning and prototyping stage; be patient.
Contact
A variety of ways, for secure and privacy-respecting communication.
IRC network: #mempo on irc.freenode.org (normal web)
IRC irc.oftc.net (in Tor secured network)
XMPP/Jabber chat contact mempo@jit.si
http://mempo.org - soon!
https://rawgithub.com/mempo/mempo-websites/master/mempo-main/html/index.html
Freenet Freesite Mempo-Official on freenet-address: USK@fiXFPRPKw3miEP1tXIi3Mz2BvfkKK1FsoATqAWi~NbY,DWl1hGrdJEpMT5-ofWBAH1HIYDauTNh8xilF8l2tCfE,AQACAAE/mempo/-1/
Freenet+FMS_application on FMS boards: mempo, freenet, linux.
Freenet freemail ( currently not used ) mempo@ym7rkpjwhfcpiqbhbovz2gtiafthwmp6rmee6wmk3quekcvo2jgq.freemail
- other users: please consider also contacting following users available e.g. on IRC: vyrly, rfree
Drafts
provided (packaged, distributed) fix to Debian libpoco that was stopping external open-source program (FMS) from working in Debian 7 https://github.com/mempo/mempo-deb
External:
provided verification build script wrapper for Freenet https://github.com/mempo/freenet-extra
Wishlist
- Convince GCC upstream to enable security hardening flags by default
- - or write a wrapper script and set gcc_secure and similar compilers to be used for building sensitive/all packages?
- see dpkg-buildflags, but that is useless for binaries built by users; the compiler should do hardening by default
- Does anyone have any such flags that could be added to the Mempo/mempo-deb package's gnupg application and/or libpoco library? If so, please fork the git repo, try it, and notify us here and on IRC.
- - Same question for kernel flags: is it secure on this front by default? Does grsecurity turn on all the needed flags, in addition to enabling some static check plugins?
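The wrapper idea from the wishlist, as an added example (not Mempo code): `gcc_secure` is the name the page proposes, while `REAL_CC`, the `hardening_flags` function and the chosen flag set are assumptions. It adds only the flags that fit each invocation, because blindly appending `-pie` or `-D_FORTIFY_SOURCE=2` breaks shared-library, unoptimised and freestanding builds.

```shell
#!/bin/sh
# gcc_secure: wrapper name from the wishlist above; everything else is assumed.
# REAL_CC (assumed variable) is the real compiler the wrapper hands off to.
REAL_CC=${REAL_CC:-/usr/bin/gcc}

# Print the hardening flags that are safe to add to this one invocation.
hardening_flags() {
    link=1 cpie=1 lpie=1 opt=0 ssp=1 fortify=1
    for arg in "$@"; do
        case $arg in
            -c|-S|-E) link=0 ;;                      # no link step
            -shared|-static|-r|-fno-pie|-fno-PIE|-no-pie)
                cpie=0 lpie=0 ;;                     # PIE does not apply
            -fPIC|-fpic|-fPIE|-fpie) cpie=0 ;;       # caller chose a model
            -nostdlib|-ffreestanding)                # kernel/bootloader code
                cpie=0 lpie=0 ssp=0 fortify=0 ;;
            -O0) opt=0 ;;
            -O*) opt=1 ;;                            # last -O option wins
            -fstack-protector*|-fno-stack-protector) ssp=0 ;;
            -D_FORTIFY_SOURCE*|-U_FORTIFY_SOURCE) fortify=0 ;;
        esac
    done
    out="-Wformat -Werror=format-security"
    # -fstack-protector-strong needs GCC 4.9 or newer.
    [ "$ssp" = 1 ] && out="$out -fstack-protector-strong"
    # glibc only applies _FORTIFY_SOURCE when optimisation is enabled.
    [ "$fortify" = 1 ] && [ "$opt" = 1 ] && out="$out -D_FORTIFY_SOURCE=2"
    [ "$cpie" = 1 ] && out="$out -fPIE"
    if [ "$link" = 1 ]; then
        [ "$lpie" = 1 ] && out="$out -pie"
        out="$out -Wl,-z,relro -Wl,-z,now"
    fi
    echo "$out"
}

# Hand off to the real compiler only when installed under the wrapper name.
# Our flags go first so that explicit flags from the caller still win.
case ${0##*/} in
    gcc_secure) exec "$REAL_CC" $(hardening_flags "$@") "$@" ;;
esac
```

Installed as `gcc_secure` and selected with `CC=gcc_secure`, it also covers binaries users build themselves, which is the gap the wishlist notes in dpkg-buildflags.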
Ideas
sl1nk various ideas (evil maid, IP, MitM)
#mempo @ irc.freenode.org
<sl1nk> Meanwhile download Debian, I looked at your "Threats to security and anonymity" (https://rawgithub.com/mempo/*). I saw that you don't have a solution for Identity Spoofing, Man-in-the-middle attack, Evil Maid attack, phishing, DNS poisoning.
<sl1nk> That makes three categories of attacks, network, web and password
<sl1nk> There are two ways to stop the “evil maid” attack: keeping your boot partition on a flash drive you carry at all times, or using a checksum value of the boot sector and boot partition to detect it and change your passphrase.
<sl1nk> The only totally secure defense is to copy /boot onto a flash drive, install GRUB on that drive, and debug this until you can boot from the flash drive with the encrypted disk as the root filesystem.
<sl1nk> IP spoofing is a technique where a host sends out packets which claim to be from another host. Since packet filtering makes decisions based on this source address, IP spoofing is used to fool packet filters. It is also used to hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and others...
<sl1nk> The best way to protect from IP spoofing is called Source Address Verification, and it is done by the routing code, and not firewalling at all.
<sl1nk> turning on Source Address Verification at every boot is the right solution for you
<sl1nk> To do that, insert the following lines somewhere in your init scripts, before any network interfaces are initialized http://pastecode.ru/8312/
<iRelay> Title: Pastecode Без названия (at pastecode.ru)
<sl1nk> If you cannot do this, you can manually insert rules to protect every interface.
<sl1nk> MitM-Attack, uses a technique called ARP spoofing, so you need to filter/block it.
<sl1nk> With HTTPS or VPN for example.
<sl1nk> For Phishing and DNS poisoning is other way... ;.;