Mempo Project - Hardened Privacy

Mempo

"⌘ Mempo project aims to provide most secure and yet comfortable out-of-the-box computer for Desktop and Server, to professionals, business, journalists, and every-day users avoiding PRISM-like spying. ⌘"

Mempo is a software project and an open team of developers working with Debian and other communities and entities toward the above-mentioned goal.

This is a work in progress, in pre-alpha. Until we complete code reviews, please read the source code if you run this for important purposes.

The source code is quite small; we try to keep the differences small relative to the known-trusted developers and FOSS projects that we modify/repack.

Mempo system structure

Learn more about it on the Mempo webpage.

See below for Download and Install instructions.

Downloads

For now Mempo exists as source code in various repositories. Later we will release ready-made .deb packages (signed and verifiable), and finally our own .deb repository or packages in the Debian repositories.

By low-security we mean that the code is not so thoroughly reviewed yet, or is developed/uploaded from computers that are not super-secured. We do develop only on Linux/FOSS, encryption is always used, etc., but we still know it's less than perfect.

So this is the same as "normal/high" security by common standards :)

Integration with Debian

Mempo team will:

Install with Debian:

Done work

Current work

As of 2014-01:

Plan

As of 2014-01 it is intended for Mempo to:

Mempo aims to always be open FOSS, and to put security first (e.g. at the expense of usability or performance).

The project is in the planning and prototyping stage, be patient :)

Found a bug or problem? Why not help us by getting involved:

Get Involved

Micro tasks:

| nr | hardness | required | task |
|---|---|---|---|
| #task1 | trivial | Wheezy 64bit, 10 GB hdd, root | 1) Build our SameKernel by following the instructions there. 2) Contact us with the .deb files created there and the sha1sum of them. 3) If the build instructions were not clear, tell us. |
| #task2 | trivial | Wheezy, user | 1) Build our Mempo/mempo-deb by following the instructions there. 2) Tell us if it worked. Extra: 3) If on amd64, check whether the checksums of the files are as expected. 4) With root you can install the .deb with dpkg -i foo.deb, use the created programs and test whether they work fully (review the sources first, or use a test computer). |

Security topics

Contact

Contact us: a variety of ways, for secure and privacy-respecting communication.

Drafts

External:

Wishlist

Ideas

sl1nk: various ideas (evil maid, IP, MitM)

#mempo @ irc.freenode.org

<sl1nk> Meanwhile download Debian, I looked at your "Threats to security and
anonymity" (https://rawgithub.com/mempo/*). I saw that you don't have a
solution for Identity Spoofing, Man-in-the-middle attack, Evil Maid attack,
phishing, DNS poisoning.
<sl1nk> That makes three categories of attacks, network, web and password
<sl1nk> There are two ways to stop the “evil maid” attack: keeping your boot
partition on a flash drive you carry at all times, or using a checksum value of
the boot sector and boot partition to detect it and change your passphrase.
<sl1nk> The only totally secure defense is to copy /boot onto a flash drive,
install GRUB on that drive, and debug this until you can boot from the flash
drive with the encrypted disk as the root filesystem.
<sl1nk> IP spoofing is a technique where a host sends out packets which claim
to be from another host. Since packet filtering makes decisions based on this
source address, IP spoofing is used to fool packet filters. It is also used to
hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and
others...
<sl1nk> The best way to protect from IP spoofing is called Source Address
Verification, and it is done by the routing code, and not firewalling at all.
<sl1nk> turning on Source Address Verification at every boot is the right
solution for you
<sl1nk> To do that, insert the following lines somewhere in your init scripts,
before any network interfaces are initialized http://pastecode.ru/8312/
<iRelay> Title: Pastecode Без названия (at pastecode.ru)
<sl1nk> If you cannot do this, you can manually insert rules to protect every
interface.
<sl1nk> MitM-Attack, uses a technique called ARP spoofing, so you need to
filter/block it.
<sl1nk> With HTTPS or VPN for example.
<sl1nk> For Phishing and DNS poisoning is other way... ;.;
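
The lines sl1nk pasted are not reproduced on this page. As an added example (not from the log or from the Mempo project), the shell function below audits Source Address Verification on Linux, where it is exposed as the `rp_filter` sysctl, and shows that the effective setting per interface is the larger of the `all` value and the interface's own value. The names `rp_filter_audit` and `demo_tree` are hypothetical, and the sample tree is constructed rather than read from a real system.

```shell
#!/bin/sh
# Added example: audit Linux reverse-path filtering (rp_filter), the sysctl
# behind source address verification. Values: 0 = off, 1 = strict, 2 = loose.
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter).

# rp_filter_audit [CONF_DIR]  (hypothetical helper name)
# Prints "<iface> <effective value> <verdict>" per interface; returns 1 if
# any interface is not in strict mode.
rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null) || all=0
    bad=0
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are settings templates, not interfaces
        case $iface in all|default) continue ;; esac
        eff=$(cat "$f")
        [ "$all" -gt "$eff" ] && eff=$all
        case $eff in
            1) verdict=strict ;;
            2) verdict=loose; bad=1 ;;
            *) verdict=off; bad=1 ;;
        esac
        echo "$iface $eff $verdict"
    done
    return $bad
}

# Constructed sample tree (not real system state) mirroring the /proc layout.
demo_tree() {
    d=$(mktemp -d)
    for i in all default eth0 wlan0 tun0; do mkdir -p "$d/$i"; done
    echo 0 > "$d/all/rp_filter";  echo 0 > "$d/default/rp_filter"
    echo 1 > "$d/eth0/rp_filter"; echo 0 > "$d/wlan0/rp_filter"
    echo 2 > "$d/tun0/rp_filter"
    echo "$d"
}

# Demo run on the constructed tree; call rp_filter_audit with no argument
# to check the running system instead.
tree=$(demo_tree)
rp_filter_audit "$tree" || echo "not every interface verifies source addresses strictly"
rm -rf "$tree"
```

On a Debian system the setting is normally made persistent with `net.ipv4.conf.all.rp_filter = 1` and `net.ipv4.conf.default.rp_filter = 1` in `/etc/sysctl.conf`, which is applied at boot.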

CategorySystemSecurity