Mempo Project - Hardened Privacy

Mempo

"⌘ Mempo project aims to provide most secure and yet comfortable out-of-the-box computer for Desktop and Server, to professionals, business, journalists, and every-day users avoiding PRISM-like spying. ⌘"

Mempo is a software project and open team of developers working with Debian and other communities and entities for above mentioned goal.

This is Work in Progress in pre-alpha. Please read source code if you run this for important purposes, until we complete code reviews.

Source code is quite small, we try to have small differences to known-trusted developers and FOSS projects that we modify/repack.

Mempo system structure

Mempo system structure

{i} Learn more about it on Mempo webpage.

See below for Download and Install instructions.

Install Mempo

This is work in progress, but is usable right now :)

Steps:

In ?future installation will be made very easy for everyone.

Downloads

Now Mempo exists as source code in various repositories. Later we will release ready .deb (signed and verifiable) and finally own .deb-repository or in Debian repositories.

By low-security we mean that code is not so thoroughly reviewed yet, or is developed/uploaded from not super-secured computers. But we do develop only on Linux/FOSS, encryption is always used etc - but still we known it's less then perfect.

So this is same as "normal/high" security by common standards :)

Integration with Debian

Mempo team will:

Install with Debian:

Done work

Current work

As of 2014-01:

Plan

As of 2014-01 it is intended for Mempo to:

Mempo aims to be always Open FOSS, and put security as primary matter (e.g. at expense of usability or performance).

Project is in planning and prototyping stage, be patient :)

Found a bug or problem? Why not help us by getting involved:

Get Involved

Micro tasks:

nr

hardness

required

task

?#task1

trivial

Wheezy 64bit, 10 GB hdd, root

1) Build our SameKernel by following instructions there. 2) Contact us with the .deb files created there and sha1sum of them 3) If build instructions where not clear tell us.

?#task2

trivial

Wheezy, user

1) Build our ?Mempo/mempo-deb by following instructions there. 2) Tell us if it worked ; Extra: 3) If on amd64, check the checksums of files are they as expected 4) With root you can install the .deb with dpkg -i foo.deb and use the created programs and test if they work fully (review sources first, or use it on test computer)

Future

The project is a huge amount of work. If you want our work to progress faster, you can do any of following:

Security topics

Privacy

Privacy is strongly protected by software that is included in Mempo. You can also contact us to discuss development or report bugs in a secure and privacy-respecting way. For anonymous talk try tor (with OFTC) or i2p (irc2p) in the Contact section.

Contact

?Contact with us: variety of ways, for secure and privacy respecting communication.

Drafts

External:

Variants

There will be variants, as planned in https://github.com/mempo/deterministic-kernel/blob/master/doc/mempo-variant.txt - versions of mempo that very in security level (e.g. versions of kernel).

Variant good

Good protection. For Desktop. All grsecurity is used, except kmem/IOports.

Therefore video cards should work (on open-source drivers, binary blobs might not work).

/!\ binary gfx drivers will mostly not run (and would ruin security anyway)

Variant goodsrv

Good+ protection. For Server (or compatible desktop). All grsecurity is used, including kmem/IOports.

Therefore video cards only with best drivers will work (might require new/patched Xorg to not use IOports) - recommended for Intel gfx (as of 2013-11 probably requires patching Xorg). /!\ most gfx drivers might not work (in graphical mode) until patched /!\ binary gfx drivers are basically guaranteed to not run (and would ruin security anyway)

Wishlist

Ideas

sl1nk various ideas (evil made, IP, MitM)

#mempo @ irc.freenode.org

<sl1nk> Meanwhile download Debian, i looked your "Threats to security and
anonymity" (https://rawgithub.com/mempo/*). I saw that you don't have a
solution for Identity Spoofing, Man-in-the-middle attack, Evil Maid attack,
phishing, DNS poisoning.
<sl1nk> That makes three categories of attacks, network, web and password
<sl1nk> There are two ways to stop the “evil maid” attack: keeping your boot
partition on a flash drive you carry at all times, or using a checksum value of
the boot sector and boot partition to detect it and change you passphrase.
<sl1nk> The only totally secure defense is to copy /boot onto a flash drive,
install GRUB on that drive, and debug this until you can boot from the flash
drive with the encrypted disk as the root filesytem.
<sl1nk> IP spoofing is a technique where a host sends out packets which claim
to be from another host. Since packet filtering makes decisions based on this
source address, IP spoofing is uses to fool packet filters. It is also used to
hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and
others...
<sl1nk> The best way to protect from IP spoofing is called Source Address
Verification, and it is done by the routing code, and not firewalling at all.
<sl1nk> turning on Source Address Verification at every boot is the right
solution for you
<sl1nk> To do that, insert the following lines somewhere in your init scripts,
before any network interfaces are initialized http://pastecode.ru/8312/
<iRelay> Title: Pastecode Без названия (at pastecode.ru)
<sl1nk> If you cannot do this, you can manually insert rules to protect every
interface.
<sl1nk> MitM-Attack, uses a technique called ARP spoofing, so you need to
filtre/block it.
<sl1nk> With HTTPS or VPN for example.
<sl1nk> For Phishing and DNS poisoning is other way... ;.;

CategorySystemSecurity