Will ParanoidLinux Protect the Truly Paranoid?

ruphus13 writes "There are still places on the world where having anonymity might mean the difference between life and death. Covering one's tracks is considered to be of such paramount importance that we are now witnessing the rise of a Linux distro catering to the most paranoid. The 'alpha-alpha' version of ParanoidLinux is now out. But is this the best way to protect oneself? Couldn't it be easily circumvented? The article asks, 'Why is it necessary to put the applications and services designed to protect anonymity, to encrypt files, to make the user nameless and faceless, all together, in one distribution? Let's think in a truly paranoid manner. Wouldn't it be far easier for a nefarious government organization to target that distribution's repositories, mirror that singular distribution's disk images with files of its own design, and leave every last one of that distribution's users in the great wide open?' What should truly paranoid user do?"

Borrow wifi - get someone to type for you

[presidenteloco]

1. Always borrow random open wifi access points,
in a geographic pattern not centered around your habitual location
2. Get a new unknowing assistant to type in roughly what you want to say each time. There are pattern detectors for your ways of expressing things.
3. Establish online identities such as gmail that have no tie whatsoever to any of your identity info or financial info

Just not in a public place.

[RockoTDF]

The truly paranoid user should get use a liveCD with a mac address scrambler off of a wireless connection that does not belong to them.

Re:True open source question

[cdfh]

Ken Thompson talks about using untrusted compilers in his lecture, "Reflections on Trusting Trust" [bell-labs.com].

(See also: this [scienceblogs.com])

Sorry, Ken Thompson (brain fart...)

[Giant Electronic Bra]

"It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust."

http://en.wikipedia.org/wiki/Backdoor_(computing) [wikipedia.org]

Re:well

[NFN_NLN]

What should truly paranoid user do?

get help?

get BSD?

Seriously, there is already an OS aimed at security... OpenBSD:

"Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography."

"Audit Process:

Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills."

Re:True open source question

[Anonymous Coward]

Extreme paranoia is justified if you're, say, a whistle blower in Myanmar, or something like that, and you need to use a computer to expose your findings to some place like wikileaks. It is not unreasonable to trust widely used, scrutinized, and verified tools and encryption methods. Obviously, the most secure thing to do is to live a hermetic life in a cave and never touch a computer or interact with people. However, a high degree of security can be reached by making some reasonable assumptions and relying on widely verified security tools.

It is necessary to have a baseline of faith, say:

• Trust that Linux will not somehow betray your identity
• Assume your hardware is trustworthy and ubiquitous
• Trust an open encryption software implementation, such as GPG
• Trust and verify the sources of the code for all of the above (which implies building these yourself from source, except the hardware of course)

Then the safest thing to do is to use the above software to create your own high-grade encryption keys, and be EXTREMELY CAREFUL when using your computer. This means you would have to sacrifice usability and convenience in order to ensure your anonymity. Staying off the Internet is very good advice, and do not use any software that might cache unencrypted data anywhere on your disk. Learn the basics of public key encryption, and make sure your password-protected private key(s) is in a secure location, maybe locked in a safe on an encrypted storage device. If you do use the Internet, remember that while encrypted data is unreadable, its presence on a network is obvious and easily detectable.

Basically, your level of security on a computer increases as you control more of the lower-level components of the system. A secure-by-default distro, such as the one mentioned here, requires much oversight and verification by experts. The most secure way is to empower yourself with knowledge of how encryption and computers work and how to use verified and well-known tools tools that have been vouched by good research.

A paranoid user should use this

[xant]

I think a lot of people misunderstand the concept of "single point of failure". With all of this stuff in one place, yes, there's only one place that attackers need to attack. But there's also only one place that defenders need to defend. The alternative is that all these security programs remain scattered in lots of places on the Internet. True, attackers probably won't be able to subvert more than a couple of those, but it only takes one flaw in your security for them to get you. If you subverted GPG, it doesn't matter much that TrueCrypt is still working for you. If someone subverted SSL, or DNS, and it doesn't matter much that the Linux Kernel is still secure. Best to get everything from one place, and make sure that one place is really, REALLY damn secure.

Chuck Moore has done this...

[EmbeddedJanitor]

http://en.wikipedia.org/wiki/Charles_H._Moore [wikipedia.org] designed his own language (Forth), an OS, chip design software and designed his own CPUs.

I'd say he's well on his way to achieving this.

For anonymity as well as security

[Beryllium Sphere(tm)]

Someone could resurrect the Anonym.os [sourceforge.net] project, an OpenBSD live CD with anonymity tools.