Will ParanoidLinux Protect the Truly Paranoid? 236
ruphus13 writes "There are still places on the world where having anonymity might mean the difference between life and death. Covering one's tracks is considered to be of such paramount importance that we are now witnessing the rise of a Linux distro catering to the most paranoid. The 'alpha-alpha' version of ParanoidLinux is now out. But is this the best way to protect oneself? Couldn't it be easily circumvented? The article asks, 'Why is it necessary to put the applications and services designed to protect anonymity, to encrypt files, to make the user nameless and faceless, all together, in one distribution? Let's think in a truly paranoid manner. Wouldn't it be far easier for a nefarious government organization to target that distribution's repositories, mirror that singular distribution's disk images with files of its own design, and leave every last one of that distribution's users in the great wide open?' What should truly paranoid user do?"
Suggestion (Score:5, Insightful)
Re:Suggestion (Score:5, Funny)
Are you talking about me?
Re: (Score:2, Funny)
Re:Suggestion (Score:5, Informative)
Just because you're paranoid
doesn't mean they're not out to get you.
Remember, this is the same "they" that
are responsible for every negative thing
that affects you. They are very powerful,
and pretty much omniscient, and although
you are boring, they are not bored
observing and foiling your every move.
Re: (Score:2)
After the recent debates we(US'ians) know it its certain that the illuminati are not only tedious and uninspired but they can't even make original, decent movies. [note: illuminati==American government==Hollywood]
Re: (Score:2)
Plus it is more fun to mess with paranoid people.
Re:Suggestion (Score:5, Funny)
reminds me of this:
In The Know: Is The Government Spying On Paranoid Schizophrenics Enough?
http://www.theonion.com/content/video/in_the_know_is_the_government [theonion.com]
It's a fucking plot! (Score:2)
They are a part of the conspiriakii! They are trying to lull you into false security! GET OFF THE GRID! Burn your credit cards! Burn your drivers license! Burn your birth certificate! GO FAR AWAY!!!!
Re:Suggestion (Score:5, Funny)
The truly paranoid user should get some help...
So says one of the brainwashed masses. Have you considered that perhaps the only reason you don't believe that the government is reading and writing your thoughts is because you have been programmed to think that way? And have you considered that perhaps the paranoid aren't crazy but they only appear that way because you have been programmed to think that way?
Of course not! This level of introspection would require you to break free of your programming. And even if you were able to independently do so, without wearing a psychotronic radiation deflector beanie you would just be reprogrammed in an instant.
For the rest of us 'paranoids' I recommend that we hunker down and reinforce each others 'crazy' ideas. After all, we are the only ones who recognize our thoughts for what they are: sanity. And no, we don't consider our criticizing of the lack of introspection of the brainwashed masses to be hypocrisy because we *know* that we are right, unlike the brainwashed masses who are programmed to think that way.
Re: (Score:3, Funny)
Actually, I know for a fact that it is you who has been brainwashed into that state of paranoia: I work for a government agency which does that to people, simply for the entertainment value. Nice to see our out work here too: I rarely get to interact with our subjects!...
Where do you think those 700 thousand million dollars are going to? The whole crash thing is just cover up: that money is coming directly to us. I'll look up your file on Monday first thing in the morning.
Re: (Score:2)
I'm sorry, but i can't tell you... that the 700 billion (as in 700 thousand million for the non-retarded) go into our new project, to brainwash you into thinking you are brainwashing others, while in fact you live in gel filled containers in giant towers, with a giant probe up your ass. I heart it's for "power" or something. But I'm not sure what kind of "power".
Oh well... I have to take my blue pill and get started working. See you later...
Re: (Score:2)
You know how you take that blue pill and wake up 8 hours later with your hair smelling slightly of faeces?
Yeah, its not for power. One things for sure, its goddamn funny!
Back to tracking down that guy who leaked images to goatse.cx! Cyas!
Re: (Score:2)
>... Have you considered that perhaps the only reason you don't believe that the government is reading and writing your thoughts is because you have been programmed to think that way?
No. I never drink tap water.
Re: (Score:2)
I work for the company that makes Faradays cages. We make them out of plastic, because its cheaper :P
Comment removed (Score:4, Funny)
Re: (Score:2)
Re: (Score:2, Funny)
Re: (Score:3, Funny)
Actually I'd probably be better off not knowing - it's probably someone from
Re: (Score:2)
It's Basement Cat, duh!
well (Score:2, Insightful)
What should truly paranoid user do?
get help?
Re:well (Score:5, Interesting)
What should truly paranoid user do?
get help?
get BSD?
Seriously, there is already an OS aimed at security... OpenBSD:
"Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography."
"Audit Process:
Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills."
Re: (Score:3, Informative)
Paranoid people need to ensure that things like Banshee in Gnome don't perform the "Similar Artists" lookup in case the RIAA is watching, or they are in a place where the internet is restricted, or where there taste in music could get them in trouble.
Then there is the issue of cached files, Gnome by default keeps a listing of all the files you open, it keeps a thumbnail of image that appears in Nautilus. You need to disable a
Re: (Score:3, Informative)
You must be secure FIRST.
Otherwise you are not anonymous.
For anonymity as well as security (Score:3, Interesting)
Someone could resurrect the Anonym.os [sourceforge.net] project, an OpenBSD live CD with anonymity tools.
Re: (Score:3, Funny)
God damn it, you gave me an excuse.
Re:well (Score:4, Funny)
Re: (Score:3, Funny)
but can the author be trusted?
Re: (Score:2, Funny)
Only if the self help book is self authored by the paranoid individual.
Re:well (Score:5, Funny)
OBVIOUSLY the paranoid individual will not allow anyone else to see the self help book, let alone publish it.
Also, the self help book will be written freehand in blood. Every time the paranoid reads the book they will DNA test the blood to ensure that it is their own blood. DNA tests are ofcourse done in house and using tools that the paranoid has already assembled based on research that they have done themselves.
Still, there is a risk of clone operatives... but isn't there always?
TinfoilHat is much better (Score:2, Funny)
Re: (Score:2, Funny)
It sets up fairly easily and once you've got it running no one will ever come near you again ... to harm you.
They just want you to think that tinfoilhats protect you. Actually, they work as antennas.
Re: (Score:3, Funny)
Don't forget the floor and to duct-tape the doors and windows.
No, no, no, it has to be red construction tape! [imdb.com]
Re: (Score:3, Informative)
LIES!!! User johndmartiniii (obviously an alias) wants us to use tinfoil as a signal blocker. Fortunately I have found a copy of the study on tinfoil the Reptoid scientific community tried to bury. It's On the Effectiveness of Aluminium Foil Helmets: An Empirical Study [mit.edu]
Re: (Score:2)
On the Effectiveness of Aluminium* Foil Helmets: An Empirical Study [mit.edu]
I can't believe that they didn't coat the tinfoil hats with wax!
Any paranoid knows that wax actually reflects all RF!
The whole experiment has to be redone with a wax coating. I suggest dipping each hat in a vat of candle wax with one extra as a control.
By the way, ear wax is not a substitute.
*Alumimium? MIT? Shouldn't that be Aluminum???
The obvious answer (Score:4, Funny)
Trust no one?
Re:The obvious answer (Score:4, Funny)
"Stay Alert! Trust No One! Keep Your Laser Handy!"
and
"Trust The Computer. The Computer is Your Friend."
Re: (Score:2, Funny)
Re: (Score:2)
"Citizen, please report to the R&D department for your mandatory volunteer program. Have a nice day"
(If you don't don't have UV clearance, don't read past this point. Reading the following text without UV clearance is considered treason)
But the best quote is still: All rules are optional, some are even more optional than the others.
Re: (Score:2)
Trust no one?
Nope. Trust yourself, trust Ivanova. Anybody else, shoot 'em.
Hermit (Score:5, Insightful)
A truly paranoid person would be suspicious of absolutely everyone and everything. That would mean writing your own OS on your own hardware etc etc.
Since this is impossible, go and live in hiding with no human contact or chance thereof.
Why would you download this 'super-safe' OS from some people you never met, through a public unencrypted network, if your life depended on it?
Chuck Moore has done this... (Score:4, Interesting)
I'd say he's well on his way to achieving this.
Re: (Score:2)
http://en.wikipedia.org/wiki/Charles_H._Moore [wikipedia.org] designed his own language (Forth), an OS, chip design software and designed his own CPUs.
I'd say he's well on his way to achieving this.
You would still be communicating through someone else's network though.
Are you relying on any chips from anyone else or are you constructing all the hardware yourself (including RAM, hard drive, network card etc)?
Point is, unless you build everything in the entire loop (including the machines on the other end of the link) you can't know that there aren't secret backdoors built in or eavesdroppers on your network. Even then, who says that what's on the other end of the link is the person you were supposed to
Re: (Score:2)
This one? Probably not. Maybe a later version. Trust in software and systems is built the same way trust in people is built: with time to wait for failures and exposure to the principles. Casual people will try it out first, find the problems, and then maybe in 5 years it'll be trustworthy enough to use.
Nothing is 100% trustable. There is a nonzero chance that your perfectly secure software will spontaneously reconfigure itself into a spying device for the Chinese, just based on the laws of probability
Re:Hermit (Score:4, Informative)
But there's no reason to ask whether or not the truly paranoid would be willing to use Paranoid Linux, because it's not aimed at them. It's just a clever name. It's aimed at people who actually have a rational fear that someone's out to get them. (Note that, if everyone really was out to get you, and you knew that they were, it would be impossible for you to be paranoid. The following is not an actual instance of Godwin's Law because I'm not using this to counteract anybody's argument, it's just an actual good example: while Hitler's often been described as paranoid, it would actually have been impossible for him to have been paranoid. Nearly every person in the world really did have potential reasons to be out to get him.)
So this is aimed at people like political dissenters in oppressive countries. They aren't paranoid, but in many ways they act like paranoid people, because it truly is possible, or even likely, that someone really is out to get them.
The main thing I worry about is that the mere presence of Paranoid Linux installed on your machine will be grounds for prosecuting you in the places where it's most needed. Is Paranoid Linux paranoid enough to make itself appear indistinguishable from Windows? Can Paranoid Linux run in the background as a stealth rootkit on Windows that you can't even find or access without secret, user-specifiable knowledge?
Re: (Score:2)
Why would you download this 'super-safe' OS from some people you never met, through a public unencrypted network, if your life depended on it?
As opposed to downloading (or buying) an OS from some people you never met through a public unencrypted network?
Seems like if my life depended on privacy this would be a pretty viable choice (at least once it's out of alpha).
Re: (Score:2)
Surely the person who truly wants to preserve their privacy, whether for legitimate or illegitimate reasons, legal or illegal, moral or immoral, would not want to draw attention to him/herself by using an OS that less than 1% of the world population uses?
Seems to me that using a homegrown OS, or even Linux, is tantamount to waving a big red banner labelled "Hey! I use a non-orthodox OS and am technically competent! I am likely to have secured my data in a comparatively unusual fashion!" Sure, technology lik
Re: (Score:2)
compile it where? using what?
Re: (Score:2)
I think you missed my point entirely, the compiler would have to hand coded in assembler, because a precompiled binary you could easily corrupt and inject stuff into your code.
So he would have to be able write a compiler in assembly (or atleast under stand it) then understand every language used in the OS.
Re: (Score:2)
Hand assemble. Not too hard. But then you need to trust there are no 'errata' (that's what they want you to call their super-spy code!) in the processor/bios/assorted hardware.
Re: (Score:2)
A compromised compiler can be maliciously modifying the compilation result of known programs (such as itself, a login program, etc).
But it cannot correctly modify programs in general. For that it would probably need to solve the Halting Problem.
Based on an idea from Cory's book (Score:4, Informative)
Re: (Score:3, Funny)
Pfffft (Score:2)
Get real (Score:2)
knock knock knock (Score:2)
.. we found you.. :-)
True open source question (Score:5, Insightful)
If you do not examine the source, how can you trust any piece of software? You are in effect agreeing to trust the unknown people that have looked at the source. Except in the case of a smallish distribution nobody may have actually looked into that particular distribution in any detail at all.
Of course, there is a greater issue of trust. If you accept chips made by unknown fabricators, do you know what microcode has been implemented? If you cannot examine the "source code" of the chips being used how can you actually trust that these chips are not doing things behind your back to reveal your identity and files?
So without a truly "open" computer, you are trusting a whole raft of unknown individuals and companies with your identity, your data, your reputation.
Moreover, if you are not knowledgeable about programming languages, using any computer is an act of utter faith with plenty of reason to not be so trusting. It is like climbing a mountain with a guide that only lost "a few" parties last year.
Re: (Score:2)
but how can you know the source code your running is what youve been shown?
even if you compile it all you have to assume your using a clean compiler.
Re: (Score:2, Insightful)
You implement your own compiler in assembly, on open chips, and then you compile a checked version of gcc with the compiler you built and go on from there.
Obviously. :p
Re:True open source question (Score:4, Interesting)
Ken Thompson talks about using untrusted compilers in his lecture, "Reflections on Trusting Trust" [bell-labs.com].
(See also: this [scienceblogs.com])
Re: (Score:3, Insightful)
Great, and really cool, thought experiment. However, you can hand-assemble fairly easily (I wouldn't, though) and then you don't even need to trust so much as an assembler.
For the paranoid but lazy - check the C source for spies, compile to assembler, check the assembler and make sure it matches the C code, then hand-assemble.
Or write your own quick and dirty C compiler, use it to compile GCC, then compile it with itself so you get the nifty optimizations.
Re: (Score:2)
.
It gets even better:
You've read the source.
Do you trust the people who taught you how to read the source?
Do you really understand what is going on here - not only on paper but in the real world?
For example: the code implements a cryptographic or routing algorithm that looks sound or at least plausible.
But you were never that strong in math or t
easy answer (Score:5, Insightful)
"What should truly paranoid user do?"
Stay off the internet.
Re: (Score:2)
"What should truly paranoid user do?"
Stay off the internet.
That's what Bernardo Provenzano, once boss of the Sicilian Mafia did until he got arrested, Maybe he'd have fared better with AES rather than his caesar cypher:
http://www.theregister.co.uk/2006/04/19/mafia_don_clueless_crypto/ [theregister.co.uk]
Re: (Score:2)
More like "start a newsletter".
Re: (Score:2)
Of course that sounds obvious, but it sounds too easy; therefore it must be exactly what they want us to do!
Borrow wifi - get someone to type for you (Score:5, Interesting)
1. Always borrow random open wifi access points,
in a geographic pattern not centered around your habitual location
2. Get a new unknowing assistant to type in roughly what you want to say each time. There are pattern detectors for your ways of expressing things.
3. Establish online identities such as gmail that have no tie whatsoever to any of your identity info or financial info
What do do? (Score:3, Informative)
What should truly paranoid user do?
Pull the tinfoil hat down tighter....
Quite Franky (Score:5, Funny)
This slashdot story was posted to get us to use Paranoid Linux, which can only mean that some one planted a backdoor in it.
Paranoia (Score:2, Insightful)
The truly paranoid are irrational and contradictory.
They do things like refuse to fly on planes because the government obviously staged 9/11 and killed all of those people on the planes, so they don't want to become a part of that. But they'll work in the same areas that would be likely targets if another round of 9/11-esque hijackings occurred. They do things wrap everything in tin foil to keep the mind control/thought reading beams out, but happily sit in conspiracy theory forums all day, and go to work
Re: (Score:3, Funny)
What? Who let the liberal arts major in here?
Just not in a public place. (Score:4, Interesting)
Re: (Score:2)
Wasn't this the idea behind the OS agnostic peekabooty, Tor, et. al.
Then again ctunnel rolled over faster than an SUV with Firestones [tgdaily.com] and their site still says "Ctunnel is here to protect your anonymity online!" Even though their approach, technology, and the fact that they even keep logs is pretty freaking stupid.
The truly paranoid shouldn't be online (Score:2, Funny)
Forget Linux, throw away all electronic devices, and follow these handy tips:
1. Preferably find a wife/husband related to you (the closer the better, because you can trust your blood kin more, but avoid anything closer than 3rd cousins if possible).
2. Squat on a large remote property you don't own (preferably somewhere considered by other folk to be inhabitable).
3. Have 10-50 kids (more than that and you might just be inviting mutiny).
4. Teach kids to how to hunt, fish, and guard the perimeter of the proper
Re: (Score:2)
"3. Have 10-50 kids (more than that and you might just be inviting mutiny)."
4. Let each of those kids have another 10-50 kids.
5. Outbreed the rest of the country eventually(or settle in Liechtenstein for quicker results)
6. Elect yourself as head of state or use your numbers to start a rebellion
7. Use your country to take over the world
8. ??????
9. Profit
(10. Realise that being paranoid pays off)
Feeble... (Score:2)
In any case an effort like this is, for the truly paranoid, feeble. The mechanisms available, proven mechanisms, are well known.
First of all you cannot trust any binary which was compiled with a toolchain which is not itself trusted at least as much as the code you are compiling. It is a well known fact that Ken Ritchie (IIRC it was he) added a block of code to pcc (the portable C compiler) which detected the compilation of the 'login' program and added a back door to it. Then he also added a piece of code
Sorry, Ken Thompson (brain fart...) (Score:3, Interesting)
"It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) asp
Re: (Score:2)
Re: (Score:2)
"Ken Ritchie (IIRC it was he)" - haha that's funny :)
Re: (Score:2)
"It would be at best VERY difficult to know that some similar technique was not used on any given distribution."
here is an interesting counter:
http://www.dwheeler.com/trusting-trust/ [dwheeler.com]
Even more troubling (Score:2)
In these jurisdictions.. wouldn't the fact that you've downloaded/used ParanoidLinux suggest you have something to hide, and hence need to be sent to a re-education though labour camp?
AC (Score:2)
I'm really disappointed this story was not submitted by Anonymous Coward.
This is probably not a unique source (Score:2)
If you don't or can't trust the single distribution's integrity, there's an easy alternative that no one seems to have mentioned. You can always check which tools ParanoidLinux includes and how they are conf
For the complacent, (Score:2)
It's worth pointing out that the USA and Canada are among jurisdictions where having anonymity might mean the difference between life and death, thanks to the existence of Extraordinary Rendition (for example the cases of Maher Arar, [www.cbc.ca] and other Canadian citizens who have been kidnapped and tortured at the US/Canada border) and Guantanamo Bay (where due process is suspended, and several inmates have died).
uh, (Score:2)
This is a non-issue! (Score:2)
Re: (Score:2)
Yeah, remember when some bozo was doing static code analysis on Debian's SSL implementation?
He removed a 'finding' that resulted in Debian generating very weak keys.
The flaw has been attributed to incompetence, but who is to say it wasn't malice?
I think there was another story that had something to do with some dirstro leaking the password to their package respository. Actually, I think that may have also beeen Debian.
Re: (Score:2)
A paranoid user should use this (Score:4, Interesting)
I think a lot of people misunderstand the concept of "single point of failure". With all of this stuff in one place, yes, there's only one place that attackers need to attack. But there's also only one place that defenders need to defend. The alternative is that all these security programs remain scattered in lots of places on the Internet. True, attackers probably won't be able to subvert more than a couple of those, but it only takes one flaw in your security for them to get you. If you subverted GPG, it doesn't matter much that TrueCrypt is still working for you. If someone subverted SSL, or DNS, and it doesn't matter much that the Linux Kernel is still secure. Best to get everything from one place, and make sure that one place is really, REALLY damn secure.
The 'alpha-alpha' version of ParanoidLinux? (Score:2)
What paranoid person uses a Beta let alone an Alpha? What is an alpha alpha anyway?
My understanding is:
- Beta = feature complete but bugs mean it's not to be relied on in a prod environment
- Alpha = not yet feature complete, no where near ready for prod
So does Alpha alpha mean vaporware?
Re: (Score:2)
Linux is too big to be secure. (Score:2)
The truly paranoid don't trust any code they can't verify themselves. Linux is too big to be secure.
Re: (Score:2)
Why stop there? Why assume that your CPU is secure? The truly paranoid don't trust any computer they didn't build themselves from transistors.
Re: (Score:2)
"truly paranoid need drugs not Linux."
The two are not mutually exclusive.
I grew up in a country like that... (Score:2)
so idea is not foreign to me. But having something that confidential on a laptop is not a good idea anyway.
And if the evil government suspects you have something important on your laptop, they won't even try to break in, they will go straight to torture until you tell them.
Re: (Score:2)
Re: (Score:2)
Use SSL. Should be safe. Or maybe a SFTP to the FTP server. These questions should seriously be asked. Try to be Eve and break( tap/alter/corrupt) the connection between Alice and Bob.
Re: (Score:2)
Right... so you wouldn't negotiate with the server. I'm not sure what you're saying. If you don't have a secure connection, you make do with no connection. There's no "oh well, I tried to do it securely, but it didn't work."
Re: (Score:2)
And my point was, and this is the point that cryptographers make all the time, if you cannot establish a secure channel for communicating information, do not communicate information. And yes, that may mean that you can't download a linux distribution.
"Use SSL" isn't necessarily the solution in all cases, but I'd be willing to bet that "use cryptography" is.
Re: (Score:3, Funny)
You forgot to scrub down your body with a high-level disinfectant (potentially traceable commensal bacteria on your skin). After that, you'll have to spend the rest of your life in a full-body skin garment (DNA from shed skin cells). And you'll have to wear a full-helmet respirator (exhaled trace chemicals from your bloodstream, potentially traceable). And your suit will have to contain and reprocess all your wastes (DNA from epithelial cells in your urine/feces). And you can never speak a word (identif
Re: (Score:2)
I thought the only way to be sure was to nuke it from orbit?