Tails removed .iso download links from their site because they thought their users were too stupid to verify a gpg signature.
They replaced it with a browser extension that downloads it and does the verification for you (It tests a SHA256 hash of the binary which it downloads from the browser extension author's site instead of doing a gpg web of trust verification).
The author of the extension itself is Giorgio Maone who "is sorry for inserting obfuscated malware into NoScript, which let ads/scripts pass through tens of thousands of its users filters" and promises he won't do it again: archive.is/HFYjp adblockplus.org/blog/attention-noscript-users
Why is tails punishing its users (just because some people didn't bother to check a gpg sig)? Why did they hire such an untrustworthy person for the job?
Why are they encouraging users to allow them code execution instead of just providing the .iso as a normal link? The alternative is to download it with bittorrent which exposes your IP to the swarm.
you can go through your whitelist and audit it yourself, but there doesn't seem to be any way to change the way it interacts with subdomains
I don't know about alternatives, though ... probably should give RequestPolicy a go, but I'm too much in the habit of using NS
Elijah Parker
Nothing they said has anything to do with mgtow male feminist betafaggots
Nicholas Johnson
>>>/reddit/
Carter Cook
As if your IP isn't exposed to the server when you directly download? I mean I don't necessarily support Tails in their decision but this is the most retarded fucking reasoning for not doing something I ever heard from a supposedly technologically minded individual.
Jace Edwards
the tails server/mirror. 1 or 2 ips.
the bittorrent swarm: any random fucker including people who want to see what IPs are downloading tails.
Does that answer your question?
Jeremiah Powell
Yes you're right, exposing your IP address to literally anyone who bothers connecting to the tracker is exactly the same as exposing your IP address to a single centralized server.
Cameron Miller
...
Lincoln Cruz
tails is tor dude lmao fuck off.
Bentley Foster
I am not sure if you're genuinely retarded or "trolling"
Jack Wilson
Isn't Tor TCP only?
Robert Jackson
They wanted to simplify downloads but they went overboard and actually made it more complicated.
They were probably inspired by Tor Browser's auto-updating (which whatever you think of it actually works well), but they flopped.
Wtf are you doing nigger you can't edit posts on this site
Camden Roberts
Because the NSA totally wouldn't be interested in who connects to tails' server.
Elijah Allen
It is.
Noah Peterson
Hey he kept his word, the feature he added later that sends details of LAN IPs you access to a remote server without asking isn't used to display ads :^)
James Rodriguez
??? SOURCE???
Ian Thomas
You're retarded.
Aiden Parker
They can't if you use Tor, but you can't use Tor to download over BitTorrent. So right now, it will be very difficult to get your tails .iso without broadcasting your IP.
Josiah Carter
>NoScript 2.0rc5 and above extends its protection against DNS rebinding to those attacks which specifically target your router's external (WAN) IP address. In order to protect it, NoScript needs to detect the WAN IP currently exposed to internet web sites by your HTTP requests: for this purpose, NoScript sends a completely anonymous query to the secure.informaction.com/ipecho web service, which provides back this information on a secure channel, typically once a day.
I remember years ago opening up firefox and watching the addresses it connected to, figuring out which belonged to which 'security' addon. By the end of that experience a lot of garbage was uninstalled.
Isaac Jackson
Why can't it be both?
Who says it's mine in the first place?
So it's got part of a proper definition of a botnet, just lovely.
Luis Scott
Tails confirmed for Status: DEPRECATED
Jordan Cox
Tails is deprecated everyone move onto literally another linux distribution that can run as a live distro
Kevin Gonzalez
Well users are too stupid to verify a gpg signature, but making the process even more complicated and easier to subvert doesn't help.
Hudson Smith
You don't know what a botnet is, do you. It's not sending data to NoScript HQ, or to Google, or the NSA - It's making an ipecho query. A secure one at that, seeing as it's over HTTPS
Cooper Peterson
Holy shit, such faggotry. How can you faggots use shit like this?
Jaxson Bennett
Unlike many browsers, Firefox doesn't always isolate an add-on’s functions.
but the image is verified good once you download it so what difference does that make?
Blake Thomas
Stfu. This CoC fiasco is madness here on tech. WHO GIVES A FUCK. Linus gives zero. No one would push him because he codes in c better than the rest.
Julian Martinez
Because no such program will intercept the packet stream and inject an infected .iso
Andrew Baker
but an infected .iso wouldn't verify. that's the whole point of signing it
Jacob Martin
Yes goyim, just ignore them, nothing could possibly go wrong.
Isaiah Walker
the browser extension doesn't check GPG signature, it checks a SHA256 sum.
Why were they making users check with GPG instead of the much much easier task of just running a SHA256 hash on the file and checking?
Jace Roberts
but where do you get the checksum from? if you download it from the same source (compromised website or over mitm'd http) then it still doesn't help
a gpg signature can only be made by someone with the private key. a hash can be made by anyone. if tails devs aren't stupid (i'm not sure anymore) they would make the signature on a separate machine so a website compromise would be obvious when the signature doesn't match. if they do it with just a hash the attacker can just change the hash file at the same time
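The distinction drawn in the post above, a checksum anyone can recompute versus a signature only the private-key holder can produce, as an added example that is not part of the thread or of Tails' own tooling. It uses a Lamport one-time signature built from SHA-256 as a stand-in for GPG so that it runs with only the Python standard library; all names and the sample image bytes are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets, public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(digest: bytes):
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

def sign(sk, data: bytes):
    # Reveal one secret per bit of SHA-256(data); a key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(_bits(H(data)))]

def verify(pk, data: bytes, sig) -> bool:
    want = _bits(H(data))
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(want, sig)))

def publish(sk, iso: bytes) -> dict:
    """What the release machine uploads: image, checksum file, detached signature."""
    return {"iso": iso, "sha256": hashlib.sha256(iso).hexdigest(), "sig": sign(sk, iso)}

def compromised_copy(mirror: dict, other_iso: bytes) -> dict:
    """Model of a compromised site or MITM'd download: the image and the checksum
    file are both replaced. Without the private key the signature cannot be redone."""
    return {"iso": other_iso, "sha256": hashlib.sha256(other_iso).hexdigest(), "sig": mirror["sig"]}

def hash_check(mirror: dict) -> bool:
    return hashlib.sha256(mirror["iso"]).hexdigest() == mirror["sha256"]

def signature_check(pinned_pk, mirror: dict) -> bool:
    # pinned_pk was obtained earlier through a separate channel, not from the mirror.
    return verify(pinned_pk, mirror["iso"], mirror["sig"])

def demo():
    sk, pk = keygen()  # sk never leaves the release machine
    good = publish(sk, b"constructed sample image bytes")
    bad = compromised_copy(good, b"constructed replacement image bytes")
    return {"good": (hash_check(good), signature_check(pk, good)),
            "bad": (hash_check(bad), signature_check(pk, bad))}

if __name__ == "__main__":
    print(demo())
```

The replaced image still passes the checksum comparison because the checksum travelled with it, while the signature check against the previously pinned public key fails.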
Cameron Rodriguez
yet a GPG signature magically fixes this?
nah mate
Isaiah Sanders
also since we are getting technical:
tails isos are hosted on mirrors (different servers, not run by the actual tor guys) that somehow have the same domain name as the tor site - I do not know what their rationale for doing this is... but that is why the iso is a http [not https] download.
the signature/hash is hosted with https though, so surely it's magically safe because we know the central certificate authority model is looking out for us. /s
Daniel Flores
Take your samefagging and ebin deprecated maymay with you to >>>/reddit/.
Leo Ross
More like amrite?
Austin Myers
obviously you have to verify their key out of band the first time you use it. once their identity is established you can download all future releases from 3rd party mirrors and verify they haven't been fucked with
nice
Oliver Brooks
You can download with BitTorrent
Good thing tbh.
Jason Perry
See
A solution to your non-problem.
Gabriel Flores
no one ever uploads malicious torrents :^)
Connor Campbell
The amount of stupidity in this thread from both sides is why I dislike avid supporters of Tor. I wouldn't mind a backdoor in Tor, maybe then the feds will v& all the retards and they'll finally shut the fuck up. Oh wait! Tor is funded by the government and was started by the US Navy LOL LOL LOL
oh so you're crying because you can't abuse the devs and expect them to put up with you i thought you might be complaining about something real
Connor Anderson
Good thing that you can't be abusive to men and that the "abuse" was targeted at real devs instead of "packagers active in the privacy space" like Erinn Clark, right?
Luke Green
Sounds like they're as tired of the "jews develop tor" meme as the rest of us.
I give a shit. There was a brief period in 2014 in between Holla Forums banning gg and moot cucking Holla Forums where threads didn't get derailed by fucktards. It was a glorious time.
Oliver Cook
Was that the same period when there was a holocaust denial thread on the front page for a week, and there wasn't a single idiot getting triggered by hot opinions who posted in it?
James Williams
If you actually kept to your own thread it wouldn't be a problem. Same with bronies and pedos on Holla Forums. But then here you are derailing a thread about shitty security with some bullshit about jews.
What ever happened to Deutschland den Deutschen? Can't we just have Holla Forums threads for techies?
Alexander Reyes
I'm neither from Holla Forums, nor the user who posted about Jews. My first post ITT was here .
If you want that, either get /a/'s moderation or /tg/'s political leanings. Either way, it's probably too late.
Christopher Ward
Oh, my bad. So what's the story with the Erinn Clark thing anyway? I heard the bit about Andrea Shepard getting shit on twitter and she seems ok. Like, she was against banning that guy from lambdaconf for example. It doesn't really sound that bad to want people to stop posting crazy rants on your dev mailing list.
Jack Fisher
Pretty much what I said: Diversity hire from Debian Women, started as a packager and key signer before being relocated to the "privacy space", no one ever said anything about it despite Tor having competent female devs, and the only Tor dev other than Appelbaum mentioned on /g/. Like Andrea Shepard however, I don't think the hacker known as 4chan targeted her, but she did back the methwhale's money laundering scheme.
bump because massive retarded decision. Education would have been better than removing the links outright.
Carter Miller
I agree
Michael Clark
christ on a bike
Lucas Cox
A bittorrent swarm (with GPG) and a Firefox only addon that only checks the 256sum of in binary file is somehow safer? Firefox's addons have never ever had issues, not even recently where addons could hijack the features of other addons due to the lack of a sandbox. Nope never. Who checks the far bottom right hand corner though? Usually the only things there are (R) and (C). Also who usually follows steps these days, what with super important fast-paced lives and such? Reading? GTO nerd. Hopefully obvious sarcasm.
Henry Price
Being this triggered by a single word
Ryan Ross
isn't tails just a shitty live iso that happens to run everything in tor
couldn't you do that with any fucking live iso and just install tor?
Connor Baker
you wouldn't know if you were leaking sensitive data. tails only has the one network available so everything goes through it. installing and configuring all the privacy enabled tools would also get annoying if you had to do it every time
Cameron Rogers
If Anons haven't figured it out from you can still download from dl.amnesia.boum.org/tails/stable even though it's fucktarded how hidden it now is.
Obvious troll.
Landon Baker
Fuck man I hope Tails and Whonix switch to a non-systemd soon
but i bet they'll never do it
Jonathan Sanders
starting to think Holla Forums is just that dumb
Grayson Barnes
Something fishy is going on. It seems very odd that they would outright call the direct download unsafe and then try to direct all the users to install a browser add-on which can be used to invade your privacy.
Christopher Turner
i prefer whonix in qubes. you can set up a tails like disposable vm so it discards changes when you close it
Joseph Lewis
This. This doesn't make any sense.
Dominic Jones
18:05 < riskc> when clicking on "install tails" on tails.boum.org, it reads "Installing Tails can be quite long but we hope you will still have a good time :)". Well, the process is artificially prolonged by the site maintainers. Why does one have to click oneself through a big wizard and is not just presented a direct iso dl link like in the past??
Nicholas Ward
| |> | |3 |
Carson Reyes
| | | |3=> |
Jeremiah Sanchez
The backdoor will be found soon. You'll see it soooonnnn (tm).