Tails removed...

Tails removed .iso download links from their site because they thought their users were too stupid to verify a gpg signature.

They replaced it with a browser extension that downloads it and does the verification for you (It tests a SHA256 hash of the binary which it downloads from the browser extension authors site instead of doing a gpg web of trust verification).

The author of the extension itself is Giorgio Maone who "is sorry for inserting obfuscated malware into NoScript, which let ads/scripts pass through tens of thousands of its users filters" and promises he wont do it again: archive.is/HFYjp adblockplus.org/blog/attention-noscript-users

Why is tails punishing its users (just because some people didn't bother to check a gpg sig)? Why did they hire such an untrustworthy person for the job?

Why are they encouraging users to allow them code execution instead of just providing the .iso as a normal link? The alternative is to download it with bittorrent which exposes your IP to the swarm.

UPDATE: there is a massive issue with tails mirrors. see paste.debian.net/hidden/7270090c

Other urls found in this thread:

tails.boum.org/contribute/working_together/code_of_conduct/
hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
helpnetsecurity.com/2015/07/01/researchers-point-out-the-holes-in-noscripts-default-whitelist/
paste.debian.net/hidden/7270090c
secure.informaction.com/ipecho
addons.mozilla.org/en-US/firefox/addon/noscript/privacy/
archive.is/DGgkW
dl.amnesia.boum.org/tails/stable/tails-i386-2.2.1/tails-i386-2.2.1.iso
en.wikipedia.org/wiki/Jacob_Appelbaum#Personal_life
youtube.com/watch?v=0SgGMj3Mf88
youtube.com/watch?v=fOwYgAS4TXE
onlineabuseprevention.org/letter-to-icann-july-2015/
dl.amnesia.boum.org/tails/stable

WTF! This is outrage.

if you disagree with tails you're OBVIOUSLY an NSA shill that is fear mongering or an MRA self loathing bigot
:^)

or gamergate

Thy even have Codes of Conduct now:
tails.boum.org/contribute/working_together/code_of_conduct/

too bad they don't follow it

have you even read it?

>>>/mgtow/

not really just skimmed it for the bold bits

If you didn't read it, they are going full SJW

;^)

wait WHAT THE FUCK

its ok he is "sorry" (for getting caught) and wont do it again!

yep
hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

see also this (much more recent) article.
helpnetsecurity.com/2015/07/01/researchers-point-out-the-holes-in-noscripts-default-whitelist/

you can go through your whitelist and audit it yourself, but there doesn't seem to be any way to change the way it interacts with subdomains

I don't know about alternatives, though ... probably should give RequestPolicy a go, but I'm too much in the habit of using NS

Nothing they said has anything to do with mgtow male feminist betafaggots

>>>/reddit/

As if your IP isn't exposed to the server when you directly download? I mean I don't necessarily support Tails in their decision but this is the most retarded fucking reasoning for not doing something I ever heard from a supposedly technologically minded individual.

the tails server/mirror. 1 or 2 ips.

the bittorrent swarm: any random fucker including people who want to see what IPs are downloading tails.

Does that answer your question?

Yes you're right, exposing your IP address to literally anyone who bothers connecting to the tracker is exactly the same as exposing your IP address to a single centralized server.

...

tails is tor dude lmao fuck off.

I am not sure if you're genuinely retarded or "trolling"

Isn't Tor TCP only?

They wanted to simplify downloads but they went overboard and actually made it more complicated.

They were probably inspired by Tor Browser's auto-updating (which whatever you think of it actually works well), but they flopped.

>UPDATE: there is a massive issue with tails mirrors. see paste.debian.net/hidden/7270090c

Wtf are you doing nigger you can't edit posts on this site

Because the NSA totally wouldn't be interested in who connects to tails' server.

It is.

Hey he kept his word, the feature he added later that sends details of LAN IPs you access to a remote server without asking isn't used to display ads :^)

??? SOURCE???

You're retarded.

They can't if you use Tor, but you can't use Tor to download over BitTorrent. So right now, it will be very difficult to get your tails .iso without broadcasting your IP.

>NoScript 2.0rc5 and above extends its protection against DNS rebinding to those attacks which specifically target your router's external (WAN) IP address. In order to protect it, NoScript needs to detect the WAN IP currently exposed to internet web sites by your HTTP requests: for this purpose, NoScript sends a completely anonymous query to the secure.informaction.com/ipecho web service, which provides back this information on a secure channel, typically once a day.

addons.mozilla.org/en-US/firefox/addon/noscript/privacy/

I remember years ago opening up firefox and watching the addresses it connected to, figuring out which belonged to which 'security' addon. By the end of that experience a lot of garbage was uninstalled.

Why can't be both?

Who says it's mine in the first place?

So it's got part of a proper definition of a botent, just lovely.

Tails confirmed for
Status:
DEPRECATED

Tails is deprecated
everyone move onto literally another linux distrobution that can run as a live distro

Well users are too stupid to verify a gpg signature, but making the process even more complicated and easier to subvert doesn't help.

You don't know what a botnet is, do you. It's not sending data to NoScript HQ, or to Google, or the NSA - It's making an ipecho query. A secure one at that, seeing as it's over HTTPS

Holy shit, such faggotry. How can you faggots use shit like this?

Unlike many browsers, Firefox doesn't always isolate an add-on’s functions.

archive.is/DGgkW - [arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/]

You're still not getting the point, before all of this crap, you were able to download the .ico over Tor, plain and simple.

But now you either:
a. go through the weird new process of downloading the image from their server
b. get it through BitTorrent, exposing your IP

Of course you can hide your IP when downloading the torrent, but it's still making things harder when they shouldn't have to be.

In this step, you will download the latest Tails ISO image and verify it using the Tails signing key. Download the ISO image: wget --continue dl.amnesia.boum.org/tails/stable/tails-i386-2.2.1/tails-i386-2.2.1.iso

it is HTTP not HTTPS.

lol.

but the image is verified good once you download it so what difference does that make?

Stfu. This coc Frasco is madness here on tech. WHO GIVES A FUCK. Linus gives zero. No one would push him because he codes in c better then the rest.

Because no suck program will intercept the packet stream and inject a infected .iso

but an infected .iso wouldn't verify. that's the whole point of signing it

Yes goyim, just ignore them, nothing could possibly go wrong.

the browser extension doesn't check GPG signature, it checks a SHA256 sum.

Why were they making users check with GPG instead the much much easier task of just running a SHA256 hash on the file and checking?

but where do you get the checksum from? if you download it from the same source (compromised website or over mitm'd http) then it still doesn't help

a gpg signature can only be made by someone with the private key. a hash can be made by anyone. if tails devs aren't stupid (i'm not sure anymore) they would make the signature on a seperate machine so a website compromise would be obvious when the signature doesn't match. if they do it with just a hash the attacker can just change the hash file at the same time

yet a GPG signature magically fixes this?

nah mate

also since we are getting technical:

tails isos are hosted on mirrors (different servers, not run by the actual tor guys) that somehow have the same domain name as the tor site - I do not know what their rational for doing this is... but that is why the iso is a http [not https] download.

the signature/hash is hosted with https though, so surely it's magically safe because we know the central certificate authority model is looking out for us. /s

Take your samefagging and ebin deprecated maymay with you to >>>/reddit/.

More like
amrite?

obviously you have to to verify their key out of band the first time you use it. once their identity is established you can download all future releases from 3rd party mirrors and verify they haven't been fucked with


nice

You can download with BitTorrent

Good thing tbh.

See

A solution to your none problem.

no one ever uploads malicious torrents :^)

The amount of stupidity in this thread from both sides is why I dislike avid supporters of Tor. I wouldn't mind a backdoor in Tor, maybe then the feds will v& all the retards and they'll finally shut the fuck up. Oh wait! Tor is funded by the government and was started by the US Navy LOL LOL LOL

By the way, if you call me a jewish shill. This is your reminder that jews develop Tor. en.wikipedia.org/wiki/Jacob_Appelbaum#Personal_life

tl;dr I2P OR GTFO

The fuck are you on about m8?

This is news to who? Just wait till you find out about ARPANET.

I thought you poltards believed that jews run the government

He also wants the shitlords out of the community, shitposter-kun.

youtube.com/watch?v=0SgGMj3Mf88
See 4:50 to 4:55, tl;dr

good goy
good goy

Wow ikr, everyone that isn't a fullblown dick every every second of their being is a l00ser fag LOL amirite guise??

SIEG HIEL
SIEG HIEL

LOL BAN DIS JACOB XD

NIGGERS XD

ayy

Funny thing is that no one gave two shits about Holla Forums boogeymen here until /g/ arrrived last year.

so where does he actuall say that? certainly not 4:50-4:55 anyway

Wrong link, hurr.
youtube.com/watch?v=fOwYgAS4TXE

What's the point of Tails, again?

oh so you're crying because you can't abuse the devs and expect them to put up with you
i thought you might be complaining about something real

Good thing that you can't be abusive to men and that the "abuse" was targeted at real devs instead of "packagers active in the privacy space" like Erinn Clark, right?

Sounds like they're as tired of the "jews develop tor" meme as the rest of us.

I give a shit. There was a brief period in 2014 in between Holla Forums banning gg and moot cucking Holla Forums where threads didn't get derailed by fucktards. It was a glorious time.

Was that the same period when there was a holocaust denial thread on the front page for a week, and there wasn't a single idiot getting triggered by hot opinions who posted in it?

If you actually kept to your own thread it wouldn't be a problem. Same with bronies and pedos on Holla Forums. But then here you are derailing a thread about shitty security with some bullshit about jews.

What ever happened to Deutschland den Deutschen? Can't we just have Holla Forums threads for techies?

I'm neither from Holla Forums, nor the user who posted about Jews. My first post ITT was here .

If you want that, either get /a/'s moderation or /tg/'s Holla Forumsitical leanings. Either way, it's probably too late.

Oh, my bad. So what's the story with the Erinn Clark thing anyway? I heard the bit about Andrea Shepard getting shit on twitter and she seems ok. Like, she was against banning that guy from lambdaconf for example. It doesn't really sound that bad to want people to stop posting crazy rants on your dev mailing list.

Pretty much what I said: Diversity hire from Debian Women, started as a packager and key signer before being relocated to the "privacy space", no one ever said anything about it despite Tor having competent female devs, and the only Tor dev other than Appelbaum mentioned on /g/. Like Andrea Sheperd however, I don't think the hacker known as 4chan targeted her, but she did back the methwhale's money laundering scheme.

onlineabuseprevention.org/letter-to-icann-july-2015/

bump because massive retarded decision.
Education would have been better than removing the links out right.

I agree

christ on a bike

A bittorrent swarm (with GPG) and a Firefox only addon that only checks the 256sum of in binary file is some how safer? Firefox's addon's have never ever had issues, not even recently where addons could highjack the feature's of other addons due to the lack of a sandbox. Nope never. Who checks the far bottom right hand corner though? Usually the only things there are (R) and (C). Also who usually follow steps these days, what with super important fast pace lives and such? Reading? GTO nerd.Hopefully obvious sarcasm.

Being this triggered by a single word

isnt tails just a shitty live iso that happens to run everything in tor

couldn't you do that with anything fucking live iso and just install tor?

you wouldn't know if you were leaking sensitive data. tails only has the one network available so everything goes through it. installing and configuring all the privacy enabled tools would also get annoying if you had to do it every time

If Anons haven't figured it out from you can still download from dl.amnesia.boum.org/tails/stable even though it's fucktarded how hidden it now is.


Obvious troll.

Fuck man I hope Tails and Whonix switch to a non-systemd soon

but i bet they'll never do it

starting to think Holla Forums is just that dumb

Something fishy is going on. It seems very odd that they would outright call the direct download unsafe and then try to direct all the users to install a browser add on which can be used in invade your privacy.

i prefer whonix in qubes. you can set up a tails like disposable vm so it discards changes when you close it

This.
This doesn't make any sense.

18:05 < riskc> when clicking on "install tails" on tails.boum.org, it reads "Installing Tails can be quite long but we hope you will still have a good time :)". Well, the process is artificially prolonged by the site maintainers. Why does one have to click oneself through a big wizard and is not just presented a direct iso dl link like in the past??

|
|>
|
|3
|

|
|
|
|3=>
|

The backdoor will be found soon. You'll see it soooonnnn (tm).

The devs are narcissists fam

|
|
|
|3=
|

~snip~, thanks for your business go guy