I am not sure sdwdate-gui would be a strong enough notification if networking was actually blocked if sdwdate did not succeed yet.

Shipping kloak in Whonix stable for a few releases already.

After running a bunch of tcp ping tests, the conclusion is this attack
is not really effective against TCP like ICMP. The latency is much lower
for TCP pings and though it slightly decreases with cpu stress it is not
consistent. Reloading pages in TBB with cpu stress
on/off does not impact latency readings while doing so with tc
attached has massive latency foot prints - implying it will ironically make such attacks much easier in addition to degrading performance.

Cyrus recommends adding delays per packet to disrupt inter-packet patterns that remain. The command can be fine tuned as such:

The good news is I think I've figured out the equivalent tc-netem command looking the slot parameter in the manual:

Ticket above closed and convo moved to tails-dev.

An interesting product that triggers a system wipe if the cable is pulled:

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Would an audit denyrule for /boot be useful for the sake of audit?

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.

/boot/ is already unreadable.

• An analysis of TCP secure SN generation in Linux and its privacy issues
• Tirdad kernel module for random ISN generation

This was done. If not, please create specific tickets where it isn't done.

https://redmine.tails.boum.org/code/issues/17156

Analysis by Cyrus cited here for completion:

An alternative proposal for editing ISNs without involving the kernel:

Implemented for some time now.

Reported build failures:

When an implementation is decided, let's decide if we can include this in security-misc for use on Linux hosts and Kicksecure. We would need some way in detecting the active NIC since on wireless systems wlan0 is the interface of choice and not eth0

tc-netem is a utility that is part of the iproute2 package in Debian. It leverages functionality already built into Linux and userspace utilities to simulate networks including packet delays and loss.

In T543#18086, @HulaHoop wrote:

@Patrick What is the status of integration?

@Patrick What is the status of integration? Since we have kloak this is also a great defense to have. There is a script on there for packing as a deb:

release kloak v0.2

Many code enhancements were recently added by its author.

To build a package with qubes-builder, you need to add Makefile.builder file with just one line: DEBIAN_BUILD_DIRS := debian. This will tell qubes-builder that given repository contains Debian package.
Alternatively, if that would be too much of a problem, it should be easy to add an option that do auto detection (probably just looks for debian directory).

With TPO infrastructure using onions, its now a good idea to switch tb-updater to check for version info and downloads to these more secure mirrors.

https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235

https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235

https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235

https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235

We can now grab the browser tarball from the TPO onion instead which makes this ticket obsolete. Close if you concur.

This should be fixed by default in the next build.

linking to forum:

He was busy those past few months and thought there was no interest. @Patrick Expect a new release this coming week.

Ping:
https://github.com/vmonaco/kloak/issues/10

Why not ping him first? Its a waste of good work otherwise.

Dead upstream.