Aug 13 2020
Aug 12 2020
After running a bunch of TCP ping tests, the conclusion is this attack is not really effective against TCP like ICMP. The latency is much lower for TCP pings and though it slightly decreases with CPU stress it is not consistent. Reloading pages in TBB with CPU stress on/off does not impact latency readings while doing so with tc attached has massive latency footprints - implying it will ironically make such attacks much easier in addition to degrading performance.
Aug 7 2020
Cyrus recommends adding delays per packet to disrupt inter-packet patterns that remain. The command can be fine-tuned as such:
Aug 1 2020
The good news is I think I've figured out the equivalent tc-netem command by looking at the slot parameter in the manual:
May 30 2020
Ticket above closed and convo moved to tails-dev.
Apr 23 2020
Feb 14 2020
Dec 23 2019
Dec 11 2019
It looks like bpfilter is in rather early stages, and it's a few years until we'll see it in Debian.
Or skip nftables and use Berkeley Packet Filter (BPF)?
Nov 21 2019
Not a problem anymore.
Nov 6 2019
Oct 21 2019
Added requested NFTables example from duclicsic #netfilter freenode.
Oct 17 2019
Starting with Bullseye nftables will be the default:
Oct 15 2019
Oct 13 2019
Analysis by Cyrus cited here for completion:
Oct 6 2019
Reported build failures:
When an implementation is decided, let's decide if we can include this in security-misc for use on Linux hosts and Kicksecure. We would need some way of detecting the active NIC since on wireless systems wlan0 is the interface of choice and not eth0.
tc-netem is a utility that is part of the iproute2 package in Debian. It leverages functionality already built into Linux and userspace utilities to simulate networks including packet delays and loss.
Aug 11 2019
Aug 9 2019
install electrum appimage by default:
Jul 6 2019
Jun 27 2019
Will keep watching what Tails is doing.
May 12 2019
Maybe there is no need. It's just when Tails has a ticket, we should
check it at Whonix too. Thank you for looking into this, too!
The way it is now looks fine. Why would it need to be changed?
madaidan added a comment.
> https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things.

Wouldn't using a fake machine-id, e.g. a bunch of zeroes, fix this?
May 11 2019
https://lists.ubuntu.com/archives/apparmor/2016-February/009371.html says it is used for various things so it might break some things.
May 10 2019
Would it cause any issues if the machine-id was just deleted or replaced with a bunch of 0s?
Apr 6 2019
Unfortunately, not possible.
Feb 2 2019
The concept was documented for operational use. Auto Guard de-duplication considered too complex to deploy and manual checking is enough.
Jan 16 2019
Jan 13 2019
Jan 6 2019
Jan 4 2019
Done. You can close this ticket once you agree with edits.
Jan 2 2019
Dec 28 2018
From this size comparison on the Debian wiki, I think the best and most secure option is the smallest and most minimal one: micro-httpd
Dec 22 2018
We still have the warning on https://www.whonix.org/wiki/Onion_Services.