Liberte vs Tails
Liberté Linux
• Hardened, Gentoo-based, LiveUSB/CD, Linux distro
• Fully(ish) anonymized
• Similar in goal to TAILS
• Designed for Anon specifically
• Run by Maxim Kammerer (he is Crazy)
• Uses Tor AND I2P
Features that make it different than TAILS
• Anti-forensic memory erase on boot media extraction
– Aimed at cold boot attacks
• OTFE container using LUKS
• Collect clock setting via Tor consensus
– Makes sure that clock settings are not in the clear
– He’s very proud of this
• I2P communication over Tor so that it can traverse firewalls better
Features that make it different than TAILS
• MAC address randomization
• Custom consistent HTTP headers
– Defends against browser fingerprinting
• Harsher iptables rules
• Grsecurity for inter-process security
The Big Features
• The first Linux distro that uses UEFI
– Secure boot
– Hardware based verification of the operating system
– If something new is on the system (malware) it won’t boot
• Does not allow you to install ANY software
• Forces a specific resolution
• Cables Communication
– Custom written P2P message exchange
TAILS
TAILS Linux
• Debian based, LiveUSB/CD, Linux distro
• Fully(ish) anonymized
• Similar in goal to Liberte
• Designed for the everyman
• Run by Baum with the support of the Tor Project
• Uses just Tor for anonymity (but has I2P installed)
Features that Make It Different Than Liberte
• Regular updates
– New versions are put out due to security issues or active development at least once a month
– You can apt-get upgrade whenever you want
• Uses standard LUKS for persistence and supports TrueCrypt
• Contains a meta-data stripping tool – MAT
• Uses Iceweasel (eventually TorBrowser) instead of janky Epiphany
The Big Features
• Documentation and Support
– Unlike Liberté, which hasn’t been updated since 2012
– New releases every month
– Monetarily supported by Tor Project
– Has a roadmap!
– Has complete, up to date documentation, in many languages
• Can temporarily install any software
– Or manually build from source and install your own software
Tails “Quirks”
• No lock screen, no screen saver
– Even if you install a screensaver, there are other tty terminals that let you just log in
• Persistent Media is only USB
– That means virtualization products won’t be able to make a consistent partition
Cables: TL;DR
• A secure, peer-to-peer based message exchange
• Aims to be a decentralized email replacement
• Not really good as instant messaging (see Bitmessage)
Antitree presents:
A Mouthful of Crypto, OR: an animated explanation of the Cables address generation process
• Generate an 8192-bit X.509 key
• Generate a SHA1 hash of that key
– This is your Cables username: gb24hw2hpihnj2eftkuz42fvp3l3nsoc
• Create a Tor hidden service
– This is your domain name: 5rfvhdhbw7z4dcw6.onion
• Username and domain name are joined with @: gb24hw2hpihnj2eftkuz42fvp3l3nsoc@5rfvhdhbw7z4dcw6.onion
Transport Mechanism
• This is P2P so how does it exchange messages?
• Via HTTP requests
• The .onion service hosts a web interface
• http://localhost:9080/{userid}
Crypto Bits
• X.509 8192-bit certificate (ca.cer)
• Signing key generated from ca.cer
• Diffie-Hellman session key exchange for transport security
• Cryptographic Message Syntax (CMS) for the message format
• Custom wrapper that lets you use Claws-Mail
INTERWEBz
Tor provides secure end-to-end encryption between .onion hidden services
Wait
• Diffie-Hellman is a secure temporal key exchange
• Used in this case to provide transport security
• It provides a key exchange ON TOP of the hidden service transport mechanism
Diffie Hellman
BUT WHY??
• Why is Maxim adding a transport security mechanism on top of Tor?
• Answer: Because he didn’t think Tor hidden services had enough crypto
– SHA1 – deprecated
– AES128 – deprecated
– RSA-1024 – deprecated
• Tor’s hidden services are not secure enough
Review
• RSA-8192 X.509-based secure message exchange
• Uses HTTP requests over onion services to connect
• Security on top of your security
• Janky web service
Popularity
• No one uses this
• I think one of the reasons is the awkwardness of the name “Cables”
• Although it’s inherently more anonymous than BitMessage, who cares because no one uses it
Bitmessage (actual logo)
Bitmessage
• Secure, P2P based messaging
• Similar to mixmaster style anonymity model (plausible deniability)
• If bitcoin had a baby with email it would be Bitmessage
• You can only decrypt messages sent to your public key
Message Encryption
• Elliptic Curve Integrated Encryption Scheme
• Elliptic Curve Diffie-Hellman (ECDH) to generate a shared secret
• AES256-CBC (PKCS#7)
• Key-derivation-function using SHA512
• HMACSHA256
“Proof Of Work”
• POW
• In order to send a message, you have to compute something
• Supposed to help mitigate spam because each message requires
Crypto
• payload = time + streamnumber + encrypted
• target = 2^64 / ((length of the payload in bytes + payloadLengthExtraBytes + 8) * averageProofOfWorkNonceTrialsPerByte)
• initialHash = sha512(payload)
• while trialValue > target:
    nonce = nonce + 1
    resultHash = sha512(sha512(nonce + initialHash))
    trialValue = int(resultHash[:8])
• Output: trialValue
Verification
• The client receives the message and verifies that the sender has done enough work to send it to you
• The goal is that for each person you send to, you have to send a POW
• When you send to 100 people, it may take 3 hours
• You can adjust the required POW to send to you
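The proof-of-work loop and the receiver's check from the two slides above, as an added Python example (not from the original slides or from the Bitmessage code base). The 8-byte big-endian nonce encoding, the sample payload and the deliberately tiny difficulty values are assumptions chosen so the search finishes instantly; the function returns the nonce, which is what the receiver needs to recompute trialValue.

```python
import hashlib
import struct

# Constructed sample payload: time + streamnumber + encrypted (all made up).
SAMPLE_TIME = 1400000000
SAMPLE_PAYLOAD = (struct.pack(">Q", SAMPLE_TIME)      # time
                  + b"\x01"                           # stream number
                  + b"constructed ciphertext stand-in")  # "encrypted" part

# Demo difficulty, far lower than anything a real network would accept.
DEMO_TRIALS_PER_BYTE = 10   # averageProofOfWorkNonceTrialsPerByte
DEMO_EXTRA_BYTES = 100      # payloadLengthExtraBytes


def pow_target(payload_len, trials_per_byte, extra_bytes):
    """target = 2^64 / ((payload length + extra bytes + 8) * trials per byte)."""
    return 2**64 // ((payload_len + extra_bytes + 8) * trials_per_byte)


def expected_trials(payload_len, trials_per_byte, extra_bytes):
    """Average number of nonces a sender has to try: 2^64 / target."""
    return (payload_len + extra_bytes + 8) * trials_per_byte


def trial_value(nonce, initial_hash):
    """First 8 bytes of sha512(sha512(nonce + initialHash)) as an integer."""
    inner = hashlib.sha512(struct.pack(">Q", nonce) + initial_hash).digest()
    return struct.unpack(">Q", hashlib.sha512(inner).digest()[:8])[0]


def do_pow(payload, trials_per_byte, extra_bytes):
    """Sender side: try nonces 1, 2, 3, ... until trialValue <= target."""
    target = pow_target(len(payload), trials_per_byte, extra_bytes)
    initial_hash = hashlib.sha512(payload).digest()
    nonce = 0
    while True:
        nonce += 1
        if trial_value(nonce, initial_hash) <= target:
            return nonce


def check_pow(nonce, payload, trials_per_byte, extra_bytes):
    """Receiver side: a single double hash, using the receiver's own difficulty."""
    target = pow_target(len(payload), trials_per_byte, extra_bytes)
    initial_hash = hashlib.sha512(payload).digest()
    return trial_value(nonce, initial_hash) <= target


if __name__ == "__main__":
    n = len(SAMPLE_PAYLOAD)
    nonce = do_pow(SAMPLE_PAYLOAD, DEMO_TRIALS_PER_BYTE, DEMO_EXTRA_BYTES)
    print("expected trials:", expected_trials(n, DEMO_TRIALS_PER_BYTE, DEMO_EXTRA_BYTES))
    print("nonce found    :", nonce)
    print("receiver accepts at demo difficulty:",
          check_pow(nonce, SAMPLE_PAYLOAD, DEMO_TRIALS_PER_BYTE, DEMO_EXTRA_BYTES))
    # A receiver that raised its required difficulty 100x will usually
    # reject the same nonce, so the sender must redo the work for that recipient.
    print("receiver accepts at 100x difficulty:",
          check_pow(nonce, SAMPLE_PAYLOAD, DEMO_TRIALS_PER_BYTE * 100, DEMO_EXTRA_BYTES))
    # Changing the payload changes initialHash, so the old nonce rarely survives.
    print("accepts modified payload:",
          check_pow(nonce, SAMPLE_PAYLOAD + b"!", DEMO_TRIALS_PER_BYTE, DEMO_EXTRA_BYTES))
```

The asymmetry is the point: the sender pays on average `expected_trials` double hashes per message, while the receiver pays one.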
Protocol Encryption
• It’s like some crazy bitcoin P2P network
• Seems really complicated
• I just don’t fucking know
• https://bitmessage.org/wiki/Protocol_specification
Bit Message Popularity
• BitMessage is the most popular messaging exchange by far
• Deepweb users like this as their favorite
• Remember they are all using the same exact client and software and network to do this exchange
• www.reddit.com/r/bitmessage
Summary
• Liberte: Cutting edge but full of the jank
• TAILS: Annoying but the best
• Cables: Why are we even talking about it?
• BitMessage: The most popular one, so it doesn’t matter how secure it is

Liberté vs Tails: A Comparison of Two Anonymized Linux Distributions

  • 4. Liberté Linux • Hardened, Gentoo-based, LiveUSB/CD, Linux distro • Fully(ish) anonymized • Similar in goal to TAILS • Designed for Anon specifically • Run by Maxim Kammerer (he is Crazy) • Uses Tor AND I2P
  • 8. Features that make it different than TAILS • Anti-forensic memory erase on boot media extraction – Aimed at cold boot attacks • OTFE container using LUKS • Collect clock setting via Tor consensus – Makes sure that clock settings are not in the clear – He’s very proud of this • I2P communication over Tor so that it can traverse firewalls better
  • 9. Features that make it different than TAILS • MAC address randomization • Custom consistent HTTP headers – Defends against browser fingerprinting • Harsher iptables rules • Grsecurity for inter-process security
  • 10. The Big Features • The first Linux distro that uses UEFI – Secure boot – Hardware based verification of the operating system – If something new is on the system (malware) it won’t boot • Does not allow you to install ANY software • Forces a specific resolution • Cables Communication – Custom written P2P message exchange
  • 11. TAILS
  • 12. TAILS Linux • Debian based, LiveUSB/CD, Linux distro • Fully(ish) anonymized • Similar in goal to Liberte • Designed for the everyman • Run by Baum with the support of the Tor Project • Uses just Tor for anonymity (but has i2p installed)
  • 14. Features that Make It Different Than Liberte • Regular updates – New versions are put out due to security issues or active development at least once a month – You can apt-get upgrade whenever you want • Uses standard LUKS for persistence and supports TrueCrypt • Contains a meta-data stripping tool – MAT • Uses Iceweasel (eventually TorBrowser) instead of janky Epiphany
  • 15. The Big Features • Documentation and Support – Unlike liberte that hasn’t been updated since 2012 – New releases every month – Monetarily supported by Tor Project – Has a roadmap! – Has complete, up to date documentation, in many languages • Can temporarily install any software – Or manually build from source and install your own software
  • 16. Tails “Quirks” • No lock screen, no screen saver – Even if you install a screensaver, there are other tty terminals that let you just log in • Persistent Media is only USB – That means virtualization products won’t be able to make a consistent partition
  • 17. Cables: TL;DR • A secure, peer-to-peer based message exchange • Aims to be a decentralized eMail replacement • Not really good as instant messaging (See bitmessage)
  • 18. Antitree presents: A Mouthful of Crypto An animated explanation of the Cables Address generation process OR
  • 19. Generate an 8192-bit X.509 key • Generate a SHA1 hash of that key • This is your cables username: gb24hw2hpihnj2eftkuz42fvp3l3nsoc • Create a Tor hidden service: 5rfvhdhbw7z4dcw6.onion • This is your domain name @
  • 20. Transport Mechanism • This is P2P so how does it exchange messages? • Via HTTP requests • The .onion service hosts a web interface • http://localhost:9080/{userid}
  • 21. Crypto Bits • X.509 8192 bit certificate (ca.cer) • Signing key generated from ca.cer • Diffie-Hellman session key exchange for transport security • Cryptographic Message Syntax (CMS) for the format of message • Custom wrapper that lets you use Claws-Mail
  • 23. Tor provides secure end to end encryption between .onion hidden services
  • 24. Wait • Diffie-Hellman is a secure temporal key exchange • Used in this case to provide transport security • It provides a key exchange ON TOP of the hidden service transport mechanism
  • 26. BUT WHY?? • Why is Maxim adding a transport security mechanism on top of Tor? • Answer: Because he didn’t think Tor hidden services had enough crypto – SHA1 – deprecated – AES128 – deprecated – RSA-1024 – deprecated • Tor’s hidden services are not secure enough
  • 27. Review • RSA 8192 x509 based secure message exchange • Uses HTTP requests over onion services to connect • Security on top of your security • Janky web service
  • 28. Popularity • No one uses this • I think one of the reasons is the awkwardness of the name “Cables” • Although it’s inherently more anonymous than BitMessage, who cares because no one uses it
  • 30. Bitmessage • Secure, P2P based messaging • Similar to mixmaster style anonymity model (plausible deniability) • If bitcoin had a baby with email it would be Bitmessage • You can only decrypt messages sent to your public key
  • 34. Message Encryption • Elliptic Curve Integrated Encryption Scheme • Elliptic Curve Diffie Hellman (ECDH) to generate a shared secret • AES256-CBC (PKCS#7) • Key-derivation-function using SHA512 • HMACSHA256
  • 35. “Proof Of Work” • POW • In order to send a message, you have to compute something • Supposed to help mitigate spam because each message requires
  • 36. Crypto
      payload = time + streamnumber + encrypted
      target = 2^64 / ((length of the payload in bytes + payloadLengthExtraBytes + 8) * averageProofOfWorkNonceTrialsPerByte)
      initialHash = sha512(payload)
      while trialValue > target:
          nonce = nonce + 1
          resultHash = sha512(sha512(nonce + initialHash))
          trialValue = int(resultHash[:8])
      Output: trialValue
  • 37. Verification • The client receives the message and verifies that it has done enough work to send it to you • The goal is that for each person you send to, you have to send a POW • When you send to 100 people, it may take 3 hours • You can adjust the required POW to send to you
  • 38. Protocol Encryption • It’s like some crazy bitcoin P2P network • Seems really complicated • I just don’t fucking know • https://bitmessage.org/wiki/Protocol_specification
  • 39. Bit Message Popularity • BitMessage is the most popular messaging exchange by far • Deepweb users like this as their favorite • Remember they are all using the same exact client and software and network to do this exchange • www.reddit.com/r/bitmessage
  • 40. Summary • Liberte: Cutting edge but full of the jank • TAILS: Annoying but the best • Cables: Why are we even talking about it? • BitMessage: The most popular one, so it doesn’t matter how secure it is
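
The proof-of-work loop from slide 36 and the receiver-side check from slide 37, as an added Python example (not code from the deck or from the Bitmessage project). The difficulty constants, the 8-byte big-endian nonce encoding and the sample payload are assumptions constructed for illustration.

```python
import hashlib
import struct

# Demo difficulty, constructed so the search finishes in milliseconds.
# These values are assumptions for illustration, not network defaults.
DEMO_TRIALS_PER_BYTE = 64
DEMO_EXTRA_BYTES = 64


def pow_target(payload_len, trials_per_byte, extra_bytes):
    """Slide formula: 2^64 / ((len + extra + 8) * trials_per_byte)."""
    return 2**64 // ((payload_len + extra_bytes + 8) * trials_per_byte)


def trial_value(nonce, initial_hash):
    """First 8 bytes of sha512(sha512(nonce + initialHash)), big-endian.
    Packing the nonce as 8 big-endian bytes is an assumption of this example."""
    inner = hashlib.sha512(struct.pack(">Q", nonce) + initial_hash).digest()
    return struct.unpack(">Q", hashlib.sha512(inner).digest()[:8])[0]


def do_pow(payload, trials_per_byte=DEMO_TRIALS_PER_BYTE,
           extra_bytes=DEMO_EXTRA_BYTES):
    """Sender: increment the nonce until the trial value is <= target."""
    target = pow_target(len(payload), trials_per_byte, extra_bytes)
    initial_hash = hashlib.sha512(payload).digest()
    nonce = 0
    while True:
        nonce += 1
        if trial_value(nonce, initial_hash) <= target:
            return nonce


def check_pow(nonce, payload, trials_per_byte=DEMO_TRIALS_PER_BYTE,
              extra_bytes=DEMO_EXTRA_BYTES):
    """Receiver: one double hash, judged against the receiver's own target."""
    if not 0 <= nonce < 2**64:
        return False  # nonce must fit the 8-byte field
    target = pow_target(len(payload), trials_per_byte, extra_bytes)
    initial_hash = hashlib.sha512(payload).digest()
    return trial_value(nonce, initial_hash) <= target


# Constructed sample payload: time + stream number + stand-in ciphertext.
SAMPLE_PAYLOAD = struct.pack(">Q", 1400000000) + b"\x01" + b"constructed ciphertext"

if __name__ == "__main__":
    n = do_pow(SAMPLE_PAYLOAD)
    print("nonce:", n, "accepted:", check_pow(n, SAMPLE_PAYLOAD))
    print("strict receiver:", check_pow(n, SAMPLE_PAYLOAD, trials_per_byte=2**40))
```

The sender pays for thousands of double hashes while the receiver pays for one, and a receiver that raises its own trials-per-byte value rejects a nonce that was only worked to the lower target.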