Tinfoil Hat Linux: A Distribution for the Paranoid 247
An Anonymous Coward writes: " Tinfoil Hat Linux is a distribution designed to allow the signing and encrypting of documents with the utmost in security. The floppy-image has numerous security features including: entering your passphrase via a video game style selection process to combat hardware keystroke loggers, turning the contrast of your screen down to foil prying eyes and cameras, and to run background PGP processes."
Hoax (Score:1, Funny)
Re:Hoax (Score:2, Interesting)
Actually, a floppy-based distro that can be used for really secure work is a great idea. I can keep a trusted environemnt with me at all times, and know what's going on (I never trust another person's computer when sitting down at it. I know how my machine is set up which gives me no cause to trust others!)
Re:Hoax (Score:5, Informative)
What is Tinfoil Hat linux ? It started as a secure, single floppy, bootable Linux distribution for storing PGP keys and then encrypting, signing and wiping files. At some point it became an exercise in over-engineering.
Tinfoil hat is useful if:
A: because I screwed up & wrote a nvram.md5 file to the floppy I then used as a master. I had to remove that file from every floppy. The result is that the MD5sum of the codecon floppies should be: 3608290765de7d5283a1a22813677a56
A: Type "contrast" at the command prompt, or play with ctheme.
A: Think of this as a linux kernel 1.0 . Yes, it's stable to the best of my ability, and has been tested, but not for very long or by many people.
A: Any 386DX or faster IBM compatible with more than 8 megs of RAM. Pretty much any PC made in the last 8 years will work fine.
A: anonymous AT nameless DOT cultists.net
A: The scripts, documentation, and the distribution as a collection are released under a modified BSD license [slashdot.org]. Obviously, other people's software in this distribution retain their original licenses.
Re:Hoax (Score:4, Funny)
>[...]
>Q: Why doesn't the floppy I got at codecon match the signature above?
> A: because I screwed up & wrote a nvram.md5 file to the floppy I then used as a master. I had to remove that file from every floppy. The result is that the MD5sum of the codecon floppies should be: 3608290765de7d5283a1a22813677a56
Hah! A likely story!
As if I'm gonna trust that They(tm) didn't h4x0r Slashdot and change the MD5sum in CitznFish's FAQ repost to the MD5sum for Magic Lantern Linux!
(For the record, I wear mine shiny side out. Shiny-side-in folks are nuts or part of the Conspiracy. Though I suppose I could transmit messages by switching back and forth between shiny-side-out and shiny-side in on a daily basis. Bandwidth would kinda suck, though. ;-)
Re:Hoax (Score:2, Funny)
But, how can you be sure your tin wasn't pre-tained? Do you mine the tin yourself? The Reynolds people have great influence over those who provide tin. And, if you're thinking of switching to aluminum, forget it. The Alcoa people are iluminati as well.
Re:Hoax (Score:2)
Yeah, but look at the front page of www.alcoa.com [alcoa.com]! You'll see "Reynolds Wrap" right there. Alcoa's taken over everything!
I was gonna say they were aluminati as opposed to illuminati (there's a difference, believe you me!), but then I saw Alcoa's corporate logo, and realized that it's nothing more than a stylized eye-in-the-pyramid.
Then I went to the Reynolds site. The aluminum starts out in Hot Springs, Arkanasa (Bill Clinton's home state!) Then, according to the site, the 30,000-pound aluminum coils that make Reynolds Wrap [reynoldskitchens.com] are turned into aluminum foil in two locations: Louisville, Kentucky and Richmond, Virginia. That's right! Richmond, VA! A stone's throw from CIA headquarters in Langley!
All that's left is to explain what the CIA is doing in fnord Louisville. It's all a conspiracy, I tell you, all a conspiracy! A great big giant conspir$^&}}!{!NO CARRIER.
Re:Hoax (Score:5, Informative)
It's rather tongue-in-cheek, and more of a tech demo of what can be done than a useful configuration, but it sure has loads of nifty ideas.
--
Evan
Re:Hoax (Score:2, Interesting)
Uh huh... (Score:5, Funny)
Re:Uh huh... (Score:4, Funny)
Re:Uh huh... (Score:2, Funny)
... and then what do you use it for?
I mean I've known people who are infactuated with Linux but....
Re:Uh huh... (Score:2, Funny)
:)
Say What? (Score:2)
So you not only make your own distribution, but you make your own userland tools? Unless yes to the above, your trusting someone.
Re:Say What? (Score:2)
Set up a "secure document" server / workstation... (Score:2)
I gotta try this when I get home. I guess you could have this as the workstation, and then have an OpenBSD box as a vault type NFS or something.
Faraday cage???? (Score:1)
You need instructions? (Score:3, Interesting)
Just surround your computer with a cage made of chicken wire.
The problem is that as soon as you have to connect to the world outside (like through a network cable... or a power cord) you break the cage, and you've pretty much defeated the whole purpose.
And don't tell me about the incredibly tiny radiation leakage from your monitor carried by the power cord! The Illuminati can still read it!
Re:You need instructions? (Score:2)
You aren't using microwave lasers to send power to and from your monitor through the cage? And you call yourself a paranoid nutball? You should be ashamed!
Re:You need instructions? (Score:2)
my tinfoil head mounted satellite dish!
Never mind............
Sorry. I'd assumed you'd already had the instructions downloaded into your head. I got mine yesterday...
In PDF format? (Score:2, Funny)
Paranoid
Delusional
Freak
HA HA!
I'm late I'm Late for a very important date
no thorazine and so I cry, I'm late I'm late I'm Late!
Re:Faraday cage???? (Score:2)
Re:Faraday cage???? (Score:2, Informative)
...or you can install this on a computer built to Tempest specs (http://www.eskimo.com/~joelm/xtempestsource.html) . Not only are these systems shielded with various metals in places (lead's a good choice), but some circuitry is reconfigured to make emissions less likely to be decoded remotely.
The main use for such hardware is for spyproofing your data. The business was booming around Desert Storm, but pretty much dried up after that. Apparently the Government figured they'd never need machines faster than 386's.
Tinfoil Hats (Score:1)
Also, it may be sampling error or psychosomatic effects, but I have never lost a chess game while wearing my Aluminum Foil Deflector Beanie.
Re:Tinfoil Hats (Score:2)
B) The real link to the zapatopi page returned this message to me: "Service Temporarily Unavailable The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."
C) The link in question is also on the bottom of the main story page (ie, the Tinfoil Hat Linux).
D) The site at zapatopi has a discussion about Tin vs. Aluminum as well as which direction you should point the shinny side.
Great Marketing (Score:1)
I guess this is why it is called "Tinfoil Hat" and not "Wet Paper Bag Hat".
The most secure distribution... (Score:1, Funny)
Announced at CodeCon (Score:2, Informative)
This was announced at codecon. The author passed out about 50 floppies with the distribution on it.
Really good idea. I may have to run this on my laptop
UberSecureLinux (Score:5, Funny)
UberSecureLinux hopes to dispel the myths that RedHat 6.2 is one of the most hackable distributions of Linux.
Re:UberSecureLinux (Score:4, Funny)
USL is useless. Not only was it a pain to get my wireless networking installed on it, I followed instructions precisely, disconnected the PowerCord(TM), and evil hackers still got into my laptop!
(Incidently, I prefer this USL [undersedationlive.org], anyway).
--
Evan "insert SubGenius motto here" E.
Re:UberSecureLinux (Score:5, Funny)
Re:UberSecureLinux (and wireless) (Score:4, Funny)
No No No!
Re:UberSecureLinux (Score:2)
It's been a long day.
Copper cube ? (Score:5, Funny)
If at all possible, boot THL on a laptop & disconnect all external
cables, including the power & mouse. Turn off nearby
radios, including cell phones and microwaves. Put yourself
and the computer in a well grounded opaque copper cube. Download
your tinfoil hat plans from http://zapatopi.net/afdb.html.
Boot the floppy....
Where can I get well grounded opaque copper cube? Can't find any on ebay.
Re:Copper cube ? (Score:3, Funny)
The NSA has a big one -- but I don't think they'll share.
For the paranoid? (Score:4, Funny)
Do what I do. Compute ONLY in your head! They'll never get that data!!
Oh shit... the orderly is comi...
Re:For the paranoid? (Score:2)
Um, I think you are forgetting something... The Illuminati are the ones BEAMING THE THOUGHTS TELEPATHICALLY INTO YOUR HEAD, so they don't need to watch what you type, they are already know it!
Coka? Cola? (Score:5, Interesting)
Re:Coka? Cola? (Score:2)
Re:Coka? Cola? (Score:2)
Re:Coka? Cola? (Score:2)
Any system securable enough is also going to be so unusable from a get-shit-done perspective that criticizing some security feature as "difficult to cope with" implies that security breaches are easy to cope with.
Re:Coka? Cola? (Score:2)
I would however randomly position the character/icons on the screen so that the x,y coords of a click wouldn't be translatable into a specific character by coordinate
That's going to make it awfully difficult to enter a password isn't if there's no way to map a click to a symbol
Re:Coka? Cola? (Score:2)
Re:Coka? Cola? (Score:2)
Re:Coka? Cola? (Score:2)
I didn't say it was easy, but it would be nearly impossible through remote monitoring to figure out what the fuck was going on, which was the primary goal.
I think'd be a waste of time as a real-world system. Too hard, too complicated.
Re:Coka? Cola? (Score:2)
Re:Coka? Cola? (Score:2)
Re:Coka? Cola? (Score:2)
Re:Coka? Cola? (Score:2)
I think you are confused. The number of combinations of N characters in a character set of size Y is y^n, not 2^y*n (if order is significant and repetition is allowed, both of which are usually the case for passwords). ASCII does not have 2^128 characters; it has 128 (0x00 through 0x7F), but that's not necessarily equivalent to what one can type on a keyboard. If one could type all of them and only all of them on the keyboard, that would allow 128^n passwords of length n.
In any case, even with a relatively modest 80x25 grid (much like a standard DOS or Linux console screen), one can fit 80 * 25 = 2000 symbols on the screen, giving 2000^n possible combinations, provided one can come up with 2000 easily distinguishable symbols (well, the Chinese have done it) and display them in a resolution at which they could be distinguished.
If one just wanted to display 128 characters, one could use an 8 x 16 grid. That is hardly a challenge. Then the user can select whatever ASCII characters he/she wants to select in whatever order he/she wants to select them, again yielding 128^n possible passwords of length n.
Re:Coka? Cola? (Score:2)
But what would you do once you become blind trying to read your own screen?
Re:Coka? Cola? (Score:2)
White glove Linux (Score:2, Interesting)
Fired for Playing Games? (Score:5, Funny)
PHB: Johnson! Are you playing space-invaders again?
Johnson:
PHB: Oh.. Can I get one for my system, too? That looks fun!
/.'d already - Google to the rescue (Score:5, Informative)
Bootable cdroms (Score:3, Interesting)
PLAC - Portable Linux Auditing CD [sf.net]
LNX-BBC [lnx-bbc.org]
LBT [linuxcare.com]
Mark McGuire (Score:5, Funny)
Re:Mark McGuire (Score:3, Funny)
Re:Mark McGuire (Score:2)
Re:Mark McGuire (Score:2, Funny)
Re:Mark McGuire (Score:2)
Re:Mark McGuire (Score:2)
Another safety feature ... (Score:2, Funny)
I'm confused by the Tin Foil Hat Link (Score:2)
It seems to me that Liberals and Democrats have historically been supporters of an Individual's right to privacy. Which is what this Linux distro. aims to provide. So why put in an inflamatory reference like this?
Could that link be the best explanation of the origin of the "Tin Foil Hat"? I shure hope it isn't.
Re:I'm confused by the Tin Foil Hat Link (Score:2)
As for the election -- both sides tried to steal it. The Republicans succeeded, and Gore botched it (he'd have lost when he should have won if they'd done it his way). But that's a debate for another day (a year ago).
/Brian
Re:I'm confused by the Tin Foil Hat Link (Score:2)
Re:I'm confused by the Tin Foil Hat Link (Score:2)
The Libertarian party is the only political party I know of that takes a consistant, strong view on defending individual privacy rights.
Re:I'm confused by the Tin Foil Hat Link (Score:2)
Wierd Error (Score:2)
If *I* were the Illuminati (Score:3, Insightful)
I'd just put the spy code in the Bios. What else is distributed on every computer, and run every time they boot?
BWAHAAAAAHAAAA
Re:If *I* were the Illuminati (Score:3, Funny)
Uh... Memory chips? Realtime clock chips? Capacitors and resistors and power supplies?
Interesting side links.. (Score:2, Funny)
Recently, she wanted to give her Internet password to her husband so that he could get on line. However, she still wanted to be
able to exchange private messages with me that he would not be able to read. I, of course, introduced her to PGP.
Sorry, why the hell was that woman married? sorry but if you cant trust your spouse then you need to not be married, not ever get married, and probably even stop dating for that matter.
Re:Interesting side links.. (Score:2)
Seriously, though, maybe she (gasp!) married the wrong guy! Maybe they should get divorced.
Maybe he was a nice guy, once, and then he changed. It happens.
Re:Interesting side links.. (Score:2)
The better question is "Why would they share the same email account?"
There are lots of things I might email my sister that I wouldn't want my wife to see (such as "what do you think I should get her for our anniversary?")
Tempest fonts (Score:5, Interesting)
Even easier: LCD (was: Tempest fonts) (Score:4, Insightful)
Cat: All my fonts are not belong to Tempest
Captain: What you say!!
Captain: You know what you doing
http://www.linuxfromscratch.org/ (Score:4, Insightful)
To be truly secure, you need to build your own distribution. You need to understand what is being put on your system, and why. You need to be able to verify that the program that says it edits streams really does that, and does it without any funny business.
I ***know*** what it running on my system. I know this because I built the binaries myself. I know this because I can look at the source code and see what it does. This is the most beautiful feature of open source; the ability to let tinfoil hat wearers like myself have near-total assurance that our systems are running only the code we want them to run.
You don't get to say that if you're running Red Hat or Suse, or Windows or Mac. How do you know that any of these companies haven't been approached by the Feds and forced to include code that compromises your security and privacy?
Admittedly, it's going to be some time before I get to running KDE or Gnome. Of course, I can always install a standard distribution and see what is available today. But I appreciate the ability not to have to trust one of these distributions with my personal data, or my source code.
Actually, I'm still not to the point where I can run XFree86 yet, but EMACS using SVGATextMode [freshmeat.net] on new hardware is so obscenely fast, why should I care? Except when I want to look at naked women.
That's why I have a Mac.
Re:http://www.linuxfromscratch.org/ (Score:2)
Re:http://www.linuxfromscratch.org/ (Score:3, Interesting)
No doubt most of the new stuff available today only needs a
But in my mind that's no different than installing using somebody else's distribution.
I should fess up and say that I don't always use my installation, but that's mostly because my paycheck demands I use other code.
That doesn't change my lust for a system I can understand, down to the statement, and one that I have complete control over. I'm sure that a lot of you who've been with Linux forever you've acquired a sense for this a long time ago; I'm kind of new to the OS though, I've only been using it for a couple of years.
It's biggest attraction for me is that I get to be anal about learning it. Taking it one step at a time, and leaving nothing to chance.
So what if I don't have windows! Most everything I end up doing on the Mac or on Windows is all text-based anyways. Look at the interface for Visual C or Codewarrior on the Mac and tell me exactly what I'm missing when using something like EMACS on a screen that has a resolution of over 200 characters across.
Pretty colors? Alpha-blending? Anti-aliased fonts? It's all shit! It makes everything go slower, while making me put my nose up to the monitor so I can see what the fuck is going on!
Why do I need that?
Re:http://www.linuxfromscratch.org/ (Score:2)
Re:http://www.linuxfromscratch.org/ (Score:3, Interesting)
While we're at it, what about the CPU, and other support chips? Have you inspected the VHDL?
Re:http://www.linuxfromscratch.org/ (Score:3, Insightful)
I have a lot of faith in you guys, even though I realize that when the gcc source is broadcast that not everybody reads through every single expression.
But we're all single-stepping through the code it produces at some point.
I've seen people reporting compiler bugs that makes you wonder just what the fuck these people are doing. When you read the back-and-forth between the people who use the compilers and those who write them it's pretty clear who's on top.
Plus, there's Codewarrior, and Borland (is that right?) and there's always the archived compilers to compare against.
In short, it's all out there in the open, and there are like at least ten million eyeballs on the case.
I'm willing to risk letting the compiler prove me to be the fool.
Re:http://www.linuxfromscratch.org/ (Score:2)
Re:http://www.linuxfromscratch.org/ (Score:2)
Then again, the software contained in the stock LFS system is pretty minimal, and has been around forever.
The other thing I should mention is that at some point I want to put some machines on the Net and I am convinced that the best way to achieve security is through simplicity. By building your own system you know very well what is and isn't running on it.
Re:http://www.linuxfromscratch.org/ (Score:5, Insightful)
Re:http://www.linuxfromscratch.org/ (Score:5, Interesting)
Re:http://www.linuxfromscratch.org/ (Score:2)
Re:http://www.linuxfromscratch.org/ (Score:2)
Er, no!
Um, sort of.
glibc, gcc, emacs, gawk... there is some non-trivial code here, I'm not sure I'll ever understand gcc completely, for instance, but the others over time I'm sure I will learn.
This is why I haven't moved to XFree86 yet. It's going to be some time before I'm comfortable with even the few components contained within the basic linuxfromscratch distro.
I'm not committing myself to *understanding* it all, as much as I am being *comfortable* with it. In other words, if there's a program that has had its source out there for over ten years, and I can inspect all the patches made to it over that time, and see that nothing funky was inserted while at the same time noticing that none of you guys found anything funky with the code, well... where I come from that's good code.
You know, it's not like the effort to understand this code is a waste. There's a lot I've learned from even the simplest programs here.
Also, one of the things to remember when perusing this code is that the ratio of dangerous code to harmless code is fairly low. Which is to say, you don't need to spend a lot of time looking at whether somebody's pointer arithmetic is correct, but you do need to take a close look at the system calls, like when files are being played with.
I figure in another couple of years I'll have this shit down cold. Maybe to some it seems like I'm mastering the obvious... I see it more as building a sturdy foundation.
To each his own.
Another option (Score:3, Informative)
You gotta love... (Score:3, Funny)
The price of Keyghost Keylogger: $999.
it IS cheap (Score:2)
But to even the smallest corporation or local government, a thousand dollars is pocket change, particularly when you consider the value of the information that could be gained with such a device.
(and as the other poster pointed out, they're actually only $200, which does make it a viable option for getting at your roommate's pr0n (assuming you aren't clever enough to find a cheaper alternative))
Re:You gotta love... (Score:2)
Alright Ill bite, this is cooler, from their links (Score:2)
Ive heard about scavenging screenshots from computers a couple hundred feet away using the EM signal, but had serious questions on how easy this was.
The above link does it in reverse plays MP3's through your MONITOR as an antenna !!!
Now, that said, I have more of a belief in a tempest like system, guess its time to get my copy of tinfiol linux
What about monitor companies? (Score:2)
So basically, you're going back to the old days. If monitors keep getting better and better, we'll have to make the OS interface worse and worse to compensate. Then maybe monitor manufacturing companies, when they see that demand for their new products is through the floor, perhaps they will stop advancing their technology. And when that happens, we can all blame the halt in technological advancement on Microsoft's anticompetitive business practices!
Everyone use Tinfoil Hat Linux! Surely it is the key to defeating Microsoft!
If I was using this... (Score:2)
-----BEGIN PGP SIGNED MESSAGE----- (Score:4, Informative)
I'm the author of this program. It was intended as a clever
give away at code-con, but it should also be useful for other
people who carry their keys on floppy disks.
I hadn't intended a widespread distribution until I could put the kernel config
up & get a bunch of signatures on the signing key
Oh well.
In response to slashdot and the email flooding in:
The key will be up on keyservers shortly (if it isn't already. )
signatures to follow in the next few days. There isn't any TCP/IP
or network on this distribution, I'm not a christian redneck, keyghost
used to be cheaper, I can't fit tempest fonts on, since the console
is only greyscale. Direct FB fonts would be the answer, but I didn't do it.
And the "video game style" entry is clumsy, since I didn't want to re-invent
curses. It's all free if you want to improve it.
And now I'm about to get on a plane and be out of communication for a while
;-)
Slashcode is certain to break the signature, but here goes:
Anonymous
~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8csA+Fr26O2gKKPMRAp79AJ9/Ej1GyB2lnIxEPv2
uYFX2VCz3Bq9BPuv8kLGCQM=
=6oTm
-----END PGP SIGNATURE-----
Re:Free bundled DVDs? (Score:2, Funny)
Re:Free bundled DVDs? (Score:2)
Sneakers
Antitrust
Wargames
1984 (Yeah OK, the book is a lot better than the movie)
The Conversation
:)
Re:say what? (Score:2)
Re:say what? (Score:2)
It gets around this by not allowing users to input their passwords by using the letters on the keyboard. They use something similar to the arcade "Insert your name here:" interface where you move a cursor up and down to select the letters/numbers/symbols/spaces. It would probably start at a random place in the sequence too, so that the keylogger's capture of up x 15 down x 27 etc. is rendered useless.
Re:say what? (Score:3, Informative)
The keylogger will get all your other keystrokes, but not your GPG passphrase...maybe the onscreen keyboard can be invoked at other times too.
Re:defeating keystroke loggers (Score:2)
That won't work very well for a network login, TCP will packetize keys that are sent close to each other, throwing you off. I won't even attempt to think about how that work work over satellite, when I ssh, I usually type fast enough so that my keystrokes all get sent at once (the satellite has special proxy software that assumedly avoids sending lots of little packets).