Mempo Project: Security+Privacy

[This page is work-in-progress, possible typos and errors]

Home

Progress
[stage #1]:
~15%

WIP: planning, prototypes.

Mempo Project - Hardened Privacy Mempo description

Start

Mempo project aims to provide most secure and yet comfortable out-of-the-box computer for Desktop and Server,
to professionals, business, journalists, and every-day users avoiding PRISM-like spying.
Mempo Project is the answer to increasing surveillance of people, and endangered freedom of speech
- as well to other IT attacks, cracking by hackers, viruses. Even professional tools are not secure if there exist way around them for an attacker. Therefore - in Mempo, the best Privacy & Security tools are used together on all levels from kernel to Apps; preconfigured for VM+Tor+VPN, for virtualization and compartment
- all available in one-click fashion as Full Installable OS, Live-CD, or separate programs (sources and .deb files + deb-repo). Do I need Mempo? [read more...]
Comparison of existing systems with Mempo (as planned in Stage-1 and 2 - roadmap).
Mempo* System Tails Whonix QubesOS Gentoo-H

Live-CD/Primary-OS/Packets GrSecurity hardened Kernel GrSecurity max protection GrSecurity PAX, RBAC profiles Hardened compilations (fortify) Removed unsafe JIT code; PAX Patching ALL privacy problems Running any App in VM isolation Running any App in H-chroot jail Hardened VNC&Xnest isolation VM: easily toggle Tor, VPN VM: toggle Darknet, FW, Tunnel Tor, I2P, Freenet, VPN preconfigured Stacking networks e.g. VPN+I2P All Apps and System uses privacy Verify-build, multisign apt-get White-list AV and known-files DB Bitcoin/Altcoin/e-Currency Provides custom open hardware

wip /

wip

/ /

/ /

http://127.0.0.1:8888/...fiXFPRPKw3miEP1tXIi3Mz2BvfkKK1FsoATqAWi~NbY,DWl1hGrdJEpMT5-ofWBAH1HIYDauTNh8xilF8l2tCfE,AQACAAE/mempo/2/[2013/10/28 08:55:47]

Mempo Project: Security+Privacy Crowdfunding fixes, fast devel Real time threats warnings Buy prebuilt on most open hardware Paranoia-free lead developers

FAQ-1: To clear any initial miss-conceptions or questions: Mempo is: Light and fast Easy for non-technicals Modular addons Learning from Tails, Qubes-OS, Hardened-Gentoo ...but providing more Prefering GrSec+PAX over SE Linux Usable like regular Debian Developed inside Debian.org Usable on all Linux Usable on home-made PC As Primary OS As packets As Live-CD Flash/Wine/etc compatible (VM) At stage of prototyping To deliver custom hardware Always BSD/GPL/0-CC licensed Giving back to FOSS Cooperative! To be crowdfunded Apolitical User education focused Mempo description

All layers of security - the weakest link is the problem

How good is your super-secure encryption or network, if kernel rootkit can go around it?
Entire System - from hardware, kernel, throught system, VM creation, up to applications is secured. Each of the layers is created by researching and selecting best available software in given category. Programs are configured to use and reinforce each-other to fit nicelly (e.g. email uses Tor, Tor can use VPN, grsecurity contains any exploits,
apt-get uses all of above to be sure). User applications are also preconfigured and ready to use in most secure way.

Show technical details:

checkbox to open

click

Contact - developers, testers, translators, users

Everyone is invited to cooperate, users, developers, other distributions - please join our effort in creating more secure and privacy-respecting world.
IRC network: #mempo on irc.freenode.org(web)
irc.oftc.net(Tor) and irc2p(I2P) XMPP/Jabber: mempo@jit.si http://mempo.org - soon Website on GitHub
+
GitHub sources Freenet: Freesite Mempo-Official USK@fiXFPRPKw3mi /mempo/-1/ Freenet: Flog
Mempo-Blog Freenet: FMS
board freenet, linux as well as board mempo. Freenet: freemail
mempo@ym7rkpjwhfcpiqbh .freemail
EP1tXIi3Mz2BvfkKK1FsoATqAWi~NbY,DWl1hGrdJEpMT5-ofWBAH1HIYDauTNh8xilF8l2tCfE,AQACAAE bovz2gtiafthwmp6rmee6wmk3quekcvo2jgq

http://127.0.0.1:8888/...fiXFPRPKw3miEP1tXIi3Mz2BvfkKK1FsoATqAWi~NbY,DWl1hGrdJEpMT5-ofWBAH1HIYDauTNh8xilF8l2tCfE,AQACAAE/mempo/2/[2013/10/28 08:55:47]

Mempo Project: Security+Privacy

Mempo cooperation

Created in cooperation

Everyone interested is invited to join creation of the system.

We accept and even encourage developers that protect their privacy/security (although for some positions like code reviews a well known or real-life known people are needed too). Show credits (in progress - sign up):

click checkbox to open

Mempo roadmap
This project is ambitious in scope - it will be release in stages.

Stage 1

Addon to Debian that makes it hardened (Kernel, PAX) and allows easy, secure, private, compartment-based use for communication, publishing, e-currencies. Kernel: GrSecurity, PAX, on max settings Grsecurity profiles (like FW+AV rules) for main software Hardened-compilation of important software Executable code anti-troyan hardening of some applications (removing JIT), with allowing also the -fast version Firewall on Host Easy creation of VMs Easy execution of important applications in isolation (chroot, secured Xnest?) Easy toggle of VM settings: Tor, VPN, Darknet One-click access to no-censorship storage darknet: Freenet with FMS (boards) and Sone (twitter) One-click access to no-censorship darknet: including id3nt twitter, darknet-IRC (irc2p), darknet-chat (jabber?) One-click access to break-prism applications, many preconfigured for Tor where possible Repository Verificable builds Secure multi-signed build

Mempo source-code
Editing code is very easy. To edit this website over github:
For users with GitHub account: On https://github.com/mempo/mempo-websites use fork repository. $ git clone git@github.com:your-username/mempo-websites.git # download over Internet $ (edit files) # also git add new_file # if you added files $ git commit -a -m "your comment" $ git push # send over Internet

Git branches standard

For bigger sub-projects that need a release cycle: master - active development; On selected users - the semi-stable version. More stable versions marked with tags. alpha - frozen for internal tests beta - frozen for everyone to use and test stable - fully tested very stable version. Only bugfixes should go there, untill next release.

Threats to security and anonymity

Even most secure computer cannot protect user against all threats, especially, when user don't know much about them. This is why education is one of the most important modules of Mempo. Threats Possible results Mempo protection User sensitive Using PGP encrypted eMonitoring email, instant messaging communications by villans, data exposure mail communication, OTR governments, corporations User identity in instant messaging. compromised Using anonymizing IP/location discovery User identity networks like Tor, I2P, by villans, governments, corporations to find inconvenient journalists, Freenet to public posts, compromised bloggers.

http://127.0.0.1:8888/...fiXFPRPKw3miEP1tXIi3Mz2BvfkKK1FsoATqAWi~NbY,DWl1hGrdJEpMT5-ofWBAH1HIYDauTNh8xilF8l2tCfE,AQACAAE/mempo/2/[2013/10/28 08:55:47]

Mempo Project: Security+Privacy

articles. DNS protocol leak protection

https://www.dnsleaktest.com
https://www.grc.com/dns/dns.htm Password attack
Attacker for example tries to crack the password-protected file. ISP can log Using free, open DNS servers (OpenNIC and monitor project) your activity Passwords compromised. Using only strong passwords, replacing passwords with strong encryption keys whenever possible.

Computer stealing

Physical access to computer. Hard disk encryption Access to data on hard disk. Cleaning RAM memory Physical access to when going to shutdown, new SysRq (Panic computer. User sensitive button?), RFID blocking device data exposure

Powered computer stealing

Software backdoor
Part of program source code allowing to bypass authentication, securing illegal remote access to a computer, while attempting to Unauthorized Runnig application in remain undetected. access to the virtual machine intended
Detailed description: system only for this application. http://en.wikipedia.org/wiki/Backdoor_%28computing%29
Example: http://en.wikipedia.org/wiki/NSAKEY Hardware backdoor
Similar to software but built in computer hardware Rootkit
A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Detailed description: http://en.wikipedia.org/wiki/Rootkit
Examples: http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal Unauthorized Using access to the only. system open hardware

Using only open source firmware.

Trojan Horse
Imitates a normal application, but implements hidden to Unauthorized Running users, undesirable functions. access to the application
Detailed description: system, data, isolation https://en.wikipedia.org/wiki/Trojan_horse_%28computing%29 passwords theft
Example: Attacker can Identity Spoofing (IP Address Spoofing) access to the
Attacker may fake IP address so the victim thinks it is sent from a local network ? location that it is not actually from. with a valid IP address. Packet sniffing
Interception of data packets traversing a network

untrusted in strong

Passwords Using only encrypted compromised. communication, using User sensitive HTTPS Everywhere data exposure Attacker captures and modify messages in controlling communication. ? Attacker is eavesdropping encrypted communication. Cleaning RAM memory Private keys when going to shutdown, compromised. SysRq, RFID

Man-in-the-middle attack (hijacking)

Attacker is actively monitoring, communication between two victims.

capturing,

and

Cold-boot attack
Attack requiring physical access to computer, right after cold reboot.

http://127.0.0.1:8888/...fiXFPRPKw3miEP1tXIi3Mz2BvfkKK1FsoATqAWi~NbY,DWl1hGrdJEpMT5-ofWBAH1HIYDauTNh8xilF8l2tCfE,AQACAAE/mempo/2/[2013/10/28 08:55:47]

Mempo Project: Security+Privacy

Evil maid attack

Attack requiring physical access to computer which use disk encryption.

Passwords to encrypted ? volume compromised.

Education: Never trust Passwords Social engineering anyone with your compromised
Attacker uses persuasion or deception to gain access to information User sensitive passwords, private keys, systems. or sensitive data data exposure Phishing User sensitive
Attacker attempting to acquire information such as usernames, data exposure passwords, and credit card details by masquerading as a trustworthy ? Passwords entity in an electronic communication, e.g. bank website. Phishing is compromised typically carried out by email spoofing or instant messaging. User sensitive Quantum computer cryptography data exposure Multi-crypt with using QC
In the near future quantum computers will be powerful enough to break resistant cryptography Passwords some of presently popular cryptografic algorithms compromised DNS poisoning
Attack where DNS information is falsified. ... ? ... ? ...
BTC 15s3n39RT1kRh2GKU5EAE2FC1Tqjshm74p

http://127.0.0.1:8888/...fiXFPRPKw3miEP1tXIi3Mz2BvfkKK1FsoATqAWi~NbY,DWl1hGrdJEpMT5-ofWBAH1HIYDauTNh8xilF8l2tCfE,AQACAAE/mempo/2/[2013/10/28 08:55:47]