Specifications to define a security model

Freepto design

Freepto is a Linux system on USB sticks; it is meant to be usable while providing a secure system.
What usable and secure mean is explained below.

Note: the key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

Security

Goals and guidelines

We especially care about “disk” security and “system” security; this means that we MUST NOT leak data in cleartext on the device, and that we want to avoid malware as much as possible.

On-the-wire security is welcome, and the most secure way of exchanging data SHOULD be used.
When there is a tradeoff between security and usability, the developers need to reach consensus on that particular choice.

DOs

These are security policies we are interested in:

  • User data MUST be encrypted
  • Secure network connections SHOULD be used by default, when possible
  • Unsigned packages MUST NOT be used
  • Cold boot attacks SHOULD be mitigated
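As an added example that is not part of the Freepto design document or the project's own tooling, the following POSIX shell script checks a running stick against the first and third policies above. It assumes a Debian-based live system with APT and a dm-crypt (LUKS) persistence partition; the document only says “linux system”, and the mount point /lib/live/mount/persistence is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Freepto project: checks two of the MUST policies
# above. Assumes a Debian-based live system with APT and dm-crypt persistence
# (the document only says "linux"); the mount point below is a placeholder.

# "User data MUST be encrypted": given `lsblk -rn -o NAME,TYPE,MOUNTPOINT`
# output and the persistence mount point, succeed only when the device
# mounted there is a dm-crypt mapping (TYPE crypt), not a plain partition.
persistence_is_encrypted() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $3 == mp { found = 1; if ($2 == "crypt") ok = 1 }
        END { if (found && ok) exit 0; exit 1 }'
}

# "unsigned packages MUST NOT be used": fail if any APT source disables
# signature checks ([trusted=yes] in one-line format, "Trusted: yes" in
# deb822 format) or if APT::Get::AllowUnauthenticated is switched on.
apt_requires_signatures() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*deb[^#]*\[[^]]*trusted=yes' && return 1
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Trusted:[[:space:]]*yes' && return 1
    printf '%s\n' "$2" | grep -Eiq '^[[:space:]]*APT::Get::AllowUnauthenticated[[:space:]]+"?(true|yes|1)' && return 1
    return 0
}

# Run both checks on the live system (mount point is a placeholder argument).
check_freepto_policies() {
    mp=${1:-/lib/live/mount/persistence}
    rc=0
    if persistence_is_encrypted "$(lsblk -rn -o NAME,TYPE,MOUNTPOINT)" "$mp"; then
        echo "OK   user data at $mp is on a dm-crypt device"
    else
        echo "FAIL $mp is missing or not on a dm-crypt device"; rc=1
    fi
    sources=$(cat /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null)
    if apt_requires_signatures "$sources" "$(apt-config dump 2>/dev/null)"; then
        echo "OK   APT refuses unsigned packages"
    else
        echo "FAIL an APT source or setting allows unsigned packages"; rc=1
    fi
    return $rc
}

# Constructed sample inputs for offline testing (not from a real stick).
SAMPLE_LSBLK_OK='sda disk
sda1 part /lib/live/mount/medium
persistence crypt /lib/live/mount/persistence'
SAMPLE_LSBLK_BAD='sda disk
sda2 part /lib/live/mount/persistence'
SAMPLE_SOURCES_BAD='deb [trusted=yes] http://deb.example.invalid/debian stable main'
SAMPLE_APTCONF_BAD='APT::Get::AllowUnauthenticated "true";'
```

Run `check_freepto_policies <mount point>` on the stick to get an OK/FAIL line per policy; the SAMPLE_* strings only exercise the two check functions offline.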

DONTs

These are things we do not really care about:

  • Hiding the fact that someone is using Freepto
  • Browsing the web anonymously (more on this below)

Please note that while these features are not needed for Freepto, they can be implemented if they do not bring significant performance or usability problems with them.

Anonymity

Goals and guidelines

Anonymity is NOT a goal for Freepto. Freepto does not guarantee that the user will be anonymous in any way. Despite this, some anonymity-related tools (e.g. Tor) and configurations are provided, when they do not degrade the user experience.

DOs

  • Use and encourage Tor Hidden Services where it makes sense (software with low bandwidth requirements, some latency allowed). Remember that Tor Hidden Services provide two additional features:
    • Server identity verification without relying on the broken CA model
    • The people running the server can be anonymous. Supporting hidden services encourages the anonymity of other people.
  • Provide anonymity-related software
  • Make clear to the user that anonymity cannot be provided by just some specific software, and that a whole anonymity-oriented system will be a better fit.

Usability

We define usability in terms of use cases; a user with no advanced knowledge should easily accomplish these tasks.

Workflows

Navigation

Surfing the web MUST be straightforward; this includes connecting to Wi-Fi, watching video embedded in web pages, and so on.

Mail

Mail configuration with a proper mail client MUST be easy:

  • a complete graphical mail user agent MUST be installed
  • it SHOULD support autodiscovery
  • it SHOULD support Tor Hidden Services
  • it MAY support Tor proxying

GPG

All GPG tools MUST be already installed and integrated in the system; these tools SHOULD be preconfigured.

We do not assume that our users already have a GPG key, so they need to

  • create a key pair
  • upload to a keyserver
  • search, verify and sign other keys
  • write mails

All this MUST be possible with a graphical interface.

Jabber/OTR

A user MUST be able to run a Jabber client with OTR support, all from a graphical interface.
OTR auto-detection MUST be enabled, so that opportunistic encryption is performed.

TorBrowser Bundle

The user MUST be able to surf the web using Tor in a simple way.

Automatic updates of such critical software SHOULD be handled transparently for the user.

Persistence

The user must be able to use the USB stick in the same way as a “normal” operating system: any change MUST be persisted across reboots.

Hardware

Freepto is targeted at x86 computers.

Boot

  • USB-FDD boot mode MAY be supported
  • USB-HDD MUST be supported
  • SHOULD support both BIOS and EFI (therefore including Intel-based Apple)

CPU

  • MUST boot on i686 platforms
  • MUST support more than 4 GB of RAM

Devices

  • MUST support the most common input devices (keyboards and mice)
  • MUST support the most common Ethernet/wireless devices