
Tails 3.0 Released - sr2
https://tails.boum.org/news/version_3.0/index.en.html
======
d33
Those two changes seem particularly important:

* Tails 3.0 works on 64-bit computers only and not on 32-bit computers anymore. Dropping hardware support, even for a small portion of our user base, is always a hard decision to make but being 64-bit only has important security and reliability benefits. For example, to protect against some types of security exploits, support for the NX bit is compulsory and most binaries are hardened with PIE which allows ASLR.

* Update Tor Browser to 7.0 (based on Firefox 52 ESR) which is multiprocess and paves the way to content sandboxing. This should make it harder to exploit security vulnerabilities in the browser.

What do you guys think about dropping 32-bit?

~~~
skraelingjar
I wonder if this will affect journalists and activists in parts of the world
where old machines are still used (Africa, Middle East, parts of Asia). Not
being able to make use of newer browser versions (without updating every time
or taking the risk of using a persistent volume) could put them at greater
risk.

~~~
jwilk
Previous versions of Tails already had exuberant hardware requirements.

I guess privacy is only for the rich.

~~~
nextlevelwizard
Literally nothing is preventing you from creating your own secure Linux
installation on any hardware you've got.

~~~
ViViDboarder
Besides one's technical skills. Not all activists are knowledgeable enough to
just roll their own distro.

~~~
Sir_Substance
Beyond that, I thought it was now well understood that rolling one's own
security software is a terrible idea. Many eyeballs etc. Activists with the
technical skills /should not/ roll their own, they should definitely
contribute to existing projects.

------
slashink
This is great. I very much appreciate the work done by the contributors to the
Tails project and I trust & agree with their technical decisions for this
release. As the Internet keeps getting more monitored, Tails serves as an
important tool in maintaining the balance of privacy and allowing for the
anonymous sharing of information going forward. Big thanks to the Tails team.

------
tptacek
For the love of Christ don't use Tor Browser. Every other modern browser,
including mainline Firefox, is safer.

~~~
metalliqaz
From another comment elsewhere in this thread:

> Update Tor Browser to 7.0 (based on Firefox 52 ESR) which is multiprocess
> and paves the way to content sandboxing. This should make it harder to
> exploit security vulnerabilities in the browser.

Firefox 52 ESR sounds like mainline Firefox to me.

~~~
tptacek
Literally the same version of Firefox as underpins Tor Browser will tend,
pretty much at all times, to be safer than Tor Browser. You can use the search
bar at the bottom of the page to find out why, or search the Internet for
"grugq tor browser" if you want more people explaining the issue.

~~~
jerheinze
> Literally the same version of Firefox as underpins Tor Browser will tend,
> pretty much at all times, to be safer than Tor Browser.

This is absolutely false. Especially if you're considering the alpha versions
which include Selfrando.

See "Real-world Exploits against the Tor Browser" pages 9-10 where they
conclude,

> The reason is that these function pointers are only accessed through an
> indirection layer, i.e., memory objects on the heap contain a pointer to a
> virtual table which is located in the code or data section of the
> application and contains a number of pointers to virtual functions. Since
> the attackers can only disclose the virtual table pointer, but not the
> virtual table itself, as it is not on the heap, they cannot disclose gadget
> addresses. Note that, when only ASLR is applied, the address of the virtual
> table is randomized with the same offset as the ROP gadgets. Therefore, such
> an attack can bypass ASLR but not selfrando.

> We therefore conclude that selfrando can thwart most real-world exploits.
> Attackers can only succeed in rare cases where they can disclose the
> complete heap and data section.

[1]: [https://people.torproject.org/~gk/misc/Selfrando-Tor-Browser.pdf](https://people.torproject.org/~gk/misc/Selfrando-Tor-Browser.pdf)

------
jwilk
[https://tails.boum.org/news/version_3.0/index.en.html#news-version-3.0.check](https://tails.boum.org/news/version_3.0/index.en.html#news-version-3.0.check)
says you should run "uname -m" under Tails to see if "your
computer is 64-bit". How does that work? Does Tails automatically choose
kernel version appropriate for your hardware, or what?

~~~
jnbiche
> How does that work? Does Tails automatically choose kernel version
> appropriate for your hardware, or what?

No, you run `uname -m` and then download the appropriate version of Tails
(although it appears Tails 3.0 is only available on 64-bit now).

~~~
jwilk
I mean, "uname -m" gives you information about the kernel, not about the
hardware.

If "uname -m" says "i686" it means that your kernel is 32-bit (or pretends¹
to be so). It doesn't necessarily mean that your hardware is not capable of
running a 64-bit kernel.

So unless I'm missing something, the above procedure does not work correctly.
Instead, you should run something like this:

    $ lscpu | grep -w mode
    CPU op-mode(s):        32-bit, 64-bit

¹ [http://man7.org/linux/man-pages/man8/i386.8.html](http://man7.org/linux/man-pages/man8/i386.8.html)
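
The distinction drawn in the comment above, as an added example that is not part of the thread: on x86 Linux the `lm` (long mode) CPU flag in `/proc/cpuinfo` reports 64-bit capability, independently of what `uname -m` says about the running kernel. The function names `has_long_mode` and `classify` and the two sample `cpuinfo` snippets are constructed for this illustration.

```shell
#!/bin/sh
# Added example: separate what the kernel reports from what the CPU can do.

# has_long_mode CPUINFO_TEXT
# Succeeds if an x86 "flags" line lists the exact flag "lm" (long mode).
# Exact matching matters: "lahf_lm" is a different flag and must not count.
has_long_mode() {
    printf '%s\n' "$1" | awk -F: '
        $1 ~ /^flags[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "lm") found = 1
        }
        END { exit !found }'
}

# classify MACHINE CPUINFO_TEXT
# MACHINE is the output of `uname -m`. Prints one verdict word.
classify() {
    case "$1" in
        x86_64)
            echo "64bit-kernel" ;;
        i?86)
            # A 32-bit kernel, or one reporting i?86 under the i386 personality.
            if has_long_mode "$2"; then
                echo "32bit-kernel-64bit-cpu"
            else
                echo "32bit-only-cpu"
            fi ;;
        *)
            echo "not-x86" ;;
    esac
}

# Constructed, abbreviated cpuinfo snippets (not captured from real machines).
SAMPLE_64='processor       : 0
flags           : fpu vme de pse tsc msr pae mce cx8 sse sse2 nx lm lahf_lm'
SAMPLE_32='processor       : 0
flags           : fpu vme de pse tsc msr pae mce cx8 sse sse2'

# On a live Linux system, classify the machine this runs on.
if [ -r /proc/cpuinfo ]; then
    classify "$(uname -m)" "$(cat /proc/cpuinfo)"
fi
```

A result of `32bit-kernel-64bit-cpu` is the case the `uname -m` check alone would misreport: the hardware can boot a 64-bit system even though the current kernel identifies as 32-bit.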

~~~
jnbiche
That's a fair point. I misunderstood your question.

------
rallycarre
I recently started using Tails so for security reasons cough _backdoor_
windows _ios_ cough,.. and found that it worked surprisingly well. It has a disk
utility, LibreOffice, and the drivers even worked for my wireless dongle!
Kudos to the Tails team!

------
an27
None of the machines available to me worked with the previous release, I guess
it's time to try again for the x64 subset...

------
hendry
[https://webconverger.com/](https://webconverger.com/) is still 32 bit and
keeps a clean slate.

------
claudiojulio
Tails should use Devuan. It does not have systemd. What do you think?

Translated automatically.

~~~
detaro
Assuming Debian Stretch still uses non-systemd networking configuration (which
was the default case in 8 at least), or Tails switches back to it, systemd
shouldn't impact what Tails tries to do in any way.

