heads (lower case h) does much the same thing as Tails but without systemd or non-free software:
''heads is a GNU/Linux liveCD distribution aimed at people who like the aspect of controlling their privacy and anonymity on the Internet. You might have heard of Tails as a similar GNU/Linux distribution. heads was born as an answer to Tails, since Tails is using systemd as an init system and also contains non-free software.
In heads, the init of choice is not systemd. systemd is a huge piece of software that, while being free software, has not been audited for security since its creation. Being big as it is, it is hard to do so, and as time goes, it's becoming even tougher to audit systemd. We do not aim to disrespect or get into the controversy on why systemd is a bad choice. We just do not wish to use it.
Another important thing is that heads uses only free software, while Tails continues using non-free software. Non-free software can not be audited and as such cannot guarantee you security or anonymity.''
A rather unfortunate name collision, at first I thought this project (targeting tamper evident attestation pre-boot) had vastly expanded its scope: https://osresearch.net/
> Another important thing is that heads uses only free software, while Tails continues using non-free software. Non-free software can not be audited and as such cannot guarantee you security or anonymity.
Latest version of heads is 4 years old so not sure how much security those developers can guarantee.
It would be cool for ARM support. I'm not sure how hard that is but seems like it's hit or miss for various linux distros if you can get them to run on apple silicon.
This stuff is really cool but in a world with IME it's sadly, moot. What good does a secure OS do you if the hardware has a fully embedded OS tied to both your keyboard and Ethernet adapter such that it can transparently send and receive anything you are doing?
How many adversaries have the ability to act on that risk? I hate the security defeatism that is rampant across the space. The perfect is the enemy of the good and all that. Unless your threat model includes nation state adversaries (or individuals/orgs with similar levels of skill and funding) explicitly targeting you, worrying about IME/PSP is probably completely unwarranted. Unless I'm unaware of active exploitation campaigns against these systems, in which case I would love to learn more.
Edit: Don't get me wrong, I would love to see a world where the entire system is open from hardware on up. Unfortunately I don't know that we'll get there without some substantial shifts in humanity as a whole.
If you don't want anyone knowing who you are you're stuck using only public wifi anyway. Who cares if they build a profile around a piece of hardware? As long as they can't link it to a real human it's not really an issue.
decrypt, no, however it has visibility of the entire memory and so can read from pages backing the VM containing pre-encryption and post-decrypted content.
Presumably that means that it could detect known strings in raw memory from a known embedded list. I believe it would be unlikely to use network to obtain some kind of real time list, we would know about it if this was the case. It might be possible to push updated bad string lists embedded encrypted in firmware.
Seems like reasonably good solution for vacations when I need to take with me my work laptop, but I want to also work on my personal projects, without dragging second laptop?
Depends on where you live and your company. In the US, the laptop is company property, and so is anything you produce on it barring some other agreement.
I think this is less true to an extent in Europe, where at least some countries establish privacy rights to employees when using company equipment- at least when it comes to Internet browsing history and private emails. I'm not sure if creative works like personal side projects would also be protected.
Really though, when it comes to using company time or property for personal gain, the only real answer is "talk to your lawyer".
from legal perspective definitely, usually its phrase "as long as its created during work time or with work equipment or its work related" its property of the company.
I am asking more from technical point of view, e.g. I guess the tech companies at least will have booting from usb blocked completely, or it triggers some bitlocker type lock
I'm not too familiar with big tech companies blocking booting from USB, though it is a pretty common practice in the finance sector, iirc.
There's an apocryphal story of a security researcher who was tasked by a bank to break in if he could. He littered CD's around the parking lot (or was it USB drives? I forget) back when auto-run was a thing. Employees saw the disks on the ground, picked them up wondering what they were, and inserted them in their work computers to find out. Tada! Access granted. As such, Big Corporate companies (finance, insurance, retail, etc) tend to lock down their computers pretty hard... tech companies less so, I think.
2. One doesn't have to fully get rid of systemd. It's "merely" a matter of breaking the dependencies on it, which is a rather small technical burden. A distribution could do that and barely notice (well, ok, other than the fact that it will now have to offer Unix'ish utilities it used to have and which systemd replaced; but those are optional too).
3. The more it expands to take over the entire lower part of userspace, the more it will squeeze out people who want to do work in that space. All those people are enough to sustain and grow a non-systemd ecosystem. I tend to assume developers will prefer it in the long run.
4. Longer-term: Non-monolithic dbus-utilizing lower-userspace facilities. These should be able to get to a state where one can switch from systemd to them with relative ease and without losing the useful capabilities of systemd. At least, that's according to my very rough understanding of things.
''heads is a GNU/Linux liveCD distribution aimed at people who like the aspect of controlling their privacy and anonymity on the Internet. You might have heard of Tails as a similar GNU/Linux distribution. heads was born as an answer to Tails, since Tails is using systemd as an init system and also contains non-free software.
In heads, the init of choice is not systemd. systemd is a huge piece of software that, while being free software, has not been audited for security since its creation. Being big as it is, it is hard to do so, and as time goes, it's becoming even tougher to audit systemd. We do not aim to disrespect or get into the controversy on why systemd is a bad choice. We just do not wish to use it.
Another important thing is that heads uses only free software, while Tails continues using non-free software. Non-free software can not be audited and as such cannot guarantee you security or anonymity.''
https://heads.dyne.org/about.html