Is probe machine forensics risk in scope for initial release?

[nathan-at-least]

Synopsis

One of the potential Threats is Probe Operator Usage Exposure From Local Forensics.

Is this concern in scope for the initial release?

Close Criteria

Either:

1. Decide it is out of scope, in which case we should put a note in the ooni-probe distribution's README that users should be aware that this risk is not addressed by this ooni release; or
2. Decide it is in scope, in which case we should add a document in the ooni-probe distribution that explains what traces ooni-probe leaves on a user's machine, and how they might go about sanitizing that data.

Also, update User Features in use cases to reflect the decision.

[hellais]

Regarding the Use case "If the Probe Operator is sensitive to forensics risk, they take precautions to sanitize the probe machine or network infrastructure", I have a feeling this is out of scope regarding ooni-probe. I think that this is for sure something worth thinking about while developing the software, I don't think it deserves a use case in itself, like doesn't "the system is secure against remote code execution", since the mitigation there is good coding (no buffer overflows).

[nathan-at-least]

On Mon, Jul 15, 2013 at 9:27 AM, Arturo Filastò notifications@github.comwrote:

Regarding the Use case "If the Probe Operator is sensitive to forensics risk, they take precautions to sanitize the probe machine or network infrastructure", I have a feeling this is out of scope regarding ooni-probe. I think that this is for sure something worth thinking about while developing the software, I don't think it deserves a use case in itself, like doesn't "the system is secure against remote code execution", since the mitigation there is good coding (no buffer overflows).

— Reply to this email directly or view it on GitHubhttps://github.com/TheTorProject/ooni-probe/issues/145#issuecomment-20981679 .

That sounds entirely reasonable. In that case, I'd like to add this to the README or somewhere obvious and distributed with ooni-probe:

""" Note: ooni-probe takes no precautions to protect the install target machine from forensics analysis. If the fact that you have installed or used ooni probe is a liability for you, please be aware of this risk. """

-then close this ticket. Is that reasonable?

I feel this is slightly different from buffer overflows, because most software has an implicit disclaimer along the lines of "Note: This software, like all software, may be vulnerable to buffer overflows or other common exploit techniques. The developers try to notice and repair such vulnerabilities. Please be aware of this risk."

For example of why it is different, consider the use case of TorBrowser, where it might be reasonable to have a disclaimer like: "Note: This software attempts to protect you against some forms of forensics analysis. Someone examining your machine after you have used TorBrowser will be able to determine that you've installed TorBrowser, but they should be unable to recover site history, cookies, text field contents, etc..." OTOH, the implicit buffer overflow disclaimer would be the same for TorBrowser.

I figure the disclaimer can't hurt, and it might help save someone from some trouble. Also, if I read that disclaimer in software I would get a warm fuzzy feeling that at least the devs are thinking about that kind of issue.

[hellais]

This is done in master of ooni-probe, by adding the text suggested by @daira