On Mon, Jun 15, 2015 at 12:48:38AM +0000, Nobody III wrote:
> Basically, it looks like Genode is about the only way to be NSA-proof. Yes, the NSA will likely be able to tell that you're using Genode, but they won't be as able to hack it as with Tails.
Let's not assume there's a silver bullet for security. It's all about threat modelling, which in turn is all about resources and data. No operating system will protect you against hardware implants, not even Genode.
Tails' threat model is designed to avoid unwillingly giving off distinguishing data about the user in communication sessions or to storage. It does this quite well, I think. I'm not sure how Genode could help here.
If you haven't read up on Qubes, you should. It's a brilliant system with a design I think Genode is suited for, and perhaps what you're looking for. Using that design, I'd run a desktop with isolated workspaces, mostly offline. For the small number of applications that I connect online with, I'd give them access to Tor as their only network source and a limited file system. If the applications were compromised, they wouldn't be able to do much aside from thrash about before I force them to quit.
Qubes OS separates its applications into a number of partitioned domains, which doesn't really seem that optimal. In the above example with Qubes I'd probably have all the net applications running in a single domain, meaning that if my web browser were exploited, then my other applications, such as my instant messenger and email, could be compromised too. Luckily it wouldn't compromise my other domains containing things like my personal documents and programming projects.
I think Genode could replace the idea of partitioned domains with some kind of per-process resource policy, meaning I wouldn't have to decide what applications shouldn't share, but instead what they should. In this case they'd all have access to the Tor daemon and their own per-process file system, but not to each other, further reducing the TCB. From a user's point of view there's still partitioning, but it's at the resource level rather than the domain level.
Of course, if you wanted to run GNU applications you could use virtual machines as domains in a similar manner to what Qubes OS actually does, though you lose the benefit of reducing your TCB to the necessary parts. This would actually be a good stepping stone until Genode has more applications.
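The per-process policy sketched in the message above, written out as a Genode init configuration. This is an added illustration and is not part of the original message or of any Genode release. The component names (tor, browser, messenger, browser_fs, messenger_fs) and the RAM quotas are assumptions, and Tor is assumed to be packaged as a component that offers a Nic service to its clients. The point it shows is that the policy is expressed per component: each application is routed to the Tor component for networking and to its own file-system server for storage, and the routing table contains no path from one application to another, so the browser and the messenger are isolated from each other without being placed in separate domains.

```xml
<!-- Added example of per-component session routing in Genode's init configuration.
     Not from the original message. Component names and quotas are assumed, and
     "tor" is assumed to be a component that provides a Nic service. -->
<config>
  <!-- Services init itself may forward to its parent (core / the physical NIC driver) -->
  <parent-provides>
    <service name="ROM"/>
    <service name="RAM"/>
    <service name="CPU"/>
    <service name="PD"/>
    <service name="LOG"/>
    <service name="Nic"/>
  </parent-provides>

  <!-- Deliberately no <default-route>: a session request that matches
       no explicit rule below is denied rather than silently satisfied. -->

  <!-- The only path to the network. Everything above it sees Tor as its NIC. -->
  <start name="tor">
    <resource name="RAM" quantum="64M"/>
    <provides> <service name="Nic"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <!-- One private file-system server per application -->
  <start name="browser_fs">
    <resource name="RAM" quantum="16M"/>
    <provides> <service name="File_system"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <start name="messenger_fs">
    <resource name="RAM" quantum="16M"/>
    <provides> <service name="File_system"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <!-- Applications. Each may reach tor and its own file system; there is no
       rule that names another application, so none can open a session to it. -->
  <start name="browser">
    <resource name="RAM" quantum="256M"/>
    <route>
      <service name="Nic">         <child name="tor"/>        </service>
      <service name="File_system"> <child name="browser_fs"/> </service>
      <!-- Remaining requests (ROM, LOG, ...) go to core via the parent -->
      <any-service> <parent/> </any-service>
    </route>
  </start>

  <start name="messenger">
    <resource name="RAM" quantum="128M"/>
    <route>
      <service name="Nic">         <child name="tor"/>          </service>
      <service name="File_system"> <child name="messenger_fs"/> </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>
</config>
```

Two things to check when writing such a policy: the routing rules are matched in order, so the explicit Nic rule must precede the catch-all that falls back to the parent, otherwise an application's Nic request would reach the physical driver directly and bypass Tor; and the catch-all should only ever point at the parent, never at `<any-child/>`, because that is exactly the rule that would let a compromised browser open a session to the messenger's file system.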