Tails

Kyle Rankin

Director of Engineering Operations

NCC Group Domain Services

http://greenfly.org/talks/security/tails.html

Agenda

• What is Tails?
• Why Use Tails?
• What Tails can do
• What Tails can't do
• How to get Tails
• Validating the Image
• Install the Image
• Demo: The Tails Desktop
• Demo: Encryption Tools
• Demo: Persistent Disk
• Questions?

What is Tails?

• Live DVD/USB Linux distribution
• Focused on privacy/anonymity
• All network traffic routed over Tor
• Browser w/ many security plugins
• Leaves no trace behind--RAM gets scrubbed at shutdown.

Why Use Tails?

• Some use cases:
• You are a regular person who cares about privacy
• You need to use someone else's computer securely
• You live in a repressive regime
• You need to handle sensitive information
• Why use Tails though?
• Properly securing a workstation is hard
• Just one mistake can identify you
• Hard to know which security tools to use
• Sometimes difficult to know if you are already compromised.

What Tails can do

• Set up a secure environment to use Tor
• Make it easier to use a browser securely
• Provide a locked-down, secure environment on an untrusted computer or network
• Ensure no data is left behind on a computer
• Put a lot of basic security/privacy/encryption tools all in one place.

What Tails can't do

• Protect you from a determined, well-funded adversary specifically targeting you, without extra security know-how
• Save you from yourself:
• Won't stop you from logging into facebook...
• Then buying drugs from Silk Road
• Prevent you from installing insecure software
• Block plaintext emails
• It won't make "password1" a good password
• It can't force you to validate the Tails ISO you download for tampering.

How to get Tails

• Easiest way: install from an existing, validated Tails install
• Harder way: download and validate the ISO yourself:
• Download the latest ISO from https://tails.boum.org (validate the cert)
• Download the corresponding .sig file
• Why .sig and not md5sum?
• md5sum validates the file you have matches the file the md5sum was generated for
• An attacker in the middle could tamper with the iso and md5sum in transit
• The .sig file is a GPG signature
• Proves both the ISO is complete, and that it came from Tails

Validating the Image

• A MITM attack could rewrite the sig. Must verify the .sig is legitimate
• First validate the .sig:
• If the Tails author is in your GPG web of trust, GPG can validate the .sig
• Otherwise, download .sig from different computers, different networks
• Run sha256sum against all .sig files, make sure they match
• (Optional) Import the Tails signing key from https://tails.boum.org/tails-signing.key:

$ cat tails-signing.key | gpg --keyid-format long --import
gpg: key 1202821CBE2CD9C1: public key "Tails developers 
 (signing key) " imported
 gpg: Total number processed: 1
 gpg:               imported: 1  (RSA: 1)

• Use GPG to verify the signature against the ISO:

$ gpg --keyid-format long --verify tails-i386-1.0.1.iso.sig tails-i386-1.0.1.iso
gpg: Signature made Sun 08 Jun 2014 12:32:53 PM PDT using RSA key ID BE2CD9C1
gpg: Good signature from "Tails developers (signing key) "
gpg:                 aka "T(A)ILS developers (signing key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0D24 B36A A9A2 A651 7878  7645 1202 821C BE2C D9C1

Install the Image

• DVD: Just burn the ISO to a DVD
• USB: more involved
• Install syslinux
• Insert USB drive and identify its device name (say /dev/sdc)
• Use isohybrid to modify the ISO to a usb-ready image:

$ cp tails-i386-1.0.1.iso tails-i386-1.0.1-isohybrid.iso
$ isohybrid tails-i386-1.0.1-isohybrid.iso --entry 4 --type 0x1c

• Use dd to image YOURDEVICE (such as /dev/sdc) with the ISO:

$ sudo dd if=tails-i386-1.0.1-isohybrid.iso of=YOURDEVICE bs=1M

• Note: To use a persistent volume, you need to create Tails from an existing Tails disk.

The Tails Desktop

• DEMO

Encryption Tools

• DEMO

Persistent Disk

• DEMO

Questions?

Additional Resources

• Official Tails site: https://tails.boum.org
• http://greenfly.org/talks/security/tails.html
• Tails above the Rest: the Installation
• Tails above the Rest, Part II
• Tails above the Rest, Part III