Privacy - A New Hope Through Tails

by Brainwaste

"The evils of tyranny are rarely seen but by him who resists it." - John Hay

In this era of new totalitarianism, state-sponsored surveillance, and with what the government and ISPs can do legally (and illegally) to spy on you these days, it makes sense to protect your computer data and communications.  We all want to avoid the prying eyes of intrusive data surveillance programs.  You have probably heard about the NSA surveillance program PRISM, which has openly been used to conduct illegal spying on U.S. citizens.  And with the recent attempt by the FBI to pressure Internet providers to install surveillance software that can intercept metadata in real-time, who knows where the abuses will end?

The FBI and other federal authorities are used by those in power as a political weapon against hackers and those who embrace a free-thinking ideology.  Apple, Google, and Micro$oft are all part of PRISM, so I strongly recommend avoiding their proprietary operating systems.

Chrome, Internet Explorer, and Safari are not recommended.  Instead, you should use Mozilla Firefox or the Tor Browser Bundle.

There are a lot of sick dudes out there.  There are a lot of real sick motherf*ckers going around debating which is a better computer operating system for protecting your online privacy: Linux or Window$.  Hopefully, this article will put the debate to rest.  Risk is a variable in any activity, but the objective here is to limit our vulnerability.  The goal here is to work on a computer while limiting the risk of exposing our credentials and private data, as well as being anonymous.

So how can we achieve all this?  By having a separate operating system which is used solely for sensitive computing.  Why is the operating system important?  Because virtually all of the data-stealing malware in circulation in the wild today is built to attack Windoze$ systems, and will not run on non-Window$ computers.  For security purposes, almost any Linux OS is superior to Winblow$, but a general purpose Linux distribution does not make an ideal solution for security, and security hardening a general purpose Linux distribution requires skills that most people don't have.  So the solution here is to use a Linux live CD distribution.

The beauty of Linux live CD distributions is that they can turn a Windoze-based PC temporarily into a Linux computer, as live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive.

Programs on a live CD are loaded into system memory, and any changes - such as browsing history or other activity - are completely wiped away after the machine is shut down.  To return to Winblow$, simply remove the live CD from the drive and reboot.  Thus, malware that is designed to steal data from a Window$-based system will not load or work when the user is booting from a live CD.

Even if the Windoze$ OS on the underlying hard drive is totally infected with a virus or Trojan, the malware cannot capture any information when booting with a Linux live CD this way.

The main reason to use a bootable live CD is that it is not persistent, unlike a hard drive install or a persistent bootable USB flash drive.  It offers the most security and privacy because absolutely nothing remains when the system is shut down.  Although a persistent install of Linux is better because it's a more secure OS, using a non-persistent system is the best because not even your browsing history will be saved when the system is shut down.  Absolutely nothing is saved when it is shut down, not even apps you have installed.  Linux never stores as much information as Windows and a live CD stores even less.  Even if you have Linux installed to the hard drive, using a live CD or a non-persistent USB Linux bootable distribution would give you the best protection of all.  If your PC can be booted off a USB thumb drive, it is also possible to put the "live" Linux distribution on a USB thumb drive, eliminating the need for a CD.  Most distributions have an option to create a bootable USB thumb drive.  The advantage is that a bootable USB stick is faster than a CD.

A bootable live Linux USB thumb drive can be very effective for security, but there are important differences in implementation one should be aware of.  Bootable USBs come in two flavors: persistent and non-persistent.  On thumb drives made with persistence, the software can be modified and changes occurring in one session will carry forward to the next.  For security, persistence is undesirable because an attack in one session can corrupt actions taken in subsequent user sessions, compromising system integrity.

Further, off-the-shelf Linux distros like Ubuntu and Linux Mint are not designed for security.  They are designed to be general purpose OSes with extra packages included for email, office productivity, multimedia, photo editing, and Flash which are all known to be vulnerable to attack.  These packages increase the attack surface of the device, making it undesirable for security.  Also, the typical OTS Linux distribution is designed to boot with all ports open and local networking open by default.  This is a major security vulnerability because it makes the system vulnerable to attack by other infected machines on the same LAN.

There are three basic types of threats to your data:

  1. Data that is stored on your computer.
  2. Data on the wire - your data that is transmitted over/on the Internet.
  3. Data that is stored by third-parties like your Internet service provider and by the sites that you visit.

VPNs and web proxies are a joke, as neither provides any real online privacy protection.  To save our online privacy, we cannot woo false Gods or evoke half measures.

All is not lost, as there exists a new hope to protect and preserve our online privacy and anonymity.  And that is Tails: The Amnesic Incognito Live System.  Tails is a Debian Live CD/USB/SDHC flash card for almost any x86/x64 system.  Tails neutralizes all of the above types of threats to your data.  Tails can be run on most computers independently of whatever the installed operating system is and is perfect for conducting sensitive activities from untrusted computers without leaving a local record of your surfing activities.

First of all, Tails is designed out of the box to be non-persistent, meaning every boot creates a separate yet exactly identical working environment.  It is purpose-built for the task of privacy and uses a small fingerprint to minimize its attack surface.  Tails boots up fast and the boot menu offers the user a choice of eleven languages for use on the system.

Once Tails has booted, Tor automatically launches itself.  All network traffic is routed through Tor, so you will be able to surf the Internet and access websites even behind the most restrictive firewalls.  It is impossible for applications to connect to the Internet with your real IP.  Thus, Tails is perfect for those who want to bypass Internet censorship imposed by corrupt governments whose internal politics repress freedom.

I2P traffic is routed through Tor so you can browse websites with a proxy IP without any configuration.  You can visit .i2p websites not accessible from the regular Internet.  The user is provided with Vidalia as a GUI for Tor and Firefox as a web browser.  Flash and many other options which make it easy to track your IP address or load code are turned off by default.

Firefox comes with a bunch of privacy add-ons like HTTPS Everywhere, Adblock Plus, Cookie Monster, FoxyProxy Standard, and NoScript.  All cookies are treated as session cookies by default.  The CS Lite extension provides more fine-tuned cookie control for those who want it.  These add-ons give you real privacy protection: encryption, protection from tracking cookies, script prevention, etc.  Further, Linux stores lasting configuration and cache data in "dotfiles" in the home directory (just files or directories whose names start with a period), but these files are not stored in the Tails Live CD.  No trace is left on local storage devices unless explicitly asked.

Tails comes with a "camouflage option" which makes the default GNOME desktop look like Windows XP.  I always use this option, as no one will suspect what I am doing.  If any Geheime Staatspolizei types happen to be shoulder surfing on my activities, the XP desktop allays their suspicions.  Tails comes with Aircrack-ng, a non-graphical tool for checking the security of your Wi-Fi network.

Tails also can be used in "safe" environment mode.  The user is provided with all the necessary software to view/edit files: OpenOffice, Audacity, GIMP, and more are all included in the distro.  With these you are able to edit office files, watch videos, record sounds... all without leaving any trace of your activities on the physical computer.  The default file manager to navigate through your folders is Nautilus.  The Nautilus file manager has been installed with extensions for securely wiping files.  You can delete files and be sure that no one can recover them.

A simple right-click on a file, and then "Wipe" will do the trick.  The file will be erased and the space written over with random data so as to make data recovery impossible.  You can create a persistent storage volume on a Tails USB with: Tails > Configure Persistent Volume, and delete it just as easily with Tails > Delete Persistent Volume.
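The overwrite-then-delete idea behind "Wipe", as an added example that is not part of the original article and not the Nautilus extension's own code.  The function names and the sample file are constructed for illustration; a second hard link to the same inode is used only so the demo can read back what is left in the data blocks after the wipe.

```python
import os
import secrets
import tempfile


def wipe_file(path, passes=1, chunk_size=64 * 1024):
    """Overwrite every byte of `path` with random data, then delete it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:  # r+b: write in place, do not truncate
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # ask the kernel to push the data to the device
    # Best effort: give the directory entry a random name before it is freed,
    # so the original file name is not what is left behind.
    anonymous = os.path.join(os.path.dirname(os.path.abspath(path)),
                             secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)


def demo():
    """Wipe a constructed file and report what is left in its data blocks."""
    secret = b"constructed sample secret: hunter2\n" * 100
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "notes.txt")
        witness = os.path.join(tmp, "witness")  # second name for the same inode
        with open(target, "wb") as fh:
            fh.write(secret)
        os.link(target, witness)
        wipe_file(target)
        with open(witness, "rb") as fh:
            leftover = fh.read()
        return {
            "name_gone": not os.path.exists(target),
            "same_length": len(leftover) == len(secret),
            "secret_readable": b"hunter2" in leftover,
        }


if __name__ == "__main__":
    print(demo())
```

Overwriting in place only reaches the original blocks when the storage writes in place.  On flash media with wear-levelling (USB sticks, SD cards, SSDs) and on journaling or copy-on-write filesystems, older copies of the data can survive the overwrite.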

A copy-paste manager and a virtual keyboard are two programs in the System Tray.  The virtual keyboard is very useful in case the computer you are working on physically records what you are typing with a keystroke logger.  The copy-paste manager is useful, but if you forget to erase it at the end of your session, it does present a security risk: it might contain email addresses, URLs, and passwords, and any information that was copied into the clipboard can be accessed.

Network Manager for easy network configuration, Simple Scan, and SANE for scanner support, as well as Shamir's Secret Sharing for encryption are all included.

I also use Tails for secure communications.  The IM/chat client Pidgin comes by default with the Off-the-Record plug-in which encrypts your messages.  I also use the Claws Mail email client with OpenPGP encryption.  In addition, Tails can be used for the encryption of physical drives and folders with the program TrueCrypt for a LUKS encryption.  I understand that the developer is working on including a MAC changer program, but that it is not currently operational.

Cold boot attacks are also defeated.  When you shut down your computer, the RAM will take several minutes to completely erase its contents.  A cold boot attack is when someone makes use of this delay to recover all of the contents of RAM, which translates to almost everything you've done during your session.  Tails automatically wipes and fills RAM with random data at the end of your session.

I have also used Tails on an SD memory card which I can use on many different laptops, as some laptops and netbooks don't have optical drives.  If you do decide to use Tails on a laptop, I'd urge you to plug the notebook into a router via a networking cable, as opposed to trying to access the Web with the live CD using a wireless connection.  Networking a laptop on a wireless connection while using a live CD distribution may be easy if you are not on an encrypted (WEP or WEP/WPA2) wireless network, but attempting to do this on an encrypted network is not for the Linux newbie.

So the Tails setup contains absolutely no personal information or files, and no software installed on it or services that are accessed from it can be tracked back to any one specific individual or organization.  In the United Surveillance States, Big Brother knows everything.  But not if you are using Tails.
