Keystones of OpSec
Using a secure operating system and public key cryptography will get you some way towards that cloak of data invisibility…
On this month’s DVD is Tails, The Amnesic Incognito Live System. Tails takes privacy seriously (so should you, really). It’s a live system, so it doesn’t touch your hard drive. If you look at the Tails website (https://tails.boum.org) you’ll see that the installation instructions are pretty involved. For example, installing from Windows or an unsupported Linux requires not one but two USB sticks.
Even before you get to this stage there are lengthy instructions for verifying your download via, ideally, the Web of Trust or, less ideally, via a browser extension. It’s possible to not worry about any of this and run Tails straight from the DVD, but it’s worth taking some time to verify the ISO. There are instructions for doing just this, and optionally making a Tails USB stick, in the guide below. Running Tails from the DVD, or from a USB stick written with dd (or a tool such as Etcher), won’t enable you to create an encrypted persistent storage volume. Such storage is useful if you want to store keys, additional packages or configuration files. You may not want persistent storage (leaving no trace has its benefits), in which case just ignore the last step below. Note that Tails 3.6 may have been released by the time you read this (it’s scheduled for mid-March), in which case the verification will fail. In the interests of security, you should definitely download the new one if this is the case.
Tails is more or less a one-stop shop for staying below the snoopers’ radar. It’s based on Debian, and as such all of the technologies and trickery it uses could be incorporated into your favourite Linux distribution. But there’s very good reason not to do this. For one thing, all those programs that run on your average desktop present an increased attack surface. For another, most users store all kinds of things in their home directories: documents, recent downloads, bookmarks, configuration files. If a rogue bit of code gets loose, all of these can be accessed and used to find out more about the host system and its user. By using Tails correctly, you become a little bit less like a person and more like a ghost.
You might feel safe trusting the contents of our disc, but it’s worth being prudent. Of course, we’ve checked the signatures on the Tails ISO, but can you trust us? Even if you think we’re of impeccable character, can we trust the disc replicators? It’s far-fetched that someone would tamper with the ISO (making these things is so fiddly), but the point is you can’t hand over the trust responsibilities to someone else, or rather you can, but unless you trust them and all the people they trust implicitly, you’re not really gaining anything. If you want to verify the ISO using the Web of Trust you should definitely first check out John Lane’s tutorials in LXF223 and 224. The idea is to establish a trust path from your key back to the Tails signing key. In the absence of a GPG trust path, some modicum of security can be gleaned by using a browser extension to verify the download, as we’ve done in Step 3 below. You should be aware that if the Tails website is compromised this approach won’t help you detect any kind of sabotage, since the signing key, signatures and ISO could all be modified consistently. Only through the Web of Trust can this kind of treason be uncloaked.
GPG signing
Verifying a signature via the Web of Trust increases security. If you, or anyone in that path, just blindly place trust, then the whole system breaks down. You may as well save time and place your trust in the certificate authority that provides the HTTPS certificates for the Tails website, and the people that maintain said website. With that trust in place, it means you can reasonably believe the website you downloaded the ISO from is under the control of the Tails team and, after a simple checksum verification, hasn’t been tampered with.
Of course, websites do get hacked, and once an attacker has control it’s trivial to point downloads to a compromised ISO complete with matching checksum. This is exactly what happened to Linux Mint a couple of years ago. For this reason checksums are only useful for testing integrity or to detect corrupted downloads. Signatures go further because they’re hard to forge, so long as you’re sure a given public key belongs to a given person or entity, and so long as that entity is in control of their private key. These caveats are important. If you just take someone’s word that a given public key belongs to someone, then you don’t gain any extra security over verifying checksums. To be absolutely sure, you should only trust a public key that someone gives you in person.
GPG (GNU Privacy Guard) is a cornerstone of privacy, and using it to verify the Tails ISO signature will serve as a good introduction. Public key cryptography is a strange thing to get your head around, since if done correctly it enables two people who have never met to establish a secure channel to communicate over. At a high level, public key crypto relies on users having two keys: a public one (which everyone should know about) and a private one (which the user should protect with their life). The first step is to generate a keypair:
$ gpg --gen-key
You’ll be asked for some details. The email address you provide doesn’t have to be valid, but it should be if you’re planning on using this key officially. If you upload the key to a public key server, then you’re effectively making these details public, so think carefully before doing so. You’ll also be asked to provide a password to protect this key. Your keys, and the public keys of those you deal with, are stored in a “keyring” located in the ~/.gnupg directory.
Next we need to fetch the Tails signature and the Tails signing key. We’ll assume these and the ISO will all go in your home directory.
$ wget https://tails.boum.org/tails-signing.key
$ wget https://tails.boum.org/torrents/files/tails-amd64-3.5.iso.sig
Next we’ll install the debian-keyring package and import both the Tails signing key and Debian developer Gregor Herrmann’s key:
$ sudo apt install debian-keyring
$ gpg --import < tails-signing.key
$ gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export gregor.herrmann@comodo.priv.at | gpg --import
Gregor has signed the Tails key, which we can check with the following:
$ gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F
It’s a good idea, but somewhat arduous, to use long-form keys like this. Using just the short form (the last 16 digits) runs the risk of validating against a maliciously crafted key. However, you can copy and paste from the output of gpg --list-keys. The output will include the line
sig! 0xBB3A68018649AA06 2015-02-04 gregor herrmann <gregor.herrmann@comodo.priv.at>
which shows that Gregor has indeed signed this key (the key itself is signed some 1,600 times, but GPG only shows signatures from keys in our keyring). We’ll now locally sign the key, since we trust it:
$ gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F
You’ll be asked to sign all text IDs and prompted for your key’s password. Now, we have all the pieces in place to verify the signature for the ISO image:
$ gpg --keyid-format 0xlong --verify tails-amd64-3.5.iso.sig tails-amd64-3.5.iso
After a nail-biting few seconds, you should see
gpg: Good signature from "Tails developers <tails@boum.org>" [full]
gpg: aka "Tails developers (offline long-term identity key) <tails@boum.org>" [full]
and we can trust in our Tails ISO.
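The verification steps above can be scripted so that the decision rests on the full fingerprint and on the trust you assigned, rather than on reading the output by eye. The following is an added example, not part of the original article: the check_status, verify_iso, sample and verdict names and all sample status lines are constructed here, and only the Tails fingerprint comes from the text above.

```sh
#!/bin/sh
# Added example, not from the article: accept or reject a download from gpg's
# machine-readable status lines rather than from its human-readable output.

# Full fingerprint of the Tails signing key, as quoted in the article.
TAILS_FPR=A490D0F4D311A4153E2BB7CADBB802B258ACD84F

# check_status EXPECTED_FPR: reads `gpg --status-fd 1` output on stdin.
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the primary key
# (field 12), the key is fully or ultimately trusted, and no bad, expired or
# revoked marker appears. Anything missing means rejection.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && toupper($12) == toupper(want) { valid = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(valid && trusted && !bad) }
    '
}

# verify_iso SIG FILE: the article's --verify step, judged by check_status.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$TAILS_FPR"
}

# Constructed fingerprint sharing only the last 16 digits with the Tails key.
LOOKALIKE_FPR=111111111111111111111111DBB802B258ACD84F

# sample PRIMARY_FPR TRUST_KEYWORD: constructed status output (the subkey
# fingerprint, key ID and timestamps are placeholders, not real Tails values).
sample() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 0123456789ABCDEF Tails developers <tails@boum.org>" \
        "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2018-01-23 1516665600 0 4 0 1 10 00 $1" \
        "[GNUPG:] $2 0 pgp"
}

# verdict PRIMARY_FPR TRUST_KEYWORD: prints "accept" or "reject" for a sample.
verdict() {
    if sample "$1" "$2" | check_status "$TAILS_FPR"; then echo accept; else echo reject; fi
}

echo "locally signed Tails key:    $(verdict "$TAILS_FPR" TRUST_FULLY)"
echo "key imported but not signed: $(verdict "$TAILS_FPR" TRUST_UNDEFINED)"
echo "same last 16 digits only:    $(verdict "$LOOKALIKE_FPR" TRUST_FULLY)"
```

When a signature is made by a signing subkey, field 3 of VALIDSIG holds the subkey’s fingerprint, which is why the comparison uses the primary-key field instead. To check a real download, call verify_iso tails-amd64-3.5.iso.sig tails-amd64-3.5.iso after the import and --lsign-key steps.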