Nowadays, little value is placed on the privacy of our data, whether on our digital devices or on the internet. In the past few weeks, we learned that everyone who tries to maintain privacy on the net is under suspicion, which is all the more reason to try to keep our data, contacts, communications, and whereabouts on the internet anonymous and hidden from prying eyes as much as possible. This holds even more for people who are more exposed, such as human rights activists, journalists, lawyers, and even doctors. Some of the distributions that try to assist us with this build on the Tor network.
One of these distributions is Tails, based on Debian Testing. It had a formidable boost when whistleblower Edward Snowden revealed that he used Tails to stay anonymous. The latest release is Tails 1.1, which was released on July 22. We are going to show you how to set it up on a device like a USB memory stick or an SD card. The term ‘installing’ is used by the Tails project in this context, but technically this is only partially correct. The easiest way of using Tails is to just copy the bootable image to the device using the Linux command dd, as opposed to a real installation to a USB device. If you want a read-only device for anonymously surfing the internet, that will suffice. If you need a setup that you can also write to and save your work on, the setup is a little more complicated, as the Tails Installer only works from inside Tails. We will test both ways of ‘installing’ Tails.
Download and verify
The acronym Tails stands for “The Amnesic Incognito Live System”, where the extent of “Amnesic” is up to the user. In its default configuration, Tails will leave no traces of your session after you shut it down. You can use persistence with Tails and determine what to save and what to discard. The image for Tails 1.1 weighs in at a little more than 1 GB and comes in 32-bit only. You need a USB device with at least four GB capacity. After downloading the image, as well as the cryptographic signature, from the project's website, make sure you verify the image against the signature. Open a shell as a regular user and cd to the directory into which you downloaded the key. Then import the Tails signing key with the following command:
gpg --keyid-format long --import tails-signing.key
The output should look something like this:
gpg: key 1202821CBE2CD9C1: public key "Tails developers (signing key)" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
You might see a message at the end saying:
gpg: no ultimately trusted keys found
This is of no importance for the verification of the ISO image; it only means that you have not created a gpg key for yourself yet. If you are not yet in the directory with the image, move there now and verify the image:
gpg --keyid-format long --verify tails-i386-1.1.iso.sig tails-i386-1.1.iso
The output looks like:
gpg: Signature made Sat 30 Apr 2011 10:53:23 AM CEST
gpg: using RSA key 1202821CBE2CD9C1
gpg: Good signature from "Tails developers (signing key)
You might also see something like this:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1
In both cases, your image is verified as good. The warning just tells you that you did not sign the Tails signing key with your personal key. Your ISO image is not verified if you see a line like:
gpg: BAD signature from "Tails developers (signing key)
For more information see “how to use gpg to verify integrity of the tar balls”.
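A "Good signature" line only says the image was signed by whichever key you imported, so the check worth scripting is that the signing key's fingerprint is the one you expect. The following is an added example, not code from the article or the Tails project: it parses gpg's machine-readable status output and compares the primary key fingerprint with the one printed above. The function names are hypothetical, the sample status lines are constructed, and the fingerprint is assumed to be correct as shown on this page.

```shell
#!/bin/sh
# Added example. Fingerprint copied from the gpg output on this page
# (spaces removed); confirm it through a second, independent channel.
EXPECTED_FPR="0D24B36AA9A2A651787876451202821CBE2CD9C1"

# check_status FPR: reads `gpg --status-fd 1 --verify` lines on stdin.
# Succeeds only if a VALIDSIG line names FPR as the primary key (last field)
# and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_iso SIG ISO: hypothetical wrapper around the verify command above.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status lines (timestamps and the all-A fingerprint are made up).
sample_good() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 1202821CBE2CD9C1 Tails developers (signing key)' \
      "[GNUPG:] VALIDSIG $EXPECTED_FPR 2014-07-22 1406000000 0 4 0 1 10 00 $EXPECTED_FPR"
}
sample_other_key() {   # reads as "Good signature", but from a different key
    fpr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    printf '%s\n' \
      '[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Tails developers (signing key)' \
      "[GNUPG:] VALIDSIG $fpr 2014-07-22 1406000000 0 4 0 1 10 00 $fpr"
}
sample_bad() {
    printf '%s\n' '[GNUPG:] BADSIG 1202821CBE2CD9C1 Tails developers (signing key)'
}

if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2" && echo "signature valid, fingerprint matches"
fi
```

Run it as `sh script.sh tails-i386-1.1.iso.sig tails-i386-1.1.iso`; it exits non-zero when the signature is bad or comes from any other key.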
Different ways of installing Tails
Now that we have an image we can trust (as long as we trust the Tails developers), we can move on to write it to your device. Connect the device to a USB port and run fdisk -l as root to find out the device name. Identifying it by its size in the output should be easy. Using that device name, write the image to the device:
isohybrid /path/to/image --entry 4 --type 0x1c
dd if=/path/to/image of=/dev/sdX bs=16M
The latter will write the image to the USB device and wipe out any data that was on the device before.
Critical note: Make very sure that /dev/sdX points to the right device. In the command you have to substitute X with the actual letter, so that the device reads, for instance, sdb or sdf.
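One way to guard the dd step against a mistyped device name, as an added example that is not part of the original article: refuse any target that the kernel does not flag as removable, that is a partition rather than a whole disk, or that is currently mounted, and read the data back after writing. The function names are hypothetical; the check assumes Linux sysfs and GNU dd and cmp, and some USB hard disks report themselves as non-removable and will be refused.

```shell
#!/bin/sh
# Added example (assumes Linux sysfs, GNU dd and GNU cmp).

# is_safe_target DEV [SYSFS_DIR] [MOUNTS_FILE]
# The two optional arguments exist so the check can be exercised against a
# constructed directory tree instead of the live system.
is_safe_target() {
    dev=${1#/dev/}
    sysfs=${2:-/sys/block}
    mounts=${3:-/proc/mounts}
    # Only whole disks (sdb, not sdb1) have an entry directly in /sys/block.
    [ -r "$sysfs/$dev/removable" ] || return 1
    # The kernel reports 1 for removable media such as USB sticks and SD cards.
    [ "$(cat "$sysfs/$dev/removable")" = "1" ] || return 1
    # Refuse if the disk or any of its partitions is mounted.
    if grep -q "^/dev/${dev}[0-9]* " "$mounts"; then return 1; fi
    return 0
}

# write_image IMAGE /dev/sdX: guarded version of the dd command above.
write_image() {
    is_safe_target "$2" || { echo "refusing to write to $2" >&2; return 1; }
    # conv=fsync makes dd flush to the device before it reports success.
    dd if="$1" of="$2" bs=16M conv=fsync || return 1
    # Read back exactly as many bytes as the image has and compare them.
    size=$(wc -c < "$1")
    cmp -n "$size" "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    write_image "$1" "$2"
fi
```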
The process will only take a couple of minutes. When your prompt returns, the USB stick is ready. Instead of a USB device you can also burn the image to a DVD. If surfing the net or communicating safely is all you need, you are set up now. In case you want a writable device that you can save your work on, you need to go the extra mile. You will also need two USB devices or DVD media. We will get to that part when we talk about the Tails Installer.
When booting up your machine with your USB stick attached, you will be prompted to boot straight into Tails or look into some settings beforehand (see fig.01). When booting to Tails for the first time it makes sense to look into these settings. You can set an administrative password or enable a Windows XP camouflage mode (or “Windows 8 camouflage mode” in the latest version) that will not give away that you are using Linux when in public. Spoofing MAC addresses will assist in hiding your geographical location. Last, but not least, you can preconfigure your network connection and then proceed to boot into a Gnome 2 environment (see fig.02).
For a start, you are informed that a connection to the Tor network is being established. After a short while, you will be notified that you can now use your browser anonymously. The desktop offers a clean look and if you are familiar with Gnome you will feel at home right away. The underlying system being Debian, system administration runs along those lines. The Debian kernel that Tails 1.1 ships is 3.14. The rest of the system is mainly a mixture of Debian 7 “Wheezy” with single packages from the unstable and even the experimental repositories.
A lot of software comes preinstalled, including LibreOffice, Iceweasel browser, Pidgin messenger, Claws Mail, and many other general, useful packages from the Debian archives. On top of that, you will find the additions that the developers of Tails made to help you keep your privacy and anonymity. Predominantly, this is the Tor software bundle, enhanced with Vidalia to handle Tor settings graphically, Torbutton, which disables many types of active content in your browser, and HTTPS Everywhere to transparently enable SSL-encrypted connections wherever possible. Mandatory tools like NoScript and AdBlock Plus are also part of the package. Encryption and privacy are enhanced by the addition of TrueCrypt, Palimpsest, GnuPG, Monkeysign, KeePassX, and more.
Strolling through the menu reveals more custom additions like the Tails Installer or a tool to configure a persistent volume to make your device writable and save work from your session. Both are found under Applications – Tails. The Tails Installer offers three ways to install or upgrade Tails. The first one is called “Clone & Install” and will copy the running Tails onto a second USB stick or SD card. This is required if you want to enable persistent data storage on the device and it will take from three to five minutes. This will create a 2.5 GB partition on the device. Tails will use ~ 915 MB, and leave 1.6 GB free space on a 4 GB device, of which 1.3 GB is used for persistency.
The second choice is entitled “Clone & Upgrade” and will copy the running Tails onto an already installed Tails device. Other partitions on that stick will be preserved. That will not work if the stick you are targeting was ‘installed’ manually using dd. In that case, you need to use the option “Clone & Install” first. The third option is “Upgrade from ISO” which allows you to upgrade to a new version of Tails on an already installed device. You need to download the image you want to upgrade to onto the device and point the installer to it.
After you have run the first option and Tails is installed on a second USB device, boot from that device. You now have the option to upgrade to a newer release, if there is one, by using the third option in the installer. Now let's configure your device for persistent storage. The persistent volume will be an encrypted partition protected by a passphrase. Each time you boot you can choose whether you want to use that partition during your session or not. First enter a passphrase and hit the “Create” button. The setup process takes only a minute and prompts you to choose what kind of files you want to allow to be stored in the encrypted partition. Be careful not to lose your passphrase, as it is the only way to access data on that partition. You can change your passphrase as long as you know the original one. You can also delete the persistence file or copy it to a new install of Tails. You will need to reboot for the changes to take effect. As you can see, during login you are asked if you want to boot a writable session or not.
Knowledge is power – reading the documentation
Tails is now set up to run your connections through the Tor network and to safely store data on your device. Pidgin messenger is set up to use Off-the-Record Messaging (OTR) to allow for safe authenticated and encrypted conversations. On the panel to the right you might want to right-click the onion icon. This will allow you to configure Tor in an advanced way. Next to that are icons to encrypt the clipboard or use a virtual keyboard.
Tails is a fully fledged distribution that you can carry around to help you with privacy and anonymity on computers you do not trust, or at home. You have to be aware that using Tor will slow down your internet connection, and by how much varies greatly. During our tests, I downloaded a new image of Tails. The first try indicated it would take 1.5 days. A second and third try estimated it would take an hour and then 23 minutes, respectively. The latter is quite normal for the given connection and an image size of one GB.
Tails can help you in your quest for anonymity as long as you understand that Tails, and specifically Tor, isn’t the perfect anonymity or privacy solution. It has several important limitations and risks which you should be aware of if you’re going to use it. The last Tor node, the exit node where your traffic leaves the Tor network and enters the open Internet, can be monitored. In the last few weeks we were given proof that it actually is. If your destination is an unencrypted website or service, it is possible that your hops from here on in are being spied on.
If from the exit node you enter a website like Gmail or any other site using HTTPS, anyone spying on the exit node will see where you go, but that is it. Some exit nodes might be run by government agencies. Researchers in 2007 proved this to be a way to intercept email traffic by running exit nodes themselves.
Tails has thorough documentation and it’s worth reading, all the more so if you are not very familiar with the concepts that Tails and Tor use to give you privacy. Unfortunately, privacy these days does not come without knowledge, and the more you know, the safer you are going to be. With that in mind, Tails helps with the first steps.
Software is buggy – free software is fixed in a timely manner
Users of Tails – or any system that tries to help with keeping private things private and themselves anonymous – should be clear that there is no perfect anonymity nor security and there never will be. Just within the past two days there were reports of vulnerabilities in Tails and the Tor network. The report about a zero-day exploit against Tails describes a flaw in the component I2P, which is an alternative to Tor. In Tails though, according to their documentation, I2P is not activated by default.
The Tor project faces a similar situation with a security problem that could de-anonymize a large number of Tor users with as little as a $3,000 investment.
Editor’s note: This post is about anonymity and not about security. Tor can be easily used to see sensitive data by exit nodes. Do not mistake Tor’s anonymity for security.