
Inside the Operating System Edward Snowden Used to Evade the NSA - Osiris
http://www.wired.com/2014/04/tails
======
dmix
One important and often overlooked feature of Tails is when you shut it down
it wipes your system memory/RAM using sdmem.

Your encrypted data and sensitive files are often accessible via memory
forensics even if you shut your computer down. Including the websites you
visited. Your encryption keys can be in your computer's memory for weeks and are
easily accessible via a memory dump.

This is why people say that with physical access your computer can always be
owned. Even if it's encrypted. Tails is the only one I know that handles this
attack vector by default.

[https://tails.boum.org/contribute/design/memory_erasure/](https://tails.boum.org/contribute/design/memory_erasure/)

~~~
acqq
Data can be retrieved from DRAM not after weeks (your claim is "even if you
shut your computer down (...) Your encryption keys can be in your computers
memory for weeks") but only

[http://en.wikipedia.org/wiki/Cold_boot_attack](http://en.wikipedia.org/wiki/Cold_boot_attack)

"in the seconds to minutes after power has been removed."

The reason is explained here:

[http://en.wikipedia.org/wiki/Memory_refresh](http://en.wikipedia.org/wiki/Memory_refresh)

And even the electrons from SRAM, which doesn't need refreshes and which for
decades was not used as "RAM" in computers, will leak away without power:

[http://en.wikipedia.org/wiki/Static_random-access_memory](http://en.wikipedia.org/wiki/Static_random-access_memory)

"SRAM exhibits data remanence but it is still volatile in the conventional
sense that data is eventually lost when the memory is not powered."

Of course, if you never power off your computer but just reset it (the power
is never cut off) or if you shut it down and immediately power it up the
content of the RAM can really survive for much longer.

~~~
dmix
Thanks, this is true. Encryption keys can exist in memory for up to a week
[edit: or longer] in live memory with power on. This is well after they've
been used on the machine, or say after you close your Truecrypt volumes. The
vast majority of people rarely shut down their laptops for extended periods of
time and often just suspend to disk, instead of a full power-off.

This is why it's good to power down or sdmem when you're finished working with
sensitive data.

On a full shutdown, persistence is not as big a risk; as the other commenter
pointed out, cold boots are mitigated by DDR3, similar to how modern SSDs with
TRIM make deleted-data recovery nearly impossible (such as swap data, which may
also contain encryption keys).

~~~
acqq
> Encryption keys can exist in memory for up to a week in live memory with
> power on.

No. After some high-enough RAM area has contained the keys, if you keep it
powered and your OS uses much less physical RAM than is physically available,
there's no hard limit. Just forget the "week."

~~~
dmix
Updated comment for HN pedanticism.

~~~
yohanatan
You really should replace the words 'for up to a week' with 'indefinitely'.
Mentioning a time limit at all is misleading in that context. This isn't
pedantry: it's mere correctness.

------
cloudwalking
Tails (The Amnesic Incognito Live System)
[http://en.wikipedia.org/wiki/The_Amnesic_Incognito_Live_Syst...](http://en.wikipedia.org/wiki/The_Amnesic_Incognito_Live_System),
a Debian fork which forces Tor for all outgoing and incoming connections.
Designed to be run from read-only media.

~~~
drzaiusapelord
So, is this proof that tor is not completely subverted by the NSA? Recent
articles here claim that the NSA has been deploying numerous nodes and can
analyze traffic from multiple nodes to compromise the user.

Or is this proof of tor being better than nothing?

~~~
toyg
The latter. The NSA didn't have to analyze anything: Snowden was not a known
target, and he revealed himself before any real manhunt or mass-analysis had
started.

------
jebus989
Impressive how much thought and work has gone into Tails development, e.g. it
has a surprisingly-convincing XP skin that hides the fact you're even using
Linux to the casual observer. Kudos to the devs.

~~~
danford
It's called GNOME 2 and it feels exactly like you're using Linux, which is a
great feeling. Kudos to the devs.

Edit: apparently I was mistaken. GNOME 2 is the default desktop, but there is
an XP skin. See comments below.

~~~
breakall
GP is referring to the XP Camouflage option in Tails.

[http://www.bitblokes.de/wp-content/uploads/2013/02/tails-0-1...](http://www.bitblokes.de/wp-content/uploads/2013/02/tails-0-17-04-xp-tarnung.jpg)

~~~
danford
Oh I see.. I just skimmed the Wikipedia article. That is very interesting.
Would come in handy in an environment where your superiors are looking over
your shoulder. I guess it can't be _that_ bad of an experience since it's
Linux underneath.

------
perlpimp
You can hack SD cards actually, unlike the article states; bunnie's blog post
and presentation at Chaos Computer Congress mention this possibility. SD
cards have microcontrollers and, with enough resources, their guess is that
flash media can be subverted. The diversity of these controllers and the
variety of "proprietary" standards in the way these flash controllers work,
however, can be the entropy that makes SD controller hacking very unlikely -
but you never know.

[http://www.bunniestudios.com/blog/?p=3554](http://www.bunniestudios.com/blog/?p=3554)

my 2c

~~~
agumonkey
also, in your hdd controller(s)
[http://spritesmods.com/?art=hddhack](http://spritesmods.com/?art=hddhack).

same stuff, too many CPUs everywhere, making protocols meaningless.

~~~
dmix
And Macbooks can be hacked through the battery
[https://news.ycombinator.com/item?id=2796264](https://news.ycombinator.com/item?id=2796264)

------
devconsole
It's worth noting that Tails doesn't make you impervious. Tails uses Tor, and
Tor is vulnerable to NSA and GCHQ attacks. Specifically, they have the
capability of deanonymizing individual targets. I hypothesize that this
capability works by monitoring Tor traffic worldwide, then performing a timing
correlation between an origin and an endpoint.

Here's an example: Let's say (for the sake of example please) that the NSA can
passively monitor Google searches in realtime. Let's say you search for a
phrase that sets off their monitor: something like "a Tor user has Googled for
Snowden." They'd like to know who you are. How would they do that?

One way is to record the fact that from your home computer originated some Tor
traffic at almost the same time the Google search took place.

It's unclear exactly how they deanonymize Tor users, but one piece of info
that may corroborate my hypothesis is that in a Snowden screenshot, you can
see the NSA has a tab called "Tor Events" in one of their tools.

The need for websites to load quickly is Tor's Achilles heel, because it
enables timing correlation. The fact that few people use Tor exacerbates the
problem.

~~~
pavanky
> One way is to record the fact that from your home computer originated some
> Tor traffic at almost the same time the Google search took place.

This either implies someone already suspects you and is monitoring you or
that you are the only person searching on Google using Tor at that particular
moment. I find the latter hard to believe. Even if it is true, it can be
mitigated by more people using tor at the same time.

~~~
unhammer
You might want to run a non-exit node at your home. That way you have a lot of
Tor traffic all the time, and the one time you really do need anonymity, it
doesn't show up as anything unusual.

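A toy model of the argument in the three comments above: devconsole's hypothesis that a global observer correlates the time of a home connection's Tor burst with the time a flagged request reaches its destination, pavanky's objection that this only singles you out when few other Tor users are active at that moment, and unhammer's suggestion that a home running a relay emits Tor traffic all the time. This is an added example written for this thread, not code from the Wired article, Tails, or the Tor project. Every timestamp and client name is constructed, the 1.5-second latency bound is an assumed parameter, and modelling a relay operator as "a candidate for every event" is a simplification. It also goes one step beyond the single-event case in the comments: `intersect_candidates` shows what happens when several flagged events come from the same pseudonymous session.

```python
"""Toy model of the Tor timing-correlation attack discussed in the thread.
Added example; all observations below are constructed, not real captures."""


# Constructed edge-side observations: (client_id, seconds into capture) at
# which a home connection sent a burst of traffic towards a Tor guard.
EDGE_OBSERVATIONS = [
    ("alice", 100.2), ("bob", 101.9), ("carol", 140.0),
    ("alice", 300.5), ("dave", 301.1), ("bob", 420.0),
    ("alice", 600.1), ("erin", 601.7),
]

# Constructed destination-side observations: when the flagged request
# (the "Tor user Googled for Snowden" search in the comment) was seen.
DESTINATION_EVENTS = [100.9, 301.2, 600.8]

# Assumed model parameter: a client burst that caused a destination event
# precedes it by at most this many seconds (circuit latency).
MAX_LATENCY = 1.5

# Assumed model of unhammer's suggestion: a home that runs a relay emits
# Tor traffic continuously, so it matches *every* event's time window.
RELAY_OPERATORS = set()


def candidates(dest_ts, edge_obs=EDGE_OBSERVATIONS, relays=RELAY_OPERATORS,
               max_latency=MAX_LATENCY):
    """Clients whose observed burst could have produced the event at dest_ts.

    A burst qualifies if it happened no more than max_latency seconds before
    the destination event (and not after it)."""
    matched = {cid for cid, t in edge_obs if 0.0 <= dest_ts - t <= max_latency}
    return matched | set(relays)


def anonymity_set_sizes(dest_events, **kw):
    """Candidate-set size per event; a size of 1 means deanonymised."""
    return [len(candidates(ts, **kw)) for ts in dest_events]


def intersect_candidates(dest_events, **kw):
    """Generalisation beyond the single-event case: when several flagged
    events belong to one session, the observer intersects the per-event
    candidate sets, which shrinks the anonymity set further."""
    sets = [candidates(ts, **kw) for ts in dest_events]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    print("per-event candidates:", anonymity_set_sizes(DESTINATION_EVENTS))
    print("after intersection:  ", intersect_candidates(DESTINATION_EVENTS))
    # Same events, but bob and carol now run relays (constant cover traffic).
    cover = {"bob", "carol"}
    print("with relay cover:    ",
          intersect_candidates(DESTINATION_EVENTS, relays=cover))
```

With the constructed data the second event has two candidates (alice and dave), but intersecting across the three events leaves only alice, which is pavanky's point in reverse: the anonymity set is only as large as the number of people active in every correlated window. Adding relay operators keeps bob and carol in the final set, which is the effect unhammer is after; the model does not capture the later objection that the observer can still subtract relayed volume from total volume.
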
~~~
im3w1l
I don't quite know how this works, so forgive me if this is a stupid question,
but couldn't someone just take the difference between your inbound and
outbound tor traffic to find how much traffic originates from your computer?

~~~
sp332
They might know how much, but they wouldn't know which traffic was yours.

~~~
pavanky
The same is still true even if you do not run a tor node.

------
jonemo
Another Debian based boot-from-CD OS that used to be quite popular is Knoppix
[1]. I remember that was a big thing in the times of Win98 viruses when people
used it for system recovery. In Germany they distributed it as add-on to
computer magazines.

[1]
[https://en.wikipedia.org/wiki/Knoppix](https://en.wikipedia.org/wiki/Knoppix)

~~~
k-mcgrady
Knoppix was my first introduction to Linux. The boot-from-CD aspect amazed me.
At first the only thing I used it for was recovering data from a screwed up
Windows install but eventually I got more into it and started installing other
distros (starting with Ubuntu I think).

~~~
AJ007
For some perspective, this was back in the days where it was actually quite a
bit of work to get Linux configured and running correctly on your at-home
desktop. Knoppix was quite a miracle.

~~~
dfc
Knoppix came out in 2000; a lot of time had passed since it was "actually
quite a bit of work to get Linux configured and running correctly on your
at _home desktop_." If you were not using a ThinkPad or iBook, a laptop could
still cause some trouble.

~~~
k-mcgrady
I started using linux around 2004 and it still required quite a lot of
technical knowledge to get working. Drivers were a big issue around sound,
graphics, and network.

------
diziet
Some alternatives: Whonix: (vm isolated or hardware device isolated, tor)
[https://www.whonix.org/](https://www.whonix.org/) and Qubes OS: (sandboxing
different processes, needs torVM to do tor things) [http://qubes-os.org/trac](http://qubes-os.org/trac)

A nice comparison:
[https://www.whonix.org/wiki/Comparison_with_Others](https://www.whonix.org/wiki/Comparison_with_Others)

~~~
higherpurpose
This table is also interesting:

[https://www.whonix.org/wiki/Comparison_with_Others#Attacks](https://www.whonix.org/wiki/Comparison_with_Others#Attacks)

------
SixSigma
Even wired don't know what an OS is. Or rather the definition of OS has
changed. A strange time when your industry jargon enters the popular lexicon
but always slightly twisted.

You can't even call yourself a Troll in the UK now without people thinking you
go on Facebook and mock the dead to their nearest and dearest.

~~~
timthorn
Yes, the BBC News at Ten told us that "the website Mumsnet has warned its 1.5
million users that their data may have been hacked as a result of the
Heartbleed computer bug. It's the first time the virus has been found on a
British website"

~~~
SixSigma
I have found the BBC's Technology reporting particularly irksome. Their
website is filled with re-hashed press releases. I even re-wrote an article
concerning turning urea into electricity for them to show what it _could_ have
been like if they had put half an hour's effort into it, naturally I didn't
even get a response.

~~~
timthorn
Of course not. They thought that you were taking the piss in a shocking way.

I did once mail a correction to a story about a new EU regulation which had
been a high profile item across BBC News. It was quite a fundamental thing,
and I got a short mail from a senior editor, thanking me and angrily lamenting
that it wasn't a difficult thing for his reporter to check, state of
journalists these days, etc etc. The story was changed.

--edit: make a bad pun worse.

------
bch
> How do we know it isn't some government plot designed to snare activists or
> criminals? A couple of ways, actually. One of the Snowden leaks show the NSA
> complaining about Tails in a Power Point Slide; if it’s bad for the NSA,
> it’s safe to say it’s good for privacy. And all of the Tails code is open
> source, so it can be inspected by anyone worried about foul play.

It does not follow that either, or both, of these points (Open source, an NSA
complaint slide) make this "snare proof". I'm _not_ saying that it isn't, but
there is no logic in the Wired article's assertions.

~~~
slantview
Yeah, safe and open source are not necessarily synonymous. (see openssl
"heartbleed")

------
blueskin_
I like the way I had to click the article to see what it was. I was wondering
if it'd be Tails or something. Yep.

------
gtirloni
_And naturally, nobody knows exactly who created it._

Shouldn't it be the opposite so we all know who we're relying on? It's the
same question I'd throw at Bitcoin.

~~~
joezydeco
I think users would prefer that covert government agencies not know where to
find the authors, either to avoid undue influence or surreptitious hacking of
their development machines to insert backdoors and other nefarious things.

Plus, as TFA states, the code is all out there in the open and able to be
reviewed. Does it matter who wrote it at that point?

------
trustlook
That reminds me of the movie Captain America 2. Use such a USB-based OS, enter
an Apple store and find a MacBook. Literally untraceable hacking.

------
slantview
A real inside look at it. /s

------
Gregorein
Is the website under DDoS?

~~~
gulbrandr
HN-DDOS, probably.

------
xsace
Well it's not like Snowden managed to remain anonymous forever

~~~
steve19
You mean when he did a video interview? He managed to do what he did and leave
the country without being caught. I call that mission accomplished.

------
bluenose69
The article suggests security because "all of the Tails code is open source,
so it can be inspected by anyone worried about foul play."

Yeah, that worked out well for openssl.

~~~
aw3c2
Yes it did. The heartbleed bug was found during an audit of the open source of
openssl.

~~~
epo
The audit occurred because testing revealed the presence of a problem.
Shutting the stable door after the horse has bolted is no vindication of open
source.

~~~
infinity0
How would you have found the bug without it being open source? You think
companies pay for these open public audits on _proprietary software_?

~~~
sp332
The vulnerability was first found by a fuzzer, which would have worked equally
well on closed-source software. And I believe the fuzz tester (part of
Codenomicon's "Defensics") is also closed-source.

~~~
infinity0
You misunderstand - how would the public have found out about the results of
that audit? There is no incentive to release this information for a closed
product; very much the opposite.

