Tails 1.0 is out (boum.org)
241 points by conductor on April 29, 2014 | 39 comments



more info:

"Tails or The Amnesic Incognito Live System is a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity. It is the next iteration of development on the previous Gentoo-based Incognito Linux distribution. All its outgoing connections are forced to go through Tor, and direct (non-anonymous) connections are blocked. The system is designed to be booted as a live DVD or live USB, and will leave no trace (digital footprint) on the machine unless explicitly told to do so. The Tor Project has provided most of the financial support for development. Laura Poitras, Glenn Greenwald, and Barton Gellman have each said that Tails was an important tool they used in their work with Edward Snowden"

http://en.wikipedia.org/wiki/Tails_(operating_system)


Thanks for posting this! I know I can just google it, but since the link from this item does absolutely nothing to just say what the hell Tails actually is, I probably wouldn't have bothered. Glad you posted this because it's actually good stuff to know about!


There was an interesting article a while back regarding Tails and Snowden's leak:

http://www.wired.com/2014/04/tails/

This also has some good information about some practical uses of Tails. Not sure much about the claims of the article and their truths (was an entertaining read though), but it gives some further details about Tails for the inquiring mind.


For anyone seriously considering Tails, do invest either in a laptop with a DVD drive and run Tails off non-writable storage, or use something like a hardware-switchable write-protect USB drive: http://www.amazon.com/Kanguru-Solutions-Flash-Write-Protect-...


Do note that write-protect switches often only ask that software not write to the drive (Host protect), and are not sufficient to protect against a malicious entity.

Unless an examination revealed otherwise it is wise to assume that the write protection media is a software protection, not a hardware protection.

http://security.stackexchange.com/questions/4248/how-reliabl...


SD cards have a physical switch to write-protect them, but the logic & protection is done in software.

For example, there's a project that provides replacement firmware for Canon cameras - http://chdk.wikia.com/wiki/CHDK - stored on the SD card. The new firmware is selected by moving the write-protect switch on the card. In either configuration, the camera can still save new photos to the storage.


I'd read that same SE thread a while back and concluded that write-protect drive switches are a good solution I could trust!


It would be nice if their bootloader "just" loaded the entire image into RAM and let the user continue booting and running without the USB drive attached. Optical drives are on their way out, USB drives with a trustworthy write switch are obscure (if they exist at all) and this seems quite secure. I'm using scare quotes because I don't know how difficult this is.


It's quite common, though typically done for performance reasons: http://en.wikipedia.org/wiki/List_of_Linux_distributions_tha...

I agree that this seems like the best compromise: Have the bootloader load the squashfs (or whatever) to RAM, and then unmount and prompt you to remove the media before executing the kernel. In order to compromise that, you'd have to corrupt the process which creates the flash drive originally; if that's been achieved then it's game over regardless.


>and running without the USB drive attached

That's how the Debian boot image works by default. You actually have to jump through some hoops to enable persistence.

So unless Tails actively tries to be stupid, it should be safe to remove the drive after the squashfs has been loaded during boot.


Tip: Most laptops have an SD card reader and most full size SDs still have write switches.

Also, SystemRescueCD does a load to RAM, so it's certainly doable :)


This is not safe! The SD card write switches rely on the host to respect the state of the switch[0]

[0] http://www.electronics-lab.com/blog/?p=2620


Wow; I had no idea. Thank you for the warning :)


Write switches on SD cards are not hardware specific, the host can choose to ignore them, unfortunately.


Unfortunately, many/most laptops do not support booting from SD cards. If you were to store the main image on an SD card, you'd still need a cd/dvd/usb drive to load the bootloader.


>Tip: Most laptops have an SD card reader

Not all of them will boot for you though. Mine doesn't.


Most will, they just see it as a USB device. The BIOS won't list it unless it is populated.


Internally they're fairly common. You can probably take a normal USB drive and find the write protect pin on the datasheet.


If you are going to use it on a DVD drive or otherwise, then make sure you update it regularly (i.e., download and burn a new DVD, etc.) to make sure your OS and various tools have the latest patches. Otherwise you are much more vulnerable. All the time people forget and end up using a very old version.


Could you expound on why?


An adversary could modify your image. It's possible that they could have your copy phone home through a non-anonymized route, revealing information about your identity.

They could also make it so that you route all information through their nodes, or eavesdrop through a built-in microphone or camera.

All sorts of nasty things, all with persistence between boots.


Interesting. Do you mean by physically accessing the USB drive and changing it, or software that waits to modify the USB drive once connected? Thank you!


I'm not sure what you are asking exactly.

I was talking about using a USB drive as the medium for your Tails Live "CD."

The point of Tails is that unless you explicitly take action to make changes or save files, nothing that you do will be persistent across restarts. The memory of the PC you were using is wiped, and the medium on which you store the Tails OS has not been modified. The next time you start Tails you will have a fresh copy. No personal information, no settings that could distinguish you from any other vanilla Tails user. You'll be presented with the same toolkit tailored to privacy and security every time.

If an attacker is able to compromise one session it is a problem, but maybe they didn't gather the intelligence they needed to de-anonymize you. Now, if they can make it so that your copy of Tails boots with their exploits already loaded, then there's a major problem.


Okay. I got you now. Thanks. I just didn't know how exactly the USB drive was going to get modified by an attacker.


You can get USB DVD drives pretty cheap these days. Probably not the most performant, but much cheaper than buying a new laptop.


You could also remove the hard drive. It's very easy to do and would prevent any accidental write.


Can't you get one of those U3 drives that appear as a USB DVD drive? It requires loads of time and special software to reflash, but I'm not sure if they're available any more.

Then again, a malicious actor may just go through the trouble of bypassing the protections.


The planned update to Wheezy is important because it brings an update to OpenSSL. Updating OpenSSL on Squeeze is time-consuming and buggy, and a later version is required to run several software packages including Bitmessage.


Does it make sense to run a Tails Virtualbox VM under a Linux host? (eg: Fedora)


No, the host isn't read-only, so if you have malware (which can see the VM and what it's doing) you're fucked.

If you boot into Tails, it's read-only.


That's the use case of Whonix.

http://whonix.org


Didn't know about this Physical Isolation feature[0] before. Does anyone have any idea how reliable this is?

[0]: https://www.whonix.org/wiki/Dev/Build_Documentation/Physical...


Only if you trust the host machine 100%. But you can never trust the host machine 100%.


If you did why would you be using TAILS?


For anonymity?


I can't wait for the pending UEFI support[1] so that I can use the official installer for Tails and boot with my Mac. Currently I have to use a custom installer[2] to get it to work.

[1] https://tails.boum.org/blueprint/UEFI/

[2] https://github.com/hellais/TAILS-OSX


Please don't start using it as your permanent OS. As soon as you start regular browsing in Tails you are overdoing it.

Tails is excellent for posting anonymous information to the internet, as long as it is a one-time thing. If you first browsed Reddit, read your (G)mail or looked at Facebook, you are still quite easily identifiable!


Did Edward Snowden really use it?


Yes, according to this Wired article: http://www.wired.com/2014/04/tails/



