Slashdot Mirror


Snowden Used the Linux Distro Designed For Internet Anonymity

Hugh Pickens DOT Com writes: "When Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. Now Klint Finley reports that Snowden also used The Amnesic Incognito Live System (Tails) to keep his communications out of the NSA's prying eyes. Tails is a kind of computer-in-a-box using a version of the Linux operating system optimized for anonymity that you install on a DVD or USB drive, boot your computer from and you're pretty close to anonymous on the internet. 'Snowden, Greenwald and their collaborator, documentary film maker Laura Poitras, used it because, by design, Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'

The developers of Tails are, appropriately, anonymous. They're protecting their identities, in part, to help protect the code from government interference. 'The NSA has been pressuring free software projects and developers in various ways,' the group says. But since we don't know who wrote Tails, how do we know it isn't some government plot designed to snare activists or criminals? A couple of ways, actually. One of the Snowden leaks shows the NSA complaining about Tails in a PowerPoint slide; if it's bad for the NSA, it's safe to say it's good for privacy. And all of the Tails code is open source, so it can be inspected by anyone worried about foul play. 'With Tails,' say the distro developers, 'we provide a tongue and a pen protected by state-of-the-art cryptography to guarantee basic human rights and allow journalists worldwide to work and communicate freely and without fear of reprisal.'"


  1. The NSA is becoming a new God for "True Believers" by mythosaz · · Score: 5, Funny

    What's that? Have any unknown in your life? Just insert the NSA?

    Don't have the source code? The NSA must be behind it.
    Don't know who spread a worm? Must be the NSA.
    Don't know who authored BitCoin? NSA.
    Don't know who packaged up TAILS? NSA.

    The NSA sent his heavenly son to die for our sins.

  2. Well, If the NSA Can't Crack It, Ya Right by LifesABeach · · Score: 1

    Well, at least it will slow down the other Adam Henrey's with their personal, "needs." Where can I download a copy, today's a good day to start again.

    1. Re:Well, If the NSA Can't Crack It, Ya Right by CanHasDIY · · Score: 3, Insightful
      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:Well, If the NSA Can't Crack It, Ya Right by Anonymous Coward · · Score: 1

      Link that works? Wondering now about whether it is /.'d, or down for other reasons...

    3. Re:Well, If the NSA Can't Crack It, Ya Right by DarwinSurvivor · · Score: 1

      I don't know what's funnier. A broken link in a slashdot post, or someone trusting a slashdot post as the correct location to acquire said security software.

    4. Re:Well, If the NSA Can't Crack It, Ya Right by Nimey · · Score: 3, Informative

      I've been seeding the 0.23 version since it came out. Here's the magnet link:
      magnet:?xt=urn:btih:B7EE06A2568630EED830CFFBF45B6BFD5DE796D4&dn=tails-i386-0.23&tr=http%3a%2f%2ftorrent.gresille.org%2fannounce

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    5. Re:Well, If the NSA Can't Crack It, Ya Right by X0563511 · · Score: 1

      I've never once seen a browser do that, and if I did I would stop using it immediately. That's a huge security issue.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:Well, If the NSA Can't Crack It, Ya Right by sumdumass · · Score: 1

      IE, firefox, opera, chrome, all do it. Unless you have no script or something like it running. I suppose it can be turned off in the browser settings somewhere.

      Not sure what the security issue would be. You still have to click the link. It would be no more insecure than having a link present.

  3. Cue NSA infiltration in 3...2.... by NotDrWho · · Score: 4, Interesting

    May want to keep an eye out in the development community of the OS for a sudden influx of programmers "just wanting to help out." Or existing members suddenly driving new sports cars and acting strange.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Cue NSA infiltration in 3...2.... by RGRistroph · · Score: 4, Funny

      We, the open source and freedom-loving community, may need an organized task force to keep track of these programmers, track their incomes, and store their communications -- just for future reference in case something comes up and a mole is suspected, not an actual search as the Constitution defines it, of course. Similar to the Apache Foundation and other Foundations for Open Source causes, but tasked with keeping our communications secure, and breaking the other side's communications where feasible. We'll have to keep the existence of the Association secret as much as possible of course, and thus also hide its budget in small items spread across the other Foundations. They'll archive all the repos and mailing lists and IRC channels and any other communication medium, but advances in technology make the storage on that scale cheaper. We might have to rent a large building out somewhere that has cheap land and few pesky curious trespassers, Utah or something. We'll just refer to it as No Such Association for now. A small and expedient measure given the threats of our times.

    2. Re:Cue NSA infiltration in 3...2.... by rcamans · · Score: 1

      Isn't the phrase "programmers acting strange" redundant?

      --
      wake up and hold your nose
  4. Tails is awesome by Midnight_Falcon · · Score: 2
    And the anonymous authors of the package deserve a medal.

    The CIA etc notes that its employees 'serve in silence,' surely this team has advanced the cause of freedom and liberty more than them, in silence.

    1. Re:Tails is awesome by BreakBad · · Score: 1

      ..and pretty cool masks.

    2. Re:Tails is awesome by cold+fjord · · Score: 1

      ... surely this team has advanced the cause of freedom and liberty more than them, in silence.

      I'm pretty sure that the answer to that is no. "Tails" isn't more than a few years old. The CIA was fighting communist dictatorships for decades, and before that its predecessor the OSS fought the Nazis.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:Tails is awesome by Midnight_Falcon · · Score: 1
      Do you really believe that load? The CIA was formed to be an instrument of executive power with minimal accountability, and is one of many intelligence organizations in the United States. While it was fighting communist dictatorships it was also trying to steal the presidential election on behalf of Nixon (Watergate), and potentially facilitating the sales of drugs in the USA to finance Iran-Contra. Their SAD division helped illegally expand the Vietnam War into Cambodia, and use chemical weapons whose effects are still being felt today.

      Also, none of the employees at the present CIA were around to have anything to do with fighting the Nazis.

    4. Re:Tails is awesome by cold+fjord · · Score: 1

      How many of the present CIA had anything to do with Vietnam? Iran Contra? See, I can play that game too.

      Watergate was Nixon's own men, not the CIA.

      Were the North Vietnamese in Cambodia and using it to attack South Vietnam? Yes. Are you claiming that Cambodia was outside its rights to ask for assistance against the North Vietnamese occupation of its territory?

      Now maybe you can tell me, how much did the Tails project help dissidents against the Communist governments of Poland, USSR, Hungary, Czechoslovakia, and many others? What did the Tails project do to defeat Communist takeover attempts in free European countries like Greece? Nothing.

      What I wrote has the irritating quality of being true.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    5. Re:Tails is awesome by Midnight_Falcon · · Score: 1
      Actually, many present CIA employees were around for Vietnam and Iran-Contra..notably, a recent director, Porter Goss -- who was a career CIA employee. Those who were low-level agents at the agency are now in higher positions, and they were around for that time -- albeit it is unknown whether they were involved with those operations. You didn't fact check your statement at all before making it. The reason my statement is true is because of time disparity -- 70 years since the Nazis fell means that any CIA agent would have to be 90+ years old to have been around for that.

      Now maybe you can tell me, how much did the Tails project help dissidents against the Communist governments of Poland, USSR, Hungary, Czechoslovakia, and many others? What did the Tails project do to defeat Communist takeover attempts in free European countries like Greece? Nothing.

      It didn't exist then and neither did the internet. Today, it would help bring down the "Iron Curtain" and be a valuable instrument in these areas. The CIA also didn't do this out of the goodness of their heart or to defend "freedom" -- they were doing it to expand U.S. power and influence in Europe and check the influence of Russia.

      Are you claiming that Cambodia was outside its rights to ask for assistance against the North Vietnamese occupation of its territory?

      Cambodia never did this. Can you find a source that says that? And I don't mean their powerless government-in-exile asking for military assistance, if that was legal, then the Dalai Lama could authorize the U.S. to invade Tibet.

      The CIA was involved and Nixon's men were former CIA agents.

      Here's a reference

      What I wrote has the irritating quality of being true.

      No, everyone is entitled to their own opinion, not their own facts. You've invented your own facts for the purposes of rebuttal, which is quite irritating.

    6. Re:Tails is awesome by cold+fjord · · Score: 1

      Former CIA agents are not current CIA agents.

      As the Cambodian situation became worse, the Cambodian government sought military assistance from the United States and South Vietnam.

      -- Across the Border: Sanctuaries in Cambodia and Laos

      The US was out of South Vietnam in 1975. That is nearly 40 years ago. I doubt there are many CIA agents that were working in Vietnam still working at the CIA. Iran Contra is also well into the past. And once again, a former Director of CIA is not a current Director or employee.

      The internet certainly did exist in the 1980s. But you basically concede my point then. Tails had nothing to do with the actual fight for freedom that was the struggle against communism let alone the Nazis. The real contributor to freedom was the CIA, not the small Tails project only a few years old.

      I look forward to you identifying the relevant facts. You would then be less irritated and probably not be proposing such nonsense.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    7. Re:Tails is awesome by Midnight_Falcon · · Score: 1

      Former CIA agents are not current CIA agents.

      As the Cambodian situation became worse, the Cambodian government sought military assistance from the United States and South Vietnam.

      -- Across the Border: Sanctuaries in Cambodia and Laos

      This is an official military source that misses the point that the "government" of Cambodia was not de facto sovereign at the time, nor legal..the request came from Lon Nol, a pro-US general who was just installed in a coup d'etat.

      The US was out of South Vietnam in 1975. That is nearly 40 years ago. I doubt there are many CIA agents that were working in Vietnam still working at the CIA.

      They'd be 60-70 years old but it's still quite possible. The CIA doesn't really publish lists of employees so this can be checked.

      Iran Contra is also well into the past. And once again, a former Director of CIA is not a current Director or employee.

      The internet certainly did exist in the 1980s.

      Yes, but mostly as a U.S.-only network, it would be more accurate to say the "Internet did not exist in the way we know it today". CERN and Europe didn't largely uplink into the TCP/IP-based internet until 1989..post-Berlin Wall.

      The real contributor to freedom was the CIA, not the small Tails project only a few years old.

      If you think that the CIA contributed to "freedom" then you speak propaganda only. The CIA contributed to realpolitik, and only came to create "freedom" in places that mattered to the U.S.'s strategic interests. In the same way the KGB helped enforce a "prison of states" around Eastern Europe, the CIA helped foster a similar situation in South America. See Guatemalan Coup. Let's not forget also about Chile and Grenada. Also, the CIA helped stifle dissent in America and reduce American political freedoms during this time. Reference: Operation CHAOS

    8. Re:Tails is awesome by anagama · · Score: 1

      Today, Cold Fjord and the NSA _are_ the Nazis.

      --
      What changed under Obama? Nothing Good
    9. Re:Tails is awesome by Midnight_Falcon · · Score: 1

      Let's also not forget one of the first things the CIA did in Post-WWI America.. Project MKULTRA How does giving people LSD in mind-control experiments help anyone's freedom? Seems like something that would be described in Arendt's Origins of Totalitarianism

    10. Re:Tails is awesome by Midnight_Falcon · · Score: 1

      s/WWI/WWII/g

    11. Re:Tails is awesome by anagama · · Score: 1

      not believing in the god of state

      You have to be joking. There is no bigger defender of the state, the status quo, and the Anti-American activities of the NSA than you. I don't think there is a more statist asshole on all of Slashdot than you are, so I suppose we should add "deluded" to your list of faults now too.

      --
      What changed under Obama? Nothing Good
    12. Re:Tails is awesome by anagama · · Score: 3, Interesting

      Jesus -- I haven't done acid since my college days a quarter century ago. You should lay off it.

      Big Lie -- your whole post is this. You try to take on the mantle of a freedom loving defender of American virtue, when the fucking straight fact is, you are the biggest NSA shill there is, and the NSA is one of the biggest threats to the US Constitution in the entire world. We also have other Executive branch things that are pretty fucking bad, but the NSA is anti-constitution, thus anti-American, and your support for the NSA makes YOU anti-American.

      --
      What changed under Obama? Nothing Good
    13. Re:Tails is awesome by cold+fjord · · Score: 1

      ... when the fucking straight fact is..

      First you call me Nazi, now you're back to "NSA shill." More crooked words from you, more lies as you continue your assault on the truth like the fascist you are. You have to rely upon name calling instead of argument because the simple straight facts are so devastating to your position. The simple fact is that the NSA is nothing more than a US government intelligence under the Department of Defense that looks for a list of things given to it by the rest of the government. It isn't the secret police. It isn't the Stasi. It doesn't have arrest powers. Congress holds its purse strings and writes the laws it must comply with. The President appoints its leaders. It has to answer to the courts. It plays a vital role in protecting the US. And ultimately that is why you can't stand it: it protects the United States and it is part of the military. You can't stand the "status quo" and want the country moved in an extreme direction. "Omabaisaneocon"??? Really? Like many extremists you are content to use the protections of the Constitution as both shield and club to conduct "lawfare" until your faction has the power to alter things more to its liking.

      General George Washington was a spy master that the head of British intelligence complained "out spied" him. Benjamin Franklin opened the mail of other colonists for intelligence purposes. You ignore that history because it is inconvenient. You are against US intelligence vital to protecting the country. You are at best a self-hating American and an example of Oikophobia if not an outright anti-American, and in either case a fascist.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    14. Re:Tails is awesome by cffrost · · Score: 1

      I will grant you I am often the one-eyed milkman [...]

      Fixed that for ya.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  5. Re:The NSA is becoming a new God for "True Believe by Russ1642 · · Score: 1, Insightful

    Well for a start we know that the NSA exists. I can go on but what I've just said pretty much destroys the analogy.

  6. Re:Anonymous on the internet? by Midnight_Falcon · · Score: 5, Informative

    Tails bakes in a routing table that makes all traffic go over Tor. It also has built-in I2P support. So, while ISPs can look at your traffic, it becomes quite a tough nut to crack to figure out what you're actually doing. Attacks are possible, but require exponentially more sophistication and resources than just tracking an IP.

  7. Re:NSA boogeyman by Midnight_Falcon · · Score: 4, Informative

    Go on YouTube and listen to Jacob Appelbaum's (a Tor developer) videos. Something about NSA agents peering into his girlfriend's window at night and various other intimidation tactics..and that's just him..

  8. Almost by s.petry · · Score: 4, Interesting

    Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'

    Traffic sniffing does not require files on the target and this is the biggest source of data for agencies like the NSA. It may protect you from key loggers being installed (unless they were inserted ahead of time).

    I'm pretty sure that part of Snowden's leaked information showed that exploits are occurring at the hardware level as well as software. Entry points like LOM modules were explicitly called out in the leaked presentations.

    I'd agree that forensics becomes extremely difficult, if not impossible (memory analysis can still occur). I don't agree that the systems are immune to malicious software at least in a general sense. Immunity would require a lot of control for the hardware running the OS, and monitoring to make sure things have not been tampered with. Relying on a repository build of an OS image is still a target for a potential MITM attack feeding a user a kitted image.

    It's all good in my opinion, I'm just being picky about the terminology chosen. Immunity implies absolute safety, and very little in the world is absolute.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Almost by lister+king+of+smeg · · Score: 4, Interesting

      Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'

      Traffic sniffing does not require files on the target and this is the biggest source of data for agencies like the NSA. It may protect you from key loggers being installed (unless they were inserted ahead of time).

      All traffic sniffing will do is show they are talking to a TOR entry node. Everything is wrapped in multiple layers of encryption between you and each of the nodes in between. Maybe they could tell from traffic analysis what type of traffic it is based on traffic profiling, streaming your pr0n over to will have a different profile than browsing a webpage which will in turn be different than ssh, but they still won't know the end point and what the content is.

      I'm pretty sure that part of Snowden's leaked information showed that exploits are occurring at the hardware level as well as software. Entry points like LOM modules were explicitly called out in the leaked presentations.

      Yes but they would have to have had access to your computer to insert the hardware bugs. If you say pick up a cheap laptop at walmart paid for with cash they won't know who has it, and would not have inserted the bugs as they could not have known who would end up with the computer.

      I'd agree that forensics becomes extremely difficult, if not impossible (memory analysis can still occur).

      If they are doing memory analysis they have the computer in their possession already and you probably have much larger issues to worry over.

      I don't agree that the systems are immune to malicious software at least in a general sense. Immunity would require a lot of control for the hardware running the OS, and monitoring to make sure things have not been tampered with.

      Technically true. However you have to trust something, and as long as there has been no opportunity to tamper with the computer you can assume you're safe for most things.

      Relying on a repository build of an OS image is still a target for a potential MITM attack feeding a user a kitted image.

      That is why we have cryptographic signatures on repositories and iso images. If they can break a 4092 bit key in polynomial time we are f***ed anyway

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    2. Re:Almost by s.petry · · Score: 1

      All traffic sniffing will do is show they are talking to a TOR entry node. Everything is wrapped in multiple layers of encryption between you and each of the nodes in between. Maybe they could tell from traffic analysis what type of traffic it is based on traffic profiling, streaming your pr0n over to will have a different profile than browsing a webpage which will in turn be different than ssh, but they still won't know the end point and what the content is.

      Um, no! I am not sure how much you know about network security, but I sniff packets all the time and decrypt traffic. If you have a private key this is simple to do. With a massive computer, I can store conversations and brute force a key later. This was made easier by the NSA introducing some weak algorithms into encryption protocols. Even without those weaknesses, it is possible to brute force. We are better today after knowing about introduced weaknesses, but still not immune.

      Yes but they would have to have had access to your computer to insert the hardware bugs. If you say pick up a cheap laptop at walmart paid for with cash they won't know who has it, and would not have inserted the bugs as they could not have known who would end up with the computer.

      Unfortunately the exploits do not always require physical access. It would certainly take more computer than you suggest, the devices in the leaked presentation are server class machines. Your recommendation for using a cheap PC is good. Personally I build my own more powerful PCs for that same reason.

      If they are doing memory analysis they have the computer in their possession already and you probably have much larger issues to worry over.

      This same issue exists with someone running forensics on your hard drive. The OS running on Read Only media minimizes the footprint drastically, it does not remove the footprint completely.

      That is why we have cryptographic signatures on repositories and iso images. If they can break a 4092 bit key in polynomial time we are f***ed anyway

      Now I'm more unsure of your security experience and knowledge. If I make a cloned Distro package and host my own MITM web site, I can use my own key and users would not know necessarily. Looks like chicken, tastes like chicken and all that. It's expensive to do, but happened already (whistle blowers reported this too).

      As mentioned previously, I'm not saying the system is bad. I'm claiming is not the best terminology, and a person reading TFA is possibly misled by the chosen terminology.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    3. Re:Almost by AmiMoJo · · Score: 1

      Tor mitigates traffic analysis attacks by padding data, generating extra random packets, combining packets it is forwarding or splitting them up again etc.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Almost by fafalone · · Score: 1

      All traffic sniffing will do is show they are talking to a TOR entry node. Everything is wrapped in multiple layers of encryption between you and each of the nodes in between. Maybe they could tell from traffic analysis what type of traffic it is based on traffic profiling, streaming your pr0n over to will have a different profile than browsing a webpage which will in turn be different than ssh, but they still won't know the end point and what the content is.

      Assuming you can view every page and do what you need to do without ever turning on Javascript. Which is quite the tall order. For example, there is no e-mail service on this planet that allows signup and use without JS turned on for at least one step or payment (this sounds ridiculous, but go and try it. There used to be. They've all been changed or shut down.). And it's been clearly established all it takes is one malicious script to unmask your IP while on tor.

      Yes but they would have to have had access to your computer to insert the hardware bugs. If you say pick up a cheap laptop at walmart paid for with cash they won't know who has it, and would not have inserted the bugs as they could not have known who would end up with the computer.

      Actually they would have a picture of your face and could go from there. A component serial number is discovered, which leads to the manufacturer, which leads to what store sold it; then their inventory systems can tell you what time it was sold, then you can match that up to security camera footage. This has been documented with burner phones, no reason it couldn't be done with computers.

      Technically true. However you have to trust something, and as long as there has been no opportunity to tamper with the computer you can assume you're safe for most things.

      It's like you missed the last year and still think this stuff is the fantasy of conspiracy nuts. Or work for the NSA and want to lull everyone into thinking they're safe.

      That is why we have cryptographic signatures on repositories and iso images. If they can break a 4092 bit key in polynomial time we are f***ed anyway

      Yes because that's the weak part. *sigh*

  9. Re:Anonymous by lister+king+of+smeg · · Score: 4, Informative

    Incognito Linux did not impress me. You can be more anonymous using Backtrack.

    ah no.

    Backtrack is for cracking not staying anonymous.
    Tails routes all of your traffic through TOR and keeps you anonymous as long as you don't share anything revealing.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  10. Re:Anonymous on the internet? by Wycliffe · · Score: 1

    makes all traffic go over Tor.

    Doesn't this slow things down considerably? Can you do normal activities like ssh or youtube in this type of setup?

  11. Re:Anonymous on the internet? by Desler · · Score: 1

    Or simply requires taking control of some servers.

  12. The Distant Future, Considered by SuperKendall · · Score: 3, Interesting

    how do we know it isn't some government plot designed to snare activists or criminals? A couple of ways, actually. One of the Snowden leaks show the NSA complaining about Tails in a Power Point Slide

    And that, ladies and gentlemen, is how you play the Really Long Game.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  13. Re:The NSA is becoming a new God for "True Believe by theskipper · · Score: 5, Interesting

    Well, personally my first thought after reading the summary was "but how do you trust the BIOS?" A few years ago I'd have immediately said that's conspiracy theory and dismissed it (along with the other items you listed). But after a year of exposure to the Snowden and RSA revelations and everything else, it pains me to say these NSA questions aren't so far fetched any more.

    Sure they may not be probable but they could be possible. No matter how rational you think you are, it really messes with one's mind. Subtle paranoia, if you will.

  14. Re:The NSA is becoming a new God for "True Believe by MrNickname · · Score: 4, Funny

    That sounds like something the NSA would post.

  15. Re:NSA boogeyman by Blakey+Rat · · Score: 1

    A Tor developer? Being paranoid? Shocking!

    No, I'm sorry, when I say "evidence" what I mean is, and try to follow along here, "evidence". Not anecdotes. Not scary bumping noises in the night. Evidence.

  16. Comment subjects suck by caluml · · Score: 1

    And it's Slashdotted.

  17. NSA 'complaining' about tails by spasm · · Score: 3, Insightful

    NSA 'complaining' about tails? Oh, no, please don't throw me in that briar patch!

    http://americanfolklore.net/fo...

    1. Re:NSA 'complaining' about tails by bluefoxlucid · · Score: 1

      Well it's too slow. Sonic is faster.

  18. Amnesic? by caluml · · Score: 1

    The Amnesic Operating System. Shouldn't it be amnesiac? Or is this another English/American English difference like aluminium?

    1. Re:Amnesic? by CanHasDIY · · Score: 2

      The Amnesic Operating System.

      Shouldn't it be amnesiac?

      Nope - an amnesiac is a noun that refers to a person suffering from amnesia; "amnesic" is an adjective that means "exhibits properties of amnesia," which can apply to more than just the human psyche.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:Amnesic? by Anonymous Coward · · Score: 1

      No, it's a part of speech difference. "Amnesiac" is a noun; "amnesic" is an adjective. On both sides of the pond.

    3. Re:Amnesic? by caluml · · Score: 1

      Interesting - so an amnesiac would also be amnesic? Are there any other words that have similar examples like this?

    4. Re:Amnesic? by un1nsp1red · · Score: 2

      A manic maniac?

  19. The government should pass a law! by Vinegar+Joe · · Score: 4, Funny

    Snowden would have had a much harder time had he been using legal Microsoft products.

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
  20. Re:The NSA is becoming a new God for "True Believe by Lazere · · Score: 1

    "We cannot confirm or deny the existence of an organization allegedly named the NSA."

  21. Re:From an NSA powerpoint slide? by Anonymous Coward · · Score: 1

    And don't forget the fact that 99.9% of the people out there aren't as interesting as they think they are. Most would be very disappointed to find out that the NSA actually doesn't give a fuck about them, and that would be a blow to their egos. Back in the 90's when they caught Ted Kaczynski, they got a hold of his "hit list." There were CEO's and such who actually felt slighted that they weren't on that list. Kind of a shot to their inflated egos.

  22. Re:The NSA is becoming a new God for "True Believe by Jeremiah+Cornelius · · Score: 1

    Turn on your Heartbleed,
    Let it shine, wherever you go
    Let it make a happy glow
    For the NSA to see...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  23. Re:Anonymous on the internet? by Anonymous Coward · · Score: 1

    SSH? of course. Youtube? Generally, no. Using flash over tor is contraindicated anyway, due to potential leaks, though html5 shouldn't be a problem, other than the general latency of tor slowing it down to a crawl.

    TAILS is a live system (that's what the LS at the end of the name stands for), and isn't meant to be run as a primary system, but rather only when doing otherwise sensitive things. Not that youtube isn't sensitive in some locations, but for now, the TOR network just can't handle that kind of load. Conventional VPNs are about the best option in those cases, but naturally, figuring out how much you trust your security over a vpn to avoid whatever kind of penalty there is for viewing youtube videos in your country is something for anyone going that route to consider.

  24. What a shame by cold+fjord · · Score: 1

    What do you bet that "Tails" used OpenSSL as part of its security?

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:What a shame by Midnight_Falcon · · Score: 1

      It did, but a version that was NOT vulnerable to heartbleed since tails tracks debian-oldstable. Also, there is no use case for running a web server that people can exploit heartbleed on via tails.

    2. Re:What a shame by Midnight_Falcon · · Score: 1

      Can you explain how heartbleed would be exploited in such a circumstance?

    3. Re:What a shame by F.Ultra · · Score: 1

      Heartbleed is a server exploit

    4. Re:What a shame by cold+fjord · · Score: 1

      True but I doubt that it matters that much since another client talking to the same vulnerable server could compromise the server keys and potentially allow intercepts of other client communications.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    5. Re:What a shame by Midnight_Falcon · · Score: 1

      Yes, it matters a lot and renders the use of OpenSSL in Tails being a security issue moot -- any client would have this issue. Additionally, Tails' security practices also enforce use of things like Perfect Forward Secrecy when available. Also, most Tor nodes utilize PFS between nodes. Again, Tails' security architecture helps defend users against zero-day exploits.

    6. Re:What a shame by Qzukk · · Score: 1

      Just like a malicious client can suck data out of a vulnerable server, the same can work in reverse, though clients tend not to keep an SSL connection open any longer than they need to (unless it's IMAPS or FTPS or chat or some other application with persistent connections).

      If you suck the private key out of a bank webserver's RAM, then perform a MITM attack on the bank users using the bank's own certificate, not only can you get their bank credentials (by them filling in the form and sending it to you), depending on the browser you may or may not be able to suck up other accounts from them (eg user logs into a credit card company site to see their bill, then logs into your fake bank to see if they can pay it).

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    7. Re:What a shame by Midnight_Falcon · · Score: 1

      Someone give this man a dollar (or an mBTC) for correctly describing Reverse Heartbleed. Luckily, Tails isn't affected by this.

    8. Re:What a shame by Fnord666 · · Score: 1

      Heartbleed is a server exploit

      Actually it can cut both ways.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
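
Added example, not part of any comment in this thread and not OpenSSL's code: a C sketch of the heartbeat (RFC 6520) length check whose absence was Heartbleed. The same handler runs on whichever peer receives a heartbeat request, client or server, which is why the bug can cut both ways; the function names, return codes and sample messages are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3    /* 1-byte type + 2-byte payload length */
#define HB_MIN_PAD  16   /* RFC 6520: at least 16 bytes of padding */

/* Return codes (names are this example's own). */
enum { HB_OK = 0, HB_DROP_SHORT = -1, HB_DROP_TYPE = -2,
       HB_DROP_LENGTH = -3, HB_DROP_NOSPACE = -4 };

/* Payload length as claimed by the sender (big-endian 16-bit field). */
static size_t hb_claimed(const uint8_t *msg)
{
    return ((size_t)msg[1] << 8) | msg[2];
}

/*
 * Build the response to one received heartbeat message.
 * msg/msg_len: bytes actually delivered by the record layer.
 * Returns HB_OK and sets *out_len, or a HB_DROP_* code (message ignored).
 */
int hb_build_response(const uint8_t *msg, size_t msg_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (msg_len < HB_HDR + HB_MIN_PAD)
        return HB_DROP_SHORT;
    if (msg[0] != HB_REQUEST)
        return HB_DROP_TYPE;

    size_t claimed = hb_claimed(msg);
    size_t need = HB_HDR + claimed + HB_MIN_PAD;

    /* The check that matters: the claimed payload must fit inside what
     * actually arrived. Without it the echo below reads past msg. */
    if (need > msg_len)
        return HB_DROP_LENGTH;
    if (need > out_cap)
        return HB_DROP_NOSPACE;

    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HDR, msg + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    *out_len = need;
    return HB_OK;
}

/* For logging: bytes beyond the received message that an unchecked echo
 * would have copied from adjacent memory. 0 means the message is honest. */
size_t hb_overread_bytes(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HB_HDR)
        return 0;
    size_t claimed = hb_claimed(msg);
    size_t avail = msg_len - HB_HDR;
    return claimed > avail ? claimed - avail : 0;
}

/* Constructed sample: honest request, 4-byte payload plus 16 zero padding bytes. */
static const uint8_t SAMPLE_OK[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Constructed sample: claims 0x4000 payload bytes but carries only 17 bytes after the header. */
static const uint8_t SAMPLE_BAD[20] = { HB_REQUEST, 0x40, 0x00, 'x' };

int main(void)
{
    uint8_t out[64];
    size_t n = 0;
    int rc = hb_build_response(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out, &n);
    printf("honest request: rc=%d, response length=%zu\n", rc, n);
    rc = hb_build_response(SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out, &n);
    printf("over-claimed request: rc=%d, unchecked echo would over-read %zu bytes\n",
           rc, hb_overread_bytes(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```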
    9. Re:What a shame by cffrost · · Score: 1
      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  25. Having the source Code does not make it safe by hduff · · Score: 3, Informative

    Unless you compile from vetted source code on an un-compromised system using an un-compromised compiler, etc., you can't be certain the binary they provide is the same as what compiling the source code would provide.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Having the source Code does not make it safe by istartedi · · Score: 3, Funny

      I would assemble the system myself from discrete transistors, except that I can't be sure the NSA didn't drug me, drag me off and hypnotize me.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    2. Re:Having the source Code does not make it safe by olip85 · · Score: 1

      Unless you compile from vetted source code on an un-compromised system using an un-compromised compiler

      A very interesting (and quite short) read about that: Reflections on Trusting Trust

    3. Re:Having the source Code does not make it safe by AmiMoJo · · Score: 1

      Most of us are gonna have to trust someone at some point. We can't build our own CPUs out of sand, we have to hope that Intel didn't install an NSA sponsored backdoor. Fortunately all the evidence so far suggests that the NSA avoids creating pre-exploited hardware and firmware, instead relying on more subtle techniques like weakening encryption or making use of genuine bugs. Maybe they insert a few bugs too, but again the evidence suggests that using systems like Tails is pretty effective.

      At any rate, it seems to be far better than using Windows, even if I haven't personally audited the millions upon millions of lines of source code needed to build it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  26. Re:The NSA is becoming a new God for "True Believe by Em+Adespoton · · Score: 1

    I had a few other questions as well...
    This does nothing to protect against tampered hardware (keyloggers, screen captures, etc.). If you're using USB, you also have to trust that you really only have a flash device in that circuitry. Plus, you have to trust that any certificates you use aren't compromised, any exit nodes you use don't belong to the NSA (a large number do), etc.

    All in all, this really only protects you if you weren't already a surveillance target and weren't using compromised systems.

    Still, it's better than the alternative. Just not "completely secure".

  27. Re:NSA boogeyman by Midnight_Falcon · · Score: 3, Insightful

    Considering the fact that the NSA is super-secretive and the ongoing joke is it's an acronym for "No Such Organization," short of another Edward Snowden I don't think you can be given the kind of evidence you want. Remember, before Snowden those "paranoid" people like Tor Developers were relegated by folks like you into the land of nutjobs, conspiracy theorists and tinfoil-hat haberdashers. Now look..

  28. Re:Anonymous on the internet? by K.+S.+Kyosuke · · Score: 1

    Dear Wycliffe, in your time people were happy with letters and manuscripts. Why, you didn't even have the humble printing press at your disposal! Even if privacy-conscious citizens won't be able to share their shower selfies on YouTube, or whatever is popular this week, I'm sure that their actual communication needs will be amply provided for by a system like this.

    --
    Ezekiel 23:20
  29. Re:Anonymous by BitZtream · · Score: 1

    as long as you don't share anything reveling.

    So it's pretty much useless then? I realize the point of what it's doing, but it's fairly trivial with software running at or near exit nodes to figure out who's doing what and who they are. I have no doubt the NSA is capable of doing it. Put me in an IRC channel with 20 people I know and have chatted with for some time, randomize their nicks, give me an hour and I can tell you who most of them are based on their conversation patterns alone, and I'm just observant, not software combing EVERYTHING you do.

    Doesn't mean you shouldn't try to be anonymous, but just that it's PRETTY FRAKING HARD to do if you're doing it in public view, regardless of how hard you try to hide.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  30. Re:NSA boogeyman by K.+S.+Kyosuke · · Score: 1

    Also known as Nasty Sexual Assailants.

    --
    Ezekiel 23:20
  31. Re:NSA boogeyman by Midnight_Falcon · · Score: 1

    NSA Agents

    NSA agent is the name given to most employees of the NSA, same as other federal bodies like FBI, CIA, DEA, etc. You start as a "Special Agent" typically and then move up to Assistant-Special-Agent-in-Charge...Special-Agent-in-Charge etc..it's the default term. No one said anything about night vision and silenced weapons etc, AFAIK it was a plain ol stakeout. Sounds like you're the one playing too many video games.

    some dolt

    A rather accomplished and well-known individual who's been at the core of many privacy-related projects and founded a major hackerspace in San Francisco..and happens to be connected with Assange, Poitras, Snowden etc and in the NSA's radar..

  32. Re:Anonymous on the internet? by Midnight_Falcon · · Score: 2

    No, no, and no. If you were using tails, you wouldn't have been vulnerable to this attack because it enables NoScript by default. Tails' use of security best practices helps protect against zero-day exploits like the FBI's javascript malicious payload.

  33. Re:Open Source by K.+S.+Kyosuke · · Score: 1

    Well, OpenSSL is sort of complex. When it comes to actual security, simplicity is your friend. So I wonder whether - for mutual communication of two people (both equipped with this software) - you actually *need* OpenSSL or any crypto implementation of similar complexity. Just cut off everything unnecessary - especially given how X.509 should be suspicious to most paranoid people in the first place! What if the CAs get compromised by government agents? Just exchange your public keys in person to be sure. You don't need OpenSSL to do that.

    --
    Ezekiel 23:20
  34. Why doesn't TAILS use TRUCRYPT (or similar)? by corezz · · Score: 1

    I get the impression TAILS doesn't include a full system encryption on boot which means if the USB is discovered they could check what's on it. I assume Snowden wrote the retrieved data to the same usb stick. Maybe Trucrypt isn't available for linux distros but i am sure there are plenty of alternatives that do a similar full system os encryption.

    1. Re:Why doesn't TAILS use TRUCRYPT (or similar)? by TeknoHog · · Score: 2

      Maybe Trucrypt isn't available for linux distros but i am sure there are plenty of alternatives that do a similar full system os encryption.

      I can think of one alternative on Linux, it's called Truecrypt with an "e".

      --
      Escher was the first MC and Giger invented the HR department.
  35. Re:Anonymous by Midnight_Falcon · · Score: 4, Insightful

    There's plenty of ways to defeat stylometric analysis, notably, running things through a translation engine several times through a few languages.

  36. Re:NSA boogeyman by lonOtter · · Score: 3, Funny

    No, he doesn't. He's referring to the real puppeteers: NSO.

    --
    [End Of Line]
  37. Trust No One by Lawrence_Bird · · Score: 2

    Are you able to verify all of the distribution yourself? Are you able to vet the contributors? Are they able to vet each other? Is Tor really safe?

    It all comes down to a matter of degree but in the end... Trust No One

    1. Re:Trust No One by Nimey · · Score: 1

      In other words, don't use any technology unless you developed it yourself, smelted the raw materials yourself, &c.

      How much do you trust the evidence of your senses?

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:Trust No One by Lawrence_Bird · · Score: 1

      You'll notice that al Qaeda has gone back to using couriers.

      I would say if you use technology which can compromise your location, communications or other private info and you do not want to share that then yes, you are making a mistake to assume safety unless you have personally vetted it. As noted earlier, it comes down to a matter of degree/risk assessment (ignoring that you may be terrible or unqualified at assessing that) but that there is a non zero probability you have been compromised. And Trust No One should be your default policy, not trust those guys because, well they say the right thing and seem nice!

  38. Whonix is another alternative by Nimey · · Score: 1

    https://www.whonix.org/

    Magnet links:
    magnet:?xt=urn:btih:A031805E690BB0E03114A8FEB52485517218D3CE&dn=Whonix-Gateway-8.1.ova&tr=http%3a%2f%2fannounce.torrentsmd.com%3a6969%2fannounce&ws=http%3a%2f%2fwebseed.whonix.org%3a8008%2f8.1%2fWhonix-Gateway-8.1.ova

    magnet:?xt=urn:btih:AB89247534553946C500EDF3A78E9C30F9C956ED&dn=Whonix-Workstation-8.1.ova&tr=http%3a%2f%2fannounce.torrentsmd.com%3a6969%2fannounce&ws=http%3a%2f%2fwebseed.whonix.org%3a8008%2f8.1%2fWhonix-Workstation-8.1.ova

    And here's the magnet link for Tails v0.23 for good measure:
    magnet:?xt=urn:btih:B7EE06A2568630EED830CFFBF45B6BFD5DE796D4&dn=tails-i386-0.23&tr=http%3a%2f%2ftorrent.gresille.org%2fannounce

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Whonix is another alternative by Nimey · · Score: 1

      Note that the above Whonices are vulnerable to Heartbleed, so you'll need to do an apt-get update/apt-get dist-upgrade once you've imported the VMs into VirtualBox.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  39. Re:NSA boogeyman by Anonymous Coward · · Score: 3, Interesting

    Really? There haven't been enough scandals yet?

    - pressure to backdoor linux - http://www.itworld.com/open-source/383628/linus-father-confirms-nsa-attempt-backdoor-linux
    - NSA/GCHQ have power points about trying to attack TOR exit nodes including with DOS attacks
    - they hack sys admins
    - they are suspected of introducing bugs into code bases (anonymous commit to the linux kernel which had a = instead of == allowing remote code exploit)
    - they are known to have inserted hardware backdoors into US chips - most probably Intel and Via.
    - they used NIST to cripple encryption and random number generation standards. (They fixed the s-boxes in DES, but they reduced the key length from 64 bits to 54 bits. They lobbied to reduce the number of passes in current crypto systems. The Dual_EC_DRBG is the backdoored random number standard they forced through.)
    - They paid $10 million to RSA to set the default to this bad random number generation standard.
    - They use porn browsing habits and other information they collect to discredit people they don't like - this includes Americans.
    - They launch DoS attack against people they don't like. This includes people in anonymous and file shares using pirate bay. Anyone happening to use the same public IRC servers suffer too.
    - They launch "false flag" operations - meaning they do something evil, blame someone else, and use that as an excuse to do the thing they originally wanted to do but couldn't (the equivalent of shooting your own troops, blaming the enemy, and launching a "counter attack").
    - Joe Nacchio, former CEO of Qwest, was invited to Fort Meade and asked to do something blatantly illegal to which he said no. As a result, he lost the government contracts he expected to get, and the government arrested him for insider trading. He served 6 years in prison after being denied the right to defend himself because the programs in question were classified. (And you wonder why other telcos go along with the NSA's "requests")
    - Lavabit (secure email provider) was strong armed into closing after they received an NSL to spy on Snowden's email. The form of the NSL required that ALL lavabit customers would be spied on.

    These are just off the top of my head! How many demonstrations of evil do you need from those bastards? They are completely out of control.

  40. Re:The NSA is becoming a new God for "True Believe by kefkahax · · Score: 1

    One of the ways the NSA (and other organizations) have benefited from the leaks is the fear instilled in those that would otherwise speak out about injustice/corruption/etc..

  41. Re:The NSA is becoming a new God for "True Believe by nobuddy · · Score: 1

    How much do they pay you for these NSA flagellation? I'd like a second income, and it appears you don't have to put any effort into it at all.

  42. Re:The NSA is becoming a new God for "True Believe by Hognoxious · · Score: 1

    Don't know who did 9-11? No carrier

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  43. Re:NSA boogeyman by R3d+M3rcury · · Score: 1
  44. Re:The NSA is becoming a new God for "True Believe by sneakyimp · · Score: 1

    TAILS sounds like a honeypot to me. What's wrong with just booting off a KNOPPIX CD-ROM or an Ubuntu CD-ROM? I expect some stuff might get written to a tmp directory somewhere but you could always shred any files there before rebooting the machine.

  45. Re:NSA boogeyman by deadweight · · Score: 1

    Ah.........NO. Let us just say I live in an area where you can meet these people and they are NOT agents. ROFLMAO

  46. Re:The NSA is becoming a new God for "True Believe by fractoid · · Score: 2

    Just physically unplug the hard drive before booting off a live CD? I have to admit, though, that my first reaction was also "Anonymously produced live CD promises to protect your secrets? Sounds legit."

    --
    Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  47. Re:NSA boogeyman by Midnight_Falcon · · Score: 1

    Regardless of this (and please enlighten us to what they are called rather than just dismiss), common parlance is to refer to NSA employees as Agents. Just google "NSA Agent" to see countless journalistic reports about NSA Employees referred to as "Agents" (outside of the context of covert operations video game nonsense)....same is true with other agencies. And yes, they do have "Special Agent" etc ranks. However, they will not permit ex-employees to use such designations on their resumes and force them to use other titles like "Clerk" or "Analyst."

  48. Re:Anonymous by fractoid · · Score: 2

    Sir! I think we've just identified the Babelfish Bandit!

    --
    Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  49. Re:NSA boogeyman by fractoid · · Score: 2

    Who are controlled in turn by an even more mysterious organisation: ROUS.

    But I doubt they exist.

    --
    Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  50. Re:The NSA is becoming a new God for "True Believe by theshowmecanuck · · Score: 1

    Sort of my first thought... he used this secure software to thwart the NSA, while the NSA supposedly 'owned' OpenSSL that the software likely used. Kind of ironic.

    --
    -- I ignore anonymous replies to my comments and postings.
  51. GRUB2 Iso Boot by basecastula+ · · Score: 1

    Has anyone tried to boot tails from the grub2 menu yet? I do know archbang does not work. Otherwise it should be easy.

  52. Re:The NSA is becoming a new God for "True Believe by fizzer06 · · Score: 1

    In the novel "1984", Big Brother made sure you knew you were being watched.

  53. News: NSA hired person good at security by ignavus · · Score: 1

    "Fire him! He's too clever for us!"

    --
    I am anarch of all I survey.
  54. Re:NSA boogeyman by fsterman · · Score: 1

    A Tor developer? Being paranoid? Shocking!

    No, I'm sorry, when I say "evidence" what I mean is, and try to follow along here, "evidence". Not anecdotes. Not scary bumping noises in the night. Evidence.

    Okay, "When I flew away for an appointment, I installed four alarm systems in my apartment," Appelbaum told the paper after discussing other situations which he said made him feel uneasy. "When I returned, three of them had been turned off. The fourth, however, had registered that somebody was in my flat - although I'm the only one with a key. And some of my effects, whose positions I carefully note, were indeed askew. My computers had been turned on and off."

    Who breaks into an apartment, turns off alarms, and politely tries to put everything back in its place? Do you want him to post video of agents too? Just listen to the man.

    --
    Is there anything better than clicking through Microsoft ads on Slashdot?
  55. Re:The NSA is becoming a new God for "True Believe by Johann+Lau · · Score: 2

    It was not his choice to get stuck there, the US govt pretty much made sure. You know, even getting the Swiss to force down the plane of a president and search it, because he might be on board... really, your comment is unintentionally ironic: the invasion already happened -- that is, your external enemies ain't shit compared to the internal ones you bred yourself -- and it's YOU who is bending over and cheering.

  56. Old fashion... by geogob · · Score: 1

    How about just sending the stuff by snail mail? I'd bet my cup of coffee that they completely lost the expertise and interest on this form of communication.

  57. If the NSA doesn't like Tails they will target it. by mark_reh · · Score: 1

    They will put developers to work on the open source code who will "accidentally" insert bugs that open holes in the security -like the hole that was recently discovered in https. Tails may have been a problem for them in the past, but with the NSA's nearly infinite budget it seems unlikely that Tails would remain a problem for long.

  58. Re:Anonymous by inasity_rules · · Score: 1

    But I revel in sharing! :P

    --
    I have determined that my sig is indeterminate.
  59. Re:NSA boogeyman by minus9 · · Score: 1

    Just because you're paranoid it doesn't mean they're not out to get you.

  60. more idiotic every day by Anonymous Coward · · Score: 1

    computer-in-a-box? is that how you explain a live cd to a tech crowd?

  61. Harry Tuttle by ThatsNotPudding · · Score: 1

    Well, personally my first thought after reading the summary was "but how do you trust the BIOS?" A few years ago I'd have immediately said that's conspiracy theory and dismissed it (along with the other items you listed). But after a year of exposure to the Snowden and RSA revelations and everything else, it pains me to say these NSA questions aren't so far fetched any more.

    We need a Harry Tuttle to show up at night in our apts to offer us an alternative BIOS chip.

  62. Re:Anonymous on the internet? by fulldecent · · Score: 1

    Tor is ineffective when you can tap the whole internet and do statistical analysis.

    Next.

    --

    -- I was raised on the command line, bitch

  63. Re:NSA boogeyman by deadweight · · Score: 1

    WTF??? I can only say so much on here, but NO WAY are NSA employees running around being "agents". If some guy knocked on my door and said he was an NSA agent I would be falling over laughing.

  64. Re:NSA boogeyman by HagraBiscuit · · Score: 1

    +1 point for the splendid reference, I bow my head in solemn deference.

  65. Re:NSA boogeyman by HagraBiscuit · · Score: 1

    "The true paranoid is just someone in possession of all the facts".

  66. Re:NSA boogeyman by Midnight_Falcon · · Score: 1

    That's not what I said at all. What I said is that, in common parlance (as in newspaper articles, discussions, etc) NSA employees are referred to as "Agents" in Standard Written English.

  67. Re:Anonymous on the internet? by Midnight_Falcon · · Score: 1

    No, actually, and the hubris of your "Next" comment is telling about how you summarily dismissed this without doing any actual research. Have you ever actually tried to do a traffic correlation attack? Do you even know how Tor works?

    Tor, in order to defeat traffic correlation attacks (or at least make them much more difficult), re-negotiates its connection to use a different circuit every ten minutes. The NSA themselves in the leaked "Tor Stinks" document even pointed to this as being extremely difficult, if not impossible, to track users through. The NSA admits that even with manual analysis, only a small fraction of tor users can be exposed. Reference.

  68. Then the game ends and ... by Dabido · · Score: 1

    All your Tails are belong to us - NSA.

    --
    Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)
  69. Re:Anonymous on the internet? by fulldecent · · Score: 1

    Here's the slides (warning TS//) http://apps.washingtonpost.com... They are from 2007, before iPhone came out. Much has changed since then.

    NSA capabilities now include tapping phones of an entire country this is even U// by now https://firstlook.org/theinter...

    Since Tor was identified as interesting in 2007 and since it hasn't died, it is safe to assume efforts are continuing to be applied against it.

    And no, I don't have access to Internet scale data streams here, just using the standard Tor disclaimer at https://www.torproject.org/abo... but even 10 minutes is a long time if you have constant near-realtime communication.

    Of course, Tor would be very effective for messaging services where you send one message and then disconnect!

    --

    -- I was raised on the command line, bitch