The Amnesic Incognito Live System
(Tails) is a specialized live Linux distribution aimed at preserving
the user's privacy and anonymity. It does this job primarily by forcing all
outgoing internet connections to go through the Tor network, and by leaving
no trace on local storage devices unless the user asks for this
explicitly. Tails is the merger of two projects, Incognito LiveCD and
Amnesia. The latest version, Tails 0.7, is built on
top of Debian Squeeze (6.0) and bundles some applications with customized
configurations to protect the user's privacy and anonymity. It can be run as a live distribution from a CD or USB stick.
Tails heavily relies on Tor
for its anonymity, and it gives a warning on its website that Tor is still
experimental software that cannot guarantee strong anonymity. Users that
want to know what they can expect from Tor (and Tails) with respect to
their anonymity are advised to read the About Tor page. Tails 0.7 bundles Tor 0.2.1.30. An additional warning is in order here: Tor does not support IPv6 yet.
When the live CD has booted into the graphical environment, the user is
greeted by a fairly typical GNOME desktop environment, including access to
applications like Gimp, Inkscape, Scribus, OpenOffice.org, Claws Mail,
Iceweasel, Pidgin, Liferea, Audacity, Brasero, and so on. This is not a
bare-bones distribution, but a system you could start working with
Tails gets its security updates from Debian's repositories, but the live CD
doesn't automatically download updates nor alert the user to download
them. So a manual
sudo apt-get update && sudo apt-get upgrade
before each use of the live CD is needed to stay on the safe side, because the distribution doesn't support persistent storage. Of course users could also download a new ISO image from time to time, but that seems like a waste of bandwidth.
The first thing that gives away the goal of this distribution is the Vidalia
window, which is a graphical controller program for Tor that gets started
after the user logs in. It shows the
status of the user's connection to Tor, and has buttons that allow a user
to view a bandwidth graph, a message log, or a map of the Tor network. It
also has a button to start using a new identity for subsequent connections
to make them appear as if they are coming from another computer. Vidalia's GNOME panel also gives access to some settings for Tor, but only advanced users who know what they are doing should change them.
The web browser Iceweasel 3.5.16 has the HTTPS Everywhere extension installed to automatically use HTTPS on many web sites, AdBlock Plus to browse ad-free, CS Lite to control cookie permissions, FireGPG to encrypt webmail messages, FoxyProxy which completely replaces Firefox's limited proxying capabilities, and the Monkeysphere extension to validate certificates via an OpenPGP web of trust. The offline cache and geolocation are also disabled in Firefox to prevent leaks. The latter means that requests from web sites that want to know the user's location are denied.
Out of curiosity, your author tried EFF's Panopticlick, which tests how unique
the user's browser is based on the information it shares with visited web
sites. Surfing to the web site with Iceweasel in Tails gives a slightly
lower number of bits of identifying information, primarily because the
browser has no plugins installed (which can be detected) and hence cannot
expose the presence of Flash or of Java fonts.
also installed, but instead of being used to enable or disable Tor in
Firefox, the Tails developers have customized the extension to enable or
anonymity. When the status bar indicates "Tor enabled", this extra
protection is turned on; when the user toggles the status to "Tor
disabled", the browser still uses Tor but without the additional
protection. As expected, thanks to Tor, surfing on the web in Tails is
noticeably slower compared to a direct connection. A test download of the
Tails ISO image turned out to be roughly four times slower, and complex
sites such as Gmail load noticeably slower too, but it's not unbearable:
it's a price users may be willing to pay to be anonymous.
Tails not only bundles privacy-preserving software and browser extensions, but the developers have also customized the Debian system and pre-configured many of its applications with security in mind. For instance, Tails is protected against memory recovery: on shutdown or when the boot medium is physically removed, the computer's memory is wiped. The process is explained in detail on the wiki. In short: when the memory erasure process is triggered, a new Linux kernel is booted with kexec and all free memory is overwritten once with zeros. This way, each part of the memory is either overwritten by loading the new kernel in it or erased explicitly once the new kernel is loaded.
Tails has configured its firewall to drop incoming packets by default
and to forbid
queries to DNS resolvers on the LAN, as this can result in leaks. DNS
queries go through Tor instead. Automatic media mounting is disabled to protect against vulnerabilities, although the developers still think that manually mounting internal disks may be too easy.
The developers are really serious about security, as you can see on their security page. In the "Probable holes" section, they write:
Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as — at the very least — possible.
They clarify this on the applications audit page:
Any included networked application needs to be analyzed for possible information leakages at the protocol level, e.g. if IRC clients leak local time through CTCP, if email clients leak the real IP address through the EHLO/HELO request etc.
It's interesting to read what they have done to audit some applications and to change their default configuration in Tails appropriately. For instance, thanks to their Claws Mail configuration, the mail client doesn't leak the network's domain in the EHLO command, and HTML rendering is fully disabled. For Iceweasel, they rely on the security measures of the Torbutton extension. And if you're using Pidgin for IRC, CTCP is disabled completely to prevent leaking your local time. Their attention to detail is also visible when Tails is started in a virtual machine: the distribution shows a big warning that the host operating system and the virtualization software are able to monitor what the user is doing.
Users are explicitly encouraged on the web site to contribute to Tails, and
newcomers are not left out in the cold: there's a Git merge policy
like "Documentation is not optional" and "Do not break
the build"), extensive documentation about how to work on the
code, information about the Git repositories, and
there's even a list of easy
tasks on the list of things to do. These tasks do not require deep
knowledge of the Tails internals and should be a good starting point for newcomers to learn how to contribute to the distribution. Tails also has a good relationship with Debian and other upstream projects: it tries to diverge by the smallest possible amount from its upstream projects by pushing their changes upstream. For instance, it contributes to Debian Live on a regular basis.
The project's documentation is extremely comprehensive and in-depth, although sometimes a little out-of-date. Even the release process is spelled out in detail, as well as the tests that the developers try out to see that all programs work as they should. For instance, for Iceweasel they test whether web browsing is really "torified", and whether the exposed User-Agent HTTP header field matches the one that Torbutton generates.
The things to do list on the web site is long and unfortunately not that structured, so it's not easy to see which of these items have priority for the developers, but there's a concise roadmap. The next big feature will be persistence: although Tails is explicitly designed to avoid leaving any trace, in some circumstances it could be interesting to save (some) data, such as GPG/SSH/VPN/OTR configurations, instant messenger and mail user agent configurations, SSL certificates, and so on.
The developers are also working on a better way to install Tails on a USB stick. This is already possible, as Tails ships hybrid ISO images that can be copied using dd to a USB stick, but then the USB stick's content is lost in the operation and the unused storage on the stick is wasted. Also, such a USB stick cannot be used to host both a Tails installation and a persistent storage volume. The developers are evaluating ways to solve this.
The roadmap also lists some unordered goals. One of these is support for other architectures. For now, the Tails live CD image only comes in a 32-bit x86 version. However, the developers are already working on a PowerPC release for pre-Intel Macs. They have already built a PowerPC ISO, but still have to test it. The release candidate of next Tails release will probably have a PowerPC image, to be tested by users. Another goal is a better integration of Monkeysphere for validating HTTPS certificates using the GnuPG web of trust.
There are also some network-related goals. One of these is the support
bridges. Merely trying to use Tor might be dangerous in more
authoritarian countries, as the use of Tor can be detected. With Tor bridges, users may
be able to hide the fact that they are communicating with the Tor network by relaying their Tor traffic through a bridge node which is not listed in Tor's directory. The Tails developers are thinking about adding an option to the boot menu, after which first the connection to the bridge is set up and only then Tor is started, using this bridge.
The project's wish list also mentions the idea of a two-layered
virtualized system, which isolates applications in a virtual machine to
prevent leaking the user's identity due to security holes. The page also looks at Qubes from the Polish security researchers at Invisible Things Lab, which has a similar architecture: it uses Xen to isolate applications in several virtual machines. One proposal on the Tails wiki is to build a next version of Tails on Qubes.
If you don't mind that your internet traffic is being monitored by your internet service provider, the police, or other surveillance agencies, you're not the target user of Tails. However, if you do mind, Tails might be just what you need. The developers have jumped through hoops to be able to preserve the anonymity of their users as best as possible. This distribution is an easy way to use Tor for surfing and it pre-configures a lot of applications so that you have to worry less about accidental information leaks.
Comments (2 posted)
The second (and final) beta release for Mageia 1 (a fork of the Mandriva
distribution) has been announced
the project is looking for lots of testing. "We froze the software
package versions last week. This means that no new, big, upstream code
changes will be accepted in Mageia until our final release in June; then we
will re-open the doors. We will now focus on fixing and reducing our bugs
lists and refining and polishing the user experience.
Comments (none posted)
The Debian News page notes the passing
longtime developer Adrian von Bidder. "Adrian was one of the
founding members and current secretary of debian.ch, he sparked many ideas
that made Debian Switzerland be what it is today. Adrian also actively
maintained software in the Debian package archive, and represented the
project at numerous events. Even to those, who haven't worked with him
directly, he was well known for his sometimes thoughtful, sometimes funny
Comments (6 posted)
Newsletters and articles of interest
Comments (none posted)
Lennart Poettering is back with another edition
of "systemd for Administrators". In it, he outlines some changes to configuration filenames and locations as part of an effort to standardize them across distributions. "Many of these small components are configured via configuration files in /etc. Some of these are fairly standardized among distributions and hence supporting them in the C implementations was easy and obvious. Examples include: /etc/fstab, /etc/crypttab or /etc/sysctl.conf. However, for others no standardized file or directory existed which forced us to add #ifdef orgies to our sources to deal with the different places the distributions we want to support store these things. All these configuration files have in common that they are dead-simple and there is simply no good reason for distributions to [distinguish] themselves with them: they all do the very same thing, just a bit differently.
Comments (51 posted)
on the Nook Color 1.2.0 update. "There's no need
to hack the Nook Color into an Android tablet anymore as B&N is giving out
the power for free. The biggest feature found in the v1.2 firmware update
is the inclusion of Android 2.2. Additionally, alongside this upgraded
operating system, there is yet another mobile app store open for business:
" Nook owners who don't want to wait for the over-the-air
update can update
Comments (none posted)
Michael Reed talks with Ronald Ropp
about his work on wattOS. "From the beginning, my intent for wattOS (which I first released in July 2008) was to create a simple, fast desktop that can leverage the large Debian/Ubuntu knowledge base and repositories. I've tried to keep it somewhat minimal, while being as functional as possible for the average user. I don't want them to have to do a ton of command line work just to do the basics such as web, email, music, video, print, photos, word processing, chat, etc.
Comments (none posted)
Susan Linton shines a
on Toorox. "Toorox is sometimes compared to another Gentoo-based distribution, Sabayon. This comparison may be legitimate on the surface, but differences emerge when looking deeper. Sabayon is indeed based on Gentoo as Toorox, but Sabayon is primarily a binary distribution. Package installation almost always involves installing binary Sabayon packages. While this is convenient and often preferred, Toorox compiles and install software from Gentoo sources. Toorox begins life on your computer as a binary installation with all its advantages, such as fast, easy, and ready at boot, but subsequent package installation compiles source packages. So Toorox is perfect for users that would like a source-based distribution, but don't want the initial time and effort investment. Either over time or with a all-at-once effort, one can fairly easily transform Toorox to a full source install.
Comments (1 posted)
Page editor: Rebecca Sobol
Next page: Development>>