For Your Eyes Only: Online Privacy
Tools for The Resistance (TAILS, Thunderbird, GPG and KeepassX)
The year was 2013, and Edward Snowden had released his documents to the world detailing the full scope of the NSA’s collect (and archiving of said collect) on the American people. I had worked for the NSA for just a bit over four years; I knew their capabilities were vast, but I had no idea that they were being leveraged to collect US citizens’ communications on such a massive scale. I had been in exclusively foreign-facing shops/offices where we would look at foreign nationals’ communications. I was shocked. I had always been told in the annual trainings and by everyone at the Agency that US collect had to be approved by a FISA court to happen; well, it turns out that was only half the truth. The collect was already happening on a large scale, and FISA was more to look at what was collected, more of a formality. Most of the collect was covered under “incidental collect”, a kind of catch-all term for things that aren’t supposed to be collected but accidentally are. In the case of US surveillance I think that was “accidental” collect to cover their asses.
These revelations were the impetus to start researching privacy and anonymity tools. I already knew some tools to use from my time at the Agency, but it was time to get serious about it and take it to the next level. Ever since then I have been researching, reading, testing and working to ensure I am as secure as possible online. I began by looking into Linux; I had dabbled a bit in the past, but I started seriously using it in mid-2014. By 2015 I was using Linux as my daily OS on all of my machines. While this was an important step, there was still more I had to do.
Around the end of 2014 I started seriously looking at TAILS, researching it and testing it. It was a one-off distro, having all the tools I could hope for: OpenSSL, GPG, KeepassX, MAT (for scrubbing metadata). In the following piece I will walk you through some of the basic steps to set up TAILS and some of the tools that it offers.
I was working recently with Brooke Binkowski of Snopes and we were discussing setting up TAILS for reporters that worked with her, so I offered to write a fairly simple guide to using TAILS and a few of the included tools (KeepassX and GPG keys) in order to help them set up TAILS installs. As this will be useful for more people than just Snopes journalists, I am publishing it here so people have a quick guide to get them started.
Before we begin, let me show you a basic write-up of TAILS taken from https://tails.boum.org/about/index.en.html (I would recommend you read the entire write-up yourself):
“Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.
Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc.”
Downloading, installing and setting up TAILS.
Go to https://tails.boum.org/ to download and install TAILS. Firefox is what I recommend, as TAILS has an add-on to verify the SHA signatures of the ISO.
https://rufus.akeo.ie/ for Windows: allows you to write TAILS to a USB stick.
These are the 2 URLs you need to get the software tools you need; next come the physical tools.
You actually need 2 USB sticks to properly install TAILS: one to write the ISO to from your regular OS, and a 2nd to clone TAILS onto using the first. This is a security precaution. If you do not follow this you will still be able to use TAILS, but you will not be able to set up an encrypted persistence to store files on.
I recommend SanDisk USB sticks; I have never had a problem with one, and in my experience they are incredibly durable. 8GB is the minimum I would use, but if you plan on using it regularly I would highly recommend investing in a larger one in addition to the smaller one; they have up to 256GB versions that are USB 3.0 (helps improve performance).
Another option for the very paranoid (such as myself) is a hardware-encrypted USB drive; Corsair Padlock and Apricorn Aegis are 2 solid options. The issue with those is that they need to be unlocked before plugging in and booting, and they lose power during boot and have to be unlocked again. These are relatively small inconveniences when compared to the actual security benefits of the drives themselves.
Once you have the tools mentioned above you can begin.
1: Plug your initial USB drive in; this should be your smaller one (if you have 2 of different sizes). Open up Rufus, which can be done by navigating to Downloads (or wherever you saved the file) and double clicking to open it. Once open you should see your USB drive automatically selected in the top box; nothing needs to be changed in any of the top boxes.
2: Once open you will see an icon on the right side that looks like a disk on top of a box (it represents a disk drive, I believe). Hover over it with your mouse once you find it and it will say “Click to select an image”. Click and navigate to your ISO file; usually it will be under Downloads, and on Windows you can see that in the left pane of Explorer. Single click to select and hit Open.
3: Once you have selected the image, Rufus will be ready to write the ISO to your USB stick, so hit Start and wait for it to finish. Once the ISO is finished writing it is safe to remove the USB drive.
4: Google how to boot from a USB drive on your computer; usually it will be hitting a key during boot to bring up a boot menu where you can select a boot device. Usually it’s an F key (F1, F2, etc.).
5: Once you figure out how to boot from a USB it’s time to install TAILS on your second USB drive (ideally the larger drive). Insert the USB drive that you wrote TAILS to and boot the computer while rapidly hitting the F key you determined earlier would bring up a boot menu. Once you bring up the boot menu, select your USB drive using the arrow keys and hit Enter.
6: Once you see the boot menu, select TAILS and hit Enter (it should be automatically selected anyway, but make sure). This will begin the boot process.
***NOTE: For hardware-encrypted USB stick users, this is the point where you need to fairly quickly unlock your drive again, so keep that in mind.***
7: If all goes well you should see the TAILS greeting menu. As this is an intermediate install you won’t have access to the Persistence feature. This is the way TAILS works: you burn the ISO from an untrusted source and then the TAILS Installer securely installs TAILS to another USB drive.
8: Once you are in TAILS, plug in your second USB drive. Then hit the Windows key (not sure what the equivalent key on Macs is, as I don’t use Macs); this will bring up a search menu. Type TAILS and you will see an option for TAILS Installer. Select that option and it will bring up the installer. You will see 3 options; you want to select “Install by cloning”. Ensure your second USB drive is selected, then install. It will take a few minutes and will alert you once the install is complete.
9: After you get TAILS written to your USB drive, remove the first and boot to the second USB drive. Once you are in TAILS again it is time to set up your persistence (if you would like one). Hit the Windows key again and type persistence; you will see an option to configure persistence. Select that option and select a passphrase, ideally a mix of 10+ alphanumeric characters and symbols. Once you select a passphrase it will give you options on what to save; I select everything. Once that is set up it will tell you any changes will not be saved until you restart.
10: Once you restart you will see the option to unlock persistence. Type in your passphrase and select Unlock. Once you unlock it you will be ready to start using TAILS.
After you start using TAILS there are some things you need to keep in mind. TAILS is a great way to obfuscate your identity and location, but it is neither foolproof nor the end-all-be-all of anonymity/security. If you want to stay anonymous, NEVER log into personal accounts of any sort; create TAILS/Tor-specific accounts and keep them isolated to TAILS or Tor. Ideally, if you need an account that requires a phone #, get a prepaid burner phone. You can use Google Voice as well for a lot of things, but that’s traceable to a state-level actor with a warrant if Google co-operates with said warrant. Another tip for preserving anonymity is to NEVER share personal information; that can be used to determine who you are if you share enough.
Tutanota and Protonmail are solid choices for email in TAILS. Riseup is in some ways a better option: you can generate GPG keys for the email account and use Thunderbird to encrypt your emails, and hold the keys yourself rather than let a provider hold them. The included password manager KeepassX is fantastic; you can generate long, complex and cryptographically sound passwords and store them easily. If you absolutely must post pictures, video or other media, there is a program called MAT (Metadata Anonymisation Toolkit) that will scrub identifying metadata. All you do is open MAT, select the file you want to scrub and then clean it (if it’s not cleanable, seriously consider not posting it). That’s the basic rundown of TAILS and some of the tools that can help protect you.
One final important note:
Anything you wish to save, make sure it is saved in the folder named Persistent or Tor Persistent; anything else will be lost. GPG keys and login info for Pidgin will be saved automatically.
Generating, setting up and using GPG keys
Here is a quick and dirty rundown on generating GPG keys. GPG is a very secure public/private key system for encrypting emails and other text/files. I am using the terminal generation method as it allows you to generate a 4096-bit key; Enigmail does not allow you to.
1: First off you want an email that you are able to set up in Thunderbird, from a provider that won’t read your emails or spy on you (looking at you, Google). For this I recommend Riseup, an activist-run and activist-focused email service.
2: Once you have your Riseup account it’s time to generate your keys. For this we need to open the terminal: press your Windows key and start typing terminal; you will see it pop up, click it.
3: Once in your terminal it is time to generate your key. Type gpg --full-gen-key
This will bring the full key generation dialogue up, it’s not a difficult process but there are a few steps involved.
4: Select 1 for RSA and RSA; this is the default option, and both RSA and RSA and DSA and Elgamal offer the same level of protection. So for my keys I use RSA.
5: For the next step type in 4096 and hit enter; this specifies you want a 4096-bit key, the most secure option available.
6: This next option is up to you, but I always select 0, key never expires. Confirm this with y and then enter.
7: Now it is time to enter your name (real or not is up to you) and hit enter, then enter your email address and again hit enter. Now you can enter a comment if you so desire. After you are done with all that you again hit enter. Then o for okay.
8: Now it’s time to generate a passphrase for your key. I would recommend generating one in KeepassX, 100+ characters and symbols. Once you have done that, copy and paste the password into the dialogue box and select OK. The key will then generate.
Congratulations, you have now created a GPG key pair! Now you need to set it up in Thunderbird, which I will explain in the next section.
Setting up Thunderbird w/ GPG key and email
1: Set up your email in Thunderbird (Riseup has tutorials for that). Basically, on first run Thunderbird will ask you to create an email account, but you will see a “skip this and use my own email” option. Select that, then enter your email/password combo and select IMAP or POP (I use IMAP personally).
2: Once you are in your email and can receive email, click on the 3 horizontal lines in the top right of Thunderbird. You should see an Enigmail option; select the arrow next to it, then the Key Management option. Ensure your key shows up; if not, select File and then Reload Key Cache and it should show up then.
3: Once you ensure your key is there, click on your email name in the left pane of the window; it should bring up a bunch of options. Select View Settings For This Account and then OpenPGP Security. Once there, check Enable OpenPGP, select specific key and then select your key.
Once you are done with all that you are ready to email using GPG. Any time you send or receive a GPG-encrypted email you will need to enter your passphrase. One thing I recommend doing is going to Enigmail, Key Management and exporting your GPG key to the Persistent folder (public and private/secret keys), just in case.
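As an added example (not part of the original guide), here is a small POSIX shell script that does the two checks a practitioner would want after the key-generation and export steps above: it reads gpg’s machine-readable --with-colons output to confirm the key really is RSA, 4096 bits and never expires, then exports the armored public and secret keys into the Persistent folder. The function names and the ~/Persistent default path are my assumptions; the colon-field layout is GnuPG’s documented --with-colons format.

```shell
#!/bin/sh
# Colon-format "pub:" record fields (gpg --with-colons --list-keys):
#   1 record type, 3 key length in bits, 4 algorithm id (1 = RSA),
#   5 key id, 6 creation time, 7 expiry time (empty = never expires).
# check_key_record prints a verdict and returns 0 only if the key matches
# the guide's recommendation: RSA, 4096 bits, no expiry.
check_key_record() {
    printf '%s\n' "$1" | awk -F: '
        $1 != "pub"   { print "not a pub record"; exit 1 }
        $4 != "1"     { print "algorithm id " $4 " is not RSA"; exit 1 }
        $3 + 0 < 4096 { print "key length " $3 " is below 4096"; exit 1 }
        $7 != ""      { print "key expires (epoch " $7 ")"; exit 1 }
        { print "OK: RSA-" $3 " key " $5 ", never expires" }'
}

# Look up a key by e-mail address or key id in the local keyring and
# check its first "pub:" record. (Assumed helper name.)
verify_key() {
    rec=$(gpg --with-colons --list-keys "$1" 2>/dev/null | grep '^pub:' | head -n 1)
    [ -n "$rec" ] || { echo "no public key found for $1" >&2; return 1; }
    check_key_record "$rec"
}

# Export armored public and secret keys to the Persistent folder, which is
# what the guide recommends doing from Enigmail's Key Management. The secret
# key export prompts for your passphrase; the file is made owner-readable only.
export_keys() {
    dest="${2:-$HOME/Persistent}"       # assumed default location in TAILS
    mkdir -p "$dest"
    gpg --armor --export "$1" > "$dest/$1.pub.asc"
    gpg --armor --export-secret-keys "$1" > "$dest/$1.sec.asc"
    chmod 600 "$dest/$1.sec.asc"
    echo "exported public and secret key for $1 to $dest"
}

# Usage: ./gpgcheck.sh you@riseup.net
[ $# -eq 0 ] || { verify_key "$1" && export_keys "$1"; }
```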
Setting up and using KeepassX effectively
When you are in TAILS, hit your Windows key and start typing KeepassX; once you can see it, click on it or hit enter. This will open up KeepassX and you can begin.
1: Select a passphrase. I recommend at a minimum a 10-character password including letters, numbers and symbols. This will make it harder to guess your password and will make a dictionary attack useless.
2: Once you have selected a password and are in KeepassX you can start using it.
3: You can use the Root folder to store all your passwords and usernames.
4: If you want to make separate folders (i.e. Social, Email, etc.), select the Root folder on the left, then select Group in the top bar and you will see Create Group. You can name it and add notes in this screen. Once you are done you can select OK and your group will be created.
5: Once you have all your groups set up you can move on to creating individual entries. To do that you will see a key with a green arrow in the top bar. Click that and you will be able to set a title, username, generate a password and add notes. Most of the fields are self-explanatory; the one that is a bit different is the Gen. field. This is used to generate passwords, and the eye symbol above it shows the password you are generating. I’ll explain generating a password in the next step.
6: Password generation is simple. Click Gen and it will open up a menu to generate a password. I recommend that when you generate a password you have all the fields selected, including special symbols. You will be able to see them under Character Types. You will see a number in a box to the right of those; that is how long the generated password will be. I recommend 50-character passwords for most things. For GPG keys I recommend 150+.
7: Once you add your username, title, URL and any notes you may want, and generate your password, hit OK in the bottom right and it will be generated and saved.
8: Once you have your KeepassX database set up it’s time to save it. Once you select Save you will see a window not too unlike the Windows save dialog. You will see a folder called Persistence. Double click that, name the database and save it. Take care to never forget the password to your database; there is no recovering your information if you do.
TAILS is not really a distro that you want to log into your personal email or pay bills with. TAILS is meant to make you as anonymous as possible online. You should have new accounts that exist only on TAILS. This is something that would be particularly helpful to people living under hostile regimes, journalists, activists, whistleblowers, and people who are worried their views might make them into a target, such as alt accounts. Just remember TAILS is not an end-all-be-all (there is no magic bullet), but it is a fantastic tool to help you keep yourself anonymous and safe online.