Document how much one effectively trusts non-Tails OS into which one plugs a Tails USB stick
As stated on https://mailman.boum.org/pipermail/tails-dev/2015-July/009234.html, about Hacking Team bits about Tails:
> o Infecting USB device which appears to be a bootable disk (Antonio + Giovanni)
>   § It will drop (release) the scout, then it will run a wipe.
Seems to be the same, but from a running and already infected non-Tails OS, when a Tails USB stick is plugged into it. That’s more concerning. We should check if we’re communicating clearly enough that:
- the OS used to install or upgrade a Tails device can corrupt it
- plugging one’s Tails device in an untrusted OS is dangerous
I constantly run into Tails USB sticks that have “hidden” files that indicate they have been plugged into Windows or OSX machines. Maybe I mostly run into users who don’t care about security (I doubt it), maybe we don’t do a good job at the 2nd point.
The 1st point became slightly more important now that we distribute Tails Installer outside of Tails: the Tails filesystem is mounted for several minutes during the installation process, which gives the attacker more time (and a nicer environment) to corrupt stuff than when doing a mere block copy (
Setting priority >> normal, since it’s not a theoretical threat: the Hacking Team documents drop tells us that actual attackers are on it.
|Related to Tails - Feature #8845: Give some love to our warning page|Confirmed|2015-02-03|
|Related to Tails - Bug #11137: Try to detect/warn in greeter if user has plugged tails device into untrusted system|In Progress|2016-02-18|
#4 Updated by sajolida 2016-02-12 18:26:28
Regarding “plugging one’s Tails device in an untrusted OS is dangerous” I think that the only thing we have is /doc/first_steps/persistence/warnings#index6h1. Maybe this could be a candidate for Feature #8845.
Regarding “the OS used to install or upgrade a Tails device can corrupt it”, I think that on top of documenting this as a possibility, I’m more interested in moving towards Feature #7499 and making it so Tails only gets upgraded from Tails (and possibly discouraging or preventing upgrading from outside of it). At least that’s the security process that we had in mind when designing /upgrade and thus doubting about documenting anything else (for example Feature #10884).
#6 Updated by intrigeri 2016-02-13 01:09:59
> Regarding “the OS used to install or upgrade a Tails device can corrupt it”, I think that on top of documenting this as a possibility, I’m more interested in moving towards
Cool! Let’s keep in mind that Feature #7499 (and its Feature #5981 predecessor) have been around for years, with nobody putting serious work into it (and while it’s on our roadmap for this year, I see no complete team to work on it), so I would not count on it to address a security threat that actual adversaries are apparently exploiting already. So I’m glad that you mention “on top of documenting this” :)