Bug #7076

Warn against plugging a Tails device in untrusted systems

Added by segfault 2014-04-12 16:45:10 . Updated 2015-08-03 03:23:15 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2014-04-12
Due date:
% Done:

30%

Feature Branch:
doc/7076-plug_untrusted
Type of work:
End-user documentation
Blueprint:

Starter:
0
Affected tool:
Deliverable for:

Description

Like mentioned by intrigeri in Bug #7073, users shouldn’t plug their USB stick / SD card in computers running untrusted operating systems, because they could corrupt the tails installation. I think there should be a warning about this in the documentation.


Subtasks


Related issues

Related to Tails - Bug #9116: Document that Tails doesn't protect against BIOS/firmware attacks Resolved 2015-03-26
Related to Tails - Bug #11102: Document how much one effectively trusts non-Tails OS into which one plugs a Tails USB stick Confirmed 2016-02-10

History

#1 Updated by intrigeri 2014-04-12 18:17:43

Agreed. Where would you see it?
On https://tails.boum.org/doc/about/warning/, or elsewhere?

If you’re interested in drafting something, you can start by pasting it here in a comment.

#2 Updated by hyas 2014-06-14 19:57:31

Here is my suggestion:
“Physical media (USB sticks, SD cards) containing Tails shouldn’t be plugged in computers running unreliable operating systems. You should switch the computer off before plugging your device in.”

#3 Updated by BitingBird 2014-06-15 12:53:42

  • Status changed from New to Confirmed

#4 Updated by BitingBird 2014-06-15 12:53:59

Warning sections seems good to me.

#5 Updated by sajolida 2014-06-19 13:28:19

  • Subject changed from Warn about plugging Tails USB stick / SD card in untrusted systems to Warn against plugging a Tails device in untrusted systems

Note that we already have a FAQ about using Tails on a compromised system:

https://tails.boum.org/support/faq/#compromised_system

Of course, the case which is described here is different, but of a related matter. At least the difference is worth being explained well.

If we think it is worth adding an new entry about that in the warning page, then it might be worth being merged with at least the hardware part of that FAQ, and probably explaining than installing Tails from a untrusted operating system is a bad idea as well.

#6 Updated by segfault 2014-07-29 15:07:27

My draft:

Tails device shouldn’t be plugged in computers currently running an untrusted operating system

Plugging your Tails device into a computer currently running a compromised operating system might corrupt the installed Tails, annihilating all the protection Tails provides.
So you shouldn’t use your Tails device in any other way than booting Tails from it.

#7 Updated by sajolida 2014-07-30 08:51:19

  • Assignee set to segfault
  • QA Check set to Info Needed

Thanks for that wording. I’m still wondering where this should go in our website.
I’m still not sure it deserves to be included in the /doc/about/warning page. But I propose we merge this with the current /support/faq/#compromised_system.

Would you interesting in doing that work as well?

I think this question should be restructured to mention

- Compromised hardware (already there)

- Installing from compromised system (to write)
- Plugging Tails on a compromised system (your stuff)

#8 Updated by intrigeri 2014-07-30 09:04:06

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#9 Updated by segfault 2014-08-03 16:24:12

I think this should be included in the warning page. Tails is designed to protect against attackers with extensive capabilities [1], including eavesdropping and software exploitation. So Tails should protect against an attacker who knows you are using Tails [2] and has the capabilities to exploit your usual operating system. An attacker with these capabilities could easily target your usual operating system to corrupt your Tails installation the next time you use your Tails USB stick to transfer some files.

I agree that we should consider carefully what to include in the warnings, because too many warnings could deter users from reading them. That’s why I tried to keep it as short as possible.

[1] /contribute/design/#index9h3
[2] /doc/about/fingerprint/index.en.html

#10 Updated by BitingBird 2015-01-08 04:59:44

  • Assignee deleted (segfault)
  • QA Check deleted (Info Needed)
  • Type of work changed from Documentation to Discuss

segfault proposed a wording, we should discuss it.

#11 Updated by intrigeri 2015-01-08 10:29:53

  • Target version set to Tails_1.3
  • QA Check set to Ready for QA
  • Type of work changed from Discuss to Documentation

#12 Updated by intrigeri 2015-01-14 19:59:12

  • Assignee set to sajolida

#13 Updated by bertagaz 2015-02-09 11:56:51

We acked on having this warning in the warning page during the last February 2015 meeting.

#14 Updated by sajolida 2015-02-19 15:41:08

  • Assignee deleted (sajolida)
  • Target version deleted (Tails_1.3)
  • QA Check deleted (Ready for QA)

That’s not ready for QA as no patch has been submitted.

#15 Updated by BitingBird 2015-02-19 18:45:38

  • Assignee set to BitingBird
  • Target version set to Tails_1.3.2

#16 Updated by BitingBird 2015-03-14 16:16:22

  • Feature Branch set to bitingbird:doc/7076-plug_untrusted

#17 Updated by BitingBird 2015-03-14 16:33:00

  • % Done changed from 10 to 20

Rewrote the whole FAQ section. I think I included all the problems you mentionned. Included segfault’s wording, only changed “annihilating all” to “destroying”.

Please review :)

#18 Updated by BitingBird 2015-03-14 16:33:20

  • Assignee changed from BitingBird to sajolida
  • QA Check set to Ready for QA

#19 Updated by BitingBird 2015-03-14 17:05:51

built and it looks good, btw

#20 Updated by BitingBird 2015-03-19 14:29:02

  • Target version changed from Tails_1.3.2 to Tails_1.4

#21 Updated by BitingBird 2015-04-05 17:49:58

  • Priority changed from Normal to Elevated

I’d like to see this ticket merged before I work on Bug #9116 -> raising priority :)

#22 Updated by sajolida 2015-04-07 14:05:20

  • related to Bug #9116: Document that Tails doesn't protect against BIOS/firmware attacks added

#23 Updated by sajolida 2015-04-07 14:25:38

  • Assignee changed from sajolida to BitingBird
  • QA Check changed from Ready for QA to Dev Needed

Thanks for working on this.

I have a few remarks regarding the methodology:

  • Do atomic commits as much as possible (1 change = 1 commit). You added the last paragraph to resolve this ticket but also inserted many small changes in the upper paragraphs that I find questionable. I would be happy to improve on the last paragraph only but I won’t do that based on such a big commit that includes stuff that I don’t like.
  • Limit each sentence to less than 25 words. See the golden rules of GDSG: <https://developer.gnome.org/gdp-style-guide/2.32/gdp-style-guide.html#fundamentals-2>. For example, you merged two small sentences in the first paragraph to create one of 32 words.
  • Don’t change the original text unless you have a good reason to do so (and justify this in your commit message) as it breaks translations. Always ponder improving the English with degrading all translations. Atomic commits make it easier to debate on those improvements.
  • Limit rewrapping as it makes it harder for me to review your changes and for you to do atomic commits.

Then about the content:

  • bertagaz said in https://labs.riseup.net/code/issues/7076#note-13 that this should go into a dedicated warning on the warning page.
  • Since we’re going this way, I would like it to be better structured to differentiate hardware (and firmware) compromission and software (untrusted OS) at install time and when plugging a USB. You shoulud probably solve Bug #9116 in the same branch as this one as this will make more sense to this structure. Right now your text mixes both things: it starts discussing software issue, then hardware, and then software again. Maybe adding small titles or bullet points could help make this better structured.

So could you please start again from the original text, move it to the warning page, reinsert your changes one by one (taking into account the methodology points above), and try to restructure the whole thing to differentiate software and hardware issues?

#24 Updated by BitingBird 2015-05-08 23:16:07

  • Assignee changed from BitingBird to intrigeri
  • QA Check changed from Dev Needed to Ready for QA

I ended up working on Bug #7076, Bug #9116 and Bug #8993 together.

I didn’t touch the FAQ, just added a link to the warnings. I created two new warnings (at the beginning, because afterwards it speaks more about network issues). The first warning is about compromized hardware/BIOS/firmware, the second warning is about compromissions from an untrusted system (install + by plugging in), with a link to the FAQ. It’s not atomic commits, but I didn’t touch the existing tex, this time :)

Built, looks good. Please review :)

#25 Updated by BitingBird 2015-05-08 23:20:29

  • Assignee changed from intrigeri to sajolida

#26 Updated by BitingBird 2015-05-09 03:53:26

  • Target version changed from Tails_1.4 to Tails_1.4.1

#27 Updated by sajolida 2015-05-20 14:26:33

  • Assignee changed from sajolida to BitingBird
  • QA Check changed from Ready for QA to Dev Needed
  • Feature Branch changed from bitingbird:doc/7076-plug_untrusted to doc/7076-plug_untrusted

Thanks for working on this, it looks good :)

  • I’m worried about keeping this partly duplicated between support/faq#compromised_system and the warning page. Both sections now have the same anchor and cover complementary topics. Do you think we could move what’s still relevant from the FAQ into the warning and remove the FAQ section? This would help you resolve something I find ambiguous in the sentence “Tails can not be compromised by a virus in your usual operating system”.

Here are a few suggestions for improvements:

  • In English typography it is usual to add “serial commas” before the conjunction of an enumeration. See Chicago Manual of Style, 6.18 (Seria commas).
  • Why did you put those as the first warnings on the page? I guess you had a good reason to do so but I’m worried about jargon such as “BIOS” and “firmware” being introduced in the first section of that page. That might put off people who don’t understand these words and make them less willing to read the rest.
  • I’m also wondering how we could improve on the part that says “in practice they function like hardware” which I find hard to comprehend. Especially since we’ve seen in the recent BIOS attacks that some BIOS and firmware can be modified through software from the operating system. That’s still not the case for hardware :)
  • We should be careful every time we use the pronouns ‘it’, ‘that, ’these’, etc. as they are often ambiguous. More than once people from the team misunderstood what I meant to refer to and correct me when I thought that my use of such a pronoun was unambiguous. In your warning I would try to clarify at least “it might be corrupted” which could refer to “Tails” or “system”.
  • We usual avoid the term “boot” (see Apple).

Meta:

  • Make sure to base your future work on the branch on origin.
  • Know that you’re a Git expert, I recommend you to activate colors in your diff. This will help you spot trailing spaces (see commit:3e03809). To do so, add to following to your `.gitconfig`:
[color]
        branch = true
        diff = true
        decorate = true
        grep = true
        interactive = true
        pager = true
        showbranch = true
        status = true
        ui = true

#28 Updated by BitingBird 2015-05-20 17:41:56

I added it before the other warnings because it’s local, and all others were through the network (so this one also applies for offline usecase, not the others) (although, after a second look, “Tails does not encrypt your data by default” should come first in this logic). Another logic might work too, where would you see it? Actually, I was not very sure what was the current logic of the page.

You forgot a word (“be”) when rewritting:
- keylogger), then it might not be safe to use Tails.
+ keylogger), then it might unsafe to use Tails.

You also simplified “currently running a compromised system”, but I left it to differenciate between virus on not-used system and virus on running system. It’s not always very clear for users…

I was not happy at first about the separation, but OTOH what I left in the FAQ is not a warning, it explains a non-risk. I linked each one from the other, so I liked the split, but of course it’s always weird to split information about close topics.

I’ll work on the rest in the next days :)

Thanks for the review, it was a big one!

#29 Updated by sajolida 2015-05-21 11:09:58

> I added it before the other warnings because it’s local, and all others were through the network (so this one also applies for offline usecase, not the others).

Ok, and the warning about “not install Tails from an untrusted operating
system” applies at installation time so it make sense to have it first.

The current order of the warning page has no particular logic so we only
need to be careful about improving (and there’s a lot of to improve
upon). But I’m convinced now that we can leave this one as the first one
and it’s not going to degrade stuff.

> You forgot a word (“be”) when rewritting:

Fixed in 8cbae28, thanks for the careful review :)

> You also simplified “currently running a compromised system”, but I left it to differenciate between virus on not-used system and virus on running system. It’s not always very clear for users…

Ah, sorry! I understand now. But read on, as I think this could be
clarified even better.

> I was not happy at first about the separation, but OTOH what I left in the FAQ is not a warning, it explains a non-risk. I linked each one from the other, so I liked the split, but of course it’s always weird to split information about close topics.

I think we can do better and maybe solve some other of my concerns by:

  • Having this as the first warning on the page but only as one warning
    with three subsections: “software”, then “hardware”, then “firmware”.
  • When explaining “software”, make it clear that Tails runs
    independently from the OS installed on the computer. So you’re protected
    from viruses in your OS when starting from Tails. But you are not when
    installing Tails from your OS or plugging your Tails device in your OS
    while it runs. (That would merge both the FAQ and your warning). Maybe
    this clarifies both the “virus” thing that I pointed out and the
    clarification about “currently running a compromised system” that you
    were worried about.
  • It might be easier to explain “firmware” after “software” and
    “hardware” as other special category which is somehow between the two.
    I’d prefer having hardware and firmware after because it’s probably less
    frequent than having a Windows virus and it’s not something people can
    really act upon and do something to detect or solve (it’s only good to
    know).

> Thanks for the review, it was a big one!

For sure :)

#30 Updated by sajolida 2015-06-10 10:32:35

According to external experts, the current wording still sort of speaks to the incorrect notion that physical access is needed for attacks to take place. We shouldn’t instead consider firmware as “hardware” and actually more like “software” since recent attacks proved that it can suffer from the same software flaws (it can be updated, infected, etc.).

We should also consider recommending using Tails on a dedicated machine. Since a fat OS is more likely to be the target of firmware attacks. If Tails is run from a dedicated machine these attacks are less likely.

#31 Updated by sajolida 2015-06-10 11:42:49

Also, as a consequence advertising “Don’t leave your hardware unattended” like in Bug #9116 is not enough to protect from firmware attacks as shown lately.

#32 Updated by BitingBird 2015-06-29 01:30:16

  • Target version changed from Tails_1.4.1 to Tails_1.5

#33 Updated by BitingBird 2015-07-04 10:22:47

  • Assignee changed from BitingBird to sajolida
  • % Done changed from 20 to 30
  • QA Check changed from Dev Needed to Ready for QA

Separated the BIOS/firmware part. Do you like it better ?

#34 Updated by sajolida 2015-08-01 10:07:56

  • Assignee changed from sajolida to BitingBird
  • Priority changed from Elevated to Normal

Yes, I do. We’re almost there!

I pushed a bunch of minor improvements with 7185b7c..ad8abd0. Please have a look :)

  • I liked commit 981713a. It feels good to see people improving my
    writing. Note that we’re not on a crusade against gerund forms but
    limiting them is good as for example here it takes out several
    words.
  • Note that you didn’t merge the changes I pushed to master before working
    again on your branch. For example, I improved a sentence that you improved
    again (in different ways) and that created a conflict but no big deal.
  • I’m still not convinced by the split between the FAQ and the warning,
    especially since people are supposed to read the warning (but not so much the
    FAQ). It’s good to scare them but not too much :) Still, I’m OK with merging
    this as it is and consider that this should be dealt with as part of Feature #9814.

Anyway, once you give me the green light I’ll merge all this at last!

#35 Updated by sajolida 2015-08-01 10:10:17

Ah, and let me mention the most controversial part of this in a comment to let the other Redmine freaks know. I added a link to the LegbaCore video with commit 8cb6adc. I think it’s cool to see stuff in action even more when it’s scary :)

#36 Updated by BitingBird 2015-08-02 13:43:59

  • Assignee changed from BitingBird to sajolida
  • QA Check changed from Ready for QA to Pass

I liked your changes. Please merge :)

#37 Updated by sajolida 2015-08-03 02:42:30

  • Status changed from In Progress to Resolved
  • % Done changed from 30 to 100

Applied in changeset commit:73d1fedd8a08dc6975a3d85bed3ad00db086fb35.

#38 Updated by sajolida 2015-08-03 02:42:55

  • Assignee deleted (sajolida)
  • % Done changed from 100 to 30

Merged. High five! I’ll write something to LegbaCore as well.

#39 Updated by BitingBird 2015-08-03 03:23:15

Youhou !!!

#40 Updated by segfault 2016-02-11 21:15:12

  • related to Bug #11102: Document how much one effectively trusts non-Tails OS into which one plugs a Tails USB stick added