Discussion:
SecureDrop and tails vs Qubes
Loic Dachary
2017-12-13 09:06:30 UTC
Hi,

It was suggested to launch a thread (https://labs.riseup.net/code/issues/15052#note-3) about the reasons why SecureDrop is working on a Qubes based workstation for journalists as an alternative to using an airgap tails. Conor & Jen are cc'ed so they can comment on this.

First of all this is not something new: people asked for it long ago but Qubes was not mature enough. The upcoming Qubes version 4 changes that and motivated new development in the SecureDrop team. As a result of this effort, started a few months ago, the pros and cons of using tails vs Qubes appear more clearly. IMHO the most prominent ones are:

* Qubes is not amnesic and the user can customize it more easily than Tails
* Tails is amnesic, usable with an airgap workstation and more secure than Qubes
* Adding a software distribution channel to a Qubes workstation is easy while creating and distributing tails derivatives is challenging and discouraged
* Tails is already mature while Qubes reaches maturity in 2018
* Qubes is based on Xen and runs on a limited range of hardware compared to tails

On a personal note I'd like to work on improving the tails experience for all existing SecureDrop users. Migrating to Qubes or not will eventually be their decision, they won't be forced. In 2018 there will be a significant SecureDrop effort to improve the tails journalist user experience.

Cheers
--
Loïc Dachary, Artisan Logiciel Libre
sajolida
2017-12-14 10:31:00 UTC
Post by Loic Dachary
It was suggested to launch a thread
(https://labs.riseup.net/code/issues/15052#note-3) about the reasons
why SecureDrop is working on a Qubes based workstation for
journalists as an alternative to using an airgap tails. Conor & Jen
are cc'ed so they can comment on this.
Thanks for starting this discussion!
Post by Loic Dachary
First of all this is not something new: people asked for it long ago
but Qubes was not mature enough. The upcoming Qubes version 4
changes that and motivated new development in the SecureDrop team. As
a result of this effort, started a few months ago, the pros and cons
of using tails vs Qubes appear more clearly.
NB, Conor's talk at LibrePlanet 17 which explains this in detail already:

https://media.libreplanet.org/u/libreplanet/m/securedrop-leaking-safely-to-modern-news-organizations/

Given that Tails will probably remain relevant in the SecureDrop
ecosystem for a while (for example on the source's side), my intention
with this thread is to:

* Have more feedback from SecureDrop about the Tails in general,
hopefully opening communication channels that can be fruitful for the
future. I don't remember much discussion on public channels between
Tails and SecureDrop in the past.

* Understand what Tails should do to be more relevant in similar
contexts ("Tails for journalists and their sources").
Post by Loic Dachary
IMHO the most prominent ones are:
* Qubes is not amnesic and the user can customize it more easily than Tails
* Tails is amnesic, usable with an airgap workstation and more
secure than Qubes
* Adding a software distribution channel to a Qubes workstation is
easy while creating and distributing tails derivatives is
challenging and discouraged
I agree with "challenging". I partly disagree with "discouraged".

Sure, we've been discouraging people to shoot themselves in the foot by
customizing Tails to the point of breaking it.

But we're also aware of the need for more customization and flexibility
within Tails and have made steps in this direction:

- We published a statement in 2015 on how Tails derivatives should
work and how to collaborate:

https://tails.boum.org/contribute/derivatives/

- We got funding this year to work on better support for storing
additional software in persistence which is so far only possible from
the command line and not on air-gapped machines:

https://labs.riseup.net/code/issues/14568

- We documented how to configure additional APT repositories:

https://tails.boum.org/doc/advanced_topics/additional_software/
Post by Loic Dachary
* Tails is already mature while Qubes reaches maturity in 2018
* Qubes is based on Xen and runs on a limited range of hardware compared to tails
On a personal note I'd like to work on improving the tails
experience for all existing SecureDrop users. Migrating to Qubes or
not will eventually be their decision, they won't be forced. In 2018
there will be a significant SecureDrop effort to improve the tails
journalist user experience.
I'd be interested in hearing Jen and Conor's take on this.
Would it make sense to have two options for the journalist workstation?
And I would totally understand if it doesn't make sense for them :)
Loic Dachary
2017-12-14 11:11:47 UTC
Post by sajolida
Post by Loic Dachary
It was suggested to launch a thread
(https://labs.riseup.net/code/issues/15052#note-3) about the reasons
why SecureDrop is working on a Qubes based workstation for
journalists as an alternative to using an airgap tails. Conor & Jen
are cc'ed so they can comment on this.
Thanks for starting this discussion!
Post by Loic Dachary
First of all this is not something new: people asked for it long ago
but Qubes was not mature enough. The upcoming Qubes version 4
changes that and motivated new development in the SecureDrop team. As
a result of this effort, started a few months ago, the pros and cons
of using tails vs Qubes appear more clearly.
https://media.libreplanet.org/u/libreplanet/m/securedrop-leaking-safely-to-modern-news-organizations/
Given that Tails will probably remain relevant in the SecureDrop
ecosystem for a while (for example on the source's side), my intention
* Have more feedback from SecureDrop about the Tails in general,
hopefully opening communication channels that can be fruitful for the
future. I don't remember much discussion on public channels between
Tails and SecureDrop in the past.
* Understand what Tails should do to be more relevant in similar
contexts ("Tails for journalists and their sources").
Post by Loic Dachary
IMHO the most prominent ones are:
* Qubes is not amnesic and the user can customize it more easily than Tails
* Tails is amnesic, usable with an airgap workstation and more secure than Qubes
* Adding a software distribution channel to a Qubes workstation is
easy while creating and distributing tails derivatives is
challenging and discouraged
I agree with "challenging". I partly disagree with "discouraged".
I meant to say I was discouraged by https://tails.boum.org/contribute/derivatives/ not that Tails discourages it, sorry about that. My hunch is that it would take me at least three months full time to come up with a derivative addressing all problems (i.e. security releases, quality assurance process, automatic upgrades, ...). And most likely another three months before recommending that someone uses it for real. This is taking into account that I have experience with packaging, Q/A automated or manual and release management.

How far am I from reality?
Post by sajolida
Sure, we've been discouraging people to shoot themselves in the foot by
customizing Tails to the point of breaking it.
But we're also aware of the need for more customization and flexibility
- We published a statement in 2015 on how Tails derivatives should
https://tails.boum.org/contribute/derivatives/
- We got funding this year to work on a better support for storing
additional software in persistence which is so far only possible from
https://labs.riseup.net/code/issues/14568
https://tails.boum.org/doc/advanced_topics/additional_software/
Post by Loic Dachary
* Tails is already mature while Qubes reaches maturity in 2018
* Qubes is based on Xen and runs on a limited range of hardware compared to tails
On a personal note I'd like to work on improving the tails
experience for all existing SecureDrop users. Migrating to Qubes or
not will eventually be their decision, they won't be forced. In 2018
there will be a significant SecureDrop effort to improve the tails
journalist user experience.
I'd be interested in hearing Jen and Conor's take on this.
Would it make sense to have two options for the journalist workstation?
And I would totally understand if it doesn't make sense for them :)
--
Loïc Dachary, Artisan Logiciel Libre
u
2017-12-14 12:00:00 UTC
Hi!
Post by Loic Dachary
Post by sajolida
Post by Loic Dachary
It was suggested to launch a thread
(https://labs.riseup.net/code/issues/15052#note-3) about the reasons
why SecureDrop is working on a Qubes based workstation for
journalists as an alternative to using an airgap tails. Conor & Jen
are cc'ed so they can comment on this.
Thanks for starting this discussion!
Given that Tails will probably remain relevant in the SecureDrop
ecosystem for a while (for example on the source's side), my intention
* Have more feedback from SecureDrop about the Tails in general,
hopefully opening communication channels that can be fruitful for the
future. I don't remember much discussion on public channels between
Tails and SecureDrop in the past.
* Understand what Tails should do to be more relevant in similar
contexts ("Tails for journalists and their sources").
Post by Loic Dachary
IMHO the most prominent ones are:
* Qubes is not amnesic and the user can customize it more easily than Tails
* Tails is amnesic, usable with an airgap workstation and more secure than Qubes
* Adding a software distribution channel to a Qubes workstation is
easy while creating and distributing tails derivatives is
challenging and discouraged
I agree with "challenging". I partly disagree with "discouraged".
I meant to say I was discouraged by https://tails.boum.org/contribute/derivatives/ not that Tails discourages it, sorry about that. My hunch is that it would take me at least three months full time to come up with a derivative addressing all problems (i.e. security releases, quality assurance process, automatic upgrades, ...). And most likely another three months before recommending that someone uses it for real. This is taking into account that I have experience with packaging, Q/A automated or manual and release management.
Creating a derivative does not only involve creating the derivative, but
maintaining it. As you might know, we release Tails every 6 weeks, based
on the TorBrowser & FF ESR schedule.

I believe that this is not necessarily the way to go. Instead, it would
be useful to know what SecureDrop is missing in Tails that it finds in
Qubes, and how this might be addressed. So instead of creating a
derivative, it seems more interesting to me at first sight to try to
contribute improvements to Tails.

Cheers!
u.
Loic Dachary
2017-12-14 12:31:10 UTC
Post by u
Hi!
Post by Loic Dachary
Post by sajolida
Post by Loic Dachary
It was suggested to launch a thread
(https://labs.riseup.net/code/issues/15052#note-3) about the reasons
why SecureDrop is working on a Qubes based workstation for
journalists as an alternative to using an airgap tails. Conor & Jen
are cc'ed so they can comment on this.
Thanks for starting this discussion!
Given that Tails will probably remain relevant in the SecureDrop
ecosystem for a while (for example on the source's side), my intention
* Have more feedback from SecureDrop about the Tails in general,
hopefully opening communication channels that can be fruitful for the
future. I don't remember much discussion on public channels between
Tails and SecureDrop in the past.
* Understand what Tails should do to be more relevant in similar
contexts ("Tails for journalists and their sources").
Post by Loic Dachary
IMHO the most prominent ones are:
* Qubes is not amnesic and the user can customize it more easily than Tails
* Tails is amnesic, usable with an airgap workstation and more secure than Qubes
* Adding a software distribution channel to a Qubes workstation is
easy while creating and distributing tails derivatives is
challenging and discouraged
I agree with "challenging". I partly disagree with "discouraged".
I meant to say I was discouraged by https://tails.boum.org/contribute/derivatives/ not that Tails discourages it, sorry about that. My hunch is that it would take me at least three months full time to come up with a derivative addressing all problems (i.e. security releases, quality assurance process, automatic upgrades, ...). And most likely another three months before recommending that someone uses it for real. This is taking into account that I have experience with packaging, Q/A automated or manual and release management.
Creating a derivative does not only involve creating the derivative, but
maintaining it. As you might know, we release Tails every 6 weeks, based
on the TorBrowser & FF ESR schedule.
Yes, that's what I meant above with "addressing all problems".
Post by u
I believe that this is not necessarily the way to go. Instead, it would
be useful to know what SecureDrop is missing in Tails that it finds in
Qubes, and how this might be addressed. So instead of creating a
derivative, it seems more interesting to me at first sight to try to
contribute improvements to Tails.
Absolutely right and I posted https://labs.riseup.net/code/issues/15052 in that spirit.

Cheers
Post by u
Cheers!
u.
_______________________________________________
Tails-dev mailing list
https://mailman.boum.org/listinfo/tails-dev
--
Loïc Dachary, Artisan Logiciel Libre
sajolida
2017-12-16 18:51:00 UTC
Post by Loic Dachary
Post by sajolida
Post by Loic Dachary
* Adding a software distribution channel to a Qubes workstation is
easy while creating and distributing tails derivatives is
challenging and discouraged
I agree with "challenging". I partly disagree with "discouraged".
I meant to say I was discouraged by https://tails.boum.org/contribute/derivatives/ not that Tails discourages it, sorry about that. My hunch is that it would take me at least three months full time to come up with a derivative addressing all problems (i.e. security releases, quality assurance process, automatic upgrades, ...). And most likely another three months before recommending that someone uses it for real. This is taking into account that I have experience with packaging, Q/A automated or manual and release management.
How far am I from reality?
Not far at all :) I fully understand what you're reporting here!

"Discourage" has different meanings and I disagree with it meaning:

"3. To try to prevent by expressing disapproval or raising objections"

http://www.thefreedictionary.com/discourage

Which is a common meaning in free software communities. But it's not our
intention at Tails and that's why we published these guidelines.

They would be tough to implement but we would highly encourage this!
Conor Schaefer
2017-12-15 19:24:14 UTC
Post by sajolida
Thanks for starting this discussion!
Great conversation, Loic, thanks also for getting the ball rolling.
Post by sajolida
Post by Loic Dachary
First of all this is not something new: people asked for it long ago
but Qubes was not mature enough. The upcoming Qubes version 4
changes that and motivated new development in the SecureDrop team. As
a result of this effort, started a few months ago, the pros and cons
of using tails vs Qubes appear more clearly.
https://media.libreplanet.org/u/libreplanet/m/securedrop-leaking-safely-to-modern-news-organizations/
Yes, at a high level that's approximately the plan we're looking at.
Realistically we'll need to scope our efforts in 2018 more narrowly than
what was discussed there—for instance, it's highly unlikely we'll be
able to rewrite and QA both the journalist experience and the backend
server story—but having conversations about the feasibility of
approaches is precisely the goal.
Post by sajolida
Given that Tails will probably remain relevant in the SecureDrop
ecosystem for a while (for example on the source's side), my intention
* Have more feedback from SecureDrop about the Tails in general,
hopefully opening communication channels that can be fruitful for the
future. I don't remember much discussion on public channels between
Tails and SecureDrop in the past.
Agreed. The SecureDrop team has done a poor job historically in
collaborating closely with some of the groups we depend most upon. Let's
change that. We've already started following your pre-release
announcements more closely so that we can perform vigorous QA before
releases go stable. With timely QA and engagement on your bug tracker,
hopefully we can avoid problems like our clunky response to the Nautilus
desktop icon issue being resolved:
https://github.com/freedomofpress/securedrop/issues/2586
Post by sajolida
* Understand what Tails should do to be more relevant in similar
contexts ("Tails for journalists and their sources").
Post by Loic Dachary
IMHO the most prominent ones are:
* Qubes is not amnesic and the user can customize it more easily than Tails
* Tails is amnesic, usable with an airgap workstation and more secure than Qubes
* Adding a software distribution channel to a Qubes workstation is
easy while creating and distributing tails derivatives is
challenging and discouraged
I agree with "challenging". I partly disagree with "discouraged".
Sure, we've been discouraging people to shoot themselves in the foot by
customizing Tails to the point of breaking it.
Fair points. With the (Tails-based) SecureDrop Journalist Workstation,
we're already shoehorning a lot of persistence into the environment,
which I count as going against the grain of the primary use case of
Tails. For instance, we're setting network-manager hooks to update the
system torrc with hidservauth cookies, so authenticated Onion Services
are accessible in Tor Browser.

This works! But distributing updates to the various workstations out in
the wild is quite challenging, and currently requires that Admins or
Journalists pull from git, verify a tag, and run a script. A strategy
that supports unattended upgrades would enable us to be more confident
in iterating on the workstation tooling.
Post by sajolida
But we're also aware of the need for more customization and flexibility
- We published a statement in 2015 on how Tails derivatives should
https://tails.boum.org/contribute/derivatives/
- We got funding this year to work on a better support for storing
additional software in persistence which is so far only possible from
https://labs.riseup.net/code/issues/14568
https://tails.boum.org/doc/advanced_topics/additional_software/
Great news, and congratulations! Those are some great sources you
shared, thanks. I'd actually been under the impression that we'd need to
get packages into Debian in order for them to be apt-installable, and
having a lower bar that would enable us to ship our own packages (as we
do with the SecureDrop servers) is worth a closer look.
Post by sajolida
Post by Loic Dachary
* Tails is already mature while Qubes reaches maturity in 2018
* Qubes is based on Xen and runs on a limited range of hardware compared to tails
On a personal note I'd like to work on improving the tails
experience for all existing SecureDrop users. Migrating to Qubes or
not will eventually be their decision, they won't be forced. In 2018
there will be a significant SecureDrop effort to improve the tails
journalist user experience.
I'd be interested in hearing Jen and Conor's take on this.
Would it make sense to have two options for the journalist workstation?
And I would totally understand if it doesn't make sense for them :)
Right now we're just prototyping with Qubes, to evaluate if we can build
a "better" experience for journalists. Loic summarized most of the
details already, but I'll list some further goals that make Qubes
attractive:

* isolation for potentially malicious submissions
* automatic sanitization of submissions, e.g. PDFs
* use of split-gpg to integrate the Journalist Workstation (networked)
and the Secure Viewing Station (airgapped)

We've been working on an updated threat model that should be ready for
public consumption in early 2018. The current SecureDrop
architecture—including the multiple Tails devices per instance—was
designed several years ago, and we've learned a lot since then. Having a
more modern threat model will enable us to make informed decisions about
major changes such as trusting hypervisor isolation in place of a
hardware airgap.

To be sure, Tails remains extremely relevant for the Source use case. We
have not ever written a software client for Sources, depending instead
on Tor Browser. We also, all of us, use Tails devices for storing
sensitive secrets of various kinds, and have copious internal
documentation on the process. Publishing much of that documentation may
be of benefit to both projects.
intrigeri
2018-05-21 15:56:47 UTC
Hi,
Post by Conor Schaefer
Fair points. With the (Tails-based) SecureDrop Journalist Workstation,
we're already shoehorning a lot of persistence into the environment,
which I count as going against the grain of the primary use case of
Tails. For instance, we're setting network-manager hooks to update the
system torrc with hidservauth cookies, so authenticated Onion Services
are accessible in Tor Browser.
This works! But distributing updates to the various workstations out in
the wild is quite challenging, and currently requires that Admins or
Journalists pull from git, verify a tag, and run a script. A strategy
that supports unattended upgrades would enable us to be more confident
in iterating on the workstation tooling.
Interesting!

I think the new torrc.d/ directory support would help: you could make
that directory persistent and drop files in it.

We don't include that directory at the moment
(https://bugs.debian.org/866187) but if that's something you need we
could source it without waiting for the Debian default torrc to do it
(we ship our own torrc anyway).
Post by Conor Schaefer
Post by sajolida
https://tails.boum.org/doc/advanced_topics/additional_software/
Great news, and congratulations! Those are some great sources you
shared, thanks. I'd actually been under the impression that we'd need to
get packages into Debian in order for them to be apt-installable, and
having a lower bar that would enable us to ship our own packages (as we
do with the SecureDrop servers) is worth a closer look.
Yeah! Please check it out and let us know if there's a reason why it
does not work for you.
Post by Conor Schaefer
We've been working on an updated threat model that should be ready for
public consumption in early 2018. The current SecureDrop
architecture—including the multiple Tails devices per instance—was
designed several years ago, and we've learned a lot since then. Having a
more modern threat model will enable us to make informed decisions about
major changes such as trusting hypervisor isolation in place of a
hardware airgap.
Where can I read more about this updated threat model?

Cheers,
--
intrigeri
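As an added illustration of the approach discussed above (Conor's network-manager hook that injects HidServAuth cookies, and intrigeri's suggestion to drop files into a persistent torrc.d/ instead of rewriting the system torrc), here is an example hook script. It is not SecureDrop's or Tails' own code. It assumes, hypothetically, that the main torrc already contains an include of /etc/tor/torrc.d/ and that the persistent list of authorised onions is a plain text file with one "<onion-address> <auth-cookie>" pair per line; the path names and the choice to validate entries before writing are the example's own.

```shell
#!/bin/sh
# Added example, not the project's own code. Renders a torrc.d fragment of
# HidServAuth lines from a persistent list file, so the system torrc itself
# is never edited and the fragment can be regenerated on every network event.
#
# Assumptions (hypothetical): the main torrc includes /etc/tor/torrc.d/ and the
# list file is "<onion-address> <auth-cookie>" per line, "#" lines ignored.

# Validate one "address cookie" pair before it reaches tor: a v2 onion address
# is 16 base32 characters plus ".onion"; a v2 descriptor cookie is 22 base64
# characters. A malformed line would otherwise make tor refuse its config.
valid_hidservauth() {
  onion="$1"; cookie="$2"
  printf '%s\n' "$onion"  | grep -Eq '^[a-z2-7]{16}\.onion$'  || return 1
  printf '%s\n' "$cookie" | grep -Eq '^[A-Za-z0-9+/]{22}$'     || return 1
  return 0
}

# Render the fragment from the list file; bad entries are skipped and reported
# on stderr rather than written, so one typo cannot take the whole client down.
render_fragment() {
  list="$1"
  while read -r onion cookie _; do
    case "$onion" in ''|'#'*) continue ;; esac
    if valid_hidservauth "$onion" "$cookie"; then
      printf 'HidServAuth %s %s\n' "$onion" "$cookie"
    else
      printf 'skipping malformed HidServAuth entry: %s\n' "$onion" >&2
    fi
  done < "$list"
}

# Write the fragment atomically, with owner-only permissions (the cookies are
# secrets), and only when its content changed. Returns 0 if the file changed
# (caller should reload tor), 1 if it was already up to date.
install_fragment() {
  list="$1"; target="$2"
  tmp="$target.tmp.$$"
  render_fragment "$list" > "$tmp"
  if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
    rm -f "$tmp"
    return 1
  fi
  chmod 0600 "$tmp" && mv "$tmp" "$target"
  return 0
}

# Example hook entry point (paths are hypothetical):
#   install_fragment /persistent/securedrop/onions.list \
#                    /etc/tor/torrc.d/50-securedrop-hidservauth \
#     && systemctl reload tor
```

The "changed / unchanged" return value is what makes the script safe to call from a dispatcher that fires on every interface up/down: tor is only reloaded when the rendered fragment actually differs from what is on disk.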
iry
2018-05-23 02:11:00 UTC
Post by intrigeri
I think the new torrc.d/ directory support would help: you could
make that directory persistent and drop files in it.
We don't include that directory at the moment
(https://bugs.debian.org/866187) but if that's something you need
we could source it without waiting for the Debian default torrc to
do it (we ship our own torrc anyway).
Hi intrigeri,

Just a friendly reminder that torrc.d feature is very experimental at
this moment. It may be a good idea not to use it until the issue in
this ticket is resolved:
https://trac.torproject.org/projects/tor/ticket/25140

Best Regards,
iry
