AdHocSecurebox is an opinionated collection of scripts/docs to deal with sensitive data with average hardware and open source software. Work in progress.
License: The Unlicense
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of how to send files from Android phone to TailsOS.
The tails-do-it #20 actually somewhat worked as expected. But I somewhat discovered how to (not) recover a failed crappy USB stick (with a plus of I intentionaly not caring too much to close applications and etc, something that would be supposed to cause corruption), and maybe worth document how it failed. But on a hurry I just took photos.
This project today is 22 days old, have the exact url https://github.com/fititnt/TailsOS-for-non-whistleblowers and had 2 releases, TailsOS-for-non-whistleblowers v1.0 and TailsOS-for-non-whistleblowers v2.0. The current quick description (the v3.0 still not released) is
This issue is about remember me to, maybe, rename this project to something actually less vague.
The "TailsOS-for-non-whistleblowers" means literally "TailsOS (scripts/documentation) for non whistleblowers", both because I did not had a better naming and because any script/documentation would be very likely to not be a good idea be used by whistleblowers. Also see this Reddit post. If you are out of time, this quote
"Being a confidential source entails a lot of risk, and I think about 70% of this risk involves what they do before they first talk to a journalist." Micah Lee
As I was not sure if I would eventually stop updating this repository and move to new projects, but since I am optimized for searching, possibly people (and I'm saying IT personal or governmental staff) could be arrested for use this repository instead of official documentation or extra care. So in the absence of a better description, this title would be less wrong.
No. This is not for whistleblower.
This does not means that this project have backdoor or something. In fact, as I'm moving to AI/S Ethics area, I'm morally against this put backdoor. But do exist so many potential threat models that would be impracticable put anything open but do exist valid usages where Tails is a good software and the person is not someone that his current country have the right to do deep investigation.
Some of these scripts or documentation could possible be useful of you don't trust the hardware, software or your corporation network and have to do crypt operations (like SSH servers or encrypt/decrypt backups as part of weekly drill with human intervention). But even if you work at some Government and is "investigating/auditing" possible breaches is reasonable you ask upfront written authorization because you would totally seems suspicious for using this project.
One example that does not involve cyber attacks from other countries (the ones sponsored by Govermanent agencies) can be as dumb (yet able to do huge damage) as ransomware. On a recent case on Brazil, even the backups got attacked, not just the production data:
Like I said: is likely that do exist valid use cases where the daily use machine, by having direct access all the time to other servers, could be an issue. Compared to other Linux distros, Tails by default is more secure for crypto operations and even if you do not use these scripts (but have to use the standard Tails Persistence) by default it already is encrypted.
TODO: add description of the initial reasons for this project. But definitely mention about Domestic Violence survivors (fititnt, 2020-11-07 21:11 BRT)
Do some scripting of minimum viable product (MVP) of any rclone install & run on TailsOS (without need of sudo power.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of usage of VSCode on TailsOS
An minimum viable product (MVP) of AppArmor profiles to use with Cryptomator
See also:
curl: (7) Failed to connect to example.org port 443: Connection refused & curl --socks5 127.0.0.1:9050 #17While on #1 we're able to use VSCode on Tails, the feature to search extensions via the VSCode itself do not work (maybe there is some way to install outside vscode? If exist, this could be a gambiarra).
The github title also includes Electron/Chromium apps to make easier for who would try search on future. As this may have more people trying too.
Refs:
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of Oh My Zsh on TailsOS.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of usage of Cryptomator on TailsOS
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of usage of GPG, from (from creation to backup, even if just local) on TailsOS.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of how do deploy scripts that are acessible by the user on TailsOS.
As reference, the /home/amnesia/.profile alredy seems to load to the path the /home/amnesia/bin if already was created when starting a new shell
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
umask 077
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fiEdit: missed last line of code on sample code. Added.
Related:
Tails do not persist cosmetic changes on the terminal. Even if using the MVP of Oh My Zsh on TailsOS #5, the background color still mananged by the Gnome or something. This issue is to potencially find some workaround around this to use when persistence is enabled.
References:
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of backup on TailsOS.
Maybe this issue will end being just repeat the oficial documentation. Or cite how to do it using the grapical interface.
Note to self: I think I somewhat bricket the partition layout of one pen drive to a point of Disks utilities know there is an partition, but not aware that is LUKS or something. This is likely to not be related with Tails at all, since I guess I tried to open outside or I intentionally removed several times without waiting the OS close. I'm also using a pretty cheap 64gb USB stick
TL;DR: Do shell scripting plus documentation of an minimum viable product (MVP) of backup archiving with bit rot / data degradation protection.
This is something I would do for other projects, but this one, since already likely to deal with encryption (and implicitly it means compression, and compression does not play nice with data recovery) it also means that the result is more likely to face some bit rot over the years (and some level of bit rot can make not only an small part of an backup like GBs of photos and documents, but the entire backup file!).
Not everything can have a live copy that could be rechecked all the time. . And by some histories on the web about bit rot, data on HDDs with 8+ years already can bit rot, so having the just single file replicated on 2-3 mediums may not in 10-15 years, but eventually all mediums could fail and the used format could not be recovered. Not good.
And even if just from time to time do a drill of copyng older files to newer drivers may not be good enough, (in special if they already compressed or encrypted), if someone else is not able to detect years sooner that one file already going bad. One scenario where even someone not able to open partially bit rotted file (like if a file is encrypted) but be able to recover before updating to a new storage medium seems totally win win. (And I say this because, as 2020, maybe even printing good quality books are more granted to last even centures than good quality digital storage mediums today are granted to persist just a few decades.
I'm already drafting some POSIX shell scripts to allow remote backups on local machines (calling this as "securebox-backup-*"). Mostly testing on Debian-like distros but they are likely to work later on Fails. I think that for this specific issue it would mean doing some sort of parity at file level (something that could work even without RAID or a filesystem like ZFS).
100% POSIX shell scripting is harder than bash (and bash already is more complex for non-trivial script than any other scripting language. But since this is something I would expect to be able to work even 10-20 years later (maybe even have a copy of the entire operational system so in the worst case scenario even could allow someone to boot up from a virtual machine) the part about the scripting is not that bad.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of backup on Tunderbird e-mails.
See also:
The current documentation (lets call now v2.0-rc1 still document assuming someone to use this repository as a git project. On the #24, the main comment #24 (comment) necessay means that in some cases, some operations should be done on somewhat isolated ambient. And a Tails, even if the user do have Persistent storage on same pen drive, is likely that is the perfect place to not enable.
So this issue is about do some basic documentation about be able to run at least the bin/ from persistence not enabled. This also is different from official tails documentation because our focus here is do some kung-fu scripting without GUIs.
See also:
On the #13, was about where to put software. This issue is about where to put data, as default, so it makes easier for scripting and documentation (and, assuming I eventually really use Tails, this is important to still works even after years). While target audience who works with tails is likely to do things via user interface, at least one of my primary usages would be backup and restore servers when manual acction is need or when someone else, without some experience with GPG, to be able to recover data on worst cases scenarios.
I don't know how people out there, who works for more than one client, can make sanity dealing with several GPGs to avoid use symetric encryption (aka passphase) and still not have some potential flaws. It could actually be easier to send an USB stick by mail than explain how to install GPG (and yes, I know that do exist smartcards, but clients may not seem as necessary and would preffer plain password).
One downside of this is that for backup/recover that are internet (and not over offline media) the Tor on tails can actually be pretty slow compared to raw internet.
Do shell scripting plus documentation of an minimum viable product (MVP) of using Tails as an Ad Hoc Securebox for manange remote backups. Focus on somewhat automate better the backup download and backup archiving. Total aided restore process may be too complex to do it safely, but if some strategies that upload data for to another servers may be a base for end user add some extra customization.
This issue is likely to generate another GitHub Project just to keep the tools. This also helps because such scripts can be used outside Tails.. But I think that for sake of speed, tools could be added an extra copy to AdHocSecurebox/bin, so in a hurry the person do not need install another repository.
PS:
tails-backup-(...) / tails-restore-(...) to not confuse usersQuick references:
This issue is about document how to enable spell checker on Tor Browser. Not even for English version is enabled, and as for this project (current name: TailsOS-for-non-whistleblowers) we not really care that much about hide fingerprint to a point of make spelling errors.
See #4 (comment)
Related:
While be able to use VSCode on TailsOS seems to be good nice to have, I'm restarting so many times for testing things that maybe also have some way to do changes that would persist on gedit could be interesting.
Since gedit is not my main editor, this issue in special may never be fixed on this repository. But at least is an internal notice that could be interesting.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of usage of Virtual Machines (not necessarily on tails)
Related
Let's do an minimum viable product (MVP) of AppArmor profile that shows how to at block access to specific folder even if running under user who runs the application do have access to the folders.
The #32 is interesting for apps (and not only binaries) that should not have access to internet. But what about software like Zoom, Skype, Spotify, Slack, etc that should have access to internet but could still access private files? Looking deeper on AppArmor, most softwares that ship with Ubuntu, even the ones that already are not isolated with Snaps, do have AppArmor profiles. But this is likely to not apply to other apps.
Related:
While the topic #8, in special because of the first example we're already sending backups to a pen drive that would work as future copy, on this topic we should at least do a live test from the bin/restore-tailsdata-from-usb-stick.sh.
We should also assume that, if a user is in fact doing an restore, it may not have a lot of time to install this full project (or even deploy the bin/restore-tailsdata-from-usb-stick.sh) so we should somewhat document if the user is just reading.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of usage of zuluCrypt and zuluMount
Let's do an minimum viable product (MVP) of AppArmor profile that shows how to at least block access to internet to some binary.
While (as mentioned on #31 (comment)) I discovered that is possible to generate AppArmor profiles, the idea of this demo here is be somewhat a quick introduction to who already use some distro with AppArmor (or one that is easy to enable) be able to just copy and paste for their own needs.
I know that restrict only internet access is not the best ideal scenario for who already is using AppArmor, but this alone is provides some type of sandboxing not only on Tails.
See:
wget https://go.microsoft.com/fwlink/?LinkID=760868 -O /tmp/vscode.deb
sudo apt update
sudo apt install /tmp/vscode.debamnesia@amnesia:~$ wget https://go.microsoft.com/fwlink/?LinkID=760868 -O /tmp/vscode.deb
--2020-10-23 15:59:58-- https://go.microsoft.com/fwlink/?LinkID=760868
Resolving go.microsoft.com (go.microsoft.com)... 88.221.62.148
Connecting to go.microsoft.com (go.microsoft.com)|88.221.62.148|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://update.code.visualstudio.com/latest/linux-deb-x64/stable [following]
--2020-10-23 16:00:01-- https://update.code.visualstudio.com/latest/linux-deb-x64/stable
Resolving update.code.visualstudio.com (update.code.visualstudio.com)... 51.144.164.215
Connecting to update.code.visualstudio.com (update.code.visualstudio.com)|51.144.164.215|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://az764295.vo.msecnd.net/stable/d2e414d9e4239a252d1ab117bd7067f125afd80a/code_1.50.1-1602600906_amd64.deb [following]
--2020-10-23 16:00:04-- https://az764295.vo.msecnd.net/stable/d2e414d9e4239a252d1ab117bd7067f125afd80a/code_1.50.1-1602600906_amd64.deb
Resolving az764295.vo.msecnd.net (az764295.vo.msecnd.net)... 152.199.19.160
Connecting to az764295.vo.msecnd.net (az764295.vo.msecnd.net)|152.199.19.160|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64463220 (61M) [application/x-debian-package]
Saving to: ‘/tmp/vscode.deb’
/tmp/vscode.deb 100%[=====================================================================================================================>] 61.48M 614KB/s in 1m 52s
2020-10-23 16:01:58 (562 KB/s) - ‘/tmp/vscode.deb’ saved [64463220/64463220]
amnesia@amnesia:~$ sudo apt update
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for amnesia:
Hit:1 tor+http://sdscoq7snqtznauu.onion/torproject.org buster InRelease
Hit:2 tor+http://vwakviie2ienjx6t.onion/debian buster InRelease
Hit:3 tor+http://umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion 4.12 InRelease
Hit:4 tor+http://vwakviie2ienjx6t.onion/debian bullseye InRelease
Hit:5 tor+http://vwakviie2ienjx6t.onion/debian buster-backports InRelease
Hit:6 tor+http://vwakviie2ienjx6t.onion/debian sid InRelease
Hit:7 tor+http://sgvtcaew4bxjd7ln.onion buster/updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
5 packages can be upgraded. Run 'apt list --upgradable' to see them.
amnesia@amnesia:~$ sudo apt install /tmp/vscode.deb
[sudo] password for amnesia:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'code' instead of '/tmp/vscode.deb'
The following package was automatically installed and is no longer required:
libpcre2-posix0
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
code
0 upgraded, 1 newly installed, 0 to remove and 5 not upgraded.
Need to get 0 B/64.5 MB of archives.
After this operation, 276 MB of additional disk space will be used.
Get:1 /tmp/vscode.deb code amd64 1.50.1-1602600906 [64.5 MB]
[INFO] Saving package changes
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apt/cache.py", line 297, in __getitem__
rawpkg = self._cache[key]
KeyError: 'code'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/sbin/tails-additional-software", line 672, in <module>
apt_hook_pre()
File "/usr/local/sbin/tails-additional-software", line 459, in apt_hook_pre
if not apt_cache[package_name].is_installed:
File "/usr/lib/python3/dist-packages/apt/cache.py", line 299, in __getitem__
raise KeyError('The cache has no package named %r' % key)
KeyError: "The cache has no package named 'code'"
E: Sub-process /usr/local/sbin/tails-additional-software apt-pre returned an error code (1)
E: Failure running script /usr/local/sbin/tails-additional-software apt-pre
amnesia@amnesia:~$ See also:
Using the tails Persistence, while very interesting from a point of view of the default target audience, seems a wonderful, I think we may hit some bugs that only who is using Tails for what is not target audience may actually hit. Since more than VSCode could be used as portable software, let's create some optionated directory layout. This is likely to make much easier for who would like to re-use the scripts for other software changing just a few lines.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of usage of MVP of git and GitHub drills on TailsOS.
See also:
The generic error happens when using Tails v4.12 after a simple curl to an HTTPS site (curl: (7) Failed to connect to example.org port 443: Connection refused).
amnesia@amnesia:~/Persistent/git/fititnt/TailsOS-for-non-whistleblowers$ curl https://beta.rclone.org/version.txt
curl: (7) Failed to connect to beta.rclone.org port 443: Connection refused
amnesia@amnesia:~/Persistent/git/fititnt/TailsOS-for-non-whistleblowers$ curl --socks5 127.0.0.1:9050 https://beta.rclone.org/version.txt
rclone v1.54.0-beta.4833.5164c3d2dAdding --socks5 127.0.0.1:9050 fix this. But very likely this would break several shell scripts that relly on curl and do not have hardcoded proxy configuration or something
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of Tails-like concepts on everyday Linux distributions.
Tails, by design, is not an average everyday operational system. Then considering what was written at the Design some optionated directory structure for data operations #24:
On the #13, was about where to put software. This issue is about where to put data, as default, so it makes easier for scripting and documentation (and, assuming I eventually really use Tails, this is important to still works even after years). While target audience who works with tails is likely to do things via user interface, at least one of my primary usages would be backup and restore servers when manual acction is need or when someone else, without some experience with GPG, to be able to recover data on worst cases scenarios.
I don't know how people out there, who works for more than one client, can make sanity dealing with several GPGs to avoid use symetric encryption (aka passphase) and still not have some potential flaws. It could actually be easier to send an USB stick by mail than explain how to install GPG (and yes, I know that do exist smartcards, but clients may not seem as necessary and would preffer plain password).
One downside of this is that for backup/recover that are internet (and not over offline media) the Tor on tails can actually be pretty slow compared to raw internet.
This issue is about make some conventions on how to setup an more common Linux distribution in a way that play nice with Tails and, if not at least more secure, at least provide some type of namespacing.
Some tools, and a great example are the AWS CLI (https://aws.amazon.com/pt/cli/) / s3cmd (https://s3tools.org/s3cmd) or even average GUI apps, like FTP apps Filezilla, database apps, etc, are not very friendly to have different profiles. They by default use somewhat hardcoded paths or, even if they are not hardcoded, the end user is likely to either
The idea of this issue is somewhat be able to archive something in the middle of this two points without need to log on Tails. One approach could be we reuse the Tails concept of Persistence+Dotfiles and each big project somewhat have its own workspace that could be symlinked when start working and closed when is not more necessary.
See also:
This issue is just to comment (what is unlikely to become an shell script) about a quick experience testing Gnome Online Accounts on Tails.
Document (or maybe do some shell scripting) of an minimum viable product (MVP) of any FTP/SSH/etc program with GUI on TailsOS.
Related
An minimum viable product (MVP) of AppArmor profiles to use with zuluCrypt and zuluMount
See also:
This definely deserve the anti-pattern-on-tail label. But I think we could do a generic one instead of the #9 and then add to the bin/ folder
Near 49 days since I ordered an hardware authentication device (on my case, after long, long research, eventually decided that would be an YubiKey!) and its finally coming. Well... sort of... it's still on Curitiba! But at least the Brazilian Customs Clearance finally got the package to ask me to pay an small fee standard fee, even if no import tax was need. I'm anxious!
Actually, one of the reasons of my initial interest on Tails was because I would need some place to generate the hardware authentication device private key outside, make an backup, and then import to the smartcard [1]. YubiKey can both be used for GPG asymmetric encryption and SSH authentication (inclusive, based on my research, on Android), so it can work even on nasty threat models
By design smartcards are done in such way that its not possible to extract the private key. And even if the physical hardware is stolen, without the right PIN, the maximum the person can do is reset the key.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.