EPISODE 1636

[INTRODUCTION]

[0:00:01] ANNOUNCER: Software security is a critical issue for everyone, but it takes on an entirely different dimension when your life, or the lives of others depend on it. Consider the security needs of an environmentalist whistleblower inside a chemical corporation, or a human rights activist in Iran. Hyper-secure and fully anonymous operating systems are vital for many legitimate use cases. They are a double-edged sword though, and also empower nefarious actors. Tails is an operating system designed to protect against surveillance and censorship. Our guest today is a member of the Tails Group. For privacy reasons, we will refer to him as Ludo. This episode is hosted by Lee Atchison. Lee Atchison is a software architect, author, and thought leader on cloud computing and application modernization. His best-selling book, Architecting for Scale, is an essential resource for technical teams looking to maintain high availability and manage risk in their cloud environments. Lee is the host of his podcast, Modern Digital Business, produced for people looking to build and grow their digital business. Listen at mdb.fm. Follow Lee at softwarearchitectureinsights.com and see all his content at Leeatchison.com.

[INTERVIEW]

[0:01:25] LA: Security is a critical issue for everyone nowadays, but it takes a whole new level when your life, or the life of others may be quite literally held in the balance. Consider, for example, the security needs of a pro-Ukrainian group operating in Russian-controlled territory. Hyper-secure and fully anonymous operating systems are critical for some legitimate use cases, but unfortunately, they can also be used for illegitimate use cases, hence, our conversation today. We are going to talk about Tails. Tails is an operating system designed to protect against surveillance and censorship. My guest is one of the members of the group that operates Tails. For privacy purposes, we will only be referring to him as Ludo.
Ludo, welcome to Software Engineering Daily.

[0:02:11] L: Thank you, Lee. Pleasure being here.

[0:02:13] LA: Great. Thank you for being here. Let's start out with the basics. What is Tails?

[0:02:18] L: Tails is an operating system. It's more of a toolbox meant for activists, investigative journalists, whistleblowers, and anyone really facing repression, or otherwise, in need of privacy. We aim to provide a safe environment for people to work in that anonymizes their internet traffic and leaves no trace on the computer. In more technical terms, it's a live Linux distribution based on Debian Linux, which routes all your internet traffic through Tor.

[0:02:48] LA: The key to the anonymity is both mechanisms that prevent logging on the computer, as well as the use of Tor to prevent tracking of IP traffic. Is that correct? Is that a fair summary?

[0:03:00] L: Yeah, that summarizes it quite adequately.

[0:03:03] LA: Why don't we talk a little bit more then about Tor? What is Tor, for people who are listening who are not aware of what Tor is?

[0:03:11] L: Tor is a combination in a sense of a network routing protocol and a quite substantial network of volunteer nodes all over the world. What it does is it routes all outbound traffic through three different intermediaries, making sure that none of the intermediaries ever knows both the sender and the receiver at the same time.
Say, if Alice were to want to communicate with Bob, she would pick three nodes in the Tor network and then set up a tunnel, so that all traffic goes first through an entry node in the Tor network, then through a relay and then through an exit node, and the entry node would only be able to see, oh, there's traffic coming from Alice going to some relay somewhere, and the relay would only be able to see, oh, there's traffic from one piece of the Tor network going to another bit of the Tor network, and the exit relay would only be able to see, oh, there's Tor traffic going to Bob, but I don't know where it came from. That in a nutshell is what Tor does.

[0:04:15] LA: The first node knows where it came from and the last node knows where it's going to, and the middle one basically knows nothing.

[0:04:21] L: Well, it only knows the -

[0:04:23] LA: Nothing about the original.

[0:04:25] L: Exactly.

[0:04:26] LA: Nothing about the original nodes, yeah. That's great. Why don't we go back and talk a little bit more about why is anonymity so important? Why should an average person care that something like this exists?

[0:04:40] L: Why is anonymity important? It's a safeguard measure, really, against repression and injustice. We don't think of it generally very often, but it's all over the place. It's in the very cornerstone of democracy: when we vote, we do so anonymously. That is exactly to prevent other people from being able to influence our voting behavior. But also, in academia, where review is generally double-blind, where both the author doesn't know the reviewers and the reviewers don't know who the author is.

[0:05:15] LA: We can use it in our own lives, but also, there is the aspect that it's the reporter use case, where you want to make sure that people are able to report bad doings without worrying about getting caught, or worrying about being disrupted.

[0:05:29] L: Yeah, in the sense of whistleblowing, for instance, you mean?
[0:05:32] LA: Whistleblowing is, yeah, the prime example of that. I mean, one of your big use cases, one of your most public after-the-fact use cases was Edward Snowden. Is that correct? Can you talk a little bit about the Edward Snowden case and his involvement with that?

[0:05:48] L: Well, that was, first of all, quite a long time ago. It was when Tails only just existed, really. Only, it's only been there for a couple of years. It became very, suddenly, very well-known and public, because of the use by Snowden and Laura Poitras, and Greenwald, I think, used it, too. Yeah, that set the stage for Tails growing quite significantly, getting a lot more developers, suddenly getting funding, stuff like that.

[0:06:22] LA: That was a major push for it, though.

[0:06:24] L: Yeah, for sure. I mean, from obscure little operating system, we were suddenly in the spotlights of global media attention.

[0:06:33] LA: You've been very effectively used in a number of global causes, if you will. I've got several listed here. We could talk about each of them. I know, for instance, there are use cases where pro-Ukrainian groups are using it in the war against Russia. I know you can't talk about details, but is there anything in general you can talk about? How it's being used, or why it's being used, or what value it's providing?

[0:07:00] L: Yeah. I think you're referring to BOAK, the anti-militarist group operating within Russia.

[0:07:06] LA: The anarchist. Yeah, they break.

[0:07:09] L: Yeah. Well, Tails provides a safe working environment there for them to escape the claws of the FSB, really.

[0:07:18] LA: It's got those geopolitical values, but it's also got more personal values. I know one of your other use cases is Gabriella.

[0:07:26] L: Mm-hmm.

[0:07:27] LA: Can you elaborate on that a little bit about what Gabriella is, what that use case is?

[0:07:33] L: Yeah. That was a case where Tor were - look, where Tails was used by women in Brazil, I believe?
Yes, Brazil. Again, access to reproductive rights, healthcare, which is partially illegal in Brazil. It has an interesting side bit to it where, in general, most of the people that use Tails use it specifically for the anonymization that Tor provides. In their case, these were mainly women that didn't own their own computer. For them, Tails was also a means to have their own data environment on a USB stick for them to carry around with them, without having to worry about their boyfriends going through their files, or going through their browser history, etc., etc. It wasn't just to protect them from the state when they - to deny them access to reproductive rights, but also, to protect them from domestic abuse, really.

[0:08:33] LA: Why don't you tell me about, you come up with one or two of what do you think are the most interesting, or maybe better than interesting, the most important use cases that you have seen with Tails?

[0:08:45] L: Well, in recent years, I think the Russian anti-militarists are one of the most inspiring ones that I've seen.

[0:08:53] LA: This is the BOAK case?

[0:08:54] L: Yes, exactly. Yeah, it's sometimes also tricky that, because we develop an operating system that anonymizes people, it's also really hard to keep track of our user base, and it takes quite a lot of effort to find these examples, because you don't have nice metrics coming in about, hey, this person uses Tails. It's not.

[0:09:18] LA: Right. Plus, the ones you know about, you don't want to expose too much either, so I understand that as well. It's very hard to talk about it. The point I wanted to make by going through some of these examples is the need for something like a Tails operating system is critical, not just for people who don't want to be caught, but because the things that they're doing that they don't want to be caught for are important for society.

[0:09:43] L: Oh, yeah.
I think in general, to come back to your question about why should people care, it's not so much that people would need anonymity for themselves per se, though I think it's always nice to have some degree of it. I mean, I think a lot of people would protest if they have to vote out in the open, all of a sudden, for instance, if you take away that anonymity there. The question to be asked is also, do I want to live in a world without anonymity? What would be the implications of that? Would I want to live in a world where you can't whistle blow anymore? Where activism can't be safeguarded against state repression? Yeah.

[0:10:25] LA: Yeah. That's the thing that I keep coming back to is I want to live in a world where it's possible to be a whistleblower. I hope I never have to be one. I hope there never needs to be any, but I'd love living in a world where it's possible for whistleblowers to exist, because they're the ones that keep the government. Not just government, but non-governmental important entities doing the right thing, or presumably, doing the right thing, or are better able to make sure that they're doing the right thing.

[0:10:56] L: Yeah. I think it's interesting to see a bit of historical perspective on that in the rise of the whole surveillance industry is, well, not very recent, but it's only been 40 years or so. Before that, anonymity was a lot easier. You just go out to the town square at night to make sure no one sees you and hang up a poster. Now, there's a CCTV camera there. That has shifted a lot in also how we think of anonymity and surveillance and control and the role of the state they're in.

[0:11:34] LA: Yeah. I think this is getting better in recent years, but the general population, I think, doesn't really know what level they're being monitored on the Internet and what level of privacy they give up on the Internet. Like, this is starting to get better as time goes on.
I know many people who were surprised at how much information companies like Facebook have about them and Google have about them. People shouldn't be surprised about that, but many people are. It's like, how can they find out all this information and make it available?

[0:12:07] L: Yeah. I think, on the one hand, it's nice that there's an increasing awareness, but that doesn't change the complete ubiquity of it. It's everywhere.

[0:12:15] LA: Right.

[0:12:17] L: In that sense, the whole notion of anonymity is becoming increasingly under threat over the last 40 years, to the point where we now have to go through quite extreme technical hoops to be able to do something anonymously, which is something that used to be quite easy.

[0:12:33] LA: Even then, it's hard. I mean, you can't guarantee, even with using something like Tails, complete anonymity. You just make sure it's a lot harder to discover who's there.

[0:12:43] L: Oh, yeah. For sure.

[0:12:45] LA: We've talked a lot about some of the use cases. These are all positive use cases, right? These are cases where people were doing good things that couldn't get discovered. Because of that, arguably, society is better because of these individuals and the things that they were doing. What about illegitimate use cases? There are obviously a lot of ways that this can be used in unacceptable ways. For that, I'd like to come back to the - I don't remember the name of the case, but there's a famous child predator case where the FBI cracked a Tails-based computer of a known child predator. The child predator was using Tails to keep themselves private.

[0:13:29] L: Yeah.

[0:13:30] LA: You weren't involved, you meaning Tails itself, or the Tails organization wasn't involved in discovering and working with the FBI in this particular predator. I know Facebook, I think, was involved in helping them crack the computer in order to catch this person.

[0:13:47] L: Yeah.
I think at the end, Facebook hired an external security company to develop a zero-day exploit.

[0:13:53] LA: This brings up a couple of questions. One is, in your mind, does Tails actually provide protections for that child predator? What are your thoughts about those actions and the actions, the illegitimate use case, actions such as that?

[0:14:09] L: Well, hearing that the tools you've developed are being used by a child predator is quite frankly nauseating. Yeah. That's not something I'd like to hear that happening. Yeah, it's a thing about technology in general, that it can be used both for good and for bad. Like a hammer can be used to hammer nails and construct something nice, or it could be used to smash someone's head in. I think, Tails is in a way erecting a huge shield to protect vulnerable people. Sadly, every once in a while, someone with less noble intentions sneaks behind that shield as well. The question is, should we then remove that shield altogether? Is it good or bad to have Tails? I think, well, there's Blackstone, this English legal scholar, who came up with a nice notion that it is better that 10 guilty persons escape than that one innocent suffers. I think that goes for preserving anonymity as well, that we're better off ensuring anonymity for one, the legitimate causes, and then accept that there are people who abuse it as well, rather than give up on anonymity in total.

[0:15:34] LA: Yeah. I agree with you. I go back to the, I want to live in an environment where whistleblowers are possible. That's not to say that all whistleblowing is valuable, or right, or honest, or all use cases similar to that are right or honest, but I want to at least be able to live in a world where that becomes possible.
Is there any hope, is there any technological hope of being able to make a differentiation between legitimate and illegitimate use cases, so that - like in the case of this child predator, the FBI was able to crack the operating system and catch this perpetrator. Is there any hope where we can live in a world where tools like Tails, or other things like that can help the legitimate use cases, yet not? Maybe limit, or reduce the usefulness for illegitimate use cases. Is that a possibility at all? What do you see as a roadblock to that?

[0:16:31] L: Well, coming back to the hammer, I think if we don't want a tool to be used for certain purposes, you can only do so much in terms of design and adding, or removing functionality to give it some kind of scope in what you want the product to be used for. What we're working down to is how we understand a certain tool. We understand the hammer as something to hammer nails and not as a weapon. That's why you can buy hammers at every hardware store and that doesn't seem to affect crime rates very much. In the same manner, software has a community around it that gives a certain meaning to software. Tails is explicitly a tool for activists, for whistleblowers, etc., etc. We try our best, both in design choices and protecting the community around us and trying to be part of social movements to have Tails understood as a tool for such purposes. I think that is just about as much as you can do. I mean, in the end, there's nothing that will ever stop anyone from abusing certain tools, but you can try to -

[0:17:50] LA: Hammer can always be used to hit someone in the head. You just can't stop that without getting rid of a hammer, which removes a valuable tool from society.

[0:18:00] L: Exactly. The point is that we educate people on what a hammer is and how to use it properly. That's what we're trying to do with Tails as well.
[0:18:09] LA: One of the other things I come back to is we've talked about some very clear-cut cases of legitimate and illegitimate use cases, right? Where we've talked about the - unless you're Russian, for the most part, you believe that the use for Ukraine is probably a positive use case. I think the vast majority of people in the world would agree that the child predator example is an illegitimate use case. Those are the ends, the extremes. The middle ground is where it becomes a lot more questionable, right? Who decides what's legitimate and what's illegitimate?

[0:18:43] L: Well, I mean -

[0:18:45] LA: It's more of a philosophical question, I think.

[0:18:48] L: Yeah. We as product developers have our own views on that, that we try to propagate and we try to swing this technology in that direction. After that, it's up to users to also give it their own meaning and use it for their own conception of good. In the end, who is to determine what is -

[0:19:09] LA: Is it for governments to place restrictions on its use? Is that a legitimate use of government?

[0:19:17] L: Carte blanche in general, I would say, no. I mean, if I'm playing devil's advocate, I could imagine, for instance, if the guy from the child predator case ever gets released, he would have a court order mandating never to use Tails. I would be perfectly fine with that. In general, governments banning tools like Tails is like governments getting rid of safeguards against repression, which I find very, very worrying.

[0:19:47] LA: Right. Yeah. You can imagine, and I'm sure, Russia would love to outlaw the use of Tails in the war in Ukraine, but that's not a legitimate government request in our viewpoint, but it certainly would be from their standpoint.

[0:20:00] L: I believe they already did. Yeah.

[0:20:02] LA: Yeah. Well, yeah. The point being that the government itself is sometimes the entity that needs to be monitored.

[0:20:11] L: Yeah.
[0:20:12] LA: Let's talk a little bit more about effectiveness now. If we go back to the child predator case, the fact of the matter is the FBI with Facebook's help was able to crack the computer that this child predator was using. It was a Tails-based computer. I don't remember all the details, but they got their identity and they were able to stop this predator, which is good and all that good stuff. The fact of the matter is they were able to break the security measures put in place by Tails. Given that, can Tails actually be used for the legitimate use cases, where security is required? Is Tails effective in those cases?

[0:20:54] L: I would say, usually, yes. Nothing is perfectly secure. If you have an adversary that's willing to spend millions on developing zero-day exploits that will only work for two weeks, then you're in trouble. But then, you're in trouble, whatever you're doing.

[0:21:12] LA: Right, right.

[0:21:13] L: That was one funny element about this Snowden ordeal, that in the NSA papers he leaked, there was some writing on how the NSA was annoyed by Tails, because it was so hard for them to get proper data on all these people that were using it.

[0:21:33] LA: Right. It was very effective in that case. You talk about resources can break anything. I would think, if I were in the BOAK group, the group that's against the Russian army, I would be very worried, because certainly, Russia is a state that has the resources and the knowledge and expertise in order to break many different security systems. I imagine, if they haven't yet, they probably could break through Tails if they really wanted to.

[0:22:08] L: Perhaps. Yeah, maybe. But it's going to cost them a lot. These are people that are taking huge risks anyway. There's a fair amount of them who are actively engaged in armed conflicts with the Russian state. You can also get shot. Their whole risk appetite is on a completely different level.

[0:22:31] LA: That's true. That's true.
The risk profile of someone in BOAK is probably very different than the Mexican filmmaker, who wants to keep his stuff secret, or even the Brazilian women who obviously want to be kept secret and obviously, they are facing very serious personal ramifications. Yet, they don't - their enemy, so to speak, is not as well organized, or has as much expertise to be able to break through it.

[0:22:59] L: Yeah. It's one thing I found interesting to learn from the FBI Facebook crack was that it cost them six-figure numbers to have this exploit developed and the exploit worked for, I believe, two weeks in total. Then it was patched in the next update. I don't think there's many adversaries who can sustain throwing six-figure numbers every two, three weeks to keep someone with Tails infected, or to keep exploiting Tails users. That's going to get very costly very quickly.

[0:23:36] LA: The target is also moving, too, right? The attacks against Tails are becoming more sophisticated, but Tails itself is also becoming more sophisticated. Now, I'm assuming, as some vulnerabilities appear, you're able to look at them and fix them and move forward. How much attention is put on Tails right now to keep improving the security aspects and the privacy aspects?

[0:24:07] L: That's an ongoing issue. I mean, a lot of the work is honestly quite boring maintenance work. It's releasing updates. After the incident with the Facebook hack, we did first make some - because what we believe about that exploit was that the guy was tricked into opening a video file that exploited a known vulnerability in Totem, the video player, which probably then used a thing we call the unsafe browser. There's a problem with Tails with captive portals, that if you start Tails and you have a captive portal in front of your internet connection, you need a normal browser first before you can make a Tor connection.
That's why we ship the so-called unsafe browser, which is the only application in Tails that doesn't use Tor. That was also a means to de-anonymize someone at the end of an exploit chain. The payload of the exploit probably used the unsafe browser to leak IP information externally.

[0:25:19] LA: Broadcast information.

[0:25:21] L: Now, that's patched by now. There's AppArmor rules preventing that. You can also completely disable the unsafe browser at startup.

[0:25:30] LA: During my research, I also discovered a Hacker News post by someone who talked about a root vulnerability for blocking system firewalls for non-Tor connections. I'm assuming, things like that come up, I'm sure, all the time and you're able to patch those when they become known.

[0:25:49] L: Yeah. We tend to follow Debian in there for most of the security updates, specifically for the kernel as well. They do quite an amazing job at keeping on top of things. I think the user-to-root exploit thing, I think, that what you mentioned there was someone comparing Tails to Whonix. Because if you have an exploit that lets you become root on a Tails system, you can actually bypass its firewalling and get it to not use Tor. Yeah, then you would need an exploit chain that first, brings a payload to the user, which isn't completely trivial. You need some kind of social engineering, or something for someone to either open a file, or go to a certain page, or whatever. Then you need to have that payload somehow break out of its application and get execution rights. Then on top of that, you need an escalation to root.

[0:26:47] LA: Three very difficult steps.

[0:26:49] L: Well, one is quite doable. I mean, getting someone to open a file is pretty doable. Two definitely non-trivial steps, yes.

[0:26:58] LA: Yeah. Yeah.

[0:27:00] L: Yeah, when you compare it to, I mean, there's another system called Whonix, who use a separate virtual machine for routing, where everything is routed out over Tor.
In theory, that is a very good solution. Yeah, you get problems with things like captive portals, and running a separate virtual machine also has its downside in terms of usability, trying to explain to users, "Hey, set up a virtual machine." Not really what you want to be doing if you're busy with human rights stuff.

[0:27:34] LA: Right. Yeah. It takes a level of technical knowledge and expertise that people may not have who need it, or may not have time, or capabilities to deal with when they're dealing with other more important issues.

[0:27:49] L: Yeah, exactly. One of our main focuses on Tails is to make it as easy to use as possible. Because we think that security depends on usability. If people aren't sure on how to use something properly, their security goes down, because there's quite a good chance that they make mistakes.

[0:28:06] LA: Makes a lot of sense. We're coming near the end here. Is there anything you want to add about Tails, or anything you want our listeners to know about Tails, or about your organization in general?

[0:28:20] L: Our organization in general. Oh, yeah. It might be good to know that we are, of course, a non-commercial entity and very dependent on donations. People can go to our website on tails.net to see how that's done. It would be much appreciated.

[0:28:35] LA: Well, my guest today has been Ludo, the pseudonym for one of the members that builds and maintains Tails, a hyper-secure, anonymous operating system. Ludo, thank you for being on Software Engineering Daily.

[0:28:48] L: Thank you for having me.

[END]