
John Doe and the Pigeon Tails

Nathan Vaz

The purpose of this project is to create a solution for users to communicate securely and privately over the Internet. By creating bootable USB disks running the secure Linux-based operating systems Tails and JonDo-LiveDVD, the project will test the capabilities of Internet traffic anonymiser services such as Tor and JonDo through an Instant Messaging (IM) application. The project will also explore the role of authentication over using the Off-the-Record (OTR) plugin extension.

ITNET306A – Major Project Individual J. Doe & Pigeon Tails

Table of Contents

INTRODUCTION
LITERARY REVIEW
BACKGROUND
SPY VS. (SPY)
APPLICATIONS
PLATFORMS
TECHNOLOGIES
MATERIALS
HARDWARE
    USB Flash Drives
    Computer
OPERATING SYSTEMS
    Tails OS
    JonDo-LiveDVD
SOFTWARE
    Virtual Box
    KeePassX
    Pidgin
    VeraCrypt
    JonDo/JAP
METHOD
TAILS PLATFORM
JONDO-LIVEDVD PLATFORM
FIRST LAUNCH
    Tails
    JonDo-LiveDVD
MOUNTING
JONDO
PIDGIN
TAILS
JONDO-LIVEDVD
PIDGIN OTR Q&A
USER INSTRUCTIONS
TAILS
JONDO-LIVEDVD (PC ONLY)
USING PIDGIN AND OTR
    Not Private
    Start Private
    Why Private?
RESULTS
STICK 1: RED
STICK 2: BLUE
STICK 3: GREEN
CONCLUSION
REFERENCES
APPENDICES
APPENDIX 1 – RED
APPENDIX 2 – BLUE
APPENDIX 3 – GREEN
APPENDIX 4 – YELLOW


Introduction

Whilst many Internet users currently communicate with each other or access various web services without much consideration for data , the aim of this project is to change the perspective of those types of users. This project features instructions on how to create a system of communication that can remain as private as possible both over the Internet and even on users’ own hardware.

Essentially, this project creates a network of users that can securely communicate with each other over the Internet and even have a method of authenticating the other users without the need for any unsecure side-channels (other methods of communication). The technologies that are chosen for this project also enable the communication to not be recorded or logged by other users or third parties. The way that this project is constructed also allows for the quick deletion of what a user is doing.

The overall structure of the final product will look something like:

• A USB stick
• A Bootable “Live”
• A secure Internet traffic anonymiser
• An Instant Messenger (IM) application
• An encrypted partition
• Pre-authorised users
• Encrypted authentication methods

Although the usage scenarios for the end product could be considered potentially nefarious, the portion of the wider user population that values its privacy highly would find this project an interesting experiment in how to go relatively “Low-Fi” with Internet communications.


Literary Review

Background

After revelations were made by whistle-blower Edward Snowden in 2013 about mass surveillance methods used by the NSA and other intelligence agencies around the world, the world was shocked into action. “706 million people have changed their behaviour on the Internet because of what the NSA and GCHQ are doing.” (Schneier, 2014). Based on consumer surveys, Schneier observed that many of the 706 million users would not have changed their behaviours strongly enough to yield much effect against surveillance. This research is aimed at the large sections of the general population that wish to maintain their personal privacy but might not know how. Among the general public’s concerns about privacy, one might note that a large majority of that public would not possess the technical knowledge necessary to easily mitigate some of these concerns (CIGI, 2014). That is to say that even though technologies exist that can protect users’ privacy, they would not know how to use them. Even tutorials directly from a technology’s site can seem too advanced for some users.

The climate of vulnerable personal information privacy has reached Australian legislative shores through the implementation of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. The Act would compel internet service providers to store user metadata, which is broadly defined: “The set of metadata required to be retained is defined by reference to the following six types of information: the identity of the subscriber to a communications service; the source of the communication; the destination of the communication; the date, time and duration of the communication; the type of the communication; and the location of the equipment used in the communication.” (Attorney-General’s Department, 2015).


Spy vs. (Spy)

There is a faction of IT security that ranges from basic measures such as stronger passwords for users to the “ultra paranoid computing” that operates as though “every CPU in the universe is controlled by your adversaries” (nsf.gov, 2014). It is with a similar mindset that one might think about ideal security/privacy requirements from the point of view of a profession that implicitly has them: a spy. Whilst there might be a slightly delusional element to this practice, it provides a theoretical framework to protect against the better-funded entities in IT security, nation states.

Applications

For the purposes of this study, a main area of focus will be messaging applications, since they have a more clearly defined process in terms of source and destination. The Electronic Frontier Foundation (EFF) has produced a ‘scorecard’ that analyses the privacy considerations of popular messaging applications and rated Pidgin and CryptoCat among the most secure (EFF, 2015). Existing applications such as Thunderbird Mail, Pidgin and CryptoCat have various forms of privacy settings such as not storing certain conversation logs. These messaging applications also use protocols such as ZRTP as a method for authenticating users, MAC spoofing to disguise hardware components and LUKS compatibility for secure passkey storage. However, the feature that stands out is the OTR (off-the-record) protocol, used to encrypt the messaging exchange in ‘real-time’ and to authenticate users within chat applications (otr.cypherpunks.ca, 2015).


Platforms

Whilst the secure messaging applications can be a useful tool for users to circumvent privacy restrictions, one must also consider the operating systems they operate on and their relative vulnerabilities and/or mitigations.

For example, Windows operating systems are vulnerable to FREAK attacks, by which an attacker can export RSA keys. It is theorized that this vulnerability arose from old NSA and FBI ‘backdoors’ written into Windows that have been exploited (technewsworld.com, 2015). One of the key motivations to use a Linux-based operating system is that the open source nature of its distributions means that no ‘backdoors’ can be written in, even if agencies allegedly approach Linux’s creator directly to do so (slashdot.org, 2013).

Another strong security and privacy feature of interest was the ability to boot an operating system from a USB device for greater portability. Moreover, the mobile USB method could also offer ‘in-a-box’ virtual machine states, which could be much easier to use for some users. Virtual machine states can be easily configured and run as a whole package from hypervisor software such as VirtualBox or VMWare. However, running a virtual machine would still hold the inherent risk of the hypervisor’s operating system having a potential monitoring presence, such as key logging. Therefore, booting from a USB device has the added advantage of the base machine not being able to monitor the USB operating system.

From my findings, there are a number of Linux OS distributions that are tailored for these sorts of purposes. This study will focus on the distributions, Tails, JonDo and Kali. Tails and JonDo were chosen primarily for their live-DVD compatibility, which means they are relatively ‘light’ and can be ‘run’ from removable media i.e. USB sticks or SD cards. Kali will be used for its offensive security capabilities, which include but are not limited to Wireshark and OWASP-Zap among others for testing purposes. However Kali also has many of the features that JonDo and Tails have which can also make it a candidate for operations.


Tails has been regarded with a level of deference among the IT security fields and among many journalists due to its association with Edward Snowden during the NSA mass surveillance revelations (WIRED, 2014). Tails is seen as a popular tool since it operates in ‘Live mode’, meaning that by default, no information is stored when the operating system is shut down. For many of the networked applications in Tails, the user is strongly urged to use Tor.

Technologies

On a different level of Internet security lies the technology of ‘anonymised’ network traffic. The most common mitigation technique has been through Tor (The Onion Router) protocols, which divert traffic through various nodes to logically disguise the source and destination addresses of one’s web traffic. Tor is regarded as a connection tool to access the ‘’, a section of the internet notorious for nefarious activities such as drug trafficking, terrorism, etc. but also for whistleblowers and journalists at the same time (WIRED, 2014). However, Tor has been criticised recently since it may be compromised by law enforcement agencies that mimic ‘exit nodes’ within the Tor network and can log traffic going to and from that node (Chakravarty, 2014).

There exists another promising protocol for anonymising web traffic in the form of JonDonym. JonDonym is similar to the Tor network however it screens nodes to make sure they are not malicious actors or law enforcement by using certificate authorities to verify authentic servers (anonymous-proxy-servers.net, 2015). However, JonDonym only offers anonymisation for HTTP and FTP protocols for free with other protocols available for a fee. It is this adoption and integration of JonDonym that makes the JonDo Live-DVD distribution a suitable test case to compare against Tails.


Although the method of booting the platforms from a USB stick or as a virtual machine state seems like a suitable option to physically and logically separate an operating system from hardware, there are still physical vulnerabilities. Small removable media, i.e. USB sticks, have a tendency to be misplaced or used flippantly, so the operating systems and file systems on the devices would ideally be protected. In keeping with the mindset of circumventing nefarious nation states, one imagines USB sticks potentially confiscated by various agencies. While a popular method to mitigate this is to encrypt the drive, accessible with a passkey, in some scenarios one could be legally compelled to decrypt the drive by law enforcement agencies. However, if the volume(s) remain encrypted as well as hidden, third parties might not be able to see the encrypted volume(s), and therefore might not compel one to decrypt the volume(s). The technology used for this purpose is called TrueCrypt, which can be used to hide volumes on storage media and can be accessed by the user through encrypting the desired drive but also showing the drive as ‘free space’. Recent reports on TrueCrypt’s own download page warn users that TrueCrypt is currently compromised and temporarily recommend Microsoft’s BitLocker tool instead (sourceforge.net, 2015).

Whilst the above-mentioned technologies can be implemented as portions of existing systems, efforts to combine them into a cohesive platform that is easy to run by everyday users remain elusive. The outlook of some of the technology seems at a stall, but the combination of technologies could very well help the general population effectively address their privacy concerns.


Materials

Hardware

USB Flash Drives

Any portable USB flash drive will do the trick; it is recommended that a minimum 8GB storage capacity be used. However some larger disks are used to “disguise” the whole disk, for example a 16GB disk can be partitioned to look like an 8GB disk with the rest hidden and dedicated to the bootable operating systems and other secure partitions.

Computer

Any computer will do; the manufacturer and the original operating system it ordinarily uses do not matter, as long as there is access to the BIOS menu or the EFI menu on start-up. This project uses both PC and Mac devices.

Operating Systems

Tails OS

The Amnesic Incognito Live System was a very suitable choice as a platform since it is tailored towards privacy and has the features necessary for the operations of the project. These features include: not storing any data on its disk by default, connecting to the Tor network by default, being USB bootable, persistent partition configuration, and many other applications that are useful for any modern operating system as well as catering to a privacy focused user-base. Tails can be downloaded as an ISO file for free at https://tails.boum.org/download/index.en.html either by direct download or BitTorrent.

JonDo-LiveDVD

JonDo-LiveDVD is a relatively new operating system that is very similar to Tails; however, in the same way that Tails is focused on Tor, JonDo-LiveDVD is focused on JonDo, a network traffic anonymising tool. JonDo-LiveDVD also contains Tor functionality and a wider expanse of applications and services than Tails that cater to privacy focused users. One drawback of JonDo-LiveDVD as it relates to this project is its lack of persistent drives, which is to say that once the operating system shuts down, all configurations and saved data will be lost unless they are stored externally. The ISO file can be downloaded for free at https://anonymous-proxy-servers.net/en/software_more.html.

Software

Virtual Box

Virtual Box is free virtualisation software that will enable users to test OS environments and applications without much risk to hardware. It will be useful in this project as a method of installing Tails OS onto a USB stick and creating a bootable drive.

KeePassX

KeePassX is open-source software for Linux platforms that is used primarily for storing passwords. It can create password database files that are encrypted and easily transferable. It is pre-installed on both Tails and JonDo-LiveDVD operating systems. This project will use KeePassX as a method of storing the questions and answers necessary for OTR authentication between users.

Pidgin

Pidgin is an Instant Messaging (IM) application that is multiplatform and can be configured to use many different types of messaging protocols. However, due to the strict nature of Tails OS, only IRC and XMPP protocols are used. In this project we will be using XMPP since it requires fewer registration steps for new accounts; the accounts will be registered in the dukgo.com domain, as it is a free and relatively secure domain. Pidgin is pre-installed on both operating systems and also features the Off-the-Record (OTR) plugin for extra authentication methods between users.

VeraCrypt

VeraCrypt is the successor to TrueCrypt, which was largely discontinued in 2014; it performs the same functions as TrueCrypt. As it relates to this project, those functions mainly include creating hidden volumes that are stored and mountable from file formats. This project will use VeraCrypt to function as a persistent partition for JonDo-LiveDVD, providing the same features as Tails would have, namely: Pidgin configurations, KeePassX database storage and JonDo account information. Unfortunately, due to the aforementioned demise of TrueCrypt, Tails no longer supports the application in the OS package.

JonDo/JAP

JonDo is a network traffic anonymiser that is similar to Tor; however, JonDo screens its “nodes” (the servers used to connect and redistribute traffic) more securely than Tor. Tor was recently criticised for having some law enforcement agencies posing as exit nodes in some Tor networks, which meant they were able to monitor the traffic going through them. JonDo is installed by default on the JonDo-LiveDVD operating system and can be activated through a JonDo configuration tool on the desktop. However, it is worth noting that JonDo only encrypts basic web (HTTP/HTTPS) traffic for free. To encrypt the XMPP traffic needed for this project we must purchase a premium account.


Method

Tails Platform

To install Tails onto a USB drive, you first have to install Tails as a virtual machine. This was done through VirtualBox.

On the VirtualBox panel, click on New

A menu should appear with the following fields: Name, Type and Version. The name you choose is arbitrary (in this case it is just named Tails Copier); however, the Type and Version must be Linux and Other Linux (64 bit) respectively. Then click Continue.


Memory Size can be set as the default 512 MB but if you were to choose more, that is fine as well. Then click Continue.

Since this is a “Live” operating system it is not necessary to include a Hard Disk, however choosing the defaults for the next couple of steps is fine.


Finally click Create.


The new virtual machine will be created in the VirtualBox side panel. Highlight it and click Settings at the top.

Within those settings, navigate to Storage, select the CD/DVD icon under the Storage Tree and then click on the disk icon under Attributes. A drop-down menu will appear next to Optical Drive and you should navigate to the downloaded tails-i386-1.5.1.iso file and Open it.


While remaining in the Settings menu, it is important to make sure the virtual machine can write to the USB stick; this is done through the Ports tab by enabling USB Controllers.

Exit the Settings menu by clicking OK and return to the main VirtualBox home panel.

While making sure the Tails Copier machine is selected in the left column panel, click the Start button along the top of the window.


A new window will open with two options, Live or Live (failsafe); just let this step continue, since Live will be chosen by default in 5 seconds.

On the next options given, click Yes and Forward.


The password doesn’t have to be secure; it is simply for root access and other administration tasks for now. Leave the other settings in their default status, as they won’t matter too much.

Once the virtual machine is up and running, make sure the (correct) USB stick is accessible to Tails through the following path.


The next step is to navigate to the Tails Installer through Applications > Tails > Tails Installer and then the following window will appear.

Click on Clone & Install, and make sure the Target device is the correct one and click Install Tails.

Remember that in this setup the USB device will be reformatted, completely erasing anything stored on the drive.


The successful installation will look like the image below. You can exit the installer tool and remove the USB stick.

You now have a bootable USB device capable of running Tails independently from a virtual machine.


JonDo-LiveDVD Platform

Creating a bootable USB for the JonDo-LiveDVD operating system is much simpler.

To start, download the Universal USB Installer and the JonDo-LiveDVD ISO file. Open the Installer and select Try Unlisted Linux ISO in step 1, navigate to your downloaded ISO file in step 2 and select the USB’s drive letter. Click Create.

The program will extract the ISO and copy to the USB drive. When the process is complete a window like the one below will eventually appear and you have a bootable JonDo-LiveDVD USB.


First Launch

To launch the bootable Tails or JonDo-LiveDVD USB sticks on a machine requires some setup when starting up your machine.

• Start with a powered off PC and plug the bootable USB in.
• When powering on your PC, access the BIOS page (usually the F2 button) before the default operating system launches. Note: The option to launch BIOS can go by quite quickly.
• Once in the BIOS page, find an option that says Boot order. Rearrange the boot order so that the USB stick is the first option. Save and exit the BIOS settings.
• This should start the boot process from the USB stick.

For Mac platforms the process is a little different and unfortunately the JonDo OS cannot be booted from a Mac.

• Start with a powered off Mac and plug the bootable USB in.
• Power on the Mac while holding the Option key. This will display two options: either the usual Macintosh Hard Drive with a disk drive icon or EFI boot with a flash drive icon. Select the EFI boot.
• This should start the boot process from the USB stick.

Tails

Tails will begin the same way it did during the virtual machine instance.

It is very important to click Yes for “more options?” and assign a root (admin) password.

Once Tails has started, it is important to create persistent partitions.

Open the Configure Persistent Volume tool found under Applications > Tails

It will prompt you to create a password for the volume. This will be the password that will eventually be given out with the final sticks.

The persistent volume will be created.


A series of options will be presented as to what kinds of data will be preserved in the persistent volume.

Select Personal Data and Pidgin.

For the persistent volume to be applied the OS must restart. Shut down Tails.

JonDo-LiveDVD

For JonDo-LiveDVD, there are no persistent volume capabilities; however, one can still import configurations and settings from an external source or in this case the partitioned USB drive XXXXXX

From within JonDo-LiveDVD, open VeraCrypt through Applications > Accessories.

Click Create Volume.

A setup wizard window will appear.

Select Create an encrypted file container.

Select Hidden VeraCrypt volume.

Under Volume Location, select the name and location of the encrypted volume.


Select the encryption method as AES (Twofish(Serpent)) and the Hash algorithm as SHA-512.

The Outer Volume doesn’t need to be huge so only allocate 20 MB for the size.

The Outer Volume password can be anything, it is not overly important so just enter password for now.

Click Format after the mouse has moved around a bit and randomised the pool. You will then be prompted to enter your Admin password.


You should now find the newly created volume and copy some “junk” files in there that look important with names like ClientList.doc or FinancialInformation.txt etc.

Back in the VeraCrypt wizard, you should proceed to hit Next and then configure the Hidden Volume.

The steps for configuring the hidden volume are similar to creating the Outer Volume, with the notable exception that the password chosen must be different to the Outer Volume password. In this case it is Hiddenpidginconfigfiles.

Continue the steps as you would on the Outer Volume and then click Format.

The Hidden Volume is successfully created. Important Note: Never modify the Outer Volume or the Hidden Volume will be corrupted.


Mounting

To access the Volumes you have to click an empty slot in VeraCrypt and then the Select File button. Navigate to the file, in this case pidgin store jondo.

Then click Mount down the bottom.

VeraCrypt will ask for a password, depending on whether or not you wish to access the Outer or Hidden volumes you can select either password i.e. password for Outer and Hiddenpidginconfigfiles for Hidden.

Mount the Hidden Volume.

The Hidden Volume will now be accessible through the Thunar file system.


JonDo

To start up the JonDo anonymiser software, click the JonDo icon on the desktop.

By default, the anonymiser will only enable certain protocols in the free version (which does not include Pidgin in this version).

To purchase a paid account there are several payment options; the easiest and quickest method is to go through PayPal. JonDo will copy the payment URL to the clipboard and you have to open up a browser to continue the payment. Note: PayPal requires cookies enabled.

After payment is accepted in the JonDo will create an account; however, since there are no persistent volumes, the account information must be stored within the VeraCrypt Secret Volume.


Click the Backup button, navigate to the VeraCrypt hidden volume and save it there. You will then be prompted for a password; this can be anything. The password will be used when Importing the account later on.

The account file is now saved on the Hidden volume and can be accessed in other sessions of JonDo-Live.


Pidgin

Tails

Open up the KeePassX application along the top home bar.

Go to Extras > Password Generator

Select the password length to be 42 characters, tick the boxes Enable entropy collection and Collect once per session and then click Generate.

An entropy collection window will be created and once it has completed, a random 42 character password is generated.

Keep this window open over the next couple of steps.


Open up Pidgin

A couple of windows will open, Buddy List and Accounts.

In the Accounts window click Add.

The image below shows the configuration settings of an account. The username green1747 can obviously be replaced with whatever you wish; the password is copied from the generated KeePassX password and is remembered; and the box “create this new account on the server” is fairly self-explanatory but should only be ticked when first configuring the account.

A successfully added account looks like the image below with the Available status appearing.

Adding a buddy is done in the Buddy List.

You can pre-assign buddies in each account but they will not fully authorise until later in the Off-the-record process.


In the Tails USB sticks the Pidgin configurations such as Buddy List and OTR keys will be saved to the persistent partition that we set up earlier. So on next login, the Pidgin account that was set up would be automatically logged in with the buddy list ready to go.

JonDo-LiveDVD

The JonDo-Live setup is a little different since there is no persistent partition.

Starting up Pidgin in JonDo-Live is a little different because there is an option of which type of proxy we want to use. Since we have the premium account set up, we can use the JonDo proxy.

The process for setting up accounts, complex passwords and buddies is exactly the same as on Tails.

The difference arises when making sure the Pidgin account is accessible when restarting the system.

Once all the Pidgin settings are to your liking:

Open up the Thunar file system tool (the hammer icon tool down the bottom). Navigate to /home/user/ and press Ctrl+H to view the hidden files.


Copy the .purple folder to your VeraCrypt Hidden volume that was set up earlier (step XX).
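The copy step above can also be scripted. The following is an added example, not part of the original project: it refuses to write unless the target is really a mounted volume, checks that the profile is complete, and restores it with owner-only permissions at the next boot. The mount point /media/veracrypt1 and the function names are assumptions; the file names are the ones Pidgin and its OTR plugin use inside .purple.

```python
import os
import shutil
from pathlib import Path

# Files Pidgin and its OTR plugin keep inside ~/.purple. accounts.xml holds
# the remembered account password in plain text and otr.private_key holds the
# OTR identity key, so the copy must only ever land on the encrypted volume.
EXPECTED = ("accounts.xml", "blist.xml", "otr.private_key")


def _replace_tree(src, dst):
    """Copy src to dst, discarding any stale copy at dst first."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def backup_purple(home, volume, is_mounted=os.path.ismount):
    """Copy <home>/.purple onto the mounted hidden volume."""
    src, volume = Path(home) / ".purple", Path(volume)
    if not is_mounted(volume):
        # If nothing is mounted the path is an ordinary directory, and
        # writing there would leave the secrets outside the encrypted volume.
        raise RuntimeError(f"{volume} is not a mounted volume, refusing to copy")
    missing = [name for name in EXPECTED if not (src / name).is_file()]
    if missing:
        raise FileNotFoundError(f"{src} is missing {missing}")
    dst = volume / ".purple"
    _replace_tree(src, dst)
    return sorted(p.name for p in dst.iterdir())


def restore_purple(volume, home, is_mounted=os.path.ismount):
    """Copy .purple from the hidden volume back into a fresh live session."""
    src, dst = Path(volume) / ".purple", Path(home) / ".purple"
    if not is_mounted(Path(volume)):
        raise RuntimeError(f"{volume} is not a mounted volume, nothing to restore")
    _replace_tree(src, dst)
    # Owner-only permissions: directories 0700, files 0600.
    os.chmod(dst, 0o700)
    for path in dst.rglob("*"):
        os.chmod(path, 0o700 if path.is_dir() else 0o600)
    return dst


if __name__ == "__main__":
    # Assumed paths: the JonDo-Live home directory named on this page and
    # VeraCrypt's default mount point for slot 1.
    print(backup_purple("/home/user", "/media/veracrypt1"))
```

Pidgin should be closed before either function runs, since it rewrites these files while it is open.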


Pidgin OTR Q&A

Off-the-Record is a protocol used within Pidgin to authenticate users and ensure private messaging with no conversation logs kept. One of the authentication methods used is a question and answer method, for example:

1. Red will ask Blue a question Q1 with an expected answer A1.
2. Blue will receive the question Q1 and a field to answer.
3. Only if Blue answers the correct answer A1 will Red consider Blue as authentic.
4. Blue will then send Red a question Q2 with an expected answer A2.
5. Red will receive the question Q2 and a field to answer.
6. Only if Red answers the correct answer A2 will Blue consider Red as authentic.
7. Now the conversation is guaranteed authentic on both ends.

This step designs the questions and answers.

This step is best done within a VirtualBox virtual Tails machine.

Attach a separate USB drive for the purpose of storing the various question and answer folders for each user.

Open up KeePassX and click the New Database icon (directly under File). A window will appear requesting a password; this can be anything secure. You should also generate a key file stored in the USB folder.

Create a new email entry under the name of the question direction, i.e. Red asks Blue. The username will be the question itself, “what time is it?”, and the password will be a generated password. Repeat the process in reverse, i.e. Blue asks Red, with a different username (question) “who won the game last night?” and a different generated password (answer).

Continue the procedure for however many users are in the designed system. In this project, as a proof of concept, there are 4 total users: Red, Blue, Green and Yellow. The full configurations are in the corresponding Appendices.

Create folders on the USB stick based on how many users are in the system; in this example we will follow the Red folder. The Red folder will have the questions and answers of BlueAsksRed, RedAsksBlue, GreenAsksRed etc. This makes logical sense, ensuring for example that the Red user does not know the exchange requirements between Green and Blue.


Save the KeePassX password database into the corresponding user folder on the USB stick as well as the generated key file.

Start up the various bootable USB sticks, insert the KeePassX USB and copy the corresponding user folder containing the password database files and key files, either to the Personal Files persistent partitions on the Tails or the VeraCrypt Hidden Volume for JonDo-Live.

Each Tails USB stick persistent partition should include:

• The pre-saved Pidgin XMPP duckgo account and buddy list.
• A KeyPassX database which requires a password and keyfile.

Each JonDo-Live USB stick hidden VeraCrypt volume should include:

• The copied .purple Pidgin configuration files, which contain the pre-saved Pidgin XMPP duckgo account and buddy list.
• A KeyPassX database which requires a password and keyfile.
• A JonDo/JAP anonymiser account configuration.
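The per-user split described in this section can be checked mechanically before the sticks are handed out. The following Python code is an added example, not part of the original report: it models each user's database as a dictionary (it does not read KeyPassX files) and audits that every user holds only the entries involving them and that both ends of each pair store identical values. The function names and the placeholder questions are assumptions made for illustration.

```python
import secrets
import string
from itertools import permutations

USERS = ["Red", "Blue", "Green", "Yellow"]  # the four users in this project
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_answer(length=42):
    """Random answer from a CSPRNG, standing in for a KeyPassX generated password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_master(users):
    """One entry per ordered pair: 'RedAsksBlue' -> (question, answer)."""
    master = {}
    for asker, responder in permutations(users, 2):
        title = f"{asker}Asks{responder}"
        # Constructed placeholder question; a real setup uses the agreed questions.
        master[title] = (f"constructed question for {title}", generate_answer())
    return master

def user_view(master, user):
    """Only the entries in which `user` is the asker or the responder."""
    return {t: qa for t, qa in master.items() if user in t.split("Asks")}

def audit(views):
    """Return a list of problems found across the per-user databases."""
    users = sorted(views)
    problems = []
    for user, view in views.items():
        expected = {f"{a}Asks{b}" for a, b in permutations(users, 2) if user in (a, b)}
        for title in sorted(expected - set(view)):
            problems.append(f"{user}: missing {title}")
        for title in sorted(set(view) - expected):
            problems.append(f"{user}: holds third-party or unknown entry {title}")
    for asker, responder in permutations(users, 2):
        title = f"{asker}Asks{responder}"
        a, b = views[asker].get(title), views[responder].get(title)
        # Both ends must store the same question and answer, character for character.
        if a is not None and b is not None and a != b:
            problems.append(f"{title}: {asker} and {responder} store different values")
    return problems

if __name__ == "__main__":
    master = build_master(USERS)
    views = {u: user_view(master, u) for u in USERS}
    print(audit(views) or "all databases consistent")
```

With four users this yields 12 directed entries in total and 6 in each user's folder; a missing entry, a duplicated third-party entry or a one-character difference in an answer is reported by `audit`.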


User Instructions

Tails

Start with a powered-off PC or Mac

Insert the USB drive

PC: Turn the computer on and quickly press F2 to access the BIOS menu

Navigate to a “Boot Order” option and select the USB disk as the first option

Mac: Turn the computer on while holding the Option button

Select the EFI boot option.

Tails will start and you will be presented with two options

Select yes for both and enter the Persistent Password

Assign an admin password of your choosing and leave the default options, unless the Network Connection requires a proxy setup or password, in which case select that option.

Apply the appropriate Internet connection settings in the icon on the top-right of the screen.

Wait for Tor to start automatically; a notification will appear in the same area.

Click on Places and go to the Persistent folder

Open the Folder

Open the PidginQA file with KeyPassX

Enter the and use the other file within the folder as the key file.


JonDo-LiveDVD (PC only)

Turn the computer on and quickly press F2 to access the BIOS menu

Navigate to a “Boot Order” option and select the USB disk as the first option.

The landing page will offer options; you should:

Choose the default firewall settings

Set a sudo (admin) password

Open the Thunar file manager

Navigate to the other partition on the USB drive.

Open the VeraCrypt file with VeraCrypt (right-click, open with other program) and mount the volume

Enter the Hidden Volume password.

Copy the .purple folder within the newly mounted Hidden Volume (should be located at /media/veracrypt1)

Note: you may have to press Ctrl+H to view the .purple folder.

Open the Folder

Open the PidginQA file with KeyPassX

Enter the and use the other file within the folder as the key file.

Open another window of the Thunar file manager

Navigate to /home/user/

Press Ctrl+H to view the hidden files

Delete the .purple folder

Note: If an error occurs, open the .purple folder, delete its contents and try again.


Paste the .purple folder from the Hidden Volume

Open JonDo by clicking the JonDo icon on the desktop

Click Config…

Select Payment in the left column

Click the Import button

Navigate to the mounted Hidden Volume and select the Account File (.acc extension)

Enter the JonDo password

Note: If an error message pops up about non-anonymous connections, click Yes


Using Pidgin and OTR

Open Pidgin

Preloaded buddies will appear Not Authorized until the following message appears. The corresponding account also receives the same message.

Not Private

When both accounts click Authorize they can now chat to each other.

Start Private

You will notice, however, that there is a status in the bottom-right of the chat window that says Not Private. To start a Private message, one of the users must click Start Private Conversation.

Two private keys are generated for each user

The conversation will still read as an Unverified user until one or both parties Authenticate the other.


The options for verification are stored in the KeyPassX database file, and would be copied over to the Authentication question and answer fields.


The other buddy will receive an authentication request, which they have to answer correctly. If the KeyPassX files are configured properly, the recipient should have the correct answer stored.

Successful authentication also encourages the user to authenticate back.

The process is similar, with another pre-specified question and answer.


Finally, when both users are authenticated successfully, the icon at the bottom of the chat windows will read as Private.


Why Private?

As you can see from the debug window below, the Private conversation feature of Pidgin does not send or store any messages in plain text.

However, when the chat exchange is not private, the messages can be seen in plain text.


Results

Four bootable USB sticks were created, two running Tails OS and two running JonDo-LiveDVD.

Stick 1: Red

It is shown in the image above that Stick 1 started out as a 16GB disk and was partitioned to create the Untitled volume of 7.9GB, so that it looks like a regular USB stick when plugged into a regular running machine, since the Tails and Encrypted volumes would not automatically mount when plugged into a regular computer. This would make it hidden enough for the average user. The Tails partition contains the live bootable operating system, and the Encrypted partition is the configured persistent partition that contains the Pidgin configurations and KeyPassX Q&A database files and is capable of storing more information from the Tails OS during operation.

Stick 1 is associated with Red configurations and passwords detailed in Appendix XX.


Stick 2: Blue

Stick 2 also started out as a 16GB drive and was partitioned into two, so that the JonDoTest volume would look like a regular 8GB USB. However, unlike the Tails partitioned volume, the UUI partition shows up as well when booted into a regular operating system. The UUI partition contains the JonDo-LiveDVD bootable OS and the JonDoTest partition contains the VeraCrypt file, which can later be mounted as a volume to reveal the Pidgin configurations, KeyPassX Q&A database files and the JonDo premium account information. Though the whole purpose of using live operating systems is to minimize the amount of stored personal information, if it is really necessary to save files, the JonDoTest partition seems like the best bet.

Stick 2 is associated with Blue configurations and passwords detailed in Appendix XX.


Stick 3: Green

Stick 3 was originally an 8GB USB stick that is now completely partitioned to accommodate the Tails OS and persistent partition. Similarly to Stick 1, the Tails partition features the bootable Tails OS, and the Encrypted partition features the Pidgin configurations and KeyPassX Q&A database files and is capable of storing more information from the Tails OS during operation. Since there are no other volumes partitioned onto the disk, the disk is not readable when it is plugged into a regular operating system.

Stick 3 is associated with Green configurations and passwords detailed in Appendix XX.


Stick 4: Yellow

Stick 4 started as an 8GB USB stick and has a single partition that holds only the JonDo-LiveDVD OS. Much like Stick 2, the UUI partition that contains the operating system does show up when inserted into a regular OS. However, since JonDo-LiveDVD does not have persistent partitions or a segmented partition on the disk, the only option for configuring the Pidgin, KeyPassX Q&A files and JonDo account information is to store them on a separate device altogether. While still keeping the theme of securing as much as possible, it will still be configured as a VeraCrypt file capable of being mounted.

Stick 4 is associated with Yellow configurations and passwords detailed in Appendix XX.


Conclusion

As this project has progressed it has become evident that between Tails OS and JonDo-LiveDVD OS, the need for secure and anonymous Internet traffic is steadily met. Through the ease of use with Tails’ auto-configuration and auto-connection to Tor networks, users who are concerned about privacy are gently introduced to the capabilities of Tor. Users who are more concerned about the compromised exit nodes of Tor can explore the JonDo protocol with more secure servers even if it does come at a price.

As a proof of concept testing instant messaging (IM) services as anonymously as possible, this project managed to reveal some of the shortcomings of each operating system, whether the lack of certain features due to reputation (i.e. True/VeraCrypt being scrapped from Tails OS) or the inconvenience of having no all-in-one solution (such as persistent drives not being configurable on JonDo-LiveDVD). The shortcomings are emphasised when they are combined with different partition configurations on the overall USB devices, with JonDo-LiveDVD requiring an entirely separate device just to store configurations.

A shining light of authentication methods stood out in the form of the Off-the-Record methodology, with its different possible methods of authentication as well as its ability to establish private messaging that does not store conversation logs.

Hopefully, this project can assist users with less technical ability to apply various setups to protect their privacy. Through using one of these privacy-focused operating systems to perform regular functions such as web browsing, users are made aware of just how many monitoring tools exist, such as cookies, metadata attached to files, unsecure connections and many more. The experience may be enough to put a user’s own online privacy into perspective.


Appendices

Appendix 1 – Red

Persistent Login: Gryffindorsarethebravest

Pidgin Account Details: Title: Red Username: [email protected] Password: 8]Qr!uhZ!eL,,HZiL2<.R#5{8P*et+#A9

KeyPassX: Filename: PidginQARed Key file: sysredlog Master: GryffindorPidgin

Q&A

Title: BlueAsksRed Username: how is the weather? Url: Password: ]/\[]&pDbh95+)'$U43&2[&4n:R) Comment:

Title: GreenAsksRed Username: what was the score last night? Url: Password: NR)8VD2Bh2*9qz?o(bHvT#{:'/c=rjz$]'bc9'wJhF Comment:

Title: RedAsksBlue Username: what time is it? Url: Password: =;d<,(X"sHm(r+xvf]Q(xS3q`Lz[Dk#Kt",xuS<.ei Comment:

Title: RedAsksGreen Username: who won? Url: Password: Cc[t(Ey?ffi)CN!uPpc{H'i`NL2 Comment:


Title: RedAsksYellow Username: how was your birthday? Url: Password: j*&9@7vb~y5CxB+i]g#Dx*rfF2{t;:4dRns!Q~gijA Comment:

Title: YellowAsksRed Username: when does the train come? Url: Password: 6G5D;d"&)@b#V6U)\J&B>5?^:5&6jJkvg[*G5MGAL/ Comment:


Appendix 2 – Blue

Outer Volume Login: password
Hidden Volume Login: Ravenclawsarethesmartest

Pidgin Account Details: Title: Blue Username: [email protected] Password: +(}mYBRWX):uDH[S"piV7,{a#]N7gU`}bntq{NZ;bb

KeyPassX: Filename: PidginQABlue Key file: sysbluelog Master: RavenclawPidgin

JonDo account number: 438555151752 JonDo export password: Dumbledore4589

Q&A

Title: BlueAsksGreen Username: when did that happen? Url: Password: 5xv8E4Xw$$}*y#sx,cpDvCV5C<7[R!9BqYv7QbTf`Y Comment:

Title: BlueAsksRed Username: how is the weather? Url: Password: ]/\[]&pDbh95+)'$U43&2[&4n:R) Comment:

Title: BlueAsksYellow Username: where is that peacock? Url: Password: ZQZx%bb,\zm{ePh&p.AGURx5[=\"Fb5?(m)3HMb=Xg Comment:

Title: GreenAsksBlue Username: how high can you jump? Url: Password: bBc"3P7SqR?z&cT+Pe95b[P44d+>sk!Vy}3YepY48? Comment:

Title: RedAsksBlue Username: what time is it? Url: Password: =;d<,(X"sHm(r+xvf]Q(xS3q`Lz[Dk#Kt",xuS<.ei Comment:


Title: YellowAsksBlue Username: who met kennedy? Url: Password: \(.TAG`8Z)LPRy8P:?YBY?$]W@>?Th!VDMX>HFB4%^ Comment:


Appendix 3 – Green

Persistent Login: Slytherinsarenottobetrusted

Pidgin Account Details: Title: Green Username: [email protected] Password: 4,7R']e^^,L/`qbi3]'fz9WBgtX#^ZRFt4DQ?burE}

KeyPassX: Filename: PidginQAGreen Key file: sysgreenlog Master: SlytherinPidgin

Q&A

Title: BlueAsksGreen Username: when did that happen? Url: Password: 5xv8E4Xw$$}*y#sx,cpDvCV5C<7[R!9BqYv7QbTf`Y Comment:

Title: GreenAsksBlue Username: how high can you jump? Url: Password: bBc"3P7SqR?z&cT+Pe95b[P44d+>sk!Vy}3YepY48? Comment:

Title: GreenAsksRed Username: what was the score last night? Url: Password: NR)8VD2Bh2*9qz?o(bHvT#{:'/c=rjz$]'bc9'wJhF Comment:

Title: GreenAsksYellow Username: who controls the fax machine? Url: Password: sK"Mb`bLS,ad~2a2m'5pPJ7PW?\y8J&F/B5EA"m#3P Comment:

Title: RedAsksGreen Username: who won? Url: Password: Cc[t(Ey?ffi)CN!uPpc{H'i`NL2 Comment:

Title: YellowAsksGreen Username: how did the cow get inside? Url: Password: {&;:~#5r'6t\NiL"/R<%+^*8K"hgDJW+/rmvC}9LS]


Appendix 4 – Yellow

Outer Volume Login: password
Hidden Volume Login: Hufflepuffsarethekindest

Pidgin Account Details: Title: Yellow Username: [email protected] Password: E$EDDho^8Z;W)r*7$dzg2G#UoG+2H~=Fo+C9jbD+Kf

KeyPassX: Filename: PidginQAYellow Key file: sysyellowlog Master: HufflepuffPidgin

JonDo account number: 438555151752 JonDo export password: Dumbledore4589
