Better strategy for dealing with malware on the SVS #160
Comments
|
We had been talking about this and while the documentation doesn't reflect the new install yet. It was planned to add that to their process. The journalist would have (1) 64GB drive for their personnel tails use (not the airgapped machine). (1) 64GB usb flash drive used for sneakernetting file back and forth to airgapped viewing station, (1) small <1GB drive for the airgapped viewing stations tail OS that would contain the private gpg key and 3rd party packages. (2) 500GB external hard drives for cold storage of encrypted documents. |
|
It might pay then to restrict the available extension types to known image, video and document types as one possible implementation because journalists adding in their own 3rd party packages to use with TAILS just sounds to me like an invitation for a FINFISHER type of attack. The viewing station could then be best run on a DVD-R read only TAILS boot with the GPG key burnt into it? Transporting files to be decrypted and viewed might be best done on small disposable USB drives, 'burners' or whatever other nickname you want to give to them, use them once and destroy them ( furnace ). Or is that going a bit too far? |
|
@Taipo I've considered putting in the journalist best practice guide that journalists have a bucket of cheap USBs they use for transport. Once they use one once, they throw it out. |
|
Hmmmm now that I think about it, that then unfortunately creates the possibility for a KleptoDumpsteralogical Attack ( don't bother googling that, i just made that one up ) if the odd journo does not wipe and dispose of the great pile of USB sticks correctly. Not to mention, buying that many on a regular basis could put them at risk of being sold 'preloaded' USB sticks from a national security lettered USB stick supplier...that may sound a bit far fetched, and maybe it is, but the harder we make this thing to crack, the more an adversary is left to such tactics which are currently being used for example against criminal gangs that buy burner cell phones by the boatload. But certainly worth brain storming about, food for thought I guess. |
|
Ok, I'm proposing the following:
@dolanjs is the Journalist supposed to use Tails on their personal workstation? I think that would be a good idea. |
|
@diracdeltas yes they are suppose to use Tails on their personnel workstation when accessing the document interface. Also think that the USB stick for transfering files from the document interface to the airgapped host and the USB stick that transfers the files encrypted w/ the journalist's personnel gpg key for publication from the airgapped host to a non tails OS should be different physical USB sticks. |
|
@diracdeltas nope, I wrote to copy it to the persistent volume, but really all I meant was copy it off of the USB stick, so that when they decrypt documents they don't end up there. Also, non-persistent storage lives in memory. So if the documents are too big to fit into memory you'll have to use persistence. But this is an edge case. However I'd also like to point out that this whole process is starting to seem very cumbersome, and like it can only be operated by experts. If we keep moving in this direction I think it's likely that journalists just won't follow the best practices. I don't have any better suggestions though. |
|
I second Micah's concerns about usability. Have we considered using read-only media (CDs, DVDs) to copy files from the document interface to the viewing station? Would that prevent exfiltration of plaintext? |
|
@garrettr I don't see how using read-only media in the document-interface-to-svs step solves the problem of plaintext exfiltration, since all the files need to get copied to the Tails drive for decryption. I was assuming any attacks from malicious files would happen after decryption. I agree that it seems like a huge usability cost to require journalists to decrypt files one source at a time. Maybe we could come up with a reliable way for them to check whether files had been modified between getting taken off the Document Interface and getting taken off the SVS. |
|
Discussed this with @diracdeltas, we agreed that using read-only media as part of the journalist's regular workflow would help reduce the attack surface and opportunity for exfiltration. However, they will eventually have to use writeable media to copy decrypted submissions elsewhere, either to work on them more (we can't assume a journalist will be able to do everything they need with Tails) or for publication. We also agreed that this is a low priority for now. |
|
Marking as "Pending close" because this is in general covered by the Reading Room / journalist workstation. |
|
Agreed, the strategy here is the SecureDrop Qubes workstation, where each submission will be opened in a Qubes DispVM. Opened followup there: freedomofpress/securedrop-workstation#26 |
The current docs say, "As long as you're using the latest version of Tails, you should be able to open any document that gets submitted to you without the risk of malicious documents compromising the Viewing Station. However, if they do compromise it, Tails is designed so that the next time you reboot the malware will be gone."
I can think of a couple potential issues with this:
Fixing (1) might be especially hard because journalists will want to copy external software packages to the persistent volume so that they can be auto-loaded for viewing file types that TAILS doesn't natively support. It seems like it wouldn't be hard to hide malware in one of these packages.
The text was updated successfully, but these errors were encountered: