
From Tails to Whiskers: How We Created a Secure Investigation Framework

At Tactical Tech we sometimes experiment with creating tools and software that we think are needed but that do not yet exist. At a recent Digital Investigation Camp, members of our team worked together with a small group of partners to address a distinct need: the ability for investigators to remain anonymous while conducting digital investigations. More specifically, we experimented with ways to use open-source tools to create a robust and durable computing environment that investigators could easily deploy when working in critical situations. To do so, we built upon existing software – namely, Tails and Tor – to prototype a new tool, which we call Whiskers. Our aim was to help investigators do their work effectively, by running Whiskers on top of Tails, while remaining anonymous. Here, you can read about the journey of that idea, from its inception to its realisation.

SIFT Project Lead: Chris Walker

Authors: Chris Walker and Tactical Tech

* *

My computer locked up while I was sitting on the warm stone steps of a 17th-century Franciscan monastery overlooking a small bay off the Adriatic, trying to keep both my superheated ThinkPad and my rapidly warming beer within a small pocket of shade that, through no fault of its own, refused to stop drifting eastward. I was revising a series of guides for a target audience of journalists and researchers, the sensitive nature of whose investigative work -- and the aggressive nature of whose adversaries -- might give them cause to use the Tails operating system as a way to compartmentalise their reporting, protect their sources and preserve their anonymity.

All things considered, a frozen laptop on a hot summer day struck me as a good problem to have. My backup was relatively fresh, and -- as someone whose livelihood requires pretending to understand computers -- I am familiar with advanced troubleshooting methodologies that allowed me to press and hold my power button for four seconds, leave it alone for two, and then press it once more while rolling my eyes in case anyone was watching. My operating system's subsequent unwillingness to boot, combined with my own inability to leverage the techniques that had served me so well in the past (weekends misspent indoors, scouring Stack Exchange for the wisdom of my betters), started me on an 18-month journey.

I survived the remaining week of our Digital Investigation Camp thanks to a bootable Tails USB stick that I had created while drafting the guides mentioned above. By writing and dogfooding various scripts that allowed me to do moderately complicated things with Tails, I was able to use it exclusively throughout the year. And, the following summer, I found myself back in Montenegro with a small team of brilliant software developers, digital security trainers, localisation engineers and technical writers who helped me prototype a Tails-compatible application called Whiskers as a way to bring those same tips and tricks within reach of journalists and researchers who, by and large, have not squandered their lives debugging strange configurations of Linux on the desktop.

Whiskers is currently a proof-of-concept. If it is fully implemented -- and maintained -- we believe it will give investigators who work on sensitive topics in high-risk, "global south" environments access to the free and open-source digital tools they need to do their jobs in a way that is portable, cost-efficient and secure. Or, to deploy the obligatory jargon, in a way that encourages compartmentalisation, supports pseudonymity, allows censorship circumvention, maximises end-point security and provides encryption.

Let's unpack that a bit.

Tails

Tails is a free and open-source, privacy-optimised variant of the Debian Linux operating system that is designed to be run from a USB stick. You turn your computer off, turn it back on after inserting the USB stick, press the right keys at the right times, wait a little while and end up running Tails. When you're done, you turn your computer off, turn it back on after removing the USB stick, wait a little while and end up right back where you were, with no changes having been made to the contents of your computer.

You may only have one laptop, but Tails gives you two different ways of using it. You can use it one way (with Tails) when working on sensitive content, and -- if all goes according to plan -- you can use it the other way (without Tails) when it is lost, stolen, confiscated, inspected at a border crossing or infected with malware. And you can switch from the first way to the second way simply by yanking out the USB stick and putting it in your pocket. Or, depending on the circumstances, throwing it in the trash. Security people like to call this "compartmentalisation."

While running Tails, all of your Internet traffic is routed through the Tor anonymity network. Tor is not perfect, but it is the best tool we have for preventing those with the ability to monitor your traffic -- Internet service providers, airports, libraries, employers, computer criminals, website administrators, husbands, your government and other people's governments -- from figuring out what you are doing online. Alongside the compartmentalisation described above, this allows you to maintain a separate collection of "identities" (including email addresses, usernames, passwords and payment methods) that you can use, when appropriate, for sensitive work. Tor makes it far more difficult for others to establish a connection between those identities and the actual You. Security people like to call this "pseudonymity."

These same properties allow many Tor users to access websites and other online services that are blocked from within their countries. It does not work everywhere, all of the time, but Tor is one of the more effective forms of what security people like to call "censorship circumvention."

By default, any changes you make while using Tails -- whether intentional or unintentional -- will be unmade forever when you stop using Tails. This provides what security people like to call "strong end-point security," and is a fantastic way to protect your system from malware. As you can imagine, however, it is also a bit limiting. Fortunately, Tails also includes a feature called "Persistence."

If you do work while using Tails, and if you need that work to stick around, Persistence will try very hard to preserve only the changes you intend to make. This is still a relatively good way to protect your system from malware. And all of the files you download, create or modify while using Persistence will be encrypted on the USB stick. Pretty much everybody else just calls this "encryption."

Whiskers

Our objective was to help establish portable, disposable workflows that can be relied upon by a greater number of at-risk investigators who need to remain safe and productive while leveraging data to chisel away at the walls of impunity that often protect the powerful and the corrupt.

Whiskers is a graphical user interface that makes it significantly easier for researchers and investigators to install, configure and use free and open-source software that does not work out-of-the-box on Tails. Among other tools and workflows, this might include Web scrapers, data analysis and visualisation frameworks, photo managers, secure collaboration platforms, versatile text editors, programming libraries and alternative means of accessing websites that block Tor.

Figure 1: A proof-of-concept user interface for Whiskers (image: https://cdn.ttc.io/i/fit/1035/0/sm/0/plain/exposingtheinvisible.org/ckeditor_assets/pictures/723/content_whiskers-interface.png)

The current Whiskers prototype is a Python application, with an internationalised graphical user interface and documentation framework, that simplifies the installation and configuration of the KeePassXC password manager; the Atom text editor; the Recoll text indexing and search tool; the SignalWire and Riot secure messaging platforms (for text only); and Jupyter Notebook, which is a data-oriented Python scripting environment. It also facilitates the rather complex series of steps required to activate and deactivate a Jupyter notebook while ensuring that it routes all of its Internet traffic through Tor.

The source code for Whiskers, instructions on how to build and test it, and all of the research we did while developing it are available on a public GitLab repository.

SIFT

We have taken to using the acronym SIFT (Secure Investigation Framework for Tails) as a label for the various things we would eventually like to do with Whiskers. That includes training curricula, related workshops for investigators and stand-alone guides on how to use supported tools.

Pedagogical considerations

Tails provides a standardised platform for educators. Regardless of what hardware they bring to the training room, all participants will be working with the same version of the same up-to-date, malware-free operating system. This system will be configured in the same way, for all participants, and will go home with them when they leave. Anyone who has facilitated a hands-on workshop can testify to the ways in which platform uniformity contributes to efficiency when working through practical, technical exercises.

Of course, insisting on the adoption of an unfamiliar operating system can introduce significant inefficiencies as well. Which is why we began developing Whiskers in the first place. At the end of the day, Whiskers is designed to make it possible for related guides, training resources and workshops to focus largely on practical investigative skills rather than getting bogged down in "advanced Tails configuration." In our experience, researchers and investigators have a strong interest in the former and very little time for the latter.

Training models

To be clear, these workshops will not be 90-minute PowerPoint presentations. Or "full day" trainings. Indeed, even week-long "bootcamps" will be insufficient -- Whiskers notwithstanding -- for most journalists and researchers to master the workflows that SIFT is meant to facilitate. There will be exceptions, of course: highly technical data journalists, researchers who've already grown comfortable with Tails and veteran users of the free and open-source tools supported by Whiskers.

But if there's one thing I've learned from ten years as an occasional digital security trainer, it's that not all "contact hours" are created equal. It is far more effective to spread the same curriculum over a month (or more) than it is to cram it into a 40-hour "intensive." And if that part-time series of short workshops is facilitated by someone who is local to the region -- someone fluent in the local language, familiar with the risk environment of their participants and available to provide ongoing support -- that's where the magic happens.

Accordingly, the four training models we currently envision for SIFT include:

  1. A residency, in which participants spend approximately four weeks with an experienced SIFT facilitator at a non-local venue. Practically speaking, the venue would have to be inexpensive, and the budget might have to cover travel, food and lodging for the families of some participants. Sessions would last approximately three hours and would be held at most four times per week. Gaps between sessions would accommodate individual and team exercises, one-on-one "office hours" and time for participants to continue their regular work. Language support would be limited.

  2. A local series of workshops, in which an experienced SIFT facilitator travels to a particular city, for at least a month, in order to train the members of a regional organisation or network. The session cadence would be similar to that of a residency, but we suspect that more participants would find it compatible with their lives, and the budget would be less daunting. Language support would still be limited.

  3. A Training of Trainers (ToT) for past, bilingual participants and for experienced, local language trainers who are familiar with both the Tails operating system and the Whiskers toolset. These participants should be in a position to offer subsequent, local language workshops for members of organisations and networks based in the regions where they live. In terms of structure and budget, these ToTs would be similar to the trainings described above, but the material covered would be quite different. It would focus on expanding participants' familiarity with relevant data sets, exercises, frequently asked questions and other educational material. It would also leave room for trainers to gain practical instructional experience.

  4. A distance-learning platform -- or Massive Open Online Course (MOOC) -- that attempts to cover the same material as (1) and (2), above. This would likely require at least six weeks of instructional videos, individual exercises and "graded" exams, as well as support for one-on-one Q&A sessions with instructors and teaching assistants. Given the possibility that journalists and researchers in some regions might be targeted for their participation, it would also require a secure, Tails-compatible distance learning platform and rather a lot of security-related instructional design to ensure that students register and interact pseudonymously. Language support would be limited until such time as the platform could be localised.

Target audience

The Whiskers target audience can be divided into two groups:

  1. Aspiring data investigators who are tech savvy or who have the motivation necessary to learn versatile technical skills upon which they can rely for as long as they continue doing work of this nature; and

  2. Beginning and experienced researchers who may be less focused on data, and less interested in expanding their technical capacity, but who are forced by the sensitivity of their work to rely on highly secure platforms -- such as Tails and SecureDrop -- and who are looking for ways to make these platforms more intuitive.

Most of the self-learning guides and training resources in SIFT will target the former, more technical, audience. We have taken this approach in part because neither the move to Linux nor the adoption of these particular open source tools demands any sort of compromise on the part of those who work directly with data. These are among the best tools for the job and are widely used by professional data journalists and data scientists, along with other veteran investigators. The primary purpose of Whiskers, for this group, is to make these tools no more difficult to install and configure on Tails than they are on other Linux distributions. Our guiding principle, here, is to avoid underestimating or patronising this audience by focusing exclusively on single purpose desktop and cloud-based resources that are optimised for "ease of use" rather than versatility or security.

Whiskers serves a different purpose for members of the second, less technical audience. These individuals are far less likely to adopt Tails as their primary work environment. For this group, Whiskers will add a few key security, usability and collaboration features that are currently unavailable on Tails but without which many of these researchers cannot do their jobs. Examples include: the ability to access websites that block Tor users; two-factor authentication methods that do not require the use of a smartphone; and support for modern, secure communication and collaboration platforms like SignalWire and Riot.

Next steps

We have not yet made an effort to field test Whiskers with a broad subset of our target audience, largely because we have had neither the time nor the resources to carry out a robust audit of the ways in which our software might slightly weaken some of the security properties that Tails provides. We believe we know what they are, but it would be irresponsible to engage in "outreach" for a project of this nature without thoroughly investigating how these issues might affect an at-risk user. If and when we do so, the following is more or less what we expect to find.

Software security considerations

  • Users in regions where access to the Tor network is monitored -- and where those who connect to it are persecuted -- should not use Whiskers without a thorough understanding of the trade-offs between the risk of being associated with Tor and the risk of exposing their online activities. While Tor partially mitigates these risks for users of obfuscated Tor Bridges, it is currently challenging for the average user to benefit from this mitigation in Tails. As such, there are likely circumstances under which an investigator would be better off using the Tor Browser, along with a separate data encryption solution, rather than using Tails and Whiskers.

  • As with Tor and Tails, a user's network traffic cannot be considered anonymous if they face a 'global passive adversary' with the ability to associate that user's entry into the Tor network with their exit from it.

  • Over the long term, Whiskers slightly weakens the ability of Tails to protect its users from vulnerable software. It does so simply by making it easier for less technical users to install a small collection of additional tools. This slightly expands the platform's "attack surface" against adversaries who are looking to exploit vulnerabilities in third-party applications. We believe the functionality made possible by this trade-off is necessary to prevent many researchers and investigators from giving up on Tails and sticking with far less secure platforms.

  • The -- planned but incomplete -- VPN-over-Tor feature of Whiskers slightly weakens the Tor Browser's ability to protect its users from websites that might seek to profile those users based on the IP addresses of their VPN endpoints. Users will be strongly encouraged to use this feature only when necessary and to re-launch it between uses (which provides some protection against a malicious VPN service).

  • This same VPN-over-Tor feature makes it even more important that Whiskers users create new, pseudonymous accounts for online services with which they have previously registered. As mentioned above, Tails and the KeePassXC password manager, used together, make this sort of account compartmentalisation much easier, but it still requires a certain level of discipline.

Below are some of the design principles we have adopted in order to help mitigate these potential issues:

  1. We will make no changes to Tails outside of the built-in persistence mechanisms that it provides.

  2. We have worked, and will continue to work, as closely as possible with members of the Tails team.

  3. Where possible, when adding Persistence for a Whiskers-installed tool, we will persist only the installation of the application itself. Where it is essential for the sake of usability that we persist configuration data, we will prioritise the use of specific "dotfiles" first and persist entire directories only where necessary.

  4. All Whiskers-installed tools will be free and open-source software. Where possible, they will come directly from official Debian or developer-hosted repositories. We will verify any package that we add to the SIFT repository (deb tor+http://mryxwywbxhrnlcj5.onion/ stretch main) and monitor the upstream source for updates.

  5. Neither Whiskers nor any Whiskers-installed tool will bypass Tor and connect directly to the network.

  6. Where possible, we will avoid using the (work-in-progress) ability to route traffic, over Tor, through a VPN. This functionality is intended solely for accessing services that cannot be reached through Tor. Abusing it as a workaround to "torrify" applications, for example, circumvents Tor's ability to rotate circuits. This would introduce two vulnerabilities. First, it might allow a target service -- or a colluding group of services -- to build a 'profile' of a Whiskers user based on the IP address of that user's VPN endpoint. Second, it increases the probability that, given a long-running session, a malicious VPN service could build a similar profile or deanonymise the user by gaining control of that user's Tor entry relay.

  7. Where possible, Whiskers-installed tools that are designed to work offline will not be given access to the network, even through Tor. The Jupyter Notebooks feature is an example of this. There are a handful of use cases for allowing the browser itself -- as opposed to the Jupyter process -- to connect to the network. The interface for this tool relies on Firefox rather than the Tor Browser, however, so it does not enjoy the Tor Browser's fingerprint mitigation features. As a result, we have not given it network access.

  8. We will minimise modifications to the built-in firewall rules maintained by Tails. The only changes we have made so far -- and the only changes we foresee having to make -- are to allow a local service (such as a browser) to talk to another local service (such as the Jupyter Notebook process). The iptables commands we use for this purpose adhere to the principle of least privilege. Beyond that, we rely on SOCKS proxy settings or the built-in torsocks utility to grant torrified network access to applications that depend on it.
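Principle 8 is easy to state and easy to erode: one convenience rule such as `-A OUTPUT -o lo -j ACCEPT` opens loopback to every local process. The following audit script is an added example (not Whiskers code) that reads an `iptables-save` style dump, extracts every ACCEPT rule matching on the loopback interface and reports any that is broader than an explicit allowlist. It assumes Jupyter's default port 8888 and a desktop user with uid 1000; the sample dump is constructed for the example.

```python
"""Audit loopback firewall exceptions against a least-privilege allowlist (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoopbackAccept:
    """One ACCEPT rule on the loopback interface, reduced to the constraints that matter."""
    chain: str
    proto: Optional[str]
    dport: Optional[int]
    uid: Optional[str]
    raw: str


def _field(rule: str, pattern: str) -> Optional[str]:
    m = re.search(pattern, rule)
    return m.group(1) if m else None


def parse_loopback_accepts(dump: str) -> List[LoopbackAccept]:
    """Extract every '-A <chain> ... -j ACCEPT' rule that matches on '-i lo' or '-o lo'."""
    found = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A ") or not line.endswith("-j ACCEPT"):
            continue
        if not re.search(r" -[io] lo(?: |$)", line):
            continue
        dport = _field(line, r"--dport (\d+)")
        found.append(LoopbackAccept(
            chain=line.split()[1],
            proto=_field(line, r" -p (\S+)"),
            dport=int(dport) if dport else None,
            uid=_field(line, r"--uid-owner (\S+)"),
            raw=line,
        ))
    return found


def audit(dump: str, allowed: Set[Tuple[str, Optional[str], Optional[int], Optional[str]]]) -> List[str]:
    """Return the raw text of loopback ACCEPT rules that are not on the allowlist.

    An allowlist entry is (chain, proto, dport, uid).  A rule that omits any of those
    constraints can never match an entry, so an over-broad rule is always reported.
    """
    return [r.raw for r in parse_loopback_accepts(dump)
            if (r.chain, r.proto, r.dport, r.uid) not in allowed]


def jupyter_output_rule(port: int = 8888, uid: str = "1000") -> str:
    """Least-privilege OUTPUT rule: only `uid` may open TCP connections to 127.0.0.1:`port`.

    Port 8888 and uid 1000 are assumed defaults for this example, not values from Tails.
    """
    return (f"-A OUTPUT -o lo -d 127.0.0.1/32 -p tcp -m tcp --dport {port} "
            f"-m owner --uid-owner {uid} -j ACCEPT")


# Constructed sample dump: one narrow Jupyter exception, one over-broad loopback
# rule, and one unrelated rule on a non-loopback interface.
SAMPLE_DUMP = "\n".join([
    "*filter",
    ":OUTPUT DROP [0:0]",
    jupyter_output_rule(),
    "-A OUTPUT -o lo -j ACCEPT",
    "-A OUTPUT -o eth0 -m owner --uid-owner debian-tor -j ACCEPT",
    "COMMIT",
])
ALLOWED = {("OUTPUT", "tcp", 8888, "1000")}

if __name__ == "__main__":
    for bad in audit(SAMPLE_DUMP, ALLOWED):
        print("over-broad loopback rule:", bad)
```

On a live system the dump would come from `iptables-save`; the audit is meant to run after Whiskers applies its rules, so that any drift from the documented exceptions is caught before a release.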

Finally, Whiskers should undergo a thorough, professional security audit before journalists and researchers in the field are encouraged to adopt it.

Other development priorities

In addition to the software security considerations described above, the following is a short list of current Whiskers development priorities:

  1. Complete work on the VPN-over-Tor feature to allow journalists and researchers to visit websites that block access from Tor.

  2. Support OpenRefine for cleaning data.

  3. Use a custom Firefox profile to visually distinguish between the regular Tor Browser, the VPN-over-Tor browser (which also requires torrified access to the Web) and the browsers for Jupyter Notebook and OpenRefine (neither of which should have direct access to the network).

  4. Add built-in documentation for each Whiskers-supported tool using the internationalised framework we have provided.

  5. Create a script to simplify the process of determining when included tools have deployed upstream updates.

  6. Re-implement the user interface as a [GNOME Shell extension](https://help.gnome.org/admin/system-admin-guide/unstable/extensions.html.en), using GTK, rather than as a stand-alone Qt application.

Conclusion

With the notable exception of online conference calls -- for which I still resort to my smartphone -- I have continued to rely on Tails for all of my work-related activities throughout the six months that have passed since the second Montenegro residency at which we developed the initial Whiskers prototype. During that time, various members of our team have met up three times, in person, to implement a handful of features and to address high priority bugs.

I use the latest version of Whiskers every day, and I no longer feel like my productivity is being taxed on a weekly basis by the need to engineer new workarounds to new challenges. More importantly, I feel like journalists and researchers could do the same, despite life choices that may have rewarded them with less embarrassing hobbies. Eventually, we hope that Whiskers -- or the underlying research that we have published -- will allow investigators who face severe digital security threats to continue holding power to account while protecting themselves and their sources by leveraging the security, anonymity, portability and compartmentalisation that Tails helps provide.