Re: [Tails-project] The FACIL key: a multi-boot USB key with…

Delete this message

Reply to this message
Author: Mathieu Gauthier-Pilote
Date:  
To: tails-project
Subject: Re: [Tails-project] The FACIL key: a multi-boot USB key with TAILS on it!
Le 2014-10-14 06:33, sajolida@??? a écrit :
> Unfortunately, it is currently very difficult for a user to be able
> to verify the authenticity of Tails once installed on a USB stick.
> As security is meant to be used as a very secure environment, we
> believe that distributing preinstalled version of Tails is
> currently pretty much incompatible with our mission.
>
> See https://labs.riseup.net/code/issues/7269.


I see. Some of the OSes on the FACIL key are simply ISOs, but indeed
it is not the case of Debian/TAILS. :-(

The FACIL key is done with MultiSystem (http://liveusb.info/). Users
will be able to use the MultiSystem GUI to modify/update their own key.

> Plus, be very careful in the way that you boot from the ISO as the
> set of command line arguments passed to the live system can
> completely break some of the security built in Tails. So in case of
> doubt, ask us for a review of your code.


I am pretty sure the command line arguments are from the TAILS ISO. I
could be wrong however, so to be sure I will ask the main MultiSystem
developer, François Fabre, how he does it.

> I also understand that people won't be able to create a persistent
> volume on this USB stick. Which is a very popular feature of Tails,
> and pretty much needed if you want to do serious stuff with it.
>
> See https://tails.boum.org/doc/first_steps/persistence/.


I presume people will be free to follow these instructions for their
own copy of the key. I did not try it myself though.

> All in all, I think that you should make it clear on your product
> that the version of Tails included should only be used for testing
> and educational purpose but shouldn't be relied upon for security.


All the OSes on the FACIL key are meant for live boot. They come as is
straight from Trisquel, Debian, Fedora, Ubuntu, OpenSUSE, etc. We
cannot provide any kind of guaranty for any of them. We will encourage
people to take control of their own key, if only to keep the OSes they
like up-to-date and flush the others to clear some space.

In the case of TAILS, ultimately, what we can instruct people to do if
they are serious about their security is to remove TAILS from the
FACIL key using MultiSystem and redo the whole process of a)
downloading the TAILS ISO, b) verifying it, and c) putting it
themselves on their own key (using MultiSystem or some other means).

There is of course the issue of shipping the key by mail... We don't
have a solution for that one yet.

Thanks for the reply.

Best Regards,

Mathieu GP