
Do you still end up on an NSA list by visiting their website?
The developers of privacy-protecting Linux distribution Tails have decided to get closer to Debian with the project's 3.0 release. Tails - aka The Amnesic Incognito Live System - is designed to boot and run from removable storage and not to leave any trace of what you did while running it. Users booting into version 3.0 will …
> **Yes I know I should not trust a SHA-256 tool off the same disk.
*** And don't trust the SHA-256 printed in the magazine either, because the magazine could be tampered with
**** You can use PGP signatures, but how do you know you have the right PGP key to validate it with?
"You can use PGP signatures, but how do you know you have the right PGP key to validate it with?"
If you have been using Debian or Ubuntu for any length of time, packaged software downloads are signed using developer keys, some of which have signed the Tails gpg keys. So you can install the debian-keyring package, which is signed by these distribution repositories and this gets the same verification as other Debian or Ubuntu packages installed using apt-get. This means that for the NSA to have compromised the Tails instance as downloaded through a MITM or whatever, and for you not to be able to detect this if you're very careful and check signatures, they would also have had to compromise signed parts of the Ubuntu or Debian infrastructure. It seems to me much easier for the NSA to have compromised the Tails distribution itself. To find that kind of hole you would have to check the Tails source code and compile it yourself, assuming you're both paranoid enough to want to do that, while sufficiently technically capable to compile it yourself on a platform which you do actually trust. Instructions on checking this chain of trust here:
https://tails.boum.org/install/download/openpgp/index.en.html#wot
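Added example, not part of the comment above and not Tails or Debian project code: a small Python parser for the machine-readable output of `gpg --with-colons --check-sigs`, showing which certifications on a signing key count toward the chain of trust described in that comment. The sample output, key IDs and names are constructed, and the keyring path in the comment is an assumption about where the debian-keyring package installs its file.

```python
# Assumed invocation that produces this kind of output (path is an assumption):
#   gpg --keyring /usr/share/keyrings/debian-keyring.gpg \
#       --with-colons --check-sigs <SIGNING-KEY-FINGERPRINT>

# Constructed sample; every key ID and user ID below is made up.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1420070400:::-:::scESC:
uid:-::::1420070400::HASH::Example signing key <signing@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1420070400::::Example signing key <signing@example.org>:13x:
sig:!::1:BBBBBBBBBBBBBBBB:1430000000::::Debian Developer One <one@example.org>:10x:
sig:?::1:CCCCCCCCCCCCCCCC:1440000000::::[User ID not found]:10x:
sig:-::1:DDDDDDDDDDDDDDDD:1450000000::::Forged Signer <bad@example.org>:10x:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature types


def certifiers(colon_output):
    """Group third-party certifications on a key by gpg's check result."""
    result = {"verified": [], "no_pubkey": [], "bad": []}
    primary = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]                      # long key ID of the key under test
        elif f[0] == "sig" and len(f) > 10:
            status, signer, name, sigclass = f[1], f[4], f[9], f[10][:2]
            if signer == primary or sigclass not in CERT_CLASSES:
                continue                        # a self-signature proves nothing here
            # "!" = signature verified, "?" = signer's public key not available,
            # anything else ("-" bad, "%" error) is treated as a failure.
            bucket = {"!": "verified", "?": "no_pubkey"}.get(status, "bad")
            if (signer, name) not in result[bucket]:
                result[bucket].append((signer, name))
    return result


def chain_ok(colon_output, minimum=1):
    """True only if at least `minimum` certifications actually verified."""
    return len(certifiers(colon_output)["verified"]) >= minimum


if __name__ == "__main__":
    for bucket, signers in certifiers(SAMPLE).items():
        print(bucket, signers)
    print("chain of trust established:", chain_ok(SAMPLE))
```

A "verified" entry only means the signature checked out against a key gpg could load, so it is worth exactly as much as the way that keyring reached the machine (here, an apt-verified package); "no_pubkey" entries contribute nothing.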
Pretty sure even having TAILS on a flash drive on your person would be "reason to investigate" for the various powers that be.
Worse if they don't understand it.
"Unlock this drive citizen!"
"Erm, there is nothing on it"
"Yes, you must be hiding it!"
"That's... that's not how this works"
"Give us the password to unlock the hidden/encrypted files or you go to prison!"
For average Joe it's hard to find a pipe with fast enough upload bandwidth to run tails with TOR. When playing with an older version, it would only boot on an older 32 bit Win 7 laptop, not new machines with 64 bit Win 7 or 10. Provided 3.0 will boot on newer hardware, providing for use with popular proxies, and VPNs would make it much more useful. As I recall, Tails doesn't leave a browser or device footprint, which is great for home use, but won't boot to corporate WAN desktop for a novice lacking machine credentials on the WAN. If smart, Joe will use a VPN or Proxy, and Firefox, with addons. Encrypting files for average Joe not likely to go further than a few RAR files on his network drive. (Perhaps copies of tax returns, Will, Trust, and business documents) Even then, he needs to store the keys separately from the documents. A spreadsheet with keys using a program on another thumb drive, allowing selection of what to decrypt, again not something Joe's going to do, unless he finds a turnkey solution. Implementation of PGP is involved, requiring a separate vault of saved keys on Tails thumb drive with its own password. Still the receiver has to somehow get the key to the person sent the file to decrypt it. Quickest way would be an attachment with block of random data with the encrypted Email, then calling Email receiver by phone, telling them how to find the key within the random block of data. Unless there's a real need, not likely to happen. Likely there is no stopping brute force dictionary attacks on passwords to stop an attack on Tails. Nothing preventing a Tails drive being copied, and being placed in a VM until password is broken if it does self erase.