[META] Tails-like functionality in Qubes

[mfc]

Just wanted to create a ticket for those interested to track Tails-like functionality in Qubes. This would include:

• Tails-like workstation / gateway
  • solved with existing whonix workstation / gateway templates? (re: applications, networking)
• Live USB
  • Live USB/DVD #1018
• anti-forensics
  • DisposableVMs: support for in-RAM execution only (for anti-forensics) #904
  • Wipe Video RAM on Shutdown #1563
  • Wipe RAM on shutdown #1562

Are there additional functionalities in Tails not currently captured in these categories or the referenced tickets? Please share, or create tickets to track these differences.

---

mailing list thread that touches on the subject: https://secure-os.org/pipermail/desktops/2015-November/000015.html

[Jeeppler]

@mfc the whole point of tails is to be non-persistent how do you want to achieve this feature in Qubes OS? Where is the benefit for Qubes users over Whonix? What do you think about offering tails as disposable VM?

[adrelanos]

I don't see any distinctive advantages gained by Tails in a Qubes VM in comparison to Qubes-Whonix.

Anyhow. There is value in having Tails boot in a Qubes HVM. So I can more conveniently boot Tails sometimes to look around rather than involving a second computer. Convenience improves productivity. Similarly having a Tails template for Qubes with full integration of Qubes tools would also simplify other things. (Non-desktop related stuff, file copy etc.)

Also for the sake of having diversity. Being made by a different developer community. Coming with different default applications. Perhaps convenient for previous users of Debian / Tails that now like to migrate to Qubes / Tails.

My question:

Generally speaking… Putting Qubes aside for a moment for the sake
of argument… Let’s suppose we have a Debian Live DVD. Then, from there start Whonix. Or Tails. How specifically would Tails be more amnesic than Whonix?

jmercier reply:

If both are running from a live cd, then (simply put) that would be
the same.

Source, the comment section of the blog post:

https://garlicgambit.wordpress.com/2016/04/22/how-to-run-tails-from-a-qubes-live-cd/

Let's go through the original argument.

Why would you want to run Tails from a Qubes live cd?

There are two main reasons for this:

By default Tails obscures a lot of uniquely identifying bits about
the system and the user. However Tails is mostly run on bare metal.
This is a recommended approach for good reasons. But this makes it
relatively easy to get access to uniquely identifying parts from the
hardware of the system. This can include (unique) serial numbers
from: the motherboard, cpu, videocard, memory, network card and bios.
It can even include the unique service tags from the original
equipment manufacturer (woops). Sophisticated attackers can use this
information to de-anonymize users. With virtualization you can
obscure and anonymize this information even more to minimize
information leaks.

As concluded above, Tails in a VM has no advantages over Whonix in a VM in this regard. Whether the host operating system is run from read-only media or not does not change anything about this.

Tails does not protect against a compromised endpoint. If attackers
can gain root access to a Tails system they can shutdown or
circumvent Tor to de-anonymize the user. One solution for this
problem is to separate the ‘workstation’ from the ‘Tor proxy’. With
virtualization it is easy to create such a setup. Whonix is a project
that already implements this idea and it is available for Qubes!

So
why not switch to Whonix? Well because Whonix is mainly aimed at
persistent installations, whilst Tails is not. We would argue that,
on top of all the security and privacy technologies, Tails’ main
strength is the fact that it is amnesiac or non-persistent. A reboot
should clean up all records of its use. In order to keep this
important property and get the benefits of virtualization you would
need to run Tails from a virtual environment which in itself is also
not persistent. One such virtual environment is the Qubes live cd.

a) Qubes Live plus Qubes-Whonix
b) Qubes Live plus Tails
-> persisted data after shutdown: a = b = 0 (*)

Otherwise please explain what and how Qubes-Whonix could possibly persist anything more than Tails?

---

(*)
Issues fixable by Qubes only:

• DisposableVMs: support for in-RAM execution only (for anti-forensics) #904

Issues not possible to fix at either Whonix or Tails at the VM level, that are required to make Qubes Live comparable to Qubes-Whonix Live / Tails Live.

• Wipe Video RAM on Shutdown #1563
• Wipe RAM on shutdown #1562

[mfc]

I agree it is very unclear to me what the difference is between a theoretical Tails-workstation and current Whonix-workstation. Because of this, I think #1969 is misdirected since once there is an updated Qubes Live USB image it will have Whonix integrated in it... unless there are specific functionalities of Tails that are not captured in Whonix (please share if these exist!).

and I agree that "Tails in Qubes" probably means (1) improving Qubes Live USB and (2) improving Whonix templates in Qubes.

I'm going to change this ticket to be a meta-ticket tracking implementing "Tails-like functionality" in Qubes, since that would probably be more useful.

[DrWhax]

Hi,

As I see it, there are quite some differences between Whonix and Tails. So far, the direction seems to be, "Tails like functionality" which seems to mean, improving Whonix templates.

Correct me if i'm wrong but I think the differences here are:

• Tails doesn't come with persistence enabled by default. (Amnesic feature)
• Use Tails' Tor firewall rules in a separate VM. (this to provide the same UX)
• Tails configuration has received more scrutiny over the years.

How to leverage Qubes:

• DispVM's for Tails means we get Amnesic features by default!

There are probably more differences but I would have to use Whonix for that.

[andrewdavidwong]

@DrWhax:

How to leverage Qubes:

• DispVM's for Tails means we get Amnesic features by default!

As Patrick explained above, this is only part of the picture. There are two senses of "Tails-like functionality in Qubes":

1. Amnesiac Torified VMs in persistent Qubes OS.
2. Amnesiac Qubes OS containing Torified VMs.

"DispVMs for Tails" would only achieve 1, not 2. (And, arguably, the same or better could be achieved with Whonix VMs.)

But if 2 is ever created, I propose the name TaiQuWhonDo: The Amnesiac Incognito Qubes Whonix Desktop operating system. (Just kidding.)

[Jeeppler]

TaiQuWhonDo I like the name ;-)

[jpouellet]

Another forensics concern to track/address if we want to go down this road:

• The last backup passphrase is saved in /etc/qubes/backup/qubes-manager-backup.conf. This is previously known/documented, but still was an undesired surprise to me.

[andrewdavidwong]

Closing this since we don't do meta issues anymore:

https://www.qubes-os.org/doc/issue-tracking/#projects

If needed, we can make a project for this instead, but it probably doesn't need one for now.