Tails

Discussion in 'privacy technology' started by RockLobster, Oct 3, 2014.

  1. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I have found an issue when downloading Tails via Tor: the file is corrupt every time and of varying file sizes. Anyone got any thoughts on this?
     
  2. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    I'm gonna use this thread to say ~ Snipped as per TOS ~... I bought a SanDisk Cruzer just to use for TAILS and guess what? I never got it to work there. I finally found that it's a known problem, apparently:

    "For example, a number of SanDisk Cruzer USB devices don't work with the distribution, the ASUS VivoBook X202E laptop has problems with the UEFI Bios, Dell Inspiron 8100 has problems displaying the correct menus, and many more devices will not even run the OS."

    From here:

    http://news.softpedia.com/news/Priv...-Major-NSS-Serious-Security-Flaw-460141.shtml
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Are you using a Torrent download or the other way?

    Also, you might try sending a post to the tails-support message group about this problem for their help in resolving the matter.
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Straight download from tails.boum.org. I downloaded it 5 times and the file size was different each time. Also I think their .sig file is invalid but I am not sure about that because I am not sure if I used the correct procedure to verify it.
    Here is their .sig file as I downloaded it if anyone wants to try it. (Change the file extension back to .sig. This forum would not let me upload .sig files so I changed the file extension to .txt.)
    I don't see why it should be invalid, version 1.1.2 is only a week old.
    I didn't send them a message because I thought it might put me on an nsa watch list or something but I guess someone needs to do it so I'll tell them.
     


    Last edited: Oct 3, 2014
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    What about if you remove the SanDisk software from it?
     
  6. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    Still doesn't work. I formatted the pen several times.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    It's the same .sig file as I'm getting, and it is valid. (Assuming I have imported the correct signing key, fingerprint: 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1)
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    The best way to get support for your issue is to join the tails-support list at https://mailman.boum.org/listinfo/tails-support and send your message #1 to them.

    Otherwise, try the following, assuming the directory in which you issue the commands contains the downloaded Tails .iso file: (Note: I normally change the suffix .sig to .pgp to indicate its file type)

    1. Get the Tails signing signature key from the keyserver:

    command: gpg --keyserver hkp://keys.gnupg.net --recv-keys 0xBE2CD9C1
    response:
    gpg: requesting key BE2CD9C1 from hkp server keys.gnupg.net
    gpg: key BE2CD9C1: public key "Tails developers (signing key) <tails@boum.org>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

    2. Double-check the key's fingerprint

    command: gpg --fingerprint 0xBE2CD9C1
    response:
    pub 4096R/BE2CD9C1 2010-10-07 [expires: 2015-02-05]
    Key fingerprint = 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1
    uid Tails developers (signing key) <tails@boum.org>
    uid T(A)ILS developers (signing key) <amnesia@boum.org>

    3. Verify the signature

    command: gpg tails-i386-0.17.1.iso.pgp
    response:
    Detached signature.
    Please enter name of data file: tails-i386-0.17.1.iso
    gpg: Signature made Thu 21 Mar 2013 07:30:38 PM EDT using RSA key ID BE2CD9C1
    gpg: Good signature from "Tails developers (signing key) <tails@boum.org>"
    gpg: aka "T(A)ILS developers (signing key) <amnesia@boum.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1

    -- Tom
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I am now thinking this is a Tor Browser problem. Last night I downloaded Tails directly using a regular Firefox twice, once from the Tails website and once from the Softpedia site, and the file was 913MB both times, as it should be. I downloaded it again via Tor twice more and it was 836MB and 865MB; that makes a total of 5 times via Tor and it was different every time, always less than 913MB. I joined the Tor forum at stackexchange.com and reported that but no one has replied yet. I also emailed Tor help and told them about it. If they reply I'll let you all know what they said.
     
    Last edited: Oct 4, 2014
  10. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Thanks for taking the trouble to do that Tom, but why does it say good signature from Tails developers but then says not a trusted signature and no indication the signature belongs to the owner ?
    Does this mean it has a signature but anyone could have done it ?
    I really don't understand the logic behind these signatures and certificates ... I mean like .. if someone set up a fake website and put a doctored version of a file on it then surely they could put some kind of signature on the same site too ? How would anyone know it was not by the real developers if they don't know what the real developer's signature really should be ?
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    The Tor forum at Stackexchange will not be able to help you with Tails problems. As I mentioned above in message #8, you need to report the problem to the tails-support mailing list for help (See the URL there to click on and submit your email address to join it).

    -- Tom
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    If it says it is a good signature that means that the signed file has not been altered by others after it has been signed. Of course, an attacker could sign the file with his own key, so you have to verify yourself that the key you imported or downloaded actually belongs to the TAILS developers. If you have verified that in some way, you can sign their key with your own, and the software will no longer give that warning.
    More info:
    https://tails.boum.org/doc/get/trusting_tails_signing_key/index.en.html
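
The distinction described in the post above (an intact signature versus a signature made by the key you expect) can be checked mechanically. This is an added example, not part of the original posts and not Tails or GnuPG project code: it reads gpg's machine-readable `--status-fd` lines and accepts only a good signature whose primary-key fingerprint matches the one quoted in this thread. The sample status lines are constructed, and the function and variable names are hypothetical.

```python
import re
import subprocess

# Fingerprint quoted in this thread for the Tails signing key.
PINNED_FPR = "0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1"
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    return re.sub(r"\s+", "", fpr).upper()

def check_status(status_text, pinned=PINNED_FPR):
    """Decide from gpg status lines whether the signature is intact
    AND was made by the pinned key. Returns (ok, reason)."""
    good, signer, trust = False, None, "no TRUST_ line"
    for line in status_text.splitlines():
        fields = line.split()[1:]
        if not line.startswith("[GNUPG:] ") or not fields:
            continue
        tag = fields[0]
        if tag in FATAL:
            return False, tag
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # The primary-key fingerprint is the 10th argument when present.
            signer = fields[10] if len(fields) > 10 else fields[1]
        elif tag.startswith("TRUST_"):
            trust = tag
    if not (good and signer):
        return False, "no good signature found"
    if normalize(signer) != normalize(pinned):
        return False, "good signature, but from unexpected key " + signer
    return True, "good signature from pinned key (" + trust + ")"

def verify_file(sig_path, data_path):
    """Run gpg on real files; needs gpg installed and the key imported."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, data_path]
    return check_status(subprocess.run(cmd, capture_output=True, text=True).stdout)

# Constructed status output (not captured from a real gpg run).
KEY = normalize(PINNED_FPR)
OK_RUN = ("[GNUPG:] GOODSIG 1202821CBE2CD9C1 Tails developers (signing key) <tails@boum.org>\n"
          "[GNUPG:] VALIDSIG " + KEY + " 2014-09-24 1411595530 0 4 0 1 10 00 " + KEY + "\n"
          "[GNUPG:] TRUST_UNDEFINED\n")
WRONG_KEY_RUN = OK_RUN.replace(KEY, "1" * 40)  # constructed fingerprint of another key
CORRUPT_RUN = "[GNUPG:] BADSIG 1202821CBE2CD9C1 Tails developers (signing key) <tails@boum.org>\n"

if __name__ == "__main__":
    for name, run in [("ok", OK_RUN), ("wrong key", WRONG_KEY_RUN), ("corrupt", CORRUPT_RUN)]:
        print(name, check_status(run))
```

`TRUST_UNDEFINED` is the machine-readable counterpart of the "not certified with a trusted signature" warning: the pinned-fingerprint comparison, not the local trust setting, is what ties the file to the key discussed here.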
     
  13. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Are you sure it's only the Tails download? Are other things downloading the way they should? Just as an example: I remember I had issues a few years back with ESET Nod32 and Windows having a bug in which downloads were being corrupted.

    I remember using some sort of test that tested for download/internet issues, but I forget what it was. If I find it I'll let you know, but there's probably tons of ways to check if that's the issue.
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    So far Tails is the only file I have had a problem with. Tor support emailed me; they said either an exit node may be modifying traffic, or the Tails file is too large.
    If it is an exit node problem that is more of a concern, anyone with an interest in privacy applications can see the motivation for trying to block tor users from getting the new version of tails anonymously. I would expect now that I downloaded it from a regular browser any anonymity I might have had could be compromised.
    That does not really matter to me because I am more interested in tails from an academic point of view than a practical need for anonymity but to others it might.
     
    Last edited: Oct 4, 2014
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Thanks Tom, I am currently trying to learn how all this works so in future I will understand what I am looking at. I could not find anyone that knew how to do this, I wonder why there is not already a protocol where download managers and websites would automate the process of file checking ? It seems strange that we would have to track down an old command line app to do it ourselves manually and even then, to the uninitiated it is not exactly clear what the result means.
     
    Last edited: Oct 4, 2014
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe SSL/TLS: The Ugly Truth will help in understanding the basic ideas.
     
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Well, I think I understand the basics now but I never could get it to work. I can't believe they actually released that Gpg4win to the public; it reminds me of a test version I would knock up for myself to check the functionality.
    The last thing I tried before I gave up was to use the Kleopatra GUI and do the following
    1 download main program .iso
    2 download .sig file
    3 download .key file
    4 right click .key file and import it
    5 right click .iso choose verify
    6 in dialogue box select input file is detached signature
    7 in dialogue box browse to .sig file
    8 click decrypt/verify
    result: "could not determine whether this is an S/MIME or an OpenPGP signature - maybe it is not a signature at all ?"

    That was when my annoyance level peaked and I decided enough is enough, so I just installed it regardless. I really don't see such a system of verification ever being taken up by the public at large; it is far too convoluted.
     
    Last edited: Oct 7, 2014
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    An automated process with download manager/browser or website would probably not give the same security by far, BUT I agree Gpg4win could be made way more user-friendly.
    I found using the command line a better alternative, but it takes a bit more time until you get used to it.
    If you're on Windows, open Command Prompt.
    (You can use copy/paste to speed it up, but Command Prompt does not support CTRL+V, you have to Right-click and Paste.)

    First, navigate to the Gpg4win folder:
    Code:
    cd C:\Program Files (x86)\Gnu\GnuPG
    On a 32 bit Windows, it's just Program Files without the (x86)

    Then tell it to verify the .sig or .asc file with the file path:
    Code:
    gpg.exe --verify C:\Users\*username*\Downloads\tails-i386-1.1.2.iso.sig
    If the file itself that you want to verify(e.g. the .iso or .exe) has a different file name or is in a different folder, you have to specify that as well, for example:
    Code:
    gpg.exe --verify C:\Users\*username*\Downloads\tails-i386-1.1.2.iso.sig C:\Download\TAILS.iso
    (It does not show progress/percentage of verifying; with large files like the TAILS iso, you might have to wait a while, depending on the speed of your computer.)
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    That belongs in its own thread, so it's better indexed for searching.
     
  20. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Thank you, that worked. I think this means my download was good.

    C:\Program Files\GNU\GnuPG>gpg.exe --verify C:\Users\RockLobster\Downloads\Tails-i386-1.1.2.iso.sig
    gpg: Signature made 09/24/14 16:52:10 Central Daylight Time using RSA key ID BE2CD9C1
    gpg: Good signature from "Tails developers (signing key) <tails@boum.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1

    C:\Program Files\GNU\GnuPG>
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Yes, it's good.