Breaking the Security Model of Subgraph OS

I recently traveled to Amsterdam to attend a meeting with Tor Project staff, volunteers, and other members of the wider Tor community. Before trips like this, I prepare a separate travel computer, only bringing with me data and credentials that I might need during my trip. My primary laptop runs Qubes, but this time I decided to install Subgraph OS on my travel laptop. I had only briefly messed with it before, and there’s no better way to learn about a new operating system than by forcing yourself to actually use it for a few days.

Subgraph OS is an “adversary resistant computing platform.” It’s similar to Tails in that it’s based on Debian and all traffic is forced through Tor (that’s changing though: there’s now basic support for clearnet Chromium and OpenVPN). It uses a grsecurity Linux kernel, and many apps run in “oz sandboxes”, a homebrew sandbox solution that protects you even if an attacker manages to exploit a bug in one of these apps. Subgraph OS also includes the Subgraph Firewall, an application firewall similar to Little Snitch for macOS — something that’s pretty awesome, and hasn’t really existed in the Linux ecosystem before. Basically, it’s designed to be an easy-to-use Linux distro that’s extremely secure.

Joanna Rutkowska, the brains behind Qubes, was at the Tor meeting as well. We sat down together and started poking at Subgraph OS to see if we could break its security model, and we succeeded! After we discovered weaknesses, I polished them into a working exploit.

Continue reading

Qubes Tip: Making Yubikey OpenPGP smart cards slightly more usable

Qubes 3.2 has support for USB passthrough. This one feature has made Qubes so much more useful for me. It means that a wide variety of devices — from my laptop’s internal webcam, to plugging in smartphones to transfer data or do Android development — are finally supported. I used to have to use a separate non-Qubes computer for several tasks that I can now more conveniently and securely do within Qubes.

One way that I use USB passthrough on a daily basis is with my Yubikey. (If you’re unfamiliar, Yubikeys are small USB devices that can be used for two-factor authentication, for storing and typing static passwords, and for OpenPGP smart cards.) Normally when you use GnuPG, you keep your secret key in a file stored in ~/.gnupg. If you use an OpenPGP smart card, you don’t have your secret key on your computer at all — instead you have it stored on your smart card. With a smart card you can use your secret key, by decrypting or signing messages, but it’s designed to be impossible to export the secret key itself.

Continue reading

How Qubes makes handling PDFs way safer

Bart Gellman's tweet

Bart Gellman asked me on Twitter how to make PDFs safe to open. This is an excellent question, especially for a Pulitzer-winning surveillance/national security reporter who needs to open documents from random people on the internet, who may be trying to hack him or may be a valuable new source. PDFs, and all other document formats, can be terribly dangerous, and opening a malicious one can let an attacker take over your computer.

Continue reading

Qubes Tip: Opening links in your preferred AppVM

If you use Qubes like I do, you have many different AppVMs to compartmentalize different programs. You might have one VM for your email client, one for your jabber client, one for your password database. But if you click a link in any of these programs, it sure would be nice if that link opened in the browser VM of your choice. This isn’t all that hard to setup.

The command qvm-open-in-vm lets you open a document or a URL in another VM.

user@dev:~$ qvm-open-in-vm
Usage: /usr/bin/qvm-open-in-vm vmname filename

Continue reading

Usable Crypto Capture the Flag Challenge

Last week, during USENIX’s first Enigma conference, EFF hosted a small Capture the Flag hacking competition. I designed one of the challenges myself, entitled Usable Crypto. It requires you to use PGP as an attacker rather than a defender. It’s on the easy side, as far as CTF challenges go, and I think many people who have absolutely no hacking skills but some fumbling-around-with-PGP skills could beat it without too much trouble. And it might even demonstrate why verifying fingerprints really is rather important.

If you’d like to give it a go, it’s live at https://usable-crypto.ctf.micahflee.com/. The plot for Enigma’s CTF was loosely based off of Cory Doctorow’s novel Little Brother. You’re an X-NET hacker fighting the surveillance state’s Department of National Security. You win when you capture the flag, which is a string of text that starts with “FLAG_” (but please don’t post it in the comments).

Hardening Debian for the Desktop Using Grsecurity

I recently built a desktop system that I think is reasonably secure. It’s running Debian sid, also known as “unstable” — though in the Debian desktop world that just means you get to use the newest software. It’s just about as stable as “stable”, and besides, #yolo. It’s also running a grsecurity-patched Linux kernel and PaX, technologies that make Linux way more secure. Grsecurity protects you against memory corruption attacks, such as buffer overflows.

Last October I traveled to Moscow and interviewed Edward Snowden. Here’s one of the things he told me:

“Something that we haven’t seen that we need to see is a greater hardening of the overall kernels of every operating system through things like grsecurity, but unfortunately there’s a big usability gap between the capabilities that are out there, that are possible, and what is attainable for the average user.”

Since I just set up Debian with a grsec kernel, I figured I’d write a tutorial for how to do it. It’s still a long way before the average user can take advantage of this stuff – it breaks everything, and the user needs to learn how to diagnose and fix it themselves – but I think that it’s well within the capabilities of Linux nerds who are comfortable using a terminal. You can probably also follow along no matter what Linux distribution you’re using. Also, I’m fairly new to grsecurity myself, so if you have tips or suggestions, or if I got something wrong, please post in the comments.

Continue reading

Some Thoughts on Faraday Bags and Operational Security

I recently took a trip to Moscow to interview National Security Agency whistblower Edward Snowden about operational security. In the article I published on The Intercept, I mentioned that I used a faraday bag.

Our first meeting would be in the hotel lobby, and I arrived with all my important electronic gear in tow. I had powered down my smartphone and placed it in a “faraday bag” designed to block all radio emissions.

Since I published my interview, many people have asked me for more information about this faraday bag — which product did I get, what does it protect against, how does it work? So here are some quick thoughts on the topic.

Continue reading

Why I say Linux instead of GNU/Linux

I’ve been writing a computer security column for the Intercept. In most of my columns I mention Linux. Even when it’s not directly relevant (though it often is), most of my columns are in the form of tutorials, and I’d like my tutorials to be equally useful for Linux users as they are for Windows and Mac users.

For one thing, I love free and open source software. These projects are critical for security, privacy, and for the ability to tinker with and learn about your own computer. As the number of people who run free (as in speech) operating systems rise, so will the development resources that get poured into those operating systems until they “just work” at least as well as Windows and OS X do, so I talk about them every chance I get. Many of my readers already run free operating systems, and I would hate to leave them out.

After writing a column about how to communicate in secret while we’re all being watched, I got an email from Richard Stallman saying when I say Linux I clearly mean the GNU system, and he asked that I start referring to Linux distributions as GNU/Linux “so as to give us equal mention when you talk about our work.” And after writing my most recent column about how VMs can be used for isolation security, Stallman wrote a comment again saying that I mean “GNU and Linux” and asking that I give GNU equal mention. This is a really common point of view (though not at all a consensus) in the free software community, and one that I shared for a long time. But I’ve come to change my mind.

Continue reading

Transitioning PGP keys

I’m switching from my old key:

pub   4096R/EBA34B1C 2014-05-08 [expires: 2016-05-05]
      Key fingerprint = 0B14 9192 9806 5962 5470  0155 FD72 0AD9 EBA3 4B1C
uid                  Micah Lee <micah@micahflee.com>
uid                  Micah Lee <micah@firstlook.org>
uid                  Micah Lee <micah.lee@firstlook.org>
uid                  Micah Lee <micah.lee@theintercept.com>
uid                  Micah Lee <micah@pressfreedomfoundation.org>
uid                  Micah Lee <micah@freedom.press>
sub   4096R/64B1D8D1 2014-05-08 [expires: 2016-05-05]

to the following key:

pub   4096R/CD994F73 2015-08-14 [expires: 2016-08-13]
      Key fingerprint = 927F 419D 7EC8 2C2F 149C  1BD1 403C 2657 CD99 4F73
uid                  Micah Lee <micah@micahflee.com>
uid                  Micah Lee <micah@freedom.press>
uid                  Micah Lee <micah.lee@theintercept.com>
uid                  Micah Lee <micah@firstlook.org>
sub   4096R/5D5F1356 2015-08-14 [expires: 2016-08-13]

Here’s a copy of my new public key, and here’s a key transition statement that I signed with my old key.