1
0
Fork 0
mayvaneday/blog/2023/04/LiveUSB.html

86 lines
17 KiB
HTML
Raw Permalink Normal View History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>I spent a week using Tails as my only operating system - Archive - MayVaneDay Studios</title>
<link href="../../../style.css" rel="stylesheet" type="text/css" media="all">
<meta name="author" content="Vane Vander">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body class="mayvaneday">
<article>
<div class="box">
<h1>I spent a week using Tails as my only operating system</h1>
<p>published: 2023-04-01</p>
</div>
<hr>
<div class="box">
<p>Please don't post links to my blog posts on social media or forums. I want to keep this website low-traffic and lowkey, and artificial publicity has historically attracted large swaths of men contacting me in bad faith. Ovarit is the only exception as long as <a href="../../2022/october/ovarit.html">y'all can tone down the ableism for five minutes</a>. (Rest in peace, ThePinkPill.) Thank you for respecting my boundaries.</p>
</div>
<hr>
<div class="box">
<h2>Introduction</h2>
<p>I think the hard drive in my computer is starting to die. Programs take several minutes to load on first use where once they popped up almost instantly. It's a bit shameful when my decked-out Thinkpad T510 with the maximum RAM is slower than the netbook I "stole" from my grandmother several years ago with only a fraction of the RAM and a CPU with half the GHz. But apparently the average lifespan of a hard drive is <a href="https://web.archive.org/web/20230205154348/https://www.prosofteng.com/blog/how-long-do-hard-drives-last/">about three to five years</a>, and I salvaged this hard drive from a computer I got in <em>2017</em>, so six years is a pretty good run for a consumer-grade hard drive that's seen lots of distrohopping and data hoarding.</p>
<p>So I went looking for a live Linux distro I could throw on a flash drive and camp out on until my first paycheck (or tax return, or holiday present) came. My first thought was Kodachi, since I knew it would come with Tor and I2P already installed. But then I saw a recent review on DistroWatch that scared me away:</p>
<blockquote><a href="https://web.archive.org/web/20230125012332/https://distrowatch.com/dwres.php?resource=ratings&amp;distro=kodachi">I admit I was until recently a fan of this distro, but testing out what some other reviewers said, finding criticism well-founded, plus discovering some new information about how internet and vpn use is regulated in the developer's nation, I can no longer say this is at all a distro for casual web and app users' privacy or security.</a></blockquote>
<blockquote>Indeed, there is GUFW, but it is out of the box disabled, with no warnings from the developer; though one unchecks "Enable ipv6" in Dashboard, then and after restarts every time one's ipv6 address is always visible to the web despite ipv4 becoming obfuscated as promised; gnunet and i2p are outdated modules, and it's not easy for casual users to know or update them; on first boot, per a 2020 Youtube Russian OSINT video at his channel, the developer states the OS writes to json your IP so he can check it for blacklisting...if you're blacklisted, you won't be able to ever connect to Kodachi vpn.</blockquote>
<blockquote>At first boot, regardless of IP blacklisting or not, the OS further does an HWID hash of your device and sends it to the developer so he can ban you from Kodachi vpn (and perhaps further download of the OS); no contest with banning spammers, torrent abusers, and the like. But one has to realize that this OS and developer are in Oman and check laws there.</blockquote>
<blockquote>Since 2010, vpn use has been heavily restricted in Oman; literally one has to have a business to apply for vpn use, and even then such business will be required to get and keep information on user identities and usage, required to forward same to the Telecommunications Regulatory Service; it's not just spam/crime that's banned and actionable in Oman, but if you criticize faith or the Royal family, or view sexually explicit material of any kind, or are the whistleblower type, or are an activist, likely you at least need to be watched if outside Oman. In any case, minimally, at first boot your HWID, IP and location are very likely going to be sent to cyber at trs dot gov dot om as TRS requires of all business licensees. Given the solid relationship Oman has with the US and UK governments, decide for yourself if you'd be comfortable with Oman watching your online moves.</blockquote>
<blockquote>To me it seems intended or not, Kodachi OS is more in the nature of a honeypot, rather than oasis from, online surveillance; in the quest toward better privacy I'd suggest an OS such as Qubes or Whonix if your device can handle virtualization; if not, some like ParrotOS home edition have AnonSurf via Tor, a network manager with pre-configured openvpn you can easily enter your own free or paid vpn credentials into, plus it runs easily even on Pentium III dual cores.</blockquote>
<p><a href="https://archive.md/NffSH">rlxos</a> caught my eye, thinking that maybe what I needed was not a live USB but instead an immutable distro to reduce disk writes. But the strange grammar errors throughout the homepage and documentation put me off. I had a long list of phrases I found particularly egregious, but in the two months since first drafting this post and publishing it, they seem to have all been fixed. Maybe rlxos will be suitable for usage one day. Just not today. Until then, enjoy this... <a href="https://archive.md/G5Z84">walkthrough</a>. Truly the fastest tutorial in my life.</p>
<p>Going back to my search for a live distro, I next focused on <a href="https://archive.md/u1gSJ">Parrot</a>, particularly Home Edition as I didn't need all the pentesting tools found in Security Edition. Parrot, from the descriptions on the download page, looked like what Kodachi used to back in its heyday: a quick way to conceal all network traffic (albeit with Tor instead of Kodachi's built-in VPN), lots of "normal people" desktop applications like GIMP and LibreOffice built into the live image, support for whatever full-disk encryption I wanted to use... But then I attempted to follow both the official instructions and a post in the community forums for enabling encrypted persistence, because I figured, if it was an option, I'd like to <em>not</em> have to rebuild all my configuration files on reboot. Neither sets of instructions worked. Plus I don't like the concept of <a href="https://archive.md/Eo6FJ">downloading random binary blobs from GitHub repos</a>.</p>
<p>I eventually dusted off my old Tails drive, knowing that it had a working persistence feature... and discovered that <a href="https://archive.ph/HYpS2#70%">Tails version 5.8 had major issues with persistence</a>, meaning that I had to backup, wipe, and then recreate my <em>entire</em> Tails drive. Yeah, no problem, computer, just let me re-copy my entire Wii ISO collection... I totally have five hours to burn...</p>
<p>(Side rant: for the love of fuck, stop stylizing the name of the distro as "TAILS". I can smell a wannabe hackerman LARPer from a mile away when he (the LARPers on privacy subreddits are always men from what I've observed) goes into r/onions or r/tor and tells someone to "install" "TAILS" so that they can go buy drugs. Yes, I know, it was historically an acronym for "The Amnesic Incognito Live System". But you know what? You go onto the distro's <a href="https://archive.ph/8kVzE">official website</a>, and the name of the distro is stylized in normal case as "Tails". You look at <a href="https://archive.ph/eiVex">the documentation</a>, and it's referred to as "Tails". You go to the <a href="https://archive.ph/bB84r">Git repo</a> and scroll down to the README, and it's "Tails". You <em>BOOT UP THE DAMN THING</em> and get to the desktop and open "About", and it calls itself "Tails". For a website that cares so much about "deadnaming", you'd think Redditors would be more careful about making sure they were using the right name for their tools. Maybe I expect too much from social media users...)</p>
<p>After I got all my files back on my Tails drive where I wanted them, I then made it my mission to spend at least a week using Tails as my only operating system. Everything I did, from darknet exploration to website publishing to even just <a href="http://grwp24hodrefzvjjuccrkw3mjq4tzhaaq32amf33dzpmuxe7ilepcmad.onion/playlist?list=PLsX9RpOd1et2BMZv_A9RhmKbtzZuKbkqw">watching weird men review shitty NFT play-to-earn games</a>, had to be done in Tails. However, there's no rule saying I couldn't tweak some of Tails' system settings...</p>
</div>
<hr>
<div class="box">
<h2>Results</h2>
<p>Tails has built-in support for unlocking and mounting VeraCrypt drives, which is fortunate because I wasn't able to make an AppImage of VeraCrypt work properly in time for this experiment. Unison doesn't play nicely with Tails' Dotfiles feature, though, repeatedly complaining that its archive files (needed to make future runs of Unison faster) were out-of-date or offering to delete large swaths of the files on either my sneakernet drive or my Tails drive. If I pass the <code>-ignorearchives</code> option to Unison when running it, this problem goes away, but then I need to wait for Unison to calculate hashes for <em>every file</em> I want to sync. Since my sneakernet drive is about thirty-two gigabytes and almost full, this means almost an hour of waiting on <em>each sync run</em>. I've got better things to do with my time, so I opted to only sync the two once a week instead of before turning off my computer each day.</p>
<p>Most programs can be jerryrigged to run on Tails with persistence by prepending the <code>HOME</code> variable to the command used to run them, forcing them to believe that the home directory lives somewhere else. For example, to force RetroArch to save my configurations, I open a terminal and run:</p>
<p><code>HOME=/home/amnesia/Persistent/sneakernet/fakehome/retroarch/ retroarch</code></p>
<p>If a program has a configuration file that you don't see yourself editing often, if ever, you can also enable Dotfiles in the Persistent Storage settings and then copy that config file to <code>/live/persistence/TailsData_unlocked/dotfiles/</code>. The config file will then be symlinked into your home directory on next boot and every boot after that. This is how I got Zim to remember the paths to my three dream journals.</p>
<p>I didn't expect piracy to go well anyway, since Tor isn't designed for torrenting and it wouldn't make sense to try to configure a VPN. The deemix AppImage, needed for ripping music from the streaming service Deezer's servers, hung and didn't load. Originally, I thought this was because Tails wasn't letting it bind to localhost port 6595, so I punched a hole in <code>iptables</code>. It loaded then, but I couldn't find an option in the settings to set a proxy, so I closed it and started it again with <code>torsocks ./deemix-new.appimage</code>. At least, that was my intention; a window never popped up, and the program didn't output any debugging info to <code>stderr</code> or <code>stdout</code>, so I can only assume it hung again.</p>
<p>Unlike deemix, the personal booru (image collection) software <a href="https://archive.md/1AYmo">Hydrus</a> has the option to set a SOCKS5 proxy (<code>socks5://127.0.0.1:9050</code>) to be able to talk to the Internet, so I didn't have to fiddle with <code>torsocks</code> to get a usable connection. Note that you'll get an IP of a known Tor exit node, so some websites will rate-limit or even block your connection. Even then, drag-and-drop from Tor Browser didn't work, so I had to manually copy the link for whatever page I was trying to rip images from and then paste it into the URL box on Hydrus' download screen. Very frustrating.</p>
<p>In the past, I've been able to get Syncthing working on Tails. While I no longer have the tutorial in my files to reference, it involved passing a command-line flag to tell Syncthing where to put its configuration files, also passing it an environment variable to tell it to use the Tor SOCKS5 proxy, punching a hole in <code>iptables</code> to allow the Syncthing web UI to bind to localhost port 8384, and then telling Tor Browser to not attempt to proxy connections to localhost. However, I am no longer able to find that specific option in Tor Browser, neither in the proxy settings nor in <code>about:config</code>, so unless you like manually editing XML files or finagling with <code>syncthing-gtk</code>, you're out of luck.</p>
<p>As a replacement for Syncthing, I used <a href="https://archive.md/eGBak">bsync</a> instead to manually sync file changes to my server:</p>
<p><code>python3 ~/bsync.py -v -i -p 4445 -o &quot;-i ~/.ssh/contabo&quot; /home/amnesia/Persistent/Notebox lethe@letsdecentralize.org:/home/lethe/Sync/Notebox</code></p>
<p>jSite works if you have Freenet running on a remote server, but you need to do some wrestling with <code>iptables</code> first in a root terminal:</p>
<pre>
apt install default-jre -y
iptables -I INPUT -p tcp -m tcp --dport 9481 -j ACCEPT
iptables -I OUTPUT -p tcp -m tcp --dport 9481 -j ACCEPT
</pre>
<p>Then SSH to your remote server (in a normal terminal, not a root one) and port forward 9481 to localhost:</p>
<p><code>ssh username@your.server -L 9481:127.0.0.1:9481</code></p>
<p>Then you can run jSite:</p>
<p><code>java -jar ~/Persistent/sneakernet/Apps/jSite.jar</code></p>
<p>Similarly, if you need to upload a single file or just browse Freenet itself and don't feel like using a TUI browser on the remote server:</p>
<pre>
sudo iptables -I INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
sudo iptables -I OUTPUT -p tcp -m tcp --dport 8888 -j ACCEPT
ssh username@your.server -L 8888:127.0.0.1:8888
</pre>
<p>Because I can't find the option in Tor Browser to allow connections to localhost anymore, I instead had to use an AppImage of Firefox I had lying around in order to open the Freenet web UI:</p>
<p><code>~/Persistent/sneakernet/Apps/Firefox_Developer_Edition-110.0b4.glibc2.17-x86_64.AppImage --profile /home/amnesia/Persistent/sneakernet/fakehome/firefox/</code></p>
<p>(In retrospect, I could have used this browser to configure Syncthing too... oh well.)</p>
<p>As far as programming goes, I can't build anything written in Golang that requires modules, because Google's Golang proxy servers don't like Tor users:</p>
<p><code>go: github.com/a-h/gemini@v0.0.44: Get &quot;https://proxy.golang.org/github.com/a-h/gemini/@v/v0.0.44.mod&quot;: dial tcp 142.250.186.177:443: connect: connection refused</code></p>
<p>Running the build command as <code>GOPROXY=direct torsocks go build</code> didn't help:</p>
<p><code>go: golang.org/x/text@v0.3.3: unrecognized import path &quot;golang.org/x/text&quot;: https fetch: Get &quot;https://golang.org/x/text?go-get=1&quot;: dial tcp 142.250.186.113:443: connect: connection refused</code></p>
<p>As demonstrated by <code>bsync</code> above, Python works just fine, but good luck installing anything from <code>pip</code>. If you install <code>build-essential</code>, you can also build <a href="https://archive.ph/COidU">C/C++ projects</a> as long as their dependencies are in the default Debian repositories and you have Additional Software enabled in Tails' Persistent Storage settings.</p>
</div>
<hr>
<div class="box">
<h2>Conclusion</h2>
<p>My biggest problem during this week was the lack of I2P support. In order to check I2P eepsite uptimes for Let's Decentralize, I had to SSH into my personal server and run a text-based browser to go to every eepsite. This wouldn't have been much of a problem except that someone's spent the last few months DDoSing my server, making all network connections in and out <em>glacially</em> slow. One of these days I'll move my sorry ass back to Vultr. I've been spending three dollars a month there to reserve my old IPv4 address, anyway. Home sweet home, 8.9.30.45. Just wait until that damn paycheck comes, okay?</p>
<p>Other than I2P and the slow Unison syncs, everything in Tails worked surprisingly fine. I found myself mounting my computer's internal hard drive to retrieve some file far less than expected, and when I did, files loaded much faster because the rest of the operating system wasn't also writing every log file to the disk at the same time. Things would have gone a lot worse if I hadn't had the server to piggyback everything off of, though. I can't imagine trying to run Freenet or IPFS directly on Tails, or <a href="../february/utopia.html">creating virtual machines</a>, or wrangling a large music server with all the uploading and downloading that entails. Tails certainly excels at helping me in my goal of reducing screen time, because there simply isn't as much that I can do.</p>
</div>
<hr>
<div class="box">
<p align=right>CC BY-NC-SA 4.0 &copy; Vane Vander</p>
</div>
</article>
</body>
</html>