QubesOS for Organizational Security Auditing

7:51PM Jul 30, 2020


Many members of the international internet freedom community perform organizational security audits for nonprofits, media organizations and small NGOs in need. These services fill a specific need for affordable and achievable ways to bolster a small organization's security posture. Our next talk is about the workflow developed at the Freedom of the Press Foundation centered around the Qubes operating system. We'll also examine the finer philosophical goals and methodologies built around small-scale orgsec auditing, while showcasing how a pretty simple setup using this new and exciting operating system has been created. Please welcome Harlow Holmes, with Qubes OS for Organizational Security Auditing.

So we assign out watch watch stream for a little while.

Hey everybody, my name is Harlow Holmes. I'm the director of digital security at Freedom of the Press Foundation, and today I'm going to talk to you about using Qubes OS in organizational security auditing.

First off, by way of introduction, Freedom of the Press Foundation is a nonprofit 501(c)(3) organization where we do, I would say, three things pretty admirably. The first is software development. We have a flagship newsroom appliance called SecureDrop, which you may have heard of, and which is also going to be the subject of a talk on Saturday. It's a newsroom appliance that enables potential sources to speak to journalists in a technically anonymous way, and over the years this newsroom appliance has been installed in a variety of newspapers across the globe.

Another pillar is advocacy. Between the writings of Trevor Timm and Parker Higgins, we also have an incredibly ambitious project called the U.S. Press Freedom Tracker, please do check it out, where we actually have a dedicated newsroom that tracks down, investigates and reports on instances where members of the press have had their right to report infringed upon while on the job. This can include anything from retaliation, as far as subpoenas are concerned, to attacks and arrests.

Finally, there's my department, the digital security training team, where we train journalists on a variety of digital security topics, whether that's the easiest low-hanging-fruit stuff, advanced tool usage for communicating with sources, risky research, etc. We also have a new organizational security practice where we actually embed with organizations of a variety of sizes in order to do need finding, risk assessments, and evaluations and recommendations on their digital security.

Working with small civil society organizations represents a very interesting niche. While Freedom of the Press Foundation is not the only organization that performs these types of services for civil society groups, we are just about the only organization in the United States that takes these shared methodologies amongst civil society support groups and tailors them specifically based off of the experience that we've had over the years working so intimately with journalists.

In order to better paint a picture of what this practice looks like, I'm first going to walk you through some of the lessons that we've learned that influenced our practice. So first off, working with civil society groups is different because they benefit a lot more from capacity building than other organizations might. They also have very specific cultural, field-specific and geographic needs that need to be folded into every engagement. Civil society groups need and deserve working with service providers that can emphasize empathy, inclusion, sustainability and self-sufficiency as part of their engagement, partly because they cannot afford the industry rate, which I think is self-explanatory given their size, but also because baked into every organization that you visit is a very, very strong culture that usually does want to promote empathy and inclusion through every step of the way.

So, what does an organizational security audit look like delivered by Freedom of the Press Foundation? First off, we draw very heavily from the exercises and activities that are in the SAFETAG manual. This is a project from Internews, which is a media organization based out of Washington, DC, but also has presence across the globe. This manual, written by Jon Camfield, Megan DeBlois, Seamus Tuohy and other contributors, provides an excellent framework for doing this type of organizational security auditing tailored to civil society groups of a certain size. But an impactful engagement has to go beyond SAFETAG. This is where human-centered design thinking comes in: a lot of our methodology draws from the work done by the LUMA Institute, which is a methodology for brainstorming around prototyping, product design and general problem solving from a UX perspective, and also from participating in so many workshops run by Aspiration Technology, which is a nonprofit tech collective based out in San Francisco and the Bay. What we draw from Aspiration's way of going about things is a way of establishing rapport around getting people to do successful brainstorming exercises together. Literally, I have

Post-its everywhere. I've got Post-its upon Post-its, I've got Post-its everywhere.

My data is so far incomplete, but we are working on the assumption that by focusing on capacity building, once an organization gets to the implementation phase of their organizational security audit, they save money, they save resources and they save time, because they have institutional know-how with in-house knowledge. Naturally we do come prepared with tools to perform technical analyses. This should not be confused with a full-on penetration test, for a variety of reasons, and where we notice vulnerabilities we simply write them up and flag them; we do not capture said flags. When performing an assessment I rely upon the standard suite of tools that you would find in the Kali Linux distribution, and I do it all in Qubes. We're going to talk about that very, very shortly.

Our engagements attempt to cover six categories of overall organizational security. For a number of reasons, not all of these targets may be reached. Sometimes another third party will do a more in-depth audit of web applications, so we're not required to go there. Sometimes there's a, I don't know, crippling global pandemic that we can't seem to get a grip on, and so there's no office to physically evaluate. Can you tell that quarantine has gotten to me? Jokes aside, working from home poses a unique challenge, as individual employees have to coordinate and implement their own physical security. This is where our emphasis on capacity building plays an even more important role. Nowadays I am guiding and drafting guidelines around the physical prerequisites of endpoint security in the home. Examples may include knowing how to administer your own router, using full disk encryption to your advantage when you leave the house to walk the dog, and other things like that. Whether we're doing engagements in-house with a client or entirely at home, this is the workflow.

Phase One is preparation.

There's ultimately a lot of work that needs to be done in scheduling your time on site with the client. It's also very important to work with whomever at the office can put time slots in people's calendars, so they can actually sit down with you and have interviews. That's a lot of bureaucracy and it's not as fun as the other stuff, like shopping for your Airbnb or whatever. But it's very, very important that people sit down with you and actually take out their phones, take out their computers and show you exactly what it is that you need to see: what their settings are, whether or not they have full disk encryption turned on. All of these things are harder and harder now that we're all pretty much homebound and working from home, and the reason why is because you can't always tell whether or not someone is telling you the truth about how they enabled such and such a feature.

Phase Two is where we interact with the organization the most. As you can imagine, a lot of this work has shifted once again during the pandemic. But what we do continue to do is have a lot of conversations to understand how data flows within an organization, wherever people happen to be working. All engagements come with a digital security training series. Gleaning from the data we gather in our one-on-one interviews, we establish opportunities to once again promote capacity building, either by filling in gaps of digital security knowledge or indulging in tool-based trainings the employees are curious to learn more deeply.

Phase Three is where we geek out a bit to evaluate existing practices in the organization's public-facing communications, and ultimately write, generate, deliver and discuss our outcomes, as well as the organization's roadmap for implementation.

This talk is not about how to do audits, and it's definitely not about how to do pen testing, because we actually don't do pen testing. There are also so many great resources out there to guide anyone through learning how to become a competent auditor. We're not going to talk about how to do nmap; this is HOPE, so probably you know how to do it. And if you don't know how to do it, you can always watch Ocean's Eight and learn from the master, Rihanna. However, I want to take the rest of my time here to introduce you to the tooling I've developed to do this on Qubes. Further, I hope to knit the more procedural and even philosophical aspects of doing this work with examples of how, concisely, the operating system is ideal in supporting it. Let me put it another way: when you get a group of hardcore Qubes users in a room, everybody wants to show off their setups. So here's mine.

The fundamental building blocks are a qube to maintain connectivity, a qube to do the bulk of the work, a safe space to view sketchy stuff, and a way to probe a network using physical interfaces rather than virtual ones. First off, we have our VPN proxy qube. This isn't really required for an engagement, but I think it's just good to have in general and I wanted to introduce it here, if you wanted to replicate this on your own machine. It's important to understand that Qubes takes what I like to call a Lego block approach to its networking. Typically, any application qube, if it's connected to the internet, first connects to a qube that's called sys-firewall, the firewall qube that has its iptables especially configured in order to keep connections between the various application qubes that you might run separate from one another, and thereby safe. And then sys-firewall connects to another qube called sys-net. sys-net is a hardware virtual machine, so it's designated as an HVM, and that allows it to interact with all of the radios that you might have on your computer, your Ethernet card, anything that physically allows you to attach to the internet.

The reason why people run VPNs in the first place is perhaps you don't trust the internet connection that you're on, or you might find yourself connecting to services that are not encrypted or served over, you know, HTTP or something like that, or some other protocol that doesn't necessarily provide enough protection for what you want to do. So this is why people choose a VPN, and there's a million out there for you to choose from. So what you want to do is create another qube that you actually insert between your application VM, the one that's running the software that makes requests to the internet, and that sys-firewall qube. And once again, given that Qubes has this Lego block approach to networking, which I love so much, you can actually make it so that every single application qube has its own route to the internet, no matter how convoluted that may be. That could include running your AppVM through your VPN, then over Tor, then through another VPN before it hits sys-firewall and ultimately sys-net. Or you can also be creative in trying out different types of VPNs, assigning their individual configurations and credentials within any of them, and then have one qube that's running on PIA in, you know, Kuala Lumpur and another qube that's running Mullvad in Sweden, something like that.

Next is my analysis qube. This is the space where I use all of the software that I need in order to get the audit done. It's not

too special,

it simply has a bunch of Kali tools, my favorite text editor so I can take notes, and write and run snippets of code should I need to clean data. I've also installed other awesome tools that I like that don't come with Kali by default. So for example, I really love something called dnstwist, which is a simple Python script that queries domains to find whether or not there are typosquatting attacks that are possible, and if someone has typosquatted on a particular domain, it can give you information about who owns it. From a security auditing perspective that is a very important bit of information for your organization to know: a typosquatting attack is a very common tactic to get people to click on phishing links, to confuse external visitors to your site, and to do other types of reputational damage. So shout out dnstwist. Our team also uses Keybase. We leverage it both for, you know, the inter-team communications, and we also really love the end-to-end encrypted git feature, which allows our team to safely store and share assets that we generate individually, so we have a centralized place for that as an easy-to-use git repository. I threw the whole Kali kit in there because I never know what I might need when I'm on an engagement, and I like to be nimble and creative, and Kali's definitely got it all, or at least most of it.

That said, there are some bash configs and little scripts which do two interesting things. First off, in order to be as respectful of my clients' right to privacy, I have to be sure that I can minimize sending away any unnecessary data. So for example, I've tricked out my bash aliases to start recon-ng, which is a great powerhouse of a program to organize and run queries against the type of data that you might come across doing this type of thing. But I had to modify my bash aliases to make sure that I always start recon-ng with the --no-analytics flag.

That's just one example.

Second, and most importantly, has to do with working with Python and virtual environments. Different tools that you use may need different modules and different Python modules to run as dependencies. And this is the thing about Qubes: in any application VM, or AppVM, any changes that you make to, you know, your typical install paths for Python will not persist from session to session, meaning at the end of the day when I shut down that qube and the next day I open it up again, all of these dependencies would be lost. This is one of Qubes' unique security properties. If I want this type of persistence I would have to run pip from inside the AppVM's underlying template, not the AppVM itself, because the template is the only place where you can create that type of persistence. But that's not clean, nor is it efficient at all if you're using Qubes. And because templates are actually restricted to communicate over the internet only with their respective package managers, running pip inside a template would not work by default, or would require me to modify the template's strict firewall rules. Those rules are here to protect us, and so I'm going to avoid doing that. Instead I use virtual environments to create an environment inside my AppVM, inside which, after I've sourced it, I then run pip to install any dependencies that I need.

Next we have the Antarctica disposable VM. This is another Qubes gem, like, chef's kiss. Qubes allows you to spin up disposable AppVMs that completely vanish when they're closed. This protects you from potential malware or data exfiltration, like your Firefox profile, for example, and any other nasties that you might encounter. So why do I use it? When on an engagement, the client might send you documentation that you requested, like say an inventory of all of the devices in-house in a PDF. Or during office hours, which we usually have as part of this capacity building that I was talking about, an employee might sidle up to you and say, you know, "Hey, I got this weird document last week, and I was happier here because I'd feel so much better if somebody looked at it." It happens, actually. So you need a sandbox to open up any of that stuff. I built my ideal sandbox, which I lovingly call Antarctica. This is a non-networked disposable VM that contains tools to interact with media both visually and on a metadata level, to a modest degree. I even put in osquery, which is a neat open-source tool that allows you to inspect changes to your operating system as it interacts with files. So imagine one day I could encounter a file that attempts to write somewhere inappropriate or access other resources and, you know, whatever, and catch it in the act. This has actually not happened to me yet, I have not yet had the pleasure, but it's nice to have. What I do use is mostly LibreOffice and the basic PDF viewer Evince, and call it a day. The one interesting pro tip I can offer here is creating a special desktop file to appropriately open up any document with the best software for the job, and this is created in the template VM for this disposable VM.

Next we have our network reconnaissance qube. So, I can no longer do this in the COVID-19 era, but when physically on an engagement, I'm required to examine the network devices in the office. Remember offices? This is where I break my rule that I had before: during this phase, I have no choice but to touch your internet. But if I'm going to break a rule, I can at least try to do it responsibly. This also allows me to get creative with another feature of Qubes, the possibility to create as many network interfaces as I want. So I can efficiently connect to the client's in-office network using one interface, while simultaneously continuing to go about my business on my other private VPN-backed connection to the internet. In other words, while I'm connected to my own Wi-Fi or tethering to my own phone on sys-net, I can connect to the in-house network directly on my specialized net-recon qube to perform engagement-specific tasks. This qube is almost exactly like the basic sys-net VM, but it also has net recon tools like the aircrack suite, nmap, dig and Wireshark. nmap is obviously most helpful for enumerating the different types of services running in-house, also establishing which ports are exposed, because sometimes those can be problematic, as well as determining whether it's possible to gain access on office appliances like routers, printers, TVs, coffee machines and others that expose an admin interface.

So here are the pro tips. Take the opportunity to grab your egress IP, which is visible to the internet at large anytime a machine in the office connects to anything, and you can investigate that later, not in this qube but on, you know, probably your analysis qube, during the part of your engagement when you're sitting at home and writing up reports. As you generate assets, use the inter-qube copy and move schemes to move scan output from this particular qube into your analysis qube. But beware that there may be some trust issues. So the Qubes team always cautions: always copy data only from more trusted VMs to less trusted VMs, and it should never be the other way around. So you have to ask yourself the question, is this net-recon qube less trusted than your analysis qube? And if you're in doubt, use the clipboard to copy-paste scan output into a fresh file in your analysis qube, because ultimately it's just, what, a .txt file anyways. And also take screenshots wherever possible, which live in dom0 and are therefore more trustworthy, should you, for example, find anything interesting on an admin panel that you gain access to. That said, this is the funnest qube, because you get to pull out your awesome gear and use it in Qubes. Here's an example.

Once I've run air sweet, notice that I have two network interfaces in the top right-hand corner: the red, which represents sys-net, and the green, which is my modified one. You can't see this because I'm not videoing it, but I've popped in a USB Wi-Fi radio, and once it's ready, I will assign it to air sweet. So down at the bottom where you see I've run ifconfig, it only shows that I have the loopback interface running, but once my USB Wi-Fi radio is attached to the qube properly, I now have two interfaces. Now, with my Wi-Fi interface ready to go, I associate to this network, pop in my long, lovely passphrase for this network, and once connected I am associated to this network and will be assigned an IP address. Once again, this is a qube that does not have a connection to sys-firewall in between it and the actual internet, so there is a little bit of elevated risk here, but this is the only way to actually probe a network while using Qubes. This is the reason why we have two interfaces created: because we don't want to be running experiments like the ones that we're going to be doing in sys-net, and we also want to prevent ourselves from the temptation of installing extra bits of software into sys-net peripherals.

So we've gone through the fundamentals of what I think is the optimal setup for doing organizational security auditing with the Qubes operating system. But we can always go further. Qubes is the premier operating system designed from the bottom up with security at its core, and I always get a kick out of putting on that tinfoil hat, cracking my knuckles and exploring other less visible features within the OS to further harden my setup. In previous slides, I mentioned possible trust issues as you copy or move scan results, which are usually text files, from the net-recon qube to the analysis qube. While I believe that responsible usage of that VM, and my entire Qubes machine in general, should mitigate the vast majority of security threats, you still never know. And we haven't even talked about the other qubes I may be running concurrently on the same box, like my work qube and Slack and all sorts of Electron apps, and so, you know, it's supposed to be a multi-purpose machine.

What we're going to do is dig a little bit deeper and explore some more possibilities. Qubes manages permissions to a variety of assets that another qube may request via files called RPC policies. These are found in dom0, and modifying these policies can affect and ultimately safeguard a particularly vulnerable, or maybe an extremely sensitive, qube against another qube, if that other qube, for some reason, wants to go rogue. I guess it's similar philosophically to the granular permissions that you might see on your mobile phone. Do you want this qube to copy files to another qube? Do you allow this qube to use your clipboard? These are all questions that can be addressed by modifying your RPC policies. There are so many RPC policies that can be leveraged for this particular project, and I think it's a good idea to restrict file moving and copying to a one-directional relationship between our net-recon qube and our analysis qube. I can then ensure that any other qube has no file permissions to the net-recon qube, other than my analysis qube. That's just one example. I might have several analysis qubes for concurrent projects, so my ideal RPC policy for such permissions would specify that any qube with my unique, let's say, work-sec-analysis tag would only have that access, and in one line on any RPC policy you can specify which qubes have access via their tag, not necessarily via their names, so that's incredibly convenient.

I work with a small team for each engagement, and as my team and I grow more confident using Qubes and also doing these types of gigs, uniformity and standardization is key. That is our goal: I want all teammates to have the same setup. And the best way to ensure that is by taking advantage of SaltStack for provisioning uniform templates and setting RPC policies on everyone's computers. Salt is a management system similar to Ansible or Puppet, and in fact its syntax is so much like Ansible that I was able to get started right away. This solves any lingering problems with making sure that not only will everyone have the same software installed on the required templates, but also provisioning AppVMs with requisite scripts and profiles is made incredibly easy and entirely doable. My buddy and colleague, the inimitable Kushal Das, has a great primer. And also, stay tuned for the SecureDrop talk, which focuses on Qubes, on Saturday to hear more about these issues in a little bit more technical detail.

Now, let's talk about how Qubes can assist in my goal to craft a workflow that is technically in step with my ideals and responsibilities vis-à-vis data retention. Nothing, not even Qubes, is perfect, and neither am I. Where I've identified risks of undue data exposure, I am forthright with clients about any acceptable risk in a memo of understanding that the client has to understand on day one.

Also, once an engagement is finished entirely, I back up the corresponding analysis qube in its entirety to encrypted cold storage. In Qubes, the Qubes Manager exposes a nifty function to do just that. In my case, the backup is actually double encrypted: once to a passphrase required for the backup process, and again on the LUKS-encrypted physical medium I save it to. Pro tip: no need to retain the encryption passphrase in the backup manager settings, as that will cause dom0 to retain the plain text of the passphrase.

Next is report generation. I forced my team to do all their note taking in Markdown. I'm sorry, but this allows us to easily format reports from our consolidated notes, gathered assets, recon-ng queries and other raw material that we might generate. But not every single one of my clients is going to want to read Markdown, as I'm sure you know, so we use Jekyll to munch through all that Markdown and locally generate an HTML representation, which looks pretty spiffy thanks to my esteemed colleague David Huerta, whose sense of style is absolutely unmatched. Love you. Since it's locally served, all I need to do is print a PDF from my browser. And once the report is ready we send it off to the client securely using the client's end-to-end encryption solution of choice. That could be Signal, Wire or PGP-encrypted email.

Speaking of which, communicating with clients before, during, and after an engagement is just as important as all the leet hacker stuff we all really enjoy doing. So it's reasonable to want to also have an environment where you can talk as safely and securely as possible, even from your hardened Qubes setup. While I prefer talking to clients over end-to-end communication platforms, especially when it's time to go over the outcome narrative, clients are going to have their preferences and limitations and I have to be prepared to meet them where they are. This is especially true during the COVID-19 era, where if you are not on site, you are going to spend countless hours in Zoom rooms, doing masterclasses and other digital security workshops, performing interviews with employees, and having conversations with, you know, people from the IT department or third-party vendors, as I laid out in earlier parts of this talk. So, it begs the question: have you ever done Zoom on Qubes? I have. While Zoom is a phenomenal platform for keeping so many people connected, especially in these times, it's not my preferred platform, and there have been previous instances where the security community has criticized the platform for its various flaws, for example not giving users choice over what region their server resides in, less than robust encryption keys, no end-to-end encryption yet, although they're working on it. But there have been flaws, and Zoom has definitely come a long way in such a short time. And that's really admirable, the way that they respond to criticism from the information security community, privacy activists and users. That can be commended, and I think it's exemplary of how organizations that face this kind of crisis of scale within crises on the globe should respond, so let's all give them applause.

That said,

I do want to be able to properly compartmentalize between Zoom and my more valuable assets on my Qubes machine.

So you want to know how I run Zoom in a qube. Here's how:

Similar to my Antarctica disposable VM, I have disposable templates for Zoom. Unlike the Antarctica disp, this disp does use networking, so it is connected to the internet. If I need to hop on a call, I spin up a disp from the Qubes menu, wait for it to start up, and then once it's booted, before joining that call, I attach my camera and my microphone, which are hardware accessible from dom0, to the disposable VM. From within there, I actually wrote a quick script to do that: by running the script, all I need to do is type the unique ID of the disposable window, and it automatically attaches. Once the call is completed, I leave the meeting, and once I exit the Zoom app, the disp disappears back into the ether from which it had been spawned. I think that that's a really efficient way of doing that, if one is worried about any potential implications of having a persistent Zoom identity lying around in a qube somewhere, although there are other tactics. Some of my friends actually are way less paranoid than I am. They're like, "I just have a Zoom qube. It's okay." So, you know, your mileage may vary. It's up to you, but this is what I do.

I have a couple of ideas about where this project should go next. I'm definitely at the phase where I'm looking for feedback from my colleagues, the global organizational security community, and fellow Qubes users. So my question for you is: what other properties within this neat operating system haven't I explored? Are there more efficient ways to skin this particular cat, as the saying goes? Is there anything I can do better as I roll out this tooling to the rest of my teammates? A colleague suggested I package this as an RPM, which is a great idea, as I can eventually go from a scatterbrained bunch of scripts into something more cohesive and trustworthy. I'm not yet sure where that should be on my roadmap. It would depend on the feedback that I initially get, and also I'm not quite done experimenting with what I want to add to the existing feature set. One idea I had was to leverage firewall rules to restrict a given AppVM to only the domains that are relevant to the web application in an inventory list. So for example, I might be able to apply a restrictive set of firewall rules to an AppVM based off of the output of a recon-ng query. I'm not yet sure if that's necessary. It might be yak shaving, but it's an interesting thought exercise.

So, that's it. Thank you for listening to my talk, and I would like to say thank you to a bunch of amazing people who helped me learn all of these things that I was able to share with you today: Jon Camfield, Michelle dos, Megan DeBlois, McHale II, Allen Gunn aka Gunner, Jen Helsby, David Huerta, Micah Lee, Olivia Martin, Conor Schaefer, Martin Shelton, ro s, Trevor Timm, Seamus Tuohy, the good folks at Digital Defenders and that circle, and countless others in the trenches.

Talk to you later. I'm Harlow on Twitter, harlow@freedom.press, Harlow just about everywhere else you can find me, and somewhere else where you can talk to me soon.
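The one-directional file-copy rule discussed in the talk above, as an added illustration rather than the speaker's own scripts or any file from the Qubes project: a small Python simulator of how a Qubes 4.0-style per-service RPC policy file (here a constructed /etc/qubes-rpc/policy/qubes.Filecopy) is evaluated line by line, first matching line wins. The qube names net-recon and analysis-acme and the tag work-sec-analysis are constructed for the example, and the evaluator deliberately simplifies real Qubes behaviour (it treats @anyvm as matching every qube and ignores dom0, @dispvm and @default targets), so it is a teaching aid for getting rule order right, not a replacement for reading the policy documentation.

```python
"""Tiny evaluator for Qubes 4.0-style per-service RPC policy files.

Added example, not code from the talk or from the Qubes project. Qube
names and the tag below are constructed. Simplifications: @anyvm matches
every qube here (real Qubes excludes dom0), and @dispvm/@default are not
modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Qube:
    """A qube as the policy evaluator sees it: a name and a set of tags."""
    name: str
    tags: set = field(default_factory=set)


# Constructed contents for /etc/qubes-rpc/policy/qubes.Filecopy.
# Syntax per line: "<source> <destination> <action>"; first match wins,
# so the specific allow must come before the catch-all lines.
POLICY_TEXT = """\
# scan output may flow from net-recon to any tagged analysis qube...
net-recon @tag:work-sec-analysis allow
# ...but nowhere else, and nothing may be copied *into* net-recon
net-recon @anyvm deny
@anyvm net-recon deny
# everything else keeps the stock behaviour: a prompt in dom0
@anyvm @anyvm ask
"""

ACTIONS = ("allow", "deny", "ask")


def parse_policy(text):
    """Return [(source, destination, action)] in file order, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[2] not in ACTIONS:
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append((parts[0], parts[1], parts[2]))
    return rules


def matches(pattern, qube):
    """Match one policy field against a qube: @anyvm, @tag:<tag>, or a name."""
    if pattern == "@anyvm":
        return True
    if pattern.startswith("@tag:"):
        return pattern[len("@tag:"):] in qube.tags
    return pattern == qube.name


def decide(rules, src, dst):
    """First matching line decides; with no match Qubes denies the call."""
    for s, d, action in rules:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"


def lint_unreachable(rules):
    """Indices of lines shadowed by an earlier '@anyvm @anyvm' catch-all.

    A common mistake is to append a deny line after the default prompt;
    it can never fire, so the intended restriction silently does nothing.
    """
    for i, (s, d, _) in enumerate(rules):
        if s == "@anyvm" and d == "@anyvm":
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    recon = Qube("net-recon")
    analysis = Qube("analysis-acme", {"work-sec-analysis"})
    work = Qube("work")
    for src, dst in [(recon, analysis), (recon, work), (analysis, recon), (work, analysis)]:
        print(f"{src.name} -> {dst.name}: {decide(rules, src, dst)}")
    print("shadowed lines:", lint_unreachable(rules))
```

Two things to take from running it: copies from net-recon reach only qubes carrying the tag, while everything directed at net-recon is refused, and the lint shows why the trailing "@anyvm @anyvm ask" line has to stay last; moving it up swallows every line after it. The real policy file, as the talk says, lives in dom0 and can be pushed to a whole team with Salt.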

Thank you so much to Harlow Holmes. This talk is "Qubes OS for Organizational Security Auditing." If you've got questions for Harlow, please feel free to drop them in the Matrix box. We have a question from the audience. Harlow, what would you recommend as a good machine to run Qubes OS on? Are there particular machines or other hardware you recommend, or would any laptop suitable for Linux also be suitable for Qubes OS?

Great question. First and foremost, know that the Qubes project actually does have a recommended and approved hardware list. And in our experience in working with Qubes for a number of years now, we're a real big fan of Lenovos, so like the X series and T series. I personally run a T470, I have a T480, and I also have an X260 and an X230. And those run really, really well. Oh, also, there is a group called Insurgo, insurgo.ca. They're based out of Canada and they sell Qubes machines kind of ready to go out of the box on trusted hardware. So have a look at them.

Fantastic. Thank you. Question from the audience: what was the name of the utility or tool to identify changes to the OS after running something untrusted? Someone in the audience missed the name, and I see it on the slide.

That's called osquery, and it's open source; you can find it on GitHub, I believe. It originated at Facebook, actually, but, you know, it's still a very valued open source project. Yes, you can find that pretty easily there.

Fantastic. How do you move data onto the Antarctica VM?

So, what you can do is... okay, so Qubes has an API that allows different qubes to talk to one another. It's very limited, and once again, what you can do is governed by those RPC policies that I was showing you earlier. But simply open up a terminal and type qvm-move or qvm-copy and the name of the file that you want to move or copy, and then a GUI window will pop up asking you which qube it is that you want to copy this to.

Another question from the audience: when you meet clients who are looking for good opsec, when would you recommend them using Qubes OS, and when would you recommend them using Tails?

That's a great question. I'm so glad you asked that, because I can talk about that for hours. So,

Seven minutes, so. Okay.

But, so,

there are different usages for both of them. I mean, first and foremost, I think Qubes is a good candidate for your daily driver, whereas Tails I use mostly for very, very special purposes. Tails is also a fabulous, fabulous project; I love them so dearly. One of the benefits to using Tails is that you actually do get to hold your entire computer in your pocket and walk away with it. And so, that's amazing. However, the networking on Tails is very strict: everything is going over Tor. And, you know, unless you break it intentionally, which you can do but shouldn't do, and why would you do that? Because the networking goes over Tor, certain things are not going to be available to you. You're going to have a lot of restrictions. So, for instance, you can't run Signal currently, or things like that. I was once on a project where we got it to run Wire, but we still had questions about whether or not we were breaking certain security properties within Wire. And so, unless you just want to talk to people on IRC all day, which is fine if you do, that's perfectly cool, then if you want something a little bit more suited to the way that we use communication tools right now, Qubes is a little bit more appropriate.

Fantastic. Oh, yes, I'm

just going to talk about Tails. Tails is the perfect sandbox, and quite frankly, not a lot of the clients that I speak to are going to want to switch, because, unlike Tails, with Qubes you have to have a dedicated machine. And so there's no going back to Windows, right. And so in that case, I recommend Tails so much to clients who are, for instance, working on an investigative story, and for a duration of time they need to have consistent persistence, basically, for a project. That's absolutely perfect.

Fabulous, okay, we have another question. What do you think is the biggest hurdle to doing a full conversion to Qubes, or getting those you work with to convert? What do you feel is the biggest thing you turn away from your Qubes box to do on your phone, or somewhere else?

Okay, so first, working backwards. I've been using Qubes every day for three years, if not more. So there's no going back for me, but it's a steep learning curve; it takes a lot of getting used to. As it currently is, the GUI isn't as comfortable as, you know, Windows or Mac; that's just kind of the law of the land right now. But that said, their UX is getting better. They actually do have dedicated UX volunteers and researchers now, and so over time this operating system will definitely grow and become more accommodating for everyone to use for general purpose computing. Um, yeah, let's see, another hurdle is actually getting used to where different qubes or different domains are, and what their capabilities are and so on, and possibly having incorrect expectations about what a particular domain has access to. Oh, and also, as a glib quick answer: copying and pasting between domains actually takes some getting used to.

Fantastic. We've got time for one more, maybe two. Can you talk about live USB or VM support in Qubes?

Yes. Um, so if I understand your question correctly, I guess I can give you an anecdote, which is running Tails in Qubes, which is doable. So, you actually can do that. It takes a little bit; it definitely is not a one-click, out-of-the-box "I'm going to double click on the Tails live CD and then off it goes." And also it's RAM intensive. But so far, if you have enough RAM to take care of it, you can in practice run ISOs like Tails; you can even run Windows in it. That said, because of the windowing properties, for instance, if you're installing Windows, there are going to be a lot of times where you get through one part of the installation and then you have to reboot and get to another part of the installation, and so that takes a lot of babysitting in order for that to successfully go on. So it's not for the faint of heart.

Fabulous. So here's one more question, which is: people want to find out more about you or your work, or whatever else. How can they get in touch with you? How can they find you?

Um, yeah, I am harlo@freedom.press, or @harlo on Twitter, and, yeah, you can always find me at either.

Fabulous. Okay, one more. This may be quick. I don't know: how much are you automating your setups with Salt, Ansible,

etc.? So, that is not a question for me, actually. That would be a question that I really encourage you to raise with our security engineering team, and so on Saturday Mickael E. is going to be giving a talk about our work in Qubes, and they can talk to you about that. I'm definitely, at this point, still feeling my way around automation a little bit.

Alright. Fantastic, Harlow, thank you so very, very much. Thanks so much.

Hey, HOPE 2020. Good to see ya. It's me, we need your minutes you may remember me from The Media Show, or you may remember me from when I was born at HOPE in 2008. At The Media Show, we always tried to bring HOPE to a wider audience, whether that be Greg Conti's talk on evil interfaces, what we learned about how hackers find passwords, or just what Mitch Altman and Emmanuel Goldstein taught us about what it meant to be a hacker. So now I want to introduce you to my new baby brother.

No, no, no, not, you know what I mean, he's my new spiritual baby brother. The book, Keep Calm and Log On, which is also made by my turtle Gus Andrews. I like The Media Show. Keep Calm and Log On, it's an attempt to take everything we've learned at HOPE.