The Amber Project as of 2017/05/12

by: Orange

Introduction

The Amber Project was conceived as a way to consolidate my efforts and explorations in computer security and privacy awareness for the future as well as produce materials that would help me quickly create and share tools I find useful along the way. The things mentioned in this post were developed this year. The Amber Project will continue past this year and will likely be the focus of my work for the foreseeable future.

I hope that my work will strengthen the dialogue around logs, data security, and privacy. Although not all the work discussed below works towards that, it has been necessary for me to find my own opinions on the matter. 

The works were produced for competent computer users who have some limited knowledge of Linux systems but may not have knowledge of system administration.

Writing this post has been somewhat difficult as it is complex to produce a timeline or even put it in an order that feels coherent due to the nature of my work being sporadic and mostly experimenting in these technologies working towards a larger project in the future; I will discuss this further near the end of this post. 

The current projects under the umbrella of “The Amber Project” that are discussed in this post are “SurfsUpOS”, “TailsInABox”, “The Internet Is Real Life”, “My First YouTube Downloader”, “I am awake, I am alive, I am Orange”, and “Zine.sh”

Works

During the year I also gave a talk titled “How to live your life while using reasonably secure technologies” which summarised a lot of the research I had been doing up until that point (2017/03/15). This talk was given to a technologically competent audience which meant the talk received relevant feedback from the target demographic. The aim of the talk was to raise awareness of PGP, Tor Onion Services, and TailsOS along with some reasonably high profile stories that were going on at the time. The slides are available. [1]

SurfsUpOS started off as a collection of scripts used to install a server on Raspberry Pi’s Raspbian OS but, as the project progressed, the less sense it made to have it as an install script named “TheOneYouBury” (originally due to the assumed user appearing suspicious downloading my OS instead of Raspbian and using git to install my customisations) and it made more sense to have it just as an OS that is ready for simple configuration. It is based around FullPageOS which is a Raspbian distro for digital signage, so it provided a cleaner slate and a collection of setup scripts for making a distro.

Most of the basis of the scripts are based around tutorials[2][3] that I have come across and agree with the conclusions of with the addition of a couple of extra security measures, such as removing none elliptical curve based keys as I don’t trust them for long term use.
When I learnt more things such as UFW and UNIX sockets, I'd integrate them into the OS.
There are a few things I do not like in the current version, such as the lack of non-terminal interfaces for configuration (or really interface in general). As a concept and experiment, both “TheOneYouBury” and “SurfsUpOS” were really useful to point at and reuse parts of when setting up non-test systems for people and myself (such as in WB100 where I set up and secured Raspberry Pis for the art department in order to control their 3D printers). I do want to continue this work and will likely rename this project into AmberOS, which will be specific to running Tor Onion Services. I have read about isolation through machines and would like to bake this into the OS perhaps by using mesh networking between multiple Pi Zero Ws and Pi 3s. The setup and configuration process I’m hoping to use won’t require use of the terminal (unless you want to of course), but instead be configured by using web interfaces and the USB Gadget Mode capabilities of the Pi Zero and Pi A+ (allowing a Pi to emulate mass storage or other USB devices).

The experiments I have done with Raspberry Pis and single board computers this year have laid the groundwork for what I think could be a very useful tool for setting up and experimenting with Tor Onion Services, either in personal or activist spaces. I will be looking into working among more social circles in order to adapt the distro to better suit these uses. Using the Raspberry Pi as a platform for security, however, is still not perfect as none of the boards can easily be used with entirely open firmware (although people are working on it)[4] which is really required to have a reasonably trustworthy system. 

The Internet Is Real Life

“The Internet Is Real Life” has been well received aesthetically but was produced as a result of my experiments with redundancy in my git-server as a status indicator to show if the connection is still up, as with my other project (“Dreher Tweet”). It exists as tweets on my twitter account (https://twitter.com/_xs) displaying the phrase “THE INTERNET IS REAL LIFE” on a mirror which is angled so that the sky can be seen behind and above the mirror, the phrase is also distorted to help reduce the perspective warp giving a digital-style look. I find the dialogue between the clouds in the sky and the digital cloud really interesting, as the work interacts with both.

I am awake, I am alive, I am orange

“I am awake, I am alive, I am orange” is another continuous work, however this work was prompted by the supposed disappearance of Julian Assange in Autumn 2016 and lack of renewal of a warrant canary around the same time by RiseUp (a privacy orientated ancom collective). The idea being a warrant canary that would instead be watching life. The initial commit is here: https://github.com/ixt/I-am-awake-I-am-alive-I-am-orange/commit/6701f1ccf54f94cce4a3ece03ee389cc344ed09e. It takes the form of a text file that a change is signed and then published. The intention of the work going into the future would be to have a dead man's switch containing all of a person’s secrets or information; if that person wishes to donate to the public their digital life’s work or perhaps just their last 24 hours of data (biometrics, location and messages etc), then it could be done automatically. This reaction system could be built into SurfsUpOS’s successor for those who see themselves as a higher target than a usual member of the public, which could help them stay alive and connected to the internet for long enough to escape given the right circumstances. The current iteration is built for me and includes an encrypted bash twitter client for ease of use in TailsOS, this will not be included in the repo in clear text due to security concerns.  

Fuck That

“Fuck That” is my response and addition to another student’s work that was exhibited in the gallery space opposite mine. I include it here in this post not to claim his work as my own but I feel that I need to include it in “The Amber Project” as it is somewhat symbolic of a change in my own work and my attitude towards work. Tom Pinsent is the artist of the original piece, his work “Come Dine With Me” was an installation made from a Macbook Pro, an axe, and a candle stick holder. The intention of the work was to annoy the viewer by increasing the volume of generated soundscape until the piece was interacted with by the press of a space bar which would cause the sound of flatulence to occur and then the process would repeat starting from a lower volume. Being situated across from this work was frustrating due to my work being discussion based and me being required to stay with my work. Because of that, it became very annoying quickly; sometimes it even drowned out my own speech. I had considered putting the axe through the Macbook on opening night and had been given permission by Tom himself and encouraged by members of staff and viewers alike; I decided against it and slept on the idea.
The next day I was required to attend a talk and critique by my former project supervisor, Andrew Shoben, whom I did not have a very good relationship with and personally do not agree with on a few subjects. In order to show respect for my course leader I attended the lecture and was willing to give it a shot, but by the end of the talk I felt fed up and angry. The talk had made me realise that it wasn’t necessarily design that I had disliked and felt discouraged by, but in fact its association with advertising and, by extension, my realisation of why I do not like his work. So I decided to boycott the critique session not wanting to give Shoben credence as an artist, thinking of him more as an advertiser and therefore not relevant to my degree program (except maybe in the case of what I must not end up like). I spent a while trying to calm myself and got in control of my faculties better and remembered the Macbook, a professional piece of kit that I had encouraged Tom to buy at the beginning of Year 1 and, having been recently converted to Linux this year, he seemed to no longer want or need it. I decided to go and destroy the Macbook in the gallery with the axe at 15:30, 30 minutes before closing time recording it all on Google Glass, knowing that I had discussed it with people previous to doing it I felt confidence to go relieve myself of the past, both mine and Toms. It is available to watch above. During the video you can hear and see me ask for Shoben, I should clarify this was not to threaten him but to deliver an awful punchline along the lines of “Critique this.” I like it better this way though as, true to my goal of not wanting to legitimise him as an artist, I could not include him in the end.

My First YouTube Downloader

“My First YouTube Downloader” is a script that downloads and plays the latest videos on YouTube for a given term, by default “My First Vlog”; the resulting stream of videos is mostly American children recording their day and talking to the camera. They use various metaphors and actions that are common to the vlogging world such as putting their hands over the lens of the camera at the beginning and end of shots in order to show cuts in video in a more interesting way, or at the end of the video asking the viewer to “like, comment, and subscribe”. I find it very interesting how consistent the whole stream is a lot of the time and the acquired ability to edit vlogs from what media they have consumed in the past. When I see adults on the stream, it seems to me that they do not have as much talent as the children; they rely heavily on music, video effects, and title cards rather than effective cuts and good content. I was motivated to make this work after hearing about the results of the search “My First Vlog” from a vlogger whose friend was saying how funny the results were. I thought it was somewhat disappointing that they would be laughing at children’s lives but when I tried it, it felt really really interesting and has brought me to tears more than once, both from laughter and awe.  

I installed this work into monitors and when using raspberry pi’s as a platform to display it I found OMXPlayer was best for viewing, and the use of this produced an effect of videos that would “fight” for the screen, I liked this a lot and did not attempt to troubleshoot the situation. 

TailsInABox

When first creating the pen drive for booting TailsOS, I realised how user unfriendly the process was. It was putting a lot of trust in the user to understand the tools from the get-go. So I decided to create “TailsInABox” which is a few scripts and modifications to RaspbianOS that converts a PiZero and Pimironi Blinkt that would allow flashing of a TailsOS pen drive without the need to go to tails.boum.org nor to do all the verification yourself, instead it would be moved from a digital security problem to a physical security problem which, for trusted institutions (such as Goldsmiths), is a much easier thing to protect. I am still unsure of how to make updating and securing of the box the best it can be. Currently it is self-updating (with PGP verification) with connection to WiFi, but the initial connection is still an issue. I used a few parts of SurfsUpOS in the securing of TailsInABox, but it’s more likely going forward that I have it as a mode for the successor of SurfsUpOS to help streamline and possibly use it as a feature to bring the other aspects of the OS to a user. A lot of the issues I was facing were due to the scripts not staying alive or exiting wrong and being played more than once, so I wrote a daemon to run the progress lights independently and, in the current prototype, it functions well and is very stable unlike earlier ones. 

Exhibtion

Now that the main projects are discussed, I am going to talk about my exhibition plans. I had decided a while ago that my exhibition would be a collage of a few projects and instead I would spend my year creating small works that would give me insight and a chance to learn more in order to create materials and run workshops.

Over Easter, I started working on layouts and thoughts around producing a zine that could be sold or given away in the gallery as part of the project that would give people some actionable tutorials that could help people wth their data security and privacy protections. Due to the nature of the content, it changes often so leaving a lot of the work assembling and checking through tutorials to the last minute makes some sense. I lost the assembled work a few days before the exhibition, and did not have enough time to remake the work in the stress of assembling an actual piece for the gallery. The work was lost due to a aspect of TailsOS (which I use as a primary OS) in which when you remove the pen drive the OS protects itself by deleting all your progress and wipes the RAM which, in the case of an adversary attacking, is a really useful trait. I removed the pen drive when going to backup the work on an external hard drive (which after I would back up to my internet connected computers elsewhere). After this set back I thought the best way to move forward would be instead to produce A4 sheet zines that I was thinking about earlier in the year using the notes that I would have put in the larger zine, printing off relevant (and perhaps less relevant) sheets that would be inline with my discussions in gallery. I needed the printer working in the gallery in order for this to work but I could not get it working in time and lost a day to troubleshooting CUPS and proprietary drivers and, due to losing the whole day, I did not have enough time to work through the notes again and produce preprinted ones. In hindsight I did do the best I could given the situation I was presented with. Making regular hourly backups, however, would have helped considerably along with backing up onto internet connected computers first. I would also have benefited from creating a better system for contingency for the content as without the zines, the work in the gallery became less meaningful in my opinion.

In the exhibition I wished to spend the whole time having conversations that were more than just the same 3 lines about the work and instead open myself up to hearing feedback from people who did not know my work on various issues I covered in the works on display (and the current world of privacy and internet security).

The works displayed in the gallery were: 3 instances of My First YouTube Downloader (one looking at “First Vlog”, one looking at “Beauty” and the third looking at “Truth”), the remains of the zine printing materials, and a video of me removing the microphones from my smartphone. Also in my installation there were news articles about security and privacy printed from the past week stuck to the wall, a Xiaomi internet connected rice cooker, Google Glass, Huel, and 2 folding chairs with vinyl stickers reading “ENCRYPT” and “KEEP NO LOGS”. These objects and projects were not included with the intention of being consumable fully without me being there for questions, there were no labels of the objects in the installation and this was by design. I saw what I put in the gallery as a performance with installed works / objects that I could use as reference material for various things in conversion with those who sit down with me.

I also had business cards created from laser cutting out-of-circulation 5000 Won notes (the currency from Democratic People’s Republic of Korea); these were given only when people asked what it was.

The overall feedback from people was mixed, there were some who seemed to understand the reason for the lack of labels and the encouragement to sit down with me, and there were others who did not like the lack of labels and were probably never going to engage actively or directly anyway, and without the zines being created that was somewhat of a loss.

I think that the layout I had produced, potentially the use of shelves included, was ultimately a bad decision. If I want to repeat this again in the future, I would definitely get the zines ready and focus on making the works more accessible, perhaps automating the selection of articles for the wall, having more chairs and a table, more objects, and less of my own work. I think a big problem I still have not worked out is how to translate works like SurfsUpOS over to the gallery; workshops are a possibility but they are not likely to work with just passer-bys. My work has to be taken in two ways due to this separation in what can be showable and what is actionable (as in things people use out of the gallery or in workshops). If I were to repeat this year with the knowledge I have now I would focus on one or two projects that could then be ran as workshops external to the gallery and then use the gallery space as a more relaxed discussion environment around the materials produced for the workshops. 

Repositories:

https://github.com/ixt/I-am-awake-I-am-alive-I-am-orange
https://github.com/ixt/My-First-Youtube-Downloader
https://github.com/ixt/Scripts
https://github.com/ixt/TailsInABox
https://github.com/ixt/SurfsUpOS
https://github.com/ixt/Zine.sh

Bibliography / References:

[1] https://ff4500.red/talks/How-to-live-your-life-while-using-reasonably-secure-technologies.pdf
[2] https://riseup.net/en/security/network-security/tor/onionservices-best-practices
[3] https://yawnbox.com/2016/04/26/ubuntu-os-updates-with-security-and-privacy/
[4] http://crna.cc/

Works I may have used and forgotten so including anyway:

http://paginaspersonales.deusto.es/isantos/papers/2017/2017-sanchez-rola-onions-www.pdf