
The machine in the middle

Create a weigh station to open strange files from the internet.

Here's another instalment in our irregular YOLO tech series. If you've been following the news, then you'll be up on the latest about Israeli spyware vendor NSO Group, which licenses its Pegasus intrusion software to various corrupt regimes and dictators to target human rights activists, political opponents, civil society leaders and journalists. This kind of thing is why YOLO devices -- those gadgets you want to connect with the unwashed and the unknown -- should exist. They can be the expendable team. The tech that can take the hit without bringing everything else down. Here's a work station you can use to open files you get from strangers on the internet and, when you're done with your work, easily wipe before using it ever again.

In an earlier post, we looked at how a journalist can create a secured, anonymous way for sources to send files and messages using Onionshare on a Raspberry Pi. Receiving files, though, is just the first thing. What happens when they start landing? In many ways, if you've done this, you haven't solved a problem so much as you've invited more of them into your life. Sorry 'bout that. What you'll now want is a secure way to check your Onionshare device, initially examine the files on it, and figure out what to do with them. So, our next piece of YOLO tech is the weigh station machine.

People will send you a lot of nonsense. Someone might send you something useful. Or they might just drop some malware disguised as an interesting looking PDF file. Either way, you really don't want to download whatever lands in your Onionshare folder straight onto your nice reporting machine without first checking it out. All strange files are suspect. Those coming from strangers on the internet are even more suspect. So, let's create an airlock to check these files out, open them up, read them and see what they're really made of. In this way, these files don't stay on your Onionshare Pi, and they don't reach your reporting machine. This is reportedly what happens when people use SecureDrop properly: the files are moved to a mid-way laptop for opening and inspecting. We're going to replicate this step on the cheap.

For our own home brew limbo machine, we're going to use Tails OS. This is a secured Linux operating system that's portable and can run on many types of computers from a USB stick. By default it's also an amnesiac, meaning, when you turn it off, anything that was done is lost, and next time you turn it on, it starts fresh. Whatever machine is running it will also have no record of any activity. It can be useful to carry a Tails USB around, because then a lot of different computers can be your computer, and when you're done, there's no trace you were on it. All its internet traffic is channeled through the Tor network as well, so your web visits stay private and you can stay more anonymous.

But none of that is related to our use case this time. We just want to have an operating system that will take a bullet for us. The reason we're using it here is fairly straightforward: It's cheap, secure, and if something goes wrong, it's easy to erase, reboot and start again, and the computer you're using it on will almost surely be fine as well. For more about Tails, the documentation is here.

Ingredients for our recipe

  • 1 USB stick for running the Tails OS (minimum recommendation is 8 GB, but for doing things with reasonably sized files, I say go large. I'm running mine on a 64 GB stick)
  • A desktop or laptop machine with a 64-bit x86-64 compatible processor. I'm running mine on an old, fairly damaged Lenovo Thinkpad E560 that work was getting ready to recycle. The point is, you don't need anything very special for this. Try looking around pawn shops or second-hand stores, you can find something for £150 or likely less that will fit the bill. It's possible someone you know has a machine in a closet they think is toast, but will work for this. We aren't using our reporting laptop because we want to separate our systems and it's likely you'll want to run both Tails and do your reporting at the same time.
  • A second USB for storing your settings, passwords, moving files, etc.

Software used: Tails OS (note, the site has broken SSL on many pages. Welcome to open source software. It does work well in the Tor Browser and nothing else), Filezilla, KeePassXC, and Veracrypt.


The recipe

Let's make a USB stick with Tails OS on it. Install Tails on your USB stick. Go to this page, scroll down to "Download, installation, and upgrade" and choose the machine you have for the download file and set up instructions. Follow those. It's pretty clear and I won't be going through them here. I did mine on a Mac. You may have something else.

Try it out on your Tails USB. Drop it in your weigh station machine and see if everything is working. I'm assuming it's a PC of some sort, so find yours here to see how to make it load Tails. I went into the BIOS settings and altered the boot order so it always tries to load from the USB port first.

Let's make our Tails OS persistent. Why? Because this is a YOLO device, not a burner machine. We're going to get a few uses out of it, and likely just keep it running as it's our laptop for checking our Onionshare Pi. Persistence means that Tails will keep a little encrypted section that will maintain your settings and any other data or apps you install. Tails can walk you through setting up a persistent volume pretty easily, but here's the how-to if you need it. Be sure to back it up!

Let's add an FTP client. For whatever damned reason, Tails doesn't come with an FTP tool. Don't get me started. But we want one of these because it's easier to check the Onionshare Pi via SFTP than it will be to unmount and mount the Raspberry Pi's USB stick all the time, restarting Onionshare and so forth. So, we're going to add FileZilla to our persistent Tails volume. To do that:

  • Set up an administrator password when starting Tails.
  • After Tails launches, go into the "Applications" menu in the nav bar and go to:
    System Tools > Synaptic Package Manager.
  • Use your admin password.
  • Search for Filezilla
  • Tick the box for the latest version, and in the pop-up, select "mark for installation."
  • Click the "apply" button, then click "apply" in the pop up window, because you mean it. 
  • Let things download and then when asked, click "Install every time" or Tails won't remember to keep Filezilla if it shuts down and restarts. Then click "close" on the "changes applied" box, because for some reason that exists.

Configure the FTP client to reach your Onionshare Raspberry Pi. So, now Filezilla exists on your Tails OS. Find it in "Applications" under "Internet" nestled between your Electrum Bitcoin wallet and Onions Circuits. Open that up. If you recall from our Onionshare post, you had set up a way to SSH into your Onionshare device from your laptop to set it up. Those credentials will work in your SFTP client. You should have these saved in a KeePassXC password manager if you followed things to the letter. If not, hopefully you've got it in a SAFELY stored offline text file. Because now you need it.

The Host is your Pi's IP address. Then the username is your ssh user, and the password is your ssh password. And the port will be 22, unless you did extra credit work and futzed with that. Now navigate to your /media/USB directory in the Raspberry Pi (if you called it that). You should see anything that's been dropped there, including the happy little hello.txt file we made. Try downloading that into Tails and opening it to make sure things are working.

Test it out

Let's take our new set up for a test drive. You now have an Onionshare device to get files, and a Tails OS laptop to look at them. Send yourself a PDF. Here's one, now. Save Myanmar-Internet-Briefing-Paper-UPDATED.pdf somewhere on your computer (not the Tails one, obvs). Open up the Tor Browser and visit your Onionshare form. Send the file along with a friendly text message. Now that you've done that, go to Filezilla in Tails and check your USB directory. You should see a new directory in there that you can download to your Tails machine and open. I saved it in Documents, which can be found under "places" in the nav bar.
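
A first-pass check you could run on the weigh station before opening anything you've pulled down, as an added example rather than part of the original post: it hashes each file, compares its leading bytes with what the extension claims, and flags PDFs carrying auto-run or script markers. It uses only the Python 3 standard library; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading bytes ("magic numbers") expected for a few common extensions.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}  # .docx is a ZIP container
# Headers of executable content that should never sit behind a document name.
EXECUTABLE = {b"MZ": "Windows PE", b"\x7fELF": "Linux ELF", b"#!": "script"}
# PDF names that run actions on open or carry embedded payloads.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]

def triage(path):
    """Return (sha256, findings) for one file without opening it in a viewer."""
    data = Path(path).read_bytes()
    ext = Path(path).suffix.lower()
    findings = [f"content is {kind}" for magic, kind in EXECUTABLE.items()
                if data.startswith(magic)]
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"header does not match {ext}")
    if data.startswith(b"%PDF-"):
        # Plain substring search: misses compressed streams and escaped names.
        findings += [f"PDF contains {k.decode()}" for k in PDF_ACTIVE if k in data]
    return hashlib.sha256(data).hexdigest(), findings

def triage_dir(folder):
    """Triage every regular file under folder; maps relative path -> findings."""
    root = Path(folder)
    return {str(p.relative_to(root)): triage(p)[1]
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_samples(folder):
    """Write constructed sample files (not real submissions) for a dry run."""
    root = Path(folder)
    (root / "briefing.pdf").write_bytes(b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n")
    (root / "leak.pdf").write_bytes(b"MZ\x90\x00 constructed stand-in, not a real binary")
    (root / "memo.pdf").write_bytes(
        b"%PDF-1.7\n1 0 obj<</OpenAction 2 0 R>>\n2 0 obj<</S/JavaScript>>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        for name, notes in triage_dir(tmp).items():
            print(name, notes or "no findings")
```

An empty findings list only means these cheap checks found nothing; the file still gets opened on the weigh station and nowhere else.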

And that's it, we have two pieces of our YOLO tech setup, now. We haven't yet looked at the operational security of using these, and we have one more device to cover: The YOLO phone.

Final bits and pieces

Some homework before starting the next post...

  1. Tails comes installed with KeePassXC. Create a database to store your FTP and SSH credentials for the Onionshare Pi. From now on, you will only access the Pi from the Tails machine. Learn the finer points of password management with KeePassXC here.
  2. Tails also has Veracrypt installed. This is a tool for creating encrypted file storage volumes. When you decide you want to work with a file you've inspected on Tails, you're going to want to transport it (or a redacted, meta-scrubbed copy of it or a flattened export or a screenshot of it) on a USB stick to your work machine. Your work machine will never network to the Tails machine. Also, you want to secure the USB stick. Learn how to make an encrypted volume with Veracrypt on your USB stick here. You'll also need to install Veracrypt on the device the USB is moving files to, but it has versions for Mac, Windows and Linux.

Next post: Working with files.


Notes

There are a few operating systems that run on USBs, and some that are highly secure themselves. I thought about just setting up Qubes and forgetting about both Tails and the Raspberry Pi. In Qubes you can create isolated environments for each. But that would require a fairly impressive machine, and these posts are focused on low-cost options. Qubes is great, but it's also not single-purpose. It's good. Great even. It's not YOLO.

It's worth noting that Tails also has Onionshare pre-installed. The issue with this is that Tails software versions are often not up to date, and it's only the latest version of Onionshare that really suits our needs. Also, you don't want collection and analysis to happen on the same device. Finally, we want our secure contact webform to stay on all the time, while we might want to turn off our laptop and put it away. Your work computer is a lousy web server.

Conceivably there are a few options you could use to connect to your Pi from Tails. You could wire it if you want, but the Pi already has its ethernet port plugged into the router. You could create networks with USB ports or use USB ports to hand-move things, but SFTP is both secure enough, and keeps the wires and complications down.

This article was updated on 20 July 2021