ICLOAK - iCloak vs. Tails = Apples vs. Oranges

By Eric B. Delisle, March 29, 2017

First things first... A BIG THANK YOU to the Tails Crew!

Although I have never met the Tails team (hopefully I will), they are never far from our hearts and minds as we share some of the same passions around Liberty, Privacy and Security in our digital world.  Additionally, their project was a great inspiration to what we are doing at iCloak.  Also, let's not forget, they have worked for years with limited resources to produce the best tools they could and mostly without the benefit of many resources.  Only recently has the team received enough funding to even start paying some people for their work!

In 2014, I learned at the PET (Privacy Enhancing Technologies) Symposium in Amsterdam that we had raised more money for iCloak on Kickstarter in 30 days in Summer 2014 ($108,000) than  the entire budget of the Tails projects from 2010 - 2013 COMBINED (~$61,000)!

iCloak or Tails?  It's Up to YOU!

While we won't discuss every little difference between iCloak and Tails, the following should provide plenty of information for those whom this is written for... anyone who thinks iCloak Stik is just Tails with a different logo.

For those reading this but not familiar with the topic, a popular tool among the privacy conscious & tech savvy crowd is Tails (The Amnesiac Incognito Live System) which is often compared to iCloak as if they were the same thing. However, Tails, while being a great tool and open source project, has a large number of differences when compared with iCloak and they are in fact VERY different.

Like Tails, iCloak is a portable operating system where a user can securely and anonymously work with sensitive data. Unlike Tails, iCloak Stik does not assume the end user is already knowledgeable with a Linux desktop environment. We have slimmed the Linux experience to its basic components our target audience needs without introducing them to unfamiliar Linuxisms.
For example... just take a look at the two desktops below.

Tails 2.0 Desktop:

iCloak 2.0 Desktop:

iCloak vs. Tails:  Who is Responsible for their Product?

Tails is a volunteer project with no commercial anything.  You can't buy a Tails USB drive from Tails.  You can't buy a t-shirt.  AND... you cannot call someone to complain or ask for tech support if you are having trouble.  You use Tails at your own risk and if it bricked your computer (highly unlikely), too bad for you!

iCloak, Inc. is a Delaware C Corporation registered as a foreign corporation doing business in Florida at 37 North Orange Avenue, Suite 1025, Orlando, FL 32801.  We are sitting in our offices Monday - Friday and we answer the phone.  We do sell t-shirts and stickers.  People call us and come visit.  People even buy iCloak Stiks anonymously by mailing cash to us with a return address label and we send iCloak Stiks to them without knowing who they are.  

Some people like having a company who is legally liable and responsible for the products they sell.  iCloak is.  Tails is not.

iCloak is a commercial venture.  We are a for-profit business.  We do well by doing good.  We are not bothered by charging money for our time and effort.  If you don't think there is value in buying an iCloak Stik... Don't.  If you like what we have to offer... buy one (or more!).  We offer a money-back guarantee, so you are welcome to try it and if you don't like or want it, we will give your money back.

One thing to note about a commercial venture vs. a volunteer-only venture... if the marketplace finds value in what we create, we will sell more and thrive.  If what we make isn't wanted, we will fail.  This forces us to focus on making something that many people want, not just what we, in our geeky little world, think people want.

Additionally, because we can use the power of capital to grow our brand, awareness of these issues, and can deploy resources we have earned without depending on donations from a tiny, minuscule, fraction of the population, we can create more and improve faster.

iCloak vs. Tails: Compatibility

One of our first challenges was to create a device that would just work on Macs and PCs.  When we started building iCloak, if you wanted to use Tails on a Mac you had to use something like rEFIt to change how a Mac boots.  Most non-tech users found this step alone enough to stop them from even trying to use Tails.

iCloak Stik is compatible with a wide array of hardware including Macs, PCs, and Linux machines. The same iCloak Stik is able to boot from BIOS or UEFI systems without requiring modifications to the user's computer. This is achieved by hosting two bootloaders each handling either BIOS or EFI/UEFI as needed. 

The separation of bootloaders allows iCloak to be started from old BIOS-based machines and newer UEFI systems without the two interfering with each other, and limits the exposure to badly behaved BIOSes, which often refuse to load other hybrid approaches.

Additionally, we did a LOT of work to get Bluetooth device discovery to just work in iCloak so if you have a wireless keyboard and mouse, iCloak can detect them and use them.  Tails cannot use Bluetooth devices.

iCloak vs. Tails: RAM & Hidden Partitions

As a "Live OS", iCloak and Tails leverage the technique of loading a separate OS from your regular one into RAM after restarting your computer. This is a great place to run a data sensitive OS. Any modifications to the system while running or any stored information is basically destroyed on shutdown or power loss as a function of the nature of volatile memory. This means even if a user was infected with some malware, it would not survive restarting the computer, making any persistent infections of the iCloak Stik itself physically impossible.

NOTE: For our cybersecurity folks reading this... Yes, we know about Cold Boot Attacks and other methods for extricating data from RAM within a few minutes of a power cycle, however, those rare circumstances are outside of our typical threat model.

One difference with iCloak is that it is designed without needing to read/write to the USB drive as a function of using the system or any of its Apps (with the exception of using encryption tools if you choose to).  It CAN read/write to the USB drive, but we made iCloak small enough and without any big applications that require the USB drive to be plugged.  With iCloak you can boot into it and then remove the drive before you start using it, connect to a network, or do anything that could compromise your computer from outside.

iCloak, unlike Tails, does NOT require the USB drive to stay in the computer to use the system as it doesn't need to read/write to the disk to operate.

The iCloak Stik Operating System resides in a hidden partition of the USB drive, allowing users to utilize the rest of the drive as storage while keeping implementation details and sensitive files from accidental modification by their users. However, the iCloak platform utilizes a read-only file system which takes significant work to replace and do what is required to recreate it along with its file size and checksums. Due to the fact that iCloak always loads this file to RAM before starting its operating system, changes cannot persist. This also allows the user to completely remove the iCloak Stik after it is loaded to further protect the USB drive if so desired.

Once iCloak is loaded and running, the user is utilizing a locked-down OS. To help users improve their security, we've limited what can be executed on the system, both by the user and by any threat from a hacker. In fact, iCloak is programmatically unable to mount the hard drives of a host system, further isolating iCloak Stik from possible infections.

iCloak vs. Tails: Networking and Tor

iCloak also gets between the user and all outgoing network connections for every user, including the end user. All outside connections happen through a specialized system user whose only task is to run the anonymization server. All applications requiring external network access must be piped through a local anonymizing proxy which sends traffic through anonymization networks such as Tor when you are using an application you want to use anonymously.  However, when you want to use the open internet you can, but we make it very clear you are using an open browser that is not anonymous.

iCloak currently uses the Tor network to anonymize its users' traffic. Also, leveraging all of the research and testing that has already gone into the Tor Browser Bundle to make it the most secure and continuously developed browser for Tor, iCloak has adopted it and has already begun to improve upon it.

The current Tor Browser Bundle as it is distributed can only route its browser's traffic through the Tor Network. With iCloak we've decoupled the Tor service and browser by creating our own unified system Tor controller for the entire OS which gives the user ease of access to changing IPs and routing other applications and data through the Tor network. 

Our Tor controller provides the required hooks to launch applications that require network connectivity. The controller also makes itself available to the rest of the system over D-Bus, allowing multiple, concurrently running programs to communicate with one another. This allows us to later extend Tor connectivity to other applications as desired while transparently routing their network traffic through Tor using TorSocks. TorSocks is a network sockets wrapper which replaces the system sockets for an application to route traffic through the current Tor proxy service in the system.

The combination of a Tor Controller, Tor Service and TorSocks together with a locked network are the basis of our application’s anonymized subsystem. The importance of this is non-trivial. The sophisticated, low level programming required to accomplish this makes our platform capable of securing many kinds of network traffic from email, to instant messaging, to VOIP, and more. 
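A "locked network" of the kind described above can be checked from a firewall dump. This is an added example, not iCloak's code: it assumes an `iptables-save` style ruleset and a proxy account with the constructed uid `107`, and flags any way locally generated traffic could leave the machine without going through that account.

```python
import shlex

# Constructed rulesets in iptables-save format; uid 107 is a placeholder proxy account.
LOCKED = """*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT"""
LEAKY = """*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -m owner ! --uid-owner 107 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT"""

def _opt(tokens, name):
    """Return (value, negated) for an iptables option, or (None, False)."""
    if name not in tokens:
        return None, False
    i = tokens.index(name)
    value = tokens[i + 1] if i + 1 < len(tokens) else None
    return value, i > 0 and tokens[i - 1] == "!"

def audit_output_chain(ruleset, proxy_uid):
    """List the ways locally generated traffic could bypass the proxy user.

    Assumes a flat filter/OUTPUT chain (no jumps to user-defined chains);
    IPv6 needs the same check run on ip6tables-save output.
    """
    findings, policy, default_deny = [], None, False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith(":OUTPUT "):
            policy = line.split()[1]
        if not line.startswith("-A OUTPUT "):
            continue
        tokens = shlex.split(line)
        target, _ = _opt(tokens, "-j")
        if target in ("DROP", "REJECT") and tokens[2] == "-j":
            default_deny = True   # unconditional deny: later rules are unreachable
            break
        if target != "ACCEPT":
            continue
        out_if, if_neg = _opt(tokens, "-o")
        uid, uid_neg = _opt(tokens, "--uid-owner")
        if out_if == "lo" and not if_neg:
            continue              # loopback: how applications reach the local proxy
        if uid == proxy_uid and not uid_neg:
            continue              # the one account allowed to reach the network
        findings.append("egress outside proxy user: " + line)
    if policy != "DROP" and not default_deny:
        findings.append("OUTPUT chain has no default deny")
    return findings

if __name__ == "__main__":
    for name, rules in (("LOCKED", LOCKED), ("LEAKY", LEAKY)):
        print(name, audit_output_chain(rules, "107"))
```

In the leaky ruleset the direct DNS rule is the classic failure: name lookups leave the machine in the clear even though browsing goes through the proxy.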

Also, Tails cannot use a VPN... iCloak will soon release a version with it integrated on demand.

iCloak vs. Tails: Root or No Root?

Another design decision we made at iCloak was to not allow any access to the system root.  We have built special system users to execute only the bare minimum needed to accomplish what users need while using the apps provided in iCloak Stik.  It is not possible to access the Root User.  We use a technique where we set a null password which isn't a password and that means there ISN'T a password to access the root.

Wait you say... But what if you want to dig into the Linux guts and mess with stuff?  Well... you will love Tails.  :)
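The section above does not say how the root entry is stored. On a standard Linux system the difference matters: per shadow(5), an empty password field means no password is required, while a field starting with `!` or `*` can never match any password. This added example (not iCloak's code; all account lines are constructed) reports the password state of every UID 0 account.

```python
# Constructed passwd/shadow content; "toor" is a hypothetical second UID 0 account.
PASSWD = """root:x:0:0:root:/root:/bin/sh
anon:x:107:107::/var/lib/anon:/usr/sbin/nologin
user:x:1000:1000::/home/user:/bin/sh
toor::0:0::/root:/bin/sh"""
SHADOW = """root:*:17254:0:99999:7:::
anon:!:17254::::::
user:$6$constructed$notarealhash:17254:0:99999:7:::"""

def classify_password_field(field):
    """Classify a passwd/shadow password field per shadow(5)."""
    if field == "":
        return "empty"    # no password required to authenticate
    if field[0] in "!*":
        return "locked"   # not a valid crypt(3) result: no password matches
    return "hash"         # a real password exists and can be guessed or cracked

def root_equivalent_accounts(passwd_text, shadow_text):
    """Map every UID 0 account name to the state of its password field."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    report = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or parts[2] != "0":
            continue      # malformed line, or not a root-equivalent account
        name, field = parts[0], parts[1]
        if field == "x":  # "x" means the real field lives in the shadow file
            if name not in shadow:
                report[name] = "no-shadow-entry"
                continue
            field = shadow[name]
        report[name] = classify_password_field(field)
    return report

if __name__ == "__main__":
    for name, state in root_equivalent_accounts(PASSWD, SHADOW).items():
        print(name, state)
```

A locked field only rules out password authentication; other routes to UID 0 such as setuid binaries or sudo rules need their own review.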

Tails vs. iCloak: Threat Model

One of the incredible things about the Tails project is its focus on addressing every single, tiny, threat possibility that "could" happen to a user. In fact, a big focus for Tails is always considering the worst case scenario where an entire Nation State (think China, USA or Russia) is after YOU!!! If this were the case, and you were really the target of someone with satellites that can watch every move you make, vacuum up all data over every network in your hemisphere, and use super computers to decrypt weak cryptography and use every means available to find you... Tails is working their butts off to protect you from them.

iCloak isn't. Frankly, we believe that if you are at that point and have a nation state after you, drones, all video cameras worldwide and all... you are Screwed!  Sorry, it is unlikely that iCloak Stik alone is going to save you.

Consider this... Edward Snowden BARELY escaped to Russia and that was mainly because he had a head start and he knew everything that could be used to locate him, spent his life training in these areas, and used not just Tails, Tor and PGP, but every other OpSec technique he could to avoid capture.

Also, considering the situation, if Ed had used iCloak instead of Tails to connect to Tor and use all the other techniques he would have been just as safe!

At the heart of this issue is the Threat Model. According to Wikipedia, a Threat Model is:

"...a process by which potential threats can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers the questions “Where are the high-value assets?” “Where am I most vulnerable to attack?” “What are the most relevant threats?” “Is there an attack vector that might go unnoticed?”"

While we haven't released a formal threat model paper for iCloak Stik, we take an approach similar to Qubes OS who state their system is "reasonably secure".  Basically, this is similar to the security provided by installing a good security system on your house with a locked front door and a dog and a sign that says the property is protected.  Nearly every burglar in the area will simply move to the next house because it has none of that and the garage door was left open when they went to work!

Is attacking a user using iCloak "possible"?  Yes.  Is it "probable"?  No.  But again, if what you are doing is a matter of life and death consider your choices carefully and iCloak would still be a great choice in most cases.

Tails vs. iCloak: Feature Focus

Part of the difference is also what our teams focus on.  Many of the things we focus on DO overlap, however, many more do not because the Tails system has a lot more going on with it than what we include in iCloak.  The reason is our user research showed that many features and applications included in Tails are not wanted (or understood) by our target audience.

Ask yourself which of these features planned by both teams is more important to YOU?  But please understand... although you may not understand some of the features from the Tails team, they ARE important to the Tails platform.

Here is a sample of planned features which the team at Tails is focused on for future versions:

  • Feature #9880: Triage tickets: 2016Q3
  • Feature #10244: Research and decide where to host the lizard failover
  • Feature #10859: Remove dependencies to maone.net from DAVE
  • Feature #11355: Re-enable Jenkins notifications on ISO build/test failure
  • Feature #11569: Have AppStream metadata for Tails Installer
  • Feature #11627: Consider updating the default system partition's size
  • Feature #11750: Track the distribution of the shares of the revocation certificate
  • Feature #11753: Port complex shell scripts shipped in /usr/local to Python
  • Feature #11804: Delete obsolete UNIX user accounts on the labs.r.n machine
  • Feature #11817: Optimize I/O settings on lizard
  • Feature #11836: Stop stringifying Puppet facts
  • Feature #11887: Make the remote shell's file operations robust
  • Feature #11898: Have a readable blueprint about randomness in Tails
  • Feature #11929: Upstream AppArmor profiles for Onionshare
  • Feature #12019: Test Totem's "Add local video" action
  • Feature #12059: Improve Dogtail's performance

At iCloak we are focused on different features like:

  • Including simple "explainer videos" for various security topics to educate users
  • Pre-configured VyprVPN service built in
  • Enabling easy automatic encryption/decryption of files stored locally or in the cloud
  • Desktop widget for creating and sending Cypher Text and other sensitive information over everything from Facebook to Twitter to Email
  • A simple visual system for comparing and determining if your iCloak Stik is authentic or compromised
  • Simplify creation, sharing and management of encryption keys
  • An "App Store" with plug and play privacy, security and anonymity tools you can add if needed
  • Cloud based zero-knowledge "go between" services to make using various systems more private and controlled
  • Providing secure but positive identification for services like online banking where you cannot be anonymous and still use your bank account
  • Safe communication between iCloak and SafeCloak Companion on Windows, OS X, iOS, Android and Linux machines
  • And recently, interest from Enterprise companies in having a Citrix Receiver Client available in iCloak

Open Source Wonderland:  Many Critics & Talkers... Far Fewer Doers!

Lastly, some parting words.

If you have made it through this entire post... Congratulations.  You are pretty damn serious about your personal privacy and security.  Or, more likely, this is your hobby or profession.  You may even be looking for ammunition for or against either iCloak or Tails or both.

We love Open Source and in our other company, DigiThinkIT, we are active contributors to various projects.  We have also planned to open source iCloak Stik eventually.  The primary reason we haven't so far is we are still a startup and want to be a solid enough company to support a robust community around iCloak.  If we can't, we'd rather not waste time starting something we don't have the bandwidth to support while we are still building the company.

In 2014 in Amsterdam I will never forget speaking with Roger Dingledine and Nick Mathewson of the Tor project about what we were working on with iCloak.  They, among others, expressed various concerns around a commercial product like iCloak.  For example, one concern was using simple marketing lingo that could give people a false sense of safety because many important details are often lost on the non-tech public.  We are still concerned about this and try to find a good balance between attracting new, non-technical users, and not saying anything that isn't true or encourages people to do risky things.

I met others there who were committed to Freeganism and committed to Privacy while eschewing anything commercial believing therefore iCloak couldn't be good.  There are others who purport to be Free and Open Source purists where nothing short of every bit being open and free cannot stand.

Of course, I met others who thought iCloak was a fantastic idea and more commercial ventures that were focused on giving people choices and help for protecting their digital lives was a good thing.  For example... this guy, William Binney, the first whistle blower from the NSA, long before Snowden.

In the end, I listened and absorbed the many viewpoints and committed myself to honoring the viewpoints and suggestions that moved our basic goal forward to empower more non-technical people with tools they could use and understand to increase their options when trying to protect themselves and their Privacy.

Unfortunately, not everyone is as well educated and considerate of intelligent discourse as Roger and Nick. In fact, in the Internet world we spend a good amount of our time in, it is filled with some pretty vociferous and sometimes downright nasty "extremists" who believe only their world view is the right one.  Similar to religious zealots who do much more harm than good forcing their opinion of what is right on anyone who doesn't believe what they do.

Our hope at iCloak is that we can be of service to as many people as possible.  We love what we do and we are here to answer the requests of our customers.  We are committed to doing the best that we can in helping move the ball forward in our small way to help more people have tools to protect themselves.  

If you have any comments, suggestions or questions about iCloak please feel free to write to me directly at: eric @ icloak . org.

Eric B. Delisle

A serial entrepreneur with a broad base of experience, from being a pet shop owner, working in radio, putting the first Virtual Reality Systems in Disney World, fundraising, import/export, cyber security, everything technology related, sales and marketing, to market research and channel distribution working for MTV Networks/Viacom, consultant to the National Science Foundation on SBIR funding proposals, and currently investing in real estate, startups, and founding and running ICLOAK, Inc.
