KittenGroomer/CIRCLean – data security for journalists and activists

Liz: Rachel Rayns, our Creative Producer, makes a habit of finding interesting people for us to talk to. She works with the creative industries on supporting their work with the Pi, and introducing people who aren’t the usual maths/physics suspects to computing – and while she does that, she discovers some really amazing projects.

We recently sent Rachel from Pi Towers to chair the panel at Makerversity on The New Hardware Revolution, where she met Maya Bonkowski, an interaction designer and security specialist. Maya, as it turns out, is a perfect embodiment of the sort of thing we mean when we talk about hardware revolutions. She’s been working with investigative journalists and hackers on a project called that’s called CIRCLean in some incarnations and KittenGroomer in others, which sanitises USB sticks of malware and turns untrusted documents into clean, readable text. 

There’s a real need for this kind of application: if you’re an activist under threat from security forces, or if you’re an investigative journalist working with people who need to keep their data secure and off networks (especially in places with heavy penalties for criticising government), the USB stick is a vital tool – but it’s also a tool that’s very susceptible to malware.

Maya subsequently sent me a very long email about what they’re doing. It’s so interesting that I’ve reproduced it in its entirety below (with her permission). Over to Maya. 

Right, so where to begin.


Being a journalist in some parts of the world can be a rather serious and hazardous health condition. When the Syrian uprising began and the internet and mobile networks were turned off, all that was left were satellite phones. For a while, anyway. Until making a phone call became hazardous to the village with sat phone call signals being triangulated, possibly attracting an immediately subsequent carpet bombing.

Everybody loves kittens. Because kittens are loveable. But sometimes kittens need a new home, and then it becomes our job of finding a loving home for that kitten. Sometimes, unfortunately, homeless kittens will have all sorts of nasties and things that will itch and go bump in the night. They may take some work, but everyone loves kittens and they’re worth it.

What’s with the kittens? If you have a fact that guys with guns will shoot you in the face for even knowing about, then talking about kittens is possibly a far safer lifestyle choice.

In the Beginning:

My friend Quinn Norton, an OpSec/Journo who covers Anonymous and Occupy for WIRED magazine, launches into a rant: “So here’s my problem. Somebody gives me a USB key with something on it and I can’t f******* do anything with it. Nothing. It’s f****** useless and really I’ve got nothing.” More shouty ranty problem explanations followed.

The three main attack vectors against data security, and the sort of thing that makes Quinn’s work hard, are email attachments, unsecured (or poorly secured) LANs and USB keys. Apparently, enough dirty nasty things can be done at the block device level of plugging in a USB key, never mind such high level things as an infected document or program.

But, you really really want to know what’s on the key. Let’s say a north-African Royal Family has a chunk of the country’s annual budget allocated to them as a block percentage without any details. Someone’s promised you the full detail version of the budget including an itemised breakdown of the Royal Family spend. (Meet in this alley at night, and I’ll hand it to you through your open car window as you slowly drive by in the rain. Sadly, that one turned out to be a dud.)

The problem:

  • we need to extract the information in a safe way from USB key without plugging it into any computer that we might ever want to use again
  • you need an “airlocked” (non-networked) machine in case it tries to tell someone with guns about you
  • a second laptop is impractical and raises too many questions
  • Virtual Machines require competency to use them (and people are stupid/lazy)
  • Virtual Machines expose the Host computer to whatever is connected anyway.

The solution:

Extracting data from unknown data formats presents its own issues – MSOffice documents are the potential black plague carriers of data. PDFs files can be crafted to kill your system BIOS and brick your machine. Image files carry their own implications. But there are enough ways of translating and extracting data out of problem formats and putting them into functionally benign formats. This is the easy part.

But you still need a place to do all this.

So, there was this vision making the rounds in 2011/12 about creating an inexpensive computing platform that anyone anywhere in the world could use. You could hook it up to a TV and presto: you have a computer and can learn about computers. It could be anywhere and inexpensive enough to actually be anywhere, not just in a company office space. It could be in class rooms. It could be in private homes. It could be in your backpack. “Oh this? It’s a Raspberry Pi – it’s a cheap computer that enables anyone to get into computing. Would you like to see what it can do?”

Right, so the rPi vision as I saw it was: get these things everywhere to enable people without Macbook (or even anything near chromebook) budgets to get into computing. Get Africa computing. Get poor villages computing. Get students connected to the interwebs. Get it out there. Oh, and by the way, create an internationally available stable and consistent platform. And as a side effect of all of that, provide a plausibly deniable platform available anywhere. (Thank you!)

As it was in Autumn 2012, Raspbian had nearly everything needed software-wise. The installation of OpenOffice took care of a lot of the bulk of data format translations, and X was already installed (iirc) so it had a place to run. Because why would you have a word processor installed if you didn’t have a place to run it? Even if you only ever intend to run office apps in headless mode.

Next you want to make it do something on its own under controlled circumstances. The way it works is that you plug the key of questionable lineage into the top USB port. Then supply a clean/blank USB key and plug that into the bottom USB port. Then you turn it on and wait.

A couple of scripts buried as far down into the startup sequence as I could manage (and still have them work) trigger a number of things (or not):

  • if both USB ports aren’t directly connected to USB storage devices, be an rPi. Do rPi things. (Hide in plain sight.)
  • if they are both storage devices do something else.

If the system decides that the only things connected are 2 USB storage devices and then to clean data from one USB stick to the other, it recursively runs through all the files, directories (and treat archive files as directories, so unpack and process everything in them too), and partitions through the various document processing routines, writing clean data to the other USB stick.

This was the basis for the first prototype system. I’d recently received my first 256MB B model, and some cursing and swearing later it worked. It was even slower than the 512MB B model.

The Original Name: “KittenGroomer”

Apparently OpSec and InfoSec types spend or have spent too much time anywhere near 4chan; and while less questionable names where being explored around declawing, bathing, trimming and so on, the *Sec community branded it “KittenGroomer” within about 20 minutes of its conceptual birth and it stuck. The Journo/OpSec friend started promoting it before I’d opened the editor on the first Bash script. Before the project shifted from being “SEEKRIT!!” to open public visibility, a 4chan-inspired idea to ensure that you had a legit KittenGroomer was to stick a holographic PedoBear sticker across the SD card slot and the SD card. Never happened.

The prototype got a lot of attention from different people pretty quickly and it wasn’t long before someone working for the Computer Incident and Response Centre of Luxembourg (CIRCL) took some interest. In early December 2012, I put the first prototype in a bubble wrap envelope and mailed off. (They didn’t have any rPi’s yet.) A decision was made to de-SEEKRIT the KittenGroomer and eventually was presented to the Luxembourg minister responsible for information security. Some budget was allocated to refining the KittenGroomer and it became an official CIRCL project. There was talk of commercialising the project. Raf (the person at CIRCL I sent it to) put a stop to the commercialisation. It must always remain freely available. I never did get the trip to Luxembourg to meet the Minister.

OpenOffice was replaced with LibreOffice. (LO was forked from OO, then it was discovered that 25% of OO code did nothing, and was subsequently cut out – hopefully taking some security issues as well). A fast library used to convert PDFs into HMTL was reworked to work on armv6/7 (and even safely tested against some carefully caveated super nasty BIOS crushing PDFs Raf keeps under heavy lock and key).

I haven’t had much time to contribute in a while, but last October-ish we added audio as a status indicator so you don’t need a screen (we never did properly sort out the power management properly to keep the hdmi output from turning off). While it’s working it now plays 8bit 80s(ish) midi tunes until it’s done and shuts the system down. I curated the tunes so that they’re more or less in that curious/painful/delightful/odd/indeterminate aural appreciation space. The Nyan cat theme song was a request. That’s all I have to say about that selection.

What’s happened with it:

The KittenGroomer has been to a number of cryptofests, Raspberry Jams and the like, and has generally been well received. A number of seminars for journalists have been held and there are now KittenGroomer-equipped journalists out there. There might be a venture to package up and sell ready-to-go KittenGroomers (which I just found out about this morning). There’s still a lot of work that can/should be done on it.

The CIRCL project page:

and their git repo:

The main (Raf’s) git repo:

There’s more to come I’m sure. There’s already an otherwise clean Pizza Express napkin with a thorough sketch all over it.