KittenGroomer/CIRCLean – data security for journalists and activists
Liz: Rachel Rayns, our Creative Producer, makes a habit of finding interesting people for us to talk to. She works with the creative industries on supporting their work with the Pi, and introducing people who aren’t the usual maths/physics suspects to computing – and while she does that, she discovers some really amazing projects.
We recently sent Rachel from Pi Towers to chair the panel at Makerversity on The New Hardware Revolution, where she met Maya Bonkowski, an interaction designer and security specialist. Maya, as it turns out, is a perfect embodiment of the sort of thing we mean when we talk about hardware revolutions. She’s been working with investigative journalists and hackers on a project that’s called CIRCLean in some incarnations and KittenGroomer in others, which sanitises USB sticks of malware and turns untrusted documents into clean, readable text.
There’s a real need for this kind of application: if you’re an activist under threat from security forces, or if you’re an investigative journalist working with people who need to keep their data secure and off networks (especially in places with heavy penalties for criticising government), the USB stick is a vital tool – but it’s also a tool that’s very susceptible to malware.
Maya subsequently sent me a very long email about what they’re doing. It’s so interesting that I’ve reproduced it in its entirety below (with her permission). Over to Maya.
Right, so where to begin.
Background:
Being a journalist in some parts of the world can be a rather serious and hazardous health condition. When the Syrian uprising began and the internet and mobile networks were turned off, all that was left were satellite phones. For a while, anyway. Until making a phone call became hazardous to the village with sat phone call signals being triangulated, possibly attracting an immediately subsequent carpet bombing.
Everybody loves kittens. Because kittens are loveable. But sometimes kittens need a new home, and then it becomes our job to find a loving home for that kitten. Sometimes, unfortunately, homeless kittens will have all sorts of nasties and things that will itch and go bump in the night. They may take some work, but everyone loves kittens and they’re worth it.
What’s with the kittens? If you have a fact that guys with guns will shoot you in the face for even knowing about, then talking about kittens is possibly a far safer lifestyle choice.
In the Beginning:
My friend Quinn Norton, an OpSec/Journo who covers Anonymous and Occupy for WIRED magazine, launches into a rant: “So here’s my problem. Somebody gives me a USB key with something on it and I can’t f******* do anything with it. Nothing. It’s f****** useless and really I’ve got nothing.” More shouty ranty problem explanations followed.
The three main attack vectors against data security, and the sort of thing that makes Quinn’s work hard, are email attachments, unsecured (or poorly secured) LANs and USB keys. Apparently, enough dirty nasty things can be done at the block device level of plugging in a USB key, never mind such high level things as an infected document or program.
But, you really really want to know what’s on the key. Let’s say a north-African Royal Family has a chunk of the country’s annual budget allocated to them as a block percentage without any details. Someone’s promised you the full detail version of the budget including an itemised breakdown of the Royal Family spend. (Meet in this alley at night, and I’ll hand it to you through your open car window as you slowly drive by in the rain. Sadly, that one turned out to be a dud.)
The problem:
- we need to extract the information in a safe way from a USB key without plugging it into any computer that we might ever want to use again
- you need an “airlocked” (non-networked) machine in case it tries to tell someone with guns about you
- a second laptop is impractical and raises too many questions
- Virtual Machines require competency to use them (and people are stupid/lazy)
- Virtual Machines expose the Host computer to whatever is connected anyway.
The solution:
Extracting data from unknown data formats presents its own issues – MSOffice documents are the potential black plague carriers of data. PDF files can be crafted to kill your system BIOS and brick your machine. Image files carry their own implications. But there are enough ways of translating and extracting data out of problem formats and putting them into functionally benign formats. This is the easy part.
But you still need a place to do all this.
So, there was this vision making the rounds in 2011/12 about creating an inexpensive computing platform that anyone anywhere in the world could use. You could hook it up to a TV and presto: you have a computer and can learn about computers. It could be anywhere and inexpensive enough to actually be anywhere, not just in a company office space. It could be in class rooms. It could be in private homes. It could be in your backpack. “Oh this? It’s a Raspberry Pi – it’s a cheap computer that enables anyone to get into computing. Would you like to see what it can do?”
Right, so the rPi vision as I saw it was: get these things everywhere to enable people without Macbook (or even anything near chromebook) budgets to get into computing. Get Africa computing. Get poor villages computing. Get students connected to the interwebs. Get it out there. Oh, and by the way, create an internationally available stable and consistent platform. And as a side effect of all of that, provide a plausibly deniable platform available anywhere. (Thank you!)
As it was in Autumn 2012, Raspbian had nearly everything needed software-wise. The installation of OpenOffice took care of a lot of the bulk of data format translations, and X was already installed (iirc) so it had a place to run. Because why would you have a word processor installed if you didn’t have a place to run it? Even if you only ever intend to run office apps in headless mode.
Next you want to make it do something on its own under controlled circumstances. The way it works is that you plug the key of questionable lineage into the top USB port. Then supply a clean/blank USB key and plug that into the bottom USB port. Then you turn it on and wait.
A couple of scripts buried as far down into the startup sequence as I could manage (and still have them work) trigger a number of things (or not):
- if both USB ports aren’t directly connected to USB storage devices, be an rPi. Do rPi things. (Hide in plain sight.)
- if they are both storage devices do something else.
If the system decides that the only things connected are two USB storage devices, it cleans data from one stick to the other: it recursively runs through all the partitions, directories and files (treating archive files as directories, so everything inside them is unpacked and processed too), passes each file through the various document processing routines, and writes the clean data to the other USB stick.
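The core of that walk, as an added Python example (my code, not the CIRCLean or KittenGroomer source): each file is typed by its content rather than its extension, archives are recursed into as if they were directories, and member names are sanitised so a crafted path cannot escape the clean stick. The pass-through/quarantine policy and the DANGEROUS_ prefix are my assumptions, and the sample input is constructed.

```python
import io
import re
import zipfile

MAX_DEPTH = 4  # nested-archive limit: zip bombs and endless recursion are a real risk

def classify(data):
    # Type a blob by its content, never by its extension: the extension is attacker-chosen.
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # legacy .doc/.xls/.ppt container
        return "office"
    if zipfile.is_zipfile(io.BytesIO(data)):
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        return "office" if "[Content_Types].xml" in names else "archive"  # .docx is a zip too
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"

def safe_name(member):
    # Keep only a sanitised basename so a '../' member cannot escape the clean stick.
    base = member.replace("\\", "/").rstrip("/").split("/")[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "unnamed"

def groom(entries, prefix="", depth=0):
    # entries: (path, bytes) pairs read from the dirty stick. Returns {clean_path: bytes}.
    # Policy (my assumption): text passes through as .txt, archives are walked like
    # directories, everything else is quarantined as DANGEROUS_<name>.bin.
    out = {}
    for path, data in entries:
        name, kind = safe_name(path), classify(data)
        if kind == "archive" and depth < MAX_DEPTH:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [(m.filename, zf.read(m)) for m in zf.infolist() if not m.is_dir()]
            out.update(groom(inner, prefix + name + "/", depth + 1))
        elif kind == "text":
            out[prefix + name.rsplit(".", 1)[0] + ".txt"] = data
        else:
            out[prefix + "DANGEROUS_" + name + ".bin"] = data
    return out

def constructed_sample():
    # A constructed dirty stick: a note, plus a zip holding a PDF and a path-traversal member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget.pdf", b"%PDF-1.4 constructed")
        zf.writestr("../../etc/evil.txt", b"traversal attempt")
    return [("notes.txt", b"meet in the alley"), ("docs.zip", buf.getvalue())]
```

A real groomer would hand the "pdf" and "office" kinds to a converter (the post mentions LibreOffice and a PDF-to-HTML library) instead of quarantining them.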
This was the basis for the first prototype system. I’d recently received my first 256MB B model, and some cursing and swearing later it worked. It was even slower than the 512MB B model.
The Original Name: “KittenGroomer”
Apparently OpSec and InfoSec types spend or have spent too much time anywhere near 4chan; and while less questionable names were being explored around declawing, bathing, trimming and so on, the *Sec community branded it “KittenGroomer” within about 20 minutes of its conceptual birth and it stuck. The Journo/OpSec friend started promoting it before I’d opened the editor on the first Bash script. Before the project shifted from being “SEEKRIT!!” to open public visibility, a 4chan-inspired idea to ensure that you had a legit KittenGroomer was to stick a holographic PedoBear sticker across the SD card slot and the SD card. Never happened.
The prototype got a lot of attention from different people pretty quickly and it wasn’t long before someone working for the Computer Incident and Response Centre of Luxembourg (CIRCL) took some interest. In early December 2012, I put the first prototype in a bubble wrap envelope and mailed it off. (They didn’t have any rPi’s yet.) A decision was made to de-SEEKRIT the KittenGroomer and it was eventually presented to the Luxembourg minister responsible for information security. Some budget was allocated to refining the KittenGroomer and it became an official CIRCL project. There was talk of commercialising the project. Raf (the person at CIRCL I sent it to) put a stop to the commercialisation. It must always remain freely available. I never did get the trip to Luxembourg to meet the Minister.
OpenOffice was replaced with LibreOffice. (LO was forked from OO, then it was discovered that 25% of OO code did nothing, and was subsequently cut out – hopefully taking some security issues as well). A fast library used to convert PDFs into HTML was reworked to work on armv6/7 (and even safely tested against some carefully caveated super nasty BIOS crushing PDFs Raf keeps under heavy lock and key).
I haven’t had much time to contribute in a while, but last October-ish we added audio as a status indicator so you don’t need a screen (we never did properly sort out the power management to keep the hdmi output from turning off). While it’s working it now plays 8bit 80s(ish) midi tunes until it’s done and shuts the system down. I curated the tunes so that they’re more or less in that curious/painful/delightful/odd/indeterminate aural appreciation space. The Nyan cat theme song was a request. That’s all I have to say about that selection.
What’s happened with it:
The KittenGroomer has been to a number of cryptofests, Raspberry Jams and the like, and has generally been well received. A number of seminars for journalists have been held and there are now KittenGroomer-equipped journalists out there. There might be a venture to package up and sell ready-to-go KittenGroomers (which I just found out about this morning). There’s still a lot of work that can/should be done on it.
The CIRCL project page:
http://circl.lu/projects/CIRCLean/
and their git repo:
https://github.com/CIRCL/Circlean
The main (Raf’s) git repo:
https://github.com/Rafiot/KittenGroomer
There’s more to come I’m sure. There’s already an otherwise clean Pizza Express napkin with a thorough sketch all over it.
matt venn
amazing! Really fantastic application, another great niche for the Pi.
AndrewS
Awesome!
“And as a side effect of all of that, provide a plausibly deniable platform available anywhere. (Thank you!)”
And with the microSD cards now used by the Model B+ being even easier to hide… ;-)
Presumably you have to be careful not to plug the USB sticks in the wrong way around?
James
“And with the microSD cards now used by the Model B+ being even easier to hide… ;-)”
Or eat ;-)
Hamid Elaosta
An even better modification would be to expect a particular partition label /ID so that on the off chance the baddies did plug 2 pen drive in (expecting it to be one of these), it won’t match and nothing will happen.
Liz Upton
I think that’s pull-request worthy.
Juan Rial
If the baddies suspect that this is “one of these”, it means they’re aware there exists such a thing as “one of these”, which implies they know where to obtain the OS image. So all they need to do is examine the contents of the SD card, in particular, the files that differ between this thing and the Raspbian or whatever it’s based on, and they’ll know.
It’s a good idea, and certainly useful, but it only protects against adversaries that are ignorant to the existence of this project.
Hamid Elaosta
Juan, agreed. But such is life with open source. There are plenty of binary places you could hide the code though that might differ from Pi to Pi.
My initial thought though was just for if you’re stopped for a spot check, or similar, where the “baddies” might be vaguely aware of the existence of this tech, but not have the technical expertise to examine in detail.
I like the idea of having some code compile each boot, you’d have to make sure you trust the code though.
Perhaps you could modify the pi to burst into flames if they try to connect it to the “correct” power source, then you slyly replace, let’s say the Ethernet jack with a hidden ee prom, that will boot when you apply the “wrong” power.
Lots of fun ideas come to mind!
Kyle H
Do not trust anyone else’s KittenGroomer. There is no write-protect on most USB keys.
Do not trust your own KittenGroomer, if it has been out of your sight. Always verify the image you’re using before you use it.
If you have the only original USB drive, you do not want it wiped or overwritten with /dev/random or overwritten with /dev/zero or sent a self-destruct command by a malicious alteration of the KittenGroomer initialization files. Without verifying these files as original, from a device that isn’t the device that runs them, you run that risk.
kventin
for _really_ paranoid, there is “TCCBOOT: TinyCC Boot Loader” [http://bellard.org/tcc/tccboot.html]
it’s a boot loader to compile kernel from source code every time it boots.
you have to trust the source, of course.
iirc new version of tcc works on rpi.
sherjenn
I don’t think that I own any USBs that haven’t become malware portals at one point or another. I need to order some clean ones. I have to reformat my USBs continually.
Tai Viinikka
It’s a very solid idea, and I’m glad you put it into action, Maya! Well done!
Is someone on the lookout for a crossinfecting malware, the cousin of Stuxnet[1], that can run on Windows and Raspbian?
Regards,
tai
[1] capable of crossinfecting Windows and Siemens Programmable Logic Controllers… so ARM wouldn’t be a stretch.
3xBackups
The key would be a tiny fragment of machine code that functions as 3 different jumps on the 3 different architectures. And any excess code behaves in effect like NOP’s (no operation) on the other 2 architectures. It could probably be achieved with fuzzing or by hand crafting the tiny fragment of machine code. You would need a table of assembly mnemonics and their corresponding hexadecimal values for each architecture as well as a very good understanding of registers, flags, memory layout, indirect and conditional branching on each.
scot
That’s one of the coolest things I’ve seen on this blog. (been following since the beginning)
scot
what if the software that does the cleaning lived on the second usb so they wouldn’t be able to find it on the pi? As it is they just scan your sd card if you have a pi, but it would be much easier to hide one of those tiny usb sticks.
Mark
All this about exploding Pi’s – have you never tried to find a micro-SD that came adrift in your own stuff?? Just have an innocent micro-SD with your Pi, and the kitten in your shoe, camera case, metal glasses-case lining, belly-button, hair..