mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 14:52:54 -04:00
tail best updates, pdf macro
parent 11986c34cb
commit 0031e85f7a
15 changed files with 62 additions and 22 deletions
2
.gitignore
vendored
@ -1,5 +1,7 @@
public/

*.pdf

# temporary files which can be created if a process still has a handle open of a deleted file
.fuse_hidden*

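Review bot: `*.pdf` ignores every PDF anywhere in the repository, not only the generated ones. Since the a4/letter PDFs referenced in the front matter of this commit are build output, a pattern scoped to where the build writes them (alongside the already-listed `public/`) would avoid silently dropping any hand-made PDF a future post wants to ship, and a one-line comment above the pattern, like the one the `.fuse_hidden*` entry already has, would record that these are the files the pdf macro produces.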
18
CHANGELOG.md
@ -1 +1,17 @@
Coming soon
# Tails for Anarchists

# Tails Best Practices

# Qubes OS for Anarchists

# Why Anarchists Shouldn't Have Phones

# GrapheneOS for Anarchists

# Linux Essentials

# Removing Identifying Metadata From Files

# Encrypted Messaging for Anarchists

# Making Your Electronics Tamper-Evident
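Review bot: every heading added here has an empty body, so the changelog now lists article titles but records no changes. At least one dated line per article would make it useful, and the `dateedit=2023-05-10` front matter added across the posts in this commit gives the obvious first entry. Using `# ` for each article also leaves no room for a page title; `## ` per article under a single `# Changelog` heading is the usual layout.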
@ -10,6 +10,8 @@ tags = ["intro", "e2ee", "easy"]
blogimage="/images/BASE_2.png"
toc=true
dateedit=2023-05-10
a4="e2ee-a4.pdf"
letter = "e2ee-letter.pdf"
+++
Several different options are available for [end-to-end encrypted](/glossary/#end-to-end-encryption-e2ee) communications, with different trade-offs. This article will present an overview, as well as installation instructions for Tails, Qubes OS, and GrapheneOS.
<!-- more -->
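Review bot: `letter = "e2ee-letter.pdf"` is spaced differently from `a4="e2ee-a4.pdf"` on the line above and from `letter="..."` in every other front matter block in this commit; TOML accepts both, but one form makes a future grep or macro change match every file. Both values are bare file names, so the pdf macro has to resolve them against a known output directory, and because this commit also ignores `*.pdf`, the files will never be in the repository: fine as long as the build step that produces them runs before deploy.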
@ -227,7 +229,7 @@ What homeserver you use is important— do not use the default homeserver matrix

Matrix can either be used through a web client (using Element Web on Tor Browser) or though a desktop client (using Element Desktop). The web clients for Systemli and Anarchy Planet are `element.systemli.org` and `anarchy.chat`, respectively. When using a desktop client, before trying to log in change the homeserver address to `https://matrix.systemli.org` or `https://riot.anarchyplanet.org`, respectively. It is easy to create an account anonymously, and does not require a phone. Systemli requires having an email account with them (which you need an invite to obtain), whereas anyone can sign up to Anarchy Planet with the registration code `aplanet`.

A matrix ID looks like @username:homeserver, so for example, @anarsec:riot.anarchyplanet.org. Just like email, you can message accounts that are on different homeservers.
A matrix ID looks like \@username:homeserver, so for example, \@anarsec:riot.anarchyplanet.org. Just like email, you can message accounts that are on different homeservers.

As soon as you have logged in, go to **Setting → Security & Privacy**.

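Review bot: escaping the `@` avoids it being read as markup by the PDF toolchain (a leading `@` is treated as a citation marker by some markdown-to-PDF converters), and CommonMark drops the backslash on the HTML side, so both outputs render plain `@username:homeserver`. Wrapping the IDs in inline code would achieve the same without a literal backslash in the source and would match how the homeserver addresses in the paragraph above are already set. Two typos in the surrounding context lines are worth fixing while here: "or though a desktop client" should be "through", and "**Setting → Security & Privacy**" should be "**Settings**".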
|
@ -10,6 +10,8 @@ tags = ["intro", "mobile", "easy"]
toc = true
blogimage="/images/graphene.avif"
dateedit=2023-05-10
a4="grapheneos-a4.pdf"
letter="grapheneos-letter.pdf"
+++

[Anarchists shouldn't have phones](/posts/nophones/). If you absolutely must use a phone, it should be as difficult as possible for an adversary to geotrack, intercept messages, or hack. This means using GrapheneOS.
@ -157,7 +159,7 @@ Applications like Cwtch and Briar have Tor built in, and should not be used thro
# Recommended Settings and Habits

* **Settings → Security → Auto reboot:** 8 hours [Owner user profile]
* Auto reboot when no profile has been unlocked for several hours will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will at minimum reboot overnight if you forget to turn it off. In the event of [malware](/glossary/#malware) compromise of the device, Verified Boot will prevent and revert changes to the operating system files upon rebooting the device. If police ever manage to obtain your phone when it is in a lock-screen state, this setting will return it to effective encryption even if they keep it powered on.
* Auto reboot when no profile has been unlocked for several hours will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will at minimum reboot overnight if you forget to turn it off. In the event of [malware](/glossary/#malware) compromise of the device, [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert changes to the operating system files upon rebooting the device. If police ever manage to obtain your phone when it is in a lock-screen state, this setting will return it to effective encryption even if they keep it powered on.
* Keep the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when not in use. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
* **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* Quite a few applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos", because it will have access to all of your pictures then. Instead, in the Files app, long-press to select the picture, then share it with Signal.
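Review bot: the Verified Boot link now points at privacyguides.org while the other terms in the same bullet (Full Disk Encryption, malware) link to the site's own glossary; a `/glossary/#verified-boot` entry would keep the reader on-site and survive if the external anchor changes. The same external URL is used for the HEADS bullet in the Tails best-practices post in this commit, so one glossary entry would serve both places.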
@ -11,6 +11,8 @@ tags = ["intro", "linux", "tails", "qubes", "easy"]
blogimage="/gifs/destroy.gif"
toc=true
dateedit=2023-05-10
a4="linux-a4.pdf"
letter="linux-letter.pdf"
+++

As an anarchist, you've probably heard the recommendation to use a Linux computer. This article is intended to get you up to speed by giving a brief overview of what you need to know.
@ -10,6 +10,8 @@ tags = ["metadata", "tails", "qubes", "easy"]
blogimage="/images/app.png"
toc=true
dateedit=2023-05-10
a4="metadata-a4.pdf"
letter="metadata-letter.pdf"
+++


@ -10,6 +10,8 @@ tags = ["mobile"]
blogimage="/images/prison.jpg"
toc=true
dateedit=2023-05-10
a4="nophones-a4.pdf"
letter="nophones-letter.pdf"
+++

With effective [security culture and OPSEC](https://www.csrc.link/read/csrc-bulletin-1-en.html#header-a-base-to-stand-on-distinguishing-opsec-and-security-culture), the forces of repression wouldn't know about our specific criminal activities, but they also wouldn't know about our lives, [relationships](https://www.csrc.link/threat-library/techniques/network-mapping.html), movement patterns, etc. This knowledge is a huge asset to help them narrow down suspects and execute targeted surveillance. The location of your phone is [tracked at all times](https://www.vice.com/en/article/m7vqkv/how-fbi-gets-phone-data-att-tmobile-verizon), and this data is harvested by private companies, enabling police to bypass laws requiring them to obtain a warrant. [Hardware identifiers and the subscription information](https://anonymousplanet.org/guide.html#your-imei-and-imsi-and-by-extension-your-phone-number) of the phone are logged by cell towers with every connection. Hacking services like [Pegasus](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) bring total phone compromise within the reach of even local law enforcement agencies, and are 'zero-click', meaning that success doesn't rely on you clicking a link or opening a file.
@ -10,6 +10,8 @@ tags = ["intro", "linux", "windows", "qubes", "intermediate"]
blogimage="/images/qubes-os.png"
toc=true
dateedit=2023-05-10
a4="qubes-a4.pdf"
letter="qubes-letter.pdf"
+++
Qubes OS is a security-oriented [operating system](/glossary#operating-system-os) (OS), meaning it is an operating system designed from the ground up to be more difficult to hack. This is achieved through [compartmentalization](https://www.qubes-os.org/faq/#how-does-qubes-os-provide-security), where each compartment is called a "qube" (using "virtual machines" — more on that below). All other Linux systems like [Tails](/tags/tails/) are *monolithic*, which means that if a hack succeeds anywhere on the system it can take over more easily. In Qubes OS, if one qube is compromised, the others remain safe. You can think of using Qubes OS as like having many different computers on your desk for different activities but with the convenience of a single physical machine, a single unified desktop environment, and a set of tools for using a number of different qubes together securely as parts of a unified system.

@ -10,9 +10,11 @@ tags = ["linux", "tails", "easy"]
blogimage="/images/tails1.png"
toc=true
dateedit=2023-05-10
a4="tails-best-a4.pdf"
letter="tails-best-letter.pdf"
+++

As mentioned in our [recommendations](/recommendations/#computers-sensitive), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that needs to have no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive, and is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to working with Tails, start with [Tails for Anarchists](/posts/tails-tutorial/).
As mentioned in our [recommendations](/recommendations/#computers), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that needs to have no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive, and is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to working with Tails, start with [Tails for Anarchists](/posts/tails/).

This text details some extra precautions that you can take which are relevant to an anarchist [threat model](/glossary#threat-model). Not all anarchist threat models are the same and only you can decide what mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [CSRC Threat Library](https://www.csrc.link/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations.

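Review bot: two internal links change target here: `/recommendations/#computers-sensitive` becomes `/recommendations/#computers`, and `/posts/tails-tutorial/` becomes `/posts/tails/`. A later hunk in this file collapses `#computers-daily-use` to the same `#computers`, so the recommendations page must now have a single heading that generates that anchor and covers both the sensitive-use and daily-use advice; if it still has two separate headings, both links land on the wrong section or the page top. A redirect from `/posts/tails-tutorial/` would keep existing external links alive.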
@ -27,6 +29,7 @@ Let's start by looking at the [Tails Warnings page](https://tails.boum.org/doc/a


> Tails is designed to hide your identity. But some of your activities could reveal your identity:
>
> 1. Sharing files with [metadata](/glossary#metadata), such as date, time, location, and device information
> 2. Using Tails for more than one purpose at a time

@ -49,6 +52,7 @@ This second issue can be mitigated by what's called **'compartmentalization'**:


> Tails uses the Tor network because it is the strongest and most popular network to protect from surveillance and censorship. But Tor has limitations if you are concerned about:
>
> 1. Hiding that you are using Tor and Tails
> 2. Protecting your online communications from determined, skilled attackers

@ -60,7 +64,7 @@ This first issue is mitigated by [**Tor bridges**](https://tails.boum.org/doc/an

> A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called *end-to-end correlation* attacks, because the attacker has to observe both ends of a Tor circuit at the same time. [...] End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users.

### Protecting your online communications from determined, skilled attackers
### Protecting against determined, skilled attackers

This second issue is mitigated by **not using an Internet connection that could deanonymize you** and by **prioritizing .onion links when available**:

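Review bot: renaming the heading changes its generated anchor, so any link to `#protecting-your-online-communications-from-determined-skilled-attackers` (in this post's table of contents or from other posts) now breaks; grep for the old anchor before merging. The shorter heading also no longer matches item 2 of the Tails warning quoted just above ("Protecting your online communications from determined, skilled attackers"), which is how the reader maps the numbered issue to its mitigation; if brevity is the goal, keep the quote's wording in the heading and trim elsewhere.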
@ -90,7 +94,7 @@ This second issue is mitigated by **not using an Internet connection that could

This first issue is mitigated by **using a computer that you trust to install Tails**:

* As per our [recommendations](/recommendations/#computers-daily-use), this would ideally be from [Qubes OS](/posts/qubes/) which is much more difficult to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick which was installed with Qubes OS (and who uses these best practices), you could [clone it](https://tails.boum.org/upgrade/clone/index.en.html) instead of installing it yourself.
* As per our [recommendations](/recommendations/#computers), this would ideally be from [Qubes OS](/posts/qubes/) which is much more difficult to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick which was installed with Qubes OS (and who uses these best practices), you could [clone it](/posts/tails/#installation) instead of installing it yourself.
* Use the install method ["Terminal: Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), because it checks the integrity of the download more thoroughly using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you through it, or first learn command line basics and GnuPG with [Linux Essentials](/posts/linux/).
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs that are used in Tails sessions) into a computer while another operating system is running on it; if the computer is infected, the infection can then [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).

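Review bot: the `clone it` link moves from the Tails upgrade/clone documentation to `/posts/tails/#installation`; that section has to actually describe cloning from a trusted friend's running Tails with Tails Installer, not only a fresh download-and-install, or the sentence loses its instructions. Same anchor consolidation as at the top of the file: `#computers-daily-use` becomes `#computers`, so confirm the recommendations page has one heading producing that anchor.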
@ -120,7 +124,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
* **Remove the hard drive**—it's easier than it sounds. You can ask the store where you buy it to do this and potentially save some money. If you look on youtube for 'remove hard drive' for your laptop model, there will likely be an instructional video. Make sure that you remove the laptop battery first and unplug the power cord. We remove the hard drive to completely eliminate the hard drive firmware, which has been known to be [compromised in order to install malware that is persistent](https://www.wired.com/2015/02/nsa-firmware-hacking/). This is part of the attack surface, and is unnecessary with a live system like Tails which runs from a USB.
* Consider **removing the Bluetooth interface, camera, and microphone** while you are at it, though this is more involved—you'll need the user manual for your laptop model. At a minimum, the camera can be "deactivated" by placing a sticker over it. The microphone is often connected to the motherboard via a plug - it is then sufficient to disconnect it. If this is not clear, or there is no connector because the cable is soldered directly, or the connector is needed for other purposes, then cut the microphone cable with pliers. The camera can be permanently disabled using the same method if you don't trust the sticker method. It is also possible to use Tails on a dedicated "offline" computer by also removing the network card. Some laptops have switches on the case that can be used to disable the wireless interfaces, but it is preferable to actually remove the network card.

* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates a remote attack on BIOS firmware against a Tails user, enabling the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be simply removed like the hard drive. It is needed for turning on the laptop, so must be replaced with [open-source](/glossary#open-source) firmware, which is an advanced process (opening up the computer and using special tools). Most anarchists will not be able to do this by themselves, but hopefully there is someone in your networks who can set it up for you. It's called HEADS because it's the 'other side' of Tails—where Tails secures software, HEADS secures hardware. It has a similar purpose to the [Verified Boot](url) found in GrapheneOS, which establishes a full chain of trust starting from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop if you intend to install it—we recommend the ThinkPad X230 because the install is less involved than for other models. The CPUs of this generation are able to have the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) effectively removed in the process of flashing HEADS, but this is not the case with later CPU generations on more recent computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a broader range of laptop models but has inferior security. HEADS can be configured to [verify the integrity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) which will prevent it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks.
* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates a remote attack on BIOS firmware against a Tails user, enabling the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be simply removed like the hard drive. It is needed for turning on the laptop, so must be replaced with [open-source](/glossary#open-source) firmware, which is an advanced process (opening up the computer and using special tools). Most anarchists will not be able to do this by themselves, but hopefully there is someone in your networks who can set it up for you. It's called HEADS because it's the 'other side' of Tails—where Tails secures software, HEADS secures hardware. It has a similar purpose to the [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) found in GrapheneOS, which establishes a full chain of trust starting from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop if you intend to install it—we recommend the ThinkPad X230 because the install is less involved than for other models. The CPUs of this generation are able to have the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) effectively removed in the process of flashing HEADS, but this is not the case with later CPU generations on more recent computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a broader range of laptop models but has inferior security. HEADS can be configured to [verify the integrity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) which will prevent it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks.

* **Using USBs with secure firmware**, like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive) which has [retailers globally](https://www.kanguru.com/pages/where-to-buy), so that the USB will [stop working](https://www.kanguru.com/blogs/gurublog/15235873-prevent-badusb-usb-firmware-protection-from-kanguru) if the firmware is altered through compromise.

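Review bot: good catch replacing the literal `(url)` placeholder; a repository-wide grep for `](url)` before the PDF build would catch any other draft markers, since they render as dead links in both outputs. Minor, in the context lines: the last bullet ("**Using USBs with secure firmware**") is in a different grammatical form from the imperative bullets around it ("Remove the hard drive", "Replace the BIOS"); "**Use USBs with secure firmware**" reads consistently.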
@ -143,9 +147,9 @@ If your Tails USB stick has a write-protect switch and secure firmware, such as
On a USB with a write-protect switch, you will not be able to make any changes to the Tails USB when the switch is enabled. If you could make changes, so could malware. Although ideally the switch would be enabled all the time, we recommend two cases where the switch can be disabled:

1) **For a dedicated upgrade session.** When Tails needs to be upgraded, you can do so in a dedicated session with the switch disabled - this is required because the upgrade will need to be written to the Tails USB. As soon as you are done you should reboot Tails with the switch enabled.
2) **For occasional Persistent Storage configuration sessions, if you decide to use it.** [Persistent Storage](/posts/tails/#create-and-configure-persistence) is a Tails feature that allows data to persist between otherwise amnesiac sessions. Because it requires writing to the Tails USB to persist data, it is generally impractical to use along with a write-protect switch. However, disabling the switch for occasional Persistent Storage configuration sessions, for example to install additional software, might be acceptable. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting that it is installed every session. Then, in a 'locked' session you actually use Scribus - none of the files you work on will be saved to the Tails USB, because it is 'locked'. The Persistent Storage feature is not possible using the `toram` boot, or with a DVD.
2) **For occasional Persistent Storage configuration sessions, if you decide to use it.** [Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to persist between otherwise amnesiac sessions. Because it requires writing to the Tails USB to persist data, it is generally impractical to use along with a write-protect switch. However, disabling the switch for occasional Persistent Storage configuration sessions, for example to install additional software, might be acceptable. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting that it is installed every session. Then, in a 'locked' session you actually use Scribus - none of the files you work on will be saved to the Tails USB, because it is 'locked'. The Persistent Storage feature is not possible using the `toram` boot, or with a DVD.

Where can we store personal data for use between Tails sessions, if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This 'personal data' USB should not look identical to your Tails USB, to avoid confusing them. To make this separate USB, see [Creating and using LUKS encrypted volumes](https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html). If you happen to be reading this from a country like the UK where not providing encryption passwords can land you in jail, this second drive should be a HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not appropriate for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).
Where can we store personal data for use between Tails sessions, if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This 'personal data' USB should not look identical to your Tails USB, to avoid confusing them. To make this separate USB, see [How to create an encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb). If you happen to be reading this from a country like the UK where not providing encryption passwords can land you in jail, this second drive should be a HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not appropriate for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).



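Review bot: the LUKS instructions now point to `/posts/tails/#how-to-create-an-encrypted-usb` instead of the Tails documentation on encrypted volumes; make sure that section covers creating the volume with a LUKS passphrase in the Disks utility, because this sentence is the only pointer a reader gets before being told to keep all personal data on that USB. The generated anchor `#optional-create-and-configure-persistent-storage` embeds the word "Optional" and will break on the next heading wording change; a short explicit heading id (if the site generator supports them) or a redirect would be more robust.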
@ -154,7 +158,7 @@ Compartmentalization is an approach that cleanly separates different identities
Finally, a note on emails - if you already use Tails and encrypted email ([despite it not being particularly secure](/posts/e2ee/#pgp-email)), you may be used to the Thunderbird Persistent Storage feature, which allows storing Thunderbird email account details on a Tails USB, as well as the inbox and PGP keys. With a 'personal data' USB, Thunderbird won't automatically open your accounts anymore. For this, we recommend either:

- Re-creating Thunderbird email accounts in each session. PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the benefit that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
- Keeping Thunderbird data folder on the 'personal data' USB. After logging in to Thunderbird, use the Files browser (Applications ▸ Accessories ▸ Files) and enable the setting "Show hidden files". Navigate to Home, then copy the folder titled `.thunderbird` to your 'personal data' USB. In each future session, after unlocking the 'personal data' USB and before launching Thunderbird, copy the `.thunderbird/` folder into Home.
- Keeping Thunderbird data folder on the 'personal data' USB. After logging in to Thunderbird, use the Files browser (Applications → Accessories → Files) and enable the setting "Show hidden files". Navigate to Home, then copy the folder titled `.thunderbird` to your 'personal data' USB. In each future session, after unlocking the 'personal data' USB and before launching Thunderbird, copy the `.thunderbird/` folder into Home.

Another reason to not use Persistent Storage features is that many of them persist user data onto the Tails USB. If your Tails session is compromised, the data you access during it can be used to link your activities together. If there is user data on the Tails USB, like an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization, you would need a dedicated Tails USB for each identity, and updating them all every month is a lot of work.

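Review bot: switching `▸` to `→` matches the menu paths used elsewhere in the site (for example **Settings → Security → Auto reboot** in the GrapheneOS post in this commit). While here, the bullet refers to the same folder as `.thunderbird` and `.thunderbird/`; pick one form. It would also help to say "copy, not move" explicitly, so the master copy stays on the encrypted USB and the working copy in Home is the one that disappears with the amnesic session.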
@ -195,7 +199,7 @@ If you use Persistent Storage, that is another passphrase which will have to be
[LUKS](/glossary#luks) is great, but 'defense-in-depth' can't hurt. If police seize your USB in a house raid, they can try to unlock it with a [brute-force attack to guess the password](/glossary#brute-force-attack), so a second layer of defense with a different encryption implementation can make sense for highly sensitive data.


[Gocryptfs](https://nuetzlich.net/gocryptfs/) is an encrypted container program that is [available for Debian](https://packages.debian.org/bullseye/gocryptfs) and thus easy to install with Tails as [additional software](https://tails.boum.org/doc/first_steps/additional_software/index.en.html). If you don't want to have to reinstall it every session, Additional Software will need to be [configured in Persisent Storage](#using-a-write-protect-switch).
[Gocryptfs](https://nuetzlich.net/gocryptfs/) is an encrypted container program that is [available for Debian](https://packages.debian.org/bullseye/gocryptfs) and thus easy to install with Tails as [additional software](/posts/tails/#optional-create-and-configure-persistent-storage). If you don't want to have to reinstall it every session, Additional Software will need to be [configured in Persistent Storage](#using-a-write-protect-switch).

To use gocryptfs, you will need to use Terminal (the [command line](/glossary#command-line-interface-cli)).

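Review bot: the "additional software" link text now points at the Persistent Storage section of the Tails post rather than at documentation of the Additional Software feature it names; if that section is where Additional Software is explained, the link text should say so, otherwise keep the Tails documentation link (or an on-site page about Additional Software). The next sentence already carries the Persistent Storage pointer, so two adjacent links to persistence-related sections with different texts will confuse readers. The `Persisent` typo fix is correct. The `packages.debian.org/bullseye/` link pins a Debian release; it matches the Tails 5.x base but will need updating when Tails moves on.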
@ -211,13 +215,15 @@ The first time you use it, you create a gocryptfs filesystem;

You will be prompted for the password. Create a new entry in your KeepassXC file and create a password by using the Generate Password feature (the dice icon). Then copy the password, and paste it into the terminal (Edit → Paste, or Ctrl+Shift+V). It will output a master key—save this in the KeepassXC entry.

Every time you use the filesystem, mount it and enter the password:
Every time you use the filesystem, mount it like so:

`gocryptfs cipher plain`
`gocryptfs cipher/ plain/`

You will be prompted for the password. Note that the order matters - `cipher/` is the first argument and `plain/` is the second.

You can now add files to your mounted decrypted container in the folder 'plain'. When you unmount, the container will be encrypted. To do so:

`fusermount -u plain`
`fusermount -u plain/`

Now plain is just an empty folder again.

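Review bot: the added sentence about argument order is the useful part of this change. gocryptfs looks for `gocryptfs.conf` in its first argument, so `gocryptfs plain/ cipher/` does not silently mount anything wrong, it refuses to start because `plain/` holds no config; saying so reassures a reader who gets the order wrong. The trailing slashes on `cipher/` and `plain/` change nothing for gocryptfs or fusermount, they only make it visible that both arguments are directories, which is fine. One thing the context line about the master key should state explicitly: the master key printed at init unlocks the container on its own, independent of the password, so the KeepassXC entry holding it deserves the same care as the password itself.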
@ -235,7 +241,7 @@ For more information on either option, see [Encrypted Messaging For Anarchists](

We will end by thinking about how an adversary would go about their [remote attack](/glossary/#remote-attacks) targeting you or your project; the answer is very likely to be ['phishing'](/glossary/#phishing). *Phishing* is when an adversary crafts an email (or a text, a message in an app, etc.) in such a way to trick you into divulging information, gain access to your account, or introduce malware to you machine. [*Spear phishing*](/glossary/#spear-phishing) is when the adversary has done some reconnaissance, and uses information they already know about you to specially tailor their phishing attack.

You have probably already heard the advice to be skeptical of clicking links and opening attachments—this is why. To make matters more confusing, the "from" field in email can be forged to trick you—[PGP signing](/posts/e2ee/) mitigates against this to prove that the email actually comes from who you expect.
You have probably already heard the advice to be skeptical of clicking links and opening attachments—this is why. To make matters more confusing, the "from" field in email can be forged to trick you—[PGP signing](/posts/e2ee/#pgp-email) mitigates against this to prove that the email actually comes from who you expect.

Sometimes the goal of phishing is to deliver a ['payload'](https://docs.rapid7.com/metasploit/working-with-payloads), which will call back to the adversary—it is the [initial access](https://attack.mitre.org/tactics/TA0001/) foothold to infecting your machine with malware. A payload can be embedded in a file and executed when the file is opened. For a link, a payload can be delivered through malicious javascript in the website that will allow the payload to execute on your computer. Tor should protect your location (IP address), but the adversary now has an opportunity to further their attack; to [make the infection persist](https://attack.mitre.org/tactics/TA0003/), to [install a screen or key logger](https://attack.mitre.org/tactics/TA0009/), to [exfiltrate your data](https://attack.mitre.org/tactics/TA0010/), etc. The reason that Tails has no default Administration password (it must be set at the Welcome Screen for the session if needed) is to make the [privilege escalation](https://attack.mitre.org/tactics/TA0004/) more difficult, which would be necessary to slip around Tor.

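Review bot: pointing the PGP signing link at `/posts/e2ee/#pgp-email` rather than the post top is right and matches the anchor already used earlier in this file. Two wording fixes in the surrounding lines would be worth folding in: "introduce malware to you machine" should read "your machine", and "mitigates against this to prove" is redundant; "mitigates this by proving that the email actually comes from who you expect" reads better.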
@ -295,7 +301,7 @@ Further publications on possible deanonymization attacks (which do not explicitl
|
|||
|
||||
- "[Know Thy Quality: Assessment of Device Detection by WiFi Signals](http://sig-iss.work/percomworkshops2019/papers/p639-rutermann.pdf)"
|
||||
- "[Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information](https://www.cs.ucr.edu/~zhiyunq/pub/infocom18_wireless_fingerprinting.pdf)"
- "[Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field](http://www.uninformed.org/?v=5&a=1&t=pdf)
- "[Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field](http://www.uninformed.org/?v=5&a=1&t=pdf)"
- "[Device Fingerprinting in Wireless Networks: Challenges and Opportunities](https://arxiv.org/pdf/1501.01367v1.pdf)"
## Probe Request Fingerprinting
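Review bot: restoring the missing closing quote on the "Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field" entry is correct and now matches the quoting of the other list items; while touching this list, note that two entries (sig-iss.work and uninformed.org) are plain-http links, so check whether https versions of those PDFs exist before pointing readers at them.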
@ -10,6 +10,8 @@ tags = ["intro", "linux", "tails", "easy"]
blogimage="/images/tails1.png"
toc=true
dateedit=2023-05-10
a4="tails-a4.pdf"
letter="tails-letter.pdf"
+++
Tails is an [operating system](/glossary/#operating-system-os) that makes anonymous computer use accessible to anyone. Tails is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, unless you explicitly ask it to. It achieves this by running from a DVD or USB independent of the computer’s installed operating system. Tails comes with [several built-in applications](https://tails.boum.org/doc/about/features/index.en.html) pre-configured with security in mind, and all anarchists should know how to use it for secure communication, research, editing, and the publication of sensitive documents.
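Review bot: `a4` and `letter` are bare filenames with no path, so where they resolve depends entirely on the PDF macro that consumes them; keep the values lowercase (as done here, since the macro lowercases them) and make sure the generated PDFs are served alongside the post rather than only existing in a local build directory. It would also help to document these two front-matter keys somewhere so future posts do not omit them.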
@ -54,7 +56,7 @@ Tails allows non-experts to benefit from digital security and anonymity without
This tutorial is in several sections. The first is about the basics for starting to use Tails. The second section contains tips on using software included in Tails, as well as what you need to know about how Tor works. The third section is about troubleshooting any issues that you might encounter with your Tails USB to avoid giving up at the first problem - most of the time the solution is simple!
## The concept of a threat model.
## The concept of a threat model
Tails is not magic and has plenty of limitations. The Internet and computers are hostile territory and are based on stealing your data. Tails does not protect you from human error, compromised hardware, compromised firmware, being hacked, or certain other types of attacks. There is no absolutely perfect security on the Internet, hence the interest in being able to make a [threat model](/glossary/#threat-model).
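Review bot: dropping the trailing period from the "## The concept of a threat model" heading is the right fix, but since Zola derives heading ids from the heading text, check that no other page or table of contents links to this section by its old anchor; slugification normally strips the period so the id should be unchanged, but verify the rendered id before relying on that.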
@ -204,7 +206,7 @@ Every time you start Tails, the Tails Upgrader checks if you are using the lates
Internet traffic, including the IP address of the final destination, is encrypted in different layers like an onion. With each hop along the three relays, an encryption layer is removed. Each relay only knows the step before it, and after it (relay #3 knows that it comes from relay #2 and that it goes to such and such a website after, but does not know relay #1).


This means that any intermediaries between you and relay #1 know you're using Tor but they don't know what site you're going to. Any intermediaries after relay #3 know that someone in the world is going to this site. The web server of the site sees you coming from the IP address of relay #3.
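Review bot: the removed and added lines both render here only as the alt text ``, so the actual change (presumably the image path) is not visible in this view; confirm the referenced image file is included in the commit and that the path resolves on the built site. A more descriptive alt text than "Tor" (for example, one that says the figure shows the three-relay circuit described in the paragraph above it) would also help screen-reader users.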
@ -10,6 +10,8 @@ tags = ["opsec", "easy"]
blogimage="/images/X230.jpg"
toc=true
dateedit=2023-05-10
a4="tamper-a4.pdf"
letter="tamper-letter.pdf"
+++
If police can ever have [physical access](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/physical-access.html) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it on the hardware, firmware, or software level. One way to minimize this risk is to make it tamper-evident. As the CSRC Threat Library [notes](https://www.csrc.link/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) - it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to be able to detect when they do."
@ -1,7 +1,7 @@
,-\__
|f-"Y\ -------------------
\()7L/ < >
\()7L/ < Be gay, do crime! >
cgD ------------------- __ _
|\( \ .' Y '>,
\ \ \ / _ _ \
BIN
static/images/gay.png
Normal file
Binary file not shown.
After: Size 44 KiB
@ -123,7 +123,7 @@
<footer class="footer py-4">
<div class="content has-text-centered has-text-link-light">
<p>
<a href="https://0xacab.org/anarsec/anarsec.guide/-/blob/no-masters/CHANGELOG.md">Changelog </a>
<a href="http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/anarsec/anarsec.guide/-/blob/no-masters/CHANGELOG.md">Changelog </a>
<a href="/atom.xml" target="_blank">
<span class="icon is-large" title="RSS Feed">
<i class="fas fa-rss fa-lg"></i>
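Review bot: swapping the https changelog link for the .onion address makes the footer link a dead link for anyone reading the clearnet site without Tor; keep the clearnet link and add the onion one beside it (or pick the URL based on which host the page is served from) rather than replacing it outright. Also trim the trailing space inside the anchor text `Changelog `.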
@ -58,7 +58,7 @@
</span>
<span>Published on </span>
<span><time datetime="{{ page.date }}">{{ page.date | date(format='%B %d, %Y') }}</time></span>
<span> | Last edited on <time datetime="{{ page.extra.dateedit }}">{{ page.extra.dateedit | date(format='%B %d, %Y') }}</time></span>
<span> | <a href="http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/anarsec/anarsec.guide/-/blob/no-masters/CHANGELOG.md">Last edited on <time datetime="{{ page.extra.dateedit }}">{{ page.extra.dateedit | date(format='%B %d, %Y') }}</time></a></span>
</span>
{% endmacro %}
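Review bot: same concern as in the footer: wrapping "Last edited on" in an .onion-only link gives clearnet readers a link that cannot load, and the long onion URL is now hard-coded in two separate templates, so the two copies can drift. Move the changelog URL into `config.toml` (for example under `[extra]`) and reference it from both macros, and keep a clearnet fallback for non-Tor visitors.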
@ -76,7 +76,7 @@
<span class="icon">
<i class="far fa-file-pdf"></i>
</span>
<span>PDF: Letter | A4 </span>
<span>PDF: <a href="/posts/{{page.slug | lower}}/{{page.extra.letter | lower}}">Letter</a> | <a href="/posts/{{page.slug | lower}}/{{page.extra.a4 | lower}}">A4</a> </span>
</span>
{% endmacro %}
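Review bot: `page.extra.letter` and `page.extra.a4` are dereferenced unconditionally in the new `<span>`, so any post that lacks those front-matter keys will fail to render because Tera errors on an undefined variable inside an expression; guard the span with `{% if page.extra.a4 and page.extra.letter %}` (or give each value a `| default(value="")` and hide the links when empty). Note also that `/posts/{{page.slug | lower}}/...` assumes the PDFs are served under the post's own URL, so the files must be colocated with the post and their names must match the lowercased front-matter values exactly.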