From 0dc607247e867b444ea0e26a7f546f5572370a16 Mon Sep 17 00:00:00 2001
From: anarsec
Date: Sat, 8 Jul 2023 17:35:15 +0000
Subject: [PATCH] qubes update, pdf macro, last edited macro
---
 content/glossary/_index.md | 2 +-
 content/posts/_index.md | 1 -
 content/posts/e2ee/index.md | 1 +
 content/posts/grapheneos/index.md | 4 ++--
 content/posts/linux/index.md | 1 +
 content/posts/metadata/index.md | 1 +
 content/posts/nophones/index.md | 1 +
 content/posts/qubes/index.md | 13 +++++++++----
 content/posts/tails-best/index.md | 1 +
 content/posts/tails/index.md | 3 ++-
 content/posts/tamper/index.md | 1 +
 themes/DeepThought/templates/macros.html | 21 ++++++++++++---------
 themes/DeepThought/templates/page.html | 3 +++
 themes/DeepThought/templates/section.html | 3 +++
 14 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/content/glossary/_index.md b/content/glossary/_index.md
index f825733..51393e6 100644
--- a/content/glossary/_index.md
+++ b/content/glossary/_index.md
@@ -127,7 +127,7 @@ For more info, check out [Defend Dissent: Passwords](https://open.oregonstate.ed
 ### Phishing
-Phishing is a [social engineering](/glossary/#social-engineering) technique. Attackers send SMS messages, emails, chat messages, etc., to their victims in order to get their personal data. After that, attackers can try to impersonate their victims. It can also be used to make the victim download [malware](#malware) onto a system, which can be used as a starting point for hacking it. [Spear phishing](/glossary/#spear-phishing) is a more sophisticated phishing technique.
+Phishing is a [social engineering](/glossary/#social-engineering) technique. Attackers send SMS messages, emails, chat messages, etc., to their victims in order to get their personal data. After that, attackers can try to impersonate their victims. It can also be used to make the victim download [malware](#malware) onto a system, which can be used as a starting point for hacking it. [Spear phishing](/glossary/#spear-phishing) is a more sophisticated phishing technique. For more info, see the [Kicksecure documentation](https://www.kicksecure.com/wiki/Social_Engineering).
 ### Physical attacks
diff --git a/content/posts/_index.md b/content/posts/_index.md
index 1068a5c..e1b8bd0 100644
--- a/content/posts/_index.md
+++ b/content/posts/_index.md
@@ -2,5 +2,4 @@
 title = "Guides"
 sort_by = "date"
 paginate_by = 10
-description = 'All guides are maintained.'
 +++
diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md
index f3380e3..3a8cc5a 100644
--- a/content/posts/e2ee/index.md
+++ b/content/posts/e2ee/index.md
@@ -9,6 +9,7 @@ tags = ["intro", "e2ee", "easy"]
 [extra]
 blogimage="/images/BASE_2.png"
 toc=true
+dateedit=2023-05-10
 +++
 Several different options are available for [end-to-end encrypted](/glossary/#end-to-end-encryption-e2ee) communications, with different trade-offs. This article will present an overview, as well as installation instructions for Tails, Qubes OS, and GrapheneOS.
diff --git a/content/posts/grapheneos/index.md b/content/posts/grapheneos/index.md
index f0c2c31..9935dae 100644
--- a/content/posts/grapheneos/index.md
+++ b/content/posts/grapheneos/index.md
@@ -9,6 +9,7 @@ tags = ["intro", "mobile", "easy"]
 [extra]
 toc = true
 blogimage="/images/graphene.avif"
+dateedit=2023-05-10
 +++
 [Anarchists shouldn't have phones](/posts/nophones/). If you absolutely must use a phone, it should be as difficult as possible for an adversary to geotrack, intercept messages, or hack. This means using GrapheneOS.
@@ -109,11 +110,10 @@ Now we will delegate apps to their needed profiles:
 * To install Riseup VPN (or any other app) in the Default user profile: **Settings → System → Multiple users → Default → Install available apps**, then select Riseup VPN.
 #### Software That Isn't On the Play Store
-Some apps aren't on the Play Store, either because they are in development or they don't want users to have to interact with Google. The Play Store can be used to update apps, but when you download individual .apk files you will need to remember to update them yourself (there are exceptions, for example Signal is designed to self-update). [Obtainium](https://github.com/ImranR98/Obtainium) is an app to keep track of what apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't on the Play Store, install Obtainium into the Owner user profile. Use the same process of installing .apk files into the Owner user profile, disabling them, and delegating apps to their needed profiles.
+Some apps aren't on the Play Store, either because they are in development or they don't want users to have to interact with Google. The Play Store can be used to update apps, but when you download individual .apk files you will need to remember to update them yourself (there are exceptions, for example Signal is designed to self-update). [Obtainium](https://github.com/ImranR98/Obtainium) is an app to keep track of what apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't on the Play Store, install Obtainium into the Owner user profile (and don't disable it).
Use the same process of installing apps into the Owner user profile but through Obtainium, then disabling them and delegating them to their needed profiles. Unfortunately, apps acquired through Obtainium require manual updates - it will notify you when one is needed. As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal with [no Google software](https://github.com/mollyim/mollyim-android#free-and-open-source), and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium press **Add App**, then copy the Github Releases URL. Obtanium can install the app, and when there is a new version you will get a system notification and an update icon will be present beside it, at which point you must manually update it. - Cwtch is not yet present on the Google Play Store, and can be added to Obtainium by entering the [Download page URL](https://cwtch.im/download/).
 #### Software That Requires Google Play Services
diff --git a/content/posts/linux/index.md b/content/posts/linux/index.md
index 9deaf98..0c222a8 100644
--- a/content/posts/linux/index.md
+++ b/content/posts/linux/index.md
@@ -10,6 +10,7 @@ tags = ["intro", "linux", "tails", "qubes", "easy"]
 [extra]
 blogimage="/gifs/destroy.gif"
 toc=true
+dateedit=2023-05-10
 +++
 As an anarchist, you've probably heard the recommendation to use a Linux computer. This article is intended to get you up to speed by giving a brief overview of what you need to know.
diff --git a/content/posts/metadata/index.md b/content/posts/metadata/index.md
index e39b868..98c96c9 100644
--- a/content/posts/metadata/index.md
+++ b/content/posts/metadata/index.md
@@ -9,6 +9,7 @@ tags = ["metadata", "tails", "qubes", "easy"]
 [extra]
 blogimage="/images/app.png"
 toc=true
+dateedit=2023-05-10
 +++
diff --git a/content/posts/nophones/index.md b/content/posts/nophones/index.md
index 66b4aa2..9f1844c 100644
--- a/content/posts/nophones/index.md
+++ b/content/posts/nophones/index.md
@@ -9,6 +9,7 @@ tags = ["mobile"]
 [extra]
 blogimage="/images/prison.jpg"
 toc=true
+dateedit=2023-05-10
 +++
 With effective [security culture and OPSEC](https://www.csrc.link/read/csrc-bulletin-1-en.html#header-a-base-to-stand-on-distinguishing-opsec-and-security-culture), the forces of repression wouldn't know about our specific criminal activities, but they also wouldn't know about our lives, [relationships](https://www.csrc.link/threat-library/techniques/network-mapping.html), movement patterns, etc. This knowledge is a huge asset to help them narrow down suspects and execute targeted surveillance. The location of your phone is [tracked at all times](https://www.vice.com/en/article/m7vqkv/how-fbi-gets-phone-data-att-tmobile-verizon), and this data is harvested by private companies, enabling police to bypass laws requiring them to obtain a warrant. [Hardware identifiers and the subscription information](https://anonymousplanet.org/guide.html#your-imei-and-imsi-and-by-extension-your-phone-number) of the phone are logged by cell towers with every connection. Hacking services like [Pegasus](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) bring total phone compromise within the reach of even local law enforcement agencies, and are 'zero-click', meaning that success doesn't rely on you clicking a link or opening a file.
diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md
index 7a8cfbf..48e9354 100644
--- a/content/posts/qubes/index.md
+++ b/content/posts/qubes/index.md
@@ -9,6 +9,7 @@ tags = ["intro", "linux", "windows", "qubes", "intermediate"]
 [extra]
 blogimage="/images/qubes-os.png"
 toc=true
+dateedit=2023-05-10
 +++
 Qubes OS is a security-oriented [operating system](/glossary#operating-system-os) (OS), meaning it is an operating system designed from the ground up to be more difficult to hack. This is achieved through [compartmentalization](https://www.qubes-os.org/faq/#how-does-qubes-os-provide-security), where each compartment is called a "qube" (using "virtual machines" — more on that below). All other Linux systems like [Tails](/tags/tails/) are *monolithic*, which means that if a hack succeeds anywhere on the system it can take over more easily. In Qubes OS, if one qube is compromised, the others remain safe. You can think of using Qubes OS as like having many different computers on your desk for different activities but with the convenience of a single physical machine, a single unified desktop environment, and a set of tools for using a number of different qubes together securely as parts of a unified system.
@@ -26,7 +27,7 @@ Qubes OS is not quite another version of Linux. Rather, it is based on many "[vi
 What is a virtual machine? [Virtualization](/glossary/#virtualization) is the process of running a virtual computer *inside* your computer. The virtual machine thinks it's a computer running on real hardware, but really it's running on abstracted hardware (software imitating hardware). Qubes OS uses a special program called a hypervisor to manage and run many of these virtual machines at once, on the same physical computer. To simplify things, virtual machines are referred to as qubes. Different operating systems like Debian, Whonix, Fedora, Windows, etc. can all run together simultaneously. The hypervisor strongly isolates each of the qubes from one another.
-![desktop](r4.0-xfce.png)
+![](r4.0-xfce.png)
 At the risk of overwhelming you, here is an overview of how Qubes OS is structured. You don't need to memorize any of this to actually use Qubes OS, it can just be helpful to understand the outline of the system before getting started. Each rectangle represents a qube (that is, a virtual machine). Let's break it down.
@@ -226,7 +227,7 @@ If your file is opening in a different application than what you require, you'l
 6. Delete the file from the disposable Template (don't forget to empty the trash).
 7. Shut down the disposable Template for the change to take effect.
-For PDF files, right-clicking will also give the option **Convert To Trusted PDF**. This will sanitize the PDF file so that it can go from being untrusted to trusted. This is achieved by it being converted into images in a disposable, and cleaning the metadata.
+For PDF files, right-clicking will also give the option **Convert To Trusted PDF**, and image files will give the option **Convert To Trusted Img**. This will sanitize the file so that it can go from being untrusted to trusted. This is achieved by it being converted into images in a disposable, and cleaning the metadata.
 Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to set the default of only opening PDF files in a disposable, right-click a PDF and select **Open With Other Application → qvm-open-in-dvm**.
@@ -248,7 +249,9 @@ To learn how to attach devices, we will format the empty USB or hard drive you w
 4. Before removing the USB drive, first eject it using the Qubes Devices widget, which ejects it from the qube. Then go to **Applications menu → sys-usb → Files**, and select "Safely Remove Drive" to eject it from the computer.
-There are command line instructions for using an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice). Webcams and microphones are considered devices, and must be attached to an App qube in order to use them.
+Webcams and microphones are considered devices, and must be attached to an App qube in order to use them.
+
+There are command line instructions for setting up an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice) - we recommend to configure a confirmation prompt. It is also recommended to enable a USB keyboard [on a dedicated USB controller](https://www.qubes-os.org/doc/usb-qubes/#qubes-41-how-to-enable-a-usb-keyboard-on-a-separate-usb-controller) to compartmentalize the use of peripherals.
 You don't always need to attach a USB drive to another qube with the Qubes Devices widget - it will also be accessible from sys-usb directly, through the File Manager. You can [copy specific files](#how-to-copy-and-move-files) between the USB and another App qube without needing to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb - since it's disposable, it does the job of sanitizing for another device.
@@ -348,7 +351,9 @@ Qubes OS also applies proper software mitigation to this class of attacks at the
 #### OPSEC for Memory Use
 To address "future not-yet-identified vulnerabilities of this kind" on older hardware that is no longer receiving microcode updates, the OPSEC suggestion is to limit the presence of secrets in memory that could result in leaks. Every qube that is running is using memory, and a compromised qube could use such vulnerabilities to read and exfiltrate the memory being used by other qubes. Disposables will be reset after being shutdown, so we can assume that their compromise would likely be transient. Perform sensitive operations in qubes with no networking, and shutdown secure qubes when not in use. Pay attention to which qubes are running simultaneously:
-* [vault qube](#how-to-organize-your-qubes): Do not run with an unlocked KeePassXC database at the same time as a highly-untrusted qube.
+* [vault qube](#how-to-organize-your-qubes):
+ * Do not run an unlocked KeePassXC database at the same time as a highly-untrusted qube.
+ * Rather than having only one vault qube which stores all files (as described above), you can compartmentalize by having different vault qubes dedicated to specific activities (i.e. `vault-personal`, `vault-project1`, etc.). This means that if a networked qube is compromised while working on project1, [intentional sniffing](https://www.qubes-os.org/doc/data-leaks/) will not have potential access to all files, but only to those files that are compartmentalized for project1.
 * sys-usb: Disposable. Only run when needed, and shutdown when finished.
 * sys-net: Disposable. Only run when needed, and shutdown when finished. Shutdown when performing sensitive operations in other qubes, as far as possible. Restart before activities which require sys-net (i.e. email, ssh sessions, etc.).
diff --git a/content/posts/tails-best/index.md b/content/posts/tails-best/index.md
index 74c4c73..f9c1418 100644
--- a/content/posts/tails-best/index.md
+++ b/content/posts/tails-best/index.md
@@ -9,6 +9,7 @@ tags = ["linux", "tails", "easy"]
 [extra]
 blogimage="/images/tails1.png"
 toc=true
+dateedit=2023-05-10
 +++
 As mentioned in our [recommendations](/recommendations/#computers-sensitive), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that needs to have no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive, and is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to working with Tails, start with [Tails for Anarchists](/posts/tails-tutorial/).
diff --git a/content/posts/tails/index.md b/content/posts/tails/index.md
index 750d8f6..3bd928e 100644
--- a/content/posts/tails/index.md
+++ b/content/posts/tails/index.md
@@ -9,6 +9,7 @@ tags = ["intro", "linux", "tails", "easy"]
 [extra]
 blogimage="/images/tails1.png"
 toc=true
+dateedit=2023-05-10
 +++
 Tails is an [operating system](/glossary/#operating-system-os) that makes anonymous computer use accessible to anyone. Tails is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, unless you explicitly ask it to. It achieves this by running from a DVD or USB independent of the computer’s installed operating system. Tails comes with [several built-in applications](https://tails.boum.org/doc/about/features/index.en.html) pre-configured with security in mind, and all anarchists should know how to use it for secure communication, research, editing, and the publication of sensitive documents.
@@ -206,7 +207,7 @@ If there is a yellow warning on the padlock, it means that, in the page you're b
 ![http](http.png)
-HTTPS is essential both to limit your web fingerprint, but also to prevent an intermediary from modifying the data you exchange with websites. If the intermediary cannot decrypt the data, they cannot modify it.
+HTTPS is essential both to limit your web fingerprint, but also to prevent an intermediary from modifying the data you exchange with websites. If the intermediary cannot decrypt the data, they cannot modify it. For an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties, see the EFF's [interactive illustration](https://www.eff.org/pages/tor-and-https).
 In short, don't visit websites that don't use HTTPS.
diff --git a/content/posts/tamper/index.md b/content/posts/tamper/index.md
index 235e3fa..1236f09 100644
--- a/content/posts/tamper/index.md
+++ b/content/posts/tamper/index.md
@@ -9,6 +9,7 @@ tags = ["opsec", "easy"]
 [extra]
 blogimage="/images/X230.jpg"
 toc=true
+dateedit=2023-05-10
 +++
 If police can ever have [physical access](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/physical-access.html) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it on the hardware, firmware, or software level. One way to minimize this risk is to make it tamper-evident. As the CSRC Threat Library [notes](https://www.csrc.link/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) - it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to be able to detect when they do."
diff --git a/themes/DeepThought/templates/macros.html b/themes/DeepThought/templates/macros.html
index 5c92797..e33642f 100644
--- a/themes/DeepThought/templates/macros.html
+++ b/themes/DeepThought/templates/macros.html
@@ -53,14 +53,12 @@ {% macro page_publish_metadata(page) %} - - - - {{ config.extra.author.name }} published on + Published on  +  | Last edited on  {% endmacro %}
@@ -69,14 +67,19 @@ - {{ page.reading_time }} min, - - - - {{ page.word_count }} words + {{ page.reading_time }} min {% endmacro %}
+{% macro page_content_pdfs(page) %} + + + + + PDF: Letter | A4 + +
+{% endmacro %}
 {% macro render_categories(categories) %}
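Review bot: The rewritten `page_publish_metadata` macro (hunk -53,14 +53,12 of macros.html) emits ` | Last edited on ` for every page, yet only the nine posts in this patch gain a `dateedit` key under `[extra]`; content/glossary/_index.md and content/posts/_index.md, which are also touched here, do not set it. The element tags and the value expression were stripped from this copy of the patch, so this is inferred, but if the macro reads `page.extra.dateedit`, any page without that key will either render a dangling "Last edited on" label or fail to render, depending on how Tera treats the missing key. Guard the separator and the value together with `{% if page.extra.dateedit %} … {% endif %}` so the label only appears when a date exists, and a short comment inside the macro stating that `dateedit` is optional front-matter would tell the next author why the guard is there.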

Categories:
diff --git a/themes/DeepThought/templates/page.html b/themes/DeepThought/templates/page.html
index dc01689..785243e 100644
--- a/themes/DeepThought/templates/page.html
+++ b/themes/DeepThought/templates/page.html
@@ -27,6 +27,9 @@

{{ macros::page_content_metadata(page=page) }}
+
+ {{ macros::page_content_pdfs(page=page) }}
+
{% if page.taxonomies.categories %}
{{ macros::render_categories(categories=page.taxonomies.categories) }}
diff --git a/themes/DeepThought/templates/section.html b/themes/DeepThought/templates/section.html
index 1e4c353..1434a75 100644
--- a/themes/DeepThought/templates/section.html
+++ b/themes/DeepThought/templates/section.html
@@ -45,6 +45,9 @@
{{ macros::page_content_metadata(page=page) }}
+
+ {{ macros::page_content_pdfs(page=page) }}
+
{{ page.summary | safe }}