From 11986c34cb00de265cf52868c71c2b3d637c42dc Mon Sep 17 00:00:00 2001 From: anarsec Date: Sat, 8 Jul 2023 20:49:47 +0000 Subject: [PATCH] more md formatting --- content/glossary/_index.md | 5 ++ content/posts/e2ee/index.md | 142 +++++++++++++++++++++--------- content/posts/grapheneos/index.md | 28 ++++-- content/posts/linux/index.md | 13 ++- content/posts/metadata/index.md | 3 + content/posts/nophones/index.md | 6 ++ content/posts/qubes/index.md | 26 +++++- content/posts/tails-best/index.md | 37 +++++--- content/posts/tails/index.md | 40 +++++---- content/posts/tamper/index.md | 25 +++++- 10 files changed, 237 insertions(+), 88 deletions(-) diff --git a/content/glossary/_index.md b/content/glossary/_index.md index 51393e6..ef6a55c 100644 --- a/content/glossary/_index.md +++ b/content/glossary/_index.md 
@@ -20,9 +20,11 @@ A backdoor in software or hardware allows an unauthorized party to bypass access An attacker who “simply” tries every possible key to access a service or decrypt a file uses “brute force.” This process is called a brute-force attack. More efficient computers make brute-force attacks more feasible. Modern cryptographic protocols are designed to force an adversary (not in possession of the cryptographic key) to spend (close to) as much time as it would take to try every possible key to break the code. The parameters of a good protocol are chosen so that this amount of time is impractical. ### Checksums / Fingerprints + Checksums are digital fingerprints: small-sized blocks of data derived from another block of digital data for the purpose of detecting any changes that may have been introduced. For example, when you download an operating system .iso file, a checksum will be listed that looks like: `sha512: 9f923361887ac4b1455bc5ae51c06f2457c6d(continued...)`. You can use [hash functions](https://open.oregonstate.education/defenddissent/chapter/cryptographic-hash/) like sha512 to create fingerprints. Essentially, this mathematical operation converts the 0s and 1s of the file into a unique "fingerprint". If a single 1 or 0 is changed, a completely different fingerprint will result, and it is often important to know whether a file has changed, such as when downloading the image file for an operating system. Fingerprints are often used in cryptography (e.g., in certificates or to verify [public keys](#public-key-cryptography) in general). [GtkHash](https://tails.boum.org/doc/encryption_and_privacy/checksums/index.en.html) is a program that allows you to calculate checksums without needing to use a command line interface. 
### Command Line Interface (CLI) + The 'command line' is an all-text alternative to using the graphical 'point and click' tool that most of us are more familiar with; the Command Line Interface (CLI) allows us to do some things that a Graphical User Interface (GUI) does not. Oftentimes, either a GUI or CLI would work and which you use is a matter of preference. For example, in [Tails](#tails), you can verify the [checksum](/glossary/#checksums-fingerprints) of a file with a GUI (the GtkHash program) or a CLI command (`sha256sum`). [Tech Learning Collective's "Foundations: Command Line Basics" course](https://techlearningcollective.com/foundations/#foundations-command-line-basics) is our recommended introduction to CLI/terminal use. 
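Review bot: the Checksums entry and the Command Line entry that follows it use different hashes for what is presented as the same Tails verification (`sha512:` in the fingerprint sample, `sha256sum` in the CLI sentence); pick one so the reader sees the GUI and CLI steps checking the same value, either `sha256sum` beside a `sha256:` sample or `sha512sum` beside the existing `sha512:` line. Also, "a unique fingerprint" claims more than a hash gives: collisions exist in principle and are merely computationally infeasible to find for SHA-256/SHA-512, so "practically unique" is the accurate wording, and it is the property the brute-force paragraph above already frames in terms of cost.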
@@ -32,9 +34,11 @@ The 'command line' is an all-text alternative to using the graphical 'point and CVE stands for “Common Vulnerabilities and Exposures”. It is a globally unique identifier for [security vulnerabilities](#vulnerability) in software. Identifiers look like “CVE-YEAR-NUMBER.” The year included in the identifier is the year when the CVE ID was assigned, not the year when the vulnerability became publicly known. ### DDoS Attack + A DDoS attack (Distributed Denial of Service attack) tries to overload or crash services on the targeted system by sending a large number of requests from numerous sources. The goal of DDoS attacks is to affect the availability of a service or system, e.g., making a web server unreachable for web browsers. ### Digital Signatures + Digital signatures are based on [public-key cryptography](#public-key-cryptography). A private key is used to digitally sign data, while the corresponding public key is used by third parties to validate the signature. Before a public key is used to verify a signature, its authenticity should be verified. To learn more, [check out this video](https://invidious.sethforprivacy.com/watch?v=s22eJ1eVLTU&listen=false). For a more detailed look, see [Defend Dissent: Authenticity through Cryptographic Signing](https://open.oregonstate.education/defenddissent/chapter/cryptographic-signing/) or our [GPG explanation](/posts/linux/#gpg-explanation). 
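Review bot: in the Digital Signatures entry the "check out this video" link targets a third-party Invidious instance (invidious.sethforprivacy.com); such instances get renamed or go offline, so link the video in a form that works on any frontend or add an archived copy beside it. The entry's key sentence, that a public key's authenticity must be verified before its signatures are trusted, would be stronger with one clause on how that is done (fingerprint compared out of band), since the GPG explanation it defers to lives on another page.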
@@ -186,6 +190,7 @@ Symmetric cryptography is the opposite of [public-key cryptography](/glossary/#p Both parties need to be online simultaneously, in contrast to [asynchronous communication](#asynchronous-communication). This does not require any servers specific to the communication and is often referred to as "peer to peer". ### Tails + Tails is an operating system that makes secure and anonymous computer use accessible to anyone. Tails runs from a USB drive, and is designed to leave no trace of your activity on your computer, unless you explicitly ask it to. Tails relies on the [Tor anonymity network](/glossary/#tor-network) to protect your privacy online; all software is configured to connect to the Internet through Tor. If an application tries to connect to the Internet directly, the connection is automatically blocked for security. diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md index 058a80a..8504400 100644 --- a/content/posts/e2ee/index.md +++ b/content/posts/e2ee/index.md 
@@ -51,48 +51,59 @@ Any Cwtch user can turn the app on their phone or computer into an untrusted ser >[**Briar**](https://briarproject.org) is another application which works in a similar way (with peer-to-peer and Tor), and uses the [Bramble Transport Protocol](https://code.briarproject.org/briar/briar/-/wikis/A-Quick-Overview-of-the-Protocol-Stack) (BTP). The main distinguishing feature of Briar is that it continues to function [even when underlying network infrastructure is down](https://briarproject.org/how-it-works/). It was [audited in 2017](https://code.briarproject.org/briar/briar/-/wikis/FAQ#has-briar-been-independently-audited). Unfortunately, Briar Desktop does not yet work with Tails or Qubes-Whonix, because it cannot [use the system Tor](https://code.briarproject.org/briar/briar/-/issues/2095). Unlike Cwtch, to connect with a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. [Briar Mailbox](https://briarproject.org/download-briar-mailbox/) enables asynchronous communication.
-Cwtch Installation on GrapheneOS + + +**Cwtch Installation on GrapheneOS** + +
-

If you have decided to use a smartphone despite our recommendation to not use phones, Cwtch is available for Android. Follow the instructions for installing software that isn't on the Play Store. Updates must be made manually - back up your profile first.

+ +If you have decided to use a smartphone despite our [recommendation to not use phones](/posts/nophones/), Cwtch is available for Android. Follow the instructions for [installing software that isn't on the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). Updates must be made manually - back up your profile first. +
-Cwtch Installation on Tails + + +**Cwtch Installation on Tails** + +
-

Cwtch is still beta - support for Tails is very new and not yet thoroughly tested.

-
-Cwtch Installation on Qubes-Whonix + + +**Cwtch Installation on Qubes-Whonix** + + +
+ +Cwtch on Whonix currently has an [issue](https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/550) - support is forthcoming. +
-

Cwtch on Whonix currently has an issue - support is forthcoming.

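Review bot: in the Cwtch section two unlinked paragraphs still appear without a `-` marker (the GrapheneOS paragraph beginning "If you have decided to use a smartphone despite our recommendation" and the Qubes-Whonix line "Cwtch on Whonix currently has an issue - support is forthcoming.") while their linked replacements are added with `+`; confirm both old versions are deleted in this hunk, otherwise the rendered page carries each paragraph twice, once with links and once without. The Tails block is the only one that gains no reference: "support for Tails is very new and not yet thoroughly tested" deserves the same treatment as the Whonix line, pointing at the issue or release note it rests on.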
![](onionshare.png) @@ -132,25 +143,44 @@ As a result, Signal is rarely used anonymously which has a significant impact if Due to the near impossibility of using Signal anonymously as well as our [recommendation to not use phones](/posts/nophones/), we don't currently recommend anarchists use Signal. We nonetheless provide installation instructions because it has become the norm in the anarchist space in many countries, and it might be hard to get in touch with somebody without it.
-Signal Installation on GrapheneOS -
+ + +**Signal Installation on GrapheneOS** + + +
If you have decided to use a smartphone [despite our recommendation to not use phones](/posts/nophones/), we recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are comfortable with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal must be registered on a smartphone before being linked to a computer. Install Signal like you would for any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). [Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android - we recommend it over Signal for anarchists, and extending trust to the Molly team is facilitated by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't on the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption. -
-Signal Installation on Tails +
+
+ + +**Signal Installation on Tails** + + +
+ About.Privacy [maintains a guide](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo) for installing Signal Desktop on Tails. There is a guide for registering an account from Tails without a smartphone (using Signal-cli), and another guide for if you already have a Signal account. Some of [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) also applies to Signal Desktop. -
-Signal Installation on Qubes-Whonix +
+ +
+ + +**Signal Installation on Qubes-Whonix** + + +
+ Signal Desktop on Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Signal Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository). * Go to **Applications menu → Qubes Tools → Qube Manager** @@ -173,6 +203,9 @@ https_proxy = 127.0.0.1:8082 > >You can install Signal Desktop in a Whonix Workstation App qube by using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/), and you will not need to bother with Templates. Signal Desktop on Flathub is [community maintained](https://github.com/flathub/org.signal.Signal), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security). +
+
+

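Review bot: the Qubes-Whonix steps say Signal Desktop goes in a dedicated qube and then say it is installed in a Template because it ships as a .deb from a third-party repository; those statements need reconciling, because a third-party apt repository added to the shared Whonix Workstation Template is present in, and trusted by, every App qube built from that Template, not only the Signal qube. Say explicitly that the Template is a clone made for this purpose (the Qube Manager step and the `https_proxy = 127.0.0.1:8082` setting then apply to that clone) and that the dedicated qube is an App qube based on it. Separately, the GrapheneOS paragraph ends with the bare instruction "Turn on database encryption." right after recommending Molly-FOSS over Signal; say that this is a Molly setting and where it is found, since a reader who installed stock Signal will look for it in vain.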
@@ -203,7 +236,7 @@ As soon as you have logged in, go to **Setting → Security & Privacy**. * For Element Desktop, you will only need to use the Security Key if you sign out. * For Element Web (using Tor Browser), you will need the Security Key every time you use it. Tor Browser clears your cookies, so you will need to sign in to a new session. -Some current limitations: +## Some current limitations * "Disappearing messages" is not yet a feature, but it is forthcoming. Message retention time can be set by the homeserver administrator, as mentioned above, and it is indeed set on both of our recommended homeservers. * One to one audio/video calls [are encrypted](https://matrix.org/faq/#are-voip-calls-encrypted%3F) and you can use them. Group audio/video calls are not encrypted, so don't use them. This will be resolved when [Element-call](https://github.com/vector-im/element-call) is stable. @@ -215,23 +248,41 @@ Some current limitations: >You may have heard of **XMPP** (formerly called Jabber). XMPP has similar security properties to Matrix, but many clients don't support end-to-end encryption (via the OMEMO protocol) by default. Configuring a client properly is non-trivial. XMPP and Matrix leak similar amounts of metadata, but OMEMO has never been formally audited like the Matrix encryption protocol. Additionally, the administrator is able to act as a [man-in-the-middle](/glossary#man-in-the-middle-attack) on [any XMPP server](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/). For these reasons, we recommend using Matrix over XMPP.
-Element Installation on GrapheneOS -
+ + +**Element Installation on GrapheneOS** + + +
If you have decided to use a smartphone despite our [recommendation to not use phones](/posts/nophones/), Element is available for Android. Install Element like you would for any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). -
-Element Installation on Tails +
+
+ + +**Element Installation on Tails** + + +
+ The easiest option is to use the Element web client on Tor Browser. This doesn't require any additional software. Tor Browser deletes all data upon closing, so you'll be prompted for the Security Key after each login in order to access your past messages. Make sure to **Sign Out** when finished, to avoid accumulating "Signed-in devices". To install Element Desktop, About.Privacy [maintains a guide](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo). -
-Element Installation on Qubes-Whonix +
+
+ + +**Element Installation on Qubes-Whonix** + + +
+ The easiest option is to use the Element web client on Tor Browser is a disposable Whonix qube. This doesn't require any additional software. Tor Browser deletes all data upon closing, so you'll be prompted for the Security Key after each login in order to access your past messages. Make sure to **Sign Out** when finished, to avoid accumulating "Signed-in devices". To install Element Desktop, Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Element Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository). @@ -256,6 +307,9 @@ https_proxy = 127.0.0.1:8082 > >You can install Element Desktop in a Whonix Workstation App qube by using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/), and you will not need to bother with Templates. Element Desktop on Flathub is [community maintained](https://github.com/flathub/im.riot.Riot), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security). +
+
+

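Review bot: the added Qubes-Whonix sentence "use the Element web client on Tor Browser is a disposable Whonix qube" should read "in a disposable Whonix qube"; as written it is ungrammatical and drops the point that the browser runs in a disposable. The Element Desktop install below it repeats the Signal pattern (dedicated qube, but the .deb repository lands in a Template), so whatever wording is chosen for the Signal section about cloning the Whonix Workstation Template should be mirrored here. Note also that the disposable advice makes "Make sure to Sign Out when finished" load-bearing: a session abandoned in a disposable is gone locally but stays registered as a device on the homeserver until it is signed out, which is exactly the accumulation the sentence warns about.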
diff --git a/content/posts/grapheneos/index.md b/content/posts/grapheneos/index.md index b9aff53..2401f10 100644 --- a/content/posts/grapheneos/index.md +++ b/content/posts/grapheneos/index.md 
@@ -14,20 +14,30 @@ dateedit=2023-05-10 [Anarchists shouldn't have phones](/posts/nophones/). If you absolutely must use a phone, it should be as difficult as possible for an adversary to geotrack, intercept messages, or hack. This means using GrapheneOS. + # What is GrapheneOS? + GrapheneOS is a private and secure version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) has irrevocable ability to access your files, call logs, location, etc.), and it is trivial to [bypass standard Android authentication](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) with [physical access](/glossary/#physical-attacks) to the device. GrapheneOS uses hardware-based security to [substantially increase the difficulty](https://grapheneos.org/faq#encryption) of bypassing the authentication, it is significantly [hardened](/glossary#hardening) against hacking, and it has all Google apps and services removed by default. Other alternative Android operating systems exist [but they are inferior](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of the privacy and security improvements over standard Android. GrapheneOS is [regularly audited](https://grapheneos.org/faq#audit). Cellphones leave a geolocation history when they connect to cell towers, by nature of [how the technology works](https://privsec.dev/posts/android/android-tips/#carrier-tracking). For this reason, we recommend using a smartphone which stays at home like a landline, and connects to the Internet on airplane mode through Wi-Fi rather than by using a SIM card to connect through cell towers. 
Even if you use an anonymously acquired SIM, if this is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Additionally, it's insufficient to only leave a phone at home when you are going to a demo or action because this then [stands out](/posts/nophones/#metadata-patterns) as an outlier, serving as an indication that there is conspiratorial activity in that time window. # Installation + [Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are the only devices that currently meet GrapheneOS's hardware security requirements - see the [supported devices](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). Beginning with the Pixel 6, Pixel devices receive a minimum of [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from when they are released. End-of-life devices (GrapheneOS "extended support" devices) do not have full security updates so they are not recommended. Avoid carrier variants of the phone, meaning don't buy one from a mobile network operator, which can prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model just after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released. -[Installing GrapheneOS](https://grapheneos.org/install/) can happen through a web browser, or through the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with a command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list their officially supported operating systems. 
There is not official support for installing from Qubes OS, but it is possible with the following steps. +[Installing GrapheneOS](https://grapheneos.org/install/) can happen through a web browser, or through the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with a command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list their officially supported operating systems. + +Upon first booting Graphene, it will prompt you if you want to connect to Wi-Fi. Don't, we need to do [hardware-based attestation](#auditor) first. Never set up the fingerprint authentication. Set a [strong password](/posts/tails-best/#passwords). + +There is not official support for installing from Qubes OS, but it is possible with the following steps.
-Installation on Qubes OS -

TODO

-
+ + +**Installation on Qubes OS** + + +
*These instructions assume that your sys-usb Qube is disposable, which is a [post-installation default](/posts/qubes/#getting-started).* @@ -41,7 +51,7 @@ Cellphones leave a geolocation history when they connect to cell towers, by natu * When you are done, reboot sys-usb. If it is disposable, the changes you have made will be gone. Don't forget to change back the sys-usb qube settings: * Net qube: (none) -Upon first booting Graphene, it will prompt you if you want to connect to Wi-Fi. Don't, we need to do [hardware-based attestation](#auditor) first. Never set up the fingerprint authentication. Set a [strong password](/posts/tails-best/#passwords). +
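Review bot: a bare "TODO" line remains inside the Installation on Qubes OS block, between the new bold title and the "*These instructions assume that your sys-usb Qube is disposable*" note; either it is leftover scaffolding to delete or it marks content that is still missing, and in both cases it should not ship in the published page. Moving the first-boot paragraph ("Upon first booting Graphene ... Don't, we need to do hardware-based attestation first") ahead of the Qubes block is the right call, since the instruction applies to the web and command-line installers as well; make sure the `-` removal at its old position after "Net qube: (none)" is part of the same change so the paragraph is not duplicated.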
# System navigation @@ -66,6 +76,7 @@ We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, whic You can now connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up the [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. The default permitted delay until alerts is 48 hours; if you know your phone will be off for a longer amount of time, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home during travel), just ignore the notification emails. You can log back in at any time to view the attestation history. # User Profiles + User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) will compartmentalize your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from one another - if one is compromised, the others aren't necessarily. The Owner user profile is the default profile which is there when you turn on the phone. Additional user profiles can be created. Each profile is [encrypted](/glossary/#encryption) using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. A shortcut to switch between different user profiles is present on the bottom of Quick Settings (accessible by swiping down from the top of the screen, twice). When you press **End session** on a profile, that profile's data is encrypted at rest. 
@@ -93,6 +104,7 @@ To reiterate, the user profiles and their purposes will be: * Where applications that require Google Play services are used # How to Install Software + GrapheneOS's app store has the standalone applications built by the GrapheneOS project such as Vanadium, Auditor, Camera, and PDF Viewer. These are updated automatically. For installing additional software, avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/android/#f-droid). GrapheneOS has a [Sandboxed Google Play](https://grapheneos.org/features#sandboxed-google-play) which can be installed through the GrapheneOS app store: "Google Play receives absolutely no special access or privileges on GrapheneOS". 
@@ -117,6 +129,7 @@ Now we will delegate apps to their needed profiles: * To install Riseup VPN (or any other app) in the Default user profile: **Settings → System → Multiple users → Default → Install available apps**, then select Riseup VPN. ## Software That Isn't On the Play Store + Some apps aren't on the Play Store, either because they are in development or they don't want users to have to interact with Google. The Play Store can be used to update apps, but when you download individual .apk files you will need to remember to update them yourself (there are exceptions, for example Signal is designed to self-update). [Obtainium](https://github.com/ImranR98/Obtainium) is an app to keep track of what apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't on the Play Store, install Obtainium into the Owner user profile (and don't disable it). Use the same process of installing apps into the Owner user profile but through Obtainium, then disabling them and delegating them to their needed profiles. Unfortunately, apps acquired through Obtainium require manual updates - it will notify you when one is needed. As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal with [no Google software](https://github.com/mollyim/mollyim-android#free-and-open-source), and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium press **Add App**, then copy the Github Releases URL. Obtanium can install the app, and when there is a new version you will get a system notification and an update icon will be present beside it, at which point you must manually update it. 
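Review bot: the Obtainium section should say what protects the first install, because the procedure is to fetch `app-arm64-v8a-release.apk` from a GitHub Releases page and sideload it: nothing checks the file beyond the TLS connection to GitHub, and Android only enforces signer continuity on later updates, so the first install is a trust-on-first-use step and the reader should at least be told that an update signed by a different key will be refused afterwards. The same holds for every app added through Obtainium (Molly-FOSS from its GitHub Releases, Cwtch from its download page). Minor: "Obtanium" is misspelled twice in the Molly example.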
@@ -124,16 +137,19 @@ As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signa Cwtch is not yet present on the Google Play Store, and can be added to Obtainium by entering the [Download page URL](https://cwtch.im/download/). ## Software That Requires Google Play Services + If there is an app you would like to use that requires Google Play services, create a specific user profile for it from the Owner user profile; you can name it Google. This is also a good solution for isolating any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. If you create a Google user profile, you will need to install and configure Sandboxed Google Play in it. Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid needing this Google user profile. # VoIP + A Wi-Fi only smartphone doesn't require paying a monthly fee for a SIM card. As explained in [Why Anarchists Shouldn't Have Phones](/posts/nophones#bureaucracy), bureaucracies often require a phone number that can be called normally (without encryption). [VoIP](/glossary#voip-voice-over-internet-protocol) applications allow you to create a number and make phone calls over the Internet rather than through cell towers. A phone number is also occasionally required for applications, such as [Signal registration](/posts/e2ee/#signal), and a VoIP number will often work. Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones; the main advantage is that you will hear it ring even when your computer is off. The [jmp.chat](https://jmp.chat/) VoIP service works well with their client [Cheogram](https://cheogram.com/) and can be paid for in Bitcoin. 
In addition, there are paid options that are only present on mobile such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360020177133-Why-isn-t-MySudo-working-in-my-country-)). A MySudo subscription can be anonymously purchased with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is likely unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services. # Tor + Perhaps you want to use [Tor](/glossary/#tor-network) from a smartphone. However, if you need the anonymity of Tor rather than the privacy of Riseup VPN, you should use [either Qubes OS or Tails](/posts/qubes/#when-to-use-tails-vs-qubes-os) on a computer. The [Graphene docs](https://grapheneos.org/usage#web-browsing) recommend avoiding Gecko-based browsers like Tor Browser given that such browsers "do not have internal sandboxing on Android." Orbot is an app that can route traffic from any other app on your device through the Tor network, but simply using the Vanadium browser through Orbot is [not recommended by the Tor Project](https://support.torproject.org/tbb/tbb-9/). Applications like Cwtch and Briar have Tor built in, and should not be used through a VPN like Orbot. 
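Review bot: the Tor paragraph's closing sentence, "should not be used through a VPN like Orbot", describes Orbot imprecisely and leaves the reason implicit. Orbot is a Tor client that uses Android's VPN interface to route other apps through Tor; the problem with sending Cwtch or Briar through it is that those apps already carry their own Tor client, so the result is Tor over Tor, which the Tor Project advises against. Saying it that way tells the reader why, and avoids implying that Orbot is a VPN service in the sense of the Riseup VPN mentioned earlier in the same section.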
@@ -152,11 +168,13 @@ Applications like Cwtch and Briar have Tor built in, and should not be used thro * **Settings → System → Multiple users:** Send notifications to current user (enabled) # How to Backup + Don’t use cloud backups. You can't trust the corporate options, and they are the easiest avenue for police to access your data. If you need to backup your phone, backup onto your encrypted computer. GrapheneOS currently provides Seedvault as a backup solution, but it's not very reliable. As the [docs specify](https://grapheneos.org/faq#file-transfer), connecting directly to a computer requires "needing to trust the computer with coarse-grained access", so it is best avoided. Instead, you can manually backup files by copying them to a USB-C flash drive with the Files app, or sending them to yourself via an encrypted messaging app like [Element (Matrix)](/posts/e2ee/#element-matrix). # Password Management + If you feel you need a password manager, [KeePassDX](https://www.privacyguides.org/en/passwords/#keepassdx-android) is a good option. However, most app credentials can be kept on KeePassXC on a computer as they don't need to be entered regularly. The set up described in this guide requires memorizing two passwords: 1) The Owner user profile (boot password) diff --git a/content/posts/linux/index.md b/content/posts/linux/index.md index e28bccf..4a1c114 100644 --- a/content/posts/linux/index.md +++ b/content/posts/linux/index.md 
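Review bot: in the How to Backup section, the fallback "copying them to a USB-C flash drive with the Files app" says nothing about how those copies are protected at rest, while the paragraph opens by insisting that backups go onto an encrypted computer; state whether the drive is expected to be encrypted and, if the Files app cannot write to an encrypted volume, that the files should be encrypted before copying or moved onto the encrypted computer and the drive wiped afterwards. Without that, the flash drive becomes the weakest copy of the phone's data.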
@@ -17,6 +17,7 @@ As an anarchist, you've probably heard the recommendation to use a Linux compute # What is Linux, and Why Use It? + If you are reading this, you probably use either Windows or macOS on your computer. These are both [operating systems](/glossary#operating-system-os), meaning the system software that runs your device. They are also both 'closed-source', meaning that the software '*source* code' is *closed* to the public, and so can't be inspected for privacy and security. Windows and macOS computers are sending your data to Microsoft and Apple, and you can't trust their [Full-Disk Encryption](/glossary#full-disk-encryption-fde) to protect your data if the computer is being [physically accessed](/glossary/#physical-attacks) (like after a [house raid](https://www.csrc.link/threat-library/techniques/house-raid.html)). Linux is a set of operating systems which are [open-source](/glossary#open-source), which means that the *source* code can be analyzed by anyone. Linux is the name for the core (**kernel**) of the operating system, and many different **distributions** (or 'distros') are based on it. Simply put, *Linux is the only type of computer that anarchists can put any trust in*. 
@@ -24,14 +25,17 @@ Linux is a set of operating systems which are [open-source](/glossary#open-sourc Linux distributions that anarchists are likely to have heard of are Debian, Ubuntu and Tails. Each different Linux distribution makes different choices about how to manage software, what kernel version to use, etc. In fact, both Ubuntu and Tails are adaptations of Debian for the specific use cases of being user-friendly (Ubuntu) and providing default anonymity (Tails). # How Software Works + In Linux, the term for an application is a **package**. Rather than downloading applications from various websites on the Internet (like in Windows and macOS), a Linux distribution will have a centralized **repository** where the software lives. This has the benefit that the integrity of the software is verified by the distribution, and it is guaranteed to work with that Linux distribution. It is still possible to install software from outside of a distro's repository, but it is generally considered to be riskier and verifying the integrity is your responsibility. Installing a package requires knowing its name, and all packages in a repository can be browsed through a web browser for [Debian](https://www.debian.org/distrib/packages#search_packages) as well as [Fedora](https://packages.fedoraproject.org/). How do you actually install from the software repository? Each distribution also has a **package manager**, which is an application which installs software from a software repository. Debian, and distributions based on it, use the `apt` package manager. In some distributions, it is possible to install software with a Graphical User Interface (GUI) that is using the package manager in the background, like the [Synaptic Package Manager](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html#index3h1) in Tails. 
# Software Alternatives + Part of the learning curve to Linux is figuring out what open-source software to use, instead of the closed-source options you will be familiar with from Windows and macOS. For example, instead of using Microsoft Word, you can use LibreOffice. An application being open-source is an essential criteria, but is insufficient to be considered secure. For example, Telegram advertises itself as being open-source, but the servers are not open-source and the cryptography is [trash](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/). The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices. # The Command Line Interface + The dreaded [command line](/glossary/#command-line-interface-cli)! What even is it? You are used to interacting with applications through a **Graphical User Interface (GUI)**, which means through pointing and clicking buttons with your mouse. Some applications can also be interacted with through a **Command Line Interface (CLI)**, which is textual. Many applications will be available in both CLI and GUI versions. For example, navigating the contents of your computer with the File Manager GUI is pretty standard - you click on a folder (called a *directory* in Linux), and it opens. The same navigation around the file system is also possible from the CLI. 
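Review bot: while this hunk is touching the "Software Alternatives" paragraph, the sentence "An application being open-source is an essential criteria, but is insufficient to be considered secure" should read "an essential criterion" (singular); the same phrase recurs in the qubes "How to Install Software" section, so fix both together.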
@@ -54,10 +58,10 @@ The [Qubes](/tags/qubes/) installation requires the same commands (during the [v * `apt install `: this installs packages on Debian * `dnf install `: this installs packages on Fedora - If you ever don't understand what a command is meant to do, try searching [explainshell](https://explainshell.com/) for it. ## GPG Explanation + Using `gpg` during the installation of Tails or Qubes OS will be less confusing if you understand how it works. First, some points of clarification. PGP and GPG are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication ([though we don't recommend it](/posts/e2ee/#pgp-email)), but we are using it here exclusively to verify the integrity and authenticity of files. 
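Review bot: the removed line in this hunk sits between the `dnf install` bullet and the paragraph "If you ever don't understand what a command is meant to do, ..."; if it was the only blank line there, deleting it turns that paragraph into a lazy continuation of the last list item in CommonMark, so the sentence renders as part of the `dnf install` bullet. Keep one blank line between the list and the paragraph (only drop a second, consecutive blank if that is what was there). Minor: the inline code spans `apt install ` and `dnf install ` carry trailing spaces inside the backticks.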
@@ -68,13 +72,13 @@ Now you need to understand the very basics of public-key cryptography. [This Com Tails and Qubes OS sign their releases, and only they can do this because only they possess their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's walk through the [Tails verification instructions](https://tails.boum.org/install/expert/index.en.html), which is less convoluted than the [Qubes OS equivalent](https://www.qubes-os.org/security/verifying-signatures/). -**Step: Create a Key-Pair** +### Step: Create a Key-Pair Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate a key-pair. * `gpg --gen-key` will prompt you for some configuration options and then generate your key-pair. -**Step: Verify the Tails public key** +### Step: Verify the Tails public key * `gpg --import < tails-signing.key` imports the Tails public key into your keyring, so that it can be used. * `gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import` imports a Debian developer's public key into your keyring, so that it can be used. 
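Review bot: converting the bold "**Step: ...**" pseudo-headings to `###` is the right fix, and `###` nests correctly under `## GPG Explanation`; make sure each new `### Step:` heading is followed by a blank line before the bullet list, as this commit does for the other headings it touches, otherwise the list starts flush against the heading.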
@@ -83,13 +87,14 @@ Tails recommends this [Riseup guide](https://riseup.net/en/security/message-secu Now we know that we have a genuine version of the Tails public key. `gpg` also knows this because we have decided to certify it. -**Step: Verify your downloaded Tails .img file** +### Step: Verify your downloaded Tails .img file * `TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.10.img.sig tails-amd64-5.10.img` allows you to verify that the .img file is signed how it should be, by examining the output as instructed. Now we know that we have a genuine version of the Tails .img file, so can proceed to install it to a USB. # Going Further + If you'd like to learn more about Linux, we recommend: * The rest of the Tech Learning Collective's [Foundations](https://techlearningcollective.com/foundations/) exercises will give you a much more comprehensive foundation than what you need to use Qubes or Tails. diff --git a/content/posts/metadata/index.md b/content/posts/metadata/index.md index bf2f9cc..cf68c11 100644 --- a/content/posts/metadata/index.md +++ b/content/posts/metadata/index.md 
@@ -18,9 +18,11 @@ dateedit=2023-05-10 # Metadata Anonymization Toolkit + Thankfully, there is a tool that comprehensively cleans metadata, and it is available as both a [command line interface](/glossary#command-line-interface-cli) and a graphical user interface. The command line version is called `mat2` and is [open-source](https://0xacab.org/jvoisin/mat2), and the graphical version is called [Metadata Cleaner](https://metadatacleaner.romainvigier.fr/) and is also [open-source](https://gitlab.com/rmnvgr/metadata-cleaner/). Both programs are included in [Tails](/tags/tails/) and [Qubes-Whonix](/posts/qubes/#whonix-and-tor) by default. # Using Metadata Cleaner + Unless you are comfortable with the command line, we recommend Metadata Cleaner - it is using `mat2` under the hood, so has all of the same functionality. Metadata Cleaner is better than Exiftool and other software that removes metadata - see the [comparison docs](https://0xacab.org/jvoisin/mat2/-/blob/master/doc/comparison_to_others.md). Metadata Cleaner displays metadata that it detects, but "it doesn't mean that a file is clean from any metadata if mat2 doesn't show any. There is no reliable way to detect every single possible metadata for complex file formats." You should clean the file even if no metadata is displayed. 
@@ -39,6 +41,7 @@ Even though it is possible to clean all metadata from an image or video, forensi Multiple photos or videos from the same camera can be tied together in this way, and if the camera is recovered it can be confirmed to be where the files came from. Cheap cameras can be acquired from a refurbished store and used only once for images or videos that require high security. # Printer Forensics + All modern printers leave invisible watermarks in order to encode information such as the serial number of the printer and and when it was printed. If printed material is scanned, these markings are present in the file. To learn more, see [Revealing Traces in printouts and scans](https://dys2p.com/en/2022-09-print-scan-traces.html) and the Whonix documentation on [printing and scanning](https://www.whonix.org/wiki/Printing_and_Scanning). # Further Reading diff --git a/content/posts/nophones/index.md b/content/posts/nophones/index.md index 9f1844c..18094e0 100644 --- a/content/posts/nophones/index.md +++ b/content/posts/nophones/index.md 
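Review bot: the context line directly under the new blank after "# Printer Forensics" has a doubled word: "the serial number of the printer and and when it was printed" should be "the serial number of the printer and when it was printed". Worth fixing while this paragraph is in the diff.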
@@ -39,6 +39,7 @@ If you absolutely must use a phone, it should be as difficult as possible for an However, it's best to avoid using phones altogether. If it's only the comrades who are taking the biggest risks who are enacting these measures, they will stand out. Identical in principle to the black bloc tactic, the simple act of donning a mask will provide cover for anyone to act anonymously. Therefore, our proposal is that the parts of the anarchist space which have been swept up by dominant society's relationship to technology take several steps back to re-establish less intrusive baselines around phones. The strategies we will explain in the remainder of this article to live without phones rely on computers, where synchronous communication is possible but more limited, as your computer generally stays at home. # Bureaucracy + Many bureaucratic organizations make it difficult to not have a phone: healthcare, the post office, banking, etc. Since these communications do not need to be encrypted, you can use a [Voice over Internet Protocol (VoIP)](/glossary#voip-voice-over-internet-protocol) application (which allows you to make phone calls over the Internet rather than through cell towers). Any VoIP application option on a computer will be asynchronous because it won't ring when the computer is off - you rely on the voicemail feature to return missed calls. For example, a service like [jmp.chat](https://jmp.chat/) gives you a VoIP number that you can optionally pay for in Bitcoin, and you make calls through a XMPP (Jabber) client - [Cheogram](https://cheogram.com/) works well. 
@@ -48,6 +49,7 @@ Although typically more expensive then VoIP, a flip phone or landline also works A flip phone can be used for any [Two-Factor Authentication](/glossary/#two-factor-authentication-2fa) (2FA) that you require (when a service makes you receive a text message to log in), which do not always work with VoIP providers. If you only need a flip phone for 2FA, [online phone numbers](https://anonymousplanet.org/guide.html#online-phone-number) are another option. # Communication + Not having a phone will require changing how you socialize if you are [already caught in the net](https://theanarchistlibrary.org/library/return-fire-vol-4-supplement-caught-in-the-net). Being intentional about minimizing the mediation of screens in our relationships is a valuable goal in and of itself. Except in cases where it cannot be avoided (as in the case of a publication whose editors live in different regions from one another), organizing should not be mediated by technology. The dynamic by which, in some parts of the anarchist space, the entirety of how anarchists organize projects together has been reduced to a monoculture of Signal group chats (or worse) warrants a lot of criticism. This capture of organizing relationships by smartphone culture has given rise to a meeting that never ends, which is bad for a lot of anarchists' morale. It also means that our organizing is relatively easy to surveil. Only one phone in the group chat needs to be compromised with malware for access to all messages. 
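Review bot: the hunk header context for this change shows a typo on the first line of the section, "Although typically more expensive then VoIP" should be "more expensive than VoIP"; it is one line above the edited range, so it can be picked up in the same commit.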
@@ -55,15 +57,19 @@ Except in cases where it cannot be avoided (as in the case of a publication whos That said, encrypted communication is useful for setting up real-life meet-ups where life and organizing actually takes place, or for projects that are shared with comrades across distances. See [Encrypted Messaging for Anarchists](/posts/e2ee/) for different options that are appropriate for an anarchist [threat model](/glossary/#threat-model). # Emergency Calls + A passer-by on the street will often let you borrow their phone to make an urgent call. If the need arises in remote regions such as during a hiking trip, this is where using a flip phones would be a good fit. For receiving emergency calls, if you are not reachable from a computer as outlined above, we can drop by one another's houses or arrange for encrypted messaging check-ins ahead of time. What scenarios actually require being able to receive a call at any moment? If these actually exist in your life, you can organize to accommodate for them without projecting this urgency onto all areas and moments of your life. # Directions + Buy a paper map of your region and bring it with you. For trips that are longer or where you will need directions, use [OpenStreetMap](https://www.openstreetmap.org/) to note them ahead of time. Wear a watch to be able to get where you are going on time. # Music and Podcasts + They still make MP3 players! For a way cheaper price, you can play music and podcasts, but the device has neither GPS nor radio hardware. This does not mean they can't be used for geolocation. If your Wi-Fi is on, the approximate location of your MP3 player can be determined from the IP address. # Appendix: Against the Smartphone + *From [Fernweh (#24)](https://fernweh.noblogs.org/texte/24-ausgabe/gegen-das-smartphone/)* It's always with us, it's always on, no matter where we are or what we're doing. 
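Review bot: in the "Emergency Calls" paragraph that follows the added blank line, "this is where using a flip phones would be a good fit" mixes singular and plural; change to "using a flip phone would be a good fit". Also in this hunk, "For a way cheaper price" under "Music and Podcasts" reads informally; "For a much lower price" is clearer, if the author wants to change it.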
It informs us about everything and everyone: what our friends are doing, when the next subway leaves and what the weather will be like tomorrow. It takes cares of us, wakes us up in the morning, reminds us of important appointments and always listens to us. It knows everything about us, when we go to bed, where we are and when, who we communicate with, who our best friends are, what music we listen to and what our hobbies are. And all it asks for is a little electricity now and then? diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md index c90c938..3d7f8f0 100644 --- a/content/posts/qubes/index.md +++ b/content/posts/qubes/index.md 
@@ -18,11 +18,13 @@ Qubes OS is a security-oriented [operating system](/glossary#operating-system-os Qubes OS can be made to force all Internet connections through the [Tor network](/glossary/#tor-network) (like Tails) by using [Whonix](https://www.whonix.org/wiki/Qubes), which is included by default. Devices (USBs, network devices, microphone and camera) are all strongly isolated and only allowed access when it is explicitly granted. "Disposables" are one-off qubes that self-destruct when shut down. # Who is Qubes OS For? + Given that anarchists are [regularly targeted](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in the course of repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for daily-use, and [further down](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. Whereas Tails is so user-friendly that Linux knowledge isn't even required, Qubes OS is a bit more involved, yet it is still designed to be accessible to users like journalists who don't know Linux well. Even if nothing directly incriminating is done on a computer that you use everyday, its compromise will still give investigators a field day for [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use their daily-use computer for some anarchist projects and communication with other comrades, so making our personal computers difficult to hack is a reasonable goal for all anarchists. # How Does Qubes OS Work? + Qubes OS is not quite another version of Linux. Rather, it is based on many "[virtual machines](/glossary/#virtual-machine-vm)" running Linux. 
All of these "virtual machines" are configured to work together in order to build a cohesive operating system. What is a virtual machine? [Virtualization](/glossary/#virtualization) is the process of running a virtual computer *inside* your computer. The virtual machine thinks it's a computer running on real hardware, but really it's running on abstracted hardware (software imitating hardware). Qubes OS uses a special program called a hypervisor to manage and run many of these virtual machines at once, on the same physical computer. To simplify things, virtual machines are referred to as qubes. Different operating systems like Debian, Whonix, Fedora, Windows, etc. can all run together simultaneously. The hypervisor strongly isolates each of the qubes from one another. @@ -60,6 +62,7 @@ Two more components are necessary to complete the Qubes OS system: Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware - only the Admin qube can directly access the hard drive and only Service qubes can directly access the networking, USB, microphone and camera hardware. # When to Use Tails vs Qubes OS + Qubes includes Whonix by default for when you need to force all connections through Tor. As [Privacy Guides](https://www.privacyguides.org/desktop/#anonymity-focused-distributions) compares (emphasis added): > Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. **This means that even if the Workstation is compromised by [malware](/glossary/#malware) of some kind, the true IP address remains hidden.** 
@@ -85,6 +88,7 @@ And to use Tails: * If the learning curve for Qubes OS is too steep # Getting Started + Qubes OS runs ideally on a laptop with a solid-state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/qubes-best/#heads-open-source-firmware) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop—we recommend the ThinkPad X230 because the install is less involved than for other models. The X230 is also the only laptop model that is developer-tested, and is easily found in refurbished computer stores for around $200 USD. See the [community-recommended computers](https://forum.qubes-os.org/t/5560) list for several other options, and [Best Practices](#hardware-security) for further discussion of hardware security. The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you up and running. Do not set up dual boot - an other OS could be used to compromise Qubes OS. If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you though it, or first learn command line basics and GPG (required during the [verification stage](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/). 
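Review bot: two typos in the "Getting Started" paragraphs this hunk touches: "Do not set up dual boot - an other OS could be used to compromise Qubes OS" should be "another OS", and "ask a friend to walk you though it" should be "walk you through it".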
@@ -100,6 +104,7 @@ In the post-installation: The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin. The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but difficult to orient to for a new user. We'll cover some basics here that aren't already mentioned in the Getting Started link. # How to Update + On Qubes OS, you should NOT be typing `apt update` or `apt upgrade` from the command line, which you may be used to from other experiences with Linux. As the [docs](https://www.qubes-os.org/doc/how-to-update/) specify, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing that you'll want to do after connecting to the Internet is to launch Qubes Update. From the docs: > you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.” @@ -107,6 +112,7 @@ On Qubes OS, you should NOT be typing `apt update` or `apt upgrade` from the com Updates will take a moment to be detected on a new system, so select "Enable updates...", tick all qubes, and press **Next**. A Whonix window might pop up prompting you to do a command line update, but this can be ignored as it will be resolved by the update. Once Qubes Update is done, reboot. # How to Copy and Paste Text + Qubes has a special global clipboard to allow you to copy and paste text between qubes. 1. Press **Ctrl+C** to copy text as normal to the internal clipboard of the source App qube. 
@@ -117,6 +123,7 @@ Qubes has a special global clipboard to allow you to copy and paste text between It's a little tricky at first, but you'll get the hang of it fast! # How to Copy and Move Files + A special tool exists for moving files and directories (folders) between qubes that requires explicit user consent. As a rule of thumb, only move files from more trusted qubes to less trusted ones. From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/): @@ -130,6 +137,7 @@ From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/): >4. If you wish, you may now move the file in the target qube to a different directory and delete the /home/user/QubesIncoming/ directory when no longer needed. # How to Shutdown Qubes + ![](r4.1-widgets.png) Click on the Domains widget to see which Qubes are currently running, as well as how much memory (RAM) and computing power (CPU) they are using. Each qube uses memory, so when you are done with a qube you should shut it down to free up the memory it is using. Closing windows is not enough - you need to shut each qube down manually when it's no longer needed. 
@@ -137,6 +145,7 @@ Click on the Domains widget to see which Qubes are currently running, as well as ![](shutdown.png) # How to Install Software + While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html) for installing any additional software, at this time Qubes OS does not, so new software must be installed from the command line. If unfamilar with either the command line or how software works in Linux, check out [Linux Essentials](/posts/linux/) to get acquainted. For choosing what additional software to install, keep in mind that an application being [open-source](/glossary/#open-source) is an essential criteria, but is insufficient to be considered secure. The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices. Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, and all can be browsed through a web browser for [Debian](http://packages.debian.org/) as well as [Fedora](https://packages.fedoraproject.org/), or on the command line. 
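Review bot: in the "How to Install Software" paragraph following the new blank line, "If unfamilar with either the command line" should be "unfamiliar", and "an application being open-source is an essential criteria" should be "criterion" (matching the same fix in the linux post).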
@@ -168,6 +177,7 @@ To return to the example above, I would start a terminal in the `debian-11-docum You may want to use software that is not present in the Debian/Fedora repositories, which makes matters a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, instead of relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) lays out your options. If the software is available at [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories (such as Signal Desktop), we recommend [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/). # How to Organize Your Qubes + The next step is to decide how to organize your system - there is much more flexibility in this regard than in a monolithic system like Tails. In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended set-up for the typical user, which can be futher extended as needed. After installation, a number of qubes already exist. Click on the Applications Menu to see all of them. We will delete the following default App qubes because they use the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each. 
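Review bot: the "How to Organize Your Qubes" paragraph under the added blank line has "which can be futher extended as needed"; should be "further".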
@@ -182,6 +192,8 @@ How the App qubes will be organized, without displaying service qubes or Templat * **A disposable Debian or Fedora qube**. The default `debian/fedora-dvm` qube (depending on your post-installation decision) is disposable, and is great for web browsing that blocks Tor, such as logging into online banking. +## Creating Qubes + It's possible to just use the system as it is now, but let's show you how to create an App qube and a disposable. * **A Monero qube**. Lets say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize that activity. Go to **Applications menu → Qubes Tools → Create Qubes VM** @@ -202,7 +214,7 @@ It's possible to just use the system as it is now, but let's show you how to cre * Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm` * Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network, and which is destroyed upon being exited. -[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to configure qubes that otherwise require advanced command line use to set up. Available configurations include: +[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to create and configure qubes that otherwise require advanced command line use to set up. Available configurations include: * **Split-gpg**: GPG keys live in an offline qube and their access is tightly controlled * **Split-ssh**: SSH keys live in an offline qube and their access is tightly controlled 
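Review bot: the new `## Creating Qubes` heading is a structural addition rather than pure formatting, so mention it in the commit message; the level is correct under "# How to Organize Your Qubes". In the first bullet after the new heading, "Lets say you want to use the Monero wallet" should be "Let's say". The wording change to "create and configure qubes" in the Qubes Task Manager line matches what the list below it describes.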
@@ -214,11 +226,11 @@ If you want your qubes that are not using Tor to be forced through a VPN, this i By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - if an App qube is close to filling up, the Disk Space Monitor widget will have a notification. To increase the private storage size of any given qube, in the qubes' **Settings → Basic** tab, change "Private storage max size". This storage won't be used immediately, it is just the max that can be used by that qube. # How to Use Disposables + Disposables can be launched from the Applications menu; the disposable will be at the top, and the disposable Template near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, this can be accomplished from the Qubes Domains widget, in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would start yet another disposable. Once you close all windows of a disposable, the whole disposable shuts down and is destroyed. The next time that it boots, the disposable will completely reflect the state of its Template. In contrast, an App qube needs to be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local` and `/rw/config` directory. The next time that it boots, all locations in the file system of an App qube other than these three directories will reflect the state of its Template. Take a look at how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information. 
- ![](disposable.png) In the file manager of an App qube, right-clicking on certain types of files will give the option **Edit In DisposableVM** and **View In DisposableVM**. This is exactly how we want to open any untrusted files stored in our vault qube. It will use the default disposable that we set earlier, which is offline. Once you close the viewing application the whole disposable will be destroyed. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. By contrast, viewing in a disposable is read-only, so if the file executes something malicious, it can't write to the App qube you launched it from - this is preferred for files you don't need to edit. @@ -238,6 +250,7 @@ For PDF files, right-clicking will also give the option **Convert To Trusted PDF Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to set the default of only opening PDF files in a disposable, right-click a PDF and select **Open With Other Application → qvm-open-in-dvm**. # How to Use Devices (like USBs) + To learn how to attach devices, we will format the empty USB or hard drive you will be using for backups. The USB will be attached to an offline disposable to mitigate against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB). 1. Go to **Applications menu → Disposable: debian-11-offline-dvm → Disks**. The disposable will have a name with a random number like disp4653. If Disks is not present, make the change on the **Settings → Applications** tab. 
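Review bot: in the "How to Use Disposables" hunk (-214,11 +226,11), the removed line sits right before `![](disposable.png)`; if that was the only blank line separating the image from the paragraph ending "...for more information.", the image now becomes an inline image at the tail of that paragraph instead of a standalone figure. Keep one blank line before the image. Two small fixes in the same hunk's context: "in the qubes' **Settings → Basic** tab" should be "qube's", and "persist data in the `/home`, `/usr/local` and `/rw/config` directory" should be "directories".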
@@ -262,6 +275,7 @@ There are command line instructions for setting up an [external keyboard](https: You don't always need to attach a USB drive to another qube with the Qubes Devices widget - it will also be accessible from sys-usb directly, through the File Manager. You can [copy specific files](#how-to-copy-and-move-files) between the USB and another App qube without needing to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb - since it's disposable, it does the job of sanitizing for another device. # How to Backup + As soon as your qubes are organized in the way that you would like, backup your system. Depending on your needs, we recommend making a weekly backup - pick a day of the week and add a reminder on your calendar. We also recommend making a redundant backup which is stored off-site and is synchronized monthly (to protect against data loss from a [house raid](https://www.csrc.link/threat-library/techniques/house-raid.html)). Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup): 
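Review bot: in the "How to Backup" paragraph below the new blank line, "backup your system" uses the noun form as a verb; "back up your system" (two words) is correct, and the heading could likewise read "How to Back Up" for consistency with "How to Copy and Move Files" and the other "How to" headings.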
@@ -280,6 +294,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and- >7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you can’t restore your data from it, and you can’t be sure that your backup is not corrupted until you try to restore. # Whonix and Tor + The Whonix project has their own [extensive documentation](https://www.whonix.org/wiki/Documentation), as does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), upon which it is based. When Whonix is used in Qubes OS it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems as well, but it's preferable to use it on Qubes OS due to the superior isolation it provides. Different applications on a Whonix App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated - this is called [Stream Isolation](https://www.whonix.org/wiki/Stream_Isolation). @@ -292,6 +307,7 @@ Also worth noting is that "for those who regularly download Internet files, Tor Tor Browser can't upload files from `/home/user/QubesIncoming/` due to how permissions are set, so move files somewhere in `/home/user/` to upload them, such as the Downloads directory. # Password Management + Passwords should be managed with KeePassXC from the `vault` App qube. If unfamiliar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This leaves three passwords that must be memorized: 1. [LUKS](/glossary/#luks) password (first boot password) 
@@ -301,9 +317,11 @@ Passwords should be managed with KeePassXC from the `vault` App qube. If unfamil For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords). # Windows Qubes + It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), though the installation is a bit involved. This allows programs that are not available for Linux, such as the Adobe Creative Suite programs, to be used from Qubes OS (ideally offline). Installing "cracked" software downloaded from a torrent is not recommended as these are often malicious. The Adobe Creative Suite can be downloaded from Adobe, and then cracked with [GenP](https://www.reddit.com/r/GenP/wiki/redditgenpguides/#wiki_guide_.232_-_dummy_guide_for_first_timers_genp_.28method_1.3A_cc.2Bgenp.29). # Best Practices + There is a lot more flexibility in how you configure Qubes OS than Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article: * Protecting your identity @@ -345,6 +363,7 @@ Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Servic * Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template. ## Hardware Security + Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer: * **Root of trust**: A secure element to store secrets that can be used as a root of trust during the boot process. 
@@ -362,6 +381,7 @@ Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the Qubes OS also applies proper software mitigation to this class of attacks at the level of the hypervisor, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/). ## OPSEC for Memory Use + To address "future not-yet-identified vulnerabilities of this kind" on older hardware that is no longer receiving microcode updates, the OPSEC suggestion is to limit the presence of secrets in memory that could result in leaks. Every qube that is running is using memory, and a compromised qube could use such vulnerabilities to read and exfiltrate the memory being used by other qubes. Disposables will be reset after being shutdown, so we can assume that their compromise would likely be transient. Perform sensitive operations in qubes with no networking, and shutdown secure qubes when not in use. Pay attention to which qubes are running simultaneously: * [vault qube](#how-to-organize-your-qubes): 
@@ -371,9 +391,11 @@ To address "future not-yet-identified vulnerabilities of this kind" on older har * sys-net: Disposable. Only run when needed, and shutdown when finished. Shutdown when performing sensitive operations in other qubes, as far as possible. Restart before activities which require sys-net (i.e. email, ssh sessions, etc.). ## Remove Passwordless Root + By default, Qubes OS does not require a password for root permissions (in other words, you can run a command with `sudo` without a password). The [docs](https://www.qubes-os.org/doc/vm-sudo/) explain the rationale for this decision. In alignment with the security principle of defense-in-depth, we recommend enabling a password for root permissions. Forcing an adversary to successfully execute privilege escalation can be a mitigating factor, considering the hardening of Kicksecure/Whonix Templates as well as the limited time window provided by disposables. If you are comfortable with the command line, follow the [docs](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) for replacing passwordless root access with a Dom0 user prompt in Debian/Whonix/Kicksecure Templates. # Wrapping Up + The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend starting to use Qubes OS gradually, where you can progressively do tasks on Qubes OS instead of your previous operating system, because trying to learn everything at once may be overwhelming. diff --git a/content/posts/tails-best/index.md b/content/posts/tails-best/index.md index 68c02e0..faac59b 100644 --- a/content/posts/tails-best/index.md +++ b/content/posts/tails-best/index.md 
@@ -30,11 +30,15 @@ Let's start by looking at the [Tails Warnings page](https://tails.boum.org/doc/a > 1. Sharing files with [metadata](/glossary#metadata), such as date, time, location, and device information > 2. Using Tails for more than one purpose at a time -The first issue can be mitigated by **cleaning metadata from files before sharing them**: +### Sharing files with metadata + +This first issue can be mitigated by **cleaning metadata from files before sharing them**: * To learn how, see [Removing Identifying Metadata From Files](/posts/metadata/). -The second issue can be mitigated by what's called **'compartmentalization'**: +### Using Tails for more than one purpose at a time + +This second issue can be mitigated by what's called **'compartmentalization'**: * [Compartmentalization](https://www.csrc.link/threat-library/mitigations/compartmentalization.html) means keeping different activities or projects separated from each other. If you use Tails sessions for more than one purpose at a time, an adversary could link your different activities together. For example, if you log into different accounts on the same website in a single Tails session, the website could determine that the accounts are used by the same person. This is because websites can tell when two accounts are using the same Tor circuit. * To prevent an adversary from linking your activities together while using Tails, restart Tails between different activities. For example, restart Tails between checking different project emails. 
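Review bot: In the @@ -30,11 +30,15 @@ hunk, "This first issue can be mitigated by ..." now sits directly under a new `###` heading that already names the issue, so the ordinal reads oddly; "This issue can be mitigated by ..." is enough. The same pattern is repeated for the second/third/fourth pairs later in this file, so apply the change consistently if you take it.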
@@ -48,13 +52,17 @@ The second issue can be mitigated by what's called **'compartmentalization'**: > 1. Hiding that you are using Tor and Tails > 2. Protecting your online communications from determined, skilled attackers -The first issue is mitigated by [**Tor bridges**](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#bridges): +### Hiding that you are using Tor and Tails + +This first issue is mitigated by [**Tor bridges**](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#bridges): * Tor Bridges are secret Tor relays that keep your connection to the Tor network hidden. However, this is only necessary where connections to Tor are blocked, for example in some countries with heavy censorship, by some public networks, or by some parental controls. This is because Tor and Tails don't protect you by making you look like any random Internet user, but by making all Tor and Tails users look the same. It becomes impossible to know who is who among them. > A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called *end-to-end correlation* attacks, because the attacker has to observe both ends of a Tor circuit at the same time. [...] End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users. -The second issue is mitigated by **not using an Internet connection that could deanonymize you** and by **prioritizing .onion links when available**: +### Protecting your online communications from determined, skilled attackers + +This second issue is mitigated by **not using an Internet connection that could deanonymize you** and by **prioritizing .onion links when available**: * Wi-Fi adapters that work through SIM cards are not a good idea. 
The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile network provider every time you connect, allowing identification as well as geographical localization. The adapter works like a cell phone! If you do not want different research sessions to be associated with each other, do not use such an adapter or the SIM card more than once! * There are several opsec considerations to keep in mind if using Wi-Fi at a cafe without CCTV cameras. 
@@ -78,13 +86,17 @@ The second issue is mitigated by **not using an Internet connection that could d > 1. Installing from an infected computer > 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware -The first issue is mitigated by **using a computer that you trust to install Tails**: +### Installing from an infected computer + +This first issue is mitigated by **using a computer that you trust to install Tails**: * As per our [recommendations](/recommendations/#computers-daily-use), this would ideally be from [Qubes OS](/posts/qubes/) which is much more difficult to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick which was installed with Qubes OS (and who uses these best practices), you could [clone it](https://tails.boum.org/upgrade/clone/index.en.html) instead of installing it yourself. * Use the install method ["Terminal: Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), because it checks the integrity of the download more thoroughly using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you through it, or first learn command line basics and GnuPG with [Linux Essentials](/posts/linux/). * Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs that are used in Tails sessions) into a computer while another operating system is running on it; if the computer is infected, the infection can then [spread to the USB](https://en.wikipedia.org/wiki/BadUSB). -The second issue requires several mitigations. Let's start with some definitions. +### Running Tails on a computer with a compromised BIOS, firmware, or hardware + +This second issue requires several mitigations. Let's start with some definitions. * *Hardware* means the physical computer that you use. 
* *Firmware* means software that's embedded in a piece of hardware; you can think of it simply as "software for hardware". It can be found in several different locations (hard drives, USB drives, graphics processor, etc). @@ -92,7 +104,7 @@ The second issue requires several mitigations. Let's start with some definitions Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, or the Tails software; [remote attacks](/glossary#remote-attacks) (through the Internet) and [physical attacks](/glossary/#physical-attacks) (through physical access). Not everyone will need to apply all of the advice below. For example, if Tails is only being used for anonymous Internet browsing and writen correspondence, some of this may be overkill. However, if Tails is being used to take responsibility for actions that are highly criminalized, a more thorough approach is likely relevant. -**To mitigate against physical attacks:** +#### To mitigate against physical attacks: > Your computer might be compromised if its physical components have been altered. For example, if a keylogger has been physically installed on your computer, your passwords, personal information, and other data typed on your keyboard could be stored and accessed by someone else, even if you are using Tails. 
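Review bot: The new heading `#### To mitigate against physical attacks:` in the @@ -92,7 +104,7 @@ hunk keeps the trailing colon from the bold label it replaces; headings elsewhere in this file have no trailing punctuation, and the colon ends up in the generated anchor id. Suggest `#### To mitigate against physical attacks` (and the same for the remote-attacks heading in the following hunk). While here, the unchanged context line in this hunk has a typo: "writen correspondence" should be "written correspondence".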
@@ -102,7 +114,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, * **Make the laptop screws tamper-evident, store it in a tamper-evident way, and monitor for intrusions**. With these precautions, if physical attacks happen in the future, you'll be able to notice. See the tutorial [Making Your Electronics Tamper-Evident](/posts/tamper/) to adapt the laptop chassis screws, use the app Haven for intrusion detection, as well as how to store it so that you'll be able to notice if it's been physically accessed. Store any external devices you’ll be using with the laptop in the same way (USB, external hard drive, mouse, keyboard). Once physical attack vectors are mitigated, an adversary will need to rely on remote attacks. -**To mitigate against remote attacks:** +#### To mitigate against remote attacks: * **Anonymous Wi-Fi**. Using anonymous Wi-Fi is not only recommended to mitigate against deanonymization, but also against remote hacking. It is best to never use the dedicated Tails laptop from your home Wi-Fi. This makes the laptop much less accessible to a remote attacker than a laptop that you constantly have connected to your home Wi-Fi. If an attacker is targeting you specifically, they need a starting point, and your home Wi-Fi is a pretty good one. * **Remove the hard drive**—it's easier than it sounds. You can ask the store where you buy it to do this and potentially save some money. If you look on youtube for 'remove hard drive' for your laptop model, there will likely be an instructional video. Make sure that you remove the laptop battery first and unplug the power cord. We remove the hard drive to completely eliminate the hard drive firmware, which has been known to be [compromised in order to install malware that is persistent](https://www.wired.com/2015/02/nsa-firmware-hacking/). This is part of the attack surface, and is unnecessary with a live system like Tails which runs from a USB. 
@@ -246,9 +258,11 @@ Finally, if you click on any link from an email, and are asked to log in, be awa You may want to open untrusted links in a dedicated Tails session, with no Persistent Storage unlocked or Personal Data USBs mounted. # To Conclude + Using Tails without any of this advice is still a huge improvement over many other options. Given that anarchists regularly entrust their freedom to Tails, such as for submitting communiques, taking these extra precautions can further strengthen your trust in this operating system. # Appendix: Deanonymization of your WLAN (Wi-Fi) adapter despite Tails? + ***Capulcu*** *(from [Autonomes Blättchen No. 49](https://autonomesblaettchen.noblogs.org/files/2022/06/nr49web.pdf), 2022)* The two main techniques for anonymizing network traffic while using Tails are using Tor to obfuscate IP addresses and using a MAC address changer to obfuscate the MAC address. In theory, this does the trick. However, security cannot always be guaranteed and attacks aimed at deanonymization occur against both techniques. The compromise of one technique does not entail the compromise of the other. Nevertheless, *for particularly sensitive publications*, it is important to thwart all possibilities of successful identification. 
@@ -265,7 +279,7 @@ In September 2019, our collective published a short statement ("[Security warnin **Recommendation**: Until there is a (stable) solution for the "WLAN fingerprinting" problem, you should remove the internal WLAN adapter for particularly sensitive research and publications and use a (cheap) external USB WLAN adapter and **dispose of it after use**. We also advise you to use WLAN adapters that can be controlled by the Tails operating system without manufacturer-specific firmware (e.g. WLAN adapters with Qualcomm's Atheros chip that use the ath9k driver). -**Description of the problem and technical details** +## Description of the problem and technical details If you have not explicitly deactivated the WLAN on the Tails welcome screen (via Offline Mode) or, if available, via a hardware switch, the Tails operating system will automatically search for existing WLAN access provided by access points (Wi-Fi routers). It does this by sending a radio signal (*probe request*) at regular intervals to all access points in the vicinity. The regularly sent request contains the unique MAC address of your WLAN adapter. However, Tails protects your anonymity by not sending the real address, but a randomly generated MAC address. If there are access points in the vicinity, they also respond with a radio signal (*probe response*). This response contains information about the network name (SSID), authentication and encryption. The information contained in these radio signals makes it possible to connect to an access point and exchange data packets. 
@@ -284,11 +298,11 @@ Further publications on possible deanonymization attacks (which do not explicitl - "[Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field](http://www.uninformed.org/?v=5&a=1&t=pdf) - "[Device Fingerprinting in Wireless Networks: Challenges and Opportunities](https://arxiv.org/pdf/1501.01367v1.pdf)" -**Probe Request Fingerprinting** +## Probe Request Fingerprinting The probe requests sent at short intervals by all WLAN adapters (whether internal or external) contain WLAN adapter-specific information elements (IEs) in the management frame. The values of the [IEs](http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf) are partly manufacturer-specific (in terms of content and sequence). This makes them particularly suitable for deanonymizing fingerprinting, which was used in the previously mentioned papers. Among the various implementations of proprietary [WLAN firmware](https://en.wikipedia.org/wiki/Proprietary_software), there are so many different ways to arrange them that tracking can therefore be successful. In addition, WLAN adapters can often be distinguished by sequence number[^4], data throughput rate, and other radio signal-specific parameters[^5]. -**Reduce the digital footprint** +## Reduce the digital footprint The packet sizes of probe requests differ according to the information they contain. In most cases, this depends heavily on the firmware implementations of the manufacturers. However, there are also free driver implementations for WLAN adapters that do not require proprietary firmware and can be controlled via the operating system[^6]: 
@@ -302,6 +316,7 @@ After our warning in summer 2019, we summarized our ideas for avoiding probe req # Appendix 2: Location, Location, Location + *From **How to Hack like a Ghost** by Sparc Flow, available on [Library Genesis](https://en.wikipedia.org/wiki/Library_Genesis)* One way to increase your anonymity is to be careful of your physical location when hacking. Don’t get me wrong: Tor is amazing. [...] But when you do rely on these services, always assume that your IP address—and hence, your geographical location and/or browser fingerprint—is known to these intermediaries and can be discovered by your final target or anyone investigating on their behalf. Once you accept this premise, the conclusion naturally presents itself: to be truly anonymous on the internet, you need to pay as much attention to your physical trail as you do to your internet fingerprint. diff --git a/content/posts/tails/index.md b/content/posts/tails/index.md index d3f7fb7..57df7a7 100644 --- a/content/posts/tails/index.md +++ b/content/posts/tails/index.md 
@@ -66,12 +66,12 @@ It makes no sense to say "such and such a tool is secure". Security always depen ## Prerequisites -***Selecting a USB/DVD:*** +### Selecting a USB/DVD: * Tails only works on USBs of more than 8 GB or on DVDs (where it is not possible to use the Persistent Storage feature described below). The data on the USB will be completely erased at installation, so save your data elsewhere beforehand, and if you don't want any trace of what was there before, use a new USB. * The article [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch) recommends using a USB with a write-protect switch (an unchangeable data medium) to make sure that nothing is left behind when doing sensitive work, and that the laptop cannot compromise your Tails system. The article details how to adapt to this. The write-protect switch will need to be disabled during installation. If you are unable to obtain such a USB, you can use Tails from a DVD-R/DVD+R, or always boot it with the `toram` option (described at more length in the article). -***Selecting a laptop:*** +### Selecting a laptop: * Although it is possible to use Tails on a desktop computer, this is not advised because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. Additionally, it would be harder to tell if someone had opened your desktop case and installed a physical keylogger. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more on obtaining a laptop. 
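Review bot: Both headings added in the @@ -66,12 +66,12 @@ hunk, `### Selecting a USB/DVD:` and `### Selecting a laptop:`, carry a trailing colon inherited from the bold labels they replace. Other `###` headings in this same patch (e.g. `### Solution 2: Installation by download (Preferred)`) have none, so drop the colons for consistency and cleaner anchor ids.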
@@ -85,15 +85,16 @@ To install Tails on a USB, you need a "source" and a USB (that is 8 GB or larger Concerning the "source", there are two solutions. -***Solution 1: Installation from another Tails USB*** +### Solution 1: Installation from another Tails USB * This requires knowing a Tails user you trust. A very straightforward software called the Tails Installer allows you to "clone" a new Tails USB in a few minutes; see the documentation for cloning from a [PC](https://tails.boum.org/install/clone/pc/index.en.html) or [Mac](https://tails.boum.org/install/clone/mac/index.en.html). Any Persistent Storage data isn't transferred. The disadvantage of this method is that it can spread a compromised installation. -***Solution 2: Installation by download (Preferred)*** +### Solution 2: Installation by download (Preferred) * You have to follow the [Tails installation guide](https://tails.boum.org/install/index.en.html). The Tails website will guide you step by step; it is important to follow the entire tutorial. It is possible for an attacker to [intercept and modify the data](/glossary#man-in-the-middle-attack) on its way to you, so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the install method [using GnuPG](https://tails.boum.org/install/expert/index.en.html) is preferred, because it checks the integrity of the download more thoroughly. ## Booting from your Tails USB + Once you have a Tails USB, follow the Tails guides to [start Tails on a Mac or PC computer](https://tails.boum.org/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on the laptop. The "Boot Loader" screen will appear and Tails starts automatically after 4 seconds. ![](grub.png) 
@@ -181,11 +182,11 @@ Every time you start Tails, the Tails Upgrader checks if you are using the lates ![](upgrader_automatic.png) -***The [automatic upgrade](https://tails.boum.org/doc/upgrade/index.en.html)*** +### The [automatic upgrade](https://tails.boum.org/doc/upgrade/index.en.html) * A window will appear with information about the upgrade, and you have to click **Upgrade now**. You have to wait a little while for it to complete, and for a moment it will cut your Internet. Do not shut down before you see the Restart Tails window. If the upgrade fails (for instance, because it shut down before it was finished), your Persistent Storage is not affected, but you may not be able to restart your Tails USB. If you are using a USB with a write-protect switch, you will have to set it to "writable" for the single session in which you are performing the upgrade. -***The [manual upgrade](https://tails.boum.org/upgrade/tails/index.en.html)*** +### The [manual upgrade](https://tails.boum.org/upgrade/tails/index.en.html) * Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only done for major upgrades or in case of an issue. * If you already have a second Tails USB with the latest version, you start on that one, and navigate to **Applications → Tails → Tails Installer**. Instead of the button reading "install", you'll be asked "upgrade". The difference is that it won't format the whole USB, it will just replace the Tails partition with an updated version. 
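Review bot: The two headings in the @@ -181,11 +182,11 @@ hunk embed markdown links, `### The [automatic upgrade](...)` and `### The [manual upgrade](...)`. A link inside a heading renders as a clickable heading and produces an anchor id derived from the link text, which is fragile if the link text changes. Suggest plain heading text (`### The automatic upgrade`) and moving the link to the Tails documentation into the first bullet under each heading.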
@@ -194,7 +195,8 @@ Every time you start Tails, the Tails Upgrader checks if you are using the lates # II) Going Further: Several Tips and Explanations ## Tor -***What is Tor?*** + +### What is Tor? [Tor](/glossary/#tor-network) stands for The Onion Router, and is the best way to be anonymous on the Internet. Tor is an open-source software associated with a public network of several thousand relays (servers). Instead of connecting directly to a location on the Internet, Tor will take a detour via three intermediate relays. Tor Browser uses Tor, but other applications can too if they are properly configured. All applications included by default in Tails that connect to the Internet use Tor. 
@@ -208,7 +210,7 @@ This means that any intermediaries between you and relay #1 know you're using To Tor has multiple limitations. For example, an entity with the appropriate technical and legal means can, if it assumes you're connecting from a specific Wi-Fi connection to post to a specific site, try to match what comes out of your connection to what goes into the site (a "correlation attack"). However, this type of attack has never been used to incriminate someone in court by itself, to our knowledge. For sensitive activities, use Internet connections that are not tied to your identity in order to protect yourself in the scenario that Tor is not perfect. -***What is HTTPS?*** +### What is HTTPS? Virtually all websites today use [HTTPS](/glossary/#https); the S stands for "secure" (for example, https://www.anarsec.guide). If you try to visit a website without `http://` on Tor Browser, there is a warning message before continuing. If you see `http://` instead of `https://` before the address of a website, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your log-in information). HTTPS means that the digital records of what you do on the site you are visiting is protected with an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are going to riseup.net, for example, but they will not have access to your emails and passwords nor will they know if you are consulting your emails or if you are reading a random page on the site. A little padlock appears to the left of the site address when you use HTTPS. 
@@ -220,7 +222,7 @@ HTTPS is essential both to limit your web fingerprint, but also to prevent an in In short, don't visit websites that don't use HTTPS. -***Onion Services: what is .onion?*** +### Onion Services: what is .onion? Perhaps you have seen a strange site address containing 56 random characters, ending in .onion? This is called an onion service, and the only way to visit a website that uses such an address is to use the Tor Browser. The "deepweb" and "darkweb" are terms popularized in news media in recent years to describe these onion services. @@ -234,7 +236,7 @@ The .onion site address is so long because it includes the site's certificate. H Some sites offer both a classic URL as well as an .onion address. In this case, if the site has been configured for it, an indication ".onion available" should appear. If not, sometimes the site indicates the .onion address somewhere on its page. To find out the addresses of sites which are only available as .onion, you have to either get them by word of mouth, or through websites that list other .onion sites, such as this [GitHub page](https://github.com/alecmuffett/real-world-onion-sites). -***Sites that block Tor*** +### Sites that block Tor The Tor network is blocked and otherwise rendered more inconvenient to use in many ways. You may be confronted with CAPTCHA images (a kind of game that verifies you “are not a robot”) or obliged to provide additional personal data (ID card, phone number…) before proceeding, or Tor may be completely blocked. 
@@ -244,7 +246,7 @@ Perhaps only certain Tor relays are blocked. In this case, you can change the To It is also possible that the entire Tor network is blocked, because all Tor relays are public. In this case you can try to use a proxy to get to the site, such as https://hide.me/en/proxy (but only if you don't have to enter any personal data or do anything sensitive like login information). You can also check whether the page you want to access has been saved to the Wayback Machine: web.archive.org. -***Separate Anonymous Identities Cleanly*** +### Separate Anonymous Identities Cleanly It is not recommended to perform different tasks on the Internet that should not be associated with each other during the same Tails session. You have to separate different (contextual) identities carefully! For example, it is dangerous to check your personal emails via Tor Browser and to publish an anonymous text during the same session. That is, you should not be identifiable and anonymous on the Tor network at the same time. You also shouldn't use the Tor network under pseudonym A and pseudonym B in the same session, because these pseudonyms could be connected to each other on a monitored or compromised Tor exit relay. Shut down and restart Tails between Internet activities of different identities! 
@@ -254,7 +256,7 @@ The 'New Identity' feature of Tor Browser is not sufficient to completely separa The Onion Circuits application shows which Tor circuit a connection to a server uses (website or otherwise). Sometimes, it can be useful to make sure that the exit relay is not located in a certain country, to be further away from the easiest access of investigating authorities. In the example above, the connection to check.torproject.org goes through the relays tor7kryptonit, Casper03, and the exit node blackfish. If you click on a circuit, technical details about the relays of the circuit appear in the right pane. The 'New Identity' feature of Tor Browser is useful for changing this exit relay without needing to reboot the Tails session, which can be repeated until you have an exit relay you are happy with. We are not suggesting to use 'New Identity' when switching between identities, but simply when you want to change the exit node within a single identity's activity. -***Tor Browser security settings*** +### Tor Browser security settings ![](safest.png) 
@@ -262,31 +264,31 @@ Like any software, Tor Browser has vulnerabilities that can be exploited. To lim The layout of some sites may be modified, and some types of content will be disabled (SVG images, videos are click-to-play, etc.). For example, this website has two things which will be blocked on Safest mode because they rely on Javascript: dark mode, and the Table of Contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them on a less restrictive setting on a site by site basis. Note that both of the less restrictive setting allow scripts to function, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario. -***Downloading/uploading and the Tor Browser folder*** +### Downloading/uploading and the Tor Browser folder The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prevent it from being able to snoop on all your files, just in case it is comprised by a malicious website. This means there are special considerations for uploading or downloading files with the Tor Browser. -*Downloads* +#### Downloads When you download something using the Tor Browser it will be saved in the Tor Browser folder (`/home/amnesia/Tor Browser/`), which is inside the "sandbox". If you want to do anything with this file, you should then move it out of the Tor Browser folder. You can use the file manager (**Applications → Accessories → Files**) to do this. ![](nautilus.png) -*Uploads* +#### Uploads Similarly, if you want to upload something using the Tor Browser (for example attaching a file to a blog post or email you have open in the browser), you will first have to move or copy that file into the Tor Browser folder. Then it will be available to you when you go to select an upload in the Tor Browser. 
-*RAM* +#### RAM Be aware that, because all of your Tails session is running in RAM (unless you have set up Persistent Storage), if you are downloading or otherwise working with very large files, your RAM may fill up. This will cause Tails to slow down or glitch. You can mitigate this by closing unneeded applications and deleting other files you have downloaded. In the worst case, you may need to enable Persistent Storage and move large files to the persistent Tor Browser folder so they will no longer use up RAM. -***Share Files with Onionshare*** +### Share Files with Onionshare ![](onionshare.png) It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.boum.org/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). Normally, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to Settings and unselect "Stop sharing after first download". As soon as you close OnionShare, cut the Internet connection, or shut down Tails, the files can no longer be accessed. This is a great way of sharing files because it doesn't require plugging a USB into someone else's computer, which is [not recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared via another channel (like a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type). -***Make Correlation Attacks More Difficult*** +### Make Correlation Attacks More Difficult When you request a web page through a web browser, it is transmitted to you in small "packets" characterized by a specific size and timing (alongside other characteristics). When using Tor Browser, the sequence of transmitted packets can also be analyzed and assigned certain patterns. The patterns here can be matched with those of monitored websites on the Internet. 
To make this "correlation attack" more difficult, before connecting to a sensitive website you can open various other pages that require loading (such as streaming videos on a privacy-friendly website like kolektiva.media) in additional tabs of your browser. This is officiallly recommended by Tor - see [Do multiple things at once with your Tor client](https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations/). This will generate a lot of additional traffic, which will make the analysis of your pattern more difficult. @@ -295,6 +297,7 @@ When you request a web page through a web browser, it is transmitted to you in s Tails includes [many applications](https://tails.boum.org/doc/about/features/index.en.html) by default. The documentation gives an overview of [Internet applications](https://tails.boum.org/doc/anonymous_internet/index.en.html), applications for [encryption and privacy](https://tails.boum.org/doc/encryption_and_privacy/index.en.html), as well as applications for [working on sensitive documents](https://tails.boum.org/doc/sensitive_documents/index.en.html). In the rest of this section, we will just highlight common use cases relevant to anarchists, but read the documentation for further information. ## Password Manager (KeePassXC) + If you're going to need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Application → Favorites → KeePassXC**) which allows you to store your passwords in a file and protect them with a single master password. In the terminology used by KeePassXC, a *password* is a randomized sequence of characters (letters, numbers, and other symbols), whereas a *passphrase* is a random series of words. ![](seconds.png) 
@@ -381,6 +384,7 @@ To install software from the Debian software repository: For more information, see the documentation on [Installing additional software](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html). ## Remember to make backups! + A Tails USB is easily lost and USBs have a much shorter life span than a hard drive (especially the cheap ones). If you put important data on it, think about making regular backups. If you use a second LUKS-encrypted USB, this is as simple as using the File Manager to copy files to a backup LUKS-encrypted USB. If you use Persistent Storage, see the [documentation on backing it up](https://tails.boum.org/doc/persistent_storage/backup/index.en.html). diff --git a/content/posts/tamper/index.md b/content/posts/tamper/index.md index ca0c664..36d3e43 100644 --- a/content/posts/tamper/index.md +++ b/content/posts/tamper/index.md 
@@ -37,6 +37,8 @@ Verification that the random pattern hasn't changed can be done manually with wh The Blink Comparison app encrypts its storage, to prevent an adversary from easily replacing the photos, and gives a helpful interface for comparing them. The app helps you to take the comparison photo from the same angle and distance as the original photo. Blink Comparison then switches between the two images when the screen is touched, making direct comparison much easier. +## Implementation + Now that you understand the nuances of using nail polish on the chassis screws of your laptop(s), we'll actually do it - this is best done after [flashing HEADS](#tamper-evident-software-and-firmware) so that it doesn't have to be removed and repeated. Before getting started, you can also take a photo of the inside of the laptop, in case one day you need to check if its internal components have been tampered with despite the nail polish protection (keeping in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like that shown above. * First, take a photo of the underside of the computer and use a software like GIMP to number the screws, in order to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws which need to be numbered so that in the future you know which screw the photo `3.jpg` refers to. 
@@ -63,21 +65,36 @@ Several colorful mixtures are described: [red lentils & beluga lentils](https:// This excerpted instruction assumes that we take the cellphone with us, but [as discussed elsewhere](/posts/nophones/#do-you-really-need-a-phone), this has its own security issues and so is not recommended. So the smartphone that we use to take a photo of the storage will need to stay in the house out of storage. [In the next section](#physical-intrusion-detection), we recommend that you acquire a cheap Android phone that only runs an app called Haven when you are out of the house. This device is going to stay out of storage anyway, so you can use it to take photos of the storage. Alternatively, if you don't have a dedicated Haven phone but you do have a [GrapheneOS](/posts/grapheneos/) device (or if the Haven phone camera is too low-quality), you can use it to take photos of the storage and then hide it somewhere in your home while you are away. With no phone, a camera can be used. Cameras, however, don't have encryption, so modifying the photos is significantly easier.
-If you use a dedicated Haven phone -
+ + +**If you use a dedicated Haven phone** + + +
* Once you have put bagged electronic devices in the container, and covered them with a colorful mixture, take the photos on this Haven phone using the Blink Comparison app. Send them to yourself over [Signal](/posts/e2ee/#signal) (with the Note to Self feature, and delete for everyone) or [Element](/posts/e2ee/#element-matrix). * Once you return, do the verification on the Haven phone using Blink Comparison. * Once your devices are out of storage, check that the images you sent to yourself on Signal/Element aren't different from those on your Haven phone, and also check the timestamp. Once the verification is complete, you can delete the photos so that there is no confusion in future verifications about which photos to use. -
-If you use a GrapheneOS phone, but not a dedicated Haven phone +
+ +
+ + +**If you use a GrapheneOS phone, but not a dedicated Haven phone** + + +
+ * Once you have put bagged electronic devices in the container, and covered them with a colorful mixture, take the photos using the Blink Comparison app. Send them to yourself over [Signal](/posts/e2ee/#signal) (with the Note to Self feature, and delete for everyone) or [Element](/posts/e2ee/#element-matrix). Power off the device and hide it somewhere. * Once you return, do the verification using Blink Comparison. * Once your laptop is out of storage, check that the images you sent to yourself on Signal/Element aren't different from those on your GrapheneOS phone, and also check the timestamp. Once the verification is complete, you can delete the photos so that there is no confusion in future verifications about which photos to use. If the phone is found and the firmware or software is modified, Auditor will notify you. +
+
+ # Physical Intrusion Detection "Defense in depth" means that there are multiple layers of security that need to be bypassed for an adversary to succeed. [Physical intrusion detection](https://www.csrc.link/threat-library/mitigations/physical-intrusion-detection.html) should be done in addition to tamper-evident laptops and storage. This way, even if a covert house search doesn't interact with the tamper-evident storage (for example, because the goal is to install [covert surveillance devices](https://www.csrc.link/threat-library/techniques/covert-surveillance-devices.html)), you can still find out about it.