mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 14:52:54 -04:00
tails update
parent
9c9e5152ab
commit
18c410f95c
3 changed files with 40 additions and 41 deletions
|
@ -158,10 +158,11 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
|
|||
|
||||
> What's a *write-protect* switch? When you insert a normal USB into a computer, the computer does *read* and *write* operations with it, and a *write* operation can change the data on the USB. Some special USBs developed for malware analysis have a physical switch that can lock the USB, so that data can be *read* from it, but no new data can be *written* to it.
|
||||
|
||||
If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are also from an attacker compromising the Tails software when the switch is locked. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot carry over to subsequent Tails sessions. Note that HEADS firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. If you aren't using HEADS and you are unable to obtain such a USB, you have two options.
|
||||
If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are also from an attacker compromising the Tails software when the switch is locked. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot carry over to subsequent Tails sessions. Note that HEADS firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. If you aren't using HEADS and you are unable to obtain such a USB, you have three options.
|
||||
|
||||
1) [Burn Tails to a new DVD-R/DVD+R](https://tails.net/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten.
|
||||
2) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.net/doc/advanced_topics/boot_options/index.en.html).
|
||||
1) Install Tails on a SD card, and use a USB 3.0 to SD card adapter, because SD cards have a write-protect switch.
|
||||
2) [Burn Tails to a new DVD-R/DVD+R](https://tails.net/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten.
|
||||
3) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.net/doc/advanced_topics/boot_options/index.en.html).
|
||||
* For SYSLINUX, when the boot screen appears, press Tab, and type a space. Type `toram` and press Enter.
|
||||
* For GRUB, when the boot screen appears, press `e` and use the keyboard arrows to move to the end of the line that starts with `linux`. The line is probably wrapped and displayed on multiple lines, but it is a single configuration line. Type `toram` and press F10 or Ctrl+X.
|
||||
* You can eject the Tails USB at the beginning of your session before you do anything else (whether it is connecting to the Internet or plugging in another USB) and then still use it like normal.
|
||||
|
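Review bot: The paragraph that changes "two options" to "three options" still reads "you are also from an attacker compromising the Tails software", which is missing a word (presumably "protected"). Since the line is already being rewritten, fix it in this commit. The new option 1 should read "Install Tails on an SD card" rather than "a SD card". Option 1 could also say that the card's switch has to be locked after installation, as the paragraph above says for the USB ("when the switch is locked").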
@ -184,8 +185,6 @@ Finally, a note about email — if you already use Tails and encrypted email, yo
|
|||
|
||||
Another reason to avoid using Persistent Storage features is that many of them persist user data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is user data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization with Persistent Storage enabled, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work.
|
||||
|
||||
If its not possible to find a USB with a write-protect switch, you can alternatively use a USB 3.0 to SD card adapter, because SD cards have a write-protect switch.
|
||||
|
||||
# Encryption
|
||||
|
||||
## Passwords
|
||||
|
|
|
@ -20,27 +20,27 @@ Tails is an [operating system](/glossary/#operating-system-os) that makes anonym
|
|||
|
||||
The [documentation on the Tails website](https://tails.net/doc/index.en.html) is excellent and easy to follow. This tutorial summarizes the most relevant documentation and additionally includes configuration and usage advice specific to an anarchist [threat model](/glossary/#threat-model). Our [Tails Best Practices](/posts/tails-best) article goes into more detail, but we recommend that you familiarize yourself with the basics of Tails before reading it.
|
||||
|
||||
# TAILS: **T**he **A**mnesic & **I**ncognito **L**ive **S**ystem
|
||||
# TAILS: The Amnesic & Incognito Live System
|
||||
|
||||
Tails is an operating system. You have probably heard of "Windows" or "macOS", these are names for two of the most common operating systems. An operating system is the set of programs that run the various components (hard drive, screen, processor, memory, etc...) of the computer and allow it to function.
|
||||
Tails is an operating system. An operating system is the set of programs that run the various components (hard drive, screen, processor, memory, etc...) of the computer and allow it to function.
|
||||
|
||||
There are other operating systems. Maybe you have heard of Linux? Linux refers to a family of operating systems that branches off into several sub-families, or different versions of Linux, one of which is called Debian. In the Debian sub-family we find Ubuntu and Tails. Tails is a distribution (version) of Linux with several distinguishing features:
|
||||
You have probably heard of "Windows" or "macOS", the two most common operating systems. There are other operating systems — maybe you have heard of Linux? Linux refers to a family of operating systems that branches off into several sub-families, or different versions of Linux, one of which is called Debian. In the Debian sub-family we find Ubuntu and Tails. Tails is a distribution (version) of Linux with several distinguishing features:
|
||||
|
||||
* ***Live System***
|
||||
* Tails is a so-called live system. While other operating systems live on your computer's hard drive, Tails is installed on an external device such as a USB (or even an SD card or DVD). When you start your computer with the Tails device plugged in, your computer runs off of that device instead, leaving your hard drive untouched. You can even use Tails on a computer without a hard drive.
|
||||
* Tails is a so-called live system. While other operating systems run from your computer's hard drive, Tails is installed on an external device such as a USB (or even an SD card or DVD). When you start your computer with the Tails device plugged in, your computer runs off of that device instead, leaving your hard drive untouched. You can even use Tails on a computer without a hard drive.
|
||||
* ***Amnesia***
|
||||
* Tails is designed to leave no data on the computer you are using; it writes nothing to the hard drive, and runs only in RAM (memory), which is automatically erased after shutdown. The Tails live system itself (usually running on a USB) is also left untouched. The only way to save information is to move it to another USB partition before shutting down (see below). The purpose of this is to avoid leaving forensic traces that someone with physical access to your computer or your Tails USB could later read. Things like Internet search history, cache, "recently edited" documents, etc. are all erased. Tails also leaves no trace that it was ever used on the computer itself.
|
||||
* Tails is designed to leave no data on the computer you are using; it writes nothing to the hard drive, and runs only in RAM (memory), which is automatically erased after shutdown. The Tails live system itself (usually running on a USB) is also left untouched. The only way to save information is to move it to another USB partition before shutting down (see below). The purpose of this is to avoid leaving forensic traces that someone with physical access to your computer or your Tails USB could later read. Things like Internet search history, "recently edited" documents, etc. are all erased.
|
||||
* ***Incognito***
|
||||
* Tails is also a system that allows you to be incognito, or anonymous. It hides the elements that could reveal your identity, location, etc. Tails uses the [Tor anonymity network](/glossary#tor-network) to protect your anonymity online by forcing all default software to connect to the Internet through Tor. If an application tries to connect to the Internet directly, Tails will automatically block the connection. Tails also changes the "MAC address" of your network hardware, which can be used to uniquely identify your laptop.
|
||||
|
||||

|
||||
|
||||
* ***Security***
|
||||
* Tails was designed with security in mind. A minimal, functional, and verified environment is already installed (with everything needed for basic word processing, image editing, etc.). It comes bundled with easy-to-use [encryption](/glossary/#encryption) and data deletion tools, as well as protection against common attacks or threats.
|
||||
* Tails was designed with security in mind. A minimal, functional, and verified environment is already installed (with everything needed for basic word processing, image editing, encryption, etc.).
|
||||
|
||||
Today's digital security is not necessarily tomorrow's. **Protecting personal data requires regular updates.** Digital tools are unreliable if they are never updated, and to have lasting confidence in these tools, it is good to know that teams are actively maintaining them and that they have a good reputation. It is important to understand the spirit of Tails: everything is designed with security in mind. However, in software, there is no such thing as an omnipotent tool; there are always limits. Also, **the way you use Tails can create security problems.**
|
||||
Today's digital security is not necessarily tomorrow's. **Protecting personal data requires regular updates.** Digital tools are unreliable if they are never updated, and to have lasting confidence in these tools, it is good to know that teams are actively maintaining them and that they have a good reputation. It is important to understand the spirit of Tails: everything is designed with security in mind. However, in software, there is no such thing as a perfect tool; there are always limits. Also, **the way you use Tails can create security problems.**
|
||||
|
||||
Tails is free and [open-source](/glossary/#open-source) software. Anyone can view, download and modify the source code (the recipe)... It is absolutely necessary to make sure that the version of Tails you have is sound. Don't neglect the verification steps during installation, which are well explained on the Tails website.
|
||||
Tails is free and [open-source](/glossary/#open-source) software. Anyone can view, download and modify the source code (the recipe)... It is absolutely necessary to make sure that the version of Tails you have is genuine. Don't neglect the verification steps during installation, which are well explained on the Tails website.
|
||||
|
||||
Tails allows non-experts to benefit from digital security and anonymity without a steep learning curve. Using Tor is central to digital anonymity, and Tails helps us make as few mistakes as possible when using Tor and some other tools. Using Tails takes very little effort to make everyday digital behavior more secure, even if it seems “inconvenient” at times. The "convenient" alternative, on the other hand, means an increased risk of repression — not only for you, but also for those you communicate with.
|
||||
|
||||
|
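Review bot: The rewritten Security bullet drops the glossary link on "encryption" ("[encryption](/glossary/#encryption)"), along with the mention of data deletion tools and protection against common attacks. Other terms in this section keep their glossary links (operating system, Tor network, open-source), so consider keeping the link in the new wording, for example "image editing, [encryption](/glossary/#encryption), etc.". In the same hunk, the merged Windows/macOS paragraph introduces "There are other operating systems — maybe you have heard of Linux?", which reads more cleanly as two sentences.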
@ -61,11 +61,11 @@ It makes no sense to say "this tool is secure". Security always depends on the t
|
|||
### Select a USB/DVD:
|
||||
|
||||
* Tails will only work with USBs that are at least 8GB, DVDs, or SD cards. Any data on the USB will be completely erased during installation, so save it somewhere else before, and if you don't want any trace of what was there before, use a new USB.
|
||||
* The [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch) article recommends using a USB with a write-protect switch (an unmodifiable disk). When locked, the switch prevents the contents of the USB from being changed at all. This prevents you from leaving anything behind when doing sensitive work, and prevents your laptop from compromising your Tails USB. The write-protect switch must be turned off during installation. If you are unable to obtain such a USB, you can run Tails from a DVD-R/DVD+R, or always boot with the `toram` option (described in the article).
|
||||
* The [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch) article recommends using a USB with a write-protect switch (an unmodifiable disk). When locked, the switch prevents the contents of the USB from being changed at all. This prevents a compromised Tails session from compromising your Tails USB. The write-protect switch must be turned off during installation. If you are unable to obtain such a USB, you can run Tails from a SD card, DVD-R/DVD+R, or always boot with the `toram` option (described in the article).
|
||||
|
||||
### Select a laptop:
|
||||
|
||||
* Although it is possible to use Tails on a desktop computer, it is not recommended because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. Also, it would be harder to detect if someone had opened your desktop case and installed a physical keylogger. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more information on obtaining a laptop.
|
||||
* Although it is possible to use Tails on a desktop computer, it is not recommended because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more information on obtaining a laptop.
|
||||
|
||||
Some laptop and USB models will not work with Tails, or some features will not work. To see if your model has any known issues, see the [Tails known issues page](https://tails.net/support/known_issues/).
|
||||
|
||||
|
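Review bot: In the new write-protect bullet, "you can run Tails from a SD card, DVD-R/DVD+R, or always boot with the `toram` option" should say "an SD card". The list is also not parallel, since the first two items are media and the third is a boot option. Suggested wording: "you can run Tails from an SD card or a DVD-R/DVD+R, or always boot with the `toram` option". The rewrite also removes the earlier stated benefit "This prevents you from leaving anything behind when doing sensitive work"; please confirm that this is intentional and not lost while rephrasing.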
@ -83,11 +83,11 @@ There are two solutions for the "source".
|
|||
|
||||
### Solution 2: Install by download (preferred)
|
||||
|
||||
* You must follow the [Tails installation instructions](https://tails.net/install/index.en.html). The Tails website provides step-by-step instructions; it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you ([man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.net/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download.
|
||||
* Follow the [Tails installation instructions](https://tails.net/install/index.en.html); it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you (this is called a [man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.net/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download.
|
||||
|
||||
## Booting from your Tails USB
|
||||
|
||||
Once you have a Tails USB, follow the Tails instructions [for booting Tails on a Mac or PC](https://tails.net/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on your laptop. The Boot Loader screen will appear and Tails will start automatically after 4 seconds.
|
||||
Once you have a Tails USB, follow the Tails instructions [for booting Tails on a Mac or PC](https://tails.net/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on your laptop. The Boot Loader screen will appear and Tails will start automatically after several seconds.
|
||||
|
||||

|
||||
|
||||
|
@ -98,7 +98,7 @@ After about 30 seconds of loading, the [Welcome Screen](https://tails.net/doc/fi
|
|||
On the Welcome Screen, select your language and keyboard layout in the **Language & Region** section. For Mac users, there is a keyboard layout for Macintosh. Under "Additional Settings" you will find a **+** button, click it and more configuration options will appear:
|
||||
|
||||
* Administration Password
|
||||
* Set this if you need administration rights for a program. This is necessary, for example, to install additional software that you want to use during your Tails session. In the following dialog you can enter any password (and you have to remember it!). It will only be valid for this one Tails session. Use the session only for what you need administration privileges for, and then reboot without an administration password before doing anything else.
|
||||
* Set this if you need administration rights. This is necessary, for example, to install additional software that you want to use during your Tails session. In the following dialog you can enter any password (and you have to remember it!). It will only be valid for this one Tails session.
|
||||
* MAC Address Spoofing
|
||||
* We recommend that you never disable this. It is enabled by default.
|
||||
* Network Connection
|
||||
|
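Review bot: The new Administration Password bullet removes the operational advice "Use the session only for what you need administration privileges for, and then reboot without an administration password before doing anything else." This is the only sentence in the bullet that tells the reader how to limit the risk of a session with an administration password set. If the removal is deliberate, the commit message ("tails update") should say why, or the bullet should link to where the advice now lives. Otherwise keep the sentence after "It will only be valid for this one Tails session."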
@ -112,23 +112,23 @@ If you have Persistent Storage enabled, the passphrase to unlock it will appear
|
|||
|
||||

|
||||
|
||||
Tails is a classic and simple operating system.
|
||||
Tails is a simple operating system.
|
||||
|
||||
1. The Activities menu. Allows you to see an overview of your windows and applications. It also allows you to search for applications, files, and folders. You can also access Activities by sending your mouse to the top left corner of your screen or by pressing the Command/Window (❖) key.
|
||||
2. The Applications menu. Lists available applications (software), organized by topic.
|
||||
2. The Applications menu. Lists available applications (software), organized by category.
|
||||
3. The Places menu. Shortcuts to various folders and storage devices, which can also be accessed through the Files browser (**Applications → Accessories → Files**).
|
||||
4. Date and time. Once connected to the Internet, all Tails systems around the world [share the same time](https://tails.net/doc/first_steps/desktop/time/index.en.html).
|
||||
5. The Tor status indicator. Tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the Onion Circuits application from here. Check your Tor connection by visiting `check.torproject.org` in your Tor Browser.
|
||||
6. The "Universal Access" button. This menu allows you to enable accessibility software such as the screen reader, visual keyboard, and large text display.
|
||||
7. Choice of keyboard layouts. An icon showing the current keyboard layout (in the example above, en for an English layout). Clicking it provides options for other layouts selected at the Welcome Screen.
|
||||
8. The System menu. From here, you can change the screen brightness and volume, the Wi-Fi and Ethernet connection (if connected), the battery status, and the restart and shutdown buttons.
|
||||
8. The System menu. From here, you can access the volume and screen brightness, the Wi-Fi and Ethernet connection (if connected), the battery status, and the restart and shutdown buttons.
|
||||
9. The Workspaces icon. This button toggles between multiple views of the desktop (called "workspaces”), which can help reduce visual clutter on a small screen.
|
||||
|
||||
If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the system menu, see the [troubleshooting documentation](https://tails.net/doc/anonymous_internet/no-wifi/index.en.html). Once you connect to Wi-Fi, a Tor Connection assistant will appear to help you connect to the Tor network. Select **Connect to Tor automatically**, unless you are in a country where you need to hide that you're using Tor (in which case you'll need to configure [a bridge](https://tails.net/doc/anonymous_internet/tor/index.en.html#hiding)).
|
||||
|
||||
## Optional: Create and Configure Persistent Storage
|
||||
|
||||
Tails is amnesiac by default. It will forget everything you have done as soon as you end the session. This isn't always what you want — for example, you may want to work on a document that you can't finish in one session. The same goes for installing additional software: you would have to redo the installation each time you start up. Tails has a feature called Persistent Storage, which allows you to save certain data between sessions. This is explicitly less secure, but necessary for some activities.
|
||||
Tails is amnesiac by default. It will forget everything you have done as soon as you end the session. This isn't always what you want — for example, you may want to install additional software without needing to re-install it each time you start up. Tails has a feature called Persistent Storage, which allows you to save data between sessions. This is explicitly less secure, but necessary for some activities.
|
||||
|
||||
The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows a user to make some data persistent — that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**.
|
||||
|
||||
|
@ -188,7 +188,7 @@ Every time you start Tails, right after you connect to the Tor network, the Tail
|
|||
|
||||
### What is Tor?
|
||||
|
||||
[Tor](/glossary/#tor-network), which stands for The Onion Router, is the best way to be anonymous on the Internet. Tor is open-source software connected to a public network of thousands of relays (servers). Instead of connecting directly to a location on the Internet, Tor takes a detour through three intermediate relays. The Tor Browser uses the Tor network, but other applications can as well if they are configured properly. All internet-facing applications included in Tails by default use Tor.
|
||||
[Tor](/glossary/#tor-network), which stands for The Onion Router, is the best way to be anonymous on the Internet. Tor is open-source software connected to a public network of thousands of relays (servers). Instead of connecting directly to a location on the Internet, Tor takes a detour through three intermediate relays. The Tor Browser uses the Tor network, but other applications can as well if they are configured properly. All default applications included in Tails use Tor if they need to connect to the Internet.
|
||||
|
||||

|
||||
|
||||
|
@ -198,11 +198,11 @@ Internet traffic, including the IP address of the final destination, is encrypte
|
|||
|
||||
This means that any intermediaries between you and relay #1 know that you're using Tor, but they don't know what site you're going to. Any intermediaries after relay #3 know that someone in the world is going to that site, but they don't know who it is. The site's web server sees you coming from the IP address of relay #3.
|
||||
|
||||
Tor has several limitations. For example, if someone with the technical and legal means believes you're connecting from a particular Wi-Fi connection to visit a particular site, they can try to match what comes out of your connection with what goes into the site (a "correlation attack"). However, to our knowledge, this type of attack has never been used by itself to incriminate someone in court. For sensitive activities, use Internet connections that are not tied to your identity to protect yourself in case Tor fails.
|
||||
Tor has several limitations. For example, if someone with the technical and legal means believes you're connecting from a particular Wi-Fi connection to visit a particular site, they can try to match your Wi-Fi connection with what the website activity (a "correlation attack"). However, to our knowledge, this type of attack has never been used by itself to incriminate someone in court. For sensitive activities, use Internet connections that are not tied to your identity to protect yourself in case Tor fails.
|
||||
|
||||
### What is HTTPS?
|
||||
|
||||
Virtually all websites today use [HTTPS](/glossary/#https) — the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are going to, for example, riseup.net, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS.
|
||||
Virtually all websites today use [HTTPS](/glossary/#https) — the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are visiting riseup.net, for example, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS.
|
||||
|
||||
If there's a yellow warning on the padlock, it means that some elements on the page you're viewing are not encrypted (they use HTTP), which could reveal the exact page or allow intermediaries to partially modify the page. By default, the Tor Browser uses HTTPS-Only Mode to prevent users from visiting HTTP sites.
|
||||
|
||||
|
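Review bot: The rewritten correlation-attack sentence is ungrammatical: "they can try to match your Wi-Fi connection with what the website activity (a "correlation attack")" has a stray "what the". The replaced wording ("match what comes out of your connection with what goes into the site") was also clearer about what is being compared. Either restore it or use something like "they can try to match the activity on your Wi-Fi connection with the activity on the website".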
@ -210,11 +210,11 @@ If there's a yellow warning on the padlock, it means that some elements on the p
|
|||
|
||||
HTTPS is essential both to limit your web fingerprint and to prevent an intermediary from modifying the data you exchange with websites. If the intermediary cannot decrypt the data, they cannot modify it. For an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties, see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https).
|
||||
|
||||
In short, don't visit websites that don't use HTTPS.
|
||||
In short, don't visit websites that aren't using HTTPS.
|
||||
|
||||
### Onion Services: what is .onion?
|
||||
|
||||
Have you ever seen a strange website address with 56 random characters ending in .onion? This is called an onion service, and the only way to visit a website using such an address is to use the Tor Browser. The "deepweb" and "darkweb" are terms that have been popularized in the media in recent years to describe these onion services.
|
||||
Have you ever seen a strange website address with 56 random characters ending in .onion? This is called an onion service, and the only way to visit a website using such an address is to use the Tor Browser. The "deepweb" and "darkweb" are terms that have been popularized in the media to describe these onion services.
|
||||
|
||||

|
||||
|
||||
|
@ -238,7 +238,7 @@ Since all Tor relays are public, it is also possible that the site is blocking t
|
|||
|
||||
### Cleanly Separate Anonymous Identities
|
||||
|
||||
It is not recommended to perform different Internet tasks that should not be associated with each other during the same Tails session. You must separate different (contextual) identities carefully! For example, it is dangerous to check your personal email and publish an anonymous text during the same session. In othe words, you should not be identifiable and anonymous on the Tor network at the same time. You also shouldn't use the Tor network under both pseudonym A and pseudonym B in the same session, as these pseudonyms could be connected through a monitored or compromised Tor exit relay. Shut down and restart Tails between Internet activities under different identities!
|
||||
It is not recommended to perform different Internet tasks that should not be associated with each other during the same Tails session. You must separate different (contextual) identities carefully! For example, it is dangerous to check your personal email and publish an anonymous text during the same session. In other words, you should not be identifiable and anonymous on the Tor network at the same time. You also shouldn't use the Tor network under both pseudonym A and pseudonym B in the same session, as these pseudonyms could be connected through a monitored or compromised Tor exit relay. Shut down and restart Tails between Internet activities under different identities!
|
||||
|
||||
The Tor Browser's 'New Identity' feature is not sufficient to completely separate contextual identities in Tails, since it does not reestablish connections outside the Tor Browser, and you keep the same Tor entry node. Restarting Tails is a better solution.
|
||||
|
||||
|
@ -252,7 +252,7 @@ The Onion Circuits application shows which Tor circuit a server connection (webs
|
|||
|
||||
Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest**. The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||
|
||||
The layout of some pages may be changed, and some types of content may be disabled (SVG images, click-to-play videos, etc.). For example, this site has two things that will be blocked in Safest mode because they rely on Javascript: dark mode and the article's table of contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them with a less restrictive setting on a site-by-site basis. Remember that both "Standard" and "Safer" settings allow scripts to work, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
||||
The layout of some pages may be changed, and some types of content may be disabled (SVG images, click-to-play videos, etc.). For example, anarsec.guide has two things that will be broken in Safest mode because they rely on Javascript: dark mode and the article's table of contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them with a less restrictive setting on a site-by-site basis. Remember that both "Standard" and "Safer" settings allow scripts to work, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
||||
|
||||
### Downloading/uploading and the Tor Browser folder
|
||||
|
||||
|
@ -270,7 +270,7 @@ Similarly, if you want to upload something using the Tor Browser (for example, t
|
|||
|
||||
#### RAM
|
||||
|
||||
Be aware that if you are downloading or otherwise working with very large files, your RAM (memory) may fill up. This is because your entire Tails session is running in RAM (unless you have set up Persistent Storage, which uses the USB). If the RAM fills up, Tails will slow down or crash. You can mitigate this by closing unneeded applications and deleting other files you have downloaded. In the worst case, you may need to enable Persistent Storage and move large files to the persistent Tor Browser folder to stop them from using RAM.
|
||||
Be aware that if you are downloading or otherwise working with very large files, your RAM (memory) may fill up. This is because your entire Tails session is running in RAM (unless you have set up Persistent Storage, which uses the USB). If the RAM fills up, Tails will slow down or crash. You can mitigate this by closing unneeded applications and deleting other files you have downloaded. In the worst case, you may need to temporarily enable Persistent Storage to download or upload large files via the persistent Tor Browser folder, which uses the USB instead of RAM.
|
||||
|
||||
### Share Files with Onionshare
|
||||
|
||||
|
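Review bot: The new RAM sentence says to "temporarily enable Persistent Storage" but never says how the temporary state ends. Because the persistent Tor Browser folder "uses the USB instead of RAM", the large files stay on the stick after the session. Suggest adding a clause on deleting those files (or the Persistent Storage itself) afterwards, or pointing to the section of the guide that covers it.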
@ -300,9 +300,9 @@ We recommend that you compartmentalize your passwords — have a different KeePa
|
|||
|
||||

|
||||
|
||||
When you [create a new KeePassXC database](https://tails.net/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), increase the decryption time in the **Encryption settings** window from the default to the maximum (5 seconds). Then choose a [strong passphrase](/posts/tails-best/#passwords) and save your KeePassXC file. We recommend that you click the small dice icon (🎲) in the password field to generate a random passphrase of 7-10 words.
|
||||
When you [create a new KeePassXC database](https://tails.net/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), increase the decryption time in the **Encryption settings** window from the default to the maximum (5 seconds). Then choose a [strong passphrase](/posts/tails-best/#passwords) and save your KeePassXC file. We recommend that you click the small dice icon in the password field to generate a random passphrase of 7-10 words.
|
||||
|
||||
This KeePassXC database file will contain all your passwords/passphrases and must persist between sessions on your Persistent Storage or on a separate LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). As soon as you close KeePassXC or don't use it for a few minutes, it will lock. Make sure you do not forget your main passphrase.
|
||||
This KeePassXC database file will contain all your passwords/passphrases and must persist between sessions on your Persistent Storage or on a separate LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). As soon as you close KeePassXC or don't use it for a few minutes, it will lock. Make sure you do not forget your KeePassXC passphrase.
|
||||
|
||||
After creating the database itself, you should see an empty “Root” folder. If you'd like to organize your passwords into different groups, right-click this folder and select "New Group...".
|
||||
|
||||
|
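Review bot: In the last changed line, "your KeePassXC passphrase" is clearer than "main passphrase", but the hunk header context recommends compartmentalizing passwords across different databases, so a reader may have more than one such passphrase. Suggest "the passphrase for this database" so the sentence still holds for someone with several KeePassXC files.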
@ -322,7 +322,7 @@ There are two types of storage: magnetic (HDD) and flash (SSD, NVMe, USB, memory
|
|||
|
||||
However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (i.e. thermite) to be effective.
|
||||
|
||||
For flash memory drives (USBs, SSDs, SD cards, etc.), use pliers to break the circuit board out of the plastic casing. Use a high-quality house-hold blender to shred the memory chips, including the circuit board, into pieces that are ideally less than two millimeters in size. This blender should be dedicated to this task, and not used for food afterwards.
|
||||
For flash memory drives (USBs, SSDs, SD cards, etc.), use pliers to break the circuit board out of the plastic casing. Use a high-quality house-hold blender to shred the memory chips, including the circuit board, into pieces that are ideally less than two millimeters in size. This blender should not be used for food afterwards, even after cleaning it.
|
||||
|
||||
## How to create an encrypted USB
|
||||
|
||||
|
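Review bot: The changed line still spells "house-hold"; it should be "household", and this is the moment to fix it since the line is being rewritten. The rewrite also drops "dedicated to this task". If the intent is that the blender is kept only for destroying drives, keep that wording alongside "even after cleaning it", since the new sentence only says what not to do with it.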
@ -342,13 +342,13 @@ Store data only on encrypted drives. This is necessary if you want to use a sepa
|
|||
* For "Type" select **internal disk to be used with Linux systems only (Ext4)**; check **Password protected volume (LUKS)**
|
||||
* Enter a [strong passphrase](/posts/tails-best/#passwords)
|
||||
|
||||
If you insert an encrypted USB, it will not open automatically, but only when you select it in the Places menu. You will be prompted to enter the passphrase. Before you can remove the drive when you are finished working with it, you must right-click it in **Places → Computer** and select Eject.
|
||||
If you insert an encrypted USB, you will be prompted to enter the passphrase. Before removing the drive after you are finished working with it, you must right-click it in **Places → Computer** and select Eject.
|
||||
|
||||
## Encrypting a file with a password or public key
|
||||
|
||||
In Tails, you can use the Kleopatra application to [encrypt a file](https://tails.net/doc/encryption_and_privacy/kleopatra/index.en.html#index1h1) with a password or public PGP key. This creates a .pgp file. If you want to encrypt a file, do so in RAM before saving it to a LUKS USB. Once the unencrypted version of a file is saved on a USB, the USB must be reformatted to remove it.
|
||||
|
||||
If you choose the password option, you must open the file in Tails and enter the password. If you don't want the unencrypted data to be stored in the same place where you saved it (e.g. on a USB), it's best to copy the encrypted file to a Tails folder that's only in RAM (e.g. **Places → Documents**) before decrypting it.
|
||||
For the same reason, before decrypting a file first copy it to a Tails folder that's only in RAM (e.g. **Places → Documents**).
|
||||
|
||||
## Adding administration rights
|
||||
|
||||
|
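Review bot: The replacement sentence in the Kleopatra section opens with "For the same reason", but the reason sits at the end of the previous paragraph (an unencrypted copy saved on a USB means the USB must be reformatted) and is easy to miss. Suggest naming it in the sentence itself, for example "To avoid writing the decrypted file to the USB, first copy it to a Tails folder that's only in RAM". In the first change of this hunk, the removed text said an encrypted USB opens "only when you select it in the Places menu"; please confirm the passphrase prompt now appears on insertion, otherwise the shortened sentence will mislead.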
@ -359,7 +359,7 @@ Tails requires an administration password (also called a "root" password) to per
|
|||
- Running [commands](/glossary/#command-line-interface-cli) in the root terminal
|
||||
- Accessing certain privileges, such as when you see a window that asks for administration authentication
|
||||
|
||||
By default, the administration password is disabled for added security. This can prevent an attacker with [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to your Tails system from gaining administration privileges. Also, if you set an administration password for your session, you are creating another vector to potentially bypass Tails security.
|
||||
By default, the administration password is disabled for added security. This can prevent an attacker with [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to your Tails system from gaining administration privileges. If you set an administration password for your session, you are creating another vector to potentially bypass Tails security.
|
||||
|
||||
To set an administration password, you must select an administration password on the Welcome Screen when you start Tails. This password is only valid for the duration of the session.
|
||||
|
||||
|
@ -370,7 +370,7 @@ If you install new software, it's up to you to make sure it's secure. Tails forc
|
|||
To install software from the Debian software repository:
|
||||
|
||||
* Start Tails with administration rights, then go to **Applications → System Tools → Synaptic Package Manager**.
|
||||
* When prompted, enter your administration password (if you're doing this for the first time, it will take a while to download the repositories).
|
||||
* When prompted, enter your administration password (it will take a while to download the repositories).
|
||||
* Go to "All" and select the software you want to install: "Select for installation", then "Apply".
|
||||
* Once done, if your Persistent Storage is open, Tails will ask if you want to install it once or add it to your Persistent Storage. If you add it to your Persistent Storage, the relevant software files will be saved there. For security reasons, they are automatically updated whenever a network connection is established.
|
||||
* You can access and remove the additional software you have installed by going to **Applications → System Tools → Additional Software**.
|
||||
|
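Review bot: With "if you're doing this for the first time" removed, the parenthetical "(it will take a while to download the repositories)" hangs off "enter your administration password" and reads as if the password prompt itself is slow. Suggest moving it into its own sentence after the password step, and stating whether the repository download happens in every session, which is what the removal implies.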
@ -385,7 +385,7 @@ If you use Persistent Storage, see the [documentation for backing it up](https:/
|
|||
|
||||
## Privacy screen
|
||||
|
||||
A [privacy screen](https://en.wikipedia.org/wiki/Monitor_filter) can be added to your laptop screen to prevent people (or hidden cameras) from seeing the content unless they are looking directly at it.
|
||||
A [privacy screen](https://en.wikipedia.org/wiki/Monitor_filter) can be added to your laptop screen to prevent people (or hidden cameras) from seeing the content unless they are positioned directly in front of it.
|
||||
|
||||
# III) Troubleshooting Issues
|
||||
|
||||
|
@ -400,7 +400,7 @@ If the Tails Boot Loader page appears, try booting into Tails troubleshooting mo
|
|||
After an upgrade or otherwise, Tails no longer starts on your computer. You have three options:
|
||||
|
||||
1) See if the [Tails news page](https://tails.net/news/index.en.html) mentions any problems with the upgrade.
|
||||
2) Perform a manual upgrade, which may be necessary if the computer was turned off before the upgrade was complete.
|
||||
2) Perform a manual upgrade, which may be necessary if the computer was turned off before an automatic upgrade was complete.
|
||||
3) If the first two solutions don't work, the USB is too old, of poor quality, or has been broken. If you need to recover data from Persistent Storage, plug that USB into a Tails session using another USB. It will appear as a normal USB that you will need to unlock with your password. If you can't access your data on another Tails USB that has Persistent Storage enabled, your USB may be dead.
|
||||
|
||||
***I can't connect to a public Wi-Fi network with an authentication page (a captive portal)***
|
||||
|
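Review bot: Option 2 now distinguishes a manual upgrade from "an automatic upgrade", but unlike option 1 it gives no link or pointer to how a manual upgrade is done. Suggest linking the relevant Tails documentation page in this list item so a reader with a non-booting USB does not have to search for it.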
@ -421,7 +421,7 @@ Make sure your USB is not [known to have issues](https://tails.net/support/known
|
|||
|
||||
***Is an application slowing down Tails? The screen is glitching?***
|
||||
|
||||
Try pressing the Windows key, or the Cmd key for Mac, which will open the window with all your running applications. You can turn off applications by pressing the little cross. If that doesn't work, you'll need to force a shutdown by holding down the power button.
|
||||
Try pressing the Windows key, or the Cmd key for Mac, which will open the window with all your running applications, from where you can exit them. If that doesn't work, you'll need to force a shutdown by holding down the power button.
|
||||
|
||||
***Add a printer***
|
||||
|
||||
|
|
|
@ -70,7 +70,7 @@
|
|||
#v(10pt)
|
||||
]
|
||||
show heading.where(level: 3): it => block(width: 100%)[
|
||||
#set text(size: 14pt, font: "Jost", style: "italic")
|
||||
#set text(size: 13pt, font: "Jost", style: "italic")
|
||||
#text(it.body)
|
||||
#v(10pt)
|
||||
]
|
||||
|
|