From 1bf64e65a1c7cc5895f3669555d19bec4fac1d8c Mon Sep 17 00:00:00 2001 From: anarsec Date: Wed, 1 May 2024 16:50:05 +0000 Subject: [PATCH] clarify phrasing and small edits from feedback --- content/posts/e2ee/index.md | 40 ++++++++++------------ content/posts/linux/index.md | 2 +- content/posts/metadata/index.md | 2 +- content/posts/nophones/index.md | 10 +++--- content/posts/qubes/index.md | 28 +++++++-------- content/posts/tails/index.md | 60 ++++++++++++++++----------------- 6 files changed, 69 insertions(+), 73 deletions(-) diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md index 75b3873..6f965fc 100644 --- a/content/posts/e2ee/index.md +++ b/content/posts/e2ee/index.md 
@@ -17,14 +17,14 @@ There are several different options for [end-to-end encrypted](/glossary/#end-to Before proceeding, let’s go over a few concepts to help you distinguish between the different options. -* **End-to-end encryption** means (in theory) that only you and the person you are communicating with can read messages. However, not all [encryption](/glossary/#encryption) is created equal. The quality of the encryption is determined by the *encryption protocol* used and how it's implemented at the software level. See ["End-to-end encryption security: attacks and defense"](https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm.html#end-to-end-encryption-security-attacks-and-defense) for more information. +* **End-to-end encryption** means (in theory) that only you and the person you are communicating with can read messages. However, not all [encryption](/glossary/#encryption) is created equal. The quality of the encryption is determined by the *encryption protocol* used and how it's implemented at the software level. * **Metadata protection** means that the message [*metadata*](/glossary/#metadata) (the data about the data) is obscured. Even if the message itself is encrypted, metadata can reveal who is communicating with whom, when, how often, the sizes of any files that may have been transferred, and so on. Metadata exposure is [a major concern](https://docs.cwtch.im/security/risk#threat-model). * **Peer-to-peer** means that the messages do not pass through a centralized server. * **Tor** is an [anonymity network](/glossary/#tor-network). Some applications route your messages through Tor by default. For a more in-depth look at these various considerations, we recommend [The Guide to Peer-to-Peer, Encryption, and Tor: New Communication Infrastructure for Anarchists](https://www.notrace.how/resources/#pet-guide). 
This text criticizes Signal for not being peer-to-peer and not using Tor by default, and goes on to compare Signal, Cwtch, and Briar. -Since anonymous public-facing projects such as counter-info websites interact with unknown (ie untrusted) contacts, they need more from encrypted communication than a personal user. These additional needs include: +Since anonymous public-facing projects such as counter-info websites interact with unknown (i.e. untrusted) contacts, they need more from encrypted communication than people using applications for private communication. These additional needs include: * That anyone can contact the project * Resiliency to [correlation attacks](/glossary/#correlation-attack) 
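Review bot: In the @@ -17,14 hunk the removed line drops the only reference that backed the sentence "The quality of the encryption is determined by the *encryption protocol* used and how it's implemented at the software level", and the commit message ("clarify phrasing and small edits from feedback") does not say why. As rewritten, the reader is told that protocols differ in quality but is given nothing to compare them against. If the SimpleX blog post was removed because it is a vendor's write-up, replace it with a neutral reference or a glossary entry rather than leaving the claim unsupported.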
@@ -62,16 +62,22 @@ Cwtch is our preference for text communication by a long shot. Cwtch is designed Like all peer-to-peer communication, Cwtch requires *[synchronous](/glossary/#synchronous-communication)* communication, meaning that both people must be online at the same time. However, its server feature also allows *[asynchronous](/glossary/#asynchronous-communication)* communication by providing offline delivery: ->"Cwtch contact to contact chat is fully peer to peer, which means if one peer is offline, you cannot chat, and there is no mechanism for multiple people to chat. To support group chat (and offline delivery) we have created untrusted Cwtch [servers](https://docs.cwtch.im/security/components/cwtch/server) which can host messages for a group. [...] the server has no way to know what messages for what groups it might be holding, or who is accessing it." +>"Cwtch contact to contact chat is fully peer to peer, which means if one peer is offline, you cannot chat, and there is no mechanism for multiple people to chat. To support group chat (and offline delivery) we have created untrusted Cwtch servers which can host messages for a group. [...] the server has no way to know what messages for what groups it might be holding, or who is accessing it." -Once the server exists, contacts can be invited to use it. For asynchronous direct messaging, create a group chat with only two people. +Cwtch servers enable group communication through untrusted infrastructure — these servers are "untrusted" because the protocol is [designed to be secure against a malicious Cwtch server](https://docs.cwtch.im/security/components/cwtch/server). Once the server exists, contacts can be invited to use it. For asynchronous direct messaging, create a group chat with only two people. 
-Any Cwtch user can turn the app on their phone or computer into an untrusted server to host a group chat, though this is best for temporary needs like an event or short-term coordination, as the device must remain powered on for it to work. Fortunately, [Anarchy Planet](https://anarchyplanet.org/chat.html#cwtch) runs a public server that is suitable for long-term groups. +Any Cwtch user can turn the app on their phone or computer into a server to host a group chat, though this is best for temporary needs like an event or short-term coordination, as the device must remain powered on for it to work. Fortunately, [Anarchy Planet](https://anarchyplanet.org/chat.html#cwtch) runs a public server that is suitable for long-term groups. Asynchronous conversations on Cwtch need to be started from a synchronous conversation — in other words, you need to be online at the same time as your contact to invite them to a group, and then you no longer need to be online at the same time. This "first contact" dynamic is not unique to Cwtch, but is present in all peer-to-peer applications. In the future, Cwtch plans to improve this with [hybrid groups](https://docs.cwtch.im/blog/path-to-hybrid-groups/). Until hybrid groups are implemented, you will need to establish your asynchronous Cwtch conversations by using a second channel to set a time when you will both be online. You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs.cwtch.im/). +>**Note** +> +>**[Briar](https://briarproject.org)** is another application that works in a similar way (with peer-to-peer and Tor), using the [Bramble Transport Protocol](https://code.briarproject.org/briar/briar/-/wikis/A-Quick-Overview-of-the-Protocol-Stack) (BTP). Briar's main distinguishing feature is that it continues to work [even when the underlying network infrastructure is down](https://briarproject.org/how-it-works/). 
It was [audited in 2017](https://code.briarproject.org/briar/briar/-/wikis/FAQ#has-briar-been-independently-audited). Unfortunately, Briar Desktop does not yet work with Tails or Qubes-Whonix because it cannot [use the system Tor](https://code.briarproject.org/briar/briar/-/issues/2095). Unlike Cwtch, to connect to a contact on Briar, you both have to add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. [Briar Mailbox](https://briarproject.org/download-briar-mailbox/) allows asynchronous communication. +> +>**[OnionShare](https://docs.onionshare.org/2.6/en/features.html#chat-anonymously)** has a chat feature that creates an ephemeral peer-to-peer chat room that is routed over the Tor network. The metadata protection works in the same way as Cwtch; it uses the Tor network as a shield and stores everything (ephemerally) locally on the device running OnionShare. OnionShare doesn’t implement any chat encryption on its own — it relies on the Tor onion service’s encryption. Cwtch and Briar both have more features (including the additional Tapir and BTP encryption protocols). The only advantage of OnionShare is that it is installed on Tails by default. + ## For Anonymous Public-facing Projects **Need #1: That anyone can contact the project** 
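Review bot: In the @@ -62,16 hunk the new sentence "these servers are 'untrusted' because the protocol is designed to be secure against a malicious Cwtch server" claims more than the quoted handbook text supports. The quote only says the server "has no way to know what messages for what groups it might be holding, or who is accessing it", which is a confidentiality and metadata property; a server that cannot read messages can still refuse to hold or deliver them. Scope the sentence to what is actually shown, e.g. "designed so that a malicious server cannot read messages or learn who is in a group". Dropping "untrusted" from "turn the app ... into a server" is fine now that the term is defined earlier in the section. The relocated Briar/OnionShare note is moved verbatim, but it now lands directly before "## For Anonymous Public-facing Projects", so the closing line "The only advantage of OnionShare is that it is installed on Tails by default" reads as the verdict of the whole Cwtch section; consider ending the note on the Briar paragraph or giving OnionShare its own short paragraph.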
@@ -92,12 +98,6 @@ A vulnerability in any application can be targeted with exploits — a severe vu If a project has multiple members, all of them should be able to access the same messages independently. Currently, this is not possible with Cwtch. ->**Note** -> ->**[Briar](https://briarproject.org)** is another application that works in a similar way (with peer-to-peer and Tor), using the [Bramble Transport Protocol](https://code.briarproject.org/briar/briar/-/wikis/A-Quick-Overview-of-the-Protocol-Stack) (BTP). Briar's main distinguishing feature is that it continues to work [even when the underlying network infrastructure is down](https://briarproject.org/how-it-works/). It was [audited in 2017](https://code.briarproject.org/briar/briar/-/wikis/FAQ#has-briar-been-independently-audited). Unfortunately, Briar Desktop does not yet work with Tails or Qubes-Whonix because it cannot [use the system Tor](https://code.briarproject.org/briar/briar/-/issues/2095). Unlike Cwtch, to connect to a contact on Briar, you both have to add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. [Briar Mailbox](https://briarproject.org/download-briar-mailbox/) allows asynchronous communication. -> ->**[OnionShare](https://docs.onionshare.org/2.6/en/features.html#chat-anonymously)** has a chat feature that creates an ephemeral peer-to-peer chat room that is routed over the Tor network. The metadata protection works in the same way as Cwtch; it uses the Tor network as a shield and stores everything (ephemerally) locally on the device running OnionShare. OnionShare doesn’t implement any chat encryption on its own — it relies on the Tor onion service’s encryption. Cwtch and Briar both have more features (including the additional Tapir and BTP encryption protocols). The only advantage of OnionShare is that it is installed on Tails by default. - ## Installation
@@ -157,14 +157,12 @@ Cwtch on Whonix does not guarantee Tor [Stream Isolation](/posts/qubes/#whonix-a ![](/posts/e2ee/network.png) * **Mediums**: Video call, voice call, text -* **Metadata protection**: Yes (strong) +* **Metadata protection**: Yes (Moderate) * **Encryption protocol**: [SimpleX Messaging Protocol](https://simplex.chat/docs/protocol/simplex-chat.html), audited ([2022](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html)), and [SimpleX File Transfer Protocol](https://simplex.chat/blog/20230301-simplex-file-transfer-protocol.html) * **Peer-to-peer**: No * **Tor**: Not default -SimpleX Chat functions without persistent user IDs, which creates strong metadata protection. This means that an adversary can't easily observe how users are connected to each other in a network. This is possible because connection requests work by sharing an invitation link that is communicated through a separate channel, or in person. When connecting to another user you have the choice to use "Incognito mode", which creates a new random profile for each contact. This avoids sharing any data between contacts. - -As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer — it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server). +SimpleX Chat allows voice and video calls, but this [inherently provides less metadata protection](https://mastodon.social/@sarahjamielewis/112311305534271974). 
As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer — it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server). Since SimpleX requires that users [place some trust in the SimpleX servers](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers), **we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls**. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone. @@ -379,6 +377,10 @@ PGP (Pretty Good Privacy) is not so much a messaging platform as it is a way to **There is an exception: for anonymous public-facing projects, we still recommend using PGP email** because it is currently the best option that meets the additional needs required by a public account. Use a [radical server](https://riseup.net/en/security/resources/radical-servers) that doesn't require an invite code. You can learn more about how to use PGP email with the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp). +>**Note** +> +>PGP is used for another purpose outside of communication: verifying the integrity and authenticity of files. For this use case, see our [explanation](/posts/tails-best/#appendix-gpg-explanation). + ## For Anonymous Public-facing Projects **Need #1: That anyone can contact the project** 
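Review bot: In the @@ -157,14 hunk the rating changes from "Yes (strong)" to "Yes (Moderate)", but the paragraph that explained what SimpleX's metadata protection consists of (no persistent user IDs, invitation links exchanged out of band, Incognito mode) is deleted, and the only new justification is "SimpleX Chat allows voice and video calls, but this inherently provides less metadata protection", backed by a Mastodon post. Calls are optional, so they do not explain a lower rating for text. The retained paragraph below ("Since SimpleX requires that users place some trust in the SimpleX servers") is the actual reason; state it next to the rating and keep at least one sentence on the no-persistent-IDs design so the reader knows what "moderate" still covers. Also, "Moderate" is capitalised where "strong" was not; match the casing used in the other application summaries.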
@@ -401,13 +403,7 @@ We recommend using Thunderbird (which is available in Tails and Qubes-Whonix by If a project has multiple members, all of them should be able to access the same messages independently. This is straight forward with email, if all project members have the email password and the private PGP key. ->**Note** -> ->PGP is used for another purpose outside of communication: verifying the integrity and authenticity of files. For this use case, see our [explanation](/posts/tails-best/#appendix-gpg-explanation). - -
- -# Warnings +# Applications we do not recommend We do *not* recommend: diff --git a/content/posts/linux/index.md b/content/posts/linux/index.md index de66e4a..f20d579 100644 --- a/content/posts/linux/index.md +++ b/content/posts/linux/index.md 
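Review bot: In the @@ -401,13 hunk renaming "# Warnings" to "# Applications we do not recommend" changes the heading's generated anchor, so any existing link to `/posts/e2ee/#warnings` will stop resolving (this site links to sections by anchor throughout, e.g. `/posts/qubes/#when-to-use-tails-vs-qubes-os` in this same patch). Grep the content tree and the glossary for `#warnings` and update those links in this commit, or add a redirect. The removal of the PGP note here is the counterpart of the block inserted in the @@ -379,6 hunk and matches it verbatim.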
@@ -34,7 +34,7 @@ How do you actually install from a software repository? Each distribution also h # Software Alternatives -Part of the learning curve for Linux is figuring out which open-source software to use instead of the closed-source options you are used to in Windows and macOS. For example, instead of using Microsoft Word, you might use LibreOffice. It's essential that the applications you use are open-source, but an application being open-source is not enough to consider it secure. For example, Telegram advertises itself as open-source, but the servers are not open-source and the cryptography is [garbage](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/). The list of [included software for Tails](/posts/tails/#included-software) will cover many of your needs with reputable choices, and you can also check out [switching.software](https://switching.software/). +Part of the learning curve for Linux is figuring out which open-source software to use instead of the closed-source options you are used to in Windows and macOS. For example, instead of using Microsoft Word, you might use LibreOffice. It's essential that the applications you use are open-source, but an application being open-source is not enough to consider it secure. For example, Telegram advertises itself as open-source, but its servers are not open-source and its cryptography is [garbage](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/). The list of [included software for Tails](/posts/tails/#included-software) will cover many of your needs with reputable choices, and you can also check out [switching.software](https://switching.software/). # The Command Line Interface diff --git a/content/posts/metadata/index.md b/content/posts/metadata/index.md index 3e71f4a..ef11666 100644 --- a/content/posts/metadata/index.md +++ b/content/posts/metadata/index.md 
@@ -31,7 +31,7 @@ Metadata Cleaner shows the metadata it detects, but "it doesn't mean that a file To use the Metadata Cleaner, first add a file. When you click it, the current metadata is displayed. Select the file, then select **Clean**. You can verify that the metadata has been removed by re-adding the cleaned file and viewing its metadata. -When you clean a PDF file, it is converted to images, so the quality is downgraded and you cannot select the text in it. If you want to retain this ability, there is a *lightweight* cleaning mode that cleans only the superficial metadata of your file, but not the metadata of embedded resources (such as images in the PDF). Embedded resources with metadata can be avoided by using Metadata Cleaner on the images before importing them into the layout software, and by using layout software on Tails or Qubes-Whonix such as Scribus that are generic for those operating systems. You can enable "lightweight cleaning" in the Metadata Cleaner settings. +When you clean a PDF file, it is converted to images, so the quality is downgraded and you cannot select the text in it. If you want to retain this ability, there is a *lightweight* cleaning mode that cleans only the superficial metadata of your file, but not the metadata of "embedded resources" (such as images in the PDF). If you are creating a PDF, use Metadata Cleaner on any images before importing them into the layout software, and use layout software on Tails or Qubes-Whonix such as Scribus that are generic for those operating systems. You can enable "lightweight cleaning" in the Metadata Cleaner settings. Note the limitations of Metadata Cleaner: "mat2 only removes metadata from your files, it does not anonymise their content, nor can it handle watermarking, steganography, or any too custom metadata field/system. If you really want to be anonymous, use file formats that do not contain any metadata, or better: use plain-text." 
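Review bot: In the @@ -31,7 hunk the sentence "use layout software on Tails or Qubes-Whonix such as Scribus that are generic for those operating systems" is still hard to parse: the relative clause attaches to the operating systems rather than to the software, and "generic" is carrying the point that the tool should not embed anything specific to your own machine. If that is the intent, say it: "and create the PDF with layout software that is standard on Tails or Qubes-Whonix, such as Scribus, so the file carries nothing specific to your setup". Also, "You can enable 'lightweight cleaning' in the Metadata Cleaner settings" now sits after the image advice, separated from the sentence that introduces lightweight mode; move it directly after that sentence.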
diff --git a/content/posts/nophones/index.md b/content/posts/nophones/index.md index 51a02d4..b44369d 100644 --- a/content/posts/nophones/index.md +++ b/content/posts/nophones/index.md @@ -26,7 +26,7 @@ In a [recent repressive operation](https://notrace.how/resources/#ivan) against If you don't leave the house with a phone, the police will have to resort to physical surveillance to determine your whereabouts, which is resource-intensive and detectable. If you are ever placed under physical surveillance, the investigator's first step is to understand your "movement profile," and your phone's geolocation history provides a detailed picture of your daily patterns. -Some anarchists respond to the problems with smartphones by using flip phones or landlines to communicate with each other, but these devices do not support [encrypted communication](/glossary/#end-to-end-encryption-e2ee), so the State learns who is talking to whom and what they are talking about. A primary goal of targeted surveillance is to map the target's social network in order to identify other targets. The only way to avoid giving this information to our enemies is to use only [encrypted mediums](/posts/e2ee/) to communicate with other anarchists through technology. +Some anarchists respond to the problems with smartphones by using flip phones or landlines to communicate with each other, but this isn't a good solution. Flip phones and landlines do not support [encrypted communication](/glossary/#end-to-end-encryption-e2ee), so the State learns who is talking to whom and what they are talking about. A primary goal of targeted surveillance is to map the target's social network in order to identify other targets. The only way to avoid giving this information to our enemies is to use only [encrypted mediums](/posts/e2ee/) to communicate with other anarchists through technology. # Metadata Patterns 
@@ -40,9 +40,9 @@ Phones have colonized everyday life because people have been instilled with the If you decide to use a phone, in order to make it as difficult as possible for an adversary to geotrack it, intercept its messages, or hack it, use [GrapheneOS](/posts/grapheneos/). If we can agree to **only use [encrypted communications](/posts/e2ee/) to communicate with other anarchists**, this rules out flip phones and landlines. GrapheneOS is the only smartphone operating system that provides reasonable privacy and security. -**To prevent your movements from being tracked, treat the smartphone like a landline and leave it at home when you are out of the house**. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for geolocation data. If you use the phone as we recommend (as a [Wi-Fi only device](/posts/grapheneos/#what-is-grapheneos) that is kept in airplane mode at all times), cell towers won't be able to connect to it. It's not sufficient to only leave the phone at home when you're going to a meeting, demo or action because that will be an outlier from your normal pattern of behaviour and serve as an indication that criminal activity is taking place in that time window. +**To prevent your movements from being tracked, treat the smartphone like a landline and leave it at home when you are out of the house**. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for geolocation data. If you use the phone as we recommend (as a [Wi-Fi only device](/posts/grapheneos/#what-is-grapheneos) that is kept in airplane mode at all times), it won't connect to cell towers. 
It's not sufficient to only leave the phone at home when you're going to a meeting, demo or action because that will be an outlier from your normal pattern of behaviour and serve as an indication that criminal activity is taking place in that time window. -You may choose to live without phones entirely, if you don't feel that you need an "encrypted landline". The strategies for minimizing the need for phones that follow rely on computers, where synchronous communication is also possible but more limited. +You may choose to live without phones entirely, if you don't feel that you need an "encrypted landline". The following strategies for minimizing the need for phones rely on computers, where synchronous communication is also possible but more limited. ## Bureaucracy 
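Review bot: In the @@ -40,9 hunk "it won't connect to cell towers" is a cleaner sentence than "cell towers won't be able to connect to it", but the guarantee now rests entirely on airplane mode being kept on, while the same paragraph opens with the case of an anonymously purchased SIM that may later be linked to you. Make the two consistent: say whether the recommended Wi-Fi-only setup means no SIM inserted at all, and if a SIM may be present, note that the protection is only as good as airplane mode never being switched off. Splitting the outlier-pattern sentence into its own paragraph is a good change.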
@@ -50,10 +50,10 @@ Many bureaucratic institutions that we are forced to deal with make it difficult Any VoIP application that is available on a computer is asynchronous because it doesn't ring when the computer is off — you rely on the voicemail feature to return missed calls. For example, a service like [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) gives you a VoIP number, which you can pay for in Bitcoin, and you make calls using an XMPP application — [Cheogram](https://cheogram.com/) works well. -Though usually more expensive than VoIP, a flip phone or landline also works well for making and receiving 'bureaucratic' calls from home, like those mentioned above. - VoIP usually works for any [two-factor authentication](/glossary/#two-factor-authentication-2fa) (2FA) you need (when a service requires you to receive a random number to log in). [Online phone numbers](https://anonymousplanet.org/guide.html#online-phone-number) are another option. +Though usually more expensive than VoIP, a dedicated flip phone or landline also works well for making and receiving 'bureaucratic' calls from home, like those mentioned above. + ## Communication Not carrying a phone everywhere requires a change in the way you socialize if you are [already caught in the net](https://theanarchistlibrary.org/library/return-fire-vol-4-supplement-caught-in-the-net). Being intentional about minimizing the mediation of screens in our relationships is a valuable goal in and of itself. diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md index c3558ee..78adda2 100644 --- a/content/posts/qubes/index.md +++ b/content/posts/qubes/index.md 
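Review bot: In the @@ -50,10 hunk the flip-phone sentence is moved below the 2FA paragraph, so "like those mentioned above" now has to reach back past the 2FA and online-phone-number text to the "bureaucratic" calls it refers to. Either restore it directly after the VoIP paragraph or make the reference explicit ("for the bureaucratic calls described at the start of this section"). The added word "dedicated" is the useful part of this change; it says the device is used only for those calls, so consider spelling that out in the same sentence.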
@@ -21,7 +21,7 @@ Qubes OS can be configured to force all Internet connections through the [Tor ne # Who is Qubes OS For? -Given that anarchists are [regularly targeted](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. We recommend Qubes OS for everyday use, and [below](/posts/qubes/#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS in more detail — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced". +Given that anarchists are [regularly targeted](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) with malware in repressive investigations, Qubes OS is an excellent choice for us. We recommend Qubes OS for everyday use, and [below](/posts/qubes/#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS in more detail — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced". 
Even if you don't do anything directly incriminating on the computer you use every day, if it were compromised, this would still give investigators a field day for [network mapping](https://notrace.how/threat-library/techniques/network-mapping.html) — knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to communicate with other comrades, so making our personal computers difficult to hack is an important baseline for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward. 
@@ -61,7 +61,7 @@ Two more components are needed to complete the Qubes OS system: * **Template qubes**. These are where applications and operating system files live and where you install and update software. Each App qube is based on a Template qube, and the App qube can only read from the Template, not write to it. This means that the more sensitive system files are protected from whatever happens in an App qube — they are not retained between App qube restarts. Multiple App qubes can be based on a single Template, which has the convenient feature that updating one Template will update all App qubes based on that Template. -Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware — only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's not possible to compromise the hardware from a compromised App qube. +Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware — only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's more difficult to compromise the hardware from a compromised App qube. # When to Use Tails vs. Qubes OS 
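Review bot: In the @@ -61,7 hunk softening "not possible" to "more difficult" is the right correction, but the sentence now asserts difficulty without saying where it comes from. One clause tied to the preceding text would do: since only the Admin qube touches the disk and only Service qubes touch networking, USB, microphone and camera, an attacker in a compromised App qube has to break into one of those qubes first before reaching the hardware.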
@@ -116,7 +116,7 @@ The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is # How to Update -On Qubes OS, you should **not** use the `apt update` or `apt upgrade` commands, which you may be used to from other Linux experiences. As the [documentation](https://www.qubes-os.org/doc/how-to-update/) states, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing you'll want to do after connecting to the Internet is run Qubes Update. From the docs: +On Qubes OS, you should **not** use the `apt update` or `apt upgrade` commands, which you may be used to from other Linux experiences. As the [documentation](https://www.qubes-os.org/doc/how-to-update/) states, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing you'll want to do after connecting to the Internet in a new Qubes installation is to run Qubes Update. From the docs: > you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.” @@ -135,7 +135,7 @@ It's a bit tricky at first, but you'll get the hang of it in no time! # How to Copy and Move Files -There is a special tool for moving files and directories (folders) between qubes that requires explicit user permission. As a rule of thumb, only move files from more trusted qubes to less trusted ones. +There is a special tool for moving files and directories (folders) between qubes that requires explicit user permission. From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/): 
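Review bot: In the @@ -135,7 hunk the deleted sentence "As a rule of thumb, only move files from more trusted qubes to less trusted ones" was the only security guidance in the copy/move section; what remains is a description of the mechanism and a pointer to the docs. Copying a file into a more trusted qube is exactly how a compromised qube gets its payload next to sensitive data, which is why the tool asks for explicit permission in the first place. If the wording was the objection, rephrase it rather than drop it; if the docs say it better, quote them. The @@ -116,7 change ("in a new Qubes installation") is fine.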
@@ -143,7 +143,7 @@ From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/): ![](/posts/qubes/copy-to.png) >2. A dialog box will appear in dom0 asking for the name of the target qube (qube B). Enter or select the desired destination qube name. ![](/posts/qubes/dom0.png) ->3. If the target qube is not already running, it will be started automatically, and the file will be copied there. It will show up in this directory (which will automatically be created if it does not already exist): `/home/user/QubesIncoming//`. If you selected Move rather than Copy, the original file in the source qube will be deleted. (Moving a file is equivalent to copying the file, then deleting the original.) +>3. If the target qube is not already running, it will be started automatically, and the file will be copied there. It will show up in this directory (which will automatically be created if it does not already exist): `/home/user/QubesIncoming//`. If you selected Move rather than Copy, the original file in the source qube will be deleted. (Moving a file is equivalent to copying the file, then deleting the original.) > >4. If you wish, you may now move the file in the target qube to a different directory and delete the `/home/user/QubesIncoming/` directory when no longer needed. 
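Review bot: In the @@ -143,7 hunk the path is rendered as `/home/user/QubesIncoming//` on both the removed and the added line, with an empty directory segment where a name (presumably the source qube's) belongs, so the intended change is not visible in the diff and the rendered page shows a broken path. Write the placeholder in a form that survives markdown and HTML rendering, for example `/home/user/QubesIncoming/[source qube name]/`, and check the rendered output rather than the source file.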
@@ -159,7 +159,7 @@ Click on the Domains widget to see which Qubes are currently running and how muc While Tails can install additional software through [a Graphical User Interface](https://tails.net/doc/persistent_storage/additional_software/index.en.html) (GUI, the "point and click" alternative to the [Command Line Interface](/glossary/#command-line-interface-cli)), Qubes OS cannot at this time, so new software must be installed from the command line. If you are unfamiliar with the command line or how software works in Linux, see [Linux Essentials](/posts/linux/) to get acquainted. When choosing what additional software to install, keep in mind that being [open-source](/glossary/#open-source) is an essential criteria, but not sufficient to be considered secure. The list of [included software for Tails](https://tails.net/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices. -Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or on the command line. +Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or using the command line. It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, to avoid unnecessarily increasing the attack surface of all App qubes based on the default Template. The basic formula is: 
@@ -168,7 +168,7 @@ It is best not to install additional software into the default Template, but rat 3) Create an App qube based on the cloned Template 4) Optional: Make this App qube a disposable -For example, to install packages for working with documents, which are not included by default in `debian-12`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-12` and select "Clone qube". Name the new Template `debian-12-documents`. +For example, to install packages for working with documents, which are not included by default in `debian-12`, clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-12` and select "Clone qube". Name the new Template `debian-12-documents`. To install new software, as described in the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories): @@ -184,7 +184,7 @@ To install new software, as described in the [docs](https://www.qubes-os.org/doc > >5. Restart all qubes based on the template. > ->6. (Recommended) In the relevant qubes’ **Settings → Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.) +>6. (Recommended) In the relevant qubes’ **Settings → Applications** tab, move the new application(s) to the "Selected" list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.) ![](/posts/qubes/menu.png) 
@@ -234,7 +234,7 @@ Go to **Applications menu → Qubes Tools → Create Qubes VM**: * Now that the qube exists, install the Monero wallet into the App qube, following the [instructions for "Kicksecure-Qubes App qube"](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube). * In the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu. -This App qube is not disposable. We prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly. +This App qube is not disposable. We prefer all networked qubes to be disposable, but this qube requires data persistence for the wallet to work, so it cannot be disposable with a simple setup. Note that we don't need to clone the Template because the Monero wallet is a Flatpak, so it is installed into the App qube, not into the Template. @@ -252,7 +252,7 @@ The cloned Template we will need is already configured: `debian-12-documents`. G * In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable in the Apps tab of the Applications Menu. Make sure you are not working in the disposable Template (the same name in the Templates tab of the Applications menu). * Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm` -Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown. +Now, if a malicious document achieves [code execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution) after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown. ## Additional Settings 
@@ -395,7 +395,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and- Manage passwords by using KeePassXC from the `vault` App qube. If you are not familiar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This approach requires you to memorize three passwords: 1. [LUKS](/glossary/#luks) password (first boot password) -2. User password (second boot password, which is [much less important than LUKS](https://forum.qubes-os.org/t/recommended-length-of-linux-user-account-password/19337/3)) +2. User password (second boot password, which is [much less important than the LUKS password](https://forum.qubes-os.org/t/recommended-length-of-linux-user-account-password/19337/3)) 3. KeePassXC password Shutdown Qubes OS whenever you are away from the computer for more than a few minutes. For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords). 
@@ -416,7 +416,7 @@ Configuring Qubes OS is much more flexible than configuring Tails, but most of t ## Limitations of the Tor network * For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail). -* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet to use. +* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet connection to use. ## Reducing risks when using untrusted computers 
@@ -481,7 +481,7 @@ Qubes OS also applies appropriate software mitigation to this class of attacks a Each running qube uses memory, and a compromised qube could use CPU vulnerabilities to read and exfiltrate memory used by other qubes. To address "future not-yet-identified vulnerabilities of this kind", the operational security (OPSEC) suggestion is to limit the presence of things in memory that a compromised qube could read. -Disposables [reset](https://www.qubes-os.org/doc/how-to-use-disposables/) after they are shut down, so we can assume that their compromise would likely be temporary (for it to not be temporary, an adversary would need to escape from the virtual machine with a Xen exploit, before the disposable is shut down). Memory OPSEC protects against an adversary who can exploit a CPU vulnerability, but cannot escape from a Xen virtual machine. +Disposables are [recycled](https://www.qubes-os.org/doc/how-to-use-disposables/) after they are shut down, so we can assume that their compromise would likely be temporary (for it to not be temporary, an adversary would need to escape from the virtual machine with a Xen exploit, before the disposable is shut down). Memory OPSEC protects against an adversary who can exploit a CPU vulnerability, but cannot escape from a Xen virtual machine. We call a qube "untrusted" when it is networked and thus is at a higher risk of compromise. While it can be useful to distinguish levels of trust for networked qubes based on likely attack vectors (red borders for fully untrusted, purple borders for semi-trusted, etc.), any networked qube should be considered untrusted on some level. Whenever possible, untrusted qubes should be disposable. 
@@ -489,7 +489,7 @@ We call a qube "untrusted" when it is networked and thus is at a higher risk of Make sure to always be aware of which qubes are running simultaneously. -* Perform sensitive operations in trusted qubes (without networking), while no untrusted qubes are running. Shut down trusted qubes when they are not in use. The `vault` is considered a trusted qube. +* Perform sensitive operations in trusted qubes (without networking if not required), while no untrusted qubes are running. Shut down trusted qubes when they are not in use. The `vault` is considered a trusted qube. * While untrusted qubes are running there should be no qubes running simultaneously that put sensitive data into memory, because you are assuming that all memory could be leaked. Qubes containing sensitive data include: * Any qubes containing data that isn't compartmentalized to your current activity. For example, if you are moderating a website, images files you are going to upload to the website aren't sensitive, but files associated with an unrelated project are. * The `vault` qube containing your KeePassXC database. diff --git a/content/posts/tails/index.md b/content/posts/tails/index.md index 66dfeaa..7d1c137 100644 --- a/content/posts/tails/index.md +++ b/content/posts/tails/index.md 
@@ -52,7 +52,7 @@ Tails is not magic and has many limitations. The Internet and computers are host Building a threat model is simply a matter of asking yourself certain questions. Who am I defending against? What are their capabilities? What would be the consequences if they had access to that data? And then, based on the particular situation, assess how you can protect yourself. -It makes no sense to say "this tool is secure". Security always depends on the threat model and the level (network, hardware, software, etc.). For more information on this topic, see the [Threat Library](https://notrace.how/threat-library/). +It makes no sense to say "this tool is secure". Security always depends on the threat model and it takes place on multiple levels (network, hardware, software, etc.). For more information on this topic, see the [Threat Library](https://notrace.how/threat-library/). # I) The Basics of Using Tails 
@@ -78,14 +78,14 @@ To install Tails on a USB, you need a "source" and a USB (8GB or larger). There are two solutions for the "source". -### Solution 1: Install from another Tails USB - -This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.net/install/clone/pc/index.en.html) or [Mac](https://tails.net/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation. - -### Solution 2: Install by download (preferred) +### Solution 1: Install by download (preferred) Follow the [Tails installation instructions](https://tails.net/install/index.en.html); it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you (this is called a [man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.net/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download. +### Solution 2: Install from another Tails USB + +This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.net/install/clone/pc/index.en.html) or [Mac](https://tails.net/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation. 
+ ## Booting from your Tails USB Once you have a Tails USB, follow the Tails instructions [for booting Tails on a Mac or PC](https://tails.net/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on your laptop. The Boot Loader screen will appear and Tails will start automatically after several seconds. 
@@ -115,14 +115,14 @@ If you have Persistent Storage enabled, the passphrase to unlock it will appear Tails is a simple operating system. -1. The Activities menu. Allows you to see an overview of your windows and applications. It also allows you to search for applications, files, and folders. You can also access Activities by sending your mouse to the top left corner of your screen or by pressing the Command/Window (❖) key. +1. The Activities menu. Allows you to see an overview of your windows and applications. It also allows you to search for applications, files, and folders. You can also access Activities by sending your mouse to the top left corner of your screen or by pressing the Command/Windows (❖) key. 2. The Applications menu. Lists available applications (software), organized by category. 3. The Places menu. Shortcuts to various folders and storage devices, which can also be accessed through the Files browser (**Applications → Accessories → Files**). 4. Date and time. Once connected to the Internet, all Tails systems around the world [share the same time](https://tails.net/doc/first_steps/desktop/time/index.en.html). -5. The Tor status indicator. Tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the Onion Circuits application from here. Check your Tor connection by visiting `check.torproject.org` in your Tor Browser. +5. The Tor status indicator. Tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the Onion Circuits application from here. Check your Tor connection by visiting `check.torproject.org` in the Tor Browser. 6. The "Universal Access" button. This menu allows you to enable accessibility software such as the screen reader, visual keyboard, and large text display. -7. Choice of keyboard layouts. An icon showing the current keyboard layout (in the example above, en for an English layout). 
Clicking it provides options for other layouts selected at the Welcome Screen. -8. The System menu. From here, you can access the volume and screen brightness, the Wi-Fi and Ethernet connection (if connected), the battery status, and the restart and shutdown buttons. +7. Choice of keyboard layouts. An icon showing the current keyboard layout (in the example above, `en` for an English layout). Clicking it provides options for other layouts selected at the Welcome Screen. +8. The System menu. From here, you can access the volume and screen brightness, the Wi-Fi and Ethernet connection, the battery status, and the restart and shutdown buttons. 9. The Workspaces icon. This button toggles between multiple views of the desktop (called "workspaces”), which can help reduce visual clutter on a small screen. If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the system menu, see the [troubleshooting documentation](https://tails.net/doc/anonymous_internet/no-wifi/index.en.html). Once you connect to Wi-Fi, a Tor Connection assistant will appear to help you connect to the Tor network. Select **Connect to Tor automatically**, unless you are in a country where you need to hide that you're using Tor (in which case you'll need to configure [a bridge](https://tails.net/doc/anonymous_internet/tor/index.en.html#hiding)). 
@@ -131,7 +131,7 @@ If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the syste Tails is amnesiac by default. It will forget everything you have done as soon as you end the session. This isn't always what you want — for example, you may want to install additional software without needing to re-install it each time you start up. Tails has a feature called Persistent Storage, which allows you to save data between sessions. This is explicitly less secure, but necessary for some activities. -The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows a user to make some data persistent — that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**. +The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows you to make some data persistent — that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**. A window will pop up asking you to enter a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for information on passphrase strength. You'll then [configure](https://tails.net/doc/persistent_storage/configure/index.en.html) what you want to keep in Persistent Storage. Persistent Storage can be enabled for several types of data: 
@@ -156,7 +156,7 @@ A window will pop up asking you to enter a passphrase; see [Tails Best Practices * **Thunderbird Email Client**: The Thunderbird email inbox, feeds, and OpenPGP keys. * **GnuPG**: The OpenPGP keys you create or import into GnuPG and Kleopatra. * **Pidgin**: The account files of this chat application (using the XMPP protocol). -* **SSH Client**: SSH is used to connect to servers. All files related to SSH. +* **SSH Client**: All files related to SSH, a protocol used to connect to servers. **Advanced Settings:** @@ -165,7 +165,7 @@ A window will pop up asking you to enter a passphrase; see [Tails Best Practices To use Persistent Storage, you must unlock it on the Welcome Screen. If you want to change the passphrase, see the [documentation](https://tails.net/doc/persistent_storage/passphrase/index.en.html). If you ever forget your passphrase, it's impossible to recover it; you'll have to [delete](https://tails.net/doc/persistent_storage/delete/index.en.html) the Persistent Storage and start over. -In [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), we recommend against using Persistent Storage in most cases. Any files that need to be persistent can be stored on a second [LUKS-encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb) instead. Most Persistent Storage features do not work well with USBs that have a write-protect switch. +In [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), we recommend against using Persistent Storage in most cases; most Persistent Storage features do not work well with USBs that have a write-protect switch, any files stored on a Tails USB will leave forensic traces on it, and storing personal data on the Tails USB also prevents it from being compartmentalized when Persistent Storage is unlocked. Any files that need to be persistent can be stored on a second [LUKS-encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb) instead. ## Upgrading the Tails USB 
@@ -181,7 +181,7 @@ When an [automatic upgrade](https://tails.net/doc/upgrade/index.en.html) is avai ### The manual upgrade -Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.net/upgrade/tails/index.en.html). +Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades (which happen approximately every two years) or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.net/upgrade/tails/index.en.html). # II) Going Further: Several Tips and Explanations 
@@ -193,17 +193,17 @@ Sometimes the upgrade window will tell you that you need to do a manual upgrade. ![](/posts/tails/tor.png) -Internet traffic, including the IP address of the final destination, is encrypted in layers like an onion. Each hop along the three relays removes one layer of encryption. Each relay only knows the relay before it and the relay after it (relay #3 knows that it came from relay #2 and that it goes to such-and-such a website, but not relay #1). +Internet traffic, including the IP address of the final destination, is encrypted in layers like an onion. Each hop along the three relays removes one layer of encryption. Each relay only knows the relay before it and the relay after it (the exit relay knows that it came from the middle relay and that it goes to such-and-such a website, but not the entry relay). ![See *anarsec.guide* for the animation.](/posts/tails/anonymous-browsing.gif) -This means that any intermediaries between you and relay #1 know that you're using Tor, but they don't know what site you're going to. Any intermediaries after relay #3 know that someone in the world is going to that site, but they don't know who it is. The site's web server sees you coming from the IP address of relay #3. +This means that any intermediaries between you and the entry relay know that you're using Tor, but they don't know what site you're going to. Any intermediaries after the exit relay know that someone in the world is going to that site, but they don't know who it is. The site's web server sees you coming from the IP address of the exit relay. Tor has several limitations. For example, if someone with the technical and legal means believes you're connecting from a particular Wi-Fi connection to visit a particular site, they can try to match your Wi-Fi connection with what the website activity (a "correlation attack"). However, to our knowledge, this type of attack has never been used by itself to incriminate someone in court. 
For sensitive activities, use Internet connections that are not tied to your identity to protect yourself in case Tor fails. ### What is HTTPS? -Virtually all websites today use [HTTPS](/glossary/#https) — the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are visiting riseup.net, for example, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS. +Virtually all websites today use [HTTPS](/glossary/#https) — the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after the exit relay of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after the exit relay will know that you are visiting riseup.net, for example, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS. 
If there's a yellow warning on the padlock, it means that some elements on the page you're viewing are not encrypted (they use HTTP), which could reveal the exact page or allow intermediaries to partially modify the page. By default, the Tor Browser uses HTTPS-Only Mode to prevent users from visiting HTTP sites. @@ -221,7 +221,7 @@ Have you ever seen a strange website address with 56 random characters ending in Anyone can set up an .onion site. But why would they want to? Well, the server location is anonymized, so authorities cannot find out where the site is hosted in order to shut it down. When you send data to an .onion site, you enter the site's three Tor relays after the standard Tor circuit. So we have 6 Tor relays between us and the site; we know the first 3 relays, the site knows the last 3, and each Tor node only knows the relay before and after. Unlike a normal HTTPS website, it's all Tor encrypted from end to end. -This means that both the client (your laptop) and the server (where the site lives) remain anonymous, whereas with a normal website, only the client is anonymous. In addition to being more anonymous for the server, it is also more anonymous for the client: you never leave the Tor network, so it is not possible to intercept you after relay #3. +This means that both the client (your laptop) and the server (where the site lives) remain anonymous, whereas with a normal website, only the client is anonymous. In addition to being more anonymous for the server, it is also more anonymous for the client: you never leave the Tor network, so it is not possible to intercept you after the exit relay. The .onion site address is long because it includes the site's certificate. HTTPS is unnecessary; security depends on knowing the site's .onion address. 
@@ -233,7 +233,7 @@ Some sites block users who visit through the Tor network, or otherwise make it i ![](/posts/tails/new_identity.png) -The site may only block certain Tor relays. In this case, you can change the Tor exit node being used for this site: click the **≣ → "New Tor circuit for this site"** button. The Tor circuit (path) will only change for the one tab. You may need to do this several times in a row if you're unlucky enough to encounter multiple banned relays. +The site may only block certain Tor relays. In this case, you can change the Tor exit node being used for this site: click the **≣ → "New Tor circuit for this site"** button. The Tor circuit (path) will change for the current tab, including other open tabs or windows from the same website. You may need to do this several times in a row if you're unlucky enough to encounter multiple banned relays. Since all Tor relays are public, it is also possible that the site is blocking the entire Tor network. In this case, you can try using a proxy to access the site, such as `https://hide.me/en/proxy` (but only if you don't have to enter personal information like login credentials). You can also check if the page you want to access has been saved to the Wayback Machine: `web.archive.org`. @@ -257,7 +257,7 @@ The layout of some pages may be changed, and some types of content may be disabl ### Downloading/uploading and the Tor Browser folder -The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prevent it from snooping on all your files a malicious site compromised it. This means there are special considerations when uploading or downloading files using the Tor Browser. +The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prevent it from snooping on all your files if a malicious site compromised it. This means there are special considerations when uploading or downloading files using the Tor Browser. #### Downloading 
@@ -267,7 +267,7 @@ When you download something using the Tor Browser, it is stored in the Tor Brows #### Uploading -Similarly, if you want to upload something using the Tor Browser (for example, to include a file in a blog post), you will first need to move or copy the file to the Tor Browser folder. Then it will be available when you select an upload in the Tor Browser. +Similarly, if you want to upload something using the Tor Browser (for example, to include a file in a blog post), you will first need to move or copy the file to the Tor Browser folder. Then it will be available when you select the file to upload in the Tor Browser. #### RAM 
@@ -277,11 +277,11 @@ Be aware that if you are downloading or otherwise working with very large files, ![](/posts/tails/onionshare.png) -It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.net/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). By default, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to the settings and uncheck "Stop sharing after first download". As soon as you close OnionShare, disconnect from the Internet, or shut down Tails, the files will no longer be accessible. This is a great way to share files because it doesn't require you to plug a USB into someone else's computer, which we [don't recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared through another channel (such as a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type). +It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.net/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). By default, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to the settings and uncheck "Stop sharing after first download". As soon as you close OnionShare, disconnect from the Internet, or shut down Tails, the files will no longer be accessible. This is a great way to share files because it doesn't require you to plug a USB into someone else's computer, which we [don't recommend](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared through another channel (such as a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type). 
### Make Correlation Attacks More Difficult -When you request a web page through a web browser, the site's server sends it to you in small "packets" that have a specific size and timing (among other characteristics). When using the Tor Browser, the sequence of packets can also be analyzed to look for patterns that can be matched to those of websites. To learn more, see ["1.3.3. Passive Application-Layer Traffic Patterns"](https://spec.torproject.org/proposals/344-protocol-info-leaks.html). Tor [plans to fix this issue in the future](https://gitlab.torproject.org/tpo/team/-/wikis/Sponsor-112). +When you request a web page through a web browser, the site's server sends it to you in small "packets" that have a specific size and timing (among other characteristics). When using the Tor Browser, the sequence of packets can also be analyzed to look for patterns that can be matched to those of websites. To learn more, see ["1.3.3. Passive Application-Layer Traffic Patterns"](https://spec.torproject.org/proposals/344-protocol-info-leaks.html). Tor [plans to mitigate this issue in the future](https://gitlab.torproject.org/tpo/team/-/wikis/Sponsor-112). To make this ["correlation attack"](/glossary/#correlation-attack) more difficult, disable JavaScript by using Tor Browser on the **Safest** setting. 
@@ -293,7 +293,7 @@ Tails comes with [many applications](https://tails.net/doc/about/features/index. ## Password Manager (KeePassXC) -When you need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Application → Favorites → KeePassXC**) that allows you to store your passwords in a file and protect them with a single master password. +When you need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Applications → Favorites → KeePassXC**) that allows you to store your passwords in a file and protect them with a single master password. We recommend that you compartmentalize your passwords — have a different KeePassXC file for each separate project. They can share the same Master Password — the point of compartmentalization is that only one project's passwords are unlocked at any given time. If the Tails session is compromised, the adversary won't get all of your passwords in one fell swoop, just the ones that are currently unlocked. 
@@ -321,13 +321,13 @@ However, it can take weeks or years before that space is actually used for new f There are two types of storage: magnetic (HDD) and flash (SSD, NVMe, USB, memory cards, etc.). The only way to erase a file on either is to [reformat the entire drive](/posts/tails/#how-to-create-an-encrypted-usb) and select **Overwrite existing data with zeros**. -However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (i.e. thermite) to be effective. +However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (e.g. thermite) to be effective. -For flash memory drives (USBs, SSDs, SD cards, etc.), use pliers to break the circuit board out of the plastic casing. Use a high-quality house-hold blender to shred the memory chips, including the circuit board, into pieces that are ideally less than two millimeters in size. This blender should not be used for food afterwards, even after cleaning it. +For flash memory drives (USBs, SSDs, SD cards, etc.), use pliers to break the circuit board out of the plastic casing. Use a high-quality house-hold blender to shred the memory chips, including the circuit board, into pieces that are ideally less than two millimeters in size. 
This blender should not be used for food afterwards, because cleaning it will not adequately remove toxic traces. ## How to create an encrypted USB -Store data only on encrypted drives. This is necessary if you want to use a separate LUKS USB instead of Persistent Storage on the Tails USB. [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to **Applications → Utilities → Disks**. +Store data only on encrypted drives. This is necessary if you want to use a separate LUKS USB instead of Persistent Storage on the Tails USB as advised in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to **Applications → Utilities → Disks**. * When you insert the USB, a new "device" should appear in the list. Select it and make sure that the description (brand, name, size) matches your device. Be careful not to make a mistake! * Format it by clicking **≣ → Format the disk**. 
@@ -393,16 +393,16 @@ If the Tails Boot Loader page appears, try booting into Tails troubleshooting mo After an upgrade or otherwise, Tails no longer starts on your computer. You have three options: 1) See if the [Tails news page](https://tails.net/news/index.en.html) mentions any problems with the upgrade. -2) Perform a manual upgrade, which may be necessary if the computer was turned off before an automatic upgrade was complete. +2) [Perform a manual upgrade](/posts/tails/#the-manual-upgrade), which may be necessary if the computer was turned off before an automatic upgrade was complete. 3) If the first two solutions don't work, the USB is too old, of poor quality, or has been broken. If you need to recover data from Persistent Storage, plug that USB into a Tails session using another USB. It will appear as a normal USB that you will need to unlock with your password. If you can't access your data on another Tails USB that has Persistent Storage enabled, your USB may be dead. ***I can't connect to a public Wi-Fi network with an authentication page (a captive portal)*** -If you need to connect to Wi-Fi using a captive portal, you must enable Unsafe Browser. Connect to Wi-Fi, and then open **Applications → Internet → Unsafe Browser**. You enter the URL of a site that isn't sketchy to access the authentication page. Once you've completed the captive portal page, wait until Tor is ready, and then close the unsafe browser. +If you need to connect to Wi-Fi using a captive portal, you must enable Unsafe Browser in the Welcome Screen. Connect to Wi-Fi, and then open **Applications → Internet → Unsafe Browser**. You enter the URL of a site that isn't sketchy (e.g. wikipedia.org) to access the authentication page. Once you've completed the captive portal page, wait until Tor is ready, and then close the unsafe browser. 
***What if I run out of space on a USB?*** -If you run out of space on a USB drive, or if you see less data than you actually have on your USB, check "Show hidden files" in the file browser. There you will see new files named .something. The file .Trash-10xx is taking up space (and if you select "Move to Trash" it will be removed completely). Don't change any other hidden files. +If you run out of space on a USB drive, or if you see less data than you actually have on your USB, check "Show hidden files" in the file browser. There you will see new files named `.something`. The file `.Trash-10xx` is taking up space (and if you right-click on it and select "Move to Trash" it will be removed completely). Don't change any other hidden files. ***A file always opens in read-only mode or does not open at all?***
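Review bot: "fix" to "mitigate" is the accurate word in the correlation-attack paragraph, since the linked Sponsor 112 work reduces rather than removes traffic-pattern analysis. One clarity point in the same paragraph: what it describes (matching a packet sequence against known websites) is usually called website fingerprinting, and the Safest level disables JavaScript among other things, so "disable JavaScript by using Tor Browser on the **Safest** setting" reads more clearly as "set Tor Browser to the **Safest** security level, which disables JavaScript", making the setting itself the action.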
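Review bot: "Application" to "Applications" in the KeePassXC menu path matches the path used elsewhere in this patch (**Applications → Utilities → Disks**), so the correction is consistent. On the unchanged compartmentalization paragraph: the claim that a compromised session yields only the currently unlocked passwords assumes the adversary cannot capture the master password as it is typed; because the files are allowed to share one Master Password, a compromised session could then unlock the other files as well. Consider recommending distinct master passwords per file, or narrowing the claim to an adversary who only reads the unlocked database.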
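Review bot: "house-hold" survives in both the removed and the added line of the flash-drive paragraph and should be "household". Moving the blender sentence into its own paragraph with the reason (toxic residue that cleaning does not remove) is an improvement, and "e.g. thermite" is the right correction, since thermite is one example of a sufficient heat source rather than a definition. The new Tails Best Practices link in the encrypted-USB paragraph supplies the motivation for a separate LUKS USB that the earlier wording left out.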
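Review bot: "You enter the URL of a site that isn't sketchy (e.g. wikipedia.org)" should be imperative ("Enter the URL of ...") to match the surrounding steps. Worth one more sentence there: a captive portal can only intercept a plain-HTTP request, so a site that enforces HTTPS may show a certificate error instead of the login page; suggest an http:// address or a plain-HTTP page as the example. The backticks on `.something` and `.Trash-10xx` and the added "right-click on it" step make the disk-space answer clearer, and the new anchor link to the manual-upgrade section is consistent with the other internal links in the file.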