clarify phrasing and small edits from feedback

anarsec 2024-05-01 16:50:05 +00:00
parent 9bed1441fc
commit 1bf64e65a1
No known key found for this signature in database
6 changed files with 69 additions and 73 deletions

@ -21,7 +21,7 @@ Qubes OS can be configured to force all Internet connections through the [Tor ne
# Who is Qubes OS For?
Given that anarchists are [regularly targeted](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. We recommend Qubes OS for everyday use, and [below](/posts/qubes/#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS in more detail — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
Given that anarchists are [regularly targeted](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) with malware in repressive investigations, Qubes OS is an excellent choice for us. We recommend Qubes OS for everyday use, and [below](/posts/qubes/#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS in more detail — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
Even if you don't do anything directly incriminating on the computer you use every day, if it were compromised, this would still give investigators a field day for [network mapping](https://notrace.how/threat-library/techniques/network-mapping.html) — knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to communicate with other comrades, so making our personal computers difficult to hack is an important baseline for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
@ -61,7 +61,7 @@ Two more components are needed to complete the Qubes OS system:
* **Template qubes**. These are where applications and operating system files live and where you install and update software. Each App qube is based on a Template qube, and the App qube can only read from the Template, not write to it. This means that the more sensitive system files are protected from whatever happens in an App qube — they are not retained between App qube restarts. Multiple App qubes can be based on a single Template, which has the convenient feature that updating one Template will update all App qubes based on that Template.
Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware — only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's not possible to compromise the hardware from a compromised App qube.
Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware — only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's more difficult to compromise the hardware from a compromised App qube.
# When to Use Tails vs. Qubes OS
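Review bot: the new last sentence of the hardware paragraph ("it's more difficult to compromise the hardware from a compromised App qube") is more accurate than "not possible", but it does not tell the reader why the protection is not absolute. The hunk at line 481 already names the relevant case (escaping the virtual machine with a Xen exploit); consider adding a short pointer to that section here.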
@ -116,7 +116,7 @@ The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is
# How to Update
On Qubes OS, you should **not** use the `apt update` or `apt upgrade` commands, which you may be used to from other Linux experiences. As the [documentation](https://www.qubes-os.org/doc/how-to-update/) states, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing you'll want to do after connecting to the Internet is run Qubes Update. From the docs:
On Qubes OS, you should **not** use the `apt update` or `apt upgrade` commands, which you may be used to from other Linux experiences. As the [documentation](https://www.qubes-os.org/doc/how-to-update/) states, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing you'll want to do after connecting to the Internet in a new Qubes installation is to run Qubes Update. From the docs:
> you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”
@ -135,7 +135,7 @@ It's a bit tricky at first, but you'll get the hang of it in no time!
# How to Copy and Move Files
There is a special tool for moving files and directories (folders) between qubes that requires explicit user permission. As a rule of thumb, only move files from more trusted qubes to less trusted ones.
There is a special tool for moving files and directories (folders) between qubes that requires explicit user permission.
From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
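Review bot: the replacement line under "How to Copy and Move Files" drops the sentence "As a rule of thumb, only move files from more trusted qubes to less trusted ones." and puts nothing in its place, which is a change of security advice rather than the phrasing edit the commit message describes. If the rule was judged too strict, state what the reader should consider about the trust level of the source and destination qubes instead, or record the removal in the commit message.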
@ -143,7 +143,7 @@ From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
![](/posts/qubes/copy-to.png)
>2. A dialog box will appear in dom0 asking for the name of the target qube (qube B). Enter or select the desired destination qube name.
![](/posts/qubes/dom0.png)
>3. If the target qube is not already running, it will be started automatically, and the file will be copied there. It will show up in this directory (which will automatically be created if it does not already exist): `/home/user/QubesIncoming/<source_qube>/<filename>`. If you selected Move rather than Copy, the original file in the source qube will be deleted. (Moving a file is equivalent to copying the file, then deleting the original.)
>3. If the target qube is not already running, it will be started automatically, and the file will be copied there. It will show up in this directory (which will automatically be created if it does not already exist): `/home/user/QubesIncoming/<source_qube>/`. If you selected Move rather than Copy, the original file in the source qube will be deleted. (Moving a file is equivalent to copying the file, then deleting the original.)
>
>4. If you wish, you may now move the file in the target qube to a different directory and delete the `/home/user/QubesIncoming/` directory when no longer needed.
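Review bot: the edited step 3 sits inside the block introduced with "From the docs", so changing `/home/user/QubesIncoming/<source_qube>/<filename>` to `/home/user/QubesIncoming/<source_qube>/` makes the quote differ from what it is attributed to. The new path does fit "this directory" better; introduce the block as adapted from the docs (the backup section at line 395 already uses "Adapted from the docs") so readers do not take it as verbatim.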
@ -159,7 +159,7 @@ Click on the Domains widget to see which Qubes are currently running and how muc
While Tails can install additional software through [a Graphical User Interface](https://tails.net/doc/persistent_storage/additional_software/index.en.html) (GUI, the "point and click" alternative to the [Command Line Interface](/glossary/#command-line-interface-cli)), Qubes OS cannot at this time, so new software must be installed from the command line. If you are unfamiliar with the command line or how software works in Linux, see [Linux Essentials](/posts/linux/) to get acquainted. When choosing what additional software to install, keep in mind that being [open-source](/glossary/#open-source) is an essential criteria, but not sufficient to be considered secure. The list of [included software for Tails](https://tails.net/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or on the command line.
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or using the command line.
It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, to avoid unnecessarily increasing the attack surface of all App qubes based on the default Template. The basic formula is:
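Review bot: the rewritten sentence still links the Debian package search as `http://packages.debian.org/`, while the Fedora link beside it uses https. Since the line is being edited anyway, change the Debian link to `https://packages.debian.org/`.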
@ -168,7 +168,7 @@ It is best not to install additional software into the default Template, but rat
3) Create an App qube based on the cloned Template
4) Optional: Make this App qube a disposable
For example, to install packages for working with documents, which are not included by default in `debian-12`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-12` and select "Clone qube". Name the new Template `debian-12-documents`.
For example, to install packages for working with documents, which are not included by default in `debian-12`, clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-12` and select "Clone qube". Name the new Template `debian-12-documents`.
To install new software, as described in the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories):
@ -184,7 +184,7 @@ To install new software, as described in the [docs](https://www.qubes-os.org/doc
>
>5. Restart all qubes based on the template.
>
>6. (Recommended) In the relevant qubes **Settings → Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.)
>6. (Recommended) In the relevant qubes **Settings → Applications** tab, move the new application(s) to the "Selected" list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.)
![](/posts/qubes/menu.png)
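Review bot: the new step 6 says to move the application(s) to the "Selected" list, while the Monero instructions in the hunk at line 234 say to move the shortcut to the "Selected column"; pick one term for both. This step is also inside a `>` block attributed to the docs, so say it is adapted if the wording no longer matches the source.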
@ -234,7 +234,7 @@ Go to **Applications menu → Qubes Tools → Create Qubes VM**:
* Now that the qube exists, install the Monero wallet into the App qube, following the [instructions for "Kicksecure-Qubes App qube"](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube).
* In the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu.
This App qube is not disposable. We prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
This App qube is not disposable. We prefer all networked qubes to be disposable, but this qube requires data persistence for the wallet to work, so it cannot be disposable with a simple setup.
Note that we don't need to clone the Template because the Monero wallet is a Flatpak, so it is installed into the App qube, not into the Template.
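Review bot: the new sentence explains why the Monero qube cannot be disposable but not what follows from that. If this qube is networked, as the sentence implies, it is a persistent untrusted qube under the definition quoted in the hunk at line 481 ("any networked qube should be considered untrusted on some level"); say so here or point to the memory OPSEC section so readers know how to treat it.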
@ -252,7 +252,7 @@ The cloned Template we will need is already configured: `debian-12-documents`. G
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable in the Apps tab of the Applications Menu. Make sure you are not working in the disposable Template (the same name in the Templates tab of the Applications menu).
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm`
Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
Now, if a malicious document achieves [code execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution) after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
## Additional Settings
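Review bot: style point on the changed sentence: it keeps "an empty Qube" capitalised, while the neighbouring lines write "qube" in lower case ("Now that the qube exists", "Make this App qube a disposable"). Lower-case it while the line is being edited, and check whether "the new qubes'" in the first context bullet should be the singular "qube's".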
@ -395,7 +395,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
Manage passwords by using KeePassXC from the `vault` App qube. If you are not familiar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This approach requires you to memorize three passwords:
1. [LUKS](/glossary/#luks) password (first boot password)
2. User password (second boot password, which is [much less important than LUKS](https://forum.qubes-os.org/t/recommended-length-of-linux-user-account-password/19337/3))
2. User password (second boot password, which is [much less important than the LUKS password](https://forum.qubes-os.org/t/recommended-length-of-linux-user-account-password/19337/3))
3. KeePassXC password
Shutdown Qubes OS whenever you are away from the computer for more than a few minutes. For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords).
@ -416,7 +416,7 @@ Configuring Qubes OS is much more flexible than configuring Tails, but most of t
## Limitations of the Tor network
* For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail).
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet to use.
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet connection to use.
## Reducing risks when using untrusted computers
@ -481,7 +481,7 @@ Qubes OS also applies appropriate software mitigation to this class of attacks a
Each running qube uses memory, and a compromised qube could use CPU vulnerabilities to read and exfiltrate memory used by other qubes. To address "future not-yet-identified vulnerabilities of this kind", the operational security (OPSEC) suggestion is to limit the presence of things in memory that a compromised qube could read.
Disposables [reset](https://www.qubes-os.org/doc/how-to-use-disposables/) after they are shut down, so we can assume that their compromise would likely be temporary (for it to not be temporary, an adversary would need to escape from the virtual machine with a Xen exploit, before the disposable is shut down). Memory OPSEC protects against an adversary who can exploit a CPU vulnerability, but cannot escape from a Xen virtual machine.
Disposables are [recycled](https://www.qubes-os.org/doc/how-to-use-disposables/) after they are shut down, so we can assume that their compromise would likely be temporary (for it to not be temporary, an adversary would need to escape from the virtual machine with a Xen exploit, before the disposable is shut down). Memory OPSEC protects against an adversary who can exploit a CPU vulnerability, but cannot escape from a Xen virtual machine.
We call a qube "untrusted" when it is networked and thus is at a higher risk of compromise. While it can be useful to distinguish levels of trust for networked qubes based on likely attack vectors (red borders for fully untrusted, purple borders for semi-trusted, etc.), any networked qube should be considered untrusted on some level. Whenever possible, untrusted qubes should be disposable.
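Review bot: "recycled" in the changed first sentence can be read as the disposable being reused, which is the opposite of what the rest of the sentence relies on (that a compromise does not outlast shutdown). The hunk at line 252 already says a disposable "will be destroyed upon shutdown"; using "destroyed" here as well would keep the two passages consistent.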
@ -489,7 +489,7 @@ We call a qube "untrusted" when it is networked and thus is at a higher risk of
Make sure to always be aware of which qubes are running simultaneously.
* Perform sensitive operations in trusted qubes (without networking), while no untrusted qubes are running. Shut down trusted qubes when they are not in use. The `vault` is considered a trusted qube.
* Perform sensitive operations in trusted qubes (without networking if not required), while no untrusted qubes are running. Shut down trusted qubes when they are not in use. The `vault` is considered a trusted qube.
* While untrusted qubes are running there should be no qubes running simultaneously that put sensitive data into memory, because you are assuming that all memory could be leaked. Qubes containing sensitive data include:
* Any qubes containing data that isn't compartmentalized to your current activity. For example, if you are moderating a website, images files you are going to upload to the website aren't sensitive, but files associated with an unrelated project are.
* The `vault` qube containing your KeePassXC database.
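Review bot: the added qualifier "(without networking if not required)" in the first bullet allows a trusted qube to be networked, which conflicts with the definition carried in this hunk's header line: "We call a qube "untrusted" when it is networked". Either keep the original "without networking", or state what a networked qube must satisfy to still count as trusted for the purposes of this bullet.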