Git-Mirrors/anarsec.guide
1
0
Fork 0
mirror of https://0xacab.org/anarsec/anarsec.guide.git synced 2025-07-25 15:45:48 -04:00
Code Issues Projects Releases Packages Wiki Activity

clarify phrasing and small edits from feedback

Browse source
This commit is contained in:
anarsec 2024-05-01 16:50:05 +00:00
parent 9bed1441fc
commit 1bf64e65a1
No known key found for this signature in database
6 changed files with 69 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

60
content/posts/tails/index.md
View file

@ -52,7 +52,7 @@ Tails is not magic and has many limitations. The Internet and computers are host
Building a threat model is simply a matter of asking yourself certain questions. Who am I defending against? What are their capabilities? What would be the consequences if they had access to that data? And then, based on the particular situation, assess how you can protect yourself.
It makes no sense to say "this tool is secure". Security always depends on the threat model and the level (network, hardware, software, etc.). For more information on this topic, see the [Threat Library](https://notrace.how/threat-library/).
It makes no sense to say "this tool is secure". Security always depends on the threat model and it takes place on multiple levels (network, hardware, software, etc.). For more information on this topic, see the [Threat Library](https://notrace.how/threat-library/).
# I) The Basics of Using Tails
@ -78,14 +78,14 @@ To install Tails on a USB, you need a "source" and a USB (8GB or larger).
There are two solutions for the "source".
### Solution 1: Install from another Tails USB
This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.net/install/clone/pc/index.en.html) or [Mac](https://tails.net/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation.
### Solution 2: Install by download (preferred)
### Solution 1: Install by download (preferred)
Follow the [Tails installation instructions](https://tails.net/install/index.en.html); it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you (this is called a [man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.net/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download.
### Solution 2: Install from another Tails USB
This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.net/install/clone/pc/index.en.html) or [Mac](https://tails.net/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation.
## Booting from your Tails USB
Once you have a Tails USB, follow the Tails instructions [for booting Tails on a Mac or PC](https://tails.net/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on your laptop. The Boot Loader screen will appear and Tails will start automatically after several seconds.
@ -115,14 +115,14 @@ If you have Persistent Storage enabled, the passphrase to unlock it will appear
Tails is a simple operating system.
1. The Activities menu. Allows you to see an overview of your windows and applications. It also allows you to search for applications, files, and folders. You can also access Activities by sending your mouse to the top left corner of your screen or by pressing the Command/Window (❖) key.
1. The Activities menu. Allows you to see an overview of your windows and applications. It also allows you to search for applications, files, and folders. You can also access Activities by sending your mouse to the top left corner of your screen or by pressing the Command/Windows (❖) key.
2. The Applications menu. Lists available applications (software), organized by category.
3. The Places menu. Shortcuts to various folders and storage devices, which can also be accessed through the Files browser (**Applications → Accessories → Files**).
4. Date and time. Once connected to the Internet, all Tails systems around the world [share the same time](https://tails.net/doc/first_steps/desktop/time/index.en.html).
5. The Tor status indicator. Tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the Onion Circuits application from here. Check your Tor connection by visiting `check.torproject.org` in your Tor Browser.
5. The Tor status indicator. Tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the Onion Circuits application from here. Check your Tor connection by visiting `check.torproject.org` in the Tor Browser.
6. The "Universal Access" button. This menu allows you to enable accessibility software such as the screen reader, visual keyboard, and large text display.
7. Choice of keyboard layouts. An icon showing the current keyboard layout (in the example above, en for an English layout). Clicking it provides options for other layouts selected at the Welcome Screen.
8. The System menu. From here, you can access the volume and screen brightness, the Wi-Fi and Ethernet connection (if connected), the battery status, and the restart and shutdown buttons.
7. Choice of keyboard layouts. An icon showing the current keyboard layout (in the example above, `en` for an English layout). Clicking it provides options for other layouts selected at the Welcome Screen.
8. The System menu. From here, you can access the volume and screen brightness, the Wi-Fi and Ethernet connection, the battery status, and the restart and shutdown buttons.
9. The Workspaces icon. This button toggles between multiple views of the desktop (called "workspaces”), which can help reduce visual clutter on a small screen.
If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the system menu, see the [troubleshooting documentation](https://tails.net/doc/anonymous_internet/no-wifi/index.en.html). Once you connect to Wi-Fi, a Tor Connection assistant will appear to help you connect to the Tor network. Select **Connect to Tor automatically**, unless you are in a country where you need to hide that you're using Tor (in which case you'll need to configure [a bridge](https://tails.net/doc/anonymous_internet/tor/index.en.html#hiding)).
@ -131,7 +131,7 @@ If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the syste
Tails is amnesiac by default. It will forget everything you have done as soon as you end the session. This isn't always what you want — for example, you may want to install additional software without needing to re-install it each time you start up. Tails has a feature called Persistent Storage, which allows you to save data between sessions. This is explicitly less secure, but necessary for some activities.
The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows a user to make some data persistent — that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**.
The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows you to make some data persistent — that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**.
A window will pop up asking you to enter a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for information on passphrase strength. You'll then [configure](https://tails.net/doc/persistent_storage/configure/index.en.html) what you want to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
@ -156,7 +156,7 @@ A window will pop up asking you to enter a passphrase; see [Tails Best Practices
* **Thunderbird Email Client**: The Thunderbird email inbox, feeds, and OpenPGP keys.
* **GnuPG**: The OpenPGP keys you create or import into GnuPG and Kleopatra.
* **Pidgin**: The account files of this chat application (using the XMPP protocol).
* **SSH Client**: SSH is used to connect to servers. All files related to SSH.
* **SSH Client**: All files related to SSH, a protocol used to connect to servers.
**Advanced Settings:**
@ -165,7 +165,7 @@ A window will pop up asking you to enter a passphrase; see [Tails Best Practices
To use Persistent Storage, you must unlock it on the Welcome Screen. If you want to change the passphrase, see the [documentation](https://tails.net/doc/persistent_storage/passphrase/index.en.html). If you ever forget your passphrase, it's impossible to recover it; you'll have to [delete](https://tails.net/doc/persistent_storage/delete/index.en.html) the Persistent Storage and start over.
In [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), we recommend against using Persistent Storage in most cases. Any files that need to be persistent can be stored on a second [LUKS-encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb) instead. Most Persistent Storage features do not work well with USBs that have a write-protect switch.
In [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), we recommend against using Persistent Storage in most cases; most Persistent Storage features do not work well with USBs that have a write-protect switch, any files stored on a Tails USB will leave forensic traces on it, and storing personal data on the Tails USB also prevents it from being compartmentalized when Persistent Storage is unlocked. Any files that need to be persistent can be stored on a second [LUKS-encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb) instead.
## Upgrading the Tails USB
@ -181,7 +181,7 @@ When an [automatic upgrade](https://tails.net/doc/upgrade/index.en.html) is avai
### The manual upgrade
Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.net/upgrade/tails/index.en.html).
Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades (which happen approximately every two years) or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.net/upgrade/tails/index.en.html).
# II) Going Further: Several Tips and Explanations
@ -193,17 +193,17 @@ Sometimes the upgrade window will tell you that you need to do a manual upgrade.
![](/posts/tails/tor.png)
Internet traffic, including the IP address of the final destination, is encrypted in layers like an onion. Each hop along the three relays removes one layer of encryption. Each relay only knows the relay before it and the relay after it (relay #3 knows that it came from relay #2 and that it goes to such-and-such a website, but not relay #1).
Internet traffic, including the IP address of the final destination, is encrypted in layers like an onion. Each hop along the three relays removes one layer of encryption. Each relay only knows the relay before it and the relay after it (the exit relay knows that it came from the middle relay and that it goes to such-and-such a website, but not the entry relay).
![See *anarsec.guide* for the animation.](/posts/tails/anonymous-browsing.gif)
This means that any intermediaries between you and relay #1 know that you're using Tor, but they don't know what site you're going to. Any intermediaries after relay #3 know that someone in the world is going to that site, but they don't know who it is. The site's web server sees you coming from the IP address of relay #3.
This means that any intermediaries between you and the entry relay know that you're using Tor, but they don't know what site you're going to. Any intermediaries after the exit relay know that someone in the world is going to that site, but they don't know who it is. The site's web server sees you coming from the IP address of the exit relay.
Tor has several limitations. For example, if someone with the technical and legal means believes you're connecting from a particular Wi-Fi connection to visit a particular site, they can try to match your Wi-Fi connection with what the website activity (a "correlation attack"). However, to our knowledge, this type of attack has never been used by itself to incriminate someone in court. For sensitive activities, use Internet connections that are not tied to your identity to protect yourself in case Tor fails.
### What is HTTPS?
Virtually all websites today use [HTTPS](/glossary/#https) — the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are visiting riseup.net, for example, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS.
Virtually all websites today use [HTTPS](/glossary/#https) — the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after the exit relay of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after the exit relay will know that you are visiting riseup.net, for example, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS.
If there's a yellow warning on the padlock, it means that some elements on the page you're viewing are not encrypted (they use HTTP), which could reveal the exact page or allow intermediaries to partially modify the page. By default, the Tor Browser uses HTTPS-Only Mode to prevent users from visiting HTTP sites.
@ -221,7 +221,7 @@ Have you ever seen a strange website address with 56 random characters ending in
Anyone can set up an .onion site. But why would they want to? Well, the server location is anonymized, so authorities cannot find out where the site is hosted in order to shut it down. When you send data to an .onion site, you enter the site's three Tor relays after the standard Tor circuit. So we have 6 Tor relays between us and the site; we know the first 3 relays, the site knows the last 3, and each Tor node only knows the relay before and after. Unlike a normal HTTPS website, it's all Tor encrypted from end to end.
This means that both the client (your laptop) and the server (where the site lives) remain anonymous, whereas with a normal website, only the client is anonymous. In addition to being more anonymous for the server, it is also more anonymous for the client: you never leave the Tor network, so it is not possible to intercept you after relay #3.
This means that both the client (your laptop) and the server (where the site lives) remain anonymous, whereas with a normal website, only the client is anonymous. In addition to being more anonymous for the server, it is also more anonymous for the client: you never leave the Tor network, so it is not possible to intercept you after the exit relay.
The .onion site address is long because it includes the site's certificate. HTTPS is unnecessary; security depends on knowing the site's .onion address.
@ -233,7 +233,7 @@ Some sites block users who visit through the Tor network, or otherwise make it i
![](/posts/tails/new_identity.png)
The site may only block certain Tor relays. In this case, you can change the Tor exit node being used for this site: click the **≣ → "New Tor circuit for this site"** button. The Tor circuit (path) will only change for the one tab. You may need to do this several times in a row if you're unlucky enough to encounter multiple banned relays.
The site may only block certain Tor relays. In this case, you can change the Tor exit node being used for this site: click the **≣ → "New Tor circuit for this site"** button. The Tor circuit (path) will change for the current tab, including other open tabs or windows from the same website. You may need to do this several times in a row if you're unlucky enough to encounter multiple banned relays.
Since all Tor relays are public, it is also possible that the site is blocking the entire Tor network. In this case, you can try using a proxy to access the site, such as `https://hide.me/en/proxy` (but only if you don't have to enter personal information like login credentials). You can also check if the page you want to access has been saved to the Wayback Machine: `web.archive.org`.
@ -257,7 +257,7 @@ The layout of some pages may be changed, and some types of content may be disabl
### Downloading/uploading and the Tor Browser folder
The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prevent it from snooping on all your files a malicious site compromised it. This means there are special considerations when uploading or downloading files using the Tor Browser.
The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prevent it from snooping on all your files if a malicious site compromised it. This means there are special considerations when uploading or downloading files using the Tor Browser.
#### Downloading
@ -267,7 +267,7 @@ When you download something using the Tor Browser, it is stored in the Tor Brows
#### Uploading
Similarly, if you want to upload something using the Tor Browser (for example, to include a file in a blog post), you will first need to move or copy the file to the Tor Browser folder. Then it will be available when you select an upload in the Tor Browser.
Similarly, if you want to upload something using the Tor Browser (for example, to include a file in a blog post), you will first need to move or copy the file to the Tor Browser folder. Then it will be available when you select the file to upload in the Tor Browser.
#### RAM
@ -277,11 +277,11 @@ Be aware that if you are downloading or otherwise working with very large files,
![](/posts/tails/onionshare.png)
It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.net/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). By default, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to the settings and uncheck "Stop sharing after first download". As soon as you close OnionShare, disconnect from the Internet, or shut down Tails, the files will no longer be accessible. This is a great way to share files because it doesn't require you to plug a USB into someone else's computer, which we [don't recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared through another channel (such as a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type).
It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.net/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). By default, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to the settings and uncheck "Stop sharing after first download". As soon as you close OnionShare, disconnect from the Internet, or shut down Tails, the files will no longer be accessible. This is a great way to share files because it doesn't require you to plug a USB into someone else's computer, which we [don't recommend](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared through another channel (such as a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type).
### Make Correlation Attacks More Difficult
When you request a web page through a web browser, the site's server sends it to you in small "packets" that have a specific size and timing (among other characteristics). When using the Tor Browser, the sequence of packets can also be analyzed to look for patterns that can be matched to those of websites. To learn more, see ["1.3.3. Passive Application-Layer Traffic Patterns"](https://spec.torproject.org/proposals/344-protocol-info-leaks.html). Tor [plans to fix this issue in the future](https://gitlab.torproject.org/tpo/team/-/wikis/Sponsor-112).
When you request a web page through a web browser, the site's server sends it to you in small "packets" that have a specific size and timing (among other characteristics). When using the Tor Browser, the sequence of packets can also be analyzed to look for patterns that can be matched to those of websites. To learn more, see ["1.3.3. Passive Application-Layer Traffic Patterns"](https://spec.torproject.org/proposals/344-protocol-info-leaks.html). Tor [plans to mitigate this issue in the future](https://gitlab.torproject.org/tpo/team/-/wikis/Sponsor-112).
To make this ["correlation attack"](/glossary/#correlation-attack) more difficult, disable JavaScript by using Tor Browser on the **Safest** setting.
@ -293,7 +293,7 @@ Tails comes with [many applications](https://tails.net/doc/about/features/index.
## Password Manager (KeePassXC)
When you need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Application → Favorites → KeePassXC**) that allows you to store your passwords in a file and protect them with a single master password.
When you need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Applications → Favorites → KeePassXC**) that allows you to store your passwords in a file and protect them with a single master password.
We recommend that you compartmentalize your passwords — have a different KeePassXC file for each separate project. They can share the same Master Password — the point of compartmentalization is that only one project's passwords are unlocked at any given time. If the Tails session is compromised, the adversary won't get all of your passwords in one fell swoop, just the ones that are currently unlocked.
@ -321,13 +321,13 @@ However, it can take weeks or years before that space is actually used for new f
There are two types of storage: magnetic (HDD) and flash (SSD, NVMe, USB, memory cards, etc.). The only way to erase a file on either is to [reformat the entire drive](/posts/tails/#how-to-create-an-encrypted-usb) and select **Overwrite existing data with zeros**.
However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (i.e. thermite) to be effective.
However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (e.g. thermite) to be effective.
For flash memory drives (USBs, SSDs, SD cards, etc.), use pliers to break the circuit board out of the plastic casing. Use a high-quality house-hold blender to shred the memory chips, including the circuit board, into pieces that are ideally less than two millimeters in size. This blender should not be used for food afterwards, even after cleaning it.
For flash memory drives (USBs, SSDs, SD cards, etc.), use pliers to break the circuit board out of the plastic casing. Use a high-quality house-hold blender to shred the memory chips, including the circuit board, into pieces that are ideally less than two millimeters in size. This blender should not be used for food afterwards, because cleaning it will not adequately remove toxic traces.
## How to create an encrypted USB
Store data only on encrypted drives. This is necessary if you want to use a separate LUKS USB instead of Persistent Storage on the Tails USB. [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to **Applications → Utilities → Disks**.
Store data only on encrypted drives. This is necessary if you want to use a separate LUKS USB instead of Persistent Storage on the Tails USB as advised in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to **Applications → Utilities → Disks**.
* When you insert the USB, a new "device" should appear in the list. Select it and make sure that the description (brand, name, size) matches your device. Be careful not to make a mistake!
* Format it by clicking **≣ → Format the disk**.
@ -393,16 +393,16 @@ If the Tails Boot Loader page appears, try booting into Tails troubleshooting mo
After an upgrade or otherwise, Tails no longer starts on your computer. You have three options:
1) See if the [Tails news page](https://tails.net/news/index.en.html) mentions any problems with the upgrade.
2) Perform a manual upgrade, which may be necessary if the computer was turned off before an automatic upgrade was complete.
2) [Perform a manual upgrade](/posts/tails/#the-manual-upgrade), which may be necessary if the computer was turned off before an automatic upgrade was complete.
3) If the first two solutions don't work, the USB is too old, of poor quality, or has been broken. If you need to recover data from Persistent Storage, plug that USB into a Tails session using another USB. It will appear as a normal USB that you will need to unlock with your password. If you can't access your data on another Tails USB that has Persistent Storage enabled, your USB may be dead.
***I can't connect to a public Wi-Fi network with an authentication page (a captive portal)***
If you need to connect to Wi-Fi using a captive portal, you must enable Unsafe Browser. Connect to Wi-Fi, and then open **Applications → Internet → Unsafe Browser**. You enter the URL of a site that isn't sketchy to access the authentication page. Once you've completed the captive portal page, wait until Tor is ready, and then close the unsafe browser.
If you need to connect to Wi-Fi using a captive portal, you must enable Unsafe Browser in the Welcome Screen. Connect to Wi-Fi, and then open **Applications → Internet → Unsafe Browser**. You enter the URL of a site that isn't sketchy (e.g. wikipedia.org) to access the authentication page. Once you've completed the captive portal page, wait until Tor is ready, and then close the unsafe browser.
***What if I run out of space on a USB?***
If you run out of space on a USB drive, or if you see less data than you actually have on your USB, check "Show hidden files" in the file browser. There you will see new files named .something. The file .Trash-10xx is taking up space (and if you select "Move to Trash" it will be removed completely). Don't change any other hidden files.
If you run out of space on a USB drive, or if you see less data than you actually have on your USB, check "Show hidden files" in the file browser. There you will see new files named `.something`. The file `.Trash-10xx` is taking up space (and if you right-click on it and select "Move to Trash" it will be removed completely). Don't change any other hidden files.
***A file always opens in read-only mode or does not open at all?***