mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-25 15:45:48 -04:00
update remaining guides
parent 3ce6491c8f
commit 337f615dd3
3 changed files with 15 additions and 10 deletions
@ -70,12 +70,12 @@ This second issue is mitigated by **not using an Internet connection that could
* Wi-Fi adapters that work through SIM cards are not a good idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile network provider every time you connect, allowing identification as well as geographical localization. The adapter works like a cell phone! If you do not want different research sessions to be associated with each other, do not use such an adapter or the SIM card more than once!
* There are several opsec considerations to keep in mind if using Wi-Fi at a cafe without CCTV cameras.
* See [Appendix 2](#appendix-2-location-location-location) for more information on choosing a location.
* See [below](#appendix-2-location-location-location) for more information on choosing a location.
* Do not make a routine by using the same cafes repeatedly, if it can be avoided.
* If you need to buy a coffee to get the Wi-Fi password, pay in cash!
* Position yourself with your back against a wall so that nobody can 'shoulder surf' you to see your screen, and ideally install a privacy screen on the laptop.
* Maintain situational awareness, and be ready to pull out the Tails USB and power down the computer at a moment's notice. An individual responsible for a darknet marketplace had his Tails computer seized while distracted by a fake fight beside him. Similar tactics have been employed [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt by a short length of fishing line, the feds would have very likely lost all evidence when the Tails USB was yanked out - a more technical equivalent is [BusKill](https://docs.buskill.in/buskill-app/en/stable/introduction/what.html) (we don't recommend buying it through mail, which can be intercepted to make hardware [malicious](https://en.wikipedia.org/wiki/BadUSB)). You can also remove the laptop battery so that if the power cable is removed, the laptop immediately powers off. The Tails USB being removed will cause the screen to freeze on whatever was up last, and powering down the laptop will cause any LUKS USBs to be encrypted once [the RAM dissipates](https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense). If maintaining situational awareness feels unrealistic, consider asking a trusted friend to hang out who can dedicate themselves to this.
* If cafes without CCTV cameras are few and far between, you can try to access the Wi-Fi of a cafe from outdoors, outside of the view of their cameras. Some external Wi-Fi adapters will be able to catch signals that are further away, as discussed in [Appendix 2](#appendix-2-location-location-location).
* If cafes without CCTV cameras are few and far between, you can try to access the Wi-Fi of a cafe from outdoors, outside of the view of their cameras. Some external Wi-Fi adapters will be able to catch signals that are further away, as discussed [below](#appendix-2-location-location-location).
* If a determined adversary breaks Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic), the Internet address you had used in a cafe without CCTV cameras will only lead to your general area (for example, your city) because it is not associated with you, provided that you don't use it routinely. A correlation attack being used to deanonymize a Tor user is unprecedented in current evidence that has been used in court, though [it has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as supporting evidence once a suspect was already identified to correlate with. Correlation attacks are even less feasible against connections to an .onion address, because you never exit the Tor network, so there is no 'end' to correlate with.
* However, a more likely low-tech 'correlation attack' is possible by local law enforcement, starting from your identity rather than starting from your anonymous Internet activity, if you are already in their sights and a target of [physical surveillance](https://www.csrc.link/threat-library/techniques/physical-surveillance/covert.html). For example, if a surveillance operation notices that you go to a cafe regularly, and an anarchist website is always updated in those time windows, this pattern can indicate that you are moderating that website. Perhaps an undercover can even get a glance at your screen.
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) prior to heading to a cafe**, and changing Wi-Fi locations regularly, but this may not be particularly realistic for projects like moderating a website which require daily Internet access. Alternatively, mitigations can involve **using a Wi-Fi antenna from indoors** (guide forthcoming), **scheduling posts to be published later** (WordPress has this feature), or potentially even **using Tor from your home Internet** for some projects. This contradicts the prior advice, but using Tor from home will avoid creating a movement profile that is so easily physically observed (compared to a network traffic profile that is more technical to observe, and may be more difficult to draw meaningful conclusions from).
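Review bot: replacing the link text "Appendix 2" with "below" in the two rewritten bullets ("See [below](#appendix-2-location-location-location)" and "as discussed [below](#appendix-2-location-location-location)") makes the links less self-describing: the anchor still targets the appendix, so a reader following the fragment or hearing the link text via a screen reader no longer learns which section is meant, and "below" becomes wrong if the appendix is ever moved above these bullets. Suggest keeping the section name in the link text, e.g. "See [Appendix 2 below](#appendix-2-location-location-location)".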
@ -106,7 +106,7 @@ This second issue requires several mitigations. Let's start with some definition
* *Firmware* means software that's embedded in a piece of hardware; you can think of it simply as "software for hardware". It can be found in several different locations (hard drives, USB drives, graphics processor, etc).
* *BIOS* means the specific firmware that is responsible for booting your computer when you press the power button—this is a great place for [malware](/glossary/#malware) to hide because it is undetectable by the operating system.
Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, or the Tails software; [remote attacks](/glossary#remote-attacks) (through the Internet) and [physical attacks](/glossary/#physical-attacks) (through physical access). Not everyone will need to apply all of the advice below. For example, if Tails is only being used for anonymous Internet browsing and writen correspondence, some of this may be overkill. However, if Tails is being used to take responsibility for actions that are highly criminalized, a more thorough approach is likely relevant.
Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, or software; [remote attacks](/glossary#remote-attacks) (through the Internet) and [physical attacks](/glossary/#physical-attacks) (through physical access). Not everyone will need to apply all of the advice below. For example, if Tails is only being used for anonymous Internet browsing and writen correspondence, some of this may be overkill. However, if Tails is being used to take responsibility for actions that are highly criminalized, a more thorough approach is likely relevant.
#### To mitigate against physical attacks:
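Review bot: the rewritten sentence ("Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, or software; ...") carries the typo "writen" over from the old line; since the line is being touched anyway, fix it to "written". In the same line the two glossary links are inconsistent: "/glossary#remote-attacks" has no slash before the fragment while "/glossary/#physical-attacks" does, and the rest of the file uses the "/glossary/#..." form, so the first link should match it.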
@ -196,7 +196,7 @@ If you use Persistent Storage, that is another passphrase which will have to be
## Encrypted containers
[LUKS](/glossary#luks) is great, but 'defense-in-depth' can't hurt. If police seize your USB in a house raid, they can try to unlock it with a [brute-force attack to guess the password](/glossary#brute-force-attack), so a second layer of defense with a different encryption implementation can make sense for highly sensitive data.
[LUKS](/glossary#luks) is great, but 'defense-in-depth' can't hurt. If police seize your USB in a house raid, they can try to unlock it with a [brute-force attack](/glossary#brute-force-attack) to guess the password, so a second layer of defense with a different encryption implementation can make sense for highly sensitive data.
[Gocryptfs](https://nuetzlich.net/gocryptfs/) is an encrypted container program that is [available for Debian](https://packages.debian.org/bullseye/gocryptfs) and thus easy to install with Tails as [additional software](/posts/tails/#optional-create-and-configure-persistent-storage). If you don't want to have to reinstall it every session, Additional Software will need to be [configured in Persistent Storage](#using-a-write-protect-switch).
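Review bot: moving "to guess the password" out of the link text reads better, but the rewritten line still implies that a second encryption layer helps against a brute-force attack on its own; it only does so if the container's passphrase is different from, and as strong as, the LUKS passphrase, since reusing one passphrase gives the attacker nothing extra to guess. Suggest saying so explicitly, e.g. "a second layer of defense with a different encryption implementation and a different passphrase can make sense". In the trailing context, the link text "configured in Persistent Storage" points at "#using-a-write-protect-switch", which does not look like the anchor that text describes; please check it.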
@ -243,7 +243,7 @@ We will end by thinking about how an adversary would go about their [remote atta
You have probably already heard the advice to be skeptical of clicking links and opening attachments—this is why. To make matters more confusing, the "from" field in email can be forged to trick you—[PGP signing](/posts/e2ee/#pgp-email) mitigates against this to prove that the email actually comes from who you expect.
Sometimes the goal of phishing is to deliver a ['payload'](https://docs.rapid7.com/metasploit/working-with-payloads), which will call back to the adversary—it is the [initial access](https://attack.mitre.org/tactics/TA0001/) foothold to infecting your machine with malware. A payload can be embedded in a file and executed when the file is opened. For a link, a payload can be delivered through malicious javascript in the website that will allow the payload to execute on your computer. Tor should protect your location (IP address), but the adversary now has an opportunity to further their attack; to [make the infection persist](https://attack.mitre.org/tactics/TA0003/), to [install a screen or key logger](https://attack.mitre.org/tactics/TA0009/), to [exfiltrate your data](https://attack.mitre.org/tactics/TA0010/), etc. The reason that Tails has no default Administration password (it must be set at the Welcome Screen for the session if needed) is to make the [privilege escalation](https://attack.mitre.org/tactics/TA0004/) more difficult, which would be necessary to slip around Tor.
Sometimes the goal of phishing is to deliver a 'payload' which will call back to the adversary—it is the [initial access](https://attack.mitre.org/tactics/TA0001/) foothold to infecting your machine with malware. A payload can be embedded in a file and executed when the file is opened. For a link, a payload can be delivered through malicious JavaScript in the website that will allow the payload to execute on your computer. Tor should protect your location (IP address), but the adversary now has an opportunity to further their attack; to [make the infection persist](https://attack.mitre.org/tactics/TA0003/), to [install a screen or key logger](https://attack.mitre.org/tactics/TA0009/), to [exfiltrate your data](https://attack.mitre.org/tactics/TA0010/), etc. The reason that Tails has no default Administration password (it must be set at the Welcome Screen for the session if needed) is to make the [privilege escalation](https://attack.mitre.org/tactics/TA0004/) more difficult, which would be necessary to slip around Tor.
## Attachments
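Review bot: dropping the Metasploit documentation link leaves 'payload' as the only term in the rewritten sentence without a definition, while "initial access", "make the infection persist", "install a screen or key logger", "exfiltrate your data" and "privilege escalation" all link to MITRE ATT&CK and the file otherwise links terms to the glossary; if a glossary entry for payload exists or is added, link it with the "/glossary/#..." convention. Also, "malicious JavaScript in the website that will allow the payload to execute on your computer" reads as if JavaScript alone can run code on the machine; that only happens through a browser vulnerability, which is the 0-day case the next hunk discusses, so consider wording it as "through a browser exploit delivered by the website".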
@ -253,7 +253,7 @@ For untrusted attachments, you would ideally **sanitize all files that are sent
For untrusted links, there are two things to protect; your anonymity and your information. Unless the adversary has a 0-day exploit on Tor Browser or Tails, your anonymity should be protected **if you don't enter any identifying information into the website**. Your information can only be protected **by your behaviour**—phishing awareness allows you to think critically about whether this could be a phishing attack and act accordingly.
Examine untrusted links prior to clicking them by **manually copy and pasting the address into the browser**—don't click through a hyper-link because the text can be used to deceive what link it will take you to. **Never follow a shortened link** (e.g., a site like bit.ly which takes long web addresses and makes a short, typable one) because it cannot be examined prior to redirection. [Unshorten.me](https://unshorten.me/) can reveal any shortened link.
Examine untrusted links prior to clicking them by **manually copy and pasting the address into the browser**—don't click through a hyper-link because the text can be used to deceive what link it will take you to. **Never follow a shortened link** (e.g., a site like bit.ly which takes long web addresses and makes a short one) because it cannot be examined prior to redirection. [Unshorten.me](https://unshorten.me/) can reveal any shortened link.

@ -333,6 +333,8 @@ Some places in the world, like China, Japan, the UK, Singapore, the US, and even
Hacking is really a way of life. If you are truly committed to your cause, you should fully embrace it and avoid being sloppy at all costs.
<br>
[^1]: This applies to the IPv4 Internet protocol standard. Caution: In some company networks, this no longer applies!
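Review bot: the added footnote "[^1]: This applies to the IPv4 Internet protocol standard. Caution: In some company networks, this no longer applies!" does not say what "this" refers to, and the hunk does not show the "[^1]" reference that must exist in the body text; check that the reference is present and name the property being qualified in the footnote so it stands on its own when rendered at the bottom of the page. The added "<br>" is raw HTML in a markdown file; confirm the site generator renders it rather than escaping it, or use a blank line for the break as the rest of the file does.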