mirror of https://0xacab.org/anarsec/anarsec.guide.git, synced 2025-06-27 07:50:31 -04:00

graphene update
parent af1bc7fc97
commit 49f323d16c
4 changed files with 54 additions and 35 deletions

@ -19,19 +19,19 @@ While [anarchists should minimize the presence of phones in their lives](/posts/
# What is GrapheneOS?
GrapheneOS is a security-focused version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) have irrevocable access to your files, call logs, location, etc.). GrapheneOS uses hardware-based security to [make it far more difficult](https://grapheneos.org/faq#encryption) to bypass the disk encryption, it is significantly [hardened](/glossary#hardening) against hacking, and it removes all Google apps and services by default. There are other alternative Android operating systems, [but they don't have comparable security](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of privacy and security improvements over standard Android.
GrapheneOS is a security-focused version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) has irrevocable access to your files, call logs, location, etc.). GrapheneOS removes all Google apps and services by default, uses hardware-based security to [make it far more difficult](https://grapheneos.org/faq#encryption) to bypass the disk encryption, and it is significantly [hardened](/glossary#hardening) against hacking. There are other alternative Android operating systems, [but they don't have comparable security](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of privacy and security improvements over standard Android.
Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/), cell phones connecting to cell towers give the provider a history of your geolocation. For this reason, we recommend that you leave your smartphone at home and use it like a landline, connecting to the Internet via Wi-Fi in airplane mode, rather than using a SIM card to connect through cell towers. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Furthermore, it's not enough to only leave your phone at home when you're going to a demo or action, as this will [stand out](/posts/nophones/#metadata-patterns) as an outlier and serve as an indication of conspiratorial activity in that time window.
# Installation
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS — see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, [making it substantially harder to remotely exploit user installed apps like Signal](https://grapheneos.social/@GrapheneOS/111479318824446241).
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS — see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, making it substantially harder to remotely exploit user installed apps such as Signal which has a ["massive amount of remote attack surface"](https://grapheneos.social/@GrapheneOS/111479318824446241).
Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
Starting with the Pixel 6, Pixel devices will receive at least 5 years of security updates from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released — for example, the Google Pixel 6a after the Pixel 7 is released.
[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems that you can install from.
The first time you boot Graphene, it will ask you if you want to connect to Wi-Fi. Don't, we need to do [hardware-based attestation](/posts/grapheneos/#auditor) first. Never set up fingerprint authentication. Set a [strong password](/posts/tails-best/#passwords).
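Review bot: the rewritten Pixel 8 sentence needs a hyphen and a comma: "user installed apps such as Signal which has" should read "user-installed apps such as Signal, which has", since the clause about attack surface is non-restrictive; the phrase was already unhyphenated before this change, so now is the moment to fix it. In the installation paragraph, "If you are uncomfortable with command line" reads better as "with the command line", matching "using a web browser or the command line" earlier in the same line.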
@ -45,11 +45,11 @@ There is no official support for installing from Qubes OS, but it is possible wi
</summary>
<br>
*These instructions assume that your sys-usb qube is disposable, which is the default in the [post-installation settings](/posts/qubes/#getting-started).*
*These instructions assume that your sys-usb qube is disposable, which is the default in the [post-installation settings](/posts/qubes/#getting-started), and that it uses a Debian template.*
* In a disposable Whonix-Workstation qube, open the [command line installation guide](https://grapheneos.org/install/cli) using Tor Browser.
* You will read "Installing from an OS in a virtual machine is not recommended. USB passthrough is often not reliable." This means we will be doing everything from sys-usb, which does not use USB passthrough. If you set sys-usb to be disposable when you installed Qubes OS, it will be reset after a reboot.
* For simplicity, we will temporarily enable networking in sys-usb. It is also possible to keep sys-usb offline by copying platform-tools and the factory image from a whonix disposable into sys-usb, and getting udev rules from [Github](https://github.com/M0Rf30/android-udev-rules) instead of apt. In the **Settings → Basic** tab of sys-usb, make the following changes:
* For simplicity, we will temporarily enable networking in sys-usb. It is also possible to keep sys-usb offline by copying platform-tools and the factory image from the disposable Whonix-Workstation qube into sys-usb, and getting udev rules from [Github](https://github.com/M0Rf30/android-udev-rules) instead of apt. In the **Settings → Basic** tab of sys-usb, make the following changes:
* Private storage max size: 10.0 GB
* Net qube: sys-firewall
* Press **Apply**
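Review bot: "Github" in the udev-rules sentence should be "GitHub", matching the "GitHub Releases page" wording used later in this file. The added Debian-template assumption is the right fix, because "instead of apt" only makes sense for a Debian-based sys-usb; while touching this bullet, say in one clause what the udev rules are for, since the text currently names apt and the GitHub repository as sources without saying why the rules are needed.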
@ -71,31 +71,33 @@ GrapheneOS uses [gesture navigation](https://grapheneos.org/usage#gesture-naviga
# Auditor
In the post-installation instructions, **Hardware-based attestation** is the last step. The Auditor app included in GrapheneOS uses hardware security features to monitor the integrity of the device's firmware and OS software. This is critical because it will alert you if the device is maliciously tampered with. Note that Auditor doesn't necessarily check whether the user-level apps running on your device are malicious. The Auditor app must be configured immediately after GrapheneOS is installed, before any Internet connection is made.
In the post-installation instructions, **Hardware-based attestation** is the last step. The Auditor app included in GrapheneOS uses hardware security features to monitor the integrity of the device's firmware and OS software. This is critical because it will alert you if these components of the device are maliciously tampered with. Note that Auditor doesn't necessarily check whether the user-level apps running on your device are malicious. The Auditor app must be configured immediately after GrapheneOS is installed, before any Internet connection is made.
How does it work? Your new device is the *auditee*, and the *auditor* can be either another instance of the Auditor app on a friend's phone or the [Remote Attestation Service](https://attestation.app/); we recommend doing both. The *auditor* and *auditee* pair to create a private key, and if the *auditee's* operating system is tampered with after the pairing is complete, the *auditor* will be alerted.
How does it work? Your new device is the *auditee*, and the *auditor* can be either another instance of the Auditor app on a friend's phone or the [Remote Attestation Service](https://attestation.app/) — we recommend doing both. The *auditor* and *auditee* pair to create a private key, and if the *auditee's* operating system is tampered with after the pairing is complete, the *auditor* will be alerted during the next test.
First, immediately after installing the device and before connecting to the Internet, [perform a "local verification"](https://attestation.app/tutorial#local-verification). This requires the presence of a friend whom you see semi-regularly and who has the Auditor app (on any Android device). The first pairing will show a brown background, and subsequent audits will show attestation results with a green background if nothing is remiss. There is no remote connection established between the phones of the auditor and auditee; you must perform these verifications in person.
We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, and then turn on Wi-Fi. This "will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio." Leave airplane mode on at all times — otherwise the phone will interact with cellular networks even if there is no SIM card the phone.
We recommend using the phone as a Wi-Fi only device. Turn on airplane mode. It "will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio." Leave airplane mode enabled at all times — otherwise the phone will interact with cellular networks even if there is no SIM card in the phone.
You are now ready to connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up a [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. The default delay until alerts is 48 hours; if you know your phone will be off for a longer period, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home while traveling), simply ignore the notification emails. You can always log back in to view your attestation history.
You are now ready to connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up a [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. You can always log back in to view your attestation history. The default delay until alerts is 48 hours; if you know your phone will be off for a longer period, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home while traveling), simply ignore the notification emails.
# User Profiles
User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) compartmentalizes your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from each other — if one is compromised, the others aren't necessarily.
The Owner user profile is the default profile that is present when you turn on the phone. You can create additional user profiles. Each profile is [encrypted](/glossary/#encryption) with its own encryption key and cannot access the data of other profiles. Even the device owner cannot view the data of other profiles without knowing their password. A shortcut for switching between different user profiles is located at the bottom of Quick Settings (accessible by swiping down twice from the top of the screen). When you press **End session** on a profile, that profile's data is encrypted at rest.
The Owner user profile is the default profile that is present when you turn on the phone. You can create additional user profiles. Each profile is [encrypted](/glossary/#encryption) with its own encryption key and cannot access the data of other profiles. Even the device owner cannot view the data of other profiles without knowing their password.
We'll now create a second user profile for all applications that don't require Google Play services:
* **Settings → System → Multiple users**, press **Add user**. You can name it Default and press **Switch to Default**.
* Set a password that is different from your Owner user profile password.
* Choose either the combination of a weak password + small locking time (trusting the rate-limiting of password attempts [enforced by the secure element](https://grapheneos.org/faq#encryption)), or a [strong password](/posts/tails-best/#passwords) + longer locking time (if rate-limiting is bypassed through a firmware vulnerability this is still a strong password, but the profile data is vulnerable if the device is left unattended). Keep in mind that if police ever seize your device (such as during a daytime house raid), it should ideally be turned off, and at minimum, it should be locked (which starts the countdown to the Auto-reboot feature mentioned below).
* This is the profile that you will be regularly unlocking throughout the day. This means that you only have to enter the Owner password upon boot, which allows it to be very strong. For the Default password, choose either the combination of a weak password + a short locking time, or a [strong password](/posts/tails-best/#passwords) + a longer locking time. The first option puts trust in the rate-limiting of password attempts [enforced by the secure element](https://grapheneos.org/faq#encryption). The second option doesn't put trust in the rate-limiting, given it could be bypassed through a secure element vulnerability, but has the trade-off that the profile data is vulnerable if the device is left unattended while unlocked. You can also have a strong password + a short locking time if you don't unlock the device many times a day. Keep in mind that if police ever seize your device (such as during a daytime house raid), it should ideally be turned off, and at minimum, it should be locked (which starts the countdown to the Auto reboot feature mentioned below).
* In the Default user profile, you can set the locking time with **Settings → Security → Screen lock settings → Lock after screen timeout**, and the screen timeout with **Settings → Display → Screen timeout**.
Later, we will optionally create a third user profile for applications that require Google Play services.
When you press **End session** on a profile, that profile's data is encrypted at rest. A shortcut for switching between different user profiles is located at the bottom of Quick Settings (accessible by swiping down twice from the top of the screen).
To reiterate, the user profiles and their purposes are:
**1) Owner**
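Review bot: the airplane-mode quotation in the rewritten "Wi-Fi only device" paragraph ("will fully disable the cellular radio transmit and receive capabilities...") still has no source link, while the other quotations in this file (the CLI install note, the Sandboxed Google Play sentence) link to where they come from; add the link so a reader can check the claim that the phone talks to cellular networks even with no SIM card. Two smaller points in the same hunk: the expanded Default-password bullet now says rate-limiting "could be bypassed through a secure element vulnerability" where the removed text said "firmware vulnerability", so make sure the linked FAQ supports the narrower wording; and the new text writes "Auto reboot" unhyphenated, which matches the **Settings → Security → Auto reboot** path used later, so keep that form everywhere rather than the removed "Auto-reboot".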
@ -114,9 +116,9 @@ To reiterate, the user profiles and their purposes are:
The GrapheneOS app store contains the standalone applications developed by the GrapheneOS project, such as Vanadium, Auditor, Camera, and PDF Viewer. These are automatically updated.
To install additional software, avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/en/android/#f-droid). GrapheneOS has a [Sandboxed Google Play](https://grapheneos.org/features#sandboxed-google-play) that can be installed through the GrapheneOS app store: "Google Play receives absolutely no special access or privileges on GrapheneOS". Alternatively, you can use the [Aurora Store](https://www.privacyguides.org/en/android/#aurora-store), though it has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
To install additional software, avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/en/android/#f-droid). GrapheneOS has a [Sandboxed](/glossary/#sandboxing) Google Play that can be installed through the GrapheneOS app store: ["Google Play receives absolutely no special access or privileges on GrapheneOS."](https://grapheneos.org/features#sandboxed-google-play) Alternatively, you can use the [Aurora Store](https://www.privacyguides.org/en/android/#aurora-store), though it has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
The approach we will take is that all applications needed in any user profile will be installed in the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all installed applications (except the VPN) will be "disabled". Then we'll use the **Install available apps** feature to delegate apps to the secondary profiles that you need them in. Automatic updates in the Owner user profile will also automatically be applied to the secondary user profiles.
The approach we will take is that all applications needed in the Default user profile will be installed in the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all installed applications (except the VPN) will be "disabled", because we only use these applications from the Default user profile. Then we'll use the **Install available apps** feature to delegate apps to the Default user profile.
To install and configure Sandboxed Google Play:
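Review bot: the rewritten "approach we will take" paragraph drops the sentence "Automatic updates in the Owner user profile will also automatically be applied to the secondary user profiles", which is the whole reason for installing everything in Owner and delegating it; without it the reader only learns this much later, in the settings bullet about disabling app installs in secondary profiles. Keep a short version here, for example "Apps delegated this way are updated from the Owner user profile." Narrowing the paragraph to the Default profile is fine, since the Google profile section below says Sandboxed Google Play is installed separately there.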
@ -139,21 +141,23 @@ Now we will delegate apps to the profiles they are needed in:
## Software That Isn't On the Play Store
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself). [Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to the profiles it is needed in. Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself), and you must [verify them yourself](https://github.com/soupslurpr/AppVerifier).
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal without [Google software](https://github.com/mollyim/mollyim-android#free-and-open-source) and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium, press **Add App**, then copy the Github Releases URL. Obtanium will be able to install the app, and if there is a new version, you will get a system notification and an update icon next to it, and you will need to update it manually.
[Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and it is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases) — `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to a secondary profile. Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal without [Google software](https://github.com/mollyim/mollyim-android#free-and-open-source) and it is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium, press **Add App**, then copy the Github Releases URL.
## Software That Requires Google Play Services
If there is an app you want to use that requires Google Play services, create a specific user profile for it from the Owner user profile. This is also a good way to isolate any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. If you create a Google user profile, you will need to install and configure Sandboxed Google Play in it.
If there is an app you want to use that requires Google Play services, create another secondary user profile for it. This is also a good way to isolate any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. You will need to install and configure Sandboxed Google Play in this "Google" user profile.
Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid the need for this Google user profile.
# VoIP
A Wi-Fi only smartphone doesn't require a service plan. As explained in [Kill the Cop in Your Pocket](/posts/nophones#bureaucracy), bureaucracies often require a phone number that can be called from a normal phone (without encryption). [VoIP](/glossary#voip-voice-over-internet-protocol) applications allow you to create a number and make calls over Wi-Fi rather than through cell towers. A phone number is also occasionally required for applications such as [Signal registration](/posts/e2ee/#signal), and a VoIP number will usually work.
A Wi-Fi only smartphone doesn't require a service plan. As explained in [Kill the Cop in Your Pocket](/posts/nophones#bureaucracy), bureaucracies often require a phone number that can be called from a normal phone (without encryption). [VoIP](/glossary#voip-voice-over-internet-protocol) applications allow you to create a number and make calls over Wi-Fi rather than through cell towers. A phone number is also occasionally required to register for an application, and a VoIP number will usually work.
Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones; the main advantage is that you can hear the phone ringing even when your computer is turned off. The [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) VoIP service works well with their [Cheogram client](https://cheogram.com/) and can be paid for in Bitcoin. There are also mobile-only paid options such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360020177133-Why-isn-t-MySudo-working-in-my-country-)). A MySudo subscription can be purchased anonymously with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is probably unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services.
Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones. The [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) VoIP service can be paid for in Bitcoin, and it can be used with their [Cheogram app](https://cheogram.com/). There are also mobile-only paid options such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360020177133-Why-isn-t-MySudo-working-in-my-country-)). A MySudo subscription can be purchased anonymously with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is probably unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services.
# Tor
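Review bot: "Obtanium" is misspelled in the Molly-FOSS example ("In Obtanium, press **Add App**") and should be "Obtainium" as in the paragraph above; "Github Releases" should likewise be "GitHub Releases" to match the link text used for Obtainium itself. The new clause "you must [verify them yourself]" links to AppVerifier but never says what is verified or when, so one clause (what to compare and that it happens before installing the .apk) would make the step actionable. Dropping the notification sentence from the example is fine now that the Obtainium paragraph says it notifies you, but the example now stops at "copy the Github Releases URL"; end it with the step that completes adding the app so the reader knows they are done.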
@ -161,15 +165,22 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
# Recommended Settings and Habits
* [Owner user profile] **Settings → Security → Auto reboot:** 18 hours or less
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile — apps installed in a secondary user profile delegated from the Owner profile will still be updated.
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
Turn off the phone overnight and when you leave it at home. [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective when the device is turned off. Additionally, if the operating system is compromised by [malware](/glossary/#malware) a reboot can [clean the malware from your system](https://www.privacyguides.org/en/os/android-overview/#verified-boot), so it is best practice to shut down the device daily.
In the Owner user profile:
* **Settings → Security → Auto reboot:** 18 hours or less
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again. It will reboot overnight if you forget to turn it off. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
* **Settings → Security → USB-C Port:** [Charging-only or Off](https://grapheneos.social/@GrapheneOS/112204446073852302)
* Once you have all the applications you need in a secondary user profile, disable app installation in that profile — apps that are delegated to a secondary user profile from the Owner profile (via "Install available apps", as described above) will still be updated.
* **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
* It is convenient to be able to receive notifications from any user profile:
* [Owner user profile] **Settings → System → Multiple users:** Send notifications to current user (enabled)
* **Settings → System → Multiple users:** Send notifications to current user (enabled)
In all profiles:
* Leave the Global Toggles for Bluetooth, location, camera access, and microphone access disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
|
||||
* When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
|
||||
|
||||
|
@ -177,7 +188,7 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
|
|||
|
||||
Don’t use cloud backups. You can't trust the corporate options, and they're the easiest way for the police to access your data. If you must back up your phone, back it up to your encrypted computer.
|
||||
|
||||
GrapheneOS currently offers Seedvault as a backup solution, but it's not very reliable. As the [documentation notes](https://grapheneos.org/faq#file-transfer), connecting directly to a computer requires "needing to trust the computer with coarse-grained access", so it is best to avoid it. Instead, you can manually back up files by copying them to a USB-C flash drive using the Files app, or sending them to yourself using an [encrypted messaging app](/posts/e2ee/).
|
||||
GrapheneOS currently offers [Seedvault](https://grapheneos.org/features#encrypted-backups) as a backup solution, but it's not very reliable. As the [documentation notes](https://grapheneos.org/faq#file-transfer), connecting directly to a computer requires "needing to trust the computer with coarse-grained access", so it is best to avoid it. Instead, you can manually back up files by copying them to a USB-C flash drive using the Files app, or sending them to yourself using an [encrypted messaging app](/posts/e2ee/).
|
||||
|
||||
# Password Management
|
||||
|
||||
|
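Review bot: the flash-drive alternative in the new Seedvault line contradicts two things this same page says. `Don’t use cloud backups. ... If you must back up your phone, back it up to your encrypted computer.` requires an encrypted destination, but `copying them to a USB-C flash drive using the Files app` says nothing about encrypting the drive, so the reader ends up with a plaintext copy of files the phone protects at rest; and the earlier entry `**Settings → Security → USB-C Port:** Charging-only or Off` disables USB data, so a flash drive will not mount until that setting is temporarily changed back, which the step should say. Also, now that Seedvault is linked from the features page that advertises it as encrypted backup, "it's not very reliable" should say what fails (or link the issue) rather than stand as a bare opinion next to that link.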
@ -187,7 +198,7 @@ If you feel you need a password manager, [KeePassDX](https://www.privacyguides.o
|
|||
2) The Default user profile
|
||||
3) (Optional) Apps like [Cwtch](/posts/e2ee/#cwtch) and [Molly](/posts/e2ee/#signal) have their own passwords.
|
||||
|
||||
Be sure to turn off the phone overnight and when you leave it at home. If the police get access when the phone is turned on (at a lock-screen), the "Auto reboot" setting will turn it off before they have much time to try a [brute-force attack](/glossary/#brute-force-attack). For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords).
|
||||
For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords).
|
||||
|
||||
# Linux Desktop Phones
|
||||
|
||||
|
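Review bot: the replacement drops operational advice, not just the duplicated password-quality pointer. The removed line carried `Be sure to turn off the phone overnight and when you leave it at home. If the police get access when the phone is turned on (at a lock-screen), the "Auto reboot" setting will turn it off before they have much time to try a brute-force attack`, and the new line keeps only `For advice on password quality, see [Tails Best Practices]`. The auto-reboot bullet earlier in this diff covers the overnight case ("It will reboot overnight if you forget to turn it off"), but the "when you leave it at home" advice and the brute-force rationale now appear nowhere in the visible diff; either move that sentence next to the auto-reboot bullet or keep it here.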
@ -195,10 +206,10 @@ Why recommend a Pixel over a Linux desktop phone? Linux desktop phones like the
|
|||
|
||||
# Wrapping Up
|
||||
|
||||
With the set-up described in this guide, if a cop starts with your name, they won’t be able to simply look it up in a cellular provider database to get your phone number. If you use the phone as a Wi-Fi only device and always leave it at home, it cannot be used to determine your movement profile and history. If you use a VoIP number, it's accessed through a VPN, so even if that number is known, it can't be used to locate you. All communications with comrades use [end-to-end encryption](/posts/e2ee/) so they do not aid in network mapping. Even if you are unlucky enough to be the target of a well-funded investigation, the hardened operating system makes it difficult to compromise with spyware, and such a compromise should be [detectable](/posts/grapheneos/#auditor).
|
||||
With the set-up described in this guide, if a cop starts with your name, they won’t be able to simply look it up in a cellular provider database to get your phone number. If you use the phone as a Wi-Fi only device and always leave it at home, it cannot be used to determine your movement profile and history. If you use a VoIP number accessed through a VPN, even if that number is known it can't be used to locate you. All communications with comrades use [end-to-end encryption](/posts/e2ee/) so they do not facilitate [network mapping](https://notrace.how/threat-library/techniques/network-mapping.html). Even if you are unlucky enough to be targeted by a well-funded investigation, the hardened operating system makes it difficult to compromise with spyware, and such a compromise should be [detectable](/posts/grapheneos/#auditor).
|
||||
|
||||
By storing the phone in a tamper-evident manner when it's not in use, you'll be able to tell if it's been physically accessed. See the guide [Make Your Electronics Tamper-Evident](/posts/tamper/).
|
||||
|
||||
The [forum](https://discuss.grapheneos.org/) is generally very helpful for any remaining questions you may have.
|
||||
The GrapheneOS [forum](https://discuss.grapheneos.org/) is generally very helpful for any remaining questions you may have.
|
||||
|
||||
For information on burner phones, see the [No Trace Project](https://notrace.how/threat-library/mitigations/anonymous-phones.html).
|
||||
|
|
|
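Review bot: `If you use a VoIP number accessed through a VPN, even if that number is known it can't be used to locate you.` claims more than the setup supports: the VoIP provider sees the VPN exit address, so locating you then depends on the VPN not logging or not being compelled, and the sentence should say so (it also needs a comma after "known"). Same for the last sentence: `such a compromise should be [detectable](/posts/grapheneos/#auditor)` points at Auditor, which attests the boot chain and OS integrity and so catches a persistent OS-level compromise, not spyware that lives only inside an app or in memory until the next reboot; "a persistent compromise should be detectable" is the defensible wording.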
@ -14,7 +14,7 @@ a4="tails-best-a4.pdf"
|
|||
letter="tails-best-letter.pdf"
|
||||
+++
|
||||
|
||||
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary/#threat-model) — operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations. If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
|
||||
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary/#threat-model) — operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities like [claiming an action](https://notrace.how/resources/#how-to-submit-an-anonymous-communique). The [No Trace Project Threat Library](https://notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations. If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
|
||||
|
||||
<!-- more -->
|
||||
|
||||
|
@ -194,7 +194,7 @@ If its not possible to find a USB with a write-protect switch, you can alternati
|
|||
|
||||
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a random sequence of characters (letters, numbers and other symbols), while a [*passphrase*](/glossary/#passphrase) is a random sequence of words.
|
||||
|
||||
Never reuse a password/passphrase for multiple things ("password recycling") — KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** — when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary/#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
||||
Never reuse a password/passphrase for multiple things ("password recycling") — KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** — when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary/#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html) — this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
||||
|
||||
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (seven words).
|
||||
|
||||
|
|
|
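Review bot: `when the device is powered on, the password can be retrieved from memory` names the wrong secret. What a cold-boot or DMA attack recovers from the RAM of an unlocked LUKS volume is the volume master key (the passphrase only unwraps it and need not stay in memory), and that key opens the volume regardless of passphrase strength, so write "the encryption key". In the same sentence, `Any encryption can be brute-force attacked` overstates it: the attack is against the passphrase, which is exactly why the paragraph can go on to say Argon2id and a 128-bit passphrase make it impractical; "any passphrase" is the accurate subject. While in this file, the hunk header shows `If its not possible to find a USB with a write-protect switch` just above this paragraph: "its" should be "it's".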
@ -202,7 +202,7 @@ Tor has several limitations. For example, if someone with the technical and lega
|
|||
|
||||
### What is HTTPS?
|
||||
|
||||
Virtually all websites today use [HTTPS](/glossary/#https); the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are going to, for example, riseup.net, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS.
|
||||
Virtually all websites today use [HTTPS](/glossary/#https) — the S stands for "secure" (e.g., `https://www.anarsec.guide`). If you try to visit a website without `https://` in the Tor Browser, you will receive a warning before proceeding. If you see `http://` instead of `https://` in front of a website's address, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your credentials). HTTPS means that the digital record of what you do on the site you are visiting is protected by an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are going to, for example, riseup.net, but they will not have access to your emails and passwords, nor will they know if you are checking your emails or reading a random page on the site. A small padlock appears to the left of the site address when you are using HTTPS.
|
||||
|
||||
If there's a yellow warning on the padlock, it means that some elements on the page you're viewing are not encrypted (they use HTTP), which could reveal the exact page or allow intermediaries to partially modify the page. By default, the Tor Browser uses HTTPS-Only Mode to prevent users from visiting HTTP sites.
|
||||
|
||||
|
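Review bot: `all intermediaries after relay #3 of the Tor network know what you are exchanging with the website` leaves out the party that matters most: relay #3 is the exit relay, and it is the one that strips the last layer of Tor encryption and sees the plaintext HTTP request, credentials included, before anything after it does. Write "the exit relay (relay #3) and every intermediary after it", here and in the following riseup.net sentence. Smaller: the next paragraph's "HTTPS-Only Mode to prevent users from visiting HTTP sites" disagrees with this paragraph's "you will receive a warning before proceeding"; the mode warns and lets you continue, so the two sentences should use the same verb.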
@ -433,7 +433,7 @@ Sometimes the Synaptic Package Manager will refuse to install software. In this
|
|||
|
||||
# Best Practices
|
||||
|
||||
[Tails Best Practices](/posts/tails-best) are important to establish before using Tails for highly sensitive activities. To avoid overwhelming yourself, start by learning how to use Tails in basic ways, such as reading anarchist websites or writing texts. See the [Tails tag](/tags/tails/) for tutorials on topics like [removing identifying metadata from files](/posts/metadata/).
|
||||
[Tails Best Practices](/posts/tails-best) are important to establish before using Tails for highly sensitive activities like [claiming an action](https://notrace.how/resources/#how-to-submit-an-anonymous-communique). To avoid overwhelming yourself, start by learning how to use Tails in basic ways, such as reading anarchist websites or writing texts. See the [Tails tag](/tags/tails/) for tutorials on topics like [removing identifying metadata from files](/posts/metadata/).
|
||||
|
||||
*This article is heavily modified from* [TuTORiel Tails](https://infokiosques.net/spip.php?article1726) *(in French), and also includes some excerpts from* [Capulcu #1](https://capulcu.blackblogs.org/neue-texte/bandi/) *(in German).*
|
||||
|
||||
|
|
|
@ -30,6 +30,14 @@
|
|||
const elemAbsBottom = elemRect.bottom - bodyRect.top;
|
||||
const h = (window.innerHeight || document.documentElement.clientHeight);
|
||||
document.querySelector(".menu").style = "position: sticky; top: 48px;";
|
||||
const minScroll = tocIndex.offsetTop - document.querySelector(".menu").clientHeight + tocIndex.offsetHeight + 50;
|
||||
const maxScroll = tocIndex.offsetTop - tocIndex.offsetHeight - 50;
|
||||
if(document.querySelector(".menu").scrollTop < minScroll){
|
||||
document.querySelector(".menu").scrollTop = minScroll;
|
||||
}
|
||||
else if(document.querySelector(".menu").scrollTop > maxScroll){
|
||||
document.querySelector(".menu").scrollTop = maxScroll;
|
||||
}
|
||||
}
|
||||
|
||||
function activateIfVisible() {
|
||||
|
|
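Review bot: the clamp can invert and then flip-flop. `minScroll` is `tocIndex.offsetTop - document.querySelector(".menu").clientHeight + tocIndex.offsetHeight + 50` and `maxScroll` is `tocIndex.offsetTop - tocIndex.offsetHeight - 50`, so whenever `2 * tocIndex.offsetHeight + 100` exceeds the menu's `clientHeight` (a short sidebar, or a hidden menu with clientHeight 0) you get minScroll > maxScroll; the `if` / `else if` then raises scrollTop to minScroll on one call and lowers it to maxScroll on the next, jittering on every invocation. Guard with an early return when `minScroll > maxScroll`, or clamp to a single target. Two smaller points: `document.querySelector(".menu")` is evaluated six times per call and throws on any page without a `.menu` element (cache it once and null-check), and `.style = "position: sticky; top: 48px;"` replaces every inline style on the element, whereas `style.position = "sticky"; style.top = "48px";` sets only the two you mean.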