Initial commit
12
content/_index.md
Normal file
|
@ -0,0 +1,12 @@
|
|||
+++
|
||||
sort_by = "date"
|
||||
paginate_by = 10
|
||||
+++
|
||||
<br><center>
|
||||
<h3><b><a href="https://theanarchistlibrary.org/library/return-fire-vol-4-supplement-caught-in-the-net">Technology is a weapon used against us by the network of domination,</a><br> but maybe we can make the blade cut both ways.</b></h3>
|
||||
|
||||
---
|
||||
|
||||
* Want a quick overview of our advice for all comrades? [**See our recommendations**](/recommendations).
|
||||
* Don't know where to start? [**Tails for Anarchists**](/posts/tails/) is the guide with the most relevance to all anarchists. All incriminating digital activities should be accomplished with Tails (such as action research or writing communiques).
|
||||
* You can also check out a [**series of articles**](/series) or pick a [**tag**](/tags) that interests you.
|
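Review bot: the raw HTML at the top of this hunk opens `<center>` (`<br><center>` right after the closing `+++`) but nothing in the file closes it, so the centering leaks into the `---` rule and the bullet list that follow; add `</center>` after the `</h3>` line. Two smaller points: this front matter sets only `sort_by` and `paginate_by`, while the other `_index.md` files in this commit also set a `title`, so the home page has none for any template that reads it; and the Tails bullet states that "All incriminating digital activities should be accomplished with Tails" as an absolute, while the glossary in the same commit recommends Qubes OS for daily use, so pointing readers to the threat-model material (or to the recommendations page linked one bullet above) would make the claim defensible for readers with different adversaries.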
28
content/contact/_index.md
Normal file
|
@ -0,0 +1,28 @@
|
|||
+++
|
||||
title = "Contact"
|
||||
sort_by = "date"
|
||||
paginate_by = 5
|
||||
+++
|
||||
<br>
|
||||
|
||||
<div class="has-text-centered">
|
||||
<p>
|
||||
|
||||
**Email**: anarsec (at) riseup (dot) net
|
||||
|
||||
[PGP key](/anarsec.asc)
|
||||
|
||||
Our PGP public key can be verified at a second location [here](https://0xacab.org/anarsec/anarsec.guide/-/blob/no-masters/static/anarsec.asc) - commit history should display "Initial commit". WayBack Machine of PGP key: anarsec.guide / 0xacab.org
|
||||
|
||||
[Why we don't recommend email](/posts/e2ee/#pgp-email)
|
||||
|
||||
**Matrix**: @anarsec:riot.anarchyplanet.org
|
||||
|
||||
[What is Matrix?](/posts/e2ee/#element-matrix)
|
||||
|
||||
# Contribute
|
||||
|
||||
Anarsec encourages contributions! If you would like to suggest edits to a guide, get in touch with us, or submit an issue or merge request on [Riseup's Gitlab instance](https://0xacab.org/anarsec/anarsec.guide) - whatever is your preference.
|
||||
|
||||
We are also open to submitted guides - please get in touch with proposals.
|
||||
|
241
content/glossary/_index.md
Normal file
|
@ -0,0 +1,241 @@
|
|||
+++
|
||||
title = "Glossary"
|
||||
sort_by = "date"
|
||||
paginate_by = 5
|
||||
+++
|
||||
<br>
|
||||
|
||||
> This glossary defines terms often used in AnarSec articles.
|
||||
|
||||
### Asynchronous Communication
|
||||
|
||||
Both parties do not need to be online simultaneously, in contrast to [synchronous communication](#synchronous-communication). This relies on a server of some kind that will store messages until message recipients come online. This is the type of messaging that most people are familiar with (email, Signal, etc.).
|
||||
|
||||
### Backdoor
|
||||
|
||||
A backdoor in software or hardware allows an unauthorized party to bypass access control. For instance, an undocumented developer account in a router will enable developers of this product to bypass the login form. Third parties can also use backdoors to access software/hardware. Hackers want to establish backdoors, and so do police agencies.
|
||||
|
||||
### Brute-force attack
|
||||
|
||||
An attacker who “simply” tries every possible key to access a service or decrypt a file uses “brute force.” This process is called a brute-force attack. More efficient computers make brute-force attacks more feasible. Modern cryptographic protocols are designed to force an adversary (not in possession of the cryptographic key) to spend (close to) as much time as it would take to try every possible key to break the code. The parameters of a good protocol are chosen so that this amount of time is impractical.
|
||||
|
||||
### Checksums / Fingerprints
|
||||
Checksums are digital fingerprints: small-sized blocks of data derived from another block of digital data for the purpose of detecting any changes that may have been introduced. For example, when you download an operating system .iso file, a checksum will be listed that looks like: `sha512: 9f923361887ac4b1455bc5ae51c06f2457c6d(continued...)`. You can use [hash functions](https://open.oregonstate.education/defenddissent/chapter/cryptographic-hash/) like sha512 to create fingerprints. Essentially, this mathematical operation converts the 0s and 1s of the file into a unique "fingerprint". If a single 1 or 0 is changed, a completely different fingerprint will result, and it is often important to know whether a file has changed, such as when downloading the image file for an operating system. Fingerprints are often used in cryptography (e.g., in certificates or to verify [public keys](#public-key-cryptography) in general). [GtkHash](https://tails.boum.org/doc/encryption_and_privacy/checksums/index.en.html) is a program that allows you to calculate checksums without needing to use a command line interface.
|
||||
|
||||
### Command Line Interface (CLI)
|
||||
The 'command line' is an all-text alternative to using the graphical 'point and click' tool that most of us are more familiar with; the Command Line Interface (CLI) allows us to do some things that a Graphical User Interface (GUI) does not. Oftentimes, either a GUI or CLI would work and which you use is a matter of preference. For example, in [Tails](#tails), you can verify the [checksum](/glossary/#checksums-fingerprints) of a file with a GUI (the GtkHash program) or a CLI command (`sha256sum`).
|
||||
|
||||
[Tech Learning Collective's "Foundations: Command Line Basics" course](https://techlearningcollective.com/foundations/#foundations-command-line-basics) is our recommended introduction to CLI/terminal use.
|
||||
|
||||
### CVE
|
||||
|
||||
CVE stands for “Common Vulnerabilities and Exposures”. It is a globally unique identifier for [security vulnerabilities](#vulnerability) in software. Identifiers look like “CVE-YEAR-NUMBER.” The year included in the identifier is the year when the CVE ID was assigned, not the year when the vulnerability became publicly known.
|
||||
|
||||
### DDoS Attack
|
||||
A DDoS attack (Distributed Denial of Service attack) tries to overload or crash services on the targeted system by sending a large number of requests from numerous sources. The goal of DDoS attacks is to affect the availability of a service or system, e.g., making a web server unreachable for web browsers.
|
||||
|
||||
### Digital Signatures
|
||||
Digital signatures are based on [public-key cryptography](#public-key-cryptography). A private key is used to digitally sign data, while the corresponding public key is used by third parties to validate the signature. Before a public key is used to verify a signature, its authenticity should be verified.
|
||||
|
||||
To learn more, [check out this video](https://invidious.sethforprivacy.com/watch?v=s22eJ1eVLTU&listen=false). For a more detailed look, see [Defend Dissent: Authenticity through Cryptographic Signing](https://open.oregonstate.education/defenddissent/chapter/cryptographic-signing/) or our [GPG explanation](/posts/linux/#gpg-explanation).
|
||||
|
||||
### Doxxing
|
||||
|
||||
Publicly releasing private data about an individual or organization is called doxxing. Before publication, the person conducting doxing can use public databases, social media, or [social engineering](/glossary/#social-engineering) to acquire information.
|
||||
|
||||
### Encryption
|
||||
|
||||
Encryption is the process of scrambling a message so that it can only be unscrambled (and read) by the intended parties. The method by which you scramble the original message, or *plaintext*, is called the *cipher* or *encryption protocol*. In almost all cases, the cipher is not intended to be kept secret. The scrambled, unreadable, encrypted message is called the ciphertext and can be safely shared. Most ciphers require an additional piece of information called a *cryptographic key* to encrypt and decrypt (scramble and unscramble) messages.
|
||||
|
||||
For more info, see [symmetric cryptography](/glossary/#symmetric-cryptography), [asymmetric cryptograph](/glossary/#public-key-cryptography), or [Defend Dissent: What is Encryption?](https://open.oregonstate.education/defenddissent/chapter/what-is-encryption/)
|
||||
|
||||
### End-to-end encryption (e2ee)
|
||||
|
||||
The data is [encrypted](#encryption) while in transit from one device to another - ‘endpoint’ to ‘endpoint’, and cannot be decrypted by any intermediaries. It can only be decrypted by the endpoints. This is distinct from ‘encryption at rest’, like in [Full Disk Encryption](#full-disk-encryption-fde), where the data stored on your device is encrypted once the device is turned off. Both are important!
|
||||
|
||||
For more info, check out [Encrypted Messaging for Anarchists](/posts/e2ee), and [Defend Dissent: Protecting Your Communications](https://open.oregonstate.education/defenddissent/chapter/protecting-your-communications/).
|
||||
|
||||
### Exploit
|
||||
|
||||
An exploit is designed to exploit a [vulnerability](#vulnerability). Even worse (or better, depending on if you are the attacker or attacked) are [zero-day exploits](#zero-day-exploit).
|
||||
|
||||
### Forward secrecy
|
||||
|
||||
Forward secrecy (FS, also known as “Perfect Forward Secrecy”) combines a system of long-term keys and session keys to protect encrypted communications against key compromise in the future. An attacker who can record every encrypted message ([man-in-the-middle](#man-in-the-middle-attack)) won’t be able to decrypt these messages when keys are compromised in the future. Modern encryption protocols like [TLS](#https) 1.3 and the Signal Protocol offer FS. To learn more, see [Anonymous Planet](https://anonymousplanet.org/guide.html#forward-secrecy).
|
||||
|
||||
### Full Disk Encryption (FDE)
|
||||
|
||||
FDE means that the entire storage medium is [encrypted](#encryption) until a password is provided when the device is turned on. Not all FDE is created equal. For example, the quality of how FDE is implemented on a phone isn’t only tied to your operating system, but also to your hardware (the model of your phone). FDE uses [symmetric cryptography](/glossary/#symmetric-cryptography), and, on Linux, it typically uses the [LUKS specification](/glossary/#luks).
|
||||
|
||||
### GnuPG / OpenPGP
|
||||
|
||||
GnuPG (GPG) is a program that implements the OpenPGP (Pretty Good Privacy) standard. GPG provides cryptographic functions to encrypt, decrypt, and sign text and files. It is a classic example of [public-key cryptography](#public-key-cryptography). When used in tandem with email, [metadata](#metadata) (like email addresses) remains unencrypted. It does not provide [Forward Secrecy](#forward-secrecy).
|
||||
|
||||
For more info, check out [this primer](https://github.com/AnarchoTechNYC/meta/wiki/Pretty-Good-Privacy-%28PGP%29). We do not recommend it for encrypted communications, [here's why](/posts/e2ee/#pgp-email).
|
||||
|
||||
### Hardening
|
||||
|
||||
Hardening is a generic term for the process of securing systems against attacks.
|
||||
|
||||
### HTTPS
|
||||
|
||||
The 'S' in HTTPS stands for 'secure'; this means your Internet connection is encrypted using the [Transport Layer Security (TLS)](https://invidious.sethforprivacy.com/watch?v=0TLDTodL7Lc&listen=false) protocol. This involves the website generating a certificate with [public-key cryptography](#public-key-cryptography) that can be used to verify its authenticity - that you are in fact connecting to the web server that you intend to, and that this connection is encrypted.
|
||||
|
||||
For more info, check out [our explanation](/posts/tails/#tor) or [Defend Dissent: Protecting Your Communications](https://open.oregonstate.education/defenddissent/chapter/protecting-your-communications/).
|
||||
|
||||
### Linux
|
||||
|
||||
Linux is an [open-source](#open-source) 'kernel' upon which operating systems are built. Unlike Windows or macOS, there are many flavours of Linux operating systems. For example, Ubuntu, Kali, and Tails are based on Debian. Manjaro is based on Arch. For more info, see [Linux Essentials](/posts/linux).
|
||||
|
||||
### LUKS
|
||||
|
||||
The [Linux Unified Key Setup (LUKS)](https://gitlab.com/cryptsetup/cryptsetup) is a platform-independent specification for hard disk encryption. It is the standard used in [Tails](#tails), [Qubes OS](#qubes-os), Ubuntu, etc.
|
||||
|
||||
### Malware
|
||||
|
||||
Malware (malicious software) is a generic term for software containing unwanted or malicious functions. Malware includes ransomware, Trojan horses, computer viruses, worms, spyware, scareware, adware, etc. Nowadays, malware is harder to categorize because sophisticated malware often combines properties of different categories. For instance, [WannaCry](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack) propagated like a worm but encrypted files and demanded ransom (ransomware).
|
||||
|
||||
### Man-in-the-middle attack
|
||||
|
||||
An example of a man-in-the-middle attack is when Alice communicates with Bob via the Internet, Eve (Eavesdropper) joins the conversation “in the middle” and becomes man-in-the-middle. Eve can modify, insert, replay, or read messages at will. Protective measures are encryption (confidentiality) and checking the authenticity and integrity of all messages. However, one must also ensure that one is communicating with the expected party. You have to verify that you possess the real public key of the respective recipient. For instance, this is what you are doing when verifying the 'Safety Number' of a contact in the Signal encrypted messaging app.
|
||||
|
||||
For a more detailed look, check out [Defend Dissent: The Man in the Middle](https://open.oregonstate.education/defenddissent/chapter/the-man-in-the-middle/)
|
||||
|
||||
### Metadata
|
||||
|
||||
Metadata is data that provides information about other data. For instance, a JPG file contains the actual picture (data) but also may contain metadata like the date when the file was made, type of camera, GPS coordinates, etc. Metadata can be valuable for attackers (finding appropriate exploits for outdated software used by the victim), government agencies (collecting information about people to create social graphs), and other parties (who aim to show location-based advertisements). As soon as you use any computer, you are likely leaving metadata behind.
|
||||
|
||||
For more info, check out [Removing Identifying Metadata From Files](/posts/metadata) and [Defend Dissent: Metadata](https://open.oregonstate.education/defenddissent/chapter/metadata/).
|
||||
|
||||
### Open-source
|
||||
|
||||
The only software we can trust because the ‘source code’ that it is written in is ‘open’ for anyone to examine.
|
||||
|
||||
### Operating system (OS)
|
||||
|
||||
The system software that runs your device, before all other software. Some common examples are Windows, macOS, Linux, Android, and iOS. Linux and some versions of Android are the only open-source options in this list.
|
||||
|
||||
### Passphrase
|
||||
|
||||
A passphrase is similar to a [password](#password); however, it consists of words instead of characters.
|
||||
|
||||
### Password
|
||||
|
||||
A password is a string of characters used for authentication. A strong password consists of randomly chosen characters that all have an identical probability of occurrence, which can be created with the KeePassXC Password Generator.
|
||||
|
||||
For more info, check out [Defend Dissent: Passwords](https://open.oregonstate.education/defenddissent/chapter/passwords/)
|
||||
|
||||
### Phishing
|
||||
|
||||
Phishing is a [social engineering](/glossary/#social-engineering) technique. Attackers send SMS messages, emails, chat messages, etc., to their victims in order to get their personal data. After that, attackers can try to impersonate their victims. It can also be used to make the victim download [malware](#malware) onto a system, which can be used as a starting point for hacking it. [Spear phishing](/glossary/#spear-phishing) is a more sophisticated phishing technique.
|
||||
|
||||
### Physical attacks
|
||||
|
||||
By a physical attack, we mean a situation in which an adversary first gains physical access to your device through loss, theft, or confiscation. For example, your phone may be confiscated while crossing a border or during an arrest. This is in contrast to a [remote attack](#remote-attacks).
|
||||
|
||||
For a more detailed look, check out [Defend Dissent: Protecting Your Devices](https://open.oregonstate.education/defenddissent/chapter/protecting-your-devices/)
|
||||
|
||||
### Plausible deniability
|
||||
|
||||
Plausible deniability can be a security goal. It is accomplished if you can’t prove that a person/system sent a particular message. Then, this person/system can plausibly deny being the sender of the message.
|
||||
|
||||
### Public-key cryptography
|
||||
|
||||
Public-key cryptography (or asymmetric cryptography) is the opposite of [symmetric cryptography](/glossary/#symmetric-cryptography). Every party has two keys (public and private). The private one must be kept secret and is used for decryption; the public one has to be published, and it is used for encryption. This is the model used for encrypted communications, because the public key (again, required to be in the open) cannot be used to decrypt. All other parties must verify that a published public key belongs to the anticipated owner to avoid [man-in-the-middle attacks](/glossary/#man-in-the-middle-attack).
|
||||
|
||||
There are different approaches to public-key cryptography. For example, some cryptosystems are based on the algebraic structure of elliptic curves over finite fields (ECC). Others are based on the difficulty of the factorization of the product of two large prime numbers (RSA). Public-key cryptography can also be used for [digital signatures](/glossary/#digital-signatures).
|
||||
|
||||
To learn more, check out [this video](https://invidious.sethforprivacy.com/watch?v=GSIDS_lvRv4), or for a more detailed look, check out [Defend Dissent: Public-Key Cryptography](https://open.oregonstate.education/defenddissent/chapter/public-key-cryptography/).
|
||||
|
||||
### Qubes OS
|
||||
|
||||
You can think of [Qubes OS](https://www.qubes-os.org/) as Linux + [virtual machines](#virtual-machine-vm). We [recommend](/recommendations) it as a daily use operating system for intermediate Linux users.
|
||||
|
||||
### Remote attacks
|
||||
|
||||
By a remote attack, we mean that an adversary would access the data on your phone or laptop through an Internet or data connection. There are companies that design and sell the ability to infect your device (usually focusing on smartphones) with [malware](#malware) that would allow their customer (your adversary, be it a corporate or state agent) to gain remote access to some or all your information. This is in contrast to a [physical attack](#physical-attacks).
|
||||
|
||||
For a more detailed look, check out [Defend Dissent: Protecting Your Devices](https://open.oregonstate.education/defenddissent/chapter/protecting-your-devices/)
|
||||
|
||||
### Sandboxing
|
||||
|
||||
Sandboxing is software-based isolation of applications to mitigate system failures or vulnerabilities. For example, if an attacker hacks an application that is 'sandboxed', they will need to escape the sandbox to hack the whole system. [Virtualization](#virtualization) is the most powerful implementation of sandboxing.
|
||||
|
||||
### Security goal
|
||||
|
||||
Security goals are concepts in information security that define what has to be fulfilled. Well-known security goals are confidentiality, integrity, and availability (referred to as the CIA triad).
|
||||
|
||||
### Social engineering
|
||||
|
||||
Social engineering is a generic term for the psychological manipulation of humans into performing actions. Social engineering isn’t dependent on technology; it is quite common in everyday life. For example, children cry to manipulate their parents; commercials manipulate their viewers. In information security, [phishing](/glossary/#phishing) is a widespread social engineering technique.
|
||||
|
||||
### Spear phishing
|
||||
|
||||
Spear phishing is more sophisticated than regular [phishing](/glossary/#phishing) which casts a wide net. In spear phishing, attackers customize their forged messages and send them to a smaller amount of potential victims. Spear phishing requires more research on the attacker’s side; however, the success rate of spear phishing attacks is higher than the success rate of regular phishing attacks.
|
||||
|
||||
### Supply-chain attack
|
||||
|
||||
A supply-chain attack can affect any user of hardware or software components. Attackers manipulate a component during its manufacturing process. In most cases, the actual attack happens before the targeted user possesses the manipulated component. Examples are manipulated compilers or firmware, and attacks like [Stuxnet](https://en.wikipedia.org/wiki/Stuxnet) or [SolarWinds](https://en.wikipedia.org/wiki/2020_SolarWinds_watering_hole_attack).
|
||||
|
||||
### Symmetric cryptography
|
||||
|
||||
Symmetric cryptography is the opposite of [public-key cryptography](/glossary/#public-key-cryptography). Two parties need the same private key to communicate. Both of them use this key for encryption and decryption. Symmetric encryption is faster than public-key encryption; however, you have to exchange keys securely. AES is a well-known representative of symmetric cryptography. This is the model used for [Full Disk Encryption](/glossary/#full-disk-encryption-fde) (for example, used by [LUKS](/glossary/#luks) in Linux Full Disk Encryption).
|
||||
|
||||
### Synchronous communication
|
||||
|
||||
Both parties need to be online simultaneously, in contrast to [asynchronous communication](#asynchronous-communication). This does not require any servers specific to the communication and is often referred to as "peer to peer".
|
||||
|
||||
### Tails
|
||||
Tails is an operating system that makes secure and anonymous computer use accessible to anyone. Tails runs from a USB drive, and is designed to leave no trace of your activity on your computer, unless you explicitly ask it to.
|
||||
|
||||
Tails relies on the [Tor anonymity network](/glossary/#tor-network) to protect your privacy online; all software is configured to connect to the Internet through Tor. If an application tries to connect to the Internet directly, the connection is automatically blocked for security.
|
||||
|
||||
For more info, check out [Tails for Anarchists](/posts/tails).
|
||||
|
||||
### Threat model
|
||||
|
||||
Threat modeling is a family of activities for improving security by identifying a range of adversaries, [security goals](#security-goal), and [vulnerabilities](#vulnerability), then defining countermeasures to prevent, or mitigate the effects of, threats to the system. A threat is a potential or actual undesirable event that may be malicious (such as [DDoS attack](#ddos-attack)) or incidental (such as a hard drive failure). Threat modeling is the conscious activity of identifying and assessing threats and vulnerabilities.
|
||||
|
||||
For more info, see [the CSRC Threat Library](https://www.csrc.link/threat-library/), [Defend Dissent: Digital Threats to Social Movements](https://open.oregonstate.education/defenddissent/chapter/digital-threats/) and [Defending against Surveillance and Suppression](https://open.oregonstate.education/defenddissent/chapter/surveillance-and-suppression/).
|
||||
|
||||
### Tor network
|
||||
|
||||
[Tor](https://www.torproject.org/) (it stands for The Onion Router) is an open and distributed network that helps defend against traffic analysis. Tor protects you by bouncing your communications around a network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the operators of the sites you visit from learning your physical location.
|
||||
|
||||
Each website visited through the Tor network passes through 3 relays. Relays are servers operated by different people and organizations around the world. A single relay never knows both where the encrypted connection is coming from and where it is going to. An extract of a leaked Top Secret appraisal by the NSA characterized Tor as "the King of high secure, low latency Internet anonymity" with "no contenders for the throne in waiting". The Tor network can be accessed through the Tor Browser on any operating system. The operating system [Tails](#tails) forces every program to use the Tor network when accessing the Internet.
|
||||
|
||||
For more info, see [our description of Tor](/posts/tails/#tor).
|
||||
|
||||
### Two-Factor Authentication (2FA)
|
||||
|
||||
Two-factor authentication (or “2FA”) is a way to let a user identify themselves to a service provider by requiring a combination of two different authentication methods. These may be something that the user knows (like a password or PIN) or something that the user possesses (like a hardware token or mobile phone).
|
||||
|
||||
### Virtualization
|
||||
|
||||
Virtualization is technology that creates a virtual version of something, including virtual computer hardware platforms, storage devices, and computer network resources. A [Virtual Machine](#virtual-machine-vm) leverages this technology.
|
||||
|
||||
### Virtual Machine (VM)
|
||||
|
||||
A virtual machine is the [virtualization](#virtualization)/emulation of a computer system. Virtual machines are based on computer architectures and provide the functionality of a physical computer. This can provide the security benefit of [sandboxing](#sandboxing). [Qubes OS](#qubes-os) is composed of VMs that [run on the hardware directly](https://www.qubes-os.org/faq/#how-does-qubes-os-compare-to-running-vms-in-a-conventional-os) (which is referred to as "bare metal"). According to the Qubes project, "virtualization is currently the only practically viable approach to implementing strong isolation while simultaneously providing compatibility with existing applications and drivers."
|
||||
|
||||
### VoIP (Voice over Internet Protocol)
|
||||
|
||||
Google Voice is a well-known and insecure VoIP service; this technology puts your calls through the Internet (like how Signal does) instead of using the standard cell tower transmission. Unlike Signal, with VoIP you can receive calls from anyone, not just other Signal users. The benefit of using VoIP for calls compared to a data plan is that you can generate different numbers for different activities (one that you can use for bills, one to register for a Signal account, etc.), and you never need to disable Airplane mode. The benefit of using a data plan instead is that you can use it away from Wi-Fi, at the cost of geolocation (that is, it will be possible for your service provider, and perhaps other parties, to know where your device is at any given time).
|
||||
|
||||
### VPN (Virtual Private Network)
|
||||
|
||||
A VPN extends a private network (e.g., your network at home) across a public network (like the Internet). Devices connected to the VPN are part of the private network, even if they are physically somewhere else. Applications using a VPN are subject to the functionality, security, and management of the private network.
|
||||
|
||||
Put another way, it is a technology that essentially makes it appear like you emerge onto the Internet from the network of the company providing the service, rather than from your home network. Your connection to the company is through an encrypted ‘tunnel’. A VPN is not the best tool for anonymity (defined as knowledge of who you are – Tor is far better), but can partially bolster your privacy (defined as knowledge of what you are doing).
|
||||
|
||||
It is important to stress this to cut through the widespread marketing hype; [a VPN is not enough to keep you anonymous](https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me/). Using a VPN can be thought of as simply shifting your trust from a local Internet Service Provider guaranteed to be a snitch to a remote one that claims to put limits on their ability to effectively snitch on you.
|
||||
|
||||
For an excellent comparison of a VPN and [Tor](#tor-network), see [Defend Dissent: Anonymous Routing](https://open.oregonstate.education/defenddissent/chapter/anonymous-routing/).
|
||||
|
||||
### Vulnerability
|
||||
|
||||
Commonly, vulnerabilities are [exploitable](#exploit) security flaws in software or hardware. Well-known vulnerabilities receive names like Heartbleed, Shellshock, Spectre, or Stagefright and at least one [CVE](#cve) identifier. There aren’t always exploits available for vulnerabilities. A well-known system to classify the severity of vulnerabilities is [CVSS](https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System).
|
||||
|
||||
### Zero-day exploit
|
||||
|
||||
A zero-day [exploit](#exploit) is unknown to the public, publisher, or other parties who would typically mitigate it. As a result, it is extremely powerful and highly-valued. Governments can either develop their own zero-day exploits, or buy them from a [zero-day broker](https://www.wired.com/story/untold-history-americas-zero-day-market/).
|
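Review bot: the Forward secrecy entry equates an attacker who "can record every encrypted message" with a man-in-the-middle, but recording traffic is passive eavesdropping, while the glossary's own Man-in-the-middle entry describes an active party who can "modify, insert, replay, or read messages"; forward secrecy protects recorded ciphertext against later key compromise whether or not the recorder was active, so the parenthetical should say eavesdropper rather than link to man-in-the-middle. Other entries worth a second look before merge: the Supply-chain attack examples link SolarWinds under a URL and title that call it a watering hole attack, which is a different technique from the manipulated-component compromise the entry defines, and Stuxnet is generally described as spreading via removable media and Windows vulnerabilities rather than through a tampered component, so neither example illustrates the definition well; the HTTPS entry says the website generates its certificate, whereas the site generates a key pair and a certificate authority issues the certificate that browsers check, which is the step that actually ties the key to the domain name; the GnuPG entry expands OpenPGP as "Pretty Good Privacy" (PGP is the original program, OpenPGP the standard that GnuPG implements); and the Symmetric cryptography entry calls the shared key a "private key", which collides with the private half of a key pair defined under Public-key cryptography. The Open-source entry's "The only software we can trust" also overstates the case: open source makes auditing possible, but the reader still depends on someone having done the audit and on the binary matching the published source.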
6
content/posts/_index.md
Normal file
|
@ -0,0 +1,6 @@
|
|||
+++
|
||||
title = "Guides"
|
||||
sort_by = "date"
|
||||
paginate_by = 10
|
||||
description = "All guides are maintained - see the changelog."
|
||||
+++
|
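Review bot: the `description` points readers to "the changelog" without linking it, and nothing else in this file says where it lives; add the link, or drop the reference until the changelog page exists.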
BIN
content/posts/e2ee/cwtch-explainer.mp4
Normal file
BIN
content/posts/e2ee/element.png
Normal file
After Width: | Height: | Size: 30 KiB |
277
content/posts/e2ee/index.md
Normal file
|
@ -0,0 +1,277 @@
|
|||
+++
|
||||
title="Encrypted Messaging for Anarchists"
|
||||
date=2023-04-02
|
||||
|
||||
[taxonomies]
|
||||
categories = ["Defensive"]
|
||||
tags = ["intro", "e2ee", "easy"]
|
||||
|
||||
[extra]
|
||||
blogimage="/images/BASE_2.png"
|
||||
toc=true
|
||||
+++
|
||||
Several different options are available for [end-to-end encrypted](/glossary/#end-to-end-encryption-e2ee) communications, with different trade-offs. This article will present an overview, as well as installation instructions for Tails, Qubes OS, and GrapheneOS.
<!-- more -->
There are some concepts that need to be understood before going further, in order to distinguish the various options.
* **End-to-end encryption** means that only you, and the person you communicate with, can read messages. However, not all [encryption](/glossary/#encryption) is created equal. The quality of the encryption is determined by the *encryption protocol* that is used, and how it is implemented at the software level.
* **Metadata protection** means whether the [*metadata*](/glossary/#metadata) (the data about the data) about the communication is obscured. Even if the message itself is encrypted, metadata can reveal who is communicating with whom, when, how often, the sizes of whatever files may have been transferred, etc. Metadata exposure is [a major concern](https://docs.openprivacy.ca/cwtch-security-handbook/risk.html#threat-model).
* **Peer-to-peer** means that there is no centralized server that you need to trust.
* **Tor** is an [anonymity network](/glossary/#tor-network), and some applications route your messages through it by default.

For a longer form look at these different considerations, we recommend [The Guide to Peer-to-Peer, Encryption, and Tor: New Communication Infrastructure for Anarchists](https://www.csrc.link/#the-guide-to-peer-to-peer-encryption-and-tor). This text criticizes Signal for not being peer-to-peer and not using Tor by default, and goes on to compare Signal, Cwtch, and Briar. The following options for encrypted messaging are listed from most metadata protection to least.

<br>

<video controls="" width="99%">
<source src="cwtch-explainer.mp4" type="video/mp4">
</video>

# Cwtch
* **Mediums**: Text
* **Metadata protection**: Yes (strong)
* **Encryption protocol**: Tor Onion Services (v3) + [Tapir](https://docs.openprivacy.ca/cwtch-security-handbook/cwtch-overview.html)
* **Peer-to-peer**: Yes
* **Tor**: Yes

Cwtch is our preference, by a long shot. It is currently in transition from [beta to stable versions](https://docs.cwtch.im/blog/path-to-cwtch-stable). For an overview of how Cwtch works, see their [video explainer](https://cwtch.im/#how-it-works). The [Cwtch Handbook](https://docs.cwtch.im/) will tell you everything you need to know for using it. Cwtch is designed with metadata protection in mind; it is peer-to-peer, uses the Tor network as a shield and stores everything locally on-device, encrypted.

Like all peer-to-peer communication, Cwtch requires *synchronous* communication, meaning that both peers are online simultaneously. However, their server feature allows *asynchronous* communication as well by providing offline delivery:

>"Cwtch contact to contact chat is fully peer to peer, which means if one peer is offline, you cannot chat, and there is no mechanism for multiple people to chat. To support group chat (and offline delivery) we have created untrusted Cwtch [servers](https://docs.cwtch.im/docs/servers/introduction) which can host messages for a group. [...] the server has no way to know what messages for what groups it might be holding, or who is accessing it."

Any Cwtch user can turn the app on their phone or computer into an untrusted server to host a group chat, though this is best for temporary needs like an event or short-term coordination, because the device needs to stay powered on for it to work. Medium-term untrusted servers can be set up on a spare Android device that can stay on, and longer-term servers can be self-hosted on a VPS if you know Linux system administration. Once the server exists, contacts can be invited to use it. You can create a group chat with only two people, which enables asynchronous direct messages.

>**Note**: [**Briar**](https://briarproject.org) is another application which works in a similar way (with peer-to-peer and Tor), and uses the [Bramble Transport Protocol](https://code.briarproject.org/briar/briar/-/wikis/A-Quick-Overview-of-the-Protocol-Stack) (BTP). The main distinguishing feature of Briar is that it continues to function [even when underlying network infrastructure is down](https://briarproject.org/how-it-works/). It was [audited in 2017](https://code.briarproject.org/briar/briar/-/wikis/FAQ#has-briar-been-independently-audited). Unfortunately, Briar Desktop does not yet work with Tails or Qubes-Whonix, because it cannot [use the system Tor](https://code.briarproject.org/briar/briar/-/issues/2095). Unlike Cwtch, to add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.

<details>
<summary><strong>Cwtch Installation on GrapheneOS</strong></summary>
<br>
<p>If you have decided to use a smartphone despite our <a href="/posts/nophones/">recommendation to not use phones</a>, Cwtch is available for Android. Follow the instructions for <a href="/posts/grapheneos/#software-that-isn-t-on-the-play-store">installing software that isn't on the Play Store</a>. Updates must be made manually - back up your profile first.</p>
<br>
</details>

<details>
<summary><strong>Cwtch Installation on Tails</strong></summary>
<br>
<p>There is no Tor <a href="https://tails.boum.org/contribute/design/stream_isolation/">Stream Isolation</a> for Cwtch on Tails, so each session must be run in a unique Tails session, or can otherwise be associated with Tor Browser activity, etc.</p>
<ul>
<li>Download <a href="https://cwtch.im/download/#linux">Cwtch for Linux</a> using Tor Browser</li>
<li>Verify the download <ul>
<li>Open the folder from Tor Browser's download icon </li>
<li>Right click in the file manager and select "Open a Terminal Here"</li>
<li>Run <code>sha512sum cwtch-v1.10.0.tar.gz</code> (replacing the filename as appropriate)</li>
<li>Compare the hash of the file with what is listed on the download page </li>
</ul>
</li>
<li>As per our <a href="/posts/tails-best/#using-a-write-protect-switch">Tails Best Practices</a>, personal data should be stored on a second LUKS USB, not on the Tails Persistent Storage. Copy the file to a second LUKS USB and extract it with the file manager (right click, select "Extract Here"). We will not be using the Additional Software Persistent Storage feature (because it is an AppImage so doesn't require it). </li>
<li>Run the install script<ul>
<li>In the File Manager, enter to directory you just created, <code>cwtch</code>. Right click in the File Manager and select "Open a Terminal Here"</li>
<li>Run <code>install-home.sh</code></li>
<li>TODO backup for persistence? Test</li>
</ul>
</li>
<li>Tails forces all networking through Tor, so <a href="https://docs.cwtch.im/docs/tor#advanced-tor-configuration">Advanced Tor Configuration</a> must be set within Cwtch:<ul>
<li>Start Cwtch by TODO. </li>
</ul>
</li>
<li>Updates must be made manually - back up your profile first.</li>
</ul>
<br>
</details>

<details>
<summary><strong>Cwtch Installation on Qubes-Whonix</strong></summary>
<br>
<p>Cwtch on Whonix currently has an <a href="https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/550">issue</a> - it works, but there is no Tor Stream Isolation. This is resolved by creating a dedicated Cwtch qube. Cwtch is installed in an App qube, not a Template (because it is an AppImage).</p>
<ul>
<li>Download <a href="https://cwtch.im/download/#linux">Cwtch for Linux</a> using Tor Browser in a disposable Whonix qube.</li>
<li>Verify the download:<ul>
<li>Open the folder from Tor Browser's download icon </li>
<li>Right click in the file manager and select "Open a Terminal Here"</li>
<li>Run <code>sha512sum cwtch-v1.10.0.tar.gz</code> (replacing the filename as appropriate)</li>
<li>Compare the hash of the file with what is listed on the download page </li>
</ul>
</li>
<li><a href="/posts/qubes/#how-to-organize-your-qubes">Create an App qube</a> with the Template <code>whonix-ws-16</code> and networking <code>sys-whonix</code>.</li>
<li>Copy the file to your new Cwtch App qube and extract it with the file manager (right click, select "Extract Here"). </li>
<li>Run the install script<ul>
<li>In the File Manager, enter to directory you just created, <code>cwtch</code>. Right click in the File Manager and select "Open a Terminal Here"</li>
<li>Run <code>install-home.sh</code></li>
</ul>
</li>
<li>Reboot the App qube for Cwtch to show up in the <strong>Settings > Applications</strong> tab</li>
<li><code>sys-whonix</code> forces all networking through Tor, so <a href="https://docs.cwtch.im/docs/tor#advanced-tor-configuration">Advanced Tor Configuration</a> must be set within Cwtch:<ul>
<li>TODO </li>
</ul>
</li>
<li>Updates must be made manually - back up your profile first.</li>
</ul>
</details>

<br>



# OnionShare
* **Mediums**: Text
* **Metadata protection**: Yes (strong)
* **Encryption protocol**: Tor Onion Services (v3)
* **Peer-to-peer**: Yes
* **Tor**: Yes

OnionShare has a [chat feature](https://docs.onionshare.org/2.6/en/features.html#chat-anonymously), which creates an ephemeral peer-to-peer chat room that is routed over the Tor network. Metadata protection works the same way as for Cwtch; it uses the Tor network as a shield and (ephemerally) stores everything locally on-device. The encryption protocol relies on Tor v3 onion service encryption; elliptic curve Diffie Hellman with Curve25519. Cwtch and Briar both have more features (including the additional Tapir and BTP encryption protocols), really the only benefit to OnionShare is that it is installed by default on Tails.

<br>



# Signal
* **Mediums**: Video call, voice call, text
* **Metadata protection**: Yes (Moderate)
* **Encryption protocol**: Signal Protocol, audited ([2017](https://en.wikipedia.org/wiki/Signal_Protocol))
* **Peer-to-peer**: No
* **Tor**: Not default

The Signal Protocol has some metadata protection; [sealed sender](https://signal.org/blog/sealed-sender/), [private contact discovery](https://signal.org/blog/private-contact-discovery/), and the [private group system](https://signal.org/blog/signal-private-group-system/). Message recipient identifiers are only kept on the Signal servers as long as necessary in order to transmit each message. As a result, when Signal is served with a warrant, they [can only provide](https://signal.org/bigbrother/) the time of account creation and the date of the account's last connection to Signal servers, when provided with a phone number. Nonetheless, Signal is [reliant on the Google Services Framework](https://web.archive.org/web/20210728141938/https://serpentsec.1337.cx/signal-sucks-heres-why) (though it's possible to use without it) and the metadata protection of sealed sender [only applies to contacts (by default)](https://web.archive.org/web/20210728141938/https://serpentsec.1337.cx/signal-sucks-heres-why).

Signal [is not peer-to-peer](https://www.csrc.link/#the-guide-to-peer-to-peer-encryption-and-tor); it operates centralized servers that we have to trust. Signal will work with Tor if it is used on an operating system that forces it; such as Whonix or Tails.

However, registration for a Signal account is difficult to achieve anonymously. The account is tied to a phone number which the user needs to continue to control - due to [changes to "Registration Lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. In the future, Signal intends to make it so that accounts do [not require a phone number](https://signal.org/blog/building-faster-oram/), but until this is the case Signal cannot be easily used anonymously. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number), and then must be maintained.

Another barrier to anonymous registration is that Signal Desktop only works if Signal is first registered from a smartphone. For users comfortable with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer with [Signal-cli](https://0xacab.org/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for the registration would need to be obtained anonymously.

As a result, Signal is rarely used anonymously which has a significant impact if the State gets [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to the device. One of the primary goals of State surveillance of anarchists is [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html), and it's not uncommon that they get physical access to devices through [house raids](https://www.csrc.link/threat-library/techniques/house-raid.html). For example, if device [authentication is bypassed](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), it would then be possible to identify every Signal contact simply via their phone numbers (in addition to reading message history, etc.).

Due to the near impossibility of using Signal anonymously as well as our [recommendation to not use phones](/posts/nophones/), we don't currently recommend anarchists use Signal. We nonetheless provide installation instructions because it has become the norm in the anarchist space in many countries, and it might be hard to get in touch with somebody without it.

<details>
<summary><strong>Signal Installation on GrapheneOS</strong></summary>
</details>

If you have decided to use a smartphone [despite our recommendation to not use phones](/posts/nophones/), we recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are comfortable with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal must be registered on a smartphone before being linked to a computer. Install Signal like you would for any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).

[Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android - we recommend it over Signal for anarchists, and extending trust to the Molly team is facilitated by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't on the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption.

<details>
<summary><strong>Signal Installation on Tails</strong></summary>
</details>

About.Privacy [maintains a guide](https://0xacab.org/about.privacy/messengers-on-tails-os/) for installing Signal Desktop on Tails. There is a guide for registering an account from Tails without a smartphone (using Signal-cli), and another guide for if you already have a Signal account.

Some of [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) also applies to Signal Desktop.

<details>
<summary><strong>Signal Installation on Qubes-Whonix</strong></summary>
</details>

Signal Desktop on Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Signal Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository).

* Go to **Applications menu > Qubes Tools > Qube Manager**
* Clone whonix-ws-16, and call it something like whonix-ws-16-signal.
* We do this to not add attack surface to the base Whonix Workstation template. If you also install other messaging applications like Element Desktop, they could share a cloned template with a name like whonix-ws-16-e2ee
* Open a Terminal in the new Template: **Applications menu > Template: whonix-ws-16-signal: Xfce Terminal**
* Run the commands in the [Signal install guide](https://www.signal.org/download/linux/) to install Signal Desktop in the Template.
* Note that the layout of the Signal install guide is a bit confusing for users unfamiliar with the command line; `wget` and `cat` are separate commands, but `echo` in #2 is one command that is so long it takes two lines (which is why the second line is indented).
* Template qubes require a proxy for `wget`. Before running the command, create a configuration file at `~/.wgetrc` in the Template, with the contents:
```
use_proxy = on
http_proxy = 127.0.0.1:8082
https_proxy = 127.0.0.1:8082
```
* [Create an App qube](/posts/qubes/#how-to-organize-your-qubes) with the Template `whonix-ws-16-element` and networking `sys-whonix`.
* In the new App qube's **Settings > Applications** tab, bring Signal into the Selected column, and press **OK**.
* Updates will be handled by **Qubes Update** as you would expect.

Alternatively, you can install Signal Desktop in a Whonix Workstation App qube by using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/), and you will not need to bother with Templates. Signal Desktop on Flathub is [community maintained](https://github.com/flathub/org.signal.Signal), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
<br>
<br>



# Element / Matrix
* **Mediums**: Video call, voice call, text
* **Metadata protection**: Poor
* **Encryption protocol**: vodozemac, audited ([2022](https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption))
* **Peer-to-peer**: No
* **Tor**: Not default

Element is the name of the application (the client), and Matrix is the name of the network. A comparison to email may be helpful to understand it; Element is the equivalent of Thunderbird, whereas Matrix is the equivalent of the Simple Mail Transfer Protocol (SMTP) which underlies email. Element/Matrix is not peer-to-peer; you need to trust the server. However, unlike Signal, the servers are not centralized but rather federated - anyone can host their own. Unfortunately, the 'federation model' has the trade off that Matrix does [not have metadata protection](https://web.archive.org/web/https://serpentsec.1337.cx/matrix): "Federated networks are naturally more vulnerable to metadata leaks than peer-to-peer or centralized networks". To minimize this, see [Notes on the safe use of the Matrix service from Systemli](https://wiki.systemli.org/howto/matrix/privacy).

Element will work with Tor if it is used on an operating system that forces it; such as Whonix or Tails.

What homeserver you use is important— do not use the default homeserver matrix.org. [Systemli](https://www.systemli.org/en/service/matrix/) and [Anarchy Planet](https://anarchyplanet.org/chat.html) are reputable radical hosts. Systemli's instance has a default message retention time of [30 days](https://wiki.systemli.org/en/howto/matrix/max_lifetime), and IP addresses are not stored.

Matrix can either be used through a web client (using Element Web on Tor Browser) or though a desktop client (using Element Desktop). The web clients for Systemli and Anarchy Planet are `element.systemli.org` and `anarchy.chat`, respectively. When using a desktop client, before trying to log in change the homeserver address to `https://matrix.systemli.org` or `https://riot.anarchyplanet.org`, respectively. It is easy to create an account anonymously, and does not require a phone. Systemli requires having an email account with them (which you need an invite to obtain), whereas anyone can sign up to Anarchy Planet with the registration code `aplanet`.

A matrix ID looks like @username:homeserver, so for example, @anarsec:riot.anarchyplanet.org. Just like email, you can message accounts that are on different homeservers.

As soon as you have logged in, go to **Settings > Security & Privacy**.
* You will see that under **Where you're signed in** it lists all signed-in devices. For anonymous use cases, you will generally only be signed-in on one device.
* Scroll down to **Secure Backup**. This is a feature that allows you to verify a new session without having access to a signed-in device. Press **Set up**, then the **Generate a Security Key** choice. Save the Security Key in KeePassXC. This "Security Key" will be needed for logging into a new device or session.
* For Element Desktop, you will only need to use the Security Key if you sign out.
* For Element Web (using Tor Browser), you will need the Security Key every time you use it. Tor Browser clears your cookies, so you will need to sign in to a new session.

Some current limitations:
* "Disappearing messages" is not yet a feature, but it is forthcoming. Message retention time can be set by the homeserver administrator, as mentioned above, and it is indeed set on both of our recommended homeservers.
* One to one audio/video calls [are encrypted](https://matrix.org/faq/#are-voip-calls-encrypted%3F) and you can use them. Group audio/video calls are not encrypted, so don't use them. This will be resolved when [Element-call](https://github.com/vector-im/element-call) is stable.
* The Matrix protocol itself [theoretically](/glossary#forward-secrecy) supports [Forward Secrecy](/glossary#forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-meta/issues/1296) due to it breaking some aspects of the user experience such as key backups and shared message history.
* Profile pictures, reactions, and nicknames are not encrypted.

>**Note**: You may have heard of **XMPP** (formerly called Jabber). XMPP has similar security properties to Matrix, but many clients don't support end-to-end encryption (via the OMEMO protocol) by default. Configuring a client properly is non-trivial. XMPP and Matrix leak similar amounts of metadata, but OMEMO has never been formally audited like the Matrix encryption protocol. Additionally, the administrator is able to act as a [man-in-the-middle](/glossary#man-in-the-middle-attack) on [any XMPP server](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/). For these reasons, we recommend using Matrix over XMPP.

<details>
<summary><strong>Element Installation on GrapheneOS</strong></summary>
</details>

If you have decided to use a smartphone despite our [recommendation to not use phones](/posts/nophones/), Element is available for Android. Install Element like you would for any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).

<details>
<summary><strong>Element Installation on Tails</strong></summary>
</details>

The easiest option is to use the Element web client on Tor Browser. This doesn't require any additional software. Tor Browser deletes all data upon closing, so you'll be prompted for the Security Key after each login in order to access your past messages. Make sure to **Sign Out** when finished, to avoid accumulating "Signed-in devices".

To install Element Desktop, About.Privacy [maintains a guide](https://0xacab.org/about.privacy/messengers-on-tails-os/).

<details>
<summary><strong>Element Installation on Qubes-Whonix</strong></summary>
</details>

The easiest option is to use the Element web client on Tor Browser is a disposable Whonix qube. This doesn't require any additional software. Tor Browser deletes all data upon closing, so you'll be prompted for the Security Key after each login in order to access your past messages. Make sure to **Sign Out** when finished, to avoid accumulating "Signed-in devices".

To install Element Desktop, Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Element Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository).

* Go to **Applications menu > Qubes Tools > Qube Manager**
* Clone whonix-ws-16, and call it something like whonix-ws-16-element.
* We do this to not add attack surface to the base Whonix Workstation template. If you also install other messaging applications like Signal Desktop, they could share a cloned template with a name like whonix-ws-16-e2ee
* Open a Terminal in the new Template: **Applications menu > Template: whonix-ws-16-element: Xfce Terminal**
* Run the commands in the [Element install guide](https://element.io/download#linux) to install Element Desktop in the Template.
* Template qubes require a proxy for `wget`. Before running the command, create a configuration file at `~/.wgetrc` in the Template, with the contents:
```
use_proxy = on
http_proxy = 127.0.0.1:8082
https_proxy = 127.0.0.1:8082
```
* [Create an App qube](/posts/qubes/#how-to-organize-your-qubes) with the Template `whonix-ws-16-element` and networking `sys-whonix`.
* In the new App qube's **Settings > Applications** tab, bring Element Desktop into the Selected column, and press **OK**.
* Updates will be handled by **Qubes Update** as you would expect.
* Avoid pressing "Sign Out", simply shutdown the qube when finished.

Alternatively, you can install Element Desktop in a Whonix Workstation App qube by using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/), and you will not need to bother with Templates. Element Desktop on Flathub is [community maintained](https://github.com/flathub/im.riot.Riot), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
<br>
<br>



# PGP Email
* **Mediums**: Text
* **Metadata protection**: No
* **Encryption protocol**: [RSA](https://blog.trailofbits.com/2019/07/08/fuck-rsa/) or ed25519, no forward secrecy
* **Peer-to-peer**: No
* **Tor**: Depends

PGP (Pretty Good Privacy) isn't so much a messaging platform as it is a way of encrypting messages on top of existing messaging platforms (in this case, email). PGP email is the only option presented which does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions against future compromises of keys or passwords. It maintains the secrecy of past communications even if the current one is compromised. This means that an adversary could decrypt all PGP messages in the future in one fell swoop. Once you also take into account the metadata exposure inherent in email, PGP should be disqualified from inclusion in this list. It simply doesn't meet the standards of a modern cryptography. However, given that it is already widely used within the anarchist space, we include it here as a warning that it is not recommended. For a more technical criticism, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). We recommend switching to Element for asynchronous use cases, and switching to Cwtch for synchronous use cases. If you need to use email, use a [radical server](https://riseup.net/en/security/resources/radical-servers) and see the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp).

PGP is used for another purpose outside of communication: to verify the integrity of files. For this use, see our [GPG explanation](/posts/linux/#gpg-explanation).

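Review bot: in the Signal installation steps for Qubes-Whonix, the App qube is created from the wrong Template: the list clones whonix-ws-16 as "whonix-ws-16-signal" and installs Signal Desktop there, but the later step reads "Create an App qube with the Template `whonix-ws-16-element` and networking `sys-whonix`", which was copied from the Element section and would give an App qube with no Signal in it (or fail outright if that Template does not exist); change it to `whonix-ws-16-signal`. Several Cwtch steps still ship as placeholders: "TODO backup for persistence? Test" and "Start Cwtch by TODO." in the Tails block, and a bare "TODO" in the Qubes-Whonix block, so the Advanced Tor Configuration that both blocks say "must be set within Cwtch" is never actually described; fill the steps in or drop the unfinished bullets before publishing. The collapsible blocks for the Signal and Element installation sections close immediately after their summary line, so the installation text that follows is rendered outside the collapsible, unlike the Cwtch blocks where the paragraph and list sit inside it. Smaller wording fixes: "enter to directory you just created" (in both Cwtch install-script steps) should be "enter the directory"; "or though a desktop client" should be "through"; "on Tor Browser is a disposable Whonix qube" should be "in a disposable Whonix qube"; and in the forward-secrecy bullet the word "theoretically" links to the same glossary anchor as "Forward Secrecy" right after it, which looks like a stray link.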
BIN
content/posts/e2ee/onionshare.png
Normal file
Size: 104 KiB
BIN
content/posts/e2ee/pgp.webp
Normal file
Size: 16 KiB
BIN
content/posts/e2ee/signal.jpg
Normal file
Size: 22 KiB
149
content/posts/grapheneos/index.md
Normal file
@ -0,0 +1,149 @@
+++
|
||||
title="GrapheneOS for Anarchists"
|
||||
date=2023-04-05
|
||||
|
||||
[taxonomies]
|
||||
categories = ["Defensive"]
|
||||
tags = ["intro", "mobile", "easy"]
|
||||
|
||||
[extra]
|
||||
toc = true
|
||||
blogimage="/images/graphene.avif"
|
||||
+++
|
||||
|
||||
[Anarchists shouldn't have phones](/posts/nophones/). If you absolutely must use a phone, it should be as difficult as possible for an adversary to geotrack, intercept messages, or hack. This means using GrapheneOS.
|
||||
<!-- more -->
|
||||
# What is GrapheneOS?
|
||||
GrapheneOS is a private and secure version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) has irrevocable ability to access your files, call logs, location, etc.), and it is trivial to [bypass standard Android authentication](https://web.archive.org/web/20221209080901/https://securephones.io/) with [physical access](/glossary/#physical-attacks) to the device. GrapheneOS uses hardware-based security to [substantially increase the difficulty](https://grapheneos.org/faq#encryption) of bypassing the authentication, it is significantly [hardened](/glossary#hardening) against hacking, and it has all Google apps and services removed by default. Other alternative Android operating systems exist [but they are inferior](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of the privacy and security improvements over standard Android. GrapheneOS is [regularly audited](https://grapheneos.org/faq#audit).
|
||||
|
||||
Cellphones leave a geolocation history when they connect to cell towers, by nature of [how the technology works](https://anonymousplanet.org/guide.html#your-metadata-including-your-geo-location). For this reason, we recommend using a smartphone which stays at home like a landline, and connects to the Internet through Wi-Fi rather than by using a SIM card to connect through cell towers. Even if you use an anonymously acquired SIM, if this is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Additionally, it's insufficient to only leave a phone at home when you are going to a demo or action because this then [stands out](/posts/nophones/#metadata-patterns) as an outlier, serving as an indication that there is conspiratorial activity in that time window.
|
||||
|
||||
# Installation
|
||||
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). Beginning with the Pixel 6, Pixel devices receive a minimum of 5 years of security updates from when they are released. End-of-life devices (GrapheneOS "extended support" devices) do not have full security updates so they are not recommended. Avoid carrier variants of the phone, meaning don't buy one from a mobile network operator, which can prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model just after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
|
||||
|
||||
[Installing GrapheneOS](https://grapheneos.org/install/) can happen through a web browser, or through the [command line](/glossary#command-line-interface-cli). The command line method doesn't require trusting the server infrastructure, but is more technical. If you are uncomfortable with a command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list their officially supported operating systems. Neither list includes Qubes OS, but it is possible to install from Qubes OS with the following steps.
<details>
<summary><strong>Installation on Qubes OS</strong></summary>
<p>TODO</p>
</details>
* In a Whonix-Workstation disposable qube, open the [command line installation guide](https://grapheneos.org/install/cli) using Tor Browser.
* You will read "Installing from an OS in a virtual machine is not recommended. USB passthrough is often not reliable." This means that we will do everything from sys-usb, which does not use USB passthrough. If during the post-installation of Qubes OS you set sys-usb to be disposable, it will reset after a reboot.
* For the sake of simplicity, we will enable networking in sys-usb temporarily. It is also possible to keep sys-usb offline by copying platform-tools and the factory image into sys-usb from a whonix disposable, and getting udev rules from [Github](https://github.com/M0Rf30/android-udev-rules) rather than apt. In the **Settings → Basic** tab of sys-usb, make the follow changes:
* Private storage max size: 10.0 GB
* Net qube: sys-firewall
* Press **Apply**
* Follow the installation instructions from the sys-usb Terminal. When you get to **Flashing factory images**, don't run `./flash-all.sh`. Instead, scroll down to troubleshooting and run the command that uses a different temporary directory. It is expected for the flash script to output messages like `archive does not contain 'example.img'`.
* Upon first booting Graphene, it will prompt you if you want to connect to Wi-Fi. Don't, we need to do [hardware-based attestation](#auditor) first. Never set up the fingerprint authentication. Set a [strong password](/posts/tails-best/#passwords). This will only have to be entered on boot - we will set a shorter password for unlocking throughout the day later on.
* When you are done, reboot sys-usb. If it is disposable, the changes you have made will be gone. Don't forget to change back the sys-usb qube settings:
* Net qube: (none)
# System navigation
By default, GrapheneOS uses [gesture navigation](https://grapheneos.org/usage#gesture-navigation). The essentials are:
* The bottom of the screen is a reserved touch zone for system navigation.
* Swiping up from the navigation bar while removing your finger from the screen is the **Home** gesture.
* Swiping up from the navigation bar while holding your finger on the screen before releasing is the **Recent Apps** gesture.
* Swiping from either the left or the right of the screen within the app (not the navigation bar) is the **Back** gesture.
* The launcher uses a swipe up gesture starting anywhere on the screen to open the app drawer from the home screen. You need to start that gesture above the system navigation bar.
# Auditor
In the post-installation instructions, **Hardware-based attestation** is the last step. The Auditor app included in GrapheneOS leverages hardware security features in order to provide integrity monitoring to the device's firmware and software. This is crucial because it will alert you if the device is maliciously tampered with. The Auditor app must be configured directly after GrapheneOS is installed, before any Internet connection.
How does it work? Your new device is the *auditee*, and the *auditor* can either be another instance of the Auditor app on a friend's phone or the [Remote Attestation Service](https://attestation.app/); we recommend doing both. The *auditor* and *auditee* pair to form a private key, and should tampering with the operating system of the *auditee* happen after the pairing is complete, the *auditor* will be alerted.
First, directly after the device has been installed and before connecting to the Internet, [perform local verification](https://attestation.app/tutorial#local-verification). This requires having a friend present who you see semi-regularly and who has the Auditor app (on any Android device). The first pairing will show a brown background, and subsequent audits will show attestation results with a green background if nothing is remiss. There is no remote connection between your phones; you need to re-audit to benefit.
We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, which will prevent your phone from being reached and tracked from the cellular network, and then enable Wi-Fi. You can now connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up the [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. The default permitted delay until alerts is 48 hours; if you know your phone will be off for a longer amount of time, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home during travel), just ignore the notification emails. You can log back in at any time to view the attestation history.
# User Profiles
User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) will compartmentalize your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from one another - if one is compromised, the others aren't necessarily.
The Owner user profile is the default profile which is there when you turn on the phone. We will install only one app in the Owner user profile, RiseupVPN, our preferred [VPN](/glossary/#vpn-virtual-private-network) application. All default connections made by GrapheneOS will be forced through the Riseup VPN. First, browse to **riseup.net/en/vpn/android** using Vanadium. Download the .apk file. Navigate to the downloaded file with the Files app, and click on it to install. You will be prompted that you need to change the Vanadium setting for **Install unknown apps**: temporarily enable "Allow from this source". Once Riseup VPN is installed, accept the 'Connection request' prompt. A green display will mean that the VPN is successfully connected. Navigate to **Advanced settings** in the Riseup VPN menu, click **Always-on VPN**, and follow the instructions. Now before you forget, revert the Vanadium setting: **Settings → Apps → Vanadium → Install unknown apps**, and disallow. Moving forward, the Riseup VPN will automatically connect when you turn on your phone.
Additional user profiles can be created. Each profile is [encrypted](/glossary/#encryption) using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. We will now create a second user profile for installing applications: **Settings → System → Multiple users**, press **Add user**. You can name it Default, and press **Switch to Default**. Set a shorter password, which will allow you to enter your long diceware password at boot for the Owner, and a shorter password when using the phone throughout the day. A shortcut to switch between different user profiles is present on the bottom of Quick Settings (accessible by swiping down from the top of the screen, twice).
Later on, we will optionally create an additional user profile for applications that require Google Play Services.
# How to Install Software
GrapheneOS's app store has the standalone applications built by the GrapheneOS project such as Vanadium, Auditor, Camera, and PDF Viewer. These are updated automatically.
For installing additional software, avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/android/#f-droid). GrapheneOS has a Sandboxed Google Play which can be installed through the GrapheneOS app store, but this is unnecessary unless the application requires Google Play services to function properly (see [below](#software-that-requires-google-play-services)). For all apps that do not require Google Play services, use the [Aurora Store](https://auroraoss.com/), which is a client that allows you to install applications from the Google Play Store without a Google Account or Google Play services.
To install the Aurora Store in the Default user profile, download the apk file for **AuroraStore (Stable)** from **auroraoss.com** using the Vanadium web browser. Be aware that search results for 'Aurora Store' will feature many malicious websites, so type in the URL directly. Verifying the integrity of an .apk file [is too technical](https://www.privacyguides.org/android/#verifying-apk-fingerprints) for most users. The installation is the same process for Riseup VPN; temporarily enable "Allow from this source" for Vanadium. During the Aurora Store installer, you need to grant permissions:
* External Storage Access: Grant > Configure Storage Scopes
* External Storage Manager: this will be granted by Storage Scopes
* Installer Permissions: Grant
Before you forget, revert the Vanadium setting. You can now install and update applications. Log in using an anonymous account. Start by installing RiseupVPN from Aurora, and configuring it as we did for the Owner profile, and continue with any other apps - for ideas, see [Encrypted Messaging for Anarchists](/posts/e2ee/). The Aurora Store does not [yet](https://gitlab.com/AuroraOSS/AuroraStore/-/issues/865) support automatic updates, so change the settings so that updates are more visible when they become available in Aurora Store's **Settings → Customization → Select default tab: Updates**
The Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, but you will still benefit from not requiring the full Google Play client and Google Play services on the Default user profile.
#### Software That Isn't On the Play Store
Some apps aren't on the Play Store (and thus can't be installed from Aurora), either because they are in development or they don't want users to have to interact with Google. Aurora can be used to update apps, but when you download individual .apk files you will need to remember to update them yourself (there are exceptions, for example Signal is designed to self-update). [Obtainium](https://github.com/ImranR98/Obtainium) is an app to keep track of what apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture).
For example, Molly-FOSS, a hardened version of Signal with [no Google software](https://github.com/mollyim/mollyim-android#free-and-open-source), is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium press **Add App**, then copy the Github Releases URL. Obtanium can install the app, and when there is a new version you will get a system notification and an update icon will be present beside it, at which point you must manually update it.
Cwtch is not yet present on the Google Play Store, and can be added to Obtainium by entering the [Download page URL](https://cwtch.im/download/).
#### Software That Requires Google Play Services
If there is an app you would like to use that requires Google Play services, create a specific user profile for it from the Owner user profile; you can name it Google. This is also a good solution for isolating any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. This user profile can have the same password as the Default user profile - the advantage of using a separate passphrase is only in case an attacker records you entering it.
Within the new Google user profile, install Sandboxed Google Play by opening Apps and install Google Play services (this will also install Google Services Framework and the Google Play Store).
The Google Play Store requires a Google account to log in, but one with false info can be created for exclusive use with the Google Play Store.
Once installed and logged in, disable the advertising ID: **Settings → Apps → Sandboxed Google Play → Google Settings → Ads**, and select *Delete advertising ID*. You can now install applications through the Google Play Store within that profile. We recommend installing Riseup VPN again first, so that it is active in all user profiles. Automatic updates can be enabled in Google Play Store's **Settings → Network Preferences → Auto-update apps**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18). Notifications for Google Play Store and Google Play Services need to be enabled for auto-updates to work.
Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid needing this Google user profile.
# VoIP
A Wi-Fi only smartphone doesn't require paying a monthly fee for a SIM card. As explained in [Why Anarchists Shouldn't Have Phones](/posts/nophones#bureaucracy), bureaucracies often require a phone number that can be called normally (without encryption). [VoIP](/glossary#voip-voice-over-internet-protocol) applications allow you to create a number and make phone calls over the Internet rather than through cell towers. A phone number is also occasionally required for applications, such as [Signal registration](/posts/e2ee/#signal), and a VoIP number will often work.
Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones; the main advantage is that you will hear it ring even when your computer is off. The [jmp.chat](https://jmp.chat/) VoIP service works well with their client [Cheogram](https://cheogram.com/) and can be paid for in Bitcoin. In addition, there are paid options that are only present on mobile such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360020177133-Why-isn-t-MySudo-working-in-my-country-)). A MySudo subscription can be anonymously purchased with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is likely unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services.
# Tor
Perhaps you want to use [Tor](/glossary/#tor-network) from a smartphone. However, if you need the anonymity of Tor rather than the privacy of Riseup VPN, you should use [either Qubes OS or Tails](/posts/qubes/#when-to-use-tails-vs-qubes-os) on a computer. The [Graphene docs](https://grapheneos.org/usage#web-browsing) recommend avoiding Gecko-based browsers like Tor Browser given that such browsers "do not have internal sandboxing on Android." Orbot is an app that can route traffic from any other app on your device through the Tor network, but simply using the Vanadium browser through Orbot is [not recommended by the Tor Project](https://support.torproject.org/tbb/tbb-9/).
Applications like Cwtch and Briar have Tor built in, and should not be used through a VPN like Orbot.
# Recommended Settings and Habits
* **Settings → Security → Auto reboot:** 8 hours [Owner user profile]
* Auto reboot when no profile has been unlocked for several hours will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will at minimum reboot overnight if you forget to turn it off. In the event of [malware](/glossary/#malware) compromise of the device, Verified Boot will prevent and revert changes to the operating system files upon rebooting the device. If police ever manage to obtain your phone when it is in a lock-screen state, this setting will return it to effective encryption even if they keep it powered on.
* Keep the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when not in use. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
* **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* Quite a few applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos", because it will have access to all of your pictures then. Instead, in the Files app, long-press to select the picture, then share it with Signal.
* Once you have all the applications you need installed in a given user profile, disable app installation within it [Owner user profile].
* **Settings → System → Multiple users → [Username]:** Disallow installing apps (enabled)
* If an app asks for storage permissions, choose Storage Scopes. This makes the app assume that is has all of the storage permissions that were requested by it, despite not actually having any of them.
* It is convenient to be able to receive notifications from any user profile. Within the Owner user profile:
* **Settings → System → Multiple users:** Send notifications to current user (enabled)
# How to Backup
Don’t use cloud backups. None of the corporate options offer encryption at rest, and it is the easiest avenue for police to access your data. If you need to backup your phone, backup onto your encrypted computer.
GrapheneOS currently provides Seedvault as a backup solution, but it's not very reliable. As the [docs specify](https://grapheneos.org/faq#file-transfer), connecting directly to a computer requires "needing to trust the computer with coarse-grained access", so it is best avoided. Instead, you can manually backup files by copying them to a USB-C flash drive with the Files app, or sending them to yourself via an encrypted messaging app like [Element (Matrix)](/posts/e2ee/#element-matrix).
# Password Management
If you feel you need a password manager, [KeePassDX](https://www.privacyguides.org/en/passwords/#keepassdx-android) is a good option. However, most app credentials can be kept on KeePassXC on a computer as they don't need to be entered regularly. The set up described in this guide requires memorizing two passwords:
1) The Owner user profile (boot password)
2) The weak password shared by all other user profiles. This can simply be the first word of the boot password.
3) (Optional) Apps like [Cwtch](/posts/e2ee/#cwtch) and [Molly](/posts/e2ee/#signal) have their own passwords.
The weak password for secondary user profiles relies on the adversary obtaining physical access to your phone when it is turned off, which will force them to access the Owner user profile before they can attack secondary user profiles. Make sure to turn it off overnight and when you leave it at home. If they get access when the device is turned on (at a lock-screen), the "Auto reboot" setting will turn it off before they have much time to attempt a [brute-force](/glossary/#brute-force-attack). For notes on password quality for 1, see [Tails Best Practices](/posts/tails-best/#passwords).
# The Baseband Chip and Linux Phones
The hardware used for cellphones is significantly less trustworthy than a ThinkPad running Tails or Qubes OS with open-source firmware. Components of the phone, such as the processor and radio technologies, rely on closed-source components. The baseband chip (GSM module, cellular modem) is closed-source, and integrated with the processor and memory; baseband attacks can read and alter data on the phone [remotely](/glossary/#remote-attacks). This is why cellphones can never be trusted to the extent of Tails, which is used for incriminating activities such as submitting a communique because it can be used on trusted hardware, and leaves no trace. In contrast, incriminating activities should never happen over a phone unless it is a burner phone acquired for a one-off use, no matter how secure the operating system. In GrapheneOS, the [baseband is isolated](https://grapheneos.org/faq#baseband-isolation).
Why recommend a Pixel, and not a Linux phone? Linux-based phones such as the [PinePhone Pro](https://en.wikipedia.org/wiki/PinePhone_Pro) have sought to address closed-source hardware and firmware but fall short. Open-source firmware is [available to technical users](https://hackaday.com/2022/07/12/open-firmware-for-pinephone-lte-modem-whats-up-with-that/), but the baseband firmware remains closed-source. Although slightly more trust can be placed in the hardware of some Linux-based phones, they are [significantly easier to hack than GrapheneOS](https://madaidans-insecurities.github.io/linux-phones.html), as they do not have modern security features such as full system MAC policies, verified boot, strong app sandboxing, and modern [exploit](/glossary/#exploit) mitigations. For this reason, we don't recommend Linux-based phones.
# Wrapping Up
With the set-up described, if a cop starts with your name, they won’t be able to simply look it up in a cellular provider database to get your phone number. If you use the phone as a Wi-Fi only device and always leave it at home, it cannot be used to determine your movement profile and history. If you use a VoIP number, it is accessed through a VPN so, even if this number is known, it can't be used to locate you. All communications with comrades use [end-to-end encryption](/posts/e2ee/); thus, they do not assist network mapping. Even if you have the bad fortune of being the target of a highly resourced investigation, the hardened operating system makes it more difficult to compromise with spyware, and such a compromise should be able to be [detected](#auditor).
By storing the phone in a tamper-evident way when it is not in use, you'll be able to notice if it's been physically accessed. See the tutorial [Making Your Electronics Tamper-Evident](/posts/tamper/).
The [forum](https://discuss.grapheneos.org/) is generally very helpful for any remaining questions you may have.
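Review bot: the "Installation on Qubes OS" `<details>` block holds only `<p>TODO</p>`, while the Qubes steps it is meant to contain (the bullets from "In a Whonix-Workstation disposable qube" down to "Net qube: (none)") come after `</details>`, so the collapsible renders empty and the steps are always shown; move the bullet list inside the block in place of the TODO, or drop the `<details>` wrapper. Minor: "Obtanium" (twice in the Molly-FOSS paragraph) should be "Obtainium" as in the paragraph before it, and "Github" should be "GitHub" to match the Obtainium link text.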
92
content/posts/linux/index.md
Normal file
@ -0,0 +1,92 @@
+++
title="Linux Essentials"
description="The Basics Needed to Use Tails or Qubes"
date=2023-04-04
[taxonomies]
categories = ["Defensive"]
tags = ["intro", "linux", "tails", "qubes", "easy"]
[extra]
blogimage="/gifs/destroy.gif"
toc=true
+++
As an anarchist, you've probably heard the recommendation to use a Linux computer. This article is intended to get you up to speed by giving a brief overview of what you need to know.
<!-- more -->
# What is Linux, and Why Use It?
If you are reading this, you probably use either Windows or macOS on your computer. These are both [operating systems](/glossary#operating-system-os), meaning the system software that runs your device. They are also both 'closed-source', meaning that the software '*source* code' is *closed* to the public, and so can't be inspected for privacy and security. Windows and macOS computers are sending your data to Microsoft and Apple, and you can't trust their [Full-Disk Encryption](/glossary#full-disk-encryption-fde) to protect your data if the computer is being [physically accessed](/glossary/#physical-attacks) (like after a [house raid](https://www.csrc.link/threat-library/techniques/house-raid.html)).
Linux is a set of operating systems which are [open-source](/glossary#open-source), which means that the *source* code can be analyzed by anyone. Linux is the name for the core (**kernel**) of the operating system, and many different **distributions** (or 'distros') are based on it. Simply put, *Linux is the only type of computer that anarchists can put any trust in*.
Linux distributions that anarchists are likely to have heard of are Debian, Ubuntu and Tails. Each different Linux distribution makes different choices about how to manage software, what kernel version to use, etc. In fact, both Ubuntu and Tails are adaptations of Debian for the specific use cases of being user-friendly (Ubuntu) and providing default anonymity (Tails).
# How Software Works
In Linux, the term for an application is a **package**. Rather than downloading applications from various websites on the Internet (like in Windows and macOS), a Linux distribution will have a centralized **repository** where the software lives. This has the benefit that the integrity of the software is verified by the distribution, and it is guaranteed to work with that Linux distribution. It is still possible to install software from outside of a distro's repository, but it is generally considered to be riskier and verifying the integrity is your responsibility. Installing a package requires knowing its name, and all packages in a repository can be browsed through a web browser for [Debian](https://www.debian.org/distrib/packages#search_packages) as well as [Fedora](https://packages.fedoraproject.org/).
How do you actually install from the software repository? Each distribution also has a **package manager**, which is an application which installs software from a software repository. Debian, and distributions based on it, use the `apt` package manager. In some distributions, it is possible to install software with a Graphical User Interface (GUI) that is using the package manager in the background, like the [Synaptic Package Manager](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html#index3h1) in Tails.
# Software Alternatives
Part of the learning curve to Linux is figuring out what open-source software to use, instead of the closed-source options you will be familiar with from Windows and macOS. For example, instead of using Microsoft Word, you can use LibreOffice. An application being open-source is an essential criteria, but is insufficient to be considered secure. For example, Telegram advertises itself as being open-source, but the servers are not open-source and the cryptography is [trash](https://anonymousplanet.org/guide.html#bad-cryptography). The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
# The Command Line Interface
The dreaded [command line](/glossary/#command-line-interface-cli)! What even is it? You are used to interacting with applications through a **Graphical User Interface (GUI)**, which means through pointing and clicking buttons with your mouse. Some applications can also be interacted with through a **Command Line Interface (CLI)**, which is textual. Many applications will be available in both CLI and GUI versions.
For example, navigating the contents of your computer with the File Manager GUI is pretty standard - you click on a folder (called a *directory* in Linux), and it opens. The same navigation around the file system is also possible from the CLI.
When you open a Terminal (the CLI application), there is a *prompt* waiting for you. It is called this because it is prompting you to say something, in a language that the Terminal understands. Prompts will differ in what information is displayed but all end with the `$` character. You then issue *commands* to the Terminal. The Terminal responds, then it redisplays the prompt in order to receive further commands.
The best way to learn command line basics is to interact with it. We recommend this [Foundations: Linux Journey](https://techlearningcollective.com/foundations/linux-journey/the-shell) exercise to learn some basic commands. The [Software Distribution and Packages](https://techlearningcollective.com/foundations/linux-journey/software-distribution) exercise will teach you what you need to know to [install software in Qubes](/posts/qubes/#how-to-install-software).
Some commands will require elevated permissions, equivalent to 'Open as Administrator' in Windows. For example, installing software typically requires this. Prepending `sudo` to a command will run it as the administrative user, named root (note: the root user is not the same as the root directory, and the two should not be confused). A root prompt will display `#` rather than `$`. Be especially careful with any command you run while using these elevated permissions, as you'll have the permissions necessary to wipe your entire disk or modify important files. It is helpful to know that text in the Terminal is pasted with Ctrl+Shift+V (i.e. the Shift key must also be pressed).
Most Linux users will rarely need to use the CLI. For using [Tails](/tags/tails/), it shouldn't be required at all, although you will need the following commands for the [more secure installation](https://tails.boum.org/install/expert/index.en.html):
* `wget`: this downloads files from the Internet over the Command Line (rather than through a web browser)
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. It is how the integrity of the Tails download is verified.
* `apt`: this manages packages on Debian.
* `dd`: this copies a file from one disk to another.
The [Qubes](/tags/qubes/) installation requires the same commands (during the [verification](https://www.qubes-os.org/security/verifying-signatures/) stage). The Command Line Interface is otherwise only required to install software:
* `apt install <PACKAGE_NAME>`: this installs packages on Debian
* `dnf install <PACKAGE_NAME>`: this installs packages on Fedora
If you ever don't understand what a command is meant to do, try searching [explainshell](https://explainshell.com/) for it.
#### GPG Explanation
Using `gpg` during the installation of Tails or Qubes OS will be less confusing if you understand how it works.
First, some points of clarification. PGP and GPG are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication ([though we don't recommend it](/posts/e2ee/#pgp-email)), but we are using it here exclusively to verify the integrity of files.
GPG is a classic example of [public-key cryptography](/glossary/#public-key-cryptography). GPG provides cryptographic functions to [encrypt](/glossary/#encryption), decrypt, and sign files; our concern here is digitally signing files. The Qubes and Tails teams both generate a [digital signature](/glossary/#digital-signatures) on their .img releases. GPG gives us a way to verify that the file is truly 'signed' by the developers, which enables us to trust that it hasn't been tampered with.
Now you need to understand the very basics of public-key cryptography. [This Computerphile video](https://invidious.sethforprivacy.com/watch?v=GSIDS_lvRv4&listen=false) has a great overview with visual aids. To summarize it, a **secret/private** key is used to **sign** messages, and only the user possessing this key can do so. Each **private** key has a corresponding **public** key - this is termed a **key pair**. The public key is shared with everyone, and this is used to verify the signature. Confused? Watch the video!
Tails and Qubes OS sign their releases, and only they can do this because only they possess their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's walk through the [Tails verification instructions](https://tails.boum.org/install/expert/index.en.html), which is less convoluted than the [Qubes OS equivalent](https://www.qubes-os.org/security/verifying-signatures/).
**Step: Create a Key-Pair**
Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate a key-pair.
* `gpg --gen-key` will prompt you for some configuration options and then generate your key-pair.
**Step: Verify the Tails public key**
* `gpg --import < tails-signing.key` imports the Tails public key into your keyring, so that it can be used.
* `gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import` imports a Debian developer's public key into your keyring, so that it can be used.
* `gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F` allows you to verify the Tails public key with the Debian developer's public key, by examining the output as instructed. This is so that if the source of the Tails public key (tails.boum.org) is compromised, you have an external source of truth to alert you of this.
* `gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F` certifies the Tails public key with the key you created in the last step.
Now we know that we have a genuine version of the Tails public key. `gpg` also knows this because we have decided to certify it.
**Step: Verify your downloaded Tails .img file**
* `TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.10.img.sig tails-amd64-5.10.img` allows you to verify that the .img file is signed how it should be, by examining the output as instructed.
Now we know that we have a genuine version of the Tails .img file, so can proceed to install it to a USB.
# Going Further
If you'd like to learn more about Linux, we recommend:
* The rest of the Tech Learning Collective's [Foundations](https://techlearningcollective.com/foundations/) exercises will give you a much more comprehensive foundation than what you need to use Qubes or Tails.
* [Linux Fundamentals on Hack The Box Academy](https://academy.hackthebox.com/course/preview/linux-fundamentals) is another interactive learning environment, with a less comprehensive overview.
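Review bot: the `gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export ...` bullet under "Verify the Tails public key" silently assumes that keyring file is present, and it only exists once the `debian-keyring` package has been installed; on Fedora, or on a Debian install without that package, the command fails with a keyring-not-found error that gives the reader no hint about what is missing. Suggest stating the prerequisite right before the bullet (for example "Install the `debian-keyring` package first; this step is what gives you a source of truth for the Tails key that does not depend on tails.boum.org"). Two wording points in the same hunk: "which is less convoluted than the Qubes OS equivalent" should read "which are" (the instructions are plural), and "so can proceed to install it to a USB" is missing its subject ("so we can proceed"); the paragraph also slips from "we" into "I can verify that this signature is valid", which reads oddly next to the surrounding second-person voice.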
content/posts/metadata/app.png (binary image, 47 KiB)
content/posts/metadata/index.md (new file, 44 lines)
+++
title="Removing Identifying Metadata From Files"
date=2023-04-03
[taxonomies]
categories = ["Defensive"]
tags = ["metadata", "tails", "qubes", "easy"]
[extra]
blogimage="/images/app.png"
toc=true
+++
[Metadata](/glossary/#metadata) is 'data about data', or 'information about information'. In the context of files, this can mean information that is automatically embedded in the file, and this information can be used to deanonymize you. For example, an image file will often have metadata about when it was taken, where, on which camera, etc. A PDF file may have information about which program created it, on which computer, etc. This can be used by investigators to link a photo to the camera it was taken on, link a video to the computer it was edited on, and so on. To learn more about how metadata can be used to identify and reveal personal information, see [Behind the Data: Investigating metadata](https://exposingtheinvisible.org/en/guides/behind-the-data-metadata-investigations/). Before putting a sensitive file onto the Internet, clean the metadata from it.
<!-- more -->
# Metadata Anonymization Toolkit
Thankfully, there is a tool that comprehensively cleans metadata, and it is available as both a [command line interface](/glossary#command-line-interface-cli) and a graphical user interface. The command line version is called `mat2` and is [open-source](https://0xacab.org/jvoisin/mat2), and the graphical version is called [Metadata Cleaner](https://metadatacleaner.romainvigier.fr/) and is also [open-source](https://gitlab.com/rmnvgr/metadata-cleaner/). Both programs are included in [Tails](/tags/tails/) and [Qubes-Whonix](/posts/qubes/#whonix-and-tor) by default.
# Using Metadata Cleaner
Unless you are comfortable with the command line, we recommend Metadata Cleaner - it is using `mat2` under the hood, so has all of the same functionality. Metadata Cleaner is better than Exiftool and other software that removes metadata - see the [comparison docs](https://0xacab.org/jvoisin/mat2/-/blob/master/doc/comparison_to_others.md).
Metadata Cleaner displays metadata that it detects, but "it doesn't mean that a file is clean from any metadata if mat2 doesn't show any. There is no reliable way to detect every single possible metadata for complex file formats." You should clean the file even if no metadata is displayed.
To use Metadata Cleaner, first add a file. If you click on it, the current metadata will be displayed. Highlight the file, then select **Clean**, followed by **Save**. You can double-check that the metadata was removed by re-adding the cleaned file and displaying its metadata.
Cleaning a PDF file will transform it into images, which makes it no longer possible to select the text in it. If you would like to retain this ability, there is a *lightweight* cleaning mode, which only cleans the superficial metadata of your file but not the metadata of embedded resources (such as of images in the PDF). Embedded resources having metadata can be avoided using Metadata Cleaner on the images before importing them to the layout software, and using layout software on Tails or Qubes-Whonix like Scribus which will be generic to those operating systems. You can enable "Lightweight mode" in the settings of Metadata Cleaner.
Keep in mind the limitations of Metadata Cleaner: "mat2 only removes metadata from your files, it does not anonymise their content, nor can it handle watermarking, steganography, or any too custom metadata field/system. If you really want to be anonymous, use file formats that do not contain any metadata, or better: use plain-text."
# Photo and Video Forensics
Even though it is possible to clean all metadata from an image or video, forensic examination may nonetheless determine which device was used to capture it. As the Whonix [docs](https://www.whonix.org/wiki/Surfing_Posting_Blogging#Photographs) note:
> Every camera's sensor has a unique noise signature because of subtle hardware differences. The sensor noise is detectable in the pixels of every image and video shot with the camera and could be fingerprinted. In the same way ballistics forensics can trace a bullet to the barrel it came from, the same can be accomplished with adversarial digital forensics for all images and videos. Note this effect is different from file metadata.
Multiple photos or videos from the same camera can be tied together in this way, and if the camera is recovered it can be confirmed to be where the files came from. Cheap cameras can be acquired from a refurbished store and used only once for images or videos that require high security.
# Printer Forensics
All modern printers leave invisible watermarks in order to encode information such as the serial number of the printer and and when it was printed. If printed material is scanned, these markings are present in the file. To learn more, see [Revealing Traces in printouts and scans](https://dys2p.com/en/2022-09-print-scan-traces.html) and the Whonix documentation on [printing and scanning](https://www.whonix.org/wiki/Printing_and_Scanning).
# Further Reading
* [Redacting Documents/Pictures/Videos/Audio safely](https://anonymousplanet.org/guide.html#redacting-documentspicturesvideosaudio-safely)
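Review bot: the lightweight-mode paragraph in "Using Metadata Cleaner" is hard to follow at "Embedded resources having metadata can be avoided using Metadata Cleaner on the images before importing them to the layout software, and using layout software on Tails or Qubes-Whonix like Scribus which will be generic to those operating systems"; suggest "To avoid embedded resources carrying metadata, run Metadata Cleaner on the images before importing them into the layout software, and do the layout on Tails or Qubes-Whonix (for example with Scribus) so the embedded metadata is generic to those systems rather than to your machine." Under "Printer Forensics", "the serial number of the printer and and when it was printed" has a doubled "and". Also worth checking: the front matter sets `blogimage="/images/app.png"` while this commit adds the image at `content/posts/metadata/app.png`, so unless a copy also lives under the site's static images directory the hero image will not resolve.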
content/posts/nophones/index.md (new file, 67 lines)
+++
title="Why Anarchists Shouldn't Have Phones"
date=2023-04-06
[taxonomies]
categories = ["Defensive"]
tags = ["mobile"]
[extra]
blogimage="/images/prison.jpg"
toc=false
+++
With effective [security culture and OPSEC](https://www.csrc.link/read/csrc-bulletin-1-en.html#header-a-base-to-stand-on-distinguishing-opsec-and-security-culture), the forces of repression wouldn't know about our specific criminal activities, but they also wouldn't know about our lives, [relationships](https://www.csrc.link/threat-library/techniques/network-mapping.html), movement patterns, etc. This knowledge is a huge asset to help them narrow down suspects and execute targeted surveillance. The location of your phone is [tracked at all times](https://anonymousplanet.org/guide.html#your-metadata-including-your-geolocation), and this data is harvested by private companies, enabling police to bypass laws requiring them to obtain a warrant. [Hardware identifiers and the subscription information](https://anonymousplanet.org/guide.html#your-imei-and-imsi-and-by-extension-your-phone-number) of the phone are logged by cell towers with every connection. Hacking services like [Pegasus](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) bring total phone compromise within the reach of even local law enforcement agencies, and are 'zero-click', meaning that success doesn't rely on you clicking a link or opening a file.
<!-- more -->
On the flip side, after over 30 recent arsons went unsolved in a small city in France, [investigators complained](https://actforfree.noblogs.org/post/2022/04/17/grenoblefrance-these-saboteurs-of-the-ultra-left-have-been-elusive-for-five-years/) that "It is impossible to exploit telephone or vehicle registration data, since they operate without telephones or cars!" This article will map out some strategies for getting around any need you might have for a phone.
# Encryption and Geolocation
Some comrades approach the issues with smartphones by using flip phones or a landline to communicate with each other, but this approach leaves nothing obscured from the eyes of the State because nothing is [encrypted](/glossary/#encryption) - neither the content of your conversations nor who is speaking with whom. For example, in a [recent repressive operation](https://www.csrc.link/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan), police set up real-time geolocation of the suspect's phone, and made a list of everyone the suspect communicated with using unencrypted phone conversations over the course of a year. A brief biography was made for each contact.
It has become quite common for comrades to carry a cellphone around with them wherever they go, and in the contexts where people use flip phones, to make unencrypted calls to other anarchists. We should not make the jobs of police and intelligence agencies so easy; if the police don't have a phone to track, their only means of location tracking is an around-the-clock physical surveillance effort, which is resource-intensive and can be detected. The first step in such an effort at surveillance is to create a movement profile for the target, and cellphone geolocation history provides this in all-encompassing detail. Another primary goal of targeted surveillance is to map the target's social network in order to identify other targets. The only way to avoid providing this to our enemies on a silver platter is to exclusively use encrypted tools to communicate with other anarchists; these tools can help to prevent investigators from knowing who speaks with whom, or what they speak about.
# Metadata Patterns
The normalization of constant connectedness in dominant society has led some anarchists to rightfully note that the [metadata](/glossary/#metadata) generated from phone activity is useful to investigators. However, the conclusion that some draw from this insight, namely that we should ['never turn off the phone'](https://www.csrc.link/#never-turn-off-the-phone-a-new-approach-to-security-culture), leads us in the wrong direction entirely. Their logic is that if you step outside of normal metadata patterns, these moments become suspect, and if these moments align with when an action occurs, this could be used as evidence to link you to the crime or investigate you more closely. This is true, but the only conclusion to draw from this - which is not a total dead end, at least - is to minimize creating normal metadata patterns in the first place.
Our connections to the infrastructures of domination must remain sporadic and unpredictable if we are to retain any semblance of freedom and ability to strike the enemy. What if the reconnaissance required for an action requires an entire weekend away from electronic devices? Or let's start from the simple fact that phones must be left at home during an action - this only becomes the outlier to a pattern if phones otherwise accompany us wherever we go. With a normatively 'always connected' life, either of these metadata changes would stick out like a sore thumb, but this is not the case if you refuse to always plug yourself in.
# Do You Really Need a Phone?
Whether or not you need a phone comes down to whether you need *synchronous* communication every moment of your life. [*Synchronous*](/glossary/#synchronous-communication) means when two or more parties communicate in real time, versus something [*asynchronous*](/glossary/#asynchronous-communication) like email, where messages are sent at different times. This 'need' has become normalized, but it is worth pushing back against within the anarchist space. [Anarchy can only be anti-industrial](https://theanarchistlibrary.org/library/bismuto-beyond-the-moment#toc1), and this requires that we learn to live without the conveniences sold to us by telecom companies: we ought to be able to live without being connected to the Internet at all times, without algorithmic real-time directions, and without an infinite flexibility that enables us to change plans at the last minute.
If you absolutely must use a phone, it should be as difficult as possible for an adversary to geotrack, intercept messages, or hack, which means using [GrapheneOS](/posts/graphene/). This is because *exclusively* using [encrypted communication](/posts/e2ee/) to communicate with other anarchists rules out flip phones and landlines, and GrapheneOS is the only smartphone option that has reasonable privacy and security. To avoid your movements being tracked, you must treat the smartphone like a landline and leave it at home when you are out of the house. Even if you use an anonymously acquired SIM, if this is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. If you use the phone as we recommend as a [Wi-Fi-only device](/posts/grapheneos/#what-is-grapheneos), and if you keep airplane mode enabled at all times, cell towers can't connect to the phone. Nevertheless, [malware](/glossary/#malware) compromise could still turn it into a audio recording device or log GPS history. Additionally, it's insufficient to only leave it at home when you are going to a demo or action because this pattern of behaviour then stands out as an outlier, serving as a hint that there is criminal activity happening in that time window.
However, it's best to avoid using phones altogether. If it's only the comrades who are taking the biggest risks who are enacting these measures, they will stand out. Identical in principle to the black bloc tactic, the simple act of donning a mask will provide cover for anyone to act anonymously. Therefore, our proposal is that the parts of the anarchist space which have been swept up by dominant society's relationship to technology take several steps back to re-establish less intrusive baselines around phones. The strategies we will explain in the remainder of this article to live without phones rely on computers, where synchronous communication is possible but more limited, as your computer generally stays at home.
# Bureaucracy
Many bureaucratic organizations make it difficult to not have a phone: healthcare, the post office, banking, etc. Since these communications do not need to be encrypted, you can use a [Voice over Internet Protocol (VoIP)](/glossary#voip-voice-over-internet-protocol) application (which allows you to make phone calls over the Internet rather than through cell towers).
Any VoIP application option on a computer will be asynchronous because it won't ring when the computer is off - you rely on the voicemail feature to return missed calls. For example, a service like [jmp.chat](https://jmp.chat/) gives you a VoIP number that you can optionally pay for in Bitcoin, and you make calls through a XMPP (Jabber) client - [Cheogram](https://cheogram.com/) works well.
Although typically more expensive then VoIP, a flip phone or landline also works well for making and receiving 'normal life' calls if you aren't going to be using it to speak with anarchists, and, in the case of the flip phone, leaving it at home. These have the advantage that you don't need a computer to be on to hear it ring.
A flip phone can be used for any [Two-Factor Authentication](/glossary/#two-factor-authentication-2fa) (2FA) that you require (when a service makes you receive a text message to log in), which do not always work with VoIP providers. If you only need a flip phone for 2FA, [online phone numbers](https://anonymousplanet.org/guide.html#online-phone-number) are another option.
# Communication
Not having a phone will require changing how you socialize if you are [already caught in the net](https://theanarchistlibrary.org/library/return-fire-vol-4-supplement-caught-in-the-net). Being intentional about minimizing the mediation of screens in our relationships is a valuable goal in and of itself.
Except in cases where it cannot be avoided (as in the case of a publication whose editors live in different regions from one another), organizing should not be mediated by technology. The dynamic by which, in some parts of the anarchist space, the entirety of how anarchists organize projects together has been reduced to a monoculture of Signal group chats (or worse) warrants a lot of criticism. This capture of organizing relationships by smartphone culture has given rise to a meeting that never ends, which is bad for a lot of anarchists' morale. It also means that our organizing is relatively easy to surveil. Only one phone in the group chat needs to be compromised with malware for access to all messages.
That said, encrypted communication is useful for setting up real-life meet-ups where life and organizing actually takes place, or for projects that are shared with comrades across distances. See [Encrypted Messaging for Anarchists](/posts/e2ee/) for different options that are appropriate for an anarchist [threat model](/glossary/#threat-model).
# Emergency Calls
A passer-by on the street will often let you borrow their phone to make an urgent call. If the need arises in remote regions such as during a hiking trip, this is where using a flip phones would be a good fit. For receiving emergency calls, if you are not reachable from a computer as outlined above, we can drop by one another's houses or arrange for encrypted messaging check-ins ahead of time. What scenarios actually require being able to receive a call at any moment? If these actually exist in your life, you can organize to accommodate for them without projecting this urgency onto all areas and moments of your life.
# Directions
Buy a paper map of your region and bring it with you. For trips that are longer or where you will need directions, use [OpenStreetMap](https://www.openstreetmap.org/) to note them ahead of time. Wear a watch to be able to get where you are going on time.
# Music and Podcasts
They still make MP3 players! For a way cheaper price, you can play music and podcasts, but the device has neither GPS nor radio hardware. This does not mean they can't be used for geolocation. If your Wi-Fi is on, the approximate location of your MP3 player can be determined from the IP address.
# Appendix: Against the Smartphone
*From Fernweh (#24)*
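Review bot: the "Do You Really Need a Phone?" section links the same GrapheneOS guide under two different slugs in one paragraph, `/posts/graphene/` and `/posts/grapheneos/#what-is-grapheneos`; only one of these can resolve, so the other is a dead link and should be aligned with the actual post path. The closing "Appendix: Against the Smartphone" carries only the attribution line "*From Fernweh (#24)*" with no appendix text beneath it; either include the text or hold the heading back until it is ready. Smaller typos in the hunk: "typically more expensive then VoIP" should be "than"; "turn it into a audio recording device" should be "an audio"; "this is where using a flip phones would be a good fit" should be "a flip phone"; and "Two-Factor Authentication ... which do not always work with VoIP providers" should be "which does not" (it refers to the text-message login).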
content/posts/qubes/copy-to.png (binary image, 54 KiB)
content/posts/qubes/diagram.svg (image, 23 KiB)
content/posts/qubes/disposable.png (binary image, 54 KiB)
content/posts/qubes/dom0.png (binary image, 20 KiB)
content/posts/qubes/index.md (new file, 289 lines)
+++
title="Qubes OS for Anarchists"
date=2023-04-07
[taxonomies]
categories = ["Defensive"]
tags = ["intro", "linux", "windows", "qubes", "intermediate"]
[extra]
blogimage="/images/qubes-os.png"
toc=true
+++
Qubes OS is a security-oriented [operating system](/glossary#operating-system-os) (OS), meaning it is an operating system designed from the ground up to be more difficult to hack. This is achieved through [compartmentalization](https://www.qubes-os.org/faq/#how-does-qubes-os-provide-security), where each compartment is called a "qube" (using "virtual machines" — more on that below). All other Linux systems like [Tails](/tags/tails/) are *monolithic*, which means that if a hack succeeds anywhere on the system it can take over more easily. In Qubes OS, if one qube is compromised, the others remain safe. You can think of using Qubes OS as like having many different computers on your desk for different activities but with the convenience of a single physical machine, a single unified desktop environment, and a set of tools for using a number of different qubes together securely as parts of a unified system.
<!-- more -->
Qubes OS can be made to force all Internet connections through the [Tor network](/glossary/#tor-network) (like Tails) by using [Whonix](https://www.whonix.org/wiki/Qubes), which is included by default. Devices (USBs, network devices, microphone and camera) are all strongly isolated and only allowed access when it is explicitly granted. "Disposables" are one-off qubes that self-destruct when shut down.
# Who is Qubes OS For?
Given that anarchists are [regularly targeted](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in the course of repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for daily-use, and [further down](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. Whereas Tails is so user-friendly that Linux knowledge isn't even required, Qubes OS is a bit more involved, yet it is still designed to be accessible to users like journalists who don't know Linux well.
Even if nothing directly incriminating is done on a computer that you use everyday, its compromise will still give investigators a field day for [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use their daily-use computer for some anarchist projects and communication with other comrades, so making our personal computers difficult to hack is a reasonable goal for all anarchists.
# How Does Qubes OS Work?
Qubes OS is not quite another version of Linux. Rather, it is based on many "[virtual machines](/glossary/#virtual-machine-vm)" running Linux. All of these "virtual machines" are configured to work together in order to build a cohesive operating system.
What is a virtual machine? [Virtualization](/glossary/#virtualization) is the process of running a virtual computer *inside* your computer. The virtual machine thinks it's a computer running on real hardware, but really it's running on abstracted hardware (software imitating hardware). Qubes OS uses a special program called a hypervisor to manage and run many of these virtual machines at once, on the same physical computer. To simplify things, virtual machines are referred to as qubes. Different operating systems like Debian, Whonix, Fedora, Windows, etc. can all run together simultaneously. The hypervisor strongly isolates each of the qubes from one another.
At the risk of overwhelming you, here is an overview of how Qubes OS is structured. Each rectangle represents a qube (that is, a virtual machine). Let's break it down.

* **Admin qube**. This graphic uses the old naming convention (AdminVM). This is the small, isolated and trusted qube that manages the other qubes. It is very protected because if it's compromised, it's game over. It uses a technology called Xen as the hypervisor. It is also named dom0, which is a Xen naming convention. The Admin qube has no network connectivity and is only used for running the [desktop environment](https://en.wikipedia.org/wiki/Desktop_environment) and [window manager](https://en.wikipedia.org/wiki/Window_manager).
* **App qubes**. There are three in this example. #1 is running the Debian operating system, #2 is running Fedora, and #3 is running Whonix. App qubes are where you run applications, store files, and do your work. You can have many isolated App qubes for different activities or purposes. Each App qube is like an entire self-contained operating system.
* **Template qubes**. These are where applications and operating system files live. Templates are where you install and update software. Every App qube is based on a Template qube, but the Template is "read only" from the App qube's perspective. This means that the more sensitive system files are additionally protected from whatever happens in an App qube - they are not preserved between restarts of an App qube. Multiple App qubes can be based on a single Template, which has the convenient feature that updating a Template will provide updates to all App qubes based on this Template.
* **Service qubes**. Sys qubes (as in *system*) connect to the Internet and devices. **sys-usb** manages attached USB devices, so that they are only attached to a qube with your consent. **sys-net** is similar to sys-usb, for network devices. **sys-firewall** is firewall control for all qubes connected to the Internet, and is in a separate qube so that if sys-net is compromised the firewall rules can't be trivially modified. Note that qubes never connect to sys-net directly, but always through sys-firewall. **sys-whonix** forces all network traffic through Tor, and itself connects to the firewall.
You'll notice that App qube #1 is connected to the Internet, App qube #2 is offline, while App qube #3 is connected to the Internet over Tor and is Disposable. Note that Whonix is actually two qubes: the workstation (App qube #3) and the gateway (sys-whonix). This has the security property that if the workstation is compromised, the gateway (where Tor is running) is not. Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware - only the Admin qube can directly access the hard drive and only Service qubes can directly access the networking, USB, microphone and camera hardware.
A Disposable qube is a type of App qube that self-destructs when its originating window closes - after shutdown it reverts back to the Template. Note that while Tails exclusively uses memory (if the Persistent Storage feature is not enabled), Qubes OS uses the hard drive so forensic traces are still possible when using a Disposable.
You don't need to memorize any of this to actually use Qubes OS, it can just be helpful to understand the outline of the system before getting started.
# When to Use Tails vs Qubes OS
Qubes includes Whonix by default for when you need to force all connections through Tor. As [Privacy Guides](https://www.privacyguides.org/desktop/#anonymity-focused-distributions) compares (emphasis added):
> Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. **This means that even if the Workstation is compromised by [malware](/glossary/#malware) of some kind, the true IP address remains hidden.**
>
>Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a [hardened](/glossary#hardening) distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). **A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.**
>
>Whonix virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. By design, Tails is meant to completely reset itself after each reboot. Encrypted persistent storage can be configured to store some data between reboots.
For data to be recovered from a Qubes OS system, the [Full Disk Encryption](/glossary#full-disk-encryption-fde) would still need to be successfully [bypassed](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) (such as by seizing the computer when it is turned on, or the use of a weak password). If the Tails Persistent Storage feature is in use, any data that is configured to persist faces the same issue.
Our recommendation is to use Qubes OS:
* As a daily-use computer
* For opening untrusted files or links. Many anarchist projects require this, such as website moderation, publications, etc.
* For tasks or workflows where Tails is too limiting or not applicable
And to use Tails:
* For writing and submitting communiques
* For action research
* For provisioning and connecting to hacking infrastructure
* For anything else where traces will land you in prison
* If the learning curve for Qubes OS is too steep
# Getting Started
Qubes OS runs ideally on a laptop with a solid-state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/qubes-best/#heads-open-source-firmware) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop—we recommend the ThinkPad X230 because the install is less involved than for other models. The X230 is also the only laptop model that is developer-tested, and is easily found in refurbished computer stores for around $200 USD. See the [community-recommended computers](https://forum.qubes-os.org/t/5560) list for several other options.
|
||||
|
||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you up and running. If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you though it, or first learn command line basics and GPG (required during the [verification stage](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
|
||||
|
||||
In the post-installation:
|
||||
* Tick the checkmark for Whonix qubes, as well as for updates to happen over Tor.
|
||||
|
||||
* The post-installation also gives the option of using the Debian Template for all sys qubes (the default is Fedora). Whether you opt to use Debian or Fedora for qubes that don't require Tor is your decision. Privacy Guides [makes the argument](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen).
|
||||
|
||||
* Make sys-net disposable if you will be using an Ethernet connection (or don't mind entering the Wi-Fi password upon boot).
|
||||
|
||||
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin. The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but difficult to orient to for a new user. We'll cover some basics here that aren't already mentioned in the Getting Started link.
|
||||
|
||||
# How to Update
On Qubes OS, you should NOT be typing `apt update` or `apt upgrade` from the command line, which you may be used to from other experiences with Linux. As the [docs](https://www.qubes-os.org/doc/how-to-update/) specify, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing that you'll want to do after connecting to the Internet is to launch Qubes Update. From the docs:

> you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”

Updates will take a moment to be detected on a new system, so select "Enable updates...", tick all qubes, and press **Next**. A Whonix window might pop up prompting you to do a command line update, but this can be ignored as it will be resolved by the update. Once Qubes Update is done, reboot.

# How to Copy and Paste Text
Qubes has a special global clipboard to allow you to copy and paste text between qubes.

1. Press **Ctrl+C** to copy text as normal to the internal clipboard of the source App qube.
2. Press **Ctrl+Shift+C** to transfer the contents of the source App qube's internal clipboard to the global clipboard.
3. Press **Ctrl+Shift+V** in the destination App qube to transfer the contents of the global clipboard to the destination App qube's internal clipboard.
4. Press **Ctrl+V** to paste text as normal from the internal clipboard of the destination App qube.

It's a little tricky at first, but you'll get the hang of it fast!

# How to Copy and Move Files
A special tool exists for moving files and directories (folders) between qubes that requires explicit user consent. As a rule of thumb, only move files from more trusted qubes to less trusted ones.

From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):

>1. Open a file manager in the qube containing the file you wish to copy (the source qube), right-click on the file you wish to copy or move, and select **Copy to Other AppVM**... or **Move to Other AppVM**....

>2. A dialog box will appear in dom0 asking for the name of the target qube (qube B). Enter or select the desired destination qube name.

>3. If the target qube is not already running, it will be started automatically, and the file will be copied there. It will show up in this directory (which will automatically be created if it does not already exist): `/home/user/QubesIncoming/<source_qube>/<filename>`. If you selected Move rather than Copy, the original file in the source qube will be deleted. (Moving a file is equivalent to copying the file, then deleting the original.)
>
>4. If you wish, you may now move the file in the target qube to a different directory and delete the /home/user/QubesIncoming/ directory when no longer needed.

# How to Install Software
While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html) for installing any additional software, at this time Qubes OS does not, so new software must be installed from the command line. If unfamiliar with either the command line or how software works in Linux, check out [Linux Essentials](/posts/linux/) to get acquainted. When choosing what additional software to install, keep in mind that an application being [open-source](/glossary/#open-source) is an essential criterion, but is not by itself enough for it to be considered secure. The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.

Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name; packages can be browsed in a web browser for [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or searched from the command line.

It is best not to install additional software into the default Template, but rather into a cloned Template, so as not to unnecessarily increase the attack surface of all App qubes based on the default Template. For example, to install packages for working with documents which are not included by default in `debian-11`, I clone it first. Go to **Applications menu > Qubes Tools > Qube Manager**. Right-click `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`.

To install new software, as the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories) detail:

>1. Start the template.
>
>2. Start a terminal.
>
>3. Install software as normally instructed inside that operating system, e.g.:
>* Fedora: `sudo dnf install <PACKAGE_NAME>`
>* Debian: `sudo apt install <PACKAGE_NAME>`
>
>4. Shut down the template.
>
>5. Restart all qubes based on the template.
>
>6. (Recommended) In the relevant qubes’ **Settings > Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.)


Remember, you should not be running `apt update` or `dnf update`.

To return to the example above, I would start a terminal in the `debian-11-documents` Template which I had just cloned, and run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs`. Once the install completes, I shut down the Template. I could then create or assign a qube to use this Template, and use LibreOffice, etc. Installing software should be the only time that most users *need* to use the command line with Qubes OS.

You may want to use software that is not present in the Debian/Fedora repositories, which makes matters a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, instead of relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) lays out your options. If the software is available at [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories (such as Signal Desktop), we recommend [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/).

# How to Organize Your Qubes
The next step is to decide how to organize your system - there is much more flexibility in this regard than in a monolithic system like Tails. In general, you should use disposables to connect to the Internet whenever possible. Here is our recommended set-up for the typical user, which can be further extended as needed.

After installation, a number of qubes already exist. Click on the Applications Menu to see all of them. We will delete the following default App qubes because they use the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu > Qubes Tools > Qube Manager**. Right-click and select "Delete qube" for each.

How the App qubes will be organized, without displaying service qubes or Templates:



* **A vault qube**. This will be used for all data storage, because a qube that doesn't need networking shouldn't have it. This qube can be reassigned to the `debian-11-documents` Template so that trusted files can be opened there.

* **A disposable Whonix qube**. The default `whonix-ws-16-dvm` qube is disposable (noted by the "dvm" naming, meaning disposable virtual machine). You can think of it as similar to Tails: system-wide Tor, and erasure after shutdown (without the anti-forensics property, as noted above). All Whonix App qubes use the `whonix-ws` (workstation) Template and only the `sys-whonix` qube uses the `whonix-gw` (gateway) Template.

* **A disposable Debian or Fedora qube**. The default `debian/fedora-dvm` qube (depending on your post-installation decision) is disposable, and is well suited to web browsing on sites that block Tor, such as logging into online banking.

It's possible to just use the system as it is now, but let's show you how to create an App qube and a disposable.

* **A Monero qube**. Let's say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize that activity. Go to **Applications menu > Qubes Tools > Create Qubes VM**
    * **Name**: Project-monero
    * **Color**: Yellow
    * **Type**: AppVM
    * **Template**: whonix-ws-16
    * **Networking**: sys-whonix
    * The official Monero wallet is natively included in whonix-ws. Now that the qube exists, in the **Settings > Applications** tab, bring Monero Wallet into the Selected column, and press **OK**. The shortcut will now appear in the Applications Menu.

* **An offline disposable qube**. Right now both disposables have networking (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu > Qubes Tools > Create Qubes VM**
    * **Name**: debian-11-offline-dvm
    * **Color**: Black
    * **Type**: AppVM
    * **Template**: debian-11-documents
    * **Networking**: none
    * You could equally use Fedora. In the new qube's **Settings > Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. The offline disposable will now appear at the top of the Applications Menu - make sure to work in the disposable, and not in the disposable Template.
    * Go to **Applications menu > Qubes Tools > Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm`
    * Now, if a malicious document achieves code execution after being opened, it will be in an empty qube that has no network, and which is destroyed when it is closed.
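
The dom0 command-line equivalents of the Template cloning and package installation described in the previous section and of the two qubes created above, as an added example that is not part of this guide or of the Qubes OS project. The `qvm-*` and `qubes-prefs` tools are the standard Qubes OS dom0 utilities; the `run` helper, the `DRY_RUN` variable and the function names are this example's own, assumed for illustration so the commands can be printed and checked before they are executed in a dom0 terminal.

```shell
#!/bin/sh
# Added example, not from the anarsec guide or the Qubes OS project: dom0
# command-line equivalents of the GUI steps described in the guide. The
# qvm-* and qubes-prefs tools are standard Qubes OS dom0 utilities; run()
# and DRY_RUN are this example's own (assumptions for illustration).

# run CMD...: execute CMD, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# clone_and_install SRC DST PKG...
# Clone Template SRC to DST and install the packages into DST only, so the
# App qubes still based on SRC do not inherit the larger attack surface.
clone_and_install() {
    src=$1
    dst=$2
    shift 2
    run qvm-clone "$src" "$dst"
    # Install as root inside the clone; package downloads go through the
    # Qubes update proxy. Do not run "apt update" / "apt upgrade" by hand.
    run qvm-run -u root --pass-io "$dst" "apt-get install -y $*"
    # Shut the Template down so qubes based on it see the new root volume
    # the next time they start.
    run qvm-shutdown --wait "$dst"
}

# make_app_qube NAME LABEL TEMPLATE NETVM
# A persistent App qube, e.g. one dedicated to a single project.
make_app_qube() {
    run qvm-create --class AppVM --template "$3" --label "$2" "$1"
    run qvm-prefs "$1" netvm "$4"
}

# make_offline_dispvm NAME TEMPLATE
# A disposable Template with no network, listed in the Applications Menu
# and set as the system-wide default so "View/Edit In DisposableVM" and
# "Convert To Trusted PDF" open untrusted files in it.
make_offline_dispvm() {
    run qvm-create --class AppVM --template "$2" --label black "$1"
    run qvm-prefs "$1" netvm ''
    run qvm-prefs "$1" template_for_dispvms True
    run qvm-features "$1" appmenus-dispvm 1
    run qubes-prefs default_dispvm "$1"
}

# The layout used in this guide. Preview with: DRY_RUN=1 provision_guide_layout
provision_guide_layout() {
    clone_and_install debian-11 debian-11-documents \
        libreoffice-writer mat2 bookletimposer gimp gocryptfs
    make_app_qube Project-monero yellow whonix-ws-16 sys-whonix
    make_offline_dispvm debian-11-offline-dvm debian-11-documents
}
```

Adding the application shortcuts (Monero Wallet, Disks, Files) is still done in each qube's **Settings > Applications** tab as described above.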

[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to configure qubes that otherwise require advanced command line use to set up. Available configurations include:
* **Split-gpg**: GPG keys live in an offline qube and their access is tightly controlled
* **Split-ssh**: SSH keys live in an offline qube and their access is tightly controlled
* **Mullvad-vpn**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the only reputable VPN companies - they accept cryptocurrency, and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
* **sys-vpn**: A VPN qube using the OpenVPN protocol

If you want your qubes that are not using Tor to be forced through a VPN, this is the easiest way to set that up.

# How to Use Disposables
Disposables can be launched from the Applications menu; the disposable will be at the top, and the disposable Template near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu > Disposable: whonix-ws-16-dvm > Tor Browser**. This is how you should do all Tor browsing. If you launch a disposable application, but then want to access the file manager of that same disposable qube, this can be done from the Qubes Domains widget in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would start yet another disposable.

Once you close all windows of a disposable, the whole disposable shuts down and is destroyed. The next time that it boots, the disposable will completely reflect the state of its Template. In contrast, an App qube needs to be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local` and `/rw/config` directories. The next time that it boots, all locations in the file system of an App qube other than these three directories will reflect the state of its Template. Take a look at how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.




In the file manager of an App qube, right-clicking on certain types of files will give the option **Edit In DisposableVM** and **View In DisposableVM**. This is exactly how we want to open any untrusted files stored in our vault qube. It will use the default disposable that we set earlier, which is offline. Once you close the viewing application the whole disposable will be destroyed. If you have edited the file and saved the changes, the changed file will be saved back to the original App qube, overwriting the original. By contrast, viewing in a disposable is read-only, so if the file executes something malicious, it can't write to the App qube you launched it from - this is preferred for files you don't need to edit.

If your file is opening in a different application than what you require, you'll need to change the disposable Template default:
1. Send a file of this type to your disposable Template (in our case, `debian-11-offline-dvm`).
2. Open the file manager for the disposable Template.
3. Select the file, right-click **Properties**.
4. In the **Open With** tab, select your preferred application for this file type.
5. Press **Set as default**.
6. Delete the file from the disposable Template (don't forget to empty the trash).
7. Shut down the disposable Template for the change to take effect.

For PDF files, right-clicking will also give the option **Convert To Trusted PDF**. This sanitizes the PDF file so that it can go from being untrusted to trusted: the PDF is rendered into images in a disposable, and then OCR is run so that text can be highlighted again.

# How to Use Devices (like USBs)
To learn how to attach devices, we will format the empty USB or hard drive you will be using for backups. The USB will be attached to an offline disposable to mitigate against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).

1. Go to **Applications menu > Disposable: debian-11-offline-dvm > Disks**. The disposable will have a name with a random number like disp4653. If Disks is not present, make the change on the **Settings > Applications** tab.



*The Qubes Devices widget icon*

2. The Qubes Devices widget is used to attach a USB drive (or just its partitions) to any qube easily. Simply click on the widget and plug in your USB drive. The new entry will be under "Data (Block) Devices", typically `sys-usb:sda` is the one you want (`sda1` is a partition and would need to be mounted manually). Hover over the entry, and attach it to the disposable you just started (in the case of the example I gave above, disp4653).

3. The empty USB or hard drive should now be displayed in the Disks application. Format the empty device and then create a new encrypted partition, [like you would in Tails](https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html#index2h1). You can use the same LUKS password as is used for your Qubes OS LUKS, because you will need to memorize it to restore from backup, and it will contain the same data.

4. Before removing the USB drive, first eject it using the Qubes Devices widget, which ejects it from the qube. Then go to **Applications menu > sys-usb > Files**, and select "Safely Remove Drive" to eject it from the computer.

There are command line instructions for using an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice).

# How to Backup
As soon as your qubes are organized in the way that you would like, back up your system. Depending on your needs, we recommend making a weekly backup, and a redundant one which is stored off-site and is synchronized monthly (to protect against data loss from a [house raid](https://www.csrc.link/threat-library/techniques/house-raid.html)).

Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup):

>1. Go to **Applications menu > Qubes Tools > Backup Qubes**.
>
>2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. Once you have selected all desired VMs, click Next.
>
>3. Go to **Applications menu > Disposable: debian-11-offline-dvm > Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be backing up to and attach it ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **+ Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in it called `backups`.
>
>4. In Backup Qubes, select the destination for the backup:
>* **Target qube**: select the disposable, named something like disp1217.
>* **Backup directory**: click **...** to select the newly created folder `backups`.
>5. Set an encryption passphrase, which can be the same as your Qubes OS user passphrase, because you will need to memorize it to restore from backup, and it will contain the same data. This is dom0, so you won't be able to paste it from a password manager.
>6. Untick "Save settings as default backup profile", and press **Next**.
>7. Once the backup is complete, test restore your backup. Go to **Applications menu > Qubes Tools > Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you can’t restore your data from it, and you can’t be sure that your backup is not corrupted until you try to restore.

# Whonix and Tor
The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). When Whonix is used in Qubes OS it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems as well, but it's preferable to use it on Qubes OS due to the superior isolation it provides.

Different applications on a Whonix App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated - this is called [Stream Isolation](https://anonymousplanet.org/guide.html#pick-your-connectivity-method).

Note that [multiple Whonix App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) should not be used simultaneously:
> It is safest to only use one Whonix-Workstation at a time and for a single activity. New risks are introduced by running multiple Whonix-Workstation at the same time. For instance, if a single Whonix-Workstation was compromised, it could potentially perform various side channel attacks to learn about running processes in other VMs, and not all of these can be defeated. Depending on user activities, a skilled adversary might be able to correlate multiple Whonix-Workstations to the same pseudonym.

Also worth noting is that "for those who regularly download Internet files, Tor Browser's default download folder is inconvenient." Follow the [docs](https://www.whonix.org/wiki/Tor_Browser#Navigating_Tor_Browser_Downloads) to change the default in the `whonix-ws` (workstation) Template.

Tor Browser can't upload files from `/home/user/QubesIncoming/` due to how permissions are set, so move files somewhere in `/home/user/` to upload them, such as the Downloads directory.

# Password Management
Passwords should be managed with KeePassXC from the `vault` App qube. If unfamiliar with KeePassXC, you can learn about it in the [Tails for Anarchists](/posts/tails/). This leaves three passwords that must be memorized:
1. [LUKS](/glossary/#luks) password (first boot password)
2. User password (second boot password)
3. KeePassXC file password

For notes on password quality for passwords you must memorize, see [Tails Best Practices](/posts/tails-best/#passwords).

# Windows Qubes
It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), though the installation is a bit involved. This allows programs that are not available for Linux, such as the Adobe Creative Suite programs, to be used from Qubes OS (ideally offline). Installing "cracked" software downloaded from a torrent is not recommended as these are often malicious. The Adobe Creative Suite can be downloaded from Adobe, and then cracked with [GenP](https://www.reddit.com/r/GenP/wiki/redditgenpguides/#wiki_guide_.232_-_dummy_guide_for_first_timers_genp_.28method_1.3A_cc.2Bgenp.29).

# Best Practices
There is a lot more flexibility in how you configure Qubes OS than in Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article:
* Protecting your identity
    * Still [clean metadata](/posts/metadata/) from files before sharing them.
    * Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
* Limitations of the Tor network
    * For sensitive activity, don't use Internet connections that could deanonymize you, and prioritize .onion links when available.
    * If you might be a target for physical surveillance, consider doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) prior to heading to a cafe. Alternatively, use a Wi-Fi antenna from indoors.
* Reducing risks when using untrusted computers
    * The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to [GnuPG verification of Tails](https://tails.boum.org/install/expert/index.en.html).
    * Only attach USBs and external drives to a qube that is disposable and offline.
    * To mitigate against physical attacks on the computer, buy a dedicated laptop from a refurbished store, make it [tamper-evident and store it in a tamper-evident safe](/posts/tamper/).
    * To mitigate against remote attacks on the computer, you can use anonymous Wi-Fi, and replace the BIOS with [HEADS](https://osresearch.net/). It's not possible to remove the hard drive, and Qubes OS already isolates the Bluetooth interface, camera and microphone. USBs with secure firmware are less important thanks to the isolation that sys-usb provides, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive (and App qubes don't have write access to their templates).
* Encryption
    * Passwords: [See above](#password-management)
    * Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defence.
    * Encrypted communication: for synchronous messaging, use [Cwtch](https://cwtch.im/), and for asynchronous messaging use Element. See [Encrypted Messaging for Anarchists](/posts/e2ee/).
* Phishing awareness
    * This is where Qubes OS really shines. Awareness is no longer your only defence - the design of Qubes OS protects against [phishing](/glossary/#phishing) attacks.
    * Open attachments in a qube that is disposable and offline.
    * Open links in a Whonix qube that is disposable.

# Wrapping Up
The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend starting to use Qubes OS gradually, where you can progressively do tasks on Qubes OS instead of your previous operating system, because trying to learn everything at once may be overwhelming.
BIN
content/posts/qubes/media-removable.png
Normal file
BIN
content/posts/qubes/menu.png
Normal file
BIN
content/posts/qubes/qubes-arch.png
Normal file
BIN
content/posts/tails-best/X230.jpg
Normal file
BIN
content/posts/tails-best/duckduck.cleaned.png
Normal file
BIN
content/posts/tails-best/flashtrust.webp
Normal file
1
content/posts/tails-best/identity.svg
Normal file
217
content/posts/tails-best/index.md
Normal file
@ -0,0 +1,217 @@
+++
title="Tails Best Practices"
date=2023-04-08

[taxonomies]
categories = ["Defensive"]
tags = ["best practice", "linux", "tails", "easy"]

[extra]
blogimage="/images/tails1.png"
toc=true
+++

As mentioned in our [recommendations](/recommendations/#computers-sensitive), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that needs to have no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive, and is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to working with Tails, start with [Tails for Anarchists](/posts/tails-tutorial/).

This text details some extra precautions that you can take which are relevant to an anarchist [threat model](/glossary#threat-model). Not all anarchist threat models are the same and only you can decide what mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [CSRC Threat Library](https://www.csrc.link/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations.

<!-- more -->

# Tails Warnings

Let's start by looking at the [Tails Warnings page](https://tails.boum.org/doc/about/warnings/index.en.html).

#### Protecting your identity when using Tails



> Tails is designed to hide your identity. But some of your activities could reveal your identity:
> 1. Sharing files with [metadata](/glossary#metadata), such as date, time, location, and device information
> 2. Using Tails for more than one purpose at a time

The first issue can be mitigated by **cleaning metadata from files before sharing them**:
* To learn how, see [Removing Identifying Metadata From Files](/posts/metadata/).

The second issue can be mitigated by what's called **'compartmentalization'**:
* [Compartmentalization](https://www.csrc.link/threat-library/mitigations/compartmentalization.html) means keeping different activities or projects separated from each other. If you use Tails sessions for more than one purpose at a time, an adversary could link your different activities together. For example, if you log into different accounts on the same website in a single Tails session, the website could determine that the accounts are used by the same person. This is because websites can tell when two accounts are using the same Tor circuit.
* To prevent an adversary from linking your activities together while using Tails, restart Tails between different activities. For example, restart Tails between checking different project emails.
* Tails is amnesiac by default, so to save any data from a Tails session it needs to be saved to a USB. If the files that you save could be used to link your activities together, use a different encrypted ([LUKS](/glossary#luks)) USB stick for each activity. For example, use one Tails USB stick for moderating a website and another one for research for actions. Tails has a feature called Persistent Storage, but we recommend not using this for data storage, which will be explained [below](#using-a-write-protect-switch).

#### Limitations of the [Tor network](/glossary#tor-network)

> Tails uses the Tor network because it is the strongest and most popular network to protect from surveillance and censorship. But Tor has limitations if you are concerned about:
> 1. Hiding that you are using Tor and Tails
> 2. Protecting your online communications from determined, skilled attackers

The first issue is mitigated by [**Tor bridges**](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#bridges):

* Tor Bridges are secret Tor relays that keep your connection to the Tor network hidden. However, this is only necessary where connections to Tor are blocked, for example in some countries with heavy censorship, by some public networks, or by some parental controls. This is because Tor and Tails don't protect you by making you look like any random Internet user, but by making all Tor and Tails users look the same. It becomes impossible to know who is who among them.

> A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called *end-to-end correlation* attacks, because the attacker has to observe both ends of a Tor circuit at the same time. [...] End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users.

The second issue is mitigated by **not using an Internet connection that could deanonymize you** and by **prioritizing .onion links when available**:

* If a determined adversary breaks Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic), the Internet address you had used in a cafe without CCTV cameras will only lead to your general area (for example, your city) because it is not associated with you. No evidence presented in court so far shows a correlation attack being used to deanonymize a Tor user, though [it has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as supporting evidence once a suspect was already identified by a snitch. Correlation attacks are even less feasible against connections to a .onion address, because you never exit the Tor network, so there is no 'end' to correlate with.
* There are several opsec considerations to keep in mind if using Wi-Fi at a cafe without CCTV cameras. If you need to buy a coffee to get the Wi-Fi password, pay in cash! Position yourself with your back against a wall so that nobody can 'shoulder surf' you to see your screen, and ideally install a privacy screen on the laptop. Maintain situational awareness, and be ready to pull out the Tails USB and power down the computer at a moment's notice. An individual responsible for a darknet marketplace had his Tails computer seized while distracted by a fake fight beside him - if his Tails USB had been attached to a bracelet by a short length of fishing line, the feds would have very likely lost all evidence when the Tails USB was yanked out - the Tails screen will freeze on whatever was up last, and any LUKS USBs are left in their encrypted state.
* However, a more likely low-tech 'correlation attack' is possible by local law enforcement, starting from your identity rather than starting from your anonymous Internet activity, if you are already in their sights and a target of [physical surveillance](https://www.csrc.link/threat-library/techniques/physical-surveillance/covert.html). For example, if a surveillance operation notices that you go to a cafe regularly, and an anarchist website is always updated in those time windows, this pattern can indicate that you are moderating that website. Perhaps an undercover can even get a glance at your screen.
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) prior to heading to a cafe**, and changing Wi-Fi locations regularly, but this is not particularly realistic for projects like moderating a website which require daily Internet access. Alternatively, mitigations can involve **using a Wi-Fi antenna from indoors** (guide forthcoming), **scheduling posts to be published later** (WordPress has this feature), or potentially even **using Tor from your home Internet** for some projects. This contradicts the prior advice, but using Tor from home will avoid creating a movement profile that is so easily physically observed (compared to a network traffic profile that is more technical to observe, and may be more difficult to draw meaningful conclusions from).
* If you want to send in a report-back the morning after a riot, or a communique soon after an action (times when there might be a higher risk of targeted surveillance), consider waiting and at minimum take surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank was gutted with fire in Canada, police surveilled a suspect while he travelled from home to an Internet cafe, and watched while he posted the communique and then proceeded to bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.csrc.link/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe close to the comrade's home, and requested CCTV footage for the day during which an arson communique was sent.

#### Reducing risks when using untrusted computers

> Tails can safely run on a computer that has a virus. But Tails cannot always protect you when:
> 1. Installing from an infected computer
> 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware

The first issue is mitigated by **using a computer that you trust to install Tails**:

* As per our [recommendations](/recommendations/#computers-daily-use), this would ideally be from [Qubes OS](/posts/qubes/) which is much more difficult to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick which was installed with Qubes OS (and who uses these best practices), you could [clone it](https://tails.boum.org/upgrade/clone/index.en.html) instead of installing it yourself.
* Use the install method ["Terminal: Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), because it checks the integrity of the download more thoroughly using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you through it, or first learn command line basics and GnuPG with [Linux Essentials](/posts/linux/).
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs that are used in Tails sessions) into a computer while another operating system is running on it; if the computer is infected, the infection can then [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).

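To show what the GnuPG step of the Terminal install method actually establishes, here is an added example (written for this page, not code from Tails or anarsec) that reads the machine-readable status output of `gpg --verify`. The point it makes: a `GOODSIG` line only says that some key in your keyring signed the file, which includes a key you were tricked into importing; only a `VALIDSIG` line carrying the fingerprint you expect proves the image came from the Tails developers. `EXPECTED_FPR` and the sample status lines are constructed placeholders; substitute the fingerprint published by the Tails project.

```python
"""Check the machine-readable output of `gpg --status-fd 1 --verify`.

Added example for this guide, not code from Tails or anarsec. It assumes you
have already imported the Tails signing key; EXPECTED_FPR and the sample
status lines below are constructed placeholders, not the real key.
"""
import subprocess

# Placeholder: replace with the full fingerprint published by the Tails project.
EXPECTED_FPR = "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"

# Any of these tokens means the signature must be rejected, whatever else gpg printed.
FATAL_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of what gpg prints on --status-fd for a good signature.
SAMPLE_GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Example signer <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2023-01-01 1672531200 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def _normalise(fpr: str) -> str:
    """Fingerprints are often shown in groups of four; compare without spaces."""
    return fpr.replace(" ", "").upper()


def signature_is_valid(status_output: str, expected_fpr: str) -> bool:
    """True only if gpg reported VALIDSIG from exactly the expected key.

    GOODSIG on its own is not enough: it is printed for any key in your keyring.
    VALIDSIG carries the full fingerprint of the signing key and, as its last
    field, of its primary key; either may match the published fingerprint.
    """
    expected = _normalise(expected_fpr)
    valid_from_expected = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        token = fields[1]
        if token in FATAL_TOKENS:
            return False
        if token == "VALIDSIG" and expected in (fields[2].upper(), fields[-1].upper()):
            valid_from_expected = True
    return valid_from_expected


def verify_download(image_path: str, sig_path: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Run gpg on the downloaded image and its detached .sig (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, image_path],
        capture_output=True, text=True, check=False,
    )
    return signature_is_valid(proc.stdout, expected_fpr)


if __name__ == "__main__":
    print("sample accepted:", signature_is_valid(SAMPLE_GOOD_STATUS, EXPECTED_FPR))
```

The check deliberately fails closed: any `BADSIG`, `ERRSIG` or expired/revoked-key token anywhere in the output rejects the file, even if a valid signature from the expected key is also present.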
The second issue requires several mitigations. Let's start with some definitions.

* *Hardware* means the physical computer that you use.
* *Firmware* means software that's embedded in a piece of hardware; you can think of it simply as "software for hardware". It can be found in several different locations (hard drives, USB drives, graphics processor, etc).
* *BIOS* means the specific firmware that is responsible for booting your computer when you press the power button—this is a great place for [malware](/glossary/#malware) to hide because it is undetectable by the operating system.

Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, or the Tails software: [remote attacks](/glossary#remote-attacks) (through the Internet) and [physical attacks](/glossary/#physical-attacks) (through physical access). Not everyone will need to apply all of the advice below. For example, if Tails is only being used for anonymous Internet browsing and written correspondence, some of this may be overkill. However, if Tails is being used to take responsibility for actions that are highly criminalized, a more thorough approach is likely relevant.

**To mitigate against physical attacks:**

> Your computer might be compromised if its physical components have been altered. For example, if a keylogger has been physically installed on your computer, your passwords, personal information, and other data typed on your keyboard could be stored and accessed by someone else, even if you are using Tails.

* First, **obtain a 'fresh' computer**. A laptop bought from a random refurbished computer store is very unlikely [to already be compromised](https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/). Buy your computer with cash so that it is not traced to you, and in person because mail can be intercepted—a used [T Series](https://www.thinkwiki.org/wiki/Category:T_Series) or [X Series](https://www.thinkwiki.org/wiki/Category:X_Series) Thinkpad from a refurbished computer store is a cheap and reliable option. It is best to use Tails with a dedicated laptop, which will prevent the hardware from being targeted for compromise through a less secure operating system, or through your normal non-anonymous activities. Another reason to have a dedicated laptop is so that if something in Tails breaks, any information that leaks which exposes the laptop isn't automatically also tied to you and your daily computer activities.
* **Make the laptop screws tamper-evident, store it in a tamper-evident way, and monitor for intrusions**. With these precautions, if physical attacks happen in the future, you'll be able to notice. See the tutorial [Making Your Electronics Tamper-Evident](/posts/tamper/) to adapt the laptop chassis screws, use the app Haven for intrusion detection, as well as how to store it so that you'll be able to notice if it's been physically accessed. Store any external devices you'll be using with the laptop in the same way (USB, external hard drive, mouse, keyboard). Once physical attack vectors are mitigated, an adversary will need to rely on remote attacks.

**To mitigate against remote attacks:**

* **Anonymous Wi-Fi**. Using anonymous Wi-Fi is not only recommended to mitigate against deanonymization, but also against remote hacking. It is best to never use the dedicated Tails laptop from your home Wi-Fi. This makes the laptop much less accessible to a remote attacker than a laptop that you constantly have connected to your home Wi-Fi. If an attacker is targeting you specifically, they need a starting point, and your home Wi-Fi is a pretty good one.
* **Remove the hard drive**—it's easier than it sounds. You can ask the store where you buy it to do this and potentially save some money. If you look on YouTube for 'remove hard drive' for your laptop model, there will likely be an instructional video. Make sure that you remove the laptop battery first and unplug the power cord. We remove the hard drive to completely eliminate the hard drive firmware, which has been known to be [compromised in order to install malware that is persistent](https://www.wired.com/2015/02/nsa-firmware-hacking/). This is part of the attack surface, and is unnecessary with a live system like Tails which runs from a USB.
* Consider **removing the Bluetooth interface, camera, and microphone** while you are at it, though this is more involved—you'll need the user manual for your laptop model. At a minimum, the camera can be "deactivated" by placing a sticker over it. The microphone is often connected to the motherboard via a plug - it is then sufficient to disconnect it. If this is not clear, or there is no connector because the cable is soldered directly, or the connector is needed for other purposes, then cut the microphone cable with pliers. The camera can be permanently disabled using the same method if you don't trust the sticker method. It is also possible to use Tails on a dedicated "offline" computer by also removing the network card. Some laptops have switches on the case that can be used to disable the wireless interfaces, but it is preferable to actually remove the network card.
* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates a remote attack on BIOS firmware against a Tails user, enabling the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be simply removed like the hard drive. It is needed for turning on the laptop, so must be replaced with [open-source](/glossary#open-source) firmware, which is an advanced process (opening up the computer and using special tools). Most anarchists will not be able to do this by themselves, but hopefully there is someone in your networks who can set it up for you. It's called HEADS because it's the 'other side' of Tails—where Tails secures software, HEADS secures hardware. It has a similar purpose to the [Verified Boot](url) found in GrapheneOS, which establishes a full chain of trust starting from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop if you intend to install it—we recommend the ThinkPad X230 because the install is less involved than for other models. The CPUs of this generation are able to have the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) effectively removed in the process of flashing HEADS, but this is not the case with later CPU generations on more recent computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a broader range of laptop models but has inferior security. HEADS can be configured to [verify the integrity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) which will prevent it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks.
* **Use USBs with secure firmware**, like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive) which has [retailers globally](https://www.kanguru.com/pages/where-to-buy), so that the USB will [stop working](https://www.kanguru.com/blogs/gurublog/15235873-prevent-badusb-usb-firmware-protection-from-kanguru) if the firmware is altered through compromise.
* **Use a USB with a physical write-protect switch**.

# Using A Write-Protect Switch

> What's a *write-protect* switch? When you insert a normal USB into a computer, the computer does *read* and *write* operations with it, and a *write* operation can change the data. Some special USBs developed for malware analysis have a physical switch that can lock the USB, so that data can be read from it, but no new data can be written to it.

If your Tails USB stick has a write-protect switch and secure firmware, such as the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you will be protected from the USB firmware being compromised during a Tails session, as well as from Tails software itself being compromised. This is critical. Compromising your Tails USB stick would necessitate being able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable so the compromise cannot "take root", and would no longer be present during your next Tails session. If you are unable to obtain such a USB, you have two options.

1) [Burn Tails to a new DVD-R/DVD+R](https://tails.boum.org/install/dvd/index.en.html) (write once) for each new version of Tails - it should not have the label "DVD+RW" or "DVD+RAM" so that the DVD cannot be rewritten.
2) Boot Tails with the `toram` option, which loads Tails completely into memory. How you add the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.boum.org/doc/advanced_topics/boot_options/index.en.html).
   * For SYSLINUX, when the boot screen appears press the Tab key, then type a space followed by `toram`, and press Enter.
   * For GRUB, when the boot screen appears press `e`, then use the arrow keys to navigate to the end of the line that starts with `linux`. The line is most likely wrapped and displayed on several lines but it is a single configuration line. Type `toram` and press F10 or Ctrl+X.
   * Once you are at the Tails desktop, you can then eject the USB on which Tails is located before starting your work (whether connecting to the Internet or plugging in another USB).

On a USB with a write-protect switch, you will not be able to make any changes to the Tails USB when the switch is enabled. If you could make changes, so could malware. Although ideally the switch would be enabled all the time, we recommend two cases where the switch can be disabled:

1) **For a dedicated upgrade session.** When Tails needs to be upgraded, you can do so in a dedicated session with the switch disabled - this is required because the upgrade will need to be written to the Tails USB. As soon as you are done you should reboot Tails with the switch enabled.
2) **For occasional Persistent Storage configuration sessions, if you decide to use it.** [Persistent Storage](/posts/tails/#create-and-configure-persistence) is a Tails feature that allows data to persist between otherwise amnesiac sessions. Because it requires writing to the Tails USB to persist data, it is generally impractical to use along with a write-protect switch. However, disabling the switch for occasional Persistent Storage configuration sessions, for example to install additional software, might be acceptable. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting that it is installed every session. Then, in a 'locked' session you actually use Scribus - none of the files you work on will be saved to the Tails USB, because it is 'locked'. The Persistent Storage feature is not possible using the `toram` boot, or with a DVD.

Where can we store personal data for use between Tails sessions, if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This 'personal data' USB should not look identical to your Tails USB, to avoid confusing them. To make this separate USB, see [Creating and using LUKS encrypted volumes](https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html). If you happen to be reading this from a country like the UK where not providing encryption passwords can land you in jail, this second drive should be a HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are not appropriate for Hidden Volumes).

![diagram-tailsusb-2projectusbs]

Compartmentalization is an approach that cleanly separates different identities - in Tails session #1 you do activities related to moderating a website, and in Tails session #2 you do activities related to research for an action. This approach also comes into play for your 'personal data' USBs. If the files that you save could be used to link your activities together, use a different 'personal data' USB for each activity. For a 'personal data' USB that stores very sensitive files (like the text of a communique), once you no longer need the files it is best to reformat then destroy the USB (see [Really delete data from a USB drive](/posts/tails/#really-delete-data-from-a-usb)). This is another reason to use a separate USB for any files that need to be saved - you don't accumulate the forensic history of all of your files on your Tails Persistent Storage, and can simply destroy USBs as needed.

Finally, a note on emails - if you already use Tails and encrypted email ([despite it not being particularly secure](/posts/e2ee/#pgp-email)), you may be used to the Thunderbird Persistent Storage feature, which allows storing Thunderbird email account details on a Tails USB, as well as the inbox and PGP keys. With a 'personal data' USB, Thunderbird won't automatically open your accounts anymore. For this, we recommend either:

- Re-creating Thunderbird email accounts in each session. PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the benefit that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
- Keeping the Thunderbird data folder on the 'personal data' USB. After logging in to Thunderbird, use the Files browser (Applications ▸ Accessories ▸ Files) and enable the setting "Show hidden files". Navigate to Home, then copy the folder titled `.thunderbird` to your 'personal data' USB. In each future session, after unlocking the 'personal data' USB and before launching Thunderbird, copy the `.thunderbird/` folder into Home.

Another reason to not use Persistent Storage features is that many of them persist user data onto the Tails USB. If your Tails session is compromised, the data you access during it can be used to link your activities together. If there is user data on the Tails USB, like an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization, you would need a dedicated Tails USB for each identity, and updating them all every month is a lot of work.

# Encryption

#### Passwords

[Encryption](/glossary#encryption) is a blessing—it's the only thing standing in the way of our adversary reading all of our data, if it's used well. The first step to secure your encryption is to ensure that you use very good passwords—most passwords don't need to be memorized because they will be stored in a password manager called KeePassXC, so can be completely random (see [Password Manager](/posts/tails/#password-manager-keepassxc) to learn how to use it). In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a randomized sequence of characters (letters, numbers and other symbols), whereas a [*passphrase*](/glossary/#passphrase) is a random series of words. Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. For Tails, you will need to memorize two passphrases:

1) The [LUKS](/glossary/#luks) 'personal data' USB passphrase, where your KeePassXC file will be stored
2) The KeePassXC passphrase

If you use Persistent Storage, that is another passphrase which will have to be entered on the Welcome Screen upon booting, but it can be the same as 1.

Your passwords/passphrases should have an entropy of around 128 bits (passphrases of approximately ten words, or passwords of 21 random characters from the Password Generator in KeePassXC), and the ones you must memorize should be hard to forget. LUKS encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/), so your passwords/passphrases shouldn't be less than 90 bits of entropy (approximately seven words).

[Diceware passphrases](https://www.eff.org/dice) can be easy to forget when you have several to keep track of, but a similar option is to choose a book, turn to a memorable chapter title or sentence with at least ten words, and add on a word/number that is meaningful to you. This will be hard to forget even if months pass without using it because you can reference the book if your memory flags, and the appended meaningful word/number should be memorable. You can choose whether to remove spaces and capitalization, or to leave it exactly as is, or to reverse the word order, but be consistent across all of your passphrases.

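To see where the word and character counts in this section come from, here is an added example (written for this page, not code from anarsec or KeePassXC) that does the entropy arithmetic and draws a passphrase from a cryptographic random source. It assumes a standard 7776-word Diceware list and a KeePassXC-style character pool; the exact character count for 128 bits depends on which character classes the generator has enabled, which is why the figure lands near 21. The short word list in the code is constructed for the demo only and is far too small for real use.

```python
"""Entropy arithmetic behind the password advice above.

Added example for this guide, not code from anarsec or KeePassXC. It assumes a
standard 7776-word Diceware list and a KeePassXC-style character pool; the
short WORDLIST is constructed for the demo and far too small for real use.
"""
import math
import secrets
import string

DICEWARE_WORDS = 7776                                  # a standard list has 6^5 entries
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LETTERS_DIGITS_ONLY = len(string.ascii_letters + string.digits)                # 62 symbols

# Constructed demo list; a real Diceware list has 7776 entries, and the entropy
# estimate only holds if every word is picked uniformly at random.
WORDLIST = ["acorn", "banjo", "cactus", "delta", "ember", "falcon", "granite", "harbor"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def length_for_bits(target_bits: float, pool_size: int) -> int:
    """Smallest number of picks that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))


def diceware_passphrase(n_words: int, wordlist: list[str] = WORDLIST) -> str:
    """Pick words with the `secrets` CSPRNG; the `random` module is not suitable."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Same idea for a character password, as KeePassXC's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def words_needed_summary() -> dict[str, int]:
    """Word and character counts for the two thresholds the guide gives."""
    return {
        "words_for_128_bits": length_for_bits(128, DICEWARE_WORDS),
        "words_for_90_bits": length_for_bits(90, DICEWARE_WORDS),
        "chars_for_128_bits_full_pool": length_for_bits(128, len(PASSWORD_ALPHABET)),
        "chars_for_128_bits_letters_digits": length_for_bits(128, LETTERS_DIGITS_ONLY),
    }


if __name__ == "__main__":
    print(words_needed_summary())
    print("demo passphrase (weak, 8-word list):", diceware_passphrase(6))
```

Note that the entropy figure measures the selection process, not the result: a ten-word sentence copied from a book is not 129 bits, because an adversary can enumerate sentences from books far faster than random word combinations. The book method above buys memorability, and the appended personal word/number is what keeps it out of simple dictionary-style attacks.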
#### Encrypted containers

[LUKS](/glossary#luks) is great, but 'defense-in-depth' can't hurt. If police seize your USB in a house raid, they can try to unlock it with a [brute-force attack to guess the password](/glossary#brute-force-attack), so a second layer of defense with a different encryption implementation can make sense for highly sensitive data.

[Gocryptfs](https://nuetzlich.net/gocryptfs/) is an encrypted container program that is [available for Debian](https://packages.debian.org/bullseye/gocryptfs) and thus easy to install with Tails as [additional software](https://tails.boum.org/doc/first_steps/additional_software/index.en.html). If you don't want to have to reinstall it every session, Additional Software will need to be [configured in Persistent Storage](#using-a-write-protect-switch).

To use gocryptfs, you will need to use Terminal (the [command line](/glossary#command-line-interface-cli)).

On your Personal Data LUKS USB, use the file manager to make two folders, and name them 'cipher' and 'plain'. Right click in the white space of your file manager, and select 'Open Terminal Here'.

In Terminal, list the folders that are present and it should output the two you just created:

`ls`

The first time you use it, you create a gocryptfs filesystem:

`gocryptfs -init cipher`

You will be prompted for the password. Create a new entry in your KeePassXC file and create a password by using the Generate Password feature (the dice icon). Then copy the password, and paste it into the terminal (Edit > Paste, or Ctrl+Shift+V). It will output a master key—save this in the KeePassXC entry.

Every time you use the filesystem, mount it and enter the password:

`gocryptfs cipher plain`

You can now add files to your mounted decrypted container in the folder 'plain'. When you unmount, the container will be encrypted. To do so:

`fusermount -u plain`

Now plain is just an empty folder again.

#### Encrypted Communication

PGP email is the most established form of encrypted communication on Tails in the anarchist space. Unfortunately, PGP does not have [forward secrecy](/glossary#forward-secrecy)—this means that a single secret (your Private Key) can decrypt all messages rather than only a single message, which is today's standard in encrypted messaging. It is the opposite of 'metadata protecting', and has [several other failings](/posts/e2ee/#pgp-email).

For [synchronous](/glossary/#synchronous-communication) messaging—when you are both online at the same time—we recommend [Cwtch](/posts/e2ee/#cwtch) for encrypted communications on Tails.

For [asynchronous](/glossary/#asynchronous-communication) messaging—when you are not online simultaneously—we recommend [Element](/posts/e2ee/#element-matrix). What server you use is important as well—[Systemli](https://www.systemli.org/en/service/matrix/) and [Anarchy Planet](https://anarchyplanet.org/chat.html) are reputable hosts.

For more information on either option, see [Encrypted Messaging For Anarchists](/posts/e2ee/).

# Phishing Awareness
|
||||
|
||||
We will end by thinking about how an adversary would go about their [remote attack](/glossary/#remote-attacks) targeting you or your project; the answer is very likely to be ['phishing'](/glossary/#phishing). *Phishing* is when an adversary crafts an email (or a text, a message in an app, etc.) in such a way to trick you into divulging information, gain access to your account, or introduce malware to you machine. [*Spear phishing*](/glossary/#spear-phishing) is when the adversary has done some reconnaissance, and uses information they already know about you to specially tailor their phishing attack.
|
||||
|
||||
You have probably already heard the advice to be skeptical of clicking links and opening attachments—this is why. To make matters more confusing, the "from" field in email can be forged to trick you—[PGP signing](/posts/e2ee/) mitigates against this to prove that the email actually comes from who you expect.
|
||||
|
||||
Sometimes the goal of phishing is to deliver a ['payload'](https://docs.rapid7.com/metasploit/working-with-payloads), which will call back to the adversary—it is the [initial access](https://attack.mitre.org/tactics/TA0001/) foothold to infecting your machine with malware. A payload can be embedded in a file and executed when the file is opened. For a link, a payload can be delivered through malicious javascript in the website that will allow the payload to execute on your computer. Tor should protect your location (IP address), but the adversary now has an opportunity to further their attack; to [make the infection persist](https://attack.mitre.org/tactics/TA0003/), to [install a screen or key logger](https://attack.mitre.org/tactics/TA0009/), to [exfiltrate your data](https://attack.mitre.org/tactics/TA0010/), etc. The reason that Tails has no default Administration password (it must be set at the Welcome Screen for the session if needed) is to make the [privilege escalation](https://attack.mitre.org/tactics/TA0004/) more difficult, which would be necessary to slip around Tor.
|
||||
|
||||
#### Attachments
|
||||
|
||||
For untrusted attachments, you would ideally **sanitize all files that are sent to you before opening them** with a program like [Dangerzone](https://dangerzone.rocks/), which takes potentially dangerous PDFs, office documents, or images and converts them to safe PDFs. Unfortunately, Dangerzone is [not easily available in Tails yet](https://gitlab.tails.boum.org/tails/tails/-/issues/18135). An inferior option is to **open untrusted files in a dedicated ['Offline Mode'](https://tails.boum.org/doc/first_steps/welcome_screen/index.en.html#index3h2) session**, so that if they are malicious they can't phone home, and you shut down immediately after so that their opportunity to persist is minimized. Tails prevents against deanonymization through phishing by forcing all internet connections through the Tor network. However, this is still vulnerable to [0-day exploits](/glossary#zero-day-exploit), which nation-state actors possess. For example, the FBI and Facebook collaborated to develop a 0-day exploit against Tails [which deanonymized a user](https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) after he opened a video file attachment from his home Wi-Fi.
|
||||
|
||||
#### Links
|
||||
|
||||
For untrusted links, there are two things to protect; your anonymity and your information. Unless the adversary has a 0-day exploit on Tor Browser or Tails, your anonymity should be protected **if you don't enter any identifying information into the website**. Your information can only be protected **by your behaviour**—phishing awareness allows you to think critically about whether this could be a phishing attack and act accordingly.
|
||||
|
||||
Examine untrusted links prior to clicking them by **manually copy and pasting the address into the browser**—don't click through a hyper-link because the text can be used to deceive what link it will take you to. **Never follow a shortened link** (e.g., a site like bit.ly which takes long web addresses and makes a short, typable one) because it cannot be examined prior to redirection. [Unshorten.me](https://unshorten.me/) can reveal any shortened link.
|
||||
|
||||

|
||||
|
||||
Furthermore, **don’t follow links to domains you are unfamiliar with**. If in doubt, perform a search for the domain, with the domain name in quotation marks with a privacy-preserving search engine (like DuckDuckGo) to see if it’s a legitimate web site. This isn’t a 100% fix, but it’s a good precaution to take.
|
||||
|
||||
Finally, if you click on any link from an email, and are asked to log in, be aware that is a common endgame for phishing campaigns. **Do not do it**. Instead, manually go to the website of the service you are trying to log into and log in there. This way, you’ll know you’re logging in to the correct website because you’ve typed in the address for it, rather than having to trust the email link. For example, you could be entering your password into mailriseup.net and not mail.riseup.net (this is called 'typo-squatting').
You may want to open untrusted links in a dedicated Tails session, with no Persistent Storage unlocked or Personal Data USBs mounted.
# To Conclude
Using Tails without any of this advice is still a huge improvement over many other options. Given that anarchists regularly entrust their freedom to Tails, such as for submitting communiques, taking these extra precautions can further strengthen your trust in this operating system.
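Review bot: "Tails prevents against deanonymization through phishing" in the first paragraph of this section is ungrammatical and should read "Tails protects against deanonymization through phishing". Two smaller points in the Links subsection: "there are two things to protect; your anonymity and your information" needs a colon rather than a semicolon, and "by manually copy and pasting the address into the browser" should be "by manually copying and pasting the address into the browser".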
1
content/posts/tails-best/tor.svg
Normal file
1
content/posts/tails-best/warning_compromisedpc.svg
Normal file
@ -0,0 +1 @@
BIN
content/posts/tails/anonymous-browsing.gif
Normal file
BIN
content/posts/tails/empty_device.png
Normal file
BIN
content/posts/tails/grub.png
Normal file
402
content/posts/tails/index.md
Normal file
@ -0,0 +1,402 @@
+++
title="Tails for Anarchists"
date=2023-04-09
[taxonomies]
categories = ["Defensive"]
tags = ["intro", "linux", "tails", "easy"]
[extra]
blogimage="/images/tails1.png"
toc=true
+++
Tails is an [operating system](/glossary/#operating-system-os) that makes anonymous computer use accessible to anyone. Tails is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, unless you explicitly ask it to. It achieves this by running from a DVD or USB independent of the computer’s installed operating system. Tails comes with [several built-in applications](https://tails.boum.org/doc/about/features/index.en.html) pre-configured with security in mind, and all anarchists should know how to use it for secure communication, research, editing, and the publication of sensitive documents.
<!-- more -->
The [documentation on the Tails website](https://tails.boum.org/) is great, and recommended. However, most of our comrades won't read documentation, but will read a zine. This tutorial synthesizes the most relevant documentation, and also has advice on configuration and use specific to an anarchist [threat model](#the-concept-of-a-threat-model). Our article [Tails Best Practices](/posts/tails-best) goes further in this direction, but we recommend that you familiarize yourself with Tails before reading it.
# TAILS: **T**he **A**mnesic & **I**ncognito **L**ive **S**ystem
Tails is an operating system. Everyone knows about operating systems. You have probably heard of "Windows" or "MacOS". An operating system is the set of programs that runs the different components (hard disk, screen, processor, memory, etc...) of the computer and therefore allows it to function.
Other operating systems exist. Perhaps you have already heard of Linux or Ubuntu? In the Linux family, there is a sub-family called Debian. And in this sub-family, we find Ubuntu and Tails. Tails is a distribution (a version) of Linux with several distinguishing features.
***Live System***
* Tails is what is referred to as a live system. This means that it is a standalone operating system which is not installed on a computer, but rather on a USB (or even an SD card or a DVD). Whatever operating system you have installed on the hard drive remains untouched. You can even use Tails on a computer without a hard drive.
***Amnesia***
* Tails is designed to not leave any data behind on the computer you are running; it writes nothing to the hard disk, and runs only in RAM which is wiped after shut down. The Tails live system itself (usually running on a USB) is also left untouched. You can only save information by explictly saving it somewhere before shutting down. The goal of this is to avoid leaving forensic traces that could be read by someone with physical access to either your computer or your Tails USB at a later date. Things like Internet search history, cache, "recently edited" documents, etc., are all erased. The computer itself also has no trace that Tails was ever even used on the computer.
***Incognito***
* Tails is also a system that allows you to be incognito, meaning anonymous. It hides the elements that could reveal your identity, your location, etc. Tails makes use of the [Tor anonymity network](/glossary#tor-network) to protect your anonymity online: the Tor Browser and all other default software are configured to connect to the Internet through Tor. If an application tries to connect to the Internet directly, the connection is automatically blocked. Tails also changes the so-called "MAC address" of your network hardware, which can be used to uniquely identify your laptop.

<div class="is-family-monospace is-size-7"><center>
<p><em>Tor Browser features</em></p>
<br>
</div>
***Security***
* Tails is designed with security in mind. A minimal, functional, and verified environment is already installed (with what is required for simple word processing, image processing, etc.). It is bundled with easy-to-use [encryption](/glossary/#encryption) and data deletion tools and protections from common attacks or threats.
Today's digital security will not necessarily be secure tomorrow. **Protecting personal data requires updates, and it is important to do them in a timely manner.** Digital tools are unreliable if they are never updated, and to have lasting confidence in these tools, it is good to check that teams are maintaining them, that they are reactive, and to know what their reputation is. It is important to understand the spirit of Tails: everything is designed with security in mind. However, in software, there is no such thing as an all-powerful tool; there are always limits (and we will see some of them below). Moreover, **the way you use Tails can create security issues.**
Tails is free and [open-source](/glossary/#open-source) software. Anyone can consult the source code (the recipe), get it, and modify it... It is absolutely necessary to make sure that the version of Tails in your possession is healthy. Don't neglect the verification steps during the installation which are well-explained on the Tails website.
Tails allows non-experts to benefit from digital security and anonymity without too steep of a learning curve. Tor must be central to digital anonymity and Tails helps us to make as few mistakes as possible when using Tor as well as some other tools. The effort required to change our everyday digital behavior is minimal, even if it seems "inconvenient" to many of us. The "convenient" alternative, on the other hand, means controllability, predictability, manipulability, and increased risk of repression – not only for you, but also for those with whom you communicate.
This tutorial is in several sections. The first is about the basics for starting to use Tails. The second section contains tips on using software included in Tails, as well as what you need to know about how Tor works. The third section is about troubleshooting any issues that you might encounter with your Tails USB to avoid giving up at the first problem - most of the time the solution is simple!
#### The concept of a threat model.
Tails is not magic and has plenty of limitations. The Internet and computers are hostile territory and are based on stealing your data. Tails does not protect you from human error, compromised hardware, compromised firmware, being hacked, or certain other types of attacks. There is no absolutely perfect security on the Internet, hence the interest in being able to make a [threat model](/glossary/#threat-model).
Building a threat model is simply a matter of asking yourself certain questions. Who am I defending against? What are their capacities? What are the consequences if they have access to such data? How can I protect myself?
It makes no sense to say "such and such a tool is secure". Security always depends on the threat model and which level (network, hardware, software, etc.) is being discussed. For more detailed information on this topic, see the [Threat Library](csrc.link/threat-library).
# I) The Basics of Using Tails
#### Prerequisites
***Selecting a USB/DVD:***
* Tails only works on USBs of more than 8 GB or on DVDs (where it is not possible to use the Persistent Storage feature described below). The data on the USB will be completely erased at installation, so save your data elsewhere beforehand, and if you don't want any trace of what was there before, use a new USB.
* The article [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch) recommends using a USB with a write-protect switch (an unchangeable data medium) to make sure that nothing is left behind when doing sensitive work, and that the laptop cannot compromise your Tails system. The article details how to adapt to this. The write-protect switch will need to be disabled during installation. If you are unable to obtain such a USB, you can use Tails from a DVD-R/DVD+R, or always boot it with the `toram` option (described at more length in the article).
***Selecting a laptop:***
* Although it is possible to use Tails on a desktop computer, this is not advised because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. Additionally, it would be harder to tell if someone had opened your desktop case and installed a physical keylogger. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more on obtaining a laptop.
Some laptop and some USB models do not work with Tails, or some features will not work. To see whether your model has known issues, consult the [Tails known issues page](https://tails.boum.org/support/known_issues/).
If Tails is too slow, make sure that the USB is 3.0 or higher, and using a USB 3.0 port on the laptop. If Tails completely freezes often, it's possible to increase the RAM of your computer. 8 GB will be sufficient.
#### Installation
To install Tails on a USB, you need a "source" and a USB (that is 8 GB or larger).
Concerning the "source", there are two solutions.
***Solution 1: Installation from another Tails USB***
* This requires knowing a Tails user you trust. A very straightforward software called the Tails Installer allows you to "clone" a new Tails USB in a few minutes; see the documentation for cloning from a [PC](https://tails.boum.org/install/clone/pc/index.en.html) or [Mac](https://tails.boum.org/install/clone/mac/index.en.html). Any Persistent Storage data isn't transferred. The disadvantage of this method is that it can spread a compromised installation.
***Solution 2: Installation by download (Preferred)***
* You have to follow the [Tails installation guide](https://tails.boum.org/install/index.en.html). The Tails website will guide you step by step; it is important to follow the entire tutorial. It is possible for an attacker to [intercept and modify the data](/glossary#man-in-the-middle-attack) on its way to you, so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the install method [using GnuPG](https://tails.boum.org/install/expert/index.en.html) is preferred, because it checks the integrity of the download more thoroughly.
#### Booting from your Tails USB
Once you have a Tails USB, follow the Tails guides to [start Tails on a Mac or PC computer](https://tails.boum.org/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on the laptop. The "Boot Loader" screen will appear and Tails starts automatically after 4 seconds.

After around 30 more seconds of a loading screen, the [Welcome Screen](https://tails.boum.org/doc/first_steps/welcome_screen/index.en.html) appears.

In the Welcome Screen, select your language and keyboard layout in the **Language & Region** section. For Mac users, there is a keyboard layout for Macintosh. Under "Additional Settings" you will find a **+** button, click on it and further configuration options will appear:
* Administration Password
* Set this if you need administration rights for a program. For example, this is necessary to install additional software to use during your Tails session. In the following dialog you can write any password (and you must remember it!). It only stays valid for this one Tails session. Dedicate the session to what you need it for, and then reboot without an administration password before doing any other activities.
* MAC Address Spoofing
* We recommend to never disable this. It is enabled by default.
* Network Connection
* With "Disable all networking" you can disable all software network adapters at start-up. If you intend to have an 'offline' Tails session, it makes sense to do this before Tails starts its network functionality.
* Unsafe Browser
* The Unsafe Browser is enabled by default, which doesn't use Tor. An attacker could [exploit](/glossary/#exploit) a vulnerability in another application in Tails to launch an invisible Unsafe Browser and reveal your true IP address. This is possible even if you don't use the Unsafe Browser yourself. For example, an attacker could exploit a vulnerability in Thunderbird by sending you a [phishing](/glossary/#phishing) email that launches an invisible Unsafe Browser which visits a website, revealing your IP address. Such an attack is very unlikely, but it could be carried out by a strong attacker, such as a government or a hacking company. For this reason, we **recommend to disable it with every session**. It should only be left enabled when establishing an Internet connection requires connecting via a ‘captive portal’ (that is, the type of login page that can be found at many Internet cafés, hotels, etc.).
When you have enabled Persistent Storage, the passphrase to unlock it will appear in this window. If you haven't enabled Persistent Storage, no data will persist on your Tails USB beyond this session. Click **Start Tails**. After 15 to 30 seconds, the Tails desktop appears."

TODO label / update
#### Using the Tails desktop
Tails is a classic and simple operating system.
1. The "Activities" menu. Allows you to see an overview of windows and applications. It also allows you to search through applications, files, and folders. You can also access "Activities" by sending the mouse to the top left corner of your screen or by pressing the Command/Windows (❖) key on the keyboard.
2. The Applications menu. Lists available applications (software), classified by theme.
3. The Places menu. Shortcuts to different folders and storage media, which can also be accessed with the Files browser (Applications ▸ Accessories ▸ Files).
4. Date and time. Once connected to the Internet, all the Tails USBs around the world [have the same time](https://tails.boum.org/doc/first_steps/desktop/time/index.en.html).
5. The Tor status indicator which tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the "Onion Circuits" application from here. A Tor connection can be verified by visiting `check.torproject.org` in Tor Browser.
6. The "Universal Access" button. The Universal Access menu allows you to activate accessibility software like the screen reader, visual keyboard, and large text display.
7. Choice of keyboard layouts. An icon that shows the current keyboard layout (in the above example, en for an English layout). Clicking it will provide options for other layouts selected at the Welcome Screen.
8. The system menu. You can use this to change screen brightness and the volume, the Wi-Fi and Ethernet connection (if it is connected), the battery status, and the restart and shutdown buttons.
9. The "workspaces" icon. This button toggles between multiple views of the desktop (the “workspaces”); this can be helpful to prevent visual crowding on a small screen.
If your laptop is equipped with Wi-Fi but there is no Wi-Fi option in the system menu, see the [troubleshooting documentation](https://tails.boum.org/doc/anonymous_internet/no-wifi/index.en.html). Once you connect to Wi-Fi, a Tor Connection assistant appears to help you to connect to the Tor network. Choose **Connect to Tor automatically** unless you are in a country where you need to hide that you are using Tor (in which case, you'll need to configure [a bridge](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#hiding)).
#### Optional: Create and Configure Persistent Storage
Tails is amnesiac by default. It forgets everything you did between sessions. This isn't always what you want - for instance, you may want to work on a document that you can't complete in one sitting. The same is true for installing additional software: you would have to redo the installation after each start-up. Tails has a feature called Persistent Storage, which makes it no longer completely forgetful. This is explicitly less secure, but it is necessary for some activities.
The principle is to create a second storage area (called a partition) on your Tails USB, which is encrypted. This new partition allows a user to persist data – that is, to keep it around – between Tails sessions. It's very simple to enable Persistent Storage. To create the [Persistent Storage](https://tails.boum.org/doc/persistent_storage/create/index.en.html), choose **Applications ▸ Tails ▸ Persistent Storage**.
A window opens where you have to type a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for notes on passphrase strength. You'll then [configure](https://tails.boum.org/doc/persistent_storage/configure/index.en.html) what you need to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
* **Persistent Folder**: Data such as your personal files, documents, or images that you're working on can be saved in the Persistent Storage on the Tails USB.
* **Welcome Screen**: Settings from the Welcome Screen can be saved in the Persistent Storage: language, keyboard, and additional settings.
* **Printers**: [Printer configuration](https://tails.boum.org/doc/sensitive_documents/printing_and_scanning/index.en.html) can be saved in the Persistent Storage.
* **Network Connections**: The passwords for Wi-Fi networks can be saved in the Persistent Storage, so you don't have to type them every time.
* **Tor Bridge**: When the Tor Bridge feature is turned on (for users in countries that censor Tor), the last Tor Bridge that you used is saved in the Persistent Storage.
* **Tor Browser Bookmarks**: Tor Browser bookmarks can be saved in the Persistent Storage.
* **Electrum Bitcoin Wallet**: The bitcoin wallet and preferences can be saved in the Persistent Storage.
* **Thunderbird Email Client**: The email inbox, feeds, and OpenPGP keys of Thunderbird can be saved in the Persistent Storage.
* **GnuPG**: The OpenPGP keys that you create or import into GnuPG and Kleopatra can be saved in the Persistent Storage.
* **Pidgin**: The account files of this chat application (using the XMPP protocol) can be saved in the Persistent Storage.
* **SSH Client**: SSH is used to connect to servers. All files related to SSH can be saved in the Persistent Storage.
* **Additional Software**: With this feature enabled, a list of additional software of your choice is automatically installed every time you start Tails. The corresponding software packages are stored in the Persistent Storage. They are automatically upgraded after a network connection is established. [Be careful with what you install](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html#warning).
* **Dotfiles**: On Tails and Linux in general, the name of configuration files often starts with a dot and are sometimes called "dotfiles" for this reason. These can be saved in the Persistent Storage. Be careful about what configuration settings you change, because altering default settings can break your anonymity.
Persistent Storage must be unlocked at the Welcome Screen to use it. If you want to change the passphrase, see the [documentation](https://tails.boum.org/doc/persistent_storage/passphrase/index.en.html). If you ever forget the passphrase, it is impossible to recover it; you'll need to [delete](https://tails.boum.org/doc/persistent_storage/delete/index.en.html) the Persistent Storage and start again.
In [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), we recommend against using Persistent Storage in most cases. Any files that need to persist can instead be saved to a second [LUKS-encrypted USB](#how-to-create-an-encrypted-usb). Most Persistent Storage features do not work well with USBs that have a write-protect switch.
#### Upgrading the Tails USB
The security of Tails (and more generally of Linux) depends on the continuous development of the operating system and the resolution of any security flaws through upgrades. It is important to always use the latest version (Tails is updated approximately every month) because security vulnerabilities are regularly discovered in the programs used by Tails, which in the worst case scenario can lead to your identity, IP address, etc., being revealed. A Tails upgrade will patch these security holes and usually enhance other features as well.
Every time you start Tails, the Tails Upgrader checks if you are using the latest Tails version right after you connect to the Tor network. There are 2 types of upgrades.

***The [automatic upgrade](https://tails.boum.org/doc/upgrade/index.en.html)***
* A window will appear with information about the upgrade, and you have to click **Upgrade now**. You have to wait a little while for it to complete, and for a moment it will cut your Internet. Do not shut down before you see the Restart Tails window. If the upgrade fails (for instance, because it shut down before it was finished), your Persistent Storage is not affected, but you may not be able to restart your Tails USB. If you are using a USB with a write-protect switch, you will have to set it to "writable" for the single session in which you are performing the upgrade.
***The [manual upgrade](https://tails.boum.org/upgrade/tails/index.en.html)***
* Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only done for major upgrades or in case of an issue.
* If you already have a second Tails USB with the latest version, you start on that one, and navigate to Applications ▸ Tails ▸ Tails Installer. Instead of the button reading "install", you'll be asked "upgrade". The difference is that it won't format the whole USB, it will just replace the Tails partition with an updated version.
* If you don't have a second Tails USB with the latest version, you'll need a blank USB and the (out of date) Tails USB. See the [documentation for manual upgrades](https://tails.boum.org/upgrade/tails/index.en.html).
# II) Going Further: Several Tips and Explanations
#### Tor
***What is Tor?***
[Tor](/glossary/#tor-network) stands for The Onion Router, and is the best way to be anonymous on the Internet. Tor is an open-source software associated with a public network of several thousand relays (servers). Instead of connecting directly to a location on the Internet, Tor will take a detour via three intermediate relays. Tor Browser uses Tor, but other applications can too if they are properly configured. All applications included by default in Tails that connect to the Internet use Tor.

Internet traffic, including the IP address of the final destination, is encrypted in different layers like an onion. With each hop along the three relays, an encryption layer is removed. Each relay only knows the step before it, and after it (relay #3 knows that it comes from relay #2 and that it goes to such and such a website after, but does not know relay #1).

This means that any intermediaries between you and relay #1 know you're using Tor but they don't know what site you're going to. Any intermediaries after relay #3 know that someone in the world is going to this site. The web server of the site sees you coming from the IP address of relay #3.
Tor has multiple limitations. For example, an entity with the appropriate technical and legal means can, if it assumes you're connecting from a specific Wi-Fi connection to post to a specific site, try to match what comes out of your connection to what goes into the site (a "correlation attack"). However, this type of attack has never been used to incriminate someone in court by itself, to our knowledge. For sensitive activities, use Internet connections that are not tied to your identity in order to protect yourself in the scenario that Tor is not perfect.
***What is HTTPS?***
Virtually all websites today use [HTTPS](/glossary/#https); the S stands for "secure" (for example, https://www.anarsec.guide). If you try to visit a website without `http://` on Tor Browser, there is a warning message before continuing. If you see `http://` instead of `https://` before the address of a website, it means that all intermediaries after relay #3 of the Tor network know what you are exchanging with the website (including your log-in information). HTTPS means that the digital records of what you do on the site you are visiting is protected with an encryption key that belongs to the site. Intermediaries after relay #3 will know that you are going to riseup.net, for example, but they will not have access to your emails and passwords nor will they know if you are consulting your emails or if you are reading a random page on the site. A little padlock appears to the left of the site address when you use HTTPS.
If there is a yellow warning on the padlock, it means that, in the page you're browsing, some elements are not encrypted (they use HTTP), which can reveal the exact page you're browsing or allow intermediaries to partially modify the page.
HTTPS is essential both to limit your web fingerprint, but also to prevent an intermediary from modifying the data you exchange with websites. If the intermediary cannot decrypt the data, they cannot modify it.
In short, don't visit websites that don't use HTTPS.
***Onion Services: what is .onion?***
Perhaps you have seen a strange site address containing 56 random characters, ending in .onion? This is called an onion service, and the only way to visit a website that uses such an address is to use the Tor Browser. The "deepweb" and "darkweb" are terms popularized in news media in recent years to describe these onion services.
Anyone can create an .onion site. But why would they want to? Well, the server location is anonymized, so authorities cannot find out where the website is hosted in order to take it down. When you send data to an .onion site, after the standard Tor circuit you enter the site's three Tor relays. So we have 6 Tor relays between us and the site; we know the first 3 relays, the site knows the last 3, and each Tor node just knows the relay before and after. Unlike an HTTPS normal website, it's all Tor encryption from end to end.
This means that both the client (your laptop) and the server (where the site lives) remain anonymous, whereas for a normal website, only the client is anonymous. In addition to being more anonymous for the server, it is also more anonymous for the client: you never leave the Tor network, so there is no possibility of interception after relay #3.
The .onion site address is so long because it includes the site's certificate. HTTPS is unnecessary; security depends on knowing the site's .onion address.
Some sites offer both a classic URL as well as an .onion address. In this case, if the site has been configured for it, an indication ".onion available" should appear. If not, sometimes the site indicates the .onion address somewhere on its page. To find out the addresses of sites which are only available as .onion, you have to either get them by word of mouth, or through websites that list other .onion sites, such as this [GitHub page](https://github.com/alecmuffett/real-world-onion-sites).

***Sites that block Tor***

The Tor network is blocked, or otherwise rendered more inconvenient to use, in many ways. You may be confronted with CAPTCHA images (a kind of game that verifies you "are not a robot") or be obliged to provide additional personal data (ID card, phone number...) before proceeding, or Tor may be completely blocked.

Perhaps only certain Tor relays are blocked. In this case, you can change the Tor exit node for this site: click on ≣ > "New Tor circuit for this site". The Tor circuit (path) will only change for the one tab. You may have to do this several times in a row if you're unlucky enough to run into several relays that have been banned.

It is also possible that the entire Tor network is blocked, because all Tor relays are public. In this case you can try to use a proxy to get to the site, such as https://hide.me/en/proxy (but only if you don't have to enter any personal data or do anything sensitive like entering login information). You can also check whether the page you want to access has been saved to the Wayback Machine: web.archive.org.

***Separate Anonymous Identities Cleanly***

It is not recommended to perform different tasks on the Internet that should not be associated with each other during the same Tails session. You have to separate different (contextual) identities carefully! For example, it is dangerous to check your personal emails via Tor Browser and to publish an anonymous text during the same session. That is, you should not be identifiable and anonymous on the Tor network at the same time. You also shouldn't use the Tor network under pseudonym A and pseudonym B in the same session, because these pseudonyms could be connected to each other on a monitored or compromised Tor exit relay. Shut down and restart Tails between Internet activities of different identities!

The 'New Identity' feature of Tor Browser is not sufficient to completely separate contextual identities in Tails, since connections outside the Tor Browser are not restarted and you retain the same Tor entry node. Restarting Tails is a better solution.



The Onion Circuits application shows which Tor circuit a connection to a server uses (website or otherwise). Sometimes, it can be useful to make sure that the exit relay is not located in a certain country, to be further away from the easiest access of investigating authorities. In the example above, the connection to check.torproject.org goes through the relays tor7kryptonit, Casper03, and the exit node blackfish. If you click on a circuit, technical details about the relays of the circuit appear in the right pane. The 'New Identity' feature of Tor Browser is useful for changing this exit relay without needing to reboot the Tails session, which can be repeated until you have an exit relay you are happy with. We are not suggesting using 'New Identity' when switching between identities, but simply when you want to change the exit node within a single identity's activity.

***Tor Browser security settings***

Like any software, Tor Browser has vulnerabilities that can be exploited. To limit this, it's important to keep Tails up to date, and it's also recommended to increase the security settings of the Tor Browser: click on the shield icon and then **Change**. By default it's set to Standard, which is a browsing experience that hardly differs from a normal browser. We recommend that you set the most restrictive setting before starting any browsing: **Safest**. The layout of some sites may be modified, and sometimes some content will no longer be loaded (images, videos, etc.). Some sites will not work at all; if you have reason to trust them, you can view them on a less restrictive setting on a site-by-site basis. Note that both of the less restrictive settings allow scripts to run, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.

***Downloading/uploading and the Tor Browser folder***

The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prevent it from being able to snoop on all your files, just in case it is compromised by a malicious website. This means there are special considerations for uploading or downloading files with the Tor Browser.

*Downloads*

When you download something using the Tor Browser it will be saved in the Tor Browser folder (`/home/amnesia/Tor Browser/`), which is inside the "sandbox". If you want to do anything with this file, you should then move it out of the Tor Browser folder. You can use the file manager (Applications > Accessories > Files) to do this.

*Uploads*

Similarly, if you want to upload something using the Tor Browser (for example attaching a file to a blog post or email you have open in the browser), you will first have to move or copy that file into the Tor Browser folder. Then it will be available to you when you go to select an upload in the Tor Browser.

*RAM*

Be aware that, because your entire Tails session runs in RAM (unless you have set up Persistent Storage), if you are downloading or otherwise working with very large files, your RAM may fill up. This will cause Tails to slow down or glitch. You can mitigate this by closing unneeded applications and deleting other files you have downloaded. In the worst case, you may need to enable Persistent Storage and move large files to the persistent Tor Browser folder so they will no longer use up RAM.

***Share Files with Onionshare***

It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.boum.org/doc/anonymous_internet/onionshare/index.en.html) (Applications ▸ Internet ▸ OnionShare). Normally, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to Settings and unselect "Stop sharing after first download". As soon as you close OnionShare, cut the Internet connection, or shut down Tails, the files can no longer be accessed. This is a great way of sharing files because it doesn't require plugging a USB into someone else's computer, which is [not recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared via another channel (like a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type).

***Make Correlation Attacks More Difficult***

When you request a web page through a web browser, it is transmitted to you in small "packets" characterized by a specific size and timing (alongside other characteristics). When using Tor Browser, the sequence of transmitted packets can also be analyzed and assigned certain patterns. These patterns can be matched with those of monitored websites on the Internet. To make this "correlation attack" more difficult, before connecting to a sensitive website you can open various other pages that require loading (such as streaming videos on a privacy-friendly website like kolektiva.media) in additional tabs of your browser. This will generate a lot of additional traffic, which will make the analysis of your pattern more difficult.

#### Included Software

Tails includes [many applications](https://tails.boum.org/doc/about/features/index.en.html) by default. The documentation gives an overview of [Internet applications](https://tails.boum.org/doc/anonymous_internet/index.en.html), applications for [encryption and privacy](https://tails.boum.org/doc/encryption_and_privacy/index.en.html), as well as applications for [working on sensitive documents](https://tails.boum.org/doc/sensitive_documents/index.en.html). In the rest of this section, we will just highlight common use cases relevant to anarchists, but read the documentation for further information.

#### Password Manager (KeePassXC)

If you're going to need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (Applications ▸ Favorites ▸ KeePassXC). In the terminology used by KeePassXC, a password is a randomized sequence of characters (letters, numbers, and other symbols), whereas a passphrase is a random series of words.

When you [create a new KeePassXC database](https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), in the **Encryption settings** window, increase the **Decryption time** from the default to the maximum (5 seconds). Then select a [strong passphrase](/posts/tails-best/#passwords) and save your KeePassXC file. This file will contain all your passwords/passphrases, and needs to persist between sessions on your Persistent Storage or on a second LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). The decryption time setting of a pre-existing KeePassXC file can be updated: Database > Database Security > Encryption Settings.

As soon as you close KeePassXC, or if you don't use it for a few minutes, it will lock. Be careful not to forget your main passphrase. We recommend against using the auto-fill feature, because it is easy to fill your password into the wrong window by mistake.

![diagram]TODO

* Right-click on the Root to organize groups
* Create a new entry
* Copy the username
* Copy the password
* Here you can use the Password Generator

#### Really delete data from a USB

"Permanently delete" or "trash" does not delete data... and it can be very easy to recover. Indeed, when you "delete" a file, you are only telling the operating system that the contents of this file are no longer of interest to you. It then deletes its entry in the index of existing files. It can then reuse the space that the data took up to write something else.

However, it may be weeks or years before that space is actually used for new files, which is when the old data actually disappears. In the meantime, if you look directly at what is written to the drive, you can find the contents of the files. This is a fairly simple operation, automated by many software programs that allow you to "recover" or "restore" data. One cannot really delete data; one can, however, "overwrite" it, which is a partial solution.

There are two types of storage: magnetic storage (HDD) and flash storage (SSD, NVMe, USB, memory cards, etc.). The [Wipe feature](https://tails.boum.org/doc/encryption_and_privacy/secure_deletion/index.en.html#index3h1) on Tails is not effective on USB storage. The only way to delete a file on a USB is to [format the entire USB](#how-to-create-an-encrypted-usb), and select **Overwrite existing data with zeros**. Doing it twice is a good idea.
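To make the index-versus-data distinction above concrete, here is an added example (not from the guide or from Tails) that models a drive as raw bytes plus a file index: "deleting" only drops the index entry, a raw scan still finds the content even after other files are written, and only overwriting with zeros removes it. The toy drive ignores flash wear levelling, which is why overwriting a real USB remains only a partial solution.

```python
# Added example: a toy drive with a separate file index, showing why "delete"
# leaves data recoverable and why overwriting the whole drive is needed.
BLOCK_SIZE = 16
NUM_BLOCKS = 64


class ToyDrive:
    """Raw storage (bytearray) plus an index mapping filenames to blocks."""

    def __init__(self) -> None:
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.index: dict[str, tuple[list[int], int]] = {}
        self.free_blocks = list(range(NUM_BLOCKS))

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate blocks from the front of the free list and copy data in."""
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free_blocks):
            raise OSError("no space left on device")
        blocks = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, block in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = block * BLOCK_SIZE
            self.raw[start:start + len(chunk)] = chunk
        self.index[name] = (blocks, len(data))

    def read_file(self, name: str) -> bytes:
        """Normal read: go through the index to find the file's blocks."""
        blocks, size = self.index[name]
        joined = b"".join(
            bytes(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in blocks
        )
        return joined[:size]

    def delete_file(self, name: str) -> None:
        """What 'delete' really does: forget the index entry, free the blocks.
        The bytes themselves are untouched, and freed blocks go to the back of
        the free list, so they may not be reused for a long time."""
        blocks, _ = self.index.pop(name)
        self.free_blocks.extend(blocks)

    def carve(self, needle: bytes) -> bool:
        """What recovery software does: ignore the index, scan the raw bytes."""
        return self.raw.find(needle) != -1

    def overwrite_with_zeros(self, passes: int = 2) -> None:
        """Equivalent of formatting with 'Overwrite existing data with zeros'."""
        for _ in range(passes):
            self.raw[:] = bytes(len(self.raw))
        self.index.clear()
        self.free_blocks = list(range(NUM_BLOCKS))


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (gone from index, carvable after delete,
    carvable after another file is written, carvable after zero-overwrite)."""
    drive = ToyDrive()
    secret = b"constructed sample: draft of a communique"  # constructed content
    drive.write_file("communique.txt", secret)
    assert drive.read_file("communique.txt") == secret
    drive.delete_file("communique.txt")
    gone_from_index = "communique.txt" not in drive.index
    after_delete = drive.carve(b"draft of a communique")
    drive.write_file("shopping.txt", b"bread, coffee, soap")  # reuses other blocks first
    after_new_write = drive.carve(b"draft of a communique")
    drive.overwrite_with_zeros()
    after_wipe = drive.carve(b"draft of a communique")
    return gone_from_index, after_delete, after_new_write, after_wipe


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```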

However, traces of the previously written data may still remain. If you have sensitive documents that you really want to delete, it is best to physically destroy the USB after reformatting it. Thankfully, USBs are either cheap or easy to steal. Make sure to still reformat the drive before destroying it; destroying a drive is also often a partial solution. Data can still be retrieved from disk fragments, and burning a drive requires temperatures higher than a normal fire (i.e. thermite).

* For flash memory drives (USBs, SSD, SD cards, etc.), use two pliers to break the circuit board out of the housing, then break the memory chips, including the circuit board, into pieces (beware of splintering). Hold the pieces in the flame of a camping gas torch. You will only achieve a partial decomposition of the transistor material. Use sufficient respiratory protection or distance! The fumes are unhealthy.
* If burning the pieces is too involved, discreetly dropping them down a storm drain while you tie your shoe would make recovery unlikely.

#### How to create an encrypted USB

Exclusively store data on encrypted drives. This is necessary if you use a separate LUKS USB instead of Persistent Storage on the Tails USB. [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to Applications ▸ Utilities ▸ Disks.

* When you insert the USB, a new "device" should appear in the list. Select it, and verify that the description (brand, name, size) matches your device. Be careful not to make a mistake!
* Format it by clicking **≣ ▸ Format the disk**.
* Select **Overwrite existing data with zeroes** in the Erase drop-down list. Keep in mind that this is likely incomplete if there were sensitive documents on the USB.
* Choose **Compatible with all systems and devices (MBR/DOS)** in the Partitioning drop-down list.
* Then click **Format…**



* Now you must add the encrypted partition.
* Click on the "**+**"
* Choose the size of your partition (all free space)
* For "type" select **internal disk to be used with Linux systems only (Ext4)**; check **Password protected volume (LUKS)**
* Enter a [strong passphrase](/posts/tails-best/#passwords)

When you insert an encrypted USB, it will not be opened automatically but only when you select it in the Places menu. You will be prompted to enter the passphrase. Before you can remove the disk when the work is done, you have to right-click on it under Places > Computer and then select Eject.

#### Encrypt a file with a password or with a public key

In Tails, you can use the Kleopatra application to [encrypt a file](https://tails.boum.org/doc/encryption_and_privacy/kleopatra/index.en.html#index1h1) with a password or a public PGP key. This will create a .pgp file. If you are going to encrypt a file, do so in RAM before you store it on a LUKS USB. Once the unencrypted version of a file is on a USB, the USB must be reformatted to remove it.

If you choose the passphrase option, you will have to open the file in Tails and type the passphrase. If you don't want the unencrypted data to be stored in the location where you saved it (e.g. on a USB), it's best to first copy the encrypted file to a Tails folder that is only in RAM (e.g. Locations ▸ Documents) before decrypting it.

#### Adding administration rights

In Tails, an administration password (also called a "root" password) is required to perform system administration tasks. For example:

- To install additional software
- To access the computer's internal hard drives
- To run [commands](/glossary/#command-line-interface-cli) in the root terminal
- To access certain permissions, such as when you have a window that asks for administration authentication

By default, the administration password is disabled for better security. This can prevent an attacker with [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to your Tails system from gaining administration privileges. Conversely, if you set an administration password for your session, you create another vector by which Tails security could be bypassed.

To set an administration password, you must choose one at the Welcome Screen when starting Tails. This password only lasts for the duration of the session.

#### Installing additional software

If you install new software, it's up to you to make sure it is secure. Tails forces all software to connect to the internet through Tor, so you may need to use a program called `torsocks` from Terminal to start additional software that requires an Internet connection (for example, `torsocks --isolate mumble`). The software used in Tails is audited for security, but this may not be the case for what you install. Before installing new software, it's best to make sure there isn't already software in Tails that does the job you want to do. If you want additional software to persist beyond a single session, you have to enable "Additional Software" in the Persistent Storage [configuration](https://tails.boum.org/doc/persistent_storage/configure/index.en.html).

To install software from the Debian software repository:

* Start Tails with administration rights, then go to Applications ▸ System Tools ▸ Synaptic Package Manager.
* When prompted, enter your administration password (if it's the first time you do this, it will take time to download the repositories).
* Go to "All" and choose the software you want to install: "select for installation", then "apply".
* Once done, if your Persistent Storage is open, Tails will ask whether you want to install the software once or add it to your Persistent Storage. If you add it to the Persistent Storage, the corresponding software files are saved there. They are automatically updated for security reasons as soon as a network connection is established.
* You will be able to access the additional software you have installed, with the option to remove it, in Applications ▸ System Tools ▸ Additional Software.

For more information, see the documentation on [Installing additional software](https://tails.boum.org/doc/persistent_storage/configure/index.en.html).

#### Remember to make backups!

A Tails USB is easily lost and USBs have a much shorter life span than a hard drive (especially the cheap ones). If you put important data on it, think about making regular backups. If you use a second LUKS-encrypted USB, this is as simple as using the File Manager to copy files to a third LUKS-encrypted USB.

If you use Persistent Storage, see the [documentation on backing it up](https://tails.boum.org/doc/persistent_storage/backup/index.en.html).

#### Privacy screen

A [privacy screen](https://en.wikipedia.org/wiki/Monitor_filter) can be added on top of the laptop screen to prevent people (or hidden cameras) from seeing the content unless they are directly facing it.

# III) Troubleshooting Issues

***The computer tries to boot on the USB but it doesn't work***

Check the error messages displayed (for example, if you have an old computer with a 32-bit architecture, Tails won't work on it). If it says `Error starting GDM with your graphics card`, the issue is with the graphics card; check the documentation for [Known issues with graphics cards](https://tails.boum.org/support/known_issues/graphics/index.en.html). You can also check the list of [known issues](https://tails.boum.org/support/known_issues/index.en.html) on the Tails site for your computer model.

If the Tails Boot Loader page displays, try booting to "Tails troubleshooting mode".

***My Tails USB doesn't start anymore! (and it was starting before on the same computer)***

Following an upgrade, or otherwise, Tails no longer starts on your computer. You have three options:

1) See if the [Tails news page](https://tails.boum.org/news/index.en.html) mentions any problems with the upgrade.
2) Do a manual upgrade, which may be necessary if the computer was turned off before the end of the upgrade.
3) If the first two solutions don't work, the USB is too old, of bad quality, or has been mistreated. If you have data on Persistent Storage to recover, plug this USB into a Tails session that is using another USB. It will appear as a normal USB that you have to unlock with your password. If you can't access your data on another Tails USB where you had Persistent Storage enabled, your USB may be dead.

***I can't connect to a public Wi-Fi network with an authentication page (a captive portal)***

If you must connect to Wi-Fi using a captive portal, the Unsafe Browser needs to be enabled. Connect to the Wi-Fi, then open Applications ▸ Internet ▸ Unsafe Browser. Type the URL of a site that isn't sketchy to reach the authentication page. Once you've logged in, wait for Tor to be ready, go to your Tor Browser, then close the Unsafe Browser.

***I have no more free space on a USB?***

If you have no more space on a USB, or if less data is indicated than is actually present on your USB, enable "Show hidden files" in the Files browser. You will then see new files named .something. The folder .Trash-10xx is your trash (and if you put it in the trash, it will be completely removed). Don't change other hidden files.

***A file always opens in read-only or does not open?***

In some programs, this is normal if the same file is already open. If this isn't the case, use the same trick as in the paragraph above: enable Show hidden files. There will be a .lock file with the same name as the file you have an issue with. Delete this file, which indicates that the file is already open elsewhere. If that's not the issue, you have to change the permissions of the document.

***I can't install Tails on a USB***

Check that your USB is not [known to have issues](https://tails.boum.org/support/known_issues/index.en.html#problematic-usb-sticks) on Tails. [Format](#how-to-create-an-encrypted-usb) the entire USB and try to restart the installation.

***An application makes Tails slow down? The screen is glitching?***

Try pressing the Windows key (or the Cmd key on a Mac), which will open the window with all your running applications. You can close applications by pressing the little cross. If pressing this key doesn't work, you must force a shutdown by holding the power button.

***Add a printer***

Go to: Applications ▸ System Tools ▸ Settings ▸ Devices ▸ Printers ▸ "+" ▸ Add a printer. Some printer models may not work (or may work with difficulty) with Tails.

***Unable to install new software***

It has happened that the Synaptic Package Manager refused to install software. In that case, the solution was to use a root terminal (which requires an administration password) and install from the command line: `apt update && apt install [package_name]`

# Best Practices

[Tails Best Practices](/posts/tails-best) are important to establish before using Tails for highly sensitive activities. To avoid overwhelming yourself, get acquainted with using Tails in a basic way first; perhaps to read anarchist websites, or to write texts. See the [Tails tag](/tags/tails/) for tutorials on subjects like [removing identifying metadata from files](/posts/metadata/).

*This article is heavily modified from* [TuTORiel Tails](https://infokiosques.net/spip.php?article1726) *(in French), and also includes some excerpts from* [Capulcu #1](https://capulcu.blackblogs.org/neue-texte/bandi/) *(German).*

content/posts/tamper/index.md
Normal file
@ -0,0 +1,119 @@
+++
title="Making Your Electronics Tamper-Evident"
date=2023-04-01

[taxonomies]
categories = ["Defensive"]
tags = ["opsec", "easy"]

[extra]
blogimage="/images/X230.jpg"
toc=true
+++

If police can ever have [physical access](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/physical-access.html) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it on the hardware, firmware, or software level. One way to minimize this risk is to make it tamper-evident. As the CSRC Threat Library [notes](https://www.csrc.link/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) - it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to be able to detect when they do."
|
||||
|
||||
<!-- more -->
|
||||
['Evil maid' attacks](https://en.wikipedia.org/wiki/Evil_maid_attack) work like this: An attacker gains temporary access to your [encrypted](/glossary/#encryption) laptop or phone. Although they can’t decrypt your data, they can spend a few minutes tampering with your laptop and then leave it exactly where they found it. When you come back and type in your credentials, you have been hacked. The attacker could have [modified data on your hard disk](https://media.ccc.de/v/gpn20-32-poc-implementing-evil-maid-attack-on-encrypted-boot), replaced the firmware, or installed a hardware component like a keylogger.
|
||||
|
||||
# Tamper-Evident Laptop Screws
|
||||
|
||||
Let's start with your laptop. For a seal to be effective at alerting you to intruders, it needs to be impossible to remove and replace without leaving a mark, and also unique—otherwise the adversary could just replicate the seal and you’d never know they’d been there. Glitter nail polish will form a unique pattern that is impossible to replicate, and if you take a photo of this pattern, you can use it to verify that the nail polish has not been removed and then reapplied in your absence, such as during a [covert house search](https://www.csrc.link/threat-library/techniques/covert-house-search.html). The presentation "[Thwarting Evil Maid Attacks](https://media.ccc.de/v/30C3_-_5600_-_en_-_saal_1_-_201312301245_-_thwarting_evil_maid_attacks_-_eric_michaud_-_ryan_lackey)" introduced this technique in 2013.
|
||||
|
||||
Mullvad VPN [made a guide](https://mullvad.net/en/help/how-tamper-protect-laptop/) for applying this technique: first apply stickers over the laptop chassis screws, then the nail polish. An [independent test](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-aufklebern) noted:
|
||||
> Attackers without a lot of practice can use a needle or scalpel, for example, to drive under the sticker and push it partially upward to get to the screws relatively easily. The broken areas in the paint could be repaired with clear nail polish, although we did not need to do this in most of our tests. The picture below is a pre-post-comparison of one of our first attempts. Except for 3-4 glitter elements at the top left edge of the sticker, all others are still in the same place. This could be further reduced in subsequent attempts, so we rate this method as only partially suitable. [...] The relevant factor in this process is the amount of elements on the edge of the sticker. In addition, there are special seal stickers available which break when peeled off. They are probably more suitable for this method.
|
||||
|
||||

|
||||
|
||||
For this reason, it is preferable to apply nail polish directly to the screws instead of on top of a sticker. This direct application is done for [NitroKey](https://docs.nitrokey.com/nitropad/qubes/sealed-hardware) and [Purism](https://puri.sm/posts/anti-interdiction-update-six-month-retrospective/) laptops. Keep these nuances in mind:
|
||||
> The screws holes are particularly relevant here. If they are too deep, it is difficult to take a suitable photo of the seal under normal conditions. If the hole is shallow or if it is completely filled with nail polish, there is a risk that if a lot of polish is used, the top layer can be cut off and reapplied after manipulation with clear polish. If the nail polish contains too few elements, they could be manually arranged back to the original location after manipulation if necessary.
|
||||
|
||||

|
||||
|
||||
Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018 - the winner [explained](https://hoodiepony.medium.com/bypassing-the-glitter-nail-polish-tamper-evident-seal-25d6973d617d) how they managed to succeed. It is worth noting that a nail polish brand was used with relatively large glitter pieces of only two colors. It would be difficult to apply this bypass to inset screw holes; if the glitter was painted on with a high density of elements, but not too thickly, that would also increase the difficulty. Finally, [using an adhesive](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-klebstoff) would also make the bypass less feasible.
|
||||
|
||||
Verification that the random pattern hasn't changed can be done manually with what astronomers called "blink comparison". This is used in astronomy to detect small changes in the night sky: you rapidly flick between the original photo and the current one, which makes it easier to see any changes. Alternatively, if you have an Android smartphone (either [GrapheneOS](/posts/grapheneos/) or a cheap one for [intrusion detection](#physical-intrusion-detection) which will have an inferior camera) you can use an app called [Blink Comparison](https://github.com/proninyaroslav/blink-comparison) which makes it less likely to miss something. It can be installed like you would for any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software), which is to say, not through F-Droid.
|
||||
|
||||
The Blink Comparison app encrypts its storage, to prevent an adversary from easily replacing the photos, and gives a helpful interface for comparing them. The app helps you to take the comparison photo from the same angle and distance as the original photo. Blink Comparison then switches between the two images when the screen is touched, making direct comparison much easier.
|
||||
|
||||
Now that you understand the nuances of using nail polish on the chassis screws of your laptop(s), we'll actually do it - this is best done after [flashing HEADS](#tamper-evident-software-and-firmware) so that it doesn't have to be removed and repeated. Before getting started, you can also take a photo of the inside of the laptop, in case one day you need to check if its internal components have been tampered with despite the nail polish protection (keeping in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like that shown above.
|
||||
* First, take a photo of the underside of the computer and use a software like GIMP to number the screws, in order to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws which need to be numbered so that in the future you know which screw the photo `3.jpg` refers to.
|
||||
* Apply the glitter nail polish directly to each screw, with sufficient density of glitter but not too thickly.
|
||||
* Once it has dried, be sure to take good close-up photos of each individual screw - either with the Blink Comparison app on a smartphone, or with a normal camera. It is a good idea to use lighting that is reproducible, so close the blinds on any windows and rely on the indoor lighting and camera flash. Number the file names of the photos, and back them up to a second storage location.
If you ever need to remove the nail polish to access the internal of the laptop, you can use a syringe to apply the nail polish remover so as to avoid putting too much and damaging the internal electronics.
# Tamper-Evident Storage
Now that you understand the concept, you need a tamper-evident storage solution for all sensitive electronics when you are out of the house (laptops, external drives, USBs, phones, external keyboards, and mice). Safes are often used to protect valuable items, but they can be bypassed in several ways, and some of these bypasses are difficult to detect (see the [Appendix](#appendix-cracking-safes)). It is not trivial or inexpensive to make a safe tamper-evident, if it can be done at all.
TODO photo
A better and cheaper solution is to implement the guide of [dys2p](https://dys2p.com/en/2021-12-tamper-evident-protection.html#kurzzeitige-lagerung):
> When we need to leave a place and leave items or equipment behind, we can store them in a box that is transparent from all sides. Then we fill the box with our colorful mixture so that our devices are covered. The box should be stored in such a way that shocks or other factors do not change the mosaic. For example, the box can be positioned on a towel or piece of clothing on an object in such a way that this attenuates minor vibrations of the environment, but the box cannot slide off it.
>
>For an overall comparison, we can photograph the box from all visible sides and store these photos on a device that is as secure as possible, send it to a trusted person via an encrypted and verified channel, or send it to another device of our own. The next step is to compare the found mosaic with the original one. The app Blink Comparison is ideal for this purpose.
>
>To protect an object from damage, e.g., by staining or by the substance leaking into, say, the ports of a laptop, it can be wrapped in cling film, a bag, or otherwise.
Several colorful mixtures are described: [red lentils & beluga lentils](https://dys2p.com/en/2021-12-tamper-evident-protection.html#rote-linsen-und-belugalinsen), [yellow peas & white beans](https://dys2p.com/en/2021-12-tamper-evident-protection.html#gelbe-erbsen-und-wei%C3%9Fe-bohnen), etc. For a box that is transparent on all sides and can fit a laptop, a small fish tank works well. [Longer-term storage](https://dys2p.com/en/2021-12-tamper-evident-protection.html#laengerfristige-lagerung-oder-versand) can use vacuum seals.
This excerpted instruction assumes that we take the cellphone with us, but [as discussed elsewhere](/posts/nophones/#do-you-really-need-a-phone), this has its own security issues and so is not recommended. So the smartphone that we use to take a photo of the storage will need to stay in the house out of storage. [In the next section](#physical-intrusion-detection), we recommend that you acquire a cheap Android phone that only runs an app called Haven when you are out of the house. This device is going to stay out of storage anyway, so you can use it to take photos of the storage. Alternatively, if you don't have a dedicated Haven phone but you do have a [GrapheneOS](/posts/grapheneos/) device (or if the Haven phone camera is too low-quality), you can use it to take photos of the storage and then hide it somewhere in your home while you are away. With no phone, a camera can be used. Cameras, however, don't have encryption, so modifying the photos is significantly easier.
<details>
<summary><strong>If you use a dedicated Haven phone</strong></summary>
</details>
* Once you have put bagged electronic devices in the container, and covered them with a colorful mixture, take the photos on this Haven phone using the Blink Comparison app. Send them to yourself over [Signal](/posts/e2ee/#signal) (with the Note to Self feature, and delete for everyone) or [Element](/posts/e2ee/#element-matrix).
* Once you return, do the verification on the Haven phone using Blink Comparison.
* Once your devices are out of storage, check that the images you sent to yourself on Signal/Element aren't different from those on your Haven phone, and also check the timestamp. Once the verification is complete, you can delete the photos so that there is no confusion in future verifications about which photos to use.
<details>
<summary><strong>If you use a GrapheneOS phone, but not a dedicated Haven phone</strong></summary>
</details>
* Once you have put bagged electronic devices in the container, and covered them with a colorful mixture, take the photos using the Blink Comparison app. Send them to yourself over [Signal](/posts/e2ee/#signal) (with the Note to Self feature, and delete for everyone) or [Element](/posts/e2ee/#element-matrix). Power off the device and hide it somewhere.
* Once you return, do the verification using Blink Comparison.
* Once your laptop is out of storage, check that the images you sent to yourself on Signal/Element aren't different from those on your GrapheneOS phone, and also check the timestamp. Once the verification is complete, you can delete the photos so that there is no confusion in future verifications about which photos to use. If the phone is found and the firmware or software is modified, Auditor will notify you.
# Physical Intrusion Detection
"Defense in depth" means that there are multiple layers of security that need to be bypassed for an adversary to succeed. [Physical intrusion detection](https://www.csrc.link/threat-library/mitigations/physical-intrusion-detection.html) should be done in addition to tamper-evident laptops and storage. This way, even if a covert house search doesn't interact with the tamper-evident storage (for example, because the goal is to install [covert surveillance devices](https://www.csrc.link/threat-library/techniques/covert-surveillance-devices.html)), you can still find out about it.
Haven is an Android app that is developed by the Freedom of Press Foundation, which uses the smartphone’s many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. The version on [Github](https://github.com/guardianproject/haven) is more recent than the Google Play store, so [use Obtanium](/posts/grapheneos/#software-that-isn-t-on-the-play-store) to install it. Haven should be used on a dedicated cheap Android device that is otherwise empty - an older [Pixel](https://www.privacyguides.org/android/#google-pixel) is a good choice because it is cheap but has good cameras. Make sure that [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is enabled. If you have a smartphone other than the dedicated Haven phone, it should be powered off in the tamper-evident storage - if Haven was running on it instead and was discovered by the intruder, they would now have physical access to it while it was turned on.
* Place the Haven smartphone in a location that has a line of sight of where an intruder would need to pass through, such as a hallway that needs to be accessed to move between rooms or to access the storage. It should be plugged in so that the battery doesn't die; microUSB cables that are quite long can be obtained for this purpose.
* Set a count down for it to turn on before you leave the house. The Haven app will log everything locally on the Android device. Remotely sending notifications is currently [broken](https://github.com/guardianproject/haven/issues/454).
* When you get home, check the Haven log.
# Tamper-Evident Software and Firmware
So far we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. "Defense in depth" requires this - to trust an electronic device, you need to trust the hardware, firmware, and software. Software or firmware compromise can happen [remotely](/glossary/#remote-attacks) (through the Internet) as well as with physical access, so it is especially important. Tamper-evident software and firmware is compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that will enable being notified if there is tampering with firmware or software - you will receive an email when Auditor engages in remote attestation. For Tails or Qubes, [HEADS](https://osresearch.net/) can do the same before you enter your boot password (on [supported devices](https://osresearch.net/Prerequisites#supported-devices)). Keep the HEADS USB security dongle with you when you leave the house, and have a backup hidden at a trusted friend's house in case it ever falls into a puddle.
# Wrapping Up
With the measures described above, any 'evil maid' would need to bypass:
1) Haven detecting them, and
2) The tamper-evident storage, and
3) The tamper-evident glitter nail polish (for an attack that requires opening the laptop), or HEADS/Auditor (for a software or firmware attack)
These layers are all important, even if they may seem redundant. The expertise and expense of successfully executing the attack is increased substantially with every layer, which makes it much less likely that the attack will be attempted to begin with. It is best practice to [obtain a fresh device in a way that cannot be intercepted](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) and then consistently implement all of these layers from the very beginning.
That means that whenever you leave the house, you power off sensitive devices and put them into tamper-evident storage, take the required photos, and enable Haven. This might sound laborious, but it can be done in under a minute if you leave unused devices in storage. When you come home, first check the Haven log. Next, verify the tamper-evident storage.
Laptop screws can be verified on a monthly basis, or if anything suspect happens. Neither HEADS nor Auditor require much effort after set-up to be used properly; Auditor will run without interaction, and HEADS becomes part of your booting process.
# Further Reading
* [Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice](https://dys2p.com/en/2021-12-tamper-evident-protection.html)
# Appendix: Cracking Safes
* [Rare-earth magnets](https://en.wikipedia.org/wiki/Safe-cracking#Magnet_risk) can unlock safes that use a [solenoid](https://www.youtube.com/watch?v=Y6cZrieFw-k) as the locking device, in a way that is not detectable.
* [Safe bouncing](https://en.wikipedia.org/wiki/Safe-cracking#Safe_bouncing) is when the locking mechanism can be moved sufficiently by [banging or bouncing the safe](https://mosandboo.com/how-to-open-a-safe-without-the-key-or-code/) to open it, in a way that is not detectable. Safes that use a gear mechanism are less susceptible to mechanical attacks.
* A "management reset code" (also known as a "try-out combination") is present on many models of safes - if this code is not changed from its default then the safe can be unlocked in a way that is not detectable.
* [Spiking](https://en.wikipedia.org/wiki/Safe-cracking#Spiking_the_lock) is when the wires on a cheap safe leading to the reset button, solenoid, or motor can be exposed, and spiked with a battery. This should be possible to make tamper-evident, as it requires getting access to the wires.
* [Brute force](/glossary#brute-force-attack) attacks - trying all possible combinations - are possible if the adversary has time. Dial mechanisms can be brute-forced with a [computerized autodialer](https://learn.sparkfun.com/tutorials/building-a-safe-cracking-robot) which [doesn't need supervision](https://www.youtube.com/watch?v=vkk-2QEUvuk). Electronic keypads are less susceptible to brute-forcing if they have a well-designed incremental lockout feature; for example, if you get it wrong 10 times, you're locked out for a few minutes, 5 more incorrect codes and you're locked out for an hour, etc.
* Several tools exist that can automatically retrieve or reset the combination of an electronic lock; notably, the Little Black Box and Phoenix. Tools like these are often connected to wires in the lock that can be accessed without causing damage to the lock or container. This should be possible to make tamper-evident, as it requires getting access to the wires.
* Several [keypad-based attacks](https://en.wikipedia.org/wiki/Safe-cracking#Keypad-based_attacks) exist, but some can be mitigated with proper OPSEC.
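Review bot: the "If you use a dedicated Haven phone" and "If you use a GrapheneOS phone" procedures contradict themselves. The first step says to send the photos to yourself over Signal "with the Note to Self feature, and delete for everyone", but the last step then asks you to "check that the images you sent to yourself on Signal/Element aren't different from those on your Haven phone, and also check the timestamp", which cannot be done once the message has been deleted; either drop "delete for everyone" from the sending step or move the deletion to after the comparison (the last step already says to delete the photos once verification is complete). Also, both `<details>` elements are closed immediately after their `<summary>`, so the three bullets that follow each one render outside the collapsible section; move `</details>` to after the third bullet of each list. The "TODO photo" placeholder under Tamper-Evident Storage is still in the text.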
BIN
content/posts/tamper/mullvad.png
Normal file
46
content/recommendations/_index.md
Normal file
@ -0,0 +1,46 @@
+++
title = "Recommendations"
sort_by = "date"
paginate_by = 5
+++
<br>
These recommendations are intended for all anarchists and are accompanied by tutorials to put them into practice. They are informed by a threat model protecting against government security forces and equivalent adversaries that are trying to achieve [targeted digital surveillance](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance.html) for [incrimination](https://www.csrc.link/threat-library/tactics/incrimination.html) or [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html). The goal is to obscure the visibility of our enemies into our lives and projects, and to leave no traces when this is relevant. Technology is hostile terrain.
## Phones
>**[Operating system](/glossary#operating-system-os)**: **GrapheneOS** is the only reasonably secure choice for cellphones. See [GrapheneOS for Anarchists](/posts/graphene/). Better yet, [don't have a phone](/posts/nophones/).
Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). If this is not possible for you, [DivestOS](https://www.privacyguides.org/en/android/#divestos) has more [supported devices](https://divestos.org/pages/devices) and it is significantly better than stock Android.
## Computers
>**[Operating system](/glossary#operating-system-os)**: **Tails** is unparalleled for sensitive computer use (writing and sending communiques, moderating a sketchy website, research for actions, reading articles that may be criminalized, etc.). Tails runs from a USB drive, and is [designed](https://tails.boum.org/about/index.en.html) with the anti-forensic property of leaving no trace of your activity on your computer, as well as to force all Internet connections through the [Tor network](/glossary#tor-network). See [Tails for Anarchists](/posts/tails/) and [Tails Best Practices](/posts/tails-best/).
>**[Operating system](/glossary#operating-system-os)**: **Qubes OS** has better security than Tails for many use cases, but has more of a learning curve and no anti-forensic properties. It is nonetheless accessible enough for journalists and other non-technical users. Fundamental knowledge of using Linux is required - see [Linux Essentials](/posts/linux). Qubes OS can even run Windows programs like Adobe InDesign, although much more securely than a standard Windows computer. See [Qubes OS for Anarchists](/posts/qubes/).
See [When to Use Tails vs Qubes OS](/posts/qubes/#when-to-use-tails-vs-qubes-os)
We do not offer "harm reduction" advice for Windows or macOS computers, because this is already prevalent and gives a false sense of privacy and security. If you need to use one of these Operating Systems, see The Hitchhiker’s Guide to Online Anonymity for tutorials on [Windows](https://anonymousplanet.org/guide.html#windows-host-os) and [macOS](https://anonymousplanet.org/guide.html#macos-host-os).
## Home Network
>**[Operating system](/glossary#operating-system-os) (router)**: [**OpenWrt**](https://openwrt.org/). [GL-iNet](https://www.gl-inet.com/) sells affordable OpenWrt routers that are user friendly - the 'Travel' models are sufficient for an apartment-sized residence.
>**[Operating system](/glossary#operating-system-os) (hardware firewall)**: [**OPNsense**](https://opnsense.org/). Although you can get by with only a router, a hardware firewall allows you to further segment your network, and other security upgrades.
If an adversary compromises your router, [they can then compromise all devices connecting to it](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/), so it's important to not use the [closed-source](/glossary#open-source) router your Internet Service Provider gives you. Guide forthcoming.
## Encrypted Messaging
See [Encrypted Messaging for Anarchists](/posts/e2ee/)
## Storing Electronic Devices
See [Making Your Electronics Tamper-Evident](/posts/tamper/).
## A Note On Borders
If you risk bringing the phone or computer you use in daily life with you across a border (not recommended), ensure that Full Disk Encryption is enabled, it is powered down, and be prepared to refuse password access along with the implications that will have on your border crossing. It is not sufficient to delete files (or messages, etc.) prior to crossing and then unlock your device. In fact, recently deleted files or messages is the first place a border team will look. To prevent data recovery, you must do a Factory Reset and then reinstall the operating system.
A better approach is to have a device dedicated to travel which you can unlock for border agents, because you always cross with a fresh operating system installation. Stock Android can be [easily installed (flashed)](https://flash.android.com) to [certain phone models](https://source.android.com/docs/setup/build/flash#device-requirements), after a Factory Reset. The fresh phone can be populated with benign contacts like family. Once you are across, you can use the phone normally, but redo the flashing before another border crossing. If the device is taken out of your sight at any point don’t even turn it on again before trashing it, as it may now send your password to the agency and be infected with spyware.
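Review bot: the Phones recommendation links to `/posts/graphene/`, but the GrapheneOS guide is linked as `/posts/grapheneos/` everywhere else in this commit (the tamper guide and the series index both use it), so this link will 404 on the built site; change it to `/posts/grapheneos/`. Smaller point in A Note On Borders: "recently deleted files or messages is the first place a border team will look" should read "are the first place".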
12
content/search/_index.md
Normal file
@ -0,0 +1,12 @@
+++
title = "Search"
sort_by = "date"
paginate_by = 5
+++
<br><center>
The search feature is powered by DuckDuckGo -- a search engine that respects user privacy.
<form action="https://duckduckgo.com/" method="get">
<input type="hidden" name="sites" value="anarsec.guide">
<input type="search" name="q">
<input type="submit" value="Search">
</form>
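Review bot: the `<center>` opened on the `<br><center>` line is never closed, so everything rendered after the form inherits the centering; add `</center>` after `</form>`. Since the form's `action` is `https://duckduckgo.com/` and the hidden `sites` input only scopes results to anarsec.guide, every search query is sent to DuckDuckGo's servers rather than handled on-site; it is worth saying so in the sentence that describes the search as privacy-respecting, so readers know the query leaves the site.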
28
content/series/_index.md
Normal file
@ -0,0 +1,28 @@
+++
title = "Series"
description = ""
sort_by = "date"
paginate_by = 5
+++
<br>
# Defensive
#### Tails
* [Tails for Anarchists](/posts/tails/)
* [Tails Best Practices](/posts/tails-best/)
#### Qubes OS
* [Qubes OS for Anarchists](/posts/qubes/)
#### Phones
* [Why Anarchists Shouldn't Have Phones](/posts/nophones/)
* [GrapheneOS for Anarchists](/posts/grapheneos/)
#### Tails and Qubes OS
* [Linux Essentials: The Basics Needed to Use Tails or Qubes](/posts/linux/)
* [Removing Identifying Metadata From Files](/posts/metadata/)
#### Tails, Qubes OS, and GrapheneOS
* [Encrypted Messaging for Anarchists](/posts/e2ee/)
* [Making Your Electronics Tamper-Evident](/posts/tamper/)
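Review bot: the heading levels jump from `# Defensive` straight to `#### Tails`, `#### Qubes OS` and the rest with no `##` or `###` in between, which leaves holes in the document outline; `##` for the per-topic subheadings would match the level used in the recommendations page. The front matter also sets `description = ""`, which can be dropped if nothing reads it.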