mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 14:52:54 -04:00
improve install instructions
parent 9a06111d64
commit 4abe74a188
12 changed files with 24 additions and 36 deletions
@ -4,7 +4,7 @@ date=2023-04-02

[taxonomies]
categories = ["Defensive"]
tags = ["intro", "e2ee", "easy"]
tags = ["intro", "e2ee", "beginner"]

[extra]
blogimage="/images/BASE_2.png"
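Review bot: the "easy" to "beginner" tag rename is applied per post across eight files in this commit, but nothing here updates pages or menus that link to the old tag listing (e.g. a /tags/easy/ URL); grep the site for the old tag before merging so existing links and the tag page do not break.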
@ -124,20 +124,12 @@ Cwtch support for Tails is very new and not thoroughly tested.

* Start Tails with an Adminstration Password.
* Download [Cwtch for Linux](https://cwtch.im/download/#linux) with Tor Browser
* Verify your download
* Open the folder using the Tor Browser's download icon
* Right-click in the file manager and select "Open a Terminal Here"
* Run `sha512sum cwtch-VERSION-NUMBER.tar.gz` (fill in the version number)
* Compare the hash of the file to what is listed on the download page
* According to our [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), personal data should be stored on a second LUKS USB and Persistent Storage should not be enabled. Extract the file with the file manager (right click, select "Extract Here"), then copy the `cwtch` folder to such a personal data LUKS USB.
* OPTIONAL - If you enable Persistent Storage: with Persistent Storage unlocked, in Terminal run `sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf && sudo sed -i '$ a /home/amnesia/.local source=cwtch_install' /live/persistence/TailsData_unlocked/persistence.conf` then restart Tails for the changes to take effect, again with an Adminstration Password.
* Run the install script
* In the File Manager, browse to the directory you just created, `cwtch`. Right click in the File Manager and select "Open a Terminal Here"
* Run `install-tails.sh` and enter the Administration Password when prompted.
* As the [documentation](https://docs.cwtch.im/docs/platforms/tails) states, "When launching, Cwtch on Tails should be passed the CWTCH_TAILS=true environment variable". In the Terminal, run:
* `exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch`
* With Persistent Storage disabled, configuration and profile data must be restored from backup every session you need to install Cwtch. Backup `/home/amnesia/.cwtch/` to the personal data LUKS USB, and copy it back to `/home/amnesia/` the next time you install Cwtch.
* Updates to new versions must be done manually - back up your profile before updating.
* In the File Manager, enter the `cwtch` directory you just created, so that you can see a file named "install-tails.sh". Right click in the File Manager and select "Open a Terminal Here"
* Run `./install-tails.sh` and enter the Administration Password when prompted.
* You can now launch Cwtch from the "Activities" overview.
* With Persistent Storage disabled, profile data must be restored from backup every session you need to install Cwtch. Export your profile, copy it to the personal data LUKS USB, and import it again the next time you install Cwtch.

<br>
</details>
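Review bot: the new launch step assumes install-tails.sh registers a desktop entry so that Cwtch appears in "Activities"; the `exec env CWTCH_TAILS=true ...` command being dropped was the documented way to start it, so keep it as a one-line fallback ("if Cwtch does not appear, run ... from a terminal"). "Enter the `cwtch` directory you just created" is also ambiguous after the step that copies the `cwtch` folder to the LUKS USB, since two copies now exist; say to use the copy on the LUKS USB so the next session can reuse it. Finally, `./install-tails.sh` correctly replaces `install-tails.sh`, which would not be found on PATH.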
@ -150,7 +142,7 @@ Cwtch support for Tails is very new and not thoroughly tested.
</summary>
<br>

Cwtch on Whonix currently has an [issue](https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/550) - support is forthcoming.
Cwtch on Whonix does not guarantee Tor [Stream Isolation](/posts/qubes/#whonix-and-tor) from other applications in the same qube, so we will install it in a dedicated qube. Cwtch is installed in an App qube, follow the [installation instructions](https://docs.cwtch.im/docs/platforms/whonix/).

<br>
</details>
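Review bot: "Cwtch is installed in an App qube, follow the [installation instructions]" is a comma splice and does not say what the dedicated qube should be based on; suggest "Install Cwtch in a dedicated App qube based on the Whonix-Workstation template, following the installation instructions", which also makes the stream-isolation rationale in the first sentence concrete.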
@ -177,7 +169,7 @@ If SimpleX is served with a warrant, their [privacy policy](https://github.com/s

SimpleX Chat will work with Tor if used on an operating system that forces it to, such as Whonix or Tails. However, voice and video calls generally don't work very well over Tor regardless of which application you use.

You can learn more about how to use SimpleX Chat with their [guide](https://simplex.chat/docs/guide/readme.html).
You can learn more about how to use SimpleX Chat with their [guide](https://simplex.chat/docs/guide/readme.html). Make sure to set a [database passphrase](https://simplex.chat/docs/guide/privacy-security.html#database-passphrase).

## For Anonymous Public-facing Projects

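Review bot: the added sentence tells readers to set a database passphrase but not why; a short clause that the passphrase encrypts the local chat database at rest would help, especially since the Tails steps later in this post tell readers to copy `/home/amnesia/.local/share/simplex` to a backup USB, and that copy carries the database.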
@ -224,10 +216,8 @@ Install SimpleX Chat the same way you would install any [app that doesn't requir
* Download the [AppImage](https://simplex.chat/downloads/#desktop-app) with Tor Browser
* According to our [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), personal data should be stored on a second LUKS USB and Persistent Storage should not be enabled. Copy the .AppImage file to such a personal data LUKS USB.
* Make the AppImage executable
* In the File Manager, browse to the directory with the file. Right click in the File Manager and select "Open a Terminal Here"
* Run `chmod +x simplex-desktop-x86_64.AppImage` and enter the Administration Password when prompted.
* To launch run the following command in the Terminal:
* `./simplex-desktop-x86_64.AppImage`
* In the File Manager, right-click "Properties". Under "Permissions", enable "Allow this file to run as a program".
* You can now launch SimpleX Chat from the "Activities" overview.
* With Persistent Storage disabled, configuration and profile data must be restored from backup every session. Backup `/home/amnesia/.local/share/simplex` to the personal data LUKS USB, and copy it back to `/home/amnesia/.local/share` in your next session.

<br>

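Review bot: "You can now launch SimpleX Chat from the "Activities" overview" needs verifying on Tails: marking an AppImage executable in Properties does not create a desktop entry, so it will most likely not show up in Activities and the reader instead double-clicks the file in the File Manager; if Tails does list it, say from which location (the copy on the LUKS USB). Removing the `chmod +x ... and enter the Administration Password` step is correct, since changing permissions on your own file needs no admin password.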
@ -279,7 +269,7 @@ These barriers to anonymous registration mean that Signal is rarely used anonymo

In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. Police seized suspects' phones during arrests and house raids, as well as targeting them through spyware, and then identified Signal contacts and group members. These identities were added to the list of suspects who were subsequently investigated.

The risk of a compromised device aiding the police in network mapping is partly mitigated by the [username feature](https://community.signalusers.org/t/public-username-testing-staging-environment/56866) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
The risk of a compromised device aiding the police in network mapping is partly mitigated by the [username feature](https://signal.org/blog/phone-number-privacy-usernames/) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.

A private company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.

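Review bot: pointing at the official usernames blog post instead of a staging-environment test thread is the right fix. One wording nit in the same line while it is being touched: "enable Always relay calls to prevent this" overstates it, since relaying hides your IP address from the other party but not from Signal's relay servers; "to hide your IP address from your contact" is the accurate claim.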
@ -4,7 +4,7 @@ date=2023-04-05

[taxonomies]
categories = ["Defensive"]
tags = ["intro", "mobile", "easy"]
tags = ["intro", "mobile", "beginner"]

[extra]
toc = true

@ -193,3 +193,5 @@ With the set-up described in this guide, if a cop starts with your name, they wo
By storing the phone in a tamper-evident manner when it's not in use, you'll be able to tell if it's been physically accessed. See the guide [Make Your Electronics Tamper-Evident](/posts/tamper/).

The [forum](https://discuss.grapheneos.org/) is generally very helpful for any remaining questions you may have.

For information on burner phones, see the [No Trace Project](https://www.notrace.how/threat-library/mitigations/anonymous-phones.html).

@ -5,7 +5,7 @@ date=2023-04-04

[taxonomies]
categories = ["Defensive"]
tags = ["intro", "linux", "tails", "qubes", "easy"]
tags = ["intro", "linux", "tails", "qubes", "beginner"]

[extra]
blogimage="/gifs/destroy.gif"

@ -4,7 +4,7 @@ date=2023-04-03

[taxonomies]
categories = ["Defensive"]
tags = ["metadata", "tails", "qubes", "easy"]
tags = ["metadata", "tails", "qubes", "beginner"]

[extra]
blogimage="/images/app.png"

@ -75,9 +75,7 @@ Qubes OS includes Whonix by default (Qubes-Whonix) for when you want to force al
>
>Whonix virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. By design, Tails is meant to completely reset itself after each reboot. Encrypted persistent storage can be configured to store some data between reboots.

If an adversary hacks your Tails system to get [initial access](https://attack.mitre.org/tactics/TA0001/), such as through [phishing](/posts/tails-best/#phishing-awareness), they need to achieve [privilege escalation](https://attack.mitre.org/tactics/TA0004/) in order to bypass Tor. The [most recent Tails audit](https://tails.net/news/audit_by_ROS/index.en.html) found several privilege escalation bugs.

If an adversary hacks your Qubes-Whonix system to get [initial access](https://attack.mitre.org/tactics/TA0001/), they need to achieve [lateral movement](https://attack.mitre.org/tactics/TA0008/) to the Whonix Gateway, and then achieve privilege escalation from there in order to bypass Tor.
For more information on how Whonix compares to Tails against different types of deanonymization attacks, see the [Whonix documentation](https://www.whonix.org/wiki/Comparison_with_Others#Circumventing_Proxy_Obedience_Design).

In order to recover data from a Qubes OS system when it is turned off, an adversary would still need to successfully [bypass](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) the [Full Disk Encryption](/glossary#full-disk-encryption-fde) (e.g. by seizing the computer when it is turned on, or cracking a weak password). In order to recover data from a Tails system when it is turned off, **the situation is the same if any data is saved to Persistent Storage or an encrypted USB** - this saved data is no longer protected by anti-forensic features but by Full Disk Encryption.

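Review bot: dropping the two "If an adversary hacks your ... system" paragraphs in favour of a link to Whonix's own comparison page loses the concrete reasoning (privilege escalation on Tails versus lateral movement to the Gateway plus escalation on Qubes-Whonix) and delegates the comparison to one of the two projects being compared; keep a one-sentence summary of that reasoning next to the link.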
@ -339,7 +337,7 @@ Occasionally, a new version of the Tor Browser will be available before it can b
Manage passwords by using KeePassXC from the `vault` App qube. If you are not familiar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This approach requires you to memorize three passwords:

1. [LUKS](/glossary/#luks) password (first boot password)
2. User password (second boot password, which is much less important than LUKS)
2. User password (second boot password, which is [much less important than LUKS](https://forum.qubes-os.org/t/recommended-length-of-linux-user-account-password/19337/3))
3. KeePassXC password

Shutdown Qubes OS whenever you are away from the computer for more than a few minutes. For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords).

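Review bot: the added link backs up "much less important than LUKS", but item 2 could say in a few words that the user password still gates the lock screen of a running session, so it should not be trivial; the shutdown advice in the next paragraph is what makes LUKS rather than the user password the one that matters.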
Binary file not shown.
Before Width: | Height: | Size: 466 KiB |
@ -4,10 +4,10 @@ date=2023-04-08

[taxonomies]
categories = ["Defensive"]
tags = ["linux", "tails", "easy"]
tags = ["linux", "tails", "beginner"]

[extra]
blogimage="/images/tails1.png"
blogimage="/images/digital-best-practices.jpg"
toc=true
dateedit=2023-05-10
a4="tails-best-a4.pdf"

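Review bot: dateedit=2023-05-10 is left unchanged although this commit also edits the body of this post (the Persistent Storage and write-protect hunk); bump it. The new blogimage points at static/images/digital-best-practices.jpg, added in this commit at 569 KiB; tails1.png is still referenced by another post in this diff, so it must stay.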
@ -183,6 +183,8 @@ Finally, a note about email - if you already use Tails and encrypted email, you

Another reason to avoid using Persistent Storage features is that many of them persist user data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is user data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization with Persistent Storage enabled, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work.

If its not possible to find a USB with a write-protect switch, you can alternatively use a USB 3.0 to SD card adapter, because SD cards have a write-protect switch.

# Encryption

## Passwords

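Review bot: "If its not possible" should read "If it's not possible". The SD-card alternative also needs a caveat: the lock tab on an SD card is a mechanical switch that the card reader and host driver are expected to honour, not something the card's own controller enforces, so a compromised host can write regardless; a USB stick whose write-protect switch is enforced by its controller is the stronger option, and the adapter should be presented as a weaker fallback.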
@ -4,7 +4,7 @@ date=2023-04-09

[taxonomies]
categories = ["Defensive"]
tags = ["intro", "linux", "tails", "easy"]
tags = ["intro", "linux", "tails", "beginner"]

[extra]
blogimage="/images/tails1.png"

@ -186,9 +186,7 @@ Every time you start Tails, right after you connect to the Tor network, the Tail

### The [manual upgrade](https://tails.boum.org/upgrade/tails/index.en.html)

* Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades.
* If you already have a second Tails USB with the latest version, boot up and go to **Applications → Tails → Tails Installer**. Instead of the "install" button, you'll be asked to "upgrade". The difference is that it doesn't format the whole USB, it just replaces the Tails partition with an updated version.
* If you don't have a second Tails USB with the latest version, you'll need a blank USB and the (outdated) Tails USB. See the [documentation for manual upgrades](https://tails.boum.org/upgrade/tails/index.en.html).
* Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.boum.org/upgrade/tails/index.en.html).

# II) Going Further: Several Tips and Explanations

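Review bot: collapsing the three bullets into one drops the practical detail that, with a second up-to-date Tails USB, Tails Installer offers "upgrade" instead of "install" and replaces only the Tails partition; readers following the link will not get that at a glance, so keep one line of it. While touching this line, tails.boum.org now redirects to tails.net, so the link can be updated.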
@ -4,7 +4,7 @@ date=2023-04-01

[taxonomies]
categories = ["Defensive"]
tags = ["opsec", "easy"]
tags = ["opsec", "beginner"]

[extra]
blogimage="/images/beads.jpg"

@ -15,8 +15,6 @@ We agree with the conclusion of an overview of [targeted surveillance measures i

>**[Operating system](/glossary#operating-system-os)**: **GrapheneOS** is the only reasonably secure choice for cell phones. See [GrapheneOS for Anarchists](/posts/grapheneos/). [Kill the cop in your pocket](/posts/nophones/) - if you decide to have a phone, treat it like an "encrypted landline" and leave it at home when you are out of the house.

Google Pixel phones are the only devices that currently meet the [hardware security requirements](https://grapheneos.org/faq#device-support) of GrapheneOS. If that is not possible for you, [DivestOS](https://www.privacyguides.org/en/android/#divestos) has more [supported devices](https://divestos.org/pages/devices) and is still significantly better than stock Android.

## Your Computer

>**[Operating system](/glossary#operating-system-os)**: **Tails** is unparalleled for sensitive computer use (writing and sending communiques, moderating a sketchy website, researching for actions, reading articles that may be criminalized, etc.). Tails runs from a USB drive and is [designed](https://tails.boum.org/about/index.en.html) with the anti-forensic property of leaving no trace of your activity on your computer, as well as forcing all Internet connections through the [Tor network](/glossary#tor-network). See [Tails for Anarchists](/posts/tails/) and [Tails Best Practices](/posts/tails-best/).

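Review bot: removing the "Google Pixel phones are the only devices ..." paragraph leaves readers who cannot get a Pixel with no guidance, and the remaining GrapheneOS line no longer says which hardware it requires; keep at least the first sentence (Pixels are the only supported hardware) even if the DivestOS fallback is intentionally dropped.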
BIN
static/images/digital-best-practices.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 569 KiB |
Binary file not shown.
Before Width: | Height: | Size: 887 KiB After Width: | Height: | Size: 344 KiB |