tails-best update continued
parent
795b8b2b79
commit
5826499548
5 changed files with 765 additions and 89 deletions
661
'
Normal file
661
'
Normal file
|
@ -0,0 +1,661 @@
|
|||
@charset "utf-8"
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 100
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 100
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 100
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 200
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 200
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 200
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 300
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 300
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 300
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 400
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 400
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 400
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 500
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 500
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 500
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 600
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 600
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 600
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 700
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 700
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 700
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 800
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 800
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 800
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 900
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-italic.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 900
|
||||
font-display: swap
|
||||
src: url(..webfonts/latin-ext-italic.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: italic
|
||||
font-weight: 900
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-italic.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 100
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 100
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 100
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 200
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 200
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 200
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 300
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 300
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 300
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 400
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 400
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 400
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 500
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 500
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 500
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 600
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 600
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 600
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 700
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 700
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 700
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 800
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 800
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 800
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
/* cyrillic */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 900
|
||||
font-display: swap
|
||||
src: url(../webfonts/cyrillic-normal.woff2) format('woff2')
|
||||
unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116
|
||||
|
||||
/* latin-ext */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 900
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-ext-normal.woff2) format('woff2')
|
||||
unicode-range: U+0100-02AF, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF
|
||||
|
||||
/* latin */
|
||||
@font-face
|
||||
font-family: 'Jost'
|
||||
font-style: normal
|
||||
font-weight: 900
|
||||
font-display: swap
|
||||
src: url(../webfonts/latin-normal.woff2) format('woff2')
|
||||
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD
|
||||
|
||||
|
||||
|
||||
// Update Bulma's global variables
|
||||
$family-sans-serif: "Jost", sans-serif
|
||||
$footer-padding: 1.0rem 2.5rem
|
||||
|
||||
/* on small resolutions */
|
||||
@media screen and (max-width:1023px)
|
||||
/* add left and right margins to menu */
|
||||
.navbar-brand
|
||||
margin-left: 0.5em!important
|
||||
|
||||
.navbar-menu
|
||||
margin-right: 0.5em!important
|
||||
|
||||
/* allow menu items to wrap */
|
||||
.navbar-menu
|
||||
flex-shrink: 1!important
|
||||
|
||||
.navbar-end
|
||||
flex-wrap: wrap!important
|
||||
|
||||
html
|
||||
scroll-behavior: smooth
|
||||
|
||||
body
|
||||
font-family: $family-sans-serif
|
||||
display: flex
|
||||
flex-direction: column
|
||||
min-height: 100vh
|
||||
|
||||
section
|
||||
flex: 1
|
||||
|
||||
#dark-mode
|
||||
display: none
|
||||
|
||||
.menu
|
||||
position: sticky
|
||||
top: 48px
|
||||
max-height: calc(100vh - 48px)
|
||||
overflow-y: scroll
|
||||
|
||||
div.column.is-2.is-hidden-mobile
|
||||
padding-right: 0px !important
|
||||
|
||||
img
|
||||
margin: auto
|
||||
display: block
|
||||
|
||||
#image-gay
|
||||
width: auto
|
||||
height: auto
|
||||
max-height:90vh
|
||||
|
||||
ul
|
||||
font-size: 18px
|
||||
color: #373737 !important
|
||||
|
||||
.toc
|
||||
font-size: 15.5px !important
|
||||
|
||||
ol
|
||||
font-size: 18px
|
||||
color: #373737 !important
|
||||
|
||||
p
|
||||
font-size: 18px
|
||||
color: #373737 !important
|
||||
|
||||
h1
|
||||
text-align: center !important
|
||||
font-size: 2.8em !important
|
||||
text-decoration: underline #AE3B8B !important
|
||||
|
||||
h2:not(.title)
|
||||
font-size: 1.8em !important
|
||||
margin-top: 2.5rem !important
|
||||
margin-bottom: 2rem !important
|
||||
|
||||
h3
|
||||
font-size: 1.4em !important
|
||||
font-style: italic !important
|
||||
|
||||
h4
|
||||
font-size: 1.1em !important
|
||||
text-decoration: underline !important
|
||||
|
||||
a
|
||||
color: #AE3B8B
|
||||
|
||||
.menu-list a.is-active
|
||||
background-color: #AE3B8B
|
||||
|
||||
code
|
||||
color: #AE3B8B
|
||||
|
||||
.icon-text
|
||||
font-size: 16px
|
||||
|
||||
body[theme="dark"]
|
||||
background-color: black !important
|
||||
|
||||
body[theme="dark"] article.box
|
||||
background-color: black !important
|
||||
box-shadow: 0 .5em 1em -.125em rgba(245,245,245,.1),0 0 0 1px rgba(245,245,245,.02)
|
||||
|
||||
body[theme="dark"] blockquote
|
||||
background-color: #090809 !important
|
||||
border-left: 5px solid #232223
|
||||
|
||||
body[theme="dark"] .navbar
|
||||
background-color: #090809 !important
|
||||
|
||||
body[theme="dark"] .footer
|
||||
background-color: #090809 !important
|
||||
|
||||
body[theme="dark"] .navbar-item
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] .navbar-item:hover
|
||||
color: black !important
|
||||
|
||||
body[theme="dark"] .navbar-item:focus
|
||||
color: black !important
|
||||
|
||||
body[theme="dark"] p
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] strong
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] ol
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] ul
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] .title
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] h1
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] h2
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] h3
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] h4
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] a.toc
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] a.toc:hover
|
||||
color: black !important
|
||||
|
||||
body[theme="dark"] a:not(.toc,.navbar-item)
|
||||
color: #fa86d8 !important
|
||||
|
||||
body[theme="dark"] code
|
||||
color: #fa86d8 !important
|
||||
background-color: #090809 !important
|
||||
|
||||
body[theme="dark"] a.is-active
|
||||
background-color: #fa86d8 !important
|
||||
color: black !important
|
||||
|
||||
img[theme=dark]:not(.no-dark)
|
||||
filter: invert(1) hue-rotate(180deg)
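Review bot: The latin-ext italic `@font-face` rules load `url(..webfonts/latin-ext-italic.woff2)`, which is missing the slash after `..`; every other rule in the file uses `../webfonts/…`. As written, the URL resolves to a `..webfonts` directory next to the stylesheet, so the latin-ext italic face will most likely fail to load and silently fall back to `sans-serif`. The line should read `src: url(../webfonts/latin-ext-italic.woff2) format('woff2')` in all nine italic weights (100–900). Separately, the final rule selects `img[theme=dark]:not(.no-dark)` while every other dark-mode rule keys off `body[theme="dark"]`. If the attribute is only ever set on `body`, the intended selector is probably `body[theme="dark"] img:not(.no-dark)`.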
|
||||
|
|
@ -102,7 +102,7 @@ If a Wi-Fi antenna is too technical for you, you may even want to **use your hom
|
|||
|
||||
#### To summarize
|
||||
|
||||
For sensitive and irregular Internet activities, use Internet from a random cafe, preceeded by surveillance detection and anti-surveillance. For activities that require daily Internet access such that taking surveillance countermeasures and finding a new cafe isn't realistic, it's best to use a Wi-Fi antenna. If this is too technical for you, using your home Wi-Fi is an option, but this requires trusting Tor's resilience to correlation attacks and whatever measures you take against being hacked.
|
||||
For sensitive and irregular Internet activities, use Internet from a random cafe, preceeded by surveillance detection and anti-surveillance. For activities that require daily Internet access such that taking surveillance countermeasures and finding a new cafe isn't realistic, it's best to use a Wi-Fi antenna. If this is too technical for you, using your home Wi-Fi is an option, but this requires trusting Tor's resilience to correlation attacks and the measures you take against being hacked.
|
||||
|
||||
# Reducing risks when using untrusted computers
|
||||
|
||||
|
@ -166,7 +166,7 @@ Not everyone will need to apply all of the advice below. For example, if you're
|
|||
|
||||
> What's a *write-protect* switch? When you insert a normal USB into a computer, the computer does *read* and *write* operations with it, and a *write* operation can change the data on the USB. Some special USBs developed for malware analysis have a physical switch that can lock the USB, so that data can be *read* from it, but no new data can be *written* to it.
|
||||
|
||||
If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are also from an attacker compromising the Tails software when the switch is locked. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot carry over to subsequent Tails sessions.
|
||||
If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), when the switch is locked you are protected from an attacker compromising the Tails software stored on the USB. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, your Tails USB is immutable, so the compromise cannot carry over to subsequent Tails sessions ("malware persistence") by modifying operating system files. The only other way to establish "malware persistence" is firmware compromise, which you have already mitigated.
|
||||
|
||||
Note that Heads firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting.
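Review bot: The new closing sentence, "The only other way to establish "malware persistence" is firmware compromise, which you have already mitigated", states as settled something this hunk cannot show. The firmware mitigation is described outside the hunk, and the write-protect guarantee holds only for sessions where the switch stays locked. A reader who skipped the firmware steps, or who runs the unlocked sessions described in the next section, could take this as unconditional. A hedged wording keeps the reasoning without the absolute claim: `The only other way to establish "malware persistence" is firmware compromise, which the firmware recommendations earlier in this guide are meant to mitigate.`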
|
||||
|
||||
|
@ -180,136 +180,143 @@ If you aren't using Heads and you are unable to obtain a USB with a write-protec
|
|||
|
||||
## Unlocking the switch
|
||||
|
||||
On a USB with a write-protect switch, you will not be able to make any changes to the Tails USB when the switch is locked. If you can make changes, so can malware. While it would be ideal to leave the switch locked all the time, we recommend two cases where the switch must be unlocked:
|
||||
On a USB with a write-protect switch, you will not be able to make any changes to the Tails USB when the switch is locked. If you can make changes, so can malware. There are only two cases where the switch must be unlocked:
|
||||
|
||||
1) **For a dedicated upgrade session.** If you need to upgrade Tails, you can do so in a dedicated session with the switch unlocked — this is necessary because the upgrade needs to be written to the Tails USB. Once you are done, you should restart Tails with the switch locked.
|
||||
2) **If you decide to use Persistent Storage, for occasional configuration sessions.** [Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to persist between sessions that would otherwise be amnesiac on the Tails USB itself. Because it requires writing to the Tails USB to persist data, it is generally impractical to use with a write-protect switch. However, it may be acceptable to disable the switch for occasional Persistent Storage configuration sessions, such as installing additional software. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting to install it every session. Then, in a 'locked' session, you actually use Scribus — none of the files you work on are saved to the Tails USB because it is 'locked'. Note that in this scenario, the USB switch will need to be locked to the read-only position *after* after the Welcome Screen, because Tails will not load the Persistant Storage otherwise. The Persistent Storage feature is not possible with the `toram` boot or with a DVD.
|
||||
### 1. For a dedicated upgrade session.
|
||||
|
||||
## "Persistent data" USBs
|
||||
If you need to upgrade Tails, you can do so in a dedicated session with the switch unlocked — this is necessary because the upgrade needs to be written to the Tails USB. Once you are done, you should restart Tails with the switch locked.
|
||||
|
||||
Where can we store personal data for use between Tails sessions if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This "personal data" USB should not look identical to your Tails USB to avoid confusion. To create this separate USB, see [How to create an encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb). If you are reading this from a country like the UK, where not providing encryption passwords can land you in jail, this second drive should be an HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not suitable for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).
|
||||
### 2. For a dedicated configuration session, if you decide to use Persistent Storage.
|
||||
|
||||
[Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to carry over between sessions that would otherwise be amnesiac, by saving data onto the Tails USB itself. Because Persistent Storage requires writing to the Tails USB, it is generally impractical to use with a write-protect switch.
|
||||
|
||||
Another reason to avoid using Persistent Storage features is that many of them store personal data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is personal data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization with Persistent Storage enabled, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work.
|
||||
|
||||
However, you may want to use some Persistent Storage features that don't store personal data, such as the additional software feature. This requires unlocking the switch for a dedicated Persistent Storage configuration session:
|
||||
|
||||
* Start an "unlocked" session, [create Persistent Storage](/posts/tails#optional-create-and-configure-persistent-storage) with additional software enabled, [install the additional software](/posts/tails#installing-additional-software), and select to "Install Every Time" when prompted.
|
||||
* Now that the configuration is complete, restart Tails into a "locked" session before actually using the software. This way, none of the files you work on are saved to the Tails USB because it is "locked", but now the additional software is configured to install every time you enter your Persistent Storage password at the Welcome Screen. To have a "locked" session with Persistent Storage, the USB switch will need to be locked to the read-only position *after* after the Welcome Screen because Tails will not allow you to enter the password otherwise.
|
||||
|
||||
The Persistent Storage feature is not possible with the DVD or `toram` boot option.
|
||||
|
||||
## "Personal data" USBs
|
||||
|
||||
Where can we store personal data for use between Tails sessions if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This "personal data" USB should not look identical to your Tails USB to avoid confusion. To create this separate USB, see [How to create an encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb). If you are reading this from a country like the UK where not providing encryption passwords can land you in jail, this second drive should be an HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not suitable for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).
|
||||
|
||||
The compartmentalization approach [discussed above](/posts/tails-best#2-using-tails-for-more-than-one-purpose-at-a-time) neatly separates different identities by using separate Tails sessions for separate activities — for example, in Tails session #1 you do website moderation activities, and in Tails session #2 you do action research activities. This approach has implications for how you organize your "personal data" USBs. If the files you save could be used to link your activities together, use a different "personal data" USB for each activity.
|
||||
|
||||

|
||||
|
||||
Compartmentalization is an approach that neatly separates different identities by using separate Tails sessions for separate activities — in Tails session #1 you do activities related to moderating a website, and in Tails session #2 you do activities related to researching for an action. This approach also comes into play with your "personal data" USBs. If the files you save could be used to link your activities together, use a different "personal data" USB for each activity. For a "personal data" USB that stores very sensitive files (such as the text of a communique), it is best to reformat and then destroy the USB once you no longer need the files (see [Really delete data from a USB drive](/posts/tails/#really-delete-data-from-a-usb)). This is another reason to use a separate USB for any files that need to be saved — you don't accumulate the forensic history of all your files on your Tails Persistent Storage, and you can easily destroy USBs as needed.
|
||||
If a "personal data" USB is used to save very sensitive files (such as the text of a communique), it is best to overwrite and then destroy the USB once you no longer need the files (see [Really delete data from a USB drive](/posts/tails/#really-delete-data-from-a-usb)). This is another reason to use a separate USB for any files that need to be saved — you don't accumulate the forensic history of all your files on your Tails Persistent Storage, and you can easily destroy these "personal data" USBs as needed.
|
||||
|
||||
## Email and Additional Software
|
||||
If you already use Tails and encrypted email, you may be familiar with Thunderbird's Persistent Storage feature for your inbox and PGP keys. This feature won't work with a write-protect switch enabled. Instead of using Persistent Storage for email, simply login to Thunderbird in each new session. PGP keys can be stored on the "personal data" USB like any other file, and imported when needed with one click. This approach has the advantage that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
|
||||
|
||||
Finally, a note about email — if you already use Tails and encrypted email, you may be familiar with Thunderbird's Persistent Storage feature. This feature allows you to store your Thunderbird email account details, as well as your inbox and PGP keys, on a Tails USB. With a "personal data" USB, Thunderbird won't automatically open your accounts. We recommend that you do one of the following:
|
||||
# Phishing Awareness
|
||||
|
||||
- Create new Thunderbird email accounts in each session. PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the advantage that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
|
||||
- Keep the Thunderbird data folder on the "personal data" USB. After logging in to Thunderbird, use the Files browser (Applications → Accessories → Files) and enable the "Show hidden files" setting. Navigate to Home, then copy the folder called `.thunderbird` to your "personal data" USB. In each future session, after you have unlocked the 'personal data' USB and before you start Thunderbird, copy the `.thunderbird` folder to Home (which is running in RAM, so doesn't require the write-protect switch to be unlocked).
|
||||
Let's return to the subject of how an adversary would conduct a [remote attack](/glossary/#remote-attacks) targeting you or your project for hacking; the answer is most likely ["phishing"](/glossary/#phishing). *Phishing* is when an adversary crafts an email (or a message in an application) to trick you into revealing information or to introduce malware onto your machine. [*Spear phishing*](/glossary/#spear-phishing) is when the adversary has done some reconnaissance and uses information they already know about you to tailor their phishing attack.
|
||||
|
||||
Another reason to avoid using Persistent Storage features is that many of them persist user data to the Tails USB. If your Tails session is compromised, the data you access during that session can be used to tie your activities together. If there is user data on the Tails USB, such as an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization with Persistent Storage enabled, you would need a dedicated Tails USB for each identity, and updating them all every month would be a lot of work.
|
||||
Phishing only works if the adversary has a way of sending you a message: you don't need to worry about this attack vector for activities like submitting a communique or doing action research, but it is relevant for public-facing projects that have a communication channel. Be aware that the "from" field in emails can be spoofed to fool you — [PGP signing](/posts/e2ee/#pgp-email) mitigates this to prove that the email is actually from who you expect it to be from.
|
||||
|
||||
You have probably heard the advice to be skeptical about clicking on links and opening file attachments — this is why. Phishing relies on your actions to succeed, so your awareness is your best defense.
|
||||
|
||||
A malicious file or link works by [executing code](https://en.wikipedia.org/wiki/Arbitrary_code_execution) on your machine. For malicious files, the code executes when the file is opened. For malicious links, the code executes when you visit the website, usually with the help of JavaScript. The point of this code execution is to give an entry point ("inital access") to infect your machine with malware.
|
||||
|
||||
Tails protects against malware deanonymizing you by forcing all internet connections through the Tor network. However, once the adversary has "initial access" they will try to further their attack;
|
||||
|
||||
* [to make the infection persistent](https://attack.mitre.org/tactics/TA0003/),
|
||||
* [to install a screen or key logger](https://attack.mitre.org/tactics/TA0009/),
|
||||
* [to exfiltrate your data](https://attack.mitre.org/tactics/TA0010/),
|
||||
* [to achieve "privilege escalation"](https://en.wikipedia.org/wiki/Privilege_escalation)
|
||||
|
||||
Privilege escalation (i.e. going from an unprivileged user to the administration user on the system) is usually necessary to bypass Tor. Tails does not have a default Administration password (it must be set on the session's Welcome Screen if needed) in order to make "privilege escalation" more difficult.
|
||||
|
||||
The most recent [Tails audit](https://tails.net/news/audit_by_ROS/index.en.html) found several "privilege escalation vulnerabilities," and even a vulnerability that leaked the IP address from the non-privileged user. If resilience to malware attacks is an important part of your threat model, see [When to Use Tails vs. Qubes OS](/posts/qubes#when-to-use-tails-vs-qubes-os).
|
||||
|
||||
## Files
|
||||
|
||||
In 2017, the FBI and Facebook worked together to develop a malicious video file [that deanonymized a Tails user](https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) after he opened it while using his home Wi-Fi.
|
||||
|
||||
For untrusted attachments, you would ideally **sanitize all files sent to you before opening them** with a program like [Dangerzone](https://dangerzone.rocks/), which takes potentially dangerous PDFs, office documents, or images and converts them into safe PDFs. Unfortunately, Dangerzone is [not yet readily available in Tails](https://gitlab.tails.boum.org/tails/tails/-/issues/18135). Until Dangerzone is made available in Tails, there is no program to sanitize untrusted files into trusted files.
|
||||
|
||||
**It is best to open untrusted files in a dedicated ['offline mode'](https://tails.net/doc/first_steps/welcome_screen/index.en.html#index3h2) Tails session**. This will prevent code execution from establishing a remote connection to the adversary, which is usually needed to further the attack. Shutting the session down immediately afterward will minimize the chance of malware persisting. However, the files will remain untrusted.
|
||||
|
||||
## Links
|
||||
|
||||
With untrusted links, there are two things you must protect: your anonymity and your information.
|
||||
|
||||
* **It is best to open untrusted links in a dedicated Tails session without unlocked Persistent Storage or attached "personal data" USBs.** You can put the link on a Riseup Pad to access it.
|
||||
* [**Use Tor Browser on the Safest security setting**](/posts/tails/#tor-browser-security-settings)! The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||
* **Manually copy and paste the address into your browser, and retype the domain**. For example, after pasting the link `anarsec.guide/posts/tails`, retype `anarsec.guide` yourself. Do not click through a hyperlink (i.e. always copy and paste) because it can be used to mislead you about where you are going. Retyping the domain protects against "typo-squatting" (mailriseup.net instead of mail.riseup.net) as well as ["homograph attacks"](https://www.theguardian.com/technology/2017/apr/19/phishing-url-trick-hackers) (where Cyrillic letters are substituted for normal letters).
|
||||
* **Never follow a shortened link** (e.g. a site like bit.ly that takes long web addresses and makes a short one) because it cannot be verified before redirection. [Unshorten.me](https://unshorten.me/) can reveal shortened links.
|
||||
* **If you don't recognize the domain, research it**. Search for the domain with the domain name in quotation marks using a privacy-preserving search engine (such as DuckDuckGo) to see if it’s a legitimate website. This isn’t a surefire solution, but it’s a good precaution to take.
|
||||
|
||||

|
||||
|
||||
* **Don't enter any identifying information into the website**. If you follow a link from an email and are asked to log in, be aware that this is a common endgame for phishing campaigns. Instead, manually go to the website of the service you are trying to access and sign in there. That way, you’ll know you’re logging in to the right website because you’ve typed in the address yourself, rather than having to trust the link in the email.
|
||||
|
||||
## Watering hole attacks
|
||||
|
||||
An adversary can also compromise a "trusted" website — this allows them to install malware on the computers of anyone who visits the website, without needing to engage in phishing. This is called a ["watering hole attack" or a "drive-by compromise"](https://attack.mitre.org/techniques/T1189/) because it attacks many people simultaneously. For example, the [FBI hacked a website then used a Tor Browser exploit](https://www.vice.com/en/article/53d4n8/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant) to hack 8,000 users who visited it.
|
||||
|
||||
This is why its important to [**use Tor Browser on the Safest security setting**](/posts/tails/#tor-browser-security-settings) by default, even for "trusted" websites.
|
||||
|
||||
# Encryption
|
||||
|
||||
## Passwords
|
||||
|
||||
[Encryption](/glossary/#encryption) is a blessing — it's the only thing standing in the way of our adversaries reading all our data, if it's used well. The first step in securing your encryption is to make sure that you use very good passwords — most passwords don't need to be memorized because they are stored in a password manager called KeePassXC, so they can be completely random. To learn how to use KeePassXC, see [Password Manager](/posts/tails/#password-manager-keepassxc).
|
||||
[Encryption](/glossary/#encryption) is the only thing standing in the way of our adversaries reading all our data, if it's used well. The first step in securing your encryption is to make sure that you use very strong passwords — most passwords don't need to be memorized because they are stored in a password manager called KeePassXC, so they can be completely random. Never reuse a password for multiple things ("password recycling") — KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. To learn how to use KeePassXC, see [Password Manager](/posts/tails/#password-manager-keepassxc).
|
||||
|
||||
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a random sequence of characters (letters, numbers and other symbols), while a [*passphrase*](/glossary/#passphrase) is a random sequence of words.
|
||||
|
||||
Never reuse a password/passphrase for multiple things ("password recycling") — KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** — when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary/#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html) — this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
||||
[LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** — when the device is powered on, the password can be retrieved from memory. Adversaries can attempt to [brute-force attack](/glossary/#brute-force-attack) encryption with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html) — this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
||||
|
||||
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (seven words).
|
||||
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (diceware passphrases of seven words).
|
||||
|
||||

|
||||
|
||||
What is a diceware passphrase? As [Privacy Guides notes](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases), "Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`." The Password Generator feature in KeePassXC can generate diceware passphrases and random passwords. If you prefer to generate diceware passphrases using real dice, see [Privacy Guides](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases).
|
||||
>What is a diceware passphrase? As [Privacy Guides notes](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases), "Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`." The Password Generator feature in KeePassXC can generate diceware passphrases and random passwords. If you prefer to generate diceware passphrases using real dice, see [Privacy Guides](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases).
|
||||
|
||||
Our recommendations are:
|
||||
### General recommendations:
|
||||
|
||||
1) Memorize diceware passphrases of 7-10 words for everything that is not stored in a KeePassXC database.
|
||||
2) Generate passwords of 21 random characters for everything that can be stored in a KeePassXC database. Maintain an offsite backup of your KeePassXC database(s) in case it is ever corrupted or seized.
|
||||
* Memorize diceware passphrases of 7-10 words for everything that you'll need to enter before you have access to an unlocked KeePassXC database (in other words, your Full Disk Encryption passphrase and the KeePassXC master passphrase).
|
||||
* Generate passwords of 21 random characters for everything that can be stored in a KeePassXC database. Maintain an off-site backup of your KeePassXC database(s) in case it is ever corrupted or seized.
|
||||
|
||||
> **Tip**
|
||||
>
|
||||
> Diceware passphrases can be easy to forget if you have several to keep track of, especially if you use them infrequently. To reduce the risk of forgetting a diceware passphrase, you can store all "memorized" passphrases on a LUKS USB that you create using Tails, which is hidden somewhere off-site where it won't be recovered during a police raid. You should be able to reconstruct the LUKS passphrase if a lot of time has passed. See the [No Trace Project](https://notrace.how/threat-library/mitigations/digital-best-practices.html) for two different approaches you can take: one relies on a trusted comrade, and the other is self-sufficient. As with all important backups, you should have at least two.
|
||||
> Your memorized diceware passphrases can be easy to forget if you have several to keep track of, especially if you use any of them infrequently. To reduce the risk of forgetting a diceware passphrase permanently, you can use Tails to store all "memorized" passphrases on a LUKS USB then store it off-site where it won't be recovered during a police raid. You should be able to reconstruct the LUKS passphrase of this USB if a lot of time has passed. See the [Threat Library](https://www.notrace.how/threat-library/mitigations/digital-best-practices.html#header-use-strong-passwords) for two different approaches you can take: one relies on a trusted comrade, and the other is self-sufficient. As with all important backups, you should have at least two.
|
||||
|
||||
### Tails passphrases:
|
||||
|
||||
For Tails, you need to memorize two passphrases:
|
||||
|
||||
1) The [LUKS](/glossary/#luks) "personal data" USB passphrase, where your KeePassXC file is stored.
|
||||
2) The KeePassXC passphrase
|
||||
|
||||
If you are using Persistent Storage, this is another passphrase that you will have to enter on the Welcome Screen at boot time, but it can be the same as 1. Shutdown Tails whenever you are away from the computer for more than a few minutes.
|
||||
If you are using Persistent Storage, this is another passphrase that you will have to enter on the Welcome Screen at boot time, but it can be the same as the LUKS password. Shutdown Tails whenever you are away from the computer for more than a few minutes.
|
||||
|
||||
## Encrypted containers
|
||||
## Encrypted volumes
|
||||
|
||||
[LUKS](/glossary/#luks) is great, but defense-in-depth can't hurt. If the police seize your USB in a house raid, they will try a [variety of tactics to bypass the authentication](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), so a second layer of defense with a different encryption implementation can be useful for highly sensitive data.
|
||||
|
||||
Sirikali is an encrypted volume program that uses [Gocryptfs](https://nuetzlich.net/gocryptfs/) behind the scenes. It is [available in the Debian repository](https://packages.debian.org/bookworm/sirikali) and can be easily installed as [additional software](/posts/tails#installing-additional-software). Make sure to also install "suggested packages". If you don't want to reinstall Sirikali every session, you will need to [configure Additional Software in Persistent Storage](/posts/tails-best/#using-a-write-protect-switch). If you are comfortable on the [command line](/glossary/#command-line-interface-cli), you can use gocryptfs instead.
|
||||
|
||||
[Gocryptfs](https://nuetzlich.net/gocryptfs/) is an encrypted container program that is [available for Debian](https://packages.debian.org/bullseye/gocryptfs) and can be easily installed as [additional software](/posts/tails/#optional-create-and-configure-persistent-storage). If you don't want to reinstall it every session, you will need to [configure Additional Software in Persistent Storage](/posts/tails-best/#using-a-write-protect-switch).
|
||||
The first time you use Sirikali, create a Gocryptfs volume; press "Create Volume", and select the option "Gocryptfs."
|
||||
|
||||
To use gocryptfs, you will need to use Terminal (the [command line](/glossary/#command-line-interface-cli)).
|
||||
You will be prompted for a password. Create a new entry in your KeepassXC file and generate a password using the Generate Password feature (the dice icon). "Create volume" will create two new directories: the "cipher" directory (`/home/amnesia/example`) where the encrypted files are stored and the "plain" directory where you access your decrypted files once mounted there (`/home/amnesia/.SiriKali/example`)
|
||||
|
||||
On your Personal Data LUKS USB, use the file manager to create two folders and name them `cipher` and `plain`. Right click in the white space of your file manager and select 'Open Terminal Here'. This will allow you to be in the correct location when Terminal opens, instead of having to know how to navigate using the `cd` command.
|
||||
You will need to "mount" the volume every time you use it, which happens automatically when you first create it. You can now add files to your mounted encrypted volume: navigating to the "plain" directory requires selecting "Show Hidden Files" in the File Manager.
|
||||
|
||||
In Terminal, use the `ls` command to list the folders you have, and it should output the two you just created, among others:
|
||||
|
||||
`ls`
|
||||
|
||||
The first time you use Gocryptfs, create a Gocryptfs filesystem;
|
||||
|
||||
`gocryptfs -init cipher`
|
||||
|
||||
You will be prompted for a password. Create a new entry in your KeepassXC file and generate a password using the Generate Password feature (the dice icon). Then copy the password and paste it into the terminal (Edit → Paste or Ctrl+Shift+V). It will output a master key — save it in the KeepassXC entry.
|
||||
|
||||
Every time you use the filesystem, mount it like this:
|
||||
|
||||
`gocryptfs cipher plain`
|
||||
|
||||
You will be prompted for the password. Note that the order is important — `cipher` is the first argument and `plain` is the second.
|
||||
|
||||
You can now add files to your mounted, decrypted container in the 'plain' folder. When you unmount the filesystem, the container will be encrypted. To do this:
|
||||
|
||||
`fusermount -u plain`
|
||||
|
||||
Now plain is just an empty folder again. Before storing important files in the container, you should run a test to make sure it works as expected, especially if you are unfamiliar with the command line interface.
|
||||
When you unmount the volume, the plain directory will just be an empty folder again. Before storing important files in the volume, you should run a test to make sure it works as expected, especially if its your first time using it.
|
||||
|
||||
## Encrypted Communication
|
||||
|
||||
PGP email is the most established form of encrypted communication on Tails in the anarchist space. Unfortunately, PGP does not have [forward secrecy](/glossary/#forward-secrecy) — that is, a single secret (your private key) can decrypt all messages, rather than just a single message, which is the standard in encrypted messaging today. It is the opposite of "metadata protecting", and has [several other shortcomings](/posts/e2ee/#pgp-email).
|
||||
|
||||
For [synchronous](/glossary/#synchronous-communication) and [asynchronous](/glossary/#asynchronous-communication) messaging we recommend [Cwtch](/posts/e2ee/#cwtch). For more information on Cwtch, see [Encrypted Messaging For Anarchists](/posts/e2ee/).
|
||||
|
||||
# Phishing Awareness
|
||||
|
||||
Finally, consider how an adversary would conduct a [remote attack](/glossary/#remote-attacks) targeting you or your project; the answer is most likely ["phishing"](/glossary/#phishing). *Phishing* is when an adversary crafts an email (or text, message in an application, etc.) to trick you into revealing information, gain access to your account, or introduce malware to your machine. [*Spear phishing*](/glossary/#spear-phishing) is when the adversary has done some reconnaissance and uses information they already know about you to tailor their phishing attack.
|
||||
|
||||
You have probably heard the advice to be skeptical about clicking on links and opening attachments — this is why. To make matters worse, the "from" field in emails can be spoofed to fool you — [PGP signing](/posts/e2ee/#pgp-email) mitigates this to prove that the email is actually from who you expect it to be from.
|
||||
|
||||
Sometimes the goal of phishing is to deliver a "payload" that calls back to the adversary — it is the [initial access](https://attack.mitre.org/tactics/TA0001/) entry point to infect your machine with malware. A payload can be embedded in a file and run when the file is opened. In the case of a link, a payload can be delivered via malicious JavaScript in the website, allowing the payload to be executed on your computer. Tor is supposed to protect your location (IP address), but now the adversary has a way to further their attack; [make the infection persistent](https://attack.mitre.org/tactics/TA0003/), [install a screen or key logger](https://attack.mitre.org/tactics/TA0009/), [exfiltrate your data](https://attack.mitre.org/tactics/TA0010/), etc. The reason Tails does not have a default Administration password (it must be set on the session's Welcome Screen if needed) is to make it more difficult to [escalate privileges](https://attack.mitre.org/tactics/TA0004/), which would be necessary to bypass Tor.
|
||||
|
||||
## Attachments
|
||||
|
||||
Tails prevents deanonymization through phishing by forcing all internet connections through the Tor network. However, this is still vulnerable to [0-day exploits](/glossary/#zero-day-exploit) that nation-state actors have access to. For example, the FBI and Facebook worked together to develop a 0-day exploit against Tails [that deanonymized a user](https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) after he opened a video attachment from his home Wi-Fi.
|
||||
|
||||
For untrusted attachments, you would ideally **sanitize all files sent to you before opening them** with a program like [Dangerzone](https://dangerzone.rocks/), which takes potentially dangerous PDFs, office documents, or images and converts them into safe PDFs. Unfortunately, Dangerzone is [not yet readily available in Tails](https://gitlab.tails.boum.org/tails/tails/-/issues/18135). Until Dangerzone is made available in Tails, there is no program to sanitize untrusted files into trusted files.
|
||||
|
||||
**It is best to open untrusted files in a dedicated ['offline mode'](https://tails.net/doc/first_steps/welcome_screen/index.en.html#index3h2) Tails session**. This will prevent anything malicious from calling home. Shutting the session down immediately afterward will minimize the chance of malware persisting. However, the files will remain untrusted.
|
||||
|
||||
## Links
|
||||
|
||||
With untrusted links, there are two things you must protect: your anonymity and your information.
|
||||
|
||||
To protect your anonymity, [**use Tor Browser on the Safest security setting**](/posts/tails/#tor-browser-security-settings)! The vast majority of exploits against Tor Browser will not work with the Safest setting. In addition, **don't enter any identifying information into the website**.
|
||||
|
||||
Your information can only be protected **by your behavior** — phishing awareness allows you to think critically about whether this could be a phishing attack and act accordingly.
|
||||
|
||||
Investigate untrusted links before you click by **manually copying and pasting the address into your browser** — do not click through a hyperlink as the text can be used to mislead you about where you are going. **Never follow a shortened link** (e.g. a site like bit.ly that takes long web addresses and makes a short one) because it cannot be verified before redirection. [Unshorten.me](https://unshorten.me/) can reveal shortened links.
|
||||
|
||||

|
||||
|
||||
Also, **don’t follow links to domains you don't recognize**. When in doubt, search for the domain with the domain name in quotation marks using a privacy-preserving search engine (such as DuckDuckGo) to see if it’s a legitimate website. This isn’t a surefire solution, but it’s a good precaution to take.
|
||||
|
||||
Finally, if you click on any link in an email and are asked to log in, be aware that this is a common endgame for phishing campaigns. **Do not do it**. Instead, manually go to the website of the service you are trying to access and sign in there. That way, you’ll know you’re logging in to the right site because you’ve typed in the address yourself, rather than having to trust the link in the email. For example, you might type your password at mailriseup.net instead of mail.riseup.net (this is called "typo-squatting"). Similarly, a "[homograph attack](https://www.theguardian.com/technology/2017/apr/19/phishing-url-trick-hackers)" substitutes Cyrillic letters for normal letters, which is even harder to visually recognize.
|
||||
|
||||
**It is best to open untrusted links in a dedicated Tails session without unlocked Persistent Storage or attached "personal data" USBs.**
|
||||
For [synchronous](/glossary/#synchronous-communication) and [asynchronous](/glossary/#asynchronous-communication) messaging we recommend [Cwtch](/posts/e2ee/#cwtch), unless its for an anonymous public-facing project, in which case we still recommend PGP. For more information, see [Encrypted Messaging For Anarchists](/posts/e2ee/).
|
||||
|
||||
# To Conclude
|
||||
|
||||
Using Tails without any of this advice is still a vast improvement over many other options. Given that anarchists regularly entrust their freedom to Tails, such as sending communiques, taking these extra precautions can further strengthen your trust in this operating system.
|
||||
Using Tails without any of this advice is still a vast improvement over many other options. Given that anarchists regularly entrust their freedom to Tails, taking these extra precautions can further strengthen your trust in this operating system.
|
||||
|
||||
# Appendix: GPG Explanation
|
||||
|
||||
|
@ -322,7 +329,7 @@ Most Linux users will rarely need to use the [command line interface](/posts/lin
|
|||
|
||||
Using `gpg` during the installation of Tails will be less confusing if you understand how it works.
|
||||
|
||||
First, some clarification. [PGP and GPG](/glossary/#gnupg-openpgp) are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication ([although we don't recommend it](/posts/e2ee/#pgp-email)), but we use it here only to verify the integrity and authenticity of files.
|
||||
First, some clarification. [PGP and GPG](/glossary/#gnupg-openpgp) are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for [encrypted email communication](/posts/e2ee/#pgp-email)), but we use it here only to verify the integrity and authenticity of files.
|
||||
|
||||
GPG is a classic example of [public-key cryptography](/glossary/#public-key-cryptography). GPG provides cryptographic functions for [encrypting](/glossary/#encryption), decrypting, and signing files; our concern here is digitally signing files. The Tails team [digitally signs](/glossary/#digital-signatures) their .img releases. GPG gives us a way to verify that the file has actually been "signed" by the developers, which allows us to trust that it hasn't been tampered with.
|
||||
|
||||
|
@ -330,11 +337,11 @@ Now you need to understand the basics of public-key cryptography. [This Computer
|
|||
|
||||

|
||||
|
||||
Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.net/install/expert/index.en.html).
|
||||
Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now I'll explain the `gpg` commands in the [Tails verification instructions](https://tails.net/install/expert/index.en.html).
|
||||
|
||||
## Step: Generate a Key-Pair
|
||||
|
||||
Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate a key-pair.
|
||||
Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate your own key-pair.
|
||||
|
||||
* `gpg --gen-key` will prompt you for some configuration options and then generate your key-pair.
|
||||
|
||||
|
@ -349,7 +356,7 @@ Now we know that we have a genuine version of the Tails public key. `gpg` also
|
|||
|
||||
## Step: Verify the downloaded Tails .img file
|
||||
|
||||
* `TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.10.img.sig tails-amd64-5.10.img` allows you to verify that the .img file is signed as it should be by examining the output as instructed. Version numbers in the command will change.
|
||||
* `TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-6.1.img.sig tails-amd64-6.1.img` allows you to verify that the .img file is signed as it should be by examining the output as instructed. Version numbers in the command will change.
|
||||
|
||||
Now that we know that we have a genuine version of the Tails .img file, we can proceed to install it on a USB.
|
||||
|
||||
|
|
|
@ -98,7 +98,7 @@ After about 30 seconds of loading, the [Welcome Screen](https://tails.net/doc/fi
|
|||
On the Welcome Screen, select your language and keyboard layout in the **Language & Region** section. For Mac users, there is a keyboard layout for Macintosh. Under "Additional Settings" you will find a **+** button, click it and more configuration options will appear:
|
||||
|
||||
* Administration Password
|
||||
* Set this if you need administration rights. This is necessary, for example, to install additional software that you want to use during your Tails session. In the following dialog you can enter any password (and you have to remember it!). It will only be valid for this one Tails session.
|
||||
* Set this if you need administration rights. This is necessary, for example, to install additional software that you want to use during your Tails session. In the following dialog you can enter any password (and you have to remember it!). It will only be valid for this one Tails session. Restart the Tails session without an administration password as soon as you are done the activity that required it.
|
||||
* MAC Address Spoofing
|
||||
* We recommend that you never disable this. It is enabled by default.
|
||||
* Network Connection
|
||||
|
@ -372,7 +372,7 @@ To install software from the Debian software repository:
|
|||
* Start Tails with administration rights, then go to **Applications → System Tools → Synaptic Package Manager**.
|
||||
* When prompted, enter your administration password (it will take a while to download the repositories).
|
||||
* Go to "All" and select the software you want to install: "Select for installation", then "Apply".
|
||||
* Once done, if your Persistent Storage is open, Tails will ask if you want to install it once or add it to your Persistent Storage. If you add it to your Persistent Storage, the relevant software files will be saved there. For security reasons, they are automatically updated whenever a network connection is established.
|
||||
* Once done, if your Persistent Storage is open, a notification will ask if you want to "Install Only Once" or "Install Every Time" (which adds it to your Persistent Storage). If you add it to your Persistent Storage, the relevant software files will be saved there and automatically updated whenever a network connection is established.
|
||||
* You can access and remove the additional software you have installed by going to **Applications → System Tools → Additional Software**.
|
||||
|
||||
For more information, see the documentation on [installing additional software](https://tails.net/doc/persistent_storage/additional_software/index.en.html).
|
||||
|
|
|
@ -12,6 +12,8 @@ An anarchist threat model needs to protect against State-level adversaries that
|
|||
|
||||
We agree with the conclusion of an overview of [targeted surveillance measures in France](https://actforfree.noblogs.org/post/2023/07/24/number-of-the-day-89502-preventive-surveillance-measures-france/): "So let’s be clear about our responsibilities: if we knowingly bring a networked device equipped with a microphone and/or a camera (cell phone, baby monitor, computer, car GPS, networked watch, etc.) close to a conversation in which “private or confidential words are spoken” and must remain so, even if it's switched off, we become a potential state informer…"
|
||||
|
||||
We also recommend the Threat Library's ["Digital Best Practices"](https://www.notrace.how/threat-library/mitigations/digital-best-practices.html).
|
||||
|
||||
## Your Phone
|
||||
|
||||
>**[Operating system](/glossary#operating-system-os)**: **GrapheneOS** is the only reasonably secure choice for cell phones. See [GrapheneOS for Anarchists](/posts/grapheneos/). [Kill the cop in your pocket](/posts/nophones/) — if you decide to have a phone, treat it like an "encrypted landline" and leave it at home when you are out of the house.
|
||||
|
|
|
@ -560,6 +560,9 @@ h1
|
|||
text-align: center !important
|
||||
font-size: 2.8em !important
|
||||
|
||||
h1:not(.title)
|
||||
text-decoration: underline #AE3B8B !important
|
||||
|
||||
h2:not(.title)
|
||||
font-size: 1.8em !important
|
||||
margin-top: 2.5rem !important
|
||||
|
@ -629,6 +632,9 @@ body[theme="dark"] .title
|
|||
body[theme="dark"] h1
|
||||
color: #c9c7c9 !important
|
||||
|
||||
body[theme="dark"] h1:not(.title)
|
||||
text-decoration: underline #fa86d8 !important
|
||||
|
||||
body[theme="dark"] h2
|
||||
color: #c9c7c9 !important
|
||||
|
||||
|
|