mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 14:52:54 -04:00
standarize em dashes
This commit is contained in:
anarsec
parent
d6f4ad9d2e
commit
5d9796b043
12 changed files with 98 additions and 98 deletions
|
|
@ -12,7 +12,7 @@ paginate_by = 5
|
||||||
|
|
||||||
[PGP key](/anarsec.asc)
|
[PGP key](/anarsec.asc)
|
||||||
|
|
||||||
>Our PGP public key can be verified from a second location [at 0xacab](https://0xacab.org/anarsec/anarsec.guide/-/blob/no-masters/static/anarsec.asc) - commit SHA should be 4ab7e7262f51a661b02e1cf6712b75101f4b25e1.
|
>Our PGP public key can be verified from a second location [at 0xacab](https://0xacab.org/anarsec/anarsec.guide/-/blob/no-masters/static/anarsec.asc) — commit SHA should be 4ab7e7262f51a661b02e1cf6712b75101f4b25e1.
|
||||||
>
|
>
|
||||||
>WayBack Machine of PGP key: [anarsec.guide](https://web.archive.org/web/20230619164601/https://www.anarsec.guide/anarsec.asc) / [0xacab.org](https://web.archive.org/web/20230619164309/https://0xacab.org/anarsec/anarsec.guide/-/blob/no-masters/static/anarsec.asc)
|
>WayBack Machine of PGP key: [anarsec.guide](https://web.archive.org/web/20230619164601/https://www.anarsec.guide/anarsec.asc) / [0xacab.org](https://web.archive.org/web/20230619164309/https://0xacab.org/anarsec/anarsec.guide/-/blob/no-masters/static/anarsec.asc)
|
||||||
|
|
||||||
|
|
@ -21,7 +21,7 @@ paginate_by = 5
|
||||||
|
|
||||||
Anarsec encourages contributions! If you would like to suggest edits to a guide, we prefer that you contact us rather than submit a merge request on 0xacab. This is to maintain a unified tone and style to the guides.
|
Anarsec encourages contributions! If you would like to suggest edits to a guide, we prefer that you contact us rather than submit a merge request on 0xacab. This is to maintain a unified tone and style to the guides.
|
||||||
|
|
||||||
We are also open to submitted guides - please get in touch with proposals.
|
We are also open to submitted guides — please get in touch with proposals.
|
||||||
|
|
||||||
>0xacab commits are signed with SSH key fingerprint:
|
>0xacab commits are signed with SSH key fingerprint:
|
||||||
xXfPe+zku+SaJorO4XldMFcAVPMmQQgLHl4VpmYhiok
|
xXfPe+zku+SaJorO4XldMFcAVPMmQQgLHl4VpmYhiok
|
||||||
|
|
|
||||||
|
|
@ -60,7 +60,7 @@ For more information, see [symmetric cryptography](/glossary/#symmetric-cryptogr
|
||||||
|
|
||||||
### End-to-end encryption (e2ee)
|
### End-to-end encryption (e2ee)
|
||||||
|
|
||||||
Data is [encrypted](/glossary/#encryption) as it travels from one device to another - endpoint to endpoint - and cannot be decrypted by any intermediary. It can only be decrypted by the endpoints. This is different from "encryption at rest", such as [Full Disk Encryption](/glossary/#full-disk-encryption-fde), where the data stored on your device is encrypted when the device is turned off. Both are important!
|
Data is [encrypted](/glossary/#encryption) as it travels from one device to another — endpoint to endpoint — and cannot be decrypted by any intermediary. It can only be decrypted by the endpoints. This is different from "encryption at rest", such as [Full Disk Encryption](/glossary/#full-disk-encryption-fde), where the data stored on your device is encrypted when the device is turned off. Both are important!
|
||||||
|
|
||||||
For more information, check out [Encrypted Messaging for Anarchists](/posts/e2ee), and [Defend Dissent: Protecting Your Communications](https://open.oregonstate.education/defenddissent/chapter/protecting-your-communications/).
|
For more information, check out [Encrypted Messaging for Anarchists](/posts/e2ee), and [Defend Dissent: Protecting Your Communications](https://open.oregonstate.education/defenddissent/chapter/protecting-your-communications/).
|
||||||
|
|
||||||
|
|
@ -88,7 +88,7 @@ Hardening is a general term for the process of securing systems against attacks.
|
||||||
|
|
||||||
### HTTPS
|
### HTTPS
|
||||||
|
|
||||||
The "S" in HTTPS stands for "secure"; which means that your Internet connection is encrypted using the [Transport Layer Security (TLS)](https://invidious.sethforprivacy.com/watch?v=0TLDTodL7Lc&listen=false) protocol. This involves the website generating a certificate using [public-key cryptography](/glossary/#public-key-cryptography) that can be used to verify its authenticity - that you are actually connecting to the web server you intended, and that this connection is encrypted.
|
The "S" in HTTPS stands for "secure"; which means that your Internet connection is encrypted using the [Transport Layer Security (TLS)](https://invidious.sethforprivacy.com/watch?v=0TLDTodL7Lc&listen=false) protocol. This involves the website generating a certificate using [public-key cryptography](/glossary/#public-key-cryptography) that can be used to verify its authenticity — that you are actually connecting to the web server you intended, and that this connection is encrypted.
|
||||||
|
|
||||||
For more information, see [our explanation](/posts/tails/#what-is-https) or [Defend Dissent: Protecting Your Communications](https://open.oregonstate.education/defenddissent/chapter/protecting-your-communications/).
|
For more information, see [our explanation](/posts/tails/#what-is-https) or [Defend Dissent: Protecting Your Communications](https://open.oregonstate.education/defenddissent/chapter/protecting-your-communications/).
|
||||||
|
|
||||||
|
|
@ -236,7 +236,7 @@ Google Voice is a well-known and insecure VoIP service; this technology routes y
|
||||||
|
|
||||||
A VPN extends a private network (like your home network) over a public network (like the Internet). Devices connected to the VPN are part of the private network, even if they are physically located elsewhere. Applications that use a VPN are subject to the functionality, security, and management of the private network.
|
A VPN extends a private network (like your home network) over a public network (like the Internet). Devices connected to the VPN are part of the private network, even if they are physically located elsewhere. Applications that use a VPN are subject to the functionality, security, and management of the private network.
|
||||||
|
|
||||||
In other words, it is a technology that essentially makes it appear that you are connecting to the Internet from the network of the company providing the service, rather than from your home network. Your connection to the company is through an encrypted "tunnel". A VPN is not the best tool for anonymity (defined as knowing who you are – Tor is far better), but it can partially enhance your privacy (defined as knowing what you are doing).
|
In other words, it is a technology that essentially makes it appear that you are connecting to the Internet from the network of the company providing the service, rather than from your home network. Your connection to the company is through an encrypted "tunnel". A VPN is not the best tool for anonymity (defined as knowing who you are — Tor is far better), but it can partially enhance your privacy (defined as knowing what you are doing).
|
||||||
|
|
||||||
It is important to emphasize this to cut through the widespread marketing hype; [a VPN is not enough to keep you anonymous](https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me/). Using a VPN can be thought of as simply shifting your trust from a local Internet Service Provider which is guaranteed to be a snitch to a remote company that claims to limit its ability to effectively snitch on you.
|
It is important to emphasize this to cut through the widespread marketing hype; [a VPN is not enough to keep you anonymous](https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me/). Using a VPN can be thought of as simply shifting your trust from a local Internet Service Provider which is guaranteed to be a snitch to a remote company that claims to limit its ability to effectively snitch on you.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -67,7 +67,7 @@ Once the server exists, contacts can be invited to use it. For asynchronous dire
|
||||||
|
|
||||||
Any Cwtch user can turn the app on their phone or computer into an untrusted server to host a group chat, though this is best for temporary needs like an event or short-term coordination, as the device must remain powered on for it to work. Fortunately, [Anarchy Planet](https://anarchyplanet.org/chat.html#cwtch) runs a public server that is suitable for long-term groups.
|
Any Cwtch user can turn the app on their phone or computer into an untrusted server to host a group chat, though this is best for temporary needs like an event or short-term coordination, as the device must remain powered on for it to work. Fortunately, [Anarchy Planet](https://anarchyplanet.org/chat.html#cwtch) runs a public server that is suitable for long-term groups.
|
||||||
|
|
||||||
Asynchronous conversations on Cwtch need to be started from a synchronous conversation - you need to be online at the same time as your contact to invite them to a group, and then you no longer need to be online at the same time. In the future, Cwtch plans to improve this with [hybrid groups](https://docs.cwtch.im/blog/path-to-hybrid-groups/). Until this is implemented, you will need to establish your asynchronous Cwtch conversations by using a second channel to set a time for when you both need be on Cwtch.
|
Asynchronous conversations on Cwtch need to be started from a synchronous conversation — you need to be online at the same time as your contact to invite them to a group, and then you no longer need to be online at the same time. In the future, Cwtch plans to improve this with [hybrid groups](https://docs.cwtch.im/blog/path-to-hybrid-groups/). Until this is implemented, you will need to establish your asynchronous Cwtch conversations by using a second channel to set a time for when you both need be on Cwtch.
|
||||||
|
|
||||||
You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs.cwtch.im/).
|
You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs.cwtch.im/).
|
||||||
|
|
||||||
|
|
@ -87,7 +87,7 @@ Real-time messaging applications are particularly susceptible to end-to-end corr
|
||||||
|
|
||||||
**Need #3: Resiliency to exploits**
|
**Need #3: Resiliency to exploits**
|
||||||
|
|
||||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Cwtch libraries are written in memory-safe languages (Go and Rust) and Cwtch does [fuzz testing](https://openprivacy.ca/discreet-log/07-fuzzbot/) to find bugs. See the [Security Handbook](https://docs.cwtch.im/security/intro) to learn more. For public-facing project accounts, we recommend against enabling the "file sharing experiment" or the "image previews and profile pictures experiment" in the settings.
|
A vulnerability in any application can be targeted with exploits — a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Cwtch libraries are written in memory-safe languages (Go and Rust) and Cwtch does [fuzz testing](https://openprivacy.ca/discreet-log/07-fuzzbot/) to find bugs. See the [Security Handbook](https://docs.cwtch.im/security/intro) to learn more. For public-facing project accounts, we recommend against enabling the "file sharing experiment" or the "image previews and profile pictures experiment" in the settings.
|
||||||
|
|
||||||
**Need #4: For multiple project members to be able to access the same messages**
|
**Need #4: For multiple project members to be able to access the same messages**
|
||||||
|
|
||||||
|
|
@ -97,7 +97,7 @@ If a project has multiple members, all of them should be able to access the same
|
||||||
>
|
>
|
||||||
>[**Briar**](https://briarproject.org) is another application that works in a similar way (with peer-to-peer and Tor), using the [Bramble Transport Protocol](https://code.briarproject.org/briar/briar/-/wikis/A-Quick-Overview-of-the-Protocol-Stack) (BTP). Briar's main distinguishing feature is that it continues to work [even when the underlying network infrastructure is down](https://briarproject.org/how-it-works/). It was [audited in 2017](https://code.briarproject.org/briar/briar/-/wikis/FAQ#has-briar-been-independently-audited). Unfortunately, Briar Desktop does not yet work with Tails or Qubes-Whonix because it cannot [use the system Tor](https://code.briarproject.org/briar/briar/-/issues/2095). Unlike Cwtch, to connect to a contact on Briar, you both have to add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. [Briar Mailbox](https://briarproject.org/download-briar-mailbox/) allows asynchronous communication.
|
>[**Briar**](https://briarproject.org) is another application that works in a similar way (with peer-to-peer and Tor), using the [Bramble Transport Protocol](https://code.briarproject.org/briar/briar/-/wikis/A-Quick-Overview-of-the-Protocol-Stack) (BTP). Briar's main distinguishing feature is that it continues to work [even when the underlying network infrastructure is down](https://briarproject.org/how-it-works/). It was [audited in 2017](https://code.briarproject.org/briar/briar/-/wikis/FAQ#has-briar-been-independently-audited). Unfortunately, Briar Desktop does not yet work with Tails or Qubes-Whonix because it cannot [use the system Tor](https://code.briarproject.org/briar/briar/-/issues/2095). Unlike Cwtch, to connect to a contact on Briar, you both have to add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. [Briar Mailbox](https://briarproject.org/download-briar-mailbox/) allows asynchronous communication.
|
||||||
>
|
>
|
||||||
>[**OnionShare**](https://docs.onionshare.org/2.6/en/features.html#chat-anonymously) has a chat feature that creates an ephemeral peer-to-peer chat room that is routed over the Tor network. The metadata protection works in the same way as Cwtch; it uses the Tor network as a shield and stores everything (ephemerally) locally on the device running OnionShare. OnionShare doesn’t implement any chat encryption on its own - it relies on the Tor onion service’s encryption. Cwtch and Briar both have more features (including the additional Tapir and BTP encryption protocols). The only advantage of OnionShare is that it is installed on Tails by default.
|
>[**OnionShare**](https://docs.onionshare.org/2.6/en/features.html#chat-anonymously) has a chat feature that creates an ephemeral peer-to-peer chat room that is routed over the Tor network. The metadata protection works in the same way as Cwtch; it uses the Tor network as a shield and stores everything (ephemerally) locally on the device running OnionShare. OnionShare doesn’t implement any chat encryption on its own — it relies on the Tor onion service’s encryption. Cwtch and Briar both have more features (including the additional Tapir and BTP encryption protocols). The only advantage of OnionShare is that it is installed on Tails by default.
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>
|
<summary>
|
||||||
|
|
@ -161,11 +161,11 @@ Cwtch on Whonix does not guarantee Tor [Stream Isolation](/posts/qubes/#whonix-a
|
||||||
|
|
||||||
SimpleX Chat functions without persistent user IDs, which creates strong metadata protection. This means that an adversary can't easily observe how users are connected to each other in a network. This is possible because connection requests work by sharing an invitation link that is communicated through a separate channel, or in person. When connecting to another user you have the choice to use "Incognito mode", which creates a new random profile for each contact. This avoids sharing any data between contacts.
|
SimpleX Chat functions without persistent user IDs, which creates strong metadata protection. This means that an adversary can't easily observe how users are connected to each other in a network. This is possible because connection requests work by sharing an invitation link that is communicated through a separate channel, or in person. When connecting to another user you have the choice to use "Incognito mode", which creates a new random profile for each contact. This avoids sharing any data between contacts.
|
||||||
|
|
||||||
As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer - it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server).
|
As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer — it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server).
|
||||||
|
|
||||||
Since SimpleX requires that users [place some trust in the SimpleX servers](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers), **we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls**. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone.
|
Since SimpleX requires that users [place some trust in the SimpleX servers](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers), **we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls**. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone.
|
||||||
|
|
||||||
If SimpleX is served with a warrant, their [privacy policy](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md) is quite specific. Servers have the [records of the message queues](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#connections-with-other-users) and any [undelivered encrypted messages](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#messages-and-files) - no data is stored that links the queues or messages to particular users, and the data which is stored is not very useful without access to the user's device.
|
If SimpleX is served with a warrant, their [privacy policy](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md) is quite specific. Servers have the [records of the message queues](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#connections-with-other-users) and any [undelivered encrypted messages](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#messages-and-files) — no data is stored that links the queues or messages to particular users, and the data which is stored is not very useful without access to the user's device.
|
||||||
|
|
||||||
SimpleX Chat will work with Tor if used on an operating system that forces it to, such as Whonix or Tails. However, voice and video calls generally don't work very well over Tor regardless of which application you use.
|
SimpleX Chat will work with Tor if used on an operating system that forces it to, such as Whonix or Tails. However, voice and video calls generally don't work very well over Tor regardless of which application you use.
|
||||||
|
|
||||||
|
|
@ -185,7 +185,7 @@ Real-time messaging applications are particularly susceptible to end-to-end corr
|
||||||
|
|
||||||
**Need #3: Resiliency to exploits**
|
**Need #3: Resiliency to exploits**
|
||||||
|
|
||||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). For public-facing project accounts, we recommend that you set SimpleX Chat preferences to only allow text (prohibiting voice messages and attachments).
|
A vulnerability in any application can be targeted with exploits — a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). For public-facing project accounts, we recommend that you set SimpleX Chat preferences to only allow text (prohibiting voice messages and attachments).
|
||||||
|
|
||||||
**Need #4: For multiple project members to be able to access the same messages**
|
**Need #4: For multiple project members to be able to access the same messages**
|
||||||
|
|
||||||
|
|
@ -261,7 +261,7 @@ The Signal Protocol has a moderate amount of metadata protection; [sealed sender
|
||||||
|
|
||||||
Signal is not peer-to-peer; it uses centralized servers that we must trust. Signal will work with Tor if used on an operating system that forces it to, such as Whonix or Tails.
|
Signal is not peer-to-peer; it uses centralized servers that we must trust. Signal will work with Tor if used on an operating system that forces it to, such as Whonix or Tails.
|
||||||
|
|
||||||
Signing up for a Signal account is difficult to do anonymously. The account is tied to a phone number that the user must retain control of - due to [changes in "registration lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number) and must be maintained as long as you’re using it, which takes some technical know-how and likely some money, limiting the amount of people who will do this.
|
Signing up for a Signal account is difficult to do anonymously. The account is tied to a phone number that the user must retain control of — due to [changes in "registration lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number) and must be maintained as long as you’re using it, which takes some technical know-how and likely some money, limiting the amount of people who will do this.
|
||||||
|
|
||||||
Another barrier to anonymous registration is that Signal Desktop will only work if Signal is first registered from a smartphone. For users familiar with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer using [Signal-cli](https://0xacab.org/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for registration would have to be obtained anonymously.
|
Another barrier to anonymous registration is that Signal Desktop will only work if Signal is first registered from a smartphone. For users familiar with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer using [Signal-cli](https://0xacab.org/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for registration would have to be obtained anonymously.
|
||||||
|
|
||||||
|
|
@ -269,13 +269,13 @@ These barriers to anonymous registration mean that Signal is rarely used anonymo
|
||||||
|
|
||||||
In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. Police seized suspects' phones during arrests and house raids, as well as targeting them through spyware, and then identified Signal contacts and group members. These identities were added to the list of suspects who were subsequently investigated.
|
In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. Police seized suspects' phones during arrests and house raids, as well as targeting them through spyware, and then identified Signal contacts and group members. These identities were added to the list of suspects who were subsequently investigated.
|
||||||
|
|
||||||
The risk of a compromised device aiding the police in network mapping is partly mitigated by the [username feature](https://signal.org/blog/phone-number-privacy-usernames/) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. We recommend that you select a username and profile photo that won't be useful for establishing your identity. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
|
The risk of a compromised device aiding the police in network mapping is partly mitigated by the [username feature](https://signal.org/blog/phone-number-privacy-usernames/) — use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. We recommend that you select a username and profile photo that won't be useful for establishing your identity. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
|
||||||
|
|
||||||
A private company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
|
A private company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
|
||||||
|
|
||||||
>In its targeted interception mode – which starts from a single target – JASMINE has claimed it is able to identify communicating parties in encrypted but peer-to-peer applications [...] the JASMINE documentation explicitly claims support for identifying the IP addresses of participants in encrypted apps such as WhatsApp and Signal during voice and video calls where peer-to-peer connections are also used for calling by default.
|
>In its targeted interception mode — which starts from a single target — JASMINE has claimed it is able to identify communicating parties in encrypted but peer-to-peer applications [...] the JASMINE documentation explicitly claims support for identifying the IP addresses of participants in encrypted apps such as WhatsApp and Signal during voice and video calls where peer-to-peer connections are also used for calling by default.
|
||||||
>
|
>
|
||||||
>The JASMINE documentation also explains that by analysing encrypted traffic “events” for a whole country – in mass interception mode – JASMINE has the ability to correlate and identify the participants in encrypted group chats on messaging apps.
|
>The JASMINE documentation also explains that by analysing encrypted traffic “events” for a whole country — in mass interception mode — JASMINE has the ability to correlate and identify the participants in encrypted group chats on messaging apps.
|
||||||
|
|
||||||
A similar surveillance product would not work against Cwtch because it uses Tor by default. Without a Tor or VPN proxy, an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack. Although it is possible to configure Signal to use a VPN or Tor, it is opt-in so most people will not use it like this.
|
A similar surveillance product would not work against Cwtch because it uses Tor by default. Without a Tor or VPN proxy, an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack. Although it is possible to configure Signal to use a VPN or Tor, it is opt-in so most people will not use it like this.
|
||||||
|
|
||||||
|
|
@ -292,7 +292,7 @@ Signal was designed to bring encrypted communication to the masses, not for an a
|
||||||
We recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are familiar with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal needs to be registered on a smartphone before it can be connected to a computer. Install Signal the same way you would install any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). If you are using Signal from behind a VPN (as [we recommend](/posts/grapheneos/#how-to-install-software)) then a relay for calls is redundant and should be turned off: **Settings → Privacy → Advanced**, disable **Always relay calls**
|
We recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are familiar with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal needs to be registered on a smartphone before it can be connected to a computer. Install Signal the same way you would install any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). If you are using Signal from behind a VPN (as [we recommend](/posts/grapheneos/#how-to-install-software)) then a relay for calls is redundant and should be turned off: **Settings → Privacy → Advanced**, disable **Always relay calls**
|
||||||
|
|
||||||
|
|
||||||
[Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android - we recommend it over Signal, and trusting the Molly team is made easier by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't available in the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption.
|
[Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android — we recommend it over Signal, and trusting the Molly team is made easier by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't available in the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
</details>
|
</details>
|
||||||
|
|
@ -377,13 +377,13 @@ Anyone can send a message to a public email account regardless of whether the re
|
||||||
|
|
||||||
**Need #2: Resiliency to correlation attacks**
|
**Need #2: Resiliency to correlation attacks**
|
||||||
|
|
||||||
Email is not a real-time messaging application - this means that it is not particularly susceptible to end-to-end correlation attacks via time.
|
Email is not a real-time messaging application — this means that it is not particularly susceptible to end-to-end correlation attacks via time.
|
||||||
|
|
||||||
No content padding exists to frustrate correlation attacks via message size in email protocols, but if you access the mail servers through Tor then the traffic is padded.
|
No content padding exists to frustrate correlation attacks via message size in email protocols, but if you access the mail servers through Tor then the traffic is padded.
|
||||||
|
|
||||||
**Need #3: Resiliency to exploits**
|
**Need #3: Resiliency to exploits**
|
||||||
|
|
||||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Email can be accessed through webmail (via Tor Browser) or through a client like Thunderbird - these have different attack surfaces. For example, a Cwtch developer found an exploit to [turn Thunderbird into a decryption oracle](https://pseudorandom.resistant.tech/disclosing-security-and-privacy-issues-in-thunderbird.html) when it displays messages with HTML.
|
A vulnerability in any application can be targeted with exploits — a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Email can be accessed through webmail (via Tor Browser) or through a client like Thunderbird — these have different attack surfaces. For example, a Cwtch developer found an exploit to [turn Thunderbird into a decryption oracle](https://pseudorandom.resistant.tech/disclosing-security-and-privacy-issues-in-thunderbird.html) when it displays messages with HTML.
|
||||||
|
|
||||||
We recommend using Thunderbird (which is available in Tails and Qubes-Whonix by default) with the setting to display email as "Plain Text" rather than as HTML: View → Message Body As → Plain Text. Most webmail will not function with Tor Browser in "Safest" mode.
|
We recommend using Thunderbird (which is available in Tails and Qubes-Whonix by default) with the setting to display email as "Plain Text" rather than as HTML: View → Message Body As → Plain Text. Most webmail will not function with Tor Browser in "Safest" mode.
|
||||||
|
|
||||||
|
|
@ -401,5 +401,5 @@ If a project has multiple members, all of them should be able to access the same
|
||||||
|
|
||||||
We do *not* recommend:
|
We do *not* recommend:
|
||||||
* **Telegram**: Telegram has no end-to-end encryption for group chats, and it is opt-in for one-on-one chats. The encryption doesn't use established protocols, and has had cryptographers describe it as ["the most backdoor-looking bug I’ve ever seen"](https://words.filippo.io/dispatches/telegram-ecdh/).
|
* **Telegram**: Telegram has no end-to-end encryption for group chats, and it is opt-in for one-on-one chats. The encryption doesn't use established protocols, and has had cryptographers describe it as ["the most backdoor-looking bug I’ve ever seen"](https://words.filippo.io/dispatches/telegram-ecdh/).
|
||||||
* **Matrix/Element**: Matrix has a problem that is inherent in federated networks - terrible [metadata leakage](https://anarc.at/blog/2022-06-17-matrix-notes/#metadata-handling) and [data ownership](https://anarc.at/blog/2022-06-17-matrix-notes/#data-retention-defaults). It has no forward secrecy, the Element client has a large attack surface, and there is a [long list of other issues](https://telegra.ph/why-not-matrix-08-07). What's more, the developers are very friendly with various [national police agencies](https://element.io/blog/bundesmessenger-is-a-milestone-in-germanys-ground-breaking-vision/).
|
* **Matrix/Element**: Matrix has a problem that is inherent in federated networks — terrible [metadata leakage](https://anarc.at/blog/2022-06-17-matrix-notes/#metadata-handling) and [data ownership](https://anarc.at/blog/2022-06-17-matrix-notes/#data-retention-defaults). It has no forward secrecy, the Element client has a large attack surface, and there is a [long list of other issues](https://telegra.ph/why-not-matrix-08-07). What's more, the developers are very friendly with various [national police agencies](https://element.io/blog/bundesmessenger-is-a-milestone-in-germanys-ground-breaking-vision/).
|
||||||
* **XMPP Clients**: Regardless of the client, an XMPP server will [always be able to see your contact list](https://coy.im/documentation/security-threat-model/). Additionally, server-side parties (e.g., administrators, attackers, law enforcement) can [inject arbitrary messages, modify address books, log passwords in cleartext](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/) and [act as a man-in-the-middle](https://notes.valdikss.org.ru/jabber.ru-mitm/).
|
* **XMPP Clients**: Regardless of the client, an XMPP server will [always be able to see your contact list](https://coy.im/documentation/security-threat-model/). Additionally, server-side parties (e.g., administrators, attackers, law enforcement) can [inject arbitrary messages, modify address books, log passwords in cleartext](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/) and [act as a man-in-the-middle](https://notes.valdikss.org.ru/jabber.ru-mitm/).
|
||||||
|
|
|
||||||
|
|
@ -25,11 +25,11 @@ Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/fi
|
||||||
|
|
||||||
# Installation
|
# Installation
|
||||||
|
|
||||||
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, [making it substantially harder to remotely exploit user installed apps like Signal](https://grapheneos.social/@GrapheneOS/111479318824446241).
|
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS — see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, [making it substantially harder to remotely exploit user installed apps like Signal](https://grapheneos.social/@GrapheneOS/111479318824446241).
|
||||||
|
|
||||||
Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
|
Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
|
||||||
|
|
||||||
Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
|
Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released — for example, the Google Pixel 6a after the Pixel 7 is released.
|
||||||
|
|
||||||
[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
|
[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
|
||||||
|
|
||||||
|
|
@ -77,13 +77,13 @@ How does it work? Your new device is the *auditee*, and the *auditor* can be eit
|
||||||
|
|
||||||
First, immediately after installing the device and before connecting to the Internet, [perform a "local verification"](https://attestation.app/tutorial#local-verification). This requires the presence of a friend whom you see semi-regularly and who has the Auditor app (on any Android device). The first pairing will show a brown background, and subsequent audits will show attestation results with a green background if nothing is remiss. There is no remote connection established between the phones of the auditor and auditee; you must perform these verifications in person.
|
First, immediately after installing the device and before connecting to the Internet, [perform a "local verification"](https://attestation.app/tutorial#local-verification). This requires the presence of a friend whom you see semi-regularly and who has the Auditor app (on any Android device). The first pairing will show a brown background, and subsequent audits will show attestation results with a green background if nothing is remiss. There is no remote connection established between the phones of the auditor and auditee; you must perform these verifications in person.
|
||||||
|
|
||||||
We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, and then turn on Wi-Fi. This "will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio." Leave airplane mode on at all times - otherwise the phone will interact with cellular networks even if there is no SIM card the phone.
|
We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, and then turn on Wi-Fi. This "will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio." Leave airplane mode on at all times — otherwise the phone will interact with cellular networks even if there is no SIM card the phone.
|
||||||
|
|
||||||
You are now ready to connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up a [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. The default delay until alerts is 48 hours; if you know your phone will be off for a longer period, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home while traveling), simply ignore the notification emails. You can always log back in to view your attestation history.
|
You are now ready to connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up a [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. The default delay until alerts is 48 hours; if you know your phone will be off for a longer period, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home while traveling), simply ignore the notification emails. You can always log back in to view your attestation history.
|
||||||
|
|
||||||
# User Profiles
|
# User Profiles
|
||||||
|
|
||||||
User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) compartmentalizes your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from each other - if one is compromised, the others aren't necessarily.
|
User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) compartmentalizes your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from each other — if one is compromised, the others aren't necessarily.
|
||||||
|
|
||||||
The Owner user profile is the default profile that is present when you turn on the phone. You can create additional user profiles. Each profile is [encrypted](/glossary/#encryption) with its own encryption key and cannot access the data of other profiles. Even the device owner cannot view the data of other profiles without knowing their password. A shortcut for switching between different user profiles is located at the bottom of Quick Settings (accessible by swiping down twice from the top of the screen). When you press **End session** on a profile, that profile's data is encrypted at rest.
|
The Owner user profile is the default profile that is present when you turn on the phone. You can create additional user profiles. Each profile is [encrypted](/glossary/#encryption) with its own encryption key and cannot access the data of other profiles. Even the device owner cannot view the data of other profiles without knowing their password. A shortcut for switching between different user profiles is located at the bottom of Quick Settings (accessible by swiping down twice from the top of the screen). When you press **End session** on a profile, that profile's data is encrypted at rest.
|
||||||
|
|
||||||
|
|
@ -128,9 +128,9 @@ To install and configure Sandboxed Google Play:
|
||||||
|
|
||||||
You are now ready to install applications from the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you want to use a free VPN, we recommend RiseupVPN. If you want to pay for a VPN anonymously, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). VPNs must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
You are now ready to install applications from the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you want to use a free VPN, we recommend RiseupVPN. If you want to pay for a VPN anonymously, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). VPNs must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
||||||
|
|
||||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks – especially those targeting messaging apps – more difficult to perform and less effective.
|
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
||||||
|
|
||||||
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN** and follow the instructions. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps - see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN** and follow the instructions. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps — see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||||
|
|
||||||
Now we will delegate apps to the profiles they are needed in:
|
Now we will delegate apps to the profiles they are needed in:
|
||||||
|
|
||||||
|
|
@ -139,7 +139,7 @@ Now we will delegate apps to the profiles they are needed in:
|
||||||
|
|
||||||
## Software That Isn't On the Play Store
|
## Software That Isn't On the Play Store
|
||||||
|
|
||||||
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself). [Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to the profiles it is needed in. Unfortunately, apps obtained through Obtainium require manual updates - it will notify you when one is needed.
|
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself). [Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to the profiles it is needed in. Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.
|
||||||
|
|
||||||
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal without [Google software](https://github.com/mollyim/mollyim-android#free-and-open-source) and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium, press **Add App**, then copy the Github Releases URL. Obtanium will be able to install the app, and if there is a new version, you will get a system notification and an update icon next to it, and you will need to update it manually.
|
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal without [Google software](https://github.com/mollyim/mollyim-android#free-and-open-source) and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium, press **Add App**, then copy the Github Releases URL. Obtanium will be able to install the app, and if there is a new version, you will get a system notification and an update icon next to it, and you will need to update it manually.
|
||||||
|
|
||||||
|
|
@ -165,7 +165,7 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
|
||||||
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
|
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
|
||||||
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
|
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
|
||||||
* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
|
* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
|
||||||
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - apps installed in a secondary user profile delegated from the Owner profile will still be updated.
|
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile — apps installed in a secondary user profile delegated from the Owner profile will still be updated.
|
||||||
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
|
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
|
||||||
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
|
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
|
||||||
* It is convenient to be able to receive notifications from any user profile:
|
* It is convenient to be able to receive notifications from any user profile:
|
||||||
|
|
|
||||||
|
|
@ -42,7 +42,7 @@ Part of the learning curve for Linux is figuring out which open-source software
|
||||||
|
|
||||||
The dreaded [command line](/glossary/#command-line-interface-cli)! What even is it? You are used to interacting with applications through a **Graphical User Interface (GUI)**, which means pointing and clicking with your mouse. Some applications can also be interacted with through a **Command Line Interface (CLI)**, which is textual. Many applications are available in both CLI and GUI versions. In a nutshell, the GUI is just a graphical depiction of the same things that you would do in the Command Line (CLI), designed to make it easier and more intuitive to navigate your computer.
|
The dreaded [command line](/glossary/#command-line-interface-cli)! What even is it? You are used to interacting with applications through a **Graphical User Interface (GUI)**, which means pointing and clicking with your mouse. Some applications can also be interacted with through a **Command Line Interface (CLI)**, which is textual. Many applications are available in both CLI and GUI versions. In a nutshell, the GUI is just a graphical depiction of the same things that you would do in the Command Line (CLI), designed to make it easier and more intuitive to navigate your computer.
|
||||||
|
|
||||||
For example, navigating the contents of your computer with the File Manager GUI is pretty standard - you click on a folder (called a *directory* in Linux), and it opens. The same navigation through the file system is also possible from the CLI.
|
For example, navigating the contents of your computer with the File Manager GUI is pretty standard — you click on a folder (called a *directory* in Linux), and it opens. The same navigation through the file system is also possible from the CLI.
|
||||||
|
|
||||||
When you open a Terminal (the CLI application), you get a *prompt*. It is called a prompt because it is prompting you to say something in a language that the Terminal understands. Prompts differ in what information is displayed, but they all end with the `$` character. You then give *commands* to the Terminal. The Terminal responds, then redisplays the prompt for the next command.
|
When you open a Terminal (the CLI application), you get a *prompt*. It is called a prompt because it is prompting you to say something in a language that the Terminal understands. Prompts differ in what information is displayed, but they all end with the `$` character. You then give *commands* to the Terminal. The Terminal responds, then redisplays the prompt for the next command.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ Fortunately, there is a tool that comprehensively cleans metadata, and it is ava
|
||||||
|
|
||||||
# Using the Metadata Cleaner
|
# Using the Metadata Cleaner
|
||||||
|
|
||||||
If you are not comfortable with the command line, we recommend using Metadata Cleaner - it uses `mat2` under the hood, so it has all the same functionality. Metadata Cleaner is better than Exiftool and other metadata removal software - see the [comparison docs](https://0xacab.org/jvoisin/mat2/-/blob/master/doc/comparison_to_others.md).
|
If you are not comfortable with the command line, we recommend using Metadata Cleaner — it uses `mat2` under the hood, so it has all the same functionality. Metadata Cleaner is better than Exiftool and other metadata removal software — see the [comparison docs](https://0xacab.org/jvoisin/mat2/-/blob/master/doc/comparison_to_others.md).
|
||||||
|
|
||||||
Metadata Cleaner shows the metadata it detects, but "it doesn't mean that a file is clean from any metadata if mat2 doesn't show any. There is no reliable way to detect every single possible metadata for complex file formats." This means that you should clean the file even if no metadata is displayed.
|
Metadata Cleaner shows the metadata it detects, but "it doesn't mean that a file is clean from any metadata if mat2 doesn't show any. There is no reliable way to detect every single possible metadata for complex file formats." This means that you should clean the file even if no metadata is displayed.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ Another primary goal of targeted surveillance is to map the target's social netw
|
||||||
|
|
||||||
The normalization of constant connectivity within dominant society has led some anarchists to correctly note that phone [metadata](/glossary/#metadata) is useful to investigators. However, the conclusion that some draw from this insight, that we should ["never turn off the phone,"](https://web.archive.org/web/20210126183740/https://325.nostate.net/2018/11/09/never-turn-off-the-phone-a-new-approach-to-security-culture) takes us in the wrong direction. Their logic is that if you step out of the normal metadata patterns, those moments become suspicious, and if those moments coincide with when an action occurs, that could be used as evidence to link you to the crime or to investigate you more closely. While this is true, it makes far more sense to minimize the creation of normal metadata patterns in the first place.
|
The normalization of constant connectivity within dominant society has led some anarchists to correctly note that phone [metadata](/glossary/#metadata) is useful to investigators. However, the conclusion that some draw from this insight, that we should ["never turn off the phone,"](https://web.archive.org/web/20210126183740/https://325.nostate.net/2018/11/09/never-turn-off-the-phone-a-new-approach-to-security-culture) takes us in the wrong direction. Their logic is that if you step out of the normal metadata patterns, those moments become suspicious, and if those moments coincide with when an action occurs, that could be used as evidence to link you to the crime or to investigate you more closely. While this is true, it makes far more sense to minimize the creation of normal metadata patterns in the first place.
|
||||||
|
|
||||||
Our connections to the infrastructures of domination must remain sporadic and unpredictable if we are to retain any semblance of freedom and ability to strike at the enemy. What if the reconnaissance required for an action requires an entire weekend away from electronic devices? Or let's start with the simple fact that phones must be left at home during an action - this only becomes the outlier to a pattern if phones otherwise accompany us wherever we go. In a normatively "always connected" life, either of these metadata changes would stick out like a sore thumb, but this is not the case if you refuse to always be plugged in. **This requires leaving your phone at home by default**.
|
Our connections to the infrastructures of domination must remain sporadic and unpredictable if we are to retain any semblance of freedom and ability to strike at the enemy. What if the reconnaissance required for an action requires an entire weekend away from electronic devices? Or let's start with the simple fact that phones must be left at home during an action — this only becomes the outlier to a pattern if phones otherwise accompany us wherever we go. In a normatively "always connected" life, either of these metadata changes would stick out like a sore thumb, but this is not the case if you refuse to always be plugged in. **This requires leaving your phone at home by default**.
|
||||||
|
|
||||||
# Do You Really Need a Phone?
|
# Do You Really Need a Phone?
|
||||||
|
|
||||||
|
|
@ -50,7 +50,7 @@ You may choose to live without phones entirely, if you don't feel that you need
|
||||||
|
|
||||||
Many bureaucratic institutions that we are forced to deal with make it difficult to live without a phone: health care, banking, etc. Since these communications do not need to be encrypted, you can use a [Voice over Internet Protocol (VoIP)](/glossary#voip-voice-over-internet-protocol) application (which allows you to make phone calls over the Internet rather than through cell towers).
|
Many bureaucratic institutions that we are forced to deal with make it difficult to live without a phone: health care, banking, etc. Since these communications do not need to be encrypted, you can use a [Voice over Internet Protocol (VoIP)](/glossary#voip-voice-over-internet-protocol) application (which allows you to make phone calls over the Internet rather than through cell towers).
|
||||||
|
|
||||||
Any VoIP application option on a computer is asynchronous because it doesn't ring when the computer is off - you rely on the voicemail feature to return missed calls. For example, a service like [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) gives you a VoIP number, which you can pay for in cryptocurrency, and you make calls using an XMPP application - [Cheogram](https://cheogram.com/) works well.
|
Any VoIP application option on a computer is asynchronous because it doesn't ring when the computer is off — you rely on the voicemail feature to return missed calls. For example, a service like [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) gives you a VoIP number, which you can pay for in cryptocurrency, and you make calls using an XMPP application — [Cheogram](https://cheogram.com/) works well.
|
||||||
|
|
||||||
If you use an "encrypted landline", you can use a [VoIP app](/posts/grapheneos/#voip).
|
If you use an "encrypted landline", you can use a [VoIP app](/posts/grapheneos/#voip).
|
||||||
|
|
||||||
|
|
@ -100,13 +100,13 @@ Perhaps taking the example of architecture can better illustrate something as co
|
||||||
|
|
||||||
It is the same with all the technologies of today that are presented to us as progress and as something that makes life easier. They were designed with the intention of making money and controlling us, and will always carry that. No matter how many supposed benefits your smartphone brings you, those who get rich by collecting your data and monitoring you will always benefit more than you.
|
It is the same with all the technologies of today that are presented to us as progress and as something that makes life easier. They were designed with the intention of making money and controlling us, and will always carry that. No matter how many supposed benefits your smartphone brings you, those who get rich by collecting your data and monitoring you will always benefit more than you.
|
||||||
|
|
||||||
If in the past it was said that "knowledge is power", today it should be said that "information is power". The more rulers know about their flocks, the better they can dominate them - in this sense, technology as a whole is a powerful tool of control to predict and thus prevent people from coming together to attack what oppresses them.
|
If in the past it was said that "knowledge is power", today it should be said that "information is power". The more rulers know about their flocks, the better they can dominate them — in this sense, technology as a whole is a powerful tool of control to predict and thus prevent people from coming together to attack what oppresses them.
|
||||||
|
|
||||||
These smartphones seem to need a little more than just a little electricity... In our generation, which at least knew a world without smartphones, there might still be some people who understand what I'm talking about, who still know what it's like to have a discussion without looking at their phone every thirty seconds, to get lost and discover new places by doing so, or to debate something without immediately asking Google for the answer. But I don't want to go back to the past, even though it wouldn't be possible anyway, but the more technology penetrates our lives, the harder it becomes to destroy it. What if we are one of the last generations able to stop this evolution of human beings into completely controlled robots?
|
These smartphones seem to need a little more than just a little electricity... In our generation, which at least knew a world without smartphones, there might still be some people who understand what I'm talking about, who still know what it's like to have a discussion without looking at their phone every thirty seconds, to get lost and discover new places by doing so, or to debate something without immediately asking Google for the answer. But I don't want to go back to the past, even though it wouldn't be possible anyway, but the more technology penetrates our lives, the harder it becomes to destroy it. What if we are one of the last generations able to stop this evolution of human beings into completely controlled robots?
|
||||||
|
|
||||||
And what if at some point we will be unable to reverse this development? Humanity has reached a historically new stage with technology. A stage where it is able to annihilate all human life (nuclear energy) or to modify it (genetic manipulation). This fact underlines once again the need to act today to destroy this society. To do this, we need to encounter other people and communicate our ideas.
|
And what if at some point we will be unable to reverse this development? Humanity has reached a historically new stage with technology. A stage where it is able to annihilate all human life (nuclear energy) or to modify it (genetic manipulation). This fact underlines once again the need to act today to destroy this society. To do this, we need to encounter other people and communicate our ideas.
|
||||||
|
|
||||||
Isn't it obvious that if instead of talking to each other, we only communicate in messages of five sentences or less, there will be long-term effects? Apparently not. First of all, the way we think influences the way we speak, and vice versa - the way we speak and communicate influences the way we think. If we are only able to exchange the shortest and most concise messages, how can we talk about a completely different world? And if we can't even talk about another world, how can we reach for it?
|
Isn't it obvious that if instead of talking to each other, we only communicate in messages of five sentences or less, there will be long-term effects? Apparently not. First of all, the way we think influences the way we speak, and vice versa — the way we speak and communicate influences the way we think. If we are only able to exchange the shortest and most concise messages, how can we talk about a completely different world? And if we can't even talk about another world, how can we reach for it?
|
||||||
|
|
||||||
Direct communication between autonomous individuals is the basis of any shared rebellion, it is the starting point of shared dreams and common struggles. Without unmediated communication, a struggle against this world and for freedom is impossible.
|
Direct communication between autonomous individuals is the basis of any shared rebellion, it is the starting point of shared dreams and common struggles. Without unmediated communication, a struggle against this world and for freedom is impossible.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,9 +21,9 @@ Qubes OS can be configured to force all Internet connections through the [Tor ne
|
||||||
|
|
||||||
# Who is Qubes OS For?
|
# Who is Qubes OS For?
|
||||||
|
|
||||||
Given that anarchists are [regularly targeted](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
|
Given that anarchists are [regularly targeted](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
|
||||||
|
|
||||||
Even if you don't do anything directly incriminating on the computer you use every day, if it were compromised, this would still give investigators a field day for [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to communicate with other comrades, so making our personal computers difficult to hack is an important baseline for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
|
Even if you don't do anything directly incriminating on the computer you use every day, if it were compromised, this would still give investigators a field day for [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html) — knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to communicate with other comrades, so making our personal computers difficult to hack is an important baseline for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
|
||||||
|
|
||||||
# How Does Qubes OS Work?
|
# How Does Qubes OS Work?
|
||||||
|
|
||||||
|
|
@ -48,7 +48,7 @@ Ignore the greyed-out parts of the diagram for now. Daily use of Qubes OS primar
|
||||||
|
|
||||||
You'll notice that App qube #1 is connected to the Internet, App qube #2 is offline, while App qube #3 is connected to the Internet via Tor and is Disposable. Note that Whonix is actually split between two qubes: the workstation (App qube #3) and the gateway (sys-whonix). This has the security property that if the workstation qube is compromised, the gateway qube (where Tor runs) is not.
|
You'll notice that App qube #1 is connected to the Internet, App qube #2 is offline, while App qube #3 is connected to the Internet via Tor and is Disposable. Note that Whonix is actually split between two qubes: the workstation (App qube #3) and the gateway (sys-whonix). This has the security property that if the workstation qube is compromised, the gateway qube (where Tor runs) is not.
|
||||||
|
|
||||||
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails uses only memory (when the Persistent Storage feature is not enabled), Qubes OS uses the hard drive, so a Disposable qube will leave forensic traces on your computer - a Disposable isn't intended to be anti-forensic, it's intended to reset a qube in case it is compromised by malware.
|
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails uses only memory (when the Persistent Storage feature is not enabled), Qubes OS uses the hard drive, so a Disposable qube will leave forensic traces on your computer — a Disposable isn't intended to be anti-forensic, it's intended to reset a qube in case it is compromised by malware.
|
||||||
|
|
||||||
|
|
||||||
## Management Qubes
|
## Management Qubes
|
||||||
|
|
@ -59,9 +59,9 @@ Two more components are needed to complete the Qubes OS system:
|
||||||
|
|
||||||
* **Admin qube**. This is the small, isolated and trusted qube that manages the other qubes. It's very protected because if it's compromised, it's game over. It uses a technology called Xen as the hypervisor. It is also called dom0, which is a Xen naming convention. The Admin qube has no network connectivity and is only used to run the [desktop environment](https://en.wikipedia.org/wiki/Desktop_environment) and [window manager](https://en.wikipedia.org/wiki/Window_manager).
|
* **Admin qube**. This is the small, isolated and trusted qube that manages the other qubes. It's very protected because if it's compromised, it's game over. It uses a technology called Xen as the hypervisor. It is also called dom0, which is a Xen naming convention. The Admin qube has no network connectivity and is only used to run the [desktop environment](https://en.wikipedia.org/wiki/Desktop_environment) and [window manager](https://en.wikipedia.org/wiki/Window_manager).
|
||||||
|
|
||||||
* **Template qubes**. These are where applications and operating system files live and where you install and update software. Each App qube is based on a Template qube, and the App qube can only read from the Template, not write to it. This means that the more sensitive system files are protected from whatever happens in an App qube - they are not retained between App qube restarts. Multiple App qubes can be based on a single Template, which has the convenient feature that updating one Template will update all App qubes based on that Template.
|
* **Template qubes**. These are where applications and operating system files live and where you install and update software. Each App qube is based on a Template qube, and the App qube can only read from the Template, not write to it. This means that the more sensitive system files are protected from whatever happens in an App qube — they are not retained between App qube restarts. Multiple App qubes can be based on a single Template, which has the convenient feature that updating one Template will update all App qubes based on that Template.
|
||||||
|
|
||||||
Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware - only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's not possible to compromise the hardware from a compromised App qube.
|
Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware — only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's not possible to compromise the hardware from a compromised App qube.
|
||||||
|
|
||||||
# When to Use Tails vs. Qubes OS
|
# When to Use Tails vs. Qubes OS
|
||||||
|
|
||||||
|
|
@ -77,7 +77,7 @@ Qubes OS includes Whonix by default (Qubes-Whonix) for when you want to force al
|
||||||
|
|
||||||
For more information on how Whonix compares to Tails against different types of deanonymization attacks, see the [Whonix documentation](https://www.whonix.org/wiki/Comparison_with_Others#Circumventing_Proxy_Obedience_Design).
|
For more information on how Whonix compares to Tails against different types of deanonymization attacks, see the [Whonix documentation](https://www.whonix.org/wiki/Comparison_with_Others#Circumventing_Proxy_Obedience_Design).
|
||||||
|
|
||||||
In order to recover data from a Qubes OS system when it is turned off, an adversary would still need to successfully [bypass](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) the [Full Disk Encryption](/glossary#full-disk-encryption-fde) (e.g. by seizing the computer when it is turned on, or cracking a weak password). In order to recover data from a Tails system when it is turned off, **the situation is the same if any data is saved to Persistent Storage or an encrypted USB** - this saved data is no longer protected by anti-forensic features but by Full Disk Encryption.
|
In order to recover data from a Qubes OS system when it is turned off, an adversary would still need to successfully [bypass](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) the [Full Disk Encryption](/glossary#full-disk-encryption-fde) (e.g. by seizing the computer when it is turned on, or cracking a weak password). In order to recover data from a Tails system when it is turned off, **the situation is the same if any data is saved to Persistent Storage or an encrypted USB** — this saved data is no longer protected by anti-forensic features but by Full Disk Encryption.
|
||||||
|
|
||||||
Our recommendation is to use Tails:
|
Our recommendation is to use Tails:
|
||||||
|
|
||||||
|
|
@ -102,7 +102,7 @@ Qubes OS works best on a laptop with a solid state drive (SSD, which is faster t
|
||||||
|
|
||||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
|
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
|
||||||
|
|
||||||
[Do not set up "dual boot"](https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot) - another operating system could be used to compromise Qubes OS.
|
[Do not set up "dual boot"](https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot) — another operating system could be used to compromise Qubes OS.
|
||||||
|
|
||||||
After you first boot Qubes OS, there is a post-installation:
|
After you first boot Qubes OS, there is a post-installation:
|
||||||
|
|
||||||
|
|
@ -112,7 +112,7 @@ After you first boot Qubes OS, there is a post-installation:
|
||||||
|
|
||||||
* Make sys-net disposable. If you are using Wi-Fi instead of Ethernet, you will need to re-enter the Wi-Fi password after every boot.
|
* Make sys-net disposable. If you are using Wi-Fi instead of Ethernet, you will need to re-enter the Wi-Fi password after every boot.
|
||||||
|
|
||||||
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin - stop here to read it! The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but can be difficult for a new user to navigate. We'll go over some basics here that aren't already covered on the Getting Started page.
|
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin — stop here to read it! The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but can be difficult for a new user to navigate. We'll go over some basics here that aren't already covered on the Getting Started page.
|
||||||
|
|
||||||
# How to Update
|
# How to Update
|
||||||
|
|
||||||
|
|
@ -151,7 +151,7 @@ From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Click on the Domains widget to see which Qubes are currently running and how much memory (RAM) and processing power (CPU) they are using. Each qube uses memory, so when you are done with a qube, you should shut it down to free up the memory it is using. Closing windows isn't enough - you need to shut down the qube when you're done with it.
|
Click on the Domains widget to see which Qubes are currently running and how much memory (RAM) and processing power (CPU) they are using. Each qube uses memory, so when you are done with a qube, you should shut it down to free up the memory it is using. Closing windows isn't enough — you need to shut down the qube when you're done with it.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -192,11 +192,11 @@ Remember that you should not run `apt update` or `dnf update`.
|
||||||
|
|
||||||
Returning to the example above, I start a terminal in the `debian-12-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs gnome-disk-utility`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
|
Returning to the example above, I start a terminal in the `debian-12-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs gnome-disk-utility`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
|
||||||
|
|
||||||
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) - if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk — you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) — if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
||||||
|
|
||||||
# How to Organize Your Qubes
|
# How to Organize Your Qubes
|
||||||
|
|
||||||
The next step is to decide how to organize your system - the options are much more flexible in Qubes OS than in a monolithic system like Tails (and more prone to user error). In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended setup for the typical user, which can be tweaked as needed.
|
The next step is to decide how to organize your system — the options are much more flexible in Qubes OS than in a monolithic system like Tails (and more prone to user error). In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended setup for the typical user, which can be tweaked as needed.
|
||||||
|
|
||||||
After installation, a number of qubes will already exist by default. Click on the Applications Menu to see them all. We are going to delete the following default App qubes because they connect to the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each.
|
After installation, a number of qubes will already exist by default. Click on the Applications Menu to see them all. We are going to delete the following default App qubes because they connect to the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each.
|
||||||
|
|
||||||
|
|
@ -207,7 +207,7 @@ How the App qubes will be organized, without displaying service qubes or Templat
|
||||||
* **A vault qube**. This is used for all data storage because you don't need internet to store files. This qube can be reassigned to the `debian-12-documents` Template so that trusted files can be opened there.
|
* **A vault qube**. This is used for all data storage because you don't need internet to store files. This qube can be reassigned to the `debian-12-documents` Template so that trusted files can be opened there.
|
||||||
|
|
||||||
* **A disposable Whonix-Workstation qube (`whonix-workstation-17-dvm`)**.
|
* **A disposable Whonix-Workstation qube (`whonix-workstation-17-dvm`)**.
|
||||||
* [Remember](#general-usage) - Whonix works by using the Whonix-Workstation Template (`whonix-workstation-17`) for the App qube, and the Whonix-Gateway Template (`whonix-gateway-17`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway - all your activity takes place in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
|
* [Remember](#general-usage) — Whonix works by using the Whonix-Workstation Template (`whonix-workstation-17`) for the App qube, and the Whonix-Gateway Template (`whonix-gateway-17`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway — all your activity takes place in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
|
||||||
* Disposables appear in Applications Menu in a way that can be confusing. You will see two entries for this qube: the **whonix-workstation-17-dvm** entry in the Apps menu, which is where you launch applications from, and the **whonix-workstation-17-dvm** entry in the Templates menu, which is the Template for the disposable (do not use applications from here).
|
* Disposables appear in Applications Menu in a way that can be confusing. You will see two entries for this qube: the **whonix-workstation-17-dvm** entry in the Apps menu, which is where you launch applications from, and the **whonix-workstation-17-dvm** entry in the Templates menu, which is the Template for the disposable (do not use applications from here).
|
||||||
* You can think of a disposable Whonix-Workstation qube as similar to Tails: system-wide Tor, and deletion after shutdown (without the anti-forensics property, as noted above).
|
* You can think of a disposable Whonix-Workstation qube as similar to Tails: system-wide Tor, and deletion after shutdown (without the anti-forensics property, as noted above).
|
||||||
* Do not customize the disposable Template at all to resist fingerprinting.
|
* Do not customize the disposable Template at all to resist fingerprinting.
|
||||||
|
|
@ -225,7 +225,7 @@ If you wanted, you could use the system as is, but let's create an App qube and
|
||||||
* **Template**: whonix-workstation-17
|
* **Template**: whonix-workstation-17
|
||||||
* **Networking**: sys-whonix
|
* **Networking**: sys-whonix
|
||||||
* Now that the qube exists, [install the Monero wallet into the App qube](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube). Then, in the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu.
|
* Now that the qube exists, [install the Monero wallet into the App qube](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube). Then, in the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu.
|
||||||
* This App qube is not made disposable - we prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
|
* This App qube is not made disposable — we prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
|
||||||
|
|
||||||
* **An offline disposable qube**. At the moment, both disposables are networked (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu → Qubes Tools → Create Qubes VM**
|
* **An offline disposable qube**. At the moment, both disposables are networked (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu → Qubes Tools → Create Qubes VM**
|
||||||
* **Name**: debian-12-offline-dvm
|
* **Name**: debian-12-offline-dvm
|
||||||
|
|
@ -233,7 +233,7 @@ If you wanted, you could use the system as is, but let's create an App qube and
|
||||||
* **Type**: AppVM
|
* **Type**: AppVM
|
||||||
* **Template**: debian-12-documents
|
* **Template**: debian-12-documents
|
||||||
* **Networking**: none
|
* **Networking**: none
|
||||||
* You can also use Fedora. In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable at the top of the Applications Menu - make sure you are working in the disposable, not the disposable Template.
|
* You can also use Fedora. In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable at the top of the Applications Menu — make sure you are working in the disposable, not the disposable Template.
|
||||||
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm`
|
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm`
|
||||||
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
|
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
|
||||||
|
|
||||||
|
|
@ -241,15 +241,15 @@ If you wanted, you could use the system as is, but let's create an App qube and
|
||||||
|
|
||||||
* **Split-GPG**: GPG keys live in an offline qube and access to them is strictly controlled
|
* **Split-GPG**: GPG keys live in an offline qube and access to them is strictly controlled
|
||||||
* **Split-SSH**: SSH keys live in an offline qube and access to them is strictly controlled
|
* **Split-SSH**: SSH keys live in an offline qube and access to them is strictly controlled
|
||||||
* **Mullvad-VPN**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the few reputable VPN companies - they accept cryptocurrency and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
|
* **Mullvad-VPN**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the few reputable VPN companies — they accept cryptocurrency and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
|
||||||
* **sys-VPN**: A VPN qube that uses the OpenVPN protocol
|
* **sys-VPN**: A VPN qube that uses the OpenVPN protocol
|
||||||
* **split-XMR**: The Monero wallet lives in an offline qube and access to it is strictly controlled.
|
* **split-XMR**: The Monero wallet lives in an offline qube and access to it is strictly controlled.
|
||||||
|
|
||||||
You should configure your non-Tor qubes to be forced through a VPN (RiseupVPN, Mullvad, or IVPN), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
You should configure your non-Tor qubes to be forced through a VPN (RiseupVPN, Mullvad, or IVPN), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
||||||
|
|
||||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks – especially those targeting messaging apps – more difficult to perform and less effective.
|
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
||||||
|
|
||||||
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly — when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
||||||
|
|
||||||
If a Disposable keeps crashing, try to increase the amount of RAM allocated to it: go to the disposable Template's **Settings → Advanced** tab and increase the "Initial memory" and "Max memory".
|
If a Disposable keeps crashing, try to increase the amount of RAM allocated to it: go to the disposable Template's **Settings → Advanced** tab and increase the "Initial memory" and "Max memory".
|
||||||
|
|
||||||
|
|
@ -257,13 +257,13 @@ If a Disposable keeps crashing, try to increase the amount of RAM allocated to i
|
||||||
|
|
||||||
Disposables can be launched from the Applications menu: the disposable is at the top, and the disposable Template is near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all your Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, you can do so from the Qubes Domains widget in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would launch another disposable.
|
Disposables can be launched from the Applications menu: the disposable is at the top, and the disposable Template is near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all your Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, you can do so from the Qubes Domains widget in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would launch another disposable.
|
||||||
|
|
||||||
Once you close all the windows of a disposable, the whole disposable is shut down and reset to the state of its Template - any malware that may have been installed is now gone.
|
Once you close all the windows of a disposable, the whole disposable is shut down and reset to the state of its Template — any malware that may have been installed is now gone.
|
||||||
|
|
||||||
In contrast, an App qube must be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local`, and `/rw/config` directory. The next time an App qube boots, all locations in its file system other than these three directories will reflect the state of its Template. See how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.
|
In contrast, an App qube must be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local`, and `/rw/config` directory. The next time an App qube boots, all locations in its file system other than these three directories will reflect the state of its Template. See how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
In the file manager of an App qube, right-clicking on certain fle types gives you the **Edit In DisposableVM** and **View In DisposableVM** options. This is how we want to open any untrusted files. It will use the default disposable that we set earlier, which is offline. As soon as you close the viewing application, the disposable is reverted to its prior state. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. In contrast, viewing in a disposable is read-only, so if the file does something malicious, it can't write to the App qube you launched it from - this is preferable for files you don't need to edit.
|
In the file manager of an App qube, right-clicking on certain fle types gives you the **Edit In DisposableVM** and **View In DisposableVM** options. This is how we want to open any untrusted files. It will use the default disposable that we set earlier, which is offline. As soon as you close the viewing application, the disposable is reverted to its prior state. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. In contrast, viewing in a disposable is read-only, so if the file does something malicious, it can't write to the App qube you launched it from — this is preferable for files you don't need to edit.
|
||||||
|
|
||||||
If your file opens in an application other than the one you want, you'll need to change the default for the disposable Template:
|
If your file opens in an application other than the one you want, you'll need to change the default for the disposable Template:
|
||||||
|
|
||||||
|
|
@ -277,7 +277,7 @@ If your file opens in an application other than the one you want, you'll need to
|
||||||
|
|
||||||
For PDF files, right-click and select **Convert To Trusted PDF**, and for image files, right-click and select **Convert To Trusted Img**. This will sanitize the file so that it can go from untrusted to trusted. It does this by converting it to images in a disposable and wiping the metadata.
|
For PDF files, right-click and select **Convert To Trusted PDF**, and for image files, right-click and select **Convert To Trusted Img**. This will sanitize the file so that it can go from untrusted to trusted. It does this by converting it to images in a disposable and wiping the metadata.
|
||||||
|
|
||||||
You can set it up so that certain types of files in an App qube open in a disposable by default. However, setting PDF files to always open in a disposable is not failsafe - some files may have their name end in `.pdf`, but in fact be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd still like to set the default to open only PDF files in a disposable, right-click a PDF file and select **Open With Other Application → qvm-open-in-dvm**.
|
You can set it up so that certain types of files in an App qube open in a disposable by default. However, setting PDF files to always open in a disposable is not failsafe — some files may have their name end in `.pdf`, but in fact be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd still like to set the default to open only PDF files in a disposable, right-click a PDF file and select **Open With Other Application → qvm-open-in-dvm**.
|
||||||
|
|
||||||
# How to Use Devices (like USBs)
|
# How to Use Devices (like USBs)
|
||||||
|
|
||||||
|
|
@ -293,9 +293,9 @@ To learn how to attach devices, let's format the empty USB or hard drive that wi
|
||||||
|
|
||||||
Webcams and microphones are considered devices and must be attached to an App qube to be used.
|
Webcams and microphones are considered devices and must be attached to an App qube to be used.
|
||||||
|
|
||||||
There are command line instructions for setting up an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice) - we recommend configuring a confirmation prompt. We also recommend enabling a USB keyboard [on a dedicated USB controller](https://www.qubes-os.org/doc/usb-qubes/#qubes-41-how-to-enable-a-usb-keyboard-on-a-separate-usb-controller).
|
There are command line instructions for setting up an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice) — we recommend configuring a confirmation prompt. We also recommend enabling a USB keyboard [on a dedicated USB controller](https://www.qubes-os.org/doc/usb-qubes/#qubes-41-how-to-enable-a-usb-keyboard-on-a-separate-usb-controller).
|
||||||
|
|
||||||
You don't always need to attach a USB drive to another qube with the Qubes Devices widget - external devices are also accessible directly from sys-usb, through the File Manager. You can [copy specific files](#how-to-copy-and-move-files) between the USB and another App qube without having to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb to take advantage of it being disposable.
|
You don't always need to attach a USB drive to another qube with the Qubes Devices widget — external devices are also accessible directly from sys-usb, through the File Manager. You can [copy specific files](#how-to-copy-and-move-files) between the USB and another App qube without having to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb to take advantage of it being disposable.
|
||||||
|
|
||||||
# How to Backup
|
# How to Backup
|
||||||
|
|
||||||
|
|
@ -320,7 +320,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
|
||||||
|
|
||||||
The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), on which Whonix is based. When Whonix is used in Qubes OS, it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems, but it's preferable to use it on Qubes OS because of the superior isolation it provides.
|
The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), on which Whonix is based. When Whonix is used in Qubes OS, it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems, but it's preferable to use it on Qubes OS because of the superior isolation it provides.
|
||||||
|
|
||||||
[Multiple default applications](https://www.whonix.org/wiki/Stream_Isolation#List) on a Whonix-Workstation App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated - this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation).
|
[Multiple default applications](https://www.whonix.org/wiki/Stream_Isolation#List) on a Whonix-Workstation App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated — this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation).
|
||||||
|
|
||||||
To take advantage of compartmentalization, create separate Whonix-Workstation App qubes for distinct activities/identities, as we did [above](#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice not to use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) at the same time:
|
To take advantage of compartmentalization, create separate Whonix-Workstation App qubes for distinct activities/identities, as we did [above](#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice not to use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) at the same time:
|
||||||
|
|
||||||
|
|
@ -328,9 +328,9 @@ To take advantage of compartmentalization, create separate Whonix-Workstation Ap
|
||||||
|
|
||||||
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
|
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
|
||||||
|
|
||||||
Like any software, the Tor Browser has vulnerabilities that can be exploited - various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||||
|
|
||||||
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template - the disposable Template will be updated automatically.
|
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template — the disposable Template will be updated automatically.
|
||||||
|
|
||||||
# Password Management
|
# Password Management
|
||||||
|
|
||||||
|
|
@ -366,15 +366,15 @@ Configuring Qubes OS is much more flexible than configuring Tails, but most of t
|
||||||
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
|
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
|
||||||
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/).
|
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/).
|
||||||
* Phishing awareness
|
* Phishing awareness
|
||||||
* This is where Qubes OS really shines. Awareness is no longer your only defense - Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
|
* This is where Qubes OS really shines. Awareness is no longer your only defense — Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
|
||||||
* Open attachments in a disposable and offline qube.
|
* Open attachments in a disposable and offline qube.
|
||||||
* Open links in a disposable Whonix-Workstation qube.
|
* Open links in a disposable Whonix-Workstation qube.
|
||||||
|
|
||||||
## Post-installation Decisions
|
## Post-installation Decisions
|
||||||
|
|
||||||
During the [post-installation of Qubes OS](#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure - Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
|
During the [post-installation of Qubes OS](#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure — Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
|
||||||
|
|
||||||
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template, clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend using disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
|
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template, clone the Debian Template — follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend using disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
|
||||||
|
|
||||||
* Go to **Applications menu → Qubes Tools → Create Qubes VM**
|
* Go to **Applications menu → Qubes Tools → Create Qubes VM**
|
||||||
* Name: kicksecure-17-dvm
|
* Name: kicksecure-17-dvm
|
||||||
|
|
@ -382,7 +382,7 @@ Kicksecure is not currently [available as a Template](https://www.kicksecure.com
|
||||||
* Type: AppVM
|
* Type: AppVM
|
||||||
* Template: kicksecure-17
|
* Template: kicksecure-17
|
||||||
* Networking: default (sys-firewall)
|
* Networking: default (sys-firewall)
|
||||||
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable at the top of the Applications Menu - make sure you are working in the disposable, not the disposable Template.
|
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable at the top of the Applications Menu — make sure you are working in the disposable, not the disposable Template.
|
||||||
|
|
||||||
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes:
|
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes:
|
||||||
|
|
||||||
|
|
@ -400,15 +400,15 @@ Hardware security is a nuanced subject, with three prominent factors at play for
|
||||||
|
|
||||||
Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the **ThinkPad X230** and **ThinkPad T430** strike a relatively unique balance because they both use the [Ivy generation](https://en.wikipedia.org/wiki/Ivy_Bridge_(microarchitecture)) of CPUs and are both compatible with Heads:
|
Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the **ThinkPad X230** and **ThinkPad T430** strike a relatively unique balance because they both use the [Ivy generation](https://en.wikipedia.org/wiki/Ivy_Bridge_(microarchitecture)) of CPUs and are both compatible with Heads:
|
||||||
|
|
||||||
* **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process - the Thinkpad X230 and T430 have TPM v1.1.
|
* **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process — the Thinkpad X230 and T430 have TPM v1.1.
|
||||||
* **Blobs**: There are no binary blobs on these models after Heads is installed, except for the Intel Management Engine (which can be neutered) and the Ethernet blob (which can be generated).
|
* **Blobs**: There are no binary blobs on these models after Heads is installed, except for the Intel Management Engine (which can be neutered) and the Ethernet blob (which can be generated).
|
||||||
* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this generation of CPUs](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Newer hardware uses CPUs with different extensions that are vulnerable to new attack vectors - the Ivy generation is not affected by these.
|
* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this generation of CPUs](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Newer hardware uses CPUs with different extensions that are vulnerable to new attack vectors — the Ivy generation is not affected by these.
|
||||||
|
|
||||||
Qubes OS also applies appropriate software mitigation to this class of attacks at the hypervisor level, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
|
Qubes OS also applies appropriate software mitigation to this class of attacks at the hypervisor level, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
|
||||||
|
|
||||||
## OPSEC for Memory Use
|
## OPSEC for Memory Use
|
||||||
|
|
||||||
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Make sure to always be aware of which qubes are running simultaneously - it is best to only have trusted qubes alongside each other.
|
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Make sure to always be aware of which qubes are running simultaneously — it is best to only have trusted qubes alongside each other.
|
||||||
|
|
||||||
* sys-usb: Disposable. Run only when needed, and shut down when finished. Restart after using an untrusted USB device.
|
* sys-usb: Disposable. Run only when needed, and shut down when finished. Restart after using an untrusted USB device.
|
||||||
* sys-net: Disposable. Run only when needed, and shut down when finished. Shut down when performing sensitive operations in other qubes, if possible. Restart before compartmentalized activities that require high security.
|
* sys-net: Disposable. Run only when needed, and shut down when finished. Shut down when performing sensitive operations in other qubes, if possible. Restart before compartmentalized activities that require high security.
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,7 @@ a4="tails-best-a4.pdf"
|
||||||
letter="tails-best-letter.pdf"
|
letter="tails-best-letter.pdf"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary#threat-model) - operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://www.notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations. If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
|
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary#threat-model) — operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://www.notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations. If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
|
||||||
|
|
||||||
<!-- more -->
|
<!-- more -->
|
||||||
|
|
||||||
|
|
@ -67,7 +67,7 @@ You can mitigate the techniques available to powerful adversaries by **not using
|
||||||
|
|
||||||
### Internet not tied to your identity
|
### Internet not tied to your identity
|
||||||
|
|
||||||
"Mobile Wi-Fi" devices exist which give you Internet access through the mobile network (via SIM cards) - these are a bad idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile operator every time you connect, allowing identification and geographic localization. The adapter works like a mobile phone! If you do not want different research sessions to be associated with each other, do not use the same device or SIM card more than once!
|
"Mobile Wi-Fi" devices exist which give you Internet access through the mobile network (via SIM cards) — these are a bad idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile operator every time you connect, allowing identification and geographic localization. The adapter works like a mobile phone! If you do not want different research sessions to be associated with each other, do not use the same device or SIM card more than once!
|
||||||
|
|
||||||
To use internet not tied to your identity, you have two options: Wi-Fi from a public space (like going to a cafe without CCTV cameras), or by using a Wi-Fi antenna through a window from a private space. The latter option is preferable for any computer activity that takes a prolonged amount of time because the main police priority will be to seize the computer while it is unencrypted, and this is much harder for them to achieve in a private space. In a public space, there is also more of a risk of cameras seeing you type your password. However, using a Wi-Fi antenna is also more technical (guide coming soon).
|
To use internet not tied to your identity, you have two options: Wi-Fi from a public space (like going to a cafe without CCTV cameras), or by using a Wi-Fi antenna through a window from a private space. The latter option is preferable for any computer activity that takes a prolonged amount of time because the main police priority will be to seize the computer while it is unencrypted, and this is much harder for them to achieve in a private space. In a public space, there is also more of a risk of cameras seeing you type your password. However, using a Wi-Fi antenna is also more technical (guide coming soon).
|
||||||
|
|
||||||
|
|
@ -75,24 +75,24 @@ When using Wi-Fi in a public space, keep the following operational security cons
|
||||||
* Do not get into a routine of using the same cafes repeatedly if you can avoid it.
|
* Do not get into a routine of using the same cafes repeatedly if you can avoid it.
|
||||||
* If you have to buy a coffee to get the Wi-Fi password, pay in cash!
|
* If you have to buy a coffee to get the Wi-Fi password, pay in cash!
|
||||||
* Position yourself with your back against a wall so that no one can "shoulder surf" to see your screen, and ideally install a [privacy screen](/posts/tails/#privacy-screen) on your laptop.
|
* Position yourself with your back against a wall so that no one can "shoulder surf" to see your screen, and ideally install a [privacy screen](/posts/tails/#privacy-screen) on your laptop.
|
||||||
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. It is very difficult to maintain adequate situational awareness while staying focused on your Tails session - consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.net/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.net/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
|
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. It is very difficult to maintain adequate situational awareness while staying focused on your Tails session — consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.net/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.net/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
|
||||||
* One person in charge of a darknet marketplace had his Tails computer seized while distracted by a fake fight next to him. Similar tactics have been used [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt with a short piece of fishing line, the police would most likely have lost all evidence when the Tails USB was pulled out. A more technical equivalent is [BusKill](https://www.buskill.in/tails/) - however, we only recommend buying this [in person](https://www.buskill.in/leipzig-proxystore/) or [3D printing it](https://www.buskill.in/3d-print-2023-08/). This is because any mail can be [intercepted](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction) and altered, making the hardware [malicious](https://en.wikipedia.org/wiki/BadUSB).
|
* One person in charge of a darknet marketplace had his Tails computer seized while distracted by a fake fight next to him. Similar tactics have been used [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt with a short piece of fishing line, the police would most likely have lost all evidence when the Tails USB was pulled out. A more technical equivalent is [BusKill](https://www.buskill.in/tails/) — however, we only recommend buying this [in person](https://www.buskill.in/leipzig-proxystore/) or [3D printing it](https://www.buskill.in/3d-print-2023-08/). This is because any mail can be [intercepted](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction) and altered, making the hardware [malicious](https://en.wikipedia.org/wiki/BadUSB).
|
||||||
* If coffee shops without CCTV cameras are few and far between, you can try accessing a coffee shop's Wi-Fi from outside, out of view of the cameras.
|
* If coffee shops without CCTV cameras are few and far between, you can try accessing a coffee shop's Wi-Fi from outside, out of view of the cameras.
|
||||||
|
|
||||||
### Non-Targeted and Targeted Correlation Attacks
|
### Non-Targeted and Targeted Correlation Attacks
|
||||||
|
|
||||||
As described in the quotation above, a global adversary (i.e. the NSA) may be capable of breaking Tor through a correlation attack. If this happens, the Internet address you used in a coffee shop without CCTV cameras will only lead to your general area (e.g. your city) because it is not associated with you. Of course, this is less true if you use the location routinely. Correlation attacks are even less feasible against connections to an .onion address because you never leave the Tor network, so there is no "end" to correlate with through network traffic analysis (if the server location is unknown to the adversary). It is worth emphasizing that "End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users."
|
As described in the quotation above, a global adversary (i.e. the NSA) may be capable of breaking Tor through a correlation attack. If this happens, the Internet address you used in a coffee shop without CCTV cameras will only lead to your general area (e.g. your city) because it is not associated with you. Of course, this is less true if you use the location routinely. Correlation attacks are even less feasible against connections to an .onion address because you never leave the Tor network, so there is no "end" to correlate with through network traffic analysis (if the server location is unknown to the adversary). It is worth emphasizing that "End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users."
|
||||||
|
|
||||||
What we will term a "targeted" correlation attack is possible by a non-global adversary (i.e. local law enforcement), if you are already in their sights and a target of [physical surveillance](https://www.notrace.how/threat-library/techniques/physical-surveillance/covert.html) and/or [digital surveillance](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance.html). This is a subtype of correlation attack where the presumed target is already known, thus making the attack easier to achieve because it vastly reduces the amount of data to filter through for correlation. A non-targeted correlation attack used to deanonymize a Tor user is unprecedented in current evidence used in court, although [a "targeted" correlation attack has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as corroborating evidence - a suspect had already been identified, which allowed investigators to correlate their local footprint with specific online activity. Specifically, they correlated Tor network traffic coming from the suspect's house with the times their anonymous alias was online in chatrooms.
|
What we will term a "targeted" correlation attack is possible by a non-global adversary (i.e. local law enforcement), if you are already in their sights and a target of [physical surveillance](https://www.notrace.how/threat-library/techniques/physical-surveillance/covert.html) and/or [digital surveillance](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance.html). This is a subtype of correlation attack where the presumed target is already known, thus making the attack easier to achieve because it vastly reduces the amount of data to filter through for correlation. A non-targeted correlation attack used to deanonymize a Tor user is unprecedented in current evidence used in court, although [a "targeted" correlation attack has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as corroborating evidence — a suspect had already been identified, which allowed investigators to correlate their local footprint with specific online activity. Specifically, they correlated Tor network traffic coming from the suspect's house with the times their anonymous alias was online in chatrooms.
|
||||||
|
|
||||||
To explain how this works, it helps if you have a basic understanding of what Tor information is visible to various third parties - see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https). For a non-targeted correlation attack, the investigator will need to **start from after Tor's exit node**: take the specific online activity coming from the exit node and try to correlate it with an enormous amount of global data that is entering Tor entry nodes. However, if a suspect is already identified, the investigator can instead do a "targeted" correlation attack and **start from before Tor's entry node**: take the data entering the entry node (via **the suspect's physical or digital footprint**) and try to correlate it with **specific online activity** coming from an exit node.
|
To explain how this works, it helps if you have a basic understanding of what Tor information is visible to various third parties — see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https). For a non-targeted correlation attack, the investigator will need to **start from after Tor's exit node**: take the specific online activity coming from the exit node and try to correlate it with an enormous amount of global data that is entering Tor entry nodes. However, if a suspect is already identified, the investigator can instead do a "targeted" correlation attack and **start from before Tor's entry node**: take the data entering the entry node (via **the suspect's physical or digital footprint**) and try to correlate it with **specific online activity** coming from an exit node.
|
||||||
|
|
||||||
A more sophisticated analysis of the specific online activity would involve logging the connections to the server for detailed comparison, and a simple analysis would be something that is publicly visible to anyone (such as when your alias is online in a chatroom, or when a post is published to a website). For your physical footprint, a surveillance operation can note that you go to a cafe regularly, then try to correlate this with online activity they suspect you of (for example, if they suspect you are a website moderator, they can try to correlate these time windows with web moderator activity). For your digital footprint, if you are using Internet from home, an investigator can log all your Tor traffic and then try to correlate it with specific online activity.
|
A more sophisticated analysis of the specific online activity would involve logging the connections to the server for detailed comparison, and a simple analysis would be something that is publicly visible to anyone (such as when your alias is online in a chatroom, or when a post is published to a website). For your physical footprint, a surveillance operation can note that you go to a cafe regularly, then try to correlate this with online activity they suspect you of (for example, if they suspect you are a website moderator, they can try to correlate these time windows with web moderator activity). For your digital footprint, if you are using Internet from home, an investigator can log all your Tor traffic and then try to correlate it with specific online activity.
|
||||||
|
|
||||||
To mitigate the risk of "targeted" correlation attacks:
|
To mitigate the risk of "targeted" correlation attacks:
|
||||||
|
|
||||||
* If you only need to use the Internet briefly to submit a communique, you can **do [surveillance detection](https://www.notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a coffee shop**, just like you would prior to a direct action.
|
* If you only need to use the Internet briefly to submit a communique, you can **do [surveillance detection](https://www.notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a coffee shop**, just like you would prior to a direct action.
|
||||||
* For projects like moderating a website or hacking that require daily Internet access, it is not realistic to find a new Wi-Fi location every day. In that case, the ideal mitigation is to **use a Wi-Fi antenna from indoors** - a physical surveillance effort won't see you entering a cafe, and a digital surveillance effort won't see anything on your home Internet.
|
* For projects like moderating a website or hacking that require daily Internet access, it is not realistic to find a new Wi-Fi location every day. In that case, the ideal mitigation is to **use a Wi-Fi antenna from indoors** — a physical surveillance effort won't see you entering a cafe, and a digital surveillance effort won't see anything on your home Internet.
|
||||||
* If a Wi-Fi antenna is too technical for you, you may even want to **use your home internet** for some projects that require frequent internet access. This contradicts the previous advice to not use your personal Wi-Fi. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from (especially if you intentionally [make correlation attacks more difficult](/posts/tails/#make-correlation-attacks-more-difficult)). In our view, the main risk of using your home internet is not that the adversary is able to break Tor through a correlation attack, but that the adversary is able to hack your system, such as through [phishing](#phishing-awareness), which [enables them to bypass Tor](/posts/qubes/#when-to-use-tails-vs-qubes-os).
|
* If a Wi-Fi antenna is too technical for you, you may even want to **use your home internet** for some projects that require frequent internet access. This contradicts the previous advice to not use your personal Wi-Fi. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from (especially if you intentionally [make correlation attacks more difficult](/posts/tails/#make-correlation-attacks-more-difficult)). In our view, the main risk of using your home internet is not that the adversary is able to break Tor through a correlation attack, but that the adversary is able to hack your system, such as through [phishing](#phishing-awareness), which [enables them to bypass Tor](/posts/qubes/#when-to-use-tails-vs-qubes-os).
|
||||||
* If you want to submit a report-back the morning after a riot, or a communique shortly after an action (times when there may be a higher risk of targeted surveillance), consider waiting and at least taking surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank arson in Canada, police surveilled a suspect as he traveled from his home to an Internet cafe, and watched him post the communique and then bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.notrace.how/resources/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe near the comrade's home and requested CCTV footage for the day an arson communique was sent.
|
* If you want to submit a report-back the morning after a riot, or a communique shortly after an action (times when there may be a higher risk of targeted surveillance), consider waiting and at least taking surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank arson in Canada, police surveilled a suspect as he traveled from his home to an Internet cafe, and watched him post the communique and then bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.notrace.how/resources/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe near the comrade's home and requested CCTV footage for the day an arson communique was sent.
|
||||||
|
|
||||||
|
|
@ -144,7 +144,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
|
||||||
|
|
||||||
* **Wi-Fi that is unrelated to your identity**. We recommend using Wi-Fi that is unrelated to your identity (i.e. not at your home or work) not only to mitigate deanonymization, but also to mitigate remote hacking. It is best to never use the dedicated Tails laptop on your home Wi-Fi. This makes the laptop much less accessible to a remote attacker than a laptop that is constantly connected to your home Wi-Fi. If an attacker is targeting you, they need a point to start, and your home Wi-Fi is a pretty good place to start.
|
* **Wi-Fi that is unrelated to your identity**. We recommend using Wi-Fi that is unrelated to your identity (i.e. not at your home or work) not only to mitigate deanonymization, but also to mitigate remote hacking. It is best to never use the dedicated Tails laptop on your home Wi-Fi. This makes the laptop much less accessible to a remote attacker than a laptop that is constantly connected to your home Wi-Fi. If an attacker is targeting you, they need a point to start, and your home Wi-Fi is a pretty good place to start.
|
||||||
* **Remove the hard drive**—it's easier than it sounds. If you buy the laptop, you can ask the store to do it and potentially save some money. If you search on youtube for "remove hard drive" for your specific laptop model, there will probably be an instructional video. Make sure you remove the laptop battery and unplug the power cord first. We remove the hard drive to completely eliminate the hard drive firmware, which has been known to be [compromised to install persistent malware](https://www.wired.com/2015/02/nsa-firmware-hacking/). A hard drive is part of the attack surface and is unnecessary on a live system like Tails that runs off a USB.
|
* **Remove the hard drive**—it's easier than it sounds. If you buy the laptop, you can ask the store to do it and potentially save some money. If you search on youtube for "remove hard drive" for your specific laptop model, there will probably be an instructional video. Make sure you remove the laptop battery and unplug the power cord first. We remove the hard drive to completely eliminate the hard drive firmware, which has been known to be [compromised to install persistent malware](https://www.wired.com/2015/02/nsa-firmware-hacking/). A hard drive is part of the attack surface and is unnecessary on a live system like Tails that runs off a USB.
|
||||||
* Consider **removing the Bluetooth interface, camera, and microphone** while you're at it, although this is more involved—you'll need the user manual for your laptop model. The camera can at least be "disabled" by putting a sticker over it. The microphone is often connected to the motherboard via a plug - in this case just unplug it. If this is not obvious, or if there is no connector because the cable is soldered directly to the motherboard, or if the connector is needed for other purposes, cut the microphone cable with a pair of pliers. The same method can be used to permanently disable the camera if you don't trust the sticker method. It is also possible to use Tails on a dedicated "offline" computer by removing the network card as well. Some laptops have switches on the case that can be used to disable the wireless interfaces, but for an "offline" computer it is preferable to actually remove the network card.
|
* Consider **removing the Bluetooth interface, camera, and microphone** while you're at it, although this is more involved—you'll need the user manual for your laptop model. The camera can at least be "disabled" by putting a sticker over it. The microphone is often connected to the motherboard via a plug — in this case just unplug it. If this is not obvious, or if there is no connector because the cable is soldered directly to the motherboard, or if the connector is needed for other purposes, cut the microphone cable with a pair of pliers. The same method can be used to permanently disable the camera if you don't trust the sticker method. It is also possible to use Tails on a dedicated "offline" computer by removing the network card as well. Some laptops have switches on the case that can be used to disable the wireless interfaces, but for an "offline" computer it is preferable to actually remove the network card.
|
||||||
|
|
||||||
* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates an attack on the BIOS firmware against a Tails user, allowing the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be removed like the hard drive. It is needed to turn on the laptop, so it must be replaced with [open-source](/glossary#open-source) firmware. This is an advanced process because it requires opening the computer and using special tools. Most anarchists will not be able to do this themselves, but hopefully there is a trusted person in your networks who can set it up for you. The project is called HEADS because it's the other side of Tails—where Tails secures software, HEADS secures firmware. It has a similar purpose to the [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) found in GrapheneOS, which establishes a full chain of trust from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop if you plan to install it—we recommend the ThinkPad X230 because it's less involved to install than other models. The CPUs of this generation are capable of effectively removing the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) when flashing HEADS, but this is not the case with later generations of CPUs on newer computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a wider range of laptop models but has less security. HEADS can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation), preventing it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks!
|
* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates an attack on the BIOS firmware against a Tails user, allowing the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be removed like the hard drive. It is needed to turn on the laptop, so it must be replaced with [open-source](/glossary#open-source) firmware. This is an advanced process because it requires opening the computer and using special tools. Most anarchists will not be able to do this themselves, but hopefully there is a trusted person in your networks who can set it up for you. The project is called HEADS because it's the other side of Tails—where Tails secures software, HEADS secures firmware. It has a similar purpose to the [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) found in GrapheneOS, which establishes a full chain of trust from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop if you plan to install it—we recommend the ThinkPad X230 because it's less involved to install than other models. The CPUs of this generation are capable of effectively removing the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) when flashing HEADS, but this is not the case with later generations of CPUs on newer computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a wider range of laptop models but has less security. HEADS can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation), preventing it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks!
|
||||||
|
|
||||||
|
|
@ -168,16 +168,16 @@ If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust]
|
||||||
|
|
||||||
On a USB with a write-protect switch, you will not be able to make any changes to the Tails USB when the switch is locked. If you can make changes, so can malware. While it would be ideal to leave the switch locked all the time, we recommend two cases where the switch must be unlocked:
|
On a USB with a write-protect switch, you will not be able to make any changes to the Tails USB when the switch is locked. If you can make changes, so can malware. While it would be ideal to leave the switch locked all the time, we recommend two cases where the switch must be unlocked:
|
||||||
|
|
||||||
1) **For a dedicated upgrade session.** If you need to upgrade Tails, you can do so in a dedicated session with the switch unlocked - this is necessary because the upgrade needs to be written to the Tails USB. Once you are done, you should restart Tails with the switch locked.
|
1) **For a dedicated upgrade session.** If you need to upgrade Tails, you can do so in a dedicated session with the switch unlocked — this is necessary because the upgrade needs to be written to the Tails USB. Once you are done, you should restart Tails with the switch locked.
|
||||||
2) **If you decide to use Persistent Storage, for occasional configuration sessions.** [Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to persist between sessions that would otherwise be amnesiac on the Tails USB itself. Because it requires writing to the Tails USB to persist data, it is generally impractical to use with a write-protect switch. However, it may be acceptable to disable the switch for occasional Persistent Storage configuration sessions, such as installing additional software. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting to install it every session. Then, in a 'locked' session, you actually use Scribus - none of the files you work on are saved to the Tails USB because it is 'locked'. Note that in this scenario, the USB switch will need to be locked to the read-only position *after* after the Welcome Screen, because Tails will not load the Persistant Storage otherwise. The Persistent Storage feature is not possible with the `toram` boot or with a DVD.
|
2) **If you decide to use Persistent Storage, for occasional configuration sessions.** [Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to persist between sessions that would otherwise be amnesiac on the Tails USB itself. Because it requires writing to the Tails USB to persist data, it is generally impractical to use with a write-protect switch. However, it may be acceptable to disable the switch for occasional Persistent Storage configuration sessions, such as installing additional software. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting to install it every session. Then, in a 'locked' session, you actually use Scribus — none of the files you work on are saved to the Tails USB because it is 'locked'. Note that in this scenario, the USB switch will need to be locked to the read-only position *after* after the Welcome Screen, because Tails will not load the Persistant Storage otherwise. The Persistent Storage feature is not possible with the `toram` boot or with a DVD.
|
||||||
|
|
||||||
Where can we store personal data for use between Tails sessions if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This "personal data" USB should not look identical to your Tails USB to avoid confusion. To create this separate USB, see [How to create an encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb). If you are reading this from a country like the UK, where not providing encryption passwords can land you in jail, this second drive should be an HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not suitable for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).
|
Where can we store personal data for use between Tails sessions if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This "personal data" USB should not look identical to your Tails USB to avoid confusion. To create this separate USB, see [How to create an encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb). If you are reading this from a country like the UK, where not providing encryption passwords can land you in jail, this second drive should be an HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not suitable for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Compartmentalization is an approach that neatly separates different identities by using separate Tails sessions for separate activities - in Tails session #1 you do activities related to moderating a website, and in Tails session #2 you do activities related to researching for an action. This approach also comes into play with your "personal data" USBs. If the files you save could be used to link your activities together, use a different "personal data" USB for each activity. For a "personal data" USB that stores very sensitive files (such as the text of a communique), it is best to reformat and then destroy the USB once you no longer need the files (see [Really delete data from a USB drive](/posts/tails/#really-delete-data-from-a-usb)). This is another reason to use a separate USB for any files that need to be saved - you don't accumulate the forensic history of all your files on your Tails Persistent Storage, and you can easily destroy USBs as needed.
|
Compartmentalization is an approach that neatly separates different identities by using separate Tails sessions for separate activities — in Tails session #1 you do activities related to moderating a website, and in Tails session #2 you do activities related to researching for an action. This approach also comes into play with your "personal data" USBs. If the files you save could be used to link your activities together, use a different "personal data" USB for each activity. For a "personal data" USB that stores very sensitive files (such as the text of a communique), it is best to reformat and then destroy the USB once you no longer need the files (see [Really delete data from a USB drive](/posts/tails/#really-delete-data-from-a-usb)). This is another reason to use a separate USB for any files that need to be saved — you don't accumulate the forensic history of all your files on your Tails Persistent Storage, and you can easily destroy USBs as needed.
|
||||||
|
|
||||||
Finally, a note about email - if you already use Tails and encrypted email, you may be familiar with Thunderbird's Persistent Storage feature. This feature allows you to store your Thunderbird email account details, as well as your inbox and PGP keys, on a Tails USB. With a "personal data" USB, Thunderbird won't automatically open your accounts. We recommend that you do one of the following:
|
Finally, a note about email — if you already use Tails and encrypted email, you may be familiar with Thunderbird's Persistent Storage feature. This feature allows you to store your Thunderbird email account details, as well as your inbox and PGP keys, on a Tails USB. With a "personal data" USB, Thunderbird won't automatically open your accounts. We recommend that you do one of the following:
|
||||||
|
|
||||||
- Create new Thunderbird email accounts in each session. PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the advantage that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
|
- Create new Thunderbird email accounts in each session. PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the advantage that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
|
||||||
- Keep the Thunderbird data folder on the "personal data" USB. After logging in to Thunderbird, use the Files browser (Applications → Accessories → Files) and enable the "Show hidden files" setting. Navigate to Home, then copy the folder called `.thunderbird` to your "personal data" USB. In each future session, after you have unlocked the 'personal data' USB and before you start Thunderbird, copy the `.thunderbird` folder to Home (which is running in RAM, so doesn't require the write-protect switch to be unlocked).
|
- Keep the Thunderbird data folder on the "personal data" USB. After logging in to Thunderbird, use the Files browser (Applications → Accessories → Files) and enable the "Show hidden files" setting. Navigate to Home, then copy the folder called `.thunderbird` to your "personal data" USB. In each future session, after you have unlocked the 'personal data' USB and before you start Thunderbird, copy the `.thunderbird` folder to Home (which is running in RAM, so doesn't require the write-protect switch to be unlocked).
|
||||||
|
|
@ -194,7 +194,7 @@ If its not possible to find a USB with a write-protect switch, you can alternati
|
||||||
|
|
||||||
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a random sequence of characters (letters, numbers and other symbols), while a [*passphrase*](/glossary/#passphrase) is a random sequence of words.
|
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a random sequence of characters (letters, numbers and other symbols), while a [*passphrase*](/glossary/#passphrase) is a random sequence of words.
|
||||||
|
|
||||||
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** - when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
Never reuse a password/passphrase for multiple things ("password recycling") — KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** — when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
||||||
|
|
||||||
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (seven words).
|
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (seven words).
|
||||||
|
|
||||||
|
|
@ -243,7 +243,7 @@ Every time you use the filesystem, mount it like this:
|
||||||
|
|
||||||
`gocryptfs cipher plain`
|
`gocryptfs cipher plain`
|
||||||
|
|
||||||
You will be prompted for the password. Note that the order is important - `cipher` is the first argument and `plain` is the second.
|
You will be prompted for the password. Note that the order is important — `cipher` is the first argument and `plain` is the second.
|
||||||
|
|
||||||
You can now add files to your mounted, decrypted container in the 'plain' folder. When you unmount the filesystem, the container will be encrypted. To do this:
|
You can now add files to your mounted, decrypted container in the 'plain' folder. When you unmount the filesystem, the container will be encrypted. To do this:
|
||||||
|
|
||||||
|
|
@ -310,7 +310,7 @@ First, some clarification. [PGP and GPG](/glossary/#gnupg-openpgp) are terms tha
|
||||||
|
|
||||||
GPG is a classic example of [public-key cryptography](/glossary/#public-key-cryptography). GPG provides cryptographic functions for [encrypting](/glossary/#encryption), decrypting, and signing files; our concern here is digitally signing files. The Tails team [digitally signs](/glossary/#digital-signatures) their .img releases. GPG gives us a way to verify that the file has actually been "signed" by the developers, which allows us to trust that it hasn't been tampered with.
|
GPG is a classic example of [public-key cryptography](/glossary/#public-key-cryptography). GPG provides cryptographic functions for [encrypting](/glossary/#encryption), decrypting, and signing files; our concern here is digitally signing files. The Tails team [digitally signs](/glossary/#digital-signatures) their .img releases. GPG gives us a way to verify that the file has actually been "signed" by the developers, which allows us to trust that it hasn't been tampered with.
|
||||||
|
|
||||||
Now you need to understand the basics of public-key cryptography. [This Computerphile video](https://invidious.sethforprivacy.com/watch?v=GSIDS_lvRv4) has a great overview with visual aids. To summarize, a **secret/private** key is used to **sign** messages, and only the user who has that key can do so. Each **private** key has a corresponding **public** key - this is called a **key pair**. The public key is shared with everyone and is used to verify the signature. Confused? Watch the video!
|
Now you need to understand the basics of public-key cryptography. [This Computerphile video](https://invidious.sethforprivacy.com/watch?v=GSIDS_lvRv4) has a great overview with visual aids. To summarize, a **secret/private** key is used to **sign** messages, and only the user who has that key can do so. Each **private** key has a corresponding **public** key — this is called a **key pair**. The public key is shared with everyone and is used to verify the signature. Confused? Watch the video!
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -42,9 +42,9 @@ Today's digital security is not necessarily tomorrow's. **Protecting personal da
|
||||||
|
|
||||||
Tails is free and [open-source](/glossary/#open-source) software. Anyone can view, download and modify the source code (the recipe)... It is absolutely necessary to make sure that the version of Tails you have is sound. Don't neglect the verification steps during installation, which are well explained on the Tails website.
|
Tails is free and [open-source](/glossary/#open-source) software. Anyone can view, download and modify the source code (the recipe)... It is absolutely necessary to make sure that the version of Tails you have is sound. Don't neglect the verification steps during installation, which are well explained on the Tails website.
|
||||||
|
|
||||||
Tails allows non-experts to benefit from digital security and anonymity without a steep learning curve. Using Tor is central to digital anonymity, and Tails helps us make as few mistakes as possible when using Tor and some other tools. Using Tails takes very little effort to make everyday digital behavior more secure, even if it seems “inconvenient” at times. The "convenient" alternative, on the other hand, means an increased risk of repression – not only for you, but also for those you communicate with.
|
Tails allows non-experts to benefit from digital security and anonymity without a steep learning curve. Using Tor is central to digital anonymity, and Tails helps us make as few mistakes as possible when using Tor and some other tools. Using Tails takes very little effort to make everyday digital behavior more secure, even if it seems “inconvenient” at times. The "convenient" alternative, on the other hand, means an increased risk of repression — not only for you, but also for those you communicate with.
|
||||||
|
|
||||||
This tutorial is divided into several sections. The first covers the basics for getting started with Tails. The second section covers tips for using the software included in Tails, as well as what you need to know about how Tor works. The third section is about troubleshooting any problems that you might encounter with your Tails USB, so do not give up at the first problem - most of the time the solution is simple!
|
This tutorial is divided into several sections. The first covers the basics for getting started with Tails. The second section covers tips for using the software included in Tails, as well as what you need to know about how Tor works. The third section is about troubleshooting any problems that you might encounter with your Tails USB, so do not give up at the first problem — most of the time the solution is simple!
|
||||||
|
|
||||||
## The Threat Model Concept
|
## The Threat Model Concept
|
||||||
|
|
||||||
|
|
@ -128,9 +128,9 @@ If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the syste
|
||||||
|
|
||||||
## Optional: Create and Configure Persistent Storage
|
## Optional: Create and Configure Persistent Storage
|
||||||
|
|
||||||
Tails is amnesiac by default. It will forget everything you have done as soon as you end the session. This isn't always what you want - for example, you may want to work on a document that you can't finish in one session. The same goes for installing additional software: you would have to redo the installation each time you start up. Tails has a feature called Persistent Storage, which allows you to save certain data between sessions. This is explicitly less secure, but necessary for some activities.
|
Tails is amnesiac by default. It will forget everything you have done as soon as you end the session. This isn't always what you want — for example, you may want to work on a document that you can't finish in one session. The same goes for installing additional software: you would have to redo the installation each time you start up. Tails has a feature called Persistent Storage, which allows you to save certain data between sessions. This is explicitly less secure, but necessary for some activities.
|
||||||
|
|
||||||
The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows a user to make some data persistent – that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**.
|
The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows a user to make some data persistent — that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**.
|
||||||
|
|
||||||
A window will pop up asking you to enter a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for information on passphrase strength. You'll then [configure](https://tails.net/doc/persistent_storage/configure/index.en.html) what you want to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
|
A window will pop up asking you to enter a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for information on passphrase strength. You'll then [configure](https://tails.net/doc/persistent_storage/configure/index.en.html) what you want to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
|
||||||
|
|
||||||
|
|
@ -250,7 +250,7 @@ The Onion Circuits application shows which Tor circuit a server connection (webs
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Like any software, the Tor Browser has vulnerabilities that can be exploited - various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest**. The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest**. The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||||
|
|
||||||
The layout of some pages may be changed, and some types of content may be disabled (SVG images, click-to-play videos, etc.). For example, this site has two things that will be blocked in Safest mode because they rely on Javascript: dark mode and the article's table of contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them with a less restrictive setting on a site-by-site basis. Remember that both "Standard" and "Safer" settings allow scripts to work, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
The layout of some pages may be changed, and some types of content may be disabled (SVG images, click-to-play videos, etc.). For example, this site has two things that will be blocked in Safest mode because they rely on Javascript: dark mode and the article's table of contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them with a less restrictive setting on a site-by-site basis. Remember that both "Standard" and "Safer" settings allow scripts to work, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
||||||
|
|
||||||
|
|
@ -294,7 +294,7 @@ Tails comes with [many applications](https://tails.net/doc/about/features/index.
|
||||||
|
|
||||||
When you need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Application → Favorites → KeePassXC**) that allows you to store your passwords in a file and protect them with a single master password.
|
When you need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Application → Favorites → KeePassXC**) that allows you to store your passwords in a file and protect them with a single master password.
|
||||||
|
|
||||||
We recommend that you compartmentalize your passwords - have a different KeePassXC file for each separate project. They can share the same Master Password - the point of compartmentalization is that only one project's passwords are unlocked at any given time. If the Tails session is compromised, the adversary won't get all of your passwords in one fell swoop, just the ones that are currently unlocked.
|
We recommend that you compartmentalize your passwords — have a different KeePassXC file for each separate project. They can share the same Master Password — the point of compartmentalization is that only one project's passwords are unlocked at any given time. If the Tails session is compromised, the adversary won't get all of your passwords in one fell swoop, just the ones that are currently unlocked.
|
||||||
|
|
||||||
>In the terminology used by KeePassXC, a *password* is a random sequence of characters (letters, numbers, and other symbols), while a *passphrase* is a random sequence of words.
|
>In the terminology used by KeePassXC, a *password* is a random sequence of characters (letters, numbers, and other symbols), while a *passphrase* is a random sequence of words.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,7 @@ a4="tamper-a4.pdf"
|
||||||
letter="tamper-letter.pdf"
|
letter="tamper-letter.pdf"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
If the police ever have [physical access](/glossary/#physical-attacks) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it at the hardware, firmware, or software level. One way to minimize this risk is to make devices tamper-evident. As the No Trace Project Threat Library [notes](https://www.notrace.how/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) - it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to detect when they do."
|
If the police ever have [physical access](/glossary/#physical-attacks) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it at the hardware, firmware, or software level. One way to minimize this risk is to make devices tamper-evident. As the No Trace Project Threat Library [notes](https://www.notrace.how/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) — it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to detect when they do."
|
||||||
|
|
||||||
<!-- more -->
|
<!-- more -->
|
||||||
['Evil maid' attacks](https://en.wikipedia.org/wiki/Evil_maid_attack) work like this: An attacker gains temporary access to your [encrypted](/glossary/#encryption) laptop or phone. Although they can’t decrypt your data, they can tamper with your laptop for a few minutes and then leave it exactly where they found it. When you return and enter your credentials, you have been hacked. The attacker may have [modified data on your hard drive](https://media.ccc.de/v/gpn20-32-poc-implementing-evil-maid-attack-on-encrypted-boot), replaced the firmware, or installed a hardware component such as a keylogger.
|
['Evil maid' attacks](https://en.wikipedia.org/wiki/Evil_maid_attack) work like this: An attacker gains temporary access to your [encrypted](/glossary/#encryption) laptop or phone. Although they can’t decrypt your data, they can tamper with your laptop for a few minutes and then leave it exactly where they found it. When you return and enter your credentials, you have been hacked. The attacker may have [modified data on your hard drive](https://media.ccc.de/v/gpn20-32-poc-implementing-evil-maid-attack-on-encrypted-boot), replaced the firmware, or installed a hardware component such as a keylogger.
|
||||||
|
|
@ -45,7 +45,7 @@ For this reason, it is preferable to apply nail polish directly to the screws ra
|
||||||
<img src="/posts/tamper/X230.jpg" class="no-dark">
|
<img src="/posts/tamper/X230.jpg" class="no-dark">
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018 - the winner [explained](https://hoodiepony.medium.com/bypassing-the-glitter-nail-polish-tamper-evident-seal-25d6973d617d) how they managed to do it. Notably, a brand of nail polish with relatively large pieces of glitter in only two colors was used. It would be difficult to apply this bypass to inset screw holes; if the glitter was applied with a high density of elements, but not too thick, this would also increase the difficulty. Finally, [using an adhesive](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-klebstoff) would also make the bypass less feasible.
|
Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018 — the winner [explained](https://hoodiepony.medium.com/bypassing-the-glitter-nail-polish-tamper-evident-seal-25d6973d617d) how they managed to do it. Notably, a brand of nail polish with relatively large pieces of glitter in only two colors was used. It would be difficult to apply this bypass to inset screw holes; if the glitter was applied with a high density of elements, but not too thick, this would also increase the difficulty. Finally, [using an adhesive](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-klebstoff) would also make the bypass less feasible.
|
||||||
|
|
||||||
Verification that the random pattern hasn't changed can be done manually with what astronomers call a "blink comparison". This is used in astronomy to detect small changes in the night sky: you quickly flick between the original photo and the current one, which makes it easier to see any changes. Alternatively, if you have an Android smartphone (either [GrapheneOS](/posts/grapheneos/) or a cheap one for [intrusion detection](#physical-intrusion-detection) that has an inferior camera), you can use an app called [Blink Comparison](https://github.com/proninyaroslav/blink-comparison), which makes it less likely to miss something. It can be installed like any other [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software), i.e. not through F-Droid.
|
Verification that the random pattern hasn't changed can be done manually with what astronomers call a "blink comparison". This is used in astronomy to detect small changes in the night sky: you quickly flick between the original photo and the current one, which makes it easier to see any changes. Alternatively, if you have an Android smartphone (either [GrapheneOS](/posts/grapheneos/) or a cheap one for [intrusion detection](#physical-intrusion-detection) that has an inferior camera), you can use an app called [Blink Comparison](https://github.com/proninyaroslav/blink-comparison), which makes it less likely to miss something. It can be installed like any other [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software), i.e. not through F-Droid.
|
||||||
|
|
||||||
|
|
@ -53,11 +53,11 @@ The Blink Comparison app encrypts its storage to prevent an adversary from easil
|
||||||
|
|
||||||
## Getting Started
|
## Getting Started
|
||||||
|
|
||||||
Now that you understand the nuances of applying nail polish to the screws of your laptop case, let's actually do it - if you are going to [install HEADS](#tamper-evident-software-and-firmware), do that first so the nail polish doesn't have to be removed and repeated. Before you start, you can also take a picture of the inside of the laptop in case you ever need to check if the internal components have been tampered with despite the nail polish protection (keep in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like the one shown above.
|
Now that you understand the nuances of applying nail polish to the screws of your laptop case, let's actually do it — if you are going to [install HEADS](#tamper-evident-software-and-firmware), do that first so the nail polish doesn't have to be removed and repeated. Before you start, you can also take a picture of the inside of the laptop in case you ever need to check if the internal components have been tampered with despite the nail polish protection (keep in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like the one shown above.
|
||||||
|
|
||||||
* First, take a photo of the bottom of the computer and use a program like GIMP to number the screws to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws that need to be numbered so that in the future you know which screw the photo `3.jpg` refers to.
|
* First, take a photo of the bottom of the computer and use a program like GIMP to number the screws to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws that need to be numbered so that in the future you know which screw the photo `3.jpg` refers to.
|
||||||
* Apply the glitter nail polish directly to each screw, making sure there are enough glitter elements without being too thick.
|
* Apply the glitter nail polish directly to each screw, making sure there are enough glitter elements without being too thick.
|
||||||
* Once it is dry, take good close-up photos of each screw - either with the Blink Comparison app on a smartphone or with a regular camera. It is a good idea to use lighting that is reproducible, so close the blinds on any windows and rely on the indoor lighting and the camera flash. Number the file names of the photos and back them up to a second storage location.
|
* Once it is dry, take good close-up photos of each screw — either with the Blink Comparison app on a smartphone or with a regular camera. It is a good idea to use lighting that is reproducible, so close the blinds on any windows and rely on the indoor lighting and the camera flash. Number the file names of the photos and back them up to a second storage location.
|
||||||
|
|
||||||
If you ever need to remove the nail polish to access the inside of the laptop, you can use a syringe to apply the nail polish remover to avoid applying too much and damaging the internal electronics.
|
If you ever need to remove the nail polish to access the inside of the laptop, you can use a syringe to apply the nail polish remover to avoid applying too much and damaging the internal electronics.
|
||||||
|
|
||||||
|
|
@ -121,7 +121,7 @@ This excerpt assumes that we take the cell phone with us, but [as discussed else
|
||||||
|
|
||||||
Haven is an Android app developed by the Freedom of Press Foundation that uses the smartphone’s many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. Unfortunately Haven is currently unmaintained and unreliable on many devices. Until [a good alternative is developed](https://github.com/guardianproject/haven/issues/465), make sure to test the functionality of Haven on your device before relying on it. We don't recommend using home surveillance cameras without privacy features, because then the police can have easy knowledge of your comings and goings without needing to set up their own surveillance cameras.
|
Haven is an Android app developed by the Freedom of Press Foundation that uses the smartphone’s many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. Unfortunately Haven is currently unmaintained and unreliable on many devices. Until [a good alternative is developed](https://github.com/guardianproject/haven/issues/465), make sure to test the functionality of Haven on your device before relying on it. We don't recommend using home surveillance cameras without privacy features, because then the police can have easy knowledge of your comings and goings without needing to set up their own surveillance cameras.
|
||||||
|
|
||||||
Haven should be used on a dedicated cheap Android device that is otherwise empty - an older [Pixel](https://www.privacyguides.org/android/#google-pixel) is a good choice because it is cheap but has good cameras. Make sure [full disk encryption](/glossary/#full-disk-encryption-fde) is enabled. If you have a smartphone in addition to the dedicated Haven phone, it should be turned off in the tamper-evident storage - if Haven was running on it instead and was discovered by the intruder, they would now have physical access to it while it was turned on.
|
Haven should be used on a dedicated cheap Android device that is otherwise empty — an older [Pixel](https://www.privacyguides.org/android/#google-pixel) is a good choice because it is cheap but has good cameras. Make sure [full disk encryption](/glossary/#full-disk-encryption-fde) is enabled. If you have a smartphone in addition to the dedicated Haven phone, it should be turned off in the tamper-evident storage — if Haven was running on it instead and was discovered by the intruder, they would now have physical access to it while it was turned on.
|
||||||
|
|
||||||
* Place the Haven smartphone in a location that has a line of sight to where an intruder would have to pass, such as a hallway that must be used to move between rooms or to access where the tamper-evident storage is located. It should be plugged in so the battery doesn't die; fairly long microUSB cables are available for this purpose.
|
* Place the Haven smartphone in a location that has a line of sight to where an intruder would have to pass, such as a hallway that must be used to move between rooms or to access where the tamper-evident storage is located. It should be plugged in so the battery doesn't die; fairly long microUSB cables are available for this purpose.
|
||||||
* Set a countdown to turn Haven on before you leave the house. The Haven app will log everything locally on the Android device. Sending remote notifications is currently [broken](https://github.com/guardianproject/haven/issues/454).
|
* Set a countdown to turn Haven on before you leave the house. The Haven app will log everything locally on the Android device. Sending remote notifications is currently [broken](https://github.com/guardianproject/haven/issues/454).
|
||||||
|
|
@ -129,9 +129,9 @@ Haven should be used on a dedicated cheap Android device that is otherwise empty
|
||||||
|
|
||||||
# Tamper-Evident Software and Firmware
|
# Tamper-Evident Software and Firmware
|
||||||
|
|
||||||
So far, we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. This is required for "defense in depth" - to trust an electronic device, you must trust the hardware, firmware, and software. Software or firmware compromise can occur [remotely](/glossary/#remote-attacks) (over the Internet) as well as with physical access, so it is especially important because the other measures won't detect a remote firmware compromise. Tamper-evident software and firmware are compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
|
So far, we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. This is required for "defense in depth" — to trust an electronic device, you must trust the hardware, firmware, and software. Software or firmware compromise can occur [remotely](/glossary/#remote-attacks) (over the Internet) as well as with physical access, so it is especially important because the other measures won't detect a remote firmware compromise. Tamper-evident software and firmware are compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
|
||||||
|
|
||||||
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that allows you to be notified if firmware or software has been tampered with - you will receive an email when Auditor performs a remote attestation.
|
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that allows you to be notified if firmware or software has been tampered with — you will receive an email when Auditor performs a remote attestation.
|
||||||
|
|
||||||
For Tails or Qubes OS, [HEADS](https://osresearch.net/) can do the same before you enter your boot password (on [supported devices](https://osresearch.net/Prerequisites#supported-devices)). However, installation is advanced. Keep the HEADS USB security dongle with you when you leave the house, and have a backup hidden at a trusted friend's house in case it ever falls in a puddle. For more information, see [Tails Best Practices](/posts/tails-best/#to-mitigate-against-remote-attacks).
|
For Tails or Qubes OS, [HEADS](https://osresearch.net/) can do the same before you enter your boot password (on [supported devices](https://osresearch.net/Prerequisites#supported-devices)). However, installation is advanced. Keep the HEADS USB security dongle with you when you leave the house, and have a backup hidden at a trusted friend's house in case it ever falls in a puddle. For more information, see [Tails Best Practices](/posts/tails-best/#to-mitigate-against-remote-attacks).
|
||||||
|
|
||||||
|
|
@ -151,15 +151,15 @@ Laptop screws can be verified monthly, or when something suspicious happens. Nei
|
||||||
|
|
||||||
# Further Reading
|
# Further Reading
|
||||||
|
|
||||||
* [Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice](https://dys2p.com/en/2021-12-tamper-evident-protection.html)
|
* [Random Mosaic — Detecting unauthorized physical access with beans, lentils and colored rice](https://dys2p.com/en/2021-12-tamper-evident-protection.html)
|
||||||
|
|
||||||
# Appendix: Cracking Safes
|
# Appendix: Cracking Safes
|
||||||
|
|
||||||
* [Rare-earth magnets](https://en.wikipedia.org/wiki/Safe-cracking#Magnet_risk) can unlock safes that use a [solenoid](https://www.youtube.com/watch?v=Y6cZrieFw-k) as the locking device in an undetectable manner.
|
* [Rare-earth magnets](https://en.wikipedia.org/wiki/Safe-cracking#Magnet_risk) can unlock safes that use a [solenoid](https://www.youtube.com/watch?v=Y6cZrieFw-k) as the locking device in an undetectable manner.
|
||||||
* [Safe bouncing](https://en.wikipedia.org/wiki/Safe-cracking#Safe_bouncing) is when the locking mechanism can be moved sufficiently by [banging or bouncing the safe](https://mosandboo.com/how-to-open-a-safe-without-the-key-or-code/) to open it in an undetectable manner. Safes that use a gear mechanism are less susceptible to mechanical attacks.
|
* [Safe bouncing](https://en.wikipedia.org/wiki/Safe-cracking#Safe_bouncing) is when the locking mechanism can be moved sufficiently by [banging or bouncing the safe](https://mosandboo.com/how-to-open-a-safe-without-the-key-or-code/) to open it in an undetectable manner. Safes that use a gear mechanism are less susceptible to mechanical attacks.
|
||||||
* Many safe models have a "management reset code" (also known as a "try-out combination") - if this code is not changed from its default setting the safe can be unlocked in an undetectable manner.
|
* Many safe models have a "management reset code" (also known as a "try-out combination") — if this code is not changed from its default setting the safe can be unlocked in an undetectable manner.
|
||||||
* [Spiking](https://en.wikipedia.org/wiki/Safe-cracking#Spiking_the_lock) is when the wires leading to the reset button, solenoid, or motor can be exposed and spiked with a battery. This should be possible to make tamper-evident, as it requires access to the wires.
|
* [Spiking](https://en.wikipedia.org/wiki/Safe-cracking#Spiking_the_lock) is when the wires leading to the reset button, solenoid, or motor can be exposed and spiked with a battery. This should be possible to make tamper-evident, as it requires access to the wires.
|
||||||
* [Brute force](/glossary#brute-force-attack) attacks - trying all possible combinations - are possible if the adversary has time. Dialing mechanisms can be brute-forced with a [computerized autodialer](https://learn.sparkfun.com/tutorials/building-a-safe-cracking-robot) that [doesn't need supervision](https://www.youtube.com/watch?v=vkk-2QEUvuk). Electronic keypads are less susceptible to brute force if they have a well-designed incremental lockout feature; for example, get it wrong 10 timesand you're locked out for a few minutes, 5 more wrong codes and you're locked out for an hour, etc.
|
* [Brute force](/glossary#brute-force-attack) attacks — trying all possible combinations — are possible if the adversary has time. Dialing mechanisms can be brute-forced with a [computerized autodialer](https://learn.sparkfun.com/tutorials/building-a-safe-cracking-robot) that [doesn't need supervision](https://www.youtube.com/watch?v=vkk-2QEUvuk). Electronic keypads are less susceptible to brute force if they have a well-designed incremental lockout feature; for example, get it wrong 10 timesand you're locked out for a few minutes, 5 more wrong codes and you're locked out for an hour, etc.
|
||||||
* There are several tools that can automatically retrieve or reset the combination of an electronic lock, such as the Little Black Box and Phoenix. Tools like these are often connected to wires inside the lock that can be accessed without damaging the lock or container. This should be possible to make tamper-evident, as it requires access to the wires.
|
* There are several tools that can automatically retrieve or reset the combination of an electronic lock, such as the Little Black Box and Phoenix. Tools like these are often connected to wires inside the lock that can be accessed without damaging the lock or container. This should be possible to make tamper-evident, as it requires access to the wires.
|
||||||
* There are several [keypad-based attacks](https://en.wikipedia.org/wiki/Safe-cracking#Keypad-based_attacks), and some can be mitigated with proper operational security.
|
* There are several [keypad-based attacks](https://en.wikipedia.org/wiki/Safe-cracking#Keypad-based_attacks), and some can be mitigated with proper operational security.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -14,13 +14,13 @@ We agree with the conclusion of an overview of [targeted surveillance measures i
|
||||||
|
|
||||||
## Your Phone
|
## Your Phone
|
||||||
|
|
||||||
>**[Operating system](/glossary#operating-system-os)**: **GrapheneOS** is the only reasonably secure choice for cell phones. See [GrapheneOS for Anarchists](/posts/grapheneos/). [Kill the cop in your pocket](/posts/nophones/) - if you decide to have a phone, treat it like an "encrypted landline" and leave it at home when you are out of the house.
|
>**[Operating system](/glossary#operating-system-os)**: **GrapheneOS** is the only reasonably secure choice for cell phones. See [GrapheneOS for Anarchists](/posts/grapheneos/). [Kill the cop in your pocket](/posts/nophones/) — if you decide to have a phone, treat it like an "encrypted landline" and leave it at home when you are out of the house.
|
||||||
|
|
||||||
## Your Computer
|
## Your Computer
|
||||||
|
|
||||||
>**[Operating system](/glossary#operating-system-os)**: **Tails** is unparalleled for sensitive computer use (writing and sending communiques, moderating a sketchy website, researching for actions, reading articles that may be criminalized, etc.). Tails runs from a USB drive and is designed with the anti-forensic property of leaving no trace of your activity on your computer, as well as forcing all Internet connections through the [Tor network](/glossary#tor-network). See [Tails for Anarchists](/posts/tails/) and [Tails Best Practices](/posts/tails-best/).
|
>**[Operating system](/glossary#operating-system-os)**: **Tails** is unparalleled for sensitive computer use (writing and sending communiques, moderating a sketchy website, researching for actions, reading articles that may be criminalized, etc.). Tails runs from a USB drive and is designed with the anti-forensic property of leaving no trace of your activity on your computer, as well as forcing all Internet connections through the [Tor network](/glossary#tor-network). See [Tails for Anarchists](/posts/tails/) and [Tails Best Practices](/posts/tails-best/).
|
||||||
|
|
||||||
>**[Operating system](/glossary#operating-system-os)**: **Qubes OS** has better security than Tails for many use cases, but has a steeper learning curve and no anti-forensic features. However, it is accessible enough for journalists and other non-technical users. Basic knowledge of using Linux is required - see [Linux Essentials](/posts/linux). Qubes OS can even run Windows programs such as Adobe InDesign, but much more securely than a standard Windows computer. See [Qubes OS for Anarchists](/posts/qubes/).
|
>**[Operating system](/glossary#operating-system-os)**: **Qubes OS** has better security than Tails for many use cases, but has a steeper learning curve and no anti-forensic features. However, it is accessible enough for journalists and other non-technical users. Basic knowledge of using Linux is required — see [Linux Essentials](/posts/linux). Qubes OS can even run Windows programs such as Adobe InDesign, but much more securely than a standard Windows computer. See [Qubes OS for Anarchists](/posts/qubes/).
|
||||||
|
|
||||||
See [When to Use Tails vs. Qubes OS](/posts/qubes/#when-to-use-tails-vs-qubes-os)
|
See [When to Use Tails vs. Qubes OS](/posts/qubes/#when-to-use-tails-vs-qubes-os)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue