Git-Mirrors/anarsec.guide
1
0
Fork 0
mirror of https://0xacab.org/anarsec/anarsec.guide.git synced 2025-07-22 14:20:47 -04:00
Code Issues Projects Releases Packages Wiki Activity

cwtch on tails, argon2id tails 6.0, relative hrefs

Browse source
This commit is contained in:
anarsec 2023-06-28 16:51:29 +00:00
parent cfdd7766b6
commit 5f5b9d8830
No known key found for this signature in database
4 changed files with 13 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

19
content/posts/e2ee/index.md
View file

@ -64,22 +64,21 @@ Any Cwtch user can turn the app on their phone or computer into an untrusted ser
<li>Compare the hash of the file with what is listed on the download page </li>
</ul>
</li>
<li>As per our <a href="/posts/tails-best/#using-a-write-protect-switch">Tails Best Practices</a>, personal data should be stored on a second LUKS USB, not on the Tails Persistent Storage. Copy the file to such a personal data LUKS USB and extract it with the file manager (right click, select &quot;Extract Here&quot;). We will not be using the Additional Software Persistent Storage feature - Cwtch is an AppImage so doesn't require it. </li>
<li>As per our <a href="/posts/tails-best/#using-a-write-protect-switch">Tails Best Practices</a>, personal data should be stored on a second LUKS USB, and the Persistent Storage is not enabled. Extract the file with the file manager (right click, select &quot;Extract Here&quot;), then copy the folder <code>cwtch</code> to such a personal data LUKS USB. <ul>
<li>OPTIONAL - If you do enable Persistent Storage: with Persistent Storage unlocked, in Terminal run <code>sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf && sudo sed -i '$ a /home/amnesia/.local source=cwtch_install' /live/persistence/TailsData_unlocked/persistence.conf</code> then reboot Tails for the changes to take effect, again with an Adminstration Password.</li>
</ul>
</li>
<li>Run the install script<ul>
<li>In the File Manager, enter to directory you just created, <code>cwtch</code>. Right click in the File Manager and select "Open a Terminal Here"</li>
<li>Run <code>install-tails.sh</code></li>
<li>In the File Manager, enter the directory you just created, <code>cwtch</code>. Right click in the File Manager and select "Open a Terminal Here"</li>
<li>Run <code>install-tails.sh</code> and enter the Administration Password when prompted.</li>
</ul>
</li>
<li>As the <a href="https://docs.cwtch.im/docs/platforms/tails">documentation</a> specifies, "When launching, Cwtch on Tails should be passed the CWTCH_TAILS=true environment variable". In the Terminal, run:<ul>
<li><code>exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch</code></li>
</ul>
</li>
<li>How you use Cwtch depends on whether you have enabled Persistent Storage: <ul>
<li>With Persistent Storage disabled, Cwtch must be re-installed every session you need to use it. Backup <code>`/home/amnesia/.cwtch/`</code> to the personal data LUKS USB, and copy it back into <code>/home/amnesia/</code> the next time you install Cwtch. </li>
<li>With Persistent Storage enabled and unlocked, in Terminal run <code>sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf</code></li>
</ul>
</li>
<li>Updates must be made manually - back up your profile first.</li>
<li>With Persistent Storage disabled, Cwtch must be re-installed every session you need to use it. Backup <code>`/home/amnesia/.cwtch/`</code> to the personal data LUKS USB, and copy it back into <code>/home/amnesia/</code> the next time you install Cwtch.</li>
<li>Updates to new versions must be made manually - back up your profile first.</li>
<br>
</details>
@ -175,7 +174,7 @@ https_proxy = 127.0.0.1:8082
* **Peer-to-peer**: No
* **Tor**: Not default
Element is the name of the application (the client), and Matrix is the name of the network. A comparison to email may be helpful to understand it; Element is the equivalent of Thunderbird, whereas Matrix is the equivalent of the Simple Mail Transfer Protocol (SMTP) which underlies email. Element/Matrix is not peer-to-peer; you need to trust the server. However, unlike Signal, the servers are not centralized but rather federated - anyone can host their own. Unfortunately, the 'federation model' has the trade off that Matrix does [not have metadata protection](https://web.archive.org/web/https://serpentsec.1337.cx/matrix): "Federated networks are naturally more vulnerable to metadata leaks than peer-to-peer or centralized networks". To minimize this, see [Notes on the safe use of the Matrix service from Systemli](https://wiki.systemli.org/howto/matrix/privacy).
Element is the name of the application (the client), and Matrix is the name of the network. A comparison to email may be helpful to understand it; Element is the equivalent of Thunderbird, whereas Matrix is the equivalent of the Simple Mail Transfer Protocol (SMTP) which underlies email. Element/Matrix is not peer-to-peer; you need to trust the server. However, unlike Signal, the servers are not centralized but rather federated - anyone can host their own. Unfortunately, the 'federation model' has the trade off that Matrix does [not have metadata protection](https://web.archive.org/web/https://serpentsec.1337.cx/matrix): "Federated networks are naturally more vulnerable to metadata leaks than peer-to-peer or centralized networks". To minimize this, see [Notes on the safe use of the Matrix service from Systemli](https://wiki.systemli.org/en/howto/matrix/privacy).
Element will work with Tor if it is used on an operating system that forces it; such as Whonix or Tails.

4
content/posts/tails-best/index.md
View file

@ -4,7 +4,7 @@ date=2023-04-08
[taxonomies]
categories = ["Defensive"]
tags = ["best practice", "linux", "tails", "easy"]
tags = ["linux", "tails", "easy"]
[extra]
blogimage="/images/tails1.png"
@ -138,7 +138,7 @@ Another reason to not use Persistent Storage features is that many of them persi
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a randomized sequence of characters (letters, numbers and other symbols), whereas a [*passphrase*](/glossary/#passphrase) is a random series of words.
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered down** - when the device is on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default from [Tails 5.13](https://tails.boum.org/security/argon2id/index.en.html) onwards, and Qubes OS 4.1 onwards. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/).
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered down** - when the device is on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default from Tails 6.0 ([forthcoming](https://gitlab.tails.boum.org/tails/tails/-/issues/19733)) onwards, and Qubes OS 4.1 onwards. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/).
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of around 128 bits (diceware passphrases of approximately **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers and symbols) and shouldn't have less than 90 bits of entropy (approximately seven words).

2
themes/DeepThought/templates/categories/list.html
View file

@ -13,7 +13,7 @@
<p class='subtitle is-4'>{{ terms | length }} categories in total</p>
<p>
{% for category in terms %}
<a href="{{ get_taxonomy_url(kind='categories', name=category.name) }}" class="mr-4">
<a href="/categories/{{category.name | lower}}" class="mr-4">
<span class="icon">
<i class="fas fa-cube"></i>
</span>

2
themes/DeepThought/templates/tags/list.html
View file

@ -13,7 +13,7 @@
<p class='subtitle is-4'>{{ terms | length }} tags in total</p>
<p>
{% for tag in terms %}
<a href="{{ get_taxonomy_url(kind='tags', name=tag.name) }}" class="mr-4">
<a href="/tags/{{tag.name | lower}}" class="mr-4">
<span class="icon">
<i class="fas fa-tag"></i>
</span>