diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md
index 198e391..6888ece 100644
--- a/content/posts/e2ee/index.md
+++ b/content/posts/e2ee/index.md
@@ -33,7 +33,7 @@ Since anonymous public-facing projects such as counter-info websites interact wi
The following recommendations for encrypted messaging are listed in order of highest to lowest metadata protection.
**TLDR:**
-* Cwtch for text messages
+* Cwtch for text communication
* SimpleX Chat or Signal for voice or video calls
* PGP Email for anonymously-run public projects
@@ -47,7 +47,7 @@ The following recommendations for encrypted messaging are listed in order of hig
* **Peer-to-peer**: Yes
* **Tor**: Yes
-Cwtch is our preference for text messages by a long shot. For an overview of how Cwtch works, watch the video below. Cwtch is designed with metadata protection in mind; it's peer-to-peer, uses the Tor network, and stores all data locally on the device, encrypted.
+Cwtch is our preference for text communication by a long shot. For an overview of how Cwtch works, watch the video below. Cwtch is designed with metadata protection in mind; it's peer-to-peer, uses the Tor network, and stores all data locally on the device, encrypted.
@@ -269,7 +269,7 @@ These barriers to anonymous registration mean that Signal is rarely used anonymo
In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. Police seized suspects' phones during arrests and house raids, as well as targeting them through spyware, and then identified Signal contacts and group members. These identities were added to the list of suspects who were subsequently investigated.
-The risk of a compromised device aiding the police in network mapping is partly mitigated by the [username feature](https://signal.org/blog/phone-number-privacy-usernames/) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
+The risk of a compromised device aiding the police in network mapping is partly mitigated by the [username feature](https://signal.org/blog/phone-number-privacy-usernames/) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. We recommend that you select a username and profile photo that won't be useful for establishing your identity. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
A private company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
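Review bot: the added sentence "select a username and profile photo that won't be useful for establishing your identity" is the only advice in this paragraph without a concrete instruction; say what to avoid (a real name or nickname, a face, anything reused from another account) so it matches the precision of the settings paths around it. It would also read better placed after the "Always relay calls" sentence, so the phone-number settings and the call-relay setting stay together as the configuration steps and the profile advice closes the paragraph.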
diff --git a/content/posts/grapheneos/index.md b/content/posts/grapheneos/index.md
index b294992..1d6bbb6 100644
--- a/content/posts/grapheneos/index.md
+++ b/content/posts/grapheneos/index.md
@@ -25,7 +25,11 @@ Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/fi
# Installation
-[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
+[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, [making it substantially harder to remotely exploit user installed apps like Signal](https://grapheneos.social/@GrapheneOS/111479318824446241).
+
+Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
+
+Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
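Review bot: the second new paragraph links https://grapheneos.org/faq#device-lifetime twice, first as "5 years of security updates" and again as the closing "See how long GrapheneOS will support the device for"; drop the closing sentence or point it at something the paragraph does not already link. Two wording points in the first paragraph: "user installed apps" should be "user-installed apps", and the quoted phrase "Hardware memory tagging support" is presented without saying where the quote comes from; stating plainly that this is a hardware feature of the Pixel 8 and newer devices, with the link as the source, reads better than the bare quotation marks.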
@@ -86,8 +90,9 @@ The Owner user profile is the default profile that is present when you turn on t
We'll now create a second user profile for all applications that don't require Google Play services:
* **Settings → System → Multiple users**, press **Add user**. You can name it Default and press **Switch to Default**.
-* Set a [strong password](/posts/tails-best/#passwords) that is different from your Owner user profile password.
-* In the Default user profile, **Settings → Security → Screen lock settings → Lock after screen timeout** can be set to 30 minutes to minimize how often you'll have to re-enter the password.
+* Set a password that is different from your Owner user profile password.
+ * Choose either the combination of a weak password + small locking time (trusting the rate-limiting of password attempts [enforced by the secure element](https://grapheneos.org/faq#encryption)), or a [strong password](/posts/tails-best/#passwords) + longer locking time (if rate-limiting is bypassed through a firmware vulnerability this is still a strong password, but the profile data is vulnerable if the device is left unattended). Keep in mind that if police ever seize your device (such as during a daytime house raid), it should ideally be turned off, and at minimum, it should be locked (which starts the countdown to the Auto-reboot feature mentioned below).
+* In the Default user profile, you can set the locking time with **Settings → Security → Screen lock settings → Lock after screen timeout**, and the screen timeout with **Settings → Display → Screen timeout**.
Later, we will optionally create a third user profile for applications that require Google Play services.
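Review bot: the removed line carried a concrete value (Lock after screen timeout: 30 minutes), while the replacement offers "small locking time" versus "longer locking time" with no numbers, so a reader following the new bullets cannot actually configure either option; give an example value for each. The two options are also presented as equivalent, yet the parenthetical itself says the weak-password option fails if secure-element rate limiting is bypassed through a firmware vulnerability; state which option the guide recommends by default (the strong-password option is the one whose security does not depend on the secure element holding up) and keep the weak-password option as an explicit trade-off for people who unlock very frequently. Minor: the nested bullet is indented by a single space, which matches the existing sub-bullets elsewhere in this file but is less than the two-space content column CommonMark expects after `* `, so strict renderers show it as a top-level item; worth checking in the built site.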
@@ -156,9 +161,10 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
# Recommended Settings and Habits
-* [Owner user profile] **Settings → Security → Auto reboot:** 8 hours
- * The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting will return it to a more effective encryption once the time has elapsed.
+* [Owner user profile] **Settings → Security → Auto reboot:** 18 hours or less
+ * The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
+* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - apps installed in a secondary user profile delegated from the Owner profile will still be updated.
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
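Review bot: the Auto reboot value changes from 8 hours to "18 hours or less", but the rationale sub-bullet still says the device "will reboot at least overnight if you forget to turn it off", which held for 8 hours and does not hold for 18 (a phone last unlocked in the evening would not reboot until the following afternoon); either give the reason 18 hours is the new ceiling in the bullet itself rather than only behind the link, and adjust the "overnight" claim, or recommend a lower value for the overnight case and present 18 as the maximum. The new USB-C Port bullet is the only setting in this list without the one-line rationale the others have; add what "Charging-only" prevents (data connections over the port, so a cable cannot be used to talk to the device) so the reader knows what they give up by changing it.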
diff --git a/content/posts/linux/index.md b/content/posts/linux/index.md
index 7b1c473..60d2c69 100644
--- a/content/posts/linux/index.md
+++ b/content/posts/linux/index.md
@@ -1,6 +1,5 @@
+++
-title="Linux Essentials"
-description="The Basics Needed to Use Tails or Qubes"
+title="Linux Essentials: The Basics Needed to Use Tails or Qubes"
date=2023-04-04
[taxonomies]
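Review bot: folding the description into the title leaves this post with no `description` key in its front matter, while the page.html hunk further down still shows `{{ page.description }}` as unchanged context; confirm the template renders correctly for a post without a description (and for any other posts changed the same way), or keep a short description line so this post's metadata stays consistent with the rest of content/posts/.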
diff --git a/themes/DeepThought/sass/deep-thought.sass b/themes/DeepThought/sass/deep-thought.sass
index 116b720..9039f77 100644
--- a/themes/DeepThought/sass/deep-thought.sass
+++ b/themes/DeepThought/sass/deep-thought.sass
@@ -542,12 +542,16 @@ pre[theme="dark"]
height: auto
max-height:90vh
+h1
+ text-align: center !important
+
h2
font-size: 1.44em !important
h3
font-size: 1.09em !important
+ font-style: italic !important
h4
- font-size: 1em !important
- font-style: italic !important
+ font-size: 0.9em !important
+ text-decoration: underline !important
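Review bot: underlining h4 (`text-decoration: underline !important`) gives fourth-level headings the conventional affordance of a link, so readers will try to click them; bold weight or a colour change would distinguish h4 from h3 without that ambiguity. Note also that h3 takes over the italic styling h4 had, so every existing post changes appearance at two heading levels at once; worth a quick visual pass over the longer posts. The `!important` on each declaration follows the surrounding rules rather than being new here, but if these selectors were scoped to the content container the overrides would not be needed at all.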
diff --git a/themes/DeepThought/templates/page.html b/themes/DeepThought/templates/page.html
index b5e9be0..f45e471 100644
--- a/themes/DeepThought/templates/page.html
+++ b/themes/DeepThought/templates/page.html
@@ -19,7 +19,6 @@
{{ page.description }}