Git-Mirrors/anarsec.guide
1
0
Fork 0
mirror of https://0xacab.org/anarsec/anarsec.guide.git synced 2025-06-14 09:39:18 -04:00
Code Issues Projects Releases Packages Wiki Activity

reformat unnecessary lists

Browse source
This commit is contained in:
anarsec 2024-04-22 00:04:19 +00:00
parent 8ae907510f
commit 745de9bf7d
No known key found for this signature in database
5 changed files with 54 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

2
content/posts/e2ee/index.md
View file

@ -33,7 +33,7 @@ Since anonymous public-facing projects such as counter-info websites interact wi
The following recommendations for encrypted messaging are listed in order of highest to lowest metadata protection.
**TLDR:**
**TL;DR**
* Cwtch for text communication
* SimpleX Chat or Signal for voice/video calls

8
content/posts/grapheneos/index.md
View file

@ -172,10 +172,10 @@ In the Owner user profile:
* **Settings → Security → Auto reboot:** 18 hours or less
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again. It will reboot overnight if you forget to turn it off. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
* **Settings → Security → USB-C Port:** [Charging-only or Off](https://grapheneos.social/@GrapheneOS/112204446073852302)
* Once you have all the applications you need in a secondary user profile, disable app installation in that profile — apps that are delegated to a secondary user profile from the Owner profile (via "Install available apps", as described above) will still be updated.
* **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
* It is convenient to be able to receive notifications from any user profile:
* **Settings → System → Multiple users:** Send notifications to current user (enabled)
* **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
* Once you have all the applications you need in a secondary user profile, disable app installation in that profile — apps that are delegated to a secondary user profile from the Owner profile (via "Install available apps", as described above) will still be updated.
* **Settings → System → Multiple users:** Send notifications to current user (enabled)
* It is convenient to be able to receive notifications from any user profile:
In all profiles:

65
content/posts/qubes/index.md
View file

@ -98,7 +98,7 @@ And to use Qubes OS:
# Getting Started
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. Check this [hardware compatibility list](https://www.qubes-os.org/hcl/) to see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop. We recommend the ThinkPad X230 because it's the only developer-tested laptop model and it is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and [Best Practices](/posts/qubes/#hardware-security) for further discussion of hardware security.
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. Check this [hardware compatibility list](https://www.qubes-os.org/hcl/) to see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop. We recommend the ThinkPad X230 because it's the only developer-tested laptop model and it is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and the [appendix](/posts/qubes/#appendix-hardware-security) for further discussion of hardware security.
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
@ -108,7 +108,7 @@ After you first boot Qubes OS, there is a post-installation:
* Check the boxes for Whonix qubes, and for updates to happen over Tor.
* The post-installation gives the you option to install only Debian or only Fedora Templates (instead of both), and to use the Debian Template for all sys qubes (the default is Fedora). Whether you choose to use Debian or Fedora for qubes that don't require Tor is up to you, but this guide assumes you choose Debian. The Privacy Guides project [argues](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), but also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](/posts/qubes/#post-installation-decisions) for further discussion of this configuration choice.
* The post-installation gives the you option to install only Debian or only Fedora Templates (instead of both), and to use the Debian Template for all sys qubes (the default is Fedora). Whether you choose to use Debian or Fedora for qubes that don't require Tor is up to you, but this guide assumes you choose Debian. The Privacy Guides project [argues](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), but also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See the [appendix](/posts/qubes/#appendix-post-installation-decisions) for further discussion of this configuration choice.
* Make sys-net disposable. If you are using Wi-Fi instead of Ethernet, you will need to re-enter the Wi-Fi password after every boot (you can simply paste it from your password manager).
@ -361,27 +361,41 @@ It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), a
Configuring Qubes OS is much more flexible than configuring Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article:
* Protecting your identity
* [Clean metadata](/posts/metadata/) from files before you share them.
* Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
* Limitations of the Tor network
* For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail).
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet to use.
* Reducing risks when using untrusted computers
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.net/install/expert/index.en.html).
* Only attach USBs and external drives to a qube that is disposable and offline.
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. Unlike for Tails, it's not possible to remove the hard drive because it is used by the operating system. Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive.
* Encryption
* Passwords: [See above](/posts/qubes/#password-management)
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/). The Qubes OS documentation can be used to configure [Split-GPG](https://www.qubes-os.org/doc/split-gpg/) — this is an advanced configuration where private GPG keys are stored in an offline qube and access to them is strictly controlled.
* Phishing awareness
* This is where Qubes OS really shines. Awareness is no longer your only defense — Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
* Open attachments in a disposable and offline qube.
* Open links in a disposable Whonix-Workstation qube.
## Protecting your identity
## Post-installation Decisions
* [Clean metadata](/posts/metadata/) from files before you share them.
* Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
## Limitations of the Tor network
* For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail).
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet to use.
## Reducing risks when using untrusted computers
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.net/install/expert/index.en.html).
* Only attach USBs and external drives to a qube that is disposable and offline.
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. Unlike for Tails, it's not possible to remove the hard drive because it is used by the operating system. Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive.
## Phishing awareness
* This is where Qubes OS really shines. Awareness is no longer your only defense — Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
* Open attachments in a disposable and offline qube.
* Open links in a disposable Whonix-Workstation qube.
## Encryption
* Passwords: [See above](/posts/qubes/#password-management)
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/). The Qubes OS documentation can be used to configure [Split-GPG](https://www.qubes-os.org/doc/split-gpg/) — this is an advanced configuration where private GPG keys are stored in an offline qube and access to them is strictly controlled.
# Wrapping Up
The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend that you start using Qubes OS gradually, as trying to learn everything at once can be overwhelming. But we promise, it's not as complicated as it seems at first!
# Appendix: Post-installation Decisions
During the [post-installation of Qubes OS](/posts/qubes/#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure — Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
@ -398,7 +412,7 @@ To create a Kicksecure disposable, go to **Applications menu → Qubes Tools →
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes, set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-17-dvm` Template.
## Hardware Security
# Appendix: Hardware Security
Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer:
@ -416,7 +430,7 @@ Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the
Qubes OS also applies appropriate software mitigation to this class of attacks at the hypervisor level, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
## OPSEC for Memory Use
# Appendix: OPSEC for Memory Use
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Make sure to always be aware of which qubes are running simultaneously — it is best to only have trusted qubes alongside each other.
@ -431,6 +445,3 @@ To address "future not-yet-identified vulnerabilities of this kind" on older har
* shut down the vault qube,
* unpause the untrusted qube(s), and paste the credential
# Wrapping Up
The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend that you start using Qubes OS gradually, as trying to learn everything at once can be overwhelming. But we promise, it's not as complicated as it seems at first!

4
content/posts/tails-best/index.md
View file

@ -276,7 +276,7 @@ Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wik
>What is a diceware passphrase? As [Privacy Guides notes](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases), "Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`." The Password Generator feature in KeePassXC can generate diceware passphrases and random passwords. If you prefer to generate diceware passphrases using real dice, see [Privacy Guides](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases).
### General recommendations:
### General recommendations
* Memorize diceware passphrases of 7-10 words for everything that you'll need to enter before you have access to an unlocked KeePassXC database (in other words, your Full Disk Encryption passphrase and the KeePassXC master passphrase).
* Generate passwords of 21 random characters for everything that can be stored in a KeePassXC database. Maintain an off-site backup of your KeePassXC database(s) in case it is ever corrupted or seized.
@ -285,7 +285,7 @@ Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wik
>
> Your memorized diceware passphrases can be easy to forget if you have several to keep track of, especially if you use any of them infrequently. To reduce the risk of forgetting a diceware passphrase permanently, you can use Tails to store all "memorized" passphrases on a LUKS USB then store it off-site where it won't be recovered during a police raid. You should be able to reconstruct the LUKS passphrase of this USB if a lot of time has passed. See the [Threat Library](https://www.notrace.how/threat-library/mitigations/digital-best-practices.html#header-use-strong-passwords) for two different approaches you can take: one relies on a trusted comrade, and the other is self-sufficient. As with all important backups, you should have at least two.
### Tails passphrases:
### Tails passphrases
For Tails, you need to memorize two passphrases:

17
content/posts/tails/index.md
View file

@ -60,12 +60,13 @@ It makes no sense to say "this tool is secure". Security always depends on the t
### Select a USB/DVD:
* Tails will only work with USBs that are at least 8GB, DVDs, or SD cards. Any data on the USB will be completely erased during installation, so save it somewhere else before, and if you don't want any trace of what was there before, use a new USB.
* The [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch) article recommends using a USB with a write-protect switch (an unmodifiable disk). When locked, the switch prevents the contents of the USB from being changed at all. This prevents a compromised Tails session from compromising your Tails USB. The write-protect switch must be turned off during installation. If you are unable to obtain such a USB, you can run Tails from a SD card, DVD-R/DVD+R, or always boot with the `toram` option (described in the article).
Tails will only work with USBs that are at least 8GB, DVDs, or SD cards. Any data on the USB will be completely erased during installation, so save it somewhere else before, and if you don't want any trace of what was there before, use a new USB.
The [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch) article recommends using a USB with a write-protect switch (an unmodifiable disk). When locked, the switch prevents the contents of the USB from being changed at all. This prevents a compromised Tails session from compromising your Tails USB. The write-protect switch must be turned off during installation. If you are unable to obtain such a USB, you can run Tails from a SD card, DVD-R/DVD+R, or always boot with the `toram` option (described in the article).
### Select a laptop:
* Although it is possible to use Tails on a desktop computer, it is not recommended because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more information on obtaining a laptop.
Although it is possible to use Tails on a desktop computer, it is not recommended because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more information on obtaining a laptop.
Some laptop and USB models will not work with Tails, or some features will not work. To see if your model has any known issues, see the [Tails known issues page](https://tails.net/support/known_issues/).
@ -79,11 +80,11 @@ There are two solutions for the "source".
### Solution 1: Install from another Tails USB
* This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.net/install/clone/pc/index.en.html) or [Mac](https://tails.net/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation.
This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.net/install/clone/pc/index.en.html) or [Mac](https://tails.net/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation.
### Solution 2: Install by download (preferred)
* Follow the [Tails installation instructions](https://tails.net/install/index.en.html); it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you (this is called a [man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.net/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download.
Follow the [Tails installation instructions](https://tails.net/install/index.en.html); it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you (this is called a [man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.net/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download.
## Booting from your Tails USB
@ -176,11 +177,11 @@ Every time you start Tails, right after you connect to the Tor network, the Tail
### The automatic upgrade
* When an [automatic upgrade](https://tails.net/doc/upgrade/index.en.html) is available, a window will appear with information about the upgrade, and you will need to click **Upgrade now**. Wait a while for it to complete, then click 'Apply upgrade' and your internet will be interrupted for a moment. Wait until you see the Restart Tails window. If the upgrade fails (for example, because you shut down before it was finished), your Persistent Storage will not be affected, but you may not be able to restart your Tails USB. If you are using a USB with a write-protect switch, you will need to unlock it for the dedicated session in which you are performing the upgrade.
When an [automatic upgrade](https://tails.net/doc/upgrade/index.en.html) is available, a window will appear with information about the upgrade, and you will need to click **Upgrade now**. Wait a while for it to complete, then click 'Apply upgrade' and your internet will be interrupted for a moment. Wait until you see the Restart Tails window. If the upgrade fails (for example, because you shut down before it was finished), your Persistent Storage will not be affected, but you may not be able to restart your Tails USB. If you are using a USB with a write-protect switch, you will need to unlock it for the dedicated session in which you are performing the upgrade.
### The manual upgrade
* Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.net/upgrade/tails/index.en.html).
Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.net/upgrade/tails/index.en.html).
# II) Going Further: Several Tips and Explanations
@ -435,5 +436,5 @@ Sometimes the Synaptic Package Manager will refuse to install software. In this
[Tails Best Practices](/posts/tails-best) are important to establish before using Tails for highly sensitive activities like [claiming an action](https://www.notrace.how/resources/#how-submit). To avoid overwhelming yourself, start by learning how to use Tails in basic ways, such as reading anarchist websites or writing texts. See the [Tails tag](/tags/tails/) for tutorials on topics like [removing identifying metadata from files](/posts/metadata/).
*This article is heavily modified from* [TuTORiel Tails](https://infokiosques.net/spip.php?article1726) *(in French), and also includes some excerpts from* [Capulcu #1](https://capulcu.blackblogs.org/neue-texte/bandi/) *(in German).*
*This article draws from* [TuTORiel Tails](https://infokiosques.net/spip.php?article1726) *(in French), and* [Capulcu #1](https://capulcu.blackblogs.org/neue-texte/bandi/) *(in German).*