typst glossary bug

anarsec 2024-04-15 18:30:02 +00:00
parent 679f46f7c6
commit 7decaf8359
No known key found for this signature in database
3 changed files with 20 additions and 15 deletions


@ -14,7 +14,7 @@ a4="tails-best-a4.pdf"
letter="tails-best-letter.pdf"
+++
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary#threat-model) — operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://www.notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations. If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary/#threat-model) — operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://www.notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations. If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
<!-- more -->
@ -26,7 +26,7 @@ Let's start by looking at the three topics covered on the [Tails Warnings page](
> Tails is designed to hide your identity. But some of your activities could reveal your identity:
>
> 1. Sharing files with [metadata](/glossary#metadata), such as date, time, location, and device information
> 1. Sharing files with [metadata](/glossary/#metadata), such as date, time, location, and device information
> 2. Using Tails for more than one purpose at a time
## 1. Sharing files with metadata
@ -41,9 +41,9 @@ You can mitigate this second issue by what's called **"compartmentalization"**:
* [Compartmentalization](https://www.notrace.how/threat-library/mitigations/compartmentalization.html) means keeping different activities or projects separate. If you use Tails sessions for more than one purpose at a time, an adversary could link your different activities together. For example, if you log into different accounts on the same website in a single Tails session, the website could determine that the accounts are being used by the same person. This is because websites can tell when two accounts are using the same Tor circuit.
* To prevent an adversary from linking your activities while using Tails, restart Tails between different activities. For example, restart Tails between checking different project emails.
* Tails is amnesiac by default, so to save any data from a Tails session, you must save it to a USB. If the files you save could be used to link your activities together, use a different encrypted ([LUKS](/glossary#luks)) USB stick for each activity. For example, use one Tails USB stick for moderating a website and another for researching actions. Tails has a feature called Persistent Storage, but we do not recommend using it for data storage, explained [below](/posts/tails-best/#using-a-write-protect-switch).
* Tails is amnesiac by default, so to save any data from a Tails session, you must save it to a USB. If the files you save could be used to link your activities together, use a different encrypted ([LUKS](/glossary/#luks)) USB stick for each activity. For example, use one Tails USB stick for moderating a website and another for researching actions. Tails has a feature called Persistent Storage, but we do not recommend using it for data storage, explained [below](/posts/tails-best/#using-a-write-protect-switch).
# Limitations of the [Tor network](/glossary#tor-network)
# Limitations of the [Tor network](/glossary/#tor-network)
![](/posts/tails-best/tor.png)
@ -123,7 +123,7 @@ This second issue requires several mitigations. Let's start with a few definitio
* *Firmware* is the software that's embedded in a piece of hardware; you can simply think of it as "software for hardware". It can be found in several different places (hard drives, USB drives, graphics processor, etc.).
* *BIOS* is the specific firmware that is responsible for booting your computer when you press the power button—this is a great place for [malware](/glossary/#malware) to hide because it is undetectable by the operating system.
Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, or software: [remote attacks](/glossary#remote-attacks) (via the Internet) and [physical attacks](/glossary/#physical-attacks) (via physical access). Not everyone will need to apply all of the advice below. For example, if you're only using Tails for anonymous web browsing and writen correspondence, some of this may be overkill. However, if you're using Tails to take responsibility for actions that are highly criminalized, a more thorough approach is likely relevant.
Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, or software: [remote attacks](/glossary/#remote-attacks) (via the Internet) and [physical attacks](/glossary/#physical-attacks) (via physical access). Not everyone will need to apply all of the advice below. For example, if you're only using Tails for anonymous web browsing and writen correspondence, some of this may be overkill. However, if you're using Tails to take responsibility for actions that are highly criminalized, a more thorough approach is likely relevant.
### To mitigate against physical attacks:
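Review bot: the rewritten "Our adversaries have two attack vectors" paragraph still carries the typo "writen correspondence". Since this line is being touched anyway, correct it to "written" in the same change. The old version of the line also mixed `/glossary#remote-attacks` with `/glossary/#physical-attacks` in one sentence, which suggests these links are typed by hand; a short note in the contributor docs on the canonical `/glossary/#anchor` form would help.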
@ -146,7 +146,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
* **Remove the hard drive**—it's easier than it sounds. If you buy the laptop, you can ask the store to do it and potentially save some money. If you search on youtube for "remove hard drive" for your specific laptop model, there will probably be an instructional video. Make sure you remove the laptop battery and unplug the power cord first. We remove the hard drive to completely eliminate the hard drive firmware, which has been known to be [compromised to install persistent malware](https://www.wired.com/2015/02/nsa-firmware-hacking/). A hard drive is part of the attack surface and is unnecessary on a live system like Tails that runs off a USB.
* Consider **removing the Bluetooth interface, camera, and microphone** while you're at it, although this is more involved—you'll need the user manual for your laptop model. The camera can at least be "disabled" by putting a sticker over it. The microphone is often connected to the motherboard via a plug — in this case just unplug it. If this is not obvious, or if there is no connector because the cable is soldered directly to the motherboard, or if the connector is needed for other purposes, cut the microphone cable with a pair of pliers. The same method can be used to permanently disable the camera if you don't trust the sticker method. It is also possible to use Tails on a dedicated "offline" computer by removing the network card as well. Some laptops have switches on the case that can be used to disable the wireless interfaces, but for an "offline" computer it is preferable to actually remove the network card.
* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates an attack on the BIOS firmware against a Tails user, allowing the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be removed like the hard drive. It is needed to turn on the laptop, so it must be replaced with [open-source](/glossary#open-source) firmware. This is an advanced process because it requires opening the computer and using special tools. Most anarchists will not be able to do this themselves, but hopefully there is a trusted person in your networks who can set it up for you. The project is called HEADS because it's the other side of Tails—where Tails secures software, HEADS secures firmware. It has a similar purpose to the [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) found in GrapheneOS, which establishes a full chain of trust from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop if you plan to install it—we recommend the ThinkPad X230 because it's less involved to install than other models. The CPUs of this generation are capable of effectively removing the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) when flashing HEADS, but this is not the case with later generations of CPUs on newer computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a wider range of laptop models but has less security. HEADS can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation), preventing it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks!
* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates an attack on the BIOS firmware against a Tails user, allowing the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be removed like the hard drive. It is needed to turn on the laptop, so it must be replaced with [open-source](/glossary/#open-source) firmware. This is an advanced process because it requires opening the computer and using special tools. Most anarchists will not be able to do this themselves, but hopefully there is a trusted person in your networks who can set it up for you. The project is called HEADS because it's the other side of Tails—where Tails secures software, HEADS secures firmware. It has a similar purpose to the [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) found in GrapheneOS, which establishes a full chain of trust from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop if you plan to install it—we recommend the ThinkPad X230 because it's less involved to install than other models. The CPUs of this generation are capable of effectively removing the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) when flashing HEADS, but this is not the case with later generations of CPUs on newer computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a wider range of laptop models but has less security. HEADS can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation), preventing it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks!
* **Use USBs with secure firmware**, such as the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), so that the USB will [stop working](https://www.kanguru.com/blogs/gurublog/15235873-prevent-badusb-usb-firmware-protection-from-kanguru) if the firmware is compromised. Kanguru has [retailers worldwide](https://www.kanguru.com/pages/where-to-buy), allowing you to buy them in person to avoid the risk of mail interception.
@ -190,11 +190,11 @@ If its not possible to find a USB with a write-protect switch, you can alternati
## Passwords
[Encryption](/glossary#encryption) is a blessing—it's the only thing standing in the way of our adversaries reading all our data, if it's used well. The first step in securing your encryption is to make sure that you use very good passwords—most passwords don't need to be memorized because they are stored in a password manager called KeePassXC, so they can be completely random. To learn how to use KeePassXC, see [Password Manager](/posts/tails/#password-manager-keepassxc).
[Encryption](/glossary/#encryption) is a blessing—it's the only thing standing in the way of our adversaries reading all our data, if it's used well. The first step in securing your encryption is to make sure that you use very good passwords—most passwords don't need to be memorized because they are stored in a password manager called KeePassXC, so they can be completely random. To learn how to use KeePassXC, see [Password Manager](/posts/tails/#password-manager-keepassxc).
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a random sequence of characters (letters, numbers and other symbols), while a [*passphrase*](/glossary/#passphrase) is a random sequence of words.
Never reuse a password/passphrase for multiple things ("password recycling") — KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** — when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
Never reuse a password/passphrase for multiple things ("password recycling") — KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** — when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary/#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (seven words).
@ -220,12 +220,12 @@ If you are using Persistent Storage, this is another passphrase that you will ha
## Encrypted containers
[LUKS](/glossary#luks) is great, but defense-in-depth can't hurt. If the police seize your USB in a house raid, they will try a [variety of tactics to bypass the authentication](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), so a second layer of defense with a different encryption implementation can be useful for highly sensitive data.
[LUKS](/glossary/#luks) is great, but defense-in-depth can't hurt. If the police seize your USB in a house raid, they will try a [variety of tactics to bypass the authentication](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), so a second layer of defense with a different encryption implementation can be useful for highly sensitive data.
[Gocryptfs](https://nuetzlich.net/gocryptfs/) is an encrypted container program that is [available for Debian](https://packages.debian.org/bullseye/gocryptfs) and can be easily installed as [additional software](/posts/tails/#optional-create-and-configure-persistent-storage). If you don't want to reinstall it every session, you will need to [configure Additional Software in Persistent Storage](/posts/tails-best/#using-a-write-protect-switch).
To use gocryptfs, you will need to use Terminal (the [command line](/glossary#command-line-interface-cli)).
To use gocryptfs, you will need to use Terminal (the [command line](/glossary/#command-line-interface-cli)).
On your Personal Data LUKS USB, use the file manager to create two folders and name them `cipher` and `plain`. Right click in the white space of your file manager and select 'Open Terminal Here'. This will allow you to be in the correct location when Terminal opens, instead of having to know how to navigate using the `cd` command.
@ -253,7 +253,7 @@ Now plain is just an empty folder again. Before storing important files in the c
## Encrypted Communication
PGP email is the most established form of encrypted communication on Tails in the anarchist space. Unfortunately, PGP does not have [forward secrecy](/glossary#forward-secrecy)—that is, a single secret (your private key) can decrypt all messages, rather than just a single message, which is the standard in encrypted messaging today. It is the opposite of "metadata protecting", and has [several other shortcomings](/posts/e2ee/#pgp-email).
PGP email is the most established form of encrypted communication on Tails in the anarchist space. Unfortunately, PGP does not have [forward secrecy](/glossary/#forward-secrecy)—that is, a single secret (your private key) can decrypt all messages, rather than just a single message, which is the standard in encrypted messaging today. It is the opposite of "metadata protecting", and has [several other shortcomings](/posts/e2ee/#pgp-email).
For [synchronous](/glossary/#synchronous-communication) and [asynchronous](/glossary/#asynchronous-communication) messaging we recommend [Cwtch](/posts/e2ee/#cwtch). For more information on Cwtch, see [Encrypted Messaging For Anarchists](/posts/e2ee/).
@ -267,7 +267,7 @@ Sometimes the goal of phishing is to deliver a "payload" that calls back to the
## Attachments
Tails prevents deanonymization through phishing by forcing all internet connections through the Tor network. However, this is still vulnerable to [0-day exploits](/glossary#zero-day-exploit) that nation-state actors have access to. For example, the FBI and Facebook worked together to develop a 0-day exploit against Tails [that deanonymized a user](https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) after he opened a video attachment from his home Wi-Fi.
Tails prevents deanonymization through phishing by forcing all internet connections through the Tor network. However, this is still vulnerable to [0-day exploits](/glossary/#zero-day-exploit) that nation-state actors have access to. For example, the FBI and Facebook worked together to develop a 0-day exploit against Tails [that deanonymized a user](https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) after he opened a video attachment from his home Wi-Fi.
For untrusted attachments, you would ideally **sanitize all files sent to you before opening them** with a program like [Dangerzone](https://dangerzone.rocks/), which takes potentially dangerous PDFs, office documents, or images and converts them into safe PDFs. Unfortunately, Dangerzone is [not yet readily available in Tails](https://gitlab.tails.boum.org/tails/tails/-/issues/18135). Until Dangerzone is made available in Tails, there is no program to sanitize untrusted files into trusted files.
@ -300,7 +300,7 @@ Using Tails without any of this advice is still a vast improvement over many oth
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.net/install/expert/index.en.html):
* `wget`: this downloads files from the Internet using the Command Line (rather than a web browser)
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. This is used to verify the integrity and authenticity of the Tails download.
* `gpg`: this handles [GPG encryption](/glossary/#gnupg-openpgp) operations. This is used to verify the integrity and authenticity of the Tails download.
* `apt`: this manages packages in Debian.
* `dd`: this copies a file from one disk to another.
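Review bot: nothing in this change stops the `/glossary#` form, as on the old `gpg` bullet here, from being reintroduced in a later post, and the Typst link handler in this same commit still accepts both `/glossary#` and `/glossary/#`. Consider adding a build-time check that fails on `](/glossary#` in the Markdown sources, or normalising the prefix in one place, so the fix does not depend on editing each link by hand.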


@ -85,6 +85,7 @@
outline(indent: 20pt, depth: 2)
// format links
let glossaryFootnote = state("x", [#footnote[anarsec.guide/glossary]<glossary-footnote>])
show link: it => {
it.body
if type(it.dest) == "string" {
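Review bot: the state key `"x"` on the new `glossaryFootnote` line is a placeholder name. Typst states are identified by their key string, so any other `state("x", ...)` in the template would share this value. Use a descriptive key such as `"glossary-footnote"`, and add a one-line comment saying the state exists so that the glossary footnote is emitted once and only referenced afterwards.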
@ -102,12 +103,13 @@
}
else if it.dest.starts-with("/glossary#") or it.dest.starts-with("/glossary/#") {
context {
let elements = query(heading.where(label: label(it.dest.trim("/glossary#", at: start).trim("/glossary/#", at: start)), level: 2))
let elements = query(heading.where(label: label(it.dest.trim("/glossary#", at: start).trim("/glossary/#", at: start))))
if elements.len() != 0 {
text[#super[]]
}
else {
footnote[anarsec.guide/glossary]
context glossaryFootnote.get()
glossaryFootnote.update(x => footnote(<glossary-footnote>))
}
}
}
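Review bot: dropping `level: 2` from the `heading.where(...)` query means a heading of any level whose label matches the link anchor now counts as a bundled glossary entry and suppresses the footnote. If that is the intended fix, say so in a comment; otherwise a label reused on a non-glossary heading will silently hide the reference. In the `else` branch, the `x` parameter of `glossaryFootnote.update(x => footnote(<glossary-footnote>))` is unused, so the value can be passed directly, and it is worth checking whether the nested `context` before `glossaryFootnote.get()` is needed given that the code already sits inside a `context { ... }` block.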


@ -529,6 +529,9 @@ section
max-height: calc(100vh - 48px)
overflow-y: scroll
div.column.is-2.is-hidden-mobile
padding-right: 0px !important
img
margin: auto
display: block
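Review bot: this stylesheet hunk is unrelated to the glossary link fix named in the commit title and would be easier to review and revert as its own commit. The `padding-right: 0px !important` declaration under `div.column.is-2.is-hidden-mobile` also overrides the framework's column padding by force; prefer a more specific selector over `!important` where possible, and write the value as `0`.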