mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-29 09:28:51 -04:00
miscellaneous feedback integration
parent
5755584357
commit
8afa5b96a8
9 changed files with 74 additions and 181 deletions
|
@ -21,9 +21,9 @@ Qubes OS can be configured to force all Internet connections through the [Tor ne
|
|||
|
||||
# Who is Qubes OS For?
|
||||
|
||||
Given that anarchists are [regularly targeted](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users like journalists who don't know much about Linux.
|
||||
Given that anarchists are [regularly targeted](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users like journalists who don't know much about Linux. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
|
||||
|
||||
Even if nothing directly incriminating is done on a computer you use every day, its compromise will still give investigators a field day for [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to commmunicate with other comrades, so making our personal computers difficult to hack is a reasonable goal for all anarchists.
|
||||
Even if nothing directly incriminating is done on a computer you use every day, its compromise will still give investigators a field day for [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to commmunicate with other comrades, so making our personal computers difficult to hack is a reasonable goal for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
|
||||
|
||||
# How Does Qubes OS Work?
|
||||
|
||||
|
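Review bot: Both rewritten paragraphs under "Who is Qubes OS For?" carry small wording errors that should be fixed while the lines are being touched: the second still has the typo "commmunicate" inherited from the old text, and the sentence added to the first uses "set up" where the noun "setup" is meant. The new closing sentence that points readers with limited energy to Tails would also be more useful with a link, since the first paragraph already links to #when-to-use-tails-vs-qubes-os for exactly that comparison.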
@ -93,7 +93,9 @@ And to use Tails:
|
|||
|
||||
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop—we recommend the ThinkPad X230 because it's less complicated to install than other models. The X230 is also the only developer-tested laptop model and is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and [Best Practices](#hardware-security) for further discussion of hardware security.
|
||||
|
||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. Do not set up dual boot - another operating system could be used to compromise the Qubes OS. If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it, or first learn the basics of the command line and GPG (required during the [verification step](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
|
||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-3-gpg-explanation).
|
||||
|
||||
Do not set up "dual boot" - another operating system could be used to compromise the Qubes OS.
|
||||
|
||||
In the post-installation:
|
||||
|
||||
|
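Review bot: The rewritten installation paragraph no longer names GPG. The old line said the basics of "the command line and GPG" are required during the verification step; the new one only says verification requires the command line and then points to a "similar verification for Tails", so a reader cannot tell what the linked appendix is about without following it. Suggest keeping the word GPG in the sentence, and saying plainly that the verification step should still be completed when a friend has to walk you through it, since that step is the signature check on the download. Minor: the standalone dual boot line keeps "compromise the Qubes OS", where "compromise Qubes OS" reads better, and the quotes around "dual boot" would be better replaced by a few words of explanation or a glossary link like the one used for the command line.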
@ -336,7 +338,7 @@ There is much more flexibility in how you configure Qubes OS than Tails, but mos
|
|||
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.boum.org/install/expert/index.en.html).
|
||||
* Only attach USBs and external drives to a qube that is disposable and offline.
|
||||
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
|
||||
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi and replace the BIOS with [HEADS](https://osresearch.net/). It's not possible to remove the hard drive, and Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive (and App qubes don't have write access to their templates).
|
||||
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. It's not possible to remove the hard drive, and Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive (and App qubes don't have write access to their templates).
|
||||
* Encryption
|
||||
* Passwords: [See above](#password-management)
|
||||
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
|
||||
|
|
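Review bot: In the remote-attacks bullet, "though this is advanced" gives the reader no indication of what makes replacing the BIOS with HEADS advanced or how to decide whether to attempt it. The hardware paragraph elsewhere in this file already mentions HEADS's limited compatibility and the X230 recommendation, so a short pointer to that would make the caveat actionable. The link target also changes from https://osresearch.net/ to /posts/tails-best/#to-mitigate-against-remote-attacks; confirm that the internal section links to the upstream project, because this bullet no longer does.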