mirror of https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 23:02:55 -04:00

miscellaneous feedback integration

parent 5755584357
commit 8afa5b96a8
9 changed files with 74 additions and 181 deletions
|
@ -2,12 +2,8 @@
|
|||
sort_by = "date"
|
||||
paginate_by = 10
|
||||
+++
|
||||
<br><center>
|
||||
<h3><b>Note: AnarSec is currently in a draft state, but will launch in the coming weeks.</b></h3>
|
||||
<h3><b><a href="https://theanarchistlibrary.org/library/return-fire-vol-4-supplement-caught-in-the-net">Technology is a weapon used against us by the network of domination,</a><br> but maybe we can make the blade cut both ways.</b></h3>
|
||||
|
||||
---
|
||||
|
||||
* Want a quick overview of our advice for all comrades? [**See our recommendations**](/recommendations).
|
||||
* Don't know where to start? [**Tails for Anarchists**](/posts/tails/) is the guide with the most relevance to all anarchists. All incriminating digital activities should be accomplished with Tails (such as action research or writing communiques).
|
||||
* You can also check out a [**series of guides**](/series) or pick a [**tag**](/tags) that interests you.
|
||||
* You want a quick overview of our advice for all comrades? → [**Recommendations**](/recommendations)
|
||||
* You need to write anonymous responsibility claims or do action research? → [**Tails for Anarchists**](/posts/tails) and [**Tails Best Practices**](/posts/tails-best)
|
||||
* You need to manage a large number of digital identities on a daily basis? → [**Qubes OS for Anarchists**](/posts/qubes)
|
||||
* You want to protect your digital devices from covert house visits by law enforcement? → [**Make Your Electronics Tamper-Evident**](/posts/tamper)
|
||||
* See the [**series of guides**](/series) for an overview.
|
||||
|
|
|
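Review bot: the rewritten entry list on the landing page drops two things the old bullets carried: the `[**tag**](/tags)` entry point from the "series of guides" bullet, and the sentence telling readers that all incriminating digital activities belong on Tails. If both drops are intentional, fine; otherwise keep "or pick a [**tag**](/tags) that interests you" in the last bullet. Also make the link paths consistent: the new bullets use `/posts/tails`, `/posts/qubes` and `/posts/tamper` without a trailing slash while the old bullet used `/posts/tails/`; pick one style so the site's trailing-slash handling does not decide it. The "draft state ... will launch in the coming weeks" line dates quickly and should go in the same pass that reworks this page.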
@ -27,7 +27,7 @@ Checksums are digital fingerprints: small-sized blocks of data derived from anot
|
|||
|
||||
The "command line" is an all-text alternative to the graphical "point and click" tool that most of us are more familiar with; the Command Line Interface (CLI) allows us to do some things that a Graphical User Interface (GUI) does not. Often, either a GUI or a CLI would work, and which you use is a matter of preference. For example, in [Tails](/glossary/#tails), you can verify the [checksum](/glossary/#checksums-fingerprints) of a file using either a GUI (the GtkHash program) or a CLI command (`sha256sum`).
|
||||
|
||||
The Tech Learning Collective's "Foundations: Linux Journey" course on the [command line](https://techlearningcollective.com/foundations/linux-journey/the-shell) is our recommended introduction to using the CLI/terminal.
|
||||
For more information, see [Linux Essentials](/posts/linux/#the-command-line-interface). The Tech Learning Collective's "Foundations: Linux Journey" course on the [command line](https://techlearningcollective.com/foundations/linux-journey/the-shell) is our recommended introduction to using the CLI/terminal.
|
||||
|
||||
### CVE
|
||||
|
||||
|
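Review bot: the link added to the rewritten CLI paragraph targets `/posts/linux/#the-command-line-interface`, and that anchor must match a heading on the Linux Essentials page exactly; nothing in this commit shows that heading, and the same page loses its "## GPG Explanation" section in another hunk of this change, so confirm the anchor still resolves after the rebuild rather than failing silently. The sentence recommending the Tech Learning Collective course survives the rewrite unchanged, which is fine.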
@ -41,7 +41,7 @@ A Distributed Denial of Service (DDoS) attack attempts to overload or crash the
|
|||
|
||||
Digital signatures are based on [public-key cryptography](/glossary/#public-key-cryptography). A private key is used to digitally sign data, while the corresponding public key is used by third parties to verify the signature. Before a public key is used to verify a signature, its authenticity should be verified.
|
||||
|
||||
To learn more, [watch this video](https://invidious.sethforprivacy.com/watch?v=s22eJ1eVLTU&listen=false). For a more detailed look, see [Defend Dissent: Authenticity through Cryptographic Signing](https://open.oregonstate.education/defenddissent/chapter/cryptographic-signing/) or our [GPG explanation](/posts/linux/#gpg-explanation).
|
||||
To learn more, [watch this video](https://invidious.sethforprivacy.com/watch?v=s22eJ1eVLTU&listen=false). For a more detailed look, see [Defend Dissent: Authenticity through Cryptographic Signing](https://open.oregonstate.education/defenddissent/chapter/cryptographic-signing/) or our [GPG explanation](/posts/tails-best/#appendix-3-gpg-explanation).
|
||||
|
||||
### Doxxing
|
||||
|
||||
|
|
|
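Review bot: the glossary's "GPG explanation" link now points at `/posts/tails-best/#appendix-3-gpg-explanation`; that anchor encodes a section number ("appendix-3"), so it breaks the next time an appendix is added or reordered in Tails Best Practices. Consider a heading without the number, or an explicit id, since this commit retargets several pages to the same anchor. Minor: the "watch this video" link goes through one third-party Invidious instance (invidious.sethforprivacy.com) rather than a canonical location; instances come and go, so keep the video id (`s22eJ1eVLTU`) visible in the text or link the original.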
@ -26,7 +26,7 @@ For a more in-depth look at these various considerations, we recommend [The Guid
|
|||
|
||||
The following options for encrypted messaging are listed from most metadata protection to least.
|
||||
|
||||
**TLDR: Use Cwtch. Don't use Signal or PGP.**
|
||||
**TLDR: For text communication with other anarchists, prioritize Cwtch over Signal or PGP. For voice or video calls, use Signal.**
|
||||
|
||||
|
||||
# Cwtch
|
||||
|
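Review bot: the new TLDR recommends Signal for voice and video calls without the qualifier the rest of this file attaches to Signal; the Signal section later says device compromise exposes every contact by phone number and calls that "unavoidable due to the way Signal is designed". A reader who only skims the TLDR will miss that a Signal call creates exactly that linkage. Suggest one clause: "For voice or video calls, use Signal (accepting that it ties you to your contacts' phone numbers)." Also the sentence above the TLDR still says the options are listed "from most metadata protection to least"; with Element/Matrix removed elsewhere in this commit, verify the remaining order (Cwtch, Signal, PGP) still reads that way.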
@ -153,7 +153,11 @@ Another barrier to anonymous registration is that Signal Desktop will only work
|
|||
|
||||
These barriers to anonymous registration mean that Signal is rarely used anonymously. This has significant implications if the State gains [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to the device. One of the primary goals of State surveillance of anarchists is [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html), and it's common for them to gain physical access to devices through [house raids](https://www.csrc.link/threat-library/techniques/house-raid.html) or even simple arrests. For example, if your device's [authentication is bypassed](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), it would be possible to identify each of your Signal contacts simply by their phone number (in addition to reading message history, etc.). This is a serious security breach, especially in the context of Signal groups, and is unavoidable due to the way Signal is designed. Compare this to the same attack on a Cwtch user - all contacts are anonymous, and their identities are also protected by Tor, so device compromise does not contribute to network mapping.
|
||||
|
||||
**Simply put, Signal does not fit an anarchist threat model** - it was designed to bring encrypted communication to the masses. Because it's nearly impossible to use Signal anonymously, and because [we recommend against using phones](/posts/nophones/), **we recommend that anarchists don't use Signal**. We only provide installation instructions because it has become the norm in the anarchist space in many countries, and it may be difficult to contact someone without it.
|
||||
**Simply put, Signal is not a great fit for an anarchist threat model** - it was designed to bring encrypted communication to the masses. Because it's very difficult to use Signal anonymously, and because [we recommend against using phones whenever possible](/posts/nophones/), **we recommend that anarchists prioritize Cwtch over Signal for text communications with other anarchists.** That said, we nonetheless recommend Signal for voice and video calls because there is currently no better option.
|
||||
|
||||
>**Note**
|
||||
>
|
||||
>[SimpleX Chat](https://www.privacyguides.org/en/real-time-communication/#simplex-chat) is similar to Signal, but supports anonymous registration. However, it is currently only available for smartphones.
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
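Review bot: the added SimpleX note sits directly after a paragraph that says "we recommend against using phones whenever possible", then points readers to an app that "is currently only available for smartphones" without saying how to weigh that; state explicitly whether it is an option for comrades who already use a phone, or drop the note. "Currently" is also the kind of claim that goes stale; date it or link the upstream platform list. Separately, the unchanged sentence earlier in the hunk, "This is a serious security breach ... and is unavoidable due to the way Signal is designed", now sits above a paragraph that recommends Signal for calls; reconcile them by saying the call recommendation accepts that exposure.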
@ -224,112 +228,6 @@ https_proxy = 127.0.0.1:8082
|
|||
<br>
|
||||
<br>
|
||||
|
||||
# Element / Matrix
|
||||
|
||||

|
||||
|
||||
* **Mediums**: Video call, voice call, text
|
||||
* **Metadata protection**: Poor
|
||||
* **Encryption protocol**: vodozemac, audited ([2022](https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption))
|
||||
* **Peer-to-peer**: No
|
||||
* **Tor**: Not default
|
||||
|
||||
Element is the name of the application (the client) and Matrix is the name of the network. A comparison to email may be helpful in understanding this; Element is the equivalent of Thunderbird, while Matrix is the equivalent of the Simple Mail Transfer Protocol (SMTP) that underlies email. **We recommend Element for one-to-one voice and video calls**.
|
||||
|
||||
Element/Matrix is not peer-to-peer; you have to trust the server. However, unlike Signal, the servers are not centralized, but rather federated - anyone can host their own. Unfortunately, the "federation model" has the trade-off that Matrix has [no metadata protection](https://web.archive.org/web/https://serpentsec.1337.cx/matrix): "Federated networks are naturally more vulnerable to metadata leaks than peer-to-peer or centralized networks". To minimize this, see Systemli's [notes on the safe use of the Matrix service](https://wiki.systemli.org/en/howto/matrix/privacy).
|
||||
|
||||
Element will work with Tor when used on an operating system that forces it, such as Whonix or Tails.
|
||||
|
||||
Which homeserver you use is important — do not use the default homeserver matrix.org. [Systemli](https://www.systemli.org/en/service/matrix/) and [Anarchy Planet](https://anarchyplanet.org/chat.html) are reputable radical hosts. Both have a default message retention time of [30 days](https://wiki.systemli.org/en/howto/matrix/max_lifetime) and do not store IP addresses.
|
||||
|
||||
Matrix can be used through either a web client (using Element Web on Tor Browser) or a desktop client (using Element Desktop). The web clients for Systemli and Anarchy Planet are `element.systemli.org` and `anarchy.chat`, respectively. If you are using a desktop client, change the homeserver address to `https://matrix.systemli.org` or `https://riot.anarchyplanet.org` before trying to log in. It is easy to create an account anonymously and does not require a phone. Systemli requires you to have an email account with them (for which you need an invitation), while anyone can register at Anarchy Planet using the registration code `aplanet`.
|
||||
|
||||
A matrix ID looks like \@username:homeserver, for example \@anarsec:riot.anarchyplanet.org. Just like email, you can send messages to accounts that are on different homeservers.
|
||||
|
||||
Once you are logged in, go to **Settings → Security & Privacy**.
|
||||
|
||||
* You'll see all the devices you're signed in to listed under **Where you're signed in**. For anonymous use cases, you will usually only be signed in to one device.
|
||||
* Scroll down to **Secure Backup**. This is a feature that allows you to verify a new session without having access to a signed-in device. Press **Set up**, then **Generate a Security Key**. Save the Security Key in KeePassXC. This "Security Key" will be needed to log into a new device or session.
|
||||
* For Element Desktop, you will only need to use the Security Key if you sign out.
|
||||
* For Element Web (using Tor Browser), you will need the Security Key every time you use it. Tor Browser will clear your cookies, so you will need to sign in for a new session.
|
||||
|
||||
## Some current limitations
|
||||
|
||||
* "Disappearing messages" is not a feature yet, but it is coming. Message retention time can be set by the homeserver administrator, as mentioned above, and is in fact set on both of our recommended homeservers.
|
||||
* One-to-one voice/video calls [are encrypted](https://matrix.org/faq/#are-voip-calls-encrypted%3F) and you can use them. Group audio/video calls are not encrypted, so don't use them. This will be fixed when [Element-call](https://github.com/vector-im/element-call) is stable.
|
||||
* The Matrix protocol itself theoretically supports [forward secrecy](/glossary#forward-secrecy), but it is [not currently supported in Element](https://github.com/vector-im/element-meta/issues/1296) because it breaks some aspects of the user experience such as key backups and shared message history.
|
||||
* Profile pictures, reactions, and nicknames are not encrypted.
|
||||
|
||||
>**Note**
|
||||
>
|
||||
>You may have heard of **XMPP** (formerly known as Jabber). XMPP has similar security properties to Matrix, but many clients don't support end-to-end encryption (using the OMEMO protocol) by default. Properly configuring a client is non-trivial. XMPP and Matrix leak similar amounts of metadata, but OMEMO has never been formally audited like the Matrix encryption protocol. In addition, the administrator can act as a [man-in-the-middle](/glossary#man-in-the-middle-attack) on [any XMPP server](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/). For these reasons, we recommend using Matrix instead of XMPP.
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
||||
**Element Installation on GrapheneOS**
|
||||
|
||||
</summary>
|
||||
<br>
|
||||
|
||||
If you have decided to use a smartphone despite our [recommendation not to use phones](/posts/nophones/), Element is available for Android. Install Element as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
|
||||
|
||||
<br>
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
||||
**Element Installation on Tails**
|
||||
|
||||
</summary>
|
||||
<br>
|
||||
|
||||
The easiest option is to use the Element web client on Tor Browser. It doesn't require any additional software. Tor Browser deletes all data when it closes, so you'll be prompted for the Security Key each time you login in to access your past messages. Be sure to **Sign Out** when you are finished, to avoid accumulating "Signed-in devices".
|
||||
|
||||
To install Element Desktop, About.Privacy [maintains a guide](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo).
|
||||
|
||||
<br>
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
||||
**Element Installation on Qubes-Whonix**
|
||||
|
||||
</summary>
|
||||
<br>
|
||||
|
||||
The easiest option is to use the Element web client on Tor Browser is a disposable Whonix qube. It doesn't require any additional software. Tor Browser deletes all data when it closes, so you'll be prompted for the Security Key after each time you log in to access your past messages. Be sure to **Sign Out** when you are finished, to avoid accumulating "Signed-in devices".
|
||||
|
||||
To install Element Desktop, Whonix is not guaranteed to have Tor [Stream Isolation](/posts/qubes/#whonix-and-tor) from other applications in the same qube, so we will install it in a dedicated qube. Element Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository).
|
||||
|
||||
* Go to **Applications menu → Qubes Tools → Qube Manager**
|
||||
* Clone whonix-ws-16 and name it something like whonix-ws-16-element.
|
||||
* We do this so as not to add attack surface to the base Whonix Workstation template. If you also install other messaging applications like Signal Desktop, they could share a cloned template with a name like whonix-ws-16-e2ee
|
||||
* Open a Terminal in the new Template: **Applications menu → Template: whonix-ws-16-element: Xfce Terminal**
|
||||
* Run the commands in the [Element installation guide](https://element.io/download#linux) to install Element Desktop in the Template.
|
||||
* Template qubes require a proxy for `wget`. Before running the command, create a configuration file at `~/.wgetrc` in the Template, with the following contents:
|
||||
```bash
|
||||
use_proxy = on
|
||||
http_proxy = 127.0.0.1:8082
|
||||
https_proxy = 127.0.0.1:8082
|
||||
```
|
||||
* [Create an App qube](/posts/qubes/#creating-qubes) with the Template `whonix-ws-16-element` and networking `sys-whonix`.
|
||||
* In the **Settings → Applications** tab of the new App qube, move Element Desktop to the Selected column and press **OK**.
|
||||
* Updates will be handled by **Qubes Update** as you would expect.
|
||||
* Avoid pressing "Sign Out", just shut down the qube when finished.
|
||||
|
||||
>**Alternative method**
|
||||
>
|
||||
>You can install Element Desktop in a Whonix Workstation App qube using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) and not need to bother with Templates. Element Desktop on Flathub is [community maintained](https://github.com/flathub/im.riot.Riot), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
||||
|
||||
<br>
|
||||
</details>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
# PGP Email
|
||||
|
||||

|
||||
|
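Review bot: this hunk removes the entire Element/Matrix section (comparison bullets, homeserver guidance, the XMPP note, and the GrapheneOS, Tails and Qubes-Whonix install instructions), but neither the commit message nor the surrounding text explains the removal, and any in-site or external link to `/posts/e2ee/#element-matrix` or to the anchors inside it now lands on nothing. Grep the repo for those anchors, and add one line near the TLDR saying Matrix was dropped and why; the removed text recommended Element for one-to-one calls, which is the role the rewritten TLDR now gives to Signal, so readers who remember the old advice need the hand-off. The removed text also hard-coded a registration code (`aplanet`) and a `.onion` guide URL; if either is referenced anywhere else in the site, remove those references too.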
@ -340,10 +238,10 @@ https_proxy = 127.0.0.1:8082
|
|||
* **Peer-to-peer**: No
|
||||
* **Tor**: Not default
|
||||
|
||||
PGP (Pretty Good Privacy) is not so much a messaging platform as it is a way to encrypt messages on top of existing messaging platforms (in this case, email). PGP email does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions from future key or password compromises. It maintains the secrecy of past communications even if the current communication is compromised. This means that an adversary could decrypt all future PGP messages in one fell swoop. When you also consider the metadata exposure inherent in email, PGP should be disqualified from inclusion on this list. It simply doesn't meet the standards of modern cryptography. However, since it is already widely used in the anarchist space, we include it here as a warning that **we recommend that anarchists don't use PGP**. For a more technical critique, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). [Privacy Guides](https://www.privacyguides.org/en/basics/email-security/) agrees that "email is best used for receiving transactional emails [...], not for communicating with others."
|
||||
PGP (Pretty Good Privacy) is not so much a messaging platform as it is a way to encrypt messages on top of existing messaging platforms (in this case, email). PGP email does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions from future key or password compromises. It maintains the secrecy of past communications even if the current communication is compromised. This means that an adversary could decrypt all future PGP messages in one fell swoop. When you also consider the metadata exposure inherent in email, PGP should be disqualified from inclusion on this list. It simply doesn't meet the standards of modern cryptography. However, since it is already widely used in the anarchist space, we include it here as a warning that **we recommend that anarchists don't use encrypted email for communication with other anarchists**. For a more technical critique, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). [Privacy Guides](https://www.privacyguides.org/en/basics/email-security/) agrees that "email is best used for receiving transactional emails [...], not for communicating with others."
|
||||
|
||||
We recommend switching to Cwtch for synchronous and asynchronous use cases. If you must use email, use a [radical server](https://riseup.net/en/security/resources/radical-servers) and read the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp).
|
||||
We recommend switching to Cwtch for synchronous and asynchronous use cases. The exception to this recommendation is for public-facing projects - Hybrid Groups need to be implemented in Cwtch before this can be recommended. If you must use email, use a [radical server](https://riseup.net/en/security/resources/radical-servers) and read the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp).
|
||||
|
||||
PGP is used for another purpose outside of communication: verifying the integrity and authenticity of files. For this use case, see our [GPG explanation](/posts/linux/#gpg-explanation).
|
||||
PGP is used for another purpose outside of communication: verifying the integrity and authenticity of files. For this use case, see our [explanation](/posts/tails-best/#appendix-3-gpg-explanation).
|
||||
|
||||
|
||||
|
|
|
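Review bot: the forward-secrecy sentence in the PGP paragraph (present in both the old and the rewritten line) states the consequence backwards: "an adversary could decrypt all future PGP messages in one fell swoop". A compromised long-term key decrypts future messages regardless; what the lack of forward secrecy costs is every past message the adversary has recorded, which is what the two preceding sentences define. Suggest: "This means that an adversary who obtains your private key can decrypt every message ever encrypted to it, including ones recorded years earlier." Also the added exception, "Hybrid Groups need to be implemented in Cwtch before this can be recommended", introduces a term that appears nowhere else on the page; link it to the Cwtch section or the upstream feature description and say what it would give public-facing projects, otherwise the sentence reads as an internal note.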
@ -51,55 +51,15 @@ The best way to learn the basics of the command line is to interact with it. We
|
|||
|
||||
Some commands require elevated privileges, equivalent to "Open as Administrator" in Windows. For example, installing software usually requires this. Prefixing a command with `sudo` will execute it as the administrative user, named root (note: the root user is not the same as the root directory, and the two should not be confused). A root prompt will display `#` instead of `$`. Be especially careful with any commands you run while using these elevated privileges, as you'll have the power to erase your entire hard drive or change important files. It is helpful to know that text is pasted in the Terminal with Ctrl+Shift+V (i.e. the Shift key must also be pressed).
|
||||
|
||||
Most Linux users will rarely need to use the CLI. If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.boum.org/install/expert/index.en.html):
|
||||
|
||||
* `wget`: this downloads files from the Internet using the Command Line (rather than a web browser)
|
||||
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. This is used to verify the integrity and authenticity of the Tails download.
|
||||
* `apt`: this manages packages in Debian.
|
||||
* `dd`: this copies a file from one disk to another.
|
||||
|
||||
The [Qubes](/tags/qubes/) installation requires the same commands (during the [verification](https://www.qubes-os.org/security/verifying-signatures/) phase). The Command Line Interface is otherwise only needed to install software:
|
||||
Most Linux users will rarely need to use the CLI. If you're using Tails, you shouldn't need it at all. If you're using Qubes OS, the CLI is only needed to install software:
|
||||
|
||||
* `apt install <PACKAGE_NAME>`: this will install packages on Debian
|
||||
* `dnf install <PACKAGE_NAME>`: this will install packages on Fedora
|
||||
|
||||
Additionally, the CLI is needed for the more secure installation of both [Tails](/posts/tails-best/#appendix-3-gpg-explanation) and [Qubes OS](https://www.qubes-os.org/security/verifying-signatures/) to verify the download's authenticity.
|
||||
|
||||
If you ever don't understand what a command does, try searching [explainshell](https://explainshell.com/) for it.
|
||||
|
||||
## GPG Explanation
|
||||
|
||||
Using `gpg` during the installation of Tails or Qubes OS will be less confusing if you understand how it works.
|
||||
|
||||
First, some clarification. [PGP and GPG](/glossary/#gnupg-openpgp) are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication ([although we don't recommend it](/posts/e2ee/#pgp-email)), but we use it here only to verify the integrity and authenticity of files.
|
||||
|
||||
GPG is a classic example of [public-key cryptography](/glossary/#public-key-cryptography). GPG provides cryptographic functions for [encrypting](/glossary/#encryption), decrypting, and signing files; our concern here is digitally signing files. The Qubes and Tails teams both [digitally sign](/glossary/#digital-signatures) on their .img releases. GPG gives us a way to verify that the file has actually been "signed" by the developers, which allows us to trust that it hasn't been tampered with.
|
||||
|
||||
Now you need to understand the basics of public-key cryptography. [This Computerphile video](https://invidious.sethforprivacy.com/watch?v=GSIDS_lvRv4) has a great overview with visual aids. To summarize, a **secret/private** key is used to **sign** messages, and only the user who has that key can do so. Each **private** key has a corresponding **public** key - this is called a **key pair**. The public key is shared with everyone and is used to verify the signature. Confused? Watch the video!
|
||||
|
||||

|
||||
|
||||
Tails and Qubes OS sign their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.boum.org/install/expert/index.en.html), which are less convoluted than the [Qubes OS equivalent](https://www.qubes-os.org/security/verifying-signatures/).
|
||||
|
||||
### Step: Generate a Key-Pair
|
||||
|
||||
Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate a key-pair.
|
||||
|
||||
* `gpg --gen-key` will prompt you for some configuration options and then generate your key-pair.
|
||||
|
||||
### Step: Verify the Tails public key
|
||||
|
||||
* `gpg --import < tails-signing.key` imports the Tails public key into your keyring so that it can be used.
|
||||
* `gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import` imports the public key of a Debian developer into your keyring so that it can be used.
|
||||
* `gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F` allows you to verify the Tails public key with the Debian developer's public key by examining the output as instructed. This is so that if the source of the Tails public key (tails.net) is compromised, you have an external source of truth to alert you.
|
||||
* `gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F` will certify the Tails public key with the key you created in the last step.
|
||||
|
||||
Now we know that we have a genuine version of the Tails public key. `gpg` also knows this because we chose to certify it.
|
||||
|
||||
### Step: Verify the downloaded Tails .img file
|
||||
|
||||
* `TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.10.img.sig tails-amd64-5.10.img` allows you to verify that the .img file is signed as it should be by examining the output as instructed.
|
||||
|
||||
Now that we know that we have a genuine version of the Tails .img file, we can proceed to install it on a USB.
|
||||
|
||||
# Going Further
|
||||
|
||||
If you want to learn more about Linux, we'd recommend:
|
||||
|
|
|
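Review bot: the rewritten paragraph contradicts itself within a few lines: "If you're using Tails, you shouldn't need [the CLI] at all. If you're using Qubes OS, the CLI is only needed to install software" is followed by "Additionally, the CLI is needed for the more secure installation of both Tails and Qubes OS to verify the download's authenticity." Fold the verification case into the first sentence and drop "at all" and "only". The new install list gives `apt install <PACKAGE_NAME>` and `dnf install <PACKAGE_NAME>` without `sudo`, while the paragraph just above says installing software needs elevated privileges; prefix both with `sudo` so the commands match the explanation. The removed GPG walkthrough is moved rather than deleted (other hunks retarget links to `/posts/tails-best/#appendix-3-gpg-explanation`), so leave a pointer to it under "Going Further" as well, since this page is where the `gpg`, `wget` and `dd` vocabulary used to live.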
@ -21,9 +21,9 @@ Qubes OS can be configured to force all Internet connections through the [Tor ne
|
|||
|
||||
# Who is Qubes OS For?
|
||||
|
||||
Given that anarchists are [regularly targeted](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users like journalists who don't know much about Linux.
|
||||
Given that anarchists are [regularly targeted](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users like journalists who don't know much about Linux. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
|
||||
|
||||
Even if nothing directly incriminating is done on a computer you use every day, its compromise will still give investigators a field day for [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to commmunicate with other comrades, so making our personal computers difficult to hack is a reasonable goal for all anarchists.
|
||||
Even if nothing directly incriminating is done on a computer you use every day, its compromise will still give investigators a field day for [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to commmunicate with other comrades, so making our personal computers difficult to hack is a reasonable goal for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
|
||||
|
||||
# How Does Qubes OS Work?
|
||||
|
||||
|
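Review bot: in the two rewritten paragraphs, "set up" (verb) should be "setup" (noun) in "customize your set up", and the typo "commmunicate" is carried over unchanged into the new line; fix both while the lines are being touched. The added sentence about the guide being labelled "intermediate" but in practice "advanced" is a statement about the page itself and reads better next to whatever difficulty label the page actually carries than buried inside "Who is Qubes OS For?".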
@ -93,7 +93,9 @@ And to use Tails:
|
|||
|
||||
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop—we recommend the ThinkPad X230 because it's less complicated to install than other models. The X230 is also the only developer-tested laptop model and is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and [Best Practices](#hardware-security) for further discussion of hardware security.
|
||||
|
||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. Do not set up dual boot - another operating system could be used to compromise the Qubes OS. If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it, or first learn the basics of the command line and GPG (required during the [verification step](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
|
||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-3-gpg-explanation).
|
||||
|
||||
Do not set up "dual boot" - another operating system could be used to compromise the Qubes OS.
|
||||
|
||||
In the post-installation:
|
||||
|
||||
|
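Review bot: the rewrite of the installation paragraph drops "and GPG" from the skills list: the old line said to learn "the basics of the command line and GPG (required during the verification step)", the new line says only "learn the basics of the command line" and then points at the Tails GPG appendix. Keep "and GPG" so the reader knows why a Tails appendix is relevant to a Qubes install, and say which parts carry over (the `gpg` commands) and which do not (the keys and files being verified). In the new stand-alone dual-boot paragraph, drop the quotes around dual boot and the article in "compromise the Qubes OS".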
@ -336,7 +338,7 @@ There is much more flexibility in how you configure Qubes OS than Tails, but mos
|
|||
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.boum.org/install/expert/index.en.html).
* Only attach USBs and external drives to a qube that is disposable and offline.
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi and replace the BIOS with [HEADS](https://osresearch.net/). It's not possible to remove the hard drive, and Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive (and App qubes don't have write access to their templates).
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. It's not possible to remove the hard drive, and Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive (and App qubes don't have write access to their templates).
* Encryption
* Passwords: [See above](#password-management)
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
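Review bot: `It's not possible to remove the hard drive` in the rewritten bullet reads as a hardware statement; the intended contrast is with Tails, where the internal drive can be removed because the system runs from USB, while Qubes OS is installed on that drive, so spell that out ("unlike with Tails, the internal drive cannot be removed because Qubes OS lives on it"). Same bullet: the argument that a write-protect switch is unnecessary because App qubes cannot write to their templates holds for the template's system files, but an attacker with root in a qube can still persist in that qube's private volume (its home directory), so the point is containment of the compromise to one qube, not immutability of the system.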
@ -111,7 +111,7 @@ To summarize: For highly sensitive activities, use Internet from a random cafe,
You can mitigate this first issue by **using a computer you trust to install Tails**:
* According to our [recommendations](/recommendations/#your-computer), this would ideally be a [Qubes OS](/posts/qubes/) system, as it is much harder to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick that has been installed with Qubes OS (and who uses these best practices), you could [clone it](/posts/tails/#installation) instead of installing it yourself.
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it, or first learn the basics of the command line and GnuPG with [Linux Essentials](/posts/linux/).
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-3-gpg-explanation).
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs used during Tails sessions) into any other computer while it is running a non-Tails operating system; if the computer is infected, the infection can [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).
### 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware
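Review bot: `a Tails USB stick that has been installed with Qubes OS` in the first bullet reads as if Qubes OS were installed on the USB stick; suggest `a Tails USB stick that they installed from a Qubes OS system`. In the rewritten second bullet the link text `see the [Appendix]` should name what the appendix covers (the GPG verification explained step by step), so the reader knows why to go there rather than back to the Tails page; the old wording at least said "command line and GnuPG".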
@ -345,6 +345,48 @@ Some places in the world, like China, Japan, the UK, Singapore, the US, and even
Hacking is really a way of life. If you are truly committed to your cause, you should fully embrace it and avoid being sloppy at all costs.
# Appendix 3: GPG Explanation
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.boum.org/install/expert/index.en.html):
* `wget`: this downloads files from the Internet using the Command Line (rather than a web browser)
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. This is used to verify the integrity and authenticity of the Tails download.
* `apt`: this manages packages in Debian.
* `dd`: this copies a file from one disk to another.
Using `gpg` during the installation of Tails will be less confusing if you understand how it works.
First, some clarification. [PGP and GPG](/glossary/#gnupg-openpgp) are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication ([although we don't recommend it](/posts/e2ee/#pgp-email)), but we use it here only to verify the integrity and authenticity of files.
GPG is a classic example of [public-key cryptography](/glossary/#public-key-cryptography). GPG provides cryptographic functions for [encrypting](/glossary/#encryption), decrypting, and signing files; our concern here is digitally signing files. The Tails team [digitally signs](/glossary/#digital-signatures) their .img releases. GPG gives us a way to verify that the file has actually been "signed" by the developers, which allows us to trust that it hasn't been tampered with.
Now you need to understand the basics of public-key cryptography. [This Computerphile video](https://invidious.sethforprivacy.com/watch?v=GSIDS_lvRv4) has a great overview with visual aids. To summarize, a **secret/private** key is used to **sign** messages, and only the user who has that key can do so. Each **private** key has a corresponding **public** key - this is called a **key pair**. The public key is shared with everyone and is used to verify the signature. Confused? Watch the video!

Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.boum.org/install/expert/index.en.html).
## Step: Generate a Key-Pair
Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate a key-pair.
* `gpg --gen-key` will prompt you for some configuration options and then generate your key-pair.
## Step: Verify the Tails public key
* `gpg --import < tails-signing.key` imports the Tails public key into your keyring so that it can be used.
* `gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import` imports the public key of a Debian developer into your keyring so that it can be used.
* `gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F` allows you to verify the Tails public key with the Debian developer's public key by examining the output as instructed. This is so that if the source of the Tails public key (tails.net) is compromised, you have an external source of truth to alert you.
* `gpg --lsign-key A490D0F4D311A4153E2BB7CADBB802B258ACD84F` will certify the Tails public key with the key you created in the last step.
Now we know that we have a genuine version of the Tails public key. `gpg` also knows this because we chose to certify it.
## Step: Verify the downloaded Tails .img file
* `TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-5.10.img.sig tails-amd64-5.10.img` allows you to verify that the .img file is signed as it should be by examining the output as instructed. Version numbers in the command will change.
Now that we know that we have a genuine version of the Tails .img file, we can proceed to install it on a USB.
<br>
<hr>
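Review bot: the Debian keyring cross-check (`gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import`) only works if the `debian-keyring` package is installed first, and it is only an "external source of truth" because that package comes from the Debian repositories rather than from the Tails website; the appendix lists `apt` among the needed commands but never says this is what it is for, so add the `apt install debian-keyring` step before the export and state why that counts as an independent source. Further points in the same appendix: `gpg --lsign-key` creates a local, non-exportable certification, worth one clause so the reader does not expect it to show up elsewhere; `Now we know that we have a genuine version of the Tails public key` overstates what was checked and should read "a key that a Debian developer has certified"; `dd` does not copy "a file from one disk to another", it writes the .img byte-for-byte onto the USB device and will just as happily overwrite the wrong disk, which is the caveat a first-time user needs; `tails.net` in the `--check-sigs` bullet is inconsistent with the `tails.boum.org` links used everywhere else; and `GPG is a classic example of public-key cryptography` should read "GPG is a program that implements public-key cryptography", with the standard named as OpenPGP rather than PGP in the sentence before it (PGP is the product, OpenPGP the standard GPG implements).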
Before Width: | Height: | Size: 157 KiB After Width: | Height: | Size: 157 KiB |
@ -43,7 +43,7 @@ The Blink Comparison app encrypts its storage to prevent an adversary from easil
## Getting Started
Now that you understand the nuances of applying nail polish to the screws of your laptop case, let's actually do it - this is best done after [flashing HEADS](#tamper-evident-software-and-firmware), so it doesn't have to be removed and repeated. Before you start, you can also take a picture of the inside of the laptop in case you ever need to check if the internal components have been tampered with despite the nail polish protection (keep in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like the one shown above.
Now that you understand the nuances of applying nail polish to the screws of your laptop case, let's actually do it - if you are going to [install HEADS](#tamper-evident-software-and-firmware), do that first so the nail polish doesn't have to be removed and repeated. Before you start, you can also take a picture of the inside of the laptop in case you ever need to check if the internal components have been tampered with despite the nail polish protection (keep in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like the one shown above.
* First, take a photo of the bottom of the computer and use a program like GIMP to number the screws to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws that need to be numbered so that in the future you know which screw the photo `3.jpg` refers to.
* Apply the glitter nail polish directly to each screw, making sure there are enough glitter elements without being too thick.
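Review bot: the rewritten sentence tells the reader to install HEADS before applying the polish but not why the two conflict: the first HEADS flash on the ThinkPad X230 is done with an external SPI programmer clipped onto the flash chip, which means opening the case and so disturbing every sealed screw. Say that the initial flash requires opening the case; later HEADS updates are flashed from within HEADS and leave the polish intact, which is the reason the order matters only once.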
@ -114,7 +114,9 @@ Haven is an Android app developed by the Freedom of Press Foundation that uses t
So far, we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. "Defense in depth" requires this - to trust an electronic device, you must trust the hardware, firmware, and software. Software or firmware compromise can occur [remotely](/glossary/#remote-attacks) (over the Internet) as well as with physical access, so it is especially important. Tamper-evident software and firmware are compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that allows you to be notified if firmware or software has been tampered with - you will receive an email when Auditor performs a remote attestation. For Tails or Qubes, [HEADS](https://osresearch.net/) can do the same before you enter your boot password (on [supported devices](https://osresearch.net/Prerequisites#supported-devices)). Keep the HEADS USB security dongle with you when you leave the house, and have a backup hidden at a trusted friend's house in case it ever falls in a puddle.
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that allows you to be notified if firmware or software has been tampered with - you will receive an email when Auditor performs a remote attestation.
For Tails or Qubes OS, [HEADS](https://osresearch.net/) can do the same before you enter your boot password (on [supported devices](https://osresearch.net/Prerequisites#supported-devices)). However, installation is advanced. Keep the HEADS USB security dongle with you when you leave the house, and have a backup hidden at a trusted friend's house in case it ever falls in a puddle. For more information, see [Tails Best Practices](/posts/tails-best/#to-mitigate-against-remote-attacks).
# Wrapping Up
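Review bot: `HEADS can do the same` in the new paragraph borrows its meaning from the Auditor sentence above it; give the mechanism in one clause: HEADS measures the firmware and the files in /boot into the TPM and only produces the expected code on the USB security dongle (HOTP) if those measurements are unchanged, so a wrong or missing code at boot is the tamper alert. That also explains the backup advice (without the dongle there is nothing to compare against) and why the dongle must not be stored with the laptop. Worth noting too that the dongle is the HOTP variant only; HEADS also supports a TOTP code checked against a phone authenticator app, which changes what the reader has to carry and back up.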
@ -25,13 +25,6 @@ See [When to Use Tails vs. Qubes OS](/posts/qubes/#when-to-use-tails-vs-qubes-os
We do not offer "harm reduction" advice for Windows or macOS computers, as this is already widespread and gives a false sense of privacy and security. If you need to use one of these operating systems, see The Hitchhiker’s Guide to Online Anonymity for tutorials on [Windows](https://anonymousplanet.org/guide.html#windows-host-os) and [macOS](https://anonymousplanet.org/guide.html#macos-host-os).
## Your Home Network
>**[Operating system](/glossary#operating-system-os) (router)**: [**OpenWrt**](https://www.privacyguides.org/en/router/#openwrt). [GL-iNet](https://www.gl-inet.com/) sells affordable OpenWrt routers that are easy to use - the 'Travel' models are sufficient for an apartment sized residence.
>**[Operating system](/glossary#operating-system-os) (hardware firewall)**: [**OPNsense**](https://www.privacyguides.org/en/router/#opnsense). Although you can get by with just a router, a hardware firewall allows you to further segment your network and provides other security enhancements.
If an adversary compromises your router, [they can use it to compromise any device connected to it](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/), so it's important not to use the [closed-source](/glossary#open-source) router your Internet Service Provider provides. Guide coming soon.
## Encrypted Messaging
See [Encrypted Messaging for Anarchists](/posts/e2ee/)
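Review bot: this hunk removes the whole `## Your Home Network` section, including the one sentence that carries a security argument (`If an adversary compromises your router, they can use it to compromise any device connected to it`, hence not relying on the ISP's closed-source router). If the section was pulled because the guide is not ready (`Guide coming soon`), keep that router warning somewhere on the recommendations page, since after this change nothing on it says anything about the network the recommended devices sit on.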
@ -42,7 +35,7 @@ See [Make Your Electronics Tamper-Evident](/posts/tamper/).
## Preparation for Crossing Borders
If you risk taking the phone or computer you use every day across a border (not recommended), make sure that Full Disk Encryption is enabled, that it is turned off, and that you are prepared to deny password access and accept the consequences of doing so. It is not enough to delete files (or messages, apps, etc.) before crossing the border and then unlock your device. In fact, the first thing a border team will check is whether anything was recently deleted. To prevent data recovery, you must perform a Factory Reset and then reinstall the operating system.
It is not recommended to risk taking the phone or computer you use every day across a border. If you do, make sure that Full Disk Encryption is enabled, that it is turned off, and that you are prepared to deny password access and accept the consequences of doing so. It is not enough to delete files (or messages, apps, etc.) before crossing the border and then unlock your device. In fact, the first thing a border team will check is whether anything was recently deleted. To prevent data recovery, you must perform a Factory Reset and then reinstall the operating system.
A better approach is to have a dedicated travel device that you can unlock for border agents, since you always cross with a fresh operating system installation. Stock Android can be [easily installed (flashed)](https://flash.android.com) on [certain phone models](https://source.android.com/docs/setup/build/flash#device-requirements) after a factory reset. The fresh phone can be populated with benign contacts such as family. Once across the border, you can use the phone normally, but redo the flashing before crossing the border again. If the phone is taken out of your sight at any point, don’t even turn it back on before trashing it, as it may now send your password to the authorities and be infected with spyware.
A better approach is to have a dedicated travel device that you can unlock for border agents, since you always cross with a fresh operating system installation. For phones, stock Android can be [easily installed (flashed)](https://flash.android.com) on [certain phone models](https://source.android.com/docs/setup/build/flash#device-requirements) after a factory reset. The fresh phone can be populated with benign contacts such as family. Once across the border, you can restore your data and use the phone normally, but redo this process before crossing the border again. The same principle applies to computers - reinstall the operating system, make it look normal, then restore the data you need once you have crossed. If the device is taken out of your sight at any point, don’t even turn it back on before trashing it, as it may now send your password to the authorities and be infected with spyware.
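Review bot: in the rewritten first paragraph `that it is turned off` is ambiguous after `Full Disk Encryption is enabled`; write `that the device is fully powered off (not suspended)`, since full disk encryption only protects data at rest and a sleeping device still holds the key in memory. `In fact, the first thing a border team will check is whether anything was recently deleted` is stated as fact without support; soften to "forensic tooling can show that files were recently deleted, which itself draws attention". In the new travel-device paragraph, `restore your data` after crossing implies a backup the traveller can reach from the other side; say where it lives (for example encrypted and fetched over the network after arrival), otherwise the reader may carry it across on the same device, which undoes the point of the fresh install.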