write-protect switch improvements

This commit is contained in:
anarsec 2024-04-12 00:41:24 +00:00
parent 6ebbac8958
commit 91677225a1
No known key found for this signature in database
3 changed files with 7 additions and 6 deletions

@ -67,7 +67,7 @@ Once the server exists, contacts can be invited to use it. For asynchronous dire
Any Cwtch user can turn the app on their phone or computer into an untrusted server to host a group chat, though this is best for temporary needs like an event or short-term coordination, as the device must remain powered on for it to work. Fortunately, [Anarchy Planet](https://anarchyplanet.org/chat.html#cwtch) runs a public server that is suitable for long-term groups.
Asynchronous conversations on Cwtch need to be started from a synchronous conversation - you need to be online at the same time as your contact to invite them to a group, and then you no longer need to be online at the same time. In the future, Cwtch plans to improve this with [hybrid groups](https://git.openprivacy.ca/cwtch.im/cwtch-ui/wiki/One-Pager:-Managed-Groups-%28-A-Roadmap-towards-Hybrid-Groups%29). Until hybrid groups are implemented, you will need to establish your asynchronous Cwtch conversations by using a second channel to set a time for when you both need be on Cwtch.
Asynchronous conversations on Cwtch need to be started from a synchronous conversation - you need to be online at the same time as your contact to invite them to a group, and then you no longer need to be online at the same time. In the future, Cwtch plans to improve this with [hybrid groups](https://docs.cwtch.im/blog/path-to-hybrid-groups/). Until this is implemented, you will need to establish your asynchronous Cwtch conversations by using a second channel to set a time for when you both need be on Cwtch.
You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs.cwtch.im/).
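Review bot: the rewritten line carries over the grammatical slip from the old one, "when you both need be on Cwtch"; since the sentence is being edited anyway, make it "when you both need to be on Cwtch". The retargeted link to https://docs.cwtch.im/blog/path-to-hybrid-groups/ and the shortened "Until this is implemented" read fine.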

@ -71,7 +71,7 @@ GrapheneOS uses [gesture navigation](https://grapheneos.org/usage#gesture-naviga
# Auditor
In the post-installation instructions, **Hardware-based attestation** is the last step. The Auditor app included in GrapheneOS uses hardware security features to monitor the integrity of the device's firmware and software. This is critical because it will alert you if the device is maliciously tampered with. The Auditor app must be configured immediately after GrapheneOS is installed, before any Internet connection is made.
In the post-installation instructions, **Hardware-based attestation** is the last step. The Auditor app included in GrapheneOS uses hardware security features to monitor the integrity of the device's firmware and OS software. This is critical because it will alert you if the device is maliciously tampered with. Note that Auditor doesn't necessarily check whether the user-level apps running on your device are malicious. The Auditor app must be configured immediately after GrapheneOS is installed, before any Internet connection is made.
How does it work? Your new device is the *auditee*, and the *auditor* can be either another instance of the Auditor app on a friend's phone or the [Remote Attestation Service](https://attestation.app/); we recommend doing both. The *auditor* and *auditee* pair to create a private key, and if the *auditee's* operating system is tampered with after the pairing is complete, the *auditor* will be alerted.
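Review bot: the added caveat "Auditor doesn't necessarily check whether the user-level apps running on your device are malicious" is hedged in a way that leaves the reader unsure what is and is not covered. The same paragraph says Auditor monitors "the device's firmware and OS software", so state the boundary plainly, for example: "Auditor attests to the firmware and OS, not to the apps you install; a malicious app will not by itself trigger an alert." The following unchanged line, which says the auditor is alerted when the auditee's operating system is tampered with, already agrees with that boundary.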
@ -165,12 +165,13 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - apps installed in a secondary user profile delegated from the Owner profile will still be updated.
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
* When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
* It is convenient to be able to receive notifications from any user profile:
* [Owner user profile] **Settings → System → Multiple users:** Send notifications to current user (enabled)
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
* When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
# How to Backup
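Review bot: the two bullets on sharing a single file with an app instead of granting it media access and on Storage Scopes appear both in their earlier positions and again at the end of the list after the notifications item, so this hunk is a verbatim relocation with no wording change. If the intent is to group the per-app permission advice together, it would help to say so, since the commit title "write-protect switch improvements" does not describe this file's change at all. While the Storage Scopes bullet is being moved, consider tightening "when in fact it has none" so it says what the app can still reach, because read next to the sharing bullet, which describes handing the app one file, "none" is ambiguous.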

@ -157,7 +157,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
> What's a *write-protect* switch? When you insert a normal USB into a computer, the computer does *read* and *write* operations with it, and a *write* operation can change the data on the USB. Some special USBs developed for malware analysis have a physical switch that can lock the USB, so that data can be *read* from it, but no new data can be *written* to it.
If your Tails USB stick has a write-protect switch and secure firmware, such as [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are protected from compromising the USB firmware during a Tails session. If the switch is locked, you are also protected from compromising the Tails software. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot "take root" and would not carry over to subsequent Tails sessions. Note that HEADS firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. If you aren't using HEADS and you are unable to obtain such a USB, you have two options.
If your Tails USB stick has a write-protect switch like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are also from an attacker compromising the Tails software when the switch is locked. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot carry over to subsequent Tails sessions. Note that HEADS firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. If you aren't using HEADS and you are unable to obtain such a USB, you have two options.
1) [Burn Tails to a new DVD-R/DVD+R](https://tails.net/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten.
2) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.net/doc/advanced_topics/boot_options/index.en.html).
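Review bot: the rewritten sentence is missing a word: "you are also from an attacker compromising the Tails software when the switch is locked" should read "you are also protected from an attacker compromising the Tails software when the switch is locked". The "also" now has nothing to follow on from, because the old line's first clause, that a drive with secure firmware protects you from the USB firmware being compromised during a session, was dropped. Either remove "also", or keep one sentence that separates the two properties: the write-protect switch guards the Tails software stored on the stick, while protection of the drive's own controller firmware is a separate feature of the hardware. The Kanguru link is unchanged.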
@ -168,7 +168,7 @@ If your Tails USB stick has a write-protect switch and secure firmware, such as
On a USB with a write-protect switch, you will not be able to make any changes to the Tails USB when the switch is locked. If you can make changes, so can malware. While it would be ideal to leave the switch locked all the time, we recommend two cases where the switch must be unlocked:
1) **For a dedicated upgrade session.** If you need to upgrade Tails, you can do so in a dedicated session with the switch unlocked - this is necessary because the upgrade needs to be written to the Tails USB. Once you are done, you should restart Tails with the switch locked.
2) **If you decide to use Persistent Storage, for occasional configuration sessions.** [Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to persist between sessions that would otherwise be amnesiac on the Tails USB itself. Because it requires writing to the Tails USB to persist data, it is generally impractical to use with a write-protect switch. However, it may be acceptable to disable the switch for occasional Persistent Storage configuration sessions, such as installing additional software. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting to install it every session. Then, in a 'locked' session, you actually use Scribus - none of the files you work on are saved to the Tails USB because it is 'locked'. The Persistent Storage feature is not possible with the `toram` boot or with a DVD.
2) **If you decide to use Persistent Storage, for occasional configuration sessions.** [Persistent Storage](/posts/tails/#optional-create-and-configure-persistent-storage) is a Tails feature that allows data to persist between sessions that would otherwise be amnesiac on the Tails USB itself. Because it requires writing to the Tails USB to persist data, it is generally impractical to use with a write-protect switch. However, it may be acceptable to disable the switch for occasional Persistent Storage configuration sessions, such as installing additional software. For example, in an 'unlocked' session, you enable additional software for persistence and install Scribus, selecting to install it every session. Then, in a 'locked' session, you actually use Scribus - none of the files you work on are saved to the Tails USB because it is 'locked'. Note that in this scenario, the USB switch will need to be locked to the read-only position *after* after the Welcome Screen, because Tails will not load the Persistant Storage otherwise. The Persistent Storage feature is not possible with the `toram` boot or with a DVD.
Where can we store personal data for use between Tails sessions if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This "personal data" USB should not look identical to your Tails USB to avoid confusion. To create this separate USB, see [How to create an encrypted USB](/posts/tails/#how-to-create-an-encrypted-usb). If you are reading this from a country like the UK, where not providing encryption passwords can land you in jail, this second drive should be an HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not suitable for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).
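Review bot: the added sentence has a doubled word and a spelling error, "locked to the read-only position *after* after the Welcome Screen" and "Persistant Storage". The ordering it introduces is the substantive point and deserves to be spelled out as steps rather than left at "after the Welcome Screen": boot with the switch unlocked, unlock Persistent Storage at the Welcome Screen, then flip the switch to the locked position, since Tails will not load Persistent Storage from a write-protected stick. The same bullet also says "it may be acceptable to disable the switch", while the rest of the section uses "unlocked" and "locked" for the two positions; use one pair of terms throughout so "disable" is not read as removing the protection for good.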