diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md
index 90f5abd..bd27657 100644
--- a/content/posts/e2ee/index.md
+++ b/content/posts/e2ee/index.md
@@ -15,28 +15,27 @@ letter = "e2ee-letter.pdf"
+++
There are several different options for [end-to-end encrypted](/glossary/#end-to-end-encryption-e2ee) communication, each with different trade-offs. This article provides an overview and installation instructions for Tails, Qubes OS, and GrapheneOS.
-Before proceeding, there are a few concepts that need to be understood, in order to distinguish between the various options.
+Before proceeding, let’s go over a few concepts to help you distinguish between the different options.
-* **End-to-end encryption** means that only you and the person you are communicating with can read messages. However, not all [encryption](/glossary/#encryption) is created equal. The quality of the encryption is determined by the *encryption protocol* used and how it is implemented at the software level.
-* **Metadata protection** means that the [*metadata*](/glossary/#metadata) (the data about the data) about the communication is obscured. Even if the message itself is encrypted, metadata can reveal who is communicating with whom, when, how often, the sizes of any files that may have been transferred, and so on. Metadata exposure is [a major concern](https://docs.cwtch.im/security/risk#threat-model).
-* **Peer-to-peer** means that there is no centralized server to trust.
-* **Tor** is an [anonymity network](/glossary/#tor-network), and some applications route your messages through it by default.
+* **End-to-end encryption** means (in theory) that only you and the person you are communicating with can read messages. However, not all [encryption](/glossary/#encryption) is created equal. The quality of the encryption is determined by the *encryption protocol* used and how it's implemented at the software level.
+* **Metadata protection** means that the message [*metadata*](/glossary/#metadata) (the data about the data) is obscured. Even if the message itself is encrypted, metadata can reveal who is communicating with whom, when, how often, the sizes of any files that may have been transferred, and so on. Metadata exposure is [a major concern](https://docs.cwtch.im/security/risk#threat-model).
+* **Peer-to-peer** means that the messages do not pass through a centralized server.
+* **Tor** is an [anonymity network](/glossary/#tor-network). Some applications route your messages through Tor by default.
For a more in-depth look at these various considerations, we recommend [The Guide to Peer-to-Peer, Encryption, and Tor: New Communication Infrastructure for Anarchists](https://www.notrace.how/resources/#the-guide-to-peer-to-peer-encryption-and-tor). This text criticizes Signal for not being peer-to-peer and not using Tor by default, and goes on to compare Signal, Cwtch, and Briar.
-Anonymous public-facing projects have additional needs for encrypted communication, because they will be interacting with unknown (and untrusted) contacts:
-* Anyone can contact the project without requiring a separate channel
+Since anonymous public-facing projects such as counter-info websites interact with unknown (ie untrusted) contacts, they need more from encrypted communication than a personal user. These additional needs include:
+* That anyone can contact the project
* Resiliency to [correlation attacks](/glossary/#correlation-attack)
* Resiliency to [exploits](/glossary/#exploit)
-* Multiple project members can access the same messages
+* For multiple project members to be able to access the same messages
-The following options for encrypted messaging are listed from most metadata protection to least.
+The following recommendations for encrypted messaging are listed in order of highest to lowest metadata protection.
**TLDR:**
-* For text communication with other anarchists, prioritize Cwtch.
-* For voice or video calls, use SimpleX Chat or Signal (with usernames).
-* For anonymous public projects, PGP email is still the best option.
-
+* Cwtch for text messages
+* SimpleX Chat or Signal for voice or video calls
+* PGP Email for anonymously-run public projects
# Cwtch
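Review bot: the new TLDR line `+* SimpleX Chat or Signal for voice or video calls` drops the `(with usernames)` qualifier from the old line, even though the Signal section of this same file tells readers to enable usernames and hide their phone number to limit network mapping; suggest keeping it, e.g. `* SimpleX Chat or Signal (with usernames) for voice or video calls`. Two smaller points in the same hunk: `(ie untrusted)` should read `(i.e. untrusted)`, and the curly apostrophe in `let’s` is inconsistent with the straight `it's` used two lines later.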
@@ -48,7 +47,7 @@ The following options for encrypted messaging are listed from most metadata prot
* **Peer-to-peer**: Yes
* **Tor**: Yes
-Cwtch is our preference, by a long shot. For an overview of how Cwtch works, watch the video below. Cwtch is designed with metadata protection in mind; it is peer-to-peer, uses the Tor network, and stores everything locally on the device, encrypted.
+Cwtch is our preference for text messages by a long shot. For an overview of how Cwtch works, watch the video below. Cwtch is designed with metadata protection in mind; it's peer-to-peer, uses the Tor network, and stores all data locally on the device, encrypted.
@@ -60,7 +59,7 @@ Cwtch is our preference, by a long shot. For an overview of how Cwtch works, wat
-Like all peer-to-peer communication, Cwtch requires *[synchronous](/glossary/#synchronous-communication)* communication, meaning that both peers must be online at the same time. However, its server feature also allows *[asynchronous](/glossary/#asynchronous-communication)* communication by providing offline delivery:
+Like all peer-to-peer communication, Cwtch requires *[synchronous](/glossary/#synchronous-communication)* communication, meaning that both people must be online at the same time. However, its server feature also allows *[asynchronous](/glossary/#asynchronous-communication)* communication by providing offline delivery:
>"Cwtch contact to contact chat is fully peer to peer, which means if one peer is offline, you cannot chat, and there is no mechanism for multiple people to chat. To support group chat (and offline delivery) we have created untrusted Cwtch [servers](https://docs.cwtch.im/security/components/cwtch/server) which can host messages for a group. [...] the server has no way to know what messages for what groups it might be holding, or who is accessing it."
@@ -74,23 +73,23 @@ You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs
## For Anonymous Public-facing Projects
-**Anyone can contact the project without requiring a separate channel**
+**Need #1: That anyone can contact the project**
-Anyone can connect to a public Cwtch account when it is online. In the future, Cwtch bots that are semi-trusted (which are hosted on a Cwtch server) will enable first contact when the public Cwtch account is offline.
+Anyone can connect to a public Cwtch account when it's online. If the account is offline, it's not currently possible to establish first contact, though this will be supported in the future.
Cwtch will reject connections from blocked contacts, and if the setting "Block Unknown Contacts" is enabled, you must be the one to add a contact in order to establish a connection. This greatly limits the kinds of features that untrusted contacts can access. However, this setting is less relevant for public projects that need to be able to be contacted by anyone.
-**Resiliency to correlation attacks**
+**Need #2: Resiliency to correlation attacks**
Real-time messaging applications are particularly susceptible to end-to-end correlation attacks because of the ability of an adversary, once they know their target's ID on the messaging platform, to trigger incoming network traffic on the target's side by sending them messages on the platform (when the target is online). "Appear Offline Mode" in Cwtch allows a user to selectively connect to trusted contacts and groups, while appearing offline to everyone else. An [issue](https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/712) is open to further address this.
[Content padding exists](https://docs.cwtch.im/security/components/tapir/packet_format) to frustrate correlation attacks via message size.
-**Resiliency to exploits**
+**Need #3: Resiliency to exploits**
-A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Cwtch does [fuzz testing](https://openprivacy.ca/discreet-log/07-fuzzbot/) to find bugs. For public-facing project accounts, we recommend that you do not enable the "file sharing experiment" or the "image previews and profile pictures experiment" in the settings.
+A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Cwtch does [fuzz testing](https://openprivacy.ca/discreet-log/07-fuzzbot/) to find bugs. For public-facing project accounts, we recommend against enabling the "file sharing experiment" or the "image previews and profile pictures experiment" in the settings.
-**Multiple project members can access the same messages**
+**Need #4: For multiple project members to be able to access the same messages**
If a project has multiple members, all of them should be able to access the same messages independently. Currently, this is not possible with Cwtch.
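Review bot: the rewritten sentence `+Anyone can connect to a public Cwtch account when it's online. If the account is offline, it's not currently possible to establish first contact, though this will be supported in the future.` loses the detail that offline first contact would rely on semi-trusted bots hosted on a Cwtch server; that trust caveat matters for a public-facing project deciding what to depend on, so suggest keeping it (for example `...though this is planned via semi-trusted Cwtch bots hosted on a Cwtch server`). Separately, the four `Need #n` headings are not grammatically parallel (`That anyone can contact the project` versus `Resiliency to correlation attacks` versus `For multiple project members to be able to access the same messages`); since the same headings recur in the SimpleX section, pick one form, e.g. `Anyone can contact the project` and `Multiple project members can access the same messages`, and apply it in both places.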
@@ -108,7 +107,7 @@ If a project has multiple members, all of them should be able to access the same
-Install Cwtch as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
+Install Cwtch the same way you would install any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
@@ -128,7 +127,7 @@ Cwtch support for Tails is very new and not thoroughly tested.
* Verify your download
* Open the folder using the Tor Browser's download icon
* Right-click in the file manager and select "Open a Terminal Here"
- * Run `sha512sum cwtch-VERSION-NUMBER.tar.gz` (replace the version number as appropriate)
+ * Run `sha512sum cwtch-VERSION-NUMBER.tar.gz` (fill in the version number)
* Compare the hash of the file to what is listed on the download page
* According to our [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), personal data should be stored on a second LUKS USB and Persistent Storage should not be enabled. Extract the file with the file manager (right click, select "Extract Here"), then copy the `cwtch` folder to such a personal data LUKS USB.
* OPTIONAL - If you enable Persistent Storage: with Persistent Storage unlocked, in Terminal run `sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf && sudo sed -i '$ a /home/amnesia/.local source=cwtch_install' /live/persistence/TailsData_unlocked/persistence.conf` then restart Tails for the changes to take effect, again with an Adminstration Password.
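Review bot: the unchanged context line ending `...then restart Tails for the changes to take effect, again with an Adminstration Password.` still carries the `Adminstration` typo that this same commit fixes in the SimpleX Tails section (`+* Start Tails with an Administration Password.`); fix it here too while this list is being touched.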
@@ -138,7 +137,7 @@ Cwtch support for Tails is very new and not thoroughly tested.
* As the [documentation](https://docs.cwtch.im/docs/platforms/tails) states, "When launching, Cwtch on Tails should be passed the CWTCH_TAILS=true environment variable". In the Terminal, run:
* `exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch`
* With Persistent Storage disabled, configuration and profile data must be restored from backup every session you need to install Cwtch. Backup `/home/amnesia/.cwtch/` to the personal data LUKS USB, and copy it back to `/home/amnesia/` the next time you install Cwtch.
-* Updates to new versions must be done manually - back up your profile first.
+* Updates to new versions must be done manually - back up your profile before updating.
@@ -170,33 +169,33 @@ Cwtch on Whonix currently has an [issue](https://git.openprivacy.ca/cwtch.im/cwt
SimpleX Chat functions without persistent user IDs, which creates strong metadata protection. This means that an adversary can't easily observe how users are connected to each other in a network. This is possible because connection requests work by sharing an invitation link that is communicated through a separate channel, or in person. When connecting to another user you have the choice to use "Incognito mode", which creates a new random profile for each contact. This avoids sharing any data between contacts.
-As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer - it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server). Your data can be exported and then imported onto another device, as there are no central servers where this is backed up.
+As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer - it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server).
-Due to needing to [place some trust in the SimpleX servers](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers), **we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls**. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone.
+Since SimpleX requires that users [place some trust in the SimpleX servers](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers), **we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls**. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone.
-If SimpleX is served with a warrant, their [privacy policy](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md) is quite specific. Servers have the [records of the message queues](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#connections-with-other-users) and any [undelivered encrypted messages](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#messages-and-files) - no data is stored that links the queues or messages to particular users, and the data which is stored is not very useful without access to the user's device. SimpleX Chat doesn't have to use the default SimpleX servers.
+If SimpleX is served with a warrant, their [privacy policy](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md) is quite specific. Servers have the [records of the message queues](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#connections-with-other-users) and any [undelivered encrypted messages](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md#messages-and-files) - no data is stored that links the queues or messages to particular users, and the data which is stored is not very useful without access to the user's device.
-SimpleX Chat will work with Tor if used on an operating system that forces it to, such as Whonix or Tails. However, voice and video calls are generally not very functional over Tor with any application due to the latency Tor will introduce.
+SimpleX Chat will work with Tor if used on an operating system that forces it to, such as Whonix or Tails. However, voice and video calls generally don't work very well over Tor regardless of which application you use.
You can learn more about how to use SimpleX Chat with their [guide](https://simplex.chat/docs/guide/readme.html).
## For Anonymous Public-facing Projects
-**Anyone can contact the project without requiring a separate channel**
+**Need #1: That anyone can contact the project**
-Unlike the one-time invitation links that are normally used by SimpleX Chat and shared through a separate channel, you also have a [long term address](https://simplex.chat/docs/guide/app-settings.html#your-profile-settings) that can be published online so that anyone can connect to you. We recommend not enabling "Auto-accept".
+Unlike the one-time invitation links that are normally used by SimpleX Chat and shared through a separate channel, you also have a [long term address](https://simplex.chat/docs/guide/app-settings.html#your-profile-settings) that can be published online so that anyone can connect to you. We recommend against enabling "Auto-accept".
-**Resiliency to correlation attacks**
+**Need #2: Resiliency to correlation attacks**
-Real-time messaging applications are particularly susceptible to end-to-end correlation attacks because of the ability of an adversary, once they know their target's ID on the messaging platform, to trigger incoming network traffic on the target's side by sending them messages on the platform (when the target is online). An [issue](https://github.com/simplex-chat/simplex-chat/issues/3197) is open to address this. Message "mixing" is also [planned](https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations).
+Real-time messaging applications are particularly susceptible to end-to-end correlation attacks because once an adversary knows their target's ID on the messaging platform, they can trigger incoming network traffic on the target's side by sending them messages on the platform (when the target is online). An [issue](https://github.com/simplex-chat/simplex-chat/issues/3197) is open to address this. Message "mixing" is also [planned](https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations).
[Content padding exists](https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations) to frustrate correlation attacks via message size.
-**Resiliency to exploits**
+**Need #3: Resiliency to exploits**
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). For public-facing project accounts, we recommend that you set SimpleX Chat preferences to only allow text (prohibiting voice messages and attachments).
-**Multiple project members can access the same messages**
+**Need #4: For multiple project members to be able to access the same messages**
If a project has multiple members, all of them should be able to access the same messages independently. Currently, this is not possible with SimpleX Chat.
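Review bot: this hunk deletes two sentences that carry information rather than just style: `Your data can be exported and then imported onto another device, as there are no central servers where this is backed up.` and `SimpleX Chat doesn't have to use the default SimpleX servers.` The second one qualifies the new sentence `+Since SimpleX requires that users [place some trust in the SimpleX servers]...`, because choosing or self-hosting servers is the main way a user limits that trust, and the first tells users that backups are their own responsibility. Suggest restoring both, or folding them into the surrounding paragraphs.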
@@ -208,7 +207,7 @@ If a project has multiple members, all of them should be able to access the same
-Install SimpleX Chat as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). If you are using SimpleX Chat from behind a VPN (as [we recommend](/posts/grapheneos/#how-to-install-software)) then the default relay for calls is redundant and can be turned off: **Settings → Audio & video calls**, disable **Always use relay**
+Install SimpleX Chat the same way you would install any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). If you're using a VPN (as [we recommend](/posts/grapheneos/#how-to-install-software)) then the default relay for calls is redundant and can be turned off to improve call quality: **Settings → Audio & video calls**, disable **Always use relay**
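Review bot: the rewritten condition `If you're using a VPN` is looser than the original `If you are using SimpleX Chat from behind a VPN`, and the difference matters: turning off **Always use relay** is only safe if the app's call traffic actually goes through the VPN, since otherwise the call peer sees your real IP address (the Signal section of this file makes the same point about **Always relay calls**). Suggest keeping the explicit wording, e.g. `If SimpleX Chat's traffic goes through a VPN`. The added phrase `to improve call quality` is also a new claim with no source; either drop it or cite something.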
@@ -221,13 +220,13 @@ Install SimpleX Chat as you would any [app that doesn't require Google Services]
-* Start Tails with an Adminstration Password.
+* Start Tails with an Administration Password.
* Download the [AppImage](https://simplex.chat/downloads/#desktop-app) with Tor Browser
* According to our [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), personal data should be stored on a second LUKS USB and Persistent Storage should not be enabled. Copy the .AppImage file to such a personal data LUKS USB.
* Make the AppImage executable
* In the File Manager, browse to the directory with the file. Right click in the File Manager and select "Open a Terminal Here"
* Run `chmod +x simplex-desktop-x86_64.AppImage` and enter the Administration Password when prompted.
-* To launch, in the Terminal, run:
+* To launch run the following command in the Terminal:
* `./simplex-desktop-x86_64.AppImage`
* With Persistent Storage disabled, configuration and profile data must be restored from backup every session. Backup `/home/amnesia/.local/share/simplex` to the personal data LUKS USB, and copy it back to `/home/amnesia/.local/share` in your next session.
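Review bot: `+* To launch run the following command in the Terminal:` needs a comma after `To launch` (`To launch, run the following command in the Terminal:`); the `Administration` typo fix on the first line of the hunk looks good.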
@@ -243,7 +242,7 @@ Install SimpleX Chat as you would any [app that doesn't require Google Services]
-SimpleX Chat on Whonix is not guaranteed to have Tor [Stream Isolation](/posts/qubes/#whonix-and-tor) from other applications in the same qube, so we will install it in a dedicated qube. SimpleX Chat is installed in an App qube, not a Template (because it is an AppImage).
+SimpleX Chat on Whonix does not guarantee Tor [Stream Isolation](/posts/qubes/#whonix-and-tor) from other applications in the same qube, so we will install it in a dedicated qube. SimpleX Chat is installed in an App qube, not a Template (because it is an AppImage).
* Download the [AppImage](https://simplex.chat/downloads/#desktop-app) using Tor Browser in a disposable Whonix qube.
* [Create an App qube](/posts/qubes/#how-to-organize-your-qubes) with the Template `whonix-ws-16` and networking `sys-whonix`.
@@ -272,23 +271,23 @@ The Signal Protocol has a moderate amount of metadata protection; [sealed sender
Signal is not peer-to-peer; it uses centralized servers that we must trust. Signal will work with Tor if used on an operating system that forces it to, such as Whonix or Tails.
-Signing up for a Signal account is difficult to do anonymously. The account is tied to a phone number that the user must still control - due to [changes in "registration lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number) and must be maintained - most people will not do this.
+Signing up for a Signal account is difficult to do anonymously. The account is tied to a phone number that the user must retain control of - due to [changes in "registration lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number) and must be maintained as long as you’re using it, which takes some technical know-how and likely some money, limiting the amount of people who will do this.
Another barrier to anonymous registration is that Signal Desktop will only work if Signal is first registered from a smartphone. For users familiar with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer using [Signal-cli](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for registration would have to be obtained anonymously.
-These barriers to anonymous registration mean that Signal is rarely used anonymously. This has significant implications if the State gains [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to the device. One of the primary goals of State surveillance of anarchists is [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html), and it's common for them to gain physical access to devices through [house raids](https://www.notrace.how/threat-library/techniques/house-raid.html) or even simple arrests. For example, if your device's [authentication is bypassed](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), it is easy for the police to identify all of your Signal contacts (as well as the members of any groups you are in) simply by their phone number.
+These barriers to anonymous registration mean that Signal is rarely used anonymously. This has significant implications if the State gains [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to the device. One of the primary goals of State surveillance of anarchists is [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html), and it's common for them to gain physical access to devices through [house raids](https://www.notrace.how/threat-library/techniques/house-raid.html) or arrests. For example, if police bypass your device's [authentication](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), they can identify Signal contacts (as well as the members of any groups you are in) simply by their phone numbers, if those contacts haven't changed their settings to hide their phone number.
-In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. The phones of suspects were accessed through physically seizing them during arrests and house raids, as well as through spyware, and then Signal contacts and group members were identified. These identities were added to the list of suspects who were subsequently investigated.
+In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. Police seized suspects' phones during arrests and house raids, as well as targeting them through spyware, and then identified Signal contacts and group members. These identities were added to the list of suspects who were subsequently investigated.
-A compromised device contributing to network mapping is partly mitigated by the [username feature](https://community.signalusers.org/t/public-username-testing-staging-environment/56866) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
+The risk of a compromised device aiding the police in network mapping is partly mitigated by the [username feature](https://community.signalusers.org/t/public-username-testing-staging-environment/56866) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. If you aren't using Signal from behind a VPN or Tor, then in **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
-A company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
+A private company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
>In its targeted interception mode – which starts from a single target – JASMINE has claimed it is able to identify communicating parties in encrypted but peer-to-peer applications [...] the JASMINE documentation explicitly claims support for identifying the IP addresses of participants in encrypted apps such as WhatsApp and Signal during voice and video calls where peer-to-peer connections are also used for calling by default.
>
>The JASMINE documentation also explains that by analysing encrypted traffic “events” for a whole country – in mass interception mode – JASMINE has the ability to correlate and identify the participants in encrypted group chats on messaging apps.
-A similar surveillance product would not work against Cwtch because it uses Tor by default. Without a Tor or VPN proxy, an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack. Although it is possible to configure Signal to use a VPN or Tor, it is opt-in so will always be a minority of users.
+A similar surveillance product would not work against Cwtch because it uses Tor by default. Without a Tor or VPN proxy, an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack. Although it is possible to configure Signal to use a VPN or Tor, it is opt-in so most people will not use it like this.
Signal was designed to bring encrypted communication to the masses, not for an anarchist threat model. Because it's very difficult to register for Signal anonymously, and because you must first install Signal on a phone to use it on a computer, **we recommend prioritizing Cwtch over Signal for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls.** For the same reasons, Signal is not well-suited for anonymous public-facing projects.
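Review bot: two wording issues in this hunk. In `+...must be maintained as long as you’re using it, which takes some technical know-how...` the curly apostrophe in `you’re` is inconsistent with the straight apostrophes (`it's`, `aren't`) used in the rest of the file. In `+...Police seized suspects' phones during arrests and house raids, as well as targeting them through spyware, and then identified...` the verb forms are not parallel (`seized` ... `as well as targeting`); suggest `Police seized suspects' phones during arrests and house raids, and also targeted them with spyware, then identified Signal contacts and group members.`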
@@ -300,10 +299,10 @@ Signal was designed to bring encrypted communication to the masses, not for an a
-We recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are familiar with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal needs to be registered on a smartphone before it can be connected to a computer. Install Signal as you would any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). If you are using Signal from behind a VPN (as [we recommend](/posts/grapheneos/#how-to-install-software)) then a relay for calls is redundant and should be turned off: **Settings → Privacy → Advanced**, disable **Always relay calls**
+We recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are familiar with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal needs to be registered on a smartphone before it can be connected to a computer. Install Signal the same way you would install any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid). If you are using Signal from behind a VPN (as [we recommend](/posts/grapheneos/#how-to-install-software)) then a relay for calls is redundant and should be turned off: **Settings → Privacy → Advanced**, disable **Always relay calls**
-[Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android - we recommend it over Signal for anarchists, and extending trust to the Molly team is made easier by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't available in the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption.
+[Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android - we recommend it over Signal, and trusting the Molly team is made easier by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't available in the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption.
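Review bot: the Molly-FOSS paragraph ends with "Turn on database encryption." but, unlike the Signal paragraph's "Settings → Privacy → Advanced", gives no menu path or link for where that setting lives; add the path or point at the relevant section of the hardening guide so a reader can find it. The reason the call relay is "redundant" behind a VPN is also only implied; half a sentence (the relay hides your IP address from the other party on a call, which the VPN already does) would make the trade-off explicit.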
@@ -338,7 +337,7 @@ Some of the [Signal Configuration and Hardening Guide](https://blog.privacyguide
* Go to **Applications menu → Qubes Tools → Qube Manager**
* Clone whonix-ws-16 and name it something like whonix-ws-16-signal.
- * We do this so as not to add attack surface to the base Whonix Workstation template. If you also install other messaging applications, they could share a cloned template with a name like whonix-ws-16-e2ee
+ * We do this to avoid adding attack surface to the base Whonix Workstation template. If you also install other messaging applications, they could share a cloned template with a name like whonix-ws-16-e2ee
* Open a Terminal in the new Template: **Applications menu → Template: whonix-ws-16-signal: Xfce Terminal**
* Run the commands in the [Signal installation guide](https://www.signal.org/download/linux/) to install Signal Desktop in the Template.
* Note that the layout of the Signal installation guide is a bit confusing for users unfamiliar with the command line; `wget` and `cat` are separate commands, but `echo` in #2 is a command so long that it takes two lines (which is why the second line is indented).
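Review bot: "Clone whonix-ws-16" hardcodes a Whonix release number into the steps and into the suggested names whonix-ws-16-signal / whonix-ws-16-e2ee; either say that the number follows the installed Whonix version or phrase it as "the current Whonix Workstation template". The last bullet also describes the layout of an external page ("`echo` in #2 ... takes two lines"), which will silently go stale when signal.org reorders its guide; quoting the commands themselves would be more robust than describing their formatting.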
@@ -371,29 +370,29 @@ https_proxy = 127.0.0.1:8082
* **Peer-to-peer**: No
* **Tor**: Not default
-PGP (Pretty Good Privacy) is not so much a messaging platform as it is a way to encrypt messages on top of existing messaging platforms (in this case, email). PGP email does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions from future key or password compromises. It maintains the secrecy of past communications even if the current communication is compromised. This means that an adversary could decrypt all future PGP messages in one fell swoop. When you also consider the metadata exposure inherent in email, PGP simply doesn't meet the standards of modern cryptography. For a more technical critique, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). [Privacy Guides](https://www.privacyguides.org/en/basics/email-security/) agrees that "email is best used for receiving transactional emails [...], not for communicating with others." **We recommend that anarchists don't use PGP email for communication with other anarchists**.
+PGP (Pretty Good Privacy) is not so much a messaging platform as it is a way to encrypt messages on top of existing messaging platforms (in this case, email). PGP email does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions from future key or password compromises. It maintains the secrecy of past communications even if the current communication is compromised. This means that an adversary could decrypt all past PGP messages in one fell swoop. When you also consider the metadata exposure inherent in email, PGP simply doesn't meet the standards of modern cryptography. For a more technical critique, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). [Privacy Guides](https://www.privacyguides.org/en/basics/email-security/) agrees that "email is best used for receiving transactional emails [...], not for communicating with others." **We recommend that anarchists still using PGP email for communication use Cwtch groups instead.**
**There is an exception: for anonymous public-facing projects, we still recommend using PGP email** because it is the best option that meets the additional needs required by a public account. Use a [radical server](https://riseup.net/en/security/resources/radical-servers) that doesn't require an invite code and read the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp).
## For Anonymous Public-facing Projects
-**Anyone can contact the project without requiring a separate channel**
+**Need #1: That anyone can contact the project**
Anyone can send a message to a public email account regardless of whether the recipient is online or offline.
-**Resiliency to correlation attacks**
+**Need #2: Resiliency to correlation attacks**
Email is not a real-time messaging application - this means that it is not particularly susceptible to end-to-end correlation attacks via time.
No content padding exists to frustrate correlation attacks via message size in email protocols, but if you access the mail servers through Tor then the traffic is padded.
-**Resiliency to exploits**
+**Need #3: Resiliency to exploits**
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Email can be accessed through webmail (via Tor Browser) or through a client like Thunderbird - these have different attack surfaces. For example, a Cwtch developer found an exploit to [turn Thunderbird into a decryption oracle](https://pseudorandom.resistant.tech/disclosing-security-and-privacy-issues-in-thunderbird.html) when it displays messages with HTML.
We recommend using Thunderbird (which is available in Tails and Qubes-Whonix by default) with the setting to display email as "Plain Text" rather than as HTML: View → Message Body As → Plain Text. Most webmail will not function with Tor Browser in "Safest" mode.
-**Multiple project members can access the same messages**
+**Need #4: For multiple project members to be able to access the same messages**
If a project has multiple members, all of them should be able to access the same messages independently. This is straight forward with email, if all project members have the email password and the private PGP key.
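Review bot: the correction from "future" to "past" messages is right, but the preceding sentence "It maintains the secrecy of past communications even if the current communication is compromised" still describes forward secrecy wrongly; it is compromise of the long-term key, not of the current communication, that forward secrecy protects past traffic against, so reword to "... even if the long-term private key is later compromised", matching the sentence before it ("future key or password compromises"). Need #2 also overstates Tor's padding: Tor rounds traffic up to fixed-size cells, which does not hide the approximate size of a large attachment, so "then the traffic is padded" should be softened.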
diff --git a/content/posts/grapheneos/index.md b/content/posts/grapheneos/index.md
index d2f8f65..8b4fbc9 100644
--- a/content/posts/grapheneos/index.md
+++ b/content/posts/grapheneos/index.md
@@ -14,20 +14,20 @@ a4="grapheneos-a4.pdf"
letter="grapheneos-letter.pdf"
+++
-[Anarchists should minimize the presence of phones in their lives](/posts/nophones/). If you decide to use a phone, make it as difficult as possible for an adversary to geotrack it, intercept its messages, or hack it. This means using GrapheneOS.
+While [anarchists should minimize the presence of phones in their lives](/posts/nophones/), if you do decide to use a phone, make it as difficult as possible for an adversary to geotrack it, intercept its messages, or hack it. This means using GrapheneOS.
# What is GrapheneOS?
-GrapheneOS is a private and secure version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) have irrevocable access to your files, call logs, location, etc.), and it is trivial to [bypass standard Android authentication](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) with [physical access](/glossary/#physical-attacks) to the device. GrapheneOS uses hardware-based security to [greatly increase the difficulty](https://grapheneos.org/faq#encryption) of bypassing authentication, is significantly [hardened](/glossary#hardening) against hacking, and has all Google apps and services removed by default. There are other alternative Android operating systems, [but they are inferior](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of privacy and security improvements over standard Android. GrapheneOS is [regularly audited](https://grapheneos.org/faq#audit).
+GrapheneOS is a security-focused version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) have irrevocable access to your files, call logs, location, etc.). GrapheneOS uses hardware-based security to [make it far more difficult](https://grapheneos.org/faq#encryption) to bypass the disk encryption, it is significantly [hardened](/glossary#hardening) against hacking, and it removes all Google apps and services by default. There are other alternative Android operating systems, [but they don't have comparable security](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of privacy and security improvements over standard Android.
-Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/), cell phones leave a geolocation history when they connect to cell towers. For this reason, we recommend that you use a smartphone that stays at home like a landline and connects to the Internet via Wi-Fi in airplane mode, rather than using a SIM card to connect through cell towers. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Furthermore, it's not enough to only leave your phone at home when you're going to a demo or action, as this will [stand out](/posts/nophones/#metadata-patterns) as an outlier and serve as an indication of conspiratorial activity in that time window.
+Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/), cell phones connecting to cell towers give the provider a history of your geolocation. For this reason, we recommend that you leave your smartphone at home and use it like a landline, connecting to the Internet via Wi-Fi in airplane mode, rather than using a SIM card to connect through cell towers. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Furthermore, it's not enough to only leave your phone at home when you're going to a demo or action, as this will [stand out](/posts/nophones/#metadata-patterns) as an outlier and serve as an indication of conspiratorial activity in that time window.
# Installation
-[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and are not recommended. Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
+[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
-[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with a command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
+[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
The first time you boot Graphene, it will ask you if you want to connect to Wi-Fi. Don't, we need to do [hardware-based attestation](#auditor) first. Never set up fingerprint authentication. Set a [strong password](/posts/tails-best/#passwords).
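Review bot: the new installation paragraph dropped the article: "uncomfortable with command line" should read "uncomfortable with the command line" as in the removed line. The rewrite of the first paragraph also silently removes two claims (that standard Android authentication is trivially bypassed with physical access, and that GrapheneOS is regularly audited, with its grapheneos.org/faq#audit link); if these were dropped because the sources no longer support them, the commit should say so, otherwise the audit sentence is useful context and worth keeping.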
@@ -50,7 +50,7 @@ There is no official support for installing from Qubes OS, but it is possible wi
* Net qube: sys-firewall
* Press **Apply**
* Follow the installation instructions in the sys-usb terminal. When you get to **Flashing factory images**, don't run `./flash-all.sh`. Instead, scroll down to Troubleshooting and run the command that uses a different temporary directory. The flash script is expected to print out messages like `archive does not contain 'example.img'`.
-* When you are done, restart sys-usb. If it is disposable, the changes you made will be gone. Don't forget to change the sys-usb qube settings back:
+* When you're done, restart sys-usb. If it is disposable, the changes you made will be gone. Don't forget to change the sys-usb qube settings back:
* Net qube: (none)
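Review bot: the flashing step tells the reader to "scroll down to Troubleshooting and run the command that uses a different temporary directory" without quoting it, so the instruction depends on the current layout of grapheneos.org and gives no way to check that the right command was picked; quote the command (or at least the variable it sets) inline. It would also help to say why sys-usb needs "Net qube: sys-firewall" only for the duration of the install (presumably because the install commands fetch the factory image over the network), so readers understand why the setting is reverted to (none) afterwards rather than skipping that step.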
@@ -71,9 +71,9 @@ In the post-installation instructions, **Hardware-based attestation** is the las
How does it work? Your new device is the *auditee*, and the *auditor* can be either another instance of the Auditor app on a friend's phone or the [Remote Attestation Service](https://attestation.app/); we recommend doing both. The *auditor* and *auditee* pair to create a private key, and if the *auditee's* operating system is tampered with after the pairing is complete, the *auditor* will be alerted.
-First, immediately after installing the device and before connecting to the Internet, [perform a local verification](https://attestation.app/tutorial#local-verification). This requires the presence of a friend whom you see semi-regularly and who has the Auditor app (on any Android device). The first pairing will show a brown background, and subsequent audits will show attestation results with a green background if nothing is remiss. There is no remote connection between your phones; you must re-audit to benefit.
+First, immediately after installing the device and before connecting to the Internet, [perform a "local verification"](https://attestation.app/tutorial#local-verification). This requires the presence of a friend whom you see semi-regularly and who has the Auditor app (on any Android device). The first pairing will show a brown background, and subsequent audits will show attestation results with a green background if nothing is remiss. There is no remote connection established between the phones of the auditor and auditee; you must perform these verifications in person.
-We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, which prevents your phone from being reached and tracked by the cellular network, and then turn on Wi-Fi. Leave airplane mode on at all times - otherwise the phone will connect to cellular networks even if there is no SIM card the phone.
+We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, and then turn on Wi-Fi. This "will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio." Leave airplane mode on at all times - otherwise the phone will interact with cellular networks even if there is no SIM card the phone.
You are now ready to connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up a [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. The default delay until alerts is 48 hours; if you know your phone will be off for a longer period, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home while traveling), simply ignore the notification emails. You can always log back in to view your attestation history.
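Review bot: the typo "even if there is no SIM card the phone" (missing "in") is carried over unchanged into the new line; fix it while touching this line. The added quotation ("will fully disable the cellular radio transmit and receive capabilities ...") has no attribution or link; quoted text should name its source so readers can verify it. The pairing sentence is also loose: the auditor and auditee do not jointly "create a private key"; the auditee's hardware keystore generates the key and the auditor records its attestation, which is why only the auditor that did the first pairing can verify later audits.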
@@ -109,9 +109,9 @@ To reiterate, the user profiles and their purposes are:
The GrapheneOS app store contains the standalone applications developed by the GrapheneOS project, such as Vanadium, Auditor, Camera, and PDF Viewer. These are automatically updated.
-To install additional software, avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/android/#f-droid). GrapheneOS has a [Sandboxed Google Play](https://grapheneos.org/features#sandboxed-google-play) that can be installed through the GrapheneOS app store: "Google Play receives absolutely no special access or privileges on GrapheneOS".
+To install additional software, avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/en/android/#f-droid). GrapheneOS has a [Sandboxed Google Play](https://grapheneos.org/features#sandboxed-google-play) that can be installed through the GrapheneOS app store: "Google Play receives absolutely no special access or privileges on GrapheneOS". Alternatively, you can use the [Aurora Store](https://www.privacyguides.org/en/android/#aurora-store), though it has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
-The approach we will take is that all applications needed in any user profile will be installed in the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all applications (except the VPN) will be disabled. The **Install available apps** feature is then used to delegate apps to the required profiles. Automatic updates in the Owner user profile will also be applied to the secondary user profiles.
+The approach we will take is that all applications needed in any user profile will be installed in the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all installed applications (except the VPN) will be "disabled". Then we'll use the **Install available apps** feature to delegate apps to the secondary profiles that you need them in. Automatic updates in the Owner user profile will also automatically be applied to the secondary user profiles.
To install and configure Sandboxed Google Play:
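Review bot: the new Aurora Store sentence says it has "some of the same security issues as F-Droid", which the same paragraph tells readers to avoid, but not when Aurora would nonetheless be the better choice over Sandboxed Google Play; state the situation (for example, not wanting to create a Google account) or the sentence reads as a recommendation against itself. "Install available apps" is bolded as a feature but, unlike the other bolded settings in this file, has no Settings path; add it.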
@@ -121,7 +121,7 @@ To install and configure Sandboxed Google Play:
* Automatic updates are enabled by default on the Google Play Store: **Google Play Store Settings → Network Preferences → Auto-update apps**.
* Notifications for Google Play Store and Google Play Services must be enabled for auto-updates to work: **Settings → Apps → Google Play Store / Google Play Services → Notifications**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18).
-You are now ready to install applications from the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you want to use a free VPN, RiseupVPN is recommended. If you want to pay for a VPN anonymously, both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn) are also recommended. VPNs are per profile, so must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
+You are now ready to install applications from the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you want to use a free VPN, we recommend RiseupVPN. If you want to pay for a VPN anonymously, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). VPNs must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks – especially those targeting messaging apps – more difficult to perform and less effective.
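Review bot: "We recommended using a VPN in every profile" is a tense error ("We recommend") present in both the old and the new line; fix it here. More importantly, "All standard GrapheneOS connections will be forced through the VPN" only holds once the VPN is set as always-on with "Block connections without VPN" enabled in Android's VPN settings; installing the app alone forces nothing, so add that step (or say where it is covered) before making the claim.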
@@ -140,13 +140,13 @@ As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signa
## Software That Requires Google Play Services
-If there is an app you want to use that requires Google Play services, create a specific user profile for it from the Owner user profile; you can name it Google. This is also a good way to isolate any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. If you create a Google user profile, you will need to install and configure Sandboxed Google Play in it.
+If there is an app you want to use that requires Google Play services, create a specific user profile for it from the Owner user profile. This is also a good way to isolate any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. If you create a Google user profile, you will need to install and configure Sandboxed Google Play in it.
Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid the need for this Google user profile.
# VoIP
-A Wi-Fi only smartphone doesn't require a monthly SIM card fee. As explained in [Kill the Cop in Your Pocket](/posts/nophones#bureaucracy), bureaucracies often require a phone number that can be called normally (without encryption). [VoIP](/glossary#voip-voice-over-internet-protocol) applications allow you to create a number and make calls over the Internet rather than through cell towers. A phone number is also occasionally required for applications such as [Signal registration](/posts/e2ee/#signal), and a VoIP number will often work.
+A Wi-Fi only smartphone doesn't require a service plan. As explained in [Kill the Cop in Your Pocket](/posts/nophones#bureaucracy), bureaucracies often require a phone number that can be called from a normal phone (without encryption). [VoIP](/glossary#voip-voice-over-internet-protocol) applications allow you to create a number and make calls over Wi-Fi rather than through cell towers. A phone number is also occasionally required for applications such as [Signal registration](/posts/e2ee/#signal), and a VoIP number will usually work.
Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones; the main advantage is that you can hear the phone ringing even when your computer is turned off. The [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) VoIP service works well with their [Cheogram client](https://cheogram.com/) and can be paid for in Bitcoin. There are also mobile-only paid options such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360020177133-Why-isn-t-MySudo-working-in-my-country-)). A MySudo subscription can be purchased anonymously with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is probably unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services.
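Review bot: the new line removes "you can name it Google" but the next sentence still refers to "a Google user profile", so the name is now used without being introduced; either keep the naming suggestion or change the later references to "this profile". In the VoIP paragraph, "a VoIP number will usually work" for Signal registration is stronger than the old "often", and Signal is known to reject numbers from many VoIP providers; keep the weaker wording unless there is evidence for "usually".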
@@ -154,18 +154,16 @@ Some of the VoIP applications [that work on computers](/posts/nophones#bureaucra
You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if you need the anonymity of Tor rather than the privacy of Riseup VPN, you should use [either Qubes OS or Tails](/posts/qubes/#when-to-use-tails-vs-qubes-os) on a computer. The [Graphene docs](https://grapheneos.org/usage#web-browsing) recommend avoiding Gecko-based browsers like Tor Browser, as these browsers "do not have internal sandboxing on Android." Orbot is an app that can route traffic from any other app on your device through the Tor network, but simply using the Vanadium browser through Orbot is [not recommended by the Tor Project](https://support.torproject.org/tbb/tbb-9/).
-Applications like Cwtch and Briar have Tor built in and should not be used through a VPN like Orbot.
-
# Recommended Settings and Habits
* [Owner user profile] **Settings → Security → Auto reboot:** 8 hours
- * The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting will return it to effective encryption even if they leave it powered on.
-* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when not in use. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
+ * The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting will return it to a more effective encryption once the time has elapsed.
+* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
-* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - updates will still happen to apps installed in a secondary user profile delegated from the Owner profile. We do this so that malicious changes to the secondary user profile will be harder to accomplish.
+* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - apps installed in a secondary user profile delegated from the Owner profile will still be updated.
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
* When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
-* It is convenient to be able to receive notifications from any user profile.
+* It is convenient to be able to receive notifications from any user profile:
* [Owner user profile] **Settings → System → Multiple users:** Send notifications to current user (enabled)
# How to Backup
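Review bot: dropping "Applications like Cwtch and Briar have Tor built in and should not be used through a VPN like Orbot" fixes the mislabelling of Orbot as a VPN, but it leaves the interaction between Tor-native apps and the per-profile VPN recommended earlier in this file unstated; a replacement sentence saying whether Cwtch should run through the VPN (Tor over VPN) or bypass it would stop readers guessing. In the auto-reboot bullet, "return it to a more effective encryption once the time has elapsed" is vague; "return the data to its encrypted at-rest state once the timer expires" says what the reboot actually achieves.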
@@ -186,7 +184,7 @@ Be sure to turn off the phone overnight and when you leave it at home. If the po
# Linux Desktop Phones
-Why recommend a Pixel over a Linux desktop phone? Linux desktop phones like the [PinePhone Pro](https://en.wikipedia.org/wiki/PinePhone_Pro) are [much easier to hack than GrapheneOS](https://madaidans-insecurities.github.io/linux-phones.html) because they lack modern security features like full system MAC policies, verified boot, strong app sandboxing, and modern [exploit](/glossary/#exploit) mitigations. Their hardware architecturally lacks modern security features like hardware based encryption (via a Trusted Execution Environment/Secure Element) and has questionable integration of components such as the modem. For these reasons, we don't recommend Linux desktop phones.
+Why recommend a Pixel over a Linux desktop phone? Linux desktop phones like the [PinePhone Pro](https://en.wikipedia.org/wiki/PinePhone_Pro) are [much easier to hack than GrapheneOS](https://madaidans-insecurities.github.io/linux-phones.html) because they lack modern security features like full system MAC policies, verified boot, strong app sandboxing, and modern [exploit](/glossary/#exploit) mitigations. Their hardware architecturally lacks modern security features like hardware based encryption (via a Trusted Execution Environment/Secure Element) and has questionable integration of components such as the modem.
# Wrapping Up
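Review bot: deleting the closing sentence "For these reasons, we don't recommend Linux desktop phones." leaves the paragraph's opening question ("Why recommend a Pixel over a Linux desktop phone?") without a stated answer; if it was cut as redundant, end the paragraph with a one-line conclusion such as "This is why we recommend a Pixel instead." Nit in the same line: "hardware based encryption" should be hyphenated ("hardware-based").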
diff --git a/content/posts/linux/index.md b/content/posts/linux/index.md
index a6a1886..ca53b3c 100644
--- a/content/posts/linux/index.md
+++ b/content/posts/linux/index.md
@@ -16,40 +16,40 @@ a4="linux-a4.pdf"
letter="linux-letter.pdf"
+++
-As an anarchist, you've probably heard the recommendation to use a Linux computer. This article is intended to get you started by giving you a brief overview of what you need to know.
+As an anarchist, someone's probably recommended that you use a Linux computer at some point. This article is intended to get you started by giving you a brief overview of what you need to know.
# What is Linux and Why Use It?
-If you are reading this, you are probably using either Windows or macOS on your computer. These are both [operating systems](/glossary#operating-system-os), which is the system software that runs your device. They're also both "closed-source", which means that the software's "*source* code" is not available (*closed*) to the public, so it can't be audited for privacy and security. Windows and macOS computers send your data to Microsoft and Apple, and you can't trust their [full-disk encryption](/glossary#full-disk-encryption-fde) to protect your data if the computer is [physically accessed](/glossary/#physical-attacks) (like after a [house raid](https://www.notrace.how/threat-library/techniques/house-raid.html)).
+If you're reading this, you're probably using either Windows or macOS on your computer. These are both [operating systems](/glossary#operating-system-os), which is the system software that runs your device. They're also both "closed-source", which means that the software's "*source* code" is not available (*closed*) to the public, so it can't be audited for privacy and security. Windows and macOS computers send your data to Microsoft and Apple, and you can't trust their [full-disk encryption](/glossary#full-disk-encryption-fde) to protect your data if the computer is [physically accessed](/glossary/#physical-attacks) (like after a [house raid](https://www.notrace.how/threat-library/techniques/house-raid.html)).
-Linux is a set of operating systems that are [open-source](/glossary#open-source), which means that the *source* code can be analyzed by anyone. Linux is the name given to the core (**kernel**) of the operating system, and many different **distributions** (or 'distros') are based on it. Simply put, *Linux is the only type of computer that anarchists can trust*.
+Linux is a set of operating systems that are [open-source](/glossary#open-source), which means that the *source* code can be analyzed by anyone. Linux is the name given to the core (**kernel**) of the operating system, and many different **distributions** (or 'distros') are based on it.
-Linux distributions that anarchists are likely to have heard of are Debian, Ubuntu and [Tails](/tags/tails/). Each Linux distribution makes different choices about how to manage software, what kernel version to use, etc. In fact, both Ubuntu and Tails are adaptations of Debian for the specific use cases of being user-friendly (Ubuntu) and providing anonymity (Tails).
+Some Linux distributions you may have heard of are Debian, Ubuntu and [Tails](/tags/tails/). Each Linux distribution manages software differently, may use a different kernel version, etc, depending on what the specific distribution is geared towards. In fact, both Ubuntu and Tails are adaptations of the Debian distribution for being user-friendly (Ubuntu) and providing anonymity (Tails).
# How Software Works
-In Linux, the term for an application is a **package**. Instead of downloading applications from various sites on the Internet (as in Windows and macOS), a Linux distribution has a centralized **repository** where the software lives. This has the advantage that the integrity of the software is verified by the distribution, and it is guaranteed to work with that Linux distribution. It is still possible to install software from outside of a distro's repository, but it is generally considered riskier, and verifying the integrity is your responsibility. Installing a package requires knowing its name, and all packages in a repository can be browsed using a web browser for both [Debian](https://www.debian.org/distrib/packages#search_packages) and [Fedora](https://packages.fedoraproject.org/).
+In Linux, the term for an application is a **package**. Instead of downloading applications from various sites on the Internet (as in Windows and macOS), a Linux distribution has a centralized **repository** where the software lives. The advantage of this is that the integrity of the software is verified by the distribution, and it is guaranteed to work with that distribution. It is still possible to install software from outside of a distro's repository, but it is generally considered riskier, and verifying the integrity becomes your responsibility. Installing a package requires knowing its name, and all packages in a repository can be browsed using a web browser for both [Debian](https://www.debian.org/distrib/packages#search_packages) and [Fedora](https://packages.fedoraproject.org/).
-How do you actually install from a software repository? Each distribution also has a **package manager**, which is an application that installs software from a software repository. Debian and distributions based on it use the `apt` package manager. In some distributions, it is possible to install software with a Graphical User Interface (GUI) that uses the package manager in the background, such as the [Synaptic Package Manager](/posts/tails/#installing-additional-software) in Tails.
+How do you actually install from a software repository? Each distribution also has a **package manager**, which is an application that installs software from a repository. Debian and other distributions based on it use the `apt` package manager. In some distributions, it is possible to install software with a Graphical User Interface (GUI) that uses the package manager in the background, such as the [Synaptic Package Manager](/posts/tails/#installing-additional-software) in Tails.
# Software Alternatives
-Part of the learning curve for Linux is figuring out which open-source software to use instead of the closed-source options you are used to in Windows and macOS. For example, instead of using Microsoft Word, you might use LibreOffice. The fact that an application is open-source is an essential criterion, but it is not enough to be considered secure. For example, Telegram advertises itself as open-source, but the servers are not open-source and the cryptography is [garbage](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/). The list of [included software for Tails](/posts/tails/#included-software) will cover many of your needs with reputable choices, and you can also check out [switching.software](https://switching.software/).
+Part of the learning curve for Linux is figuring out which open-source software to use instead of the closed-source options you are used to in Windows and macOS. For example, instead of using Microsoft Word, you might use LibreOffice. It's essential that the applications you use are open-source, but an application being open-source is not enough to consider it secure. For example, Telegram advertises itself as open-source, but the servers are not open-source and the cryptography is [garbage](https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/). The list of [included software for Tails](/posts/tails/#included-software) will cover many of your needs by listing reputable choices, and you can also check out [switching.software](https://switching.software/).
# The Command Line Interface

-The dreaded [command line](/glossary/#command-line-interface-cli)! What even is it? You are used to interacting with applications through a **Graphical User Interface (GUI)**, which means pointing and clicking buttons with your mouse. Some applications can also be interacted with through a **Command Line Interface (CLI)**, which is textual. Many applications are available in both CLI and GUI versions.
+The dreaded [command line](/glossary/#command-line-interface-cli)! What even is it? You are used to interacting with applications through a **Graphical User Interface (GUI)**, which means pointing and clicking with your mouse. Some applications can also be interacted with through a **Command Line Interface (CLI)**, which is textual. Many applications are available in both CLI and GUI versions. In a nutshell, the GUI is just a graphical depiction of the same things that you would do in the Command Line (CLI), designed to make it easier and more intuitive to navigate your computer.
For example, navigating the contents of your computer with the File Manager GUI is pretty standard - you click on a folder (called a *directory* in Linux), and it opens. The same navigation through the file system is also possible from the CLI.
-When you open a Terminal (the CLI application), you get a *prompt*. It is called a prompt because it is prompting you to say something in a language that the Terminal understands. Prompts differ in what information is displayed, but they all end with the `$` character. You then give *commands* to the Terminal. The Terminal responds, then redisplays the prompt to take more commands.
+When you open a Terminal (the CLI application), you get a *prompt*. It is called a prompt because it is prompting you to say something in a language that the Terminal understands. Prompts differ in what information is displayed, but they all end with the `$` character. You then give *commands* to the Terminal. The Terminal responds, then redisplays the prompt for the next command.
The best way to learn the basics of the command line is to interact with it. We recommend the [Foundations: Linux Journey](https://techlearningcollective.com/foundations/linux-journey/) "Command Line" module to learn some basic commands. The [Software Distribution and Packages](https://techlearningcollective.com/foundations/linux-journey/software-distribution) exercise will teach you what you need to know to [install software in Qubes](/posts/qubes/#how-to-install-software).
-Some commands require elevated privileges, equivalent to "Open as Administrator" in Windows. For example, installing software usually requires this. Prefixing a command with `sudo` will execute it as the administrative user, named root (note: the root user is not the same as the root directory, and the two should not be confused). A root prompt will display `#` instead of `$`. Be especially careful with any commands you run while using these elevated privileges, as you'll have the power to erase your entire hard drive or change important files. It is helpful to know that text is pasted in the Terminal with Ctrl+Shift+V (i.e. the Shift key must also be pressed).
+Some commands require elevated privileges, equivalent to "Open as Administrator" in Windows. For example, installing software usually requires this privileged access. Prefixing a command with `sudo` will execute it as the administrative user, named root (note: the root user is not the same as the root directory, and the two should not be confused). A root prompt will display `#` instead of `$`. Be especially careful with any commands you run while using these elevated privileges, as you'll have the power to erase your entire hard drive or change important files. It is helpful to know that text is pasted in the Terminal with Ctrl+Shift+V (i.e. the Shift key must also be pressed).
Most Linux users will rarely need to use the CLI. If you're using Tails, you shouldn't need it at all. If you're using Qubes OS, the CLI is only needed to install software:
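Review bot: the sentence added at the end of the "dreaded command line" paragraph writes "the Command Line (CLI)" right after the paragraph has expanded CLI as "Command Line Interface"; use one expansion consistently. Its claim that "the GUI is just a graphical depiction of the same things that you would do in the Command Line" also overstates the relationship, since many GUI actions have no one-to-one CLI counterpart and vice versa; "most things you do in a GUI can also be done with commands in the CLI" is safer and still makes the point. In the distributions paragraph, "etc," needs its period ("etc.,") and "adaptations of the Debian distribution for being user-friendly (Ubuntu) and providing anonymity (Tails)" reads awkwardly; suggest "adaptations of Debian geared towards being user-friendly (Ubuntu) and providing anonymity (Tails)".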
diff --git a/content/posts/metadata/index.md b/content/posts/metadata/index.md
index e45afc4..83b7484 100644
--- a/content/posts/metadata/index.md
+++ b/content/posts/metadata/index.md
@@ -15,7 +15,7 @@ letter="metadata-letter.pdf"
+++
-[Metadata](/glossary/#metadata) is 'data about data' or 'information about information'. In the context of files, this can mean information that is automatically embedded in the file, and this information can be used to deanonymize you. For example, an image file will often have metadata about when it was taken, where it was taken, what camera it was taken with, and so on. A PDF file may have information about what program created it, what computer, etc. This can be used by investigators to link a photo to the camera on which it was taken, a video to the computer on which it was edited, and so on. To learn more about how metadata can be used to identify and reveal personal information, see [Behind the Data: Investigating metadata](https://exposingtheinvisible.org/en/guides/behind-the-data-metadata-investigations/). Before you put a sensitive file on the Internet, cleanse it of metadata.
+[Metadata](/glossary/#metadata) is 'data about data' or 'information about information'. In the context of files, this can mean information that is automatically embedded in the file, and this information can be used to deanonymize you. For example, an image file will often have metadata about when it was taken, where it was taken, what camera it was taken with, and so on. A PDF file may have information about what program created it, what computer, etc. This can be used by investigators to link a photo to the camera on which it was taken, a video to the computer on which it was edited, and so on. To learn more about how metadata can be used to identify and reveal personal information, see [Behind the Data: Investigating metadata](https://exposingtheinvisible.org/en/guides/behind-the-data-metadata-investigations/). Before you put a sensitive file on the Internet, remove the metadata.
@@ -27,7 +27,7 @@ Fortunately, there is a tool that comprehensively cleans metadata, and it is ava
If you are not comfortable with the command line, we recommend using Metadata Cleaner - it uses `mat2` under the hood, so it has all the same functionality. Metadata Cleaner is better than Exiftool and other metadata removal software - see the [comparison docs](https://0xacab.org/jvoisin/mat2/-/blob/master/doc/comparison_to_others.md).
-Metadata Cleaner shows the metadata it detects, but "it doesn't mean that a file is clean from any metadata if mat2 doesn't show any. There is no reliable way to detect every single possible metadata for complex file formats." You should clean the file even if no metadata is displayed.
+Metadata Cleaner shows the metadata it detects, but "it doesn't mean that a file is clean from any metadata if mat2 doesn't show any. There is no reliable way to detect every single possible metadata for complex file formats." This means that you should clean the file even if no metadata is displayed.
To use the Metadata Cleaner, first add a file. When you click it, the current metadata is displayed. Select the file, then select **Clean**, followed by **Save**. You can verify that the metadata has been removed by re-adding the cleaned file and viewing its metadata.
@@ -41,7 +41,7 @@ While it is possible to remove all metadata from an image or video, forensic exa
> Every camera's sensor has a unique noise signature because of subtle hardware differences. The sensor noise is detectable in the pixels of every image and video shot with the camera and could be fingerprinted. In the same way ballistics forensics can trace a bullet to the barrel it came from, the same can be accomplished with adversarial digital forensics for all images and videos. Note this effect is different from file metadata.
-Multiple photos or videos from the same camera can be tied together in this way, and if the camera is recovered, it can be confirmed where the files came from. Cheap cameras can be purchased from a refurbished store and used only once for pictures or videos that require high security.
+Multiple photos or videos from the same camera can be tied together in this way, and if the camera is recovered, it can be confirmed where the files came from. Cheap cameras can be purchased from a pawn shop and used only once for pictures or videos that require high security.
# Printer Forensics
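Review bot: swapping "refurbished store" for "pawn shop" is fine, but the property that matters for this advice is that the purchase cannot be tied to you, and neither wording says so; given that the paragraph's concern is the camera being recovered and linked to the files, make it explicit, e.g. "Cheap cameras can be purchased with cash from a pawn shop or second-hand store and used only once for pictures or videos that require high security."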
diff --git a/content/posts/nophones/index.md b/content/posts/nophones/index.md
index 33d59a0..9b52d44 100644
--- a/content/posts/nophones/index.md
+++ b/content/posts/nophones/index.md
@@ -14,49 +14,47 @@ a4="nophones-a4.pdf"
letter="nophones-letter.pdf"
+++
-With effective [security culture and operational security](https://www.notrace.how/resources/read/csrc-bulletin-1-en.html#header-a-base-to-stand-on-distinguishing-opsec-and-security-culture), the forces of repression wouldn't know about our specific criminal activities, but they also wouldn't know about our lives, [relationships](https://www.notrace.how/threat-library/techniques/network-mapping.html), movement patterns, and so on. This knowledge is a huge advantage in narrowing down suspects and conducting targeted surveillance. Your phone's location is [tracked at all times](https://www.vice.com/en/article/m7vqkv/how-fbi-gets-phone-data-att-tmobile-verizon), and this data is harvested by private companies, allowing police to bypass laws requiring them to obtain a warrant. The phone's [hardware identifiers and subscription information](https://anonymousplanet.org/guide.html#your-imei-and-imsi-and-by-extension-your-phone-number) are logged by cell towers with every connection. Hacking services like [Pegasus](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) put total phone compromise within reach of even local law enforcement and are "zero-click," meaning success doesn't depend on you clicking a link or opening a file.
+Effective [security culture and operational security](https://www.notrace.how/resources/read/csrc-bulletin-1-en.html#header-a-base-to-stand-on-distinguishing-opsec-and-security-culture) prevents the forces of repression from knowing about our specific criminal activities, but also about our lives, [relationships](https://www.notrace.how/threat-library/techniques/network-mapping.html), movement patterns, and so on. This knowledge is a huge advantage in narrowing down suspects and conducting targeted surveillance. Your phone's location is [tracked at all times](https://www.vice.com/en/article/m7vqkv/how-fbi-gets-phone-data-att-tmobile-verizon), and this data is harvested by private companies, allowing police to bypass needing to obtain a warrant. The phone's [hardware identifiers and subscription information](https://anonymousplanet.org/guide.html#your-imei-and-imsi-and-by-extension-your-phone-number) are logged by each and every cell tower your phone connects to. Hacking services like [Pegasus](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) put total phone compromise within reach of even local law enforcement and are "zero-click," meaning they don't depend on you clicking a link or opening a fileto hack your phone.
-On the flip side, after more than 30 recent arsons in a small town in France went unsolved, [investigators complained](https://actforfree.noblogs.org/post/2022/04/17/grenoblefrance-these-saboteurs-of-the-ultra-left-have-been-elusive-for-five-years/) that "it is impossible to exploit phone or vehicle registration data because they operate without phones or cars!" This article will outline some strategies for killing the cop in your pocket.
+On the flip side, after more than 30 arsons in a small town in France went unsolved, [investigators complained](https://actforfree.noblogs.org/post/2022/04/17/grenoblefrance-these-saboteurs-of-the-ultra-left-have-been-elusive-for-five-years/) that "it is impossible to exploit phone or vehicle registration data because they operate without phones or cars!" This article will outline some strategies for killing the cop in your pocket.
# Encryption and Geolocation
-Some comrades respond to the issues with smartphones by using flip phones or a landline to communicate with each other, but this approach leaves nothing hidden from the eyes of the State because nothing is [encrypted](/glossary/#encryption) - neither the content of your conversations nor who is talking to whom. For example, in a [recent repressive operation](https://www.notrace.how/resources/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan), the police set up real-time geolocation of the suspect's phone and made a list of everyone the suspect communicated with using unencrypted phone calls. A short biography was written for each contact.
+Some comrades respond to the issues that arise with smartphones by using flip phones or a landline to communicate with each other, but since these devices are not [encrypted](/glossary/#encryption), the State can see the content of your conversations, who you call and who calls you. For example, in a [recent repressive operation](https://www.notrace.how/resources/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan), the police tracked the geolocation of the suspect's flip phone phone in real time and made a list of everyone the suspect called.
-It has become quite common for comrades to carry a cell phone around with them wherever they go, and in the contexts where people use flip phones, to make unencrypted calls to other anarchists. We think both of these practices should be completely avoided. Let's not make the job of the police and intelligence agencies so easy by providing them with our social network and geolocation history on a silver platter.
+It has become quite common for comrades to carry cell phones around with them wherever they go, and, where people use flip phones, to make unencrypted calls to other anarchists. We think both of these practices should be avoided. Let's not make the job of the police and intelligence agencies so easy by providing them with our social networks and geolocation history on a silver platter.
-If you don't carry a phone with you everywhere, their only means of determining geolocation is through physical surveillance, which is resource-intensive and can be detected. The first step in a surveillance effort is to build a movement profile for the target, and the geolocation history of a cell phone provides this in comprehensive detail.
+If you don't carry a phone with you everywhere, their only means of determining geolocation is through physical surveillance, which is resource-intensive and can be detected. The first step in a surveillance effort is to build a movement profile for the target, and cell phone geolocation history provides a detailed picture of your daily patterns.
Another primary goal of targeted surveillance is to map the target's social network in order to identify other targets. The only way to avoid giving this to our enemies is to use only [encrypted messaging](/posts/e2ee/) to communicate with other anarchists; these tools can help prevent investigators from knowing who is talking to whom, or what they are talking about.
# Metadata Patterns
-The normalization of constant connectivity within dominant society has led some anarchists to correctly note that the [metadata](/glossary/#metadata) generated by phone activity is useful to investigators. However, the conclusion that some draw from this insight, that we should ["never turn off the phone,"](https://web.archive.org/web/20210126183740/https://325.nostate.net/2018/11/09/never-turn-off-the-phone-a-new-approach-to-security-culture) takes us in the wrong direction. Their logic is that if you step out of the normal metadata patterns, those moments become suspicious, and if those moments coincide with when an action occurs, that could be used as evidence to link you to the crime or to investigate you more closely. This is true, but the only conclusion that can be drawn from this - which is not a total dead end, at least - is to minimize the creation of normal metadata patterns in the first place.
+The normalization of constant connectivity within dominant society has led some anarchists to correctly note that phone [metadata](/glossary/#metadata) is useful to investigators. However, the conclusion that some draw from this insight, that we should ["never turn off the phone,"](https://web.archive.org/web/20210126183740/https://325.nostate.net/2018/11/09/never-turn-off-the-phone-a-new-approach-to-security-culture) takes us in the wrong direction. Their logic is that if you step out of the normal metadata patterns, those moments become suspicious, and if those moments coincide with when an action occurs, that could be used as evidence to link you to the crime or to investigate you more closely. While this is true, it makes far more sense to minimize the creation of normal metadata patterns in the first place.
Our connections to the infrastructures of domination must remain sporadic and unpredictable if we are to retain any semblance of freedom and ability to strike at the enemy. What if the reconnaissance required for an action requires an entire weekend away from electronic devices? Or let's start with the simple fact that phones must be left at home during an action - this only becomes the outlier to a pattern if phones otherwise accompany us wherever we go. In a normatively "always connected" life, either of these metadata changes would stick out like a sore thumb, but this is not the case if you refuse to always be plugged in. **This requires leaving your phone at home by default**.
# Do You Really Need a Phone?
-Phones have colonized everyday life because people have been instilled with the belief that they need *synchronous* communication in every moment. [*Synchronous*](/glossary/#synchronous-communication) means that two or more parties communicate in real time, as opposed to something [*asynchronous*](/glossary/#asynchronous-communication) like email, where messages are sent at different times. This "need" has become normalized, but it is worth resisting within the anarchist space. [Anarchy can only be anti-industrial](https://theanarchistlibrary.org/library/bismuto-beyond-the-moment#toc1), and this requires that we learn to live without the conveniences sold to us by the telecom companies: we should be able to live without being connected to the Internet at all times, without algorithmic real-time directions, and without the infinite flexibility that allows us to change plans at the last minute.
+Phones have colonized everyday life because people have been instilled with the belief that they need *synchronous* communication in every moment. [*Synchronous*](/glossary/#synchronous-communication) means that two or more parties communicate in real time, as opposed to something [*asynchronous*](/glossary/#asynchronous-communication) like email, where messages are sent at different times. This "need" has become normalized, but it is worth resisting within the anarchist space. [Anarchy can only be anti-industrial](https://theanarchistlibrary.org/library/bismuto-beyond-the-moment#toc1), and this requires that we learn to live without the conveniences sold to us by the telecom companies: we must defend (or rekindle) our ability to live without being connected to the Internet at all times, without algorithmic real-time directions, and without the infinite flexibility that allows us to change plans at the last minute.
-If you decide to use a phone, it should be as difficult as possible for an adversary to geotrack, intercept messages, or hack, which means using [GrapheneOS](/posts/grapheneos/). This is because **only [encrypted communications](/posts/e2ee/) should be used to communicate with other anarchists** - this rules out flip phones and landlines. GrapheneOS is the only smartphone operating system that provides reasonable privacy and security.
+If you decide to use a phone, in order to make it as difficult as possible for an adversary to geotrack, intercept messages, or hack, use [GrapheneOS](/posts/grapheneos/). If we can agree to **only use [encrypted communications](/posts/e2ee/) to communicate with other anarchists**, this rules out flip phones and landlines. GrapheneOS is the only smartphone operating system that provides reasonable privacy and security.
-**To prevent your movements from being tracked, you need to treat the smartphone like a landline and leave it at home when you are out of the house**. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for any geolocation data. If you use the phone as we recommend, as a [Wi-Fi only device](/posts/grapheneos/#what-is-grapheneos), and keep it in airplane mode at all times, cell towers won't be able to connect to the phone. It's not enough to only leave it at home when you're going to a demo or action, because that pattern of behavior will stand out as an outlier and serve as an indication that criminal activity is taking place in that window of time. Keep in mind that even if this "encrypted landline" cannot track your movements if you leave it at home, [malware](/glossary/#malware) could still turn it into an audio recording device.
+**To prevent your movements from being tracked, treat the smartphone like a landline and leave it at home when you are out of the house**. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for any geolocation data. If you use the phone as we recommend, as a [Wi-Fi only device](/posts/grapheneos/#what-is-grapheneos), and keep it in airplane mode at all times, cell towers won't be able to connect to the phone. It's not enough to only leave it at home when you're going to a demo or action, because that pattern of behavior will stand out as an outlier and serve as an indication that criminal activity is taking place in that window of time. Keep in mind that even if this "encrypted landline" cannot track your movements if you leave it at home, [malware](/glossary/#malware) could still turn it into an audio recording device.
-If only the comrades who are taking the biggest risks don't carry a cop in their pockets everywhere they go, they'll stand out. Identical in principle to black bloc tactics, the simple act of wearing a mask will provide cover for anyone to act anonymously. Therefore, we propose that those parts of the anarchist space that have been overtaken by dominant society's relationship to technology take several steps back to re-establish less intrusive baselines around phones.
-
-You may choose to entirely live without phones, if you don't feel that you need an "encrypted landline". The strategies for minimizing the need for phones that follow rely on computers, where synchronous communication is also possible but more limited.
+You may choose to live without phones entirely, if you don't feel that you need an "encrypted landline". The strategies for minimizing the need for phones that follow rely on computers, where synchronous communication is also possible but more limited.
## Bureaucracy
-Many bureaucratic organizations make it difficult not to have a phone: health care, the post office, banking, etc. Since these communications do not need to be encrypted, you can use a [Voice over Internet Protocol (VoIP)](/glossary#voip-voice-over-internet-protocol) application (which allows you to make phone calls over the Internet rather than through cell towers).
+Many bureaucratic institutions that we are forced to deal with make it difficult to live without a phone: health care, banking, etc. Since these communications do not need to be encrypted, you can use a [Voice over Internet Protocol (VoIP)](/glossary#voip-voice-over-internet-protocol) application (which allows you to make phone calls over the Internet rather than through cell towers).
-Any VoIP application option on a computer is asynchronous because it doesn't ring when the computer is off - you rely on the voicemail feature to return missed calls. For example, a service like [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) gives you a VoIP number, which you can optionally pay for in bitcoin, and you make calls using an XMPP (Jabber) client - [Cheogram](https://cheogram.com/) works well.
+Any VoIP application option on a computer is asynchronous because it doesn't ring when the computer is off - you rely on the voicemail feature to return missed calls. For example, a service like [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) gives you a VoIP number, which you can pay for in cryptocurrency, and you make calls using an XMPP application - [Cheogram](https://cheogram.com/) works well.
If you use an "encrypted landline", you can use a [VoIP app](/posts/grapheneos/#voip).
-Though usually more expensive than VoIP, a flip phone or landline also works well for making and receiving 'normal life' calls if you're not going to use it to talk to anarchists, and in the case of the flip phone, if you will leave it at home.
+Though usually more expensive than VoIP, a flip phone or landline also works well for making and receiving 'bureaucratic' calls from home, like those mentioned above.
VoIP usually works for any [two-factor authentication](/glossary/#two-factor-authentication-2fa) (2FA) you need (if a service requires you to receive a random number to log in). [Online phone numbers](https://anonymousplanet.org/guide.html#online-phone-number) are another option.
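Review bot: the glossary link on the rewritten VoIP line (`/glossary#voip-voice-over-internet-protocol`) is missing the trailing slash that every other glossary link in this hunk uses (`/glossary/#two-factor-authentication-2fa`, `/posts/grapheneos/#voip`); since the line is being rewritten anyway, make it `/glossary/#voip-voice-over-internet-protocol` so it resolves the same way. Also, dropping the paragraph about everyone adopting the same baseline so that the comrades taking the biggest risks don't stand out removes the collective-cover argument that the surviving sentence ("that pattern of behavior will stand out as an outlier") only half makes on its own; consider keeping a one-sentence version of it. Minor: 'bureaucratic' on the flip-phone line uses single quotes where the rest of the section double-quotes "encrypted landline".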
@@ -64,19 +62,19 @@ VoIP usually works for any [two-factor authentication](/glossary/#two-factor-aut
Not carrying a phone everywhere requires a change in the way you socialize if you are [already caught in the net](https://theanarchistlibrary.org/library/return-fire-vol-4-supplement-caught-in-the-net). Being intentional about minimizing the mediation of screens in our relationships is a valuable goal in and of itself.
-An "encrypted landline" allows you to be reachable at home and can be dedicated to voice calls. If someone needs to get your attention, this is how. You can otherwise use a computer for encrypted messaging, which we find far preferable to an unending stream of notifications on a device that is always within reach.
+Using an "encrypted landline" to make phone calls and a computer for encrypted messaging allows us to avoid the unending stream of notifications on a device that is always within reach.
-Except in cases where it is unavoidable (as in the case of a publication whose editors live in different regions), organizing should not be mediated by technology. The dynamic by which, in some parts of the anarchist space, the entirety of how anarchists organize projects together has been reduced to a monoculture of Signal group chats (or worse) warrants much criticism. This capture of organizing relationships by smartphone culture has led to a meeting that never ends. It also means that our organizing is relatively easy to surveil. Only one phone in the group chat needs to be compromised with malware to access all the messages.
+It would do us all good to take a hard look at the monoculture of Signal group chats that have replaced face-to-face encounters in some parts of the anarchist space. This capture of organizing relationships by smartphone culture forces us into a never-ending meeting that is relatively easy to surveil.
-That said, encrypted communication is useful for setting up real-life meetings where life and organizing actually take place, or for projects that are shared with comrades across distances. See [Encrypted Messaging for Anarchists](/posts/e2ee/) for various options appropriate to an anarchist [threat model](/glossary/#threat-model).
+That said, encrypted communication can be useful for setting up real-life meetings where life and organizing actually take place, or for projects shared across distances. See [Encrypted Messaging for Anarchists](/posts/e2ee/) for various options appropriate to an anarchist [threat model](/glossary/#threat-model).
## Emergency Calls
-A passerby on the street will often lend you their phone to make an urgent call. If the need arises in remote areas, such as on a hiking trip, the use of a flip phone would be a good solution. To receive emergency calls, if you cannot be reached from a computer as described above, we can stop by each other's houses or arrange encrypted messaging check-ins in advance. What scenarios actually require the ability to receive a call at any moment? If they actually exist in your life, you can organize around them without projecting that urgency into all areas and moments of your life.
+A passerby on the street will often lend you their phone to make an urgent call if you tell them that yours is out of battery. To receive emergency calls, if you cannot be reached from a computer as described above, we can stop by each other's houses or arrange encrypted messaging check-ins in advance. What scenarios actually require you to be available to receive a call at any moment? If these actually exist in your life, you can organize around them without projecting that urgency into all other areas and moments.
## Directions
-Buy a paper map of your area and bring it with you. For longer trips or trips where you need directions, use [OpenStreetMap](https://www.openstreetmap.org/) to note them ahead of time. Wear a watch to make sure you arrive on time.
+Buy a paper map of your area and bring it with you. For longer trips or trips where you need directions, use [OpenStreetMap](https://www.openstreetmap.org/) to note them ahead of time.
## Music and Podcasts
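Review bot: the rewritten Signal group chat paragraph drops the one concrete reason the old text gave for "relatively easy to surveil" ("Only one phone in the group chat needs to be compromised with malware to access all the messages"); without it the new sentence is a bare assertion, so keep that sentence or fold it in, e.g. "a never-ending meeting that is relatively easy to surveil, since a single compromised phone exposes the whole chat." The "encrypted landline" rewrite also loses the point that it is the channel people use when they need to reach you ("If someone needs to get your attention, this is how"), which the Emergency Calls section's "as described above" still back-references.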
@@ -90,7 +88,7 @@ It's always with us, always on, no matter where we are or what we're doing. It k
When I stroll through an area or take the subway, I see it with almost everyone, and no one can last more than a few seconds without frantically reaching for their pocket: the cell phone is whipped out, a message is sent, an email is checked, a photo is liked. It is put away again, a short break, and here we go again, skimming through today's news and checking out what all the friends are up to...
-It's our companion when we're on the toilet, at work or at school, and it apparently helps to fight boredom while we're waiting or working, etc. Is this perhaps one of the reasons for the success of all these technological devices, that real life is so damn boring and monotonous that a few square centimeters of screen is almost always more exciting than the world and the people around us? Is it like an addiction (people definitely have withdrawal symptoms...) or has it even become part of our body? Without it, we no longer know how to orient ourselves and feel that something is missing? So it is no longer just a tool or a toy, but a part of us that also exerts a certain control over us, to which we adapt, for example, by not leaving the house until the battery is fully charged? Is thesmartphone the first step in blurring the line between human and robot?
+It's our companion when we're on the toilet, at work or at school, and it apparently helps to fight boredom while we're waiting or working, etc. Is this perhaps one of the reasons for the success of all these technological devices, that real life is so damn boring and monotonous that a few square centimeters of screen is almost always more exciting than the world and the people around us? Is it like an addiction (people definitely have withdrawal symptoms...) or has it even become part of our body? Without it, we no longer know how to orient ourselves and feel that something is missing? So it is no longer just a tool or a toy, but a part of us that also exerts a certain control over us, to which we adapt, for example, by not leaving the house until the battery is fully charged? Is the smartphone the first step in blurring the line between human and robot?
When we see what technocrats of all kinds are prophesying (Google Glasses, implanted chips, etc.), it almost seems as if we are heading towards becoming cyborgs, people with implanted smartphones that we control through our thoughts (until our thoughts themselves are finally controlled). It is not surprising that the media, the spokesmen of domination, show us only the positive aspects of this development, but it is shocking that almost no one questions this view. It's probably every ruler's wildest dream: to be able to monitor everyone's thoughts and actions at all times and to intervene immediately in case of any disturbance. Totally controlled and monitored worker bees who are allowed to have some (virtual) fun as a reward while a few profit.
diff --git a/content/posts/tamper/index.md b/content/posts/tamper/index.md
index fd493ab..dbfdc47 100644
--- a/content/posts/tamper/index.md
+++ b/content/posts/tamper/index.md
@@ -14,7 +14,7 @@ a4="tamper-a4.pdf"
letter="tamper-letter.pdf"
+++
-If the police ever have [physical access](/glossary/#physical-attacks) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it at the hardware, firmware, or software level. One way to minimize this risk is to make it tamper-evident. As the No Trace Project Threat Library [notes](https://www.notrace.how/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) - it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to be able to detect when they do."
+If the police ever have [physical access](/glossary/#physical-attacks) to an electronic device like a laptop, even [for five minutes](https://www.vice.com/en/article/a3q374/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes), they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it at the hardware, firmware, or software level. One way to minimize this risk is to make devices tamper-evident. As the No Trace Project Threat Library [notes](https://www.notrace.how/threat-library/mitigations/tamper-evident-preparation.html), "Tamper-evident preparation will make it possible to discern when something has been [physically accessed](/glossary/#physical-attacks) - it's not possible to prevent a powerful enemy from obtaining physical access to your computer when you are away, but it should be possible to detect when they do."
['Evil maid' attacks](https://en.wikipedia.org/wiki/Evil_maid_attack) work like this: An attacker gains temporary access to your [encrypted](/glossary/#encryption) laptop or phone. Although they can’t decrypt your data, they can tamper with your laptop for a few minutes and then leave it exactly where they found it. When you return and enter your credentials, you have been hacked. The attacker may have [modified data on your hard drive](https://media.ccc.de/v/gpn20-32-poc-implementing-evil-maid-attack-on-encrypted-boot), replaced the firmware, or installed a hardware component such as a keylogger.
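Review bot: the second change in this hunk edits wording inside a direct quotation from the No Trace Project Threat Library ("it should be possible to be able to detect" becomes "it should be possible to detect"). If the source page still reads the longer way, the quote should stay verbatim or mark the elision with brackets; if the source has itself been corrected, fine, but check before merging. The first change ("make devices tamper-evident") is a clear improvement, since "it" had no antecedent other than "this risk".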
@@ -102,7 +102,7 @@ This excerpt assumes that we take the cell phone with us, but [as discussed else
# Physical Intrusion Detection
-"Defense in depth" means that there are multiple layers of security that must be bypassed for an adversary to succeed. [Physical intrusion detection](https://www.notrace.how/threat-library/mitigations/physical-intrusion-detection.html) should be in addition to tamper-evident laptops and storage. That way, even if a covert house search doesn't interact with the tamper-evident storage (for example, because the goal is to install [covert surveillance devices](https://www.notrace.how/threat-library/techniques/covert-surveillance-devices.html)), you can still find out about it.
+"Defense in depth" means that there are multiple layers of security that an adversary must bypass in order to succeed. [Physical intrusion detection](https://www.notrace.how/threat-library/mitigations/physical-intrusion-detection.html) should be in place in addition to tamper-evident laptops and storage. That way, even if a covert house search doesn't interact with the tamper-evident storage (for example, because the goal is to install [covert surveillance devices](https://www.notrace.how/threat-library/techniques/covert-surveillance-devices.html)), you can still find out about it.
Haven is an Android app developed by the Freedom of Press Foundation that uses the smartphone’s many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. Unfortunately Haven is currently unmaintained and unreliable on many devices. Until [a good alternative is developed](https://github.com/guardianproject/haven/issues/465), make sure to test the functionality of Haven on your device before relying on it. We don't recommend using home surveillance cameras without privacy features, because then the police can have easy knowledge of your comings and goings without needing to set up their own surveillance cameras.
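Review bot: the rewording is fine; one thing on the unchanged Haven line this hunk carries as context: the organization's name is the Freedom of the Press Foundation (missing "the"), and the linked issue tracker is under github.com/guardianproject, so the developer credit may also want to name Guardian Project. Worth fixing while this paragraph is being touched.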
@@ -114,7 +114,7 @@ Haven should be used on a dedicated cheap Android device that is otherwise empty
# Tamper-Evident Software and Firmware
-So far, we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. "Defense in depth" requires this - to trust an electronic device, you must trust the hardware, firmware, and software. Software or firmware compromise can occur [remotely](/glossary/#remote-attacks) (over the Internet) as well as with physical access, so it is especially important. Tamper-evident software and firmware are compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
+So far, we have only looked at making hardware compromise tamper-evident. It is also possible to make software and firmware tamper-evident. This is required for "defense in depth" - to trust an electronic device, you must trust the hardware, firmware, and software. Software or firmware compromise can occur [remotely](/glossary/#remote-attacks) (over the Internet) as well as with physical access, so it is especially important because the other measures won't detect a remote firmware compromise. Tamper-evident software and firmware are compatible with our [recommendations](/recommendations): Qubes OS or Tails on laptops, or GrapheneOS on a smartphone.
For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that allows you to be notified if firmware or software has been tampered with - you will receive an email when Auditor performs a remote attestation.
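Review bot: the added clause "so it is especially important because the other measures won't detect a remote firmware compromise" has an ambiguous subject: "it" reads as the compromise, while the thing that is important is tamper-evident software and firmware, and "the other measures" is not tied to anything in this paragraph. Suggest: "Software or firmware compromise can occur remotely (over the Internet) as well as with physical access, so tamper-evident software and firmware are especially important: the physical measures described above cannot detect a remote compromise."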
@@ -128,9 +128,9 @@ With the measures described above, any 'evil maid' would have to bypass:
2) The tamper-evident storage, and
3) The tamper-evident glitter nail polish (for an attack that requires opening the laptop), or HEADS/Auditor (for a software or firmware attack)
-These layers are all important, although they may seem redundant. The expertise and cost required to successfully execute the attack increases significantly with each layer, making it much less likely to be attempted in the first place. The best practice is to [obtain a fresh device in such a way that it cannot be intercepted](/posts/tails-best/#to-mitigate-against-physical-attacks), and then consistently implement all of these layers from the beginning.
+These layers are all important, although they may seem redundant. The expertise and cost required to successfully execute the attack increases significantly with each layer, making it much less likely that an adversary will attempt it in the first place. The best practice is to [obtain a fresh device in such a way that it cannot be intercepted](/posts/tails-best/#to-mitigate-against-physical-attacks), and then consistently implement all of these layers from the beginning.
-This means that every time you leave the house with no one home, you turn off sensitive devices and put them into tamper-evident storage, take the necessary photos, and activate Haven. This may sound tedious, but it can be done in less than a minute if you leave unused devices in storage. When you get home, first check the Haven log. Next, verify the tamper-evident storage.
+This means that every time you leave the house with no one home for a significant amount of time, you put the turned-off devices into tamper-evident storage, take the necessary photos, and activate Haven. This may sound tedious, but it can be done in less than a minute if you leave unused devices in storage. When you get home, first check the Haven log. Next, verify the tamper-evident storage.
Laptop screws can be verified monthly, or when something suspicious happens. Neither HEADS nor Auditor require much effort to use properly once set up; Auditor runs without interaction and HEADS becomes part of your boot process.
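Review bot: "for a significant amount of time" in the rewritten routine sits badly with this same file's opening paragraph, which says five minutes of physical access is enough for an evil maid attack; either drop the qualifier or state explicitly that short absences are an accepted trade-off. The rewrite also turns the explicit step "you turn off sensitive devices" into the assumption "the turned-off devices"; keep powering off as a listed step rather than an assumption, so the checklist is complete on its own.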
diff --git a/layout/.anarsec_article.typ.swp b/layout/.anarsec_article.typ.swp
deleted file mode 100644
index 268750d..0000000
Binary files a/layout/.anarsec_article.typ.swp and /dev/null differ
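Review bot: deleting the stray Vim swap file is right, but it should never have been committed; add `.*.swp` (or `*.swp`) to the repository's .gitignore in this same change so it cannot reappear.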