mirror of https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-09 23:32:56 -04:00
tails best edits
parent 11a8bd8da3
commit b3aeac2777
5 changed files with 22 additions and 104 deletions
@ -31,7 +31,7 @@ For more information, see [Linux Essentials](/posts/linux/#the-command-line-inte
### Correlation Attack
An end-to-end correlation attack is a theoretical way that a global adversary could break the anonymity of the [Tor network](/glossary/#tor-network). For more information, see [Protecting against determined, skilled attackers](/posts/tails-best/#2-protecting-against-determined-skilled-attackers) and [Make Correlation Attacks More Difficult](/posts/tails/#make-correlation-attacks-more-difficult).
An end-to-end correlation attack is a theoretical way that a global adversary could break the anonymity of the [Tor network](/glossary/#tor-network). For more information, see [Protecting against determined, skilled attackers](/posts/tails-best/#2-protecting-against-determined-skilled-attackers) and [Make Correlation Attacks More Difficult](/posts/tails/#make-correlation-attacks-more-difficult). For research papers on the subject, see [Thirteen Years of Tor Attacks](https://github.com/Attacks-on-Tor/Attacks-on-Tor#correlation-attacks) and the design proposal on [information leaks in Tor](https://spec.torproject.org/proposals/344-protocol-info-leaks.html).
### CVE
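Review bot: the added sentence links a compendium of attack papers while the entry still opens with "a theoretical way", and the two read at odds. The tails-best hunk in this same commit quotes "End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users"; the glossary should use that framing ("studied in research papers, not known to have been used against Tor users") rather than "theoretical". Also, proposal 344 is a prioritization of protocol-level information leaks, not a correlation-attack paper; describe it as "the Tor design proposal on information leaks that make traffic analysis easier" so the reader is not sent there expecting a correlation study.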
@ -45,7 +45,7 @@ A Distributed Denial of Service (DDoS) attack attempts to overload or crash the
Digital signatures are based on [public-key cryptography](/glossary/#public-key-cryptography). A private key is used to digitally sign data, while the corresponding public key is used by third parties to verify the signature. Before a public key is used to verify a signature, its authenticity should be verified.
To learn more, [watch this video](https://invidious.sethforprivacy.com/watch?v=s22eJ1eVLTU&listen=false). For a more detailed look, see [Defend Dissent: Authenticity through Cryptographic Signing](https://open.oregonstate.education/defenddissent/chapter/cryptographic-signing/) or our [GPG explanation](/posts/tails-best/#appendix-3-gpg-explanation).
To learn more, [watch this video](https://invidious.sethforprivacy.com/watch?v=s22eJ1eVLTU&listen=false). For a more detailed look, see [Defend Dissent: Authenticity through Cryptographic Signing](https://open.oregonstate.education/defenddissent/chapter/cryptographic-signing/) or our [GPG explanation](/posts/tails-best/#appendix-gpg-explanation).
### Doxxing
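Review bot: the only change in this hunk is the anchor `#appendix-3-gpg-explanation` → `#appendix-gpg-explanation`, and the same rename recurs in the Signal/PGP, Linux Essentials, Qubes and tails-best hunks below (the five files in the commit summary). None of the visible hunks renames the target heading in tails-best itself, and the diff as shown is cut off inside the removed WLAN appendix, so verify that a heading whose slug is `appendix-gpg-explanation` exists after this commit; otherwise all five links dangle. Grep the rest of the repository for leftover `appendix-3-` and `appendix-2-` anchors while at it.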
@ -284,7 +284,7 @@ A company that sells spyware to governments has a product called JASMINE that is
>
>The JASMINE documentation also explains that by analysing encrypted traffic “events” for a whole country – in mass interception mode – JASMINE has the ability to correlate and identify the participants in encrypted group chats on messaging apps.
A similar product would not work against Cwtch, because it uses Tor by default. Without Tor, an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack.
A similar surveillance product would not work against Cwtch because it uses Tor by default. Without a Tor or VPN proxy, an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack. Although it is possible to configure Signal to use a VPN or Tor, it is opt-in so will always be a minority of users.
Signal was designed to bring encrypted communication to the masses, not for an anarchist threat model. Because it's very difficult to register for Signal anonymously, and because you must first install Signal on a phone to use it on a computer, **we recommend prioritizing Cwtch over Signal for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls.** For the same reasons, Signal is not well-suited for anonymous public-facing projects.
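Review bot: "Without a Tor or VPN proxy, an adversary can see that you are connecting to Signal servers" overstates what a VPN buys. A VPN only moves the observation point: your ISP no longer sees the Signal connection, but the VPN provider does, and the quoted JASMINE description is about whole-country interception, where the VPN's egress traffic to Signal is visible too and the timing correlation this paragraph warns about still applies across that hop. Suggest keeping the claim to Tor ("Without Tor, ...") or qualifying the VPN case ("a VPN hides this from your local network, not from an adversary watching the VPN's exit"). The trailing clause "it is opt-in so will always be a minority of users" should say why that matters (the small set of proxied users is itself distinctive). Minor: "Signal servers, which is what enables" needs the comma.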
@ -394,7 +394,7 @@ If a project has multiple members, all of them should be able to access the same
>**Note**
>
>PGP is used for another purpose outside of communication: verifying the integrity and authenticity of files. For this use case, see our [explanation](/posts/tails-best/#appendix-3-gpg-explanation).
>PGP is used for another purpose outside of communication: verifying the integrity and authenticity of files. For this use case, see our [explanation](/posts/tails-best/#appendix-gpg-explanation).
<br>
@ -56,7 +56,7 @@ Most Linux users will rarely need to use the CLI. If you're using Tails, you sho
* `apt install <PACKAGE_NAME>`: this will install packages on Debian
* `dnf install <PACKAGE_NAME>`: this will install packages on Fedora
Additionally, the CLI is needed for the more secure installation of both [Tails](/posts/tails-best/#appendix-3-gpg-explanation) and [Qubes OS](https://www.qubes-os.org/security/verifying-signatures/) to verify the download's authenticity.
Additionally, the CLI is needed for the more secure installation of both [Tails](/posts/tails-best/#appendix-gpg-explanation) and [Qubes OS](https://www.qubes-os.org/security/verifying-signatures/) to verify the download's authenticity.
If you ever don't understand what a command does, try searching [explainshell](https://explainshell.com/) for it.
@ -93,7 +93,7 @@ And to use Tails:
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop—we recommend the ThinkPad X230 because it's less complicated to install than other models. The X230 is also the only developer-tested laptop model and is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and [Best Practices](#hardware-security) for further discussion of hardware security.
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-3-gpg-explanation).
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
Do not set up "dual boot" - another operating system could be used to compromise the Qubes OS.
@ -73,29 +73,34 @@ You can mitigate the techniques available to powerful adversaries by **not using
"Mobile Wi-Fi" devices exist which give you Internet access through the mobile network (via SIM cards) - these are a bad idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile operator every time you connect, allowing identification and geographic localization. The adapter works like a mobile phone! If you do not want different research sessions to be associated with each other, do not use the same device or SIM card more than once!
Use an Internet connection that isn't connected to you, such as in a cafe without CCTV cameras. There are several operational security considerations to keep in mind when using Wi-Fi in a public space like this.
* See [below](#appendix-2-location-location-location) for more information on choosing a location.
To use internet not tied to your identity, you have two options: Wi-Fi from a public space (like going to a cafe without CCTV cameras), or by using a Wi-Fi antenna through a window from a private space. The latter option is preferable for any computer activity that takes a prolonged amount of time because the main risk is that police will be able to seize the computer while it is unencrypted, and this is much harder from them to achieve in a private space. However, using a Wi-Fi antenna is also more technical (guide coming soon).
When using Wi-Fi in a public space, keep the following operational security considerations in mind:
* Do not get into a routine of using the same cafes repeatedly if you can avoid it.
* If you have to buy a coffee to get the Wi-Fi password, pay in cash!
* Position yourself with your back against a wall so that no one can "shoulder surf" to see your screen, and ideally install a [privacy screen](/posts/tails/#privacy-screen) on your laptop.
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. If maintaining situational awareness seems unrealistic, consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.boum.org/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. It is very difficult to maintain adequate situational awareness while staying focused on your Tails session - consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.boum.org/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
* One person in charge of a darknet marketplace had his Tails computer seized while distracted by a fake fight next to him. Similar tactics have been used [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt with a short piece of fishing line, the police would most likely have lost all evidence when the Tails USB was pulled out. A more technical equivalent is [BusKill](https://www.buskill.in/tails/) - however, we only recommend buying this [in person](https://www.buskill.in/leipzig-proxystore/) or [3D printing it](https://www.buskill.in/3d-print-2023-08/). This is because any mail can be [intercepted](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction) and altered, making the hardware [malicious](https://en.wikipedia.org/wiki/BadUSB).
* If coffee shops without CCTV cameras are few and far between, you can try accessing a coffee shop's Wi-Fi from outside, out of view of the cameras. Some external Wi-Fi adapters can pick up signals from further away, as discussed [below](#appendix-2-location-location-location).
* If coffee shops without CCTV cameras are few and far between, you can try accessing a coffee shop's Wi-Fi from outside, out of view of the cameras.
#### Non-Targeted and Targeted Correlation Attacks
As described in the quotation above, a global adversary (i.e. the NSA) may be capable of breaking Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic). If this happens, the Internet address you used in a coffee shop without CCTV cameras will only lead to your general area (e.g. your city) because it is not associated with you. Of course, this is less true if you use it routinely. Correlation attacks are even less feasible against connections to an .onion address because you never leave the Tor network, so there is no "end" to correlate with through network traffic analysis (if the server location is unknown to the adversary).
As described in the quotation above, a global adversary (i.e. the NSA) may be capable of breaking Tor through a correlation attack. If this happens, the Internet address you used in a coffee shop without CCTV cameras will only lead to your general area (e.g. your city) because it is not associated with you. Of course, this is less true if you use the location routinely. Correlation attacks are even less feasible against connections to an .onion address because you never leave the Tor network, so there is no "end" to correlate with through network traffic analysis (if the server location is unknown to the adversary). It is worth emphasizing that "End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users."
What we will term a "targeted" correlation attack is possible by a non-global adversary (i.e. local law enforcement), if you are already in their sights and a target of [physical surveillance](https://www.notrace.how/threat-library/techniques/physical-surveillance/covert.html) and/or [digital surveillance](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance.html). This is a subtype of correlation attack where the presumed target is already known, thus making the attack easier to achieve because it vastly reduces the amount of data to filter through for correlation. A non-targeted correlation attack used to deanonymize a Tor user is unprecedented in current evidence used in court, although [a "targeted" correlation attack has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as corroborating evidence - a suspect had already been identified, which allowed investigators to correlate their local footprint with specific online activity. Specifically, they correlated Tor network traffic coming from the suspect's house with the times their anonymous alias was online in chatrooms.
To explain how this works, it helps if you have a basic understanding of what Tor information is visible to various third parties - see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https). For a non-targeted correlation attack, the investigator will need to **start from after Tor's exit node**: take the specific online activity coming from the exit node and try to correlate it with an enormous amount of global data that is entering Tor entry nodes. However, if a suspect is already identified, the investigator can instead do a "targeted" correlation attack and **start from before Tor's entry node**: take the data entering the entry node (via **the suspect's physical or digital footprint**) and try to correlate it with **specific online activity** coming from the exit node.
To explain how this works, it helps if you have a basic understanding of what Tor information is visible to various third parties - see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https). For a non-targeted correlation attack, the investigator will need to **start from after Tor's exit node**: take the specific online activity coming from the exit node and try to correlate it with an enormous amount of global data that is entering Tor entry nodes. However, if a suspect is already identified, the investigator can instead do a "targeted" correlation attack and **start from before Tor's entry node**: take the data entering the entry node (via **the suspect's physical or digital footprint**) and try to correlate it with **specific online activity** coming from an exit node.
A more sophisticated analysis of the specific online activity would involve logging the connections to the server for detailed comparison, and a simple analysis would be something that is publicly visible to anyone (such as when your alias is online in a chatroom, or when a post is published to a website). For your physical footprint, a surveillance operation can note that you go to a cafe regularly, then try to correlate this with online activity they suspect you of (for example, if they suspect you are a website moderator, they can try to correlate these time windows with web moderator activity). For your digital footprint, if you are using Internet from home, an investigator can log all your Tor traffic and then try to correlate it with specific online activity.
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a coffee shop**, and changing Wi-Fi locations regularly. For projects like moderating a website that require daily Internet access, this may not be particularly realistic. In that case, the ideal mitigation is to **use a Wi-Fi antenna from indoors** (guide coming soon) - a physical surveillance effort won't see you entrying a cafe, and a digital surveillance effort won't see anything on your home Internet. If this is too technical for you, you may even want to **use your home internet** for some projects that require very frequent internet access. This contradicts the previous advice to not use your personal Wi-Fi. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from (especially if you intentionally [make correlation attacks more difficult](/posts/tails/#make-correlation-attacks-more-difficult)).
To mitigate the risk of "targeted" correlation attacks:
* If you only need to use the Internet briefly to submit a communique, you can **do [surveillance detection](https://www.notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a coffee shop**, just like you would prior to a direct action.
* For projects like moderating a website or hacking that require daily Internet access, it is not realistic to find a new Wi-Fi location every day. In that case, the ideal mitigation is to **use a Wi-Fi antenna from indoors** - a physical surveillance effort won't see you entering a cafe, and a digital surveillance effort won't see anything on your home Internet.
* If a Wi-Fi antenna is too technical for you, you may even want to **use your home internet** for some projects that require frequent internet access. This contradicts the previous advice to not use your personal Wi-Fi. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from (especially if you intentionally [make correlation attacks more difficult](/posts/tails/#make-correlation-attacks-more-difficult)).
* If you want to submit a report-back the morning after a riot, or a communique shortly after an action (times when there may be a higher risk of targeted surveillance), consider waiting and at least taking surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank arson in Canada, police surveilled a suspect as he traveled from his home to an Internet cafe, and watched him post the communique and then bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.notrace.how/resources/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe near the comrade's home and requested CCTV footage for the day an arson communique was sent.
To summarize: For highly sensitive activities, use Internet from a random cafe, preceeded by surveillance detection just like you would prior to a direct action. For activities that require frequent internet access such that the random cafe model isn't sustainable, it's best to use a Wi-Fi antenna positioned behind a window to access from a few kilometers away. If this is too technical for you, using your home Wi-Fi is an option, but requires putting faith in it being difficult to break Tor with a non-targeted correlation attack, and it being difficult to draw meaningful conclusions from your home's Tor traffic through a "targeted" correlation attack.
To summarize: For sensitive and brief Internet activities, use Internet from a random cafe, preceeded by surveillance detection and anti-surveillance. For activities that require frequent internet access such that the random cafe model isn't sustainable, it's best to use a Wi-Fi antenna positioned behind a window to access from a hundred metres away. If this is too technical for you, using your home Wi-Fi is an option, but requires putting faith in it being difficult to break Tor with a non-targeted correlation attack, and it being difficult to draw meaningful conclusions from your home's Tor traffic through a "targeted" correlation attack.
## Reducing risks when using untrusted computers
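Review bot: two typos survive into the new lines: "much harder from them to achieve" (for them) in the new "To use internet not tied to your identity" paragraph, and "preceeded" (preceded) in the rewritten summary, carried over from the old line. The added quotation "End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users." has no attribution or link, while every other claim in the section is sourced; add where it comes from. The summary also changes the antenna range from "a few kilometers away" to "a hundred metres away" with no explanation, and the antenna guide it depends on is still "coming soon"; either state the assumed setup or drop the figure. "i.e. the NSA" and "i.e. local law enforcement" should be "e.g.", as they are examples, not definitions. Removing the `#appendix-2-location-location-location` links alongside the deleted appendix is right, but the dropped sentence "Some external Wi-Fi adapters can pick up signals from further away" was the last pointer to that material; consider keeping it as plain text.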
@ -111,7 +116,7 @@ To summarize: For highly sensitive activities, use Internet from a random cafe,
You can mitigate this first issue by **using a computer you trust to install Tails**:
* According to our [recommendations](/recommendations/#your-computer), this would ideally be a [Qubes OS](/posts/qubes/) system, as it is much harder to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick that has been installed with Qubes OS (and who uses these best practices), you could [clone it](/posts/tails/#installation) instead of installing it yourself.
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-3-gpg-explanation).
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-gpg-explanation).
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs used during Tails sessions) into any other computer while it is running a non-Tails operating system; if the computer is infected, the infection can [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).
### 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware
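Review bot: unrelated to the anchor rename but in this hunk's context, "a Tails USB stick that has been installed with Qubes OS" reads as though Qubes OS were installed on the stick; "installed from a Qubes OS system" is what the preceding bullet means. Also, the link text "Appendix" for `#appendix-gpg-explanation` differs from the "GPG explanation" label used for the same target in the glossary hunk; pick one label.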
@ -279,73 +284,7 @@ You may want to open untrusted links in a dedicated Tails session without unlock
Using Tails without any of this advice is still a vast improvement over many other options. Given that anarchists regularly entrust their freedom to Tails, such as sending communiques, taking these extra precautions can further strengthen your trust in this operating system.
# Appendix: Deanonymization of your WLAN (Wi-Fi) adapter despite Tails?
***Capulcu*** *(from [Autonomes Blättchen No. 49](https://autonomesblaettchen.noblogs.org/files/2022/06/nr49web.pdf), 2022)*
The two main techniques for anonymizing network traffic while using Tails are using Tor to obfuscate IP addresses and using a MAC address changer to obfuscate the MAC address. In theory, this does the trick. However, security cannot always be guaranteed and attacks aimed at deanonymization occur against both techniques. The compromise of one technique does not entail the compromise of the other. Nevertheless, *for particularly sensitive publications*, it is important to thwart all possibilities of successful identification.
**Background information:** The IP address can be used to identify the location of the router. The MAC address is 'only' used for local assignment: which endpoint device is to receive which data packet from the router. According to the current Internet standard, it is not usually sent beyond the router to the Internet[^1].

In September 2019, our collective published a short statement ("[Security warning about MAC changer](https://capulcu.blackblogs.org/)") in which we warn against possible deanonymization through the use of WLAN adapters - including when using the Tails operating system. Here, we want to supplement the chapter "Dangers of WLAN adapters" in the current edition of the [Capulcu Tails publication](https://capulcu.blackblogs.org/wp-content/uploads/sites/54/2021/04/Tails-2021-04-12.pdf) with insight into the problems of WLAN adapters and a recommendation for use.
**The problem:** WLAN adapters send manufacturer-specific information with the data transfer. This information can enable a unique assignment despite a MAC address spoofed by the MAC changer. **This affects both internal WLAN adapters that are installed in your laptop in the form of a network card, as well as external WLAN adapters connected via USB**. The technical details are explained below. This fingerprinting is not conclusive forensic evidence. In combination with other evidence, however, it could result in a legally constructed 'unique' assignment: which computer was responsible for a certain Internet publication.
**A concrete example**: Due to previous police surveillance, a café in your city is suspected of being used for the publication of communiques. The café operator has allowed himself to be bribed or coerced by the cops into configuring his (commercially available) Internet router in such a way that it logs all of the data packets of all computers seeking contact. If the presence of various laptops in this café was 'recorded' at the same time as an explosive Indymedia publication, this could be used for further investigations, despite the fact that the content of the data packets only shows that the data was anonymized using Tor. If your computer was logged (despite a spoofed MAC address) and if the fingerprint of your WLAN adapter turns up again elsewhere (by chance, or through targeted investigations - e.g. during a house raid) and can be proven as belonging to you, a prosecutor could try to use this as evidence of you submitting the Indymedia publication.
**Recommendation**: Until there is a (stable) solution for the "WLAN fingerprinting" problem, you should remove the internal WLAN adapter for particularly sensitive research and publications and use a (cheap) external USB WLAN adapter and **dispose of it after use**. We also advise you to use WLAN adapters that can be controlled by the Tails operating system without manufacturer-specific firmware (e.g. WLAN adapters with Qualcomm's Atheros chip that use the ath9k driver).
## Description of the problem and technical details
If you have not explicitly deactivated the WLAN on the Tails welcome screen (via Offline Mode) or, if available, via a hardware switch, the Tails operating system will automatically search for existing WLAN access provided by access points (Wi-Fi routers). It does this by sending a radio signal (*probe request*) at regular intervals to all access points in the vicinity. The regularly sent request contains the unique MAC address of your WLAN adapter. However, Tails protects your anonymity by not sending the real address, but a randomly generated MAC address. If there are access points in the vicinity, they also respond with a radio signal (*probe response*). This response contains information about the network name (SSID), authentication and encryption. The information contained in these radio signals makes it possible to connect to an access point and exchange data packets.
The problem: Various studies from the years 2016-2019, whose results are recorded in various publications, show that radio signals also contain other information that can be used to identify you with a high degree of probability despite a changed MAC address!
The paper "[*Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms*](https://papers.mathyvanhoef.com/asiaccs2016.pdf)" shows the possibility of an identification based on radio signals (probe requests) by the WLAN standard [802.11](https://en.wikipedia.org/wiki/IEEE_802.11), which is also used by Tails. Here, the (spoofed) MAC addresses are disregarded and deanonymization takes place via the radio signals sent by WLAN adapters (via so-called "probe request fingerprinting"). The paper refers to real-world test data, i.e. with data from commercially available hardware[^2], and shows that WLAN radio signals contain enough information to uniquely identify their specific patterns. The paper also discusses various attack options for deanonymization, which we will not summarize here.
The paper "[*A Study of MAC Address Randomization in Mobile Devices and When it Fails*](https://arxiv.org/pdf/1703.02874)" takes the previous study as a starting point and adds further possibilities for identifying endpoint devices with changed MAC addresses. The study concludes that MAC address modification can be overridden by the attacks presented and is not sufficient for anonymization. The authors suggest to change the entire MAC address and not only the digits after the manufacturer identifier - the so-called OUI[^3], as [is the case with Tails](https://tails.boum.org/contribute/design/MAC_address/#active-probe-fingerprinting). In addition, according to the paper, a random MAC address should be used for each separate probe request.
Another paper titled "[*Defeating MAC Address Randomization Through Timing Attacks*](http://papers.mathyvanhoef.com/wisec2016.pdf)" deals with probe requests and the detection of devices that change their MAC addresses at periodic intervals (which does not happen under Tails and is fatal according to the paper). In the summary, the authors of the paper conclude that the attack they use can deanonymize a large fraction of devices (up to 77%), even if no large amounts of data are transmitted in the radio signals.
Further publications on possible deanonymization attacks (which do not explicitly affect Linux operating systems) can be found here:
- "[Know Thy Quality: Assessment of Device Detection by WiFi Signals](http://sig-iss.work/percomworkshops2019/papers/p639-rutermann.pdf)"
- "[Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information](https://www.cs.ucr.edu/~zhiyunq/pub/infocom18_wireless_fingerprinting.pdf)"
- "[Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field](http://www.uninformed.org/?v=5&a=1&t=pdf)"
- "[Device Fingerprinting in Wireless Networks: Challenges and Opportunities](https://arxiv.org/pdf/1501.01367v1.pdf)"
## Probe Request Fingerprinting
The probe requests sent at short intervals by all WLAN adapters (whether internal or external) contain WLAN adapter-specific information elements (IEs) in the management frame. The values of the [IEs](http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf) are partly manufacturer-specific (in terms of content and sequence). This makes them particularly suitable for deanonymizing fingerprinting, which was used in the previously mentioned papers. Among the various implementations of proprietary [WLAN firmware](https://en.wikipedia.org/wiki/Proprietary_software), there are so many different ways to arrange them that tracking can therefore be successful. In addition, WLAN adapters can often be distinguished by sequence number[^4], data throughput rate, and other radio signal-specific parameters[^5].
## Reduce the digital footprint
The packet sizes of probe requests differ according to the information they contain. In most cases, this depends heavily on the firmware implementations of the manufacturers. However, there are also free driver implementations for WLAN adapters that do not require proprietary firmware and can be controlled via the operating system[^6]:
>[ath9k](https://wiki.debian.org/ath9k) is a Linux kernel driver supporting Atheros 802.11n PCI/PCI-E chips, introduced at Linux 2.6.27. It does not require a binary HAL (hardware abstraction layer) and no firmware is required to be loaded from userspace.
This gives you control over your WLAN adapter and already reduces your digital footprint (e.g. ath9k WLAN adapter drivers do not contain vendor specific tags). This is also noticeable in the reduced packet size of probe requests[^7]. On the Wikipedia page for the comparison of [open source WLAN drivers](https://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers) you can find other hardware besides ath9k WLAN adapters that does not need vendor specific firmware[^8].
After our warning in summer 2019, we summarized our ideas for avoiding probe requests and listening for probe responses in a [proposal for improving the Tails operating system](https://gitlab.tails.boum.org/tails/tails/-/issues/17831). In it, we suggest replacing network software on Debian (which provides the basis for Tails) with newer applications in which periodic scanning for access points can be disabled. In our tests, this made it possible to passively find access points and establish a connection without probe requests. These considerations were initially [rejected by the Tails developers](https://gitlab.tails.boum.org/tails/tails/-/issues/6453), since a software we used (iwd) is still too unstable in their eyes.
*capulcu*
# Appendix 2: Location, Location, Location
*From **How to Hack like a Ghost** by Sparc Flow, available on [Library Genesis](https://en.wikipedia.org/wiki/Library_Genesis)*
One way to increase your anonymity is to be careful of your physical location when hacking. Don’t get me wrong: Tor is amazing. [...] But when you do rely on these services, always assume that your IP address—and hence, your geographical location and/or browser fingerprint—is known to these intermediaries and can be discovered by your final target or anyone investigating on their behalf. Once you accept this premise, the conclusion naturally presents itself: to be truly anonymous on the internet, you need to pay as much attention to your physical trail as you do to your internet fingerprint.
If you happen to live in a big city, use busy train stations, malls, or similar public gathering places that have public Wi-Fi to quietly conduct your operations. Just another dot in the fuzzy stream of daily passengers. However, be careful not to fall prey to our treacherous human pattern-loving nature. Avoid at all costs sitting in the same spot day in, day out. Make it a point to visit new locations and even change cities from time to time.
Some places in the world, like China, Japan, the UK, Singapore, the US, and even some parts of France, have cameras monitoring streets and public places. In that case, an alternative would be to embrace one of the oldest tricks in the book: war driving. Use a car[^9] to drive around the city looking for public Wi-Fi hotspots. A typical Wi-Fi receiver can catch a signal up to 40 meters (~150 feet) away, which you can increase to a couple hundred meters (a thousand feet) with a directional antenna, like Alfa Networks' Wi-Fi adapter. Once you find a free hotspot, or a poorly secured one that you can break into—WEP encryption and weak WPA2 passwords are not uncommon and can be cracked with tools like Aircrack-ng and Hashcat— park your car nearby and start your operation. If you hate aimlessly driving around, check out online projects like [WiFi Map](https://www.wifimap.io) that list open Wi-Fi hotspots, sometimes with their passwords.
Hacking is really a way of life. If you are truly committed to your cause, you should fully embrace it and avoid being sloppy at all costs.
# Appendix 3: GPG Explanation
# Appendix: GPG Explanation
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.boum.org/install/expert/index.en.html):
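Review bot: the heading rename from `# Appendix 3: GPG Explanation` to `# Appendix: GPG Explanation` changes the rendered anchor slug from `appendix-3-gpg-explanation` to `appendix-gpg-explanation`, so any existing link to the old slug elsewhere on the site will no longer resolve to this section; either update those cross-references in the same commit or keep the old heading text. The two headings also sit back to back in this hunk, so confirm that the old one is really deleted rather than left alongside the new one.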
@ -387,24 +326,3 @@ Now we know that we have a genuine version of the Tails public key. `gpg` also
Now that we know that we have a genuine version of the Tails .img file, we can proceed to install it on a USB.
<br>
<hr>
[^1]: This applies to the IPv4 Internet protocol standard. Caution: In some company networks, this no longer applies!
[^2]: Eight million Probe Requests, most of which were collected from a busy square in Rome and a train station in Lyon.
[^3]: According to the Tails developers, unusual MAC addresses also stand out and are therefore not used by Tails.
[^4]: Tails does not change the MAC address after a random number of probe requests, nor does it reset the sequence number of transmitted packets, which provides additional tracking.
[^5]: HT Capabilities, Supported Rates, Extended Supported Rates, Extended Capabilities, VHT Capabilities, Vendor Specific,...
[^6]: More precisely: via the kernel.
[^7]: The smaller the packet size, the fewer traces there are as well.
[^8]: Recognizable by the green fields in the column "Non-free firmware required."
[^9]: AnarSec note: Keep in mind that a car can easily be [tracked with a GPS device](https://www.notrace.how/threat-library/techniques/covert-surveillance-devices/location.html).
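Review bot: the footnote definitions `[^1]` to `[^9]` at the end of the file are the only definition site for the markers used in the Appendix 1 and Appendix 2 text above (`[^2]` to `[^9]`), so if this commit removes those appendices the definitions should be removed with them rather than left as orphaned notes; conversely, `[^1]` has no visible referent in either hunk, so check that its marker still exists in the file. Separately, `<br>` and `<hr>` are raw HTML inside a markdown page; a markdown horizontal rule would be the more portable choice for the footnote separator.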