mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-09 07:12:54 -04:00
md formatting
This commit is contained in:
parent
0dc607247e
commit
b6bbc36b6f
8 changed files with 141 additions and 79 deletions
|
@ -14,6 +14,7 @@ dateedit=2023-05-10
|
|||
Several different options are available for [end-to-end encrypted](/glossary/#end-to-end-encryption-e2ee) communications, with different trade-offs. This article will present an overview, as well as installation instructions for Tails, Qubes OS, and GrapheneOS.
|
||||
<!-- more -->
|
||||
There are some concepts that need to be understood before going further, in order to distinguish the various options.
|
||||
|
||||
* **End-to-end encryption** means that only you, and the person you communicate with, can read messages. However, not all [encryption](/glossary/#encryption) is created equal. The quality of the encryption is determined by the *encryption protocol* that is used, and how it is implemented at the software level.
|
||||
* **Metadata protection** means whether the [*metadata*](/glossary/#metadata) (the data about the data) about the communication is obscured. Even if the message itself is encrypted, metadata can reveal who is communicating with whom, when, how often, the sizes of whatever files may have been transferred, etc. Metadata exposure is [a major concern](https://docs.cwtch.im/security/risk#threat-model).
|
||||
* **Peer-to-peer** means that there is no centralized server that you need to trust.
|
||||
|
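Review bot: the **Metadata protection** bullet reads awkwardly ("means whether the metadata ... is obscured"); "refers to whether the metadata ... is obscured" keeps the grammar parallel with the bullet above it. The **Peer-to-peer** bullet is a single clause while the other two concepts each explain the trade-off they carry; a second sentence on what the reader gains or gives up by having no server to trust would make the three definitions equally useful when they are referenced in the entries below.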
@ -30,6 +31,7 @@ The following options for encrypted messaging are listed from most metadata prot
|
|||
</video>
|
||||
|
||||
# Cwtch
|
||||
|
||||
* **Mediums**: Text
|
||||
* **Metadata protection**: Yes (strong)
|
||||
* **Encryption protocol**: Tor Onion Services (v3) + [Tapir](https://docs.openprivacy.ca/cwtch-security-handbook/cwtch-overview.html)
|
||||
|
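Review bot: the Cwtch **Encryption protocol** bullet gives no audit status, while the Signal and Element entries in this same commit link to an audit with a year; add the status for Cwtch (or state plainly that no independent audit has been published) so the entries can be compared on the same terms. The Tapir link points at the Open Privacy security handbook, which is the right place for readers to look for that information.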
@ -93,9 +95,10 @@ Any Cwtch user can turn the app on their phone or computer into an untrusted ser
|
|||
<p>Cwtch on Whonix currently has an <a href="https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/550">issue</a> - support is forthcoming. </p>
|
||||
</details>
|
||||
|
||||

|
||||

|
||||
|
||||
# OnionShare
|
||||
|
||||
* **Mediums**: Text
|
||||
* **Metadata protection**: Yes (strong)
|
||||
* **Encryption protocol**: Tor Onion Services (v3)
|
||||
|
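Review bot: the `<p>` line has a stray space before `</p>`, and "support is forthcoming" is an open-ended promise that will go stale; since the line already links to issue 550, phrase it as "see the linked issue for status" so the page does not need editing when the issue closes. The two image lines in this hunk render identically, so this part of the "md formatting" commit appears to change only whitespace around the `</details>` close; a commit message that names the whitespace rule being applied would save the next reviewer from comparing the duplicated lines by eye.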
@ -106,9 +109,10 @@ OnionShare has a [chat feature](https://docs.onionshare.org/2.6/en/features.html
|
|||
|
||||
<br>
|
||||
|
||||

|
||||

|
||||
|
||||
# Signal
|
||||
|
||||
* **Mediums**: Video call, voice call, text
|
||||
* **Metadata protection**: Yes (Moderate)
|
||||
* **Encryption protocol**: Signal Protocol, audited ([2017](https://en.wikipedia.org/wiki/Signal_Protocol))
|
||||
|
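Review bot: the Signal **Encryption protocol** bullet links the word "2017" to the Wikipedia article on the Signal Protocol rather than to the audit itself, so a reader following the link for the audit gets an overview page; link the published analysis directly, as the Element entry below does for vodozemac. "Yes (Moderate)" also capitalises the qualifier where the Cwtch and OnionShare entries write "Yes (strong)".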
@ -172,9 +176,10 @@ https_proxy = 127.0.0.1:8082
|
|||
<br>
|
||||
<br>
|
||||
|
||||

|
||||

|
||||
|
||||
# Element / Matrix
|
||||
|
||||
* **Mediums**: Video call, voice call, text
|
||||
* **Metadata protection**: Poor
|
||||
* **Encryption protocol**: vodozemac, audited ([2022](https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption))
|
||||
|
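Review bot: the **Metadata protection** ratings across the entries in this commit are "Yes (strong)", "Yes (Moderate)", "Poor" and "No", which is two scales mixed together; pick one ordinal scale (for example strong / moderate / poor / none) and use it in every entry, since the intro says the options are listed from most to least metadata protection and readers will compare these lines directly.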
@ -192,12 +197,14 @@ Matrix can either be used through a web client (using Element Web on Tor Browser
|
|||
A matrix ID looks like @username:homeserver, so for example, @anarsec:riot.anarchyplanet.org. Just like email, you can message accounts that are on different homeservers.
|
||||
|
||||
As soon as you have logged in, go to **Setting → Security & Privacy**.
|
||||
|
||||
* You will see that under **Where you're signed in** it lists all signed-in devices. For anonymous use cases, you will generally only be signed-in on one device.
|
||||
* Scroll down to **Secure Backup**. This is a feature that allows you to verify a new session without having access to a signed-in device. Press **Set up**, then the **Generate a Security Key** choice. Save the Security Key in KeePassXC. This "Security Key" will be needed for logging into a new device or session.
|
||||
* For Element Desktop, you will only need to use the Security Key if you sign out.
|
||||
* For Element Web (using Tor Browser), you will need the Security Key every time you use it. Tor Browser clears your cookies, so you will need to sign in to a new session.
|
||||
|
||||
Some current limitations:
|
||||
|
||||
* "Disappearing messages" is not yet a feature, but it is forthcoming. Message retention time can be set by the homeserver administrator, as mentioned above, and it is indeed set on both of our recommended homeservers.
|
||||
* One to one audio/video calls [are encrypted](https://matrix.org/faq/#are-voip-calls-encrypted%3F) and you can use them. Group audio/video calls are not encrypted, so don't use them. This will be resolved when [Element-call](https://github.com/vector-im/element-call) is stable.
|
||||
* The Matrix protocol itself [theoretically](/glossary#forward-secrecy) supports [Forward Secrecy](/glossary#forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-meta/issues/1296) due to it breaking some aspects of the user experience such as key backups and shared message history.
|
||||
|
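Review bot: **Setting → Security & Privacy** should read **Settings**, and in the forward secrecy bullet the word "theoretically" links to `/glossary#forward-secrecy`, the same anchor as the "Forward Secrecy" link right after it, which looks like a copy-paste slip; drop the first link. Since the Secure Backup bullet says the Security Key is what lets a new session be verified, it would help to state that it must be protected like a password (hence KeePassXC) rather than leaving the reader to treat it as a convenience token.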
@ -252,9 +259,10 @@ https_proxy = 127.0.0.1:8082
|
|||
<br>
|
||||
<br>
|
||||
|
||||

|
||||

|
||||
|
||||
# PGP Email
|
||||
|
||||
* **Mediums**: Text
|
||||
* **Metadata protection**: No
|
||||
* **Encryption protocol**: [RSA](https://blog.trailofbits.com/2019/07/08/fuck-rsa/) or ed25519, no forward secrecy
|
||||
|
|
|
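Review bot: the **Encryption protocol** bullet lists "RSA or ed25519", but ed25519 is a signature algorithm; the encryption half of a Curve25519 OpenPGP key is an ECDH (cv25519) subkey, so "RSA or Curve25519" (or simply "RSA or ECC") is the accurate wording. "no forward secrecy" is the right caveat to carry here and could link to the same glossary entry the Matrix section uses.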
@ -46,6 +46,7 @@ Upon first booting Graphene, it will prompt you if you want to connect to Wi-Fi.
|
|||
# System navigation
|
||||
|
||||
By default, GrapheneOS uses [gesture navigation](https://grapheneos.org/usage#gesture-navigation). The essentials are:
|
||||
|
||||
* The bottom of the screen is a reserved touch zone for system navigation.
|
||||
* Swiping up from the navigation bar while removing your finger from the screen is the **Home** gesture.
|
||||
* Swiping up from the navigation bar while holding your finger on the screen before releasing is the **Recent Apps** gesture.
|
||||
|
@ -70,6 +71,7 @@ User profiles are a feature that allows you to compartmentalize your phone, simi
|
|||
The Owner user profile is the default profile which is there when you turn on the phone. Additional user profiles can be created. Each profile is [encrypted](/glossary/#encryption) using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. A shortcut to switch between different user profiles is present on the bottom of Quick Settings (accessible by swiping down from the top of the screen, twice). When you press **End session** on a profile, that profile's data is encrypted at rest.
|
||||
|
||||
We will now create a second user profile for all applications which don't require Google Play services:
|
||||
|
||||
* **Settings → System → Multiple users**, press **Add user**. You can name it Default, and press **Switch to Default**.
|
||||
* Set a [strong password](/posts/tails-best/#passwords) that is different from your Owner user profile password.
|
||||
* In the Default user profile, **Settings → Security → Screen lock settings → Lock after screen timout** can be set to 30 minutes to minimize how often you'll need to re-enter the password.
|
||||
|
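Review bot: "Lock after screen timout" is a typo for "timeout". The 30-minute bullet gives only the convenience motivation; because this setting decides how long a phone left unattended or taken while unlocked stays open in the Default profile, state that trade-off so readers can choose a shorter value when they carry the device into riskier situations. "End session ... encrypted at rest" is consistent with the Auto reboot section later in the article.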
@ -79,12 +81,15 @@ Later on, we will optionally create a third user profile for applications that r
|
|||
To reiterate, the user profiles and their purposes will be:
|
||||
|
||||
**1) Owner**
|
||||
|
||||
* Where applications are installed
|
||||
|
||||
**2) Default**
|
||||
|
||||
* Where applications are used
|
||||
|
||||
**3) Google (optional)**
|
||||
|
||||
* Where applications that require Google Play services are used
|
||||
|
||||
# How to Install Software
|
||||
|
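Review bot: the profile summary uses bold pseudo-headings **1) Owner**, **2) Default**, **3) Google (optional)**, each followed by a one-item bullet list; since the commit is about markdown formatting, a single ordered list ("1. **Owner**: where applications are installed") renders more predictably and matches the `1.` lists used in the Qubes article in this same commit.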
@ -95,6 +100,7 @@ For installing additional software, avoid F-Droid due to its numerous [security
|
|||
The approach we will take is that all applications that are needed in any user profile will be installed into the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all applications (except the VPN) will be disabled. The **Install available apps** feature will then be used to delegate apps to their needed profiles. Automatic updates in the Owner user profile will be applied in the secondary user profiles as well.
|
||||
|
||||
To install and configure Sandboxed Google Play:
|
||||
|
||||
* Within the Owner user profile, install Sandboxed Google Play by opening Apps and install Google Play services (this will also install Google Services Framework and the Google Play Store).
|
||||
* The Google Play Store requires a Google account to log in, but one with false info can be created for exclusive use with the Google Play Store.
|
||||
* Once installed and logged in, disable the advertising ID: **Settings → Apps → Sandboxed Google Play → Google Settings → Ads**, and select *Delete advertising ID*.
|
||||
|
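Review bot: the first bullet says to install Google Play services "by opening Apps" without saying that "Apps" is GrapheneOS's own app repository client; name it explicitly, because a reader who has not used GrapheneOS will look for the Play Store instead. The "false info" account bullet could state the consequence of "exclusive use": the account should never be signed into from another app or device, otherwise the isolation the later delegation steps rely on is lost.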
@ -106,17 +112,18 @@ You can now install applications through the Google Play Store. The first applic
|
|||
Using the example of RiseupVPN, once it is installed, accept the 'Connection request' prompt. A green display will mean that the VPN is successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN**, and follow the instructions. Moving forward, the VPN will automatically connect when you turn on your phone. Continue to install any other apps - for ideas, see [Encrypted Messaging for Anarchists](/posts/e2ee/).
|
||||
|
||||
Now we will delegate apps to their needed profiles:
|
||||
|
||||
* In the Owner profile, disable all applications other than the VPN: **Settings → Apps → [Example] → Disable**.
|
||||
* To install Riseup VPN (or any other app) in the Default user profile: **Settings → System → Multiple users → Default → Install available apps**, then select Riseup VPN.
|
||||
|
||||
#### Software That Isn't On the Play Store
|
||||
## Software That Isn't On the Play Store
|
||||
Some apps aren't on the Play Store, either because they are in development or they don't want users to have to interact with Google. The Play Store can be used to update apps, but when you download individual .apk files you will need to remember to update them yourself (there are exceptions, for example Signal is designed to self-update). [Obtainium](https://github.com/ImranR98/Obtainium) is an app to keep track of what apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't on the Play Store, install Obtainium into the Owner user profile (and don't disable it). Use the same process of installing apps into the Owner user profile but through Obtainium, then disabling them and delegating them to their needed profiles. Unfortunately, apps acquired through Obtainium require manual updates - it will notify you when one is needed.
|
||||
|
||||
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal with [no Google software](https://github.com/mollyim/mollyim-android#free-and-open-source), and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium press **Add App**, then copy the Github Releases URL. Obtanium can install the app, and when there is a new version you will get a system notification and an update icon will be present beside it, at which point you must manually update it.
|
||||
|
||||
Cwtch is not yet present on the Google Play Store, and can be added to Obtainium by entering the [Download page URL](https://cwtch.im/download/).
|
||||
|
||||
#### Software That Requires Google Play Services
|
||||
## Software That Requires Google Play Services
|
||||
If there is an app you would like to use that requires Google Play services, create a specific user profile for it from the Owner user profile; you can name it Google. This is also a good solution for isolating any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. If you create a Google user profile, you will need to install and configure Sandboxed Google Play in it.
|
||||
|
||||
Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid needing this Google user profile.
|
||||
|
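Review bot: "Obtanium" (twice in the Molly-FOSS paragraph) is a typo for Obtainium, "Github" should be "GitHub" as in the link text in the paragraph above it, and the hunk alternates between "RiseupVPN" and "Riseup VPN". The manual-update caveat appears in both the first Obtainium paragraph and the Molly-FOSS paragraph; keep one. The `####` to `##` heading changes are the right fix, since those sections sit directly under `#` headings with no intermediate levels.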
@ -132,6 +139,7 @@ Perhaps you want to use [Tor](/glossary/#tor-network) from a smartphone. However
|
|||
Applications like Cwtch and Briar have Tor built in, and should not be used through a VPN like Orbot.
|
||||
|
||||
# Recommended Settings and Habits
|
||||
|
||||
* **Settings → Security → Auto reboot:** 8 hours [Owner user profile]
|
||||
* Auto reboot when no profile has been unlocked for several hours will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will at minimum reboot overnight if you forget to turn it off. In the event of [malware](/glossary/#malware) compromise of the device, Verified Boot will prevent and revert changes to the operating system files upon rebooting the device. If police ever manage to obtain your phone when it is in a lock-screen state, this setting will return it to effective encryption even if they keep it powered on.
|
||||
* Keep the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when not in use. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
|
||||
|
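Review bot: "Verified Boot will prevent and revert changes to the operating system files" overstates what verified boot does: it detects OS partitions that fail verification and refuses to boot them, and a reboot discards malware that only lived in memory; it does not restore anything. Rephrase along the lines of "after a reboot, verified boot ensures the OS boots unmodified, and any malware that did not achieve persistence is gone", which is also the property the 8-hour setting is buying.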
@ -150,6 +158,7 @@ GrapheneOS currently provides Seedvault as a backup solution, but it's not very
|
|||
|
||||
# Password Management
|
||||
If you feel you need a password manager, [KeePassDX](https://www.privacyguides.org/en/passwords/#keepassdx-android) is a good option. However, most app credentials can be kept on KeePassXC on a computer as they don't need to be entered regularly. The set up described in this guide requires memorizing two passwords:
|
||||
|
||||
1) The Owner user profile (boot password)
|
||||
2) The Default user profile
|
||||
3) (Optional) Apps like [Cwtch](/posts/e2ee/#cwtch) and [Molly](/posts/e2ee/#signal) have their own passwords.
|
||||
|
|
|
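Review bot: "The set up" should be "The setup", and the list uses `1)` numbering while the equivalent list in the Qubes article uses `1.`; with `1)` many markdown renderers emit plain paragraphs rather than an ordered list. Item 3 is phrased as a statement rather than as a password to memorise; "3. (Optional) the app passwords for Cwtch and Molly" keeps the list parallel.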
@ -43,19 +43,21 @@ The best way to learn command line basics is to interact with it. We recommend t
|
|||
Some commands will require elevated permissions, equivalent to 'Open as Administrator' in Windows. For example, installing software typically requires this. Prepending `sudo` to a command will run it as the administrative user, named root (note: the root user is not the same as the root directory, and the two should not be confused). A root prompt will display `#` rather than `$`. Be especially careful with any command you run while using these elevated permissions, as you'll have the permissions necessary to wipe your entire disk or modify important files. It is helpful to know that text in the Terminal is pasted with Ctrl+Shift+V (i.e. the Shift key must also be pressed).
|
||||
|
||||
Most Linux users will rarely need to use the CLI. For using [Tails](/tags/tails/), it shouldn't be required at all, although you will need the following commands for the [more secure installation](https://tails.boum.org/install/expert/index.en.html):
|
||||
|
||||
* `wget`: this downloads files from the Internet over the Command Line (rather than through a web browser)
|
||||
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. It is how the integrity and authenticity of the Tails download is verified.
|
||||
* `apt`: this manages packages on Debian.
|
||||
* `dd`: this copies a file from one disk to another.
|
||||
|
||||
The [Qubes](/tags/qubes/) installation requires the same commands (during the [verification](https://www.qubes-os.org/security/verifying-signatures/) stage). The Command Line Interface is otherwise only required to install software:
|
||||
|
||||
* `apt install <PACKAGE_NAME>`: this installs packages on Debian
|
||||
* `dnf install <PACKAGE_NAME>`: this installs packages on Fedora
|
||||
|
||||
|
||||
If you ever don't understand what a command is meant to do, try searching [explainshell](https://explainshell.com/) for it.
|
||||
|
||||
#### GPG Explanation
|
||||
## GPG Explanation
|
||||
Using `gpg` during the installation of Tails or Qubes OS will be less confusing if you understand how it works.
|
||||
|
||||
First, some points of clarification. PGP and GPG are terms that can be used interchangeably; PGP (Pretty Good Privacy) is the encryption standard, and GPG (GNU Privacy Guard) is a program that implements it. PGP/GPG is also used for encrypted email communication ([though we don't recommend it](/posts/e2ee/#pgp-email)), but we are using it here exclusively to verify the integrity and authenticity of files.
|
||||
|
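Review bot: "`dd`: this copies a file from one disk to another" undersells what the command does and why the `sudo` warning two paragraphs up matters: `dd` writes raw bytes to whatever device it is pointed at, so a wrong target device is overwritten. Suggest "`dd`: writes the Tails image byte-for-byte to the USB stick; double-check the target device before running it". The `####` to `##` change for "GPG Explanation" is correct for the heading hierarchy of this article.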
@ -69,9 +71,11 @@ Tails and Qubes OS sign their releases, and only they can do this because only t
|
|||
**Step: Create a Key-Pair**
|
||||
|
||||
Tails recommends this [Riseup guide](https://riseup.net/en/security/message-security/openpgp/gpg-keys#using-the-linux-command-line) to generate a key-pair.
|
||||
|
||||
* `gpg --gen-key` will prompt you for some configuration options and then generate your key-pair.
|
||||
|
||||
**Step: Verify the Tails public key**
|
||||
|
||||
* `gpg --import < tails-signing.key` imports the Tails public key into your keyring, so that it can be used.
|
||||
* `gpg --keyring=/usr/share/keyrings/debian-keyring.gpg --export chris@chris-lamb.co.uk | gpg --import` imports a Debian developer's public key into your keyring, so that it can be used.
|
||||
* `gpg --keyid-format 0xlong --check-sigs A490D0F4D311A4153E2BB7CADBB802B258ACD84F` allows you to verify the Tails public key with the Debian developer's public key, by examining the output as instructed. This is so that if the source of the Tails public key (tails.boum.org) is compromised, you have an external source of truth to alert you of this.
|
||||
|
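Review bot: the `--keyring=/usr/share/keyrings/debian-keyring.gpg` step assumes the `debian-keyring` package is installed, but nothing in this hunk installs it; without it the export fails and the cross-check in the next bullet has nothing to check against, so add the `apt install debian-keyring` prerequisite where `apt` is introduced above. "examining the output as instructed" should also say what success looks like: in `--check-sigs` output a `sig!` line for the Debian developer's key means GnuPG verified that signature, while `sig-` marks a bad one.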
@ -87,6 +91,7 @@ Now we know that we have a genuine version of the Tails .img file, so can procee
|
|||
|
||||
# Going Further
|
||||
If you'd like to learn more about Linux, we recommend:
|
||||
|
||||
* The rest of the Tech Learning Collective's [Foundations](https://techlearningcollective.com/foundations/) exercises will give you a much more comprehensive foundation than what you need to use Qubes or Tails.
|
||||
* [Linux Fundamentals on Hack The Box Academy](https://academy.hackthebox.com/course/preview/linux-fundamentals) is another interactive learning environment, with a less comprehensive overview.
|
||||
|
||||
|
|
|
@ -42,5 +42,7 @@ Multiple photos or videos from the same camera can be tied together in this way,
|
|||
All modern printers leave invisible watermarks in order to encode information such as the serial number of the printer and and when it was printed. If printed material is scanned, these markings are present in the file. To learn more, see [Revealing Traces in printouts and scans](https://dys2p.com/en/2022-09-print-scan-traces.html) and the Whonix documentation on [printing and scanning](https://www.whonix.org/wiki/Printing_and_Scanning).
|
||||
|
||||
# Further Reading
|
||||
|
||||
* [Anonymous File Sharing](https://www.whonix.org/wiki/Surfing_Posting_Blogging#Anonymous_File_Sharing) from the Whonix documentation.
|
||||
* [Redacting Documents/Pictures/Videos/Audio safely](https://anonymousplanet.org/guide.html#redacting-documentspicturesvideosaudio-safely) for a table of recommended software for creating different types of files.
|
||||
|
||||
|
|
|
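Review bot: "the serial number of the printer and and when it was printed" has a doubled "and". The sentence "If printed material is scanned, these markings are present in the file" is the practical point for this article and could say that metadata cleaning does not remove them, since they are part of the image rather than a metadata field, which is what the linked dys2p piece documents.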
@ -31,9 +31,9 @@ What is a virtual machine? [Virtualization](/glossary/#virtualization) is the pr
|
|||
|
||||
At the risk of overwhelming you, here is an overview of how Qubes OS is structured. You don't need to memorize any of this to actually use Qubes OS, it can just be helpful to understand the outline of the system before getting started. Each rectangle represents a qube (that is, a virtual machine). Let's break it down.
|
||||
|
||||
#### General Usage
|
||||
## General Usage
|
||||
|
||||

|
||||

|
||||
|
||||
For now, ignore the greyed-out sections of the diagram. Daily use of Qubes OS primarily involves interaction with two components:
|
||||
|
||||
|
@ -47,9 +47,9 @@ You'll notice that App qube #1 is connected to the Internet, App qube #2 is offl
|
|||
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails exclusively uses memory (if the Persistent Storage feature is not enabled), Qubes OS uses the hard drive so forensic traces are still possible when using a Disposable.
|
||||
|
||||
|
||||
#### Management Qubes
|
||||
## Management Qubes
|
||||
|
||||

|
||||

|
||||
|
||||
Two more components are necessary to complete the Qubes OS system:
|
||||
|
||||
|
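Review bot: the Disposable paragraph says "forensic traces are still possible when using a Disposable" without qualification, but the same article later states that recovering data from a Qubes OS system requires the Full Disk Encryption to be bypassed; say here that the traces matter only if the disk encryption is defeated (powered-on seizure, weak password), otherwise readers may conclude Disposables offer no forensic benefit at all.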
@ -71,11 +71,13 @@ Qubes includes Whonix by default for when you need to force all connections thro
|
|||
For data to be recovered from a Qubes OS system, the [Full Disk Encryption](/glossary#full-disk-encryption-fde) would still need to be successfully [bypassed](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) (such as by seizing the computer when it is turned on, or the use of a weak password). If the Tails Persistent Storage feature is in use, any data that is configured to persist faces the same issue.
|
||||
|
||||
Our recommendation is to use Qubes OS:
|
||||
|
||||
* As a daily-use computer
|
||||
* For opening untrusted files or links. Many anarchist projects require this, such as website moderation, publications, etc.
|
||||
* For tasks or workflows where Tails is too limiting or not applicable
|
||||
|
||||
And to use Tails:
|
||||
|
||||
* For writing and submitting communiques
|
||||
* For action research
|
||||
* For provisioning and connecting to hacking infrastructure
|
||||
|
@ -88,6 +90,7 @@ Qubes OS runs ideally on a laptop with a solid-state drive (SSD, which is faster
|
|||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you up and running. Do not set up dual boot - an other OS could be used to compromise Qubes OS. If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you though it, or first learn command line basics and GPG (required during the [verification stage](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
|
||||
|
||||
In the post-installation:
|
||||
|
||||
* Tick the checkmark for Whonix qubes, as well as for updates to happen over Tor.
|
||||
|
||||
* The post-installation gives the option of installing exclusively Debian or Fedora Templates (instead of both), as well as using the Debian Template for all sys qubes (the default is Fedora). Whether you opt to use Debian or Fedora for qubes that don't require Tor is your decision. Privacy Guides [makes the argument](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), yet also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](#post-installation-decisions) for further discussion of this configuration choice.
|
||||
|
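Review bot: "an other OS" should be "another OS" and "walk you though it" should be "walk you through it". The dual-boot warning gives the risk in one clause; adding the mechanism (a second OS on the same disk can read and modify the Qubes boot partition, which is not encrypted) would explain why the advice is absolute rather than a preference.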
@ -119,19 +122,19 @@ A special tool exists for moving files and directories (folders) between qubes t
|
|||
From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
|
||||
|
||||
>1. Open a file manager in the qube containing the file you wish to copy (the source qube), right-click on the file you wish to copy or move, and select **Copy to Other AppVM**... or **Move to Other AppVM**....
|
||||

|
||||

|
||||
>2. A dialog box will appear in dom0 asking for the name of the target qube (qube B). Enter or select the desired destination qube name.
|
||||

|
||||

|
||||
>3. If the target qube is not already running, it will be started automatically, and the file will be copied there. It will show up in this directory (which will automatically be created if it does not already exist): `/home/user/QubesIncoming/<source_qube>/<filename>`. If you selected Move rather than Copy, the original file in the source qube will be deleted. (Moving a file is equivalent to copying the file, then deleting the original.)
|
||||
>
|
||||
>4. If you wish, you may now move the file in the target qube to a different directory and delete the /home/user/QubesIncoming/ directory when no longer needed.
|
||||
|
||||
# How to Shutdown Qubes
|
||||

|
||||

|
||||
|
||||
Click on the Domains widget to see which Qubes are currently running, as well as how much memory (RAM) and computing power (CPU) they are using. Each qube uses memory, so when you are done with a qube you should shut it down to free up the memory it is using. Closing windows is not enough - you need to shut each qube down manually when it's no longer needed.
|
||||
|
||||

|
||||

|
||||
|
||||
# How to Install Software
|
||||
While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html) for installing any additional software, at this time Qubes OS does not, so new software must be installed from the command line. If unfamilar with either the command line or how software works in Linux, check out [Linux Essentials](/posts/linux/) to get acquainted. For choosing what additional software to install, keep in mind that an application being [open-source](/glossary/#open-source) is an essential criteria, but is insufficient to be considered secure. The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
|
||||
|
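Review bot: the quoted list from the Qubes docs loses its blockquote continuity: items 1 and 2, and items 2 and 3, are separated by unquoted image lines, so they render as separate quotes, while items 3 and 4 share a `>` continuation line; either quote the image lines too or place the images after the whole quote. "unfamilar" is a typo for "unfamiliar" and "an essential criteria" should be "an essential criterion".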
@ -155,7 +158,8 @@ To install new software, as the [docs](https://www.qubes-os.org/doc/how-to-insta
|
|||
>5. Restart all qubes based on the template.
|
||||
>
|
||||
>6. (Recommended) In the relevant qubes’ **Settings → Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.)
|
||||

|
||||
|
||||

|
||||
|
||||
Remember, you should not be running `apt update` or `dnf update`.
|
||||
|
||||
|
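Review bot: "Remember, you should not be running `apt update` or `dnf update`" asserts a rule with no reason and no link in this hunk, and readers skip rules they do not understand; link the Qubes documentation on updating Templates and give the reason it states in one line, so the sentence stands on its own when read out of context.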
@ -170,7 +174,7 @@ After installation, a number of qubes already exist. Click on the Applications M
|
|||
|
||||
How the App qubes will be organized, without displaying service qubes or Templates:
|
||||
|
||||

|
||||

|
||||
|
||||
* **A vault qube**. This will be used for all data storage, because a qube that doesn't need networking shouldn't have it. This qube can be reassigned to the `debian-11-documents` Template so that trusted files can be opened there.
|
||||
|
||||
|
@ -199,6 +203,7 @@ It's possible to just use the system as it is now, but let's show you how to cre
|
|||
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network, and which is destroyed upon being exited.
|
||||
|
||||
[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to configure qubes that otherwise require advanced command line use to set up. Available configurations include:
|
||||
|
||||
* **Split-gpg**: GPG keys live in an offline qube and their access is tightly controlled
|
||||
* **Split-ssh**: SSH keys live in an offline qube and their access is tightly controlled
|
||||
* **Mullvad-vpn**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the only reputable VPN companies - they accept cryptocurrency, and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
|
||||
|
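Review bot: Qubes Task Manager is hosted at qubes.3isec.org, so it is a third-party tool rather than part of Qubes OS, and it configures sensitive pieces (split-gpg, split-ssh, a VPN qube); the hunk should say so, since installing it is a trust decision the reader is otherwise not told they are making. "an empty Qube" also uses the capitalised spelling where the rest of the article writes "qube".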
@ -214,11 +219,12 @@ Disposables can be launched from the Applications menu; the disposable will be a
|
|||
Once you close all windows of a disposable, the whole disposable shuts down and is destroyed. The next time that it boots, the disposable will completely reflect the state of its Template. In contrast, an App qube needs to be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local` and `/rw/config` directory. The next time that it boots, all locations in the file system of an App qube other than these three directories will reflect the state of its Template. Take a look at how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.
|
||||
|
||||
|
||||

|
||||

|
||||
|
||||
In the file manager of an App qube, right-clicking on certain types of files will give the option **Edit In DisposableVM** and **View In DisposableVM**. This is exactly how we want to open any untrusted files stored in our vault qube. It will use the default disposable that we set earlier, which is offline. Once you close the viewing application the whole disposable will be destroyed. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. By contrast, viewing in a disposable is read-only, so if the file executes something malicious, it can't write to the App qube you launched it from - this is preferred for files you don't need to edit.
|
||||
|
||||
If your file is opening in a different application than what you require, you'll need to change the disposable Template default:
|
||||
|
||||
1. Send a file of this type to your disposable Template (in our case, `debian-11-offline-dvm`).
|
||||
2. Open the file manager for the disposable Template.
|
||||
3. Select the file, right-click **Properties**.
|
||||
|
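Review bot: "will persist data in the `/home`, `/usr/local` and `/rw/config` directory" should be "directories", and "original app qube" uses lowercase where the article writes "App qube". The Edit-versus-View paragraph makes the right point; stating outright that **View** hands the disposable a read-only copy, so a malicious file can never overwrite the original in the vault, would make the preference explicit rather than implied.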
@ -287,6 +293,7 @@ Tor Browser can't upload files from `/home/user/QubesIncoming/` due to how permi
|
|||
|
||||
# Password Management
|
||||
Passwords should be managed with KeePassXC from the `vault` App qube. If unfamiliar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This leaves three passwords that must be memorized:
|
||||
|
||||
1. [LUKS](/glossary/#luks) password (first boot password)
|
||||
2. User password (second boot password)
|
||||
3. KeePassXC password
|
||||
|
@ -298,6 +305,7 @@ It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), t
|
|||
|
||||
# Best Practices
|
||||
There is a lot more flexibility in how you configure Qubes OS than Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article:
|
||||
|
||||
* Protecting your identity
|
||||
* Still [clean metadata](/posts/metadata/) from files before sharing them.
|
||||
* Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
|
||||
|
@ -318,11 +326,12 @@ There is a lot more flexibility in how you configure Qubes OS than Tails, but mo
|
|||
* Open attachments in a qube that is disposable and offline.
|
||||
* Open links in a Whonix qube that is disposable.
|
||||
|
||||
#### Post-installation Decisions
|
||||
## Post-installation Decisions
|
||||
|
||||
During the [post-installation of Qubes OS](#getting-started), you have the option of installing exclusively Debian or Fedora Templates (instead of both). You also have the option of using the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates, and to convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will either be Whonix or Kicksecure - Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template you will clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend to use disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
* Go to **Applications menu → Qubes Tools → Create Qubes VM**
* Name: kicksecure-16-dvm
* Color: purple
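Review bot: "We recommend to use disposable qubes whenever possible" in the Kicksecure paragraph should read "We recommend using disposable qubes whenever possible". Also, the first paragraph links the word Kicksecure to privacyguides.org while the next paragraph links kicksecure.com for the Template and distribution-morphing docs; pointing both at the project's own wiki would be consistent.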
@ -332,10 +341,12 @@ Kicksecure is not currently [available as a Template](https://www.kicksecure.com
* In the new qubes' **Settings → Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template.
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If during the Qubes OS installation, you set all sys qubes to use the Debian Template, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-11-dvm`. If you want to use disposable Kicksecure for sys qubes:
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template.
#### Hardware Security
## Hardware Security
Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer:
* **Root of trust**: A secure element to store secrets that can be used as a root of trust during the boot process.
* **Blobs:** Newer hardware comes with [binary blobs](https://en.wikipedia.org/wiki/Binary_blob) which require trusting corporations to do the right thing, while some older hardware is available without binary blobs.
* **Microcode updates**: Newer hardware gets [microcode](https://en.wikipedia.org/wiki/Microcode) updates to the CPU which (ideally) address security vulnerabilities as they are discovered, while older hardware doesn't after it is considered End Of Life. The [Heads threat model page](https://osresearch.net/Heads-threat-model/#binary-blobs-microcode-updates-and-transient-execution-vulnerabilities) explains why CPU vulnerabilities matter:
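Review bot: "In the new qubes' **Settings → Advanced** tab" needs the singular possessive, "qube's". Further down, "If you want to use disposable Kicksecure for sys qubes:" introduces a list with a single bullet; either fold the bullet into the sentence or keep the caveat from the same paragraph (Kicksecure is "considered untested" for sys qubes) next to the instruction, so a reader who skims only the bullet still sees it.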
@ -343,21 +354,23 @@ Hardware security is a nuanced subject, with three prominent factors at play for
>"With the disclosure of the Spectre and Meltdown vulnerabilities in January 2018, it became apparent that most processors manufactured since the late 1990s can potentially be compromised by attacks made possible because of [transient execution CPU vulnerabilities](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability). [...] Future not-yet-identified vulnerabilities of this kind is likely. For users of Qubes OS, this class of vulnerabilities can additionally compromise the enforced isolation of virtual machines, and it is prudent to take the risks associated with these vulnerabilities into account when deciding on a platform on which to run Heads and Qubes OS."
Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the **ThinkPad X230** and the **ThinkPad T430** strike a relatively unique balance, because they both use the [Ivy generation](https://en.wikipedia.org/wiki/Ivy_Bridge_(microarchitecture)) of CPUs and they are both compatible with Heads:
* **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process - the Thinkpad X230 and T430 have TPM v1.1.
* **Blobs**: No binary blobs are present on these models after Heads is installed, with the exception of the Intel Management Engine (which can be "neutered") and the ethernet blob (which can be generated).
* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this CPU generation](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Newer hardware uses CPUs with other extensions that are vulnerable to new attack vectors - the Ivy generation is unimpacted by these.
Qubes OS also applies proper software mitigation to this class of attacks at the level of the hypervisor, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
#### OPSEC for Memory Use
## OPSEC for Memory Use
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that is no longer receiving microcode updates, the OPSEC suggestion is to limit the presence of secrets in memory that could result in leaks. Every qube that is running is using memory, and a compromised qube could use such vulnerabilities to read and exfiltrate the memory being used by other qubes. Disposables will be reset after being shutdown, so we can assume that their compromise would likely be transient. Perform sensitive operations in qubes with no networking, and shutdown secure qubes when not in use. Pay attention to which qubes are running simultaneously:
* [vault qube](#how-to-organize-your-qubes):
* Do not run an unlocked KeePassXC database at the same time as a highly-untrusted qube.
* Rather than having only one vault qube which stores all files (as described above), you can compartmentalize by having different vault qubes dedicated to specific activities (i.e. `vault-personal`, `vault-project1`, etc.). This means that if a networked qube is compromised while working on project1, [intentional sniffing](https://www.qubes-os.org/doc/data-leaks/) will not have potential access to all files, but only to those files that are compartmentalized for project1.
* sys-usb: Disposable. Only run when needed, and shutdown when finished.
* sys-net: Disposable. Only run when needed, and shutdown when finished. Shutdown when performing sensitive operations in other qubes, as far as possible. Restart before activities which require sys-net (i.e. email, ssh sessions, etc.).
#### Remove Passwordless Root
## Remove Passwordless Root
By default, Qubes OS does not require a password for root permissions (in other words, you can run a command with `sudo` without a password). The [docs](https://www.qubes-os.org/doc/vm-sudo/) explain the rationale for this decision. In alignment with the security principle of defense-in-depth, we recommend enabling a password for root permissions. Forcing an adversary to successfully execute privilege escalation can be a mitigating factor, considering the hardening of Kicksecure/Whonix Templates as well as the limited time window provided by disposables.
If you are comfortable with the command line, follow the [docs](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) for replacing passwordless root access with a Dom0 user prompt in Debian/Whonix/Kicksecure Templates.
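Review bot: "the Thinkpad X230 and T430 have TPM v1.1" in the root-of-trust bullet spells the model name differently from the bold "**ThinkPad X230**" and "**ThinkPad T430**" two paragraphs above; use "ThinkPad" throughout. In the OPSEC list, "sys-usb" and "sys-net" are plain text while the same names are in backticks (`sys-net`, `sys-usb`) in the preceding Kicksecure paragraph; the formatting commit is a good place to make that consistent.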
@ -22,36 +22,40 @@ This text details some extra precautions that you can take which are relevant to
Let's start by looking at the [Tails Warnings page](https://tails.boum.org/doc/about/warnings/index.en.html).
#### Protecting your identity when using Tails
## Protecting your identity when using Tails


> Tails is designed to hide your identity. But some of your activities could reveal your identity:
> 1. Sharing files with [metadata](/glossary#metadata), such as date, time, location, and device information
> 2. Using Tails for more than one purpose at a time
The first issue can be mitigated by **cleaning metadata from files before sharing them**:
* To learn how, see [Removing Identifying Metadata From Files](/posts/metadata/).
The second issue can be mitigated by what's called **'compartmentalization'**:
* [Compartmentalization](https://www.csrc.link/threat-library/mitigations/compartmentalization.html) means keeping different activities or projects separated from each other. If you use Tails sessions for more than one purpose at a time, an adversary could link your different activities together. For example, if you log into different accounts on the same website in a single Tails session, the website could determine that the accounts are used by the same person. This is because websites can tell when two accounts are using the same Tor circuit.
* To prevent an adversary from linking your activities together while using Tails, restart Tails between different activities. For example, restart Tails between checking different project emails.
* Tails is amnesiac by default, so to save any data from a Tails session it needs to be saved to a USB. If the files that you save could be used to link your activities together, use a different encrypted ([LUKS](/glossary#luks)) USB stick for each activity. For example, use one Tails USB stick for moderating a website and another one for research for actions. Tails has a feature called Persistent Storage, but we recommend not using this for data storage, which will be explained [below](#using-a-write-protect-switch).
#### Limitations of the [Tor network](/glossary#tor-network)
## Limitations of the [Tor network](/glossary#tor-network)


> Tails uses the Tor network because it is the strongest and most popular network to protect from surveillance and censorship. But Tor has limitations if you are concerned about:
> 1. Hiding that you are using Tor and Tails
> 2. Protecting your online communications from determined, skilled attackers
The first issue is mitigated by [**Tor bridges**](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#bridges):
* Tor Bridges are secret Tor relays that keep your connection to the Tor network hidden. However, this is only necessary where connections to Tor are blocked, for example in some countries with heavy censorship, by some public networks, or by some parental controls. This is because Tor and Tails don't protect you by making you look like any random Internet user, but by making all Tor and Tails users look the same. It becomes impossible to know who is who among them.
> A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called *end-to-end correlation* attacks, because the attacker has to observe both ends of a Tor circuit at the same time. [...] End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users.
The second issue is mitigated by **not using an Internet connection that could deanonymize you** and by **prioritizing .onion links when available**:
* Wi-Fi adapters that work through SIM cards are not a good idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile network provider every time you connect, allowing identification as well as geographical localization. The adapter works like a cell phone! If you do not want different research sessions to be associated with each other, do not use such an adapter or the SIM card more than once!
* There are several opsec considerations to keep in mind if using Wi-Fi at a cafe without CCTV cameras.
* See [Appendix 2](#appendix-2-location-location-location) for more information on choosing a location.
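Review bot: The quote blocks under "Protecting your identity when using Tails" and "Limitations of the Tor network" run the intro sentence straight into the "> 1." list with no separating ">" line, whereas the same construction later in this patch (under "Reducing risks when using untrusted computers") does include one; add the blank `>` line in both so the list renders the same way in all three quotes. The image embeds `` and `` have empty alt text, as do all the other `![]` images in this patch; a short description per image would help screen readers and the md-formatting commit is the natural place to add it.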
@ -65,15 +69,17 @@ The second issue is mitigated by **not using an Internet connection that could d
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) prior to heading to a cafe**, and changing Wi-Fi locations regularly, but this may not be particularly realistic for projects like moderating a website which require daily Internet access. Alternatively, mitigations can involve **using a Wi-Fi antenna from indoors** (guide forthcoming), **scheduling posts to be published later** (WordPress has this feature), or potentially even **using Tor from your home Internet** for some projects. This contradicts the prior advice, but using Tor from home will avoid creating a movement profile that is so easily physically observed (compared to a network traffic profile that is more technical to observe, and may be more difficult to draw meaningful conclusions from).
* If you want to send in a report-back the morning after a riot, or a communique soon after an action (times when there might be a higher risk of targeted surveillance), consider waiting and at minimum take surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank was gutted with fire in Canada, police surveilled a suspect while he travelled from home to an Internet cafe, and watched while he posted the communique and then proceeded to bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.csrc.link/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe close to the comrade's home, and requested CCTV footage for the day during which an arson communique was sent.
#### Reducing risks when using untrusted computers
## Reducing risks when using untrusted computers


> Tails can safely run on a computer that has a virus. But Tails cannot always protect you when:
>
> 1. Installing from an infected computer
> 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware
The first issue is mitigated by **using a computer that you trust to install Tails**:
* As per our [recommendations](/recommendations/#computers-daily-use), this would ideally be from [Qubes OS](/posts/qubes/) which is much more difficult to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick which was installed with Qubes OS (and who uses these best practices), you could [clone it](https://tails.boum.org/upgrade/clone/index.en.html) instead of installing it yourself.
* Use the install method ["Terminal: Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), because it checks the integrity of the download more thoroughly using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you through it, or first learn command line basics and GnuPG with [Linux Essentials](/posts/linux/).
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs that are used in Tails sessions) into a computer while another operating system is running on it; if the computer is infected, the infection can then [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).
@ -92,7 +98,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
* First, **obtain a 'fresh' computer**. A laptop bought from a random refurbished computer store is very unlikely [to already be compromised](https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/). Buy your computer with cash so that it is not traced to you, and in person because mail can be intercepted—a used [T Series](https://www.thinkwiki.org/wiki/Category:T_Series) or [X Series](https://www.thinkwiki.org/wiki/Category:X_Series) Thinkpad from a refurbished computer store is a cheap and reliable option. It is best to use Tails with a dedicated laptop, which will prevent the hardware being targeted for compromise through a less secure operating system, or through your normal non-anonymous activities. Another reason to have a dedicated laptop is so that if something in Tails breaks, any information that leaks which exposes the laptop isn't automatically also tied to you and your daily computer activities.


* **Make the laptop screws tamper-evident, store it in a tamper-evident way, and monitor for intrusions**. With these precautions, if physical attacks happen in the future, you'll be able to notice. See the tutorial [Making Your Electronics Tamper-Evident](/posts/tamper/) to adapt the laptop chassis screws, use the app Haven for intrusion detection, as well as how to store it so that you'll be able to notice if it's been physically accessed. Store any external devices you’ll be using with the laptop in the same way (USB, external hard drive, mouse, keyboard). Once physical attack vectors are mitigated, an adversary will need to rely on remote attacks.
@ -106,7 +112,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
* **Using USBs with secure firmware**, like the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive) which has [retailers globally](https://www.kanguru.com/pages/where-to-buy), so that the USB will [stop working](https://www.kanguru.com/blogs/gurublog/15235873-prevent-badusb-usb-firmware-protection-from-kanguru) if the firmware is altered through compromise.


* **Use a USB with a physical write-protect switch**.
@ -115,6 +121,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
> What's a *write-protect* switch? When you insert a normal USB into a computer, the computer does *read* and *write* operations with it, and a *write* operation can change the data. Some special USBs developed for malware analysis have a physical switch that can lock the USB, so that data can be read from it, but no new data can be written to it.
If your Tails USB stick has a write-protect switch and secure firmware, such as the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you will be protected from the USB firmware being compromised during a Tails session, as well as from Tails software itself being compromised. This is critical. Compromising your Tails USB stick would necessitate being able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable so the compromise cannot "take root", and would no longer be present during your next Tails session. If you are unable to obtain such a USB, you have two options.
1) [Burn Tails to a new DVD-R/DVD+R](https://tails.boum.org/install/dvd/index.en.html) (write once) for each new version of Tails - it should not have the label "DVD+RW" or "DVD+RAM" so that the DVD cannot be rewritten.
2) Boot Tails with the `toram` option, which loads Tails completely into the memory. To use the `toram` option, it depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.boum.org/doc/advanced_topics/boot_options/index.en.html).
* For SYSLINUX, when the boot screen appears you must press the Tab key, and enter a space. Type `toram` and press Enter.
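Review bot: "To use the `toram` option, it depends on whether your Tails USB boots with SYSLINUX or GRUB" is a dangling clause; suggest "How you pass the `toram` option depends on whether your Tails USB boots with SYSLINUX or GRUB". The two fallback options here are numbered "1)" / "2)" while the memorized-passwords list in the Qubes hunk of this patch uses "1." / "2."; since this commit is about md formatting, settle on one ordered-list style (the "1." form is the one every markdown renderer treats as a list).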
@ -128,19 +135,20 @@ On a USB with a write-protect switch, you will not be able to make any changes t
Where can we store personal data for use between Tails sessions, if the write-protect switch prevents us from using Persistent Storage? We recommend storing personal data on a second LUKS USB. This 'personal data' USB should not look identical to your Tails USB, to avoid confusing them. To make this separate USB, see [Creating and using LUKS encrypted volumes](https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html). If you happen to be reading this from a country like the UK where not providing encryption passwords can land you in jail, this second drive should be a HDD containing a [Veracrypt Hidden Volume](https://www.veracrypt.fr/en/Hidden%20Volume.html) (SSD and USB drives are [not appropriate for Hidden Volumes](https://www.veracrypt.fr/en/Trim%20Operation.html)).


Compartmentalization is an approach that cleanly separates different identities - in Tails session #1 you do activities related to moderating a website, and in Tails session #2 you do activities related to research for an action. This approach also comes into play for your 'personal data' USBs. If the files that you save could be used to link your activities together, use a different 'personal data' USB for each activity. For a 'personal data' USB that stores very sensitive files (like the text of a communique), once you no longer need the files it is best to reformat then destroy the USB (see [Really delete data from a USB drive](/posts/tails/#really-delete-data-from-a-usb)). This is another reason to use a separate USB for any files that need to be saved - you don't accumulate the forensic history of all of your files on your Tails Persistent Storage, and can simply destroy USBs as needed.
Finally, a note on emails - if you already use Tails and encrypted email ([despite it not being particularly secure](/posts/e2ee/#pgp-email)), you may be used to the Thunderbird Persistent Storage feature, which allows storing Thunderbird email account details on a Tails USB, as well as the inbox and PGP keys. With a 'personal data' USB, Thunderbird won't automatically open your accounts anymore. For this, we recommend either:
- Re-creating Thunderbird email accounts in each session. PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the benefit that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
- Keeping Thunderbird data folder on the 'personal data' USB. After logging in to Thunderbird, use the Files browser (Applications ▸ Accessories ▸ Files) and enable the setting "Show hidden files". Navigate to Home, then copy the folder titled `.thunderbird` to your 'personal data' USB. In each future session, after unlocking the 'personal data' USB and before launching Thunderbird, copy the `.thunderbird/` folder into Home.
- Re-creating Thunderbird email accounts in each session. PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the benefit that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password.
- Keeping Thunderbird data folder on the 'personal data' USB. After logging in to Thunderbird, use the Files browser (Applications ▸ Accessories ▸ Files) and enable the setting "Show hidden files". Navigate to Home, then copy the folder titled `.thunderbird` to your 'personal data' USB. In each future session, after unlocking the 'personal data' USB and before launching Thunderbird, copy the `.thunderbird/` folder into Home.
Another reason to not use Persistent Storage features is that many of them persist user data onto the Tails USB. If your Tails session is compromised, the data you access during it can be used to link your activities together. If there is user data on the Tails USB, like an email inbox, compartmentalization of Tails sessions is no longer possible. To achieve compartmentalization, you would need a dedicated Tails USB for each identity, and updating them all every month is a lot of work.
# Encryption
#### Passwords
## Passwords
[Encryption](/glossary#encryption) is a blessing—it's the only thing standing in the way of our adversary reading all of our data, if it's used well. The first step to secure your encryption is to ensure that you use very good passwords—most passwords don't need to be memorized because they will be stored in a password manager called KeePassXC, so can be completely random. To learn how to use KeePassXC, see [Password Manger](/posts/tails/#password-manager-keepassxc).
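Review bot: "see [Password Manger](/posts/tails/#password-manager-keepassxc)" in the Passwords paragraph should be "Password Manager". In the Thunderbird bullet (both the old and the re-indented copy), "Keeping Thunderbird data folder on the 'personal data' USB" needs "the Thunderbird data folder", and the folder is written as `.thunderbird` in one sentence and `.thunderbird/` in the next; pick one form. The copy step as written assumes no `.thunderbird` folder exists in Home yet in the new session, which is true on an amnesiac Tails boot before Thunderbird is launched; saying so in the bullet would prevent readers from doing the copy after a first launch and ending up with a merged profile.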
@ -150,11 +158,12 @@ Never reuse a password/passphrase for multiple things ("password recycling") - K
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of around 128 bits (diceware passphrases of approximately **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers and symbols) and shouldn't have less than 90 bits of entropy (approximately seven words).


What is a diceware passphrase? As [Privacy Guides notes](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases), "Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`." The Password Generator feature in KeePassXC can generate diceware passphrases and random passwords. If you prefer to generate diceware passphrases using real dice, see [Privacy Guides](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases).
Our recommendations are:
1) Memorize diceware passphrases of 7-10 words for anything that is not stored in a KeePassXC database
2) Generate passwords of 21 random characters for anything that can be stored in a KeePassXC database. Maintain an offsite backup of your KeePassXC database(s) in case it is ever corrupted or seized.
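Review bot: The entropy figures rest on an unstated assumption: "approximately **ten words**" for 128 bits and "approximately seven words" for 90 bits only hold for a wordlist of a particular size, and "21 random characters" only for a particular character set, so name the wordlist (or link the one KeePassXC's generator uses) and the character classes next to the numbers so a reader using a shorter list does not end up below the stated floor. The recommendations list also uses "1)" / "2)" numbering where the Qubes hunk of this patch uses "1." / "2."; one ordered-list style throughout would suit a formatting commit.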
@ -169,7 +178,7 @@ For Tails, you will need to memorize two passphrases:
If you use Persistent Storage, that is another passphrase which will have to be entered on the Welcome Screen upon booting but it can be the same as 1.
#### Encrypted containers
## Encrypted containers
[LUKS](/glossary#luks) is great, but 'defense-in-depth' can't hurt. If police seize your USB in a house raid, they can try to unlock it with a [brute-force attack to guess the password](/glossary#brute-force-attack), so a second layer of defense with a different encryption implementation can make sense for highly sensitive data.
@ -200,7 +209,7 @@ You can now add files to your mounted decrypted container in the folder 'plain'.
Now plain is just an empty folder again.
#### Encrypted Communication
## Encrypted Communication
PGP email is the most established form of encrypted communication on Tails in the anarchist space. Unfortunately, PGP does not have [forward secrecy](/glossary#forward-secrecy)—this means that a single secret (your Private Key) can decrypt all messages rather than only a single message, which is today's standard in encrypted messaging. It is the opposite of 'metadata protecting', and has [several other failings](/posts/e2ee/#pgp-email).
@ -218,17 +227,17 @@ You have probably already heard the advice to be skeptical of clicking links and
Sometimes the goal of phishing is to deliver a ['payload'](https://docs.rapid7.com/metasploit/working-with-payloads), which will call back to the adversary—it is the [initial access](https://attack.mitre.org/tactics/TA0001/) foothold to infecting your machine with malware. A payload can be embedded in a file and executed when the file is opened. For a link, a payload can be delivered through malicious javascript in the website that will allow the payload to execute on your computer. Tor should protect your location (IP address), but the adversary now has an opportunity to further their attack; to [make the infection persist](https://attack.mitre.org/tactics/TA0003/), to [install a screen or key logger](https://attack.mitre.org/tactics/TA0009/), to [exfiltrate your data](https://attack.mitre.org/tactics/TA0010/), etc. The reason that Tails has no default Administration password (it must be set at the Welcome Screen for the session if needed) is to make the [privilege escalation](https://attack.mitre.org/tactics/TA0004/) more difficult, which would be necessary to slip around Tor.
#### Attachments
## Attachments
For untrusted attachments, you would ideally **sanitize all files that are sent to you before opening them** with a program like [Dangerzone](https://dangerzone.rocks/), which takes potentially dangerous PDFs, office documents, or images and converts them to safe PDFs. Unfortunately, Dangerzone is [not easily available in Tails yet](https://gitlab.tails.boum.org/tails/tails/-/issues/18135). An inferior option is to **open untrusted files in a dedicated ['Offline Mode'](https://tails.boum.org/doc/first_steps/welcome_screen/index.en.html#index3h2) session**, so that if they are malicious they can't phone home, and you shut down immediately after so that their opportunity to persist is minimized. Tails prevents against deanonymization through phishing by forcing all internet connections through the Tor network. However, this is still vulnerable to [0-day exploits](/glossary#zero-day-exploit), which nation-state actors possess. For example, the FBI and Facebook collaborated to develop a 0-day exploit against Tails [which deanonymized a user](https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez) after he opened a video file attachment from his home Wi-Fi.
#### Links
## Links
For untrusted links, there are two things to protect; your anonymity and your information. Unless the adversary has a 0-day exploit on Tor Browser or Tails, your anonymity should be protected **if you don't enter any identifying information into the website**. Your information can only be protected **by your behaviour**—phishing awareness allows you to think critically about whether this could be a phishing attack and act accordingly.
Examine untrusted links prior to clicking them by **manually copy and pasting the address into the browser**—don't click through a hyper-link because the text can be used to deceive what link it will take you to. **Never follow a shortened link** (e.g., a site like bit.ly which takes long web addresses and makes a short, typable one) because it cannot be examined prior to redirection. [Unshorten.me](https://unshorten.me/) can reveal any shortened link.


Furthermore, **don’t follow links to domains you are unfamiliar with**. If in doubt, perform a search for the domain, with the domain name in quotation marks with a privacy-preserving search engine (like DuckDuckGo) to see if it’s a legitimate web site. This isn’t a 100% fix, but it’s a good precaution to take.
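Review bot: "Tails prevents against deanonymization through phishing" in the Attachments paragraph should be "protects against". In the same hunk, "malicious javascript" should be "JavaScript", "hyper-link" should be "hyperlink", and "by **manually copy and pasting the address into the browser**" should be "by **manually copying and pasting the address into the browser**". The Links paragraph says anonymity is protected "if you don't enter any identifying information into the website" but the Attachments paragraph already notes that 0-days on Tor Browser break this; moving that caveat next to the bold claim would keep the two paragraphs from contradicting each other on a skim.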
@ -246,7 +255,7 @@ The two main techniques for anonymizing network traffic while using Tails are us
**Background information:** The IP address can be used to identify the location of the router. The MAC address is 'only' used for local assignment: which endpoint device is to receive which data packet from the router. According to the current Internet standard, it is not usually sent beyond the router to the Internet[^1].
|
||||
|
||||

|
||||

|
||||
|
||||
In September 2019, our collective published a short statement ("[Security warning about MAC changer](https://capulcu.blackblogs.org/)") in which we warn against possible deanonymization through the use of WLAN adapters - including when using the Tails operating system. Here, we want to supplement the chapter "Dangers of WLAN adapters" in the current edition of the [Capulcu Tails publication](https://capulcu.blackblogs.org/wp-content/uploads/sites/54/2021/04/Tails-2021-04-12.pdf) with insight into the problems of WLAN adapters and a recommendation for use.
|
||||
|
||||
|
|
|
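Review bot: the removed and added image lines in the middle of this hunk render identically (`` both times), so the actual change is invisible in the rendered diff and is presumably whitespace or path-case only. The same removed/added identical image pair appears in most hunks of this commit, so a commit message more specific than "md formatting" (stating what was changed in those lines) would let a reviewer confirm the intent without diffing bytes.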
@ -36,7 +36,7 @@ Other operating systems exist. Perhaps you have already heard of Linux or Ubuntu
|
|||
|
||||
* Tails is also a system that allows you to be incognito, meaning anonymous. It hides the elements that could reveal your identity, your location, etc. Tails makes use of the [Tor anonymity network](/glossary#tor-network) to protect your anonymity online: the Tor Browser and all other default software are configured to connect to the Internet through Tor. If an application tries to connect to the Internet directly, the connection is automatically blocked. Tails also changes the so-called "MAC address" of your network hardware, which can be used to uniquely identify your laptop.
|
||||
|
||||

|
||||

|
||||
<div class="is-family-monospace is-size-7"><center>
|
||||
<p><em>Tor Browser features</em></p>
|
||||
<br>
|
||||
|
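Review bot: the `<center>` element in `<div class="is-family-monospace is-size-7"><center>` is obsolete in HTML5 and sits oddly next to the Bulma utility classes already on the div; adding `has-text-centered` to the div's class list gives the same effect without the deprecated tag. Not something this commit introduced, but the hunk touches the caption block, so it is a cheap fix to fold in.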
@ -54,7 +54,7 @@ Tails allows non-experts to benefit from digital security and anonymity without
|
|||
|
||||
This tutorial is in several sections. The first is about the basics for starting to use Tails. The second section contains tips on using software included in Tails, as well as what you need to know about how Tor works. The third section is about troubleshooting any issues that you might encounter with your Tails USB to avoid giving up at the first problem - most of the time the solution is simple!
|
||||
|
||||
#### The concept of a threat model.
|
||||
## The concept of a threat model.
|
||||
|
||||
Tails is not magic and has plenty of limitations. The Internet and computers are hostile territory and are based on stealing your data. Tails does not protect you from human error, compromised hardware, compromised firmware, being hacked, or certain other types of attacks. There is no absolutely perfect security on the Internet, hence the interest in being able to make a [threat model](/glossary/#threat-model).
|
||||
|
||||
|
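Review bot: the new heading "## The concept of a threat model." keeps a trailing period, which none of the other headings changed in this commit carry; drop it while the line is being rewritten so the headings stay uniform.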
@ -64,39 +64,43 @@ It makes no sense to say "such and such a tool is secure". Security always depen
|
|||
|
||||
# I) The Basics of Using Tails
|
||||
|
||||
#### Prerequisites
|
||||
## Prerequisites
|
||||
|
||||
***Selecting a USB/DVD:***
|
||||
|
||||
* Tails only works on USBs of more than 8 GB or on DVDs (where it is not possible to use the Persistent Storage feature described below). The data on the USB will be completely erased at installation, so save your data elsewhere beforehand, and if you don't want any trace of what was there before, use a new USB.
|
||||
* The article [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch) recommends using a USB with a write-protect switch (an unchangeable data medium) to make sure that nothing is left behind when doing sensitive work, and that the laptop cannot compromise your Tails system. The article details how to adapt to this. The write-protect switch will need to be disabled during installation. If you are unable to obtain such a USB, you can use Tails from a DVD-R/DVD+R, or always boot it with the `toram` option (described at more length in the article).
|
||||
|
||||
***Selecting a laptop:***
|
||||
|
||||
* Although it is possible to use Tails on a desktop computer, this is not advised because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. Additionally, it would be harder to tell if someone had opened your desktop case and installed a physical keylogger. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more on obtaining a laptop.
|
||||
|
||||
Some laptop and some USB models do not work with Tails, or some features will not work. To see whether your model has known issues, consult the [Tails known issues page](https://tails.boum.org/support/known_issues/).
|
||||
|
||||
If Tails is too slow, make sure that the USB is 3.0 or higher, and using a USB 3.0 port on the laptop. If Tails completely freezes often, it's possible to increase the RAM of your computer. 8 GB will be sufficient.
|
||||
|
||||
#### Installation
|
||||
## Installation
|
||||
|
||||
To install Tails on a USB, you need a "source" and a USB (that is 8 GB or larger).
|
||||
|
||||
Concerning the "source", there are two solutions.
|
||||
|
||||
***Solution 1: Installation from another Tails USB***
|
||||
|
||||
* This requires knowing a Tails user you trust. A very straightforward software called the Tails Installer allows you to "clone" a new Tails USB in a few minutes; see the documentation for cloning from a [PC](https://tails.boum.org/install/clone/pc/index.en.html) or [Mac](https://tails.boum.org/install/clone/mac/index.en.html). Any Persistent Storage data isn't transferred. The disadvantage of this method is that it can spread a compromised installation.
|
||||
|
||||
***Solution 2: Installation by download (Preferred)***
|
||||
|
||||
* You have to follow the [Tails installation guide](https://tails.boum.org/install/index.en.html). The Tails website will guide you step by step; it is important to follow the entire tutorial. It is possible for an attacker to [intercept and modify the data](/glossary#man-in-the-middle-attack) on its way to you, so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the install method [using GnuPG](https://tails.boum.org/install/expert/index.en.html) is preferred, because it checks the integrity of the download more thoroughly.
|
||||
|
||||
#### Booting from your Tails USB
|
||||
## Booting from your Tails USB
|
||||
Once you have a Tails USB, follow the Tails guides to [start Tails on a Mac or PC computer](https://tails.boum.org/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on the laptop. The "Boot Loader" screen will appear and Tails starts automatically after 4 seconds.
|
||||
|
||||

|
||||

|
||||
|
||||
After around 30 more seconds of a loading screen, the [Welcome Screen](https://tails.boum.org/doc/first_steps/welcome_screen/index.en.html) appears.
|
||||
|
||||

|
||||

|
||||
|
||||
In the Welcome Screen, select your language and keyboard layout in the **Language & Region** section. For Mac users, there is a keyboard layout for Macintosh. Under "Additional Settings" you will find a **+** button, click on it and further configuration options will appear:
|
||||
|
||||
|
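Review bot: blank-line handling after the new headings is inconsistent within this hunk: "## Prerequisites" and "## Installation" are each followed by a blank line, but "## Booting from your Tails USB" runs straight into "Once you have a Tails USB, ...". One content inconsistency is also worth fixing while these lines are in the diff: the Prerequisites bullet says "USBs of more than 8 GB" while the Installation paragraph says "a USB (that is 8 GB or larger)"; pick one wording.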
@ -111,9 +115,9 @@ In the Welcome Screen, select your language and keyboard layout in the **Languag
|
|||
|
||||
When you have enabled Persistent Storage, the passphrase to unlock it will appear in this window. If you haven't enabled Persistent Storage, no data will persist on your Tails USB beyond this session. Click **Start Tails**. After 15 to 30 seconds, the Tails desktop appears."
|
||||
|
||||
#### Using the Tails desktop
|
||||
## Using the Tails desktop
|
||||
|
||||

|
||||

|
||||
|
||||
Tails is a classic and simple operating system.
|
||||
|
||||
|
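Review bot: the paragraph just above "## Using the Tails desktop" ends with a stray closing quotation mark (`the Tails desktop appears."`) that has no opening quote; remove it.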
@ -129,7 +133,7 @@ Tails is a classic and simple operating system.
|
|||
|
||||
If your laptop is equipped with Wi-Fi but there is no Wi-Fi option in the system menu, see the [troubleshooting documentation](https://tails.boum.org/doc/anonymous_internet/no-wifi/index.en.html). Once you connect to Wi-Fi, a Tor Connection assistant appears to help you to connect to the Tor network. Choose **Connect to Tor automatically** unless you are in a country where you need to hide that you are using Tor (in which case, you'll need to configure [a bridge](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#hiding)).
|
||||
|
||||
#### Optional: Create and Configure Persistent Storage
|
||||
## Optional: Create and Configure Persistent Storage
|
||||
|
||||
Tails is amnesiac by default. It forgets everything you did between sessions. This isn't always what you want - for instance, you may want to work on a document that you can't complete in one sitting. The same is true for installing additional software: you would have to redo the installation after each start-up. Tails has a feature called Persistent Storage, which makes it no longer completely forgetful. This is explicitly less secure, but it is necessary for some activities.
|
||||
|
||||
|
@ -138,17 +142,21 @@ The principle is to create a second storage area (called a partition) on your Ta
|
|||
A window opens where you have to type a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for notes on passphrase strength. You'll then [configure](https://tails.boum.org/doc/persistent_storage/configure/index.en.html) what you need to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
|
||||
|
||||
**Personal Documents:**
|
||||
|
||||
* **Persistent Folder**: Data such as your personal files, documents, or images that you're working on can be saved in the Persistent Storage on the Tails USB.
|
||||
|
||||
**System Settings:**
|
||||
|
||||
* **Welcome Screen**: Settings from the Welcome Screen can be saved in the Persistent Storage: language, keyboard, and additional settings.
|
||||
* **Printers**: [Printer configuration](https://tails.boum.org/doc/sensitive_documents/printing_and_scanning/index.en.html) can be saved in the Persistent Storage.
|
||||
|
||||
**Network:**
|
||||
|
||||
* **Network Connections**: The passwords for Wi-Fi networks can be saved in the Persistent Storage, so you don't have to type them every time.
|
||||
* **Tor Bridge**: When the Tor Bridge feature is turned on (for users in countries that censor Tor), the last Tor Bridge that you used is saved in the Persistent Storage.
|
||||
|
||||
**Applications:**
|
||||
|
||||
* **Tor Browser Bookmarks**: Tor Browser bookmarks can be saved in the Persistent Storage.
|
||||
* **Electrum Bitcoin Wallet**: The bitcoin wallet and preferences can be saved in the Persistent Storage.
|
||||
* **Thunderbird Email Client**: The email inbox, feeds, and OpenPGP keys of Thunderbird can be saved in the Persistent Storage.
|
||||
|
@ -157,6 +165,7 @@ A window opens where you have to type a passphrase; see [Tails Best Practices](/
|
|||
* **SSH Client**: SSH is used to connect to servers. All files related to SSH can be saved in the Persistent Storage.
|
||||
|
||||
**Advanced Settings:**
|
||||
|
||||
* **Additional Software**: With this feature enabled, a list of additional software of your choice is automatically installed every time you start Tails. The corresponding software packages are stored in the Persistent Storage. They are automatically upgraded after a network connection is established. [Be careful with what you install](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html#warning).
|
||||
* **Dotfiles**: On Tails and Linux in general, the name of configuration files often starts with a dot and are sometimes called "dotfiles" for this reason. These can be saved in the Persistent Storage. Be careful about what configuration settings you change, because altering default settings can break your anonymity.
|
||||
|
||||
|
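Review bot: subject agreement in the Dotfiles bullet: "the name of configuration files often starts with a dot and are sometimes called "dotfiles"" mixes a singular subject with a plural verb. "The names of configuration files often start with a dot, and the files are sometimes called "dotfiles" for this reason" reads cleanly.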
@ -164,13 +173,13 @@ Persistent Storage must be unlocked at the Welcome Screen to use it. If you wan
|
|||
|
||||
In [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), we recommend against using Persistent Storage in most cases. Any files that need to persist can instead be saved to a second [LUKS-encrypted USB](#how-to-create-an-encrypted-usb). Most Persistent Storage features do not work well with USBs that have a write-protect switch.
|
||||
|
||||
#### Upgrading the Tails USB
|
||||
## Upgrading the Tails USB
|
||||
|
||||
The security of Tails (and more generally of Linux) depends on the continuous development of the operating system and the resolution of any security flaws through upgrades. It is important to always use the latest version (Tails is updated approximately every month) because security vulnerabilities are regularly discovered in the programs used by Tails, which in the worst case scenario can lead to your identity, IP address, etc., being revealed. A Tails upgrade will patch these security holes and usually enhance other features as well.
|
||||
|
||||
Every time you start Tails, the Tails Upgrader checks if you are using the latest Tails version right after you connect to the Tor network. There are 2 types of upgrades.
|
||||
|
||||

|
||||

|
||||
|
||||
***The [automatic upgrade](https://tails.boum.org/doc/upgrade/index.en.html)***
|
||||
|
||||
|
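Review bot: "There are 2 types of upgrades." is the only place in this file where a small number is written as a numeral; "two types of upgrades" matches the surrounding prose.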
@ -184,16 +193,16 @@ Every time you start Tails, the Tails Upgrader checks if you are using the lates
|
|||
|
||||
# II) Going Further: Several Tips and Explanations
|
||||
|
||||
#### Tor
|
||||
## Tor
|
||||
***What is Tor?***
|
||||
|
||||
[Tor](/glossary/#tor-network) stands for The Onion Router, and is the best way to be anonymous on the Internet. Tor is an open-source software associated with a public network of several thousand relays (servers). Instead of connecting directly to a location on the Internet, Tor will take a detour via three intermediate relays. Tor Browser uses Tor, but other applications can too if they are properly configured. All applications included by default in Tails that connect to the Internet use Tor.
|
||||
|
||||

|
||||

|
||||
|
||||
Internet traffic, including the IP address of the final destination, is encrypted in different layers like an onion. With each hop along the three relays, an encryption layer is removed. Each relay only knows the step before it, and after it (relay #3 knows that it comes from relay #2 and that it goes to such and such a website after, but does not know relay #1).
|
||||
|
||||

|
||||

|
||||
|
||||
This means that any intermediaries between you and relay #1 know you're using Tor but they don't know what site you're going to. Any intermediaries after relay #3 know that someone in the world is going to this site. The web server of the site sees you coming from the IP address of relay #3.
|
||||
|
||||
|
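Review bot: the new "## Tor" heading is immediately followed by "***What is Tor?***" with no blank line, unlike the "# II) Going Further" heading a few lines above; add the blank line so the Markdown renders the same way across sections. The paragraph about relay knowledge is also slightly loose: "Each relay only knows the step before it, and after it" would be clearer as "Each relay only knows the hop before it and the hop after it".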
@ -205,7 +214,7 @@ Virtually all websites today use [HTTPS](/glossary/#https); the S stands for "se
|
|||
|
||||
If there is a yellow warning on the padlock, it means that, in the page you're browsing, some elements are not encrypted (they use HTTP), which can reveal the exact page you're browsing or allow intermediaries to partially modify the page. By default, Tor Browser uses HTTPS-Only Mode to prevent visiting HTTP websites.
|
||||
|
||||

|
||||

|
||||
|
||||
HTTPS is essential both to limit your web fingerprint, but also to prevent an intermediary from modifying the data you exchange with websites. If the intermediary cannot decrypt the data, they cannot modify it. For an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties, see the EFF's [interactive illustration](https://www.eff.org/pages/tor-and-https).
|
||||
|
||||
|
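Review bot: mismatched correlative in "HTTPS is essential both to limit your web fingerprint, but also to prevent an intermediary..."; "both to ... and to ..." is the matching pair.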
@ -215,7 +224,7 @@ In short, don't visit websites that don't use HTTPS.
|
|||
|
||||
Perhaps you have seen a strange site address containing 56 random characters, ending in .onion? This is called an onion service, and the only way to visit a website that uses such an address is to use the Tor Browser. The "deepweb" and "darkweb" are terms popularized in news media in recent years to describe these onion services.
|
||||
|
||||

|
||||

|
||||
|
||||
Anyone can create an .onion site. But why would they want to? Well, the server location is anonymized, so authorities cannot find out where the website is hosted in order to take it down. When you send data to an .onion site, after the standard Tor circuit you enter the site's three Tor relays. So we have 6 Tor relays between us and the site; we know the first 3 relays, the site knows the last 3, and each Tor node just knows the relay before and after. Unlike an HTTPS normal website, it's all Tor encryption from end to end.
|
||||
|
||||
|
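Review bot: word order in "Unlike an HTTPS normal website, it's all Tor encryption from end to end" should be "Unlike a normal HTTPS website". The same paragraph's "we know the first 3 relays, the site knows the last 3" would be more precise as "we choose the first 3 relays, the site chooses the last 3", since that is the property being described.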
@ -229,7 +238,7 @@ Some sites offer both a classic URL as well as an .onion address. In this case,
|
|||
|
||||
The Tor network is blocked and otherwise rendered more inconvenient to use in many ways. You may be confronted with CAPTCHA images (a kind of game that verifies you “are not a robot”) or obliged to provide additional personal data (ID card, phone number…) before proceeding, or Tor may be completely blocked.
|
||||
|
||||

|
||||

|
||||
|
||||
Perhaps only certain Tor relays are blocked. In this case, you can change the Tor exit nodes for this site: click on the **≣ → "New Tor circuit for this site"**. The Tor circuit (path) will only change for the one tab. You may have to do this several times in a row if you're unlucky enough to run into several relays that have been banned.
|
||||
|
||||
|
@ -241,13 +250,13 @@ It is not recommended to perform different tasks on the Internet that should not
|
|||
|
||||
The 'New Identity' feature of Tor Browser is not sufficient to completely separate contextual identities in Tails, since connections outside the Tor Browser are not restarted and you retain the same Tor entrance node. Restarting Tails is a better solution.
|
||||
|
||||

|
||||

|
||||
|
||||
The Onion Circuits application shows which Tor circuit a connection to a server uses (website or otherwise). Sometimes, it can be useful to make sure that the exit relay is not located in a certain country, to be further away from the easiest access of investigating authorities. In the example above, the connection to check.torproject.org goes through the relays tor7kryptonit, Casper03, and the exit node blackfish. If you click on a circuit, technical details about the relays of the circuit appear in the right pane. The 'New Identity' feature of Tor Browser is useful for changing this exit relay without needing to reboot the Tails session, which can be repeated until you have an exit relay you are happy with. We are not suggesting to use 'New Identity' when switching between identities, but simply when you want to change the exit node within a single identity's activity.
|
||||
|
||||
***Tor Browser security settings***
|
||||
|
||||

|
||||

|
||||
|
||||
Like any software, Tor Browser has vulnerabilities that can be exploited. To limit this, it's important to keep Tails up to date, and it's also recommended to increase the security settings of the Tor browser: you click on the shield icon and then **Change**. By default it's set to Standard, which is a browsing quality that hardly changes from a normal browser. We recommend that you set the most restrictive setting before starting any browsing: **Safest**.
|
||||
|
||||
|
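Review bot: the security-settings paragraph has two phrasing issues in its context lines: "you click on the shield icon and then **Change**" should be the imperative "click on the shield icon and then **Change**" to match the rest of the instructions, and "a browsing quality that hardly changes from a normal browser" reads awkwardly; "an experience that differs little from a normal browser" says the same thing.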
@ -261,7 +270,7 @@ The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prev
|
|||
|
||||
When you download something using the Tor Browser it will be saved in the Tor Browser folder (`/home/amnesia/Tor Browser/`), which is inside the "sandbox". If you want to do anything with this file, you should then move it out of the Tor Browser folder. You can use the file manager (**Applications → Accessories → Files**) to do this.
|
||||
|
||||

|
||||

|
||||
|
||||
*Uploads*
|
||||
|
||||
|
@ -273,7 +282,7 @@ Be aware that, because all of your Tails session is running in RAM (unless you h
|
|||
|
||||
***Share Files with Onionshare***
|
||||
|
||||

|
||||

|
||||
|
||||
It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.boum.org/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). Normally, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to Settings and unselect "Stop sharing after first download". As soon as you close OnionShare, cut the Internet connection, or shut down Tails, the files can no longer be accessed. This is a great way of sharing files because it doesn't require plugging a USB into someone else's computer, which is [not recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared via another channel (like a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type).
|
||||
|
||||
|
@ -281,31 +290,31 @@ It is possible to send a document through an .onion link thanks to [OnionShare](
|
|||
|
||||
When you request a web page through a web browser, it is transmitted to you in small "packets" characterized by a specific size and timing (alongside other characteristics). When using Tor Browser, the sequence of transmitted packets can also be analyzed and assigned certain patterns. The patterns here can be matched with those of monitored websites on the Internet. To make this "correlation attack" more difficult, before connecting to a sensitive website you can open various other pages that require loading (such as streaming videos on a privacy-friendly website like kolektiva.media) in additional tabs of your browser. This is officiallly recommended by Tor - see [Do multiple things at once with your Tor client](https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations/). This will generate a lot of additional traffic, which will make the analysis of your pattern more difficult.
|
||||
|
||||
#### Included Software
|
||||
## Included Software
|
||||
|
||||
Tails includes [many applications](https://tails.boum.org/doc/about/features/index.en.html) by default. The documentation gives an overview of [Internet applications](https://tails.boum.org/doc/anonymous_internet/index.en.html), applications for [encryption and privacy](https://tails.boum.org/doc/encryption_and_privacy/index.en.html), as well as applications for [working on sensitive documents](https://tails.boum.org/doc/sensitive_documents/index.en.html). In the rest of this section, we will just highlight common use cases relevant to anarchists, but read the documentation for further information.
|
||||
|
||||
#### Password Manager (KeePassXC)
|
||||
## Password Manager (KeePassXC)
|
||||
If you're going to need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Application → Favorites → KeePassXC**) which allows you to store your passwords in a file and protect them with a single master password. In the terminology used by KeePassXC, a *password* is a randomized sequence of characters (letters, numbers, and other symbols), whereas a *passphrase* is a random series of words.
|
||||
|
||||

|
||||

|
||||
|
||||
When you [create a new KeePassXC database](https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), in the **Encryption settings** window, increase the **Decryption time** from the default to the maximum (5 seconds). Then, select a [strong passphrase](/posts/tails-best/#passwords) and then save your KeePassXC file. This file will contain all your passwords/passphrases, and needs to persist between sessions on your Persistent Storage or on a second LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). The decryption time setting of a pre-existing KeePassXC file can be updated: **Database → Database Security → Encryption Settings**.
|
||||
|
||||
As soon as you close KeePassXC, or if you don't use it for a few minutes, it will lock. Be careful not to forget your main passphrase. We recommend against using the auto-fill feature, because it is easy to fill your password into the wrong window by mistake.
|
||||
|
||||

|
||||

|
||||
|
||||
1) Right-click on a folder to add sub-groups
|
||||
2) Create a new entry
|
||||
3) Copy the username
|
||||
4) Copy the password
|
||||
|
||||

|
||||

|
||||
|
||||
5) Use the Password Generator when editing an entry
|
||||
|
||||
#### Really delete data from a USB
|
||||
## Really delete data from a USB
|
||||
|
||||
"Permanently delete" or "trash" does not delete data... and it can be very easy to recover. Indeed, when you "delete" a file, you are only telling the operating system that the contents of this file are no longer of interest to you. It then deletes its entry in the index of existing files. It can then reuse the space that the data took up to write something else.
|
||||
|
||||
|
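Review bot: typo "officiallly" in the correlation-attack paragraph ("This is officiallly recommended by Tor"). Also in this hunk: the new "## Password Manager (KeePassXC)" heading has no blank line after it, unlike "## Included Software" just above, and the menu path "**Application → Favorites → KeePassXC**" should read "**Applications → ...**" to match the other menu paths in the file ("Applications → Accessories → Files", "Applications → Internet → OnionShare").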
@ -318,16 +327,17 @@ However, traces of the previously written data may still remain. If you have sen
|
|||
* For flash memory drives (USBs, SSD, SD cards, etc.), use two pliers to break the circuit board out of the housing, then break the memory chips, including the circuit board, into pieces (beware of splintering). Hold the pieces in the flame of a camping gas torch. You will only achieve a partial decomposition of the transistor material. Use sufficient respiratory protection or distance! The fumes are unhealthy.
|
||||
* If burning the pieces is too involved, discretely dropping them down a storm drain while you tie your shoe would make recovery unlikely.
|
||||
|
||||
#### How to create an encrypted USB
|
||||
## How to create an encrypted USB
|
||||
|
||||
Exclusively store data on encrypted drives. This is necessary for using a separate LUKS USB instead of Persistent Storage on the Tails USB. [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to **Applications → Utilities → Disks**.
|
||||
|
||||
* When you insert the USB, a new "device" should appear in the list. Select it, and verify that the description (brand, name, size) matches your device. Be careful not to make a mistake!
|
||||
* Format it by clicking **≣ → Format the disk**.
|
||||
* Select **Overwrite existing data with zeroes** in the Erase drop-down list. Keep in mind that this is likely incomplete if there were sensitive documents on the USB.
|
||||
* Choose **Compatible with all systems and devices (MBR/DOS)** in the Partitioning drop-down list.
|
||||
* Then click **Format…**
|
||||
|
||||

|
||||

|
||||
|
||||
* Now you must add the encrypted partition.
|
||||
* Click on the "**+**"
|
||||
|
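Review bot: "discretely dropping them down a storm drain" should be "discreetly" (unobtrusively), not "discretely" (separately). Otherwise the heading change to "## How to create an encrypted USB" matches the rest of the commit.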
@ -337,15 +347,16 @@ Exclusively store data on encrypted drives. This is necessary for using a separa
|
|||
|
||||
When you insert an encrypted USB, it will not be opened automatically but only when you select it in the Places menu. You will be prompted to enter the passphrase. Before you can remove the disk when the work is done, you have to right-click on it under **Places → Computer** and then select Eject.
|
||||
|
||||
#### Encrypt a file with a password or with a public key
|
||||
## Encrypt a file with a password or with a public key
|
||||
|
||||
In Tails, you can use the Kleopatra application to [encrypt a file](https://tails.boum.org/doc/encryption_and_privacy/kleopatra/index.en.html#index1h1) with a password or a public PGP key. This will create a .pgp file. If you are going to encrypt a file, do so in RAM before you store it on a LUKS USB. Once the unencrypted version of a file is on a USB, the USB must be reformatted to remove it.
|
||||
|
||||
If you choose the passphrase option, you will have to open the file in Tails and type the passphrase. If you don't want the unencrypted data to be stored in the location where you saved it (e.g. on a USB), it's best to first copy the encrypted file to a Tails folder that is only in RAM (e.g. **Places → Documents**) before decrypting it.
|
||||
|
||||
#### Adding administration rights
|
||||
## Adding administration rights
|
||||
|
||||
In Tails, an administration password (also called a "root" password) is required to perform system administration tasks. For example:
|
||||
|
||||
- To install additional software
|
||||
- To access the computer's internal hard drives
|
||||
- To run [commands](/glossary/#command-line-interface-cli) in the root terminal
|
||||
|
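Review bot: the bullet list under "## Adding administration rights" uses "- " markers while every other list in this file uses "* "; since this commit is about Markdown formatting, switching these three items to "* " would bring the file to one list style.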
@ -355,11 +366,12 @@ By default, the administration password is disabled for more security. This can
|
|||
|
||||
To set an administration password, you must choose an administration password at the Welcome Screen when starting Tails. This password only lasts for the duration of the session.
|
||||
|
||||
#### Installing additional software
|
||||
## Installing additional software
|
||||
|
||||
If you install new software, it's up to you to make sure it is secure. Tails forces all software to connect to the internet through Tor, so you make need to use a program called `torsocks` from Terminal to start additional software that requires an Internet connection (for example, `torsocks --isolate mumble`). The software used in Tails is audited for security, but this may not be the case for what you install. Before installing new software, it's best to make sure there isn't already software in Tails that does the job you want to do. If you want additional software to persist beyond a single session, you have to enable "Additional Software" in Persistent Storage [configuration](https://tails.boum.org/doc/persistent_storage/configure/index.en.html).
|
||||
|
||||
To install software from the Debian software repository:
|
||||
|
||||
* Start Tails with administration rights, then go to **Applications → System Tools → Synaptic Package Manager**.
|
||||
* When prompted, enter your administration password (if it's the first time you do this, it will take time to download the repositories).
|
||||
* Go to "All" and choose the software you want to install: "select for installation", then "apply".
|
||||
|
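Review bot: typo in the additional-software paragraph: "so you make need to use a program called `torsocks`" should be "so you may need to use".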
@ -368,12 +380,12 @@ To install software from the Debian software repository:
|
|||
|
||||
For more information, see the documentation on [Installing additional software](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html).
|
||||
|
||||
#### Remember to make backups!
|
||||
## Remember to make backups!
|
||||
A Tails USB is easily lost and USBs have a much shorter life span than a hard drive (especially the cheap ones). If you put important data on it, think about making regular backups. If you use a second LUKS-encrypted USB, this is as simple as using the File Manager to copy files to a backup LUKS-encrypted USB.
|
||||
|
||||
If you use Persistent Storage, see the [documentation on backing it up](https://tails.boum.org/doc/persistent_storage/backup/index.en.html).
|
||||
|
||||
#### Privacy screen
|
||||
## Privacy screen
|
||||
|
||||
A [privacy screen](https://en.wikipedia.org/wiki/Monitor_filter) can be added on top of the laptop screen to prevent people (or hidden cameras) from seeing the content unless they are directly facing it.
|
||||
|
||||
|
|
|
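Review bot: the new "## Remember to make backups!" heading is immediately followed by the paragraph with no blank line, while "## Privacy screen" in the same hunk gets one; add the blank line for consistency.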
@ -24,12 +24,12 @@ Let's start with your laptop. For a seal to be effective at alerting you to intr
|
|||
Mullvad VPN [made a guide](https://mullvad.net/en/help/how-tamper-protect-laptop/) for applying this technique: first apply stickers over the laptop chassis screws, then the nail polish. An [independent test](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-aufklebern) noted:
|
||||
> Attackers without a lot of practice can use a needle or scalpel, for example, to drive under the sticker and push it partially upward to get to the screws relatively easily. The broken areas in the paint could be repaired with clear nail polish, although we did not need to do this in most of our tests. The picture below is a pre-post-comparison of one of our first attempts. Except for 3-4 glitter elements at the top left edge of the sticker, all others are still in the same place. This could be further reduced in subsequent attempts, so we rate this method as only partially suitable. [...] The relevant factor in this process is the amount of elements on the edge of the sticker. In addition, there are special seal stickers available which break when peeled off. They are probably more suitable for this method.


For this reason, it is preferable to apply nail polish directly to the screws instead of on top of a sticker. This direct application is done for [NitroKey](https://docs.nitrokey.com/nitropad/qubes/sealed-hardware) and [Purism](https://puri.sm/posts/anti-interdiction-update-six-month-retrospective/) laptops. Keep these nuances in mind:
> The screws holes are particularly relevant here. If they are too deep, it is difficult to take a suitable photo of the seal under normal conditions. If the hole is shallow or if it is completely filled with nail polish, there is a risk that if a lot of polish is used, the top layer can be cut off and reapplied after manipulation with clear polish. If the nail polish contains too few elements, they could be manually arranged back to the original location after manipulation if necessary.


Glitter nail polish was successfully bypassed during a Tamper Evident Challenge in 2018 - the winner [explained](https://hoodiepony.medium.com/bypassing-the-glitter-nail-polish-tamper-evident-seal-25d6973d617d) how they managed to succeed. It is worth noting that a nail polish brand was used with relatively large glitter pieces of only two colors. It would be difficult to apply this bypass to inset screw holes; if the glitter was painted on with a high density of elements, but not too thickly, that would also increase the difficulty. Finally, [using an adhesive](https://dys2p.com/en/2021-12-tamper-evident-protection.html#glitzer-nagellack-mit-klebstoff) would also make the bypass less feasible.
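Review bot: the same file `glitter-nailpolish.jpg` is embedded twice in this hunk, once directly after the dys2p quote about stickers ("The picture below is a pre-post-comparison of one of our first attempts") and again after the quote about applying polish straight onto the screws. The first position reads as if it should show the sticker before/after comparison, so either reference that picture there or drop the first embed; the two image lines themselves show no visible difference between old and new, so the change to them is trailing whitespace, which is worth a word in the commit message.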
@ -38,6 +38,7 @@ Verification that the random pattern hasn't changed can be done manually with wh
The Blink Comparison app encrypts its storage, to prevent an adversary from easily replacing the photos, and gives a helpful interface for comparing them. The app helps you to take the comparison photo from the same angle and distance as the original photo. Blink Comparison then switches between the two images when the screen is touched, making direct comparison much easier.
Now that you understand the nuances of using nail polish on the chassis screws of your laptop(s), we'll actually do it - this is best done after [flashing HEADS](#tamper-evident-software-and-firmware) so that it doesn't have to be removed and repeated. Before getting started, you can also take a photo of the inside of the laptop, in case one day you need to check if its internal components have been tampered with despite the nail polish protection (keeping in mind that not all components are visible). Use a nail polish that has different colors and sizes of glitter, like that shown above.
* First, take a photo of the underside of the computer and use a software like GIMP to number the screws, in order to make it easier to verify. For example, the ThinkPad X230 shown above has 13 screws which need to be numbered so that in the future you know which screw the photo `3.jpg` refers to.
* Apply the glitter nail polish directly to each screw, with sufficient density of glitter but not too thickly.
* Once it has dried, be sure to take good close-up photos of each individual screw - either with the Blink Comparison app on a smartphone, or with a normal camera. It is a good idea to use lighting that is reproducible, so close the blinds on any windows and rely on the indoor lighting and camera flash. Number the file names of the photos, and back them up to a second storage location.
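Review bot: the three bullets after "we'll actually do it" are sequential steps (number the screws in a photo, apply the polish, photograph each screw once it has dried) but use `*` bullets, while the "Wrapping Up" list later in this file uses `1)`, `2)`, `3)`; render these as an ordered list so the order is explicit. Minor wording in the first bullet: "use a software like GIMP" should be "use software like GIMP".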
@ -48,7 +49,7 @@ If you ever need to remove the nail polish to access the internal of the laptop,
Now that you understand the concept, you need a tamper-evident storage solution for all sensitive electronics when you are out of the house (laptops, external drives, USBs, phones, external keyboards, and mice). Safes are often used to protect valuable items, but they can be bypassed in several ways, and some of these bypasses are difficult to detect (see the [Appendix](#appendix-cracking-safes)). It is not trivial or inexpensive to make a safe tamper-evident, if it can be done at all.


A better and cheaper solution is to implement the guide of [dys2p](https://dys2p.com/en/2021-12-tamper-evident-protection.html#kurzzeitige-lagerung):
> When we need to leave a place and leave items or equipment behind, we can store them in a box that is transparent from all sides. Then we fill the box with our colorful mixture so that our devices are covered. The box should be stored in such a way that shocks or other factors do not change the mosaic. For example, the box can be positioned on a towel or piece of clothing on an object in such a way that this attenuates minor vibrations of the environment, but the box cannot slide off it.
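Review bot: the dys2p blockquote refers to "our colorful mixture", but nothing before it in this hunk says what the mixture is; add a sentence ahead of the quote naming the filler (the linked guide, listed under Further Reading, is titled "Detecting unauthorized physical access with beans, lentils and colored rice") so the quote stands on its own. The `#appendix-cracking-safes` anchor does match the "Appendix: Cracking Safes" heading further down.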
@ -96,6 +97,7 @@ For GrapheneOS, [Auditor](/posts/grapheneos/#auditor) is an app that will enable
# Wrapping Up
With the measures described above, any 'evil maid' would need to bypass:
1) Haven detecting them, and
2) The tamper-evident storage, and
3) The tamper-evident glitter nail polish (for an attack that requires opening the laptop), or HEADS/Auditor (for a software or firmware attack)
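Review bot: item 3 presents the glitter nail polish and HEADS/Auditor as alternatives, but a firmware attack done by reflashing the chip with a programmer clipped to the board needs the chassis opened first, so that attacker has to get past the polish and HEADS; "and/or", or a clause such as "both, for a firmware attack that opens the case", would be more accurate. "Haven" also appears here with no link, while Auditor is linked in the hunk's context line; link Haven the same way.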
@ -107,6 +109,7 @@ That means that whenever you leave the house, you power off sensitive devices an
Laptop screws can be verified on a monthly basis, or if anything suspect happens. Neither HEADS nor Auditor require much effort after set-up to be used properly; Auditor will run without interaction, and HEADS becomes part of your booting process.
# Further Reading
* [Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice](https://dys2p.com/en/2021-12-tamper-evident-protection.html)
# Appendix: Cracking Safes
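Review bot: "Neither HEADS nor Auditor require much effort" needs the singular "requires" (the verb agrees with the nearer subject). The Further Reading list has a single entry, the dys2p page already cited inline several times; consider also listing the Mullvad tamper-protection guide and the hoodiepony glitter-polish bypass write-up linked in the nail-polish section, so all external sources are gathered in one place.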
@ -118,3 +121,4 @@ Laptop screws can be verified on a monthly basis, or if anything suspect happens
* [Brute force](/glossary#brute-force-attack) attacks - trying all possible combinations - are possible if the adversary has time. Dial mechanisms can be brute-forced with a [computerized autodialer](https://learn.sparkfun.com/tutorials/building-a-safe-cracking-robot) which [doesn't need supervision](https://www.youtube.com/watch?v=vkk-2QEUvuk). Electronic keypads are less susceptible to brute-forcing if they have a well-designed incremental lockout feature; for example, if you get it wrong 10 times, you're locked out for a few minutes, 5 more incorrect codes and you're locked out for an hour, etc.
* Several tools exist that can automatically retrieve or reset the combination of an electronic lock; notably, the Little Black Box and Phoenix. Tools like these are often connected to wires in the lock that can be accessed without causing damage to the lock or container. This should be possible to make tamper-evident, as it requires getting access to the wires.
* Several [keypad-based attacks](https://en.wikipedia.org/wiki/Safe-cracking#Keypad-based_attacks) exist, but some can be mitigated with proper OPSEC.
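Review bot: the last bullet says some keypad-based attacks "can be mitigated with proper OPSEC" without naming one; give an example, such as wear or residue on the keys of the code digits, which is mitigated by wiping the keypad after use. The Little Black Box/Phoenix bullet likewise says reaching the wires "should be possible to make tamper-evident" but not how; the glitter-polish-on-screws method described earlier applies directly to the keypad housing, so say that.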