diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md index 8d4cbd1..90f5abd 100644 --- a/content/posts/e2ee/index.md +++ b/content/posts/e2ee/index.md @@ -78,6 +78,8 @@ You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs Anyone can connect to a public Cwtch account when it is online. In the future, Cwtch bots that are semi-trusted (which are hosted on a Cwtch server) will enable first contact when the public Cwtch account is offline. +Cwtch will reject connections from blocked contacts, and if the setting "Block Unknown Contacts" is enabled, you must be the one to add a contact in order to establish a connection. This greatly limits the kinds of features that untrusted contacts can access. However, this setting is less relevant for public projects that need to be able to be contacted by anyone. + **Resiliency to correlation attacks** Real-time messaging applications are particularly susceptible to end-to-end correlation attacks because of the ability of an adversary, once they know their target's ID on the messaging platform, to trigger incoming network traffic on the target's side by sending them messages on the platform (when the target is online). "Appear Offline Mode" in Cwtch allows a user to selectively connect to trusted contacts and groups, while appearing offline to everyone else. An [issue](https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/712) is open to further address this. diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md index 232d8c6..5b0a1a3 100644 --- a/content/posts/qubes/index.md +++ b/content/posts/qubes/index.md 
@@ -388,13 +388,17 @@ Qubes OS also applies appropriate software mitigation to this class of attacks a ## OPSEC for Memory Use -To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Be aware of which qubes are running simultaneously: +To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Be aware of which qubes are running simultaneously - it is best to only have trusted qubes alongside each other. -* [vault qube](#how-to-organize-your-qubes): - * Do not run an unlocked KeePassXC database at the same time as a highly untrusted qube. - * Instead of having only one vault qube that stores all files (as described above), you can compartmentalize by having different vault qubes dedicated to specific activities (i.e. `vault-personal`, `vault-project1`, etc.). 
This means that if a networked qube is compromised while working on project1, [intentional sniffing](https://www.qubes-os.org/doc/data-leaks/) will not have potential access to all files, but only to those files that are compartmentalized for project1. * sys-usb: Disposable. Run only when needed, and shut down when finished. * sys-net: Disposable. Run only when needed, and shut down when finished. Shut down when performing sensitive operations in other qubes, if possible. Restart before activities that require sys-net (i.e. email, ssh sessions, etc.). +* [vault qube](#how-to-organize-your-qubes): + * Instead of having only one vault qube that stores all files (as described above), you can compartmentalize by having different vault qubes dedicated to specific activities (i.e. `vault-personal`, `vault-project1`, etc.). This means that if a networked qube is compromised while working on project1, [intentional sniffing](https://www.qubes-os.org/doc/data-leaks/) will not have potential access to all files, but only to those files that are compartmentalized for project1. + * Configure KeePassXC to lock when it is unused: **Application Settings → Security → Timeouts**, enable **Lock databases after inactivity**. If you need a password when using an untrusted qube: + * "Emergency pause" the untrusted qube(s), + * start the necessary vault qube and open the KeePassXC database, + * copy the credential to the untrusted qube, + * shut down the vault qube, then resume the untrusted qube(s). ## Remove Passwordless Root diff --git a/content/posts/tails-best/index.md b/content/posts/tails-best/index.md index 6800479..6326640 100644 --- a/content/posts/tails-best/index.md +++ b/content/posts/tails-best/index.md 
@@ -73,7 +73,7 @@ You can mitigate the techniques available to powerful adversaries by **not using "Mobile Wi-Fi" devices exist which give you Internet access through the mobile network (via SIM cards) - these are a bad idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile operator every time you connect, allowing identification and geographic localization. The adapter works like a mobile phone! If you do not want different research sessions to be associated with each other, do not use the same device or SIM card more than once! -To use internet not tied to your identity, you have two options: Wi-Fi from a public space (like going to a cafe without CCTV cameras), or by using a Wi-Fi antenna through a window from a private space. The latter option is preferable for any computer activity that takes a prolonged amount of time because the main police priority will be to seize the computer while it is unencrypted, and this is much harder from them to achieve in a private space. In a public space, there is also more of a risk of cameras seeing you type your password. However, using a Wi-Fi antenna is also more technical (guide coming soon). +To use internet not tied to your identity, you have two options: Wi-Fi from a public space (like going to a cafe without CCTV cameras), or by using a Wi-Fi antenna through a window from a private space. The latter option is preferable for any computer activity that takes a prolonged amount of time because the main police priority will be to seize the computer while it is unencrypted, and this is much harder for them to achieve in a private space. In a public space, there is also more of a risk of cameras seeing you type your password. However, using a Wi-Fi antenna is also more technical (guide coming soon). 
When using Wi-Fi in a public space, keep the following operational security considerations in mind: * Do not get into a routine of using the same cafes repeatedly if you can avoid it. 
@@ -145,7 +145,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, * **Remove the hard drive**—it's easier than it sounds. If you buy the laptop, you can ask the store to do it and potentially save some money. If you search on youtube for "remove hard drive" for your specific laptop model, there will probably be an instructional video. Make sure you remove the laptop battery and unplug the power cord first. We remove the hard drive to completely eliminate the hard drive firmware, which has been known to be [compromised to install persistent malware](https://www.wired.com/2015/02/nsa-firmware-hacking/). A hard drive is part of the attack surface and is unnecessary on a live system like Tails that runs off a USB. * Consider **removing the Bluetooth interface, camera, and microphone** while you're at it, although this is more involved—you'll need the user manual for your laptop model. The camera can at least be "disabled" by putting a sticker over it. The microphone is often connected to the motherboard via a plug - in this case just unplug it. If this is not obvious, or if there is no connector because the cable is soldered directly to the motherboard, or if the connector is needed for other purposes, cut the microphone cable with a pair of pliers. The same method can be used to permanently disable the camera if you don't trust the sticker method. It is also possible to use Tails on a dedicated "offline" computer by removing the network card as well. Some laptops have switches on the case that can be used to disable the wireless interfaces, but for an "offline" computer it is preferable to actually remove the network card. -* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates an attack on the BIOS firmware against a Tails user, allowing the security researcher to steal GPG keys and emails. 
Unfortunately, the BIOS cannot be removed like the hard drive. It is needed to turn on the laptop, so it must be replaced with [open-source](/glossary#open-source) firmware. This is an advanced process because it requires opening the computer and using special tools. Most anarchists will not be able to do this themselves, but hopefully there is a trusted person in your networks who can set it up for you. The project is called HEADS because it's the other side of Tails—where Tails secures software, HEADS secures firmware. It has a similar purpose to the [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) found in GrapheneOS, which establishes a full chain of trust from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop if you plan to install it—we recommend the ThinkPad X230 because it's less involved to install than other models. The CPUs of this generation are capable of effectively removing the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) when flashing HEADS, but this is not the case with later generations of CPUs on newer computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a wider range of laptop models but has less security. HEADS can be configured to [verify the integrity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation), preventing it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks! +* **Replace the BIOS with [HEADS](https://osresearch.net/)**. A [video](https://invidious.sethforprivacy.com/watch?v=sNYsfUNegEA) demonstrates an attack on the BIOS firmware against a Tails user, allowing the security researcher to steal GPG keys and emails. Unfortunately, the BIOS cannot be removed like the hard drive. 
It is needed to turn on the laptop, so it must be replaced with [open-source](/glossary#open-source) firmware. This is an advanced process because it requires opening the computer and using special tools. Most anarchists will not be able to do this themselves, but hopefully there is a trusted person in your networks who can set it up for you. The project is called HEADS because it's the other side of Tails—where Tails secures software, HEADS secures firmware. It has a similar purpose to the [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) found in GrapheneOS, which establishes a full chain of trust from the hardware. HEADS has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop if you plan to install it—we recommend the ThinkPad X230 because it's less involved to install than other models. The CPUs of this generation are capable of effectively removing the [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor) when flashing HEADS, but this is not the case with later generations of CPUs on newer computers. [Coreboot](https://www.coreboot.org/users.html), the project on which HEADS is based, is compatible with a wider range of laptop models but has less security. HEADS can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation), preventing it from booting if it has been tampered with. HEADS protects against physical and remote classes of attacks! * **Use USBs with secure firmware**, such as the [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), so that the USB will [stop working](https://www.kanguru.com/blogs/gurublog/15235873-prevent-badusb-usb-firmware-protection-from-kanguru) if the firmware is compromised. 
Kanguru has [retailers worldwide](https://www.kanguru.com/pages/where-to-buy), allowing you to buy them in person to avoid the risk of mail interception. 
@@ -157,7 +157,7 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware, > What's a *write-protect* switch? When you insert a normal USB into a computer, the computer does *read* and *write* operations with it, and a *write* operation can change the data on the USB. Some special USBs developed for malware analysis have a physical switch that can lock the USB, so that data can be *read* from it, but no new data can be *written* to it. -If your Tails USB stick has a write-protect switch and secure firmware, such as [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are protected from compromising the USB firmware during a Tails session. If the switch is locked, you are also protected from compromising the Tails software. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot "take root" and would not carry over to subsequent Tails sessions. If you are unable to obtain such a USB, you have two options. +If your Tails USB stick has a write-protect switch and secure firmware, such as [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are protected from compromising the USB firmware during a Tails session. If the switch is locked, you are also protected from compromising the Tails software. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot "take root" and would not carry over to subsequent Tails sessions. 
Note that HEADS firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. If you aren't using HEADS and you are unable to obtain such a USB, you have two options. 1) [Burn Tails to a new DVD-R/DVD+R](https://tails.boum.org/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten. 2) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.boum.org/doc/advanced_topics/boot_options/index.en.html). 
@@ -176,7 +176,7 @@ Where can we store personal data for use between Tails sessions if the write-pro Compartmentalization is an approach that neatly separates different identities by using separate Tails sessions for separate activities - in Tails session #1 you do activities related to moderating a website, and in Tails session #2 you do activities related to researching for an action. This approach also comes into play with your "personal data" USBs. If the files you save could be used to link your activities together, use a different "personal data" USB for each activity. For a "personal data" USB that stores very sensitive files (such as the text of a communique), it is best to reformat and then destroy the USB once you no longer need the files (see [Really delete data from a USB drive](/posts/tails/#really-delete-data-from-a-usb)). This is another reason to use a separate USB for any files that need to be saved - you don't accumulate the forensic history of all your files on your Tails Persistent Storage, and you can easily destroy USBs as needed. -Finally, a note about email - if you already use Tails and encrypted email ([even though it is not very secure](/posts/e2ee/#pgp-email)), you may be familiar with Thunderbird's Persistent Storage feature. This feature allows you to store your Thunderbird email account details, as well as your inbox and PGP keys, on a Tails USB. With a "personal data" USB, Thunderbird won't automatically open your accounts. We recommend that you do one of the following: +Finally, a note about email - if you already use Tails and encrypted email, you may be familiar with Thunderbird's Persistent Storage feature. This feature allows you to store your Thunderbird email account details, as well as your inbox and PGP keys, on a Tails USB. With a "personal data" USB, Thunderbird won't automatically open your accounts. We recommend that you do one of the following: - Create new Thunderbird email accounts in each session. 
PGP keys can be stored on the separate 'personal data' USB like any other file, and imported when needed. This has the advantage that if law enforcement manages to bypass LUKS, they still don't have your inbox without knowing your email password. - Keep the Thunderbird data folder on the "personal data" USB. After logging in to Thunderbird, use the Files browser (Applications → Accessories → Files) and enable the "Show hidden files" setting. Navigate to Home, then copy the folder called `.thunderbird` to your "personal data" USB. In each future session, after you have unlocked the 'personal data' USB and before you start Thunderbird, copy the `.thunderbird` folder to Home (which is running in RAM, so doesn't require the write-protect switch to be unlocked). diff --git a/content/recommendations/_index.md b/content/recommendations/_index.md index 8283d3c..123cdb2 100644 --- a/content/recommendations/_index.md +++ b/content/recommendations/_index.md @@ -5,7 +5,9 @@ paginate_by = 5 +++
-These recommendations are intended for all anarchists and are accompanied by guides on how to put them into practice. They are based on a threat model that protects against government security forces and equivalent adversaries that seek to achieve [targeted digital surveillance](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance.html) for [incrimination](https://www.notrace.how/threat-library/tactics/incrimination.html) or [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html). The goal is to obscure the visibility of our enemies into our lives and projects, and to leave no trace when relevant. Technology is hostile terrain. +Our recommendations are intended for all anarchists and they are accompanied by guides for putting the advice into practice. + +An anarchist threat model needs to protect against State-level adversaries that seek to achieve [targeted digital surveillance](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance.html) for [incrimination](https://www.notrace.how/threat-library/tactics/incrimination.html) or [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html). Our goal is to obscure the visibility of our enemies into our lives and projects, and to leave no trace when relevant. Technology is hostile terrain. We agree with the conclusion of an overview of [targeted surveillance measures in France](https://actforfree.noblogs.org/post/2023/07/24/number-of-the-day-89502-preventive-surveillance-measures-france/): "So let’s be clear about our responsibilities: if we knowingly bring a networked device equipped with a microphone and/or a camera (cell phone, baby monitor, computer, car GPS, networked watch, etc.) close to a conversation in which “private or confidential words are spoken” and must remain so, even if it's switched off, we become a potential state informer…" 
diff --git a/content/series/_index.md b/content/series/_index.md index a5b1e19..d8f81d0 100644 --- a/content/series/_index.md +++ b/content/series/_index.md @@ -21,9 +21,9 @@ paginate_by = 5 #### General * [Linux Essentials: The Basics Needed to Use Tails or Qubes](/posts/linux/) -* [Removing Identifying Metadata From Files](/posts/metadata/) +* [Remove Identifying Metadata From Files](/posts/metadata/) * [Encrypted Messaging for Anarchists](/posts/e2ee/) -* [Making Your Electronics Tamper-Evident](/posts/tamper/) +* [Make Your Electronics Tamper-Evident](/posts/tamper/) # Offensive
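Review bot: in the e2ee hunk, the added paragraph says "Block Unknown Contacts" "greatly limits the kinds of features that untrusted contacts can access" without saying which features are withheld; either name what an unknown contact cannot do once the setting is on, or link the Cwtch Handbook already cited at the top of this hunk, since the reader is being asked to weigh that limitation against reachability. The closing sentence also reads as if it contradicts the rest of the paragraph; "this setting is not suitable for public projects that must be reachable by anyone" states the trade-off directly.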
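Review bot: in the qubes hunk, the emergency-pause procedure has an ordering problem at "copy the credential to the untrusted qube": a paused qube cannot accept the paste, so as written the reader either resumes the untrusted qube while the vault database is still open (defeating the point of the pause) or cannot complete the step. Suggest splitting it into "copy the credential to the inter-qube clipboard from the vault qube", "lock the database or shut down the vault qube", "resume the untrusted qube(s)", "paste". Minor: "i.e. `vault-personal`, `vault-project1`" should be "e.g.", and the removed one-liner "Do not run an unlocked KeePassXC database at the same time as a highly untrusted qube" is still the clearest statement of the goal; keep it as the lead sentence above the inactivity-timeout setting and the procedure, which are the two ways of honouring it.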
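Review bot: in the tails-best @@ -73 hunk, changing "from them" to "for them" is right; while this line is being touched, "To use internet not tied to your identity" is inconsistent with "Internet access" two sentences earlier, and "Wi-Fi from a public space ... or by using a Wi-Fi antenna" mixes a noun phrase with a gerund. Suggest "using Wi-Fi from a public space (...) or using a Wi-Fi antenna through a window from a private space".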
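Review bot: in the tails-best @@ -145 hunk, the link text now promises "integrity and authenticity" but the clause after it ("preventing it from booting if it has been tampered with") describes only the integrity check; say what establishes authenticity (a signature made with a key the user controls) or keep the previous wording. The unchanged closing sentence "HEADS protects against physical and remote classes of attacks!" is also broader than the paragraph supports; since this hunk is already refining that claim, state it precisely: HEADS detects tampering with the firmware and the boot path, it does not protect against every physical or remote attack.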
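Review bot: in the tails-best @@ -157 hunk, "HEADS firmware makes a write-protect switch redundant" is too strong and conflicts with the paragraph it sits in. Boot-time verification detects a modified Tails USB after the fact, whereas a locked switch prevents the write in the first place: with HEADS alone, a compromised session can still write to the stick, and the user loses the stick instead of keeping a clean one. HEADS also verifies the Tails files, not the USB controller firmware that the paragraph's first sentence credits the secure-firmware device with protecting. Suggest "HEADS reduces the need for a write-protect switch, because it will refuse to boot a tampered Tails USB", and add that a failed verification means reinstalling Tails from a trusted source.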
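Review bot: in the tails-best @@ -176 hunk, dropping "([even though it is not very secure](/posts/e2ee/#pgp-email))" removes the only cross-reference from this paragraph to the PGP email caveat. If the intent was to tone down the claim rather than remove the pointer, keep the link with neutral text, e.g. "(see [the limits of PGP email](/posts/e2ee/#pgp-email))", so readers storing an inbox and PGP keys on a USB still find the caveat.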
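Review bot: in the recommendations hunk, "An anarchist threat model needs to protect against State-level adversaries" attributes the protection to the threat model; a threat model names the adversary and its capabilities, and the recommendations do the protecting. Suggest "Our threat model assumes State-level adversaries that seek to achieve ..., and the recommendations are chosen to defend against them." "Obscure the visibility of our enemies into our lives" is awkward; "limit what our enemies can see of our lives and projects" says the same thing. Minor: "and they are accompanied by guides" reads better as "and are accompanied by guides", as the removed line had it.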
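Review bot: in the series hunk, the two entries switch to imperative titles ("Remove Identifying Metadata From Files", "Make Your Electronics Tamper-Evident") but the diff does not touch the posts themselves; confirm the `title` front matter of /posts/metadata/ and /posts/tamper/ was changed to match, otherwise the series index and the post headings will disagree.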