Mirror of https://0xacab.org/anarsec/anarsec.guide.git, synced 2025-07-23 23:01:04 -04:00
Tails best, dark mode js, toc js, csp js
parent 8cf6183410
commit c2827a1522
7 changed files with 181 additions and 11 deletions
BIN
content/posts/tails-best/diagram.png
Normal file
Binary file not shown. After: Size 466 KiB
|
@ -51,10 +51,17 @@ The first issue is mitigated by [**Tor bridges**](https://tails.boum.org/doc/ano
|
|||
> A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called *end-to-end correlation* attacks, because the attacker has to observe both ends of a Tor circuit at the same time. [...] End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users.
|
||||
|
||||
The second issue is mitigated by **not using an Internet connection that could deanonymize you** and by **prioritizing .onion links when available**:
|
||||
* If a determined adversary breaks Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic), the Internet address you had used in a cafe without CCTV cameras will only lead to your general area (for example, your city) because it is not associated with you. A correlation attack being used to deanonymize a Tor user is unprecedented in current evidence that has been used in court, though [it has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as supporting evidence once a suspect was already identified by a snitch. Correlation attacks are even less feasible against connections to an .onion address, because you never exit the Tor network, so there is no 'end' to correlate with.
|
||||
* There are several opsec considerations to keep in mind if using Wi-Fi at a cafe without CCTV cameras. If you need to buy a coffee to get the Wi-Fi password, pay in cash! Position yourself with your back against a wall so that nobody can 'shoulder surf' you to see your screen, and ideally install a privacy screen on the laptop. Maintain situational awareness, and be ready to pull out the Tails USB and power down the computer at a moment's notice. An individual responsible for a darknet marketplace had his Tails computer seized while distracted by a fake fight beside him - if his Tails USB had been attached to a bracelet by short length of fishing line, the feds would have very likely lost all evidence when the Tails USB was yanked out - the Tails screen will freeze on whatever was up last, and any LUKS USBs will now be encrypted.
|
||||
* Wi-Fi adapters that work through SIM cards are not a good idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile network provider every time you connect, allowing identification as well as geographical localization. The adapter works like a cell phone! If you do not want different research sessions to be associated with each other, do not use such an adapter or the SIM card more than once!
|
||||
* There are several opsec considerations to keep in mind if using Wi-Fi at a cafe without CCTV cameras.
|
||||
* See [Appendix 2](#appendix-2-location-location-location) for more information on choosing a location.
|
||||
* Do not make a routine by using the same cafes repeatedly, if it can be avoided.
|
||||
* If you need to buy a coffee to get the Wi-Fi password, pay in cash!
|
||||
* Position yourself with your back against a wall so that nobody can 'shoulder surf' you to see your screen, and ideally install a privacy screen on the laptop.
|
||||
* Maintain situational awareness, and be ready to pull out the Tails USB and power down the computer at a moment's notice. An individual responsible for a darknet marketplace had his Tails computer seized while distracted by a fake fight beside him - if his Tails USB had been attached to a bracelet by short length of fishing line, the feds would have very likely lost all evidence when the Tails USB was yanked out - the Tails screen will freeze on whatever was up last, and any LUKS USBs will now be encrypted. If maintaining situational awareness feels unrealistic, have a trusted friend hanging out who can dedicate themselves to this.
|
||||
* If cafes without CCTV cameras are few and far between, you can try to access the Wi-Fi of a cafe from outdoors, outside of the view of their cameras. Some external Wi-Fi adapters will be able to catch signals that are further away, as discussed in [Appendix 2](#appendix-2-location-location-location).
|
||||
* If a determined adversary breaks Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic), the Internet address you had used in a cafe without CCTV cameras will only lead to your general area (for example, your city) because it is not associated with you, provided that you don't use it routinely. A correlation attack being used to deanonymize a Tor user is unprecedented in current evidence that has been used in court, though [it has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as supporting evidence once a suspect was already identified to correlate with. Correlation attacks are even less feasible against connections to an .onion address, because you never exit the Tor network, so there is no 'end' to correlate with.
|
||||
* However, a more likely low-tech 'correlation attack' is possible by local law enforcement, starting from your identity rather than starting from your anonymous Internet activity, if you are already in their sights and a target of [physical surveillance](https://www.csrc.link/threat-library/techniques/physical-surveillance/covert.html). For example, if a surveillance operation notices that you go to a cafe regularly, and an anarchist website is always updated in those time windows, this pattern can indicate that you are moderating that website. Perhaps an undercover can even get a glance at your screen.
|
||||
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) prior to heading to a cafe**, and changing Wi-Fi locations regularly, but this is not particularly realistic for projects like moderating a website which require daily Internet access. Alternatively, mitigations can involve **using a Wi-Fi antenna from indoors** (guide forthcoming), **scheduling posts to be published later** (WordPress has this feature), or potentially even **using Tor from your home Internet** for some projects. This contradicts the prior advice, but using Tor from home will avoid creating a movement profile that is so easily physically observed (compared to a network traffic profile that is more technical to observe, and may be more difficult to draw meaningful conclusions from).
|
||||
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) prior to heading to a cafe**, and changing Wi-Fi locations regularly, but this may not be particularly realistic for projects like moderating a website which require daily Internet access. Alternatively, mitigations can involve **using a Wi-Fi antenna from indoors** (guide forthcoming), **scheduling posts to be published later** (WordPress has this feature), or potentially even **using Tor from your home Internet** for some projects. This contradicts the prior advice, but using Tor from home will avoid creating a movement profile that is so easily physically observed (compared to a network traffic profile that is more technical to observe, and may be more difficult to draw meaningful conclusions from).
|
||||
* If you want to send in a report-back the morning after a riot, or a communique soon after an action (times when there might be a higher risk of targeted surveillance), consider waiting and at minimum take surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank was gutted with fire in Canada, police surveilled a suspect while he travelled from home to an Internet cafe, and watched while he posted the communique and then proceeded to bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.csrc.link/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe close to the comrade's home, and requested CCTV footage for the day during which an arson communique was sent.
|
||||
|
||||
#### Reducing risks when using untrusted computers
|
||||
|
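Review bot: the rewritten correlation-attack bullet has lost the end of its sentence: "once a suspect was already identified to correlate with." is not grammatical, and the version it replaces read "once a suspect was already identified by a snitch." The words "to correlate with" appear to have been pasted in from the following sentence ("so there is no 'end' to correlate with"); restore "identified by a snitch" (or "identified by other means") so the Hammond example still says how the suspect was identified before the correlation evidence was used. A smaller wording point in the situational-awareness bullet, carried over unchanged from the old paragraph: "any LUKS USBs will now be encrypted" is imprecise, since LUKS volumes are always encrypted at rest; what yanking the Tails USB buys you is that the unlocked volumes become inaccessible, so "will be locked again" says what is meant.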
@ -231,3 +238,85 @@ You may want to open untrusted links in a dedicated Tails session, with no Persi
|
|||
# To Conclude
|
||||
Using Tails without any of this advice is still a huge improvement over many other options. Given that anarchists regularly entrust their freedom to Tails, such as for submitting communiques, taking these extra precautions can further strengthen your trust in this operating system.
|
||||
|
||||
# Appendix: Deanonymization of your WLAN (Wi-Fi) adapter despite Tails?
|
||||
***Capulcu*** *(from [Autonomes Blättchen No. 49](https://autonomesblaettchen.noblogs.org/files/2022/06/nr49web.pdf), 2022)*
|
||||
|
||||
The two main techniques for anonymizing network traffic while using Tails are using Tor to obfuscate IP addresses and using a MAC address changer to obfuscate the MAC address. In theory, this does the trick. However, security cannot always be guaranteed and attacks aimed at deanonymization occur against both techniques. The compromise of one technique does not entail the compromise of the other. Nevertheless, *for particularly sensitive publications*, it is important to thwart all possibilities of successful identification.
|
||||
|
||||
**Background information:** The IP address can be used to identify the location of the router. The MAC address is 'only' used for local assignment: which endpoint device is to receive which data packet from the router. According to the current Internet standard, it is not usually sent beyond the router to the Internet[^1].
|
||||
|
||||

|
||||
|
||||
In September 2019, our collective published a short statement ("[Security warning about MAC changer](https://capulcu.blackblogs.org/)") in which we warn against possible deanonymization through the use of WLAN adapters - including when using the Tails operating system. Here, we want to supplement the chapter "Dangers of WLAN adapters" in the current edition of the [Capulcu Tails publication](https://capulcu.blackblogs.org/wp-content/uploads/sites/54/2021/04/Tails-2021-04-12.pdf) with insight into the problems of WLAN adapters and a recommendation for use.
|
||||
|
||||
**The problem:** WLAN adapters send manufacturer-specific information with the data transfer. This information can enable a unique assignment despite a MAC address spoofed by the MAC changer. **This affects both internal WLAN adapters that are installed in your laptop in the form of a network card, as well as external WLAN adapters connected via USB**. The technical details are explained below. This fingerprinting is not conclusive forensic evidence. In combination with other evidence, however, it could result in a legally constructed 'unique' assignment: which computer was responsible for a certain Internet publication.
|
||||
|
||||
**A concrete example**: Due to previous police surveillance, a café in your city is suspected of being used for the publication of communiques. The café operator has allowed himself to be bribed or coerced by the cops into configuring his (commercially available) Internet router in such a way that it logs all of the data packets of all computers seeking contact. If the presence of various computers in this café was 'recorded' at the same time as an explosive Indymedia publication, this could be used for further investigations, despite the fact that the content of the data packets only shows that the data was anonymized using Tor. If your computer was logged (despite a spoofed MAC address) and if the fingerprint of your WLAN adapter turns up again elsewhere (by chance, or through targeted investigations - e.g. during a house raid) and can be proven as belonging to you, a prosecutor could try to use this as evidence of you submitting the Indymedia publication.
|
||||
|
||||
**Recommendation**: Until there is a (stable) solution for the "WLAN fingerprinting" problem, you should remove the internal WLAN adapter for particularly sensitive research and publications and use a (cheap) external USB WLAN adapter and **dispose of it after use**. We also advise you to use WLAN adapters that can be controlled by the Tails operating system without manufacturer-specific firmware (e.g. WLAN adapters with Qualcomm's Atheros chip that use the ath9k driver).
|
||||
|
||||
**Description of the problem and technical details**
|
||||
|
||||
If you have not explicitly deactivated the WLAN on the Tails welcome screen (via Offline Mode) or, if available, via a hardware switch, the Tails operating system will automatically search for existing WLAN access provided by access points (Wi-Fi routers). It does this by sending a radio signal (*probe request*) at regular intervals to all access points in the vicinity. The regularly sent request contains the unique MAC address of your WLAN adapter. However, Tails protects your anonymity by not sending the real address, but a randomly generated MAC address. If there are access points in the vicinity, they also respond with a radio signal (*probe response*). This response contains information about the network name (SSID), authentication and encryption. The information contained in these radio signals makes it possible to connect to an access point and exchange data packets.
|
||||
|
||||
The problem: Various studies from the years 2016-2019, whose results are recorded in various publications, show that radio signals also contain other information that can be used to identify you with a high degree of probability despite a changed MAC address!
|
||||
|
||||
The paper "[*Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms*](https://papers.mathyvanhoef.com/asiaccs2016.pdf)" shows the possibility of an identification based on radio signals (probe requests) by the WLAN standard [802.11](https://en.wikipedia.org/wiki/IEEE_802.11), which is also used by Tails. Here, the (spoofed) MAC addresses are disregarded and deanonymization takes place via the radio signals sent by WLAN adapters (via so-called "probe request fingerprinting"). The paper refers to real-world test data, i.e. with data from commercially available hardware[^2], and shows that WLAN radio signals contain enough information to uniquely identify their specific patterns. The paper also discusses various attack options for deanonymization, which we will not summarize here.
|
||||
|
||||
The paper "[*A Study of MAC Address Randomization in Mobile Devices and When it Fails*](https://arxiv.org/pdf/1703.02874)" takes the previous study as a starting point and adds further possibilities for identifying endpoint devices with changed MAC addresses. The study concludes that MAC address modification can be overridden by the attacks presented and is not sufficient for anonymization. The authors suggest to change the entire MAC address and not only the digits after the manufacturer identifier - the so-called OUI[^3], as [is the case with Tails](https://tails.boum.org/contribute/design/MAC_address/#active-probe-fingerprinting). In addition, according to the paper, a random MAC address should be used for each separate probe request.
|
||||
|
||||
Another paper titled "[*Defeating MAC Address Randomization Through Timing Attacks*](http://papers.mathyvanhoef.com/wisec2016.pdf)" deals with probe requests and the detection of devices that change their MAC addresses at periodic intervals (which does not happen under Tails and is fatal according to the paper). In the summary, the authors of the paper conclude that the attack they use can deanonymize a large fraction of devices (up to 77%), even if no large amounts of data are transmitted in the radio signals.
|
||||
|
||||
Further publications on possible deanonymization attacks (which do not explicitly affect Linux operating systems) can be found here:
|
||||
|
||||
- "[Know Thy Quality: Assessment of Device Detection by WiFi Signals](http://sig-iss.work/percomworkshops2019/papers/p639-rutermann.pdf)"
|
||||
- "[Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information](https://www.cs.ucr.edu/~zhiyunq/pub/infocom18_wireless_fingerprinting.pdf)"
|
||||
- "[Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field](http://www.uninformed.org/?v=5&a=1&t=pdf)
|
||||
- "[Device Fingerprinting in Wireless Networks: Challenges and Opportunities](https://arxiv.org/pdf/1501.01367v1.pdf)"
|
||||
|
||||
**Probe Request Fingerprinting**
|
||||
|
||||
The probe requests sent at short intervals by all WLAN adapters (whether internal or external) contain WLAN adapter-specific information elements (IEs) in the management frame. The values of the [IEs](http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf) are partly manufacturer-specific (in terms of content and sequence). This makes them particularly suitable for deanonymizing fingerprinting, which was used in the previously mentioned papers. Among the various implementations of proprietary [WLAN firmware](https://en.wikipedia.org/wiki/Proprietary_software), there are so many different ways to arrange them that tracking can therefore be successful. In addition, WLAN adapters can often be distinguished by sequence number[^4], data throughput rate, and other radio signal-specific parameters[^5].
|
||||
|
||||
**Reduce the digital footprint**
|
||||
|
||||
The packet sizes of probe requests differ according to the information they contain. In most cases, this depends heavily on the firmware implementations of the manufacturers. However, there are also free driver implementations for WLAN adapters that do not require proprietary firmware and can be controlled via the operating system[^6]:
|
||||
|
||||
>[ath9k](https://wiki.debian.org/ath9k) is a Linux kernel driver supporting Atheros 802.11n PCI/PCI-E chips, introduced at Linux 2.6.27. It does not require a binary HAL (hardware abstraction layer) and no firmware is required to be loaded from userspace.
|
||||
|
||||
This gives you control over your WLAN adapter and already reduces your digital footprint (e.g. ath9k WLAN adapter drivers do not contain vendor specific tags). This is also noticeable in the reduced packet size of probe requests[^7]. On the Wikipedia page for the comparison of [open source WLAN drivers](https://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers) you can find other hardware besides ath9k WLAN adapters that does not need vendor specific firmware[^8].
|
||||
|
||||
After our warning in summer 2019, we summarized our ideas for avoiding probe requests and listening for probe responses in a [proposal for improving the Tails operating system](https://gitlab.tails.boum.org/tails/tails/-/issues/17831). In it, we suggest replacing network software on Debian (which provides the basis for Tails) with newer applications in which periodic scanning for access points can be disabled. In our tests, this made it possible to passively find access points and establish a connection without probe requests. These considerations were initially [rejected by the Tails developers](https://gitlab.tails.boum.org/tails/tails/-/issues/6453), since a software we used (iwd) is still too unstable in their eyes.
|
||||
|
||||
*capulcu*
|
||||
|
||||
|
||||
# Appendix 2: Location, Location, Location
|
||||
*From **How to Hack like a Ghost** by Sparc Flow, available on [Library Genesis](https://en.wikipedia.org/wiki/Library_Genesis)*
|
||||
|
||||
One way to increase your anonymity is to be careful of your physical location when hacking. Don’t get me wrong: Tor is amazing. [...] But when you do rely on these services, always assume that your IP address—and hence, your geographical location and/or browser fingerprint—is known to these intermediaries and can be discovered by your final target or anyone investigating on their behalf. Once you accept this premise, the conclusion naturally presents itself: to be truly anonymous on the internet, you need to pay as much attention to your physical trail as you do to your internet fingerprint.
|
||||
|
||||
If you happen to live in a big city, use busy train stations, malls, or similar public gathering places that have public Wi-Fi to quietly conduct your operations. Just another dot in the fuzzy stream of daily passengers. However, be careful not to fall prey to our treacherous human pattern-loving nature. Avoid at all costs sitting in the same spot day in, day out. Make it a point to visit new locations and even change cities from time to time.
|
||||
|
||||
Some places in the world, like China, Japan, the UK, Singapore, the US, and even some parts of France, have cameras monitoring streets and public places. In that case, an alternative would be to embrace one of the oldest tricks in the book: war driving. Use a car[^9] to drive around the city looking for public Wi-Fi hotspots. A typical Wi-Fi receiver can catch a signal up to 40 meters (~150 feet) away, which you can increase to a couple hundred meters (a thousand feet) with a directional antenna, like Alfa Networks' Wi-Fi adapter. Once you find a free hotspot, or a poorly secured one that you can break into—WEP encryption and weak WPA2 passwords are not uncommon and can be cracked with tools like Aircrack-ng and Hashcat— park your car nearby and start your operation. If you hate aimlessly driving around, check out online projects like [WiFi Map](https://www.wifimap.io) that list open Wi-Fi hotspots, sometimes with their passwords.
|
||||
|
||||
Hacking is really a way of life. If you are truly committed to your cause, you should fully embrace it and avoid being sloppy at all costs.
|
||||
|
||||
|
||||
[^1]: This applies to the IPv4 Internet protocol standard. Caution: In some company networks, this no longer applies!
|
||||
|
||||
[^2]: Eight million Probe Requests, most of which were collected from a busy square in Rome and a train station in Lyon.
|
||||
|
||||
[^3]: According to the Tails developers, unusual MAC addresses also stand out and are therefore not used by Tails.
|
||||
|
||||
[^4]: Tails does not change the MAC address after a random number of probe requests, nor does it reset the sequence number of transmitted packets, which provides additional tracking.
|
||||
|
||||
[^5]: HT Capabilities, Supported Rates, Extended Supported Rates, Extended Capabilities, VHT Capabilities, Vendor Specific,...
|
||||
|
||||
[^6]: More precisely: via the kernel.
|
||||
|
||||
[^7]: The smaller the packet size, the fewer traces there are as well.
|
||||
|
||||
[^8]: Recognizable by the green fields in the column "Non-free firmware required."
|
||||
|
||||
[^9]: AnarSec note: This guide is not taking into account the possibility of physical surveillance. We would not recommend using a car, due to how it can easily be [tracked with a GPS device](https://www.csrc.link/threat-library/techniques/covert-surveillance-devices/location.html).
|
||||
|
|
|
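Review bot: footnote [^1] says the claim "not usually sent beyond the router" applies to IPv4 but does not say what changes under IPv6; the point worth giving the reader is that IPv6 addresses formed by stateless autoconfiguration from the interface's EUI-64 embed the hardware MAC in the address unless privacy extensions are in use, so with such an address the (spoofed) MAC does travel past the router, and the footnote should say so rather than only warning about company networks. Three smaller points in the same appendix text: (1) the list item for "Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field" is missing the closing quotation mark that the other three items in the list have; (2) the parenthesis in the timing-attack paragraph, "(which does not happen under Tails and is fatal according to the paper)", is ambiguous about whether the paper calls periodic MAC changes fatal or the absence of them, and footnote [^4] separately says Tails does not change the MAC after a number of probe requests, so rephrase it to say which behaviour the timing attack defeats; (3) the quoted Sparc Flow passage converts 40 meters to "~150 feet", but 40 m is about 130 ft, and "a directional antenna, like Alfa Networks' Wi-Fi adapter" names an adapter rather than an antenna; since this is a verbatim book excerpt, both corrections belong in an AnarSec footnote alongside [^9] rather than in the quote itself.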
@ -248,7 +248,9 @@ The Onion Circuits application shows which Tor circuit a connection to a server
|
|||
|
||||

|
||||
|
||||
Like any software, Tor Browser has vulnerabilities that can be exploited. To limit this, it's important to keep Tails up to date, and it's also recommended to increase the security settings of the Tor browser: you click on the shield icon and then **Change**. By default it's set to Standard, which is a browsing quality that hardly changes from a normal browser. We recommend that you set the most restrictive setting before starting any browsing: **Safest**. The layout of some sites may be modified, and sometimes some content will not be downloaded anymore (images, videos, etc.). Some sites will not work at all; if you have reason to trust them, you can view them on a less restrictive setting on a site by site basis. Note that both of the less restrictive setting allow scripts to function, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
||||
Like any software, Tor Browser has vulnerabilities that can be exploited. To limit this, it's important to keep Tails up to date, and it's also recommended to increase the security settings of the Tor browser: you click on the shield icon and then **Change**. By default it's set to Standard, which is a browsing quality that hardly changes from a normal browser. We recommend that you set the most restrictive setting before starting any browsing: **Safest**.
|
||||
|
||||
The layout of some sites may be modified, and some types of content will be disabled (SVG images, videos are click-to-play, etc.). For example, this website has two things which will be blocked on Safest mode because they rely on Javascript: dark mode, and the Table of Contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them on a less restrictive setting on a site by site basis. Note that both of the less restrictive setting allow scripts to function, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
||||
|
||||
***Downloading/uploading and the Tor Browser folder***
|
||||
|
||||
|
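Review bot: "both of the less restrictive setting allow scripts to function" should read "settings"; the sentence was carried over unchanged from the old paragraph into the new second paragraph, so fix it there. Two points on the surrounding wording: Tor Browser's Safer level does not run scripts on every site (it disables JavaScript on non-HTTPS sites), so "allow scripts to function" is more precise as "allow scripts to run on at least some sites"; and "a browsing quality that hardly changes from a normal browser" reads awkwardly, "a level at which browsing hardly differs from a normal browser" says the same thing. The new note that this site's dark mode and table of contents are JavaScript-driven and therefore blocked at Safest is consistent with the commit's "dark mode js, toc js" changes; it would help to add that the page remains readable without them.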