change tails.boum.org to tails.net

anarsec 2024-04-11 18:05:56 +00:00
parent 4abe74a188
commit d34cbea02a
No known key found for this signature in database
5 changed files with 44 additions and 44 deletions


@ -21,7 +21,7 @@ An attacker who “simply” tries every possible key to access a service or dec
### Checksums / Fingerprints
Checksums are digital fingerprints: small-sized blocks of data derived from another block of digital data for the purpose of detecting any changes that may have been made. For example, when you download the [Noisy script](https://0xacab.org/anarsec/noisy), the SHA512 checksum will be: `ed3e1c4012d38300ed2160bddb6ef33d22ffb67036e8f86eb7a45b683b2cd2501e63b2b6a528635cbc098175690ef9cb49598fb6cfe9361c4390bf5cb731272c`. You can use [hash functions](https://open.oregonstate.education/defenddissent/chapter/cryptographic-hash/) like SHA512 to create fingerprints. Essentially, this mathematical operation converts the 0's and 1's of the file into a unique "fingerprint". Changing a single 1 or 0 results in a completely different fingerprint. It is often important to know if a file has changed, such as when downloading the image file for an operating system. Fingerprints are often used in cryptography (e.g. in certificates or to verify [public keys](/glossary/#public-key-cryptography) in general). [GtkHash](https://tails.boum.org/doc/encryption_and_privacy/checksums/index.en.html) is a program that allows you to calculate checksums without using a command line interface.
Checksums are digital fingerprints: small-sized blocks of data derived from another block of digital data for the purpose of detecting any changes that may have been made. For example, when you download the [Noisy script](https://0xacab.org/anarsec/noisy), the SHA512 checksum will be: `ed3e1c4012d38300ed2160bddb6ef33d22ffb67036e8f86eb7a45b683b2cd2501e63b2b6a528635cbc098175690ef9cb49598fb6cfe9361c4390bf5cb731272c`. You can use [hash functions](https://open.oregonstate.education/defenddissent/chapter/cryptographic-hash/) like SHA512 to create fingerprints. Essentially, this mathematical operation converts the 0's and 1's of the file into a unique "fingerprint". Changing a single 1 or 0 results in a completely different fingerprint. It is often important to know if a file has changed, such as when downloading the image file for an operating system. Fingerprints are often used in cryptography (e.g. in certificates or to verify [public keys](/glossary/#public-key-cryptography) in general). GtkHash is a program that allows you to calculate checksums without using a command line interface.
### Command Line Interface (CLI)
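Review bot: The replacement line in this hunk drops the GtkHash link instead of moving it to the new host: `[GtkHash](https://tails.boum.org/doc/encryption_and_privacy/checksums/index.en.html)` becomes plain `GtkHash`. The commit message only announces a domain change, so readers lose the pointer to the checksum documentation with no explanation. If that page exists under tails.net, keep the link with the new host; if it was removed upstream, say so in the commit message.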


@ -157,7 +157,7 @@ Click on the Domains widget to see which Qubes are currently running and how muc
# How to Install Software
While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html) (GUI) for installing additional software, Qubes OS does not at this time, so new software must be installed from the command line. If you are unfamiliar with the command line or how software works in Linux, see [Linux Essentials](/posts/linux/) to get acquainted. When choosing what additional software to install, keep in mind that being [open-source](/glossary/#open-source) is an essential criteria, but not sufficient to be considered secure. The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
While Tails [has a Graphical User Interface](https://tails.net/doc/persistent_storage/additional_software/index.en.html) (GUI) for installing additional software, Qubes OS does not at this time, so new software must be installed from the command line. If you are unfamiliar with the command line or how software works in Linux, see [Linux Essentials](/posts/linux/) to get acquainted. When choosing what additional software to install, keep in mind that being [open-source](/glossary/#open-source) is an essential criteria, but not sufficient to be considered secure. The list of [included software for Tails](https://tails.net/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or on the command line.
@ -357,7 +357,7 @@ Configuring Qubes OS is much more flexible than configuring Tails, but most of t
* For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail).
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://www.notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further discussion of deciding what Internet to use.
* Reducing risks when using untrusted computers
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.boum.org/install/expert/index.en.html).
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.net/install/expert/index.en.html).
* Only attach USBs and external drives to a qube that is disposable and offline.
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. Unlike for Tails, it's not possible to remove the hard drive because it is used by the operating system. Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive (and App qubes don't have write access to their templates).


@ -14,7 +14,7 @@ a4="tails-best-a4.pdf"
letter="tails-best-letter.pdf"
+++
As mentioned in our [recommendations](/recommendations/#your-computer), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that requires leaving no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive and is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
As mentioned in our [recommendations](/recommendations/#your-computer), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that requires leaving no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive and is [designed](https://tails.net/about/) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary#threat-model) - operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://www.notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations.
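Review bot: The `designed` link in the changed line is rewritten to `https://tails.net/about/`, which also drops the `index.en.html` suffix, while the same link in the Tails tutorial hunk of this commit becomes `https://tails.net/about/index.en.html`. Every other link in the commit keeps its path and only swaps the host. Use one form in both articles so the two pages do not drift, and so a later search for the old path style finds every occurrence.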
@ -22,7 +22,7 @@ This text describes some additional precautions you can take that are relevant t
# Tails Warnings
Let's start by looking at the [Tails Warnings page](https://tails.boum.org/doc/about/warnings/index.en.html).
Let's start by looking at the [Tails Warnings page](https://tails.net/doc/about/warnings/index.en.html).
## Protecting your identity when using Tails
@ -58,7 +58,7 @@ You can mitigate this second issue by what's called **"compartmentalization"**:
### 1. Hiding that you are using Tor and Tails
You can mitigate this first issue by [**Tor bridges**](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#bridges):
You can mitigate this first issue by [**Tor bridges**](https://tails.net/doc/anonymous_internet/tor/index.en.html#bridges):
* Tor Bridges are secret Tor relays that hide your connection to the Tor network. However, this is only necessary where connections to Tor are blocked, such as in heavily censored countries, by some public networks, or by some parental control software. This is because Tor and Tails don't protect you by making you look like any other Internet user, but by making all Tor and Tails users look the same. It becomes impossible to tell who is who among them.
@ -79,7 +79,7 @@ When using Wi-Fi in a public space, keep the following operational security cons
* Do not get into a routine of using the same cafes repeatedly if you can avoid it.
* If you have to buy a coffee to get the Wi-Fi password, pay in cash!
* Position yourself with your back against a wall so that no one can "shoulder surf" to see your screen, and ideally install a [privacy screen](/posts/tails/#privacy-screen) on your laptop.
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. It is very difficult to maintain adequate situational awareness while staying focused on your Tails session - consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.boum.org/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. It is very difficult to maintain adequate situational awareness while staying focused on your Tails session - consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.net/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.net/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
* One person in charge of a darknet marketplace had his Tails computer seized while distracted by a fake fight next to him. Similar tactics have been used [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt with a short piece of fishing line, the police would most likely have lost all evidence when the Tails USB was pulled out. A more technical equivalent is [BusKill](https://www.buskill.in/tails/) - however, we only recommend buying this [in person](https://www.buskill.in/leipzig-proxystore/) or [3D printing it](https://www.buskill.in/3d-print-2023-08/). This is because any mail can be [intercepted](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction) and altered, making the hardware [malicious](https://en.wikipedia.org/wiki/BadUSB).
* If coffee shops without CCTV cameras are few and far between, you can try accessing a coffee shop's Wi-Fi from outside, out of view of the cameras.
@ -116,7 +116,7 @@ To summarize: For sensitive and brief Internet activities, use Internet from a r
You can mitigate this first issue by **using a computer you trust to install Tails**:
* According to our [recommendations](/recommendations/#your-computer), this would ideally be a [Qubes OS](/posts/qubes/) system, as it is much harder to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick that has been installed with Qubes OS (and who uses these best practices), you could [clone it](/posts/tails/#installation) instead of installing it yourself.
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-gpg-explanation).
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.net/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-gpg-explanation).
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs used during Tails sessions) into any other computer while it is running a non-Tails operating system; if the computer is infected, the infection can [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).
### 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware
@ -159,8 +159,8 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
If your Tails USB stick has a write-protect switch and secure firmware, such as [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are protected from compromising the USB firmware during a Tails session. If the switch is locked, you are also protected from compromising the Tails software. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot "take root" and would not carry over to subsequent Tails sessions. Note that HEADS firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. If you aren't using HEADS and you are unable to obtain such a USB, you have two options.
1) [Burn Tails to a new DVD-R/DVD+R](https://tails.boum.org/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten.
2) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.boum.org/doc/advanced_topics/boot_options/index.en.html).
1) [Burn Tails to a new DVD-R/DVD+R](https://tails.net/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten.
2) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.net/doc/advanced_topics/boot_options/index.en.html).
* For SYSLINUX, when the boot screen appears, press Tab, and type a space. Type `toram` and press Enter.
* For GRUB, when the boot screen appears, press `e` and use the keyboard arrows to move to the end of the line that starts with `linux`. The line is probably wrapped and displayed on multiple lines, but it is a single configuration line. Type `toram` and press F10 or Ctrl+X.
* You can eject the Tails USB at the beginning of your session before you do anything else (whether it is connecting to the Internet or plugging in another USB) and then still use it like normal.
@ -193,7 +193,7 @@ If its not possible to find a USB with a write-protect switch, you can alternati
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a random sequence of characters (letters, numbers and other symbols), while a [*passphrase*](/glossary/#passphrase) is a random sequence of words.
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** - when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 ([forthcoming](https://gitlab.tails.boum.org/tails/tails/-/issues/19733)) and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** - when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (seven words).
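Review bot: The changed line here is not a host swap: it deletes `([forthcoming](https://gitlab.tails.boum.org/tails/tails/-/issues/19733))`, so the text now states that LUKS2 with Argon2id is the default as of Tails 6.0 without qualification or reference. That is a change to a factual security claim and deserves its own commit, or at least a line in the commit message, so it can be reviewed and reverted independently of the link rename.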
@ -270,7 +270,7 @@ Tails prevents deanonymization through phishing by forcing all internet connecti
For untrusted attachments, you would ideally **sanitize all files sent to you before opening them** with a program like [Dangerzone](https://dangerzone.rocks/), which takes potentially dangerous PDFs, office documents, or images and converts them into safe PDFs. Unfortunately, Dangerzone is [not yet readily available in Tails](https://gitlab.tails.boum.org/tails/tails/-/issues/18135). Until Dangerzone is made available in Tails, there is no program to sanitize untrusted files into trusted files.
**It is best to open untrusted files in a dedicated ['offline mode'](https://tails.boum.org/doc/first_steps/welcome_screen/index.en.html#index3h2) Tails session**. This will prevent anything malicious from calling home. Shutting the session down immediately afterward will minimize the chance of malware persisting. However, the files will remain untrusted.
**It is best to open untrusted files in a dedicated ['offline mode'](https://tails.net/doc/first_steps/welcome_screen/index.en.html#index3h2) Tails session**. This will prevent anything malicious from calling home. Shutting the session down immediately afterward will minimize the chance of malware persisting. However, the files will remain untrusted.
## Links
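Review bot: The first context line of this hunk still links to `https://gitlab.tails.boum.org/tails/tails/-/issues/18135` and the commit leaves it untouched, while only the `offline mode` link two lines below is moved to tails.net. If the GitLab host is deliberately out of scope for this rename, note that in the commit message; otherwise the rename is incomplete and this line should be checked along with any other `gitlab.tails.boum.org` references.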
@ -296,7 +296,7 @@ Using Tails without any of this advice is still a vast improvement over many oth
# Appendix: GPG Explanation
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.boum.org/install/expert/index.en.html):
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.net/install/expert/index.en.html):
* `wget`: this downloads files from the Internet using the Command Line (rather than a web browser)
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. This is used to verify the integrity and authenticity of the Tails download.
@ -313,7 +313,7 @@ Now you need to understand the basics of public-key cryptography. [This Computer
![](signature.png)
Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.boum.org/install/expert/index.en.html).
Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.net/install/expert/index.en.html).
## Step: Generate a Key-Pair


@ -14,11 +14,11 @@ a4="tails-a4.pdf"
letter="tails-letter.pdf"
+++
Tails is an [operating system](/glossary/#operating-system-os) that makes anonymous computer use accessible to everyone. Tails is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer unless you explicitly configure it to save specific data. It accomplishes this by running from a DVD or USB, independent of the operating system installed on the computer. Tails comes with [several built-in applications](https://tails.boum.org/doc/about/features/index.en.html) preconfigured with security in mind, and all anarchists should know how to use it for secure communication, research, editing, and publishing sensitive content.
Tails is an [operating system](/glossary/#operating-system-os) that makes anonymous computer use accessible to everyone. Tails is [designed](https://tails.net/about/index.en.html) to leave no trace of your activity on your computer unless you explicitly configure it to save specific data. It accomplishes this by running from a DVD or USB, independent of the operating system installed on the computer. Tails comes with [several built-in applications](https://tails.net/doc/about/features/index.en.html) preconfigured with security in mind, and all anarchists should know how to use it for secure communication, research, editing, and publishing sensitive content.
<!-- more -->
The [documentation on the Tails website](https://tails.boum.org/) is excellent and easy to follow. This tutorial summarizes the most relevant documentation and additionally includes configuration and usage advice specific to an anarchist [threat model](/glossary/#threat-model). Our [Tails Best Practices](/posts/tails-best) article goes into more detail, but we recommend that you familiarize yourself with the basics of Tails before reading it.
The [documentation on the Tails website](https://tails.net/doc/index.en.html) is excellent and easy to follow. This tutorial summarizes the most relevant documentation and additionally includes configuration and usage advice specific to an anarchist [threat model](/glossary/#threat-model). Our [Tails Best Practices](/posts/tails-best) article goes into more detail, but we recommend that you familiarize yourself with the basics of Tails before reading it.
# TAILS: **T**he **A**mnesic & **I**ncognito **L**ive **S**ystem
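Review bot: The documentation link in the second changed line changes its target as well as its host: `https://tails.boum.org/` becomes `https://tails.net/doc/index.en.html`. Pointing at the documentation index fits the link text better than the site root, but it goes beyond what the commit message describes. Mention the retargeting in the message so the diff can be read as "host swap plus these listed exceptions".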
@ -73,7 +73,7 @@ It makes no sense to say "this tool is secure". Security always depends on the t
* Although it is possible to use Tails on a desktop computer, it is not recommended because it is only possible to [detect physical tampering](/posts/tamper/#tamper-evident-laptop-screws) on a laptop. Also, it would be harder to detect if someone had opened your desktop case and installed a physical keylogger. See [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers) for more information on obtaining a laptop.
Some laptop and USB models will not work with Tails, or some features will not work. To see if your model has any known issues, see the [Tails known issues page](https://tails.boum.org/support/known_issues/).
Some laptop and USB models will not work with Tails, or some features will not work. To see if your model has any known issues, see the [Tails known issues page](https://tails.net/support/known_issues/).
If Tails is too slow, make sure the USB is 3.0 or higher and that you are using a USB 3.0 port on the laptop. If Tails freezes frequently, you can add more RAM to your computer. 8GB should be sufficient.
@ -85,19 +85,19 @@ There are two solutions for the "source".
### Solution 1: Install from another Tails USB
* This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.boum.org/install/clone/pc/index.en.html) or [Mac](https://tails.boum.org/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation.
* This requires knowing a Tails user you trust. A very simple software called the Tails Installer allows you to "clone" an existing Tails USB to a new one in a few minutes; see the documentation for cloning from a [PC](https://tails.net/install/clone/pc/index.en.html) or [Mac](https://tails.net/install/clone/mac/index.en.html). Any Persistent Storage data won't be transferred. The downside of this method is that it may spread a compromised installation.
### Solution 2: Install by download (preferred)
* You must follow the [Tails installation instructions](https://tails.boum.org/install/index.en.html). The Tails website provides step-by-step instructions; it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you ([man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.boum.org/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download.
* You must follow the [Tails installation instructions](https://tails.net/install/index.en.html). The Tails website provides step-by-step instructions; it is important to follow the entire tutorial. It is possible for an attacker to intercept and modify the data on its way to you ([man-in-the-middle attack](/glossary#man-in-the-middle-attack)), so do not skip the verification steps. As discussed in [Tails Best Practices](/posts/tails-best/#reducing-risks-when-using-untrusted-computers), the [GnuPG installation method](https://tails.net/install/expert/index.en.html) is preferable because it more thoroughly verifies the integrity of the download.
## Booting from your Tails USB
Once you have a Tails USB, follow the Tails instructions [for booting Tails on a Mac or PC](https://tails.boum.org/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on your laptop. The Boot Loader screen will appear and Tails will start automatically after 4 seconds.
Once you have a Tails USB, follow the Tails instructions [for booting Tails on a Mac or PC](https://tails.net/doc/first_steps/start/index.en.html). The Tails USB must be inserted before turning on your laptop. The Boot Loader screen will appear and Tails will start automatically after 4 seconds.
![](grub.png)
After about 30 seconds of loading, the [Welcome Screen](https://tails.boum.org/doc/first_steps/welcome_screen/index.en.html) will appear.
After about 30 seconds of loading, the [Welcome Screen](https://tails.net/doc/first_steps/welcome_screen/index.en.html) will appear.
![](welcome_screen.png)
@ -123,22 +123,22 @@ Tails is a classic and simple operating system.
1. The Activities menu. Allows you to see an overview of your windows and applications. It also allows you to search for applications, files, and folders. You can also access Activities by sending your mouse to the top left corner of your screen or by pressing the Command/Window (❖) key.
2. The Applications menu. Lists available applications (software), organized by topic.
3. The Places menu. Shortcuts to various folders and storage devices, which can also be accessed through the Files browser (**Applications → Accessories → Files**).
4. Date and time. Once connected to the Internet, all Tails systems around the world [share the same time](https://tails.boum.org/doc/first_steps/desktop/time/index.en.html).
4. Date and time. Once connected to the Internet, all Tails systems around the world [share the same time](https://tails.net/doc/first_steps/desktop/time/index.en.html).
5. The Tor status indicator. Tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the Onion Circuits application from here. Check your Tor connection by visiting `check.torproject.org` in your Tor Browser.
6. The "Universal Access" button. This menu allows you to enable accessibility software such as the screen reader, visual keyboard, and large text display.
7. Choice of keyboard layouts. An icon showing the current keyboard layout (in the example above, en for an English layout). Clicking it provides options for other layouts selected at the Welcome Screen.
8. The System menu. From here, you can change the screen brightness and volume, the Wi-Fi and Ethernet connection (if connected), the battery status, and the restart and shutdown buttons.
9. The Workspaces icon. This button toggles between multiple views of the desktop (called "workspaces”), which can help reduce visual clutter on a small screen.
If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the system menu, see the [troubleshooting documentation](https://tails.boum.org/doc/anonymous_internet/no-wifi/index.en.html). Once you connect to Wi-Fi, a Tor Connection assistant will appear to help you connect to the Tor network. Select **Connect to Tor automatically**, unless you are in a country where you need to hide that you're using Tor (in which case you'll need to configure [a bridge](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#hiding)).
If your laptop is equipped with Wi-Fi, but there is no Wi-Fi option in the system menu, see the [troubleshooting documentation](https://tails.net/doc/anonymous_internet/no-wifi/index.en.html). Once you connect to Wi-Fi, a Tor Connection assistant will appear to help you connect to the Tor network. Select **Connect to Tor automatically**, unless you are in a country where you need to hide that you're using Tor (in which case you'll need to configure [a bridge](https://tails.net/doc/anonymous_internet/tor/index.en.html#hiding)).
## Optional: Create and Configure Persistent Storage
Tails is amnesiac by default. It will forget everything you have done as soon as you end the session. This isn't always what you want - for example, you may want to work on a document that you can't finish in one session. The same goes for installing additional software: you would have to redo the installation each time you start up. Tails has a feature called Persistent Storage, which allows you to save certain data between sessions. This is explicitly less secure, but necessary for some activities.
The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows a user to make some data persistent that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.boum.org/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**.
The principle behind Persistent Storage is to create a second storage area (called a partition) on your Tails USB that is encrypted. This new partition allows a user to make some data persistent that is, to keep it between Tails sessions. It's very easy to enable Persistent Storage. To create the [Persistent Storage](https://tails.net/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**.
A window will pop up asking you to enter a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for information on passphrase strength. You'll then [configure](https://tails.boum.org/doc/persistent_storage/configure/index.en.html) what you want to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
A window will pop up asking you to enter a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for information on passphrase strength. You'll then [configure](https://tails.net/doc/persistent_storage/configure/index.en.html) what you want to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
**Personal Documents:**
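Review bot: The rewritten Persistent Storage paragraph still carries "make some data persistent that is, to keep it between Tails sessions", which is missing punctuation before "that is" in both the old and the new line. Since the line is being replaced anyway, add a comma or dash there. The unchanged Workspaces item in the same hunk also pairs a straight opening quote with a curly closing quote around "workspaces", which could be normalized in the same pass.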
@ -147,7 +147,7 @@ A window will pop up asking you to enter a passphrase; see [Tails Best Practices
**System Settings:**
* **Welcome Screen**: Settings from the Welcome Screen: language, keyboard, and additional settings.
* **Printers**: [Printer configuration](https://tails.boum.org/doc/sensitive_documents/printing_and_scanning/index.en.html).
* **Printers**: [Printer configuration](https://tails.net/doc/sensitive_documents/printing_and_scanning/index.en.html).
**Network:**
@ -165,10 +165,10 @@ A window will pop up asking you to enter a passphrase; see [Tails Best Practices
**Advanced Settings:**
* **Additional Software**: If this feature is enabled, a list of additional software of your choice will be automatically installed each time you start Tails. These software packages are stored in Persistent Storage. They are automatically updated when you connect to the Internet. [Be careful what you install](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html#warning).
* **Additional Software**: If this feature is enabled, a list of additional software of your choice will be automatically installed each time you start Tails. These software packages are stored in Persistent Storage. They are automatically updated when you connect to the Internet. [Be careful what you install](https://tails.net/doc/persistent_storage/additional_software/index.en.html#warning).
* **Dotfiles**: In Tails and Linux in general, the names of configuration files often start with a dot, so they are sometimes called "dotfiles". These can be saved in the Persistent Storage. Be careful what configuration settings you change, as changing the defaults can break your anonymity.
To use Persistent Storage, you must unlock it on the Welcome Screen. If you want to change the passphrase, see the [documentation](https://tails.boum.org/doc/persistent_storage/passphrase/index.en.html). If you ever forget your passphrase, it's impossible to recover it; you'll have to [delete](https://tails.boum.org/doc/persistent_storage/delete/index.en.html) the Persistent Storage and start over.
To use Persistent Storage, you must unlock it on the Welcome Screen. If you want to change the passphrase, see the [documentation](https://tails.net/doc/persistent_storage/passphrase/index.en.html). If you ever forget your passphrase, it's impossible to recover it; you'll have to [delete](https://tails.net/doc/persistent_storage/delete/index.en.html) the Persistent Storage and start over.
In [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), we recommend against using Persistent Storage in most cases. Any files that need to be persistent can be stored on a second [LUKS-encrypted USB](#how-to-create-an-encrypted-usb) instead. Most Persistent Storage features do not work well with USBs that have a write-protect switch.
@ -180,13 +180,13 @@ Every time you start Tails, right after you connect to the Tor network, the Tail
![](upgrader_automatic.png)
### The [automatic upgrade](https://tails.boum.org/doc/upgrade/index.en.html)
### The [automatic upgrade](https://tails.net/doc/upgrade/index.en.html)
* A window will appear with information about the upgrade, and you will need to click **Upgrade now**. Wait a while for it to complete, then click 'Apply upgrade' and your internet will be interrupted for a moment. Wait until you see the Restart Tails window. If the upgrade fails (for example, because you shut down before it was finished), your Persistent Storage will not be affected, but you may not be able to restart your Tails USB. If you are using a USB with a write-protect switch, you will need to unlock it for the dedicated session in which you are performing the upgrade.
### The [manual upgrade](https://tails.boum.org/upgrade/tails/index.en.html)
### The [manual upgrade](https://tails.net/upgrade/tails/index.en.html)
* Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.boum.org/upgrade/tails/index.en.html).
* Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only used for major upgrades or if there is a problem with automatic upgrades. See the [documentation for manual upgrades](https://tails.net/upgrade/tails/index.en.html).
# II) Going Further: Several Tips and Explanations
@ -282,7 +282,7 @@ Be aware that if you are downloading or otherwise working with very large files,
![](onionshare.png)
It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.boum.org/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). By default, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to the settings and uncheck "Stop sharing after first download". As soon as you close OnionShare, disconnect from the Internet, or shut down Tails, the files will no longer be accessible. This is a great way to share files because it doesn't require you to plug a USB into someone else's computer, which we [don't recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared through another channel (such as a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type).
It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.net/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). By default, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to the settings and uncheck "Stop sharing after first download". As soon as you close OnionShare, disconnect from the Internet, or shut down Tails, the files will no longer be accessible. This is a great way to share files because it doesn't require you to plug a USB into someone else's computer, which we [don't recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared through another channel (such as a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type).
### Make Correlation Attacks More Difficult
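Review bot: The replaced OnionShare paragraph still reads "which we [don't recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers)"; it should be "don't recommend". The line is already being touched for the host change, so fix the typo in the same edit.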
@ -290,11 +290,11 @@ When you request a web page through a web browser, the site's server sends it to
To make this ["correlation attack"](/glossary/#correlation-attack) more difficult, disable JavaScript by using Tor Browser on the **Safest** setting.
Additionally, you can create concurrent traffic by using [Noisy](https://0xacab.org/anarsec/noisy) from the command line, which will make website traffic fingerprinting more difficult. [Doing multiple things at once with your Tor client](https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations/) is recommended by the Tor team.
Additionally, [doing multiple things at once with your Tor client](https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations/) is recommended by the Tor team.
## Included Software
Tails comes with [many applications](https://tails.boum.org/doc/about/features/index.en.html) by default. The documentation gives an overview of [Internet applications](https://tails.boum.org/doc/anonymous_internet/index.en.html), applications for [encryption and privacy](https://tails.boum.org/doc/encryption_and_privacy/index.en.html), and applications for [working with sensitive documents](https://tails.boum.org/doc/sensitive_documents/index.en.html). In the rest of this section, we will only highlight common use cases relevant to anarchists, but read the documentation for more information.
Tails comes with [many applications](https://tails.net/doc/about/features/index.en.html) by default. The documentation gives an overview of [Internet applications](https://tails.net/doc/anonymous_internet/index.en.html), applications for [encryption and privacy](https://tails.net/doc/encryption_and_privacy/index.en.html), and applications for [working with sensitive documents](https://tails.net/doc/sensitive_documents/index.en.html). In the rest of this section, we will only highlight common use cases relevant to anarchists, but read the documentation for more information.
## Password Manager (KeePassXC)
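Review bot: The "Additionally, ..." sentence under "Make Correlation Attacks More Difficult" changes more than a hostname. The new line drops the recommendation to create concurrent traffic with Noisy, along with its 0xacab.org link, and that is not covered by the commit message "change tails.boum.org to tails.net". Move the removal into its own commit with a rationale, or restore the clause here. If the removal is intended, the remaining sentence tells the reader that doing multiple things at once is recommended by the Tor team but no longer names a concrete way to do it.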
@ -306,7 +306,7 @@ We recommend that you compartmentalize your passwords - have a different KeePass
![](seconds.png)
When you [create a new KeePassXC database](https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), increase the decryption time in the **Encryption settings** window from the default to the maximum (5 seconds). Then choose a [strong passphrase](/posts/tails-best/#passwords) and save your KeePassXC file. We recommend that you click the small dice icon (🎲) in the password field to generate a random passphrase of 7-10 words.
When you [create a new KeePassXC database](https://tails.net/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), increase the decryption time in the **Encryption settings** window from the default to the maximum (5 seconds). Then choose a [strong passphrase](/posts/tails-best/#passwords) and save your KeePassXC file. We recommend that you click the small dice icon (🎲) in the password field to generate a random passphrase of 7-10 words.
This KeePassXC database file will contain all your passwords/passphrases and must persist between sessions on your Persistent Storage or on a separate LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). As soon as you close KeePassXC or don't use it for a few minutes, it will lock. Make sure you do not forget your main passphrase.
@ -324,7 +324,7 @@ Clicking "Permanently delete" or sending files to the "trash" does not delete da
However, it can take weeks or years before that space is actually used for new files, at which point the old data actually disappears. In the meantime, if you look directly at what is written to the drive, you can find the contents of the files. This is a fairly simple process, automated by many software programs that allow you to "recover" or "restore" data. You can't really delete data, but you can overwrite data, which is a partial solution.
There are two types of storage: magnetic (HDD) and flash (SSD, NVMe, USB, memory cards, etc.). The [wipe feature](https://tails.boum.org/doc/encryption_and_privacy/secure_deletion/index.en.html#index3h1) on Tails is not effective on USB storage. The only way to erase a file on a USB is to [reformat the entire USB](#how-to-create-an-encrypted-usb) and select **Overwrite existing data with zeros**. Doing this twice is a good idea.
There are two types of storage: magnetic (HDD) and flash (SSD, NVMe, USB, memory cards, etc.). The only way to erase a file on a USB is to [reformat the entire USB](#how-to-create-an-encrypted-usb) and select **Overwrite existing data with zeros**. Doing this twice is a good idea.
However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (i.e. thermite).
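Review bot: The storage-types line loses the sentence "The wipe feature on Tails is not effective on USB storage" instead of having its link rewritten to tails.net. That caveat is what motivates the following sentence ("The only way to erase a file on a USB is to reformat the entire USB"), and without it a reader may assume the wipe feature is adequate on flash media. Keep the sentence with the updated host. If the linked page no longer exists, keep the statement without the link and say so in the commit message.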
@ -353,7 +353,7 @@ If you insert an encrypted USB, it will not open automatically, but only when yo
## Encrypting a file with a password or public key
In Tails, you can use the Kleopatra application to [encrypt a file](https://tails.boum.org/doc/encryption_and_privacy/kleopatra/index.en.html#index1h1) with a password or public PGP key. This creates a .pgp file. If you want to encrypt a file, do so in RAM before saving it to a LUKS USB. Once the unencrypted version of a file is saved on a USB, the USB must be reformatted to remove it.
In Tails, you can use the Kleopatra application to [encrypt a file](https://tails.net/doc/encryption_and_privacy/kleopatra/index.en.html#index1h1) with a password or public PGP key. This creates a .pgp file. If you want to encrypt a file, do so in RAM before saving it to a LUKS USB. Once the unencrypted version of a file is saved on a USB, the USB must be reformatted to remove it.
If you choose the password option, you must open the file in Tails and enter the password. If you don't want the unencrypted data to be stored in the same place where you saved it (e.g. on a USB), it's best to copy the encrypted file to a Tails folder that's only in RAM (e.g. **Places → Documents**) before decrypting it.
@ -372,7 +372,7 @@ To set an administration password, you must select an administration password on
## Installing additional software
If you install new software, it's up to you to make sure it's secure. Tails forces all software to connect to the internet through Tor, so you may need to use a program called `torsocks` from the Terminal to start additional software that requires an Internet connection (e.g. `torsocks --isolate mumble`). The software used in Tails is audited for security, but this may not be the case for what you install. Before installing new software, it's best to make sure that Tails doesn't already have software that does the job you want it to do. If you want additional software to persist beyond a single session, you need to enable "Additional Software" in the Persistent Storage [configuration](https://tails.boum.org/doc/persistent_storage/configure/index.en.html).
If you install new software, it's up to you to make sure it's secure. Tails forces all software to connect to the internet through Tor, so you may need to use a program called `torsocks` from the Terminal to start additional software that requires an Internet connection (e.g. `torsocks --isolate mumble`). The software used in Tails is audited for security, but this may not be the case for what you install. Before installing new software, it's best to make sure that Tails doesn't already have software that does the job you want it to do. If you want additional software to persist beyond a single session, you need to enable "Additional Software" in the Persistent Storage [configuration](https://tails.net/doc/persistent_storage/configure/index.en.html).
To install software from the Debian software repository:
@ -382,13 +382,13 @@ To install software from the Debian software repository:
* Once done, if your Persistent Storage is open, Tails will ask if you want to install it once or add it to your Persistent Storage. If you add it to your Persistent Storage, the relevant software files will be saved there. For security reasons, they are automatically updated whenever a network connection is established.
* You can access and remove the additional software you have installed by going to **Applications → System Tools → Additional Software**.
For more information, see the documentation on [installing additional software](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html).
For more information, see the documentation on [installing additional software](https://tails.net/doc/persistent_storage/additional_software/index.en.html).
## Remember to make backups!
A Tails USB is easily lost, and USBs have a much shorter lifespan than hard drives (especially the cheap ones). If you have important data on it, remember to back it up regularly. If you use a second LUKS-encrypted USB, this is as simple as using the File Manager to copy files to a backup LUKS-encrypted USB.
If you use Persistent Storage, see the [documentation for backing it up](https://tails.boum.org/doc/persistent_storage/backup/index.en.html).
If you use Persistent Storage, see the [documentation for backing it up](https://tails.net/doc/persistent_storage/backup/index.en.html).
## Privacy screen
@ -398,7 +398,7 @@ A [privacy screen](https://en.wikipedia.org/wiki/Monitor_filter) can be added to
***The computer tries to boot the USB but it doesn't work***
Check the error messages you get (for example, if you have an old 32-bit computer, it won't work with Tails). If it says `Error starting GDM with your graphics card`, the issue is with the graphics card; check the documentation for [Known issues with graphics cards](https://tails.boum.org/support/known_issues/graphics/index.en.html). You can also check the list of [known issues](https://tails.boum.org/support/known_issues/index.en.html) on the Tails site for your computer model.
Check the error messages you get (for example, if you have an old 32-bit computer, it won't work with Tails). If it says `Error starting GDM with your graphics card`, the issue is with the graphics card; check the documentation for [Known issues with graphics cards](https://tails.net/support/known_issues/graphics/index.en.html). You can also check the list of [known issues](https://tails.net/support/known_issues/index.en.html) on the Tails site for your computer model.
If the Tails Boot Loader page appears, try booting into Tails troubleshooting mode.
@ -406,7 +406,7 @@ If the Tails Boot Loader page appears, try booting into Tails troubleshooting mo
After an upgrade or otherwise, Tails no longer starts on your computer. You have three options:
1) See if the [Tails news page](https://tails.boum.org/news/index.en.html) mentions any problems with the upgrade.
1) See if the [Tails news page](https://tails.net/news/index.en.html) mentions any problems with the upgrade.
2) Perform a manual upgrade, which may be necessary if the computer was turned off before the upgrade was complete.
3) If the first two solutions don't work, the USB is too old, of poor quality, or has been broken. If you need to recover data from Persistent Storage, plug that USB into a Tails session using another USB. It will appear as a normal USB that you will need to unlock with your password. If you can't access your data on another Tails USB that has Persistent Storage enabled, your USB may be dead.
@ -424,7 +424,7 @@ In some programs, this is normal if the same file is already open. If this isn't
***I can't install Tails on a USB***
Make sure your USB is not [known to have issues](https://tails.boum.org/support/known_issues/index.en.html#problematic-usb-sticks) with Tails. [Format](#how-to-create-an-encrypted-usb) the entire USB and try the installation again.
Make sure your USB is not [known to have issues](https://tails.net/support/known_issues/index.en.html#problematic-usb-sticks) with Tails. [Format](#how-to-create-an-encrypted-usb) the entire USB and try the installation again.
***Is an application slowing down Tails? The screen is glitching?***

View file

@ -17,7 +17,7 @@ We agree with the conclusion of an overview of [targeted surveillance measures i
## Your Computer
>**[Operating system](/glossary#operating-system-os)**: **Tails** is unparalleled for sensitive computer use (writing and sending communiques, moderating a sketchy website, researching for actions, reading articles that may be criminalized, etc.). Tails runs from a USB drive and is [designed](https://tails.boum.org/about/index.en.html) with the anti-forensic property of leaving no trace of your activity on your computer, as well as forcing all Internet connections through the [Tor network](/glossary#tor-network). See [Tails for Anarchists](/posts/tails/) and [Tails Best Practices](/posts/tails-best/).
>**[Operating system](/glossary#operating-system-os)**: **Tails** is unparalleled for sensitive computer use (writing and sending communiques, moderating a sketchy website, researching for actions, reading articles that may be criminalized, etc.). Tails runs from a USB drive and is designed with the anti-forensic property of leaving no trace of your activity on your computer, as well as forcing all Internet connections through the [Tor network](/glossary#tor-network). See [Tails for Anarchists](/posts/tails/) and [Tails Best Practices](/posts/tails-best/).
>**[Operating system](/glossary#operating-system-os)**: **Qubes OS** has better security than Tails for many use cases, but has a steeper learning curve and no anti-forensic features. However, it is accessible enough for journalists and other non-technical users. Basic knowledge of using Linux is required - see [Linux Essentials](/posts/linux). Qubes OS can even run Windows programs such as Adobe InDesign, but much more securely than a standard Windows computer. See [Qubes OS for Anarchists](/posts/qubes/).
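Review bot: In the Tails entry, the link on "designed" (https://tails.boum.org/about/index.en.html) is removed outright rather than pointed at tails.net. If the about page has no equivalent on the new domain, say so in the commit message. Otherwise keep the link with the new host so the anti-forensic design claim stays sourced.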