mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-08-07 14:02:34 -04:00
change tails.boum.org to tails.net
This commit is contained in:
anarsec
parent
4abe74a188
commit
d34cbea02a
5 changed files with 44 additions and 44 deletions
|
|
@ -14,7 +14,7 @@ a4="tails-best-a4.pdf"
|
|||
letter="tails-best-letter.pdf"
|
||||
+++
|
||||
|
||||
As mentioned in our [recommendations](/recommendations/#your-computer), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that requires leaving no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive and is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
|
||||
As mentioned in our [recommendations](/recommendations/#your-computer), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that requires leaving no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive and is [designed](https://tails.net/about/) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
|
||||
|
||||
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary#threat-model) - operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://www.notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations.
|
||||
|
||||
|
|
@ -22,7 +22,7 @@ This text describes some additional precautions you can take that are relevant t
|
|||
|
||||
# Tails Warnings
|
||||
|
||||
Let's start by looking at the [Tails Warnings page](https://tails.boum.org/doc/about/warnings/index.en.html).
|
||||
Let's start by looking at the [Tails Warnings page](https://tails.net/doc/about/warnings/index.en.html).
|
||||
|
||||
## Protecting your identity when using Tails
|
||||
|
||||
|
|
@ -58,7 +58,7 @@ You can mitigate this second issue by what's called **"compartmentalization"**:
|
|||
|
||||
### 1. Hiding that you are using Tor and Tails
|
||||
|
||||
You can mitigate this first issue by [**Tor bridges**](https://tails.boum.org/doc/anonymous_internet/tor/index.en.html#bridges):
|
||||
You can mitigate this first issue by [**Tor bridges**](https://tails.net/doc/anonymous_internet/tor/index.en.html#bridges):
|
||||
|
||||
* Tor Bridges are secret Tor relays that hide your connection to the Tor network. However, this is only necessary where connections to Tor are blocked, such as in heavily censored countries, by some public networks, or by some parental control software. This is because Tor and Tails don't protect you by making you look like any other Internet user, but by making all Tor and Tails users look the same. It becomes impossible to tell who is who among them.
|
||||
|
||||
|
|
@ -79,7 +79,7 @@ When using Wi-Fi in a public space, keep the following operational security cons
|
|||
* Do not get into a routine of using the same cafes repeatedly if you can avoid it.
|
||||
* If you have to buy a coffee to get the Wi-Fi password, pay in cash!
|
||||
* Position yourself with your back against a wall so that no one can "shoulder surf" to see your screen, and ideally install a [privacy screen](/posts/tails/#privacy-screen) on your laptop.
|
||||
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. It is very difficult to maintain adequate situational awareness while staying focused on your Tails session - consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.boum.org/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
|
||||
* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. It is very difficult to maintain adequate situational awareness while staying focused on your Tails session - consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings. If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.net/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. Note that [Tails warns](https://tails.net/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage."
|
||||
* One person in charge of a darknet marketplace had his Tails computer seized while distracted by a fake fight next to him. Similar tactics have been used [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt with a short piece of fishing line, the police would most likely have lost all evidence when the Tails USB was pulled out. A more technical equivalent is [BusKill](https://www.buskill.in/tails/) - however, we only recommend buying this [in person](https://www.buskill.in/leipzig-proxystore/) or [3D printing it](https://www.buskill.in/3d-print-2023-08/). This is because any mail can be [intercepted](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction) and altered, making the hardware [malicious](https://en.wikipedia.org/wiki/BadUSB).
|
||||
* If coffee shops without CCTV cameras are few and far between, you can try accessing a coffee shop's Wi-Fi from outside, out of view of the cameras.
|
||||
|
||||
|
|
@ -116,7 +116,7 @@ To summarize: For sensitive and brief Internet activities, use Internet from a r
|
|||
You can mitigate this first issue by **using a computer you trust to install Tails**:
|
||||
|
||||
* According to our [recommendations](/recommendations/#your-computer), this would ideally be a [Qubes OS](/posts/qubes/) system, as it is much harder to infect than a normal Linux computer. If you have a trusted friend with a Tails USB stick that has been installed with Qubes OS (and who uses these best practices), you could [clone it](/posts/tails/#installation) instead of installing it yourself.
|
||||
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.boum.org/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-gpg-explanation).
|
||||
* Use the "Terminal" installation method ["Debian or Ubuntu using the command line and GnuPG"](https://tails.net/install/expert/index.en.html), as it more thoroughly verifies the integrity of the download using [GPG](/glossary/#gnupg-openpgp). If using the [command line](/glossary/#command-line-interface-cli) is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [Appendix](#appendix-gpg-explanation).
|
||||
* Once installed, do not plug your Tails USB stick (or any [LUKS](/glossary/#luks) USBs used during Tails sessions) into any other computer while it is running a non-Tails operating system; if the computer is infected, the infection can [spread to the USB](https://en.wikipedia.org/wiki/BadUSB).
|
||||
|
||||
### 2. Running Tails on a computer with a compromised BIOS, firmware, or hardware
|
||||
|
|
@ -159,8 +159,8 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
|
|||
|
||||
If your Tails USB stick has a write-protect switch and secure firmware, such as [Kanguru FlashTrust](https://www.kanguru.com/products/kanguru-flashtrust-secure-firmware-usb-3-0-flash-drive), you are protected from compromising the USB firmware during a Tails session. If the switch is locked, you are also protected from compromising the Tails software. This is critical. To compromise your Tails USB stick, an attacker would need to be able to write to it. This means that even if a Tails session is infected with malware, Tails itself is immutable, so the compromise cannot "take root" and would not carry over to subsequent Tails sessions. Note that HEADS firmware makes a write-protect switch redundant because it can be configured to [verify the integrity and authenticity of your Tails USB](https://osresearch.net/InstallingOS/#generic-os-installation) before booting. If you aren't using HEADS and you are unable to obtain such a USB, you have two options.
|
||||
|
||||
1) [Burn Tails to a new DVD-R/DVD+R](https://tails.boum.org/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten.
|
||||
2) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.boum.org/doc/advanced_topics/boot_options/index.en.html).
|
||||
1) [Burn Tails to a new DVD-R/DVD+R](https://tails.net/install/dvd/index.en.html) (write once) for each new version of Tails. Don't use DVDs labeled "DVD+RW" or "DVD+RAM", which can be rewritten.
|
||||
2) Boot Tails with the `toram` option, which loads Tails completely into memory. Using the `toram` option depends on whether your Tails USB boots with [SYSLINUX or GRUB](https://tails.net/doc/advanced_topics/boot_options/index.en.html).
|
||||
* For SYSLINUX, when the boot screen appears, press Tab, and type a space. Type `toram` and press Enter.
|
||||
* For GRUB, when the boot screen appears, press `e` and use the keyboard arrows to move to the end of the line that starts with `linux`. The line is probably wrapped and displayed on multiple lines, but it is a single configuration line. Type `toram` and press F10 or Ctrl+X.
|
||||
* You can eject the Tails USB at the beginning of your session before you do anything else (whether it is connecting to the Internet or plugging in another USB) and then still use it like normal.
|
||||
|
|
@ -193,7 +193,7 @@ If its not possible to find a USB with a write-protect switch, you can alternati
|
|||
|
||||
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a random sequence of characters (letters, numbers and other symbols), while a [*passphrase*](/glossary/#passphrase) is a random sequence of words.
|
||||
|
||||
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** - when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 ([forthcoming](https://gitlab.tails.boum.org/tails/tails/-/issues/19733)) and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
||||
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to store unique passwords that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered off** - when the device is powered on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default as of Tails 6.0 and Qubes OS 4.1. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/) or [dys2p's](https://dys2p.com/en/2023-05-luks-security.html).
|
||||
|
||||
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of about 128 bits (diceware passphrases of **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers, and symbols) and shouldn't have less than 90 bits of entropy (seven words).
|
||||
|
||||
|
|
@ -270,7 +270,7 @@ Tails prevents deanonymization through phishing by forcing all internet connecti
|
|||
|
||||
For untrusted attachments, you would ideally **sanitize all files sent to you before opening them** with a program like [Dangerzone](https://dangerzone.rocks/), which takes potentially dangerous PDFs, office documents, or images and converts them into safe PDFs. Unfortunately, Dangerzone is [not yet readily available in Tails](https://gitlab.tails.boum.org/tails/tails/-/issues/18135). Until Dangerzone is made available in Tails, there is no program to sanitize untrusted files into trusted files.
|
||||
|
||||
**It is best to open untrusted files in a dedicated ['offline mode'](https://tails.boum.org/doc/first_steps/welcome_screen/index.en.html#index3h2) Tails session**. This will prevent anything malicious from calling home. Shutting the session down immediately afterward will minimize the chance of malware persisting. However, the files will remain untrusted.
|
||||
**It is best to open untrusted files in a dedicated ['offline mode'](https://tails.net/doc/first_steps/welcome_screen/index.en.html#index3h2) Tails session**. This will prevent anything malicious from calling home. Shutting the session down immediately afterward will minimize the chance of malware persisting. However, the files will remain untrusted.
|
||||
|
||||
## Links
|
||||
|
||||
|
|
@ -296,7 +296,7 @@ Using Tails without any of this advice is still a vast improvement over many oth
|
|||
|
||||
# Appendix: GPG Explanation
|
||||
|
||||
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.boum.org/install/expert/index.en.html):
|
||||
Most Linux users will rarely need to use the [command line interface](/posts/linux/#the-command-line-interface). If you're using Tails, you shouldn't need it at all, although you will need the following commands for a [more secure installation](https://tails.net/install/expert/index.en.html):
|
||||
|
||||
* `wget`: this downloads files from the Internet using the Command Line (rather than a web browser)
|
||||
* `gpg`: this handles [GPG encryption](/glossary#gnupg-openpgp) operations. This is used to verify the integrity and authenticity of the Tails download.
|
||||
|
|
@ -313,7 +313,7 @@ Now you need to understand the basics of public-key cryptography. [This Computer
|
|||
|
||||
|
||||
|
||||
Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.boum.org/install/expert/index.en.html).
|
||||
Tails signs their releases, and only they can do this because only they have their private key. However, I can verify that this signature is valid by having a copy of their public key. Now let's go through the [Tails verification instructions](https://tails.net/install/expert/index.en.html).
|
||||
|
||||
## Step: Generate a Key-Pair
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue