mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 23:02:55 -04:00
csrc links to notrace.how, miscellaneous edits
This commit is contained in:
parent
9d659896fa
commit
d83276dadb
17 changed files with 42 additions and 153 deletions
|
@ -16,7 +16,7 @@ letter="tails-best-letter.pdf"
|
|||
|
||||
As mentioned in our [recommendations](/recommendations/#your-computer), Tails is an [operating system](/glossary#operating-system-os) that is unparalleled for sensitive computer use that requires leaving no forensic trace (writing and sending communiques, research for actions, etc.). Tails runs from a USB drive and is [designed](https://tails.boum.org/about/index.en.html) to leave no trace of your activity on your computer, and to force all Internet connections through the [Tor network](/glossary#tor-network). If you are new to Tails, start with [Tails for Anarchists](/posts/tails/).
|
||||
|
||||
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary#threat-model) - operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [CSRC Threat Library](https://www.csrc.link/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations.
|
||||
This text describes some additional precautions you can take that are relevant to an anarchist [threat model](/glossary#threat-model) - operational security for Tails. Not all anarchist threat models are the same, and only you can decide which mitigations are worth putting into practice for your activities, but we aim to provide advice that is appropriate for high-risk activities. The [No Trace Project Threat Library](https://www.notrace.how/threat-library/) is another great resource for thinking through your threat model and appropriate mitigations.
|
||||
|
||||
<!-- more -->
|
||||
|
||||
|
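Review bot: the link text change from "CSRC Threat Library" to "No Trace Project Threat Library" matches the new domain, but because `csrc.link` also appears in every later hunk of this file, a repository-wide search for the literal string `csrc.link` would confirm that no stale references survive in files this commit does not touch, which the commit title ("csrc links to notrace.how") implies is the intent. Also confirm that `https://www.notrace.how/threat-library/` resolves directly with the trailing slash carried over from the old URL rather than depending on a redirect.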
@ -43,7 +43,7 @@ You can mitigate this first issue by **cleaning metadata from files before shari
|
|||
|
||||
You can mitigate this second issue by what's called **"compartmentalization"**:
|
||||
|
||||
* [Compartmentalization](https://www.csrc.link/threat-library/mitigations/compartmentalization.html) means keeping different activities or projects separate. If you use Tails sessions for more than one purpose at a time, an adversary could link your different activities together. For example, if you log into different accounts on the same website in a single Tails session, the website could determine that the accounts are being used by the same person. This is because websites can tell when two accounts are using the same Tor circuit.
|
||||
* [Compartmentalization](https://www.notrace.how/threat-library/mitigations/compartmentalization.html) means keeping different activities or projects separate. If you use Tails sessions for more than one purpose at a time, an adversary could link your different activities together. For example, if you log into different accounts on the same website in a single Tails session, the website could determine that the accounts are being used by the same person. This is because websites can tell when two accounts are using the same Tor circuit.
|
||||
* To prevent an adversary from linking your activities while using Tails, restart Tails between different activities. For example, restart Tails between checking different project emails.
|
||||
* Tails is amnesiac by default, so to save any data from a Tails session, you must save it to a USB. If the files you save could be used to link your activities together, use a different encrypted ([LUKS](/glossary#luks)) USB stick for each activity. For example, use one Tails USB stick for moderating a website and another for researching actions. Tails has a feature called Persistent Storage, but we do not recommend using it for data storage, explained [below](#using-a-write-protect-switch).
|
||||
|
||||
|
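Review bot: the unchanged third bullet in this hunk says Persistent Storage is "explained [below](#using-a-write-protect-switch)", which points at the write-protect-switch anchor rather than a section about Persistent Storage; since this hunk only swaps the compartmentalization URL, that anchor was not revisited, so verify that the write-protect-switch section really carries the reasoning against Persistent Storage or retarget the link. The domain swap itself keeps the `threat-library/mitigations/compartmentalization.html` path verbatim, consistent with the other hunks.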
@ -86,14 +86,14 @@ Use an Internet connection that isn't connected to you, such as in a cafe withou
|
|||
|
||||
As described in the quotation above, a global adversary (i.e. the NSA) may be capable of breaking Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic). If this happens, the Internet address you used in a coffee shop without CCTV cameras will only lead to your general area (e.g. your city) because it is not associated with you. Of course, this is less true if you use it routinely. Correlation attacks are even less feasible against connections to an .onion address because you never leave the Tor network, so there is no "end" to correlate with through network traffic analysis (if the server location is unknown to the adversary).
|
||||
|
||||
What we will term a "targeted" correlation attack is possible by a non-global adversary (i.e. local law enforcement), if you are already in their sights and a target of [physical surveillance](https://www.csrc.link/threat-library/techniques/physical-surveillance/covert.html) and/or [digital surveillance](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance.html). This is a subtype of correlation attack where the presumed target is already known, thus making the attack easier to achieve because it vastly reduces the amount of data to filter through for correlation. A non-targeted correlation attack used to deanonymize a Tor user is unprecedented in current evidence used in court, although [a "targeted" correlation attack has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as corroborating evidence - a suspect had already been identified, which allowed investigators to correlate their local footprint with specific online activity. Specifically, they correlated Tor network traffic coming from the suspect's house with the times their anonymous alias was online in chatrooms.
|
||||
What we will term a "targeted" correlation attack is possible by a non-global adversary (i.e. local law enforcement), if you are already in their sights and a target of [physical surveillance](https://www.notrace.how/threat-library/techniques/physical-surveillance/covert.html) and/or [digital surveillance](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance.html). This is a subtype of correlation attack where the presumed target is already known, thus making the attack easier to achieve because it vastly reduces the amount of data to filter through for correlation. A non-targeted correlation attack used to deanonymize a Tor user is unprecedented in current evidence used in court, although [a "targeted" correlation attack has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as corroborating evidence - a suspect had already been identified, which allowed investigators to correlate their local footprint with specific online activity. Specifically, they correlated Tor network traffic coming from the suspect's house with the times their anonymous alias was online in chatrooms.
|
||||
|
||||
To explain how this works, it helps if you have a basic understanding of what Tor information is visible to various third parties - see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https). For a non-targeted correlation attack, the investigator will need to **start from after Tor's exit node**: take the specific online activity coming from the exit node and try to correlate it with an enormous amount of global data that is entering Tor entry nodes. However, if a suspect is already identified, the investigator can instead do a "targeted" correlation attack and **start from before Tor's entry node**: take the data entering the entry node (via **the suspect's physical or digital footprint**) and try to correlate it with **specific online activity** coming from the exit node.
|
||||
|
||||
A more sophisticated analysis of the specific online activity would involve logging the connections to the server for detailed comparison, and a simple analysis would be something that is publicly visible to anyone (such as when your alias is online in a chatroom, or when a post is published to a website). For your physical footprint, a surveillance operation can note that you go to a cafe regularly, then try to correlate this with online activity they suspect you of (for example, if they suspect you are a website moderator, they can try to correlate these time windows with web moderator activity). For your digital footprint, if you are using Internet from home, an investigator can log all your Tor traffic and then try to correlate it with specific online activity.
|
||||
|
||||
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) before going to a coffee shop**, and changing Wi-Fi locations regularly. For projects like moderating a website that require daily Internet access, this may not be particularly realistic. In that case, the ideal mitigation is to **use a Wi-Fi antenna from indoors** (guide coming soon) - a physical surveillance effort won't see you entrying a cafe, and a digital surveillance effort won't see anything on your home Internet. If this is too technical for you, you may even want to **use your home internet** for some projects that require very frequent internet access. This contradicts the previous advice to not use your personal Wi-Fi. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from (especially if you intentionally [make correlation attacks more difficult](/posts/tails/#make-correlation-attacks-more-difficult)).
|
||||
* If you want to submit a report-back the morning after a riot, or a communique shortly after an action (times when there may be a higher risk of targeted surveillance), consider waiting and at least taking surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank arson in Canada, police surveilled a suspect as he traveled from his home to an Internet cafe, and watched him post the communique and then bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.csrc.link/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe near the comrade's home and requested CCTV footage for the day an arson communique was sent.
|
||||
* Possible mitigations in this scenario include **doing [surveillance detection](https://www.notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a coffee shop**, and changing Wi-Fi locations regularly. For projects like moderating a website that require daily Internet access, this may not be particularly realistic. In that case, the ideal mitigation is to **use a Wi-Fi antenna from indoors** (guide coming soon) - a physical surveillance effort won't see you entrying a cafe, and a digital surveillance effort won't see anything on your home Internet. If this is too technical for you, you may even want to **use your home internet** for some projects that require very frequent internet access. This contradicts the previous advice to not use your personal Wi-Fi. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from (especially if you intentionally [make correlation attacks more difficult](/posts/tails/#make-correlation-attacks-more-difficult)).
|
||||
* If you want to submit a report-back the morning after a riot, or a communique shortly after an action (times when there may be a higher risk of targeted surveillance), consider waiting and at least taking surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank arson in Canada, police surveilled a suspect as he traveled from his home to an Internet cafe, and watched him post the communique and then bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.notrace.how/resources/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe near the comrade's home and requested CCTV footage for the day an arson communique was sent.
|
||||
|
||||
To summarize: For highly sensitive activities, use Internet from a random cafe, preceeded by surveillance detection just like you would prior to a direct action. For activities that require frequent internet access such that the random cafe model isn't sustainable, it's best to use a Wi-Fi antenna positioned behind a window to access from a few kilometers away. If this is too technical for you, using your home Wi-Fi is an option, but requires putting faith in it being difficult to break Tor with a non-targeted correlation attack, and it being difficult to draw meaningful conclusions from your home's Tor traffic through a "targeted" correlation attack.
|
||||
|
||||
|
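Review bot: the Ivan case link is the one change in this commit that is not a pure domain swap, moving from `https://www.csrc.link/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan` to `https://www.notrace.how/resources/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan`, so the `/resources/` page should be checked for that exact fragment id, as a missing fragment fails silently. While touching these lines, the unchanged context still reads "see you entrying a cafe" and "preceeded by surveillance detection"; "entering" and "preceded" would be the fixes.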
@ -212,7 +212,7 @@ If you are using Persistent Storage, this is another passphrase that you will ha
|
|||
|
||||
## Encrypted containers
|
||||
|
||||
[LUKS](/glossary#luks) is great, but defense-in-depth can't hurt. If the police seize your USB in a house raid, they will try a [variety of tactics to bypass the authentication](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), so a second layer of defense with a different encryption implementation can be useful for highly sensitive data.
|
||||
[LUKS](/glossary#luks) is great, but defense-in-depth can't hurt. If the police seize your USB in a house raid, they will try a [variety of tactics to bypass the authentication](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), so a second layer of defense with a different encryption implementation can be useful for highly sensitive data.
|
||||
|
||||
|
||||
[Gocryptfs](https://nuetzlich.net/gocryptfs/) is an encrypted container program that is [available for Debian](https://packages.debian.org/bullseye/gocryptfs) and can be easily installed as [additional software](/posts/tails/#optional-create-and-configure-persistent-storage). If you don't want to reinstall it every session, you will need to [configure Additional Software in Persistent Storage](#using-a-write-protect-switch).
|
||||
|
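Review bot: the authentication-bypass URL swap preserves the old path and link text, which is fine; the unchanged line below it links gocryptfs to `https://packages.debian.org/bullseye/gocryptfs`, a page pinned to the bullseye codename, so that reference will go stale as Tails moves to newer Debian releases and an unversioned or `stable` package page would be more durable. The same `#using-a-write-protect-switch` anchor is reused here for the Additional Software note, so both references break together if that heading is ever renamed.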
@ -407,4 +407,4 @@ Now that we know that we have a genuine version of the Tails .img file, we can p
|
|||
|
||||
[^8]: Recognizable by the green fields in the column "Non-free firmware required."
|
||||
|
||||
[^9]: AnarSec note: Keep in mind that a car can easily be [tracked with a GPS device](https://www.csrc.link/threat-library/techniques/covert-surveillance-devices/location.html).
|
||||
[^9]: AnarSec note: Keep in mind that a car can easily be [tracked with a GPS device](https://www.notrace.how/threat-library/techniques/covert-surveillance-devices/location.html).
|
||||
|
|