mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 14:52:54 -04:00
dark mode fix
This commit is contained in:
parent
7daa9fe776
commit
ec6fb8110b
17 changed files with 122 additions and 48 deletions
|
@ -55,7 +55,7 @@ Cwtch is our preference for text communication by a long shot. For an overview o
|
|||
<source src="cwtch-explainer.mp4" type="video/mp4">
|
||||
</video>
|
||||
|
||||
<center><em>How Cwtch works</em></center>
|
||||
<p style="text-align:center"><em>How Cwtch works</em></p>
|
||||
|
||||
<br>
|
||||
|
||||
|
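Review bot: the replacement caption `<p style="text-align:center">` relies on an inline style attribute, which a Content-Security-Policy that does not allow 'unsafe-inline' for styles would block. A class defined in the site stylesheet would centre the caption without that dependency and could be reused for other captions.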
@ -87,7 +87,7 @@ Real-time messaging applications are particularly susceptible to end-to-end corr
|
|||
|
||||
**Need #3: Resiliency to exploits**
|
||||
|
||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Cwtch does [fuzz testing](https://openprivacy.ca/discreet-log/07-fuzzbot/) to find bugs. For public-facing project accounts, we recommend against enabling the "file sharing experiment" or the "image previews and profile pictures experiment" in the settings.
|
||||
A vulnerability in any application can be targeted with exploits - a severe vulnerability can allow an adversary to hack your system, such as by permitting [Remote Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution). Cwtch libraries are written in memory-safe languages (Go and Rust) and Cwtch does [fuzz testing](https://openprivacy.ca/discreet-log/07-fuzzbot/) to find bugs. See the [Security Handbook](https://docs.cwtch.im/security/intro) to learn more. For public-facing project accounts, we recommend against enabling the "file sharing experiment" or the "image previews and profile pictures experiment" in the settings.
|
||||
|
||||
**Need #4: For multiple project members to be able to access the same messages**
|
||||
|
||||
|
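Review bot: in the sentence added under Need #3, "written in memory-safe languages (Go and Rust)" can be read as making the closing recommendation unnecessary. Say that memory safety removes one class of bug rather than every exploitable one, so the advice to leave the "file sharing experiment" and the "image previews and profile pictures experiment" off for public-facing accounts still visibly follows from the paragraph.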
@ -263,7 +263,7 @@ Signal is not peer-to-peer; it uses centralized servers that we must trust. Sign
|
|||
|
||||
Signing up for a Signal account is difficult to do anonymously. The account is tied to a phone number that the user must retain control of - due to [changes in "registration lock"](https://blog.privacyguides.org/2022/11/10/signal-number-registration-update/), it is no longer sufficient to register with a disposable phone number. An anonymous phone number can be obtained [on a burner phone or online](https://anonymousplanet.org/guide.html#getting-an-anonymous-phone-number) and must be maintained as long as you’re using it, which takes some technical know-how and likely some money, limiting the amount of people who will do this.
|
||||
|
||||
Another barrier to anonymous registration is that Signal Desktop will only work if Signal is first registered from a smartphone. For users familiar with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer using [Signal-cli](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for registration would have to be obtained anonymously.
|
||||
Another barrier to anonymous registration is that Signal Desktop will only work if Signal is first registered from a smartphone. For users familiar with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer using [Signal-cli](https://0xacab.org/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for registration would have to be obtained anonymously.
|
||||
|
||||
These barriers to anonymous registration mean that Signal is rarely used anonymously. This has significant implications if the State gains [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to the device. One of the primary goals of State surveillance of anarchists is [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html), and it's common for them to gain physical access to devices through [house raids](https://www.notrace.how/threat-library/techniques/house-raid.html) or arrests. For example, if police bypass your device's [authentication](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), they can identify Signal contacts (as well as the members of any groups you are in) simply by their phone numbers, if those contacts haven't changed their settings to hide their phone number.
|
||||
|
||||
|
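Review bot: the rewritten Signal-cli sentence still mixes two forms of glossary link, `/glossary/#command-line-interface-cli` with a slash before the fragment and `/glossary#voip-voice-over-internet-protocol` without one. Since the line is being touched anyway, make the VoIP link match the others. The change from the .onion address to https://0xacab.org also deserves a word in the commit message, which only says "dark mode fix".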
@ -305,7 +305,7 @@ We recommend the [Signal Configuration and Hardening Guide](https://blog.privacy
|
|||
</summary>
|
||||
<br>
|
||||
|
||||
About.Privacy [maintains a guide](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo) for installing Signal Desktop on Tails. There is a guide for registering an account from Tails without a smartphone (using Signal-cli), and another guide for if you already have a Signal account.
|
||||
About.Privacy [maintains a guide](https://0xacab.org/about.privacy/messengers-on-tails-os/-/wikis/HowTo) for installing Signal Desktop on Tails. There is a guide for registering an account from Tails without a smartphone (using Signal-cli), and another guide for if you already have a Signal account.
|
||||
|
||||
Some of the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) also applies to Signal Desktop.
|
||||
|
||||
|
|
|
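Review bot: the About.Privacy link change from the .onion address to https://0xacab.org is unrelated to the commit subject "dark mode fix" and sits in a paragraph written for Tails users, who reach either address over Tor. Move the link change into its own commit with a message that says why the onion address was dropped, or keep the onion address as a second link beside the new one.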
@ -177,7 +177,7 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
|
|||
|
||||
Don’t use cloud backups. You can't trust the corporate options, and they're the easiest way for the police to access your data. If you must back up your phone, back it up to your encrypted computer.
|
||||
|
||||
GrapheneOS currently offers Seedvault as a backup solution, but it's not very reliable. As the [documentation notes](https://grapheneos.org/faq#file-transfer), connecting directly to a computer requires "needing to trust the computer with coarse-grained access", so it is best to avoid it. Instead, you can manually back up files by copying them to a USB-C flash drive using the Files app, or sending them to yourself using an encrypted messaging app like [Element (Matrix)](/posts/e2ee/#element-matrix).
|
||||
GrapheneOS currently offers Seedvault as a backup solution, but it's not very reliable. As the [documentation notes](https://grapheneos.org/faq#file-transfer), connecting directly to a computer requires "needing to trust the computer with coarse-grained access", so it is best to avoid it. Instead, you can manually back up files by copying them to a USB-C flash drive using the Files app, or sending them to yourself using an [encrypted messaging app](/posts/e2ee/).
|
||||
|
||||
# Password Management
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
+++
|
||||
title="Linux Essentials: The Basics Needed to Use Tails or Qubes"
|
||||
title="Linux Essentials"
|
||||
date=2023-04-04
|
||||
|
||||
[taxonomies]
|
||||
|
|
|
@ -131,7 +131,12 @@ Our adversaries have two attack vectors to compromise BIOS, firmware, hardware,
|
|||
|
||||
* First, **get a fresh computer**. A laptop from a random refurbished computer store is unlikely [to already be compromised](https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/). Buy your computer with cash so it cannot be traced back to you, and in person because mail can be intercepted—a used [T Series](https://www.thinkwiki.org/wiki/Category:T_Series) or [X Series](https://www.thinkwiki.org/wiki/Category:X_Series) Thinkpad from a refurbished computer store is a cheap and reliable option. It is best to use Tails with a dedicated laptop, which prevents the adversary from targeting the hardware through a less secure operating system or through your normal non-anonymous activities. Another reason to have a dedicated laptop is that if something in Tails breaks, any information that leaks and exposes the laptop won't automatically be tied to you and your daily computer activities.
|
||||
|
||||
<p>
|
||||
<span class="is-hidden">
|
||||

|
||||
</span>
|
||||
<img src="X230.jpg" class="no-dark">
|
||||
</p>
|
||||
|
||||
* **Make the laptop's screws tamper-evident, store it in a tamper-evident manner, and monitor for break-ins**. With these precautions in place, you'll be able to detect any future physical attacks. See the [Make Your Electronics Tamper-Evident](/posts/tamper/) tutorial to adapt your laptop's screws, use some form of intrusion detection, and store your laptop so you'll know if it's been physically accessed. Store any external devices you’ll be using with the laptop in the same way (USB, external hard drive, mouse, keyboard). When physical attack vectors are mitigated, an adversary can only use remote attacks.
|
||||
|
||||
|
|
|
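Review bot: the added `<img src="X230.jpg" class="no-dark">` has no alt attribute, and the `<p>` block is placed between the "get a fresh computer" bullet and the "tamper-evident" bullet, which splits one list into two when rendered. Add alt text and either indent the block so it belongs to the first bullet or move it after the list.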
@ -318,12 +318,11 @@ Clicking "Permanently delete" or sending files to the "trash" does not delete da
|
|||
|
||||
However, it can take weeks or years before that space is actually used for new files, at which point the old data actually disappears. In the meantime, if you look directly at what is written to the drive, you can find the contents of the files. This is a fairly simple process, automated by many software programs that allow you to "recover" or "restore" data. You can't really delete data, but you can overwrite data, which is a partial solution.
|
||||
|
||||
There are two types of storage: magnetic (HDD) and flash (SSD, NVMe, USB, memory cards, etc.). The only way to erase a file on a USB is to [reformat the entire USB](#how-to-create-an-encrypted-usb) and select **Overwrite existing data with zeros**. Doing this twice is a good idea.
|
||||
There are two types of storage: magnetic (HDD) and flash (SSD, NVMe, USB, memory cards, etc.). The only way to erase a file on either is to [reformat the entire drive](#how-to-create-an-encrypted-usb) and select **Overwrite existing data with zeros**.
|
||||
|
||||
However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (i.e. thermite).
|
||||
However, traces of the previously written data may still remain. If you have sensitive documents that you really want to erase, it is best to physically destroy the USB after reformatting it. Fortunately, USBs are cheap and easy to steal. Be sure to reformat the drive before destroying it; destroying a drive is often a partial solution. Data can still be recovered from disk fragments, and burning a drive requires temperatures higher than a normal fire (i.e. thermite) to be effective.
|
||||
|
||||
* For flash memory drives (USBs, SSDs, SD cards, etc.), use two pairs of pliers to break the circuit board out of the case, then break the memory chips, including the circuit board, into pieces (be careful not to touch the sharp splinters). Hold the pieces in the flame of a camping torch. You will achieve only partial decomposition of the transistor material at this heat. Use adequate respiratory protection or stand back! The fumes are unhealthy.
|
||||
* If burning the pieces is too involved, discreetly dropping them into a storm drain while tying your shoe would make them unlikely to be recovered.
|
||||
For flash memory drives (USBs, SSDs, SD cards, etc.), use pliers to break the circuit board out of the plastic casing. Use a high-quality house-hold blender to shred the memory chips, including the circuit board, into pieces that are ideally less than two millimeters in size. This blender should be dedicated to this task, and not used for food afterwards.
|
||||
|
||||
## How to create an encrypted USB
|
||||
|
||||
|
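Review bot: the rewritten sentence now covers both storage types ("erase a file on either ... reformat the entire drive"), but the next paragraph still speaks only of destroying "the USB" and the new destruction paragraph only covers flash memory, so a reader with a magnetic drive is left without a next step in this hunk. Make the follow-up wording match the broader scope or point to where HDDs are handled. Also, "house-hold" should be "household", and the removed text carried a protective-equipment warning that the blender paragraph no longer has.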
@ -436,7 +435,5 @@ Sometimes the Synaptic Package Manager will refuse to install software. In this
|
|||
|
||||
[Tails Best Practices](/posts/tails-best) are important to establish before using Tails for highly sensitive activities. To avoid overwhelming yourself, start by learning how to use Tails in basic ways, such as reading anarchist websites or writing texts. See the [Tails tag](/tags/tails/) for tutorials on topics like [removing identifying metadata from files](/posts/metadata/).
|
||||
|
||||
---
|
||||
|
||||
*This article is heavily modified from* [TuTORiel Tails](https://infokiosques.net/spip.php?article1726) *(in French), and also includes some excerpts from* [Capulcu #1](https://capulcu.blackblogs.org/neue-texte/bandi/) *(in German).*
|
||||
|
||||
|
|
|
@ -27,7 +27,12 @@ Mullvad VPN [created a guide](https://mullvad.net/en/help/how-tamper-protect-lap
|
|||
|
||||
> Attackers without a lot of practice can use a needle or scalpel, for example, to drive under the sticker and push it partially upward to get to the screws relatively easily. The broken areas in the paint could be repaired with clear nail polish, although we did not need to do this in most of our tests. The picture below is a pre-post-comparison of one of our first attempts. Except for 3-4 glitter elements at the top left edge of the sticker, all others are still in the same place. This could be further reduced in subsequent attempts, so we rate this method as only partially suitable. [...] The relevant factor in this process is the amount of elements on the edge of the sticker. In addition, there are special seal stickers available which break when peeled off. They are probably more suitable for this method.
|
||||
|
||||
<p>
|
||||
<span class="is-hidden">
|
||||

|
||||
</span>
|
||||
<img src="mullvad.png" class="no-dark">
|
||||
</p>
|
||||
|
||||
For this reason, it is preferable to apply nail polish directly to the screws rather than over a sticker. This direct application is done for [NitroKey](https://docs.nitrokey.com/nitropad/qubes/sealed-hardware) and [Purism](https://puri.sm/posts/anti-interdiction-update-six-month-retrospective/) laptops. Keep these nuances in mind:
|
||||
|
||||
|
|
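Review bot: the `<img src="mullvad.png" class="no-dark">` added after the quoted Mullvad passage has no alt attribute, and the quote itself refers to "the picture below" as a pre-post-comparison, so a reader without the image loses what the sentence points at. Add alt text describing the comparison. The same `<p>`/`<span class="is-hidden">`/`<img class="no-dark">` wrapper is repeated for X230.jpg in another file, so a shared template or include would keep the two copies from drifting apart.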