From 4f1ae04890474c928a0c302c376453604688837c Mon Sep 17 00:00:00 2001
From: anarsec <anarsec@riseup.net>
Date: Thu, 29 Jun 2023 22:28:16 +0000
Subject: [PATCH] glossary, tails updates

---
 content/glossary/_index.md        |  6 +++---
 content/posts/e2ee/index.md       |  4 +++-
 content/posts/grapheneos/index.md |  2 +-
 content/posts/qubes/index.md      |  2 +-
 content/posts/tails/index.md      | 32 +++++++++++++++----------------
 content/recommendations/_index.md |  4 ++--
 6 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/content/glossary/_index.md b/content/glossary/_index.md
index 6ed6c47..f825733 100644
--- a/content/glossary/_index.md
+++ b/content/glossary/_index.md
@@ -47,7 +47,7 @@ Publicly releasing private data about an individual or organization is called do
 
 Encryption is the process of scrambling a message so that it can only be unscrambled (and read) by the intended parties. The method by which you scramble the original message, or *plaintext*, is called the *cipher* or *encryption protocol*. In almost all cases, the cipher is not intended to be kept secret. The scrambled, unreadable, encrypted message is called the ciphertext and can be safely shared. Most ciphers require an additional piece of information called a *cryptographic key* to encrypt and decrypt (scramble and unscramble) messages.
 
-For more info, see [symmetric cryptography](/glossary/#symmetric-cryptography), [asymmetric cryptograph](/glossary/#public-key-cryptography), or [Defend Dissent: What is Encryption?](https://open.oregonstate.education/defenddissent/chapter/what-is-encryption/)
+For more info, see [symmetric cryptography](/glossary/#symmetric-cryptography), [asymmetric cryptography](/glossary/#public-key-cryptography), or [Defend Dissent: What is Encryption?](https://open.oregonstate.education/defenddissent/chapter/what-is-encryption/)
 
 ### End-to-end encryption (e2ee)
 
@@ -204,7 +204,7 @@ For more info, see [the CSRC Threat Library](https://www.csrc.link/threat-librar
 
 Each website visited through the Tor network passes through 3 relays. Relays are servers operated by different people and organizations around the world. A single relay never knows both where the encrypted connection is coming from and where it is going to. An extract of a leaked Top Secret appraisal by the NSA characterized Tor as "the King of high secure, low latency Internet anonymity" with "no contenders for the throne in waiting". The Tor network can be accessed through the Tor Browser on any operating system. The operating system [Tails](#tails) forces every program to use the Tor network when accessing the Internet. 
 
-For more info, see [our description of Tor](/posts/tails/#tor).
+For more info, see [our description of Tor](/posts/tails/#tor) and [Privacy Guides](https://www.privacyguides.org/en/advanced/tor-overview/).
 
 ### Two-Factor Authentication (2FA)
 
@@ -230,7 +230,7 @@ Put another way, it is a technology that essentially makes it appear like you em
 
 It is important to stress this to cut through the widespread marketing hype; [a VPN is not enough to keep you anonymous](https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me/). Using a VPN can be thought of as simply shifting your trust from a local Internet Service Provider guaranteed to be a snitch to a remote one that claims to put limits on their ability to effectively snitch on you.  
 
-For an excellent comparison of a VPN and [Tor](#tor-network), see [Defend Dissent: Anonymous Routing](https://open.oregonstate.education/defenddissent/chapter/anonymous-routing/).
+For more info, see [Privacy Guides](https://www.privacyguides.org/en/basics/vpn-overview/), and for an excellent comparison of a VPN and [Tor](#tor-network), see [Defend Dissent: Anonymous Routing](https://open.oregonstate.education/defenddissent/chapter/anonymous-routing/).
 
 ### Vulnerability
 
diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md
index f38d695..d99255f 100644
--- a/content/posts/e2ee/index.md
+++ b/content/posts/e2ee/index.md
@@ -260,7 +260,9 @@ https_proxy = 127.0.0.1:8082
 * **Peer-to-peer**: No 
 * **Tor**: Depends
 
-PGP (Pretty Good Privacy) isn't so much a messaging platform as it is a way of encrypting messages on top of existing messaging platforms (in this case, email). PGP email is the only option presented which does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions against future compromises of keys or passwords. It maintains the secrecy of past communications even if the current one is compromised. This means that an adversary could decrypt all PGP messages in the future in one fell swoop. Once you also take into account the metadata exposure inherent in email, PGP should be disqualified from inclusion in this list. It simply doesn't meet the standards of a modern cryptography. However, given that it is already widely used within the anarchist space, we include it here as a warning that it is not recommended. For a more technical criticism, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). We recommend switching to Element for asynchronous use cases, and switching to Cwtch for synchronous use cases. If you need to use email, use a [radical server](https://riseup.net/en/security/resources/radical-servers) and see the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp). 
+PGP (Pretty Good Privacy) isn't so much a messaging platform as it is a way of encrypting messages on top of existing messaging platforms (in this case, email). PGP email does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions against future compromises of keys or passwords. It maintains the secrecy of past communications even if the current one is compromised. This means that an adversary could decrypt all PGP messages in the future in one fell swoop. Once you also take into account the metadata exposure inherent in email, PGP should be disqualified from inclusion in this list. It simply doesn't meet the standards of a modern cryptography. However, given that it is already widely used within the anarchist space, we include it here as a warning that it is not recommended. For a more technical criticism, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). [Privacy Guides](https://www.privacyguides.org/en/basics/email-security/) agrees that "email is best used for receiving transactional emails [...], not for communicating with others." 
+
+We recommend switching to Element for asynchronous use cases, and switching to Cwtch for synchronous use cases. If you need to use email, use a [radical server](https://riseup.net/en/security/resources/radical-servers) and see the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp). 
 
 PGP is used for another purpose outside of communication: to verify the integrity of files. For this use, see our [GPG explanation](/posts/linux/#gpg-explanation).
 
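Review bot: In the rewritten PGP paragraph, "This means that an adversary could decrypt all PGP messages in the future in one fell swoop" comes directly after two sentences describing what forward secrecy provides, so "This" reads as a consequence of forward secrecy rather than of its absence. Since the line is being rewritten anyway, consider something like "Without forward secrecy, an adversary who compromises a key could decrypt all past PGP messages in one fell swoop", and fix "the standards of a modern cryptography" to "the standards of modern cryptography". The change also drops "is the only option presented which"; if that claim is no longer true for the list, it is worth saying so in the commit message.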
diff --git a/content/posts/grapheneos/index.md b/content/posts/grapheneos/index.md
index 12178b9..d11e3b3 100644
--- a/content/posts/grapheneos/index.md
+++ b/content/posts/grapheneos/index.md
@@ -100,7 +100,7 @@ To install and configure Sandboxed Google Play:
 * Automatic updates are enabled in Google Play Store by default: **Google Play Store Settings → Network Preferences → Auto-update apps**.   
 * Notifications for Google Play Store and Google Play Services need to be enabled for auto-updates to work: **Settings → Apps → Google Play Store / Google Play Services → Notifications**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18).
 
-You can now install applications through the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you will be using a free VPN, RiseupVPN is recommended. If you want to anonymously pay for a VPN, both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn) are also recommended. VPNs are per-profile, so must be installed in each user profile separately. All default connections made by GrapheneOS will be forced through the VPN (other than [connectivity checks](https://grapheneos.org/faq#default-connections), which can optionally be disabled).
+You can now install applications through the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you will be using a free VPN, RiseupVPN is recommended. If you want to anonymously pay for a VPN, both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn) are also recommended. VPNs are per-profile, so must be installed in each user profile separately. All default connections made by GrapheneOS will be forced through the VPN (other than [connectivity checks](https://grapheneos.org/faq#default-connections), which can optionally be [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)).
 
 Using the example of RiseupVPN, once it is installed, accept the 'Connection request' prompt. A green display will mean that the VPN is successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN**, and follow the instructions. Moving forward, the VPN will automatically connect when you turn on your phone. Continue to install any other apps - for ideas, see [Encrypted Messaging for Anarchists](/posts/e2ee/). 
 
diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md
index 0543aa6..8a8e453 100644
--- a/content/posts/qubes/index.md
+++ b/content/posts/qubes/index.md
@@ -335,7 +335,7 @@ Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Servic
 Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer:
 * **Root of trust**: A secure element to store secrets that can be used as a root of trust during the boot process.  
 * **Blobs:** Newer hardware comes with [binary blobs](https://en.wikipedia.org/wiki/Binary_blob) which require trusting corporations to do the right thing, while some older hardware is available without binary blobs. 
-* **Microcode updates**: Newer hardware gets microcode updates to the CPU which (ideally) address security vulnerabilities as they are discovered, while older hardware doesn't after it is considered End Of Life. The [Heads threat model page](https://osresearch.net/Heads-threat-model/#binary-blobs-microcode-updates-and-transient-execution-vulnerabilities) explains why CPU vulnerabilities matter:
+* **Microcode updates**: Newer hardware gets [microcode](https://en.wikipedia.org/wiki/Microcode) updates to the CPU which (ideally) address security vulnerabilities as they are discovered, while older hardware doesn't after it is considered End Of Life. The [Heads threat model page](https://osresearch.net/Heads-threat-model/#binary-blobs-microcode-updates-and-transient-execution-vulnerabilities) explains why CPU vulnerabilities matter:
 
 	>"With the disclosure of the Spectre and Meltdown vulnerabilities in January 2018, it became apparent that most processors manufactured since the late 1990s can potentially be compromised by attacks made possible because of [transient execution CPU vulnerabilities](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability). [...]  Future not-yet-identified vulnerabilities of this kind is likely. For users of Qubes OS, this class of vulnerabilities can additionally compromise the enforced isolation of virtual machines, and it is prudent to take the risks associated with these vulnerabilities into account when deciding on a platform on which to run Heads and Qubes OS." 
 
diff --git a/content/posts/tails/index.md b/content/posts/tails/index.md
index 79ac9ca..b744058 100644
--- a/content/posts/tails/index.md
+++ b/content/posts/tails/index.md
@@ -118,7 +118,7 @@ Tails is a classic and simple operating system.
 
 1. The "Activities" menu. Allows you to see an overview of windows and applications. It also allows you to search through applications, files, and folders. You can also access "Activities" by sending the mouse to the top left corner of your screen or by pressing the Command/Windows (❖) key on the keyboard.
 2. The Applications menu. Lists available applications (software), classified by theme. 
-3. The Places menu. Shortcuts to different folders and storage media, which can also be accessed with the Files browser (Applications â–¸ Accessories â–¸ Files). 
+3. The Places menu. Shortcuts to different folders and storage media, which can also be accessed with the Files browser (**Applications → Accessories → Files**). 
 4. Date and time. Once connected to the Internet, all the Tails USBs around the world [have the same time](https://tails.boum.org/doc/first_steps/desktop/time/index.en.html). 
 5. The Tor status indicator which tells you if you are connected to the Tor network. If there is an X over the onion icon, you are not connected. You can open the "Onion Circuits" application from here. A Tor connection can be verified by visiting `check.torproject.org` in Tor Browser. 
 6. The "Universal Access" button. The Universal Access menu allows you to activate accessibility software like the screen reader, visual keyboard, and large text display.
@@ -132,7 +132,7 @@ If your laptop is equipped with Wi-Fi but there is no Wi-Fi option in the system
 
 Tails is amnesiac by default. It forgets everything you did between sessions. This isn't always what you want - for instance, you may want to work on a document that you can't complete in one sitting. The same is true for installing additional software: you would have to redo the installation after each start-up. Tails has a feature called Persistent Storage, which makes it no longer completely forgetful. This is explicitly less secure, but it is necessary for some activities. 
 
-The principle is to create a second storage area (called a partition) on your Tails USB, which is encrypted. This new partition allows a user to persist data – that is, to keep it around – between Tails sessions. It's very simple to enable Persistent Storage. To create the [Persistent Storage](https://tails.boum.org/doc/persistent_storage/create/index.en.html), choose **Applications ▸ Tails ▸ Persistent Storage**. 
+The principle is to create a second storage area (called a partition) on your Tails USB, which is encrypted. This new partition allows a user to persist data – that is, to keep it around – between Tails sessions. It's very simple to enable Persistent Storage. To create the [Persistent Storage](https://tails.boum.org/doc/persistent_storage/create/index.en.html), choose **Applications → Tails → Persistent Storage**. 
 
 A window opens where you have to type a passphrase; see [Tails Best Practices](/posts/tails-best/#passwords) for notes on passphrase strength. You'll then [configure](https://tails.boum.org/doc/persistent_storage/configure/index.en.html) what you need to keep in Persistent Storage. Persistent Storage can be enabled for several types of data:
 
@@ -178,7 +178,7 @@ Every time you start Tails, the Tails Upgrader checks if you are using the lates
 ***The [manual upgrade](https://tails.boum.org/upgrade/tails/index.en.html)***
 
 * Sometimes the upgrade window will tell you that you need to do a manual upgrade. This type of upgrade is only done for major upgrades or in case of an issue. 
-* If you already have a second Tails USB with the latest version, you start on that one, and navigate to Applications â–¸ Tails â–¸ Tails Installer. Instead of the button reading "install", you'll be asked "upgrade". The difference is that it won't format the whole USB, it will just replace the Tails partition with an updated version. 
+* If you already have a second Tails USB with the latest version, you start on that one, and navigate to **Applications → Tails → Tails Installer**. Instead of the button reading "install", you'll be asked "upgrade". The difference is that it won't format the whole USB, it will just replace the Tails partition with an updated version. 
 * If you don't have a second Tails USB with the latest version, you'll need a blank USB and the (out of date) Tails USB. See the [documentation for manual upgrades](https://tails.boum.org/upgrade/tails/index.en.html). 
 
 # II) Going Further: Several Tips and Explanations
@@ -224,7 +224,7 @@ Some sites offer both a classic URL as well as an .onion address. In this case,
 
 The Tor network is blocked and otherwise rendered more inconvenient to use in many ways. You may be confronted with CAPTCHA images (a kind of game that verifies you “are not a robot”) or obliged to provide additional personal data (ID card, phone number…) before proceeding, or Tor may be completely blocked. 
 
-Perhaps only certain Tor relays are blocked. In this case, you can change the Tor exit nodes for this site: click on the ≣	→ "New Tor circuit for this site". The Tor circuit (path) will only change for the one tab. You may have to do this several times in a row if you're unlucky enough to run into several relays that have been banned. 
+Perhaps only certain Tor relays are blocked. In this case, you can change the Tor exit nodes for this site: click on the **≣	→ "New Tor circuit for this site"**. The Tor circuit (path) will only change for the one tab. You may have to do this several times in a row if you're unlucky enough to run into several relays that have been banned. 
 
 It is also possible that the entire Tor network is blocked, because all Tor relays are public. In this case you can try to use a proxy to get to the site, such as https://hide.me/en/proxy (but only if you don't have to enter any personal data or do anything sensitive like login information). You can also check whether the page you want to access has been saved to the Wayback Machine: web.archive.org.  
 
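Review bot: The new bold span on the "New Tor circuit for this site" line still contains a literal tab between ≣ and →, which sits inside the emphasis markers and may render as uneven spacing. Replace the tab with a single space so it matches the other bolded paths in this patch, such as **Applications → Accessories → Files**.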
@@ -248,7 +248,7 @@ The Tor Browser on Tails is kept in a ["sandbox"](/glossary/#sandboxing) to prev
 
 *Downloads*
 
-When you download something using the Tor Browser it will be saved in the Tor Browser folder (`/home/amnesia/Tor Browser/`), which is inside the "sandbox". If you want to do anything with this file, you should then move it out of the Tor Browser folder. You can use the file manager (Applications → Accessories → Files) to do this. 
+When you download something using the Tor Browser it will be saved in the Tor Browser folder (`/home/amnesia/Tor Browser/`), which is inside the "sandbox". If you want to do anything with this file, you should then move it out of the Tor Browser folder. You can use the file manager (**Applications → Accessories → Files**) to do this. 
 
 *Uploads*
 
@@ -260,7 +260,7 @@ Be aware that, because all of your Tails session is running in RAM (unless you h
 
 ***Share Files with Onionshare***
 
-It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.boum.org/doc/anonymous_internet/onionshare/index.en.html) (Applications â–¸ Internet â–¸ OnionShare). Normally, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to Settings and unselect "Stop sharing after first download". As soon as you close OnionShare, cut the Internet connection, or shut down Tails, the files can no longer be accessed. This is a great way of sharing files because it doesn't require plugging a USB into someone else's computer, which is [not recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared via another channel (like a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type). 
+It is possible to send a document through an .onion link thanks to [OnionShare](https://tails.boum.org/doc/anonymous_internet/onionshare/index.en.html) (**Applications → Internet → OnionShare**). Normally, OnionShare stops the hidden service after the files have been downloaded once. If you want to offer the files for multiple downloads, you need to go to Settings and unselect "Stop sharing after first download". As soon as you close OnionShare, cut the Internet connection, or shut down Tails, the files can no longer be accessed. This is a great way of sharing files because it doesn't require plugging a USB into someone else's computer, which is [not recommended](/posts/tails-best/#reducing-risks-when-using-untrusted-computers). The long .onion address can be shared via another channel (like a [Riseup Pad](https://pad.riseup.net/) you create that is easier to type). 
 
 ***Make Correlation Attacks More Difficult***
 
@@ -271,11 +271,11 @@ When you request a web page through a web browser, it is transmitted to you in s
 Tails includes [many applications](https://tails.boum.org/doc/about/features/index.en.html) by default. The documentation gives an overview of [Internet applications](https://tails.boum.org/doc/anonymous_internet/index.en.html), applications for [encryption and privacy](https://tails.boum.org/doc/encryption_and_privacy/index.en.html), as well as applications for [working on sensitive documents](https://tails.boum.org/doc/sensitive_documents/index.en.html). In the rest of this section, we will just highlight common use cases relevant to anarchists, but read the documentation for further information. 
 
 #### Password Manager (KeePassXC)
-If you're going to need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (Application â–¸ Favorites â–¸ KeePassXC).  In the terminology used by KeePassXC, a password is a randomized sequence of characters (letters, numbers, and other symbols), whereas a passphrase is a random series of words.
+If you're going to need to know a lot of passwords, it can be nice to have a secure way to store them (i.e. not a piece of paper next to your computer). KeePassXC is a password manager included in Tails (**Application → Favorites → KeePassXC**) which allows you to store your passwords in a file and protect them with a single master password. In the terminology used by KeePassXC, a *password* is a randomized sequence of characters (letters, numbers, and other symbols), whereas a *passphrase* is a random series of words.
 
 ![seconds](seconds.png)
 
-When you [create a new KeePassXC database](https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), in the **Encryption settings** window, increase the **Decryption time** from the default to the maximum (5 seconds). Then, select a [strong passphrase](/posts/tails-best/#passwords) and then save your KeePassXC file. This file will contain all your passwords/passphrases, and needs to persist between sessions on your Persistent Storage or on a second LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). The decryption time setting of a pre-existing KeePassXC file can be updated: Database → Database Security → Encryption Settings. 
+When you [create a new KeePassXC database](https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html#index1h1), in the **Encryption settings** window, increase the **Decryption time** from the default to the maximum (5 seconds). Then, select a [strong passphrase](/posts/tails-best/#passwords) and then save your KeePassXC file. This file will contain all your passwords/passphrases, and needs to persist between sessions on your Persistent Storage or on a second LUKS-encrypted USB as described in [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch). The decryption time setting of a pre-existing KeePassXC file can be updated: **Database → Database Security → Encryption Settings**. 
 
 As soon as you close KeePassXC, or if you don't use it for a few minutes, it will lock. Be careful not to forget your main passphrase. We recommend against using the auto-fill feature, because it is easy to fill your password into the wrong window by mistake. 
 
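Review bot: The rewritten KeePassXC sentence keeps the singular **Application → Favorites → KeePassXC**, while every other menu path in this patch begins with "Applications"; this looks like a typo carried over from the old line. The added clause also says "a single master password" in the same sentence that distinguishes a *password* from a *passphrase*, and the following paragraphs tell the reader to select a "strong passphrase" and not to forget the "main passphrase". Use one term (passphrase) throughout so the text is not read as allowing a short password to protect the whole database.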
@@ -305,9 +305,9 @@ However, traces of the previously written data may still remain. If you have sen
 
 #### How to create an encrypted USB 
 
-Exclusively store data on encrypted drives. This is necessary for using a separate LUKS USB instead of Persistent Storage on the Tails USB. [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to Applications â–¸ Utilities â–¸ Disks. 
+Exclusively store data on encrypted drives. This is necessary for using a separate LUKS USB instead of Persistent Storage on the Tails USB. [LUKS](/glossary/#luks) is the Linux encryption standard. To encrypt a new USB, go to **Applications → Utilities → Disks**. 
 * When you insert the USB, a new "device" should appear in the list. Select it, and verify that the description (brand, name, size) matches your device. Be careful not to make a mistake!
-* Format it by clicking **≣  ▸ Format the disk**. 
+* Format it by clicking **≣  → Format the disk**. 
 	* Select **Overwrite existing data with zeroes** in the Erase drop-down list. Keep in mind that this is likely incomplete if there were sensitive documents on the USB.  
 	* Choose **Compatible with all systems and devices (MBR/DOS)** in the Partitioning drop-down list.
 	* Then click **Format…**
@@ -320,13 +320,13 @@ Exclusively store data on encrypted drives. This is necessary for using a separa
 	* For "type" select **internal disk to be used with Linux systems only (Ext4)**; check **Password protected volume (LUKS)**
 	* Enter a [strong passphrase](/posts/tails-best/#passwords)
 
-When you insert an encrypted USB, it will not be opened automatically but only when you select it in the Places menu. You will be prompted to enter the passphrase. Before you can remove the disk when the work is done, you have to right-click on it under Places → Computer and then select Eject.  
+When you insert an encrypted USB, it will not be opened automatically but only when you select it in the Places menu. You will be prompted to enter the passphrase. Before you can remove the disk when the work is done, you have to right-click on it under **Places → Computer** and then select Eject.  
 
 #### Encrypt a file with a password or with a public key
 
 In Tails, you can use the Kleopatra application to [encrypt a file](https://tails.boum.org/doc/encryption_and_privacy/kleopatra/index.en.html#index1h1) with a password or a public PGP key. This will create a .pgp file. If you are going to encrypt a file, do so in RAM before you store it on a LUKS USB. Once the unencrypted version of a file is on a USB, the USB must be reformatted to remove it. 
 
-If you choose the passphrase option, you will have to open the file in Tails and type the passphrase. If you don't want the unencrypted data to be stored in the location where you saved it (e.g. on a USB), it's best to first copy the encrypted file to a Tails folder that is only in RAM (e.g. Locations â–¸ Documents) before decrypting it.
+If you choose the passphrase option, you will have to open the file in Tails and type the passphrase. If you don't want the unencrypted data to be stored in the location where you saved it (e.g. on a USB), it's best to first copy the encrypted file to a Tails folder that is only in RAM (e.g. **Places → Documents**) before decrypting it.
 
 #### Adding administration rights
 
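Review bot: The last changed line in this hunk replaces "Locations" with "Places" as well as swapping the arrow, which is a content correction rather than a formatting fix; mention it in the commit message so it is not lost among the arrow changes. On the line about removing the disk, **Places → Computer** is now bold but "Eject" is left plain, while other UI actions in this file are bold (for example **Format…**); bold it for consistency.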
@@ -345,11 +345,11 @@ To set an administration password, you must choose an administration password at
 If you install new software, it's up to you to make sure it is secure. Tails forces all software to connect to the internet through Tor, so you make need to use a program called `torsocks` from Terminal to start additional software that requires an Internet connection (for example, `torsocks --isolate mumble`). The software used in Tails is audited for security, but this may not be the case for what you install. Before installing new software, it's best to make sure there isn't already software in Tails that does the job you want to do. If you want additional software to persist beyond a single session, you have to enable "Additional Software" in Persistent Storage [configuration](https://tails.boum.org/doc/persistent_storage/configure/index.en.html). 
 
 To install software from the Debian software repository:
-* Start Tails with administration rights, then go to Applications â–¸ System Tools â–¸ Synaptic Package Manager. 
+* Start Tails with administration rights, then go to **Applications → System Tools → Synaptic Package Manager**. 
 * When prompted, enter your administration password (if it's the first time you do this, it will take time to download the repositories). 
 * Go to "All" and choose the software you want to install: "select for installation", then "apply". 
 * Once done, Tails will ask you, if your Persistent Storage is open, if you want to install it once, or add it to your Persistent Storage. If you add it to the Persistent Storage, the corresponding software files are saved there. They are automatically updated for security reasons as soon as a network connection is established. 
-* You will be able to access the additional software you have installed, with the option to remove them, in Applications â–¸ System Tools â–¸ Additional Software.
+* You will be able to access the additional software you have installed, with the option to remove them, in **Applications → System Tools → Additional Software**.
 
 For more information, see the documentation on [Installing additional software](https://tails.boum.org/doc/persistent_storage/configure/index.en.html).  
 
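Review bot: The context paragraph above the changed list items still reads "so you make need to use a program called `torsocks`" (should be "may need"), and the closing "Installing additional software" link points to the same persistent_storage/configure URL as the "configuration" link in that first paragraph, which looks like a copy-pasted target. Both are worth fixing in this patch since the section is already being edited.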
@@ -380,7 +380,7 @@ Following an upgrade, or otherwise, Tails does not start anymore on your compute
 
 ***I can't connect to a public Wi-Fi network with an authentication page (a captive portal)***
 
-If you must connect to Wi-Fi using a captive portal, Unsafe Browser needs to be enabled. Connect to the Wi-Fi, then you open Applications â–¸ Internet â–¸ Unsafe Browser. You type a URL of a site that isn't sketchy to access the authentication page. Once you've put in the login, you wait for Tor to be ready to go to your Tor Browser, then close the unsafe browser.  
+If you must connect to Wi-Fi using a captive portal, Unsafe Browser needs to be enabled. Connect to the Wi-Fi, then you open **Applications → Internet → Unsafe Browser**. You type a URL of a site that isn't sketchy to access the authentication page. Once you've put in the login, you wait for Tor to be ready to go to your Tor Browser, then close the unsafe browser.  
 
 ***I have no more free space on a USB?***
 
@@ -400,7 +400,7 @@ Try pressing the Windows key, or the Cmd key for Mac, which will open the window
 
 ***Add a printer***
 
-You go to: Applications â–¸ System Tools â–¸ Settings â–¸ Devices â–¸ Printers â–¸ "+" â–¸ Add a printer. Some printer models may not work (or work with difficulty) with Tails.
+You go to: **Applications → System Tools → Settings → Devices → Printers → "+" → Add a printer**. Some printer models may not work (or work with difficulty) with Tails.
 
 ***Unable to install new software***
 
diff --git a/content/recommendations/_index.md b/content/recommendations/_index.md
index 4f43bb1..3f218ab 100644
--- a/content/recommendations/_index.md
+++ b/content/recommendations/_index.md
@@ -24,9 +24,9 @@ See [When to Use Tails vs Qubes OS](/posts/qubes/#when-to-use-tails-vs-qubes-os)
 We do not offer "harm reduction" advice for Windows or macOS computers, because this is already prevalent and gives a false sense of privacy and security. If you need to use one of these Operating Systems, see The Hitchhiker’s Guide to Online Anonymity for tutorials on [Windows](https://anonymousplanet.org/guide.html#windows-host-os) and [macOS](https://anonymousplanet.org/guide.html#macos-host-os). 
 
 ## Home Network 
->**[Operating system](/glossary#operating-system-os) (router)**: [**OpenWrt**](https://openwrt.org/). [GL-iNet](https://www.gl-inet.com/) sells affordable OpenWrt routers that are user friendly - the 'Travel' models are sufficient for an apartment-sized residence. 
+>**[Operating system](/glossary#operating-system-os) (router)**: [**OpenWrt**](https://www.privacyguides.org/en/router/#openwrt). [GL-iNet](https://www.gl-inet.com/) sells affordable OpenWrt routers that are user friendly - the 'Travel' models are sufficient for an apartment-sized residence. 
 
->**[Operating system](/glossary#operating-system-os) (hardware firewall)**: [**OPNsense**](https://opnsense.org/). Although you can get by with only a router, a hardware firewall allows you to further segment your network, and other security upgrades.    
+>**[Operating system](/glossary#operating-system-os) (hardware firewall)**: [**OPNsense**](https://www.privacyguides.org/en/router/#opnsense). Although you can get by with only a router, a hardware firewall allows you to further segment your network, and other security upgrades.    
 
 If an adversary compromises your router, [they can then compromise all devices connecting to it](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/), so it's important to not use the [closed-source](/glossary#open-source) router your Internet Service Provider gives you. Guide forthcoming.  
 
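Review bot: Both changed lines repoint the **OpenWrt** and **OPNsense** links from the projects' own sites (openwrt.org, opnsense.org) to Privacy Guides pages while the link text stays the bare project name, so a reader following the name to find firmware or an installer now lands on a third-party page first. Consider keeping the official URL on the project name and adding Privacy Guides as a separate "for more info" link, as the glossary hunks in this patch do. The `/glossary#operating-system-os` links on these lines also omit the slash used elsewhere in the patch (`/glossary/#...`).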
-- 
GitLab