From 5f5b9d8830985864e78409e3304e61d9c3a3cebc Mon Sep 17 00:00:00 2001 From: anarsec <anarsec@riseup.net> Date: Wed, 28 Jun 2023 16:51:29 +0000 Subject: [PATCH] cwtch on tails, argon2id tails 6.0, relative hrefs --- content/posts/e2ee/index.md | 19 +++++++++---------- content/posts/tails-best/index.md | 4 ++-- .../templates/categories/list.html | 2 +- themes/DeepThought/templates/tags/list.html | 2 +- 4 files changed, 13 insertions(+), 14 deletions(-) diff --git a/content/posts/e2ee/index.md b/content/posts/e2ee/index.md index d8d3edd..29fe7d9 100644 --- a/content/posts/e2ee/index.md +++ b/content/posts/e2ee/index.md 
@@ -64,22 +64,21 @@ Any Cwtch user can turn the app on their phone or computer into an untrusted ser <li>Compare the hash of the file with what is listed on the download page </li> </ul> </li> -<li>As per our <a href="/posts/tails-best/#using-a-write-protect-switch">Tails Best Practices</a>, personal data should be stored on a second LUKS USB, not on the Tails Persistent Storage. Copy the file to such a personal data LUKS USB and extract it with the file manager (right click, select "Extract Here"). We will not be using the Additional Software Persistent Storage feature - Cwtch is an AppImage so doesn't require it. </li> +<li>As per our <a href="/posts/tails-best/#using-a-write-protect-switch">Tails Best Practices</a>, personal data should be stored on a second LUKS USB, and the Persistent Storage is not enabled. Extract the file with the file manager (right click, select "Extract Here"), then copy the folder <code>cwtch</code> to such a personal data LUKS USB. <ul> +<li>OPTIONAL - If you do enable Persistent Storage: with Persistent Storage unlocked, in Terminal run <code>sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf && sudo sed -i '$ a /home/amnesia/.local source=cwtch_install' /live/persistence/TailsData_unlocked/persistence.conf</code> then reboot Tails for the changes to take effect, again with an Adminstration Password.</li> +</ul> +</li> <li>Run the install script<ul> -<li>In the File Manager, enter to directory you just created, <code>cwtch</code>. Right click in the File Manager and select "Open a Terminal Here"</li> -<li>Run <code>install-tails.sh</code></li> +<li>In the File Manager, enter the directory you just created, <code>cwtch</code>. 
Right click in the File Manager and select "Open a Terminal Here"</li> +<li>Run <code>install-tails.sh</code> and enter the Administration Password when prompted.</li> </ul> </li> <li>As the <a href="https://docs.cwtch.im/docs/platforms/tails">documentation</a> specifies, "When launching, Cwtch on Tails should be passed the CWTCH_TAILS=true environment variable". In the Terminal, run:<ul> <li><code>exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch</code></li> </ul> </li> -<li>How you use Cwtch depends on whether you have enabled Persistent Storage: <ul> -<li>With Persistent Storage disabled, Cwtch must be re-installed every session you need to use it. Backup <code>`/home/amnesia/.cwtch/`</code> to the personal data LUKS USB, and copy it back into <code>/home/amnesia/</code> the next time you install Cwtch. </li> -<li>With Persistent Storage enabled and unlocked, in Terminal run <code>sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf</code></li> -</ul> -</li> -<li>Updates must be made manually - back up your profile first.</li> +<li>With Persistent Storage disabled, Cwtch must be re-installed every session you need to use it. Backup <code>`/home/amnesia/.cwtch/`</code> to the personal data LUKS USB, and copy it back into <code>/home/amnesia/</code> the next time you install Cwtch.</li> +<li>Updates to new versions must be made manually - back up your profile first.</li> <br> </details> 
@@ -175,7 +174,7 @@ https_proxy = 127.0.0.1:8082 * **Peer-to-peer**: No * **Tor**: Not default -Element is the name of the application (the client), and Matrix is the name of the network. A comparison to email may be helpful to understand it; Element is the equivalent of Thunderbird, whereas Matrix is the equivalent of the Simple Mail Transfer Protocol (SMTP) which underlies email. Element/Matrix is not peer-to-peer; you need to trust the server. However, unlike Signal, the servers are not centralized but rather federated - anyone can host their own. Unfortunately, the 'federation model' has the trade off that Matrix does [not have metadata protection](https://web.archive.org/web/https://serpentsec.1337.cx/matrix): "Federated networks are naturally more vulnerable to metadata leaks than peer-to-peer or centralized networks". To minimize this, see [Notes on the safe use of the Matrix service from Systemli](https://wiki.systemli.org/howto/matrix/privacy). +Element is the name of the application (the client), and Matrix is the name of the network. A comparison to email may be helpful to understand it; Element is the equivalent of Thunderbird, whereas Matrix is the equivalent of the Simple Mail Transfer Protocol (SMTP) which underlies email. Element/Matrix is not peer-to-peer; you need to trust the server. However, unlike Signal, the servers are not centralized but rather federated - anyone can host their own. Unfortunately, the 'federation model' has the trade off that Matrix does [not have metadata protection](https://web.archive.org/web/https://serpentsec.1337.cx/matrix): "Federated networks are naturally more vulnerable to metadata leaks than peer-to-peer or centralized networks". To minimize this, see [Notes on the safe use of the Matrix service from Systemli](https://wiki.systemli.org/en/howto/matrix/privacy). Element will work with Tor if it is used on an operating system that forces it; such as Whonix or Tails. 
diff --git a/content/posts/tails-best/index.md b/content/posts/tails-best/index.md index c43a185..6858b53 100644 --- a/content/posts/tails-best/index.md +++ b/content/posts/tails-best/index.md @@ -4,7 +4,7 @@ date=2023-04-08 [taxonomies] categories = ["Defensive"] -tags = ["best practice", "linux", "tails", "easy"] +tags = ["linux", "tails", "easy"] [extra] blogimage="/images/tails1.png" 
@@ -138,7 +138,7 @@ Another reason to not use Persistent Storage features is that many of them persi >In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a randomized sequence of characters (letters, numbers and other symbols), whereas a [*passphrase*](/glossary/#passphrase) is a random series of words. -Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered down** - when the device is on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default from [Tails 5.13](https://tails.boum.org/security/argon2id/index.en.html) onwards, and Qubes OS 4.1 onwards. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/). +Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered down** - when the device is on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). 
The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default from Tails 6.0 ([forthcoming](https://gitlab.tails.boum.org/tails/tails/-/issues/19733)) onwards, and Qubes OS 4.1 onwards. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/). Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of around 128 bits (diceware passphrases of approximately **ten words**, or passwords of **21 random characters**, including uppercase, lowercase, numbers and symbols) and shouldn't have less than 90 bits of entropy (approximately seven words). diff --git a/themes/DeepThought/templates/categories/list.html b/themes/DeepThought/templates/categories/list.html index c78c7b0..2671db5 100644 --- a/themes/DeepThought/templates/categories/list.html +++ b/themes/DeepThought/templates/categories/list.html @@ -13,7 +13,7 @@ <p class='subtitle is-4'>{{ terms | length }} categories in total</p> <p> {% for category in terms %} - <a href="{{ get_taxonomy_url(kind='categories', name=category.name) }}" class="mr-4"> + <a href="/categories/{{category.name | lower}}" class="mr-4"> <span class="icon"> <i class="fas fa-cube"></i> </span> diff --git a/themes/DeepThought/templates/tags/list.html b/themes/DeepThought/templates/tags/list.html index 4100e8d..74780a8 100644 --- a/themes/DeepThought/templates/tags/list.html +++ b/themes/DeepThought/templates/tags/list.html 
@@ -13,7 +13,7 @@ <p class='subtitle is-4'>{{ terms | length }} tags in total</p> <p> {% for tag in terms %} - <a href="{{ get_taxonomy_url(kind='tags', name=tag.name) }}" class="mr-4"> + <a href="/tags/{{tag.name | lower}}" class="mr-4"> <span class="icon"> <i class="fas fa-tag"></i> </span> -- GitLab
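Review bot: in the e2ee/index.md hunk, the OPTIONAL bullet appends `/home/amnesia/.local source=cwtch_install` to persistence.conf, which persists all of `~/.local` (every application's state under `~/.local/share`, not only `~/.local/lib/cwtch`), and that sits oddly beside the Tails Best Practices advice the same bullet links to about keeping persistence minimal; consider narrowing the path to the Cwtch install directory. The two `sed -i '$ a ...'` commands also append unconditionally, so running the step twice leaves duplicate entries in persistence.conf; a `grep -q ... || sudo sed ...` guard avoids that. Smaller points in the same hunk: "Adminstration Password" is misspelled, "again with an Adminstration Password" refers to a prompt that is only introduced two bullets later, and the retained `<code>`/home/amnesia/.cwtch/`</code>` still carries Markdown backticks inside the HTML code tag, which render literally.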
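Review bot: in the tails-best/index.md Argon2id hunk, replacing "Tails 5.13" with "Tails 6.0 (forthcoming)" also drops the link to the Tails argon2id security page (https://tails.boum.org/security/argon2id/index.en.html) in favour of a GitLab issue; the issue tracker is a weaker reference for readers than the documentation page, so keep both, and note that the word "forthcoming" will be stale the moment 6.0 ships. It would also help to state whether the Argon2id default applies only to LUKS volumes created after the upgrade, since "from ... onwards" reads as though existing volumes are covered as well.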
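Review bot: in the categories/list.html hunk, replacing `get_taxonomy_url(kind='categories', name=category.name)` with the hand-built `/categories/{{category.name | lower}}` loses the slugification the helper performed, so any category name containing a space or a non-ASCII character (this same patch removes a tag named "best practice") yields a href with a literal space that will not match the page Zola generates. If the goal is a relative href without the site base URL, `{{ category.path }}` gives the slugified relative path of the term; otherwise pipe the name through `slugify` rather than `lower`.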
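Review bot: the tags/list.html hunk has the same problem as the categories template: `/tags/{{tag.name | lower}}` drops slugification, so multi-word or non-ASCII tag names produce hrefs that do not match the generated pages; use `{{ tag.path }}` or `tag.name | slugify` for the relative link.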