From fbfa0ea01cea6bf8a85596a18be33f158339fe0e Mon Sep 17 00:00:00 2001
From: anarsec <anarsec@riseup.net>
Date: Fri, 11 Aug 2023 16:51:25 +0000
Subject: [PATCH] tails best further updates

---
 content/posts/tails-best/index.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/content/posts/tails-best/index.md b/content/posts/tails-best/index.md
index 0bc16cf..33ac2cc 100644
--- a/content/posts/tails-best/index.md
+++ b/content/posts/tails-best/index.md
@@ -67,21 +67,22 @@ You can mitigate this first issue by [**Tor bridges**](https://tails.boum.org/do
 An *end-to-end correlation* attack is a theoretical way that a global adversary could break Tor's anonymity:
 > A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called *end-to-end correlation* attacks, because the attacker has to observe both ends of a Tor circuit at the same time. [...] End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users.
 
-You can mitigate this second issue by **not using an Internet connection that is tied to your identity**, and by **prioritizing .onion links when available**:
+You can mitigate the techniques available to powerful adversaries by **not using an Internet connection that is tied to your identity**, and by **prioritizing .onion links when available**:
 
-* Wi-Fi adapters that work through the mobile network (via SIM cards) are a bad idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile operator every time you connect, allowing identification and geographic localization. The adapter works like a mobile phone! If you do not want different research sessions to be associated with each other, do not use the same adapter or SIM card more than once!
+* "Mobile Wi-Fi" devices exist which give you Internet access through the mobile network (via SIM cards) - these are a bad idea. The unique identification number of your SIM card (IMSI) and the unique serial number of your adapter (IMEI) are also transmitted to the mobile operator every time you connect, allowing identification and geographic localization. The adapter works like a mobile phone! If you do not want different research sessions to be associated with each other, do not use the same adapter or SIM card more than once!
 * Use an Internet connection that isn't connected to you, such as in a cafe without CCTV cameras. There are several opsec considerations to keep in mind when using Wi-Fi in a public space like this. 
 	* See [below](#appendix-2-location-location-location) for more information on choosing a location.  
 	* Do not get into a routine of using the same cafes repeatedly if you can avoid it. 
 	* If you have to buy a coffee to get the Wi-Fi password, pay in cash! 
-	* Position yourself with your back against a wall so that no one can "shoulder surf" to see your screen, and ideally install a privacy screen on your laptop. 
-	* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. One person in charge of a darknet marketplace had his Tails computer seized while distracted by a fake fight next to him. Similar tactics have been used [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt with a short piece of fishing line, the police would most likely have lost all evidence when the Tails USB was pulled out - note that [Tails warns](https://tails.boum.org/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage." A more technical equivalent is [BusKill](https://docs.buskill.in/buskill-app/en/stable/introduction/what.html) - however, we only recommend buying this in person, such as at a conference. Any mail can be [intercepted](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction) and altered, making it [malicious](https://en.wikipedia.org/wiki/BadUSB). If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. If maintaining situational awareness seems unrealistic, consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings.
+	* Position yourself with your back against a wall so that no one can "shoulder surf" to see your screen, and ideally install a [privacy screen](/posts/tails/#privacy-screen) on your laptop. 
+	* Maintain situational awareness and be ready to pull out the Tails USB to shut down the computer at a moment's notice. One person in charge of a darknet marketplace had his Tails computer seized while distracted by a fake fight next to him. Similar tactics have been used [in other police operations](https://dys2p.com/en/2023-05-luks-security.html#attacks). If his Tails USB had been attached to a belt with a short piece of fishing line, the police would most likely have lost all evidence when the Tails USB was pulled out - note that [Tails warns](https://tails.boum.org/doc/first_steps/shutdown/index.en.html) "Only physically remove the USB stick in case of emergency as doing so can sometimes break the file system of the Persistent Storage." A more technical equivalent is [BusKill](https://docs.buskill.in/buskill-app/en/stable/introduction/what.html) - however, we only recommend buying this in person, such as at a conference (because any mail can be [intercepted](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction) and altered, making the hardware [malicious](https://en.wikipedia.org/wiki/BadUSB)). If the Tails USB is removed, Tails will shut down and [overwrite the RAM with random data](https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html). Any LUKS USBs that were unlocked in the Tails session will now be encrypted again. If maintaining situational awareness seems unrealistic, consider asking a trusted friend to hang out who can dedicate themselves to keeping an eye on your surroundings.
 	* If coffee shops without CCTV cameras are few and far between, you can try accessing a coffee shop's Wi-Fi from outside, out of view of the cameras. Some external Wi-Fi adapters can pick up signals from further away, as discussed [below](#appendix-2-location-location-location). 
-* As described in the quotation above, a global adversary (i.e. the NSA) may be capable of breaking Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic). If this happens, the Internet address you used in a coffee shop without CCTV cameras will only lead to your general area (e.g. your city) because it is not associated with you. Of course, this is less true if you use it routinely. Correlation attacks are even less feasible against connections to an .onion address because you never leave the Tor network, so there is no "end" to correlate with through network traffic analysis. 
-* What we will term a "reverse correlation attack" is possible by a non-global adversary (i.e. local law enforcement), if you are already in their sights and a target of [physical surveillance](https://www.csrc.link/threat-library/techniques/physical-surveillance/covert.html) and/or [digital surveillance](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance.html). A correlation attack used to deanonymize a Tor user is unprecedented in current evidence used in court, although [a "reverse correlation attack" has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as corroborating evidence - a suspect had already been identified, which allowed investigators to correlate their local footprint with specific online activity. Specifically, they correlated Tor network traffic coming from the suspect's house with the times their anonymous alias was online in chatrooms. To explain how this works, it helps if you have a basic understanding of what Tor information is visible to various third parties - see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https). For a normal correlation attack, the investigator will need to start from after Tor's exit node: try to correlate the user's online activities to an enormous amount of global data. However, if a suspect is already identified, the investigator can then do a "reverse correlation attack" and start from before Tor's entry node: **try to correlate the suspect's physical or digital footprint to specific online activity**. For your physical footprint, a surveillance operation can note that you go to a cafe regularly, then try to correlate this with online activity they suspect you of (for example, if they suspect you are a website moderator, they can try to correlate to when articles are posted). 
For your digital footprint, if you are using Internet from home, an investigator can log all your Tor traffic and then try to correlate it with when articles are posted to this anarchist website.
+* As described in the quotation above, a global adversary (i.e. the NSA) may be capable of breaking Tor through a [correlation attack](https://anonymousplanet.org/guide.html#your-anonymized-torvpn-traffic). If this happens, the Internet address you used in a coffee shop without CCTV cameras will only lead to your general area (e.g. your city) because it is not associated with you. Of course, this is less true if you use it routinely. Correlation attacks are even less feasible against connections to an .onion address because you never leave the Tor network, so there is no "end" to correlate with through network traffic analysis (if the server location is unknown to the adversary because a clearnet site is not also hosted on the same server).  
+* What we will term a "targeted" correlation attack is possible by a non-global adversary (i.e. local law enforcement), if you are already in their sights and a target of [physical surveillance](https://www.csrc.link/threat-library/techniques/physical-surveillance/covert.html) and/or [digital surveillance](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance.html) - this is a subtype of correlation attack where the presumed target is already known, thus making the attack easier to achieve. This is because it vastly reduces the amount of data to filter through for correlation. A non-targeted correlation attack used to deanonymize a Tor user is unprecedented in current evidence used in court, although [a "targeted" correlation attack has been used](https://medium.com/beyond-install-tor-signal/case-file-jeremy-hammond-514facc780b8) as corroborating evidence - a suspect had already been identified, which allowed investigators to correlate their local footprint with specific online activity. Specifically, they correlated Tor network traffic coming from the suspect's house with the times their anonymous alias was online in chatrooms. To explain how this works, it helps if you have a basic understanding of what Tor information is visible to various third parties - see the EFF's [interactive graphic](https://www.eff.org/pages/tor-and-https). For a non-targeted correlation attack, the investigator will need to **start from after Tor's exit node**: take the specific online activity coming from the exit node and try to correlate it with an enormous amount of global data that is entering Tor entry nodes. However, if a suspect is already identified, the investigator can instead do a "targeted" correlation attack and **start from before Tor's entry node**: take the data entering the entry node (via **the suspect's physical or digital footprint**) and try to correlate it with **specific online activity** coming from the exit node. 
A more sophisticated analysis of the specific online activity would involve logging the connections to the server for detailed comparison, and a simple analysis would be something that is publically visible to anyone (such as when your alias is online in a chatroom, or when a post is published to a website). For your physical footprint, a surveillance operation can note that you go to a cafe regularly, then try to correlate this with online activity they suspect you of (for example, if they suspect you are a website moderator, they can try to correlate these time windows with web moderator activity). For your digital footprint, if you are using Internet from home, an investigator can log all your Tor traffic and then try to correlate it with web moderator activity.
 	* Possible mitigations in this scenario include **doing [surveillance detection](https://www.csrc.link/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://www.csrc.link/threat-library/mitigations/anti-surveillance.html) before going to a coffee shop**, and changing Wi-Fi locations regularly. For projects like moderating a website that require daily Internet access, this may not be particularly realistic. In that case, the ideal mitigation is to **use a Wi-Fi antenna from indoors** (guide coming soon) - a physical surveillance effort won't see you entrying a cafe, and a digital surveillance effort won't see anything on your home Internet. If this is too technical for you, you may even want to **use your home internet** for some projects that require very frequent internet access. This contradicts the previous advice to not use your personal Wi-Fi. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from (especially if you intentionally [make correlation attacks more difficult](/posts/tails/#make-correlation-attacks-more-difficult)). 
 	* If you want to submit a report-back the morning after a riot, or a communique shortly after an action (times when there may be a higher risk of targeted surveillance), consider waiting and at least taking surveillance detection and anti-surveillance measures beforehand. In 2010, the morning after a bank arson in Canada, police surveilled a suspect as he traveled from his home to an Internet cafe, and watched him post the communique and then bury the laptop in the woods. More recently, investigators physically surveilling [an anarchist in France](https://www.csrc.link/#quelques-premiers-elements-du-dossier-d-enquete-contre-ivan) installed a hidden camera to monitor access to an Internet cafe near the comrade's home and requested CCTV footage for the day an arson communique was sent.  
-* To summarize: For highly sensitive activities, use Internet from a random cafe, preceeded by surveillance detection just like you would prior to a direct action. For activities that require frequent internet access such that the random cafe model isn't sustainable, it's best to use a Wi-Fi antenna positioned behind a window to access from a few kilometers away. If this is too technical for you, using your home Wi-Fi is an option, but requires putting faith in it being difficult to break Tor with a correlation attack, and it being difficult to draw meaningful conclusions from your home's Tor traffic through a "reverse correlation attack". 
+
+To summarize: For highly sensitive activities, use Internet from a random cafe, preceeded by surveillance detection just like you would prior to a direct action. For activities that require frequent internet access such that the random cafe model isn't sustainable, it's best to use a Wi-Fi antenna positioned behind a window to access from a few kilometers away. If this is too technical for you, using your home Wi-Fi is an option, but requires putting faith in it being difficult to break Tor with a correlation attack, and it being difficult to draw meaningful conclusions from your home's Tor traffic through a "reverse correlation attack". 
 
 ## Reducing risks when using untrusted computers
 
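Review bot: the new summary paragraph at the end of the hunk ("To summarize: ...") still calls the attack a "reverse correlation attack", while the rewritten bullet earlier in the same hunk renames it to a "targeted" correlation attack ('What we will term a "targeted" correlation attack'); update the summary to the new term so the page does not use two names for one concept. In that same paragraph, "preceeded" should be "preceded". In the .onion bullet, the added parenthetical "(if the server location is unknown to the adversary because a clearnet site is not also hosted on the same server)" is hard to parse; suggest "(assuming the adversary does not already know the server's location, for example because the same server also hosts a clearnet site)". In the "targeted" bullet, "publically" should be "publicly", and "i.e. the NSA" / "i.e. local law enforcement" are examples rather than definitions, so "e.g." fits. The unchanged mitigations sub-bullet in the context lines has "entrying a cafe" ("entering"); worth fixing while this file is open.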
-- 
GitLab