mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2026-05-25 12:51:25 +00:00
style!: Remove all mkdocs-material icon references
@@ -254,7 +254,7 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
|
||||
▸ requestList: 1 item
|
||||
▸ Request
|
||||
▸ reqCert
|
||||
serialNumber
|
||||
serialNumber
|
||||
```
|
||||
|
||||
For the "Response" we can also see the "serial number":
|
||||
@@ -295,7 +295,7 @@ graph TB
|
||||
obnoxious --> | No | ispDNS{Does ISP support<br> encrypted DNS?}
|
||||
ispDNS --> | Yes | useISP(Use<br> encrypted DNS<br> with ISP)
|
||||
ispDNS --> | No | nothing(Do nothing)
|
||||
```
|
||||
```
|
||||
|
||||
Encrypted DNS with a third party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences, or you're interested in a provider that does some rudimentary filtering.
|
||||
|
||||
@@ -345,23 +345,23 @@ This feature does come at a privacy cost, as it tells the DNS server some inform
|
||||
|
||||
If you have `dig` installed you can test whether your DNS provider gives EDNS information out to DNS nameservers with the following command:
|
||||
|
||||
```bash
|
||||
```bash
|
||||
dig +nocmd -t txt o-o.myaddr.l.google.com +nocomments +noall +answer +stats
|
||||
```
|
||||
```
|
||||
|
||||
Note that this command will contact Google for the test, and return your IP as well as EDNS client subnet information. If you want to test another DNS resolver you can specify their IP, to test `9.9.9.11` for example:
|
||||
|
||||
```bash
|
||||
```bash
|
||||
dig +nocmd @9.9.9.11 -t txt o-o.myaddr.l.google.com +nocomments +noall +answer +stats
|
||||
```
|
||||
```
|
||||
|
||||
If the results include a second edns0-client-subnet TXT record (like shown below), then your DNS server is passing along EDNS information. The IP or network shown after is the precise information which was shared with Google by your DNS provider.
|
||||
|
||||
```text
|
||||
```text
|
||||
o-o.myaddr.l.google.com. 60 IN TXT "198.51.100.32"
|
||||
o-o.myaddr.l.google.com. 60 IN TXT "edns0-client-subnet 198.51.100.0/24"
|
||||
;; Query time: 64 msec
|
||||
;; SERVER: 9.9.9.11#53(9.9.9.11)
|
||||
;; WHEN: Wed Mar 13 10:23:08 CDT 2024
|
||||
;; MSG SIZE rcvd: 130
|
||||
```
|
||||
```
|
||||
|
||||
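Review bot: The `bash` and `text` opening fences and their closing fences are listed as changed around both `dig` commands and the sample output, while the command and output lines between them stay as context, and the old and new fence lines read the same here. If this is an indentation change, please confirm that each fence and its body still share the same indentation, so the rendered commands do not pick up leading spaces when a reader copies them.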
@@ -31,13 +31,13 @@ If you have [cryptocurrency](../../../tools/software/cryptocurrency/index.md), y
|
||||
|
||||
When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy (more on this below). Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero.
|
||||
|
||||
- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../../../tools/services/financial-services/index.md#gift-card-marketplaces)
|
||||
- [Online Gift Card Marketplaces](../../../tools/services/financial-services/index.md#gift-card-marketplaces)
|
||||
|
||||
## Virtual Cards
|
||||
|
||||
Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information.
|
||||
|
||||
- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../../../tools/services/financial-services/index.md#payment-masking-services)
|
||||
- [Recommended Payment Masking Services](../../../tools/services/financial-services/index.md#payment-masking-services)
|
||||
|
||||
These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions.
|
||||
|
||||
@@ -54,7 +54,7 @@ Cryptocurrencies are a digital form of currency designed to work without central
|
||||
|
||||
There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors.
|
||||
|
||||
- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../../../tools/software/cryptocurrency/index.md#monero)
|
||||
- [Recommended Cryptocurrency](../../../tools/software/cryptocurrency/index.md#monero)
|
||||
|
||||
Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can trace (at least to some extent) Bitcoin Lightning Network and/or Monero transactions. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million to further develop tools to do so. Due to the secrecy surrounding tools like these, <mark>none of these methods of tracing cryptocurrencies have been independently confirmed.</mark> However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins in their current form only succeed in thwarting mass surveillance.
|
||||
|
||||
|
||||
@@ -8,15 +8,15 @@ description: Tor is a free to use, decentralized network designed for using the
|
||||
|
||||
[**Tor**](../../../tools/advanced/alternative-networks/index.md#tor) is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
|
||||
|
||||
[:material-movie-open-play-outline: Video: Why You Need Tor](https://www.privacyguides.org/videos/2025/03/02/why-you-need-tor)
|
||||
[Video: Why You Need Tor](https://www.privacyguides.org/videos/2025/03/02/why-you-need-tor)
|
||||
|
||||
Tor works by routing your internet traffic through volunteer-operated servers instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
|
||||
|
||||
[:octicons-home-16:](https://torproject.org)
|
||||
[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion)
|
||||
[:octicons-info-16:](https://tb-manual.torproject.org)
|
||||
[:octicons-code-16:](https://gitlab.torproject.org/tpo/core/tor)
|
||||
[:octicons-heart-16:](https://donate.torproject.org)
|
||||
[Homepage](https://torproject.org)
|
||||
[Onion Service](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion)
|
||||
[Documentation](https://tb-manual.torproject.org)
|
||||
[Source Code](https://gitlab.torproject.org/tpo/core/tor)
|
||||
[Contribute](https://donate.torproject.org)
|
||||
{ .pg:buttons }
|
||||
|
||||
## Safely Connecting to Tor
|
||||
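Review bot: The replacement label in `[Contribute](https://donate.torproject.org)` is broader than its target, which is the donation page; "Donate" would tell the reader what the button does. The other four labels (Homepage, Onion Service, Documentation, Source Code) match their URLs.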
@@ -180,7 +180,7 @@ Though Tor does provide strong privacy guarantees, one must be aware that Tor is
|
||||
|
||||
If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
|
||||
|
||||
- [Tor Browser :material-arrow-right-drop-circle:](../../../tools/software/tor/index.md#tor-browser)
|
||||
- [Tor Browser](../../../tools/software/tor/index.md#tor-browser)
|
||||
|
||||
### Protections provided by bridges
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ description: Privacy isn't a straightforward topic, and it's easy to get caught
|
||||
|
||||
These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. <mark>Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.</mark> When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
|
||||
|
||||
Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities known as [:material-package-variant-closed-remove: Supply Chain Attacks](../common-threats/index.md#attacks-against-certain-organizations){ .pg-viridian }, which are discussed further in our [Common Threats](../common-threats/index.md) page.[^1]
|
||||
Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities known as [Supply Chain Attacks](../common-threats/index.md#attacks-against-certain-organizations){ .pg-viridian }, which are discussed further in our [Common Threats](../common-threats/index.md) page.[^1]
|
||||
|
||||
On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
|
||||
|
||||
|
||||
@@ -6,47 +6,47 @@ description: Your threat model is personal to you, but these are some of the thi
|
||||
|
||||
Broadly speaking, we categorize our recommendations into the [threats](../threat-modeling/index.md) or goals that apply to most people. <mark>You may be concerned with none, one, a few, or all of these possibilities</mark>, and the tools and services you use depend on what your goals are. You may have specific threats outside these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.
|
||||
|
||||
<span class="pg-purple">:material-incognito: **Anonymity**</span>
|
||||
<span class="pg-purple">**Anonymity**</span>
|
||||
|
||||
: Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
|
||||
: Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
|
||||
|
||||
<span class="pg-red">:material-target-account: **Targeted Attacks**</span>
|
||||
<span class="pg-red">**Targeted Attacks**</span>
|
||||
|
||||
: Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
|
||||
: Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
|
||||
|
||||
<span class="pg-viridian">:material-package-variant-closed-remove: **Supply Chain Attacks**</span>
|
||||
<span class="pg-viridian">**Supply Chain Attacks**</span>
|
||||
|
||||
: Typically, a form of <span class="pg-red">:material-target-account: Targeted Attack</span> that centers around a vulnerability or exploit introduced into otherwise good software either directly or through a dependency from a third party.
|
||||
: Typically, a form of <span class="pg-red">Targeted Attack</span> that centers around a vulnerability or exploit introduced into otherwise good software either directly or through a dependency from a third party.
|
||||
|
||||
<span class="pg-orange">:material-bug-outline: **Passive Attacks**</span>
|
||||
<span class="pg-orange">**Passive Attacks**</span>
|
||||
|
||||
: Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
|
||||
: Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
|
||||
|
||||
<span class="pg-teal">:material-server-network: **Service Providers**</span>
|
||||
<span class="pg-teal">**Service Providers**</span>
|
||||
|
||||
: Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
|
||||
: Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
|
||||
|
||||
<span class="pg-blue">:material-eye-outline: **Mass Surveillance**</span>
|
||||
<span class="pg-blue">**Mass Surveillance**</span>
|
||||
|
||||
: Protection from government agencies, organizations, websites, and services which work together to track your activities.
|
||||
: Protection from government agencies, organizations, websites, and services which work together to track your activities.
|
||||
|
||||
<span class="pg-brown">:material-account-cash: **Surveillance Capitalism**</span>
|
||||
<span class="pg-brown">**Surveillance Capitalism**</span>
|
||||
|
||||
: Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
|
||||
: Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
|
||||
|
||||
<span class="pg-green">:material-account-search: **Public Exposure**</span>
|
||||
<span class="pg-green">**Public Exposure**</span>
|
||||
|
||||
: Limiting the information about you that is accessible online—to search engines or the public.
|
||||
: Limiting the information about you that is accessible online—to search engines or the public.
|
||||
|
||||
<span class="pg-blue-gray">:material-close-outline: **Censorship**</span>
|
||||
<span class="pg-blue-gray">**Censorship**</span>
|
||||
|
||||
: Avoiding censored access to information or being censored yourself when speaking online.
|
||||
: Avoiding censored access to information or being censored yourself when speaking online.
|
||||
|
||||
Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with <span class="pg-viridian">:material-package-variant-closed-remove: Supply Chain Attacks</span> and <span class="pg-red">:material-target-account: Targeted Attacks</span>. They will likely still want to protect their personal data from being swept up in <span class="pg-blue">:material-eye-outline: Mass Surveillance</span> programs. Similarly, many people may be primarily concerned with <span class="pg-green">:material-account-search: Public Exposure</span> of their personal data, but they should still be wary of security-focused issues, such as <span class="pg-orange">:material-bug-outline: Passive Attacks</span>—like malware affecting their devices.
|
||||
Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with <span class="pg-viridian">Supply Chain Attacks</span> and <span class="pg-red">Targeted Attacks</span>. They will likely still want to protect their personal data from being swept up in <span class="pg-blue">Mass Surveillance</span> programs. Similarly, many people may be primarily concerned with <span class="pg-green">Public Exposure</span> of their personal data, but they should still be wary of security-focused issues, such as <span class="pg-orange">Passive Attacks</span>—like malware affecting their devices.
|
||||
|
||||
## Anonymity vs. Privacy
|
||||
|
||||
<span class="pg-purple">:material-incognito: Anonymity</span>
|
||||
<span class="pg-purple">Anonymity</span>
|
||||
|
||||
Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.
|
||||
|
||||
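Review bot: With the icons gone, the category tags in the paragraph beginning "Some of these threats may be more important to you", such as `<span class="pg-viridian">Supply Chain Attacks</span>`, are set apart from the surrounding sentence only by their colour class. Consider giving the `pg-*` styles a non-colour cue (weight or underline, say) so the tags stay recognisable for readers who cannot rely on colour.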
@@ -54,7 +54,7 @@ Whistleblowers and journalists, for example, can have a much more extreme threat
|
||||
|
||||
## Security and Privacy
|
||||
|
||||
<span class="pg-orange">:material-bug-outline: Passive Attacks</span>
|
||||
<span class="pg-orange">Passive Attacks</span>
|
||||
|
||||
Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)
|
||||
|
||||
@@ -67,24 +67,22 @@ To minimize the damage that a malicious piece of software *could* do, you should
|
||||
>
|
||||
> Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../../tools/os/desktop/index.md#qubes-os).
|
||||
|
||||
|
||||
## Attacks against Specific Individuals
|
||||
|
||||
<span class="pg-red">:material-target-account: Targeted Attacks</span>
|
||||
<span class="pg-red">Targeted Attacks</span>
|
||||
|
||||
Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.
|
||||
|
||||
> [!TIP]
|
||||
> By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.
|
||||
|
||||
|
||||
If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://learn.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
|
||||
|
||||
## Attacks against Certain Organizations
|
||||
|
||||
<span class="pg-viridian">:material-package-variant-closed-remove: Supply Chain Attacks</span>
|
||||
<span class="pg-viridian">Supply Chain Attacks</span>
|
||||
|
||||
Supply chain attacks are frequently a form of <span class="pg-red">:material-target-account: Targeted Attack</span> towards businesses, governments, and activists, although they can end up compromising the public at large as well.
|
||||
Supply chain attacks are frequently a form of <span class="pg-red">Targeted Attack</span> towards businesses, governments, and activists, although they can end up compromising the public at large as well.
|
||||
|
||||
> [!NOTE]
|
||||
> A notable example of this occurred in 2017 when M.E.Doc, a popular accounting software in Ukraine, was infected with the *NotPetya* virus, subsequently infecting people who downloaded that software with ransomware. NotPetya itself was a ransomware attack which impacted 2000+ companies in various countries, and was based on the *EternalBlue* exploit developed by the NSA to attack Windows computers over the network.
|
||||
@@ -105,7 +103,7 @@ These sorts of attacks can require a lot of time and preparation to perform and
|
||||
|
||||
## Privacy from Service Providers
|
||||
|
||||
<span class="pg-teal">:material-server-network: Service Providers</span>
|
||||
<span class="pg-teal">Service Providers</span>
|
||||
|
||||
We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.
|
||||
|
||||
@@ -124,7 +122,7 @@ Even with E2EE, service providers can still profile you based on **metadata**, w
|
||||
|
||||
## Mass Surveillance Programs
|
||||
|
||||
<span class="pg-blue">:material-eye-outline: Mass Surveillance</span>
|
||||
<span class="pg-blue">Mass Surveillance</span>
|
||||
|
||||
Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
|
||||
|
||||
@@ -150,7 +148,7 @@ If you're concerned about mass surveillance programs, you can use strategies lik
|
||||
|
||||
## Surveillance as a Business Model
|
||||
|
||||
<span class="pg-brown">:material-account-cash: Surveillance Capitalism</span>
|
||||
<span class="pg-brown">Surveillance Capitalism</span>
|
||||
|
||||
> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]
|
||||
|
||||
@@ -160,11 +158,11 @@ Additionally, even companies outside the *AdTech* or tracking industry can share
|
||||
|
||||
## Limiting Public Information
|
||||
|
||||
<span class="pg-green">:material-account-search: Public Exposure</span>
|
||||
<span class="pg-green">Public Exposure</span>
|
||||
|
||||
The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.
|
||||
|
||||
- [View our guide on account deletion :material-arrow-right-drop-circle:](../account-deletion/index.md)
|
||||
- [View our guide on account deletion](../account-deletion/index.md)
|
||||
|
||||
On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.
|
||||
|
||||
@@ -172,7 +170,7 @@ If you've already submitted your real information to sites which shouldn't have
|
||||
|
||||
## Avoiding Censorship
|
||||
|
||||
<span class="pg-blue-gray">:material-close-outline: Censorship</span>
|
||||
<span class="pg-blue-gray">Censorship</span>
|
||||
|
||||
Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
|
||||
|
||||
@@ -185,7 +183,6 @@ People concerned with the threat of censorship can use technologies like [Tor](.
|
||||
>
|
||||
> You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../../advanced/dns-overview/index.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
|
||||
|
||||
|
||||
You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.
|
||||
|
||||
[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
|
||||
|
||||
@@ -40,7 +40,6 @@ Most computers and phones come equipped with a TPM (or a similar secure cryptopr
|
||||
> [!NOTE]
|
||||
> Virtual TPMs are susceptible to side-channel attacks and external TPMs, as a result of being separate from the CPU on the motherboard, are vulnerable to [sniffing](https://pulsesecurity.co.nz/articles/TPM-sniffing) when an attacker has access to the hardware. The solution to this problem is to include the secure processor inside the CPU itself, which is the case for Apple's chips and Microsoft's [Pluton](https://microsoft.com/en-us/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs).
|
||||
|
||||
|
||||
### Biometrics
|
||||
|
||||
Many devices come equipped with a fingerprint reader or face recognition capabilities. These can be very convenient, but they aren't perfect and sometimes fail. Most devices will fall back to a PIN or password when this happens, meaning that the security of your devices is still only as good as your password.
|
||||
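Review bot: No icon reference appears in this hunk; the header `-40,7 +40,6` shows one line dropped, apparently one of the blank lines between the `> [!NOTE]` callout and `### Biometrics`. Rendering is unaffected as long as one blank line remains before the heading, but the change is outside what the commit title describes, so either note it in the message or move the blank-line cleanup to its own commit.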
@@ -52,7 +51,6 @@ Most implementations of face authentication require you to be looking at your ph
|
||||
> [!WARNING]
|
||||
> Some devices do not have the proper hardware for secure face authentication. There are two main types of face authentication: 2D and 3D. 3D face authentication makes use of a dot projector that lets the device create a 3D depth map of your face. Make sure that your device has this capability.
|
||||
|
||||
|
||||
Android defines three [security classes](https://source.android.com/docs/security/features/biometric/measure#biometric-classes) for biometrics; you should check that your device is Class 3 before enabling biometrics.
|
||||
|
||||
### Device Encryption
|
||||
@@ -69,8 +67,8 @@ Some threats can't be protected against by your internal components alone. Many
|
||||
|
||||
Hardware keys are devices that use strong cryptography to authenticate you to a device or account. The idea is that because they can not be copied, you can use them to secure accounts in such a way that they can only be accessed with physical possession of the key, eliminating many remote attacks.
|
||||
|
||||
[Recommended Hardware Keys :material-arrow-right-drop-circle:](../../../tools/hardware/security-keys/index.md)
|
||||
[Learn More about Hardware Keys :material-arrow-right-drop-circle:](../multi-factor-authentication/index.md#hardware-security-keys)
|
||||
[Recommended Hardware Keys](../../../tools/hardware/security-keys/index.md)
|
||||
[Learn More about Hardware Keys](../multi-factor-authentication/index.md#hardware-security-keys)
|
||||
{ .pg:buttons }
|
||||
|
||||
### Camera/Microphone
|
||||
@@ -80,7 +78,6 @@ If you don't want to trust your OS's permission controls to prevent the camera f
|
||||
> [!WARNING]
|
||||
> You should only buy covers that fit your laptop and won't cause damage when you close the lid. Covering the camera will interfere with automatic brightness and face authentication features.
|
||||
|
||||
|
||||
For microphone access, in most cases you will need to trust your OS's built-in permission controls. Alternatively, buy a device that doesn't have a built-in microphone and use an external microphone that you can unplug when you're done using it. Some devices, like a [MacBook or an iPad](https://support.apple.com/guide/security/hardware-microphone-disconnect-secbbd20b00b/web), feature a hardware disconnect for the microphone when you close the lid.
|
||||
|
||||
Many computers have a BIOS option to disable the camera and microphone. When disabled there, the hardware won't even appear as a device on a booted system.
|
||||
@@ -132,7 +129,6 @@ Your router handles all your network traffic and acts as your first line of defe
|
||||
> [!NOTE]
|
||||
> A lot of routers come with storage to put your files on so you can access them from any computer on your network. We recommend you don't use networking devices for things other than networking. In the event your router was compromised, your files would also be compromised.
|
||||
|
||||
|
||||
The most important thing to think about with routers is keeping them up-to-date. Many modern routers will automatically install updates, but many others won't. You should check on your router's settings page for this option. That page can usually be accessed by typing `192.168.1.1` or `192.168.0.1` into the URL bar of any browser assuming you're on the same network. You can also check in the network settings of your OS for "router" or "gateway".
|
||||
|
||||
If your router does not support automatic updates, you will need to go to the manufacturer's site to download the updates and apply them manually.
|
||||
|
||||
@@ -78,7 +78,7 @@ One metric to determine the strength of a diceware passphrase is how much entrop
|
||||
<mn>2</mn>
|
||||
</msub>
|
||||
<mo form="prefix" stretchy="false">(</mo>
|
||||
<mtext>WordsInList</mtext>
|
||||
<mtext>WordsInList</mtext>
|
||||
<mo form="postfix" stretchy="false">)</mo>
|
||||
</mrow>
|
||||
</math> and the overall entropy of the passphrase is calculated as: <math>
|
||||
@@ -103,7 +103,7 @@ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy
|
||||
<mn>2</mn>
|
||||
</msub>
|
||||
<mo form="prefix" stretchy="false">(</mo>
|
||||
<mn>7776</mn>
|
||||
<mn>7776</mn>
|
||||
<mo form="postfix" stretchy="false">)</mo>
|
||||
</mrow>
|
||||
</math>), and a seven word passphrase derived from it has ~90.47 bits of entropy (<math>
|
||||
@@ -122,10 +122,10 @@ Therefore, each word in the aforementioned list results in ~12.9 bits of entropy
|
||||
</math>).
|
||||
|
||||
The [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is <math>
|
||||
<msup>
|
||||
<mtext>WordsInList</mtext>
|
||||
<mtext>WordsInPhrase</mtext>
|
||||
</msup>
|
||||
<msup>
|
||||
<mtext>WordsInList</mtext>
|
||||
<mtext>WordsInPhrase</mtext>
|
||||
</msup>
|
||||
</math>, or in our case, <math><msup><mn>7776</mn><mn>7</mn></msup></math>.
|
||||
|
||||
Let's put all of this in perspective: A seven word passphrase using [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
|
||||
|
||||
@@ -73,23 +73,23 @@ These questions can apply to a wide variety of situations, online and offline. A
|
||||
|
||||
**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
|
||||
|
||||
: Your assets might include jewelry, electronics, important documents, or photos.
|
||||
: Your assets might include jewelry, electronics, important documents, or photos.
|
||||
|
||||
**Who do you want to protect it from?**
|
||||
|
||||
: Your adversaries might include burglars, roommates, or guests.
|
||||
: Your adversaries might include burglars, roommates, or guests.
|
||||
|
||||
**How likely is it that you will need to protect it?**
|
||||
|
||||
: Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
|
||||
: Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?
|
||||
|
||||
**How bad are the consequences if you fail?**
|
||||
|
||||
: Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
|
||||
: Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?
|
||||
|
||||
**How much trouble are you willing to go through to prevent these consequences?**
|
||||
|
||||
: Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
|
||||
: Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
|
||||
|
||||
Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
|
||||
|
||||
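Review bot: The five definition lines in this hunk (`: Your assets might include …` through `: Are you willing to buy a safe …`) are removed and re-added with identical visible text, so the change here is whitespace only, which the commit title "Remove all mkdocs-material icon references" does not cover. If the re-indentation after the `:` marker is intentional, say so in the commit message or split it into its own commit, and confirm the definition lists still render, since the spacing after `:` can matter to the Markdown parser.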
@@ -99,7 +99,7 @@ Making a security plan will help you to understand the threats that are unique t
|
||||
|
||||
For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations.
|
||||
|
||||
- [Common Goals and Threats :material-arrow-right-drop-circle:](../common-threats/index.md)
|
||||
- [Common Goals and Threats](../common-threats/index.md)
|
||||
|
||||
## Sources
|
||||
|
||||
|
||||
@@ -7,7 +7,7 @@ description: Virtual Private Networks shift risk away from your ISP to a third-p
|
||||
|
||||
Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world.
|
||||
|
||||
[:material-movie-open-play-outline: Video: Do you need a VPN?](https://www.privacyguides.org/videos/2024/12/12/do-you-need-a-vpn)
|
||||
[Video: Do you need a VPN?](https://www.privacyguides.org/videos/2024/12/12/do-you-need-a-vpn)
|
||||
{ .pg:buttons }
|
||||
|
||||
Normally, an ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../../advanced/dns-overview/index.md#why-shouldnt-i-use-encrypted-dns).
|
||||
@@ -17,7 +17,6 @@ Using a VPN hides even this information from your ISP, by shifting the trust you
|
||||
> [!NOTE]
|
||||
> When we refer to "Virtual Private Networks" on this website, we are usually referring to **commercial** [VPN providers](../../../tools/services/vpn/index.md), who you pay a monthly fee to in exchange for routing your internet traffic securely through their public servers. There are many other forms of VPN, such as ones you host yourself or ones operated by workplaces which allow you to securely connect to internal/employee network resources, however, these VPNs are usually designed for accessing remote networks securely, rather than protecting the privacy of your internet connection.
|
||||
|
||||
|
||||
## How does a VPN work?
|
||||
|
||||
VPNs encrypt your traffic between your device and a server owned by your VPN provider. From the perspective of anyone between you and the VPN server, it looks like you're connecting to the VPN server. From the perspective of anyone between the VPN server and your destination site, all they can see is the VPN server connecting to the website.
|
||||
|
||||
@@ -14,25 +14,25 @@ Many people get the concepts of **privacy**, **security**, and **anonymity** con
|
||||
<!-- markdownlint-disable-next-line -->
|
||||
**Privacy**
|
||||
|
||||
: <mark>Privacy is the assurance that your data is only seen by the parties you intend to view it.</mark> In the context of an instant messenger, for example, end-to-end encryption provides privacy by keeping your message visible only to yourself and the recipient.
|
||||
: <mark>Privacy is the assurance that your data is only seen by the parties you intend to view it.</mark> In the context of an instant messenger, for example, end-to-end encryption provides privacy by keeping your message visible only to yourself and the recipient.
|
||||
|
||||
<!-- markdownlint-disable-next-line -->
|
||||
**Security**
|
||||
|
||||
: Security is the ability to trust the applications you use—that the parties involved are who they say they are—and keep those applications safe. In the context of browsing the web, for example, security can be provided by HTTPS certificates.
|
||||
: Security is the ability to trust the applications you use—that the parties involved are who they say they are—and keep those applications safe. In the context of browsing the web, for example, security can be provided by HTTPS certificates.
|
||||
|
||||
: Certificates prove you are talking directly to the website you're visiting, and keep attackers on your network from reading or modifying the data sent to or from the website.
|
||||
: Certificates prove you are talking directly to the website you're visiting, and keep attackers on your network from reading or modifying the data sent to or from the website.
|
||||
|
||||
<!-- markdownlint-disable-next-line -->
|
||||
**Anonymity**
|
||||
|
||||
: Anonymity is the ability to act without a persistent identifier. You might achieve this online with [Tor](../../../tools/software/tor/index.md), which allows you to browse the internet with a random IP address and network connection instead of your own.
|
||||
: Anonymity is the ability to act without a persistent identifier. You might achieve this online with [Tor](../../../tools/software/tor/index.md), which allows you to browse the internet with a random IP address and network connection instead of your own.
|
||||
|
||||
: **Pseudonymity** is a similar concept, but it allows you to have a persistent identifier without it being tied to your real identity. If everybody knows you as `@GamerGuy12` online, but nobody knows your real name, that is your pseudonym.
|
||||
: **Pseudonymity** is a similar concept, but it allows you to have a persistent identifier without it being tied to your real identity. If everybody knows you as `@GamerGuy12` online, but nobody knows your real name, that is your pseudonym.
|
||||
|
||||
All of these concepts overlap, but it is possible to have any combination of these. The sweet spot for most people is when all three of these concepts overlap. However, it's trickier to achieve than many initially believe. Sometimes, you have to compromise on some of these, and that's okay too. This is where **threat modeling** comes into play, allowing you to make informed decisions about the [software and services](../../../tools/_index.md) you use.
|
||||
|
||||
[:material-book-outline: Learn More About Threat Modeling](../threat-modeling/index.md)
|
||||
[Learn More About Threat Modeling](../threat-modeling/index.md)
|
||||
{ .pg:buttons }
|
||||
|
||||
## Privacy vs. Secrecy
|
||||
@@ -51,7 +51,8 @@ Take cookie consent forms, for example. You may encounter these dozens of times
|
||||
|
||||
Privacy is something we need to have baked into the [software and services](../../../tools/_index.md) we use by default, you can't bend most apps into being private on your own.
|
||||
|
||||
[:material-movie-open-play-outline: Video: 5 Steps to Improve Your Privacy](https://www.privacyguides.org/videos/2025/02/14/5-easy-steps-to-protect-yourself-online){ class="md-button" }
|
||||
[Video: 5 Steps to Improve Your Privacy](https://www.privacyguides.org/videos/2025/02/14/5-easy-steps-to-protect-yourself-online)
|
||||
{ .pg:buttons }
|
||||
|
||||
## Sources
|
||||
|
||||
|
||||
@@ -9,12 +9,12 @@ robots: nofollow, max-snippet:-1, max-image-preview:large
|
||||
|
||||
The **Android Open Source Project** is a secure mobile operating system featuring strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
|
||||
|
||||
[:octicons-home-16:](https://source.android.com)
|
||||
[:octicons-info-16:](https://source.android.com/docs)
|
||||
[:octicons-code-16:](https://cs.android.com/android/platform/superproject/main)
|
||||
[Homepage](https://source.android.com)
|
||||
[Documentation](https://source.android.com/docs)
|
||||
[Source Code](https://cs.android.com/android/platform/superproject/main)
|
||||
{ .pg:buttons }
|
||||
|
||||
[Our Android Advice :material-arrow-right-drop-circle:](../../../tools/os/android/_index.md)
|
||||
[Our Android Advice](../../../tools/os/android/_index.md)
|
||||
{ .pg:buttons }
|
||||
|
||||
## Security Protections
|
||||
@@ -79,16 +79,14 @@ An app may request a permission for a specific feature it has. For example, any
|
||||
> [!WARNING]
|
||||
> If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely.
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all the analytics features that are provided by Google Firebase Analytics.
|
||||
|
||||
|
||||
## Privacy Features
|
||||
|
||||
### User Profiles
|
||||
|
||||
Multiple **user profiles** can be found in :gear: **Settings** → **System** → **Users** and are the simplest way to isolate in Android.
|
||||
Multiple **user profiles** can be found in **Settings** → **System** → **Users** and are the simplest way to isolate in Android.
|
||||
|
||||
With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
|
||||
|
||||
@@ -104,7 +102,7 @@ This method is generally less secure than a secondary user profile; however, it
|
||||
|
||||
### Private Space
|
||||
|
||||
**Private Space** is a feature introduced in Android 15 that adds another way of isolating individual apps. You can set up a private space in the owner profile by navigating to :gear: **Settings** → **Security & privacy** → **Private space**. Once set up, your private space resides at the bottom of the app drawer.
|
||||
**Private Space** is a feature introduced in Android 15 that adds another way of isolating individual apps. You can set up a private space in the owner profile by navigating to **Settings** → **Security & privacy** → **Private space**. Once set up, your private space resides at the bottom of the app drawer.
|
||||
|
||||
Like user profiles, a private space is encrypted using its own encryption key, and you have the option to set up a different unlock method. Like work profiles, you can use apps from both the owner profile and private space simultaneously. Apps launched from a private space are distinguished by an icon depicting a key within a shield.
|
||||
|
||||
@@ -112,7 +110,7 @@ Unlike work profiles, Private Space is a feature native to Android that does not
|
||||
|
||||
### VPN kill switch
|
||||
|
||||
Android 7 and above supports a VPN kill switch, and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
|
||||
Android 7 and above supports a VPN kill switch, and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in **Settings** → **Network & internet** → **VPN** → Settings → **Block connections without VPN**.
|
||||
|
||||
### Global Toggles
|
||||
|
||||
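Review bot: In the VPN kill switch path, the second `:gear:` became a plain, unbolded `Settings`, so the step now reads `**VPN** → Settings → **Block connections without VPN**` and looks like a return to the top-level **Settings** screen rather than the gear icon the old text pointed at. Suggest wording that names the control, for example "the gear icon next to your VPN", and formatting it consistently with the other steps in the path.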
@@ -151,14 +149,14 @@ If you have an EOL device shipped with Android 10 or above and are unable to run
|
||||
|
||||
All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you.
|
||||
|
||||
On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**.
|
||||
On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**.
|
||||
|
||||
- [x] Select **Delete advertising ID**
|
||||
|
||||
On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check
|
||||
|
||||
- :gear: **Settings** → **Google** → **Ads**
|
||||
- :gear: **Settings** → **Privacy** → **Ads**
|
||||
- **Settings** → **Google** → **Ads**
|
||||
- **Settings** → **Privacy** → **Ads**
|
||||
|
||||
You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads* (this varies between OEM distributions of Android). If presented with the option to delete the advertising ID, that is preferred. If not, then make sure to opt out and reset your advertising ID.
|
||||
|
||||
|
||||
@@ -80,7 +80,7 @@ Enabling **Airplane Mode** stops your phone from contacting cell towers. You wil
|
||||
|
||||
#### Wi-Fi
|
||||
|
||||
You can enable [hardware address randomization](https://support.apple.com/en-us/102509#triswitch) to protect you from tracking across Wi-Fi networks, and on the same network over time. On the network you are currently connected to, tap the :material-information: button:
|
||||
You can enable [hardware address randomization](https://support.apple.com/en-us/102509#triswitch) to protect you from tracking across Wi-Fi networks, and on the same network over time. On the network you are currently connected to, tap the info button:
|
||||
|
||||
- [x] Set **Private Wi-Fi Address** to **Fixed** or **Rotating**
|
||||
|
||||
@@ -126,7 +126,7 @@ Apple Intelligence can integrate with [ChatGPT](https://support.apple.com/guide/
|
||||
|
||||
You can also have it ask for confirmation every time if you leave ChatGPT integration on:
|
||||
|
||||
- [x] Turn on **Confirm Requests**
|
||||
- [x] Turn on **Confirm Requests**
|
||||
|
||||
If you don't want anyone to be able to control your phone with Siri when it is locked, you can turn that off here.
|
||||
|
||||
@@ -157,7 +157,6 @@ iPhones are already resistant to brute-force attacks by making you wait long per
|
||||
> [!WARNING]
|
||||
> With this setting enabled, someone could intentionally wipe your phone by entering the wrong password many times. Make sure you have proper backups and only enable this setting if you feel comfortable with it.
|
||||
|
||||
|
||||
- [x] Turn on **Erase Data**
|
||||
|
||||
#### Privacy & Security
|
||||
@@ -255,7 +254,6 @@ Sometimes you might want to hand your phone to someone to make a call or do a sp
|
||||
> [!WARNING]
|
||||
> Guided Access isn't foolproof, as it's possible you could leak data unintentionally or the feature could be bypassed. You should only use Guided Access for situations where you casually hand your phone to someone to use. You should not use it as a tool to protect against advanced adversaries.
|
||||
|
||||
|
||||
### Redacting Elements in Images
|
||||
|
||||
If you need to hide information in a photo, you can use Apple's built-in editing tools to do so.
|
||||
@@ -263,7 +261,7 @@ If you need to hide information in a photo, you can use Apple's built-in editing
|
||||
You can use the [Clean Up](https://support.apple.com/en-us/121429) feature on supported devices to pixelate faces or remove objects from images.
|
||||
|
||||
- Open the **Photos** app and tap the photo you have selected for redaction
|
||||
- Tap the :material-tune:
|
||||
- Tap **Adjust**
|
||||
- Tap the button labeled **Clean Up**
|
||||
- Draw a circle around whatever you want to redact. Faces will be pixelated, and it will attempt to delete anything else.
|
||||
|
||||
@@ -272,7 +270,7 @@ Our warning [against blurring text](../../../tools/software/data-redaction/index
|
||||
<div class="annotate" markdown>
|
||||
|
||||
- Tap the image you have selected for redaction
|
||||
- Tap the :material-tune: → :material-dots-horizontal: (1) → Markup → :material-plus:
|
||||
- Tap **Adjust** → **More** (⋯) → Markup → **Add**
|
||||
- Select **Add Shape** and choose the square or circle
|
||||
- On the toolbar, tap the circle and choose black as the color for filling in the shape. You can also move the shape and increase its size as you see fit.
|
||||
|
||||
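Review bot: The replacement step drops the `(1)` annotation marker that followed `:material-dots-horizontal:`, while the list still sits inside `<div class="annotate" markdown>`. If the annotation body after the list is still present it is now orphaned, so either keep the marker after **More** or remove the annotation item and the wrapper in the same change. Markup is also the only unbolded label left in `**Adjust** → **More** (⋯) → Markup → **Add**`.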
@@ -294,7 +292,7 @@ Apple always makes beta versions of iOS available early for those that wish to h
|
||||
|
||||
### Before First Unlock
|
||||
|
||||
If your threat model includes [:material-target-account: Targeted Attacks](../../basics/common-threats/index.md#attacks-against-specific-individuals){ .pg-red } that involve forensic tools, and you want to minimize the chance of exploits being used to access your phone, you should restart your device frequently. The state *after* a reboot but *before* unlocking your device is referred to as "Before First Unlock" (BFU), and when your device is in that state it makes it [significantly more difficult](https://belkasoft.com/checkm8_glossary) for forensic tools to exploit vulnerabilities to access your data. This BFU state allows you to receive notifications for calls, texts, and alarms, but most of the data on your device is still encrypted and inaccessible. This can be impractical, so consider whether these trade-offs make sense for your situation.
|
||||
If your threat model includes [Targeted Attacks](../../basics/common-threats/index.md#attacks-against-specific-individuals){ .pg-red } that involve forensic tools, and you want to minimize the chance of exploits being used to access your phone, you should restart your device frequently. The state *after* a reboot but *before* unlocking your device is referred to as "Before First Unlock" (BFU), and when your device is in that state it makes it [significantly more difficult](https://belkasoft.com/checkm8_glossary) for forensic tools to exploit vulnerabilities to access your data. This BFU state allows you to receive notifications for calls, texts, and alarms, but most of the data on your device is still encrypted and inaccessible. This can be impractical, so consider whether these trade-offs make sense for your situation.
|
||||
|
||||
iPhones [automatically reboot](https://support.apple.com/guide/security/protecting-user-data-in-the-face-of-attack-secf5549a4f5/1/web/1#:~:text=On%20an%20iPhone%20or%20iPad%20with%20iOS%2018%20and%20iPadOS%2018%20or%20later%2C%20a%20new%20security%20protection%20will%20restart%20devices%20if%20they%20remain%20locked%20for%20a%20prolonged%20period%20of%20time.) if they're not unlocked after a period of time.
|
||||
|
||||
|
||||
@@ -7,7 +7,7 @@ description: Linux is an open-source, privacy-focused desktop operating system a
|
||||
|
||||
Our website generally uses the term “Linux” to describe **desktop** Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed on this page.
|
||||
|
||||
[Our Linux Recommendations :material-arrow-right-drop-circle:](../../../tools/os/desktop/index.md)
|
||||
[Our Linux Recommendations](../../../tools/os/desktop/index.md)
|
||||
{ .pg:buttons }
|
||||
|
||||
## Security Notes
|
||||
@@ -68,7 +68,7 @@ Arch and Arch-based distributions are not recommended for those new to Linux (re
|
||||
|
||||
For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](#mandatory-access-control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
|
||||
|
||||
Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository) **must** be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software [:material-package-variant-closed-remove: Supply Chain Attacks](../../basics/common-threats/index.md#attacks-against-certain-organizations){ .pg-viridian }, which has in fact happened [in the past](https://bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository).
|
||||
Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository) **must** be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software [Supply Chain Attacks](../../basics/common-threats/index.md#attacks-against-certain-organizations){ .pg-viridian }, which has in fact happened [in the past](https://bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository).
|
||||
|
||||
The AUR should always be used sparingly, and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to the use of third-party Personal Package Archives (PPAs) on Debian-based distributions or Community Projects (COPR) on Fedora.
|
||||
|
||||
@@ -95,7 +95,7 @@ SELinux on [Fedora](https://docs.fedoraproject.org/en-US/quick-docs/selinux-gett
|
||||
|
||||
Most Linux distributions have an option within its installer for enabling [LUKS](../../../tools/software/encryption/index.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to back up your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
|
||||
|
||||
- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure)
|
||||
- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure)
|
||||
|
||||
### Swap
|
||||
|
||||
|
||||
@@ -79,7 +79,7 @@ Click on **About** and type your desired device name into the **Name** field.
|
||||
|
||||
You should automatically install all available updates to make sure your Mac has the latest security fixes.
|
||||
|
||||
Click the small :material-information-outline: icon next to **Automatic Updates**:
|
||||
Click the small icon next to **Automatic Updates**:
|
||||
|
||||
- [x] Turn on **Download new updates when available**
|
||||
|
||||
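Review bot: Removing `:material-information-outline:` leaves "Click the small icon next to **Automatic Updates**:", which no longer says which icon to click. The iOS Wi-Fi hunk in this commit substitutes "info button" for the equivalent icon; using the same wording here (for example "the small info icon") would keep the instruction followable.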
@@ -109,7 +109,6 @@ You can also have it ask for confirmation every time if you leave ChatGPT integr
|
||||
> [!WARNING]
|
||||
> Any request made with ChatGPT will be sent to ChatGPT's servers, there is no on-device processing and no PCC like with Apple Intelligence.
|
||||
|
||||
|
||||
#### Privacy & Security
|
||||
|
||||
Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions.
|
||||
@@ -163,7 +162,6 @@ macOS employs defense in depth by relying on multiple layers of software and har
|
||||
> [!WARNING]
|
||||
> macOS allows you to install beta updates. These are unstable and may come with [extra telemetry](https://beta.apple.com/privacy) since they're for testing purposes. Because of this, we recommend you avoid beta software in general.
|
||||
|
||||
|
||||
#### Signed System Volume
|
||||
|
||||
macOS's system components are protected in a read-only [signed system volume](https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web), meaning that neither you nor malware can alter important system files.
|
||||
@@ -180,11 +178,10 @@ System Integrity Protection makes critical file locations read-only to protect a
|
||||
|
||||
##### App Sandbox
|
||||
|
||||
On macOS, whether an app is sandboxed is determined by the developer when they sign it. The [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox) protects against vulnerabilities in the apps you run by limiting what a malicious actor can access in the event that the app is exploited. The App Sandbox *alone* can't protect against [:material-package-variant-closed-remove: Supply Chain Attacks](../../basics/common-threats/index.md#attacks-against-certain-organizations){ .pg-viridian } by malicious developers. For that, sandboxing needs to be enforced by someone other than the developer themselves, as it is on the [App Store](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/1/web/1#:~:text=All%20apps%20from%20the%20App%20Store%20are%20sandboxed%20to%20restrict%20access%20to%20data%20stored%20by%20other%20apps.).
|
||||
On macOS, whether an app is sandboxed is determined by the developer when they sign it. The [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox) protects against vulnerabilities in the apps you run by limiting what a malicious actor can access in the event that the app is exploited. The App Sandbox *alone* can't protect against [Supply Chain Attacks](../../basics/common-threats/index.md#attacks-against-certain-organizations){ .pg-viridian } by malicious developers. For that, sandboxing needs to be enforced by someone other than the developer themselves, as it is on the [App Store](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/1/web/1#:~:text=All%20apps%20from%20the%20App%20Store%20are%20sandboxed%20to%20restrict%20access%20to%20data%20stored%20by%20other%20apps.).
|
||||
|
||||
> [!WARNING]
|
||||
> Software downloaded from outside the official App Store is not required to be sandboxed. If your threat model prioritizes defending against [:material-bug-outline: Passive Attacks](../../basics/common-threats/index.md#security-and-privacy){ .pg-orange }, then you may want to check if the software you download outside the App Store is sandboxed, which is up to the developer to *opt in*.
|
||||
|
||||
> Software downloaded from outside the official App Store is not required to be sandboxed. If your threat model prioritizes defending against [Passive Attacks](../../basics/common-threats/index.md#security-and-privacy){ .pg-orange }, then you may want to check if the software you download outside the App Store is sandboxed, which is up to the developer to *opt in*.
|
||||
|
||||
You can check if an app uses the App Sandbox in a few ways:
|
||||
|
||||
@@ -193,7 +190,6 @@ You can check if apps that are already running are sandboxed using the [Activity
|
||||
> [!WARNING]
|
||||
> Just because one of an app's processes is sandboxed doesn't mean they all are.
|
||||
|
||||
|
||||
Alternatively, you can check apps before you run them by running this command in the terminal:
|
||||
|
||||
``` zsh
|
||||
|
||||