Rebased on #2606, swapped legacy admonitions

Co-authored-by: noClaps <github@zerolimits.dev>
Co-authored-by: Pa1NarK <69745008+pixincreate@users.noreply.github.com>

.all-contributorsrc

@@ -2956,6 +2956,15 @@
         "business",
         "fundingFinding"
       ]
+    },
+    {
+      "login": "bruch-alex",
+      "name": "Alex Bruch",
+      "avatar_url": "https://avatars.githubusercontent.com/u/173354246?v=4",
+      "profile": "https://github.com/bruch-alex",
+      "contributions": [
+        "translation"
+      ]
     }
   ],
   "contributorsPerLine": 5,

README.md

@@ -609,6 +609,9 @@ Privacy Guides wouldn't be possible without these wonderful people ([emoji key](
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/PASSK3YS"><img src="https://avatars.githubusercontent.com/u/54213179?v=4" width="100px;" loading=lazy /><br /><sub><b>Kieran Colfer</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=PASSK3YS" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/SamsungGalaxyPlayer"><img src="https://avatars.githubusercontent.com/u/12520755?v=4" width="100px;" loading=lazy /><br /><sub><b>Justin Ehrenhofer</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=SamsungGalaxyPlayer" title="Documentation">📖</a> <a href="#business-SamsungGalaxyPlayer" title="Business development">💼</a> <a href="#fundingFinding-SamsungGalaxyPlayer" title="Funding Finding">🔍</a></td>
     </tr>
+    <tr>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/bruch-alex"><img src="https://avatars.githubusercontent.com/u/173354246?v=4" width="100px;" loading=lazy /><br /><sub><b>Alex Bruch</b></sub></a><br /><a href="#translation-bruch-alex" title="Translation">🌍</a></td>
+    </tr>
   </tbody>
   <tfoot>
     <tr>

docs/advanced/payments.md

@@ -3,33 +3,33 @@ title: Private Payments
 icon: material/hand-coin
 description: Your buying habits are the holy grail of ad targeting, but you still have plenty of options when it comes to making payments privately.
 ---
-There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately.
+Data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately.
 
 ## Cash
 
-For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable.
+For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangeable.
 
-Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations.
+Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Regulated exchanges, banks, and money services businesses must collect an ID for transactions exceeding $3,000. Cash contains serial numbers to assist law enforcement in targeted investigations.
 
-Despite this, it’s typically the best option.
+Despite the above, cash is typically the best option when available.
 
 ## Prepaid Cards & Gift Cards
 
-It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud.
+You can easily purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout in an effort to reduce fraud.
 
 Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (e.g.: from Visa or Mastercard) usually have limits of up to $1,000 per card.
 
 Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit.
 
-Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps.
+Prepaid cards usually don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps.
 
-Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash.
+Cash remains the best option for in-person purchases for most people. Gift cards are often sold at a discount, which make them attractive. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash.
 
 ### Online Marketplaces
 
-If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered).
+If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer high limits (with ID verification), but they usually allow basic, low-limit accounts with just an email address. Expect limits under $10,000 for basic accounts and significantly higher limits for ID verified accounts (if offered).
 
-When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero.
+When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy (more on this below). Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero.
 
 - [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces)
 
@@ -43,14 +43,14 @@ These tend to be good options for recurring/subscription payments online, while
 
 ## Cryptocurrency
 
-Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose.
+Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a transparent blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose.
 
 <div class="admonition danger" markdown>
 <p class="admonition-title">Danger</p>
 
-The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity.
+The vast majority of cryptocurrencies operate on a **transparent** blockchain, meaning that every transaction's details are public knowledge. This includes most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity.
 
-Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust.
+Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. Transactions are irreversible and do not include any consumer protections.
 
 </div>
 
@@ -60,23 +60,25 @@ There are a number of cryptocurrency projects which purport to provide privacy b
 
 - [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#monero)
 
-Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance.
+Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can trace (at least to some extent) Bitcoin Lightning Network and/or Monero transactions. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million to further develop tools to do so. Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins in their current form only succeed in thwarting mass surveillance.
 
 ### Other Coins (Bitcoin, Ethereum, etc.)
 
-The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons.
+The vast majority of cryptocurrency projects use a transparent blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons.
 
-Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years.
+Anonymous transactions on a transparent blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, this example requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical (even for enthusiasts) for many years.
 
 ==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged.
 
 ### Wallet Custody
 
-With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies.
+With cryptocurrency there are two forms of wallets: custodial wallets and self-custody wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Self-custody wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, self-custody wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies.
 
 ### Acquisition
 
-Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces, platforms which facilitate trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward.
+Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces (platforms which facilitate trades between people) are one option, though the user experience typically suffers. If using an exchange which requires KYC is acceptable for you as long as subsequent transactions can't be traced, it's much easier to purchase Monero on a centralized exchange or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own self-custody wallet to use privately from that point forward.
+
+[Recommended places to buy Monero](../cryptocurrency.md#buying-monero){ .md-button }
 
 If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall.
 
@@ -85,3 +87,10 @@ If you go this route, make sure to purchase Monero at different times and in dif
 When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself.
 
 When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address.
+
+<div class="admonition tip" markdown>
+<p class="admonition-title">Important notices</p>
+
+The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](../about/notices.md).
+
+</div>

docs/android/distributions.md

@@ -19,17 +19,6 @@ schema:
       "@context": http://schema.org
       "@type": WebPage
       url: "./"
-  -
-    "@context": http://schema.org
-    "@type": CreativeWork
-    name: Divest
-    image: /assets/img/android/divestos.svg
-    url: https://divestos.org/
-    sameAs: https://en.wikipedia.org/wiki/DivestOS
-    subjectOf:
-      "@context": http://schema.org
-      "@type": WebPage
-      url: "./"
 robots: nofollow, max-snippet:-1, max-image-preview:large
 ---
 <small>Protects against the following threat(s):</small>
@@ -70,38 +59,6 @@ By default, Android makes many network connections to Google to perform DNS conn
 
 If you want to hide information like this from an adversary on your network or ISP, you **must** use a [trusted VPN](../vpn.md) in addition to changing the connectivity check setting to **Standard (Google)**. It can be found in :gear: **Settings** → **Network & internet** → **Internet connectivity checks**. This option allows you to connect to Google's servers for connectivity checks, which, alongside the usage of a VPN, helps you blend in with a larger pool of Android devices.
 
-### DivestOS
-
-If GrapheneOS isn't compatible with your phone, DivestOS is a good alternative. It supports a wide variety of phones with *varying* levels of security protections and quality control.
-
-<div class="admonition recommendation" markdown>
-
-![DivestOS logo](../assets/img/android/divestos.svg){ align=right }
-
-**DivestOS** is a soft-fork of [LineageOS](https://lineageos.org).
-DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](../os/android-overview.md#verified-boot) on some non-Pixel devices. Not all supported devices support verified boot or other security features.
-
-[:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
-[:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
-[:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title="Documentation" }
-[:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
-[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title="Contribute" }
-
-</div>
-
-The [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) of firmware updates in particular will vary significantly depending on your phone model. While standard AOSP bugs and vulnerabilities can be fixed with standard software updates like those provided by DivestOS, some vulnerabilities cannot be patched without support from the device manufacturer, making end-of-life devices less safe even with an up-to-date alternative ROM like DivestOS.
-
-DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [control-flow integrity](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
-
-DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
-
-DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's `INTERNET` and `SENSORS` permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://grapheneos.org/usage#exec-spawning), Java Native Interface [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features per-network full MAC address randomization, [`ptrace_scope`](https://kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, automatic reboot, and Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features#attack-surface-reduction).
-
-DivestOS uses F-Droid as its default app store. We normally [recommend avoiding F-Droid](obtaining-apps.md#f-droid), but doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repository, [DivestOS Official](https://divestos.org/fdroid/official). For these apps you should continue to use F-Droid **with the DivestOS repository enabled** to keep those components up to date. For other apps, our recommended [methods of obtaining them](obtaining-apps.md) still apply.
-
-DivestOS replaces many of Android's background network connections to Google services with alternative services, such as using OpenEUICC for eSIM activation, NTP.org for network time, and Quad9 for DNS. These connections can be modified, but their deviation from a standard Android phone's network connections could mean it is easier for an adversary on your network to deduce what operating system you have installed on your phone. If this is a concern to you, consider using a [trusted VPN](../vpn.md) and enabling the native VPN [kill switch](../os/android-overview.md#vpn-killswitch) to hide this network traffic from your local network and ISP.
-
 ## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](../about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.

docs/cloud.md

@@ -27,7 +27,7 @@ Nextcloud is [still a recommended tool](document-collaboration.md#nextcloud) for
 
 ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right }
 
-**Proton Drive** is an encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). The initial free storage is limited to 2GB, but with the completion of certain steps, additional storage can be obtained up to 5GB.
+**Proton Drive** is an encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). The initial free storage is limited to 2GB, but with the completion of [certain steps](https://proton.me/support/more-free-storage-existing-users), additional storage can be obtained up to 5GB.
 
 [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://proton.me/drive/privacy-policy){ .card-link title="Privacy Policy" }

docs/cryptocurrency.md

@@ -40,15 +40,8 @@ Many if not most cryptocurrency projects are scams. Make transactions carefully
 
 With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories.
 
-For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include:
-
-- [Official Monero client](https://getmonero.org/downloads) (Desktop)
-- [Cake Wallet](https://cakewallet.com) (iOS, Android, macOS)
-    - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet for iOS and Android is available at [Monero.com](https://monero.com).
-- [Feather Wallet](https://featherwallet.org) (Desktop)
-- [Monerujo](https://monerujo.io) (Android)
-
-For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or [I2P](alternative-networks.md#i2p-the-invisible-internet-project).
+<details class="info" markdown>
+<summary>Monero's resilience to mass surveillance</summary>
 
 In August 2021, CipherTrace [announced](https://web.archive.org/web/20240223224846/https://ciphertrace.com/enhanced-monero-tracing) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022.
 
@@ -56,8 +49,45 @@ Monero transaction graph privacy is limited by its relatively small ring signatu
 
 Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy.
 
+</details>
+
+### Monero wallets
+
+For optimal privacy, make sure to use a self-custody wallet where the [view key](https://www.getmonero.org/resources/moneropedia/viewkey.html) stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your view key, the provider can see almost everything you do (but not spend your funds). Some self-custody wallets where the view key does not leave your device include:
+
+- [Official Monero client](https://getmonero.org/downloads) (Desktop)
+- [Cake Wallet](https://cakewallet.com) (iOS, Android, Desktop)
+    - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet for iOS and Android is available at [Monero.com](https://monero.com).
+- [Feather Wallet](https://featherwallet.org) (Desktop)
+- [Monerujo](https://monerujo.io) (Android)
+
+### Monero nodes
+
+For maximum privacy (even with a self-custody wallet), you should run your own Monero node called the [Monero daemon](https://getmonero.org/downloads/#cli). Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor, [I2P](alternative-networks.md#i2p-the-invisible-internet-project), or a VPN.
+
+### Buying Monero
+
+[General tips for acquiring Monero](advanced/payments.md#acquisition){ .md-button }
+
+There are numerous centralized exchanges (CEX) as well as P2P marketplaces where you can buy and sell Monero. Some of them require identifying yourself (KYC) to comply with anti-money laundering regulations. However, due to Monero's privacy features, the only thing known to the seller is _that_ you bought Monero, but not how much you own or where you spend it (after it leaves the exchange). Some reputable places to buy Monero include:
+
+- [Kraken](https://kraken.com): A well-known CEX. Registration and KYC are mandatory. Card payments and bank transfers accepted. Make sure not to leave your newly purchased Monero on Kraken's platform after the purchase; withdraw them to a self-custody wallet. Monero is not available in all jurisdictions that Kraken operates in.[^1]
+- [Cake Wallet](https://cakewallet.com): A self-custody cross-platform wallet for Monero and other cryptocurrencies. You can buy Monero directly in the app using card payments or bank transfers (through third-party providers such as [Guardarian](https://guardarian.com) or [DFX](https://dfx.swiss)).[^2] KYC is usually not required, but it depends on your country and the amount you are purchasing. In countries where directly purchasing Monero is not possible, you can also use a provider within Cake Wallet to first buy another cryptocurrency such as Bitcoin, Bitcoin Cash, or Litecoin and then exchange it to Monero in-app.
+    - [Monero.com](https://monero.com) is an associated website where you can buy Monero and other cryptocurrencies without having to download an app. The funds will simply be sent to the wallet address of your choice.
+- [RetoSwap](https://retoswap.com) (formerly known as Haveno-Reto) is a self-custody, decentralized P2P exchange platform based on the [Haveno](https://haveno.exchange) project which is available for Linux, Windows, and macOS. Monero can be bought and sold with maximum privacy, since most trading counterparties do not require KYC, trades are made directly between users (P2P), and all connections run through the Tor network. It is possible to buy Monero via bank transfer, Paypal, or even by paying in cash (meeting in person or sending by mail). Arbitrators can step in to resolve disputes between buyer and seller, but be careful when sharing your bank account or other sensitive information with your trading counterparty. Trading with some accounts may be against those accounts' terms of service. Please note that you can only buy Monero on RetoSwap if you already own a small amount of Monero (currently a minimum of 0.11 XMR) in order to fund security deposits, although there are ongoing efforts to drop this requirement in the future.
+
 ## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 
 - Cryptocurrency must provide private/untraceable transactions by default.
+
+<div class="admonition tip" markdown>
+<p class="admonition-title">Important notices</p>
+
+The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](about/notices.md).
+
+</div>
+
+[^1]: You may refer to the following pages for up-to-date information on countries in which Kraken does **not** allow the purchase of Monero: [Where is Kraken licensed or regulated?](https://support.kraken.com/hc/en-us/articles/where-is-kraken-licensed-or-regulated) and [Support for Monero (XMR) in Europe](https://support.kraken.com/hc/en-us/articles/support-for-monero-xmr-in-europe).
+[^2]: You may refer to the following pages for up-to-date information on countries in which Cake Wallet and Monero.com **only** allow the direct purchase of Monero (through third-party providers): [Which countries are served by DFX?](https://docs.dfx.swiss/en/faq.html#which-countries-are-served-by-dfx) and [What are the supported countries/regions? (Guardarian)](https://guardarian.freshdesk.com/support/solutions/articles/80001151826-what-are-the-supported-countries-regions).

docs/device-integrity.md

@@ -187,43 +187,3 @@ It is important to note that Auditor can only effectively detect changes **after
 No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
 
 If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service.
-
-## On-Device Scanners
-
-<small>Protects against the following threat(s):</small>
-
-- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy){ .pg-orange }
-
-These are apps you can install on your device which scan your device for signs of compromise.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Using these apps is insufficient to determine that a device is "clean", and not targeted with a particular spyware tool.
-
-</div>
-
-### Hypatia (Android)
-
-<div class="admonition recommendation" markdown>
-
-![Hypatia logo](assets/img/device-integrity/hypatia.svg#only-light){ align=right }
-![Hypatia logo](assets/img/device-integrity/hypatia-dark.svg#only-dark){ align=right }
-
-**Hypatia** is an open source real-time malware scanner for Android, from the developer of [DivestOS](android/distributions.md#divestos). It accesses the internet to download signature database updates, but does not upload your files or any metadata to the cloud (scans are performed entirely locally).
-
-[:octicons-home-16: Homepage](https://divestos.org/pages/our_apps#hypatia){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://divestos.org/pages/privacy_policy#hypatia){ .card-link title="Privacy Policy" }
-[:octicons-code-16:](https://github.com/divested-mobile/hypatia){ .card-link title="Source Code" }
-[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title=Contribute }
-
-<details class="downloads" markdown>
-<summary>Downloads</summary>
-
-- [:simple-fdroid: F-Droid](https://f-droid.org/packages/us.spotco.malwarescanner)
-
-</details>
-
-</div>
-
-Hypatia is particularly good at detecting common stalkerware: If you suspect you are a victim of stalkerware, you should [visit this page](https://stopstalkerware.org/information-for-survivors) for advice.

docs/financial-services.md

@@ -102,3 +102,10 @@ These services allow you to purchase gift cards for a variety of merchants onlin
 
 - Accepts payment in [a recommended cryptocurrency](cryptocurrency.md).
 - No ID requirement.
+
+<div class="admonition tip" markdown>
+<p class="admonition-title">Important notices</p>
+
+The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](about/notices.md).
+
+</div>

docs/mobile-browsers.md

@@ -262,50 +262,6 @@ These options can be found in :material-menu: → :gear: **Settings** → **Lega
 
 This disables update checks for the unmaintained Bromite adblock filter.
 
-## Mull (Android)
-
-<div class="admonition recommendation" markdown>
-
-![Mull logo](assets/img/browsers/mull.svg){ align=right }
-
-**Mull** is a privacy oriented and deblobbed Android browser based on Firefox. Compared to Firefox, it offers much greater fingerprinting protection out of the box, and disables JavaScript Just-in-Time (JIT) compilation for enhanced security. It also removes all proprietary elements from Firefox, such as replacing Google Play Services references.
-
-[:octicons-home-16: Homepage](https://divestos.org/pages/our_apps#mull){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://divestos.org/pages/privacy_policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://divestos.org/pages/browsers#tuningFenix){ .card-link title="Documentation" }
-[:octicons-code-16:](https://codeberg.org/divested-mobile/mull-fenix){ .card-link title="Source Code" }
-
-<details class="downloads" markdown>
-<summary>Downloads</summary>
-
-- [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/us.spotco.fennec_dos)
-
-</details>
-
-</div>
-
-<div class="admonition danger" markdown>
-<p class="admonition-title">Danger</p>
-
-Firefox (Gecko)-based browsers on Android [lack](https://bugzilla.mozilla.org/show_bug.cgi?id=1610822) [site isolation](https://wiki.mozilla.org/Project_Fission),[^1] a powerful security feature that protects against a malicious site performing a [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability))-like attack to gain access to the memory of another website you have open.[^2] Chromium-based browsers like [Brave](#brave) will provide more robust protection against malicious websites.
-
-</div>
-
-[^1]: This should not be mistaken for [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) (or dynamic [first party isolation](https://2019.www.torproject.org/projects/torbrowser/design/#identifier-linkability)), where website data such as cookies and cache is restricted so that a third-party embedded in one top-level site cannot access data stored under another top-level site. This is an important privacy feature to prevent cross-site tracking and **is** supported by Firefox on Android.
-[^2]: GeckoView also [does not](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196) take advantage of Android's native process sandboxing by using the [isolatedProcess](https://developer.android.com/guide/topics/manifest/service-element#isolated) flag, which normally allows an app to safely run less trusted code in a separate process that has no permissions of its own.
-
-Enable DivestOS's [F-Droid repository](https://divestos.org/fdroid/official) to receive updates directly from the developer. Downloading Mull from the default F-Droid repo will mean your updates could be delayed by a few days or longer.
-
-Mull enables many features upstreamed by the [Tor uplift project](https://wiki.mozilla.org/Security/Tor_Uplift) using preferences from [Arkenfox](desktop-browsers.md#arkenfox-advanced). Proprietary blobs are removed from Mozilla's code using the scripts developed for Fennec F-Droid.
-
-### Recommended Mull Configuration
-
-We would suggest installing [uBlock Origin](browser-extensions.md#ublock-origin) as a content blocker if you want to block trackers within Mull.
-
-Mull comes with privacy protecting settings configured by default. You might consider configuring the **Delete browsing data on quit** options in Mull's settings if you want to close all your open tabs when quitting the app automatically, or clear other data such as browsing history and cookies automatically.
-
-Because Mull has more advanced and strict privacy protections enabled by default compared to most browsers, some websites may not load or work properly unless you adjust those settings. You can consult this [list of known issues and workarounds](https://divestos.org/pages/broken#mull) for advice on a potential fix if you do encounter a broken site. Adjusting a setting in order to fix a website could impact your privacy/security, so make sure you fully understand any instructions you follow.
-
 ## Safari (iOS)
 
 On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so a browser like [Brave](#brave) does not use the Chromium engine like its counterparts on other operating systems.
@@ -365,6 +321,10 @@ This setting allows you to lock your private tabs behind biometrics/PIN when not
 
 This setting uses Google Safe Browsing (or Tencent Safe Browsing for users in mainland China or Hong Kong) to protect you while you browse. As such, your IP address may be logged by your Safe Browsing provider. Disabling this setting will disable this logging, but you might be more vulnerable to known phishing sites.
 
+- [x] Enable **Not Secure Connection Warning**
+
+This setting shows a warning screen if your connection to a website isn't using HTTPS. Safari will automatically try to upgrade the site to HTTPS, so you should only see this when there is no HTTPS connection available.
+
 - [ ] Disable **Highlights**
 
 Apple's privacy policy for Safari states:

docs/os/windows/hardening.md

@@ -0,0 +1,272 @@
+---
+title: System Hardening
+icon: material/monitor-lock
+---
+
+## Setting up Windows after Installation
+
+If you wish to limit the amount of data Microsoft obtains from your device, an [offline/local account](https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-local-or-offline-account-in/95097c32-40c4-48c0-8f3b-3bcb67afaf7c) is **recommended**.
+
+![user-account](/assets/img/windows/user-account.webp)
+
+<div class="admonition note" markdown>
+<p class="admonition-title">Note</p>
+
+Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation.
+
+So, You could also follow the guide by [ghacks.net](https://www.ghacks.net/2022/05/13/how-to-bypass-the-microsoft-account-requirement-during-windows-setup/) to bypass the Microsoft account requirement during setup and use Local account.
+</div>
+
+While setting up, it is recommended to use a generic name such as `user` and `host` and avoid identifying terms such as your name or operating system. This can make it more difficult for privileged `Win32` apps or attackers to discern your identity.
+
+For security, it's recommended to set up Windows Hello on all of your accounts because it uses the trusted platform module (TPM) if applicable, which protects against brute-force attacks; see the documentation: [How Windows Uses the TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm#windows-hello-for-business)
+
+- [ ] Toggle off all privacy related settings as shown in the image:
+
+![Privacy Settings](/assets/img/windows/privacy-settings.webp)
+
+## Encrypting the Drive
+
+After you have installed Windows, turn on full disk encryption (FDE) using BitLocker via the Control Panel.
+
+<div class="admonition info" markdown>
+<p class="admonition-title">Choosing the Way to Encrypt</p>
+
+It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order.
+
+</div>
+
+The best way is to go to the Control Panel by searching for it in the Start Menu or from the context menu (right-click) in File Explorer and set it up for all of the drives that you have.
+
+![Bitlocker in Control Panel](/assets/img/windows/Bitlocker%20Group%20Policies/bitlocker-control%20panel.webp)
+
+Bitlocker is suggested because of the native implementation by the OS and along with the usage of hardware to be resistant against encryption flaws.
+
+### Security policies for Bitlocker
+
+Enable the Following group policies before you start encrypting your drives.
+
+<div class="admonition tip" markdown>
+<p class="admonition-title">Tip</p>
+
+To go to it, search **Group Policy** in the **Windows Search Bar** and press **Enter** or type `gpedit.msc` in ++win+r++. Then, proceed as mentioned below.
+
+</div>
+
+General Policies :
+
+Go to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Bitlocker Drive Encryption`
+
+![Encryption & Cipher](/assets/img/windows/Bitlocker%20Group%20Policies/encryption-method-and-cipher.webp)
+![Disable DMA](/assets/img/windows/Bitlocker%20Group%20Policies/Disable%20DMA.webp)
+
+For OS drives :
+
+Go to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Bitlocker Drive Encryption` > `Operating System Drives`
+
+Enable Group policies as in the images below <!--(Check images side by side)--> :
+
+![Enforcing full encryption](/assets/img/windows/Bitlocker%20Group%20Policies/enforce-full-encryption.webp)
+![secure boot integrity validation](/assets/img/windows/Bitlocker%20Group%20Policies/Secure-boot-integrity-validation.webp)
+![TPM & PIN](/assets/img/windows/Bitlocker%20Group%20Policies/TPM+PIN.webp)
+![enhanced PINS](/assets/img/windows/Bitlocker%20Group%20Policies/enhanced-pins.webp)
+![Disallow others changing PIN](/assets/img/windows/Bitlocker%20Group%20Policies/disallow-user-from-changing-PIN.webp)
+
+For Fixed Drives :
+
+Go to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Bitlocker Drive Encryption` > `Fixed Data Drives` > `Enforce drive encryption type on fixed data drives`
+
+![Encryption Type](/assets/img/windows/Bitlocker%20Group%20Policies/fixed-drives.webp)
+
+These policies ensure that your drives are encrypted with `XTS-AES-256` Bit encryption, **fully**.
+
+### Setting up Pre-boot Authentication
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Update your TPM</p>
+
+Before enabling Bitlocker in your device,It is strongly recommended to update your TPM chip by downloading package only from **OEM** Websites.
+
+</div>
+
+As you are using Windows 11, TPM is used to encrypt and decrypt the drive but it is susceptible to [cold boot attacks](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/). So, it is recommended to use TPM + PIN to protect the drives
+
+After enabling all the group policies above, Go to Control panel and click on Add PIN. It can be alphanumeric if you had enabled the above policies.
+
+You can check if it's enabled by typing `manage-bde -status`. It will normally show in **Key Protectors**: **Numerical Password** (it's the recovery key) and **TPM And PIN**.
+
+<div class="admonition abstract" markdown>
+<p class="admonition-title">Disabling pre-boot Authentication (Not Recommended)</p>
+
+- open a **terminal** as an **administrator** and type this command `manage-bde -protectors -add c: -TPM`.
+- You can again check if it worked by typing `manage-bde -status c:` and it will show you **Numerical Password** and **TPM**
+
+</div>
+
+<div class="admonition info" markdown>
+<p class="admonition-title">Info</p>
+
+The above Group Policy configuration tells the TPM to release the encryption keys after entering PIN instead of releasing it on boot automatically.
+
+Doing this will set a double password. So, you enter the PIN to release the encryption keys from TPM & boot Windows and another credential to unlock your user account.
+
+The pre-boot PIN not only protects the OS drive but also other fixed drives used just for storage if bitlocker is enabled for that drive also.
+
+</div>
+
+When you do this, the encryption keys of your drive are only unlocked once you enter the PIN, and the decryption happens after. If you forget or lose the PIN, you won't be able to access your drives and OS anymore, and the only way to recover is using the Recovery Key provided during the initial setup of BitLocker. **Make sure you store it in a safe place**, such as a password manager, and keep backups of your Recovery Key or even use an encrypted USB drive.
+
+The preboot authentication is recommend to avoid data being accessed by removal of user Account passwords by methods like this - [How to Reset Windows 11 Password Without Any Software](https://youtu.be/0gOZoroPNuA) and access data even though Bitlocker is enabled and managed by TPM
+
+But when you use TPM + Startup PIN, nobody can restart to load the shell and bypass password. Because you need to enter your PIN to go to the Advanced Startup settings as in the video.
+
+Enabling or not-enabling is up to the user's threat model.
+
+If it's a personal device, Startup PIN + TPM is recommended.
+If a family computer, Normal Bitlocker (Managed by TPM) for OS drive is recommended.
+
+It is recommended to encrypt the OS drive at the least. Encrypting secondary drives either via Bitlocker or other encryption tools such as Veracrypt is upto the user's threat model.
+
+## Creation of User Account and usage
+
+- By Default Windows gives `administrator` access to the user account. Create another `standard` user account to reduce the attack surface enormously as most vulnerabilities today come from the fact that the user is always in `administrator` mode. In addition, you shouldn't use the same password for standard and administrator account.
+
+- Don't use admin account for any of your personal tasks!
+
+- Just restrict it to the standard account created.
+
+- Set [UAC](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings) settings to the [Highest Privilege](https://support.microsoft.com/en-us/windows/about-user-account-control-settings-d5b2046b-dcb8-54eb-f732-059f321afe18).
+
+- Only use your account for you, if someone needs to use your computer **ALWAYS** create another standard account, even if it's for a one-time use, even if it's your family or someone you trust. This person can plug a malicious USB, can connect to malicious Wi-Fi network, download infectious files, etc... without you knowing about it.
+
+- You might be afraid that the user accessing your device via another User account can access your Internal drive and access critical files violating your privacy. Refer, [Privacy page](windows/privacy/#restrict-access-to-data-drives) on How to restrict access to certain drives only or use EFS on a per-file basis. You can read more about EFS on [Privacy page](privacy.md).
+
+<div class="admonition tip" markdown>
+<p class="admonition-title">Tip</p>
+
+You should ALWAYS do the quick shortcut ++win+l++ to lock your device when you are away to prevent unauthorized access.
+
+</div>
+
+- If you don't like managing a standard account, then enforce authentication for Administrator accounts too like Standard ones by following the guide by [Wikihow](https://www.wikihow.tech/Require-UAC-Passwords-on-Administrator-Accounts)
+    - This way, Even administrators need to use Password to approve processes instead of just clicking `Yes` or `No`.
+
+## Securing the Boot chain
+
+- In your BIOS/UEFI settings, disable the booting of USB devices
+- Add a password to your BIOS/UEFI settings which restricts anyone from changing them.
+
+### Enabling Secure Boot
+
+- Windows 11 secures its bootloader by default by using Secure boot with the usage of TPM.
+
+- Windows 10, on the other hand, doesn't come with Secure boot enabled by default except for new devices.
+
+To enable Secure Boot from the PC BIOS menu. Follow this Step-by-Step Instructions by visiting this [documentation](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/disabling-secure-boot?view=windows-11#re-enable-secure-boot).
+
+Visit: [https://docs.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-secure-boot-windows#check-secure-boot-status](https://docs.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-secure-boot-windows#check-secure-boot-status) on how to verify if enabled after enabling secure boot.
+
+### Firmware Protection
+
+As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
+
+**System Guard** lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
+
+- [x] Enable [System Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) by following the instructions of [Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to secure the boot chain.
+
+You can also know how to check if it is enabled or not in the guide.
+
+<div class="admonition note" markdown>
+<p class="admonition-title">Note</p>
+
+System Guard is mostly available on Windows Secured-Core PCs not on regular consumer devices. So, Before enabling it check the requirements of your Device.
+
+</div>
+
+## Protection against Malware and Viruses
+
+- Just use the built-in Windows Defender Security to protect against threats and stick to it. Don't use any other Antivirus or Anti-Malware software [as it can weaken your security and your privacy](https://wonderfall.space/windows-hardening/#microsoft-defender-antivirus).
+
+- [x] **Enable** [Windows Defender in a Sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) by launching a **terminal** as an **administrator** and copy/paste this command ```setx /M MP_FORCE_USE_SANDBOX 1```. Restart your device and check if there's a process called **MsMpEngCP.exe** by typing `tasklist` in the terminal to verify.
+
+- [ ] Disable Autoplay for devices so that malware hidden in USB don't execute on plugging in
+    ![Disable autoplay](/assets/img/windows/autoplay.webp)
+- [x] Enable [Controlled Folder Access](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders) in Windows defender settings. So, The Important folders you listed for protection doesn't get attacked or held hostage in case of a ransomware attack and also stops apps from accessing your important folders. This could also be used as a firewall for the filesystem such as Choosing the drives in the protected ones. And allowing each app when it request access to your device.
+
+- [x] Enable [Microsoft Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview). After installing by going to "[Turn Windows Features on or off](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard)" you can enable it. This runs Microsoft Edge in an Isolated Hyper-V container preventing unknown Malware from damaging the system.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+When you use Microsoft Defender Application Guard it bypasses the VPN you are using as when you use WDAG is launching the application in what is essentially a virtual machine, so it bypasses the host, where the VPN is connected.
+
+</div>
+
+- [x] Enable [Memory Integrity](https://support.microsoft.com/en-us/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also called Hypervisor-Protected Code Integrity) in Windows Defender settings which will run important system process isolated in an environment that cannot be attacked by viruses & malware.
+
+- [x] Enable `Display File Extensions` as most problems start here.
+
+<div class="admonition example" markdown>
+<p class="admonition-title">Enabling file extension</p>
+
+On standard Windows settings, Malware can hide itself if the filename is like: `Secure-File.txt.exe`
+
+What you see? A file named `Secure-File.txt`
+
+Of course the attacker can add a different icon to the file, so it looks like you open the file type extension you think.
+
+And if you open it, the Malware start's.
+
+Just Open the File Explorer's settings and change it to show File Extensions by clicking on `View` > `Show` or by configuring via [Registry Editor](https://github.com/beerisgood/Windows11_Hardening/blob/master/always%20display%20file%20typ%20extension)
+</div>
+
+## Apps
+
+- Avoid any types of Cleaning software at all cost. As Microsoft is working on its own implementation specfically designed for windows.
+- To Install apps, using the `winget` (Windows Package manager). More details in [Sandboxing page](/windows/sandboxing/#using-winget-to-install-sofwaret)
+
+## Security Improvements
+
+- Use [PeaZip](https://peazip.github.io/) archiver instead of 7-zip as it disables [Mark of the Web(MoW)](https://nolongerset.com/mark-of-the-web-details/) [support by default](https://github.com/nmantani/archiver-MOTW-support-comparison#*2) leading to execution of malicious instantly after extracting.
+
+- Using MS edge or brave over Firefox. Edge is recommended with MDAG mode for secure browsing if security is your priority. Brave is recommeded if content blocking is important for you (Brave shields)
+
+- [Check](https://learn.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt#how-to-check-if-kernel-dma-protection-is-enabled) if Kernel DMA protections is turned on.
+
+- Use [Winget](/windows/sandboxing/#using-winget-to-install-sofware) tool to remove Bloatware instead of third party apps.
+
+- [x] Block all incoming connections in Windows firewall.
+    - Go to `Firewall & Network Protection` in Windows defender security.
+    - Go to `Domain`, `Private` and `Public` network settings
+    - Scroll and check the box under **Incoming Connections**
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">A note regarding screen casting</p>
+
+If you try to cast your screen to another device or cast another device screen to your device via Wireless display (Optional feature). You won't be able to connect the devices. As we have blocked Incoming connections. Miracast (Wireless casting) requires incoming connection to send data back and forth to show the screen on other or vice versa.
+
+If you want to cast, then disable incoming connections in public network and cast your device and block connection again.
+
+There is no problem if you use normal Projection via cable.
+
+</div>
+
+## Keeping your device up-to-date
+
+You should keep your Windows Device up-to-date by enabling automatic updates. It is recommended to do so to keep your device with latest security fixes and new features.
+
+To get information about the latest updates, you can look at the [Windows Release Information](https://docs.microsoft.com/en-us/windows/release-health/windows11-release-information).
+
+It is recommended to stick to driver updates provided via Optional Updates, as they are thoroughly vetted by Microsoft for the stability of your device, and **do not rely on third-party apps for driver updates**. This way, you get the latest updates and security patches for your drivers along with firmware updates as long as your device is supported by the OEM.
+
+Some Hardware vendors like Nvidia, Intel has their own updater tool which will provide latest drivers.
+
+It is recommended to rather rely on Windows updates or first-party apps.
+
+**Credits** : The page is mostly made based on the recommendations of Windows Hardening Guide by [beerisgood](https://github.com/beerisgood/Windows11_Hardening)
+
+*[TPM]: Trusted Platform Module
+*[FDE]: Full Disk Encryption
+*[UAC]: User Account Control
+*[WDAG]: Windows Defender Application Guard
+*[SRTM]: Static Root-of-Trust Measurement

docs/os/windows/index.md

@@ -13,9 +13,9 @@ You can enhance your privacy and security on Windows without downloading any thi
 
 - Initial Installation (coming soon)
 - [Group Policy Settings](group-policies.md)
-- Privacy Settings (coming soon)
-- Application Sandboxing (coming soon)
-- Security Hardening (coming soon)
+- [Privacy Settings](privacy.md)
+- [Application Sandboxing](sandboxing.md)
+- [Security Hardening](hardening.md)
 
 <div class="admonition example" markdown>
 <p class="admonition-title">This section is new</p>

docs/os/windows/privacy.md

@@ -0,0 +1,86 @@
+---
+title: Achieving Privacy
+icon: material/incognito
+---
+
+## Using Microsoft account
+
+You should avoid sign in to Windows with a Microsoft account. As signing in to applications like Microsoft Office (which some users are required to do for their school or company) will trigger a dark pattern offering you to sign in to Windows, which will connect your device to your Microsoft account, and compels sending data to Microsoft servers and it is critical to reject this offer.
+
+It’s worth noting that according to [this study](https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf) it seems that Windows collects more telemetry when signed into a Microsoft Account.
+
+![Using account for specific app](/docs/assets/img/windows/signin-one-app.webp)
+
+You should log in to that specific app only if you need to.
+
+or
+
+Create another standard user account and connect it to Microsoft account if you are required for School or Work and keep the apps to that account alone. By restricting other data drive access, it is fully isolated from other profiles.
+
+## Telemetry
+
+To disable telemetry at full level, Open Group policy and navigate to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Data Collection and Preview builds` and choose as required
+
+![Disable telemetry](/docs/assets/img/windows/disable-telemetry.webp)
+
+The above works only if you use Enterprise or Education edition. If Professional, It will send required (Basic) data.
+
+If you read this article - [https://www.softscheck.com/en/blog/windows-10-enterprise-telemetry-analysis/](https://www.softscheck.com/en/blog/windows-10-enterprise-telemetry-analysis/), Enterprise even sends data even though telemetry is disabled. But there is no updated info about this available.
+
+Disabling full telemetry or sending basic data to Microsoft is totally upto the user's threat model.
+
+- [ ] Disable `Automatic Sample Submission` in Windows Defender, as the feature will send your files as a sample for Signature Database and might leak your data. You can do it via the below Group Policy so to not prompt you again and again constantly.
+
+    ```text
+    Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS > Send file samples when further analysis is required to Never Send.
+    ```
+
+- [ ] Disable Windows spotlight by navigating to `User Configuration` > `Administrative Templates` > `Windows Components` > `Cloud Content` and setting **Turn off all Windows Spotlight features** policy to enabled.
+
+<div class="admonition note" markdown>
+<p class="admonition-title">Note</p>
+
+This explicitly disables Windows spotlight features in Lockscreen and Desktop to sever unnecessary connections between Microsoft servers and the device.
+
+</div>
+
+- [ ] Disable Bing integration in Windows search, by navigating to `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`. This way your search queries for local indexed data is not sent to Microsoft.
+
+- [ ] Disable notification in the Lock screen in Windows settings
+    ![Lock screen notification](/docs/assets/img/windows/lock-screen-notifications.webp)
+
+- [ ] Disable Online Speech recognition and Voice activation
+        ![Alt text](/docs/docs/assets/img/windows/online-speech.webp)
+        ![Alt text](/docs/assets/img/windows/voice-activation.webp)
+
+- [ ] Disable delivery optimization in Windows Update settings.
+
+- Check all the App permissions and allow only necessary ones.
+
+## Hide MAC Address
+
+Go to `Settings` > `Network & Internet` > `Wifi`
+
+Enable **Random hardware addresses**
+
+## Restrict access to data drives
+
+To prevent other users from accessing your secondary data drives. Type `gpedit.msc` in Windows Run dialog box.
+
+Go to `User Configuration` > `Administrative Templates` > `Windows Components` > `File Explorer` and set the Group Policy as below.
+
+![Restrict-drive](/docs/assets/img/windows/drive-restriction.webp)
+
+The above configuration will restrict other users to the OS drive where Windows is installed. Making total isolation between your Account and other user account.
+
+If it's a shared drive with another person but you don't want the user to access sensitive data then use EFS. EFS encrypts the documents so that the user who encrypted it can only access it and not others.
+
+![EFS](/docs/assets/img/windows/EFS.gif)
+
+It is better to export the Private key certificate and store in a safe place so as to use the file later in other devices. To do so,
+
+Press, ++win+r++, Then type `certmgr.msc`, Under `Personal` > `Certificates`. Click the certificate that contains your username. Right Click and choose export. If you find this too tricky, then after using EFS for first time. You will see an encrypted locker Icon in system tray which help you in exporting on clicking it.
+
+To import in another device, simply open and install this certificate in that device and choose the above location. Then you can access EFS encrypted files in other system too.
+
+*[EFS]: Encrypted File System

docs/os/windows/sandboxing.md

@@ -0,0 +1,155 @@
+---
+title: Application Sandboxing
+icon: octicons/apps-16
+---
+
+## Native Application Sandboxing
+
+### Application Packaging by Windows
+
+Windows has two types of application packaging such as `.exe`/`.msi` (Win32) and `.appx`/`.msix` (UWA).
+
+#### Universal Windows Application (UWA)
+
+UWAs are processes that operate within the `AppContainer` is an application sandbox environment, which implements mechanisms for the restriction of `AppContainer` processes in terms of what system resources they can access. Basically, Application that is fully isolated and only given access to certain resources.
+
+#### Win32 Apps
+
+Win32 is the application platform of choice for developing and running classic Windows applications, that
+is, Win32 applications, that require direct access to Windows and hardware.
+
+The core of Win32 is the Win32 API implemented in the Windows SubDLLs (DLLs) and the ntdll.dll library file. With the combination of `SubDLLs` and `ntdll.dll`, the Win32 application has direct access to full system resources.
+
+#### A comparison between UWA and Win32
+
+| UWAs    | Windows |
+| :--------- | :---------------------------------- |
+|UWAs run as restricted, containerized `AppContainer` processes that run by accessing the WinRT API, a subset of COM functionalities and the Win32 API. They have specific properties that define process restrictions in terms of the system resources that processes can access.| Win32 applications run as Windows native, traditional processes that run by accessing the Win32 API and COM functionalities to their full extent and a subset of the WinRT API to directly access all system resources. They do not run as restricted processes, all system functionalities are by design directly available to them.|
+|Only a single instance of a given UWA may run at a given time. | Any number of instances of a given Win32 application may run simultaneously. |
+|UWAs are distributed as application packages, archive files with a pre-defined format and required content that is necessary for the deployment and operation of UWAs |The way in which Win32 applications are distributed is not restricted by the operating system. It is defined by the application vendors. |
+
+The above comparison gives a clear cut that UWA/UWP apps are the best ones to use in terms of sandboxing the app.
+
+### Choosing the way to install software
+
+UWA apps are primarily distributed through Microsoft store and are counter-signed by Microsoft while as third party UWA's are signed by the vendor without Microsoft's signature.
+
+It is recommended to use the UWA apps as they are sandboxed into their own containers.
+
+And for Win32 apps. If you are required to use Win32 apps. Install the application in the host and run it using [Windows Sandbox](/windows/sandboxing/#run-programs-instantly-in-sandbox).
+
+It is **recommended** to install in host and use in Sandbox to reduce your time installing the software again and again in Windows Sandbox.
+
+### Finding Win32 and UWP apps in Windows Store
+
+Generally, apps available in Microsoft store was UWP only before Windows 11 was launched but after the launch both Win32 and UWP apps co-exist in the store.
+
+At this point, it is difficult to differentiate between Win32 and UWP apps. To find which is UWP or Win32. Read below:
+
+When you see an app in store and scroll down to *Additional Information*  section and see if it asks for certain permissions like in the image below:
+
+![UWP in store](/assets/img/windows/UWP-in-MS-Store.webp)
+
+If the Win32 App, Microsoft store will explicitly state that it is Provided and Updated by `****`  and `Uses all System resources` as in the image below:
+
+![Win32 in store](/assets/img/windows/Win32-in-MS-Store.webp)
+
+<div class="admonition note" markdown>
+<p class="admonition-title">Un-sandboxed UWP apps</p>
+
+Some UWP apps in the store due to the lift of restrictions in Microsoft store developers can submit the app with a property named `runFullTrust` which disables sandboxing of that UWP application and shows that `Uses all System Resources` in *Additional Information* section such as Firefox. By this you can know if a UWP app is sandboxed or not.
+
+If it is sandboxed, it will show only certain permissions in *Additional Information* section.
+</div>
+
+<div class="admonition abstract" markdown>
+<p class="admonition-title">Note</p>
+
+Most apps will ask that if the app needs to be used for all users or just for your user account. It is best you keep the app to your user Account. So, We achieve better sandboxing between different user accounts.
+
+</div>
+
+#### Another way to find
+
+[rg-adguard.net](https://store.rg-adguard.net/) is a third party Microsoft store app which can be used to download `.appx` files (Installer for UWP) and install UWP apps. You can use this site to download Age Restricted apps in store and Install it. **Note** that paid apps don't work unless you connect a Microsoft Account.
+
+## Using Winget to Install Sofware
+
+Windows Package Manager winget command-line tool is bundled with Windows 11 and modern versions of Windows 10 by default as the App Installer.
+
+The winget command line tool enables users to discover, install, upgrade, remove and configure applications on Windows 10 and Windows 11 computers. This tool is the client interface to the Windows Package Manager service.
+
+More information here : [https://learn.microsoft.com/en-us/windows/package-manager/winget/](https://learn.microsoft.com/en-us/windows/package-manager/winget/)
+
+The Winget tool is a powerful tool to install apps that are safe, trusted and official ones. This should be used to avoid sketchy installers.
+
+Even you have apps installed via the traditional installer setup. You can continue using winget
+
+A Quick demo by ThioJoe - [https://youtu.be/uxr7m8wDeGA](https://youtu.be/uxr7m8wDeGA)
+
+Detailed info about the tool by Microsoft - [https://youtu.be/Lk1gbe_JTpY](https://youtu.be/Lk1gbe_JTpY)
+
+If you understood about Winget, then this tool - [https://winstall.app/](https://winstall.app/) is suggested to bulk install apps.
+
+Note : Be sure to install via Winget or using MSI installer to upgrade the app easily.
+
+### Benefits of winget
+
+There are general advantages in having a package manager regardless of the operating system.
+
+- Security : The packages that the package manager includes are usually safe because they’re verified by maintainers.
+- Automation : It’s easier to install or uninstall N applications using a package manager. No need to do it manually.
+- Maintenance : With a package manager usually you can update all your applications, including configurations.
+Exploration. Instead of searching manually in a browser for an application you can use the package manager. Since it’s centralized it should be easier to find what you want.
+
+## Windows Sandbox
+
+Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
+
+The sandbox is temporary like TailsOS running on a USB drive. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open it.
+
+You can know more from the Official [Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview).
+
+**Use case of Sandbox:** The Windows Sandbox can be used to run unknown software or if you want to isolate your Workspace from the host with only Specific set of apps, etc.
+
+### Using Sandbox
+
+To use Sandbox, you can create a configuration file as per the official Microsoft [Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) for your needs.
+
+So, when opening the file, sandbox opens with the Configurations you had set up in your file.
+
+If you do not understand the documentation, you can use [Windows Sandbox Editor](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor) instead. It is a GUI application that can be used to create configuration files easily.
+
+<div class="admonition note" markdown>
+<p class="admonition-title">Regarding Windows Sandbox Editor</p>
+
+The repository doesn't provide a package. So, you need to download the whole codebase. After, extracting the zip Windows Defender or other Antivirus software may flag the [exe](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/EXE) file as a malware. So, it is recommended to install it via the [Powershell Script](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/Install%20on%20desktop%20(in%20case%20of%20issue%20with%20EXE)) they provide.
+
+By default, You cannot execute Scripts in Powershell and it is restricted to commands only. It is recommend you allow the Terminal to `Unrestricted` mode and use it to install the editor via Script after that change it back to `Restricted` [execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2) to prevent accidental execution of malicious scripts in the future.
+
+</div>
+
+### Run programs instantly in Sandbox
+
+[Run in Sandbox](https://github.com/damienvanrobaeys/Run-in-Sandbox) is a tool to quickly run files in Windows Sandbox with a right click.
+
+We recommend you to use this software as it is convenient and easy to use and even credited by Microsoft.
+
+A full guide on How to use it can be found here: [https://www.systanddeploy.com/2021/11/run-in-sandbox-quick-way-to-runextract.html](https://www.systanddeploy.com/2021/11/run-in-sandbox-quick-way-to-runextract.html)
+
+Note: The same note of installing sandbox editor via PowerShell also applies here except this doesn't provide an `exe` at all.
+
+This page is based on the German BSI project - [SiSyPHuS Win10](https://www.bsi.bund.de/EN/Topics/Cyber-Security/Recommendations/SiSyPHuS_Win10/SiSyPHuS_node.html)'s Work Package 9 Dcoument.
+
+**For Advanced Users :**
+
+Sandboxie Plus, is a Sandboxing tool which uses File system and registry Virtualization techniques to sandbox every apps and at the same data not being lost like Windows Sandbox.
+
+Use this at your own Risk !
+
+*[UWA]:Universal Windows Applications
+*[UWP]:Universal Windows Platform
+*[SubDLLs]: Subsystem Dynamic link libraries
+*[ntdll.dll]: A core Windows library file that implements functions for interaction with the kernel.
+*[WinRT]: Windows Runtime
+*[COM]: Component Object Model

docs/os/windows/windows-overview.md

@@ -0,0 +1,105 @@
+---
+title: Windows Overview
+icon: fontawesome/brands/microsoft
+---
+
+## Windows
+
+Windows is a proprietary operating system created by Microsoft Inc. in 1985. It is primarily focused on personal computing and is now the most popular desktop OS, used by about [75%](https://gs.statcounter.com/os-market-share/desktop/worldwide) of all desktop users. However, it has its own privacy and security issues.
+
+## Issues present in Windows
+
+Over the years, Microsoft has demonstrated a lot of privacy-invasive behaviour with their software and services. They have continually taken advantage of the fact that Windows is the most wide-used desktop OS, and that most people don't change the default settings, in order to collect users' personal information.
+
+Windows 10 was [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, including:
+
+<div class="admonition quote" markdown>
+<p class="admonition-title">[Criticism of Microsoft - Wikipedia](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection)</p>
+
+User's contacts and calendar events, location data and history, "telemetry" (diagnostics data) ... and "advertising ID", as well as further data when the Cortana assistant is enabled.
+
+</div>
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. Only after [criticism](https://www.theverge.com/2016/7/21/12246266/france-microsoft-privacy-windows-10-cnil) from the France data protection commission, the [Electronic Frontier Foundation](https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive) and the [European Union](https://www.reuters.com/article/us-microsoft-dataprotection-eu-idUSKBN15Z1UI), Microsoft changed the way they collect telemetry, allowing users to choose between "Basic" (now renamed as `Required`) and "Full", with "Basic" mode collecting [much less telemetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects). Along with that, Microsoft collects a [lot more data from Windows 10](https://web.archive.org/web/20210711143017/https://privacytools.io/operating-systems/#win10).
+
+With the launch of Windows 11, a lot of [other](https://www.windowscentral.com/one-thing-microsoft-didnt-discuss-windows-11-privacy) [concerns](https://www.pcworld.com/article/539183/windows-11-review-an-unnecessary-replacement-for-windows-10.html) were raised, such as:
+
+- Integration of Microsoft Teams into the OS, which would encourage users to switch to the service, allowing Microsoft to collect even more data.
+- Removing the ability to have local accounts in Windows 11 Home, therefore forcing you to log into a Microsoft account so as to collect more data.
+- Having all data collection options on by default
+- Working with Amazon to bring Android apps to Windows through the Windows Subsystem for Android, likely allowing both Microsoft and Amazon to collect data about Android app usage on Windows.
+- Using users in a P2P way to distribute Windows updates to reduce load in Microsoft's servers without users' consent.
+
+## Choosing your Windows edition
+
+While using Windows, it is better to select either Windows **Enterprise** Edition or **Education** Edition because it gives more control over the system for hardening it for privacy and security by giving access to stops the OS from sending any Telemetry data using GP Editor.
+
+If you cannot get the above editions, you should opt for **Professional** Edition.
+
+### Editions to avoid
+
+- It is not recommended to use forks or modified versions of Windows such as Windows AME. It should be avoided at all cost. Since modified versions of Windows, such as AME, don't get updates, antivirus programs like Defender can fall out of date or be disabled entirely, opening you up to attacks.
+
+- Windows **Home** edition is **not** recommended as it does not have many advantages that Professional edition provides such as BitLocker Drive Encryption, Hyper-V, Windows Sandbox, etc. It also uploads Bitlocker Encryption keys to Microsoft servers which actually defies the aspect of the encryption implemented as the key was supposed to be hold by the user.
+
+#### Recommendations
+
+We recommend you choose Windows 11 over Windows 10 as it is the latest version and brings many security-related improvements with it by default such as [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot), [VBS](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs), [HVCI](https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard), etc. Windows 10 will stop getting updates after [October 14, 2025](https://docs.microsoft.com/en-us/lifecycle/products/windows-10-home-and-pro).
+
+### Installing Windows
+
+We recommend that you use the official [Media Creation tool](https://www.microsoft.com/software-download/windows11) to flash the ISO to the USB, over third-party options such as Rufus, Balena Etcher, etc., so that you don't tamper the ISO.
+
+#### Downloading ISO
+
+To download the ISO. Follow these steps :
+
+- Download Media Creation tool under `Windows 11 Installation Media`
+- Open a Command prompt terminal in the directory where `mediacreationtool.exe` is downloaded.
+- And Input the following Command :
+
+    ```text
+    mediacreationtool.exe /Eula Accept /Retail /MediaArch x64 /MediaLangCode en-US /MediaEdition Enterprise
+    ```
+
+- If it asks for Activation key, Use this Generic Key `XGVPP-NMH47-7TTHJ-W3FW7-8HV2C`. This will just allow you to download the ISO but activation is totally upon the user.
+- Accept the UAC prompt
+- Download the ISO file or flash to a USB as you wish
+
+<div class="admonition note" markdown>
+<p class="admonition-title">Note</p>
+
+- The ISO will consists **only** of Professional, Education & Enterprise editions with a size of ~4.2 GB (Instead of >5.5GB when you download the Multi-Edition ISO). When you download using the above way, no other editions such as Home are included in it.
+- If you want to change the language of the ISO file, Just change the `en-US` part with the appropriate language and country code as per your needs.
+
+</div>
+
+### Activating Windows
+
+Activating Education/Enterprise edition is different because for Enterprise Edition it needs to be a part of an enterprise network or buying an enterprise License for several devices and use it for your one device & for Education Edition it needs to be a part of school network or managed by a school administrator.
+
+For activating Professional edition, you can buy the license key from resellers (not recommended) or the [Microsoft Store](https://www.microsoft.com/d/windows-11-pro/dg7gmgf0d8h4?rtc=1).
+
+If you are currently using Pro and want to upgrade to Enterprise. Then, Follow the guide [here](https://www.kapilarya.com/how-to-upgrade-windows-11-pro-to-enterprise-edition)
+
+<div class="admonition abstract" markdown>
+<p class="admonition-title">Note</p>
+
+This guide will be mostly on Windows 11 but some of the recommendations can be applied to Windows 10 too.
+
+</div>
+
+<div class="admonition danger" markdown>
+<p class="admonition-title">Warning</p>
+
+If you are going to install Windows 11, then install it only on supported devices. It is not recommended to use tools/scripts that are available online to bypass the requirements which would break the security of Windows 11 which it is aimed for.
+
+**Never** download *Pirated* ISO Files
+
+</div>
+
+*[GP]: Group Policy
+*[VBS]: Virtualization-Based Security
+*[HVCI]: Hypervisor-Protected Code Integrity
+*[AME]: Ameliorated
+*[P2P]: Peer-to-Peer

docs/tools.md

@@ -84,14 +84,6 @@ For more details about each project, why they were chosen, and additional tips o
 
     - [Read Full Review :material-arrow-right-drop-circle:](mobile-browsers.md#cromite-android)
 
-- ![Mull logo](assets/img/browsers/mull.svg){ .lg .middle .twemoji } **Mull (Android)**
-
-    ---
-
-    **Mull** is a Firefox-based browser for Android centered around privacy and removing proprietary components.
-
-    - [Read Full Review :material-arrow-right-drop-circle:](mobile-browsers.md#mull-android)
-
 - ![Safari logo](assets/img/browsers/safari.svg){ .lg .middle .twemoji } **Safari (iOS)**
 
     ---
@@ -626,7 +618,6 @@ For encrypting your OS drive, we typically recommend using the encryption tool y
 <div class="grid cards" markdown>
 
 - ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji loading=lazy }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji loading=lazy } [GrapheneOS](android/distributions.md#grapheneos)
-- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji loading=lazy } [DivestOS](android/distributions.md#divestos)
 
 </div>
 
@@ -707,7 +698,6 @@ These tools may provide utility for certain individuals. They provide functional
 - ![MVT logo](assets/img/device-integrity/mvt.webp){ .twemoji loading=lazy } [Mobile Verification Toolkit](device-integrity.md#mobile-verification-toolkit)
 - ![iMazing logo](assets/img/device-integrity/imazing.png){ .twemoji loading=lazy } [iMazing (iOS)](device-integrity.md#imazing-ios)
 - ![Auditor logo](assets/img/device-integrity/auditor.svg#only-light){ .twemoji loading=lazy }![Auditor logo](assets/img/device-integrity/auditor-dark.svg#only-dark){ .twemoji loading=lazy } [Auditor (Android)](device-integrity.md#auditor-android)
-- ![Hypatia logo](assets/img/device-integrity/hypatia.svg#only-light){ .twemoji loading=lazy }![Hypatia logo](assets/img/device-integrity/hypatia-dark.svg#only-dark){ .twemoji loading=lazy } [Hypatia (Android)](device-integrity.md#hypatia-android)
 
 </div>
 

docs/vpn.md

@@ -298,7 +298,7 @@ We require all our recommended VPN providers to provide OpenVPN configuration fi
 - Support for strong protocols such as WireGuard & OpenVPN.
 - Killswitch built in to clients.
 - Multihop support. Multihopping is important to keep data private in case of a single node compromise.
-- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
+- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what the program is actually doing.
 - Censorship resistance features designed to bypass firewalls without DPI.
 
 **Best Case:**

includes/contributors.md

@@ -446,6 +446,9 @@
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/PASSK3YS"><img src="https://avatars.githubusercontent.com/u/54213179?v=4" width="100px;" loading=lazy /><br /><sub><b>Kieran Colfer</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=PASSK3YS" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/SamsungGalaxyPlayer"><img src="https://avatars.githubusercontent.com/u/12520755?v=4" width="100px;" loading=lazy /><br /><sub><b>Justin Ehrenhofer</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=SamsungGalaxyPlayer" title="Documentation">📖</a> <a href="#business-SamsungGalaxyPlayer" title="Business development">💼</a> <a href="#fundingFinding-SamsungGalaxyPlayer" title="Funding Finding">🔍</a></td>
     </tr>
+    <tr>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/bruch-alex"><img src="https://avatars.githubusercontent.com/u/173354246?v=4" width="100px;" loading=lazy /><br /><sub><b>Alex Bruch</b></sub></a><br /><a href="#translation-bruch-alex" title="Translation">🌍</a></td>
+    </tr>
   </tbody>
   <tfoot>
     <tr>

mkdocs.yml

@@ -211,7 +211,7 @@ extra:
       link: /zh-hant/
       lang: zh-Hant
       icon: https://raw.githubusercontent.com/twitter/twemoji/master/assets/svg/1f1ed-1f1f0.svg
-    - name: русский
+    - name: Русский
       link: /ru/
       lang: ru
       icon: https://raw.githubusercontent.com/twitter/twemoji/master/assets/svg/1f1f7-1f1fa.svg
@@ -391,6 +391,9 @@ nav:
           - !ENV [NAV_OPERATING_SYSTEMS_WINDOWS, "Windows"]:
               - "os/windows/index.md"
               - "os/windows/group-policies.md"
+              - "os/windows/privacy.md"
+              - "os/windows/hardening.md"
+              - "os/windows/sandboxing.md"
   - !ENV [NAV_RECOMMENDATIONS, "Recommendations"]:
       - "tools.md"
       - !ENV [NAV_INTERNET_BROWSING, "Internet Browsing"]:

theme/assets/img/android/divestos.svg

@@ -1 +0,0 @@
-<svg version="1.1" viewBox="0 0 128 128" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.256 0 0 .256 -1.534 -1.5359)"><path d="m506 256a250 250 0 0 1-248.51 250 250 250 0 0 1-251.48-247.01 250 250 0 0 1 245.5-252.95 250 250 0 0 1 254.41 243.98" fill="#fc5424"/><path d="m261.3 166.34c-48.1 0-76.959 33.794-76.959 89.541 0 56.98 28.859 89.787 76.959 89.787 48.347 0 77.207-33.794 77.207-89.787 0-56.98-28.86-89.541-77.207-89.541zm155.15 0c-35.52 0-61.668 19.241-61.668 49.334 0 25.407 14.062 41.193 52.295 53.033 24.913 7.6467 31.326 13.32 31.326 25.9 0 13.073-10.359 20.967-27.133 20.967-17.02 0-30.588-6.1668-43.168-16.773l-20.473 22.447c14.06 13.567 35.273 24.42 64.873 24.42 42.673 0 67.834-22.201 67.834-54.021 0-31.573-18.501-44.892-50.814-55.252-26.64-8.3867-33.053-12.828-33.053-23.682 0-10.853 8.8794-16.771 22.939-16.771 13.813 0 25.654 4.6866 37.494 14.307l18.746-21.955c-15.047-14.307-33.053-21.953-59.199-21.953zm-384.8 4.1934v170.94h51.307c43.66 0 85.1-17.514 85.1-86.334 0-70.547-43.165-84.607-88.799-84.607h-47.607zm229.65 25.408c22.94 0 34.781 16.773 34.781 59.939 0 43.413-11.595 60.186-34.781 60.186-22.2 0-34.533-16.772-34.533-60.186 0-43.167 11.84-59.939 34.533-59.939zm-189.19 3.9453h12.828c23.68 0 41.193 9.3738 41.193 55.254 0 45.387-16.281 56.98-40.701 56.98h-13.32v-112.23z"/></g></svg>

theme/assets/img/browsers/mull.svg

@@ -1 +0,0 @@
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.23559 0 0 .23559 1.8105e-7 .00017997)"><path d="m97.545 29.843s2.554-8.59 10.911-13c8.357-4.411 28.553-4.411 31.57-3.018 3.018 1.393 3.947 25.999 0 32.034-3.946 6.036-11.839 9.286-18.106 9.286-6.268 0-25.999-15.089-25.999-15.089z" fill="#e91e63"/><path d="m104.86 31.267s1.694-5.697 7.238-8.623c5.543-2.926 18.941-2.926 20.943-2.002s2.618 17.247 0 21.251-7.854 6.159-12.011 6.159c-4.158 0-17.248-10.009-17.248-10.009z" fill="#424242"/><path d="m46.206 29.843s-2.554-8.59-10.911-13c-8.356-4.411-28.553-4.411-31.57-3.018-3.018 1.393-3.946 25.999 0 32.034 3.946 6.036 11.839 9.286 18.106 9.286 6.268 0 25.999-15.089 25.999-15.089z" fill="#e91e63"/><path d="m38.888 31.267s-1.694-5.697-7.237-8.623c-5.544-2.926-18.941-2.926-20.943-2.002s-2.618 17.247 0 21.251 7.854 6.159 12.012 6.159 17.247-10.009 17.247-10.009z" fill="#424242"/></g><path d="m8.1036 7.1525s1.1318 0.00899 2.048 0.26551c0 0-2.3456 0.47637-4.178 1.6856 0 0 0.69618 0.036774 1.6126 0.18329 0 0-2.8064 2.0574-4.9931 5.1856 7.3768 1.4324 8.7289 9.3139 8.7289 9.3139 0.30485-0.48744 2.4372-1.9497 2.4372-1.9497 0.91786-10.59-0.71926-15.081-1.5827-16.652-1.5059 0.43396-2.9788 1.0762-4.0729 1.9677zm18.177 2.1344c0.91621-0.14654 1.6126-0.18329 1.6126-0.18329-1.8324-1.2093-4.1777-1.6856-4.1777-1.6856 0.91622-0.25656 2.048-0.26551 2.048-0.26551-1.0943-0.89148-2.567-1.5337-4.0731-1.9677-0.86343 1.5709-2.5006 6.0615-1.5827 16.652 0 0 2.1326 1.4623 2.4372 1.9497 0 0 1.3521-7.8815 8.7289-9.3139-2.1868-3.1279-4.9931-5.1856-4.9931-5.1856z" fill="#212121" stroke-width=".23559"/><g transform="matrix(.23559 0 0 .23559 1.8105e-7 .00017997)"><path d="m128.2 91.998c9.178-0.623 15.556 4.2 15.556 4.2-1.4-14.468-11.044-19.134-11.044-19.134 6.222 0.622 9.645 4.666 9.645 4.666-1.845-7.679-5.674-14.776-10.023-20.884 0.139 0.194 0.279 0.387 0.416 0.583-31.312 6.08-37.051 39.534-37.051 39.534-1.293-2.069-10.345-8.276-10.345-8.276-3.896-44.952 3.054-64.013 6.718-70.681-7.263-2.092-14.707-3.04-20.19-3.04-6.07 0-14.542 1.159-22.511 3.752 0.77-0.25 1.544-0.488 2.321-0.712 3.665 6.668 10.614 25.729 6.718 70.681 0 0-9.052 6.207-10.345 8.276 0 0-5.74-33.454-37.052-39.534 0.138-0.196 0.277-0.389 0.416-0.583-4.351 6.108-8.18 13.206-10.025 20.885 0 0 3.422-4.044 9.645-4.666 0 0-9.645 4.666-11.045 19.134 0 0 6.378-4.823 15.556-4.2 0 0-9.8 0.934-13.222 11.667 0 0 12.013-7.723 29.168-2.784 15.974 4.599 15.005 24.445 26.677 28.606 9.641 3.438 13.697-1.244 13.697-1.244s4.056 4.682 13.697 1.244c11.671-4.161 10.703-24.008 26.677-28.606 17.156-4.938 29.169 2.784 29.169 2.784-3.423-10.734-13.223-11.668-13.223-11.668z" fill="#e91e63"/><path d="m71.876 101.79c-10.66 0-15.61 4.697-15.61 4.697s10.557 14.105 15.61 14.352c5.053-0.247 15.61-14.352 15.61-14.352s-4.95-4.697-15.61-4.697z" fill="#212121"/><path d="m71.876 104.16c9.164 0 14.204 1.759 15.605 2.332l4e-3 -6e-3s-4.95-4.697-15.61-4.697-15.61 4.697-15.61 4.697l4e-3 6e-3c1.403-0.573 6.442-2.332 15.607-2.332z" fill="#424242"/><ellipse transform="matrix(.9602 -.2794 .2794 .9602 -15.818 30.286)" cx="98.317" cy="70.621" rx="10.771" ry="13.034" fill="#424242"/><circle cx="98.316" cy="69.891" r="6.81" fill="#332a24"/><circle cx="98.317" cy="69.891" r="4.375" fill="#4d4a47"/><circle cx="96.999" cy="68.527" r="1.761" fill="#fff"/><ellipse transform="matrix(-.9602 -.2794 .2794 -.9602 69.326 151.13)" cx="45.435" cy="70.621" rx="10.771" ry="13.034" fill="#424242"/><circle cx="45.435" cy="69.891" r="6.81" fill="#332a24"/><circle cx="45.435" cy="69.891" r="4.375" fill="#4d4a47"/><circle cx="44.117" cy="68.527" r="1.761" fill="#fff"/></g><path d="m30.064 21.674c2.1623-0.14678 3.6649 0.98948 3.6649 0.98948-0.32982-3.4085-2.6019-4.5078-2.6019-4.5078 1.4658 0.14654 2.2723 1.0993 2.2723 1.0993-0.421-1.7523-1.2819-3.3739-2.2664-4.7818 8.9e-4 -2.4e-4 0.0018-4.72e-4 0.0027-8.9e-4 -0.03223-0.04621-0.06527-0.09164-0.09801-0.13735 2.41e-4 2.32e-4 2.41e-4 4.72e-4 4.72e-4 7.04e-4 -0.38401-0.5395-0.78476-1.0463-1.1853-1.5148 1.1546-0.29802 2.322-0.98288 2.9981-2.0169 0.92988-1.4218 0.71101-7.219 0-7.5469-0.71101-0.32841-5.4688-0.32841-7.4376 0.71101-0.96545 0.50959-1.6006 1.255-1.9987 1.8833-0.59843-0.26056-1.2265-0.48343-1.8624-0.66672-1.7111-0.49286-3.4648-0.71619-4.7566-0.71619v25.744s0.95556 1.103 3.2269 0.29307c2.7496-0.98029 2.5215-5.6561 6.2849-6.7393 4.0418-1.1634 6.8717 0.65588 6.8717 0.65588-0.80642-2.5284-3.1155-2.7484-3.1155-2.7484z" fill="#5c4337" opacity=".1" stroke-width=".23559"/></svg>

theme/assets/img/device-integrity/hypatia-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" fill="#fff" version="1.1" viewBox="0 0 64 64"><path stroke-width="2.934" d="m29.623 0.50599-20.539 9.1251c-2.1126 0.93891-3.4916 3.0515-3.4916 5.3694v13.79c0 16.284 11.267 31.512 26.407 35.209 15.14-3.697 26.407-18.925 26.407-35.209v-13.79c0-2.3179-1.379-4.4305-3.4916-5.3694l-20.539-9.1251c-1.4964-0.67485-3.2569-0.67485-4.7533 0zm2.3766 31.19h20.539c-1.5551 12.089-9.6239 22.857-20.539 26.231v-26.202h-20.539v-16.724l20.539-9.1251z"/></svg>

theme/assets/img/device-integrity/hypatia.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><path fill="#1a1a1a" stroke-width="1.539" d="m16.933-1.6667e-7 -13.855 6.1576v9.2364c0 8.5436 5.9113 16.533 13.855 18.473 7.9433-1.9397 13.855-9.9291 13.855-18.473v-9.2364zm0 16.918h10.776c-0.81588 6.3423-5.0492 11.992-10.776 13.762v-13.747h-10.776v-8.7746l10.776-4.7875z"/><path fill="none" stroke-width=".265" d="m16.415 18.141h6.35v6.35h-6.35z"/></svg>