_includes/nav.html

@@ -77,6 +77,22 @@
           </span>
         </details>
 
+        <!-- Hardware -->
+        <details class="nav-details">
+          <summary>
+            <span class="nav-summary">
+              Hardware
+              <span class="dropdown-toggle"></span>
+            </span>
+          </summary>
+          <span class="nav-dropdown">
+            <a class="dropdown-item" href="/hardware/#mobile"><span class="fas fa-mobile-alt fa-fw"></span> Mobile Devices</a>
+            <a class="dropdown-item" href="/hardware/#u2f"><span class="fas fa-key fa-fw"></span> U2F Security Keys</a>
+            <a class="dropdown-item" href="/hardware/#routers"><span class="fas fa-network-wired fa-fw"></span> Routers</a>
+            <a class="dropdown-item" href="/hardware/#laptops"><span class="fas fa-coins fa-fw"></span> Hardware Wallets</a>
+          </span>
+        </details>
+
         <!-- OS -->
         <details class="nav-details">
           <summary>

_includes/sections/hardware-wallets.html

@@ -0,0 +1,24 @@
+<h1 id="hardware-wallets" class="anchor"><a href="#hardware-wallets"><i class="fas fa-link anchor-icon"></i></a> Hardware Wallets</h1>
+
+{% include cardv2.html
+title="Trezor One"
+image="/assets/img/png/3rd-party/trezor-one.png"
+description='A fully open-source cryptocurrency wallet with support for over 1,000 coins/tokens. Trezor also has password manager functionality, supports GPG and SSH key storage functionality, and can act as a U2F key, making it a great backup for your U2F key (or vice versa).'
+website="https://trezor.io/"
+github="https://github.com/trezor"
+%}
+
+{% include cardv2.html
+title="Trezor Model T"
+badges="info:Upgrade Pick"
+image="/assets/img/png/3rd-party/trezor-model-t.png"
+description='The Trezor Model T supports all the same functionality as the Trezor One, as well as FIDO2 authentication support, a wider variety of coins/tokens, and a full color touchscreen for easier use.'
+website="https://trezor.io/"
+github="https://github.com/trezor"
+%}
+
+<h3>Worth Mentioning</h3>
+
+<ul>
+  <li><a href="https://www.ledger.com/">Ledger Nano X</a> - A great pick if you are an iOS user, or if the Trezor One does not support the coins/tokens you use. It does have some closed-source components, and it is not as intuitive to use as Trezor's devices.</li>
+</ul>

_includes/sections/mobile-devices.html

@@ -0,0 +1,65 @@
+<h1 id="mobile" class="anchor"><a href="#mobile"><i class="fas fa-link anchor-icon"></i></a> Mobile Hardware</h1>
+
+<p><em><strong>A note from the team:</strong> It is important to remember that you can only truly have privacy if the devices you use are secure. This includes security against both remote and physical attackers, and passive and active attacks. In the mobile computing space this dramatically limits your available options to devices that many would consider to be unsafe by default. You will need to make both software and lifestyle modifications to make these devices privacy-respecting. If you are unable or unwilling to do so, consider using mobile devices as little as possible, as they are at odds with your privacy almost by design. Please understand that we will never recommend any "privacy-respecting" mobile hardware that sacrifices your security.</em></p>
+
+<div class="container-fluid">
+
+  <div class="row mb-2">
+    <div class="col-lg-3 col-sm-12 pt-lg-5">
+      <img
+        src="/assets/img/png/3rd-party/pixel-3.png"
+        data-theme-src="/assets/img/png/3rd-party/pixel-3.png"
+        height="200"
+        width="200"
+        class="img-fluid d-block mr-auto ml-auto align-middle"
+        alt="Pixel 3 XL">
+    </div>
+    <div class="col">
+    <h2>Google Pixel 3</h2>
+    <p>The <strong>Google Pixel 3/3 XL</strong> and the <strong>Google Pixel 3a/3a XL</strong> are the only secure Android devices currently on the market that can be made privacy-respecting. They have hardware-backed keystores, verified boot functionality <em>with custom ROMs</em>, attestation support, as well as proper ongoing support for their firmware and proper ongoing support for software specific to the hardware used in the device, which is necessary for <em>complete</em> security updates.</p>
+
+    <h5><span class="badge badge-danger">Google OS</span></h5>
+    <p>Google Pixel devices come with a modified version of Android specific to Pixel devices. This software comes with added functionality specific to Pixel devices, but also is heavily linked with Google and Google Play Services. Using the stock ROM on a Google Pixel device is <em>strongly discouraged</em>. We recommend the use of either GrapheneOS or LineageOS to "de-Google" your device.</p>
+
+    <h5><span class="badge badge-success">GrapheneOS Support</span></h5>
+    <p>The Google Pixel supports GrapheneOS, the free and open-source mobile operating system <a href="/operating-systems/#mobile_os">we currently recommend</a> for use on mobile devices.</p>
+    <p>Note that using a custom Android operating system means you have to make the compromise between app availibility and stability, and having decent security and privacy. This operating system does not come with Google Play Services by default, nor is it possible to install Google Play Services or microG. We recommend using F-Droid for app installations as needed, and to avoid third-party apps as much as possible. For this reason, a Pixel with GrapheneOS may not be the best choice for less technical users and users requiring the use of many third-party apps.</p>
+
+    <h5><span class="badge badge-success">Titan M</span></h5>
+    <p>The Google Pixel 3 has a new hardware security chip, the Titan M, making it more secure than its predecessors or other Android devices. This chip is tasked with protecting your device against boot-time attacks, too many log-in attempts, and secure data storage, among other security-related processes. Unlike other mobile hardware security solutions such as ARM TrustZone, the Titan M is a dedicated chip with physically separate RAM and processing power, preventing sidechannel attacks (a la Spectre, Meltdown, Rowhammer).</p>
+    </div>
+  </div>
+
+  <div class="row mb-2">
+    <div class="col-lg-3 col-sm-12 pt-lg-5">
+      <img
+        src="/assets/img/png/3rd-party/iphone-11-pro.png"
+        data-theme-src="/assets/img/png/3rd-party/iphone-11-pro.png"
+        height="200"
+        width="200"
+        class="img-fluid d-block mr-auto ml-auto align-middle"
+        alt="iPhone 11 Pro">
+    </div>
+    <div class="col">
+    <h2>iPhone 11</h2>
+    <p>The <strong>iPhone 11 Pro</strong> and the <strong>iPhone 11</strong> are some of the most secure and tested mobile devices on the market. They support verified boot, strong sandboxing, and strong hardware security (Secure Enclave). They also receive regular and frequent security updates, and they will receive updates far longer than competing Android devices.</p>
+    <p>An iPhone does not make people compromise between the avalibility of third-party apps and having strong security and privacy from their device. Therefore we believe it is the most suitable option for less technical users, or users looking for a better out-of-the-box experience.</p>
+
+    <h5><span class="badge badge-danger">iCloud</span></h5>
+    <p>It is important to note that iOS comes with numerous iCloud integrations, many of which are enabled by default. We recommend advoiding the use of iCloud whenever possible to avoid your personal information being stored on Apple's servers, and we only recommend the use of an Apple ID for App Store use.</p>
+    <p>Contrary to popular belief, iCloud device backups are currently <strong>not</strong> End-to-End Encrypted. You should only backup your device using iTunes.</p>
+
+    <h5><span class="badge badge-success">No Known Exploits</span></h5>
+    <p>There are no known, major <em>hardware</em> exploits for the iPhone 11 series, making them a safer choice over older iPhone models. All iPhone models up to and including the iPhone X are affected by <strong>checkm8</strong>, a permanent unpatchable bootrom exploit that <em>may</em> compromise your device's security.</p>
+    <p>This does not mean an exploit is impossible: <strong>unc0ver</strong> is an iOS 13 software exploit that affects even the iPhone 11, however it has been patched in iOS 13.3.1. Always keeping your device up-to-date is the most important step to take to keep your devices secure.</p>
+    </div>
+  </div>
+
+</div>
+
+<h3>Worth Mentioning</h3>
+
+<ul>
+  <li><a href="https://devices.ubuntu-touch.io/device/FP2">Fairphone 2</a> <span class="badge badge-info">Ubuntu Touch</span> - The Fairphone 2 is an interesting look into modular, ethical, and sustainable mobile devices with an emphasis on open source. This our preferred hardware if you wish to run Ubuntu Touch, however using older and less tested hardware like this inherently forces you to make significant security compromises.</li>
+  <li><a href="https://redmine.replicant.us/projects/replicant/wiki/GalaxyS3I9300">Samsung Galaxy S3</a> and <a href="https://redmine.replicant.us/projects/replicant/wiki/GalaxyNote2N7100">Samsung Galaxy Note II</a> <span class="badge badge-info">ReplicantOS</span> - This is the best hardware available if you wish to run ReplicantOS, however using older hardware like this inherently forces you to make significant security and usability compromises.</li>
+</ul>

_includes/sections/resources.html

@@ -28,6 +28,14 @@
   description="Discover a variety of open source software built to protect your privacy and keep your digital data secure."
   %}
 
+  {% include card.html color="danger"
+  title="Hardware"
+  icon="fas fa-laptop"
+  iconcolor="dark"
+  page="/hardware/"
+  description="You can't protect your privacy without starting with the right hardware. Discover the devices for the job."
+  %}
+
   {% include card.html color="info"
   title="Operating Systems"
   icon="fas fa-desktop"
@@ -41,15 +49,7 @@
   icon="far fa-eye-slash"
   iconcolor="dark"
   page="/services/"
-  description="The PrivacyTools team is proud to launch a variety of privacy-centric online services, including a Mastodon instance, search engine, and more!"
-  %}
-
-  {% include card.html color="danger"
-  title="Donate"
-  icon="fas fa-donate"
-  iconcolor="dark"
-  page="/donate/"
-  description="We can't operate this site without the generous contributions we receive from our viewers. If you love privacy and our website please consider donating."
+  description="We are proud to operate a variety of privacy-centric services, including Mastodon, Matrix, and more!"
   %}
 
 </div>

_includes/sections/routers.html

@@ -0,0 +1,36 @@
+<h1 id="routers" class="anchor"><a href="#routers"><i class="fas fa-link anchor-icon"></i></a> Home Routers</h1>
+
+<div class="container-fluid">
+  <div class="row mb-2">
+    <div class="col-lg-3 col-sm-12 pt-lg-5 text-center">
+      <img
+        src="/assets/img/png/3rd-party/turris-omnia.png"
+        data-theme-src="/assets/img/png/3rd-party/turris-omnia.png"
+        height="200"
+        width="200"
+        class="img-fluid d-block mr-auto ml-auto align-middle"
+        alt="Turris Omnia">
+        <a class="btn btn-primary mt-4" href="https://www.turris.cz/en/omnia/" role="button"><i class="fas fa-external-link-alt fa-fw"></i> Website</a>
+    </div>
+    <div class="col">
+    <h2>Turris Omnia</h2>
+    <p><strong>Turris Omnia</strong> is a secure, high performance, and open-source home router. It has specifications that would allow it to easily handle Gigabit-level networking, as well as additional functionality (NAS, printserver, or other server type use-cases).</p>
+    <p>Turris Omnia was created by <strong>NIC.CZ</strong>, the non-profit .CZ domain registry behind many massive internet open-source projects including Knot (DNS Server), BIRD (Internet routing daemon), and FRED (Domain registry platform). As such, we believe they have the experience required to make a secure routing platform.</p>
+
+    <h5><span class="badge badge-success">OpenWrt</span></h5>
+    <p>Turris Omnia runs OpenWrt, the router operating system platform <a href="/operating-systems/#firmware">we recommend</a> for home users. It is an incredibly lightweight operating system perfect for this workload, and it is well supported by its developers.</p>
+
+    <h5><span class="badge badge-success">Secure Defaults</span></h5>
+    <p>Turris Omnia is configured securely and privately by default. It also features <strong>automatic updates</strong> that require no user interaction. The lack of updates is a security problem for most home router brands.</p>
+
+    <h5><span class="badge badge-info">Additional Functionality</span></h5>
+    <p>This device can be used for more than just routing. It is a highly extensible product, allowing you to do things like add mSATA storage. It features a SIM slot that can be used alongside an LTE USB or miniPCIe modem for backup connectivity. It comes with a "virtual server", which allows you to install normal Linux applications or even entirely seperate Linux distros like Ubuntu or Debian independently of the main software, improving security and allowing for safe software experimentation.</p>
+    </div>
+  </div>
+</div>
+
+<h3>Worth Mentioning</h3>
+
+<ul>
+  <li><a href="https://www.peplink.com/products/pepwave-surf-soho/">Pepwave Surf SOHO</a> - A lower-end business-class router with stable, secure, and easy-to-use firmware. Unlike most business-class routers, the interface is easy to use while still feature-rich.</li>
+</ul>

_includes/sections/security-keys.html

@@ -0,0 +1,24 @@
+<h1 id="u2f" class="anchor"><a href="#u2f"><i class="fas fa-link anchor-icon"></i></a> U2F Security Keys</h1>
+
+{% include cardv2.html
+title="SoloKeys"
+image="/assets/img/png/3rd-party/solokey.png"
+description='The SoloKey is the "first open-source FIDO2 security key", available in both USB-A and USB-C variants with optional NFC capability for mobile devices. It is less feature-rich compared to the YubiKey 5 lineup, but at $20 it is a great starting point for securing your accounts, or backup U2F authenticator.'
+website="https://solokeys.com/"
+github="https://github.com/solokeys"
+%}
+
+{% include cardv2.html
+title="YubiKey 5"
+badges="info:Upgrade Pick"
+image="/assets/img/png/3rd-party/yubikey-5c.png"
+description='The YubiKey 5 is a multi-protocol security key, providing strong two-factor, multi-factor and passwordless authentication, and seamless touch-to-sign. It supports FIDO2, FIDO U2F, one-time password (OTP), and OpenPGP smart card functionality. It is available in a variety of form factors for desktop or laptop.'
+website="https://www.yubico.com/products/yubikey-5-overview/"
+github="https://github.com/yubico"
+%}
+
+<h3>Worth Mentioning</h3>
+
+<ul>
+  <li><a href="https://www.nitrokey.com/">Nitrokey</a> - A variety of security key products for different workloads. All Nitrokey products are open-source and customizable. The <a href="https://www.nitrokey.com/sites/default/files/NitrokeyFirmwareSecurityAuditReport05-2015.pdf">firmware</a> and <a href="https://www.nitrokey.com/sites/default/files/NitrokeyHardwareSecurityAuditReport08-2015.pdf">hardware</a> have been independently assessed by Cure53 in 2015. We have found that there is no best overall product (the <em>Pro 2</em> lacks Curve25519 while the lower-end <em>Start</em> supports it, for example) and they are lacking a variety of form factors such as USB-C and NFC that would be more convenient for many users.</li>
+</ul>

pages/hardware.html

@@ -0,0 +1,18 @@
+---
+layout: page
+permalink: /hardware/
+title: "Hardware"
+description: "Your privacy is only as strong as the devices you use."
+---
+
+{% include sections/mobile-devices.html %}
+
+{% include sections/security-keys.html %}
+
+{% include sections/routers.html %}
+<h3>Further Reading</h3>
+<ul>
+  <li><a href="https://routersecurity.org/">RouterSecurity.org</a> - A list of router configuration tips to keep your router and network secure.</li>
+</ul>
+
+{% include sections/hardware-wallets.html %}

pages/old.html

@@ -71,6 +71,14 @@ permalink: /classic/
 
 {% include sections/productivity-tools.html %}
 
+{% include sections/mobile-devices.html %}
+
+{% include sections/security-keys.html %}
+
+{% include sections/routers.html %}
+
+{% include sections/hardware-wallets.html %}
+
 {% include sections/operating-systems.html %}
 
 {% include sections/live-operating-systems.html %}