Tiny disclaimer: No, this guide isn’t like OJ Simpson’s. It isn’t written for criminals, but for those who value security, anonymity, and privacy.
Legal disclaimer: This post is no more than a fun mental exercise.
Don’t use this guide or trust it
This guide is (paranoically) cautious of tiny exploitable risks because the government is in the threat model. This threat level doesn’t apply to most readers, as they aren’t likely to be fleeing an oppressive surveillance state, protecting secrets for survival, or reading guides of this type. If the government is in your threat model, don’t trust this guide or anyone, because trusting a bad egg, or a compromised good egg, can get you killed.
Perfect security will always be a fantasy; security will always be a gradient rather than black and white. It is up to each of us to determine which adversary models and threats are realistic enough to warrant the time, money, and effort of taking precautions against. Is the NSA going to burn through millions of dollars and a half dozen zero days just to target me? If the answer to this question is “probably not”, then there are a lot of precautions in this guide which will just be more trouble than they’re worth. My concern is that more novice users … might see a guide like this, realize the overwhelming futility of being “anonymous” on the internet, and just give up on trying altogether… when they could have just achieved a reasonable level of anonymity by just using Tails and a bit of compartmentalization.
Anonymous ~ Explanation of security, threats, and critiques.
I’ve read hundreds of internet privacy guides, and most provide a false sense of privacy by repeating similar canned solutions. For example: use a “no log” VPN outside the “fourteen eyes” in conjunction with Tor to avoid identification by tracking companies and governments. Sounds great, just like the story of ancient tribes using loud drums to keep away vicious dogs and hungry lions. Many dogs were scared away, but the lions learned to associate the drum sounds with a meal, and using a canned solution to secure your privacy is no different from telling the lions it’s meal time. In this analogy, the hungry lions learning to capture any prey are the billion-dollar government cybersecurity entities learning to capture user privacy. To avoid the false-sense-of-security trap, you have to assume that the slightest weakness in any popular system has already been exploited and compromised. This is a well-accepted belief because popular systems are a prime target for cybersecurity agencies, but a less popular system isn’t any more secure just because it is targeted less (security through obscurity sucks). There is no security in trusting companies/products, in system obscurity, or in not adapting to new threats. This guide discusses security, anonymity, and privacy from the ground up, but the underlying principles are more important than any of the tools, hardware, and software used. To truly have privacy you have to be private. Therefore, from a privacy perspective, posting this under my real name is a very stupid decision, and the same applies to having social media or using the internet. Now, it’s tough to move to a remote area and have nothing that connects to the internet. The opportunity cost for most people will not be worth it, and people don’t want all of their data to be private.
The goal is to:
- secure as much private data as possible, while making the rest of our private data as anonymous as possible.
- not trust privacy claims or have any false sense of security, while reasonably securing important information.
- encourage you not to follow this guide, or any privacy guide, too closely, because once it gets popular you have to assume that it is a canned solution that has some way of being exploited.
Anyway, on with the guide, but first a quick disclaimer. DON’T LET THIS GUIDE BE A CANNED SOLUTION. Do your own research; I encourage you not to buy into anything I say without finding strong evidence that supports my statements.
Securing Ground Zero
Ground Zero Philosophy
Let’s assume everything is compromised and must be secured from the ground up. The first step is to secure Ground Zero. Ground Zero contains top secret data for your eyes only. A Ground Zero compromise is terminal, so it’s isolated from other systems. Securing it starts at the hardware and operating system (OS) level. All devices that run an OS you can’t rebuild are to be assumed compromised. The hardware within such a system tells you which data you are to assume is compromised.
The biggest offender may be your cell phone, as it has microphones, cameras, GPS receivers, wireless cards, and memory. This leaves the potential for compromised audio, visual, location, and storage data at the OS level before we even get into any apps. It isn’t easy to install Fedora or another OS on there without a sufficient amount of modification, so we are to assume it’s a compromised system. No essential private data can in any way be connected to our cell phones. IoT devices are the newer offenders, as they run closed-source firmware that connects to the internet. To assess the level of compromised data, we have to look at what hardware they have. Although an OS is limited by the sensors its device has, it may be able to wirelessly get data from devices with more sensors. Therefore, Ground Zero systems will typically be a computer, because we can:
- limit channels of communication with other devices and the environment.
- change the Operating System.
- modify hardware and easily avoid hardware DRM.
Securing Ground Zero Hardware
No built-in microphones, cameras, Bluetooth cards, Wi-Fi cards, or network interface cards are allowed. All hardware must be audited for the latest exploits. Disable any backdoors found or switch to alternative hardware.
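To make “all hardware must be audited” concrete, here is an added example (not from the guide) that flags network cards, radios, Bluetooth, audio codecs and USB cameras in the output of lspci -nn and lsusb. The PCI class codes are the standard ones lspci prints in brackets; the USB check is a keyword heuristic on the device description, so it can miss oddly named devices; the sample device lines are constructed for the example.

```python
"""Added example (not from the guide): flag built-in NICs, radios, Bluetooth,
audio codecs and USB cameras from 'lspci -nn' and 'lsusb' output, so a
candidate Ground Zero machine can be checked against the hardware rule.
The sample device lines at the bottom are constructed for this example."""
import re
import subprocess

# PCI class codes (the four hex digits lspci -nn prints in brackets after the
# device type). Anything listed here violates or weakens the hardware rule.
FLAGGED_PCI_CLASSES = {
    "0200": "Ethernet controller",
    "0280": "Network controller (Wi-Fi or other radio)",
    "0d11": "Bluetooth controller",
    "0d80": "Wireless controller",
    "0403": "Audio device (a built-in microphone input is likely)",
}

# Heuristic keywords for forbidden USB peripherals, matched against the
# description lsusb prints after the vendor:product ID.
FLAGGED_USB_KEYWORDS = ("camera", "webcam", "bluetooth", "wireless", "wlan", "microphone")

PCI_LINE = re.compile(
    r"^(?P<slot>\S+)\s+(?P<type>[^\[]+?)\s*\[(?P<cls>[0-9a-f]{4})\]:\s*(?P<desc>.*)$")
USB_LINE = re.compile(
    r"^Bus \d+ Device \d+: ID (?P<id>[0-9a-f]{4}:[0-9a-f]{4})\s*(?P<desc>.*)$")


def audit_pci(lspci_text):
    """Return (slot, reason, description) for each flagged PCI device."""
    findings = []
    for line in lspci_text.splitlines():
        m = PCI_LINE.match(line.strip())
        if m and m.group("cls") in FLAGGED_PCI_CLASSES:
            findings.append((m.group("slot"), FLAGGED_PCI_CLASSES[m.group("cls")], m.group("desc")))
    return findings


def audit_usb(lsusb_text):
    """Return (vendor:product, description) for each USB device matching a flagged keyword."""
    findings = []
    for line in lsusb_text.splitlines():
        m = USB_LINE.match(line.strip())
        if m and any(k in m.group("desc").lower() for k in FLAGGED_USB_KEYWORDS):
            findings.append((m.group("id"), m.group("desc")))
    return findings


def passes_hardware_rule(lspci_text, lsusb_text):
    """True only if nothing is flagged on either bus."""
    return not audit_pci(lspci_text) and not audit_usb(lsusb_text)


def audit_live_machine():
    """Run the real tools on the current Linux host (Qubes dom0 included)."""
    lspci = subprocess.run(["lspci", "-nn"], capture_output=True, text=True, check=True).stdout
    lsusb = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    return audit_pci(lspci), audit_usb(lsusb)


# Constructed sample output in the format of lspci -nn / lsusb (not a real machine).
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Host Bridge/DRAM Registers [8086:5904] (rev 02)
00:14.0 USB controller [0c03]: Intel Corporation USB 3.0 xHCI Controller [8086:9d2f] (rev 21)
00:1f.3 Audio device [0403]: Intel Corporation HD Audio [8086:9d71] (rev 21)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection I219-LM [8086:15d7] (rev 21)
02:00.0 Network controller [0280]: Intel Corporation Wireless 8265 / 8275 [8086:24fd] (rev 78)
"""
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 8087:0a2b Intel Corp. Bluetooth wireless interface
Bus 001 Device 004: ID 04f2:b5a7 Chicony Electronics Co., Ltd Integrated Camera
"""

if __name__ == "__main__":
    for slot, reason, desc in audit_pci(SAMPLE_LSPCI):
        print(f"PCI {slot}: {reason}: {desc}")
    for usb_id, desc in audit_usb(SAMPLE_LSUSB):
        print(f"USB {usb_id}: {desc}")
    print("passes rule:", passes_hardware_rule(SAMPLE_LSPCI, SAMPLE_LSUSB))
```

Run audit_live_machine() on the actual box; an empty result from both functions is the bar the rule sets, and a flagged device means removing the card or disabling it in firmware before the machine is used as Ground Zero.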
These days a hardware backdoor is probably impossible to find by physical analysis, since the whole idea is to hide it well. Government cybersecurity agencies stay away from visible physical implants because of their overt nature. Backdoors can be designed directly into the chips themselves, and it isn’t feasible to map the billions of transistor connections in a CPU for analysis. Even if experts were actively looking for backdoors in hardware, by the time one is found the hardware will already be obsolete. So there isn’t a simple procedural solution for getting rid of backdoors.
Securing Ground Zero Hardware Backdoors
Secure your hardware from backdoors. Disable the Intel Management Engine (IME) or the AMD Platform Security Processor (PSP)! Set “BIOS PSP Support” to disabled for AMD processors; allegedly some AMD processors have this option. Use me_cleaner or the kill switch for older Intel processors. If you can’t do this yourself, System76, ThinkPenguin, Purism, and Dell have options to ship with IME disabled. As newer firmware and hardware come out, backdoors become harder to disable. For example, IME is now integrated into the main CPU’s silicon. So, switch to older processors that have patches, or to alternative processors. As new hardware is released, new backdoors arise. You must vet your hardware carefully for anything that runs in the negative ring space. The negative ring space sits above the operating system in the privilege hierarchy. It includes the hypervisor, BIOS/system management, and other rings that “supposedly don’t exist.”
Securing Ground Zero BIOS/UEFI Backdoors
Be wary of manufacturers that lock the BIOS and ship “features” like Computrace. Libreboot has a good list of easily flashable motherboards. Check audits of the BIOS or system firmware you are flashing the system with.
Securing Ground Zero Hypervisor
Audit the hypervisor; if it’s untrusted, it’s game over.
I don’t know how to secure the hypervisor from backdoors. A backdoor in the hypervisor is a weak link for entry if the government is part of your threat model, but the solutions are unknown to me. If a hypervisor backdoor allows hyperjacking, you can’t trust that a compromised virtual machine is kept from accessing the host.
If Ground Zero is compromised, the game is over. You must delete everything and start with a new system from scratch. All files on that system are considered untrusted.
From a privacy perspective macOS, Windows, and Ubuntu suck. Windows 10 spies on its users: even with every option to turn off the spyware set, it still sends several unsolicited requests to Microsoft servers. macOS has issues like NTP pinging Apple’s servers. Ubuntu has had several issues in the past with Amazon spyware. Qubes OS is a pretty good choice; its only flaw is systemd.
What privacy risk do you think there is with NTP? Are you worried Apple will find out how out of sync your clock is?
You don’t want an operating system that makes any unsolicited network requests if the government is part of your threat model. For everyday users, Apple is one of the better companies, as it lets you turn many convenient features off to gain privacy.
Secure Qubes OS (Ground Zero OS)
- High Priority Virtual Machine (VM) Rules
- for securing top secret private data
- [x] No internet access for any high priority VM
- [x] Files may be sent to it, but can’t escape
- [x] Vet files sent to it
- “Great. How?”
- Don’t use the “Copy to Other AppVM” functionality
- Leave the NetVM as N/A (none) in the VM settings
- Make sure no devices are selected in the VM settings
- [x] Can only communicate with disposable VMs
- [x] Files encrypted
- [x] Used in a reasonably secure environment
- [x] Compartmentalize different VMs
- Low Priority VMs
- for secrets that aren’t top secret, and for any internet access
- [x] New VPN tunnels weekly (low priority VMs with internet)
- [x] Internet at college or public places (low priority VMs with internet)
- [x] Different places to access the internet, at different times (low priority VMs with internet)
- [x] Assume every website is compromised and that all data you read was read by someone else (low priority VMs with internet)
- [x] Assume you are always being watched on low priority VMs (low priority VMs with internet)
- [x] Use disposable VMs (low priority VMs with internet)
- [x] Check security audits for the software used
- Root of All Evil, but some good
- [x] Compartmentalize ISPs, VPNs, Tor, I2P
- [x] FOSS and audits don’t guarantee safety, but help with reasonable security
- Hard Drive
- [x] Different encryptions
- [x] 60 character passcode
- “If you’re using an ASCII character set, this would give you nearly 250 bits of entropy, which is well beyond overkill.”
- [x] No metadata in files when possible
- [x] BIOS password protected and hard drive encrypted
- Qubes encrypts the disk by default; check the security tab in the BIOS for the password option. Remember that an attacker with physical access can still clone the encrypted disk, so the passphrase is what actually protects it.
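The two “how?” answers for high priority VMs (NetVM set to none, no devices selected) can be checked from dom0 rather than trusted to memory. The script below is an added example, not the guide’s or the Qubes project’s own code. It shells out to the standard qvm-prefs and qvm-device tools and assumes their output formats: that qvm-prefs VM netvm prints the NetVM name (an empty line when there is none) and that qvm-device CLASS list VM prints one line per attached device and nothing otherwise. The sample outputs embedded at the bottom are constructed, not captured from a real system.

```python
"""Added example (not from the guide): audit qubes from dom0 against the
high-priority VM rules (no NetVM, no attached devices). Assumed CLI output
formats: 'qvm-prefs VM netvm' prints the NetVM name or an empty line;
'qvm-device CLASS list VM' prints one line per attached device, else nothing.
The sample outputs below are constructed for the example."""
import subprocess
import sys

# Device classes that could leak data out of, or feed data into, an isolated qube.
DEVICE_CLASSES = ("pci", "usb", "block", "mic")


def evaluate(name, netvm_output, device_outputs):
    """Pure rule check for one qube; returns a list of violations (empty means compliant).
    netvm_output:   text of 'qvm-prefs NAME netvm'
    device_outputs: {device class: text of 'qvm-device CLASS list NAME'}"""
    violations = []
    netvm = netvm_output.strip()
    # Rule: NetVM must be none. Accept an empty line or a literal "None" (assumed variants).
    if netvm and netvm.lower() != "none":
        violations.append(f"{name}: netvm is '{netvm}', must be none")
    # Rule: no device of any class may be attached.
    for cls in DEVICE_CLASSES:
        attached = [ln for ln in device_outputs.get(cls, "").splitlines() if ln.strip()]
        if attached:
            violations.append(
                f"{name}: {len(attached)} {cls} device(s) attached, e.g. {attached[0].split()[0]}")
    return violations


def _run(argv):
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def collect(name):
    """Gather the raw CLI output for one qube; must run in dom0."""
    netvm = _run(["qvm-prefs", name, "netvm"])
    devices = {cls: _run(["qvm-device", cls, "list", name]) for cls in DEVICE_CLASSES}
    return netvm, devices


def audit(names):
    """Return {qube name: violations} for the given high-priority qubes (runs in dom0)."""
    return {name: evaluate(name, *collect(name)) for name in names}


# Constructed sample CLI output: 'vault' follows the rules, 'work' breaks both.
SAMPLE_OUTPUTS = {
    "vault": ("\n", {"pci": "", "usb": "", "block": "", "mic": ""}),
    "work": ("sys-firewall\n", {
        "pci": "",
        "usb": "dom0:2-3  04f2:b5a7 Chicony Integrated Camera  work\n",
        "block": "",
        "mic": "",
    }),
}


def evaluate_samples():
    """Run the pure check over the constructed samples."""
    return {name: evaluate(name, *outputs) for name, outputs in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    # With qube names on the command line, audit the live system; otherwise show the samples.
    results = audit(sys.argv[1:]) if len(sys.argv) > 1 else evaluate_samples()
    for qube, problems in results.items():
        print(f"{qube}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Run it in dom0 as python3 audit_hp.py vault other-hp-qube after any settings change; a non-empty list for a high priority qube means one of the two checklist answers above no longer holds.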
Alternative OS (Ground Zero OS)
Alternatively, a live-CD OS or a completely offline OS can be used for Ground Zero. Never plug untrusted peripheral devices into this system.
Ground Zero is now reasonably secure
Let’s summarize why Ground Zero is now reasonably secure. All your top secret files are now compartmentalized in an appropriate high priority VM. Your high priority VMs are never connected to the internet; only low priority VMs are connected. All low priority internet VMs are disposable VMs. Your hard drive is encrypted with a strong password. Ground Zero doesn’t contain any known hardware backdoors, and all software used has recently been audited. There are different disposable VMs for different tasks. Disposable VMs that use the internet get new VPN tunnels weekly. When accessing the internet, you use different ISPs for different tasks. Yes, this implies you go to different locations to access the internet for different tasks. This may be infeasible if using a desktop. When in public you are to assume you are always being watched, and you do your best to keep a lookout.
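The checklist item “No metadata in files when possible” is worth a concrete tool, because a file vetted and sent into a high priority VM can still carry an author name, a timestamp or editing-software tags. The PNG stripper below is an added example (not from the guide): it walks the chunk structure, verifies each chunk’s CRC, and drops the ancillary text, time and EXIF chunks while copying the image chunks byte for byte. The sample image is built in memory for the example; the chunk names are the ones defined by the PNG specification.

```python
"""Added example (not from the guide): strip metadata chunks from a PNG so the
file carries no author, timestamp, software or XMP/EXIF tags. Critical and
rendering chunks are copied verbatim with their original CRCs, so pixel data
is untouched. The sample PNG is constructed in memory for the example."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that can identify the author, tooling or creation time.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"tIME", b"eXIf", b"dSIG"}


def iter_chunks(data):
    """Yield (chunk type, raw chunk bytes) for each chunk, validating lengths and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data[pos:end]
        pos = end
        if ctype == b"IEND":
            break


def list_metadata(data):
    """Names of the metadata chunks present, in file order."""
    return [ctype.decode("ascii") for ctype, _ in iter_chunks(data) if ctype in METADATA_CHUNKS]


def strip_metadata(data):
    """Return (cleaned PNG bytes, list of removed chunk names)."""
    out = bytearray(PNG_SIG)
    removed = []
    for ctype, chunk in iter_chunks(data):
        if ctype in METADATA_CHUNKS:
            removed.append(ctype.decode("ascii"))
            continue
        out += chunk                     # kept verbatim, CRC still valid
    return bytes(out), removed


def strip_file(src_path, dst_path):
    """Convenience wrapper for real files; returns the removed chunk names."""
    with open(src_path, "rb") as f:
        cleaned, removed = strip_metadata(f.read())
    with open(dst_path, "wb") as f:
        f.write(cleaned)
    return removed


def _chunk(ctype, payload):
    """Build one well-formed chunk (length, type, payload, CRC over type+payload)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png():
    """Constructed 2x2 RGB image carrying three metadata chunks (not a real photo)."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)      # 8-bit RGB, no interlace
    raw = (b"\x00\xff\x00\x00\x00\xff\x00"                   # row 0: filter 0, red, green
           b"\x00\x00\x00\xff\xff\xff\xff")                  # row 1: filter 0, blue, white
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Author\x00Alice Example")
            + _chunk(b"tIME", struct.pack(">HBBBBB", 2019, 1, 2, 3, 4, 5))
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"iTXt", b"XML:com.adobe.xmp\x00\x00\x00\x00\x00<x:xmpmeta/>")
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    png = make_sample_png()
    print("before:", list_metadata(png))
    cleaned, removed = strip_metadata(png)
    print("removed:", removed, "after:", list_metadata(cleaned))
```

The same chunk-walking approach applies to any container format with a self-describing structure; the important property here is that the tool copies the image chunks without re-encoding them, so it cannot quietly alter the data it was asked to clean.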
Necessary Evils of Online Services
When creating your own VPN service, make sure to use a residential IP that obviously isn’t your home residential IP. There are well-categorized IP maps of data centers that you don’t want to be listed in. Don’t use any out-of-the-box VPN service, because it comes at the cost of trusting the companies that run them. Depending on the company’s location, it may be legally bound to disclose user info upon an appropriate request while being forced to plausibly deny all allegations of data disclosure. By creating your own VPN, you are shifting the trust from a VPN service to a VPS company. In this shift you are taking a layer of security into your own hands. Still, look for reasons that prove the VPS companies are untrustworthy, and use them only if you can’t find any reason not to. Although this may be a difficult task, the benefits are more control of the security, anonymity, data handling, and speed, and fewer IP-log worries. For those who can’t make their own VPN, find a reliable VPN comparison guide that’s kept updated before choosing any VPN company. If you do use a VPN service, learn how to choose a VPN service, compartmentalize VPNs to different low priority VMs, and change VPN tunnels weekly. Also, realize that these VPN companies are a prime target for government cybersecurity agencies. Certainly, don’t use any that are based in a location where key disclosure laws exist. Pay in cryptocurrencies, and use that digital wallet for that one purpose only.
For many emails, you may prioritize anonymity over privacy and security. So, use disposable email accounts for anonymity. These disposable email accounts likely log IPs and browser fingerprints. So use a VPN and spin up several disposable VMs with different browsers to access different disposable email accounts from different disposable email providers. Depending on the situation, you may want to use a Tor disposable email. There are other emails that you can’t have disposable, so find a good email comparison list. Secure information should not be sent via email. If you’re looking for a long-term email, vet email providers on their privacy standards, and know there is a greater chance of accidentally sacrificing parts of your anonymity and privacy. Therefore, any long-term emails can’t be a part of Ground Zero, but can be a part of Ground One.
Declassifying Ground One
Ground One Philosophy
Ground One contains any devices, files, or accounts that can’t be a part of Ground Zero because they either don’t meet the Ground Zero security standards or don’t contain data that you’d die to protect. All long-term accounts, services, and unaudited apps fall in this category. In other words, this is where all the boring stuff happens, and nothing in these systems can be linked to Ground Zero systems. Your phones, IoT devices, smart watches, and almost every tech device fall in this category. You are to assume all data in these systems is declassified to random strangers, governments, companies, or data-sorting algorithms. The hardware within these systems tells you what data you are to assume you are sharing at any time, even when the device is presumably off. The most important philosophy of any Ground One device is that it can’t in any way be linked to Ground Zero systems.
Phones for mundane data
It isn’t so obvious why, after we discussed earlier the strong encryption on a newer iPhone, they might not be considered a tool for anonymity, but it is true. Cell phones are not devices that aid in you being anonymous. Take a look at your cell phone from a different angle for a second. It has ties to your Internet service provider, who has the ability to monitor all incoming and outgoing calls and texts that are not encrypted. Furthermore, they aren’t usually built to allow a bunch of tailoring to fit your needs. One can’t just throw a version of Debian on there without some serious background knowledge. As well, we are getting into a very digitized world where companies want to know our location and they want to be able to track that location to tailor their service to fit your needs. But in having these devices that potentially record our every footstep, we are removing ourselves from the anonymity we so desire. This is why I like services that work on both mobile and desktop environments. They give you the option to have a very usable and ready environment on your mobile device, but also the full frontal security, privacy, and anonymity a desktop environment can give you.
The Crypto Paper
You can still apply compartmentalization, but it won’t be as effective as it is in Ground Zero, because there may be simple ways of linking all the data compartments to you that you have little control over. Both Apple and Google have had backdoors for governments in the past. Apple has removed its warrant canary since 2014, and Google has always been known to have close ties with government cybersecurity agencies. If you can’t control the hardware backdoors, the operating system, or the sensors, then you’re investing a great deal of time trying to secure devices that are inherently insecure. You are better off getting rid of them or using them for very boring, normal purposes that you don’t care about being spied on for. This may sound extreme, but a false sense of security and trust is much worse than being extra cautious. The best philosophy with these systems is to pretend you’re famous and you don’t want to do anything that gets bad press from the paparazzi. Be as normal as possible and fit in with the crowd, while providing as little data as possible to complete any task.
Accounts. Services. Apps.
Every account/service/app must have the least amount of data needed to complete its function. Recommended readings:
Expect the unexpected
Security is proactive, not reactive. Actively look for attackers targeting your system and learn to see unforeseen breaches. The scariest attackers don’t leave traces and are counting on the unexpected. Consider different points of attack and have multiple layers of security.