mirror of
https://git.anonymousland.org/anonymousland/anonymousland.git
synced 2024-10-01 11:49:49 -04:00
Adjusted formatting.
This commit is contained in:
parent
e25e773869
commit
73b12aa3b0
@ -61,7 +61,9 @@ _Disclaimer: This is for education / research._
|
|||||||
|
|
||||||
#### __Important Concepts__
|
#### __Important Concepts__
|
||||||
|
|
||||||
This guide requires you to understand various important concepts in order to truly be anonymous on the internet. There is a vast array of concepts that will need to be thoroughly understood. You'll be able to make and choose your own model based upon this guide.
|
This guide requires you to understand various important concepts in order to truly be anonymous on the internet.
|
||||||
|
There is a vast array of concepts that will need to be thoroughly understood.
|
||||||
|
You'll be able to make and choose your own model based upon this guide.
|
||||||
|
|
||||||
* Understanding of TOR and its threats<!--(put link here) -->
|
* Understanding of TOR and its threats<!--(put link here) -->
|
||||||
* Understanding benefits and negatives of a VPN <!--(PUT LINK HERE) -->
|
* Understanding benefits and negatives of a VPN <!--(PUT LINK HERE) -->
|
||||||
@ -82,13 +84,23 @@ General Ideas:
|
|||||||
|
|
||||||
##### TOR
|
##### TOR
|
||||||
|
|
||||||
TOR or The Onion Router was originally developed to keep U.S. military communications secure, and is now used world-wide to bypass censorship. TOR will route your network traffic through 3 servers worldwide randomly. ``entry-node`` -> ``middle-node`` -> ``exit-node``. This setup means that the ``entry-node`` will only have your IP address, the ``middle-node`` will only see the IP of ``entry-node`` __NOT__ your IP address. ``exit-node`` is the only node which will see *all* of your network traffic.
|
TOR or The Onion Router was originally developed to keep U.S. military communications secure, and is now used world-wide to bypass censorship.
|
||||||
|
TOR will route your network traffic through 3 servers worldwide randomly.
|
||||||
|
``entry-node`` -> ``middle-node`` -> ``exit-node``.
|
||||||
|
This setup means that the ``entry-node`` will only have your IP address, the ``middle-node`` will only see the IP of ``entry-node`` __NOT__ your IP address.
|
||||||
|
``exit-node`` is the only node which will see *all* of your network traffic.
|
||||||
|
|
||||||
Utilizing TOR with other ``.onion`` sites, means that neither your IP nor the servers IP address is exposed. Like your traffic going through 3 nodes or "hops", the a server running on the TOR network also goes through the same, meaning that the ``exit-node`` *cannot* see your network traffic.
|
Utilizing TOR with other ``.onion`` sites, means that neither your IP nor the servers IP address is exposed. Like your traffic going through 3 nodes or "hops", the a server running on the TOR network also goes through the same, meaning that the ``exit-node`` *cannot* see your network traffic.
|
||||||
|
|
||||||
With TOR, anyone is able to setup a node meaning that you cannot possible trust anything, which there are many issues including a malicious ``exit-node``, setup by an adversary in an attempt to de-anonymize users. The TOR network is not as secure as many put it, there are a variety of attacks that can be used to de-anonymize users. An adversary can setup multiple malicious ``entry``, ``middle``, and ``exit`` nodes, then can DDoS other public TOR nodes which can either shut them offline or increase the already terrible speeds. This could force a user to connect to the adversary's malicious nodes. On a large DDoS scale, it is possible to be connected to all 3 malicious nodes, which would ultimately de-anonymize you.
|
With TOR, anyone is able to setup a node meaning that you cannot possible trust anything, which there are many issues including a malicious ``exit-node``, setup by an adversary in an attempt to de-anonymize users.
|
||||||
|
The TOR network is not as secure as many put it, there are a variety of attacks that can be used to de-anonymize users. An adversary can setup multiple malicious ``entry``, ``middle``, and ``exit`` nodes, then can DDoS other public TOR nodes which can either shut them offline or increase the already terrible speeds.
|
||||||
|
This could force a user to connect to the adversary's malicious nodes.
|
||||||
|
On a large DDoS scale, it is possible to be connected to all 3 malicious nodes, which would ultimately de-anonymize you.
|
||||||
|
|
||||||
Many people argue against using VPNs with TOR, though there can be real-world benefits to having a setup like this. If you are worried about an adversary knowing you are connecting to the TOR network this can be beneficial, but keep in mind your adversary can see you connect to the VPN. If you are concerned about a malicious ``entry-node``, using a VPN can mask your IP address in this case. If you are using an "amnesic" setup such as Tails or anon-whonix on QubesOS, you do not need to worry about having the same ``guard-node``.
|
Many people argue against using VPNs with TOR, though there can be real-world benefits to having a setup like this.
|
||||||
|
If you are worried about an adversary knowing you are connecting to the TOR network this can be beneficial, but keep in mind your adversary can see you connect to the VPN.
|
||||||
|
If you are concerned about a malicious ``entry-node``, using a VPN can mask your IP address in this case.
|
||||||
|
If you are using an "amnesic" setup such as Tails or anon-whonix on QubesOS, you do not need to worry about having the same ``guard-node``.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
@ -100,7 +112,13 @@ Here is a general thought process...
|
|||||||
|
|
||||||
* Always always always know what you are doing. You don't want to compromise yourself because you _thought_ you knew what you were doing. Make sure 100%. Do research **before**.
|
* Always always always know what you are doing. You don't want to compromise yourself because you _thought_ you knew what you were doing. Make sure 100%. Do research **before**.
|
||||||
|
|
||||||
* Have a strong mind. Most flaws are user error, meaning YOU. Having a strong mind is critical. You must be in a clear state of mind, and almost be "talking to yourself" mentally. Ask yourself before you do something "is this right". A good memory is CRITICAL. You are going to need to remember almost **EVERYTHING** you do on the internet if you want to do this _"properly"._ Don't be compromised because you forgot something. Let's eliminate user error. More on this subject will be later in this _guide._
|
* Have a strong mind. Most flaws are user error, meaning YOU. Having a strong mind is critical.
|
||||||
|
You must be in a clear state of mind, and almost be "talking to yourself" mentally.
|
||||||
|
Ask yourself before you do something "is this right".
|
||||||
|
A good memory is CRITICAL. You are going to need to remember almost **EVERYTHING** you do on the internet if you want to do this _"properly"._
|
||||||
|
Don't be compromised because you forgot something.
|
||||||
|
Let's eliminate user error.
|
||||||
|
More on this subject will be later in this _guide._
|
||||||
|
|
||||||
* Take over-procedures. Don't "skimp" out on encryption because you don't feel like entering in a password. Don't be lazy.
|
* Take over-procedures. Don't "skimp" out on encryption because you don't feel like entering in a password. Don't be lazy.
|
||||||
|
|
||||||
@ -134,7 +152,9 @@ You need to properly identify a *threat model*, an *adversary* along with perfor
|
|||||||
|
|
||||||
The most important part of your setup.
|
The most important part of your setup.
|
||||||
|
|
||||||
Threat modeling can become an advanced topic, you will need to learn how to balance security, privacy and anonymity. You'll need to properly layout and identify what you are protecting yourself from. Everyone has something to protect, whether it is passwords, location, internet activity, confidential documents, etc. The items you are trying to protect will be referred here as "assets".
|
Threat modeling can become an advanced topic, you will need to learn how to balance security, privacy and anonymity. You'll need to properly layout and identify what you are protecting yourself from.
|
||||||
|
Everyone has something to protect, whether it is passwords, location, internet activity, confidential documents, etc.
|
||||||
|
The items you are trying to protect will be referred here as "assets".
|
||||||
|
|
||||||
Ask yourself these basic questions:
|
Ask yourself these basic questions:
|
||||||
|
|
||||||
@ -142,9 +162,15 @@ Threat modeling can become an advanced topic, you will need to learn how to bala
|
|||||||
- Who am I trying to protect this from?
|
- Who am I trying to protect this from?
|
||||||
- What happens if I fail to protect this?
|
- What happens if I fail to protect this?
|
||||||
|
|
||||||
These are some basic questions to ask yourself when creating your threat model. Based upon your answers to these questions, will determine the route you must go. Example - You don't want your neighbor Joe to see you sleeping, so you close your blinds.
|
These are some basic questions to ask yourself when creating your threat model.
|
||||||
|
Based upon your answers to these questions, will determine the route you must go.
|
||||||
|
Example - You don't want your neighbor Joe to see you sleeping, so you close your blinds.
|
||||||
|
|
||||||
Developing a threat model will require a lot of time and effort. You will need to think of every possibility for your "assets". Using your resources. you will need to start documenting various tools and services will be a benefit to you, such as ProtonMail, TOR, Matrix, etc. The tools and services will all depend on your threat model.
|
Developing a threat model will require a lot of time and effort.
|
||||||
|
You will need to think of every possibility for your "assets".
|
||||||
|
Using your resources.
|
||||||
|
You will need to start documenting various tools and services will be a benefit to you, such as ProtonMail, TOR, Matrix, etc.
|
||||||
|
The tools and services will all depend on your threat model.
|
||||||
|
|
||||||
Examples:
|
Examples:
|
||||||
|
|
||||||
@ -163,7 +189,8 @@ Listed below are some useful resources for getting started.
|
|||||||
|
|
||||||
#### __Knowing Resources__
|
#### __Knowing Resources__
|
||||||
|
|
||||||
Along your journey, you'll need to have the proper resources at hand to deal with any sort of situation you will be facing. Get yourself accustomed to these resources to better understand various conceptions and prepare yourself.
|
Along your journey, you'll need to have the proper resources at hand to deal with any sort of situation you will be facing.
|
||||||
|
Get yourself accustomed to these resources to better understand various conceptions and prepare yourself.
|
||||||
|
|
||||||
##### Common Tools:
|
##### Common Tools:
|
||||||
|
|
||||||
@ -184,32 +211,58 @@ Along your journey, you'll need to have the proper resources at hand to deal wit
|
|||||||
|
|
||||||
What is _"cleaning up"?_
|
What is _"cleaning up"?_
|
||||||
|
|
||||||
Simply put, cleaning up is the process of deleting your various traces on the internet. For the average person, this will be a long and arduous process. You'll have to go through every single online account, email, activity, forum, message, game, etc. and literally delete *everything*. This may seem extremely tedious - but remember, your adversary can easily find these data points and exploit them.
|
Simply put, cleaning up is the process of deleting your various traces on the internet.
|
||||||
|
For the average person, this will be a long and arduous process.
|
||||||
|
You'll have to go through every single online account, email, activity, forum, message, game, etc. and literally delete *everything*.
|
||||||
|
This may seem extremely tedious - but remember, your adversary can easily find these data points and exploit them.
|
||||||
|
|
||||||
How to do this efficiently? Well... there is no "efficient" method, you just have to brute force this all of your data points have somewhat been eliminated.
|
How to do this efficiently? Well... there is no "efficient" method, you just have to brute force this all of your data points have somewhat been eliminated.
|
||||||
|
|
||||||
You can first start by going to various apps that you are already signed into, start to delete all of your activities, message, posts and friends. You'll have to do this for all of your "currently-known" services. After you've done this, make sure everything is deleted including your PfP, and change your username, anonymize as much data as possible such as changing username, email and other s. After you've done this, you are now ready to delete this account.
|
You can first start by going to various apps that you are already signed into, start to delete all of your activities, message, posts and friends.
|
||||||
|
You'll have to do this for all of your "currently-known" services.
|
||||||
|
After you've done this, make sure everything is deleted including your PfP, and change your username, anonymize as much data as possible such as changing username, email and others.
|
||||||
|
After you've done this, you are now ready to delete this account.
|
||||||
|
|
||||||
As for finding services you may have forgotten, look through your entire email and find services you may have signed up for and start to do the same process. Try to search up your commonly-used usernames to help you with this process. Do this for every single account, just to ensure there is not anything that you may have missed.
|
As for finding services you may have forgotten, look through your entire email and find services you may have signed up for and start to do the same process.
|
||||||
|
Try to search up your commonly-used usernames to help you with this process.
|
||||||
|
Do this for every single account, just to ensure there is not anything that you may have missed.
|
||||||
|
|
||||||
There are some services which exist that can help expedite this process, though be aware of the risks involved in doing this.
|
There are some services which exist that can help expedite this process, though be aware of the risks involved in doing this.
|
||||||
|
|
||||||
|
|
||||||
As for finding services you may have forgotten, look through your entire email and find services you may have signed up for and start to do the same process. Often times, search for ``register``, ``registration``, ``welcome``. These keywords are often times used. Try to search up your commonly-used usernames to help you with this process. Do this for every single account, just to ensure there is not anything that you may have missed. There are some services which exist that can help expedite this process, though be aware of the risks involved in doing this.
|
As for finding services you may have forgotten, look through your entire email and find services you may have signed up for and start to do the same process.
|
||||||
|
Often times, search for ``register``, ``registration``, ``welcome``.
|
||||||
|
These keywords are often times used.
|
||||||
|
Try to search up your commonly-used usernames to help you with this process.
|
||||||
|
Do this for every single account, just to ensure there is not anything that you may have missed.
|
||||||
|
There are some services which exist that can help expedite this process, though be aware of the risks involved in doing this.
|
||||||
|
|
||||||
Try to do searches on all of your identities and use this as a good way to help ensure that you've removed everything that you can. Utilize services such as [HaveIBeenpwned](https://haveibeenpwned.com) to ensure you haven't suffered any data breaches and use Sherlock to help find some of your missed accounts.
|
Try to do searches on all of your identities and use this as a good way to help ensure that you've removed everything that you can.
|
||||||
|
Utilize services such as [HaveIBeenpwned](https://haveibeenpwned.com) to ensure you haven't suffered any data breaches and use Sherlock to help find some of your missed accounts.
|
||||||
|
|
||||||
Doing this in the real-world is just as important as online. Your bank, local grocery store, etc. all share your information. This is a big deal.
|
Doing this in the real-world is just as important as online.
|
||||||
|
Your bank, local grocery store, etc. all share your information.
|
||||||
|
This is a big deal.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
#### __Desktop__
|
#### __Desktop__
|
||||||
|
|
||||||
Our desktop contains a massive amount of information. This device should be both secure & private. Without these 2 things, it can easily compromise you. *What is the point of using a secure messenger, if your desktop is compromised by the same adversary you are protecting against via your secure messenger and they can see all of your activity?*
|
Our desktop contains a massive amount of information.
|
||||||
|
This device should be both secure & private.
|
||||||
|
Without these 2 things, it can easily compromise you.
|
||||||
|
*What is the point of using a secure messenger, if your desktop is compromised by the same adversary you are protecting against via your secure messenger and they can see all of your activity?*
|
||||||
|
|
||||||
A massive amount of information is stored on our desktop, meaning that it contains a trove of our personal information. From search results to private documents. These items are **NOT** private on "traditional" operating systems.
|
A massive amount of information is stored on our desktop, meaning that it contains a trove of our personal information.
|
||||||
|
From search results to private documents.
|
||||||
|
These items are **NOT** private on "traditional" operating systems.
|
||||||
|
|
||||||
It is assumed that the average population is likely using Windows, Mac, or ChromeOS. These are absolutely terrible options for privacy. There are some efforts to "privatize" these operating systems, though due to the fact that they are all *closed-source*, means that many of these hardening methods that we would do, can just as easily fail if the OS itself is backdoored. If you are new to the "operating system realm", a good replacement / dual-boot for these would be Fedora or Manjaro. By "good", we assume the following: You are a beginner, you have little to none Linux experience or knowledge. These choices have been made for the easy installation and low maintenance.
|
It is assumed that the average population is likely using Windows, Mac, or ChromeOS.
|
||||||
|
These are absolutely terrible options for privacy.
|
||||||
|
There are some efforts to "privatize" these operating systems, though due to the fact that they are all *closed-source*, means that many of these hardening methods that we would do, can just as easily fail if the OS itself is backdoored.
|
||||||
|
If you are new to the "operating system realm", a good replacement / dual-boot for these would be Fedora or Manjaro.
|
||||||
|
By "good", we assume the following: You are a beginner, you have little to none Linux experience or knowledge.
|
||||||
|
These choices have been made for the easy installation and low maintenance.
|
||||||
|
|
||||||
The operating system you choose should not be based upon what is recommended here, you yourself will need to research what is best suited for your situation and needs.
|
The operating system you choose should not be based upon what is recommended here, you yourself will need to research what is best suited for your situation and needs.
|
||||||
|
|
||||||
@ -219,7 +272,12 @@ Those who are looking for some excitement or extremely into privacy, security an
|
|||||||
|
|
||||||
##### __QubesOS__
|
##### __QubesOS__
|
||||||
|
|
||||||
What is QubesOS? Simply put, QubesOS is a "reasonably secure operating system" and it will be the basis of our secure setup. It uses a method known as "security by compartmentalization". Simply put, most aspects of the OS are split into Qubes which can be thought of as virtual machines, meaning that if something gets compromised, the rest of the system can be safely used. Due to the way QubesOS is built, requirements will be heavy. Recommend at *least* 16GB of RAM with plenty of storage. The official requirements can be found [here](https://www.qubes-os.org/doc/system-requirements/).
|
What is QubesOS? Simply put, QubesOS is a "reasonably secure operating system" and it will be the basis of our secure setup.
|
||||||
|
It uses a method known as "security by compartmentalization".
|
||||||
|
Simply put, most aspects of the OS are split into Qubes which can be thought of as virtual machines, meaning that if something gets compromised, the rest of the system can be safely used.
|
||||||
|
Due to the way QubesOS is built, requirements will be heavy.
|
||||||
|
Recommend at *least* 16GB of RAM with plenty of storage.
|
||||||
|
The official requirements can be found [here](https://www.qubes-os.org/doc/system-requirements/).
|
||||||
|
|
||||||
Why should we use QubesOS?
|
Why should we use QubesOS?
|
||||||
|
|
||||||
@ -228,7 +286,9 @@ Why should we use QubesOS?
|
|||||||
- Still can be considered trusted even if a section is compromised
|
- Still can be considered trusted even if a section is compromised
|
||||||
- Can heavily utilize TOR, proxies and VPNs
|
- Can heavily utilize TOR, proxies and VPNs
|
||||||
|
|
||||||
QubesOS gives us an amazing amount of customization that we can harness for security. The sky is the limit with Qubes as it's based on VM's. Nothing ever leaves each VM so, each activity can be compartmentalized for amazing security.
|
QubesOS gives us an amazing amount of customization that we can harness for security.
|
||||||
|
The sky is the limit with Qubes as it's based on VM's.
|
||||||
|
Nothing ever leaves each VM so, each activity can be compartmentalized for amazing security.
|
||||||
|
|
||||||
Things needed for setup & installation:
|
Things needed for setup & installation:
|
||||||
|
|
||||||
@ -244,7 +304,8 @@ To first start off, [download](https://qubes-os.org/downloads/) the official ISO
|
|||||||
|
|
||||||
To verify the ISO, run the command: <br>
|
To verify the ISO, run the command: <br>
|
||||||
```md5sum -c Qubes-RX-x86_64.iso.DIGESTS``` <br>
|
```md5sum -c Qubes-RX-x86_64.iso.DIGESTS``` <br>
|
||||||
which should output ``Qubes-RX-x86_64.iso: OK``. If not, it can mean either the download is corrupt or compromised.
|
which should output ``Qubes-RX-x86_64.iso: OK``.
|
||||||
|
If not, it can mean either the download is corrupt or compromised.
|
||||||
|
|
||||||
![](../assets/Another_guide/img/Qubes-2.png)
|
![](../assets/Another_guide/img/Qubes-2.png)
|
||||||
|
|
||||||
@ -255,23 +316,36 @@ The output should read ``Good signature from "Qubes OS Release X Signing Key"``
|
|||||||
|
|
||||||
![](../assets/Another_guide/img/Qubes-3.png)
|
![](../assets/Another_guide/img/Qubes-3.png)
|
||||||
|
|
||||||
After verifying the integrity of the ISO, you are now able to use your desired flashing software. Ensure your flash drive is plugged in, and select it along with the ISO. Your flash drive will be erased. For Rufus users, select DD mode on format.
|
After verifying the integrity of the ISO, you are now able to use your desired flashing software.
|
||||||
|
Ensure your flash drive is plugged in, and select it along with the ISO.
|
||||||
|
Your flash drive will be erased.
|
||||||
|
For Rufus users, select DD mode on format.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
###### Installation
|
###### Installation
|
||||||
|
|
||||||
After booting to your installation medium click the "verify" option. Afterwords, theres a few things we need to do.
|
After booting to your installation medium click the "verify" option.
|
||||||
|
Afterwords, theres a few things we need to do.
|
||||||
|
|
||||||
- Set a *strong* encryption password. This is super important! Make it strong
|
- Set a *strong* encryption password.
|
||||||
|
This is super important! Make it strong
|
||||||
- Ensure __root__ is disabled
|
- Ensure __root__ is disabled
|
||||||
- Set a strong user account password
|
- Set a strong user account password
|
||||||
|
|
||||||
After you go through this, select "Begin Installation" and wait until it asks you to reboot. Now you are ready for the final configuration. Ensure you have all the Whonix options selected. If you are using a desktop **do not** select the ``sys-usb`` option. This will render your mouse and keyboard useless. Use ``sys-usb`` on a laptop! For increased anonymity it is recommended to chose updates over TOR. We also want our default qubes along with the default system qubes.
|
After you go through this, select "Begin Installation" and wait until it asks you to reboot.
|
||||||
|
Now you are ready for the final configuration.
|
||||||
|
Ensure you have all the Whonix options selected.
|
||||||
|
If you are using a desktop **do not** select the ``sys-usb`` option.
|
||||||
|
This will render your mouse and keyboard useless.
|
||||||
|
Use ``sys-usb`` on a laptop! For increased anonymity it is recommended to chose updates over TOR.
|
||||||
|
We also want our default qubes along with the default system qubes.
|
||||||
|
|
||||||
###### Qube Basic Setup
|
###### Qube Basic Setup
|
||||||
|
|
||||||
As for networking, if you have a VPN service such as ProtonVPN, you are able to utilize ``qtunnel`` and setup multiple VPNs. For each of our VPN qubes, we will need a ``sys-firewall``. If you wanted a dedicated ``sys-dns``, there are several guides on this:
|
As for networking, if you have a VPN service such as ProtonVPN, you are able to utilize ``qtunnel`` and setup multiple VPNs.
|
||||||
|
For each of our VPN qubes, we will need a ``sys-firewall``.
|
||||||
|
If you wanted a dedicated ``sys-dns``, there are several guides on this:
|
||||||
|
|
||||||
- [qubes-dns](https://github.com/3hhh/qubes-dns)
|
- [qubes-dns](https://github.com/3hhh/qubes-dns)
|
||||||
- [Pihole qube](https://github.com/92VV3M42d3v8/PiHole)
|
- [Pihole qube](https://github.com/92VV3M42d3v8/PiHole)
|
||||||
@ -286,9 +360,13 @@ We will now create additional qubes for our use.
|
|||||||
|
|
||||||
###### Template Setup
|
###### Template Setup
|
||||||
|
|
||||||
Templates are going to be the foundation of any QubesOS install. As such, it should also be carefully configured.
|
Templates are going to be the foundation of any QubesOS install.
|
||||||
|
As such, it should also be carefully configured.
|
||||||
|
|
||||||
You should not install all of your applications on a single template qube, instead you should have different templates for each purpose. This is done as a security measure along with helping us with proper compartmentalization. It's best to use minimal templates as most applications will likely not get used, but if you need more applications you can simply install them in a new template. Ensure to read the [official documentation](https://qubes-os.org/doc/templates/minimal) for minimal templates.
|
You should not install all of your applications on a single template qube, instead you should have different templates for each purpose.
|
||||||
|
This is done as a security measure along with helping us with proper compartmentalization.
|
||||||
|
It's best to use minimal templates as most applications will likely not get used, but if you need more applications you can simply install them in a new template.
|
||||||
|
Ensure to read the [official documentation](https://qubes-os.org/doc/templates/minimal) for minimal templates.
|
||||||
|
|
||||||
The official minimal templates are available:
|
The official minimal templates are available:
|
||||||
- Fedora
|
- Fedora
|
||||||
@ -325,17 +403,19 @@ Debian-11:
|
|||||||
sudo qubes-dom0-update qubes-template-debian-11
|
sudo qubes-dom0-update qubes-template-debian-11
|
||||||
```
|
```
|
||||||
|
|
||||||
When installing applications, it may be best to clone a minimal template and install the application on there for increased compartmentalization.
|
When installing applications, it may be best to clone a minimal template and install the application on there for increased compartmentalization.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
###### Onionizing Repositories
|
###### Onionizing Repositories
|
||||||
|
|
||||||
If you've opted to have updates over TOR, it is recommended that we also update our repositories on both dom0 and our templates. Changing our repositories over TOR helps increase anonymity as we'd be connecting to the onion site instead of the clearnet.
|
If you've opted to have updates over TOR, it is recommended that we also update our repositories on both dom0 and our templates.
|
||||||
|
Changing our repositories over TOR helps increase anonymity as we'd be connecting to the onion site instead of the clearnet.
|
||||||
|
|
||||||
dom0:
|
dom0:
|
||||||
|
|
||||||
In dom0, edit ``/etc/yum.repos.d/qubes-dom0.repo`` and we will comment out the ``metalink`` and then uncomment the onion ``baseurl``. After, update dom0 to ensure this is configured properly.
|
In dom0, edit ``/etc/yum.repos.d/qubes-dom0.repo`` and we will comment out the ``metalink`` and then uncomment the onion ``baseurl``.
|
||||||
|
After, update dom0 to ensure this is configured properly.
|
||||||
|
|
||||||
The same process above will take place in the ``/etc/qubes/repo-templates/qubes-templates.repo`` file.
|
The same process above will take place in the ``/etc/qubes/repo-templates/qubes-templates.repo`` file.
|
||||||
|
|
||||||
@ -360,7 +440,9 @@ Edit ``/etc/yum.repos.d/qubes-r[version].repo``, comment out the clearnet ``base
|
|||||||
|
|
||||||
###### Qube Basic Setup
|
###### Qube Basic Setup
|
||||||
|
|
||||||
As for networking, if you have a VPN service such as ProtonVPN, you are able to utilize ``qtunnel`` and setup multiple VPNs. For each of our VPN qubes, we will need a ``sys-firewall``. If you wanted a dedicated ``sys-dns``, there are several guides on this:
|
As for networking, if you have a VPN service such as ProtonVPN, you are able to utilize ``qtunnel`` and setup multiple VPNs.
|
||||||
|
For each of our VPN qubes, we will need a ``sys-firewall``.
|
||||||
|
If you wanted a dedicated ``sys-dns``, there are several guides on this:
|
||||||
|
|
||||||
- [qubes-dns](https://github.com/3hhh/qubes-dns)
|
- [qubes-dns](https://github.com/3hhh/qubes-dns)
|
||||||
- [Pihole qube](https://github.com/92VV3M42d3v8/PiHole)
|
- [Pihole qube](https://github.com/92VV3M42d3v8/PiHole)
|
||||||
@ -384,13 +466,19 @@ More:
|
|||||||
- ``sys-firewall-personal`` - Firewall for only ``personal``
|
- ``sys-firewall-personal`` - Firewall for only ``personal``
|
||||||
- ``personal-vault`` - Vault VM for only ``personal``
|
- ``personal-vault`` - Vault VM for only ``personal``
|
||||||
|
|
||||||
This can be used for a wide variety of activities, not just specifically "personal". Your setup should take heavy use of the ``sys-firewall`` VM. We can utilize the firewall to help maintain compartmentalization among our system. The firewall can be useful for preventing data leaks & sniffing along with enforcing VPN policies.
|
This can be used for a wide variety of activities, not just specifically "personal".
|
||||||
|
Your setup should take heavy use of the ``sys-firewall`` VM.
|
||||||
|
We can utilize the firewall to help maintain compartmentalization among our system.
|
||||||
|
The firewall can be useful for preventing data leaks & sniffing along with enforcing VPN policies.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
###### "Splitting"
|
###### "Splitting"
|
||||||
|
|
||||||
Let's startup by creating some basic qubes. To start, clone ``vault`` and create ``pgp-keys`` and ``ssh-keys`` to store our keys securely. Both should have __no internet access__. We will need to properly setup [split-pgp](https://qubes-os.org/doc/split-gpg) and [split-ssh](https://kushaldas/in/posts/using-split-ssh-in-qubesos-4-0.html). Using the "split" method, we are able to create an additional [split-browser](https://github.com/rustybird/qubes-split-browser) and a [split-dm-crypt](https://github.com/rustybird/qubes-split-dm-crypt).
|
Let's startup by creating some basic qubes.
|
||||||
|
To start, clone ``vault`` and create ``pgp-keys`` and ``ssh-keys`` to store our keys securely.Both should have __no internet access__.
|
||||||
|
We will need to properly setup [split-pgp](https://qubes-os.org/doc/split-gpg) and [split-ssh](https://kushaldas/in/posts/using-split-ssh-in-qubesos-4-0.html).
|
||||||
|
Using the "split" method, we are able to create an additional [split-browser](https://github.com/rustybird/qubes-split-browser) and a [split-dm-crypt](https://github.com/rustybird/qubes-split-dm-crypt).
|
||||||
|
|
||||||
More thoughts:
|
More thoughts:
|
||||||
|
|
||||||
@ -428,13 +516,15 @@ Debian:
|
|||||||
sudo apt install qubes-u2f
|
sudo apt install qubes-u2f
|
||||||
```
|
```
|
||||||
|
|
||||||
Finally, you must restart your Qubes. It's suggested you read the [u2f-proxy](https://qubes-os.org/doc/u2f-proxy) documentation.
|
Finally, you must restart your Qubes.
|
||||||
|
It's suggested you read the [u2f-proxy](https://qubes-os.org/doc/u2f-proxy) documentation.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
###### YubiKey
|
###### YubiKey
|
||||||
|
|
||||||
Using a YubiKey can help mitigate certain attacks such as password "snooping", along with increasing security. Read the [official documentation](https://qubes-os.org/doc/yubikey).
|
Using a YubiKey can help mitigate certain attacks such as password "snooping", along with increasing security.
|
||||||
|
Read the [official documentation](https://qubes-os.org/doc/yubikey).
|
||||||
|
|
||||||
Installation for template qubes:
|
Installation for template qubes:
|
||||||
|
|
||||||
@ -491,21 +581,35 @@ auth include yubikey
|
|||||||
|
|
||||||
###### GUI-VM
|
###### GUI-VM
|
||||||
|
|
||||||
This is for advanced users. Read the [official documentation](https://qubes-os.org/guivm-configuration).
|
This is for advanced users.
|
||||||
|
Read the [official documentation](https://qubes-os.org/guivm-configuration).
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
###### Backups
|
###### Backups
|
||||||
|
|
||||||
Creating proper backups securely is critical for any setup, especially this one here. You must understand the different backup techniques and solutions avaliable. For high security, it is recommended that we backup the system locally, meaning that we do not store our backups on the cloud. We should start to look at possible backup solutions. The built-in ``qvm-backup`` will work amazing for this. It provides security & authentication, which are both crucial to a proper backup solution. Ensure to read the [official documentation](https://github.com/qubes-os.org/doc/how-to-back-up-restore-and-migrate).
|
Creating proper backups securely is critical for any setup, especially this one here.
|
||||||
|
You must understand the different backup techniques and solutions available.
|
||||||
|
For high security, it is recommended that we backup the system locally, meaning that we do not store our backups on the cloud.
|
||||||
|
We should start to look at possible backup solutions.
|
||||||
|
The built-in ``qvm-backup`` will work amazing for this.
|
||||||
|
It provides security & authentication, which are both crucial to a proper backup solution.
|
||||||
|
Ensure to read the [official documentation](https://github.com/qubes-os.org/doc/how-to-back-up-restore-and-migrate).
|
||||||
|
|
||||||
It's suggested you have a high-speed SSD or M.2 for this procedure. There are "special" options described as "rugged", which has additional layer of armor and are generally waterproof. Ensure this drive is also high-capacity. In some cases, it may make sense to have an additional drive incase of failure or other malfunction. Going into redundancy, you also have the ability to setup a local RAID on your network. This would provide increased redundancy, though it can *potentially* decrease security, as having another system on the network, proper hardening, etc. but is unlikely to cause any harm with the proper configuration. You could setup a local NextCloud instance or another type of local network storage and utilize [wyng](https://github.com/tasket/wyng-backup).
|
It's suggested you have a high-speed SSD or M.2 for this procedure.
|
||||||
|
There are "special" options described as "rugged", which has additional layer of armor and are generally waterproof.
|
||||||
|
Ensure this drive is also high-capacity.
|
||||||
|
In some cases, it may make sense to have an additional drive incase of failure or other malfunction.
|
||||||
|
Going into redundancy, you also have the ability to setup a local RAID on your network.
|
||||||
|
This would provide increased redundancy, though it can *potentially* decrease security, as having another system on the network, proper hardening, etc. but is unlikely to cause any harm with the proper configuration.
|
||||||
|
You could setup a local NextCloud instance or another type of local network storage and utilize [wyng](https://github.com/tasket/wyng-backup).
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
##### Creating our aliases
|
##### Creating our aliases
|
||||||
|
|
||||||
For setting our foundation, we are going to be creating a variety of aliases and each of these aliases are going to each need an "arsenal". For step 1 we are going to need a password manager.
|
For setting our foundation, we are going to be creating a variety of aliases and each of these aliases are going to each need an "arsenal".
|
||||||
|
For step 1 we are going to need a password manager.
|
||||||
|
|
||||||
Upon creating our aliases we will have several different approaches:
|
Upon creating our aliases we will have several different approaches:
|
||||||
|
|
||||||
@ -526,35 +630,55 @@ If you are using QubesOS, we are able to utilize compartmentalization heavily in
|
|||||||
- ``sys-firewall-alias``
|
- ``sys-firewall-alias``
|
||||||
- ``sys-vpn-alias``
|
- ``sys-vpn-alias``
|
||||||
|
|
||||||
By doing this for each alias, you have now setup an amazing solution for compartmentalization. This only works if you utilize each qube for the specified task. Ensure that nothing will leave the qube. Ensure that all the ``alias`` qubes are properly routed via VPN or TOR to ensure proper setup. For a more advanced setup, you are able to utilize Whonix qubes. For each of our email addresses, we are able to setup email aliases using AnonAddy and SimpleLogin.
|
By doing this for each alias, you have now setup an amazing solution for compartmentalization.
|
||||||
|
This only works if you utilize each qube for the specified task.
|
||||||
|
Ensure that nothing will leave the qube.
|
||||||
|
Ensure that all the ``alias`` qubes are properly routed via VPN or TOR to ensure proper setup.
|
||||||
|
For a more advanced setup, you are able to utilize Whonix qubes.
|
||||||
|
For each of our email addresses, we are able to setup email aliases using AnonAddy and SimpleLogin.
|
||||||
|
|
||||||
Each of our aliases is going to need some sort of "story". We are not putting this story out to tell per say, but simply knowing basic information about our new alias would be important. Information including age, country, special food, and activities. We just need to make note of them, not giving any of this information away. It's crucial to blend in, therefore some of this information may be used in conversation. Remember, each alias we create is different, therefore there should be absolutely no connection between any of them. For each alias, you will need to "reset" your memory in a way. You must be able to organize information you know from all of your aliases. Grudges, friendships and other must not travel over, this is how you fail.
|
Each of our aliases is going to need some sort of "story".
|
||||||
|
We are not putting this story out to tell per say, but simply knowing basic information about our new alias would be important.
|
||||||
|
Information including age, country, special food, and activities.
|
||||||
|
We just need to make note of them, not giving any of this information away.
|
||||||
|
It's crucial to blend in, therefore some of this information may be used in conversation.Remember, each alias we create is different, therefore there should be absolutely no connection between any of them.
|
||||||
|
For each alias, you will need to "reset" your memory in a way.
|
||||||
|
You must be able to organize information you know from all of your aliases.
|
||||||
|
Grudges, friendships and other must not travel over, this is how you fail.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
#### __Secure Communications__
|
#### __Secure Communications__
|
||||||
|
|
||||||
Having a secure operating system is only 1 part that we need. We need to ensure that all of our communications stay secure. The most common method to this is using E2EE (End-to-end encryption). This encrypts your messages locally on your device before sending them out. Let's take a look at some of the basic types of messengers.
|
Having a secure operating system is only 1 part that we need.
|
||||||
|
We need to ensure that all of our communications stay secure.
|
||||||
|
The most common method to this is using E2EE (End-to-end encryption).
|
||||||
|
This encrypts your messages locally on your device before sending them out.
|
||||||
|
Let's take a look at some of the basic types of messengers.
|
||||||
|
|
||||||
Centralized: Meaning there is a single server / point of failure. If the server gets blocked you'll need to circumvent that.
|
Centralized: Meaning there is a single server / point of failure.
|
||||||
|
If the server gets blocked you'll need to circumvent that.
|
||||||
|
|
||||||
Decentralized: Multiple servers, not a single authority meaning it's much more censorship resistent.
|
Decentralized: Multiple servers, not a single authority meaning it's much more censorship resistent.
|
||||||
|
|
||||||
The main differences between centralized and decentralized is that a single authority cannot easily block a decentralized network as there is not a single server unlike centralized. Decentralized services are *sometimes* prone to leaking metadata and may cause issues when federated.
|
The main differences between centralized and decentralized is that a single authority cannot easily block a decentralized network as there is not a single server unlike centralized.Decentralized services are *sometimes* prone to leaking metadata and may cause issues when federated.
|
||||||
|
|
||||||
Here's a list of great messengers and services that you'll be able to use.
|
Here's a list of great messengers and services that you'll be able to use.
|
||||||
|
|
||||||
- [Signal](https://signal.org) A great messenger for friends & family. Requires a phone number as it acts as a replacement to SMS / MMS.
|
- [Signal](https://signal.org) A great messenger for friends & family.
|
||||||
|
Requires a phone number as it acts as a replacement to SMS / MMS.
|
||||||
|
|
||||||
- [Session](https://getsession.org) Censorship-resistent messenger. A fork of Signal without the phone-number requirement. Session has built-in onion-routing.
|
- [Session](https://getsession.org) Censorship-resistent messenger.
|
||||||
|
A fork of Signal without the phone-number requirement.
|
||||||
|
Session has built-in onion-routing.
|
||||||
|
|
||||||
- [Matrix](https://matrix.org) Matrix provides a federated platform, which allows for anyone to host their own server, meaning that it is resistent to censorship.
|
- [Matrix](https://matrix.org) Matrix provides a federated platform, which allows for anyone to host their own server, meaning that it is resistent to censorship.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
#### __Secure Hardware__
|
#### __Secure Hardware__
|
||||||
|
|
||||||
You should not be trying to setup a secure system if the hardware itself cannot be trusted. Anything can be pre-loaded with malicious code designed to compromise security, especially how mass-production has been increasing over time, meaning they just need to compromise a device on the production line.
|
You should not be trying to setup a secure system if the hardware itself cannot be trusted.Anything can be pre-loaded with malicious code designed to compromise security, especially how mass-production has been increasing over time, meaning they just need to compromise a device on the production line.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
@ -562,11 +686,15 @@ You should not be trying to setup a secure system if the hardware itself cannot
|
|||||||
|
|
||||||
Here is a list of "everyday"-type carry / use.
|
Here is a list of "everyday"-type carry / use.
|
||||||
|
|
||||||
USB Data Blocker: This USB device has the data pins removed from it, this sits from your USB female to your USB male, acting as a "middle man". It's impossible for data to travel between. Useful for public USB ports or untrusted devices. Very useful if you're at an airport, hotel or other public area in which you need to charge a USB device.
|
USB Data Blocker: This USB device has the data pins removed from it, this sits from your USB female to your USB male, acting as a "middle man".
|
||||||
|
It's impossible for data to travel between.
|
||||||
|
Useful for public USB ports or untrusted devices.
|
||||||
|
Very useful if you're at an airport, hotel or other public area in which you need to charge a USB device.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
[PortaPow USB Data Blocker](https://www.amazon.com/PortaPow-3rd-Gen-Data-Blocker/dp/B00QRRZ2QM/) - The gold standard of USB data blocking. This is a USB-A connector with a built-in "SmartChip" designed to increase charging speeds.
|
[PortaPow USB Data Blocker](https://www.amazon.com/PortaPow-3rd-Gen-Data-Blocker/dp/B00QRRZ2QM/) - The gold standard of USB data blocking.
|
||||||
|
This is a USB-A connector with a built-in "SmartChip" designed to increase charging speeds.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
@ -574,7 +702,8 @@ USB Data Blocker: This USB device has the data pins removed from it, this sits f
|
|||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
[PortaPow Pure USB Data Blocker (Multicolored)](https://www.amazon.com/PortaPow-Pure-USB-Data-Blocker/dp/B07W928WRR/) - This USB-A Data Blocker is made of transparent plastic, meaning that you can physically verify that the data pins have been removed along with the removal of their "SmartChip". therefore increasing security.
|
[PortaPow Pure USB Data Blocker (Multicolored)](https://www.amazon.com/PortaPow-Pure-USB-Data-Blocker/dp/B07W928WRR/) - This USB-A Data Blocker is made of transparent plastic, meaning that you can physically verify that the data pins have been removed along with the removal of their "SmartChip".
|
||||||
|
Which will prevent an additional attack surface from being used.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
@ -592,8 +721,11 @@ USB Data Blocker: This USB device has the data pins removed from it, this sits f
|
|||||||
|
|
||||||
[Malicious Cable Detector](https://hak5.org/products/malicious-cable-detector-by-o-mg) - Can be configured to detect malicious cables
|
[Malicious Cable Detector](https://hak5.org/products/malicious-cable-detector-by-o-mg) - Can be configured to detect malicious cables
|
||||||
|
|
||||||
Hardware Key: A small little device that can be used for MFA and GPG. Very useful to have a physical device. Something like this is recommended to have a backup clone and stored in a safe location such as a safe.
|
Hardware Key: A small little device that can be used for MFA and GPG.
|
||||||
|
Very useful to have a physical device.
|
||||||
|
Something like this is recommended to have a backup clone and stored in a safe location such as a safe.
|
||||||
|
|
||||||
- Faraday Pouch - This will block all radio waves and signals, which can ensure that absolutely connectionn is traveling out of your devices. It completely air-gaps the device.
|
- Faraday Pouch - This will block all radio waves and signals, which can ensure that absolutely connectionn is traveling out of your devices.
|
||||||
|
It completely air-gaps the device.
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
Loading…
Reference in New Issue
Block a user