MD tweaks galore

arcanedev 2021-08-09 22:49:51 +00:00
parent 75f7b62d61
commit 005cd0a3f9
GPG Key ID: 13BA4BD4C14170C0


@ -435,7 +435,8 @@ It should go without saying that any tech devices that you purchase will have so
## Use Cases
There is no way to address every threat model, therefore I have opted to provide mitigations to some of the justifiably paranoid cases.
1. Anonymous Activism
### Anonymous Activism
Anonymous activism may be seem counter-intuitive as activism typically implies attracting an audience in large numbers to support your cause. Unless you have a specific niche that lies in the darkest recesses of the internet such as forums on onion/i2p addresses, likely you will have to conform to expand your ideas to a larger audience. This involves communication with social media platforms that are more or less espionage outfits for intelligence agencies. Not only is the communication hostile, but anonymity is constantly challenged by the forced verification of phone numbers. Voice-over Internet Protocol (VoIP) numbers are dynamic internet numbers that can be provided via applications. For some time, this was a decent alternative to the privacy-invasive practice of SIM correlation. Unfortunately, the espionage outfits are beginning to filter out any VoIP-based phone numbers. To be more blunt, this is not for the purpose of security; the core is surveillance. If security was the primary goal, they would provide you with a key for setting up a time-based one time password (TOTP). Unfortunately all workarounds for this require money and time. Many legacy accounts have bypassed these practices by being fathered in. If these platforms must be used, your options stand to either purchase a legacy account from someone anonymously with cryptocurrency, or buy a burner SIM card and phone for the purpose of verification. If the goal is anonymity, based on where the traffic is coming in from alone, you will likely be flagged as suspicious, and a code will be sent to your number for verification. If they offer TOTP for accounts, turn it on. Likely if there is a flag for suspicious activity, you can leverage an offline password database for TOTP and the hassle with constant phone verification will be reduced. If phone verification is enforced solely, your options are to store the dumb phone without the battery and inside of an EMF shield faraday bag. 
Only use this in public locations (you can see why key-generated TOTP can save a lot of time). That addresses phone activation.
Another problem you may run into is that certain platforms do not provide a way of access without a mobile application (i.e. Instagram). While stronger permission controls have been imposed on applications in more recent mobile builds, correlation can still be made in a number of ways, even if on a segmented device. The best solution to mitigating correlation is to run an emulated Android on a hardened linux base. Consider finding the APK file to install the platform from the mobile device's browser to avoid the use of Google. If Google framework is not required to make the application run properly, do not flash it.
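Review bot: the new `### Anonymous Activism` heading sits directly under the sentence "There is no way to address every threat model, ..." with no blank line between them, and the numbered item `1. Anonymous Activism` it replaces was the only thing enumerating the cases that the "Use Cases" intro promises; consider adding a blank line before the heading (Markdown renderers differ on whether an ATX heading may interrupt a paragraph) and keeping a short bulleted overview of the cases under "Use Cases" so the intro still points at something. Since this commit is a Markdown cleanup pass, the same hunk is a good place to fix "may be seem counter-intuitive" (drop "be"), "fathered in" (should read "grandfathered in"), "faraday bag" (proper noun, "Faraday bag"), and the trailing whitespace after "faraday bag. " at the end of that paragraph.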
@ -444,7 +445,8 @@ If the virtualized Android is too close to home being on your host, there is no
Anonymity and activism are difficult to go hand-in-hand, albeit they need to. Playing on a platform of the adversary means conforming to their rules, and circumvention can be costly. Decentralization can mitigate issues with SIM correlation, hostile communication, and the need for an emulated Android system. However, adoption rates and exposure will significantly decrease.
2. Journalist
### Journalist
For all intents, the use-case of journalism varies widely, therefore I will isolate this to a more "paranoid" threat model. Let's make a few key assumptions:
1. You are investigating a nation-state.
2. Freedom of speech / lawful protection does not apply.
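Review bot: `### Journalist` follows the closing paragraph of the previous section ("... adoption rates and exposure will significantly decrease.") with no blank line; add one for consistency with how the rest of the file separates sections. Promoting the use cases from a numbered list to headings also removes the clash with the inner `1.`/`2.` assumption list that follows "Let's make a few key assumptions:", which is an improvement worth mentioning in the commit message. Minor wording in the context line: "For all intents" is a truncated idiom; "For all intents and purposes" is the full form, or simply drop it.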
@ -457,7 +459,7 @@ If a live USB with minimal processing power is not your niche, consider running
If a mobile device is deemed a necessity, leverage GrapheneOS on a Google Pixel. Encrypt all communications through trusted services or peer-to-peer (P2P) applications like Briar. Route all device traffic through TOR with the use of Orbot. Keep the cameras blacked out with electrical or gorilla tape. The concept of treating all signals as hostile should be emphasized here as the hardware wireless chipset cannot be desoldered. Sensors and microphones can successfully be disabled, but the trend with smaller devices is that they run as a System on a Chip (SoC). In short, multiple functions necessary for the system to work are tied together in a single chip. Even if you managed not to fry the device from the desoldering process, you would have gutted the core mechanisms of the system, resulting in the newfound possession of a paperweight.
3. Market Vendor
### Market Vendor
Let's assume the vendor is selling some sort of vice found on the DEA's list of schedule 1 narcotics.
Fortunately in this use-case, unlike that of the anonymous activist, OPSEC is welcomed with open arms. In fact, vendors are even rated with their stealth (both from shipping and processing) as one of the highest criteria in consideration, along with the markets being TOR friendly, leveraging PGP, and ensuring full functionality without Javascript.
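Review bot: same blank-line point as the other two hunks, `### Market Vendor` abuts the end of the preceding GrapheneOS paragraph ("... newfound possession of a paperweight."); insert a blank line before the heading. While touching these lines for Markdown tweaks, the project and product names in the context lines would benefit from their canonical casing: "TOR" is written "Tor" by the project, "Javascript" is "JavaScript", and the DEA's classification is "Schedule I", not "schedule 1".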