Formatting edits

This commit is contained in:
arcanedev 2021-11-26 14:06:08 +00:00
parent 00a56ee7f9
commit 1ad2409026
No known key found for this signature in database
GPG Key ID: 13BA4BD4C14170C0

View File

@ -196,7 +196,11 @@ As previously stated in the Traffic Leakage section, software-based routing shou
It is no secret that governments deliver malware based on anomalous internet activity, alternately put, flagged activity. While the common forms of investigations are typically conducted via physical device seizure, security mechanisms should be taken into account to stunt "passive" investigations. Browsers can be configured to disable the installation of extensions, device storage usage, setting alterations, theme changes, cookie restrictions, and cache deletions. The most important facets of private internet browsing include the browser security model, fingerprinting mitigations, and reliance on JavaScript.
For the security model, ungoogled variants of Chromium [^19] are advised. The security model exists unlike Gecko-based browser derivatives (i.e. Firefox).
Browser security and anti-fingerprinting do not always align. For instance, the TOR Browser is not unique based on fingerprinting. Tor Browser with JavaScript disabled is generally a secure setup despite being based on Gecko. Most browser-based vulnerabilities require JavaScript or some other browser-run code (fonts, WebGL, etc). Tor Browser on security setting "Safest" reduces this attack surface significantly. While Chromium browsers may have upped the ante in terms of security, many do not have any built-in anti-fingerprinting mechanisms. Some projects have taken the initiative to provide anti-fingerprinting configurations such as Bromite[^20] or Brave Browser[^21]. Using a privacy-tweaked configuration of Brave Browser is the best option for those who are not technical. However, many of the problems that plague vanilla Chromium can be mitigated with the right appended flags for process execution.
To further elaborate, whenever Chromium is executed, it can be ran by typing the following into terminal: `/usr/bin/chromium %U --disable-reading-from-canvas --disable-3d-apis --disable-component-update --disable-background-networking --user-agent="" --no-default-browser-check --incognito --disable-breakpad --no-crash-upload --no-report-upload --disable-crash-reporter --disable-speech-synthesis-api --disable-speech-api --disable-cloud-policy-on-signin --disable-print-preview --disable-drive --disable-full-history-sync --disable-sync`
To further elaborate, whenever Chromium is executed, it can be ran by typing the following into terminal:
```
/usr/bin/chromium %U --disable-reading-from-canvas --disable-3d-apis --disable-component-update --disable-background-networking --user-agent="" --no-default-browser-check --incognito --disable-breakpad --no-crash-upload --no-report-upload --disable-crash-reporter --disable-speech-synthesis-api --disable-speech-api --disable-cloud-policy-on-signin --disable-print-preview --disable-drive --disable-full-history-sync --disable-sync
```
These flags can also be appended directly to the `/usr/bin/Chromium` file so every execution forces the use of the flags. (See browser hardening configurations from Anonymous Planet[^22]).
### Search Engine Selection
@ -497,20 +501,16 @@ System security or hardening is vital for successful operations. Lack of hardeni
Hardening procedures fall in line with the concept of minimizing architecture and running processes on a system. This makes each system easier to audit with less noise/clutter, and reduces the attack surface for exploitation. Hardening should encompass patches, scans with most recent virus definitions, restrictive permissions, kernel hardening, purging unnecessary software, and disabling physical ports, unnecessary users, filesystems, firmware modules, compilers, and network protocols.
System hardening is far from a quick and easy process, unless you have preconfigured images for systems. For small operations lacking technical prowess, preconfigured operating systems such as TAILS or Whonix mentioned in the Operating System section assure the greatest security and the least hassle.
If the goal is to run a more persistent lightweight OS with minimal functionality, I suggest running a variant of Arch Linux that does not use SystemD (Consider runit, OpenRC, or s6). If wide community support is needed, Arch with a hardened configuration will be your best bet. For the tech-savvy, hardened variants of Gentoo are ideal.
The more persistence desired for the operation increases the complexity of the hardening. Some projects have been introduced to rival Xen-based hypervisors with minimalist GNU/Linux systems. Some development towards Whonix Host[^48] was started but has not yet come to fruition. PlagueOS[^49] is based on the Void musl build with numerous hardening mechanisms. This is designed to act strictly as a locked down hypervisor with all system activities conducted inside of Kicksecure/Whonix VMs. The VMs also are restricted by AppArmor profiles and are ran inside a `bwrap`[^50] sandboxed container. See the PARSEC repository for examples of how to implement bubblewrap profiles.[^51]
Note:
The listed hardening is incomplete and will not fit all operations and GNU/Linux systems. This is not meant to be a book on methods for defensive cybersecurity. For those concerned with exploitation of GNU/Linux systems, see the reference to Madaidan's hardening guide.[^52]
The more persistence desired for the operation increases the complexity of the hardening. Some projects have been introduced to rival Xen-based hypervisors with minimalist GNU/Linux systems. Some development towards Whonix Host[^48] was started but has not yet come to fruition. PlagueOS[^49] is based on the Void musl build with numerous hardening mechanisms. This is designed to act strictly as a locked down hypervisor with all system activities conducted inside of Kicksecure/Whonix VMs. The VMs also are restricted by AppArmor profiles and are ran inside a `bwrap`[^50] sandboxed container. See the PARSEC repository for examples of how to implement bubblewrap profiles.[^51]. Do note that the listed hardening is incomplete and will not fit all operations and GNU/Linux systems. This is not meant to be a book on methods for defensive cybersecurity. For those concerned with exploitation of GNU/Linux systems, see the reference to Madaidan's hardening guide.[^52]
## Physical Precautions
This wouldn't be a complete work on anti-forensics without some mention of physical precautions. While wireless transmitters are ill-advised, wireless technology can prove useful when larger proximity is needed. Directional antennas could allow you to stay hidden from cameras and remotely authenticate to a network.
With nuances added from the modern surveillance state, traffic cameras force your hand by revealing every intersection which you have passed through. There are a few methods to circumventing this privacy infringement. Darkened weather covers for your license plate (Warning: This method could result in a fine with the wrong officer) or a well-rigged bicycle rack could prevent cameras from picking up your plate number. Alternatively, if a destination is within a few miles of proximity you could either ride a bicycle (with a disguise), or decide to become a motorcyclist. With motocycles, the plate numbers are significantly smaller and could even be blocked by your feet on certain bikes. The helmet would stand to mask facial features, and the jacket would cover any identifiable features such as tattoos. Palantir has been involved in "predictive policing" leveraging footage obtained from traffic cameras to profile individuals.[^52]
With nuances added from the modern surveillance state, traffic cameras force your hand by revealing every intersection which you have passed through. There are a few methods to circumventing this privacy infringement. Darkened weather covers for your license plate (Warning: This method could result in a fine with the wrong officer) or a well-rigged bicycle rack could prevent cameras from picking up your plate number. Alternatively, if a destination is within a few miles of proximity you could either ride a bicycle (with a disguise), or decide to become a motorcyclist. With motocycles, the plate numbers are significantly smaller and could even be blocked by your feet on certain bikes. The helmet would stand to mask facial features, and the jacket would cover any identifiable features such as tattoos. Palantir has been involved in "predictive policing" leveraging footage obtained from traffic cameras to profile individuals.[^53]
It should go without saying that any tech devices that you purchase will have some identifier that could lead back to you. Make this a moot point and procure every device (even USBs) anonymously with cash. If you're out on a distant roadtrip, make some of your purchases. Wear a hat accompanied with some baggy clothes. Perform a slight change in your gait as you walk (uncomfortable shoes could help with this). Alternatively, pay that bum off the street to do your bidding.
## Use Cases