mirror of
https://0xacab.org/optout/into-the-crypt.git
synced 2025-04-18 14:45:48 -04:00
misc updates to references & footnotes
parent 5bac55d014
commit 311eb347fb
147 README.md
@ -375,7 +375,7 @@ To date, Linux Unified Key Setup (LUKS) and Veracrypt[^39] are the two most nota
#### Offline Password Managers
Security often comes down to the basics; Make your devices/accounts/services hard to crack. Feds & private forensics companies may be able to allocate ridiculous amounts of computing power against your services to see logs and compromise your accounts, but their brute forcing efforts can be rendered useless.
Consider offline variants of KeePass[^40] for secure password storage, then consider placing the KeePass database inside of a hidden veracrypt. Having a password with an absurd amount of characters such as `dHK&*/4pk_!i??5R=^K}~FU!kxF{fG}*&>oMdRt([);7?=v(e^,ch_n)r()]:&k$D@f4#G"Y\v_5-*i$E[+)"bT*@BF+{hkvn7[B]{qq'[~]3@+-Ju6C(@<]=TEM6a\h$c+:W[k$=;Jy[Un7&~NtvK*{Bn` is enough to stunt any brute force attempt. Cryptographic security can only be as strong as the key being used.
Consider offline variants of KeePass[^40] for secure password storage, then consider placing the KeePass database inside of a hidden VeraCrypt volume. Having a password with an absurd amount of characters such as `dHK&*/4pk_!i??5R=^K}~FU!kxF{fG}*&>oMdRt([);7?=v(e^,ch_n)r()]:&k$D@f4#G"Y\v_5-*i$E[+)"bT*@BF+{hkvn7[B]{qq'[~]3@+-Ju6C(@<]=TEM6a\h$c+:W[k$=;Jy[Un7&~NtvK*{Bn` is enough to stunt any brute force attempt. Cryptographic security can only be as strong as the key being used.
> Note: A 20-character random password (letters, numbers, and symbols) provides 132.877 bits of security (compare to 128 bit symmetric encryption keys).
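Review bot: the capitalization fix on the changed line ("hidden VeraCrypt volume") leaves the rest of the file inconsistent: the hunk header context still reads "Veracrypt[^39]", and the same lowercase spelling appears in unchanged paragraphs touched later in this commit (the Obscurity and Play on Resources sections). Either apply the project's preferred spelling throughout in one pass or leave it alone here. While this paragraph is open, the 132.877-bit figure in the trailing Note (20 random characters) implies a 100-symbol alphabet, since log2(100^20) = 132.877; stating the alphabet size would make the comparison to 128-bit keys checkable by the reader.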
@ -391,7 +391,7 @@ PIM is treated as a secret value that controls the number of iterations used by
> Note: Larger-value PIMs also increase the time complexity of attacks, at the expense of time taken to perform password hashing. Most cryptologists would argue that a PIMs should not be treated as a secret parameter (or at least, such secrecy should not be relied on). The user's own password should be the source of security. Password hashing, in general, is a mitigation for users with less-than-secure passwords. As a person who values security against the world's most powerful attackers, one should make a point to not rely on password hashing for security.
## Obscurity
Security professionals will often preach that security through obscurity is an inadequate method of security and should never be a way of addressing your current threat model. The original basis is the distinction "security through obscurity" vs "security by design," often cited as "Kerkhoff's Principle," which concludes a secure cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Kerckhoff's Principal[^] is sometimes cited in terms of Shannon's Maxim[^]: "One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them," or more simply "The enemy knows the system." With the maxim in mind, "security though obscurity" is specifically a cryptographic principal which has been extended to include any system designed with security. It is not discouraged to use security through obscurity. However, it is discouraged to rely on security through obscurity instead of relying on security by design. Obscurity can be used as an additional layer, but security should be guaranteed by the design, with obscurity used only as a padding against unforeseen vulnerabilities.
Security professionals will often preach that security through obscurity is an inadequate method of security and should never be a way of addressing your current threat model. The original basis is the distinction "security through obscurity" vs "security by design," often cited as "Kerkhoff's Principle," which concludes a secure cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Kerckhoff's Principal[^41] is sometimes cited in terms of Shannon's Maxim[^42]: "One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them," or more simply "The enemy knows the system." With the maxim in mind, "security though obscurity" is specifically a cryptographic principal which has been extended to include any system designed with security. It is not discouraged to use security through obscurity. However, it is discouraged to rely on security through obscurity instead of relying on security by design. Obscurity can be used as an additional layer, but security should be guaranteed by the design, with obscurity used only as a padding against unforeseen vulnerabilities.
A threat model with the application of anti-forensics should not adhere strictly to one distinction of security vs design. Cryptographic software can perform means of obscurity. For instance, Veracrypt produces cryptographically secured volumes that contain differential hidden volumes for plausible deniability. These hidden volumes can hinder the effectiveness of an amateur (and perhaps well-versed) investigator. We are not claiming the process to be systematically flawless, however security has never been fault-less. If you have applied some of the cryptographic advice heeded in the book like full-disk encryption (FDE), and the adversary has managed to gain unbridled, decrypted access to your computer regardless, it becomes self-evident that obscurity is friend when the design has been bypassed or simply failed.
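Review bot: the changed line fills in the two empty footnote markers ([^41], [^42]) but leaves three defects in the same sentence that belong in the same commit: the name is spelled two different ways within one line ("Kerkhoff's Principle" and then "Kerckhoff's Principal"; the correct form is Kerckhoffs's Principle), "security though obscurity" is missing an "r", and "cryptographic principal" should be "principle". Suggested: `Kerckhoffs's Principle[^41] is sometimes cited in terms of Shannon's Maxim[^42]` and `"security through obscurity" is specifically a cryptographic principle`.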
@ -409,7 +409,7 @@ Another example is the use of stylometry in forensic linguistics to identify the
In recent years, stylometry has been used to identify the authors of fake news and propaganda. For instance, researchers at University of California Berkeley used stylometry to identify the authors of fake news articles and bots on social media platforms.
The Unabomber, Ted Kaczynski, was de-anonymized using stylometry. Kaczynski was a domestic terrorist who sent a series of letters and package bombs to universities and airlines between 1978 and 1995, resulting in three deaths and 23 injuries. In 1995, he sent a 35,000-word manifesto called "Industrial Society and Its Future" (also known as the "Unabomber Manifesto") to several newspapers, promising to stop the bombings if the manifesto was published. The FBI and the U.S. Department of Justice were able to use stylometry to identify Kaczynski as the author of the manifesto by comparing it to a set of writing samples from Kaczynski's personal papers. One of the key pieces of evidence was the use of the word "you" which Kaczynski used quite frequently in his manifesto as well as in his personal writings. The analysis also revealed that Kaczynski had a preference for short, simple words and that he used similar grammatical structures and sentence patterns in both his manifesto and his personal writings[^].
The Unabomber, Ted Kaczynski, was de-anonymized using stylometry. Kaczynski was a domestic terrorist who sent a series of letters and package bombs to universities and airlines between 1978 and 1995, resulting in three deaths and 23 injuries. In 1995, he sent a 35,000-word manifesto called "Industrial Society and Its Future" (also known as the "Unabomber Manifesto") to several newspapers, promising to stop the bombings if the manifesto was published. The FBI and the U.S. Department of Justice were able to use stylometry to identify Kaczynski as the author of the manifesto by comparing it to a set of writing samples from Kaczynski's personal papers. One of the key pieces of evidence was the use of the word "you" which Kaczynski used quite frequently in his manifesto as well as in his personal writings. The analysis also revealed that Kaczynski had a preference for short, simple words and that he used similar grammatical structures and sentence patterns in both his manifesto and his personal writings[^43].
In addition to the stylometry, the FBI also used forensic linguistics to analyze the language and grammar used in the letters and manifesto and found that they matched the writing style of Kaczynski's known writings. In April 1996, the FBI searched Kaczynski's cabin in Lincoln, Montana, and found evidence linking him to the Unabomber crimes, including bomb components and a typewriter used to type some of the Unabomber letters. Ted Kaczynski pleaded guilty in 1998 and was sentenced to eight life sentences without the possibility of parole.
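Review bot: the marker added on the changed line ([^43]) cites the Kaczynski stylometry account, but the preceding context paragraph makes a comparable factual claim (UC Berkeley researchers using stylometry on fake news articles and social-media bots) with no citation at all; since this commit is about references and footnotes, that sentence is the one most in need of a marker. Also on the changed line, `the word "you" which Kaczynski used` wants a comma before "which" (or "that" without the comma).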
@ -423,7 +423,7 @@ Journalists and other writers who are operating in a hostile environment can als
- Use a variety of writing styles and formats, such as handwriting, dictation software, and text-to-speech software.
- Use synonyms and vary sentence structures.
- Use a different writing medium for different projects.
- Use stylometric anonymization tools such as JStylo[^], Anonymouth[^], and Stylo[^].
- Use stylometric anonymization tools such as JStylo[^44], Anonymouth[^45], and Stylo[^46].
It is important to note that these countermeasures don't guarantee the anonymity but it makes the identification process more difficult. These techniques are constantly evolving and changing, so it's important for journalists and writers to stay informed about the latest developments in stylometry and anonymization techniques.
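Review bot: the three new markers on the changed line ([^44], [^45], [^46]) are fine, but the list item lumps three tools under "stylometric anonymization tools" without saying what each one does for the writer; one clause per tool would let a reader pick. The trailing context sentence "these countermeasures don't guarantee the anonymity but it makes" has a number-agreement error ("they make") and a stray "the"; worth fixing while this section is open.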
@ -433,7 +433,7 @@ It is important to note that these countermeasures don't guarantee the anonymity
Standard security mechanisms are inadequate for the purpose of anti-forensics. Nation-States and Advanced Persistent Threat (APT) groups do not play by the rules. All bets are on that no matter how hardened your system kernel is or how safe your OPSEC precautions may be, there is always a point of compromise. An unpatched vulnerability is waiting to be exploited against your system. If your device is emitting traffic, all bets are on that with enough resources, these groups will be able to decrypt the traffic. Maybe it won't be today, but it certainly will be in the not-so-distant future. If you are a target, chances are that you are already compromised. Use the masses as cover; open deviation is ill-advised.
#### SSID Naming Conventions
As stated in the beginning, a common theme throughout this writing has been to avoid unique identifiers. Regardless of your chosen router setup, avoid using unique naming conventions for service set identifiers (SSID) broadcasting. Typically, wardriving would be hostile to the aims or privacy. However, catalogues of wardriving submissions such as Wigle can provide valuable intelligence which can then be applied to broadcasted SSIDs. A prime example of leveraging intelligence submitted to Wigle can be observed from their statistics page[^], showcasing the most common SSID names. At the time of writing along with the foreseeable future, `xfinity` leads the pack, with variations of preset names such as `NETGEAR##` following behind.
As stated in the beginning, a common theme throughout this writing has been to avoid unique identifiers. Regardless of your chosen router setup, avoid using unique naming conventions for service set identifiers (SSID) broadcasting. Typically, wardriving would be hostile to the aims or privacy. However, catalogues of wardriving submissions such as Wigle can provide valuable intelligence which can then be applied to broadcasted SSIDs. A prime example of leveraging intelligence submitted to Wigle can be observed from their statistics page[^47], showcasing the most common SSID names. At the time of writing along with the foreseeable future, `xfinity` leads the pack, with variations of preset names such as `NETGEAR##` following behind.
While providing a use-case for naming conventions regarding SSID broadcasting, I should make it clear that blending should be applied across the board for any device that is broadcasting.
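Review bot: "hostile to the aims or privacy" on the changed line should read "the aims of privacy"; the line is already being modified for [^47], so fix the typo in the same commit. "At the time of writing along with the foreseeable future" is also awkward; "At the time of writing (and for the foreseeable future)" reads better.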
@ -461,15 +461,15 @@ For example, a journalist could configure a dead man's switch to wipe the memory
There are various ways to implement a dead man's switch, such as using USB devices, system events, or panic buttons. A physical wired dead man's switch reduces attack surface and intricacy, however remote switches can also be used to propagate a panic signal to all nodes on a network. This can be useful in situations where multiple journalists are working together and need to quickly destroy sensitive information if their operation is compromised.
Implementing a panic signal to invoke a dead man's switch can involve several steps, depending on the specific requirements and the systems involved. Here is a general overview of the process, with some references that provide more detailed information:
1. Define the panic signal: The first step is to define the panic signal that will trigger the dead man's switch. This can be a button, a keyboard shortcut, a voice command, or any other type of signal that can be captured by the system.
2. Capture the panic signal: The next step is to capture the panic signal and convert it into a system event that can be handled by the dead man's switch. This can be done using various methods such as using keyboard hooks, USB device monitoring, or voice recognition.
3. Create a script or program to handle the panic signal: Once the panic signal is captured, you need to create a script or program that can handle the panic signal and invoke the dead man's switch. This script or program should be able to run on the target system and be able to interact with the system's resources.
4. Configure the dead man's switch: After the panic signal is captured and handled, you need to configure the dead man's switch to respond to the panic signal. This can involve defining the actions that should be taken when the panic signal is received, such as shutting down the system, wiping memory, encrypting data, or sending an alert.
5. Test the dead man's switch: Before deploying the dead man's switch, you should test it to ensure that it works as expected and that it does not cause any unintended consequences. You can test the dead man's switch by simulating a panic signal and observing the system's response.
1. Define the panic signal that will trigger the dead man's switch. This can be a button, a keyboard shortcut, a voice command, or any other type of signal that can be captured by the system.
2. Capture the panic signal and convert it into a system event that can be handled by the dead man's switch. This can be done using various methods such as using keyboard hooks, USB device monitoring, or voice recognition.
3. Create a script or program to handle the panic signal and invoke the dead man's switch. This script or program should be able to run on the target system and be able to interact with the system's resources.
4. Configure the dead man's switch to respond to the panic signal. This can involve defining the actions that should be taken when the panic signal is received, such as shutting down the system, wiping memory, encrypting data, or sending an alert.
5. Before deploying the dead man's switch, you should test it to ensure that it works as expected and that it does not cause any unintended consequences. You can test the dead man's switch by simulating a panic signal and observing the system's response.
After the dead man's switch, aka killswitch, is configured, we can move on to the commands to issue. If we wanted to securely wipe the random access memory before shutting down, we could issue the `sdmem -v` command to verbosely clean the RAM following activation. Any form of shell command that is compatible with the particular GNU/Linux system can be ran based on a specified system behavior. See resources at the end of this section [^41], [^42], and [^43] for USB dead man's switch. In a nutshell, these tools are configured to watch system USB events. When a change occurs, the switch commands are invoked. Panic buttons are another form of a killswitch that remain active on your display and are ready to invoke at any moment. (Centry.py[^44] is a good example of a panic button).
After the dead man's switch, aka killswitch, is configured, we can move on to the commands to issue. If we wanted to securely wipe the random access memory before shutting down, we could issue the `sdmem -v` command to verbosely clean the RAM following activation. Any form of shell command that is compatible with the particular GNU/Linux system can be ran based on a specified system behavior. See resources at the end of this section [^48], [^49], and [^50] for USB dead man's switch. In a nutshell, these tools are configured to watch system USB events. When a change occurs, the switch commands are invoked. Panic buttons are another form of a killswitch that remain active on your display and are ready to invoke at any moment. (Centry.py[^50] is a good example of a panic button).
There are USB devices known as "Mouse Jigglers" that are used by forensic teams after device seizure. These jigglers are serial devices plugged in to interface with the system to keep the screenlock from being invoked. There are easy preventative software-based solutions such as USBCTL[^45] that can prevent these devices for operating, however this will likely be picked up on and human mouse jigglers can take their place. Ideally a process can be utilized to detect such a device and invoke a shutdown process. A mitigation for the human mouse jigglers could be implementing forced authentication every half hour to an hour. If the credentials have not been entered, the user session could be terminated, memory could be cleared, or the shutdown command could even be invoked.
There are USB devices known as "Mouse Jigglers" that are used by forensic teams after device seizure. These jigglers are serial devices plugged in to interface with the system to keep the screenlock from being invoked. There are easy preventative software-based solutions such as USBCTL[^51] that can prevent these devices for operating, however this will likely be picked up on and human mouse jigglers can take their place. Ideally a process can be utilized to detect such a device and invoke a shutdown process. A mitigation for the human mouse jigglers could be implementing forced authentication every half hour to an hour. If the credentials have not been entered, the user session could be terminated, memory could be cleared, or the shutdown command could even be invoked.
Despite what triggers the dead man's switch, if the operation falls under a life or death category, one should consider implementing this safeguard.
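Review bot: footnote collision on the renumbered line: `Centry.py[^50]` reuses the marker already given to the third USB dead man's switch resource in the same sentence (`[^48], [^49], and [^50]`). The other markers in this hunk shift by +7 (old [^41]..[^43] became [^48]..[^50]), so Centry.py should become [^51] and USBCTL on the following line [^52], with the canary and later markers shifted to match; otherwise two distinct citations silently resolve to one definition. Please check the definition list at the end of the README against the full sequence before merging. Two smaller points on the same lines: "can be ran" should be "can be run", and the rewritten step 5 ("Before deploying the dead man's switch, you should test it") no longer opens with an imperative like steps 1 to 4; "Test the dead man's switch before deploying it, to ensure..." keeps the list parallel.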
@ -488,7 +488,7 @@ Canaries have been used in a variety of contexts in information security:
### Canary Statement
One way a journalist could use a canary is by publishing a "canary statement" on their website or social media accounts. This statement would contain information that would be unlikely to change, such as the journalist's phone number or a specific phrase that they use frequently. If the journalist is later arrested or otherwise prevented from publishing, they can have a trusted contact check to see if the canary statement is still present. If it is not, it would indicate that the journalist's website or social media accounts have been compromised, and that any information published on them should not be trusted.
There can be canaries that are cryptographically signed simply stating that no legal subpoenas have been issued. More advanced uses, such as Kicksecure's canary[^] or the QubesOS canary template[^], can include raw query output displaying the current block of a public ledger of say Bitcoin, along with performing curl requests to determine recently posted articles from various news organizations. These canaries are often cryptographically signed to ensure that they have not been tampered with. See the following example:
There can be canaries that are cryptographically signed simply stating that no legal subpoenas have been issued. More advanced uses, such as Kicksecure's canary[^52] or the QubesOS canary template[^53], can include raw query output displaying the current block of a public ledger of say Bitcoin, along with performing curl requests to determine recently posted articles from various news organizations. These canaries are often cryptographically signed to ensure that they have not been tampered with. See the following example:
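Review bot: on the changed line, "a public ledger of say Bitcoin" needs commas ("of, say, Bitcoin"), and "curl requests" should put `curl` in code font as the file does for other commands. The paragraph also says "cryptographically signed" in both its first and last sentence; the second occurrence can go, since the signed-message example that follows already makes the point.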
```
-----BEGIN PGP SIGNED MESSAGE-----
@ -521,9 +521,9 @@ ZKgeW/TZy6xx/KQkKYLBCdu6oCzMsBH857d3P5lO+T1MJuqRe8RFDRvqAg2ZE4VT
```
### Cryptographic Canary with an IDS
There are many setups one could configure to use with an Intrusion Detection System (IDS). I'll provide one example with the use of an open-source tool known as Tripwire.
There are many setups one could configure to use with an Intrusion Detection System (IDS). I'll provide one example with the use of an open-source tool known as Tripwire[^54].
1. Configure Tripwire: After installing Tripwire, you will need to configure it to monitor the files and systems that you want to protect. This involves defining the files, directories, and systems to be monitored, as well as the parameters for monitoring and alerting. Tripwire provides a comprehensive configuration guide that explains how to set up monitoring and alerting.
1. Configure Tripwire: After installing Tripwire, you will need to configure it to monitor the files and systems that you want to protect. This involves defining the files, directories, and systems to be monitored, as well as the parameters for monitoring and alerting.
2. Create a database of file hashes: Tripwire uses cryptographic hashes to verify the integrity of files. You will need to create a database of file hashes to compare against the files being monitored. To do this, you can use the Tripwire command-line interface to generate a hash of the files and store them in a database.
3. Monitor the files: Once the database of file hashes has been created, Tripwire will start monitoring the files and systems defined in the configuration. If any changes are detected, Tripwire will generate an alert and log the changes in a report.
4. Respond to alerts: When an alert is generated, you should respond by reviewing the log and report generated by Tripwire to determine the nature and extent of the changes. Depending on the severity of the changes, you may need to take action, such as restoring the files from a backup, investigating the cause of the changes, or taking other measures to secure the system.
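Review bot: the changed step 1 drops the sentence pointing readers to Tripwire's configuration guide; that is only fine if the new [^54] marker on the line above resolves to the documentation rather than just the project homepage, so please confirm the definition. Separately, the section is titled "Cryptographic Canary with an IDS" but the four steps stop at "Respond to alerts" and never say how the Tripwire report becomes a canary; a final step that signs and publishes the integrity report (as the PGP-signed example above does) would close that gap. Step 4 could also mention re-baselining the hash database after an authorized change, since step 3 says any change raises an alert.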
@ -549,7 +549,7 @@ Here's a simple step-by-step method on how a journalist could set up a poisoned
As mentioned with many other topics throughout this writing, canaries are not infallible and should not be relied upon solely. They play a part in the security ecosystem that could help determine tampering or interference with documents, services, and infrastructure.
## Play on Resources
Earlier, it was said that these groups have unlimited resources; this is not entirely true. The one resource which they lack is time. While they have infinite funds to allocate towards password and key cracking methods, so long as quantum physics strays behind computing, time is their main constraint. Taking methods from obscurity, the use of non-default encryption algorithms and hashing mechanisms for keys substantially increases the amount of time the analyst must expend on cracking. If the analyst cannot identify the hash function or cipher, they must try all possible options. Even if the correct password is obtained, this becomes useless without the proper cipher. For instance, Veracrypt uses over fifteen combinations of individual encryption algorithms and cascaded/stacked ciphers. Complement this with the five supported hash functions, and we are looking at 75 possible combinations of symmetric ciphers and one-way hash functions. As stated by ElcomSoft,[^46] "Trying all possible combinations is about 175 times slower compared to attacking a single combination of AES+SHA-512."
Earlier, it was said that these groups have unlimited resources; this is not entirely true. The one resource which they lack is time. While they have infinite funds to allocate towards password and key cracking methods, so long as quantum physics strays behind computing, time is their main constraint. Taking methods from obscurity, the use of non-default encryption algorithms and hashing mechanisms for keys substantially increases the amount of time the analyst must expend on cracking. If the analyst cannot identify the hash function or cipher, they must try all possible options. Even if the correct password is obtained, this becomes useless without the proper cipher. For instance, Veracrypt uses over fifteen combinations of individual encryption algorithms and cascaded/stacked ciphers. Complement this with the five supported hash functions, and we are looking at 75 possible combinations of symmetric ciphers and one-way hash functions. As stated by ElcomSoft,[^55] "Trying all possible combinations is about 175 times slower compared to attacking a single combination of AES+SHA-512."
Hypothetically, if the algorithm/hash combination is known by the attacker, here is where the cascading algorithms display their value:
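Review bot: on the changed line the citation marker sits after the comma ("ElcomSoft,[^55]"); it should be "As stated by ElcomSoft[^55],". "so long as quantum physics strays behind computing" is unclear; if the intent is that practical quantum computers are not yet available, say that. Also, "over fifteen" cipher combinations times five hash functions gives "over 75", not exactly 75; either drop "over" or say "roughly 75".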
@ -575,7 +575,7 @@ For an adversary who gains a foothold on your system(s) without the physically r
For critical operations, reduce reliance on wireless radio transmissions. Consider the process of removing all radio transmitter chipsets, otherwise known as airgapping, to mitigate a medley of threats.
Methods of "jumping" airgaps have been found in the past.[^47] One must be sure to remove all hardware which could be used for communication. This includes Wi-Fi cards (often Bluetooth and Wi-Fi are within the same physical card), Bluetooth card (if you have a Bluetooth card separate from your Wi-Fi card), microphones (communications protocols have been devised to transmit data through ultrasonic audio). Many modern OSs still have the drivers to support these protocols, and the attacks surface therefore still exists), speakers (usable for data exfiltration using the same means), physical ports (USB, SD, headphone jack). Even power cords have been used as a means of compromise (on both laptop and desktop systems).
Methods of "jumping" airgaps have been found in the past.[^56] One must be sure to remove all hardware which could be used for communication. This includes Wi-Fi cards (often Bluetooth and Wi-Fi are within the same physical card), Bluetooth card (if you have a Bluetooth card separate from your Wi-Fi card), microphones (communications protocols have been devised to transmit data through ultrasonic audio). Many modern OSs still have the drivers to support these protocols, and the attacks surface therefore still exists), speakers (usable for data exfiltration using the same means), physical ports (USB, SD, headphone jack). Even power cords have been used as a means of compromise (on both laptop and desktop systems).
The traditional methods of interfacing with the internet stand to be the most secure. Systems using direct ethernet connection is optimal. While this is not a technical "airgap," this does prevent packet communications from being analyzed over the air.
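Review bot: the parentheses on the changed line are unbalanced: the group opened at "(communications protocols have been devised..." is closed after "ultrasonic audio)", yet the next sentence ends with a second ")" after "still exists". Either drop the first ")" so the aside about drivers stays inside the parentheses, or drop the trailing one. Also "attacks surface" should be "attack surface".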
@ -599,7 +599,7 @@ If you're on a tight budget, purchasing the material from reputable vendors and
Pre-made Faraday bags are also available for purchase, but it's important to ensure that you are buying from a reputable vendor, as cheaper options may not provide the same level of shielding. Vendors often recommend surrounding an enclosure multiple times with repeated testing to ensure that the device is not able to receive various signals.
If the operation is mobile (I suspect it is if you cannot remove [radio transmitters](#radio-transmitters)), best practice is to store each item in its own Faraday enclosure and then store them inside a larger shielded enclosure. When you add or transfer items, the devices don't leak signal when the outer enclosure is opened. Think two is one, and one is none. MITRE even has a defense matrix that highlights RF shielding being used to reduce or remove undesired radio interference.^[]
If the operation is mobile (I suspect it is if you cannot remove [radio transmitters](#radio-transmitters)), best practice is to store each item in its own Faraday enclosure and then store them inside a larger shielded enclosure. When you add or transfer items, the devices don't leak signal when the outer enclosure is opened. Think two is one, and one is none. MITRE even has a defense matrix that highlights RF shielding being used to reduce or remove undesired radio interference.[^57]
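Review bot: the changed line switches from the inline-footnote form `^[]` to a numbered marker `[^57]`; make sure a `[^57]:` definition is added at the end of the file, since the inline form carried no separate definition and an undefined marker renders as literal text. In the trailing context, "Nanthala National Forest" is misspelled; it is Nantahala.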
## Noise
Generating excess noise through logging or traffic can be an excellent method to throw investigators for a whirl. Anyone who has worked with security logging mechanisms for system auditing can attest that noise is the enemy of understanding. Traffic in mass can be hard to piece together, especially if it's not all being generated by you. For the natural sadists who want to more or less troll, consider hosting services such as a TOR node. Instead of trying to find pertinent clues in a small pond, investigators are trying to search a great lake, or perhaps the rivers of Nanthala National Forest. To couple the size, the clues they find may even lead them down false bends. So long as the data is not revealing information relevant to your operation(s), this will stand to make the water a little more murky.
@ -626,7 +626,7 @@ We are in an age where we are constantly connected. Dropping off for even a few
Regarding the creation of online accounts and personas, don't use identifiable names. Your operations should be treated as a second life that should be appropriately segmented. While you may find some of your ideas to be profound/esoteric and want to reuse and redistribute across platforms - refrain. You're only creating a trail that could come back to bite you. Not only should you segment your usernames creative talents, but ensure that projects also become segmented. The more you divulge into separate projects, the less connection you want to have - unless of course they are related and you desire the marketing crossover.
The physical use of your device, from pinging telecommunications infrastructure to local area network (LAN) connections will rat you out. Geofencing requests have gained increasing popularity with American law enforcement. Google self-reported, "Year over year, Google has observed over a 1,500% increase in the number of geofence requests it received in 2018 compared to 2017; and to date, the rate has increased over 500% from 2018 to 2019."[^48]
The physical use of your device, from pinging telecommunications infrastructure to local area network (LAN) connections will rat you out. Geofencing requests have gained increasing popularity with American law enforcement. Google self-reported, "Year over year, Google has observed over a 1,500% increase in the number of geofence requests it received in 2018 compared to 2017; and to date, the rate has increased over 500% from 2018 to 2019."[^58]
After the physical side is dealt with, the digital side can start to be addressed. Just like scripts can be implemented to increase efficiency, they can also be used to aid and/or create alibis.
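Review bot: the renumbered geofence citation `[^58]` in the updated line does not match the definition list added at the end of this same commit, where `Geofence Requests - https://assets.documentcloud.org/documents/6747427/2.pdf` is `[^57]` and `[^58]` is the Jung entry; as committed, the Google quote would cite Jung. Either this marker should be `[^57]` or the definitions below need shifting up by one. Unchanged in both versions, but worth fixing while the line is being touched: "from pinging telecommunications infrastructure to local area network (LAN) connections will rat you out" needs a comma after "connections" to close the parenthetical.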
@ -635,15 +635,15 @@ Often times a double-edged pendulum comes to swing. If an investigator were to b
You will likely not come out unscathed from the psychological toll of withholding secrets. Not only do fabrications add unneeded complexity into your relationships by forcing you to drain energy keeping narratives intact, but they place you in a state of isolation from others. All tyranny stems from deceit, and your own psyche can stand to be a worse tyrant than the state. Make sure the endeavor is worth the burden.
"As we have seen, every personal secret has the effect of a sin or of guilt—whether or not it is, from the standpoint of popular morality, a wrongful secret. Now another form of concealment is the act of "withholding"—it being usually emotions that are withheld. As in the case of secrets, so here also we must make a reservation: self-restraint is healthful and beneficial; it is even a virtue. This is why we find self-discipline to have been one of man's earliest moral attainments. Among primitive peoples it has its place in the initiation ceremonies, chiefly in the forms of ascetic continence and the stoical endurance of pain and fear. Self-restraint, however, is here practiced within the secret society as something undertaken in company with others. But if self-restraint is only a private matter, and perhaps devoid of any religious aspect, then it may be as harmful as the personal secret." - C. G. Jung, Modern Man in Search of a Soul[^49]
"As we have seen, every personal secret has the effect of a sin or of guilt—whether or not it is, from the standpoint of popular morality, a wrongful secret. Now another form of concealment is the act of "withholding"—it being usually emotions that are withheld. As in the case of secrets, so here also we must make a reservation: self-restraint is healthful and beneficial; it is even a virtue. This is why we find self-discipline to have been one of man's earliest moral attainments. Among primitive peoples it has its place in the initiation ceremonies, chiefly in the forms of ascetic continence and the stoical endurance of pain and fear. Self-restraint, however, is here practiced within the secret society as something undertaken in company with others. But if self-restraint is only a private matter, and perhaps devoid of any religious aspect, then it may be as harmful as the personal secret." - C. G. Jung, Modern Man in Search of a Soul[^59]
## False Compromise
Malware with computing is still in the early stages. It truly is the wild west in many regards. For an extra layer of plausible deniability, embed a tailored backdoor or malware variant. This method will not protect you if there are logs that correlate your activity and no logs correlating connection attempts.
Malware with computing is still in the early stages. It truly is the wild west in many regards. For an extra layer of plausible deniability, one could embed a tailored backdoor or malware variant. This method will not protect you if there are logs that correlate your activity and no logs correlating connection attempts, nor should this be wholly relied on.
The vast majority of cases related to online operations become unsolved mysteries in the archives of law enforcement. Most happenings become heresay or mere hunches. Take APT groups and nation-states as an example; the majority of cyberwarfare that occurs today is between state-funded APT groups with a primary focus of non-attribution. Despite how many correlating clues lead back to the APT groups and their communications with nation-states, the water remains murky. In replacement or in conjunction with the killswitch, consider weaponizing your own variant of ransomware. You could create a maintain ownership of the key or you could accept the loss of your data. The malware could also perform shred functions as with any script that you could program. Not only does the embedded malware render your data inaccessible, but it provides another level of plausible deniability. "I was not aware my infrastructure was being used for that." Technically, "malware" implies the application of code that will create adverse or undesired action to the system. This is not truly malware, but rather programmed code designed to mimic malicious function.
The vast majority of cases related to online operations become unsolved mysteries in the archives of law enforcement. Most happenings become heresay or mere hunches. Take APT groups and nation-states as an example; the majority of cyberwarfare that occurs today is between state-funded APT groups with a primary focus of non-attribution. Despite how many correlating clues lead back to the APT groups and their communications with nation-states, the water remains murky. In replacement or in conjunction with the killswitch, consider weaponizing your own variant of ransomware. You could create and maintain ownership of the key or you could accept the loss of your data. The malware could also perform shred functions as with any script that you could program. Not only does the embedded malware render your data inaccessible, but it provides another level of plausible deniability. "I was not aware my infrastructure was being used for that." Technically, "malware" implies the application of code that will create adverse or undesired action to the system. This is not truly malware, but rather programmed code designed to mimic malicious function.
On GNU/Linux, there are many ways to embed malware on the system. Some of which leverage crontabs or other variants of scheduling tools. Aliases can be altered to perform malicious functions rather than the desired results. System process in `bin/` directories can perform unintended tasks, or simply be swapped out and/or linked to alternate processes. Some files such as `/etc/rc.local` or `/home/$USER/.bashrc` can contain commands to execute upon booting to the disk or logging into a user account respectively. Analyzing the newest trends of threat actors can useful to determine indicators of compromise (IOC). Kinsing[^50] and other threat actors that leverage new vulnerabilities to compromise internet-facing systems and embed crypto-miners provide insight into the world of persistence, along with a competitive nature that stunts competition. The sub-sections listed below identify remnant items that could signal a past compromise to forensic analysts.
On GNU/Linux, there are many ways to embed malware on the system. Some of which leverage crontabs or other variants of scheduling tools. Aliases can be altered to perform malicious functions rather than the desired results. System process in `bin/` directories can perform unintended tasks, or simply be swapped out and/or linked to alternate processes. Some files such as `/etc/rc.local` or `/home/$USER/.bashrc` can contain commands to execute upon booting to the disk or logging into a user account respectively. Analyzing the newest trends of threat actors can useful to determine indicators of compromise (IOC). Kinsing[^60] and other threat actors that leverage new vulnerabilities to compromise internet-facing systems and embed crypto-miners provide insight into the world of persistence, along with a competitive nature that stunts competition. The sub-sections listed below identify remnant items that could signal a past compromise to forensic analysts.
### Cron example
`echo "*/30 * * * * sh /etc/.newinit.sh >/dev/null 2>&1" > /etc/$crondir`
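Review bot: the Jung quote now carries `[^59]` and the Kinsing mention `[^60]`, but the definitions added at the bottom of this commit put Jung at `[^58]` and Kinsing at `[^59]`, so both citations resolve to the neighbouring entry until one side is renumbered. Two typos survive unchanged in the rewritten `+` lines and could be fixed in the same pass: "heresay" should be "hearsay", and "Analyzing the newest trends of threat actors can useful" is missing "be". The softened wording ("one could embed ... nor should this be wholly relied on") is the right call, since the paragraph itself concedes the technique fails whenever activity logs exist and no connection logs corroborate the story.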
@ -659,6 +659,8 @@ Many hardened systems append the mount the `/tmp/` and `/dev/shm/` partitions wi
### Placing SSH keys under the root user
Unexpected SSH keys can be a sign of compromise, and they typically do not belong under `/root/.ssh/` directory as they are primarily controlled by a less-privileged user account.
> Note: There are plenty of remote access tools rife with abuse that could also be installed on the system to hint at compromise. Additionally, there are plenty of instances of remote access trojans that could be obtained from a variety of virus sharing platforms.
## Traceless Procurement
There are a few concepts to touch on this topic.
1. Avoid main vendors such as Amazon. Either go directly to the vendor or order through an IT Ma' & Pop shop.
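Review bot: the new rationale line under "Placing SSH keys under the root user" is ambiguous: "they typically do not belong under `/root/.ssh/` directory as they are primarily controlled by a less-privileged user account" reads as if keys found under `/root` are owned by an unprivileged user. The indicator seems to be that authorized keys normally live under an unprivileged account's `~/.ssh/`, with direct root login left disabled (`PermitRootLogin no` in `sshd_config`), so an `authorized_keys` file appearing under `/root/.ssh/` on such a host is a sign something was planted; suggest saying that directly, stating the root-login assumption, and adding "the" before "directory". The assumption matters because on hosts that deliberately allow root login these keys are expected and are not evidence of compromise.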
@ -676,19 +678,19 @@ Monero is often hailed as the privacy king of cryptocurrency. While it has comme
"The fundamental problem of coin mixing methods though is that transaction data is not being hidden through encryption. RingCT is a system of disassociation where information is still visible in the blockchain. Mind that a vulnerability might be discovered at some point in the future which allows traceability since Monero’s blockchain provides a record of every transaction that has taken place."
This operates similar to a mixnet where it is difficult to discern the originating address from a transaction. One of Monero's developers publicly admits that "zk-SNARKs provides much stronger untraceability characteristics than Monero (but a much smaller privacy set and much higher systemic risks)." Intelligence agencies have placed their eyes on Monero for some time. The United States has even brought in a private firm called CipherTrace who claims to have built tools capable of tracing transactions.[^51] At the time of writing, these are unsubstantiated claims; there is no evidence to suggest that Monero has been de-obfuscated.
This operates similar to a mixnet where it is difficult to discern the originating address from a transaction. One of Monero's developers publicly admits that "zk-SNARKs provides much stronger untraceability characteristics than Monero (but a much smaller privacy set and much higher systemic risks)." Intelligence agencies have placed their eyes on Monero for some time. The United States has even brought in a private firm called CipherTrace who claims to have built tools capable of tracing transactions.[^61] At the time of writing, these are unsubstantiated claims; there is no evidence to suggest that Monero has been de-obfuscated.
Pirate Chain's ARRR addresses the fungibility problem of Zcash by removing the transparent address schema (t-tx) and forcing all transactions to use Sapling shielded transactions (z-tx). "By consistently utilizing zk-SNARKs technology, Pirate leaves no usable metadata of user’s transactions on its blockchain." This means that even if the blockchain was compromised down the line, the adversary would obtain little to no useful metadata. The transactions contain no visible amount to no visible address from no visible address. The underlying cryptography would have to be broken or the viewing/spending keys would have to be intercepted in order to peer into the transactions. For an adversary without key possession, the trace is baseless. "A little bit of math can accomplish what all the guns and barbed wire can’t: a little bit of math can keep a secret." - Edward Snowden
While I could write mounds of literature diving into the depths of cryptocurrency, I have brought forth only what is useful to the aims of anti-forensics. There is no real purpose in regurgitating quotations from various whitepapers and protocol designs. Any further research into the matter is up to you. If this has peaked your interest, consider diving into the various communities, protocol specifications, and whitepapers.
- Further information pertaining to zk-SNARKs - [^52]
- Monero (XMR) Whitepaper - [^53]
- Pirate Chain Whitepaper - [^54]
- Further information pertaining to zk-SNARKs - [^62]
- Monero (XMR) Whitepaper - [^63]
- Pirate Chain Whitepaper - [^64]
## Defensive Mechanisms
System security or hardening is vital for successful operations. Lack of hardening could result in your machines being cut through like hot butter. Center for Internet Security (CIS)[^55] and Defense Information Systems Agency (DISA) with Standard Technical Implementation Guides[^56] both have decent system hardening standards that are to be applied to all DoD contractor, government, and affiliated nodes. For Linux and Unix systems, Kernel Self-Protection Project (KSPP)[^57] is a great resource for kernel configuration settings.
System security or hardening is vital for successful operations. Lack of hardening could result in your machines being cut through like hot butter. Center for Internet Security (CIS)[^65] and Defense Information Systems Agency (DISA) with Standard Technical Implementation Guides[^66] both have decent system hardening standards that are to be applied to all DoD contractor, government, and affiliated nodes. For Linux and Unix systems, Kernel Self-Protection Project (KSPP)[^67] is a great resource for kernel configuration settings.
Hardening procedures fall in line with the concept of minimizing architecture and running processes on a system. This makes each system easier to audit with less noise/clutter, and reduces the attack surface for exploitation. Hardening should encompass patches, scans with most recent virus definitions, restrictive permissions, kernel hardening, purging unnecessary software, and disabling physical ports, unnecessary users, filesystems, firmware modules, compilers, and network protocols.
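Review bot: the +10 renumbering in this region (`[^61]` for CipherTrace, `[^62]`–`[^64]` for the whitepaper list, `[^65]`–`[^67]` for CIS/DISA/KSPP) cannot be verified from this commit, because the definition list added at the bottom ends at `[^59]`; please confirm those entries exist further down in the file before merging. Unchanged context, but worth fixing alongside: the Monero developer quote about zk-SNARKs carries no footnote while every neighbouring claim does, and "peaked your interest" should read "piqued your interest".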
@ -696,7 +698,7 @@ System hardening is far from a quick and easy process, unless you have preconfig
If the goal is to run a more persistent lightweight OS with minimal functionality, I suggest running a variant of Arch Linux that does not use SystemD (Consider runit, OpenRC, or s6). If wide community support is needed, Arch with a hardened configuration will be your best bet. For the tech-savvy, hardened variants of Gentoo are ideal.
The more persistence desired for the operation increases the complexity of the hardening. Some projects have been introduced to rival Xen-based hypervisors with minimalist GNU/Linux systems. Some development towards Whonix Host[^58] was started but has not yet come to fruition. PlagueOS[^59] is based on the Void musl build with numerous hardening mechanisms. This is designed to act strictly as a locked down hypervisor with all system activities conducted inside of Kicksecure/Whonix VMs. The VMs also are restricted by AppArmor profiles and are ran inside a `bwrap`[^60] sandboxed container. See the PARSEC repository for examples of how to implement bubblewrap profiles.[^61]. Do note that the listed hardening is incomplete and will not fit all operations and GNU/Linux systems. This is not meant to be a book on methods for defensive cybersecurity. For those concerned with exploitation of GNU/Linux systems, see the reference to Madaidan's hardening guide.[^62]
The more persistence desired for the operation increases the complexity of the hardening. Some projects have been introduced to rival Xen-based hypervisors with minimalist GNU/Linux systems. Some development towards Whonix Host[^68] was started but has not yet come to fruition. PlagueOS[^69] is based on the Void musl build with numerous hardening mechanisms. This is designed to act strictly as a locked down hypervisor with all system activities conducted inside of Kicksecure/Whonix VMs. The VMs also are restricted by AppArmor profiles and are ran inside a `bwrap`[^70] sandboxed container. See the PARSEC repository for examples of how to implement bubblewrap profiles.[^71]. Do note that the listed hardening is incomplete and will not fit all operations and GNU/Linux systems. This is not meant to be a book on methods for defensive cybersecurity. For those concerned with exploitation of GNU/Linux systems, see the reference to Madaidan's hardening guide.[^72]
## Vehicle Tracking
Vehicles and privacy are starting to become a wicked problem ushered in by manufacturers. In today's connected world, cars are no longer just a mode of transportation. Modern vehicles are equipped with a variety of sensors and cameras that can collect data about the car's performance, location, and usage. Almost every vehicle following 1996 has embedded systems, OnStar or the more modern Starlink, that have a default opt-in policy. This data can include information about the car's speed, fuel efficiency, and maintenance needs, as well as the car's location and travel history. Some cars also have cameras that can collect data about the driver and passengers, such as facial recognition data and biometric information.
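Review bot: the rewritten line has a stray period: "bubblewrap profiles.[^71]. Do note" puts one full stop before the marker and another after it, which renders as ".[^71]." and should be "profiles.[^71] Do note". Also carried over unchanged into the `+` line: "are ran inside a `bwrap` sandboxed container" should be "are run inside", and the opening sentence "The more persistence desired for the operation increases the complexity of the hardening" would read better as "The more persistence an operation needs, the more complex the hardening becomes".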
@ -754,9 +756,9 @@ In addition, cars with data communication modules have a potential vulnerability
This wouldn't be a complete work on anti-forensics without some mention of physical precautions. While wireless transmitters are ill-advised, wireless technology can prove useful when larger proximity is needed. Directional antennas could allow you to stay hidden from cameras and remotely authenticate to a network.
With nuances added from the modern surveillance state, traffic cameras force your hand by revealing every intersection which you have passed through. There are a few methods to circumventing this privacy infringement. Darkened weather covers for your license plate (Warning: This method could result in a fine with the wrong officer) or a well-rigged bicycle rack could prevent cameras from picking up your plate number. Alternatively, if a destination is within a few miles of proximity you could either ride a bicycle (with a disguise), or decide to become a motorcyclist. With motorcycles, the plate numbers are significantly smaller and could even be blocked by your feet on particular bikes. The helmet would stand to mask facial features, and the jacket would cover any identifiable features such as tattoos. While on the subject of tattoos, it is worth mentioning that Palantir has been involved in "predictive policing" leveraging footage obtained from traffic cameras to profile individuals.[^63]
With nuances added from the modern surveillance state, traffic cameras force your hand by revealing every intersection which you have passed through. There are a few methods to circumventing this privacy infringement. Darkened weather covers for your license plate (Warning: This method could result in a fine with the wrong officer) or a well-rigged bicycle rack could prevent cameras from picking up your plate number. Alternatively, if a destination is within a few miles of proximity you could either ride a bicycle (with a disguise), or decide to become a motorcyclist. With motorcycles, the plate numbers are significantly smaller and could even be blocked by your feet on particular bikes. The helmet would stand to mask facial features, and the jacket would cover any identifiable features such as tattoos. While on the subject of tattoos, it is worth mentioning that Palantir has been involved in "predictive policing" leveraging footage obtained from traffic cameras to profile individuals.[^73]
Any tech devices that you purchase will have some identifier that could lead back to you. Make this a moot point and procure every device (even USBs) anonymously with cash. If you're out on a distant road trip, make some of your purchases. Wear a hat accompanied with some baggy clothes. Perform a slight change in your gait as you walk (uncomfortable shoes could help with this). Alternatively, pay someone via proxy to do your bidding.
Any devices that you purchase will have some identifier that could lead back to you. Make this a moot point and procure every device (even USBs) anonymously with cash. If you're out on a distant road trip, make some of your purchases. Wear a hat accompanied with some baggy clothes. Perform a slight change in your gait as you walk (uncomfortable shoes could help with this). Alternatively, pay someone via proxy to do your bidding.
## Use Cases
There is no way to address every threat model, therefore I have opted to provide mitigations to some of the justifiably paranoid cases.
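Review bot: the rewritten traffic-camera line keeps "There are a few methods to circumventing this privacy infringement"; it should be "methods of circumventing" or "ways to circumvent". Otherwise the only changes here are the `[^63]` to `[^73]` renumbering and dropping "tech" from "Any tech devices", both fine.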
@ -784,18 +786,22 @@ It's evident that poking powerful players could result in irreversible consequen
The OS selection should be oriented towards amnesia. TAILS could be leveraged with a USB, and the drive in the system could simply be a dummy (filled with insignificant data, vacation pictures, etc). The physical wireless chipset should be removed and replaced with a wireless dongle and attached only when needed. While I prefer hardware over software mitigations, you may not wish to fry the USB ports or de-solder the SATA ports. The BIOS should be password-protected, and the USB ports at the very least can be disabled from the menu. If you will be operating from public locations, consider running a blank keyboard with a privacy screen covering the LED.
Fortunately, amnesiac solutions are growing. One can run TAILS with the HiddenVM project.[^64] HiddenVM is precompiled VirtualBox binaries to allow running virtual machines without an installation directly on TAILS. HiddenVM leverages the TAILS amnesiac system with Veracrypt's hidden partitions for plausible deniability. In this way, Whonix can be ran from TAILs and there will not be an overlapping use of TOR.
Fortunately, amnesiac solutions are growing. One can run TAILS with the HiddenVM project.[^74] HiddenVM is precompiled VirtualBox binaries to allow running virtual machines without an installation directly on TAILS. HiddenVM leverages the TAILS amnesiac system with Veracrypt's hidden partitions for plausible deniability. In this way, Whonix can be ran from TAILs and there will not be an overlapping use of TOR.
If a live USB with minimal processing power is not your niche, consider running a hardened base OS such as PlagueOS, to act as a hypervisor that runs amnesiac virtual machines such as Whonix. If the option is taken to avoid live boot, the hardware specification becomes more important. First off, it would be in your best interest to use at least 16GB of RAM. Secondly, consider using one SSD and one HDD. The HDD will be used to hold files, while the SSD is used for facilitating performance for the host OS. As previously stated, HDDs can be wiped by degaussing or overwriting physical sectors while this should be assumed an impossibility for an SSD. Each VM on the host should have a primary function; separate cases and even processes should have separate VMs. For the more technical, sandboxing applications can be used to add nested layers of security. Consider using a sandboxed profile[^60] for your virtualization software, whether it be KVM[^65] or VirtualBox[^66]. Inside the VM, use sandboxing to isolate your processes.
If a live USB with minimal processing power is not your niche, consider running a hardened base OS such as PlagueOS, to act as a hypervisor that runs amnesiac virtual machines such as Whonix. If the option is taken to avoid live boot, the hardware specification becomes more important. First off, it would be in your best interest to use at least 16GB of RAM. Secondly, consider using one SSD and one HDD. The HDD will be used to hold files, while the SSD is used for facilitating performance for the host OS. As previously stated, HDDs can be wiped by degaussing or overwriting physical sectors while this should be assumed an impossibility for an SSD. Each VM on the host should have a primary function; separate cases and even processes should have separate VMs. For the more technical, sandboxing applications can be used to add nested layers of security. Consider using a sandboxed profile[^70] for your virtualization software, whether it be KVM[^76] or VirtualBox[^77]. Inside the VM, use sandboxing to isolate your processes.
> Note: Amnesiac computing is highly advised for journalists with state targets on their back. Most malware will not be able to persist through different sessions, and often they will have to interact with hostile platforms and networks.
If a mobile device is deemed a necessity, leverage GrapheneOS on a Google Pixel. Encrypt all communications through trusted services or peer-to-peer (P2P) applications like Briar.[^67] Route all device traffic through TOR with the use of Orbot. Keep the cameras blacked out with electrical or gorilla tape. The concept of treating all signals as hostile should be emphasized here as the hardware wireless chipset cannot be de-soldered. Sensors and microphones can successfully be disabled, but the trend with smaller devices is that they run as a System on a Chip (SoC). In short, multiple functions necessary for the system to work are tied together in a single chip. Even if you managed not to fry the device from the de-soldering process, you would have gutted the core mechanisms of the system, resulting in the newfound possession of a paperweight.
If a mobile device is deemed a necessity, leverage GrapheneOS on a Google Pixel. Encrypt all communications through trusted services or peer-to-peer (P2P) applications like Briar.[^78] Route all device traffic through TOR with the use of Orbot. Keep the cameras blacked out with electrical or gorilla tape. The concept of treating all signals as hostile should be emphasized here as the hardware wireless chipset cannot be de-soldered. Sensors and microphones can successfully be disabled, but the trend with smaller devices is that they run as a System on a Chip (SoC). In short, multiple functions necessary for the system to work are tied together in a single chip. Even if you managed not to fry the device from the de-soldering process, you would have gutted the core mechanisms of the system, resulting in the newfound possession of a paperweight.
### Market Vendor
Let's assume the vendor is selling some sort of vice found on the DEA's list of schedule 1 narcotics. Fortunately in this use-case, unlike that of the anonymous activist (or the journalist in some cases), OPSEC is welcomed with open arms. In fact, vendors are even rated for their stealth (both from shipping and processing) as one of the highest criteria in consideration, along with the markets being TOR friendly, leveraging PGP, and ensuring full functionality without JavaScript. Given the ongoing nature of these operations, and that they are tailored towards privacy and security, a more persistent system will likely be the best fit.
The same recommendation for the journalist with a persistent setup using VMs for isolated processes on a hardened hypervisor, such as QubesOS or PlagueOS, is ideal. A completely amnesiac system is less necessary when you are not forced to interact with hostile sites that can arbitrarily run code via the use of JavaScript. While I would give a nod to those that take such precaution and exist solely in volatile memory, it is likely unnecessary and more of a hassle than the degraded performance is worth.
The same recommendation for the journalist with a persistent setup using VMs for isolated processes on a hardened hypervisor, such as QubesOS or PlagueOS, is ideal. A completely amnesiac system is less necessary when you are not forced to interact with hostile sites that can arbitrarily run code via the use of JavaScript. While I would give a nod to those that take such precautions and exist solely in volatile memory, it is likely unnecessary and more of a hassle than the degraded performance is worth.
While on the subject of free enterprise, underground markets often take form outside of the common marketplace. Another avenue for vendors who wish to escape market fees and association could be to leverage pastebin infrastructure such as PrivateBin[^79] for temporary postings to serve as a catalogue. They can choose from a list of different instances hosting the tooling, and while self-defeating to the purpose of minimalism, could even proceed to host their own instance(s). If a review system is needed for the market, a variety of forums could be used for this purpose.
> Note: Should a vendor pursue a catalogue distribution or temporary postings on PrivateBin instances, it will be critical that proper steps are taken to ensure that the post, along with the original poster's identity has not changed hands. For further details regarding identity validation, please see [Signature-Based Identification]((#signature-based-identification). Failure to cryptographically validate the post properly could pose harm to the buyer.
## Conclusion
As stated earlier, relevancy in the tech industry is difficult to maintain in perpetuity. The proposed concepts applied with adequate discipline and mapping stand to render investigations ineffective at peering into operations. Most mistakes take place in the beginning and come back later to haunt an operation. The success stories are never highlighted. For instance, there are plenty of vendors across marketplaces that have gone under the radar for years. OPSEC properly exercised would not leave a trail for the intelligence community; thus obscure and cryptographic implementations like steganography or FDE would not have to be relied on. I hope to learn that some of this material aids dissidents and journalists to combat regimes rooted in authoritarianism, coupled with privacy-minded individuals who have the desire to be left alone. Freedom and privacy have never been permitted by the state, nor are they achieved through legislature, protests, petitions; they are reclaimed by blatant non-compliance, loopholes, and violence. Every man possesses the right of revolution, and every revolution is rooted in treason, non-conformity, and ultimately to escape from subservience. In a world where they proclaim that you should have nothing to hide, respond with "I have nothing to show."
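Review bot: the markdown link in the new PrivateBin note is broken: `[Signature-Based Identification]((#signature-based-identification)` has a doubled opening parenthesis and no closing one, so it will render literally; it should be `[Signature-Based Identification](#signature-based-identification)`. Two smaller things in the same hunk: the markers jump from `[^74]` (HiddenVM) to `[^76]` (KVM) and `[^77]` (VirtualBox), an 11-place shift where every other reference in this commit moves by exactly 10, so either `[^75]` is defined and cited elsewhere or this is an off-by-one; and "Whonix can be ran from TAILs" survives unchanged and should be "can be run from TAILS".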
@ -960,40 +966,41 @@ https://github.com/benbusby/whoogle-search
[^38]: Minisign - https://github.com/jedisct1/minisign/
[^39]: Veracrypt - https://www.veracrypt.fr/code/VeraCrypt/
[^40]: KeepassXC - https://keepassxc.org
[^41]: USB dead man's switch - https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-kill-cord-dead-man-switch/
[^42]: Kerckhoffs, A. (1883). La cryptographie militaire. Journal des sciences militaires, 9, 5–38, 161–191.
[^43]: Shannon, C. E. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28(4), 656-715.
[^44]: "Stylometry and the Unabomber: An Exploration of Authorship Attribution" by J. Pennebaker, J. Mehl and R. Niederhoffer (2003)
[^45]: Koppel, M., Schler, J., & Argamon, S. (2009). Stylometry with audience annotations: determining the audience of non-individualized text. Journal of the American Society for Information Science and Technology, 60(6), 1123-1139.
[^46]: Koppel, M., Schler, J., & Argamon, S. (2008, August). Anonymouth: A stylometry-based tool for authorship anonymization. In Proceedings of the 17th ACM conference on Information and knowledge management (pp. 713-720). ACM.
MITRE Countermeasures - https://d3fend.mitre.org/technique/d3f:RFShielding/
[^47]: Eder, M., Kestemont, M., & François, T. (2015). Stylometry with R: a package for computational text analysis. Journal of Statistical Software, 63(6), 1-29.
[^48]: Wigle - https://wigle.net/stats#ssidstats
[^49]: USBKill - https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py
[^50]: Silk Guardian - https://github.com/NateBrune/silk-guardian
[^51]: Centry Panic Button - https://github.com/AnonymousPlanet/Centry
[^52]: USBCTL - https://github.com/anthraxx/usbctl
[^53]: https://download.whonix.org/developer-meta-files/canary/canary.txt
[^54]: https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-template.txt
|
||||
[^41]: Kerckhoffs, A. (1883). La cryptographie militaire. Journal des sciences militaires, 9, 5–38, 161–191.
|
||||
[^42]: Shannon, C. E. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28(4), 656-715.
|
||||
[^43]: "Stylometry and the Unabomber: An Exploration of Authorship Attribution" by J. Pennebaker, J. Mehl and R. Niederhoffer (2003)
|
||||
[^44]: Koppel, M., Schler, J., & Argamon, S. (2009). Stylometry with audience annotations: determining the audience of non-individualized text. Journal of the American Society for Information Science and Technology, 60(6), 1123-1139.
|
||||
[^45]: Koppel, M., Schler, J., & Argamon, S. (2008, August). Anonymouth: A stylometry-based tool for authorship anonymization. In Proceedings of the 17th ACM conference on Information and knowledge management (pp. 713-720). ACM.
|
||||
[^46]: Eder, M., Kestemont, M., & François, T. (2015). Stylometry with R: a package for computational text analysis. Journal of Statistical Software, 63(6), 1-29.
|
||||
[^47]: Wigle - https://wigle.net/stats#ssidstats
|
||||
[^48]: USBKill - https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py
|
||||
[^49]: Silk Guardian - https://github.com/NateBrune/silk-guardian
|
||||
[^50]: Centry Panic Button - https://github.com/AnonymousPlanet/Centry
|
||||
[^51]: USBCTL - https://github.com/anthraxx/usbctl
|
||||
[^52]: Whonix Canary - https://download.whonix.org/developer-meta-files/canary/canary.txt
|
||||
[^53]: https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-template.txt
|
||||
[^54]: Tripwire IDS - https://github.com/Tripwire/tripwire-open-source
|
||||
[^55]: Elcomsoft Forensics - https://blog.elcomsoft.com/2020/03/breaking-veracrypt-containers/
|
||||
[^56]: Jumping Airgaps - https://arxiv.org/pdf/2012.06884.pdf
|
||||
[^57]: Geofence Requests - https://assets.documentcloud.org/documents/6747427/2.pdf
|
||||
[^58]: Jung, C. G. (1955). Modern Man in Search of a Soul
|
||||
[^59]: Kinsing Crypto-Miner - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
|
||||
[^60]: CipherTrace - https://ciphertrace.com/ciphertrace-announces-worlds-first-monero-tracing-capabilities/
|
||||
[^61]: ZkSnarks - https://z.cash/technology/zksnarks
|
||||
[^62]: Monero Whitepaper - https://www.getmonero.org/resources/research-lab/pubs/whitepaper_annotated.pdf
|
||||
[^63]: Pirate Chain Whitepaper - https://pirate.black/files/whitepaper/The_Pirate_Code_V2.0.pdf
|
||||
[^64]: CIS - https://www.cisecurity.org
|
||||
[^65]: DISA STIGs - https://public.cyber.mil/stigs
|
||||
[^66]: KSPP - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
|
||||
[^67]: Whonix Host - https://www.whonix.org/wiki/Whonix-Host
|
||||
[^68]: PlagueOS - https://0xacab.org/whichdoc/plagueos
|
||||
[^69]: BubbleWrap Sandbox - https://github.com/containers/bubblewrap
|
||||
[^70]: SalamanderSecurity's PARSEC repository - https://codeberg.org/SalamanderSecurity/PARSEC
|
||||
[^71]: Linux Hardening - https://madaidans-insecurities.github.io/guides/linux-hardening.html
|
||||
[^72]: FOIA request for Palantir operations - https://www.documentcloud.org/search/projectid:51061-Palantir-September-2020
|
||||
[^73]: HiddenVM - https://github.com/aforensics/HiddenVM
|
||||
[^74]: KVM - https://www.linux-kvm.org/
|
||||
[^75]: Oracle VirtualBox - https://virtualbox.org
|
||||
[^76]: Briar P2P Messenger - https://briarproject.org
|
||||
[^57]: MITRE Countermeasures - https://d3fend.mitre.org/technique/d3f:RFShielding/
|
||||
[^58]: Geofence Requests - https://assets.documentcloud.org/documents/6747427/2.pdf
|
||||
[^59]: Jung, C. G. (1955). Modern Man in Search of a Soul
|
||||
[^60]: Kinsing Crypto-Miner - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
|
||||
[^61]: CipherTrace - https://ciphertrace.com/ciphertrace-announces-worlds-first-monero-tracing-capabilities/
|
||||
[^62]: ZkSnarks - https://z.cash/technology/zksnarks
|
||||
[^63]: Monero Whitepaper - https://www.getmonero.org/resources/research-lab/pubs/whitepaper_annotated.pdf
|
||||
[^64]: Pirate Chain Whitepaper - https://pirate.black/files/whitepaper/The_Pirate_Code_V2.0.pdf
|
||||
[^65]: CIS - https://www.cisecurity.org
|
||||
[^66]: DISA STIGs - https://public.cyber.mil/stigs
|
||||
[^67]: Kernel Self-Protection Project - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
|
||||
[^68]: Whonix Host - https://www.whonix.org/wiki/Whonix-Host
|
||||
[^69]: PlagueOS - https://0xacab.org/whichdoc/plagueos
|
||||
[^70]: BubbleWrap Sandbox - https://github.com/containers/bubblewrap
|
||||
[^71]: SalamanderSecurity's PARSEC repository - https://codeberg.org/SalamanderSecurity/PARSEC
|
||||
[^72]: Linux Hardening - https://madaidans-insecurities.github.io/guides/linux-hardening.html
|
||||
[^73]: FOIA request for Palantir operations - https://www.documentcloud.org/search/projectid:51061-Palantir-September-2020
|
||||
[^74]: HiddenVM - https://github.com/aforensics/HiddenVM
|
||||
[^76]: KVM - https://www.linux-kvm.org/
|
||||
[^77]: Oracle VirtualBox - https://virtualbox.org
|
||||
[^78]: Briar P2P Messenger - https://briarproject.org
|
||||
[^79]: PrivateBin - https://github.com/PrivateBin/PrivateBin
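Review bot: the renumbered sequence skips a number: `[^74]: HiddenVM` is followed directly by `[^76]: KVM`, and the old `[^41]: USB dead man's switch` entry has no counterpart in the renumbered block, so it looks like one footnote was lost during the shift (or `[^75]` was simply miscounted). Please check which it is and either restore the entry or close the gap, then confirm that every inline `[^n]` in the body was updated in the same change, since definitions here move by one or more positions (Kerckhoffs `[^42]` to `[^41]`, MITRE Countermeasures from an unnumbered line to `[^57]`, Briar `[^76]` to `[^78]`); a stale inline reference would silently cite the wrong source without any rendering error. Minor style point: `[^53]` is the only entry left without a descriptive label, so `[^53]: Qubes Canary Template - https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-template.txt` would match its `[^52]: Whonix Canary` neighbour.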
|