Fix broken anonpla link

arcanedev 2022-12-13 14:31:31 +00:00
parent cbd857c101
commit 54f123b3bc
No known key found for this signature in database
GPG Key ID: 13BA4BD4C14170C0
1 changed files with 10 additions and 6 deletions


@ -103,18 +103,22 @@ This section has been prioritized as hardware is at the core of your operations.
Unfortunately, there are no easy solutions in the realm of hardware. There are many rabbit holes one can take in regards to the avoidance of negative ring architecture (layers below the operating system), selecting processors that gut/avoid the use of MinixOS and Intel's management engine (ME), inherent vulnerabilities to the processor, chipsets that require proprietary blobs, and ultimately procuring hardware that isn't subject to side-loading attacks (can weaken device encryption).
Central processing units (CPU) have a narrowed list of options. For the vast majority of desktops and laptops, the competitors are Intel and AMD. Both of these CPUs have the potential for root level backdoors that are undetectable by your OS. Some privacy-oriented organizations, such as Purism and System76, claim to neutralize Intel's ME (See Purism's technical write-up[^4]). If you are going to select a system with an Intel CPU and detest this critical design, you are limited to a few options. You can shill out the money to System76 (disables ME) and Purism (neutralizes ME by gutting critical components), or you can flash the computer's motherboard with a Raspberry Pi by running the me_cleaner program[^5] (if supported processor/architecture) and installing coreboot[^6] in replace of the BIOS. The novice runs the risk of ruining their device, coupled with the fact that the setup was likely completed for legacy hardware that has unpatched vulnerabilities. This process is not a trivial task and will cause headaches for those who simply want the system to work. If you are not willing to shill out the money to one of these organizations that disables the ME and are not technologically savvy, consider using a CPU by AMD while noting that this is far from a silver bullet.This is not to say AMD's PSP is impervious to exploitation. See [^7].
Central processing units (CPU) have a narrowed list of options. For the vast majority of desktops and laptops, the competitors are Intel and AMD. Both of these CPUs have the potential for root level backdoors that are undetectable by your OS. Some privacy-oriented organizations, such as Purism and System76, claim to neutralize Intel's ME (See Purism's technical write-up[^4]). If you are going to select a system with an Intel CPU and detest this critical design, you are limited to a few options. You can shill out the money to System76 (disables ME) and Purism (neutralizes ME by gutting critical components), or you can flash the computer's motherboard with a Raspberry Pi by running the me_cleaner program[^5] (if supported processor/architecture) and installing coreboot[^6] in replace of the default BIOS. The novice runs the risk of ruining their device, coupled with the fact that the setup was likely completed for legacy hardware that has unpatched vulnerabilities. This process is not a trivial task and will cause headaches for those who simply want the system to work. If you are not willing to shill out the money to one of these organizations that disables ME and are not technologically savvy, consider using a CPU by AMD while noting that this is far from a silver bullet. This is not to say AMD's PSP is impervious to exploitation. See [^7].
## Operating System
Researching the right operating system (OS) for your specific operation can be a monstrous task. If Operations Security (OPSEC) is of utmost importance, then operating systems that generate excess logs and call home with telemetry and error reporting should be ruled out.
For desktop, this process eliminates Windows, Mac, and ChromiumOS/CloudReady from the race. While there are significant attempts at undermining Windows telemetry, this requires a substantial amount of effort that is bound to corrupt processes and retain the bloat from disabled software.
For desktop, this process eliminates Windows, Macintosh, and ChromiumOS/CloudReady from the race. While there are significant attempts at undermining telemetry on the distributions, this requires a substantial amount of effort that is bound to corrupt processes and retain the bloat from disabled software.
>Note: Solutions with Windows 10 aren't necessarily the anti-thesis to anti-forensics. These systems have excessive bloat, however they can pursue the same aims. Windows provides many areas to hide files amongst the system. Windows systems can also be an overload to inexperienced investigators with the caches, shellbags, shortcut files, monolithic registry hives, and a myriad of ways to set persistence mechanisms. This could force investigators to expend more time in the investigation. The reason it is avoided in this book is due to the proprietary blobs, bloatware, legacy protocols (which will continue to render it vulnerable to exploitation), and excess telemetry. In good faith, one could not claim to provide secure cryptography on a system that was designed for the aims of counterinsurgency.
GNU/Linux is one of the few operating system baselines that will not phone home and create excess logs locally. Even after making such a decision, whether that be Linux, BSD, or Xen, there are hundreds of derivatives to sift through. At the time of writing, the only anti-forensic friendly distributions designed to reduce the creation and storage of artifacts are TAILS and Whonix. However, any OS lacking telemetry with properly implemented full-disk encryption (FDE) and physical security is sufficient for the job of anti-forensics. If more persistence is desired while keeping distribution size minimal, hardened variants of Arch, Void, Gentoo, or Alpine are advised.
GNU/Linux is one of the few operating system baselines that will not phone home and create excess logs locally. Even after making such a decision, whether that be Linux, BSD, or Xen, there are hundreds of derivatives to sift through. At the time of writing, the only anti-forensic friendly distributions designed to reduce the creation and storage of artifacts are TAILS and Whonix. However, any OS lacking telemetry with properly implemented full-disk encryption (FDE) and physical security is sufficient for the job of anti-forensics. If more persistence is desired while keeping distribution size minimal, consider running hardened variants of the following distributions:
- Arch
- Void
- Gentoo
- Alpine
One more factor to consider for the OS selection is the service manager being used. There are plenty of security enthusiasts who justifiably denounce the use of the SystemD service manager (used to spawn processes like networking, scheduled tasks, logging, etc).[^8] There are a variety of service managers that have less bloat and a more simple codebase - OpenRC, runit, etc. The fact that most of these OSs are open-source results in the problem of funding. A side-project that has peaked a developer's interest often go long durations (if not permanently) without any efforts to maintain/patch. Some recommended OS alternatives without systemD at the time of writing include Artix (Arch variant)[^9], Void Linux[^10], and Alpine Linux[^11].
One more factor to consider for the OS selection is the service manager being used. There are plenty of security enthusiasts who justifiably denounce the use of the SystemD service manager (used to spawn processes like networking, scheduled tasks, logging, etc).[^8] There are a variety of service managers that have less bloat and a more simple codebase - OpenRC, runit, etc. The fact that most of these OSs are open-source results in the problem of funding. A side-project that has peaked a developer's interest often go long durations (if not permanently) without any efforts to maintain/patch. Some recommended OS alternatives without SystemD at the time of writing include Artix (Arch variant)[^9], Void Linux[^10], and Alpine Linux[^11].
>Note: Ideally, an operating system running a micro-kernel (minimal core) such as seL4 could be in the running. These alternatives are still too adolescent to advise with little community support.
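Review bot: this hunk goes well beyond the commit message ("Fix broken anonpla link"): besides the space fix after "silver bullet." and the "default BIOS" wording, it rewords the Windows paragraph and turns the Arch/Void/Gentoo/Alpine sentence into a list, and two of those rewordings make the text less accurate. "Mac" became "Macintosh", which names the hardware line rather than the operating system being ruled out (macOS), and "undermining Windows telemetry" became "undermining telemetry on the distributions", which drops the explicit subject and now reads as if it refers to Linux distributions; suggest "macOS" and keeping "Windows telemetry". While this paragraph is being touched, "SystemD" should follow the project's own spelling, "systemd", and "has peaked a developer's interest often go long durations" should read "has piqued a developer's interest often goes long durations". On the new list: the header's line count (18 to 22, room for exactly the four list items) means no blank line was added around the list, so check that a blank line still separates "- Alpine" from the "One more factor" paragraph, otherwise Markdown folds that paragraph into the last list item.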
@ -122,7 +126,7 @@ For mobile devices, options are extraordinarily limited. Phones are designed to
For Android, the best operating system to date is GrapheneOS.[^13] This operating system can only be flashed to Google Pixel variants. This is a security-centric OS that accounts for many hardening mechanisms from software to hardware. GrapheneOS encrypts the entire device using block-level encryption, unlike most Android versions which use file-level encryption. If physical forensics of the handset is an issue, GrapheneOS is the best solution.
GNU/Linux based phones, such as Pine64's Pine Phone[^14] or Purism's Librem 5,[^15] are now hitting the market. These devices are inherently insecure in early conception. One could consider these devices private but not secure. If an injection could reach the device, then all privacy is lost.
GNU/Linux based phones, such as Pine64's Pine Phone[^14] or Purism's Librem 5,[^15] are now hitting the market. These devices are inherently insecure in their early conceptions. One could consider these devices private but not secure. If an injection could reach the device, then all privacy is lost.
## Disable Logging
Disabling logs at the source is the best solution to ensure excess logs are not being stored. Daemons or processes can automate the process of log collection. This has its useful functions for both debugging and security (auditing), however it is detrimental to the idea of information retention. It is strongly advised to periodically shred the log files if not disabling the logging daemons entirely.
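Review bot: the revised wording "inherently insecure in their early conceptions" is still awkward, since "conception" refers to the idea of the device rather than its state; "inherently insecure in their early iterations" or "at this early stage" says what is meant. Two items in the unchanged context of this hunk are worth a follow-up commit: "Pine Phone" is sold as one word ("PinePhone"), and the claim that GrapheneOS uses block-level rather than file-level encryption should be verified against GrapheneOS's own documentation, because that distinction is the stated basis for the recommendation that follows it.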
@ -730,7 +734,7 @@ Donations to support projects under https://git.arrr.cloud/WhichDoc are welcome
[^27]: Ungoogled Chromium binaries - https://ungoogled-software.github.io/ungoogled-chromium-binaries/
[^28]: Bromite Browser - https://www.bromite.org
[^29]: Brave Browser - https://brave.com
[^30]: The Hitchhikers Guide to Online Anonymity (Browser Hardening) - https://anonymousplanet-ng.org/guide.html#appendix-v1-hardening-your-browsers
[^30]: The Hitchhikers Guide to Online Anonymity (Browser Hardening) - https://anonymousplanet.org/guide.html#appendix-v1-hardening-your-browsers
[^31]: DuckDuckGo - https://duckduckgo.com
[^32]: Searx instances - https://searx.space/
[^33]: TAILS - https://tails.boum.org
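Review bot: the fix swaps the host from anonymousplanet-ng.org to anonymousplanet.org but keeps the same #appendix-v1-hardening-your-browsers fragment; confirm the anchor exists on the new host, since a moved guide often regenerates its heading ids and a stale fragment silently lands the reader at the top of the page rather than failing. Minor: the guide's title is "The Hitchhiker's Guide to Online Anonymity" (with the apostrophe), which this entry drops in both the old and new line.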