(Or “How I learned to start worrying and love privacy anonymity”)
Version 1.1.7, June 2023 by Anonymous Planet
This is a message to the people of Ukraine. We strongly recommend that you use Briar for communication. You can find it here: https://briarproject.org/. With this application you can communicate even when there is no Internet. Manual here: https://briarproject.org/manual/uk/, quick start: https://briarproject.org/quick-start/uk/
This is a message for the people of Ukraine. We strongly recommend that you use Briar for communicating. You can find it here: https://briarproject.org/. With this application, you can communicate even when there is no internet. The manual is here: https://briarproject.org/manual/, quick-start guide here: https://briarproject.org/quick-start/
This guide is a work in progress. It will probably never be “finished”.
No affiliation with the Anonymous [Wikiless] [Archive.org] collective/movement.
There might be some wrong or outdated information in this guide because no one is perfect.
Your experience may vary. Remember to check regularly for an updated version of this guide.
This guide is a non-profit open-source initiative, licensed under Creative Commons Attribution-NonCommercial 4.0 International (cc-by-nc-4.0 [Archive.org]).
For mirrors see Appendix A6: Mirrors
For help in comparing versions see Appendix A7: Comparing versions
Feel free to submit issues (please do report anything wrong) using GitHub Issues at: https://github.com/Anon-Planet/thgtoa/issues
Feel free to come to discuss ideas at:
Rules for our chatrooms: https://anonymousplanet.org/chatrooms-rules.html
Matrix/Element Room: #anonymity:matrix.org
https://matrix.to/#/#anonymity:matrix.org
Matrix Space regrouping several rooms with similar interests: #privacy-security-anonymity:matrix.org
https://matrix.to/#/#privacy-security-anonymity:matrix.org
Follow us on:
Twitter at https://twitter.com/AnonyPla
Mastodon at https://mastodon.social/@anonymousplanet
To contact me, see the updated information on the website or send an e-mail to contact@anonymousplanet.org
Please consider donating if you enjoy the project and want to support the hosting fees or support the funding of initiatives like the hosting of Tor Exit Nodes.
There are several ways you could read this guide:
You want to understand the current state of online privacy and anonymity without necessarily getting too technical about it: Just read the Introduction, Requirements, Understanding some basics of how some information can lead back to you and how to mitigate those, and A final editorial note sections.
You want to do the above but also learn how to remove some online information about you: Just read the above and add the Removing some traces of your identities on search engines and various platforms.
You want to do the above and create online anonymous identities online safely and securely: Read the whole guide.
Precautions while reading this guide and accessing the various links:
Documents/Files have an [Archive.org] link next to them for accessing content through Archive.org for increased privacy and in case the content goes missing. Some links are not yet archived or are outdated on archive.org, in which case we encourage you to ask for a new save if possible.
YouTube Videos have an [Invidious] link next to them for accessing content through an Invidious Instance (in this case yewtu.be hosted in the Netherlands) for increased privacy. It is recommended to use these links when possible. See https://github.com/iv-org/invidious [Archive.org] for more information.
Twitter links have a [Nitter] link next to them for accessing content through a Nitter Instance (in this case nitter.net) for increased privacy. It is recommended to use these links when possible. See https://github.com/zedeus/nitter [Archive.org] for more information.
Wikipedia links have a [Wikiless] link next to them for accessing content through a Wikiless Instance (in this case Wikiless.org) for increased privacy. It is recommended to use these links when possible. See https://codeberg.org/orenom/wikiless [Archive.org] for more information.
Medium links have a [Scribe.rip] link next to them for accessing content through a Scribe.rip Instance for increased privacy. Again, it is recommended to use these links when possible. See https://scribe.rip/ [Archive.org] for more information.
If you are reading this in PDF or ODT format, you will notice plenty of ``` in place of double quotes (""). These ``` are there to ease conversion into Markdown/HTML format for online viewing of code blocks on the website.
If you do not want the hassle and use one of the browsers below, you could also just install the following extension on your browser: https://libredirect.github.io/ [Archive.org]:
Firefox: https://addons.mozilla.org/en-US/firefox/addon/libredirect/
Chromium-based browsers (Chrome, Brave, Edge): https://github.com/libredirect/libredirect/blob/master/chromium.md
If you are having trouble accessing any of the many academic articles referenced in this guide due to paywalls, feel free to use Sci-Hub (https://en.wikipedia.org/wiki/Sci-Hub [Wikiless] [Archive.org]) or LibGen (https://en.wikipedia.org/wiki/Library_Genesis [Wikiless] [Archive.org]) for finding and reading them. Because Science should be free. All of it. If you are faced with a paywall accessing some resources, consider using https://12ft.io/.
Finally, note that this guide does mention and even recommend various commercial services (such as VPNs, CDNs, e-mail providers, hosting providers…) but is not endorsed or sponsored by any of them in any way. There are no referral links and no commercial ties with any of these providers. This project is 100% non-profit and relies only on donations.
Understanding of the English language (in this case American English).
Be a permanent resident in Germany where the courts have upheld the legality of not using real names on online platforms (§13 VI of the German Telemedia Act of 2007 [1][2]). Alternatively, be a resident of any other country where you can confirm and verify the legality of this guide yourself.
This guide will assume you already have access to some (Windows/Linux/macOS) laptop computer - ideally not a work/shared device - and a basic understanding of how computers work.
Have patience, as this process could take several weeks to complete if you want to go through all the content.
Have some free time on your hands to dedicate to this process (depending on which route you pick).
Be prepared to read a lot of references (do read them), guides (do not skip them), and tutorials thoroughly (do not skip them either).
Don’t be evil (for real this time)3.
Understand that there is no common path that will be both quick and easy.
This guide is not intended for:
Creating bot accounts of any kind.
Creating impersonation accounts of existing people (such as identity theft).
Helping malicious actors conduct unethical, criminal, or illicit activities (such as trolling, stalking, disinformation, misinformation, harassment, bullying, or fraud).
Use by minors.
TLDR for the whole guide: “A strange game. The only winning move is not to play” 4.
Making a social media account with a pseudonym or artist/brand name is easy. And it is enough in most use cases to protect your identity as the next George Orwell. There are plenty of people using pseudonyms all over Facebook/Instagram/Twitter/LinkedIn/TikTok/Snapchat/Reddit/… But the vast majority of those are anything but anonymous and can easily be traced to their real identity by your local police officers, random people within the OSINT5 (Open-Source Intelligence) community, and trolls6 on 4chan7.
This is a good thing as most criminals/trolls are not tech-savvy and will usually be identified with ease. But this is also a terrible thing as most political dissidents, human rights activists and whistleblowers can also be tracked rather easily.
This guide aims to provide an introduction to various de-anonymization techniques, tracking techniques, ID verification techniques, and optional guidance on creating and maintaining reasonably and truly anonymous online identities, including social media accounts, safely. This includes mainstream platforms and not only the privacy-friendly ones.
It is important to understand that the purpose of this guide is anonymity and not just privacy but much of the guidance you will find here will also help you improve your privacy and security even if you are not interested in anonymity. There is an important overlap in techniques and tools used for privacy, security, and anonymity but they differ at some point:
Privacy is about people knowing who you are but not knowing what you are doing.
Anonymity is about people knowing what you are doing but not knowing who you are 8.
(Illustration from9)
Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not … Mossad will be doing “Mossad things” 10 and will probably find you no matter how hard you try to hide11.
You must consider your threat model12 before going further.
(Illustration by Randall Munroe, xkcd.com, licensed under CC BY-NC 2.5)
Will this guide help you protect your privacy from OSINT researchers like Bellingcat13, Doxing14 trolls on 4chan15, and others that have no access to the NSA toolbox? More likely. Though we would not be so sure about 4chan.
Here is a basic simplified threat model for this guide:
(Note that the “magical amulets/submarine/fake your own death” jokes are quoted from the excellent article “This World of Ours” by James Mickens, 2014.16)
Disclaimer: Jokes aside (magical amulet…). Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries but those are just out of the scope of this guide. It is crucially important that you understand the limits of the threat model of this guide. And therefore, this guide will not double in size to help with those advanced mitigations as this is just too complex and will require an exceedingly high knowledge and skill level that is not expected from the targeted audience of this guide.
The EFF provides a few security scenarios of what you should consider depending on your activity. While some of those tips might not be within the scope of this guide (more about Privacy than Anonymity), they are still worth reading as examples. See https://ssd.eff.org/en/module-categories/security-scenarios [Archive.org].
If you want to go deeper into threat modeling, see Appendix B3: Threat modeling resources.
You might think this guide has no legitimate use but there are many [17][18][19][20][21][22][23], such as:
Evading Online Censorship24
Evading Online Oppression
Evading Online Stalking, Doxxing, and Harassment
Evading Online Unlawful Government Surveillance
Anonymous Online Whistle Blowing
Anonymous Online Activism
Anonymous Online Journalism
Anonymous Online Legal Practice
Anonymous Online Academic Activities (For instance accessing scientific research where such resources are blocked). See note below.
…
This guide is written with hope for those good-intended individuals who might not be knowledgeable enough to consider the big picture of online anonymity and privacy.
Lastly, use it at your own risk. Anything in here is not legal advice and you should verify compliance with your local law before use (IANAL25). “Trust but verify”26 all the information yourself (or even better, “Never Trust, always verify”27). We strongly encourage you to inform yourself and do not hesitate to check any information in this guide with outside sources in case of doubt. Please do report any mistake you spot to us as we welcome criticism. Even harsh but sound criticism is welcome and will result in having the necessary corrections made as quickly as possible.
There are many ways you can be tracked besides browser cookies and ads, your e-mail, and your phone number. And if you think only the Mossad or the NSA/FSB can find you, you would be wrong.
First, you could also consider these more general resources on privacy and security to learn more basics:
The New Oil*: https://thenewoil.org/ [Archive.org]
Techlore videos*: https://www.youtube.com/c/Techlore [Invidious]
Privacy Guides: https://privacyguides.org/ [Archive.org]
Privacy Tools*: https://privacytools.io [Archive.org]
Note that these websites could contain affiliate/sponsored content and/or merchandising. This guide does not endorse and is not sponsored by any commercial entity in any way.
If you skipped those, you should really still consider viewing this YouTube playlist from the Techlore Go Incognito project (https://github.com/techlore-official/go-incognito [Archive.org]) as an introduction before going further: https://www.youtube.com/playlist?list=PL3KeV6Ui_4CayDGHw64OFXEPHgXLkrtJO [Invidious]. This guide will cover many of the topics in the videos of this playlist with more details and references, as well as some added topics not covered within that series. Watching it all will take you only 2 or 3 hours.
Now, here is a non-exhaustive list of some of the many ways you could be tracked and de-anonymized:
Disclaimer: this whole paragraph is about your public-facing Internet IP and not your local network IP.
Your IP address28 is the most known and obvious way you can be tracked. That IP is the IP you are using at the source. This is where you connect to the internet. That IP is usually provided by your ISP (Internet Service Provider) (xDSL, Mobile, Cable, Fiber, Cafe, Bar, Friend, Neighbor). Most countries have data retention regulations29 that mandate keeping logs of who is using what IP at a certain time/date for up to several years or indefinitely. Your ISP can tell a third party that you were using a specific IP at a specific date and time, years after the fact. If that IP (the original one) leaks at any point for any reason, it can be used to track you down directly. In many countries, you will not be able to have internet access without providing some form of identification to the provider (address, ID, real name, e-mail …).
Needless to say, most platforms (such as social networks) will also keep (sometimes indefinitely) the IP addresses you used to sign up and sign into their services.
Here are some online resources you can use to find some information about your current public IP right now:
Find your IP:
https://www.dnsleaktest.com/ (Bonus, check your IP for DNS leaks)
Find your IP location or the location of any IP:
Find if an IP is “suspicious” (in blacklists) or has downloaded “things” on some public resources:
https://iknowwhatyoudownload.com (Take this with a grain of salt, it might not show anything interesting and has limited data sources. This is more for fun than anything serious.)
Registration information of an IP (most likely your ISP or the ISP of your connection who most likely know who is using that IP at any time):
Check for open-services or open devices on an IP (especially if there are leaky Smart Devices on it):
Various tools to check your IP such as block-lists checkers and more:
Would you like to know if you are connected through Tor?
For those reasons, you will need to obfuscate and hide that origin IP (the one tied to your identification) or hide it through a combination of various means:
Using a public Wi-Fi service (free).
Using the Tor Anonymity Network30 (free).
Using VPN31 services anonymously (anonymously paid with cash or Monero).
Do note that, unfortunately, these solutions are not perfect, and you will experience performance issues32.
All those will be explained later in this guide.
DNS stands for “Domain Name System”33 and is a service used by your browser (and other apps) to find the IP addresses of a service. It is a huge “contact list” (phone book for older people): you ask it for a name and it returns the number to call, except that it returns an IP instead.
Every time your browser wants to access a certain service such as Google through www.google.com, your browser (Chrome or Firefox) will query a DNS service to find the IP addresses of the Google web servers.
Here is a video explaining DNS visually if you are already lost: https://www.youtube.com/watch?v=vrxwXXytEuI [Invidious]
Usually, the DNS service is provided by your ISP and automatically configured by the network you are connecting to. This DNS service could also be subject to data retention regulations or will just keep logs for other reasons (data collection for advertising purposes for instance). Therefore, this ISP will be capable of telling everything you did online just by looking at those logs, which can, in turn, be provided to an adversary. Conveniently, this is also the easiest way for many adversaries to apply censorship or parental control by using DNS blocking34. The provided DNS servers will give you a different address (than the real one) for some websites (like redirecting thepiratebay.org to some government website). Such blocking is widely applied worldwide for certain sites35.
Using a private DNS service or your own DNS service would mitigate these issues, but the other problem is that most of those DNS requests are by default still sent in clear text (unencrypted) over the network. Even if you browse PornHub in an incognito Window, using HTTPS and using a private DNS service, chances are exceedingly high that your browser will send a clear text unencrypted DNS request to some DNS servers asking basically “So what’s the IP address of www.pornhub.com?”.
Because it is not encrypted, your ISP and/or any other adversary could still intercept your request (using a Man-in-the-Middle attack36) and will know, and possibly log, what your IP was looking for. The same ISP can also tamper with the DNS responses even if you are using a private DNS, rendering the use of a private DNS service useless.
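To make the clear-text problem concrete, here is an added example (not code from the guide) that builds a plain UDP DNS query for a constructed name and then parses it exactly as a passive on-path observer would, recovering the queried domain from the raw bytes without any key or cooperation. The hostname and transaction ID are constructed sample values.

```python
"""Added example: what an eavesdropper reads from an unencrypted DNS query.
The query bytes are constructed locally (no network), then parsed the way a
passive sniffer would parse an RFC 1035 message captured on the wire."""
import struct
from typing import List, Tuple


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query (UDP payload only): header + one question."""
    # Header: ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed with its length, terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels = []
    resume = None  # where the caller continues once a pointer was followed
    hops = 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer, 14-bit offset into packet
            if resume is None:
                resume = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def sniff_questions(packet: bytes) -> List[Tuple[str, int]]:
    """Return the (name, qtype) pairs visible in the question section."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return questions


if __name__ == "__main__":
    # Constructed sample: the lookup a browser sends before opening an HTTPS page.
    pkt = build_dns_query("www.example.com")
    print("on the wire:", pkt.hex())
    for name, qtype in sniff_questions(pkt):
        print(f"observer sees a lookup for {name} (qtype {qtype}); HTTPS never hid it")
```

Nothing in the capture path needs to be decrypted: the domain sits in the first 30 bytes of the datagram, which is why the page recommends DoH/DoT rather than merely a different resolver.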
As a bonus, many devices and apps will use hardcoded DNS servers bypassing any system setting you could set. This is for example the case with most (70%) Smart TVs and a large part (46%) of Game Consoles37. For these devices, you will have to force them38 to stop using their hardcoded DNS service which could make them stop working properly.
A solution to this is to use encrypted DNS using DoH (DNS over HTTPS39), DoT (DNS over TLS40) with a private DNS server (this can be self-hosted locally with a solution like pi-hole41, remotely hosted with a solution like nextdns.io or using the solutions provided by your VPN provider or the Tor network). This should prevent your ISP or some go-between from snooping on your requests … except it might not.
Small in-between Disclaimer: This guide does not necessarily endorse or recommend Cloudflare services even if it is mentioned several times in this section for technical understanding.
Unfortunately, the TLS protocol used in most HTTPS connections in most browsers (Chrome/Brave among them) will leak the Domain Name again through SNI42 handshakes (this can be checked here at Cloudflare: https://www.cloudflare.com/ssl/encrypted-sni/ [Archive.org]). As of the writing of this guide, only Firefox-based browsers support ECH (Encrypted Client Hello43, previously known as eSNI44) on some websites, which will encrypt everything end to end (in addition to using a secure private DNS over TLS/HTTPS) and will allow you to hide your DNS requests from a third party45. This option is not enabled by default either, so you will have to enable it yourself.
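The SNI leak described above is easy to see on the wire. The added example below (not code from the guide) constructs a minimal TLS ClientHello for a sample hostname and then extracts the server_name extension the way a passive observer such as an ISP middlebox would; the hostname, cipher suite and extension set are constructed sample values.

```python
"""Added example: the hostname in a TLS ClientHello's server_name (SNI)
extension is readable by anyone on the path, even when DNS is encrypted.
A minimal ClientHello is built locally (no network) and then parsed."""
import os
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Build one TLS record carrying a ClientHello with an SNI extension."""
    name = hostname.encode("ascii")
    # server_name extension (RFC 6066): list of (name_type=0, length, host_name)
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # supported_versions extension (type 43) advertising TLS 1.3, as browsers do
    versions = b"\x02\x03\x04"
    sv_ext = struct.pack("!HH", 0x002B, len(versions)) + versions
    extensions = sni_ext + sv_ext
    body = (
        b"\x03\x03"                              # legacy_version: TLS 1.2
        + os.urandom(32)                         # random
        + b"\x00"                                # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: msg_type=ClientHello (1), 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type=handshake (22), record version, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None                              # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                              # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                 # skip legacy_version and random
    pos += 1 + body[pos]                         # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + body[pos]                         # skip compression_methods
    if pos + 2 > len(body):
        return None                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type != 0x0000:                   # only server_name interests us
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:                       # host_name entry
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")  # constructed sample hostname
    print("ClientHello on the wire:", hello.hex())
    print("on-path observer recovers SNI:", extract_sni(hello))
```

With ECH the same observer only recovers the client-facing server's public name from the outer ClientHello; the real hostname moves into the encrypted inner ClientHello.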
In addition to limited browser support, only web Services and CDNs46 behind Cloudflare CDN support ECH/eSNI at this stage47. This means that ECH and eSNI are not supported (as of the writing of this guide) by most mainstream platforms such as:
Amazon (including AWS, Twitch…)
Microsoft (including Azure, OneDrive, Outlook, Office 365…)
Google (including Gmail, Google Cloud…)
Apple (including iCloud, iMessage…)
YouTube
GitHub
…
Some countries like Russia48 and China49 might (unverified despite the articles) block ECH/eSNI handshakes at the network level to allow snooping and prevent bypassing censorship. Meaning you will not be able to establish an HTTPS connection with a service if you do not allow them to see what it was.
The issues do not end here. Part of the HTTPS TLS validation is called OCSP50, and this protocol, used by Firefox-based browsers, will leak metadata in the form of the serial number of the certificate of the website you are visiting. An adversary can then easily find which website you are visiting by matching the certificate number51. This issue can be mitigated by using OCSP stapling52. Unfortunately, this is enabled but not enforced by default in Firefox/Tor Browser, and the website you are visiting must also support it, which not all do. Chromium-based browsers, on the other hand, use a different system called CRLSets [53][54], which is arguably better.
Here is a list of how various browsers behave with OCSP: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/ [Archive.org]
Here is an illustration of the issue you could encounter on Firefox-based browsers:
Finally, even if you use a custom encrypted DNS server (DoH or DoT) with ECH/eSNI support and OCSP stapling, it might still not be enough as traffic analysis studies55 have shown it is still possible to reliably fingerprint and block unwanted requests. Only DNS over Tor was able to show efficient DNS Privacy in recent studies but even that can still be defeated by other means (see Your Anonymized Tor/VPN traffic).
One could also decide to use a Tor Hidden DNS Service or ODoH (Oblivious DNS over HTTPS56) to further increase privacy/anonymity but unfortunately, as far as we know, these methods are only provided by Cloudflare as of this writing (https://blog.cloudflare.com/welcome-hidden-resolver/ [Archive.org], https://blog.cloudflare.com/oblivious-dns/ [Archive.org]). These are workable and reasonably secure technical options but there is also a moral choice if you want to use Cloudflare or not (despite the risk posed by some researchers57).
Note that Oblivious DNS addresses an adversary that eavesdrops on one of the connections listed here but not all. It does not address a global passive adversary (GPA) who can eavesdrop on many or all of these connections:
traffic between the client resolver and the recursive resolver
the recursive resolver and the ODNS resolver
the ODNS resolver and an authoritative server
Lastly, there is also this new possibility called DoHoT which stands for DNS over HTTPS over Tor which could also further increase your privacy/anonymity and which you could consider if you are more skilled with Linux. See https://github.com/alecmuffett/dohot [Archive.org]. This guide will not help you with this one at this stage, but it might be coming soon.
Here is an illustration showing the current state of DNS and HTTPS privacy based on our current knowledge.
As for your normal daily use (non-sensitive), remember that only Firefox-based browsers support ECH (formerly eSNI) so far and that it is only useful with websites hosted behind Cloudflare CDN at this stage. If you prefer a Chrome-based version (which is understandable for some due to some better-integrated features like on-the-fly Translation), then we would recommend the use of Brave instead which supports all Chrome extensions and offers much better privacy than Chrome.
But the story does not stop there. Even after all this, even if you encrypt your DNS and use all possible mitigations, simple IP requests to any server will probably still allow an adversary to detect which site you are visiting. This is simply because the majority of websites have unique IPs tied to them, as explained here: https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an-ip-address/ [Archive.org]. This means that an adversary can create a dataset of known websites, including their IPs, and then match this dataset against the IP you ask for. In most cases, this will result in a correct guess of the website you are visiting. So despite OCSP stapling, despite ECH/eSNI, despite using encrypted DNS … an adversary can still guess the website you are visiting anyway.
Therefore, to mitigate all these issues (as much as possible and as best as we can), this guide will later recommend two solutions: using Tor, and a virtualized (see Appendix W: Virtualization) multi-layered VPN over Tor solution (DNS over VPN over Tor, or DNS over Tor). Other options will also be explained (Tor over VPN, VPN only, no Tor/VPN) but are less recommended.
RFID stands for Radio-frequency identification58; it is the technology used, for instance, for contactless payments and various identification systems. Of course, your smartphone is among those devices and has RFID contactless payment capabilities through NFC59. As with everything else, such capabilities can be used for tracking by various actors.
But unfortunately, this is not limited to your smartphone, and you also probably carry some RFID-enabled devices with you all the time, such as:
Your contactless-enabled credit/debit cards
Your store loyalty cards
Your transportation payment cards
Your work-related access cards
Your car keys
Your national ID or driver license
Your passport
The price/anti-theft tags on object/clothing
…
While none of these can be used to de-anonymize you from a remote online adversary, they can be used to narrow down a search if your approximate location at a certain time is known. For instance, you cannot rule out that some stores will effectively scan (and log) all RFID chips passing through the door. They might be looking for their loyalty cards but are also logging others along the way. Such RFID tags could be traced to your identity and allow for de-anonymization.
More information over at Wikipedia: https://en.wikipedia.org/wiki/Radio-frequency_identification#Security_concerns [Wikiless] [Archive.org] and https://en.wikipedia.org/wiki/Radio-frequency_identification#Privacy [Wikiless] [Archive.org]
The only way to mitigate this problem is to have no RFID tags on you or to shield them using a type of Faraday cage. You could also use specialized wallets/pouches that specifically block RFID communications. Many of those are now made by well-known brands such as Samsonite60. You should simply not carry such RFID devices while conducting sensitive activities.
See Appendix N: Warning about smartphones and smart devices
Geolocation is not only done by using mobile antenna triangulation. It is also done using the Wi-Fi and Bluetooth devices around you. Operating system makers like Google (Android61) and Apple (iOS62) maintain a convenient database of most Wi-Fi access points, Bluetooth devices, and their location. When your Android smartphone or iPhone is on (and not in Airplane mode), it will actively scan (unless you specifically disable this feature in the settings) the Wi-Fi access points and Bluetooth devices around you and will be able to geolocate you with more precision than when using GPS.
This active and continuous probing can then be sent back to Google/Apple/Microsoft as part of their telemetry. The issue is that this probing is unique and can be used to uniquely identify a user and track that user. Shops, for example, can use this technique to fingerprint customers, including when they return, where they go in the shop and how long they stay at a particular place. There are several papers [63][64] and articles65 describing this issue in depth.
This allows them to provide accurate locations even when GPS is off, but it also allows them to keep a convenient record of all Wi-Fi and Bluetooth devices all over the world, which can then be accessed by them or third parties for tracking.
Note: If you have an Android smartphone, Google probably knows where it is no matter what you do. You cannot really trust the settings. The whole operating system is built by a company that wants your data. Remember that if it is free then you are the product.
But that is not all those Wi-Fi access points can do. Recently developed techniques could even allow someone to track your movements accurately based only on radio interference. What this means is that it is possible to track your movement inside a room/building based on the radio signals passing through. This might seem like a tinfoil hat conspiracy theory claim, but here are the references66 with demonstrations showing this tech in action: http://rfpose.csail.mit.edu/ [Archive.org] and the video here: https://www.youtube.com/watch?v=HgDdaMy8KNE [Invidious]
Other researchers have found a way to count the people in a defined space using only Wi-Fi, see https://www.news.ucsb.edu/2021/020392/dont-fidget-wifi-will-count-you [Archive.org]
You could therefore imagine many use cases for such technologies, like recording who enters specific buildings/offices (hotels, hospitals, or embassies for instance) and then discovering who meets whom, thereby tracking them from outside, even if they have no smartphone on them.
Again, such an issue could only be mitigated by being in a room/building that would act as a Faraday cage.
Here is another video of the same kind of tech in action: https://www.youtube.com/watch?v=FDZ39h-kCS8 [Invidious]
See Appendix N: Warning about smartphones and smart devices
There is not much you can do about these, besides being non-identifiable in the first place.
These have been used at least since 2008 using an attack called “Jasager”67 and can be done by anyone using self-built tools or using commercially available devices such as Wi-Fi Pineapple68.
Here are some videos explaining more about the topic:
YouTube, Hak5, Wi-Fi Pineapple Mark VII https://www.youtube.com/watch?v=7v3JR4Wlw4Q [Invidious]
These devices can fit in a small bag and can take over the Wi-Fi environment of any place within their range, for instance a Bar/Restaurant/Café/Hotel Lobby. These devices can force Wi-Fi clients to disconnect from their current Wi-Fi (using de-authentication or disassociation attacks69) while spoofing the normal Wi-Fi networks at the same location. They will continue to perform this attack until your computer, or you, decide to try to connect to the rogue AP.
These devices can then mimic a captive portal70 with the exact same layout as the Wi-Fi you are trying to access (for instance an Airport Wi-Fi registration portal). Or they could just give you unrestricted internet access that they will themselves get from the same place.
Once you are connected through the Rogue AP, this AP will be able to execute various man-in-the-middle attacks to perform analysis on your traffic. These could be malicious redirections or simple traffic sniffing. These can then easily identify any client that would for instance try to connect to a VPN server or the Tor Network.
This can be useful when you know someone you want to de-anonymize is in a crowded place, but you do not know who. This would allow such an adversary to possibly fingerprint any website you visit despite the use of HTTPS, DoT, DoH, ODoH, VPN, or Tor using traffic analysis as pointed above in the DNS section.
These can also be used to carefully craft and serve you advanced phishing webpages that would harvest your credentials or try to make you install a malicious certificate allowing them to see your encrypted traffic.
How to mitigate those? If you do connect to a public Wi-Fi access point, use Tor, or use a VPN and then Tor (Tor over VPN), or even VPN over Tor, to obfuscate your traffic from the rogue AP while still using it.
Tor and VPNs are not silver bullets. Many advanced techniques have been developed and studied to de-anonymize encrypted Tor traffic over the years71. Most of those techniques are Correlation attacks that will correlate your network traffic in one way or another to logs or datasets. Here are some examples:
There are ways to mitigate these such as:
Do not use Tor/VPNs to access services that are on the same network (ISP) as the destination service. For example, do not connect to Tor from your University Network to access a University Service anonymously. Instead, use a different source point (such as a public Wi-Fi) that cannot be correlated easily by an adversary.
Do not use Tor/VPN from an obviously heavily monitored network (such as a corporate/governmental network) but instead try to find an unmonitored network such as a public Wi-Fi or a residential Wi-Fi.
Consider the use of multiple layers (such as VPN over Tor, which this guide will recommend later). The destination service then sees a VPN IP rather than a Tor exit, and your local network only sees a connection to Tor; an adversary watching either end does not see the full path, so seeing that someone reached the service through a VPN does not by itself reveal that it was you.
Be aware again that this might not be enough against a motivated global adversary77 with wide access to global mass surveillance. Such an adversary might have access to logs no matter where you are and could use those to de-anonymize you. Some of these attacks also rely on the adversary running a large share of the relays themselves, which is known as a Sybil attack78. These adversaries are out of the scope of this guide.
Be also aware that all the other methods described in this guide such as Behavioral analysis can also be used to deanonymize Tor users indirectly (see further Your Digital Fingerprint, Footprint, and Online Behavior).
I also strongly recommend reading this thorough and more detailed guide on most known attack vectors on Tor: https://github.com/Attacks-on-Tor/Attacks-on-Tor [Archive.org] as well as this research publication: https://www.researchgate.net/publication/323627387_Shedding_Light_on_the_Dark_Corners_of_the_Internet_A_Survey_of_Tor_Research [Archive.org]
As well as this great series of blog posts: https://www.hackerfactor.com/blog/index.php?/archives/906-Tor-0day-The-Management-Vulnerability.html [Archive.org]
In 2014, one such attack was attempted on the Tor network; more information here: https://arstechnica.com/information-technology/2014/07/active-attack-on-tor-network-tried-to-decloak-users-for-five-months/ [Archive.org]
Lastly, do remember that using Tor can already be considered suspicious activity79, and its use could be considered malicious by some80.
This guide will later propose some mitigations to such attacks by changing your origin from the start (using public Wi-Fi for instance). Remember that such attacks are usually carried out by highly skilled, highly resourceful, and motivated adversaries and are out of scope for this guide. It is also recommended that you learn about practical correlation attacks, as performed by intelligence agencies: https://officercia.mirror.xyz/WeAilwJ9V4GIVUkYa7WwBwV2II9dYwpdPTp3fNsPFjo [Archive.org]
Disclaimer: it should also be noted that Tor is not designed to protect against a global adversary. For more information see https://svn-archive.torproject.org/svn/projects/design-paper/tor-design.pdf [Archive.org] and specifically, “Part 3. Design goals and assumptions.”.
You have seen this in action/spy/sci-fi movies and shows: the protagonists always remove the battery of their phones to make sure they cannot be used. Most people would think that is overkill. Well, unfortunately, no, this is now becoming true at least for some devices:
Such devices keep broadcasting identity information to nearby devices over Bluetooth Low Energy85 even when they are offline. The vendor has no direct access to an offline device (it is not connected to the internet) but uses BLE to find it through other nearby devices86: the offline device broadcasts its status over short-range peer-to-peer Bluetooth, and nearby online devices relay it to the vendor.
The vendor can then locate such devices and keep the location in a database that could be used by third parties or by the vendor itself for various purposes (including analytics, advertising, or evidence/intelligence gathering).
See Appendix N: Warning about smartphones and smart devices
TLDR: Do not take such devices with you when conducting sensitive activities.
The IMEI (International Mobile Equipment Identity87) and the IMSI (International Mobile Subscriber Identity88) are unique numbers created by cell phone manufacturers and cell phone operators.
The IMEI is tied directly to the phone you are using. This number is known and tracked by the cell phone operators and known by the manufacturers. Every time your phone connects to the mobile network, it registers the IMEI on the network along with the IMSI (if a SIM card is inserted; a SIM is not even needed for the IMEI to be transmitted, for instance for emergency calls). It is also used by many applications (banking apps abusing the phone permission on Android for instance89) and by smartphone operating systems (Android/iOS) to identify the device90. It is possible but difficult (and illegal in some jurisdictions91) to change the IMEI of a phone, but it is probably easier and cheaper to just find and buy some old (working) burner phone for a few Euros (this guide is for Germany, remember) at a flea market or some random small shop.
The IMSI is tied directly to the mobile subscription or pre-paid plan you are using and is tied to your phone number by your mobile provider. The IMSI is hardcoded directly on the SIM card and cannot be changed. Remember that every time your phone connects to the mobile network, it will also register the IMSI on the network along with the IMEI. Like the IMEI, the IMSI is also being used by some applications and smartphone Operating systems for identification and is being tracked. Some countries in the EU for instance maintain a database of IMEI/IMSI associations for easy querying by Law Enforcement.
Today, giving away your (real) phone number is as bad as, or worse than, giving away your Social Security number/passport ID/national ID.
The IMEI and IMSI can be traced back to you in at least six ways:
The mobile operator's subscriber logs will usually store the IMEI along with the IMSI in their subscriber information database. If you use a prepaid anonymous SIM (anonymous IMSI but with a known IMEI), they can see that this phone belongs to you if you used it before with a different SIM card (a different anonymous IMSI but the same known IMEI).
The mobile operator's antenna logs conveniently keep a record of which IMEI/IMSI pair connected, along with connection data. They know and log for instance that a phone with this IMEI/IMSI combination connected to a set of antennas and how strong the signal to each of those antennas was, allowing easy triangulation/geolocation of the signal. They also know which other phones (your real one for instance) connected at the same time to the same antennas with similar signal strength. This makes it possible to establish that this “burner phone” was always at the same place/time as this other “known phone”, which shows up every time the burner phone is used. This information can be, and is, used by various third parties to geolocate/track you quite precisely92’93.
The manufacturer of the phone can trace back the sale of the phone using the IMEI if that phone was bought in a non-anonymous way. Indeed, they will have logs of each phone sale (including serial number and IMEI), and of which shop/person it was sold to. If you are using a phone that you bought online (or from someone that knows you), it can be traced to you using that information. Even if they do not find you on CCTV94 and you bought the phone with cash, they can still find what other phone (your real one in your pocket) was there (in that shop) at that time/date by using the antenna logs.
The IMSI alone can be used to find you as well because most countries now require customers to provide an ID when buying a SIM card (subscription or pre-paid). The IMSI is then tied to the identity of the buyer of the card. In the countries where the SIM can still be bought with cash (like the UK), they still know where (which shop) it was bought and when. This information can then be used to retrieve information from the shop itself (such as CCTV footage as for the IMEI case). Or again the antenna logs can also be used to figure out which other phone was there at the moment of the sale.
The smartphone OS makers (Google/Apple for Android/iOS) also keep logs of IMEI/IMSI identifications tied to Google/Apple accounts and of which user has been using them. They too can trace back the history of the phone and to which accounts it was tied in the past95.
Government agencies around the world interested in your phone number can and do use96 special devices called “IMSI catchers”97 like the Stingray98 or more recently the Nyxcell99. These devices can impersonate (to spoof) a cell phone Antenna and force a specific IMSI (your phone) to connect to it to access the cell network. Once they do, they will be able to use various MITM100 (Man-In-The-Middle Attacks) that will allow them to:
Tap your phone (voice calls and SMS).
Sniff and examine your data traffic.
Impersonate your phone number without controlling your phone.
…
Here is also a good YouTube video on this topic: DEFCON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real-Time https://www.youtube.com/watch?v=siCk4pGGcqA [Invidious]
For these reasons, it is crucial to get a dedicated anonymous phone number and/or an anonymous burner phone with a cash-bought pre-paid sim card that is not tied to you in any way (past or present) for conducting sensitive activities. It is also possible to get an anonymous pre-paid but preferably dedicated number from free and paid online services accepting anonymous cryptocurrencies like Monero. Get more practical guidance here: Getting an anonymous Phone number.
While there are some smartphone manufacturers like Purism with their Librem series101 who claim to have your privacy in mind, they still do not allow IMEI randomization, which we believe is a key anti-tracking feature that should be provided by such manufacturers. While this measure would not prevent IMSI tracking via the SIM card, it would at least allow you to keep the same “burner phone” and only switch SIM cards instead of having to switch both for privacy.
See Appendix N: Warning about smartphones and smart devices
The MAC address102 is a unique identifier tied to your physical network interface (wired Ethernet or Wi-Fi) and could of course be used to track you if it is not randomized. As was the case with the IMEI, manufacturers of computers and network cards usually keep logs of their sales (usually including things like serial number, IMEI, MAC addresses, …) and it is again possible for them to track where and when the computer with the MAC address in question was sold and to whom. Even if you bought it with cash in a supermarket, the supermarket might still have CCTV (or there might be a CCTV just outside that shop) and again the time/date of sale could be used to find out who was there using the mobile provider antenna logs at that time (IMEI/IMSI).
Operating Systems makers (Google/Microsoft/Apple) will also keep logs of devices and their MAC addresses in their logs for device identification (Find my device type services for example). Apple can tell that the MacBook with this specific MAC address was tied to a specific Apple Account before. Maybe yours before you decided to use the MacBook for sensitive activities. Maybe to a different user who sold it to you but remembers your e-mail/number from when the sale happened.
Your home router/Wi-Fi access point keeps logs of devices that are registered on the Wi-Fi, and these can be accessed too to find out who has been using your Wi-Fi. Sometimes this can be done remotely (and silently) by the ISP depending on if that router/Wi-Fi access point is being “managed” remotely by the ISP (which is often the case when they provide the router to their customers).
Some commercial devices will keep a record of MAC addresses roaming around for various purposes such as road congestion103.
So, it is important again not to bring your phone along when/where you conduct sensitive activities. If you use your own laptop, then it is crucial to hide that MAC address (and Bluetooth address) anywhere you use it and be extra careful not to leak any information. Thankfully, many recent OSes now feature or allow MAC address randomization (Android, iOS, Linux, and Windows 10/11), with the notable exception of macOS, which did not support Wi-Fi MAC randomization as of this version of the guide.
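As an added illustration (not code from this guide), here is a small Python helper showing what a properly randomized address looks like and how to ask NetworkManager on Linux to randomize it per connection. Two bits of the first octet matter: the address must stay unicast (bit 0 clear) and must be flagged as locally administered (bit 1 set), otherwise some drivers reject it or it collides with a vendor-assigned OUI. The SSID is an assumption for the example; the keyfile keys are NetworkManager's documented `cloned-mac-address` and `addr-gen-mode` settings, the latter because an EUI-64 IPv6 address would otherwise embed the MAC you just hid.

```python
import os
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into six bytes; raises ValueError on bad input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in mac.split(":"))


def is_unicast(mac: str) -> bool:
    # Bit 0 of the first octet is the I/G bit: 0 = individual (unicast) address.
    return parse_mac(mac)[0] & 0x01 == 0


def is_locally_administered(mac: str) -> bool:
    # Bit 1 of the first octet is the U/L bit: 1 = locally administered, i.e. not a
    # vendor-assigned (OUI) address. Every randomized address must have it set.
    return parse_mac(mac)[0] & 0x02 != 0


def random_mac(rng=os.urandom) -> str:
    """Generate a random unicast, locally administered MAC address."""
    octets = bytearray(rng(6))
    octets[0] = (octets[0] & 0xFC) | 0x02  # clear I/G bit, set U/L bit
    return ":".join(f"{b:02x}" for b in octets)


def nm_keyfile(ssid: str, mode: str = "random") -> str:
    """NetworkManager keyfile profile for `ssid` with MAC randomization.

    mode "random": a new address on every connection (best for one-off public Wi-Fi).
    mode "stable": one random address per profile, kept across reconnects (for captive
    portals that re-authenticate by MAC during a session).
    """
    if mode not in ("random", "stable"):
        raise ValueError("mode must be 'random' or 'stable'")
    return (
        "[connection]\n"
        f"id={ssid}\n"
        "type=wifi\n"
        "\n"
        "[wifi]\n"
        f"ssid={ssid}\n"
        f"cloned-mac-address={mode}\n"
        "\n"
        "[ipv6]\n"
        "method=auto\n"
        "addr-gen-mode=stable-privacy\n"  # no EUI-64 address derived from the MAC
    )


if __name__ == "__main__":
    print("example randomized address:", random_mac())
    print(nm_keyfile("Airport-Free-WiFi"))  # constructed SSID for the example
```

Save the generated profile under /etc/NetworkManager/system-connections/ with mode 0600 and run `nmcli connection reload`; `ip link show` for the Wi-Fi interface should then display a link/ether address whose second hex digit is 2, 6, a or e (the locally administered, unicast pattern), different from the one printed on the laptop's label.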
See Appendix N: Warning about smartphones and smart devices
Your Bluetooth MAC is like the earlier MAC address except it is for Bluetooth. Again, it can be used to track you as manufacturers and operating system makers keep logs of such information. It could be tied to a sale place/time/date or accounts and then could be used to track you with such information, the shop billing information, the CCTV, or the mobile antenna logs in correlation.
Operating systems have protections in place to randomize those addresses but are still subject to vulnerabilities104.
For this reason, and unless you really need those, you should just disable Bluetooth completely in the BIOS/UEFI settings if possible or in the Operating System otherwise.
On Windows 10, you will need to disable and enable the Bluetooth device in the device manager itself to force randomization of the address for next use and prevent tracking.
In general, this should not be too much of a concern compared to MAC Addresses. BT Addresses are randomized quite often.
See Appendix N: Warning about smartphones and smart devices
All modern CPUs105 now integrate hidden management platforms such as the now infamous Intel Management Engine106 and the AMD Platform Security Processor107.
These management platforms are small operating systems running on a dedicated processor inside your CPU or chipset for as long as the machine has power. They have full access to your computer's network and could be used by an adversary to de-anonymize you in various ways (through direct access or through malware, for instance), as shown in this enlightening video: BlackHat, How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine https://www.youtube.com/watch?v=9fhNokIgBMU [Invidious].
These have already been affected by several security vulnerabilities in the past108 that allowed malware to gain control of target systems. These are also accused by many privacy actors including the EFF and Libreboot of being a backdoor into any system109.
There are some not so straightforward ways110 to disable the Intel IME on some CPUs and you should do so if you can. For some AMD laptops, you can disable it within the BIOS settings by disabling PSP.
Note that, in AMD's defense, far fewer security issues have been found in the PSP (now called the AMD Secure Processor, ASP) than in the Intel ME, and no backdoor has been found either. See https://www.youtube.com/watch?v=bKH5nGLgi08&t=2834s [Invidious]. In addition, the AMD PSP does not provide any remote management capabilities, contrary to the Intel ME.
If you are feeling a bit more adventurous, you could install your own BIOS using Coreboot 111 or Libreboot (a distribution of Coreboot) if your laptop supports it. Coreboot allows users to add their own microcode or other firmware blobs in order for the machine to function, but this is based upon user choice, and as of Dec 2022, Libreboot has adopted a similar pragmatic approach in order to support newer devices in the Coreboot tree. (Thanks, kind Anon who corrected previous information in this paragraph.)
Check yourself:
If you are using Linux you can check the vulnerability status of your CPU to Spectre/Meltdown attacks by using https://github.com/speed47/spectre-meltdown-checker [Archive.org] which is available as a package for most Linux distros including Whonix. Spectre is a transient execution attack. There is also PoC code for Spectre v1 and v2 on iPhone devices here: https://github.com/cispa/BranchDifferent [Archive.org] and here https://misc0110.net/files/applespectre_dimva22.pdf [Archive.org]
If you are using Windows, you can check the vulnerability status of your CPU using inSpectre https://www.grc.com/inspectre.htm [Archive.org]
Some CPUs have unfixable flaws (especially Intel CPUs) that could be exploited by various malware. Here is a good current list of such vulnerabilities affecting recent widespread CPUs: https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability [Wikiless] [Archive.org]
Some of these can be avoided using Virtualization Software settings that can mitigate such exploits. See this guide for more information https://www.whonix.org/wiki/Spectre_Meltdown [Archive.org] (warning: these can severely impact the performance of your VMs).
This guide won’t go too deep into side-channel and microarchitecture attacks but we will highlight some issues with both Intel and AMD CPU architectures that will be mitigated throughout. It’s important to recognize hardware is just as susceptible to bugs, and therefore exploitation, regardless of manufacturer.
We will mitigate some of these issues in this guide by recommending the use of virtual machines on a dedicated anonymous laptop for your sensitive activities that will only be used from an anonymous public network.
In addition, we recommend the use of AMD CPUs instead of Intel CPUs.
Whether it is Android, iOS, Windows, macOS, or even Ubuntu, most popular operating systems now collect telemetry information by default, even if you never opted in or opted out112 from the start. Some, like Windows, will not even allow disabling telemetry completely without some technical tweaks. This information collection can be extensive and include a staggering number of details (metadata and data) on your devices and their usage.
Here are good overviews of what is being collected by those five popular OSes in their latest versions:
Android/Google:
Just have a read at their privacy policy https://policies.google.com/privacy [Archive.org]
School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf [Archive.org]
IOS/Apple:
More information at https://www.apple.com/legal/privacy/en-ww/ [Archive.org] and https://support.apple.com/en-us/HT202100 [Archive.org]
School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf [Archive.org]
Apple does claim113 that they anonymize this data using differential privacy114 but you will have to trust them on that.
Windows/Microsoft:
Full list of required diagnostic data: https://docs.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004 [Archive.org]
Full list of optional diagnostic data: https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data [Archive.org]
macOS:
Ubuntu:
Not only are operating systems gathering telemetry, but so are the apps themselves, like browsers, mail clients, and social networking apps installed on your system.
It is important to understand that this telemetry data can be tied to your device and help de-anonymizing you and later can be used against you by an adversary that would get access to this data.
This does not mean for example that Apple devices are terrible choices for good privacy (though this might be changing115), but they are certainly not the best choices for (relative) anonymity. They might protect you from third parties knowing what you are doing, but not from Apple itself. In all likelihood, Apple knows who you are.
Later in this guide, we will use all the means at our disposal to disable and block as much telemetry as possible to mitigate this attack vector in the Operating Systems supported in this guide. These will include Windows, macOS, and even Linux in some regard.
See Appendix N: Warning about smartphones and smart devices
You got it; your smartphone is an advanced spying/tracking device that:
Listens for, and can record, what you say at any time (“Hey Siri”, “Hey Google”).
Records your location everywhere you go.
Always records other devices around you (Bluetooth devices, Wi-Fi Access points).
Records your habits and health data (steps, screen time, exposure to diseases, connected devices data)
Records all your network locations.
Records all your pictures and videos (and most likely where they were taken).
Has most likely access to most of your known accounts including social media, messaging, and financial accounts.
Data is being transmitted even if you opt-out116, processed, and stored indefinitely (most likely unencrypted117) by various third parties118.
But that is not all, this section is not called “Smartphones” but “Smart devices” because it is not only your smartphone spying on you. It is also every other smart device you could have:
Your Smart Watch? (Apple Watch, Android Smartwatch …)
Your Fitness Devices and Apps119‘120? (Strava121’122, Fitbit123, Garmin, Polar124, …)
Your Smart Speaker? (Amazon Alexa125, Google Echo, Apple Homepod …)
Your Smart Transportation? (Car? Scooter?)
Your Smart Tags? (Apple AirTag, Galaxy SmartTag, Tile…)
Your Car? (Yes, most modern cars have advanced logging/tracking features these days126)
Any other Smart device? There are even convenient search engines dedicated to finding them online:
See Appendix N: Warning about smartphones and smart devices
Conclusion: Do not bring your smart devices with you when conducting sensitive activities.
Your metadata is all the information about your activities without the actual content of those activities. For instance, it is like knowing you had a call from an oncologist before then calling your family and friends successively. You do not know what was said during the conversation, but you can guess what it was just from the metadata127.
This metadata will also often include your location, which is harvested by smartphones, operating systems (Android128/iOS), browsers, apps and websites. Odds are several companies know exactly where you are at any time129 because of your smartphone130.
This location data has been used in many judicial cases131 already as part of “geofencing warrants” 132 that allow law enforcement to ask companies (such as Google/Apple) a list of all devices present at a certain location at a certain time. In addition, this location data is even sold by private companies to the military who can then use it conveniently133. These warrants are becoming widely used by law enforcement134‘135’136.
If you want to experience yourself what a “geofencing warrant” would look like, here is an example: https://wigle.net/.
Now let us say you are using a VPN to hide your IP. The social media platform knows you were active on that account on November 4th from 8 am to 1 pm with that VPN IP. The VPN allegedly keeps no logs and cannot trace back that VPN IP to your IP. Your ISP however knows (or at least can know) you were connected to that same VPN provider on November 4th from 7:30 am to 2 pm but does not know what you were doing with it.
The question is: Is there someone somewhere that would have both pieces of information available137 for correlation in a convenient database?
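To make that question concrete, here is an added Python example (not from this guide) that plays the adversary described in the two paragraphs above and in the correlation-attack discussion earlier: it takes constructed ISP records of which subscriber line tunnelled to the VPN provider's addresses and when, constructed service records of when the account was active from the provider's egress address, and counts which line's tunnel sessions cover every activity window. All IP addresses, line names, account names and timestamps are made up for the example. Real attacks also compare byte counts and packet timing; time windows alone are the simplest version, and a single overlap proves nothing, which is why the code scores across several sessions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    who: str         # subscriber line (ISP view) or account name (service view)
    peer: str        # IP the ISP saw the line talk to / IP the service saw the account come from
    start: datetime
    end: datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Addresses the adversary attributes to the VPN provider (ingress and egress).
# Everything below is constructed for this example; these are documentation ranges.
VPN_PROVIDER_IPS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}

# What the ISP can see: which line opened a tunnel to the provider, and when.
ISP_LOG = [
    Session("line-A", "198.51.100.10", ts("2023-11-04T07:30"), ts("2023-11-04T14:00")),
    Session("line-B", "198.51.100.10", ts("2023-11-04T09:00"), ts("2023-11-04T10:00")),
    Session("line-C", "198.51.100.11", ts("2023-11-04T06:00"), ts("2023-11-04T23:00")),
    Session("line-A", "198.51.100.11", ts("2023-11-06T18:00"), ts("2023-11-06T22:00")),
    Session("line-B", "198.51.100.10", ts("2023-11-06T18:30"), ts("2023-11-06T21:00")),
    Session("line-A", "198.51.100.10", ts("2023-11-09T12:00"), ts("2023-11-09T13:00")),
]

# What the service (or a subpoena to it) yields: when the account was active and from where.
SERVICE_LOG = [
    Session("@throwaway", "203.0.113.5", ts("2023-11-04T08:00"), ts("2023-11-04T13:00")),
    Session("@throwaway", "203.0.113.5", ts("2023-11-06T19:00"), ts("2023-11-06T20:30")),
    Session("@throwaway", "203.0.113.5", ts("2023-11-09T12:15"), ts("2023-11-09T12:45")),
]


def covers(tunnel: Session, activity: Session, slack: timedelta = timedelta(minutes=5)) -> bool:
    """True if the tunnel session spans the whole activity window (with some clock slack)."""
    return tunnel.start - slack <= activity.start and activity.end <= tunnel.end + slack


def correlate(account, isp_log, service_log, provider_ips):
    """Rank ISP lines by how many of the account's VPN-sourced sessions each could explain.

    Returns [(line, matched_sessions, fraction_of_all_sessions), ...], best first.
    """
    activity = [s for s in service_log if s.who == account and s.peer in provider_ips]
    tunnels = [s for s in isp_log if s.peer in provider_ips]
    hits = Counter()
    for act in activity:
        for tun in tunnels:
            if covers(tun, act):
                hits[tun.who] += 1
    return [(line, n, n / len(activity)) for line, n in hits.most_common()]


if __name__ == "__main__":
    for line, n, frac in correlate("@throwaway", ISP_LOG, SERVICE_LOG, VPN_PROVIDER_IPS):
        print(f"{line}: covers {n} session(s) ({frac:.0%})")
```

In the constructed data, line-C happens to be online all day on the 4th and line-B overlaps the session on the 6th, so each looks plausible once; only line-A explains all three sessions. Every extra session you run from the same home connection narrows the candidate set further, which is exactly why the mitigations above push you to change your origin rather than rely on the tunnel alone.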
Have you heard of Edward Snowden138? Now is the time to google him and read his book139. Also read about XKEYSCORE140’141, MUSCULAR142, SORM143, Tempora144 , and PRISM145.
See “We kill people based on Metadata”146 or this famous tweet from the IDF https://twitter.com/idf/status/1125066395010699264 [Archive.org] [Nitter].
See Appendix N: Warning about smartphones and smart devices
This is the part where you should watch the documentary “The Social Dilemma”147 on Netflix as they cover this topic much better than anyone else.
This includes the way you write (stylometry)148‘149 and the way you behave150’151: the way you click, the way you browse, the fonts you use in your browser152. Fingerprinting is used to guess who someone is by the way that user behaves. You might be using specific pedantic words or making specific spelling mistakes that could give you away with a simple Google search for similar features, because you typed comparably in some Reddit post 5 years ago using a not-so-anonymous Reddit account153. The words you type in a search engine alone can be used against you, as authorities now obtain warrants to find users who searched for specific keywords154.
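As an added example (not part of this guide), the Python below does the crudest form of stylometry: it counts a handful of function words and punctuation marks per 100 words, turns that into a vector, and ranks known writing samples by cosine similarity to an unknown text. The three texts and the marker list are constructed for the example. Real tools use hundreds of features (character n-grams, part-of-speech patterns) over thousands of candidate authors, but the mechanism is the same: habits you do not notice, such as “whilst”, “rather” or a fondness for semicolons, survive a change of username.

```python
import math
import re
from collections import Counter

# Marker features: function words and punctuation. Function words are hard to
# suppress consciously, which is why stylometry leans on them. List is arbitrary.
WORD_MARKERS = ["the", "is", "it", "whilst", "rather", "moreover", "perhaps",
                "gonna", "lol", "idk", "like", "honestly", "super", "yeah"]
PUNCT_MARKERS = [";", "!", "?", ","]


def features(text: str) -> dict:
    """Marker frequencies per 100 words (punctuation also normalised by word count)."""
    words = re.findall(r"[a-z']+", text.lower())
    n = max(len(words), 1)
    counts = Counter(words)
    vec = {w: counts[w] / n * 100 for w in WORD_MARKERS}
    for p in PUNCT_MARKERS:
        vec[p] = text.count(p) / n * 100
    return vec


def cosine(a: dict, b: dict) -> float:
    dot = sum(a[k] * b[k] for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def attribute(unknown: str, known: dict) -> list:
    """Rank candidate authors by similarity to the unknown text, best first."""
    u = features(unknown)
    ranked = sorted(((cosine(u, features(t)), name) for name, t in known.items()), reverse=True)
    return [(name, round(score, 3)) for score, name in ranked]


# Constructed writing samples: an old, non-anonymous account and an unrelated user.
KNOWN = {
    "old_reddit_account": (
        "Whilst the proposal has merit, it is rather unclear whether the committee will "
        "endorse it; the budget, moreover, is rather tight. Whilst I appreciate the effort, "
        "the timeline seems rather ambitious; perhaps we should revisit it next quarter."
    ),
    "unrelated_user": (
        "lol yeah that's gonna be a problem! idk, maybe we just wing it? honestly the "
        "budget is super tight and like nobody cares about the timeline anyway!!"
    ),
}

# A post made from a fresh "anonymous" account, same author as the old account.
UNKNOWN = (
    "Whilst the plan is sound, the figures are rather optimistic; the committee, moreover, "
    "will want evidence. Whilst I remain supportive, it is rather premature; let us revisit it."
)

if __name__ == "__main__":
    for name, score in attribute(UNKNOWN, KNOWN):
        print(f"{name}: {score}")
```

The anonymous post lands on the old account with a similarity above 0.9 and on the unrelated user below 0.5, purely from “whilst”, “rather”, “moreover” and the semicolons; no names, topics or spelling mistakes were needed. Appendix A4 covers how to break such habits deliberately.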
Social Media platforms such as Facebook/Google can go a step further and can register your behavior in the browser itself. For instance, they can register everything you type even if you do not send it / save it. Think of when you draft an e-mail in Gmail. It is saved automatically as you type. They can register your clicks and cursor movements as well.
All they need to achieve this in most cases is Javascript enabled in your browser (which is the case in most Browsers including Tor Browser by default). Even with Javascript disabled, there are still ways to fingerprint you155.
While these methods are usually used for marketing purposes and advertising, they can also be a useful tool for fingerprinting users. This is because your behavior is unique or unique enough that over time, you could be de-anonymized.
Here are some examples:
Specialized companies are selling to, for example, law enforcement agencies products for analyzing social network activities such as https://mediasonar.com/ [Archive.org]
For example, as a basis of authentication, a user's typing speed, keystroke depressions, patterns of error (say accidentally hitting an “l” instead of a “k” on three out of every seven transactions) and mouse movements establish that person's unique pattern of behavior156. Some commercial services such as TypingDNA (https://www.typingdna.com/ [Archive.org]) even offer such analysis as a replacement for two-factor authentication.
This technology is also widely used in CAPTCHAS157 services to verify that you are “human” and can be used to fingerprint a user.
Analysis algorithms could then be used to match these patterns with other users and match you to a different known user. It is unclear whether Governments and Law Enforcement agencies already use such data, but they might in the future. And while it is mostly used for advertising/marketing/CAPTCHA purposes now, it could and probably will be used for investigations in the short or mid-term to deanonymize users.
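As an added example (not from this guide nor from any vendor mentioned above), this Python code shows the basic keystroke-dynamics pipeline behind such products: from key-down/key-up timestamps it derives dwell times (how long each key is held) and flight times (gap between releasing one key and pressing the next), builds a template per known typist by averaging enrolment samples, and matches an unknown sample to the closest template if it is within a tolerance. All timings, typist names and the threshold are constructed for the example.

```python
from statistics import mean


def typed(keys, dwells, flights, start_ms=0):
    """Build (key, down_ms, up_ms) events from per-key hold times and inter-key gaps.

    Constructed-input helper for the example; a real system logs these from the
    keyboard driver or from JavaScript keydown/keyup events in the browser.
    """
    events, t = [], start_ms
    for i, key in enumerate(keys):
        down, up = t, t + dwells[i]
        events.append((key, down, up))
        if i < len(flights):
            t = up + flights[i]
    return events


def extract(events):
    """Feature vector: dwell time of each key, then flight time between consecutive keys (ms)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Average several samples of the same phrase into one template."""
    vectors = [extract(s) for s in samples]
    return [mean(column) for column in zip(*vectors)]


def distance(template, vector):
    """Mean relative deviation from the template; relative, so that slow typists with
    naturally larger absolute variance are not penalised."""
    return mean(abs(t - v) / t for t, v in zip(template, vector))


def identify(probe, templates, threshold=0.25):
    """(name, distance) of the closest template, or (None, distance) if none is close enough."""
    vector = extract(probe)
    scored = sorted((distance(t, vector), name) for name, t in templates.items())
    best_d, best_name = scored[0]
    return (best_name if best_d <= threshold else None, round(best_d, 3))


PHRASE = list("anon")

# Enrolment samples (constructed): two typists with clearly different rhythms.
TEMPLATES = {
    "fast_typist": enroll([
        typed(PHRASE, [80, 85, 78, 82], [60, 65, 58]),
        typed(PHRASE, [82, 80, 80, 84], [62, 60, 61]),
    ]),
    "slow_typist": enroll([
        typed(PHRASE, [140, 150, 145, 138], [200, 210, 195]),
        typed(PHRASE, [150, 142, 140, 146], [205, 198, 202]),
    ]),
}

# A fresh sample from the fast typist, and one from someone who was never enrolled.
PROBE_FAST = typed(PHRASE, [84, 81, 77, 85], [63, 61, 60])
PROBE_STRANGER = typed(PHRASE, [110, 115, 112, 108], [120, 130, 125])

if __name__ == "__main__":
    print("fast probe    ->", identify(PROBE_FAST, TEMPLATES))
    print("stranger probe->", identify(PROBE_STRANGER, TEMPLATES))
```

Note what the threshold does: the stranger is closest to the slow typist but still outside tolerance, so a well-tuned system answers “unknown” rather than forcing a match; a de-anonymization adversary, on the other hand, would simply keep the ranked list and cross it with other signals. The enrolment step is the part you cannot control: any site where you typed while logged in as yourself already has your template.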
Here is a fun example you try yourself to see some of those things in action: https://clickclickclick.click (no archive links for this one sorry). You will see it becoming interesting over time (this requires Javascript enabled).
Here is also a recent example just showing what Google Chrome collects on you: https://web.archive.org/web/https://pbs.twimg.com/media/EwiUNH0UYAgLY7V?format=jpg&name=4096x4096
Here are some other resources on the topic if you cannot see this documentary:
2017, Behavior Analysis in Social Networks, https://link.springer.com/10.1007/978-1-4614-7163-9_110198-1 [Archive.org]
2017, Social Networks and Positive and Negative Affect https://www.sciencedirect.com/science/article/pii/S1877042811013747/pdf?md5=253d8f1bb615d5dee195d353dc077d46&pid=1-s2.0-S1877042811013747-main.pdf [Archive.today]
2015, Using Social Networks Data for Behavior and Sentiment Analysis https://www.researchgate.net/publication/300562034_Using_Social_Networks_Data_for_Behavior_and_Sentiment_Analysis [Archive.org]
2016, A Survey on User Behavior Analysis in Social Networks https://www.academia.edu/30936118/A_Survey_on_User_Behaviour_Analysis_in_Social_Networks [Archive.org]
2017, DEF CON 25 presentation: DEF CON 25 - Svea Eckert, Andreas Dewes - Dark Data [Invidious]
2019, Influence and Behavior Analysis in Social Networks and Social Media https://sci-hub.se/10.1007/978-3-030-02592-2 [Archive.org]
So, how can you mitigate these?
This guide will provide some technical mitigations using Fingerprinting resistant tools but those might not be sufficient.
You should apply common sense and try to find your own patterns in your behavior and behave differently when using anonymous identities. This includes:
The way you type (speed, accuracy…).
The words you use (be careful with your usual expressions).
The type of response you use (if you are sarcastic by default, try to have a different approach with your identities).
The way you use your mouse and click (try to solve the Captchas differently than your usual way)
The habits you have when using some Apps or visiting some Websites (do not always use the same menus/buttons/links to reach your content).
…
You need to act and fully adopt a role as an actor would do for a performance. You need to become a different person, think, and act like that person. This is not a technical mitigation but a human one. You can only rely on yourself for that.
Ultimately, it is mostly up to you to fool those algorithms by adopting new habits and not revealing real information when using your anonymous identities. See Appendix A4: Counteracting Forensic Linguistics.
These are clues you might give over time that could point to your real identity. You might be talking to someone or posting on some board/forum/Reddit. In those posts, you might over time leak some information about your real life. These might be memories, experiences, or clues you shared that could then allow a motivated adversary to build a profile to narrow their search.
A real and well-documented case of this was the arrest of the hacker Jeremy Hammond158, who shared several details about his past over time and was later identified.
There are also a few cases involving OSINT at Bellingcat159. Have a look at their very informative (but slightly outdated) toolkit here: https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607 [Archive.org]
We have an OSINT discussion room in our Matrix community. Feel free to join at #OSINT:matrix.org.
You can also view some convenient lists of some available OSINT tools here if you want to try them on yourself for example:
As well as this interesting Playlist on YouTube: https://www.youtube.com/playlist?list=PLrFPX1Vfqk3ehZKSFeb9pVIHqxqrNW8Sy [Invidious]
As well as those interesting podcasts:
https://www.inteltechniques.com/podcast.html
You should never share real individual experiences/details using your anonymous identities that could later lead to finding your real identity. You will see more details about this in the Creating new identities section.
“Hell is other people”, even if you evade every method listed above, you are not out of the woods yet thanks to the widespread use of advanced Face recognition by everyone.
Companies like Facebook have used advanced face recognition for years160’161 and have been using other means (Satellite imagery) to create maps of “people” around the world162. This evolution has been going on for years to the point we can now say “we lost control of our faces”163.
If you are walking in a touristy place, you will most likely appear in someone’s selfie within minutes without knowing it. That person could then go ahead and upload that selfie to various platforms (Twitter, Google Photos, Instagram, Facebook, Snapchat …). Those platforms will then apply face recognition algorithms to those pictures under the pretext of allowing better/easier tagging or to better organize your photo library. In addition to this, the same picture will provide a precise timestamp and in most cases geolocation of where it was taken. Even if the person does not provide a timestamp and geolocation, it can still be guessed with other means164’165.
Here are a few resources for even trying this yourself:
Bellingcat, Guide To Using Reverse Image Search For Investigations: https://www.bellingcat.com/resources/how-tos/2019/12/26/guide-to-using-reverse-image-search-for-investigations/ [Archive.org]
Bellingcat, Using the New Russian Facial Recognition Site SearchFace https://www.bellingcat.com/resources/how-tos/2019/02/19/using-the-new-russian-facial-recognition-site-searchface-ru/ [Archive.org]
Bellingcat, Dali, Warhol, Boshirov: Determining the Time of an Alleged Photograph from Skripal Suspect Chepiga https://www.bellingcat.com/resources/how-tos/2018/10/24/dali-warhol-boshirov-determining-time-alleged-photograph-skripal-suspect-chepiga/ [Archive.org]
Bellingcat, Advanced Guide on Verifying Video Content https://www.bellingcat.com/resources/how-tos/2017/06/30/advanced-guide-verifying-video-content/ [Archive.org]
Bellingcat, Using the Sun and the Shadows for Geolocation https://www.bellingcat.com/resources/2020/12/03/using-the-sun-and-the-shadows-for-geolocation/ [Archive.org]
Bellingcat, Navalny Poison Squad Implicated in Murders of Three Russian Activists https://www.bellingcat.com/news/uk-and-europe/2021/01/27/navalny-poison-squad-implicated-in-murders-of-three-russian-activists/ [Archive.org]
Bellingcat, Berlin Assassination: New Evidence on Suspected FSB Hitman Passed to German Investigators https://www.bellingcat.com/news/2021/03/19/berlin-assassination-new-evidence-on-suspected-fsb-hitman-passed-to-german-investigators/ [Archive.org]
Bellingcat, Digital Research Tutorial: Investigating a Saudi-Led Coalition Bombing of a Yemen Hospital https://www.youtube.com/watch?v=cAVZaPiVArA [Invidious]
Bellingcat, Digital Research Tutorial: Using Facial Recognition in Investigations https://www.youtube.com/watch?v=awY87q2Mr0E [Invidious]
Bellingcat, Digital Research Tutorial: Geolocating (Allegedly) Corrupt Venezuelan Officials in Europe https://www.youtube.com/watch?v=bS6gYWM4kzY [Invidious]
Even if you are not looking at the camera, they can still figure out who you are166, make out your emotions167, analyze your gait168‘169’170, read your lips171, analyze the behavior of your eyes172, and probably guess your political affiliation173’174.
Contrary to popular belief and pop culture, modern gait recognition systems are not fooled by simply changing how you walk (for example by putting something uncomfortable in your shoe): they analyze how the muscles across your entire body move as you perform certain actions. The best way to fool modern gait recognition is to wear loose clothes that obscure the way your muscles move.
Other things that can be used to identify you include your earlobes, which are actually more identifiable than fingerprints, and even the shape of your skull. As such, soft head coverings such as balaclavas are not recommended for obscuring your identity: they make you look incredibly suspicious while also conforming to the shape of your skull.
(Illustration from https://www.nature.com/articles/s41598-020-79310-1 [Archive.org])
(Illustration from https://rd.springer.com/chapter/10.1007/978-3-030-42504-3_15 [Archive.org])
Those platforms (Google/Facebook) already know who you are for a few reasons:
Because you have or had a profile with them, and you identified yourself.
Even if you never made a profile on those platforms, you still have one without even knowing it175‘176’177‘178’179.
Because other people have tagged you or identified you in their holidays/party pictures.
Because other people have put a picture of you in their contact list, which they then shared with those platforms.
Here is also an insightful demo of Microsoft Azure you can try for yourself at https://azure.microsoft.com/en-us/services/cognitive-services/face/#demo where you can detect emotions and compare faces from different pictures.
Governments already know who you are because they have your ID/Passport/Driving License pictures and often added biometrics (Fingerprints) in their database. Those same governments are integrating those technologies (often provided by private companies such as the Israeli Oosto180, Clearview AI181‘182, or NEC183) in their CCTV networks to look for “persons of interest”184. And some heavily surveilled states like China have implemented widespread use of Facial Recognition for various purposes185’186 including possibly identifying ethnic minorities187. A simple face recognition error by some algorithm can ruin your life188’189.
Here are some resources detailing some techniques used by Law Enforcement today:
CCC video explaining current Law Enforcement surveillance capabilities: https://media.ccc.de/v/rc3-11406-spot_the_surveillance#t=761 [Archive.org]
EFF SLS: https://www.eff.org/sls [Archive.org]
Apple is making Face ID mainstream and pushing its use to log you into many services, including banking.
The same goes with fingerprint authentication being mainstreamed by many smartphone makers to authenticate yourself. A simple picture where your fingers appear can be used to de-anonymize you190‘191’192’193.
The same goes with your voice which can be analyzed for various purposes as shown in the recent Spotify patent194.
Even your iris can be used for identification in some places195.
We can safely imagine a near future where you will not be able to create accounts or sign in anywhere without providing unique biometrics (A suitable time to re-watch Gattaca196, Person of Interest197 , and Minority Report198). And you can safely imagine how useful these large biometrics databases could be to some interested third parties.
In addition, all this information can also be used against you (if you are already de-anonymized) using deepfake199 by crafting false information (Pictures, Videos, Voice Recordings200…) and have already been used for such purposes201’202. There are even commercial services for this readily available such as https://www.respeecher.com/ [Archive.org] and https://www.descript.com/overdub [Archive.org].
See this demo: https://www.youtube.com/watch?v=t5yw5cR79VA [Invidious]
At this time, there are a few steps203 you can use to mitigate (and only mitigate) face recognition when conducting sensitive activities where CCTV might be present:
Wear a facemask as they have been proven to defeat some face recognition technologies204 but not all205.
Wear a baseball cap or hat to mitigate identification from high-angle CCTVs (filming from above) from recording your face. Remember this will not help against front-facing cameras.
Wear sunglasses in addition to the facemask and baseball cap to mitigate identification from your eye’s features.
Consider wearing special sunglasses (expensive, unfortunately) called “Reflectacles” https://www.reflectacles.com/ [Archive.org]. There was a small study showing their efficiency against IBM and Amazon facial recognition206.
All that might still be useless because of gait recognition mentioned earlier but there might be hope here if you have a 3D Printer: https://gitlab.com/FG-01/fg-01 [Archive.org]
(see Gait Recognition and Other Long-Range Biometrics)
(Note that if you intend to use these where advanced facial recognition systems have been installed, these measures could also flag you as suspicious by themselves and trigger a human check.)
Phishing207 is a social engineering208 type of attack where an adversary could try to extract information from you by pretending or impersonating something/someone else.
A typical case is an adversary using a man-in-the-middle209 attack or a fake e-mail/call to ask for your credential for a service. This could for example be through e-mail or through impersonating financial services.
Such attacks can also be used to de-anonymize someone by tricking them into downloading malware or revealing personal information over time. The only defense against them is common sense: verify who you are really dealing with through a channel the adversary does not control before handing over anything.
These have been used countless times since the early days of the internet; the classic example is the “419 scam” (see https://en.wikipedia.org/wiki/Advance-fee_scam [Wikiless] [Archive.org]).
Here is a good video if you want to learn a bit more about phishing types: Black Hat, Ichthyology: Phishing as a Science https://www.youtube.com/watch?v=Z20XNp-luNA [Invidious].
Using steganography or other techniques, malware can be embedded into common file formats such as Office documents, pictures, videos, PDF documents…
These can be as simple as HTML tracking links or complex targeted malware.
These could be simple pixel-sized images210 hidden in your e-mails that call a remote server when displayed, revealing your IP address, the time you opened the message and, through a per-recipient identifier in the image URL, which recipient opened it.
These could be exploiting a vulnerability in an outdated format or an outdated reader211. Such exploits could then be used to compromise your system.
See these good videos for more explanations on the matter:
What is a File Format? https://www.youtube.com/watch?v=VVdmmN0su6E [Invidious]
Ange Albertini: Funky File Formats: https://www.youtube.com/watch?v=hdCs6bPM4is [Invidious]
You should always use extreme caution. To mitigate these attacks, this guide will later recommend the use of virtualization (See Appendix W: Virtualization) to mitigate leaking any information even in case of opening such a malicious file.
If you want to learn how to try detecting such malware, see Appendix T: Checking files for malware
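As a small added example (not the guide's own code), here is a Python check you can run on the HTML body of a message before allowing remote content: it lists every image that would make your mail client connect out to a server, and flags those with classic tracking-beacon traits (1x1 or hidden, or a long per-recipient token in the URL). The sample message is constructed inline and only the standard library is used.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (not a real message)
SAMPLE_EMAIL = """<html><body>
<p>Hello,</p>
<img src="cid:logo@example" alt="logo">
<img src="https://cdn.example.net/banner.png" width="600" height="120">
<img src="https://track.example.net/o/5f1c2d9a7b3e4c1d8a9f0b2c3d4e5f60.gif" width="1" height="1" style="display:none">
<img src="https://mail.example.net/open?u=7a2b3c4d5e6f7a8b&amp;c=123" alt="">
</body></html>"""


class RemoteImageScanner(HTMLParser):
    """Collect every remote <img> and flag the ones that look like tracking beacons."""

    def __init__(self):
        super().__init__()
        self.remote = []    # every image that would make your client connect out
        self.beacons = []   # subset that shows classic beacon traits

    def handle_starttag(self, tag, attrs):
        if tag != 'img':
            return
        a = {k: (v or '') for k, v in attrs}
        src = a.get('src', '')
        url = urlparse(src)
        if url.scheme not in ('http', 'https'):
            return                                   # cid:/data: images are inline, no request
        self.remote.append(src)
        tiny = a.get('width') in ('0', '1') or a.get('height') in ('0', '1')
        style = a.get('style', '').replace(' ', '').lower()
        hidden = 'display:none' in style or 'visibility:hidden' in style
        # per-recipient identifiers: a long hex token in the path or a sizeable query string
        token = bool(re.search(r'[0-9a-f]{16,}', url.path, re.I)) or len(url.query) >= 16
        if tiny or hidden or token:
            self.beacons.append(src)


def scan_email(html):
    """Return (remote_images, likely_beacons) for an HTML message body."""
    p = RemoteImageScanner()
    p.feed(html)
    p.close()
    return p.remote, p.beacons


if __name__ == '__main__':
    remote, beacons = scan_email(SAMPLE_EMAIL)
    print(len(remote), 'remote images;', len(beacons), 'look like trackers:')
    for b in beacons:
        print(' -', b)
```

Note that the banner image is not flagged but is still listed as remote: any remote image leaks your IP address and open time when loaded, beacon or not, which is why the practical mitigation is to disable remote content entirely rather than to try to spot the tracker.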
So, you are using Tor Browser or Brave Browser over Tor. You could be using those over a VPN for added security. But you should keep in mind that there are exploits212 (hacks) that could be known by an adversary (but unknown to the App/Browser provider). Such exploits could be used to compromise your system and reveal details to de-anonymize you such as your IP address or other details.
A real use case of this technique was the Freedom Hosting213 case in 2013, where the FBI inserted malware214 using a Firefox browser exploit on a Tor website. This exploit allowed them to reveal details of some users. More recently, there was the notable SolarWinds215 hack that breached several US government institutions by inserting malware into the vendor's official, signed software updates.
In some countries, malware is effectively mandatory and/or distributed by the state itself. This is the case for instance in China with WeChat216, which can then be used in combination with other data for state surveillance217.
There are countless examples of malicious browser extensions, smartphone apps, and various apps that have been infiltrated with malware over the years.
Here are some steps to mitigate this type of attack:
You should never have 100% trust in the apps you are using.
You should always check that you are using the updated version of such apps before use and ideally validate each download using their signature if available.
You should not run such apps directly on your host system but instead use a Virtual Machine for compartmentalization.
To reflect these recommendations, this guide will therefore later guide you in the use of Virtualization (See Appendix W: Virtualization) so that even if your Browser/Apps get compromised by a skilled adversary, that adversary will find himself stuck in a sandbox218 without being able to access identifying information or compromise your system.
There are readily available and cheap commercial “badUSB”219 devices that can deploy malware, log your typing, geolocate you, listen to you or gain control of your laptop just by being plugged in. Here are some examples that you can already buy yourself:
Hak5, USB Rubber Ducky https://shop.hak5.org/products/usb-rubber-ducky-deluxe [Archive.org]
Hak5, O.MG Cable https://www.youtube.com/watch?v=V5mBJHotZv0 [Invidious]
AliExpress https://www.aliexpress.com/i/4000710369016.html [Archive.org]
Such devices can be implanted anywhere (charging cable, mouse, keyboard, USB key…) by an adversary and can be used to track you or compromise your computer or smartphone. The most notable example of a USB-borne attack is probably Stuxnet220, which spread through infected USB drives and was discovered in 2010.
While you could inspect a USB key physically, scan it with various utilities, check the various components to see if they are genuine, you will most likely never be able to discover complex malware embedded in genuine parts of a genuine USB key by a skilled adversary without advanced forensics equipment221.
To mitigate this, you should never trust such devices or plug them into sensitive equipment. If you use a charging device, consider a USB data-blocking adapter that passes only the power lines and not the data lines. Such data blockers are now readily available in many online shops. You should also consider disabling USB ports completely in the BIOS/UEFI of your computer unless you need them (if you can).
This might sound a bit familiar as this was already partially covered previously in the Your CPU section.
Malware and backdoors can be embedded directly into your hardware components. Sometimes those backdoors are implemented by the manufacturer itself, such as the Intel Management Engine (ME) in the case of Intel CPUs. In other cases, such backdoors can be implemented by a third party that places itself between the order of new hardware and its delivery to the customer222 (an interdiction attack).
Such malware and backdoors can also be deployed by an adversary using software exploits. Many of those are called rootkits223 within the tech world. Usually, these types of malware are harder to detect and mitigate as they are implemented at a lower level than the userspace224 and often in the firmware225 of hardware components itself.
What is firmware? Firmware is a low-level operating system for devices. Each component in your computer probably has firmware including for instance your disk drives. The BIOS226/UEFI227 system of your machine for instance is a type of firmware.
These can allow remote management and are capable of enabling full control of a target system silently and stealthily.
As mentioned previously, these are harder for users to detect, but some limited steps can be taken to mitigate some of them: protect your device from tampering and, for example, re-flash the BIOS/UEFI from a known-good image. Unfortunately, if such malware or backdoor is implemented by the manufacturer itself, it becomes extremely difficult to detect and disable.
This can be obvious to many but not to all. Most files have metadata attached to them. Good examples are pictures that store EXIF228 information, which can hold a lot of information such as GPS coordinates, which camera/phone model took it, and precisely when it was taken. While this information might not directly give out who you are, it could tell exactly where you were at a certain moment, which could allow others to use various sources to find you (CCTV or other footage taken at the same place at the same time during a protest, for instance). You must check any file you upload to those platforms for any properties that might hold information leading back to you.
Here is an example of EXIF data that could be on a picture:
(Illustration from Wikipedia)
This also works for videos. Yes, videos too have geo-tagging, and many are unaware of this. Here is for instance a very convenient tool to geo-locate YouTube videos: https://mattw.io/youtube-geofind/location [Archive.org]
For this reason, you will always have to be incredibly careful when uploading files using your anonymous identities and check the metadata of those files.
Even if you publish a plain text file, you should always double or triple-check it for any information leakage before publishing. You will find some guidance about this in the Some additional measures against forensics section at the end of the guide.
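As an added example (not part of the original guide), here is a stand-alone Python check of the kind you should run before uploading: it walks the JPEG marker segments, reads the Exif/TIFF structure to pull out the timestamp and GPS position, and rebuilds the file without the APP1 block. The sample JPEG is constructed in the code itself (a minimal file carrying made-up coordinates), not a real photo, and only the standard library is used.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_ifd(entries, ifd_offset):
    """Serialise a little-endian TIFF IFD. entries = [(tag, type, payload_bytes)].
    Payloads over 4 bytes go after the entry table; offsets are TIFF-header relative."""
    data_off = ifd_offset + 2 + 12 * len(entries) + 4
    table, data = struct.pack('<H', len(entries)), b''
    for tag, typ, payload in entries:
        count = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            val = payload.ljust(4, b'\0')                  # small values are stored inline
        else:
            val = struct.pack('<I', data_off + len(data))  # otherwise a pointer to the data area
            data += payload
        table += struct.pack('<HHI', tag, typ, count) + val
    return table + struct.pack('<I', 0) + data             # 0 = no next IFD


def build_sample_jpeg():
    """Constructed sample (not a real photo): a minimal JPEG whose Exif APP1 block carries
    a timestamp and the made-up GPS position 48 deg 51' 29.6" N, 2 deg 17' 40.2" E."""
    date = b'2023:06:01 12:34:56\0'
    gps_off = 8 + len(build_ifd([(TAG_DATETIME, 2, date), (TAG_GPS_IFD, 4, b'\0' * 4)], 8))
    ifd0 = build_ifd([(TAG_DATETIME, 2, date), (TAG_GPS_IFD, 4, struct.pack('<I', gps_off))], 8)
    gps = build_ifd([
        (GPS_LAT_REF, 2, b'N\0'), (GPS_LAT, 5, struct.pack('<6I', 48, 1, 51, 1, 296, 10)),
        (GPS_LON_REF, 2, b'E\0'), (GPS_LON, 5, struct.pack('<6I', 2, 1, 17, 1, 402, 10)),
    ], gps_off)
    app1 = b'Exif\0\0' + b'II*\0' + struct.pack('<I', 8) + ifd0 + gps
    return (b'\xff\xd8' + b'\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1
            + b'\xff\xda\x00\x02' + b'<entropy-coded image data>' + b'\xff\xd9')


def jpeg_segments(data):
    """Yield (marker, payload, raw_bytes) per header segment. The SOS segment is yielded
    with everything after it (scan data up to EOI) as its raw bytes."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG')
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                  # Start Of Scan: header segments end here
            yield marker, None, data[pos:]
            return
        if marker == 0xD9:                  # End Of Image
            return
        (length,) = struct.unpack('>H', data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length], data[pos:pos + 2 + length]
        pos += 2 + length


def _is_exif(marker, payload):
    return marker == 0xE1 and payload is not None and payload.startswith(b'Exif\0\0')


def parse_exif(tiff):
    """Return {'DateTime': str|None, 'GPS': (lat, lon)|None} from a TIFF-structured Exif blob."""
    order = {b'II': '<', b'MM': '>'}[tiff[:2]]

    def decode(typ, count, raw):
        if typ == 2:
            return raw.rstrip(b'\0').decode('ascii', 'replace')
        if typ in (3, 4):
            return struct.unpack(order + ('H' if typ == 3 else 'I') * count, raw)
        if typ == 5:                        # RATIONAL: numerator/denominator pairs
            n = struct.unpack(order + 'II' * count, raw)
            return tuple(n[i] / n[i + 1] if n[i + 1] else 0.0 for i in range(0, 2 * count, 2))
        return raw

    def read_ifd(off):
        (n,) = struct.unpack(order + 'H', tiff[off:off + 2])
        out = {}
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(order + 'HHI', tiff[e:e + 8])
            size = TYPE_SIZE.get(typ, 1) * count
            if size <= 4:
                raw = tiff[e + 8:e + 8 + size]
            else:
                (voff,) = struct.unpack(order + 'I', tiff[e + 8:e + 12])
                raw = tiff[voff:voff + size]
            out[tag] = decode(typ, count, raw)
        return out

    def dms(values, ref):                   # degrees/minutes/seconds -> signed decimal degrees
        if not values or len(values) != 3:
            return None
        d, m, s = values
        deg = d + m / 60 + s / 3600
        return -deg if ref in ('S', 'W') else deg

    (ifd0_off,) = struct.unpack(order + 'I', tiff[4:8])
    ifd0 = read_ifd(ifd0_off)
    result = {'DateTime': ifd0.get(TAG_DATETIME), 'GPS': None}
    if TAG_GPS_IFD in ifd0:
        gps = read_ifd(ifd0[TAG_GPS_IFD][0])
        lat = dms(gps.get(GPS_LAT), gps.get(GPS_LAT_REF))
        lon = dms(gps.get(GPS_LON), gps.get(GPS_LON_REF))
        if lat is not None and lon is not None:
            result['GPS'] = (lat, lon)
    return result


def exif_info(jpeg):
    """What a platform (or an adversary) can read from the file before you upload it."""
    for marker, payload, _ in jpeg_segments(jpeg):
        if _is_exif(marker, payload):
            return parse_exif(payload[6:])
    return None


def strip_exif(jpeg):
    """Rebuild the JPEG without its Exif APP1 segment; the image data is untouched."""
    return b'\xff\xd8' + b''.join(raw for m, p, raw in jpeg_segments(jpeg) if not _is_exif(m, p))


SAMPLE_JPEG = build_sample_jpeg()

if __name__ == '__main__':
    print('before:', exif_info(SAMPLE_JPEG))
    print('after: ', exif_info(strip_exif(SAMPLE_JPEG)))
```

Real files also carry Exif sub-IFDs, XMP (also in APP1), IPTC (APP13) and embedded thumbnails with their own Exif, so treat this as an illustration of where the data lives; for production use strip with a mature tool such as exiftool or mat2, then run a check like this on the output rather than trusting the tool blindly.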
Pictures/Videos often contain visible watermarks indicating who is the owner/creator but there are also invisible watermarks in various products aiming at identifying the viewer itself.
So, if you are a whistleblower and thinking about leaking some picture/audio/video file, think twice. There are chances that those might contain invisible watermarking that includes information about you as a viewer. Such watermarks can be enabled with a simple switch in apps like Zoom (Video229 or Audio230) or with extensions231 for popular apps such as Adobe Premiere Pro. They can also be inserted by various content management systems.
For a recent example where someone leaking a Zoom meeting recording was caught because it was watermarked: https://theintercept.com/2021/01/18/leak-zoom-meeting/ [Tor Mirror] [Archive.org]
Such watermarks can be inserted by various products232‘233’234‘235 using Steganography236 and can resist compression237 and re-encoding238’239.
These watermarks are not easily detectable and could allow identification of the source despite all efforts.
In addition to watermarks, the camera used for filming (and therefore the device used for filming) a video can also be identified using various techniques such as lens identification240 which could lead to de-anonymization.
Be extremely careful when publishing videos/pictures/audio files from known commercial platforms as they might contain such invisible watermarks in addition to details in the images themselves. There is no guaranteed 100% protection against those. You will have to use common sense.
Did you know your printer is most likely spying on you too, even if it is not connected to any network? This is well known in the IT community but not outside it.
Yes … Your printers can be used to de-anonymize you as well as explained by the EFF here https://www.eff.org/issues/printers [Archive.org]
With this (old but still relevant) video explaining how from the EFF as well: https://www.youtube.com/watch?v=izMGMsIZK4U [Invidious]
Many printers will print an invisible watermark allowing for identification of the printer on every printed page. This is called Printer Steganography241. There is no tangible way to mitigate this but to inform yourself on your printer and make sure it does not print any invisible watermark. This is important if you intend to print anonymously.
Here is an (old but still relevant) list of printers and brands who do not print such tracking dots provided by the EFF https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots [Archive.org]
Here are also some tips from the Whonix documentation (https://www.whonix.org/wiki/Printing_and_Scanning [Archive.org]):
Do not ever print in color: watermarks are usually not present without color toners/cartridges242.
Did you ever see a document with blurred text? Did you ever make fun of those movies/series where they “enhance” an image to recover seemingly impossible-to-read information?
Well, there are techniques for recovering information from such documents, videos, and pictures.
Here is for example an open-source project you could use yourself to recover text from pixelized screenshots: https://github.com/beurtschipper/Depix [Archive.org]
This is of course an open-source project available for all to use. But you can imagine that such techniques have probably been used before by other adversaries. These could be used to reveal blurred information from published documents that could then be used to de-anonymize you.
There are also tutorials for using such techniques using Photo Editing tools such as GIMP such as https://medium.com/@somdevsangwan/unblurring-images-for-osint-and-more-part-1-5ee36db6a70b [Archive.org] followed by https://medium.com/@somdevsangwan/deblurring-images-for-osint-part-2-ba564af8eb5d [Scribe.rip] [Archive.org]
Finally, you will find plenty of deblurring resources here: https://github.com/subeeshvasu/Awesome-Deblurring [Archive.org]
Some online services could even help you do this automatically to some extent like MyHeritage.com enhance tool:
https://www.myheritage.com/photo-enhancer [Archive.org]
Here is the result of the above image:
Of course, this tool is more like “guessing” than really deblurring at this point, but it could be enough to find you using various reverse image searching services.
There are also techniques to deblur/depixelate parts in videos: see https://positive.security/blog/video-depixelation [Archive.org]
For this reason, it is always extremely important that you correctly redact and curate any document you might want to publish. Blurring is not enough, and you should always completely remove any sensitive data so that no adversary can attempt to recover it. Do not pixelate, do not blur; put a hard, opaque black rectangle over the information, and make sure the redaction actually destroys the underlying data: a black box drawn as a layer on top of a PDF or an image that still has a text layer leaves the original text extractable. Flatten or re-rasterize the document and check that the redacted content cannot be selected, searched or found in the file's metadata before publishing.
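To make the point concrete, here is an added Python example (not the guide's or Depix's code) using a constructed toy 3x5 pixel font. It pixelates a short string the way an image editor's mosaic filter does, then recovers it with the same dictionary idea Depix uses: render every candidate glyph with the same font and block size and keep the ones whose mosaic matches. A solid black rectangle yields nothing for the attacker to match against. The toy keeps the mosaic blocks aligned with glyph boundaries; the real tool also has to search over block offsets and glyph sequences, which is more work but not a different principle.

```python
# Toy 3x5 monospace font, constructed for this example (not a real typeface)
GLYPHS = {
    '0': ['111', '101', '101', '101', '111'],
    '1': ['010', '110', '010', '010', '111'],
    '2': ['111', '001', '111', '100', '111'],
    '3': ['111', '001', '111', '001', '111'],
    '4': ['101', '101', '111', '001', '001'],
    '7': ['111', '001', '001', '001', '001'],
}
GLYPH_H, CHAR_W, BLOCK = 5, 4, 2   # glyph height, glyph width incl. 1px gap, mosaic block size


def render(text):
    """Render text as a list of pixel rows (0 = background, 1 = ink)."""
    return [[int(b) for ch in text for b in GLYPHS[ch][r] + '0'] for r in range(GLYPH_H)]


def pixelate(img, block=BLOCK):
    """Mosaic filter: replace every block x block area by its average intensity.
    The output is a deterministic function of the input, which is what makes it reversible."""
    h, w = len(img), len(img[0])
    out = []
    for by in range(0, h, block):
        row = []
        for bx in range(0, w, block):
            cells = [img[y][x] for y in range(by, min(by + block, h))
                     for x in range(bx, min(bx + block, w))]
            row.append(sum(cells) / len(cells))
        out.append(row)
    return out


def redact(img):
    """Hard redaction: overwrite the region with solid black. Output no longer depends on input."""
    return [[0] * len(row) for row in img]


def recover(pixelated, n_chars, block=BLOCK):
    """Dictionary attack in the spirit of Depix: pixelate every candidate glyph with the same
    font and block size, then keep the candidates whose mosaic matches each character slot.
    Returns one set of candidates per slot; an empty set means the image carries no information."""
    signatures = {ch: pixelate(render(ch), block) for ch in GLYPHS}
    cols = CHAR_W // block             # mosaic columns per character (blocks are glyph-aligned here)
    candidates = []
    for i in range(n_chars):
        observed = [row[i * cols:(i + 1) * cols] for row in pixelated]
        candidates.append({ch for ch, sig in signatures.items() if sig == observed})
    return candidates


def recovered_text(candidates):
    """Render a candidate list as text, with '?' where a slot is ambiguous or unknown."""
    return ''.join(next(iter(c)) if len(c) == 1 else '?' for c in candidates)


if __name__ == '__main__':
    secret = '2407'
    mosaic = pixelate(render(secret))
    print('pixelated ->', recovered_text(recover(mosaic, len(secret))))                 # 2407
    print('redacted  ->', recovered_text(recover(pixelate(redact(render(secret))), len(secret))))  # ????
```

The same reasoning applies to Gaussian blur: it is a linear filter with a known kernel, so a candidate rendered with the right font and blurred with the same kernel can be compared against the published image. The only safe operation is one whose output carries no dependency on the hidden content.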
Contrary to widespread belief, Crypto transactions (such as Bitcoin and Ethereum) are not anonymous243. Most cryptocurrencies can be tracked accurately through various methods244’245.
Remember what they say on their page: https://bitcoin.org/en/you-need-to-know [Archive.org] and https://bitcoin.org/en/protect-your-privacy [Archive.org]: “Bitcoin is not anonymous”
The main issue is not setting up a random Crypto wallet to receive some currency behind a VPN/Tor address (at this point, the wallet is anonymous). The issue is mainly when you want to convert Fiat money (Euros, Dollars …) to Crypto and then when you want to cash in your Crypto. You will have few realistic options but to transfer those to an exchange (such as Coinbase/Kraken/Bitstamp/Binance). Those exchanges have known wallet addresses and will keep detailed logs (due to KYC246 financial regulations) and can then trace back those crypto transactions to you using the financial system247.
There are some cryptocurrencies designed with privacy/anonymity in mind, like Monero, but even those have caveats and warnings to consider248’249.
Using “private” mixers, tumblers250 (centralized services that specialize in “anonymizing” cryptocurrencies by “mixing” them) and coinjoiners is risky, as you do not know what is happening on them251 and they can be trivially de-mixed252. Their centrally controlled nature could also put you in trouble, as they are more exposed to money-laundering laws253.
This does not mean you cannot use Bitcoin anonymously at all. You can actually use Bitcoin anonymously as long as you do not convert it to actual currency, use a Bitcoin wallet from a safe anonymous network, and do not reuse addresses or consolidate outputs that were used when spending at different merchants. Meaning you should avoid KYC/AML regulations by various exchanges, avoid using the Bitcoin network from any known IP address, and use a wallet that provides privacy-preserving tools. See Appendix Z: Online anonymous payments using cryptocurrencies.
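The advice above about not reusing addresses or consolidating outputs follows from how chain analysis actually works. This added Python example (not the guide's own code) applies the two most basic heuristics, common-input ownership and change detection, to a handful of constructed transactions with made-up address labels: one user co-spends and consolidates coins into an exchange deposit address, another keeps every coin separate. The change heuristic here is deliberately simplified (one previously seen output, one fresh one).

```python
# Constructed transactions (not real chain data): (txid, input addresses, output addresses)
TXS = [
    ('tx0', ['Z1'],       ['M1']),        # an unrelated user pays merchant M1; M1 is now a known address
    ('tx1', ['A1', 'A2'], ['M1', 'A3']),  # A1+A2 co-spent -> one wallet; M1 known, A3 fresh -> A3 is change
    ('tx2', ['A3'],       ['M2', 'A4']),  # both outputs fresh -> change ambiguous, nothing learned here
    ('tx3', ['A4', 'A1'], ['EX1']),       # consolidation into a KYC'd exchange deposit address
    ('tx4', ['C1'],       ['M3']),        # a careful user: separate coins, never co-spent...
    ('tx5', ['C2'],       ['M4']),        # ...so C1 and C2 stay unlinkable on-chain
]


class DisjointSet:
    """Union-find over addresses."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_addresses(txs):
    """Apply two standard chain-analysis heuristics; return (disjoint_set, {root: set(addresses)})."""
    ds, seen = DisjointSet(), set()
    for _txid, ins, outs in txs:
        for addr in ins:
            ds.find(addr)                   # register even single-input spenders
        # 1. Common-input-ownership: all inputs of one transaction belong to one wallet.
        for addr in ins[1:]:
            ds.union(ins[0], addr)
        # 2. Change detection (simplified): one output seen before (the payee) and one
        #    brand-new output -> the new one is most likely change back to the spender.
        if len(outs) == 2:
            fresh = [o for o in outs if o not in seen and o not in ins]
            if len(fresh) == 1:
                ds.union(ins[0], fresh[0])
        seen.update(outs)
    clusters = {}
    for addr in list(ds.parent):
        clusters.setdefault(ds.find(addr), set()).add(addr)
    return ds, clusters


def cluster_of(addr, txs):
    """All addresses the heuristics attribute to the same owner as `addr`."""
    ds, clusters = cluster_addresses(txs)
    return clusters.get(ds.find(addr), {addr})


def who_funded(addr, txs):
    """Every cluster that ever paid `addr` (e.g. a deposit address the exchange ties to a name)."""
    ds, clusters = cluster_addresses(txs)
    return [clusters[ds.find(ins[0])] for _t, ins, outs in txs if addr in outs]


if __name__ == '__main__':
    print('cluster of A1 :', sorted(cluster_of('A1', TXS)))       # ['A1', 'A2', 'A3', 'A4']
    print('cluster of C1 :', sorted(cluster_of('C1', TXS)))       # ['C1']
    print('funded EX1    :', [sorted(c) for c in who_funded('EX1', TXS)])
```

Once EX1 is tied to a verified identity by the exchange, the whole A-cluster, including the earlier purchase from merchant M1, is attributed to that person. The C-user's coins, which were never spent together, stay as separate singleton clusters; that is the property address non-reuse and avoiding consolidation are meant to preserve.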
Overall, the best option for using Crypto with reasonable anonymity and privacy is still Monero and you should ideally not use any other for sensitive transactions unless you are aware of the limitations and risks involved. Please do read Appendix B2: Monero Disclaimer.
TLDR: Use Monero!
All companies are advertising their use of end-to-end encryption (E2EE). This is true for almost every messaging app and website (HTTPS). Apple and Google are advertising their use of encryption on their Android devices and their iPhones.
But what about your backups? Those automated iCloud/Google Drive backups you have?
Well, you should know that most of those backups are not fully end-to-end encrypted and will hold some of your information readily available to a third party. You will see claims that data is encrypted at rest and safe from anyone… except that the provider usually keeps a key that lets it access some of the data itself. These keys are used for indexing your content, recovering your account and collecting various analytics.
There are specialized commercial forensics solutions available (Magnet Axiom254, Cellebrite Cloud255) that will help an adversary analyze your cloud data with ease.
Notable Examples:
Apple iCloud: https://support.apple.com/en-us/HT202303 [Archive.org] : “Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices.”. Apple's optional Advanced Data Protection for iCloud (announced in December 2022) extends end-to-end encryption to iCloud Backup and most other categories, but it is off by default and has to be enabled on the device.
Google Drive and WhatsApp: https://faq.whatsapp.com/android/chats/about-google-drive-backups/ [Archive.org]: “Media and messages you back up aren’t protected by WhatsApp end-to-end encryption while in Google Drive.”. Do however note that Facebook/Whatsapp have announced the rollout of encrypted backups on October 14th 2021 (https://about.fb.com/news/2021/10/end-to-end-encrypted-backups-on-whatsapp/ [Archive.org]) which should solve this issue.
Dropbox: https://www.dropbox.com/privacy#terms [Archive.org] “To provide these and other features, Dropbox accesses, stores, and scans Your Stuff. You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with”.
Microsoft OneDrive: https://privacy.microsoft.com/en-us/privacystatement [Archive.org]: Productivity and communications products, “When you use OneDrive, we collect data about your usage of the service, as well as the content you store, to provide, improve, and protect the services. Examples include indexing the contents of your OneDrive documents so that you can search for them later and using location information to enable you to search for photos based on where the photo was taken”.
You should not trust cloud providers with your (not previously and locally encrypted) sensitive data and you should be wary of their privacy claims. In most cases, they can access your data and provide it to a third party if they want to256.
The only way to mitigate this is to encrypt your data on your side and then only upload it to such services or just not use them at all.
Your Browser and Device Fingerprints257 are a set of properties/capabilities of your System/Browser. These are used on most websites for invisible user tracking but also to adapt the website user experience depending on the browser. For instance, websites will be able to provide a “mobile experience” if you are using a mobile browser or propose a specific language/geographic version depending on your fingerprint. Most of those techniques work with recent browsers like Chromium-based258 browsers (such as Chrome/Edge) or Firefox259 unless specific measures are taken. Browser and Device260 Fingerprinting is usually integrated into CAPTCHA services but also into various other services.
We will address Browser and Device Fingerprinting further down but this is a basic introduction to the methodology behind it and why it is used in practice.
It should also be noted that while some browsers and extensions will offer some fingerprint resistance, this resistance in itself can also be used to fingerprint you as explained here https://palant.info/2020/12/10/how-anti-fingerprinting-extensions-tend-to-make-fingerprinting-easier/ [Archive.org]
This guide will mitigate these issues by randomizing or hiding many of those fingerprinting identifiers by:
Using Virtualization (See Appendix W: Virtualization);
Using specific recommendations (See Appendix A5: Additional browser precautions with JavaScript enabled);
Using hardening (See Appendix V1: Hardening your Browsers);
and by using fingerprint-resistant browsers (like Brave or Tor Browser).
There was an attack published that can deanonymize users if they have a known alias. For example, an attacker trying to track the activities of a journalist can use that journalist’s public Twitter handle to link their anonymous identities with their public one. This breaks compartmentalization of identities and can lead to complete deanonymization, even of users who practice proper OPSEC.
The attack, published at https://leakuidatorplusteam.github.io/ [Archive.org], can be mitigated using the well-known NoScript extension and will be our preferred recommendation.
One loosely documented attack takes the following approach to fingerprinting. Alice is browsing the web using Firefox. The website she has just visited contains an invisible iframe that renders long strings (sentences or hashes) that the user never sees. Each string is styled with a font family to probe, with Arial declared as the fallback. Whether Alice can read the text is irrelevant; all that matters is whether the font changes. The iframe serves no purpose other than to find out whether a certain font is installed on her machine.
The rendered text occupies a box with a specific height and width that depends on the font used. If the requested font is not installed, the browser falls back to Arial and the box has Arial's dimensions. If the requested font is installed, the stylistic differences between font families mean that the same string at the same font size produces a different height and width. The iframe measures that box for each font in its list, and every measurement that differs from the Arial baseline reveals a font present on Alice's machine.
By doing this for hundreds of fonts, websites build a list of installed fonts that is stable enough to track users across websites. Imagine a website then selling this “anonymized” information as a dataset to advertising companies to serve you ads based on the websites you visit, because the list of fonts on your machine lets them follow your identity across the internet. This attack is demonstrated in the talk Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask) by Dr. Nick Nikiforakis (PhD in Computer Science, KU Leuven). He explains how his team of researchers identified which sites were using such techniques among Alexa's top 10,000 websites: 145 of them were fingerprinting browsers, and they did so 100% of the time, whether or not the visitor sent the Do Not Track header, a popular privacy and security setting in many browsers.
Attacks relying on scripts in invisible iframes and media elements can be avoided by blocking all scripts globally using something like uBlock Origin https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm or NoScript https://chrome.google.com/webstore/detail/noscript/doojmbjmlfjjnbmnoijecmcbfeoakpjm. This is highly encouraged, not only for those wishing to be anonymous but also for general web users. Note that some font probing can be done with CSS alone, without JavaScript, which is one reason Tor Browser ships its own bundled fonts and restricts the use of system fonts.
Note: This attack is now prevented by default by an update of NoScript (11.4.8 and above) on all security levels in Tor Browser.
Installing the NoScript extension will prevent the attack by default only in private windows, using its new “TabGuard” feature, but it can be enabled in the NoScript options to work in all windows. See:
The researchers who disclosed the issue also made an extension available. Again, nothing is required in Tor Browser. This path is not our preferred one but is still available if you do not want to use NoScript.
Separating identities via separate browsers or even with VMs is not enough to avoid this attack. However, another solution is to make sure that when you start working with an anonymous identity, you entirely close all activities linked to other identities. The vulnerability only works if you’re actively logged into a non-anonymous identity. The issue with this is that it can hinder effective workflow, as multitasking across multiple identities becomes impossible.
Most of you have probably seen enough Crime dramas on Netflix or TV to know what forensics are. These are technicians (usually working for law enforcement) that will perform various analysis of evidence. This of course could include your smartphone or laptop.
While these might be done by an adversary when you already got “burned”, these might also be done randomly during a routine control or a border check. These unrelated checks might reveal secret information to adversaries that had no prior knowledge of such activities.
Forensics techniques are now very advanced and can reveal a staggering amount of information from your devices even if they are encrypted261. These techniques are widely used by law enforcement all over the world and should be considered.
Here are some recent resources you should read about your smartphone:
UpTurn, The Widespread Power of U.S. Law Enforcement to Search Mobile Phones https://www.upturn.org/reports/2020/mass-extraction/ [Archive.org]
New-York Times, The Police Can Probably Break Into Your Phone https://www.nytimes.com/2020/10/21/technology/iphone-encryption-police.html [Archive.org]
Vice, Cops Around the Country Can Now Unlock iPhones, Records Show https://www.vice.com/en/article/vbxxxd/unlock-iphone-ios11-graykey-grayshift-police [Archive.org]
I also highly recommend that you read some documents from a forensics examiner perspective such as:
EnCase Forensic User Guide, http://encase-docs.opentext.com/documentation/encase/forensic/8.07/Content/Resources/External%20Files/EnCase%20Forensic%20v8.07%20User%20Guide.pdf [Archive.org]
FTK Forensic Toolkit, https://accessdata.com/products-services/forensic-toolkit-ftk [Archive.org]
SANS Digital Forensics and Incident Response Videos, https://www.youtube.com/c/SANSDigitalForensics/videos
And finally, here is a very instructive and detailed paper on the current state of iOS/Android security from Johns Hopkins University: https://securephones.io/main.html262.
When it comes to your laptop, the forensics techniques are many and widespread. Many of those issues can be mitigated by using full disk encryption, virtualization (See Appendix W: Virtualization), and compartmentalization. This guide will later detail such threats and techniques to mitigate them.
There is a frequent adage among the infosec community: “Don’t roll your own crypto!”.
And there are reasons263‘264’265’266 for that:
We would not want people discouraged from studying and innovating in the crypto field because of that adage. So instead, we would recommend being cautious with “roll your own crypto”, because it is not necessarily good crypto:
Good cryptography is not easy and usually takes years of research to develop and fine-tune.
Good cryptography is transparent and not proprietary/closed source so it can be reviewed by peers.
Good cryptography is developed carefully, slowly, and rarely alone.
Good cryptography is usually presented and discussed in conferences and published in various journals.
Good cryptography is extensively peer-reviewed before it is released for use in the wild.
Using and implementing existing good cryptography correctly is already a challenge.
Yet, this is not stopping some from doing it anyway and publishing production apps/services using their self-made cryptography or proprietary closed-source methods:
You should apply caution when using Apps/Services using closed-source or proprietary encryption methods. All the good crypto standards are public and peer-reviewed and there should be no issue disclosing the one you use.
You should be wary of Apps/Services using a “modified” or proprietary cryptographic method267.
By default, you should not trust any “roll your own crypto” until it has been audited, peer-reviewed, vetted, and accepted by the cryptography community268’269.
There is no such thing as “military-grade crypto”270‘271’272.
Cryptography is a complex topic and bad cryptography could easily lead to your de-anonymization.
In the context of this guide, we recommend sticking to apps/services using well-established, published, and peer-reviewed methods.
So, what to prefer and what to avoid as of 2021? You will have to look up the technical details of each app for yourself and see whether it is using “bad crypto” or “good crypto”. Once you have the technical details, you can check this page to see what it is worth: https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html [Archive.org]
Here are some examples:
Hashes:
Prefer: SHA-3 or BLAKE2273
Still relatively ok to use: SHA-2 (such as the widely used SHA-256 or SHA-512)
Avoid: SHA-1, MD5 (unfortunately still widely used), CRC, MD6 (rarely used)
File/Disk Encryption:
Prefer:
Hardware accelerated274: AES (Rijndael) with a 256-bit key (VeraCrypt, KeePassXC, and LUKS use AES-256 by default; BitLocker and FileVault 2 also use AES, but note that BitLocker defaults to 128-bit XTS-AES unless you change the policy). The HMAC-SHA-2 or HMAC-SHA-3 part refers to the password-based key derivation (for example, PBKDF2-HMAC-SHA-512 is VeraCrypt’s default), not to the cipher itself. Prefer SHA-3 where it is offered.
Non-hardware accelerated: same as above, or if available consider:
ChaCha20275 or XChaCha20 (you can use ChaCha20 with Kryptor https://www.kryptor.co.uk; unfortunately, it is not available in VeraCrypt).
Serpent276
TwoFish277
Avoid: Pretty much anything else
Password Storage:
Prefer: Argon2id (or Argon2i). Be skeptical of Argon2d, as its data-dependent memory access makes it vulnerable to some forms of side-channel attack. scrypt and bcrypt are still acceptable.
Avoid: plain (even salted) SHA-3, SHA-2, SHA-1, MD5. These are general-purpose hashes designed to be fast, which is exactly what you do not want for password storage.
Browser Security (HTTPS):
Prefer: TLS 1.3 (ideally TLS 1.3 with ECH/eSNI support) or at least TLS 1.2 (widely used)
Avoid: anything else (TLS 1.1 and older, SSL 3.0 and older)
Signing messages/files with PGP/GPG:
Prefer: EdDSA (Ed25519) for signing together with ECDH on Curve25519 (cv25519 in GnuPG) for encryption, or RSA 4096 bits*
Avoid: RSA 2048 bits
SSH keys:
Prefer: Ed25519, or RSA 4096 bits*
Avoid: RSA 2048 bits
Warning: RSA and Ed25519 are unfortunately not seen as “quantum resistant”279 and, while they have not been broken yet, they will probably be broken someday by a sufficiently large quantum computer. For RSA it is widely considered a matter of when rather than if. They are still preferred in these contexts because no better widely deployed option exists yet.
Here are some real cases of issues with bad cryptography:
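To make the “prefer/avoid” lists above concrete, here is an added example (not code from this guide or from any of the applications it names) that applies two of them with the Python standard library: password storage with a salted, memory-hard KDF beside the “avoid” pattern of a bare fast hash, and an HTTPS client context that refuses TLS 1.1 and older. hashlib.scrypt is used as the standard-library stand-in for Argon2id (which needs the third-party argon2-cffi package); the scrypt cost parameters, the record format and the test password are assumptions chosen for illustration.

```python
"""Added example, not code from the guide or from any project it names:
applying the "prefer / avoid" lists above with the Python standard library.

Password storage: a salted, memory-hard KDF beside the "avoid" pattern of a
bare fast hash. hashlib.scrypt stands in for Argon2id (which needs the
third-party argon2-cffi package); the cost parameters are an assumption for
illustration, not values taken from any named application.

HTTPS: an ssl.SSLContext that refuses TLS 1.1 and older and verifies the
server certificate, which is what "avoid: TLS <= 1.1" amounts to in client
code.
"""
import hashlib
import hmac
import os
import ssl

# scrypt cost parameters (assumption: interactive-login strength).
# Memory use is about 128 * r * n bytes, i.e. 16 MiB here; raise n on
# machines with more RAM. maxmem must stay above that figure or scrypt fails.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_LEN = 16
KEY_LEN = 32


def weak_hash_password(password: str) -> str:
    """The "avoid" pattern: unsalted, fast SHA-256.

    Equal passwords give equal digests (so a leaked table can be matched
    across users and against precomputed lists), and a GPU can test
    billions of guesses per second.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard password hash.

    Returns a self-describing record "$scrypt$n$r$p$salt_hex$key_hex" so the
    cost parameters can be raised later without invalidating old records.
    """
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=KEY_LEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), key.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time. Malformed records verify as False."""
    parts = record.split("$")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "scrypt":
        return False
    try:
        n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
        salt, expected = bytes.fromhex(parts[5]), bytes.fromhex(parts[6])
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, maxmem=SCRYPT_MAXMEM,
                               dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def tls_client_context() -> ssl.SSLContext:
    """Client context matching the HTTPS recommendation above.

    create_default_context() loads the system trust store and requires a
    valid certificate matching the hostname; the explicit minimum_version
    makes the TLS 1.2 floor independent of the Python/OpenSSL defaults.
    TLS 1.3 is negotiated automatically when both sides support it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer would check on a client context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls13_available": ssl.HAS_TLSv1_3,
    }


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed input
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
    print(describe_context(tls_client_context()))
```

The record format stores n, r and p next to the salt, so a deployment can raise the cost for new passwords while old records keep verifying; the constant-time comparison matters because a byte-by-byte `==` on the derived key would leak how much of a guess was correct through timing.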
Telegram: https://democratic-europe.eu/2021/07/20/cryptographers-uncover-four-vulnerabilities-in-telegram/ [Archive.org]
Telegram: https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/ [Archive.org]
Some other examples can be found here: https://www.cryptofails.com/ [Archive.org]
Later on, this guide will not recommend “bad cryptography”, and that should hopefully be enough to protect you.
Many people have the idea that privacy-oriented services such as VPN or E-Mail providers are safe due to their no-logging policies or their encryption schemes. Unfortunately, many of those same people forget that all those providers are legal commercial entities subject to the laws of the countries in which they operate.
Any of those providers can be forced to silently log your activity (without your knowledge, using for example a court order with a gag order280 or a national security letter281) to de-anonymize you. There have been several recent examples of this:
2021, Proton, Proton logged IP address of French activist after an order by Swiss authorities (source link unavailable).
2021, Windscribe: seized servers held the OpenVPN server private keys unencrypted on disk, which could have allowed MITM attacks by the authorities holding them282.
2021, DoubleVPN servers, logs, and account info seized by law enforcement283.
2021, The Germany-based mail provider Tutanota was forced to monitor specific accounts for 3 months284.
2020, The Germany-based mail provider Tutanota was forced to implement a backdoor to intercept and save copies of the unencrypted e-mails of one user285 (they did not decrypt the stored e-mail).
2017, PureVPN was forced to disclose information of one user to the FBI286.
2014, an EarthVPN user was arrested based on logs provided to the Dutch police287.
2013, Secure E-Mail provider Lavabit shuts down after fighting a secret gag order288.
2011, HideMyAss user was de-anonymized, and logs were provided to the FBI289.
Some providers have implemented a warrant canary290 that would allow their users to find out if they have been compromised by such orders, but as far as we know this has not yet been tested in practice.
Finally, it is now well known that some companies might be sponsored front ends for some state adversaries (see the Crypto AG story291 and Omnisec story292).
For these reasons, you must not trust such providers for your privacy despite all their claims. In most cases, you will be the last person to know if any of your accounts were targeted by such orders, and you might never know at all.
To mitigate this, in cases where you want to use a VPN, we will recommend a cash/Monero-paid VPN provider reached over Tor, so that the VPN service never learns any identifiable information about you.
If the VPN provider knows nothing about you, then even a provider that claims not to log but does so anyway has nothing useful to hand over.
(Illustration: an excellent movie we highly recommend: Das Leben der Anderen293)
Many advanced techniques can be used by skilled adversaries294 to bypass your security measures provided they already know where your devices are. Many of those techniques are detailed here https://cyber.bgu.ac.il/advanced-cyber/airgap [Archive.org] (Air-Gap Research Page, Cyber-Security Research Center, Ben-Gurion University of the Negev, Israel) but also in this report https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf [Archive.org] (ESET, JUMPING THE AIR GAP: 15 years of nation-state effort) and include:
Attacks requiring malware implants:
Exfiltration of Data through a Malware infected Router: https://www.youtube.com/watch?v=mSNt4h7EDKo [Invidious]
Exfiltration of Data through observation of Light variation in a Backlit keyboard with a compromised camera: https://www.youtube.com/watch?v=1kBGDHVr7x0 [Invidious]
Exfiltration of Data through a compromised Security Camera (that could first use the previous attack) https://www.youtube.com/watch?v=om5fNqKjj2M [Invidious]
Communication from outsider to compromised Security Cameras through IR light signals: https://www.youtube.com/watch?v=auoYKSzdOj4 [Invidious]
Exfiltration of data from a compromised air-gapped computer through acoustic analysis of the FAN noises with a smartphone https://www.youtube.com/watch?v=v2_sZIfZkDQ [Invidious]
Exfiltration of data from a malware-infected air-gapped computer through HD LEDs with a Drone https://www.youtube.com/watch?v=4vIu8ld68fc [Invidious]
Exfiltration of data from a USB malware on an air-gapped computer through electromagnetic interferences https://www.youtube.com/watch?v=E28V1t-k8Hk [Invidious]
Exfiltration of data from a malware-infected HDD drive through covert acoustic noise https://www.youtube.com/watch?v=H7lQXmSLiP8 [Invidious]
Exfiltration of data through GSM frequencies from a compromised (with malware) air-gapped computer https://www.youtube.com/watch?v=RChj7Mg3rC4 [Invidious]
Exfiltration of data through electromagnetic emissions from a compromised Display device https://www.youtube.com/watch?v=2OzTWiGl1rM&t=20s [Invidious]
Exfiltration of data through magnetic waves from a compromised air-gapped computer to a Smartphone stored inside a Faraday bag https://www.youtube.com/watch?v=yz8E5n1Tzlo [Invidious]
Communication between two compromised air-gapped computers using ultrasonic soundwaves https://www.youtube.com/watch?v=yz8E5n1Tzlo [Invidious]
Exfiltration of Bitcoin Wallet from a compromised air-gapped computer to a smartphone https://www.youtube.com/watch?v=2WtiHZNeveY [Invidious]
Exfiltration of Data from a compromised air-gapped computer using display brightness https://www.youtube.com/watch?v=ZrkZUO2g4DE [Invidious]
Exfiltration of Data from a compromised air-gapped computer through vibrations https://www.youtube.com/watch?v=XGD343nq1dg [Invidious]
Exfiltration of Data from a compromised air-gapped computer by turning RAM into a Wi-Fi emitter https://www.youtube.com/watch?v=vhNnc0ln63c [Invidious]
Exfiltration of Data from a compromised air-gapped computer through power lines https://arxiv.org/pdf/1804.04014.pdf [Archive.org]
Attacks not requiring malware:
Observing a blank wall in a room from a distance to figure how many people are in a room and what they are doing295. Publication with demonstration: http://wallcamera.csail.mit.edu/ [Archive.org]
Observing a reflective bag of snacks in a room from a distance to reconstruct the entire room296. Publication with photographic examples: https://arxiv.org/pdf/2001.04642.pdf [Archive.org]
Measuring floor vibrations to identify individuals and determine their health condition and mood297. Publication with demonstration: https://engineering.cmu.edu/news-events/news/2020/02/17-mauraders-map.html [Archive.org]
Observing a light bulb from a distance to listen to the sound in the room298 without any malware: Demonstration: https://www.youtube.com/watch?v=t32QvpfOHqw [Invidious]. It should be noted that this type of attack is not new at all and there have been articles about such techniques as far back as 2013299 and that you can even buy devices to perform this yourself such as here: http://www.gcomtech.com/ccp0-prodshow/laser-surveillance-laser-listening.html [Archive.org]
Here is also a good video from the same authors to explain those topics: Black Hat, The Air-Gap Jumpers https://www.youtube.com/watch?v=YKRtFgunyj4 [Invidious]
Realistically, this guide will be of little help against such adversaries, since such malware could be implanted on the devices by a manufacturer, by anyone in the middle300, or by anyone with physical access to the air-gapped computer. There are still some ways to mitigate such techniques:
Do not conduct sensitive activity while connected to an untrusted/unsecured power line to prevent power line leaks.
Do not use your devices in front of a camera that could be compromised.
Use your devices in a soundproofed room to prevent sound leaks.
Use your devices in a Faraday cage to prevent electromagnetic leaks.
Do not talk about sensitive information where lightbulbs could be seen from outside.
Buy your devices from different/unpredictable/offline places (shops) where the probability of them being infected with such malware is lower.
Do not let anyone access your air-gapped computers except trusted people.
Have a look at the Whonix Documentation concerning Data Collection techniques here: https://www.whonix.org/wiki/Data_Collection_Techniques [Archive.org]
You might also enjoy looking at this service https://tosdr.org/ [Archive.org] (Terms of Services, Didn’t Read) that will give you a good overview of the various ToS of many services.
Have a look at https://www.eff.org/issues/privacy [Archive.org] for some more resources.
Have a look at https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects [Wikiless] [Archive.org] to have an overview of all known mass-surveillance projects, current, and past.
Have a look at https://www.gwern.net/Death-Note-Anonymity [Archive.org] (even if you don’t know about Death Note).
Consider finding and reading Michael Bazzell’s book “Open-Source Intelligence Techniques” (eighth edition as of this writing to find out more about recent OSINT techniques) https://inteltechniques.com/book1.html
Finally, check https://www.freehaven.net/anonbib/date.html [Archive.org] for the latest academic papers related to Online Anonymity.
If you still do not think such information can be used by various actors to track you, you can see some statistics for yourself for some platforms and keep in mind those are only accounting for the lawful data requests and will not count things like PRISM, MUSCULAR, SORM or XKEYSCORE explained earlier:
Google Transparency Report https://transparencyreport.google.com/user-data/overview [Archive.org]
Facebook Transparency Report https://transparency.facebook.com/ [Archive.org]
Apple Transparency Report https://www.apple.com/legal/transparency/ [Archive.org]
Cloudflare Transparency Report https://www.cloudflare.com/transparency/ [Archive.org]
Snapchat Transparency Report https://www.snap.com/en-US/privacy/transparency [Archive.org]
Telegram Transparency Report https://t.me/transparency [Archive.org] (requires telegram installed)
Microsoft Transparency Report https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report [Archive.org]
Amazon Transparency Report https://www.amazon.com/gp/help/customer/display.html?nodeId=GYSDRGWQ2C2CRYEF [Archive.org]
Dropbox Transparency Report https://www.dropbox.com/transparency [Archive.org]
Discord Transparency Report https://discord.com/blog/discord-transparency-report-q1-2022 [Archive.org]
GitHub Transparency Report https://github.blog/2021-02-25-2020-transparency-report/ [Archive.org]
TikTok Transparency Report https://www.tiktok.com/transparency/en/information-requests-2021-2/ [Archive.org]
Reddit Transparency Report https://www.redditinc.com/policies/transparency-report-2021 [Archive.org]
Twitter Transparency Report https://transparency.twitter.com/ [Archive.org]
Personally, in the context of this guide, it is also interesting to have a look at your security model. And in this context, we only have one to recommend:
Zero-Trust Security301 (“Never trust, always verify”).
Here are some various resources about what Zero-Trust Security is:
DEFCON, Zero Trust a Vision for Securing Cloud, https://www.youtube.com/watch?v=euSsqXO53GY [Invidious]
From the NSA themselves, Embracing a Zero Trust Security Model, https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF [Archive.org]
First, here is a small basic UML diagram showing your available options according to your skills/budget/time/resources.
You have no time at all:
You have extremely limited time to learn and need a fast-working solution:
You have time and more importantly motivation to learn:
You have no budget and even accessing a laptop is complicated or you only have your smartphone:
You only have one laptop available and cannot afford anything else. You use this laptop for either work, family, or your personal stuff (or both):
You can afford a spare dedicated unsupervised/unmonitored laptop for your sensitive activities:
But it is old, slow, and has bad specs (less than 6GB of RAM, less than 250GB disk space, old/slow CPU):
It is not that old, and it has decent specs (at least 8GB of RAM, 250GB of disk space or more, decent CPU):
It is new and it has great specs (more than 16GB or ideally 32GB of RAM, >250GB of disk space, recent fast CPU):
If it is an ARM-based M1/M2 Mac:
Not possible currently for these reasons:
Running Intel x86 images on ARM (M1/M2) hosts requires emulation (e.g., UTM/QEMU), which is slow; the commercial hypervisors (Parallels, Fusion) only run ARM64 guests on these hosts, and none of these options are properly supported by Whonix yet. They are very buggy and for advanced people only. Please seek this information yourself.
Virtualbox is now available natively for ARM64 architecture in a package as of October 2022. Download the “Developer preview for macOS/Arm64 (M1/M2) hosts”.
Whonix does not support macOS easily. “You need to build Whonix using the build script to get it running on Apple Silicon.” See the forum thread.
Tails is not supported on ARM64 architecture yet. See this thread for more information (keep in mind this page hasn’t been updated recently).
Qubes OS is not supported on ARM64 architecture yet. There is work being done to make it available on aarch64, but this may be delayed for the unforeseeable future.
The general advice in this guide regarding virtualization software is that it is demanding in resources (and sometimes money). That said, you should probably get a dedicated laptop capable of running virtualization software, preferably with a 64-bit x86 CPU, to be used for more sensitive activities and testing.
Do you have no IT skills at all, and does the content of this guide look like an alien language to you? Consider:
The Tor Browser route (simplest of all)
The Tails route (excluding the persistent plausible deniability section).
You have some IT skills and mostly understand this guide so far, consider:
The Tails route (with the optional persistent plausible deniability section).
The Whonix route.
You have moderate to high IT skills, and you are already familiar with some of the content of this guide, consider:
You are an l33T hacker, “there is no spoon”, “the cake is a lie”, you have been using “doas” for years, and “all your base is belong to us”, and you have strong opinions on systemd.
Now that you know what is possible, you should also consider threats and adversaries before picking the right route.
If your main concern is a forensic examination of your devices, you should consider the Tor Browser route or the Tails route.
If your main concerns are remote adversaries that might uncover your online identity on various platforms, you should consider the Tails, Whonix, or Qubes OS routes (listed in order of difficulty).
If you want system-wide plausible deniability303‘304 despite the risks305’306, consider the Tails route, including the persistent plausible deniability section (see Persistent Plausible Deniability using Whonix within Tails).
If you are in a hostile environment where Tor/VPN usage alone is impossible/dangerous/suspicious, consider the Tails route (without actually using Tor), or more advanced routes like Whonix or Qubes OS.
Low skills:
Low resources:
Medium resources:
Low to Medium motivation: Any Route
High motivation: TAILS, Whonix, Qubes OS Routes
High resources:
Low motivation: Any route
Medium to High motivation: TAILS, Whonix, Qubes OS Routes
Intermediate skills:
Low resources:
Low motivation: Any Route
Medium to High motivation: TAILS, Whonix, Qubes OS Routes
Medium resources:
Low motivation: Any Route
Medium to High motivation: TAILS, Whonix, Qubes OS Routes
High resources:
Highly skilled:
Low resources:
Low motivation: Any Route
Medium to High motivation: TAILS, Whonix, Qubes OS Routes
Medium resources:
High resources:
In all cases, you should read these two pages from the Whonix documentation that will give you in-depth insight into your choices:
You might be asking yourself: “How do I know if I’m in a hostile online environment where activities are actively monitored and blocked?”
First read more about it at the EFF here: https://ssd.eff.org/en/module/understanding-and-circumventing-network-censorship [Archive.org]
Check some data yourself here on the Tor Project OONI307 (Open Observatory of Network Interference) website: https://explorer.ooni.org/
Have a look at https://censoredplanet.org/ and see if they have data about your country.
Specific to China, look at https://gfwatch.org/ and https://www.usenix.org/system/files/sec21-hoang.pdf [Archive.org]
Test for yourself using OONI (this can be risky in a hostile environment).
See Appendix A2: Guidelines for passwords and passphrases.
Skip this step if you have no intention of creating anonymous accounts on most mainstream platforms but just want anonymous browsing or if the platforms you will use allow registration without a phone number.
This is rather easy. Leave your smartphone on and at home. Have some cash and go to some random flea market or small shop (ideally one without CCTV inside or outside and while avoiding being photographed/filmed) and just buy the cheapest phone you can find with cash and without providing any personal information. It only needs to be in working order.
A note regarding your current phone: the point of leaving your smartphone on is to avoid leaking the fact that you are not using the device. If a smartphone is turned off, this creates a metadata trail that can be used to correlate the time your smartphone was turned off with the activation of your burner. If possible, leave your phone doing something (for example, watching YouTube on auto-play) to obscure the metadata trail further. This will not make it impossible to correlate your inactivity, but it may make it more difficult if your phone’s usage pattern looks convincing while you buy your burner.
We would recommend getting an old “dumbphone” with a removable battery (an old Nokia, if your mobile networks still allow those to connect, as some countries have phased out 2G completely). This is to avoid the automatic sending/gathering of any telemetry/diagnostic data by the phone itself. You should never connect that phone to any Wi-Fi.
Side note: be careful of some sellers, as shown here https://therecord.media/malware-found-preinstalled-in-classic-push-button-phones-sold-in-russia/ [Archive.org]
It will also be crucial not to power on that burner phone ever (not even without the SIM card) in any geographical location that could lead to you (at your home/work for instance) and never at the same location as your other known smartphone (because that one has an IMEI/IMSI that will easily lead to you). This might seem like a big burden, but it is not as these phones are only being used during the setup/sign-up process and for verification from time to time.
See Appendix N: Warning about smartphones and smart devices
You should test that the phone is in working order before going to the next step. But we will repeat ourselves and state that it is important to leave your smartphone at home when going (or turn it off before leaving if you must keep it) and that you test the phone at a random location that cannot be tracked back to you (and again, do not do that in front of a CCTV, avoid cameras, be aware of your surroundings). No need for Wi-Fi at this place either.
When you are certain the phone is in working order, disable Bluetooth then power it off (remove the battery if you can) and go back home and resume your normal activities. Go to the next step.
This is the hardest part of the whole guide. It is a SPOF (Single Point of Failure). The places where you can still buy prepaid SIM cards without ID registration are getting increasingly limited due to various KYC type regulations308.
So here is a list of places where you can still get them now: https://prepaid-data-sim-card.fandom.com/wiki/Registration_Policies_Per_Country [Archive.org]
You should be able to find a place that is “not too far” and just go there physically to buy some pre-paid cards and top-up vouchers with cash. Do verify that no law was passed before going that would make registration mandatory (in case the above wiki was not updated). Try to avoid CCTV and cameras and do not forget to buy a Top-Up voucher with the SIM card (if it is not a package) as most pre-paid cards will require a top-up before use.
See Appendix N: Warning about smartphones and smart devices
Double-check that the mobile operators selling the pre-paid SIM cards will accept the SIM activation and top-up without any ID registration of any kind before going there. Ideally, they should accept SIM activation and top-up from the country you live in.
We would recommend GiffGaff in the UK as they are “affordable”, do not require identification for activation and top-up, and will even allow you to change your number up to two times from their website. One GiffGaff prepaid SIM card will therefore grant you three numbers to use for your needs.
Power off the phone after activation/top-up and before going home. Do not ever power it on again unless you are at a place that cannot be tied to your identity, and ideally leave your real phone on at home before going to the safe place with only your burner phone.
DISCLAIMER: Do not attempt this until you are done setting up a secure environment according to one of the selected routes. This step will require online access and should only be done from an anonymous network. Do not do this from any known/unsecured environment. Skip this until you have finished one of the routes.
There are many commercial services offering numbers to receive SMS messages online, but most of those offer no anonymity/privacy and are of little help anyway, as most social media platforms limit how many times a phone number can be used for registration.
There are some forums and subreddits (like r/phoneverification/) where users will offer the service of receiving such SMS messages for you for a small fee (using PayPal or some crypto payment). Unfortunately, these are full of scammers and very risky in terms of anonymity. You should not use those under any circumstance.
To date, we do not know of any reputable service that offers this and accepts cash payments (by post, for instance) like some VPN providers do. But a few services provide online phone numbers and do accept Monero, which could be reasonably anonymous (yet less recommended than the physical way described in the earlier chapter). You could consider:
Recommended: Do not require any identification (even e-mail):
(Iceland based, accepts Monero) https://crypton.sh [Tor Mirror] [Archive.org]
(Ukraine based, accepts Monero) https://virtualsim.net/ [Archive.org]
Do require identification (valid e-mail):
(US California based, accepts Monero) https://mobilesms.io [Archive.org]
(Germany based, accepts Monero) https://www.sms77.io/ [Archive.org]
(Russia based, accepts Monero) https://onlinesim.ru/ [Archive.org]
There are some other possibilities listed here https://cryptwerk.com/companies/sms/xmr/ [Archive.org]. Use at your own risk.
Now, what if you have no money? Well, in that case, you will have to try your luck with free services and hope for the best. Here are some examples, use at your own risk:
Disclaimer: We cannot vouch for any of these providers. We recommend doing it yourself physically. In this case, you will have to rely on the anonymity of Monero and you should not use any service that requires any kind of identification using your real identity. Please do read Appendix B2: Monero Disclaimer.
It is more convenient, cheaper, and less risky to just get a pre-paid SIM card from one of the physical places that still sell them for cash without ID.
Skip this step if you have no intention of creating anonymous accounts on most mainstream platforms but just want anonymous browsing, or if the platforms you will use allow registration without a phone number.
Get at least one or two decent size generic USB keys (at least 16GB but we would recommend 32GB).
Please do not buy or use gimmicky self-encrypting devices such as these: https://syscall.eu/blog/2018/03/12/aigo_part1/ [Archive.org]
Some might be very effective309, but many are gimmicky gadgets that offer no real protection310.
You need to find safe places where you will be able to do your sensitive activities using some publicly accessible Wi-Fi (without any account/ID registration, avoid CCTVs).
This can be anywhere that will not be tied to you directly (your home/work) and where you can use the Wi-Fi for a while without being bothered. But also, a place where you can do this without being “noticed” by anyone.
If you think Starbucks is a clever idea, you may reconsider:
They probably have CCTVs in all their shops and keep those recordings for an unknown amount of time.
You will need to buy a coffee to get the Wi-Fi access code in most of them. If you pay for this coffee with an electronic method, they will be able to tie your Wi-Fi access to your identity.
Situational awareness is key, and you should be constantly aware of your surroundings and avoid touristy places as if they were plagued by Ebola. You want to avoid appearing in any picture/video of anyone while someone is taking a selfie, making a TikTok video, or posting some travel pictures on their Instagram. If you do, remember that chances are high those pictures will end up online (publicly or privately) with full metadata attached (time/date/geolocation) and your face. Remember that these can and will be indexed by Facebook/Google/Yandex/Apple and probably all the three-letter agencies.
While this will not be available yet to your local police officers, it could be in the near future.
You will ideally need a set of 3-5 separate places such as this to avoid using the same place twice. Several trips will be needed over the weeks for the various steps in this guide.
You could also consider connecting to these places from a safe distance for added security. See Appendix Q: Using long-range Antenna to connect to Public Wi-Fis from a safe distance.
This part of the guide will help you in setting up the simplest and easiest way to browse the web anonymously. It is not necessarily the best method and there are more advanced methods below with (much) better security and (much) better mitigations against various adversaries. Yet, this is a straightforward way of accessing resources anonymously and quickly with no budget, no time, no skills, and limited usage.
So, what is Tor Browser? Tor Browser (https://www.torproject.org/ [Archive.org]) is a web browser like Safari/Firefox/Chrome/Edge/Brave designed with privacy and anonymity in mind.
This browser is different from other browsers as it will connect to the internet through the Tor Network using Onion Routing. We first recommend that you watch this very nice introduction video by the Tor Project themselves: https://www.youtube.com/watch?v=JWII85UlzKw [Invidious]. After that, you should probably head over to their page to read their quick overview here: https://2019.www.torproject.org/about/overview.html.en [Archive.org]. Without going into too many technical details, Tor Browser is an easy and simple “fire and forget” solution to browse the web anonymously from pretty much any device. It is probably sufficient for most people and can be used from any computer or smartphone.
Here are several ways to set it up for all main OSes.
Warning: You should avoid installing extensions in Tor Browser, as they can be used to fingerprint and identify you.
Please see Appendix Y: Installing and using desktop Tor Browser.
Note on Tor Browser for Android: The development of Tor Browser for Android is behind desktop Tor Browser Bundle (TBB). Some features are not available yet. E.g., the desktop version of Tor now enables automatic bridges using Moat:
“Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent). It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org.”
Head over to:
Play Store: https://play.google.com/store/apps/details?id=org.torproject.torbrowser
F-Droid Store: It’s not yet there but you can add it manually following the instructions at https://support.torproject.org/tormobile/tormobile-7/ [Archive.org]
Install
Launch Tor Browser
After launching, click the upper right Settings icon
Select Settings > Privacy and security > Tor network
Select Config Bridge.
If needed (after reading the appendix above), activate the option and select the type of bridge you want:
Obfs4
Meek-Azure
Snowflake
If your internet isn’t censored, consider running one of the bridge types to help the network!
Easy: Obfs4 - You can run your own Obfs4 bridge easily with these instructions. https://community.torproject.org/relay/setup/bridge/
Medium: Snowflake - More about Snowflakes here. https://snowflake.torproject.org/
Hard: Meek - This is the documentation. It’s not as simple. https://gitlab.torproject.org/legacy/trac/-/wikis/doc/meek/#how-to-run-a-meek-server-bridge
Personally, if you need to use a Bridge (this is not necessary for a non-hostile environment), you should pick a Meek-Azure. Those will probably work even if you are in China and want to bypass the Great Firewall. It is probably the best option to obfuscate your Tor activities if needed and Microsoft servers are usually not blocked.
Only available for Desktop Tor users: Recently, the Tor Project has made it incredibly simple to access Bridges with Connection Assist, and it is now done automatically in hostile or censored regions. Simply open Tor Browser and the connection will be configured based on your needs on any hostile network. Previously, we had a list of options below this paragraph that were necessary to enable and configure bridges, but this is now done automatically using moat. [Archive.org]
As with the desktop version, you need to know there are safety levels in Tor Browser. On Android, you can access these by following these steps:
Click the menu (bottom right)
Click Settings.
Head over to the Privacy and security section.
Click Security Settings.
You will find details about each level here: https://tb-manual.torproject.org/security-settings/ [Archive.org] but here is a summary:
Standard (the default):
Safer:
JavaScript is disabled on non-HTTPS websites
Some fonts and symbols are disabled
Any media playback is “click to play” (disabled by default)
Safest:
JavaScript is disabled everywhere
Some fonts and symbols are disabled
Any media playback is “click to play” (disabled by default)
We would recommend the “Safer” level for most cases. The Safest level should be enabled if you think you are accessing suspicious or dangerous websites and/or if you are extra paranoid.
If you are extra paranoid, use the “Safest” level by default and consider downgrading to Safer if the website is unusable because of JavaScript blocking.
However, the Safer level should be used with some extra precautions while using some websites: see Appendix A5: Additional browser precautions with JavaScript enabled.
Now, you are really done, and you can now surf the web anonymously from your Android device.
Please see Warning for using Orbot on Android.
Disclaimer: Onion Browser, following a 2018 release on iOS, has had IP leaks via WebRTC. It is still the only officially endorsed browser for the Tor network for iOS. Users should exercise caution when using the browser and check for any DNS leaks.
While the official Tor Browser is not yet available for iOS, there is an alternative called Onion Browser endorsed by the Tor Project311.
Head over to https://apps.apple.com/us/app/onion-browser/id519296448
Install
Disable Wi-Fi and Mobile Data
Launch Onion Browser
After launching, click the upper right Settings icon (Wi-Fi and Mobile Data were disabled earlier to prevent Onion Browser from connecting automatically and to allow access to these options).
Select “Bridge Configuration” and read Appendix X: Using Tor bridges in hostile environments
If needed (after reading the appendix above), activate the option and select the type of bridge you want:
Obfs4
Snowflake
(Meek-Azure is unfortunately not available on Onion Browser for iOS; see commit 21bc18428 for more information.)
If your internet isn’t censored, consider running one of the bridge types to help the network!
Easy: Obfs4 - You can run your own Obfs4 bridge easily with these instructions. https://community.torproject.org/relay/setup/bridge/
Medium: Snowflake - More about Snowflakes here. https://snowflake.torproject.org/
Hard: Meek - This is the documentation. It’s not as simple. https://gitlab.torproject.org/legacy/trac/-/wikis/doc/meek/#how-to-run-a-meek-server-bridge
Personally, if you need to use a Bridge (this is not necessary for a non-hostile environment), you should pick a Snowflake one (since Meek-Azure bridges are not available). Those will probably work even if you are in China and want to bypass the Great Firewall. It is probably the best option you have on iOS.
As with the desktop version, you need to know there are safety levels in Onion Browser. On iOS, you can access these by following these steps:
Click the shield icon (upper left)
You will have three levels to pick from:
Gold:
JavaScript is disabled
WebSockets, Geolocation, and XHR are disabled
No Video or Audio
Links cannot open Apps
WebRTC is blocked
Mixed HTTP/HTTPS is blocked
Ads and Pop-Ups are blocked
Silver:
JavaScript partially allowed
WebSockets, Geolocation, and XHR are disabled
No Video or Audio
Links cannot open Apps
WebRTC is blocked
Mixed HTTP/HTTPS is blocked
Ads and Pop-Ups are blocked
Bronze:
JavaScript allowed
Audio and Video allowed
Links cannot open Apps
WebRTC is not blocked
Mixed HTTP/HTTPS is not blocked
Ads and Pop-Ups are blocked
We would recommend the “Silver” level for most cases. The Gold level should only be enabled if you think you are accessing suspicious or dangerous websites or if you are extra paranoid. The Gold mode will also most likely break many websites that rely actively on JavaScript.
As JavaScript is enabled in the Silver mode, please see Appendix A5: Additional browser precautions with JavaScript enabled.
Now, you are really done, and you can now surf the web anonymously from your iOS device.
This route is the easiest but is not designed to resist highly skilled adversaries. It is however usable on any device regardless of the configuration. This route is also vulnerable to correlation attacks (See Your Anonymized Tor/VPN traffic) and is blind to anything that might be on your device (this could be any malware, exploit, virus, remote administration software, parental controls…). Yet, if your threat model is quite low, it is probably sufficient for most people.
If you have time and want to learn, we recommend going for other routes instead as they offer far better security and mitigate far more risks while lowering your attack surface considerably.
This part of the guide will help you in setting up Tails if one of the following is true:
You cannot afford a dedicated laptop
Your dedicated laptop is just too old and too slow
You have very low IT skills
You decide to go with Tails anyway
Tails312 stands for The Amnesic Incognito Live System. It is a bootable Live Operating System running from a USB key that is designed for leaving no traces and forcing all connections through the Tor network.
You insert the Tails USB key into your laptop, boot from it and you have a full operating system running with privacy and anonymity in mind. As soon as you shut down the computer, everything will be gone unless you saved it somewhere.
Tails is an amazingly straightforward way to get going in no time with what you have and without much learning. It has extensive documentation and tutorials.
WARNING: Tails is not always up to date with their bundled software. And not always up to date with the Tor Browser updates either. You should always make sure you are using the latest version of Tails and you should use extreme caution when using bundled apps within Tails that might be vulnerable to exploits and reveal your location313.
It does however have some drawbacks:
Tails uses Tor and therefore you will be using Tor to access any resource on the internet. This alone will make you suspicious to most platforms where you want to create anonymous accounts (this will be explained in more detail later).
Your ISP (whether it is yours or some public Wi-Fi) will also see that you are using Tor, and this could make you suspicious in itself.
Tails does not include (natively) some of the software you might want to use later which will complicate things quite a bit if you want to run some specific things (Android Emulators for instance).
Tails uses Tor Browser which while it is very secure will be detected as well by most platforms and will hinder you in creating anonymous identities on many platforms.
Tails will not protect you more from the 5$ wrench314.
Tor in itself might not be enough to protect you from an adversary with enough resources as explained earlier.
Important Note: If your laptop is monitored/supervised and some local restrictions are in place, please read Appendix U: How to bypass (some) local restrictions on supervised computers.
You should also read Tails Documentation, Warnings, and limitations, before going further https://tails.boum.org/doc/about/warnings/index.en.html [Archive.org]
Taking all this into account and the fact that their documentation is great, we will just redirect you towards their well-made and well-maintained tutorial:
https://tails.boum.org/install/index.en.html [Archive.org], pick your flavor and proceed.
If you’re having an issue accessing Tor due to censorship or other issues, you can try using Tor Bridges by following this Tails tutorial: https://tails.boum.org/doc/anonymous_internet/tor/index.en.html [Archive.org] and find more information about these on Tor Documentation https://2019.www.torproject.org/docs/bridges [Archive.org]
If you think using Tor alone is dangerous/suspicious, see Appendix P: Accessing the internet as safely as possible when Tor/VPN is not an option
When using Tor Browser, you should click the little shield Icon (upper right, next to the Address bar) and select your Security level (see https://tb-manual.torproject.org/security-settings/ [Archive.org] for details). Basically, there are three.
Standard (the default):
Safer:
JavaScript is disabled on non-HTTPS websites
Some fonts and symbols are disabled
Any media playback is “click to play” (disabled by default)
Safest:
JavaScript is disabled everywhere
Some fonts and symbols are disabled
Any media playback is “click to play” (disabled by default)
We would recommend the “Safer” level for most cases. The Safest level should be enabled if you think you are accessing suspicious or dangerous websites or if you are extra paranoid. The Safest mode will also most likely break many websites that rely actively on JavaScript.
If you are extra paranoid, use the “Safest” level by default and consider downgrading to Safer if the website is unusable because of JavaScript blocking.
Lastly, while using Tor Browser on Tails on the “Safer” level, please consider Appendix A5: Additional browser precautions with JavaScript enabled
When you are done and have a working Tails on your laptop, go to the Creating your anonymous online identities step much further in this guide or if you want persistence and plausible deniability, continue with the next section.
Consider checking the https://github.com/aforensics/HiddenVM [Archive.org] project for Tails.
This project is a clever idea of a one-click self-contained VM solution that you could store on an encrypted disk using plausible deniability315 (see The Whonix route: first chapters and also for some explanations about Plausible deniability, as well as the How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives: section at the end of this guide for more understanding).
This would allow the creation of a hybrid system mixing Tails with the Virtualization options of the Whonix route in this guide.
Note: See Pick your connectivity method in the Whonix Route for more explanations about Stream Isolation
In short:
You could run non-persistent Tails from one USB key (following their recommendations)
You could store persistent VMs within a secondary container that could be encrypted normally or using the Veracrypt plausible deniability feature (these could be Whonix VMs for instance or any other).
You do benefit from the added Tor Stream Isolation feature (see Tor over VPN for more info about stream isolation).
In that case, as the project outlines it, there should be no traces of any of your activities on your computer and the sensitive work could be done from VMs stored into a Hidden container that should not be easily discoverable by a soft adversary.
This option is particularly interesting for “traveling light” and to mitigate forensics attacks while keeping persistence on your work. You only need 2 USB keys (one with Tails and one with a Veracrypt container containing persistent Whonix). The first USB key will appear to contain just Tails and the second USB will appear to contain just random garbage but will have a decoy volume which you can show for plausible deniability.
You might also wonder if this will result in a “Tor over Tor” setup, but it will not. The Whonix VMs will be accessing the network directly through clearnet and not through Tails Onion Routing.
In the future, this could also be supported by the Whonix project themselves as explained here: https://www.whonix.org/wiki/Whonix-Host [Archive.org] but it is not yet recommended as of now for end-users.
Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture. As a matter of fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [Archive.org]
Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means.
See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]
CAUTION: Please see Appendix K: Considerations for using external SSD drives and Understanding HDD vs SSD sections if you consider storing such hidden VMs on an external SSD drive:
Do not use hidden volumes on SSD drives as this is not supported/recommended by Veracrypt316.
Use file containers instead of encrypted volumes.
Make sure you do know how to clean data from an external SSD drive properly.
Here is my guide on how to achieve this:
Download the latest HiddenVM release from https://github.com/aforensics/HiddenVM/releases [Archive.org]
Download the latest Whonix XFCE release from https://www.whonix.org/wiki/VirtualBox/XFCE [Archive.org]
Prepare a USB Key/Drive with Veracrypt
Create a Hidden Volume on the USB/Key Drive (We would recommend at least 16GB for the hidden volume)
In the Outer Volume, place some decoy files
In the Hidden Volume, place the HiddenVM appimage file
In the Hidden Volume, place the Whonix XFCE ova file
Boot into Tails
Set up the keyboard layout as you want.
Select Additional Settings and set an administrator (root) password (needed for installing HiddenVM)
Start Tails
Connect to a safe wi-fi (this is a required step for the rest to work)
Go into Utilities and Unlock your Veracrypt (hidden) Volume (do not forget to check the hidden volume checkbox)
Launch the HiddenVM appimage
When prompted to select a folder, select the Root of the Hidden volume (where the Whonix OVA and HiddenVM app image files are).
Let it do its thing (This will install Virtualbox within Tails with one click)
When it is done, it should automatically start Virtualbox Manager.
Import the Whonix OVA files (see Whonix Virtual Machines:)
Note, if during the import you are having issues such as “NS_ERROR_INVALID_ARG (0x80070057)”, this is probably because there is not enough disk space on your Hidden volume for Whonix. Whonix themselves recommend 32GB of free space but that’s probably not necessary and 10GB should be enough for a start. You can try working around this error by renaming the Whonix .OVA file to .TAR and decompressing it within Tails. When you are done with decompression, delete the OVA file and import the other files with the Import wizard. This time it might work.
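An OVA file is simply an uncompressed tar archive holding the .ovf descriptor and the disk images, which is why the rename-to-.TAR workaround above works. The following Python example is added here and is not code from HiddenVM, Whonix or this guide: it lists what an OVA contains, compares the free space at the destination (your hidden volume) with the unpacked size before you attempt the import, and unpacks the archive into a folder from which the .ovf can be handed to VirtualBox's import wizard. The make_sample_ova helper builds a tiny constructed OVA so the functions can be exercised without the real Whonix download; the member names and sizes inside it are made up, and the 20% safety margin in check_space is my own choice.

```python
import io
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed sample members (NOT the real Whonix archive): a tiny OVF
# descriptor and a fake disk image, used only to exercise the functions.
SAMPLE_MEMBERS = [
    ("sample.ovf", b"<Envelope/>"),           # 11 bytes
    ("sample-disk001.vmdk", b"\x00" * 4096),  # 4096 bytes
]


def make_sample_ova() -> Path:
    """Write the constructed members into an uncompressed tar named *.ova."""
    workdir = Path(tempfile.mkdtemp(prefix="ova-demo-"))
    ova = workdir / "sample.ova"
    with tarfile.open(ova, "w") as tar:  # "w" = plain tar, no compression, like a real OVA
        for name, payload in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return ova


def ova_members(ova_path) -> List[Tuple[str, int]]:
    """Return (name, size) for every regular file inside the OVA."""
    with tarfile.open(ova_path, "r") as tar:
        return [(m.name, m.size) for m in tar.getmembers() if m.isfile()]


def required_bytes(ova_path) -> int:
    """Space the unpacked members occupy; VirtualBox needs at least this much
    on the hidden volume (converted disks may grow further afterwards)."""
    return sum(size for _, size in ova_members(ova_path))


def check_space(ova_path, target_dir=None, margin: float = 1.2) -> dict:
    """Compare free space at target_dir (default: the OVA's own folder) with
    the unpacked size plus a safety margin for VirtualBox's working files."""
    ova = Path(ova_path)
    target = Path(target_dir) if target_dir else ova.parent
    needed = int(required_bytes(ova) * margin)
    free = shutil.disk_usage(target).free
    return {"needed": needed, "free": free, "ok": free >= needed}


def unpack_ova(ova_path, target_dir=None) -> Path:
    """Unpack the OVA (the manual 'rename to .TAR' workaround, automated) and
    return the .ovf descriptor to hand to VirtualBox's import wizard.
    Member paths are validated first so a crafted archive cannot write
    outside target_dir."""
    ova = Path(ova_path)
    target = Path(target_dir) if target_dir else ova.parent / "unpacked"
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(ova, "r") as tar:
        for m in tar.getmembers():
            if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
                raise ValueError(f"refusing unsafe member path: {m.name}")
        try:
            tar.extractall(target, filter="data")  # Python 3.12+ (and backports)
        except TypeError:
            tar.extractall(target)  # older Pythons: paths were checked above
    ovfs = sorted(target.glob("*.ovf"))
    if not ovfs:
        raise FileNotFoundError("no .ovf descriptor found in the archive")
    return ovfs[0]


if __name__ == "__main__":
    sample = make_sample_ova()
    for name, size in ova_members(sample):
        print(f"{size:>10}  {name}")
    print("space check:", check_space(sample))
    print("descriptor:", unpack_ova(sample))
```

Run check_space with the real Whonix .ova and the mount point of your unlocked hidden volume before launching the import wizard; if "ok" is False, the NS_ERROR_INVALID_ARG failure described above is the likely outcome, and a larger hidden volume is the fix rather than the unpacking trick.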
Boot into Tails
Connect to Wi-Fi
Unlock your Hidden Volume
Launch the HiddenVM App
This should automatically open VirtualBox manager and show your earlier VMs from the first run
Ideally, you should get a dedicated laptop that cannot be easily tied to you (ideally paid for in cash anonymously and using the same precautions as previously mentioned for the phone and the SIM card). This is recommended but not mandatory. This guide will help you harden your laptop as much as possible to prevent data leaks through various means. There will be several lines of defense standing between your online identities and yourself, which should prevent most adversaries from de-anonymizing you, besides state/global actors, for whom it would still take considerable resources.
This laptop should ideally be a clean, freshly installed laptop (running Windows, Linux, or macOS); which is clean of your normal day-to-day activities; and which is offline (never connected to your home network). In the case of a Windows laptop, and if you used it before such a clean install, it should also not be activated. Simply reinstall without a product key in the case that it came pre-activated. Specifically, in the case of MacBooks, it should never have been tied to your identity before in any means. So, buy secondhand with cash from an unknown stranger who does not know your identity.
This is to mitigate some future issues in case of online leaks (including telemetry from your OS or Apps) that could compromise any unique identifiers of the laptop while using it (MAC Address, Bluetooth Address, and Product key …). But also, to avoid being tracked back if you need to dispose of the laptop.
If you used this laptop before for different purposes (like your day-to-day activities), all its hardware identifiers are probably known and registered by Microsoft or Apple. If later any of those identifiers is compromised (by malware, telemetry, exploits, human errors …) they could lead back to you.
The laptop should have at least 250GB of disk space, at least 6GB (ideally 8GB or 16GB) of RAM, and should be able to run a couple of Virtual Machines at the same time. It should have a working battery that lasts a few hours. You should aim for something with large storage (1TB+) if possible because we will need as much as possible.
This laptop could have an HDD (7200rpm) or an SSD/NVMe drive. Both possibilities have their benefits and issues that will be detailed later.
All future online steps performed with this laptop should ideally be done from a safe network such as Public Wi-Fi in a safe place (see Find some safe places with decent public Wi-Fi). But several steps will have to be taken offline first.
We would strongly recommend getting a “business grade” laptop (meaning not consumer/gaming-grade laptop) if you can. For instance, some ThinkPad from Lenovo (my personal favorite).
This is because those business laptops usually offer better and more customizable security features (especially in the BIOS/UEFI settings) with longer support than most consumer laptops (Asus, MSI, Gigabyte, Acer…). The interesting features to look for are:
Better custom Secure Boot settings (where you can selectively manage all the keys and not just use the Standard ones)
HDD/SSD passwords in addition to just BIOS/UEFI passwords.
AMD laptops could be more interesting as some provide the ability to disable AMD PSP (the AMD equivalent of Intel IME) from the BIOS/UEFI settings by default. And, because AFAIK, AMD PSP was audited and contrary to IME was not found to have any “evil” functionalities317. However, if you are going for the Qubes OS Route consider Intel CPUs as Qubes OS does not support AMD with their anti-evil-maid system318.
Secure Wipe tools from the BIOS (especially useful for SSD/NVMe drives, see Appendix M: BIOS/UEFI options to wipe disks in various Brands).
Better control over the disabling/enabling of select peripherals (USB ports, Wi-Fis, Bluetooth, Camera, Microphone …).
Better security features with Virtualization.
Native anti-tampering protections.
Longer support with BIOS/UEFI updates (and subsequent BIOS/UEFI security updates).
Some are supported by Libreboot
These settings can be accessed through the boot menu of your laptop. Here is a good tutorial from HP explaining all the ways to access the BIOS on various computers: https://store.hp.com/us/en/tech-takes/how-to-enter-bios-setup-windows-pcs [Archive.org]
Usually, you access it by pressing a specific key (F1, F2, or Del) at boot (before your OS starts).
Once you are in there, you will need to apply a few recommended settings:
Disable Bluetooth completely if you can.
Disable biometrics (fingerprint scanners) if you have any and if you can. You could, however, keep biometrics as an additional check for booting only (pre-boot), but not for accessing the BIOS/UEFI settings.
Disable the Webcam and Microphone if you can.
Enable BIOS/UEFI password and use a long passphrase instead of a password (if you can) and make sure this password is required for:
Accessing the BIOS/UEFI settings themselves
Changing the Boot order
Startup/Power-on of the device
Enable HDD/SSD password if the feature is available. This feature will add another password on the HDD/SSD itself (not in the BIOS/UEFI firmware) that will prevent this HDD/SSD from being used in a different computer without the password. Note that this feature is also specific to some manufacturers and could require specific software to unlock this disk from a completely different computer.
Prevent accessing the boot options (the boot order) without providing the BIOS/UEFI password if you can.
Disable USB/HDMI or any other port (Ethernet, Firewire, SD card …) if you can.
Disable Intel ME if you can (odds are very high you can’t).
Disable AMD PSP if you can (AMD’s equivalent to IME, see Your CPU)
Disable Secure Boot if you intend to use Qubes OS as they do not support it out of the box319. Keep it on if you intend to use Linux/Windows.
Check if your laptop BIOS has a secure erase option for your HDD/SSD that could be convenient in case of need.
Only enable those on a “need to use” basis and disable them again after use. This can help mitigate some attacks in case your laptop is seized while locked but still on OR if you had to shut it down rather quickly and someone took possession of it (this topic will be explained later in this guide).
So, what is Secure Boot320? In short, it is a UEFI security feature designed to prevent your computer from booting an operating system whose bootloader was not signed by specific keys stored in the UEFI firmware of your laptop.
When the operating system (or the Bootloader321) supports it, you can store the keys of your bootloader in your UEFI firmware, and this will prevent booting up any unauthorized Operating System (such as a live OS USB or anything similar).
Secure Boot settings are protected by the password you set up to access the BIOS/UEFI settings. Only someone who knows that password can disable Secure Boot and allow unsigned OSes to boot on your system. This can help mitigate some Evil Maid attacks (explained later in this guide).
In most cases, Secure Boot is disabled by default or is enabled but in “setup” mode which will allow any system to boot. For Secure Boot to work, your Operating System will have to support it and then sign its bootloader and push those signing keys to your UEFI firmware. After that, you will have to go to your BIOS/UEFI settings and save those pushed keys from your OS and change the Secure Boot from setup to user mode (or custom mode in some cases).
After doing that step, only the Operating Systems from which your UEFI firmware can verify the integrity of the bootloader will be able to boot.
Most laptops will have some default keys already stored in the secure boot settings. Usually, those are from the manufacturer itself or some companies such as Microsoft. So, this means that by default, it will always be possible to boot some USB disks even with secure boot. These include Windows, Fedora, Ubuntu, Mint, Debian, CentOS, OpenSUSE, Tails, Clonezilla, and many others. Secure Boot is however not supported at all by Qubes OS at this point.
In some laptops, you can manage those keys and remove the ones you do not want with a “custom mode” to only authorize your bootloader that you could sign yourself if you want to.
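To verify which of these states your firmware is actually in from a running Linux system (for instance from a live USB before you commit to a setup), here is a Python example added for this guide; it is not code from the guide itself or from any UEFI tool. It reads the SecureBoot and SetupMode variables that the Linux kernel exposes under /sys/firmware/efi/efivars, strips the 4-byte attribute word that efivarfs prefixes to every variable, and reports whether Secure Boot is actually enforcing (enabled and in user mode) or merely switched on while the firmware is still in setup mode. The verdict strings and the dictionary layout are my own choices; on most distributions mokutil --sb-state reports the same thing.

```python
import struct
from pathlib import Path
from typing import Optional

# efivarfs exposes each UEFI variable as "<Name>-<VendorGUID>". SecureBoot and
# SetupMode are defined under the EFI global variable GUID from the UEFI spec.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def decode_efivar(raw: bytes) -> bytes:
    """Strip the 4-byte little-endian attribute word that efivarfs prepends
    to every variable file and return only the variable's data."""
    if len(raw) < 4:
        raise ValueError("efivar file is too short to carry an attribute word")
    (_attributes,) = struct.unpack("<I", raw[:4])  # e.g. NV|BS|RT flags; not needed here
    return raw[4:]


def read_efivar(name: str, efivars_dir: Path = EFIVARS_DIR) -> Optional[bytes]:
    """Read one global UEFI variable; None if the firmware does not expose it
    (legacy BIOS boot, or efivarfs not mounted)."""
    path = efivars_dir / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
    if not path.exists():
        return None
    return decode_efivar(path.read_bytes())


def evaluate_secure_boot(secure_boot: Optional[bytes],
                         setup_mode: Optional[bytes]) -> dict:
    """Turn raw SecureBoot / SetupMode values into a verdict.

    SecureBoot == 1: the firmware is configured to verify bootloaders.
    SetupMode == 1: no Platform Key is enrolled, so the firmware accepts any
    bootloader and lets keys be changed without authentication.
    Only SecureBoot=1 together with SetupMode=0 (user mode) enforces anything."""
    if secure_boot is None or setup_mode is None:
        return {"uefi": False, "secure_boot": None, "setup_mode": None,
                "enforcing": False,
                "verdict": "no UEFI variables found (legacy BIOS boot or efivarfs not mounted)"}
    sb_on = bool(secure_boot) and secure_boot[0] == 1
    in_setup = bool(setup_mode) and setup_mode[0] == 1
    enforcing = sb_on and not in_setup
    if enforcing:
        verdict = "Secure Boot enabled and in user mode: unsigned bootloaders are refused"
    elif sb_on:
        verdict = "Secure Boot flag set but firmware is in setup mode: nothing is enforced"
    else:
        verdict = "Secure Boot disabled: any bootloader will run"
    return {"uefi": True, "secure_boot": sb_on, "setup_mode": in_setup,
            "enforcing": enforcing, "verdict": verdict}


def check_this_machine(efivars_dir: Path = EFIVARS_DIR) -> dict:
    """Evaluate the firmware the script is running on."""
    return evaluate_secure_boot(read_efivar("SecureBoot", efivars_dir),
                                read_efivar("SetupMode", efivars_dir))


if __name__ == "__main__":
    print(check_this_machine()["verdict"])
```

Run it as root (efivarfs is readable by unprivileged users on most systems, but not all). If the result is "setup mode", the keys you pushed from your OS have not been committed yet and you still need to switch the firmware from setup to user (or custom) mode as described above.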
So, what is Secure Boot protecting you from? It will protect your laptop from booting unsigned bootloaders (by the OS provider) with for instance injected malware.
What is Secure Boot not protecting you from?
Secure Boot is not encrypting your disk and an adversary can still just remove the disk from your laptop and extract data from it using a different machine. Secure Boot is therefore useless without full disk encryption.
Secure Boot is not protecting you from a signed bootloader that would be compromised and signed by the manufacturer itself (Microsoft for example in the case of Windows). Most mainstream Linux distributions are signed these days and will boot with Secure Boot enabled.
Secure Boot can have flaws and exploits like any other system. If you are running an old laptop that does not benefit from new BIOS/UEFI updates, these can be left unfixed.
Additionally, several attacks could be possible against Secure Boot as explained (in-depth) in these technical videos:
Defcon 22, https://www.youtube.com/watch?v=QDSlWa9xQuA [Invidious]
BlackHat 2016, https://www.youtube.com/watch?v=0fZdL3ufVOI [Invidious]
So, it can be useful as an added measure against some adversaries but not all. Secure Boot in itself is not encrypting your hard drive. It is an added layer but that is it.
I still recommend you keep it on if you can.
Take a moment to set a firmware password according to the tutorial here: https://support.apple.com/en-au/HT204455 [Archive.org]
You should also enable firmware password reset protection (available from Catalina) according to the documentation here: https://support.apple.com/en-gb/guide/security/sec28382c9ca/web [Archive.org]
This feature will mitigate the possibility for some adversaries to use hardware hacks to disable/bypass your firmware password. Note that this will also prevent Apple themselves from accessing the firmware in case of repair.
At some point, you will inevitably leave this laptop alone somewhere. You will not sleep with it and take it everywhere every single day. You should make it as hard as possible for anyone to tamper with it without you noticing it. This is mostly useful against some limited adversaries that will not use a 5$ wrench against you322.
It is important to know that it is trivially easy for some specialists to install a key logger in your laptop, or to just make a clone copy of your hard drive that could later allow them to detect the presence of encrypted data in it using forensic techniques (more on that later).
Here is a good cheap method to make your laptop tamper-proof using Nail Polish (with glitter) https://mullvad.net/en/help/how-tamper-protect-laptop/ [Archive.org] 323 (with pictures).
While this is a good cheap method, it could also raise suspicions as it is quite “noticeable” and might just reveal that you “have something to hide”. So, there are more subtle ways of achieving the same result. You could, for instance, take close-up macro photographs of the back screws of your laptop, or just put a small amount of candle wax within one of the screw heads so that it looks like usual dirt. You could then check for tampering by comparing the photographs of the screws with new ones: their orientation might have changed a bit if your adversary was not careful enough (tightening them exactly the same way they were before), or the wax within the bottom of a screw head might have been damaged compared to before.
The same techniques can be used with USB ports where you could just put a tiny amount of candle wax within the plug that would be damaged by inserting a USB key in it.
In riskier environments, check your laptop for tampering before using it regularly.
This route will make extensive use of Virtual Machines324, which require a host OS to run the virtualization software. You have three recommended choices in this part of the guide:
Your Linux distribution of choice (excluding Qubes OS)
Windows 10/11 (preferably Home edition due to the absence of Bitlocker)
macOS (Catalina or higher up to Monterey)
In addition, chances are high that your Mac is or has been tied to an Apple account (at the time of purchase or after signing-in) and therefore its unique hardware identifiers could lead back to you in case of hardware identifiers leak.
Linux is also not necessarily the best choice for anonymity depending on your threat model. This is because using Windows will allow us to conveniently use Plausible Deniability325 (aka Deniable Encryption326) easily at the OS level. Windows is also unfortunately at the same time a privacy nightmare327 but is the only easy to set up option for using OS-wide plausible deniability. Windows telemetry and telemetry blocking are also widely documented which should mitigate many issues.
So, what is Plausible Deniability? You can cooperate with an adversary requesting access to your device/data without revealing your true secret. All this using Deniable Encryption328.
A soft lawful adversary could ask for your encrypted laptop password. At first, you could refuse to give out any password (using your “right to remain silent”, “right not to incriminate yourself”) but some countries are implementing laws329,330 to exempt this from such rights (because terrorists and “think of the children”). In that case, you might have to reveal the password or face jail time for contempt of court. This is where plausible deniability will come into play.
You could then reveal a password, but that password will only give access to “plausible data” (a decoy OS). The forensics will be well aware that it is possible for you to have hidden data but should not be able to prove this (if you do this right). You will have cooperated, and the investigators will have access to something but not what you actually want to hide. Since the burden of proof should lie on their side, they will have no options but to believe you unless they have proof that you have hidden data.
This feature can be used at the OS level (a plausible OS and a hidden OS) or at the files level where you will have an encrypted file container (similar to a zip file) where different files will be shown depending on the encryption password you use.
This also means you could set up your own advanced “plausible deniability” setup using any Host OS by storing for instance Virtual Machines on a Veracrypt hidden volume container (be careful of traces in the Host OS though, which would need to be cleaned if the host OS is persistent, see the Some additional measures against forensics section later). There is a project for achieving this within Tails (https://github.com/aforensics/HiddenVM [Archive.org]) which would make your Host OS non-persistent and use plausible deniability within Tails.
In the case of Windows, plausible deniability is also the reason you should ideally have Windows 10/11 Home (and not Pro). This is because Windows 10/11 Pro natively offers a full-disk encryption system (Bitlocker331) where Windows 10/11 Home offers no full-disk encryption at all. You will later use third-party open-source software for encryption that will allow full-disk encryption on Windows 10/11 Home. This will give you a good (plausible) excuse to use this software. While using this software on Windows 10/11 Pro would be suspicious.
Note about Linux: So, what about Linux and plausible deniability? Yes, it is possible to achieve plausible deniability with Linux too. More information within the Linux Host OS section later.
Unfortunately, encryption is not magic and there are some risks involved:
Remember that encryption, with or without plausible deniability, is not a silver bullet and will be of little use in case of torture. As a matter of fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all, as shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [Archive.org]
Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means. Avoid, if possible, the use of plausible deniability-capable software (such as Veracrypt) if your threat model includes hard adversaries. So, Windows users should in that case install Windows Pro as a Host OS and use Bitlocker instead.
See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]
Evil Maid Attacks332 are conducted when someone tampers with your laptop while you are away, for instance to clone your hard drive, install malware, or install a key logger. If they can clone your hard drive, they can compare the image they took while you were away with the hard drive when they later seize it from you. If you used the laptop in between, forensics examiners might be able to prove the existence of the hidden data by looking at the variations between the two images in what should be empty/unused space. This could lead to compelling evidence of the existence of hidden data. If they install a key logger or malware within your laptop (software or hardware), they will be able to simply get the password from you for later use when they seize it. Such attacks can be done at your home, your hotel, a border crossing, or anywhere you leave your devices unattended.
You can mitigate this attack by doing the following (as recommended earlier):
Have basic tamper protection (as explained previously) to prevent physical access to the internals of the laptop without your knowing. This will prevent them from cloning your disks and installing a physical key logger without your knowledge.
Disable all the USB ports (as explained previously) within a password-protected BIOS/UEFI. Again, they will not be able to turn them on (without physically accessing the motherboard to reset the BIOS) to boot a USB device that could clone your hard drive or install a software-based malware that could act as a key logger.
Set up BIOS/UEFI/Firmware passwords to prevent any unauthorized boot of an unauthorized device.
Some OSes and encryption software have an Anti Evil Maid (AEM) protection that can be enabled. This is the case with Windows/Veracrypt and Qubes OS (only on Intel CPUs).
Cold Boot attacks333 are trickier than the Evil Maid Attack but can be part of an Evil Maid attack as it requires an adversary to come into possession of your laptop while you are actively using your device or shortly afterward.
The idea is rather simple, as shown in this video334, an adversary could theoretically quickly boot your device on a special USB key that would copy the content of the RAM (the memory) of the device after you shut it down. If the USB ports are disabled or if they feel like they need more time, they could open it and “cool down” the memory using a spray or other chemicals (liquid nitrogen for instance) preventing the memory from decaying. They could then be able to copy its content for analysis. This memory dump could contain the key to decrypt your device. You will later apply a few principles to mitigate these.
In the case of Plausible Deniability, there have been some forensics studies335 about technically proving the presence of the hidden data with a simple forensic examination (without a Cold Boot/Evil Maid Attack) but these have been contested by other studies336 and by the maintainer of Veracrypt337 so we would not worry too much about those yet.
The same measures used to mitigate Evil Maid attacks should be in place for Cold Boot attacks with some added ones:
If your OS or Encryption software allows it, you should consider encrypting the keys within RAM too (this is possible with Windows/Veracrypt and will be explained later). Again see https://sourceforge.net/p/veracrypt/discussion/technical/thread/3961542951/ [Archive.org]
Do enable the option to Wipe keys from memory if a device is inserted in Veracrypt.
You should limit the use of Sleep stand-by and instead use Shutdown or Hibernate to prevent the encryption keys from staying in RAM when your computer goes to sleep. This is because sleep will maintain power in your memory for resuming your activity faster. Only hibernation and shutdown will actually clear the key from the memory338.
See also https://www.whonix.org/wiki/Cold_Boot_Attack_Defense [Archive.org] and https://www.whonix.org/wiki/Protection_Against_Physical_Attacks [Archive.org]
Here are also some interesting tools to consider for Linux users to defend against these:
https://github.com/0xPoly/Centry [Archive.org] (unfortunately unmaintained it seems)
https://github.com/hephaest0s/usbkill [Archive.org] (unfortunately unmaintained as well it seems)
https://askubuntu.com/questions/153245/how-to-wipe-ram-on-shutdown-prevent-cold-boot-attacks [Archive.org]
(Qubes OS, Intel CPU only) https://github.com/QubesOS/qubes-antievilmaid [Archive.org]
If you want better security, you should shut down your laptop completely every time you leave it unattended or close the lid. This should clear and/or release the RAM and provide mitigations against cold boot attacks. However, this can be a bit inconvenient as you will have to reboot completely, type in a ton of passwords into various apps, and restart various VMs and other apps. So instead, you could also use hibernation (not supported on Qubes OS). Since the whole disk is encrypted, hibernation in itself should not pose a large security risk; it will still shut down your laptop and clear the memory while allowing you to conveniently resume your work afterward. What you should never do is use the standard sleep feature, which keeps your computer on and the memory powered. This is an attack vector for the evil-maid and cold-boot attacks discussed earlier, because your powered-on memory holds the encryption keys to your disk and could then be accessed by a skilled adversary.
This guide will provide guidance later on how to enable hibernation on various host OSes (except Qubes OS) if you do not want to shut down every time.
As mentioned briefly earlier, these are data leaks and traces from your operating system and apps when you perform any activity on your computer. These apply more to encrypted file containers (with or without plausible deniability) than to OS-wide encryption. Such leaks are less “important” if your whole OS is encrypted (if you are not compelled to reveal the password).
Let us say for example you have a Veracrypt encrypted USB key with plausible deniability enabled. Depending on the password you use when mounting the USB key, it will open a decoy folder or the sensitive folder. Within those folders, you will have decoy documents/data within the decoy folder and sensitive documents/data within the sensitive folder.
In all cases, you will (most likely) open these folders with Windows Explorer, macOS Finder, or any other utility and do whatever you planned to do. Maybe you will edit a document within the sensitive folder. Maybe you will search for a document within the folder. Maybe you will delete one or watch a sensitive video using VLC.
Well, all those apps and your operating system might keep logs and traces of that usage. This might include the full path of the folder/files/drives, the time those were accessed, temporary caches of those files, the “recent” lists in each app, the file indexing system that could index the drive, and even thumbnails that could be generated.
Here are some examples of such leaks:
Windows:
Windows ShellBags that are stored within the Windows Registry silently storing various histories of accessed volumes/files/folders339.
Windows Indexing keeping traces of the files present in your user folder by default340.
Recent lists (aka Jump Lists) in Windows and various apps keeping traces of recently accessed documents341.
Many more traces in various logs, please see this convenient interesting poster for more insight: https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download [Archive.org]
macOS:
Gatekeeper342 and XProtect keeping track of your download history in a local database and file attributes.
Spotlight Indexing
Recent lists in various apps keeping traces of recently accessed documents.
Temporary folders keeping various traces of App usage and Document usage.
macOS Logs
…
Linux:
Tracker Indexing
Bash History
USB logs
Recent lists in various apps keeping traces of recently accessed documents.
Linux Logs
…
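To make the Linux part of that list concrete, here is an added read-only audit script (not from the guide or any of the projects it links) that reports which of those trace locations exist on the current system and what a kernel log reveals about USB devices. The paths assume a GNOME-style desktop (Tracker caches, recently-used.xbel, thumbnail cache); other desktops keep equivalent files elsewhere. The sample kernel-log lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: list the Linux trace locations
# named above and report which ones exist. Nothing is deleted or modified.

# trace_locations HOME_DIR: candidate trace paths, one per line
# (assumed GNOME/Tracker layout; adjust for your desktop).
trace_locations() {
    h="$1"
    printf '%s\n' \
        "$h/.bash_history" \
        "$h/.zsh_history" \
        "$h/.local/share/recently-used.xbel" \
        "$h/.cache/tracker" \
        "$h/.cache/tracker3" \
        "$h/.cache/thumbnails" \
        "$h/.config/vlc/vlc-qt-interface.conf" \
        "/var/log/syslog" \
        "/var/log/kern.log"
}

# audit_traces HOME_DIR: one "PRESENT <KiB> <path>" or "absent <path>"
# line per candidate location.
audit_traces() {
    trace_locations "$1" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            size=$(du -sk "$p" 2>/dev/null | cut -f1)
            printf 'PRESENT %6s KiB  %s\n' "${size:-0}" "$p"
        else
            printf 'absent             %s\n' "$p"
        fi
    done
}

# count_present HOME_DIR: how many of the locations exist (a rough measure
# of how much cleanup a forensic examiner would otherwise benefit from).
count_present() {
    audit_traces "$1" | awk '/^PRESENT/ {n++} END {print n + 0}'
}

# usb_events KERNEL_LOG_TEXT: the "New USB device found" lines the kernel
# logs on every attach, stripped to the device identifiers. This is the
# "USB logs" trace: the journal keeps these across reboots.
usb_events() {
    printf '%s\n' "$1" | grep 'New USB device found' \
        | sed 's/.*New USB device found, //'
}

# Live report for the current user (read-only).
audit_traces "${HOME:-/root}"
if command -v journalctl >/dev/null 2>&1; then
    usb_events "$(journalctl -k --no-pager 2>/dev/null)"
fi
```

Run it as the user whose activity you want to inspect; `journalctl -k` needs a systemd journal, so the USB part is skipped where there is none. Feeding `usb_events` a constructed line such as `kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583` prints `idVendor=0781, idProduct=5583`, which is exactly the kind of record that ties a specific USB key to this machine.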
Forensics could use all those leaks (see Local Data Leaks and Forensics) to prove the existence of hidden data, defeat your attempts at using plausible deniability, and find out about your various sensitive activities.
It will be therefore important to apply various steps to prevent forensics from doing this by preventing and cleaning these leaks/traces and more importantly by using whole disk encryption, virtualization, and compartmentalization.
Forensics cannot extract local data leaks from an OS they cannot access. And you will be able to clean most of those traces by wiping the drive or by securely erasing your virtual machines (which is not as easy as you think on SSD drives).
Some cleaning techniques will nevertheless be covered in the “Cover your Tracks” part of this guide at the very end.
Whether you are using simple encryption or plausible deniability encryption, and even if you covered your tracks on the computer itself, there is still a risk of online data leaks that could reveal the presence of hidden data.
Telemetry is your enemy. As explained earlier in this guide, the telemetry of Operating Systems but also from Apps can send staggering amounts of private information online.
In the case of Windows, this data could for instance be used to prove the existence of a hidden OS / Volume on a computer and would be readily available at Microsoft. Therefore, it is critically important that you disable and block telemetry with all the means at your disposal. No matter what OS you are using.
You should never conduct sensitive activities from a non-encrypted system. And even if it is encrypted, you should never conduct sensitive activities from the Host OS itself. Instead, you should use a VM to be able to efficiently isolate and compartmentalize your activities and prevent local data leaks.
If you have little to no knowledge of Linux or if you want to use OS-wide plausible deniability, we recommend going for Windows (or back to the Tails route) for convenience. This guide will help you harden it as much as possible to prevent leaks. This guide will also help you harden macOS and Linux as much as possible to prevent similar leaks.
If you have no interest in OS-wide plausible deniability and want to learn to use Linux, we will strongly recommend going for Linux or the Qubes OS route if your hardware allows it.
In all cases, the host OS should never be used to conduct sensitive activities directly. The host OS will only be used to connect to a public Wi-Fi Access Point. It will be left unused while you conduct sensitive activities and should ideally not be used for any of your day-to-day activities.
Consider also reading https://www.whonix.org/wiki/Full_Disk_Encryption#Encrypting_Whonix_VMs [Archive.org]
As mentioned earlier, we do not recommend using your daily laptop for sensitive activities. Or at least we do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risk.
I also recommend that you do the initial installation completely offline to avoid any data leak.
You should always remember that despite the reputation, Linux mainstream distributions (Ubuntu for instance) are not necessarily better at security than other systems such as macOS and Windows. See this reference to understand why https://madaidans-insecurities.github.io/linux.html [Archive.org].
There are two routes here with Ubuntu or Debian based distros:
Using LUKS:
Without plausible deniability:
(Recommended and easy) Encrypt as part of the installation process: https://ubuntu.com/tutorials/install-ubuntu-desktop [Archive.org]
This process requires the full erasure of your entire drive (clean install).
Just check the “Encrypt the new Ubuntu installation for security”
(Tedious but possible) Encrypt after installation: https://help.ubuntu.com/community/ManualFullSystemEncryption [Archive.org]
With plausible deniability: See the next section The Detached Headers Way
Using Veracrypt:
For other distros, you will have to document yourself, but it will likely be similar. Encryption during install is just much easier in the context of this guide.
There are several ways to achieve plausible deniability on Linux343. Here are some more details about the ways we would recommend. All these options require a higher level of skill at using Linux.
While not supported yet by this guide, it is possible to achieve a form of deniability on Linux using LUKS by using detached LUKS headers. For now, we will redirect you toward this page for more information: https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header [Archive.org]
It is technically possible to not only use Veracrypt but also to achieve plausible deniability on a Linux Host OS by using Veracrypt for system full-disk encryption (instead of LUKS). This is not supported by Veracrypt (System encryption is only supported on Windows) and requires some tinkering with various commands. This is not recommended at all for unskilled users and should only be used at your own risk.
The steps to achieve this are not yet integrated into this guide but can be found here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/5779e55aae7fc06e4758 (this is a .onion address and requires Tor Browser).
During the install, just make sure you do not allow any data collection if prompted.
If you are not sure, just make sure you did not enable any telemetry and follow this tutorial if needed https://vitux.com/how-to-force-ubuntu-to-stop-collecting-your-data-from-your-pc/ [Archive.org]
Any other distro: you will need to document yourself and find out how to disable telemetry.
Disable Bluetooth if enabled by following this guide https://www.addictivetips.com/ubuntu-linux-tips/disable-bluetooth-in-ubuntu/ [Archive.org] or issuing the following command:
sudo systemctl disable bluetooth.service --force
Disable Indexing if enabled by default (Ubuntu >19.04) by following this guide https://www.linuxuprising.com/2019/07/how-to-completely-disable-tracker.html [Archive.org] or issuing the following commands as your own user (not with sudo: the Tracker services run in your user session, and `systemctl --user` under sudo would target root's session instead):
systemctl --user mask tracker-store.service tracker-miner-fs.service tracker-miner-rss.service tracker-extract.service tracker-miner-apps.service tracker-writeback.service
tracker reset --hard
As explained previously, you should not use the sleep features but shut down or hibernate your laptop to mitigate some evil-maid and cold-boot attacks. Unfortunately, hibernation is disabled by default on many Linux distros including Ubuntu. It is possible to enable it, but it might not work as expected. Follow this information at your own risk. If you do not want to do this, you should never use the sleep function and power off instead (and set the lid closing behavior to power off instead of sleep).
Follow one of these tutorials to enable Hibernate:
https://www.how2shout.com/linux/how-to-hibernate-ubuntu-20-04-lts-focal-fossa/ [Archive.org]
http://www.lorenzobettini.it/2020/07/enabling-hibernation-on-ubuntu-20-04/ [Archive.org]
https://blog.ivansmirnov.name/how-to-set-up-hibernate-on-ubuntu-20-04/ [Archive.org]
After Hibernate is enabled, change the behavior so that your laptop will hibernate when you close the lid by following this tutorial for Ubuntu 20.04 http://ubuntuhandbook.org/index.php/2020/05/lid-close-behavior-ubuntu-20-04/ [Archive.org] and this tutorial for Ubuntu 18.04 https://tipsonubuntu.com/2018/04/28/change-lid-close-action-ubuntu-18-04-lts/ [Archive.org]. There is no tutorial yet for Ubuntu 21.04 or 21.10 but the above for 20.04 should probably work too.
Unfortunately, this will not clear the key from memory directly when hibernating. To avoid this at the cost of some performance, you might consider encrypting the swap file by following this tutorial: https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap [Archive.org]
These settings should mitigate cold boot attacks if you can hibernate fast enough.
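The tutorials above cover several moving parts (kernel support, enough swap, a resume device, the lid action), and a setup that "looks" enabled but silently falls back to sleep defeats the purpose. The following added check script (not from the guide or the linked tutorials) tests each prerequisite; every check is a function over plain text, so the usage note's constructed inputs exercise it on any system, while the report at the bottom reads the live files. The file paths (/sys/power/state, /proc/meminfo, /proc/cmdline, /etc/systemd/logind.conf) are the standard ones on systemd-based distros such as Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the guide: verify that a Linux laptop can really
# hibernate and that closing the lid hibernates instead of sleeping.

# kernel_offers_hibernate STATE_TEXT: /sys/power/state lists "disk" when the
# kernel can suspend-to-disk. Prints yes/no.
kernel_offers_hibernate() {
    case " $1 " in
        *" disk "*) echo yes ;;
        *) echo no ;;
    esac
}

# swap_covers_ram MEMINFO_TEXT: the hibernation image is a copy of RAM written
# into swap, so SwapTotal must be at least MemTotal. Prints yes/no.
swap_covers_ram() {
    mem=$(printf '%s\n' "$1" | awk '$1 == "MemTotal:" {print $2}')
    swap=$(printf '%s\n' "$1" | awk '$1 == "SwapTotal:" {print $2}')
    if [ -n "$mem" ] && [ -n "$swap" ] && [ "$swap" -ge "$mem" ]; then
        echo yes
    else
        echo no
    fi
}

# resume_device_set CMDLINE_TEXT: the kernel finds the image on the next boot
# only if resume=<swap device> is on its command line (Ubuntu may instead set
# RESUME in /etc/initramfs-tools/conf.d/resume; check there if this says no).
resume_device_set() {
    case " $1 " in
        *" resume="*) echo yes ;;
        *) echo no ;;
    esac
}

# lid_action LOGIND_CONF_TEXT: effective HandleLidSwitch value. Commented
# lines are ignored; logind's built-in default is "suspend", which is the
# sleep behaviour the guide tells you to change.
lid_action() {
    v=$(printf '%s\n' "$1" \
        | awk -F= '/^[[:space:]]*HandleLidSwitch[[:space:]]*=/ {gsub(/[[:space:]]/, "", $2); print $2}' \
        | tail -n 1)
    echo "${v:-suspend}"
}

# report: run every check against the live system (read-only).
report() {
    state=$(cat /sys/power/state 2>/dev/null)
    meminfo=$(cat /proc/meminfo 2>/dev/null)
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    logind=$(cat /etc/systemd/logind.conf 2>/dev/null)
    echo "kernel offers hibernate : $(kernel_offers_hibernate "$state")"
    echo "swap >= RAM             : $(swap_covers_ram "$meminfo")"
    echo "resume= on cmdline      : $(resume_device_set "$cmdline")"
    echo "lid close action        : $(lid_action "$logind") (want hibernate)"
}
report
```

A laptop with 16 GiB of RAM and the 2 GiB swap file Ubuntu creates by default fails the swap check, which is the most common reason "hibernate" quietly does nothing; `lid_action` returning `suspend` means the lid still puts the machine to sleep with the keys in RAM.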
For Ubuntu, follow these steps https://help.ubuntu.com/community/AnonymizingNetworkMACAddresses [Archive.org].
Consider this tutorial which should still work: https://josh.works/shell-script-basics-change-mac-address [Archive.org]
As a light introduction for new Linux users, consider https://www.youtube.com/watch?v=Sa0KqbpLye4 [Invidious]
For more in-depth and advanced options, refer to:
This excellent guide: https://madaidans-insecurities.github.io/guides/linux-hardening.html [Archive.org]
This excellent wiki resource: https://wiki.archlinux.org/title/Security [Archive.org]
These excellent scripts are based on the guide and wiki above: https://codeberg.org/SalamanderSecurity/PARSEC [Archive.org]
Tools that can help you harden your Linux kernel:
Kconfig-hardened-check: https://github.com/a13xp0p0v/kconfig-hardened-check
Consider installing Safing Portmaster from https://safing.io/portmaster/ [Archive.org] (Warning: there might be issues with some VPN clients. See: https://docs.safing.io/portmaster/install/status/vpn-compatibility [Archive.org])
Consider the use of KickSecure when using Debian: https://www.whonix.org/wiki/Kicksecure [Archive.org]
This interesting article: http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html [Archive.org]
See Appendix G: Safe Browser on the Host OS
Note: Mac M1/M2 chips are now supported natively. Commercial tools like VMware Fusion or Parallels Desktop can also be used, but they are not covered in this guide. Seek this information yourself.
As mentioned earlier, we do not recommend using your daily laptop for sensitive activities. Or at least we do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risk.
We also recommend that you do the initial installation completely offline to avoid any data leak.
Do not ever sign in with your Apple account using that Mac.
Stay Offline
Disable all data sharing requests when prompted including location services
Do not sign in with Apple
Do not enable Siri
As a light introduction for new macOS users, consider https://www.youtube.com/watch?v=lFx5icuE6Io [Invidious]
Now to go more in-depth in securing and hardening your macOS, we recommend reading this guide which covers many of the issues: https://www.bejarano.io/hardening-macos/ [Archive.org]
Here are the basic steps you should take after your offline installation:
First, you should set up a firmware password following this guide from Apple: https://support.apple.com/en-us/HT204455 [Archive.org]
Unfortunately, some attacks are still possible and an adversary could disable this password so you should also follow this guide to prevent disabling the firmware password from anyone including Apple: https://support.apple.com/en-gb/guide/security/sec28382c9ca/web [Archive.org]
Again, this is to prevent some cold-boot and evil-maid attacks by powering down your RAM and cleaning the encryption key when you close the lid. You should always either hibernate or shut down. On macOS, the hibernate feature even has a special option to specifically clear the encryption key from memory when hibernating (while you might have to wait for the memory to decay on other Operating Systems). Once again there are no easy options to do this within the settings so instead, we will have to do this by running a few commands to enable hibernation:
Open a Terminal
Run: sudo pmset -a destroyfvkeyonstandby 1
Run: sudo pmset -a hibernatemode 25
Now when you close the lid of your MacBook, it should hibernate instead of sleep and mitigate attempts at performing cold-boot attacks.
In addition, you should also set up an automatic sleep (Settings > Energy) so that your MacBook will hibernate automatically if left unattended.
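Because a typo in either pmset command leaves the Mac sleeping with the FileVault key in RAM, it is worth confirming the settings took effect. The following added script (not from the guide or from Apple) applies the two commands above on macOS and then checks them by parsing `pmset -g`. It assumes, as on current macOS, that `pmset -g` prints one "name value" pair per line using the names `DestroyFVKeyOnStandby` and `hibernatemode`; the parsing functions work on plain text, so the constructed output in the usage note checks them on any system.

```shell
#!/bin/sh
# Added example, not part of the guide: apply and verify the macOS
# hibernate settings (RAM powered off, FileVault key destroyed on standby).

# pmset_value PMSET_OUTPUT NAME: value reported for NAME, empty if absent.
# Assumes "pmset -g" output of the form " <name> <value>" per line.
pmset_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k {print $2; exit}'
}

# hibernate_settings_ok PMSET_OUTPUT: yes only when both settings are in
# place; no if either is missing or still at a sleep-style value.
hibernate_settings_ok() {
    if [ "$(pmset_value "$1" DestroyFVKeyOnStandby)" = 1 ] &&
       [ "$(pmset_value "$1" hibernatemode)" = 25 ]; then
        echo yes
    else
        echo no
    fi
}

# apply_macos_hibernate: run the two commands from the guide (macOS only)
# and report whether the live settings now match.
apply_macos_hibernate() {
    if [ "$(uname -s)" != Darwin ]; then
        echo "not macOS: nothing applied"
        return 0
    fi
    sudo pmset -a destroyfvkeyonstandby 1
    sudo pmset -a hibernatemode 25
    echo "hibernate settings ok: $(hibernate_settings_ok "$(pmset -g)")"
}
apply_macos_hibernate
```

A machine still on the default `hibernatemode 3` (RAM kept powered, image on disk as a fallback) reports `no`, which is the condition that leaves the keys exposed to a cold-boot attack.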
Disable some unnecessary settings within the settings:
Disable Bluetooth
Disable the Camera and Microphone
Disable Location Services
Disable Airdrop
Disable Indexing
These are the infamous “unblockable telemetry” calls from macOS Big Sur disclosed here: https://sneak.berlin/20201112/your-computer-isnt-yours/ [Archive.org]
You could block OCSP reporting by issuing the following command in Terminal:
sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts'
But you should document yourself on the actual issue before acting. This page is a good place to start: https://blog.jacopo.io/en/post/apple-ocsp/ [Archive.org]
Up to you really. We would block it because we do not want any telemetry at all from our OS to the mothership without our specific consent. None.
You should enable full disk encryption on your Mac using Filevault according to this part of the guide: https://github.com/drduh/macOS-Security-and-Privacy-Guide#full-disk-encryption [Archive.org]
Be careful when enabling. Do not store the recovery key at Apple if prompted (should not be an issue since you should be offline at this stage). You do not want a third party to have your recovery key.
Unfortunately, macOS does not offer a native convenient way of randomizing your MAC Address and so you will have to do this manually. This will be reset at each reboot, and you will have to re-do it each time to ensure you do not use your actual MAC Address when connecting to various Wi-Fis.
You can do this by issuing the following commands in terminal (without the parentheses):
(Turn the Wi-Fi off) networksetup -setairportpower en0 off
(Change the MAC Address) sudo ifconfig en0 ether 88:63:11:11:11:11
(Turn the Wi-Fi back on) networksetup -setairportpower en0 on
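The commands above set one fixed address; repeating the same value on every network makes it an identifier of its own. The following added script (not from the guide, the josh.works tutorial linked in the Linux section, or any project) generates a fresh locally administered unicast address each time and applies it with the macOS commands shown above, or with `ip link` on Linux, so it serves the Linux MAC-address step earlier in this section as well. The interface names `en0` and `wlan0` are assumptions; use the name of your own Wi-Fi interface.

```shell
#!/bin/sh
# Added example, not part of the guide: random locally administered MAC
# address generation plus application on macOS or Linux.

# random_mac: six random bytes from /dev/urandom, with the first octet's
# "locally administered" bit (0x02) set and "multicast" bit (0x01) cleared,
# so the result is a valid unicast address that no vendor OUI claims.
random_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 | 0x02) & 0xFE ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# valid_local_unicast MAC: yes when MAC is well formed (aa:bb:cc:dd:ee:ff),
# locally administered and unicast; no otherwise.
valid_local_unicast() {
    mac=$1
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case "$mac" in
        $hx:$hx:$hx:$hx:$hx:$hx) ;;
        *) echo no; return 0 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    if [ $(( first & 0x03 )) -eq 2 ]; then echo yes; else echo no; fi
}

# apply_mac IFACE MAC: change the hardware address. On macOS the Wi-Fi must
# be off while ifconfig sets it; on Linux the link must be down.
apply_mac() {
    iface=$1
    mac=$2
    case "$(uname -s)" in
        Darwin)
            networksetup -setairportpower "$iface" off
            sudo ifconfig "$iface" ether "$mac"
            networksetup -setairportpower "$iface" on ;;
        Linux)
            sudo ip link set dev "$iface" down
            sudo ip link set dev "$iface" address "$mac"
            sudo ip link set dev "$iface" up ;;
        *)
            echo "unsupported OS: $(uname -s)" >&2
            return 1 ;;
    esac
}

# Generate and show an address; applying it is an explicit step, e.g.
#   apply_mac en0 "$mac"      (macOS)   or   apply_mac wlan0 "$mac" (Linux)
mac=$(random_mac)
echo "generated $mac (locally administered unicast: $(valid_local_unicast "$mac"))"
```

Run `apply_mac` before joining a public network, and re-run it after every reboot, since the change does not persist. A fixed address such as `88:63:11:11:11:11` passes macOS's syntax check but is a globally assigned (vendor) address, and `valid_local_unicast` reports `no` for it.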
See Appendix G: Safe Browser on the Host OS
As mentioned earlier, we do not recommend using your daily laptop for sensitive activities. Or at least we do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risk.
I also recommend that you do the initial installation completely offline to avoid any data leak.
You should follow Appendix A: Windows Installation
As a light introduction, consider watching https://www.youtube.com/watch?v=vNRics7tlqw [Invidious]
You should randomize your MAC address as explained earlier in this guide:
Go into Settings > Network & Internet > Wi-Fi > Enable Random hardware addresses
Alternatively, you could use this free piece of software: https://technitium.com/tmac/ [Archive.org]
See Appendix G: Safe Browser on the Host OS
See Appendix B: Windows Additional Privacy Settings
Veracrypt344 is the software we will recommend for full-disk encryption, file encryption, and plausible deniability. It is a fork of the well-known but deprecated and unmaintained TrueCrypt. It can be used for:
Full Disk simple encryption (your hard drive is encrypted with one passphrase).
Full Disk encryption with plausible deniability (this means that depending on the passphrase entered at boot, you will either boot a decoy OS or a hidden OS).
File container simple encryption (it is a large file that you will be able to mount within Veracrypt as if it were an external drive to store encrypted files within).
File container with plausible deniability (it is the same large file but depending on the passphrase you use when mounting it, you will either mount a “hidden volume” or the “decoy volume”).
It is to my knowledge the only (convenient and usable by anyone) free, open-source, and openly audited345 encryption software that also provides plausible deniability for widespread use and it works with Windows Home Edition.
Go ahead and download and install Veracrypt from: https://www.veracrypt.fr/en/Downloads.html [Archive.org]
After installation, please take a moment to review the following options that will help mitigate some attacks:
Encrypt the memory with a Veracrypt option346 (settings > performance/driver options > encrypt RAM) at a cost of 5-15% performance. This setting will also disable hibernation (which does not actively clear the key when hibernating) and instead encrypt the memory altogether to mitigate some cold-boot attacks. More details about this feature here: https://sourceforge.net/p/veracrypt/discussion/technical/thread/3961542951/ [Archive.org]
Enable the Veracrypt option to wipe the keys from memory if a new device is inserted (system > settings > security > clear keys from memory if a new device is inserted). This could help in case your system is seized while still on (but locked).
Enable the Veracrypt option to mount volumes as removable volumes (Settings > Preferences > Mount volume as removable media). This will prevent Windows from writing some logs about your mounts in the Event logs347 and prevent some local data leaks.
Be careful and have a good situational awareness if you sense something weird. Shut your laptop down as fast as possible.
If you do not want to use encrypted memory (because performance might be an issue), you should at least enable hibernation instead of sleep. This will not clear the keys from memory (you are still vulnerable to cold boot attacks) but at least should mitigate them if your memory has enough time to decay.
More details later in Route A and B: Simple Encryption using Veracrypt (Windows tutorial).
For this case, we will recommend the use of BitLocker instead of Veracrypt for the full disk encryption. The reasoning is that BitLocker, contrary to Veracrypt, does not offer any plausible deniability possibility. A hard adversary then has no incentive to pursue his “enhanced” interrogation once you reveal the passphrase.
Normally, you should have installed Windows Pro in this case and the BitLocker setup is quite straightforward.
Basically, you can follow the instructions here: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838 [Archive.org]
But here are the steps:
Click the Windows Menu
Type “Bitlocker”
Click “Manage Bitlocker”
Click “Turn on Bitlocker” on your System Drive
Follow the instructions
Do not save your recovery key to a Microsoft Account if prompted.
Only save the recovery key to an external encrypted drive. If you have none, get past the mandatory save step by printing the recovery key using the Microsoft Print to PDF printer and saving the key within the Documents folder. Delete that file later.
Encrypt Entire Drive (do not encrypt the used disk space only).
Use “New Encryption Mode”
Run the BitLocker Check
Reboot
Encryption should now be started in the background (you can check by clicking the Bitlocker icon on the lower right side of the taskbar).
Unfortunately, this is not enough. With this setup, your Bitlocker key can just be stored as-is in the TPM chip of your computer. This is rather problematic as the key can be extracted in some cases with ease348‘349’350’351.
To mitigate this, you will have to enable a few more options as per the recommendations of Microsoft352:
Click the Windows icon
Type Run
Type “gpedit.msc” (this is the group policy editor)
Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker > Operating System Drives
Double Click the “Require Additional Authentication at Startup”
Double Click the “Allow enhanced PINs for startup”
Close the Group Policy Editor
Click the Windows icon
Type Command to display the “Command Prompt”
Right Click on it and click “Run as Administrator”
Run manage-bde -protectors -delete c:
(this will delete current protection: the recovery key you will not need)
Run manage-bde -protectors -add c: -TPMAndPIN
(this will prompt you for a pre-boot password)
Run manage-bde -status
You are done
Now when you reboot your computer, you should ideally be prompted for:
A BIOS/UEFI boot password
An SSD/HDD unlock password (if the feature is available on your BIOS)
A Bitlocker Pre-Boot PIN screen where you need to enter the password/passphrase you just set up
And finally, the Windows logon screen where you can enter the credentials you set up earlier
Again, as explained earlier, you should never use the sleep/stand-by feature; avoiding it mitigates some cold-boot and evil-maid attacks. Instead, you should shut down or hibernate. You should therefore switch your laptop from sleeping to hibernating when closing the lid or when your laptop would otherwise go to sleep.
(Note that you cannot enable hibernation if you previously enabled RAM encryption within Veracrypt)
The reason is that Hibernation will actually shut down your laptop completely and clean the memory. Sleep on the other hand will leave the memory powered on (including your decryption key) and could leave your laptop vulnerable to cold-boot attacks.
By default, Windows 10/11 might not offer you this possibility so you should enable it by following this Microsoft tutorial: https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/disable-and-re-enable-hibernation [Archive.org]
Open an administrator command prompt (right-click on Command Prompt and “Run as Administrator”)
Run: powercfg.exe /hibernate on
Now run the additional command: powercfg /h /type full
After that you should go into your power settings:
Open the Control Panel
Open System & Security
Open Power Options
Open “Choose what the power button does”
Change everything from sleep to hibernate or shutdown
Go back to the Power Options
Select Change Plan Settings
Select Advanced Power Settings
Change all the Sleep Values for each Power Plan to 0 (Never)
Make sure Hybrid Sleep is Off for each Power Plan
Enable Hibernate After the time you would like
Disable all the Wake timers
Now you will have to pick your next step between two options:
Route A: Simple encryption of your current OS
Pros:
Does not require you to wipe your laptop
No issue with local data leaks
Works fine with an SSD drive
Works with any OS
Simple
Cons:
You could be compelled by an adversary to reveal your password and all your secrets and will have no plausible deniability.
The danger of Online data leaks
Route B: Simple encryption of your current OS with later use of plausible deniability on files themselves:
Pros:
Does not require you to wipe your laptop
Works fine with an SSD drive
Works with any OS
Plausible deniability is possible with “soft” adversaries
Cons:
The danger of Online Data leaks
The danger of Local Data leaks (that will lead to more work to clean up those leaks)
Route C: Plausible Deniability Encryption of your Operating system (you will have a “hidden OS” and a “decoy OS” running on the laptop):
Pros:
No issues with local Data leaks
Plausible deniability is possible with “soft” adversaries
Cons:
As you can see, Route C only offers two privacy advantages over the others, and it will only be of use against a soft lawful adversary. Remember https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org].
Deciding which route you will take is up to you. Route A is a minimum.
Always be sure to check for new versions of Veracrypt frequently to ensure you benefit from the latest patches. Especially check this before applying large Windows updates that might break the Veracrypt bootloader and send you into a boot loop.
NOTE THAT BY DEFAULT VERACRYPT WILL ALWAYS PROPOSE A SYSTEM PASSWORD IN QWERTY (display the password as a test). This can cause issues if your boot input is using your laptop’s keyboard (AZERTY for example) as you will have set up your password in QWERTY and will input it at boot time in AZERTY. So, make sure you check when doing the test boot what keyboard layout your BIOS is using. You could fail to log in just because of the QWERTY/AZERTY mix-up. If your BIOS boots using AZERTY, you will need to type the password in QWERTY within Veracrypt.
Skip this step if you used BitLocker instead earlier.
You do not have to have an HDD for this method, and you do not need to disable Trim on this route. Trim leaks will only be of use to forensics in detecting the presence of a Hidden Volume but will not be of much use otherwise.
This route is rather straightforward and will just encrypt your current Operating System in place without losing any data. Be sure to read all the texts Veracrypt is showing you, so you have a full understanding of what is going on. Here are the steps:
Launch VeraCrypt
Go into Settings:
Settings > Performance/driver options > Encrypt RAM
System > Settings > Security > Clear keys from memory if a new device is inserted
System > Settings > Windows > Enable Secure Desktop
Select System
Select Encrypt System Partition/Drive
Select Normal (Simple)
Select Single-Boot
Select AES as encryption Algorithm (click the test button if you want to compare the speeds)
Select SHA-512 as hash Algorithm (because why not)
Enter a strong passphrase (longer the better, remember Appendix A2: Guidelines for passwords and passphrases)
Collect some entropy by randomly moving your cursor around until the bar is full
Click Next at the Generated Keys screen
To rescue disk[355] or not to rescue disk, well, that is up to you. We recommend making one (just in case); just make sure to store it outside your encrypted drive (on a USB key for instance, or wait and see the end of this guide for guidance on safe backups). This rescue disk will not store your passphrase, and you will still need it to use it.
Wipe mode:
If you have no sensitive data yet on this laptop, select None
If you have sensitive data on an SSD, Trim alone should take care of it[356], but we would recommend one pass (random data) just to be sure.
If you have sensitive data on an HDD, there is no Trim, and we would recommend at least a 1-pass wipe.
Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward.
After your computer has rebooted and the test has passed, you will be prompted by Veracrypt to start the encryption process.
Start the encryption and wait for it to complete.
You are done, skip Route B and go to the next steps.
There will be another section on creating encrypted file containers with Plausible Deniability on Windows.
This is only supported on Windows.
This is only recommended on an HDD drive. This is not recommended on an SSD drive.
Your Hidden OS should not be activated (with an MS product key). Therefore, this route will recommend and guide you through a full clean installation that will wipe everything on your laptop.
Read the Veracrypt Documentation https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html [Archive.org] (Process of Creation of Hidden Operating System part) and https://www.veracrypt.fr/en/Security%20Requirements%20for%20Hidden%20Volumes.html [Archive.org] (Security Requirements and Precautions Pertaining to Hidden Volumes).
This is how your system will look after this process is done:
(Illustration from Veracrypt Documentation, https://veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html [Archive.org])
As you can see this process requires you to have two partitions on your hard drive from the start.
This process will do the following:
Encrypt your second partition (the outer volume) that will look like an empty unformatted disk from the decoy OS.
Prompt you with the opportunity to copy some decoy content within the outer volume.
Create a hidden volume within the outer volume of that second partition. This is where the hidden OS will reside.
Clone your currently running Windows 10/11 installation onto the hidden volume.
Wipe your currently running Windows 10/11.
This means that your current Windows 10/11 will become the hidden Windows 10/11 and that you will need to reinstall a fresh decoy Windows 10/11 OS.
Mandatory if you have an SSD drive and you still want to do this against the recommendation: Disable SSD Trim in Windows[357] (again this is NOT recommended at all as disabling Trim in itself is highly suspicious). Also, as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable; you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks[358] that could allow forensics to defeat your plausible deniability[359][360]. The only way around this at the moment is to have a laptop with a classic HDD drive instead.
See Appendix C: Windows Installation Media Creation and go with the USB key route.
Insert the USB key into your laptop
See Appendix A: Windows Installation and proceed with installing Windows 10/11 Home.
See Appendix B: Windows Additional Privacy Settings
Remember to read https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html [Archive.org]
Do not connect this OS to your known Wi-Fi. You should download the Veracrypt installer from a different computer and copy the installer here using a USB key. Here are the steps:
Install Veracrypt
Start Veracrypt
Go into Settings:
Settings > Performance/driver options > Encrypt RAM (note that this option is not compatible with hibernating your laptop, and means you will have to shut down completely)
System > Settings > Security > Clear keys from memory if a new device is inserted
System > Settings > Windows > Enable Secure Desktop
Go into System and select Create Hidden Operating System
Read all the prompts thoroughly
Select Single-Boot if prompted
Create the Outer Volume using AES and SHA-512.
Use all the space available on the second partition for the Outer Volume
Use a strong passphrase (remember Appendix A2: Guidelines for passwords and passphrases)
Select yes to Large Files
Create some Entropy by moving the mouse around until the bar is full and select NTFS (do not select exFAT as you want this outer volume to look “normal” and NTFS is normal).
Format the Outer Volume
Open Outer Volume:
At this stage, you should copy decoy data onto the outer volume. So, you should have some sensitive (but not too sensitive) files/folders to copy there, in case you need to reveal a password to this Volume. This is a good place for your Anime/Mp3/Movies/Porn collection.
We recommend you do not fill the outer volume too much or too little (about 40%). Remember you must leave enough space for the Hidden OS (which will be the same size as the first partition you created during installation).
Use a strong passphrase for the Hidden Volume (obviously a different one than the one for the Outer Volume).
Now you will create the Hidden Volume, select AES and SHA-512
Fill the entropy bar until the end with random mouse movements
Format the hidden Volume
Proceed with the Cloning
Veracrypt will now restart and Clone the Windows where you started this process into the Hidden Volume. This Windows will become your Hidden OS.
When the cloning is complete, Veracrypt will restart within the Hidden System
Veracrypt will inform you that the Hidden System is now installed and then prompt you to wipe the Original OS (the one you installed previously with the USB key).
Use 1-Pass Wipe and proceed.
Now your Hidden OS will be installed, proceed to the next step
Now that the Hidden OS is fully installed, you will need to install a Decoy OS:
Insert the USB key into your laptop
See Appendix A: Windows Installation and proceed with installing Windows 10/11 Home again (do not install a different version and stick with Home).
See Appendix B: Windows Additional Privacy Settings
Now you will encrypt the Decoy OS:
Install Veracrypt
Launch VeraCrypt
Select System
Select Encrypt System Partition/Drive
Select Normal (Simple)
Select Single-Boot
Select AES as encryption Algorithm (click the test button if you want to compare the speeds)
Select SHA-512 as hash Algorithm (because why not)
Enter a short weak password (yes this is serious, do it, it will be explained later).
Collect some entropy by randomly moving your cursor around until the bar is full
Click Next as the Generated Keys screen
To rescue disk[361] or not to rescue disk, well, that is up to you. We recommend making one (just in case); just make sure to store it outside your encrypted drive (on a USB key for instance, or wait and see the end of this guide for guidance on safe backups). This rescue disk will not store your passphrase, and you will still need it to use it.
Wipe mode: Select 1-Pass just to be safe
Pre-Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward.
After your computer has rebooted and the test has passed, you will be prompted by Veracrypt to start the encryption process.
Start the encryption and wait for it to complete.
Your Decoy OS is now ready for use.
Time to test your setup:
Reboot and input your Hidden OS passphrase, you should boot within the Hidden OS.
Reboot and input your Decoy OS passphrase, you should boot within the Decoy OS.
Launch Veracrypt on the Decoy OS and mount the second partition using the Outer Volume Passphrase (mount it as read-only, by going into Mount Options and selecting Read-Only); it should mount the second partition as read-only, displaying your decoy data (your Anime/Porn collection). You are mounting it as read-only now because if you were to write data on it, you could overwrite content from your Hidden OS.
Before going to the next step, you should learn the way to mount your Outer Volume safely for writing content on it. This is also explained in this official Veracrypt Documentation https://www.veracrypt.fr/en/Protection%20of%20Hidden%20Volumes.html [Archive.org]
You should do this from a safe, trusted space.
Basically, you are going to mount your Outer Volume while also providing the Hidden Volume passphrase within the Mount Options to protect the Hidden Volume from being overwritten:
Open Veracrypt
Select your Second Partition
Click Mount
Click Mount Options
Check the “Protect the Hidden volume…” Option
Enter the Hidden OS passphrase
Click OK
Enter your Outer Volume passphrase
Click OK
You should now be able to open and write to your Outer Volume to change the content (copy/move/delete/edit…)
This operation will not actually mount the Hidden Volume and should prevent the creation of any forensic evidence that could lead to the discovery of the Hidden OS. However, while you are performing this operation, both passwords will be stored in your RAM. You could still be vulnerable to a Cold-Boot Attack. To mitigate this, be sure to have the option to encrypt your RAM as instructed before.
We must make the Decoy OS as plausible as possible. We also want your adversary to underestimate your intelligence.
It is important to voluntarily leave some forensic evidence of your Decoy Content within your Decoy OS. This evidence will let forensic examiners see that you mounted your Outer Volume frequently to access its content.
Here are useful tips to leave some forensics evidence:
Play the content from the Outer Volume from your Decoy OS (using VLC for instance). Be sure to keep a history of those.
Edit documents and work on them.
Enable file indexing again on the Decoy OS and include the mounted Outer Volume.
Unmount it and mount it frequently to watch some content or move files around.
Copy some content from your Outer Volume to your Decoy OS and then delete it unsafely. Just put it in the Recycle Bin, which is what a naive user would do, thinking it was deleted.
Have a Torrent Client installed on the Decoy OS; use it from time to time to download some similar stuff that you will leave on the Decoy OS.
You could have a VPN client installed on the Decoy OS with a known VPN of yours (non-cash paid).
Do not put anything suspicious on the Decoy OS such as:
This guide
Any links to this guide
Any suspicious anonymity software such as Tor Browser
Any Veracrypt volumes
Any documents on anonymity or security
The intention is to make your adversary believe you are not as smart as they thought, to deter them from searching deeper.
Remember that you will need valid excuses for this plausible deniability scenario to work:
You are using Veracrypt because you are using Windows 10/11 Home, which does not feature Bitlocker, but you still wanted reasonable Privacy.
You have two partitions because you wanted to separate the system from the data for easy organization, and because some geeky friend told you this was better for performance.
You have used a weak password for easy convenient booting of the system and a strong, long passphrase on the Outer Volume. You were too lazy to type a strong passphrase at each boot.
You encrypted the second partition with a different password than the system because you do not want anyone in your group/domain to see your stuff. You did not want that data available to anyone.
Take some time to read again the “Possible Explanations for Existence of Two Veracrypt Partitions on Single Drive” of the Veracrypt documentation here https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html [Archive.org]
Be careful:
You should never mount the Hidden Volume from the Decoy OS (NEVER EVER). If you did this, it would create forensic evidence of the Hidden Volume within the Decoy OS which could jeopardize your attempt at plausible deniability. If you did this anyway (intentionally or by mistake) from the Decoy OS, there are ways to erase forensic evidence that will be explained later at the end of this guide, so this mistake alone isn’t a huge deal if you follow the steps in Some additional measures against forensics.
Never use the Decoy OS from the same network (public Wi-Fi) as the Hidden OS.
When you do mount the Outer Volume from the Decoy OS, do not write any data within the Outer Volume. This could overwrite what looks like empty space but is in fact your Hidden OS. You should always mount it as read-only.
If you want to change the decoy content of the Outer Volume, you should use a Live OS USB Key that will run Veracrypt.
Note that you will not use the Hidden OS to perform sensitive activities, this will be done later from a VM within the Hidden OS. The Hidden OS is only meant to protect you from soft lawful adversaries that could gain access to your laptop and compel you to reveal your password.
Be careful of any tampering with your laptop. Evil-Maid Attacks can reveal your Hidden OS.
Remember Appendix W: Virtualization.
This step and the following steps should be done from within the Host OS. This can either be your Host OS with simple encryption (Windows/Linux/macOS) or your Hidden OS with plausible deniability (Windows only).
In this route, you will make extensive use of the free Oracle Virtualbox[362] software. This is virtualization software in which you can create Virtual Machines that emulate a computer running a specific OS (if you want to use something else like Xen, Qemu, KVM, or VMware, feel free to do so, but this part of the guide covers Virtualbox only for convenience).
You should be aware that Virtualbox is not the virtualization software with the best track record in terms of security. Some of the reported issues[363] have not been completely fixed to date[364]. If you are using Linux, and you possess a bit more technical skill, you should consider using KVM instead by following the guide available at Whonix here https://www.whonix.org/wiki/KVM [Archive.org] and here https://www.whonix.org/wiki/KVM#Why_Use_KVM_Over_VirtualBox.3F [Archive.org]
Some steps should be taken in all cases:
All your sensitive activities will be done from within a guest Virtual Machine running Windows 10/11 Pro (not Home this time), Linux, or macOS.
This has a few advantages that will help you remain anonymous:
It should prevent the guest VM OS (Windows/Linux/macOS), apps, and any telemetry within the VMs from accessing your hardware directly. Even if your VM is compromised by malware, the malware should not be able to access the Host OS and compromise your actual machine.
It will allow us to force all the network traffic from your VM to run through another Gateway VM that will direct all the traffic over the Tor Network. This is a network “kill switch”. Your VM will lose its network connectivity completely and go offline if the target network VM loses its connection to the Tor Network.
The VM itself, which only has internet connectivity through a Tor Network Gateway, will connect to your cash-paid VPN service through Tor.
DNS Leaks will be impossible because the VM is on an isolated network that must go through Tor no matter what.
There are seven possibilities within this route:
Recommended and preferred:
Use Tor alone (User > Tor > Internet)
Use VPN over Tor (User > Tor > VPN > Internet) in specific cases
Use a VPS with a self-hosted VPN/Proxy over Tor (User > Tor > Self-Hosted VPN/Proxy > Internet) in specific cases
Possible if required by context:
Use VPN over Tor over VPN (User > VPN > Tor > VPN > Internet)
Use Tor over VPN (User > VPN > Tor > Internet)
Not recommended and risky:
Use VPN alone (User > VPN > Internet)
Use VPN over VPN (User > VPN > VPN > Internet)
Not recommended and highly risky (but possible)
This is the preferred and most recommended solution.
With this solution, all your network goes through Tor, and it should be sufficient to guarantee your anonymity in most cases.
There is one main drawback though: some services block/ban Tor Exit nodes outright and will not allow account creation from those.
To mitigate this, you might have to consider the next option: VPN over Tor but consider some risks associated with it explained in the next section.
This solution can bring some benefits in some specific cases vs using Tor only where accessing the destination service would be impossible from a Tor Exit node. This is because many services will just outright ban, hinder, or block Tor Exit Nodes (see https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor [Archive.org]).
This solution can be achieved in two ways:
Paid VPN over Tor (easiest)
Paid Self-Hosted VPS configured as VPN/Proxy (most efficient in avoiding online obstacles such as captchas but requiring more skills with Linux)
As you can see in this illustration, if your cash (preferred)/Monero paid VPN/Proxy is compromised by an adversary (despite their privacy statement and no-logging policies), they will only find an anonymous cash/Monero paid VPN/Proxy account connecting to their services from a Tor Exit node.
If an adversary somehow manages to compromise the Tor network too, they will only reveal the IP of a random public Wi-Fi that is not tied to your identity.
If an adversary somehow compromises your VM OS (with malware or an exploit for instance), they will be trapped within the internal Network of Whonix and should be unable to reveal the IP of the public Wi-Fi.
This solution however has one main drawback to consider: interference with Tor Stream Isolation[365].
Stream isolation is a mitigation technique used to prevent some correlation attacks by having different Tor Circuits for each application. Here is an illustration to show what stream isolation is:
(Illustration from Marcelo Martins, https://stakey.club/en/decred-via-tor-network/ [Archive.org])
VPN/Proxy over Tor falls on the right side[366], meaning that using a VPN/Proxy over Tor forces Tor to use one circuit for all activities instead of a separate circuit for each. This means that using a VPN/Proxy over Tor can reduce the effectiveness of Tor in some cases and should therefore be used only in some specific cases:
When your destination service does not allow Tor Exit nodes.
When you do not mind using a shared Tor circuit for various services. For instance, when using various authenticated services.
You should however consider not using this method when your aim is just to browse random various unauthenticated websites as you will not benefit from Stream Isolation and this could make correlation attacks easier over time for an adversary between each of your sessions (see Your Anonymized Tor/VPN traffic). If your goal however is to use the same identity at each session on the same authenticated services, the value of Stream isolation is lessened as you can be correlated through other means.
You should also know that Stream Isolation is not necessarily configured by default on Whonix Workstation. It is only pre-configured for some applications (including Tor Browser).
Also, note that Stream Isolation does not necessarily change all the nodes in your Tor circuit. It can sometimes only change one or two. In many cases, Stream Isolation (for instance within the Tor Browser) will only change the relay (middle) node and the exit node while keeping the same guard (entry) node.
More information at:
https://tails.boum.org/contribute/design/stream_isolation/ [Archive.org]
https://www.whonix.org/wiki/Tunnels/Introduction#Comparison_Table [Archive.org]
You might be wondering: Well, what about using Tor over VPN instead of VPN over Tor? Well, we would not necessarily recommend it:
Disadvantages:
Your VPN provider is just another ISP that will then know your origin IP and will be able to de-anonymize you if required. We do not trust them. We prefer a situation where your VPN provider does not know who you are. It does not add much in terms of anonymity.
This would result in you connecting to various services using the IP of a Tor Exit Node which is banned/flagged in many places. It does not help in terms of convenience.
Advantages:
The main advantage is that if you are in a hostile environment where Tor access is impossible/dangerous/suspicious, but VPN is okay.
This method also does not break Tor Stream isolation.
This also hides your Tor activities from your main ISP.
Note, if you are having issues accessing the Tor Network due to blocking/censorship, you could try using Tor Bridges. See Appendix X: Using Tor bridges in hostile environments.
It is also possible to consider VPN over Tor over VPN (User > VPN > Tor > VPN > Internet) using two cash/Monero paid VPNs instead. This means that you will connect the Host OS to a first VPN from your Public Wi-Fi, then Whonix will connect to Tor, and finally, your VM will connect to a second VPN over Tor over VPN (see https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org]).
This will of course have a significant performance impact and might be quite slow, but Tor is necessary somewhere for achieving reasonable anonymity.
Achieving this technically is easy within this route, you need two separate anonymous VPN accounts and must connect to the first VPN from the Host OS and follow the route.
Conclusion: Only do this if you think using Tor alone is risky/impossible but VPNs are okay. Or just because you can and so why not. This method will not lower your security/privacy/anonymity.
This route will not be explained nor recommended.
If you can use VPNs then you should be able to add a Tor layer over it. And if you can use Tor, then you can add an anonymous VPN over Tor to get the preferred solution.
Just using a VPN or even a VPN over VPN makes no sense as those can be traced back to you over time. One of the VPN providers will know your real origin IP (even if it is in a safe public space) and even if you add one over it, the second one will still know you were using that other first VPN service. This will only slightly delay your de-anonymization. Yes, it is an added layer … but it is a persistent centralized added layer, and you can be de-anonymized over time. This is just chaining 3 ISPs that are all subject to lawful requests.
For more info, please see the following references:
https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Tor_and_VPN_Services_Comparison [Archive.org]
https://www.whonix.org/wiki/Why_does_Whonix_use_Tor [Archive.org]
https://www.researchgate.net/publication/324251041_Anonymity_communication_VPN_and_Tor_a_comparative_study [Archive.org]
https://gist.github.com/joepie91/5a9909939e6ce7d09e29#file-vpn-md [Archive.org]
https://schub.wtf/blog/2019/04/08/very-precarious-narrative.html [Archive.org]
In the context of this guide, Tor is required somewhere to achieve reasonable and safe anonymity and you should use it if you can.
If you cannot use VPN nor Tor where you are, you probably are in a very hostile environment where surveillance and control are extremely high.
Just do not, it is not worth it and too risky. You can be de-anonymized almost instantly by any motivated adversary that could get to your physical location in a matter of minutes.
Do not forget to check back on Adversaries (threats) and Appendix S: Check your network for surveillance/censorship using OONI.
If you have absolutely no other option and still want to do something, see Appendix P: Accessing the internet as safely as possible when Tor/VPN is not an option (at your own risk) and consider The Tails route instead.
Connection Type | Anonymity | Ease of Access to online resources | Tor Stream isolation | Safer where Tor is suspicious/dangerous | Speed | Cost | Recommended |
---|---|---|---|---|---|---|---|
Tor Alone | Good | Medium | Possible | No | Medium | Free | Yes |
Tor over VPN | Good+ | Medium | Possible | Yes | Medium | Around 50€/y | If needed (Tor inaccessible) |
Tor over VPN over Tor | Best | Medium | Possible | Yes | Poor | Around 50€/y | Yes |
VPN over Tor | Good- | Good | No | No | Medium | Around 50€/y | If needed (convenience) |
Self-Hosted VPS VPN/Proxy over Tor | Good- | Very Good | No | Yes | Medium | Around 50€/y | If needed (convenience) |
VPN/Proxy over Tor over VPN | Good- | Good | No | Yes | Poor | Around 100€/y | If needed (convenience and Tor inaccessible) |
VPN/Proxy Alone | Bad | Good | N/A | Yes | Good | Around 50€/y | No. |
No Tor and VPN | Bad | Unknown | N/A | No | Good | Around 100€ (Antenna) | No. |
Unfortunately, using Tor alone will raise the suspicion of many destinations’ platforms. You will face many hurdles (captchas, errors, difficulties signing up) if you only use Tor. In addition, using Tor where you are could put you in trouble just for that. But Tor is still the best solution for anonymity and must be somewhere for anonymity.
If you intend to create persistent shared and authenticated identities on various services where access from Tor is hard, we recommend the VPN over Tor and VPS VPN/Proxy over Tor options (or VPN over Tor over VPN if needed). It might be a bit less secure against correlation attacks due to breaking Tor Stream isolation but provides much better convenience in accessing online resources than just using Tor. It is an “acceptable” trade-off IMHO if you are careful enough with your identity.
If your intent however is just to browse random services anonymously without creating specific shared identities, using Tor-friendly services, or if you do not want to accept the trade-off of the earlier option, then we recommend using the Tor Only route to keep the full benefits of Stream Isolation (or Tor over VPN if you need to).
If cost is an issue, we recommend the Tor Only option if possible.
If both Tor and VPN access are impossible or dangerous then you have no choice but to rely on Public wi-fi safely. See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option
For more information, you can also see the discussions here that could help decide yourself:
Tor Project: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN [Archive.org]
Tails Documentation:
Whonix Documentation (in this order):
Some papers on the matter:
Skip this step if you want to use Tor only.
See Appendix O: Getting an anonymous VPN/Proxy
Skip this step if you cannot use Tor.
This route will use Virtualization and Whonix[367] as part of the anonymization process. Whonix is a Linux distribution composed of two Virtual Machines:
The Whonix Workstation (this is a VM where you can conduct sensitive activities)
The Whonix Gateway (this VM will establish a connection to the Tor network and route all the network traffic from the Workstation through the Tor network).
This guide will therefore propose two flavors of this route:
You will be able to decide which flavor to use based on my recommendations. We recommend the second one as explained before.
Whonix is well maintained and has extensive and incredibly detailed documentation.
Later, you will create and run several Virtual Machines within Virtualbox for your sensitive activities. Virtualbox provides a feature called “Snapshots”[368] that allows saving the state of a VM at any point in time. If for any reason you later want to go back to that state, you can restore that snapshot at any moment.
I strongly recommend that you do make use of this feature by creating a snapshot after the initial installation/update of each VM. This snapshot should be done before its use for any sensitive/anonymous activity.
This will allow you to turn your VMs into a kind of disposable “Live Operating System” (like Tails discussed earlier), meaning that you will be able to erase all the traces of your activities within a VM by restoring a Snapshot to an earlier state. Of course, this will not be “as good” as Tails (where everything is stored in memory) as there might be traces of this activity left on your hard disk. Forensic studies have shown the ability to recover data from a reverted VM[369]. Fortunately, there will be ways to remove those traces after the deletion or reverting to an earlier snapshot. Such techniques will be discussed in the Some additional measures against forensics section of this guide.
You should download a few things within the host OS:
The latest version of the Virtualbox installer according to your Host OS https://www.virtualbox.org/wiki/Downloads [Archive.org]
(Skip this if you cannot use Tor natively or through a VPN) The latest Whonix OVA file from https://www.whonix.org/wiki/Download [Archive.org] according to your preference (Linux/Windows, with a Desktop interface XFCE for simplicity or only with the text-client for advanced users)
This will conclude the preparations and you should now be ready to start setting up the final environment that will protect your anonymity online.
For ideal security, you should follow the recommendations provided here for each Virtualbox Virtual Machine https://www.whonix.org/wiki/Virtualization_Platform_Security#VirtualBox_Hardening [Archive.org]:
Disable Audio.
Do not enable Shared Folders.
Do not enable 2D acceleration. This one is done by running the following command: VBoxManage modifyvm "vm-id" --accelerate2dvideo on|off
Do not enable 3D acceleration.
Do not enable the Serial Port.
Remove the Floppy drive.
Remove the CD/DVD drive.
Do not enable the Remote Display server.
Enable PAE/NX (NX is a security feature).
Disable Advanced Configuration and Power Interface (ACPI). This one is done by running the following command: VBoxManage modifyvm "vm-id" --acpi on|off
Do not attach USB devices.
Disable the USB controller which is enabled by default. Set the Pointing Device to “PS/2 Mouse” or changes will revert.
Finally, also follow this recommendation to desync the clock of your VM from your host OS https://www.whonix.org/wiki/Network_Time_Synchronization#Spoof_the_Initial_Virtual_Hardware_Clock_Offset [Archive.org]
This offset should be within a 60000-millisecond range and should be different for each VM. Here are some examples (which can later be applied to any VM):
VBoxManage modifyvm "Whonix-Gateway-XFCE" --biossystemtimeoffset -35017
VBoxManage modifyvm "Whonix-Gateway-XFCE" --biossystemtimeoffset +27931
VBoxManage modifyvm "Whonix-Workstation-XFCE" --biossystemtimeoffset -35017
VBoxManage modifyvm "Whonix-Workstation-XFCE" --biossystemtimeoffset +27931
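The following script is an added example, not code from this guide or from the Whonix project. It applies the hardening list above to one VM from the command line and draws a fresh random clock offset per VM (so no two VMs share the same offset, which is the point of the examples above). It goes slightly beyond the list by also disabling the shared clipboard and drag-and-drop, two more host-guest channels. The flag spellings are assumed to be those of VBoxManage 6.x; VirtualBox 7.x has renamed some of them (for example --audio-enabled, --usb-ohci), so check the output of "VBoxManage modifyvm" on your host first. Floppy/CD drives, shared folders and attached USB devices are removed in the VM's Settings dialog rather than here.

```shell
#!/bin/sh
# Added example (not from the guide or Whonix): harden one VirtualBox VM
# and give it its own random BIOS clock offset.  Flag names assume
# VBoxManage 6.x.  The VM must be powered off.  Set VBOXMANAGE=echo to
# preview the command without touching any VM.

# Random integer in [-60000, 60000] milliseconds from the kernel RNG,
# one fresh value per call, so every VM gets a different offset.
random_clock_offset() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')   # 0..65535
    echo $(( r * 120000 / 65535 - 60000 ))
}

# Apply the hardening settings to the VM named (or UUID) $1.
# --mouse ps2 is set in the same call as --usb off so that the USB
# controller does not get re-enabled for a USB tablet device.
harden_vm() {
    vbm="${VBOXMANAGE:-VBoxManage}"
    "$vbm" modifyvm "$1" \
        --audio none \
        --accelerate2dvideo off \
        --accelerate3d off \
        --uart1 off \
        --vrde off \
        --pae on \
        --acpi off \
        --mouse ps2 \
        --usb off \
        --clipboard disabled \
        --draganddrop disabled \
        --biossystemtimeoffset "$(random_clock_offset)"
}

# Usage: sh harden.sh "Whonix-Gateway-XFCE" "Whonix-Workstation-XFCE"
for vm in "$@"; do
    harden_vm "$vm"
done
```

Run it once per VM while the VM is powered off; the snapshot you take afterwards then preserves the hardened state together with the updated system.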
Also, consider applying these mitigations from VirtualBox to mitigate Spectre370/Meltdown371 vulnerabilities by running this command from the VirtualBox Program Directory. All of these are described here: https://www.whonix.org/wiki/Spectre_Meltdown [Archive.org] (be aware these can severely impact the performance of your VMs but should be done for best security).
Finally, consider the security advice from Virtualbox themselves here https://www.virtualbox.org/manual/ch13.html [Archive.org]
Skip this step if you do not intend to use Tor over VPN and only intend to use Tor or cannot.
If you intend to use Tor over VPN for any reason, you must first configure a VPN service on your host OS.
Remember that in this case, we recommend having two VPN accounts. Both paid with cash/Monero (see Appendix O: Getting an anonymous VPN/Proxy). One will be used in the Host OS for the first VPN connection. The other could be used in the VM to achieve VPN over Tor over VPN (User > VPN > Tor > VPN).
If you intend to only use Tor over VPN, you only need one VPN account.
See Appendix R: Installing a VPN on your VM or Host OS for instructions.
Skip this step if you cannot use Tor.
Start Virtualbox on your Host OS.
Import Whonix file Into Virtualbox following the instructions on https://www.whonix.org/wiki/VirtualBox/XFCE [Archive.org]
Start the Whonix VMs
Remember at this stage that if you are having issues connecting to Tor due to censorship or blocking, you should consider connecting using Bridges as explained in this tutorial https://www.whonix.org/wiki/Bridges [Archive.org].
Update the Whonix VMs by following the instructions on https://www.whonix.org/wiki/Operating_System_Software_and_Updates#Updates [Archive.org]
Shutdown the Whonix VMs
Take a snapshot of the updated Whonix VMs within Virtualbox (select a VM and click the Take Snapshot button). More on that later.
Go to the next step
Important Note: You should also read these very good recommendations over there https://www.whonix.org/wiki/DoNot [Archive.org] as most of those principles will also apply to this guide. You should also read their general documentation here https://www.whonix.org/wiki/Documentation [Archive.org] which will also provide tons of advice like this guide.
Using Whonix/Linux will require more skills on your side as these are Linux distributions. You will also encounter more difficulties if you intend to use specific software that might be harder to use on Whonix/Linux. Setting up a VPN over Tor on Whonix will also be more complicated than on Windows.
You can decide if you prefer to conduct your sensitive activities from the Whonix Workstation provided in the earlier section (highly recommended) or from a Custom VM that will use the Whonix Gateway like the Whonix Workstation (less secure but might be required depending on what you intend to do).
If you cannot use Tor, you can use a Custom VM of your choice that will ideally use an anonymous VPN, if possible, to then connect to the Tor network. Or you could go with the risky route: See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option
Skip this step if you cannot use Tor.
Just use the provided Whonix Workstation VM. It is the safest and most secure way to go on this route.
It is also the only VM that will provide Stream Isolation pre-configured for most apps by default372.
If you want additional software on the Workstation (such as another Browser), follow their guide here https://www.whonix.org/wiki/Install_Software [Archive.org]
Consider running Whonix in Live Mode for extra malware protection, see https://www.whonix.org/wiki/Anti-Forensics_Precautions [Archive.org]
Do not forget to apply the VM hardening recommendations here: Virtualbox Hardening recommendations.
Consider using AppArmor on your Whonix Workstations by following this guide: https://www.whonix.org/wiki/AppArmor [Archive.org]
Be careful, any customization you make to the non-Whonix guest VMs (keyboard layout, language, time zone, screen resolution, or other) could be used to fingerprint your VMs later. See https://www.whonix.org/wiki/VM_Fingerprinting [Archive.org]
Use the Linux Distro of your choice. We would recommend Ubuntu or Fedora for convenience but any other would work too. Be sure to not enable any telemetry.
Refer to this tutorial https://www.whonix.org/wiki/Other_Operating_Systems [Archive.org] for detailed instructions.
Consider hardening the VM as recommended in Hardening Linux.
Use the Linux Distro of your choice. We would recommend Ubuntu or Fedora for convenience but any other would work too. Be sure to not enable any telemetry. You could go with the risky route: See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option
This time, we will recommend Brave browser.
See why here: Appendix V: What browser to use in your Guest VM/Disposable VM
See Appendix V1: Hardening your Browsers as well.
Be careful, any customization you make to the non-Whonix guest VMs (keyboard layout, language, time zone, screen resolution, or other) could be used to fingerprint your VMs later. See https://www.whonix.org/wiki/VM_Fingerprinting [Archive.org]
Go with the Official Windows 10/11 Pro VM and harden it yourself: see [Appendix C: Windows Installation Media Creation][306] and go with the ISO route.
Refer to this tutorial https://www.whonix.org/wiki/Other_Operating_Systems [Archive.org] for detailed instructions.
Shut down the Whonix Gateway VM (this will prevent Windows from sending out telemetry and allow you to create a local account).
Open Virtualbox
Select Machine > New > Select Windows 10 or Windows 11 64bit
Allocate a minimum amount of 2GB for Windows 10 and 4GB for Windows 11
Create a Virtual Disk using the VDI format and select Dynamically Allocated
Keep the disk size at 50GB for Windows 10 and 80GB for Windows 11 (this is a maximum; it should not reach that much)
Make sure PAE/NX is enabled in System > Processor
Select the VM and click Settings, Go into the Network Tab
Select “Internal Network” in the “Attached to” Field and select Whonix.
Go into the Storage Tab, Select the Empty CD and click the icon next to SATA Port 1
Click on “Choose a disk file” and select the Windows ISO you previously downloaded
Click ok and start the VM
Virtualbox will either prompt you to press a key to boot from the ISO or ask you what to boot; select the ISO.
Follow the steps in Appendix A: Windows Installation
Start the Whonix Gateway VM
Back to your Windows
Windows 10: Go back into Settings then Network & Internet. Windows 11: Go into settings, click the upper left menu and pick “Network and Internet”
Windows 10: Click Properties (Below Ethernet). Windows 11: Click Ethernet
Windows 10: Edit IP settings. Windows 11: Edit IP assignment.
Windows 10: Enable IPv4 and set the following, Windows 11: Switch from DHCP to Manual and set the following:
IP address: 10.152.152.50 (increase this IP by one for any other VM)
Subnet prefix length: 18 (255.255.192.0)
Gateway: 10.152.152.10 (this is the Whonix Gateway)
(Windows 10) DNS: 10.152.152.10 (this is again the Whonix Gateway)
(Windows 11) Exit the IP assignment, select DNS server assignment and set it to 10.152.152.10 (this is again the Whonix Gateway)
Save
Windows might prompt you if you want to be “discoverable” on this network. Click NO. Always stay on a “public network” if prompted.
Every time you power on this VM in the future, you should change its Ethernet MAC address before booting it. You can do this in Virtualbox > Settings > Network > Advanced > Click the refresh button next to the MAC address. You can only do this while the VM is powered off.
See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option
Open Virtualbox
Select Machine > New > Select Windows 10 or 11 64bit
Allocate a minimum of 4GB of RAM for Windows 11, 2GB of RAM for Windows 10.
Create a Virtual Disk using the VDI format and select Dynamically Allocated
In the System/Processor tab, make sure PAE/NX is enabled.
Keep the disk size at 80GB for 11, 50GB for 10 (this is a maximum; it should not reach that much)
Go into the Storage Tab, Select the Empty CD and click the icon next to SATA Port 1
Click on “Choose a disk file” and select the Windows ISO you previously downloaded
Click ok and start the VM
Virtualbox will either prompt you to press a key to boot from the ISO or ask you what to boot; select the ISO.
Follow the steps in Appendix A: Windows Installation
Every time you power on this VM in the future, you should change its Ethernet MAC address before booting it. You can do this in Virtualbox > Settings > Network > Advanced > Click the refresh button next to the MAC address. You can only do this while the VM is powered off.
This time, we will recommend Brave browser.
See why here: Appendix V: What browser to use in your Guest VM/Disposable VM
See Appendix V1: Hardening your Browsers as well.
See Appendix B: Windows Additional Privacy Settings
Sometimes you want to run mobile apps anonymously too, so you can also set up an Android VM for this purpose. As in the other cases, ideally this VM will also sit behind the Whonix Gateway for Tor network connectivity, but it can also be set up as VPN over Tor over VPN.
Later in the VM settings during creation, go into Network and select Internal Network, Whonix.
Then on Android itself:
Select Wi-Fi
Select VirtWifi to connect
Go into the advanced Wi-Fi properties
Switch from DHCP to Static
IP address: 10.152.152.50 (increase this IP by one for any other VM)
Subnet prefix length: 18 (255.255.192.0)
Gateway: 10.152.152.10 (this is the Whonix Gateway)
DNS: 10.152.152.10 (this is again the Whonix Gateway)
Just use the tutorials as is and see Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option
Two possibilities: AnBox or Android-x86
Personally, we would recommend AnBox over Android-x86, but it requires Linux.
Basically follow the tutorial here for installing AnBox on the Whonix Workstation: https://www.whonix.org/wiki/Anbox [Archive.org] for running Android Applications within an AnBox VM.
Or follow the instructions here https://anbox.io/ to install on any other VM (Linux Only)
Basically, follow the tutorial here: https://www.android-x86.org/documentation/virtualbox.html [Archive.org]
Download the ISO file of your choice
Create a New VM.
Select Linux and Linux 2.6 / 3.x / 4.x 64 Bit.
In System:
Allocate at least 2048MB (2GB) memory
Uncheck the Floppy drive
In the Processor Tab, select at least 1 or more CPUs
Enable PAE/NX
In Display Settings, Change the adapter to VBoxVGA
In Audio Settings, Change to Intel HD Audio
Start the VM
Select Advanced if you want persistence, Live if you want a disposable Boot (and skip the next steps).
Select Auto Install on Selected Hard Disk
Select Run Android
Set up as you wish (disable all prompts for data collections). I recommend using the TaskBar Home.
Go into Settings, Android-x86 Options, and disable all collections.
Connect to VirtWifi Wi-Fi Network (see the above section if you are behind Whonix and want to use Tor)
You are now done and can now install any Android app.
Yes, you can actually run macOS within Virtualbox (on Windows/Linux/macOS host systems) if you want to use macOS. You can run any version of macOS you want.
During the following tutorials, before starting the macOS VM, make sure you do put the macOS VMs on the Whonix Network.
Select the VM and click Settings, Go into the Network Tab
Select “Internal Network” in the “Attached to” Field and select Whonix
Afterward, and during the install, you will need to input an IP address manually to connect through the Whonix Gateway.
Use these settings when prompted in the macOS installation process:
IP address: 10.152.152.50 (increase this IP by one for any other VM)
Subnet prefix length: 18 (255.255.192.0)
Gateway: 10.152.152.10 (this is the Whonix Gateway)
DNS: 10.152.152.10 (this is again the Whonix Gateway)
Just use the tutorials as is and see Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option
Windows Host OS:
Virtualbox Catalina Tutorial: https://www.wikigain.com/install-macos-catalina-on-virtualbox-on-windows/ [Archive.org]
Virtualbox Big Sur Tutorial: https://www.wikigain.com/how-to-install-macos-big-sur-on-virtualbox-on-windows-pc/ [Archive.org]
Virtualbox Monterey Tutorial: https://www.wikigain.com/install-macos-monterey-on-virtualbox/ [Archive.org]
macOS Host OS:
Linux Host OS:
There are some drawbacks to running macOS on Virtual Machines. The main one is that they do not have a serial number (0 by default) and you will be unable to log in to any Apple-provided service (iCloud, iMessage…) without a genuine ID. You can set such IDs using this script: https://github.com/myspaghetti/macos-virtualbox [Archive.org] but keep in mind that randomly generated IDs will not work and using the ID of someone else will break their Terms of Services and could count as impersonation (and therefore could be illegal).
Note: We also ran into multiple issues running these on AMD processors. This can be fixed, so here is the configuration we used, which worked fine with Catalina, Big Sur and Monterey and tells Virtualbox to emulate an Intel processor instead:
VBoxManage modifyvm "macOSCatalina" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "MacBookPro15,1"
VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Mac-551B86E5744E2388"
VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1
VBoxManage modifyvm "macOSCatalina" --cpu-profile "Intel Core i7-6700K"
VBoxManage setextradata "macOSCatalina" VBoxInternal2/EfiGraphicsResolution 1920x1080
Refer to Hardening macOS.
This time, we will recommend Brave browser.
See why here: Appendix V: What browser to use in your Guest VM/Disposable VM
See Appendix V1: Hardening your Browsers as well.
You will need something to store your data (logins/passwords, identities, and TOTP373 information).
For this purpose, we strongly recommend KeePassXC because of its integrated TOTP feature. This is the ability to create entries for 2FA374 authentication with the authenticator feature.
Remember this should ideally be installed on your Guest VM and not on your Host OS. You should never do any sensitive activities from your Host OS.
Here are the tutorials:
Tails: KeePassXC is integrated by default
Linux:
Download from https://keepassxc.org/download/ [Archive.org]
Follow the tutorial here https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_linux [Archive.org]
Windows:
Download from https://keepassxc.org/download/ [Archive.org]
Follow the tutorial here https://KeePassXC.org/docs/KeePassXC_GettingStarted.html#_microsoft_windows/ [Archive.org]
macOS:
Download from https://keepassxc.org/download/ [Archive.org]
Follow the tutorial here https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_macos [Archive.org]
Test that KeePassXC is working before going to the next step.
If you decided to not use a cash-paid VPN and just want to use Tor, skip this step.
If you cannot use a VPN at all in a hostile environment, skip this step.
Otherwise, see Appendix R: Installing a VPN on your VM or Host OS to install a VPN client on your client VM.
This should conclude the Route and you should now be ready.
You might be asking yourself if those VPN clients are trustworthy not to leak any information about your local environment to the VPN provider when using them in the “VPN over Tor” context.
This is a valid concern but should be taken with a grain of salt.
Remember that all VPN activities are happening from a sandboxed VM on an internal network behind a Network Gateway (the Whonix Gateway). It does not matter much if the VPN client leaves some identifiers on your guest VM. The guest VM is still sandboxed and walled-off from the Host OS. The attack surface is small especially when using the reputable and recommended VPN providers within the guides (iVPN, Mullvad, Proton VPN, and maybe Safing.io).
At best, the VPN client would know your local IP (internal IP) and some randomized identifiers but should not be able to get anything from the Host OS. And in theory, the VPN client should not send any telemetry back to the VPN provider. If your VPN client does this or asks this, you should consider changing the provider.
This step will allow you to configure your Host OS so that only the Whonix Gateway VM has access to the internet. This prevents any “leak” from your Host OS while letting the Whonix Gateway establish Tor connectivity. The other VMs (Whonix Workstation or any other VM you installed behind it) will not be affected.
There are three ways to do this:
The Lazy Way (not really recommended): not supported by Whonix and might have some security implications as you will expose the Whonix Gateway VM to the Public Wi-Fi network. We would recommend against this unless you are in a hurry or very lazy.
The Better Way (see further down): still not supported by Whonix but it will not expose the Whonix Gateway VM to the Public Wi-Fi network. This should keep things in check in terms of security.
The Best Way: Using an external USB Wi-Fi dongle and just disabling Wi-Fi on the Host OS/Computer.
This way is not supported by the Whonix project375 but I will go ahead and give this option anyway. This is helpful to prevent your Host OS from leaking any information while you are using the Whonix VMs.
Note that this option as-is will only work on Wi-Fis without a captive portal (where you must enter some information to unlock access).
The illustration below shows the result of this step:
For this to work, we will need to change some configuration on the Whonix Gateway VM: we will need to add a DHCP client to the Whonix Gateway so that it can receive an IP address from the network. To make those changes, the Host OS will still have to have internet access for now.
So here is how:
Be sure to have your Host OS connected to a safe Wi-Fi.
Through VirtualBox, start the Whonix Gateway VM
Start a Terminal on the VM
Install a DHCP client on the Whonix Gateway VM using the following command:
sudo apt install dhcpcd5
Now edit the Whonix Gateway VM network configuration using the following command:
sudo nano /etc/network/interfaces.d/30_non-qubes-whonix
Within the file change the following lines:
# auto eth0
to auto eth0
# iface eth0 inet dhcp
to iface eth0 inet dhcp
iface eth0 inet static
to # iface eth0 inet static
address 10.0.2.15
to # address 10.0.2.15
netmask 255.255.255.0
to # netmask 255.255.255.0
gateway 10.0.2.2
to # gateway 10.0.2.2
Save (using Ctrl+X and confirm with Y) and power off the VM from the top left menu
Go into the VirtualBox Application and select the Whonix Gateway VM
Click Settings
Click the Network Tab
For Adapter 1, change the “Attached To” value from “NAT” to “Bridged Adapter”
As “Name”, select your Wi-Fi network Adapter
Click OK and you are done with the VM configuration part
Now you must block internet access from your Host OS while still allowing the VM to connect. This will be done by connecting to Wi-Fi with the Host OS but without keeping a default gateway (the Host OS keeps its IP address but loses its route to the internet). The VM will then use your Wi-Fi association to get an IP address of its own.
The goal here is to associate with a Wi-Fi network without having an internet connection. You will achieve this by deleting the Gateway from the connection after you are connected:
First, connect to the safe Wi-Fi of your choice
Open an administrative command prompt (right-click on Command Prompt and Run as Administrator)
Run the following command: route delete 0.0.0.0
(this deletes the Gateway from your IP configuration)
You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi
You can now start the Whonix Gateway VM which should now obtain an IP automatically from the Wi-Fi network and should provide Network to the other VMs behind (Whonix Workstation or other).
And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway VM) and it should be connected to the internet through Tor.
The goal here is to associate with a Wi-Fi network without having an internet connection. You will achieve this by deleting the Gateway from the connection after you are connected:
First, connect to the safe Wi-Fi of your choice
Open a Terminal
Run the following command: sudo ip route del default
(this deletes the Gateway from your IP configuration)
You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi
You can now start the Whonix Gateway VM which should now obtain an IP automatically from the Wi-Fi network and should provide Network to the other VMs behind (Whonix Workstation or other).
And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway VM) and it should be connected to the internet through Tor.
The goal here is to associate with a Wi-Fi network without having an internet connection. You will achieve this by deleting the Gateway from the connection after you are connected:
First, connect to the safe Wi-Fi of your choice
Open a Terminal
Run the following command: sudo route delete default
(this deletes the Gateway from your IP configuration)
You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi
You can now start the Whonix Gateway VM which should now obtain an IP automatically from the Wi-Fi network and should provide Network to the other VMs behind (Whonix Workstation or other).
And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway VM) and it should be connected to the internet through Tor.
This way will not go against Whonix recommendations (as it will not expose the Whonix Gateway to the Host OS) and will have the advantage of allowing connections not only to open Wi-Fis but also to the ones with a Captive Portal where you need to enter some information to access the internet.
Yet this will still not be supported by the Whonix project, but it is fine as the main concern for the earlier Lazy Way is to have the Whonix Gateway VM exposed to the Host Network, and it will not be the case here.
This option will require an additional VM between the Host OS and the Whonix Gateway to act as a Network Bridge.
For this purpose, I will recommend the use of a lightweight Linux Distro. Any will do but the easiest will be an Ubuntu-based distro and I would recommend the lightweight XUbuntu as it will be extremely easy to configure this setup.
Why XUbuntu and not Ubuntu or KUbuntu? Because XUbuntu uses an XFCE desktop environment which is lightweight and this VM will only serve as a proxy and nothing else.
Of course, you can also achieve this with any other Linux distro if you so decide you do not like XUbuntu.
This is how it will look at the end:
XUbuntu was picked due to the performance of XFCE.
Make sure you are connected to a safe Wi-Fi for this operation.
First, you will need to download the latest XUbuntu Stable release ISO from https://xubuntu.org/download/
When you are done with the download, it is time to create a new VM:
Start VirtualBox Manager
Create a new VM and name it as you want, for example, “XUbuntu Bridge”
Select type “Linux”
Select Version “Ubuntu (64-bit)”
Leave other options to default and click Create
On the next screen, leave the default options and click Create
Select the newly created VM and click Settings
Select Network
For Adapter 1, Switch to Bridged Mode and pick your Wi-Fi adapter in the Name
Select Adapter 2 and enable it
Attach it to “Internal Network” and name it “XUbuntu Bridge”
Select Storage
Select the Empty CD drive
On the right side, click the CD icon and select “Choose a disk file”
Select the ISO of XUbuntu you previously downloaded and Click Ok
Start the VM
Select Start XUbuntu
Select Install XUbuntu
Pick your Keyboard Layout and click Continue
Select Minimal Installation and Download Updates while installing XUbuntu
Select Erase Disk and install XUbuntu and click Install Now
Select the Time Zone of your choice and click Continue
Pick some random names unrelated to you (my favorite username is “NoSuchAccount”)
Pick a password and require a password to login
Click Continue and wait for the install to finish and Restart
When you are done rebooting, log in
Click the upper right connection icon (it looks like two rotating spheres)
Click Edit Connections
Select Wired Connection 2 (Adapter 2 previously configured in VirtualBox settings)
Select the IPv4 Tab
Change the Method to “Shared to other computers” and click Save
You are now done setting up the XUbuntu Bridge VM
By default, the Whonix Gateway has no DHCP client and will require one to get an IP from a shared network you configured earlier:
Through VirtualBox, start the Whonix Gateway VM
Start a Terminal on the VM
Install a DHCP client on the Whonix Gateway VM using the following command:
sudo apt install dhcpcd5
Now edit the Whonix Gateway VM network configuration using the following command:
sudo nano /etc/network/interfaces.d/30_non-qubes-whonix
Within the file change the following lines:
# auto eth0
to auto eth0
# iface eth0 inet dhcp
to iface eth0 inet dhcp
iface eth0 inet static
to # iface eth0 inet static
address 10.0.2.15
to # address 10.0.2.15
netmask 255.255.255.0
to # netmask 255.255.255.0
gateway 10.0.2.2
to # gateway 10.0.2.2
Save (using Ctrl+X and confirm with Y) and power off the VM from the top left menu
Go into the VirtualBox Application and select the Whonix Gateway VM
Click Settings
Click the Network Tab
For Adapter 1, change the “Attached To” value from “NAT” to “Internal Network”
As “Name”, select the internal network “XUbuntu Bridge” you created earlier and click OK
Reboot the Whonix Gateway VM
From the upper left menu, select System, Tor Control Panel, and check that you are connected (you should be)
You are done configuring the Whonix Gateway VM
Now you must block internet access from your Host OS while still allowing the XUbuntu Bridge VM to connect. This will be done by connecting to Wi-Fi with the Host OS but without assigning itself a gateway address. The VM will then use your Wi-Fi association to get an IP address.
If necessary, from the XUbuntu Bridge VM, you will be able to launch a Browser to enter information into any captive/registration portal on the Wi-Fi network.
Only the XUbuntu Bridge VM should be able to access the internet. The Host OS will be limited to local traffic only.
The goal here is to associate with a Wi-Fi network without having an internet connection. You will achieve this by deleting the Gateway from the connection after you are connected:
First, connect to the safe Wi-Fi of your choice
Open an administrative command prompt (right-click on Command Prompt and Run as Administrator)
Run the following command: route delete 0.0.0.0
(this deletes the Gateway from your IP configuration)
You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi
You can now start the XUbuntu Bridge VM which should now obtain an IP automatically from the Wi-Fi network and should provide Network to the other VMs behind (Whonix Workstation or other).
If necessary, you can use the XUbuntu Bridge VM Browser to fill in any information on any captive/registration portal to access the Wi-Fi.
After that, you can start the Whonix Gateway VM which should obtain the Internet Connection from the XUbuntu Bridge VM.
And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway VM) and it should be connected to the internet through Tor.
The goal here is to associate with a Wi-Fi network without having an internet connection. You will achieve this by deleting the Gateway from the connection after you are connected:
First, connect to the safe Wi-Fi of your choice
Open a Terminal
Run the following command: sudo ip route del default
(this deletes the Gateway from your IP configuration)
You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi
You can now start the XUbuntu Bridge VM which should now obtain an IP automatically from the Wi-Fi network and should provide Network to the other VMs behind (Whonix Workstation or other).
If necessary, you can use the XUbuntu Bridge VM Browser to fill in any information on any captive/registration portal to access the Wi-Fi.
After that, you can start the Whonix Gateway VM which should obtain the Internet Connection from the XUbuntu Bridge VM.
And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway VM) and it should be connected to the internet through Tor.
The goal here is to associate with a Wi-Fi network without having an internet connection. You will achieve this by deleting the Gateway from the connection after you are connected:
First, connect to the safe Wi-Fi of your choice
Open a Terminal
Run the following command: sudo route delete default
(this deletes the Gateway from your IP configuration)
You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi
You can now start the XUbuntu Bridge VM which should now obtain an IP automatically from the Wi-Fi network and should provide Network to the other VMs behind (Whonix Workstation or other).
If necessary, you can use the XUbuntu Bridge VM Browser to fill in any information on any captive/registration portal to access the Wi-Fi.
After that, you can start the Whonix Gateway VM which should obtain the Internet Connection from the XUbuntu Bridge VM.
And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway VM) and it should be connected to the internet through Tor.
This way will not go against Whonix recommendations (as it will not expose the Whonix Gateway to the Host OS) and will have the advantage of allowing connections not only to open Wi-Fis but also to the ones with a Captive Portal where you need to enter some information to access the internet. Yet this will still not be supported by the Whonix project, but it is fine as the main concern for the earlier Lazy Way is to have the Whonix Gateway VM exposed to the Host Network, and it will not be the case here. This option is the best because the network will be completely disabled on the Host OS from booting up.
This option will require an additional VM between the Host OS and the Whonix Gateway to act as a Network Bridge and to connect to the Wi-Fi network. This option requires a working USB Wi-Fi Dongle that will be passed through to a bridge VM.
For this purpose, I recommend the use of a lightweight Linux distro. Any will do, but the easiest is an Ubuntu-based distro, and I would recommend the lightweight XUbuntu as it makes this setup extremely easy to configure.
Why XUbuntu and not Ubuntu or KUbuntu? Because XUbuntu uses the XFCE desktop environment, which is lightweight, and this VM will only serve as a proxy and nothing else.
Of course, you can also achieve this with any other Linux distro if you so decide you do not like XUbuntu.
This is how it will look at the end:
Disable Networking on your Host OS completely (Turn off the on-board Wi-Fi completely)
Plug in and install your USB Wi-Fi Dongle. Connect it to a safe Public Wi-Fi. This should be easy and automatically installed by any recent OS (Windows 10/11, macOS, Linux).
By default, the Whonix Gateway has no DHCP client and will require one to get an IP from a shared network you will configure later, on a Bridge VM:
Through VirtualBox, start the Whonix Gateway VM
Start a Terminal on the VM
Install a DHCP client on the Whonix Gateway VM using the following command:
sudo apt install dhcpcd5
Now edit the Whonix Gateway VM network configuration using the following command:
sudo nano /etc/network/interfaces.d/30_non-qubes-whonix
Within the file, change the following lines:
“# auto eth0” to “auto eth0”
“# iface eth0 inet dhcp” to “iface eth0 inet dhcp”
“iface eth0 inet static” to “# iface eth0 inet static”
“address 10.0.2.15” to “# address 10.0.2.15”
“netmask 255.255.255.0” to “# netmask 255.255.255.0”
“gateway 10.0.2.2” to “# gateway 10.0.2.2”
Save (using Ctrl+X and confirm with Y) and power off the VM from the top left menu
Make sure you are connected to a safe Wi-Fi for this operation.
First, you will need to download the latest XUbuntu Stable release ISO from https://xubuntu.org/download/
When you are done with the download, it is time to create a new VM:
Disconnect your host OS from the Wi-Fi you previously connected to with the dongle and forget the network.
Start VirtualBox Manager
Create a new VM and name it as you want, for example, “XUbuntu Bridge”
Select type “Linux”
Select Version “Ubuntu (64-bit)”
Leave other options to default and click Create
On the next screen, leave the default options and click Create
Select the newly created VM and click Settings
Select Network
For Adapter 1, Attach it to “Internal Network” and name it “XUbuntu Bridge”
Select Storage
Select the Empty CD drive
On the right side, click the CD icon and select “Choose a disk file”
Select the ISO of XUbuntu you previously downloaded and Click Ok
Select the USB Tab
On the right side, click the USB icon with a + sign (the second from the top)
Select the Wi-Fi Adapter Dongle from the list and make sure it is checked (leave the USB options to default)
Start the VM
Select Start XUbuntu
Select Install XUbuntu
Pick your Keyboard Layout and click Continue
Select Minimal Installation and do not check the Download Updates during the install option
Select Erase Disk and install XUbuntu and click Install Now
Select the Time Zone of your choice and click Continue
Pick some random names unrelated to you (my favorite username is “NoSuchAccount”)
Pick a password and require a password to login
Click Continue and wait for the install to finish and Restart
When you are done rebooting, log in
Click the upper right connection icon (it looks like two rotating spheres)
Click Edit Connections
Select Wired Connection 1 (normally there should only be one)
Select the IPv4 Tab
Change the Method to “Shared to other computers” and click Save
Again, click the upper right connection icon
Connect to the safe Wi-Fi of your choice and if necessary, input the necessary information into a Captive Portal.
You are now done setting up the XUbuntu Bridge VM
At this stage, your Host OS should have no network at all and your XUbuntu VM should have a fully working Wi-Fi connection and this Wi-Fi connection will be shared to the Internal Network “XUbuntu Bridge”.
Now it is time to configure the Whonix Gateway VM to get network access from the shared network of the bridge VM you just made in the earlier step:
Go into the VirtualBox Application and select the Whonix Gateway VM
Click Settings
Click the Network Tab
For Adapter 1, change the “Attached To” value from “NAT” to “Internal Network”
As “Name”, select the internal network “XUbuntu Bridge” you created earlier and click OK
Reboot the Whonix Gateway VM
From the upper left menu, select System, Tor Control Panel, and check that you are connected (you should be)
You are done configuring the Whonix Gateway VM
At this stage, your Whonix Gateway VM should be getting internet access from the XUbuntu Bridge VM which in turn is getting internet access from the Wi-Fi Dongle and sharing it. Your Host OS should have no network connectivity at all.
All the VMs behind the Whonix Gateway should now work fine without additional configuration.
Take a post-install VirtualBox snapshot of your VMs.
You are done and can now skip the rest to go to the Getting Online part.
Note that the guide has been updated to Qubes OS 4.1
As they say on their website, Qubes OS is a reasonably secure, free, open-source, and security-oriented operating system for single-user desktop computing. Qubes OS leverages and extensively uses Xen-based virtualization to allow for the creation and management of isolated compartments called Qubes.
Qubes OS is not a Linux distribution[376] but a Xen distribution. It is different from Linux distributions because it makes extensive use of Virtualization and Compartmentalization so that any app will run in a different VM (Qube). As a bonus, Qubes OS integrates Whonix by default and allows for increased privacy and anonymity. It is highly recommended that you read up on Qubes OS principles before going this route. Here are some recommended resources:
Qubes OS Introduction, https://www.qubes-os.org/intro/ [Archive.org]
Qubes OS Video Tours, https://www.qubes-os.org/video-tours/ [Archive.org]
Qubes OS Getting Started, https://www.qubes-os.org/doc/getting-started/ [Archive.org]
YouTube, Life Behind the Tinfoil: A Look at Qubes and Copperhead - Konstantin Ryabitsev, The Linux Foundation https://www.youtube.com/watch?v=8cU4hQg6GvU [Invidious]
YouTube, We used the reasonably-secure Qubes OS for 6 months and survived - Matty McFatty [@themattymcfatty] https://www.youtube.com/watch?v=sbN5Bz3v-uA [Invidious]
YouTube, Qubes OS: How it works, and a demo of this VM-centric OS https://www.youtube.com/watch?v=YPAvoFsvSbg [Invidious]
This OS is recommended by prominent figures such as Edward Snowden and PrivacyGuides.org.
Qubes is the best option in this guide for people who are more comfortable with Linux and tech in general. But it has some downsides such as the lack of OS-wide plausible deniability, its hardware requirements, and its hardware compatibility. While you can run this on 4GB of RAM as per their requirements [Archive.org], the recommended RAM is 16GB. We would recommend against using Qubes OS if you have less than 8GB of RAM. If you want a comfortable experience, you should have 16GB, if you want a particularly enjoyable experience, you should have 24GB or 32GB.
The reason for this RAM requirement is that each app will run in a different VM, and each of those VMs will require and allocate a certain amount of memory that will not be available for other apps. If you are running native Windows apps within Qubes OS qubes, the RAM overhead will be significant.
You should also check their hardware compatibility here https://www.qubes-os.org/hcl/ [Archive.org] before proceeding. Your mileage might vary, and you might experience several hardware compatibility issues that you will have to troubleshoot and solve yourself.
I think that if you can afford it and are comfortable with the idea of using Linux, you should go with this route as it is probably the best one in terms of security and privacy. The only disadvantage of this route is that it does not provide a way to enable OS-wide plausible deniability https://en.wikipedia.org/wiki/Plausible_deniability [Wikiless], unlike the Whonix route.
There are seven possibilities within this route:
Recommended and preferred:
Use Tor alone (User > Tor > Internet)
Use VPN over Tor (User > Tor > VPN > Internet) in specific cases
Use a VPS with a self-hosted VPN/Proxy over Tor (User > Tor > Self-Hosted VPN/Proxy > Internet) in specific cases
Possible if required by context:
Use VPN over Tor over VPN (User > VPN > Tor > VPN > Internet)
Use Tor over VPN (User > VPN > Tor > Internet)
Not recommended and risky:
Use VPN alone (User > VPN > Internet)
Use VPN over VPN (User > VPN > VPN > Internet)
Not recommended and highly risky (but possible):
This is the preferred and most recommended solution.
With this solution, all your network traffic goes through Tor, and it should be sufficient to guarantee your anonymity in most cases.
There is one main drawback though: some services block/ban Tor Exit nodes outright and will not allow account creation from those.
To mitigate this, you might have to consider the next option, VPN over Tor, but keep in mind the risks associated with it, explained in the next section.
This solution can bring some benefits in some specific cases vs using Tor only where accessing the destination service would be impossible from a Tor Exit node. This is because many services will just outright ban, hinder, or block Tor Exit Nodes (see https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor [Archive.org]).
This solution can be achieved in two ways:
Paid VPN over Tor (easiest)
Paid Self-Hosted VPS configured as VPN/Proxy (most efficient in avoiding online obstacles such as captchas but requiring more skills with Linux)
As you can see in this illustration, if your cash (preferred)/Monero paid VPN/Proxy is compromised by an adversary (despite their privacy statement and no-logging policies), they will only find an anonymous cash/Monero paid VPN account connecting to their services from a Tor Exit node.
If an adversary somehow manages to compromise the Tor network too, they will only reveal the IP of a random public Wi-Fi that is not tied to your identity.
If an adversary somehow compromises your VM OS (with malware or an exploit for instance), they will be trapped within the internal Network of Whonix and should be unable to reveal the IP of the public Wi-Fi.
This solution however has one main drawback to consider: Interference with Tor Stream Isolation[377].
Stream isolation is a mitigation technique used to prevent some correlation attacks by having different Tor Circuits for each application. Here is an illustration to show what stream isolation is:
(Illustration from Marcelo Martins, https://stakey.club/en/decred-via-tor-network/ [Archive.org])
VPN/Proxy over Tor falls on the right side[378], meaning that using a VPN/Proxy over Tor forces Tor to use one circuit for all activities instead of a separate circuit for each. This means that using a VPN/Proxy over Tor can reduce the effectiveness of Tor in some cases and should therefore be used only for some specific cases:
When your destination service does not allow Tor Exit nodes.
When you do not mind using a shared Tor circuit for various services, for instance, for using various authenticated services.
You should however consider not using this method when your aim is just to browse random various unauthenticated websites as you will not benefit from Stream Isolation and this could make correlation attacks easier for an adversary between each of your sessions (see Your Anonymized Tor/VPN traffic).
More information at:
https://tails.boum.org/contribute/design/stream_isolation/ [Archive.org]
https://www.whonix.org/wiki/Tunnels/Introduction#Comparison_Table [Archive.org]
You might be wondering: Well, what about using Tor over VPN instead of VPN over Tor?
Disadvantages
Your VPN provider is just another ISP that will then know your origin IP and will be able to de-anonymize you if needed. We do not trust them. Prefer a situation where your VPN provider does not know who you are. It does not add much in terms of anonymity.
This would result in you connecting to various services using the IP of a Tor Exit Node which is banned/flagged in many places. It does not help in terms of convenience.
Advantages:
The main advantage applies if you are in a hostile environment where Tor access is impossible/dangerous/suspicious, but VPN is okay.
This method also does not break Tor Stream isolation.
Note: if you are having issues accessing the Tor Network due to blocking/censorship, you could try using Tor Bridges (see Tor Documentation https://2019.www.torproject.org/docs/bridges [Archive.org] and Whonix Documentation https://www.whonix.org/wiki/Bridges [Archive.org]).
It is also possible to consider VPN over Tor over VPN (User > VPN > Tor > VPN > Internet) using two cash/Monero paid VPNs instead. This means that you will connect the Host OS to a first VPN from your Public Wi-Fi, then Whonix will connect to Tor, and finally, your VM will connect to a second VPN over Tor over VPN (see https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org]).
This will of course have a significant performance impact and might be quite slow, but Tor is necessary somewhere for achieving reasonable anonymity.
Achieving this technically is easy within this route: you need two separate anonymous VPN accounts, connect to the first VPN from the Host OS, and then follow the route.
Conclusion: Only do this if you think using Tor alone is risky/impossible but VPNs are okay. Or just because you can and so why not. This method will not lower your security/privacy/anonymity.
This route will not be explained nor recommended.
If you can use VPNs then you should be able to add a Tor layer over it. And if you can use Tor, then you can add an anonymous VPN over Tor to get the preferred solution.
Just using a VPN or even a VPN over VPN makes no sense as those can be traced back to you over time. One of the VPN providers will know your real origin IP (even if it is in a safe public space) and even if you add one over it, the second one will still know you were using that other first VPN service. This will only slightly delay your de-anonymization. Yes, it is an added layer … but it is a persistent centralized added layer, and you can be de-anonymized over time. This is just chaining 3 ISPs that are all subject to lawful requests.
For more info, please see the following references:
https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Tor_and_VPN_Services_Comparison [Archive.org]
https://www.whonix.org/wiki/Why_does_Whonix_use_Tor [Archive.org]
https://www.researchgate.net/publication/324251041_Anonymity_communication_VPN_and_Tor_a_comparative_study [Archive.org]
https://gist.github.com/joepie91/5a9909939e6ce7d09e29#file-vpn-md [Archive.org]
https://schub.wtf/blog/2019/04/08/very-precarious-narrative.html [Archive.org]
In the context of this guide, Tor is required somewhere to achieve reasonable and safe anonymity and you should use it if you can.
If you cannot use VPN nor Tor where you are, you probably are in a very hostile environment where surveillance and control are extremely high.
Just do not; it is not worth it and too risky. You can be de-anonymized almost instantly by any motivated adversary, who could get to your physical location in a matter of minutes.
Do not forget to check back on Adversaries (threats) and Appendix S: Check your network for surveillance/censorship using OONI.
If you have absolutely no other option and still want to do something, see Appendix P: Accessing the internet as safely as possible when Tor/VPN is not an option (at your own risk).
Connection Type | Anonymity | Ease of Access to online resources | Tor Stream isolation | Safer where Tor is suspicious/dangerous | Speed | Cost | Recommended |
---|---|---|---|---|---|---|---|
Tor Alone | Good | Medium | Possible | No | Medium | Free | Yes |
Tor over VPN | Good+ | Medium | Possible | Yes | Medium | Around 50€/y | If needed (Tor inaccessible) |
Tor over VPN over Tor | Best | Medium | Possible | Yes | Poor | Around 50€/y | Yes |
VPN over Tor | Good- | Good | No | No | Medium | Around 50€/y | If needed (convenience) |
Self-Hosted VPS VPN/Proxy over Tor | Good- | Very Good | No | No | Medium | Around 50€/y | If needed (convenience) |
VPN/Proxy over Tor over VPN | Good- | Good | No | Yes | Poor | Around 100€/y | If needed (convenience and Tor inaccessible) |
VPN/Proxy Alone | Bad | Good | N/A | Yes | Good | Around 50€/y | No |
No Tor and VPN | Bad | Unknown | N/A | No | Good | Around 100€ (Antenna) | No. At your own risk. |
Unfortunately, using Tor alone will raise the suspicion of many destinations’ platforms. You will face many hurdles (captchas, errors, difficulties signing up) if you only use Tor. In addition, using Tor where you are could put you in trouble just for that. But Tor remains the best solution for anonymity and must be somewhere for anonymity.
If you intend to create persistent shared and authenticated identities on various services where access from Tor is hard, we recommend the VPN over Tor and VPS VPN/Proxy over Tor options (or VPN over Tor over VPN if needed). It might be a bit less secure against correlation attacks due to breaking Tor Stream isolation but provides much better convenience in accessing online resources than just using Tor. It is an “acceptable” trade-off IMHO if you are careful enough with your identity.
If, however, your intent is just to browse random services anonymously without creating specific shared identities, using Tor-friendly services, or if you do not want to accept the trade-off of the earlier option, then we recommend using the Tor Only route to keep the full benefits of Stream Isolation (or Tor over VPN if you need to).
If cost is an issue, we recommend the Tor Only option if possible.
If both Tor and VPN access are impossible or dangerous, then you have no choice but to rely on public Wi-Fi safely. See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option.
For more information, you can also see the following discussions, which could help you decide:
Tor Project: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN [Archive.org]
Tails Documentation:
Whonix Documentation (in this order):
Some papers on the matter:
Skip this step if you want to use Tor only or VPN is not an option.
See Appendix O: Getting an anonymous VPN/Proxy
Qubes OS uses LUKS for full disk encryption and it is technically possible to achieve a form of deniability by using detached LUKS headers. This is not yet integrated into this guide but you will find an evolving tutorial on how to achieve this here: https://forum.qubes-os.org/t/qubes-os-installation-detached-encrypted-boot-and-header/6205 and some more background information within the Linux Host OS section (see Note about plausible deniability on Linux).
You will follow the instructions from their own guide https://www.qubes-os.org/doc/installation-guide/ [Archive.org]:
(Secure Boot is not supported as per their FAQ: https://www.qubes-os.org/faq/#is-secure-boot-supported [Archive.org] so it should be disabled in the BIOS/UEFI settings.)
Download the latest Qubes OS 4.1.x installation ISO according to their hardware compatibility list.
Get and verify the Qubes OS Master Signing key: https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
Prepare a USB key with the Qubes OS ISO file
Install Qubes OS according to the installation guide:
If you want to use Tor or VPN over Tor: Check the "Enabling system and template updates over the Tor anonymity network using Whonix" during the last step. This will force all Qubes OS updates to go through Tor. While this will significantly reduce your update speed, it will increase your anonymity from the start. (If you are having issues connecting to Tor due to censorship or blocking, consider using Tor Bridges as recommended earlier. Just follow the tutorial provided here: https://www.whonix.org/wiki/Bridges [Archive.org])
If you want to use Tor over VPN or cannot use any of those, leave it unchecked.
Be absolutely sure that you are verifying the signature of the ISO, which you can find on this page: https://www.qubes-os.org/security/verifying-signatures/ [Archive.org]. Check by obtaining the fingerprint from multiple independent sources in several different ways as recommended. This is to ensure the image has not been tampered with. Do not skip this vital step even though you know you are getting the ISO from a trusted source, because it’s possible for the Qubes website to be compromised.
If you are prevented from using Tor, there is no point in installing the Whonix VM templates. You can disable Whonix installation during the post-installation, initial setup wizard.
To be sure your Qubes ISO hasn’t been tampered with, you should get the Qubes master key fingerprint from multiple different sources. This guide can be used as one source.
The Qubes master signing key fingerprint should match 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494.
Remember to read the guide to verifying signatures on the Qubes website: https://www.qubes-os.org/security/verifying-signatures/ [Archive.org].
Unfortunately, Qubes OS does not support hibernation[379], which is an issue regarding cold-boot attacks. To mitigate those, I highly recommend that you configure Qubes OS to shut down on any power action (power button, lid closure). You can set this from the XFCE Power Manager. Do not use the sleep features.
Warning: this step only works with Intel CPUs, a legacy BIOS, and TPM 1.2. If you do not meet those requirements, skip this step.
Anti Evil Maid is an implementation of a TPM-based static trusted boot with a primary goal to prevent Evil Maid attacks. Installing and using AEM requires attaching a USB drive directly to dom0. So the user must make a choice between protecting dom0 from a potentially malicious USB drive, and protecting the system from Evil Maid attacks. Note that AEM is only compatible with Intel CPUs and Legacy boot options.
The preference for mitigating any evil maid attack is to maintain physical control of your device at all times. If that is not possible, then this might be relevant to your threat model.
Before deciding to use this system, please read Appendix B4: Important notes about evil-maid and tampering
See the following links for more details and installation instructions:
Remember this should be done from a safe place (see Find some safe places with decent public Wi-Fi and Appendix Q: Using long-range Antenna to connect to Public Wi-Fis from a safe distance):
In the upper right corner, Left-click the network icon and note the Wi-Fi SSID you want to connect to
Now right-click the network icon and select Edit Connections
Add one using the + sign
Select Wi-Fi
Enter the SSID of the desired network you noted before (if needed)
Select Cloned Mac Address
Select Random to randomize your Mac Address
Save
Now again Left-click the connection icon and connect to the desired Wi-Fi
If this is an Open Wi-Fi requiring registration: You will have to start a browser to register
After you are connected, Start a Disposable Fedora Firefox Browser
Go into the upper left Menu
Select Disposable, Fedora, Firefox
Open Firefox and register (anonymously) into the Wi-Fi
Personally, we would not do it in-place but do a fresh install instead.
But if you really want to, it’s technically possible by following this guide: https://www.qubes-os.org/doc/upgrade/4.1/ [Archive.org]
After you are connected to a Wi-Fi you need to update Qubes OS and Whonix. You must keep Qubes OS always updated before conducting any sensitive activities. Especially your Browser VMs. Normally, Qubes OS will warn you about updates in the upper right corner with a gear icon. As this might take a while in this case due to using Tor, you can force the process by doing the following:
Click the upper left Applications icon
Select Qubes Tools
Select Qubes Update
Check the “Enable updates for Qubes without known available updates”
Select all the Qubes
Click Next and wait for updates to complete
If you checked the Tor option during install, be patient as this might take a while over Tor
Again, you should really do this ASAP. We would use a fresh install but it’s technically possible to do it in-place, see https://www.whonix.org/wiki/Release_Upgrade_Whonix_15_to_Whonix_16 [Archive.org]
Follow the instructions on https://www.whonix.org/wiki/Qubes/Install [Archive.org]. If you’re running Qubes 4.1.x, this is already done for you.
Disclaimer: This section is under construction and will be worked on heavily in the next releases. This section is for more advanced users.
While Qubes OS is already sandboxing everything by design, it is also useful to consider sandboxing apps themselves using AppArmor or SELinux.
“AppArmor is a Mandatory Access Control framework. When enabled, AppArmor confines programs according to a set of rules that specify what files a given program can access. This initiative-taking approach helps protect the system against both known and unknown vulnerabilities” (Debian.org).
Basically, AppArmor[380] is an application sandboxing system. It is supported by Qubes OS but not enabled by default.
About the Fedora VMs:
About the Debian VMs:
About any other Linux VM:
About the Whonix VMs, you should consider enabling and using AppArmor, especially on the Whonix VMs of Qubes OS:
First, you should head out and read https://www.whonix.org/wiki/AppArmor [Archive.org]
Secondly, you should head out again and read https://www.whonix.org/wiki/Qubes/AppArmor [Archive.org]
SELinux[381] is similar to AppArmor. The differences between SELinux and AppArmor are technical details we will not get into.
Here is a good explanation of what it is: https://www.youtube.com/watch?v=_WOKRaM-HI4 [Invidious]
In this guide and the context of Qubes OS, it is important to mention it as it is the recommended method by Fedora which is one of the default systems on Qubes OS.
So, head out and read https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/ [Archive.org]
You could make use of SELinux on your Fedora Templates. But this is up to you. Again, this is for advanced users.
Skip this step if you do not want to use a VPN and just use Tor only or if VPN is not an option either.
This tutorial should also work with any OpenVPN provider (Mullvad, IVPN, Safing.io, or Proton VPN for instance).
This is based on the tutorial provided by Qubes OS themselves (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md [Archive.org]). If you are familiar with this process, you can follow their tutorial.
Alternatively, Mullvad also has a help article that guides you through setting up a Proxy VM: https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/ [Archive.org].
Click the Applications icon (upper left corner)
Click Create Qubes VM
Name and label as you wish: I suggest “VPNGatewayVM”
Select Type: Standalone Qube copied from a template
Select Template: Debian-11 (the default)
Select Networking:
Select sys-whonix if you want to do VPN over Tor / Tor only (recommended)
Select sys-firewall if you want to do Tor over VPN / No Tor or VPN / Just VPN
Advanced: Check provides network
Check “Start Qube automatically on boot”
Create the VM
Using Tor Browser (be careful not to use any Clearnet Browser for this), download the necessary OpenVPN configuration files for Linux from your VPN provider.
This can be done by using the Qubes OS integrated Tor Browser by accessing the Applications icon (upper left corner) and selecting the Disposable Tor Browser application.
Launch a browser from a DisposableVM and download the necessary OpenVPN configuration files for Linux from your VPN provider. See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option.
When you are done downloading the configuration files within the Disposable Browser (usually a zip file), copy them to your ProxyVM VPN Gateway machine (using right-click on the file and send to another AppVM).
Skip this step if you are not going to use a VPN
Click the upper left corner
Select the VPN VM you just created
Open the Files of the VPN VM
Go into “Qubesincoming” > dispXXXX (This was your Disposable Browser VM)
Double Click your downloaded zip file containing your OpenVPN configuration files to unzip it
Now select the VPN VM again and start a terminal
Install OpenVPN with the following command: sudo apt-get install openvpn
Copy all the OpenVPN configuration files provided by your VPN provider in /etc/openvpn/
For all the OpenVPN configuration files (for each location):
Edit each file using sudo nano configfile
(do not forget sudo to edit the file within /etc)
Change the protocol from “udp” to “tcp” (Tor does not support UDP)
Change the port to a supported (by your VPN provider) TCP port (like 80 or 443)
Save and exit each file
Edit the OpenVPN config file (/etc/default/openvpn) by typing sudo nano /etc/default/openvpn
Change #AUTOSTART="all"
to AUTOSTART="all"
(in other words, remove the “#”)
Save and Exit
Edit the Qubes firewall rules file (/rw/config/qubes-firewall-user-script) by typing “sudo nano /rw/config/qubes-firewall-user-script”
Add the following lines (the lines starting with “#” are comments explaining each block; they are valid in the script and can be kept in the file)
virtualif=10.137.0.17
# This is the IP of the ProxyVM. It is not assigned dynamically, but check it after a reboot and change it if needed.
vpndns1=10.8.0.1
# This is the first DNS server of your VPN provider; it should not change.
vpndns2=10.14.0.1
# This is the second DNS server of your VPN provider; it should not change.
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
# These block outbound traffic when the VPN is down; it is a kill switch. More information here: https://linuxconfig.org/how-to-create-a-vpn-killswitch-using-iptables-on-linux [Archive.org]
iptables -A OUTPUT -d 10.8.0.1 -j ACCEPT
iptables -A OUTPUT -d 10.14.0.1 -j ACCEPT
# These allow DNS requests to your VPN provider's DNS servers, to resolve the names of the VPN servers in the OpenVPN configuration files.
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2
# These redirect all DNS requests from the ProxyVM to the VPN provider's DNS servers.
Restart the ProxyVM by typing “sudo reboot”
Test the ProxyVM VPN connectivity by starting a Browser within it and going to your VPN provider test page. It should now say you are connected to a VPN:
IVPN: https://www.ivpn.net/ [Archive.org] (check the top banner)
Proton VPN: Follow their instructions here https://protonvpn.com/support/vpn-ip-change/ [Archive.org]
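The steps above have you switch every provider configuration file from UDP to TCP by hand, one file per location. As an added example (not from the guide nor from any VPN provider; it assumes POSIX sh with sed, and the sample config it uses is constructed with a placeholder hostname), this script converts a whole directory of .ovpn files and checks that no UDP line is left before the files go into /etc/openvpn/:

```shell
#!/bin/sh
# Added example, not from the guide or from any VPN provider. Batch-converts
# OpenVPN client configuration files from UDP to TCP so they can be tunnelled
# over Tor, which only carries TCP. It rewrites the "proto" and "remote" lines
# and drops explicit-exit-notify, which is a UDP-only option.

# convert_ovpn_to_tcp IN_FILE OUT_FILE TCP_PORT
# Writes a TCP variant of IN_FILE to OUT_FILE, using TCP_PORT (a port the VPN
# provider actually serves TCP on, such as 443) on every "remote" line.
convert_ovpn_to_tcp() {
    sed -E \
        -e 's/^proto[[:space:]]+udp([46]?)[[:space:]]*$/proto tcp\1/' \
        -e "s/^(remote[[:space:]]+[^[:space:]]+)[[:space:]]+[0-9]+([[:space:]]+udp[46]?)?[[:space:]]*$/\1 $3 tcp/" \
        -e '/^explicit-exit-notify/d' \
        "$1" > "$2"
}

# ovpn_still_uses_udp FILE
# Returns 0 if FILE still has a UDP "proto" line or a "remote" line ending in
# udp, 1 otherwise. Use it to verify a converted file before installing it.
ovpn_still_uses_udp() {
    grep -Eq '^(proto[[:space:]]+udp|remote[[:space:]].*[[:space:]]udp[46]?[[:space:]]*$)' "$1"
}

# convert_ovpn_dir SRC_DIR DST_DIR TCP_PORT
# Converts every *.ovpn file in SRC_DIR into DST_DIR (same file names) and
# prints the number of files converted.
convert_ovpn_dir() {
    n=0
    mkdir -p "$2"
    for f in "$1"/*.ovpn; do
        [ -e "$f" ] || continue
        convert_ovpn_to_tcp "$f" "$2/$(basename "$f")" "$3"
        n=$((n + 1))
    done
    echo "$n"
}

# write_sample_ovpn FILE
# Writes a constructed, provider-neutral UDP config (placeholder hostnames) so
# the functions above can be exercised without real provider files.
write_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn-location-1.example.invalid 1194
remote vpn-location-2.example.invalid 1194 udp
explicit-exit-notify 3
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
EOF
}

# Typical use on the ProxyVM, after unzipping the provider files:
#   convert_ovpn_dir ~/QubesIncoming/dispXXXX/configs /tmp/tcp-configs 443
#   for f in /tmp/tcp-configs/*.ovpn; do ovpn_still_uses_udp "$f" && echo "UDP left in $f"; done
```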
Within the Applications Menu (upper left corner), Select the Disposable Fedora VM
Go into Qube Settings
Click Clone Qube and name it like “sys-VPNoverTor” for example
Again, within the Application Menu, Select the Clone you just created
Go into Qube Settings
Change the Networking to your ProxyVPN created earlier
Click OK
Start a Browser within the Whonix Workstation
Check that you have VPN connectivity, and it should work
You should now have a Disposable Browser VM that works with your cash/Monero paid VPN over Tor.
Reconfigure your Whonix Gateway VM to use your ProxyVM as NetVM instead of sys-firewall:
Within the Applications Menu (upper left corner), Select the sys-whonix VM.
Go into Qube Settings
Change the Networking NetVM to your ProxyVPN created earlier instead of sys-firewall
Click OK
Create a Whonix Workstation Disposable VM (follow this tutorial https://www.whonix.org/wiki/Qubes/DisposableVM [Archive.org])
Launch a browser from the VM and check that you have VPN connectivity, and it should work.
Alternatively, you can also create any other type of disposable VM (but less secure than the Whonix one):
Within the Applications Menu (upper left corner), Select the Disposable Fedora VM
Go into Qube Settings
Click Clone Qube and name it like “sys-TorOverVPN” for example
Again, within the Application Menu, Select the Clone you just created
Go into Qube Settings
Change the Networking to your sys-whonix created earlier
Click OK
Start a Browser within the VM
Check that you have VPN connectivity, and it should work
You should now have a Disposable Browser VM that works with Tor over a cash/Monero paid VPN.
By now you should understand how easy it is to route traffic from one VM to the other with Qubes.
You can create several ProxyVMs for VPN accesses and keep the Whonix one for Tor. You just need to change the NetVM settings of the various VMs to change the layout.
You could have:
One VPN ProxyVM for the base Qubes OS connection
Use the sys-whonix VM (Whonix Gateway) getting its network from the first ProxyVM
A second VPN ProxyVM getting network from sys-whonix
Disposable VMs getting their NetVM from the second ProxyVM
This would result in User > VPN > Tor > VPN > Internet (VPN over Tor over VPN). Experiment for yourself. Qubes OS is great for these things.
See: Appendix V: What browser to use in your Guest VM/Disposable VM
Within the Applications Menu (upper left), Select the Fedora-36 template:
Go into Qube Settings
Clone the VM and name it “fedora-36-brave” (this VM template will have Brave)
Again, go into the Applications Menu and select the clone you just created
Go into Qube Settings
Change its network to the ProxyVPN and Apply
Launch a terminal from the VM
If you want to use Brave: apply the instructions from https://brave.com/linux/ [Archive.org] and run the following commands:
sudo dnf install dnf-plugins-core
sudo dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/x86_64/
sudo rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
sudo dnf install brave-browser
You should also consider hardening your browser, see Appendix V1: Hardening your Browsers
Edit the Whonix Disposable VM template and follow instructions here https://www.whonix.org/wiki/Install_Software [Archive.org]
Because sometimes you want to run mobile Apps anonymously too, you can also set up an Android VM for this purpose. As in other cases, ideally, this VM will also sit behind the Whonix Gateway for Tor network connectivity. But it can also be set up as VPN over Tor over VPN.
Since Android-x86 does not work “well” with Qubes OS (in our own experience), we recommend Anbox (https://anbox.io/ [Archive.org]) instead, which works “well enough” with Qubes OS. More information can also be found at https://www.whonix.org/wiki/Anbox [Archive.org]
Later in the Qubes settings during creation:
Select Networking
Change to sys-whonix to put it behind the Whonix Gateway (over Tor).
Just use the tutorials as is. See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option.
Basically, follow the tutorial here:
Click the Applications icon (upper left corner)
Click Create Qubes VM
Name and label as you wish: we suggest “Android”
Select Type: Standalone Qube copied from a template
Select Template: Debian-11
Select Networking:
Select sys-whonix if you want to do VPN over Tor / Tor only (recommended)
Select sys-firewall if you want to do Tor over VPN / No Tor or VPN / Just VPN
Start the Qube and open a Terminal
Now you will have to follow the instructions from here: https://github.com/anbox/anbox-modules [Archive.org]:
Start by cloning the Anbox modules repository by running:
git clone https://github.com/anbox/anbox-modules.git
Go into the cloned directory
Run ./INSTALL.sh
(or follow the manual instructions on the tutorial)
Reboot the machine
Open a new terminal
Install Snap by running:
sudo apt install snapd
Now you will follow their other tutorial from here: https://github.com/anbox/anbox/blob/master/docs/install.md [Archive.org]:
Install Anbox by running:
snap install --devmode --beta anbox
To update Anbox later, run:
snap refresh --beta --devmode anbox
Reboot the machine
Open a terminal again and start the emulator by running:
anbox.appmgr
This should pop up an Android interface. Sometimes it will crash, and you might have to run it twice to make it work.
If you want to install apps on this emulator:
Install ADB by running:
sudo apt install android-tools-adb
First start Anbox (run anbox.appmgr)
Grab the APK of any app you want to install
Now install any APK by running:
adb install my-app.apk
That’s it, you should now have an Android Qube over Tor (or anything else) capable of running pretty much any App you can sideload with ADB. This is, for now, the easiest way to get Android emulation on Qubes OS.
You will need somewhere to store your data (logins/passwords, identities, and TOTP382 information).
For this purpose, KeePassXC is recommended because of its integrated TOTP feature: it can store the secret seed of a 2FA383 entry and generate the one-time codes itself, like an authenticator app, so you do not need a separate device for it.
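To understand what that entry actually holds and why it deserves the vault, here is an added example (not KeePassXC's code) implementing RFC 6238 TOTP in plain Python, checked against the reference vectors of the RFC. The seed you paste into KeePassXC is a base32 string; the code the app shows is a deterministic function of that seed and the clock, so anyone who copies the seed produces the same codes, and a seed stored beside the password in a stolen database collapses the second factor into the first.

```python
"""RFC 6238 TOTP, the mechanism behind KeePassXC's authenticator entries.

Added example, not KeePassXC's own code.  Shows what the "secret" of a 2FA
entry is (a base32-encoded seed) and how the displayed code is derived.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algo)


def decode_seed(seed_b32):
    """Authenticator apps and otpauth:// URIs carry the seed base32-encoded, often unpadded."""
    cleaned = seed_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def current_code(seed_b32, now=None, **kw):
    """What the password manager displays next to the entry for the current time step."""
    return totp(decode_seed(seed_b32), int(time.time()) if now is None else now, **kw)


def verify(secret, code, at, window=1, step=30, **kw):
    """Server side: accept neighbouring steps for clock skew, compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step, **kw), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test seed: the ASCII string 12345678901234567890 (base32 below).
    print(current_code("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", now=59))
```

The eight-digit results for the RFC 6238 SHA-1 vectors (94287082 at T=59, 07081804 at T=1111111109) confirm the derivation. Note that nothing here is secret except the seed: the algorithm, the step size and the digit count are public, which is why KeePassXC keeps the seed in the entry itself and why the vault qube holding it must never be networked.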
In the context of Qubes OS you should store your sensitive information within the vault Qube:
First, click the Applications icon (upper left) and select the vault Qube.
Click Qubes Settings
Select the Applications tab
From the list of available applications, add KeePassXC to the list of selected applications.
You are done and can now skip the rest to go to the “Creating your anonymous online identities” part.
See their tutorial here: https://github.com/Qubes-Community/Contents/blob/master/docs/os/windows/windows-tools41.md [Archive.org]
Correlation is a relationship between two or more variables or attributes. How are attributions determined? During digital forensics and incident response (DFIR), analysts look for indicators of compromise (IoCs) following the events that called them to act. These indicators usually consist of IP addresses, names, database records and similar artifacts, which can attach a behavioral “tag” to an individual or group. Linking such artifacts to an actor is called attribution. A principle in statistics is that “correlation does not imply causation”. Applied here: the traces you leave on a device or network only show that an action took place, not explicitly that you were the one acting. They do not show who you are; they only establish that something occurred and that someone did it.
Attribution is required to prove fault or guilt, and it is the prime reason why people using the Tor network to access the dark web have been caught: they left traces that could be connected to their real identities. Your IP address can be, but usually is not, a large enough indicator on its own to attribute guilt. The NotPetya attack of 2017 illustrates the difference between the two: it was unleashed on Ukraine through a compromised software update and then spread worldwide, and it took until February 2018 for the White House and several allied governments to publicly attribute it to the Russian military, with later indictments naming officers of the GRU, the military intelligence directorate that houses Russia’s deniable warfare384 cyber units.
What is the point, you may ask? Bluntly, NotPetya is a good example because, even though it is now widely accepted to be the work of Russian cyber operations, the public attribution rested on intelligence assessments naming a unit (the group tracked by researchers as Sandworm) rather than on forensic evidence pointing at named individuals, and the latter only came years later and cannot be independently confirmed given how compartmentalized Russia’s military is. That is partly because the malware was disguised as common ransomware, and because the operators routinely used servers of hacked foreign assets not linked to Russia or to its internal networks.
This shows the lengths state actors go to. Foreign governments use the same concealment techniques discussed in this guide: they routinely use Tor and VPNs to conceal traffic, and they use hacked devices and stolen equipment to perform cyber espionage every day, which makes attribution incredibly difficult from a forensic examiner’s point of view. The network-level part of the correlation problem is easy to address: IP-hiding tools such as a VPN and the Tor network break the direct link between your activity and your IP address. But you can still be connected to your real name and IP through data leaks or other factors. You cannot easily be attributed to your activities if you carefully follow and adopt the techniques and skills discussed below.
(Illustrations by Randall Munroe, xkcd.com, licensed under CC BY-NC 2.5)
Captcha385 stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. Captchas are Turing-test386 puzzles you need to complete before accessing a form/website. You will mostly encounter those provided by Google (the reCAPTCHA service387) and hCaptcha388 (used by Cloudflare among many others). hCaptcha is used on 15% of the internet by their own metrics389.
They are designed to separate bots from humans but are also clearly used to deter anonymous and private users from accessing services.
If you often use VPNs or Tor, you will quickly encounter many captchas everywhere390. Quite often when using Tor, even if you succeed in solving all the puzzles (sometimes dozens in a row), you will still be denied afterwards.
See https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor [Archive.org]
While most people think those puzzles are only about solving a little puzzle, it is important to understand that it is much more complex: modern Captchas use advanced machine learning and risk analysis algorithms to check if you are human391:
They check your browser, cookies, and browsing history using Browser fingerprinting392.
They track your cursor movements (speed, accuracy) and use algorithms to decide if it is “human/organic”.
They track your behavior before/during/after the tests to ensure you are “human”393.
It is also highly likely that those platforms could already reliably identify you based on the unique way you interact with those puzzles. This could work despite obfuscation of your IP address / Browser and clearing all cookies.
Watch for example this DEF CON 25 presentation: DEF CON 25 - Svea Eckert, Andreas Dewes - Dark Data [Invidious]
You will often experience several in a row (sometimes endlessly) and sometimes exceedingly difficult ones involving reading undecipherable characters or identifying various objects on endless pictures sets. You will also have more captchas if you use an ad-blocking system (uBlock for example) or if your account was flagged for any reason for using VPNs or Tor previously.
You will also have (in our experience) more Captchas (Google’s reCAPTCHA) if you do not use a Chromium-based browser. This can be mitigated by using a Chromium-based browser such as Brave. There is also a Browser extension called Buster that could help you with those: https://github.com/dessant/buster [Archive.org].
As for hCaptcha, you could also use their Accessibility solution (https://www.hcaptcha.com/accessibility [Archive.org]), which lets you sign up (with the anonymous identity created later) and set a cookie within your Browser that bypasses their captchas. Another way to mitigate hCaptcha is the Privacy Pass protocol394 (https://privacypass.github.io/ [Archive.org]), supported by hCaptcha, in the form of a Browser extension you could install in your VM Browser.
You should therefore deal with those carefully and force yourself to alter the way you are solving them (speed/movement/accuracy/…) to prevent “Captcha Fingerprinting”.
Fortunately, as far as we are aware, these are not yet officially/publicly used to de-anonymize users for third parties.
To not have those issues, you should consider using a VPN over Tor. And the best option to avoid those is likely to use a self-hosted VPN/Proxy over Tor on a cash/Monero paid VPS server.
Phone verification is advertised by most platforms to verify you are human. But do not be fooled, the main reason for phone verification is not only to check if you are human but also to be able to de-anonymize you if needed.
Most platforms (including privacy-oriented ones such as Signal and Telegram, and sometimes Proton) will require a phone number to register, and most countries now make it mandatory to submit proof of ID to register a phone number395.
Fortunately, this guide explained earlier how to get a number for these cases: Getting an anonymous Phone number.
E-Mail verification is what used to be enough but is not anymore in most cases. What is important to know is that open e-mail providers (disposable e-mail providers for instance) are flagged as much as open proxies (like Tor).
Most platforms will not allow you to register using an “anonymous” or disposable e-mail, just as they will not allow you to register using an IP address from the Tor network.
The key thing to this is that it is becoming increasingly difficult to sign-up for a free e-mail account anywhere without providing (you guessed it) … a cell phone number. That same cell phone number can be used conveniently to track you down in most places.
It is possible that those services (Proton for instance) might require you to provide an e-mail address for registration. In that case, we would recommend you create an e-mail address from these providers:
MailFence: https://mailfence.com/
Disroot: https://disroot.org
Autistici: https://autistici.org
Envs.net: https://envs.net/
Keep in mind that those do not provide a zero-access design (a zero-access design is where only you can access your e-mail - not even the service’s admins can read your messages). This means they can access your e-mail at rest in their database.
RiseUp’s warrant canary has been renewed late, with their Twitter posting a cryptic message seeming to tell users not to trust them. Due to the suspicious situation, this guide can no longer recommend them.
Also see: https://forums.whonix.org/t/riseup-net-likely-compromised/3195
Riseup (https://riseup.net, [Tor Mirror]) now also requires an invitation code from a currently registered user to sign up.
If you want to avoid communicating your anonymous e-mail addresses to various parties, we would strongly suggest considering using e-mail aliasing services such as:
https://simplelogin.io/ (preferred first choice due to more options available to the free tier)
These services allow creating random aliases for your anonymous e-mail (on Proton for example) and can increase your general privacy if you do not want to disclose that address for any purpose. They are recommended by Privacyguides.org and Privacytools.io, and we recommend them as well.
Obviously, Reddit does not do this (yet), but Facebook most likely does and will look for “suspicious” things in your details (which could include face recognition).
Some examples:
IP address from a country different than your profile country.
Age in the profile not matching the picture age.
Ethnicity in the profile not matching the picture ethnicity.
Language not matching the country language.
Not present in anyone else’s contacts (meaning nobody else knows you).
Locking down privacy settings after signing up.
Name that does not match the correct ethnicity/language/country?
The deal-breaker in most cases. As far as we know, only Facebook and LinkedIn (outside of financial services) have requested such verifications, which involve sending pictures of some form of identification (passport, national ID card, driver’s license …). The only way around this would involve creating fake official documents (forgery) using decent Photoshop skills, and this is illegal in most places.
Therefore, this is a line we are not going to help you cross within this guide. Some parties offer such forgeries online, but we think they are bad actors and are overstepping their boundaries.
In many countries, only law enforcement, some specific processes (such as GDPR requests), and some well-regulated financial services may request proof of identification. So, the legality of asking for such documents is debatable and we believe such platforms should not be allowed to require those.
In a few countries (like Germany), this practice is illegal and online platforms such as Facebook or LinkedIn are legally bound to allow you to use a pseudonym and remain anonymous.
As stated previously in this guide, many platforms will apply filters on the IPs of the users. Tor exit nodes are publicly listed, and VPN exit servers are “well known”. There are many commercial and free services providing the ability to block those IPs with ease (hi Cloudflare).
Many platforms’ operators and administrators do not want traffic from these IPs as they often drive a lot of unlawful/malicious/unprofitable traffic to their platforms. These platforms usually argue along these lines:
“Yet we still pay traffic for them so let us just deny them all instead.”
Fortunately, those systems are not perfect, and you will (still) be able to get around those restrictions by switching identities (in the case of Tor) and trying to access the website each time until you find an Exit Node that is not yet blacklisted.
Some platforms will allow you to log in with a Tor IP but not to sign up (See https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor [Archive.org]). Those platforms will keep a convenient, permanent log of the IP which you used during sign-up - And some will keep such logs indefinitely, e.g., all the IPs which you have used to log in (hi Facebook).
The tolerance is much higher with VPNs as they are not considered “open proxies”, but that will not stop many platforms from making them hard to use by forcing increasingly difficult CAPTCHAs on most VPN users.
For this reason, this guide does recommend the use of VPN over Tor (and not Tor over VPN) in certain use cases. Remember that the best option to avoid those is to use a self-hosted VPN/Proxy over Tor on a cash/Monero paid VPS.
Many platforms (like Google396) will check your browser for various capabilities and settings and block browsers they do not like. This is one of the reasons we recommend using Chromium-based browsers such as Brave Browser over Tor Browser within this VM.
Here are some of the things they check within recent browsers:
User-Agent: This is your Browser name and Version.
HTTP_ACCEPT Headers: This is the type of content your Browser can handle.
Time Zone and Time Zone Offset: Your time zone.
Screen Size and Color Depth: The resolution of your screen.
System Fonts: The typing fonts installed on your system.
Cookies support: If your browser supports cookies or not.
Hash of Canvas fingerprint and Hash of WebGL fingerprint: These are generated unique IDs based on your graphic rendering capabilities.
WebGL Vendor & Renderer: Name of your Video card
Do-Not-Track enabled or not: Well, yes, they can use your DNT information to track you
Language: The language of your Browser
Platform: The Operating System you are using
Touch Support: If your system supports touch (such as a phone/tablet or touchscreen-enabled laptop)
Ad Blocking use: If your browser blocks ads
AudioContext fingerprint: Like the Canvas and WebGL fingerprints these will fingerprint your audio capabilities.
CPU: What kind of CPU you are using and how many of them
Memory: How much memory you have in your System
Browser Permissions: Is your browser allowing some things like geolocation or microphone/webcam access.
Most of the time, those fingerprints will, unfortunately, be unique or nearly unique to your browser/system. This means that even If you log out from a website and then log back in using a different username, your fingerprint might remain the same if you did not take precautionary measures. An adversary could then use such fingerprints to track you across multiple services even if you have no account on any of them and are using adblocking. These fingerprints could in turn be used to de-anonymize you if you keep the same fingerprint between services.
Here are services you can use to check your browser fingerprints:
https://abrahamjuliot.github.io/creepjs/ (Probably the best overall)
(Chromium based browsers only) https://z0ccc.github.io/extension-fingerprints/#
Chances are you will find your browser fingerprint unique no matter what you do.
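The reason is arithmetic rather than magic: each attribute in the list above is shared with a fair share of the population, but the combination is not. The following is an added example, not from the guide or from any of the test sites, that makes this concrete on a constructed sample of eight visitors with four attributes. It computes the identifying information carried by each value (log2 of one over its frequency), the size of the group you are indistinguishable from once attributes are combined, and what happens when a browser gives everyone the same values, which is the Tor Browser strategy (the uniform values used here are a simplified assumption, not Tor Browser's real ones).

```python
"""Why a few mundane browser attributes identify you: an entropy demo.

Added example, not from the guide.  POPULATION is a constructed toy sample;
real frequencies come from surveys such as EFF's Cover Your Tracks or
amiunique.org, where hundreds of thousands of browsers make the effect far
more dramatic.
"""
import hashlib
import json
import math
from collections import Counter

# Constructed sample of 8 visitors (assumption: toy data for illustration).
POPULATION = [
    {"ua": "Firefox/115", "tz": "UTC+1", "screen": "1920x1080", "fonts": 40},
    {"ua": "Firefox/115", "tz": "UTC+1", "screen": "1366x768", "fonts": 40},
    {"ua": "Firefox/115", "tz": "UTC-5", "screen": "1920x1080", "fonts": 55},
    {"ua": "Chrome/114", "tz": "UTC+1", "screen": "1920x1080", "fonts": 40},
    {"ua": "Chrome/114", "tz": "UTC-5", "screen": "1366x768", "fonts": 55},
    {"ua": "Chrome/114", "tz": "UTC+1", "screen": "1366x768", "fonts": 40},
    {"ua": "Firefox/115", "tz": "UTC-5", "screen": "1366x768", "fonts": 40},
    {"ua": "Chrome/114", "tz": "UTC+1", "screen": "1920x1080", "fonts": 55},
]

# Assumption: a simplified model of Tor Browser's uniform values (same UA,
# UTC clock, letterboxed window, bundled font set) applied to every user.
UNIFORM_DEFAULTS = {"ua": "Firefox/102", "tz": "UTC", "screen": "1000x1000", "fonts": 30}


def fingerprint(attrs):
    """Stable hash of the whole attribute set: what a tracker stores as your ID.
    Canonical JSON makes the hash independent of attribute order."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def surprisal_bits(population, attr, value):
    """Identifying information in one attribute value: log2(1 / P(value))."""
    share = Counter(p[attr] for p in population)[value] / len(population)
    return math.log2(1 / share)


def anonymity_set(population, attrs, keys):
    """Number of visitors indistinguishable from `attrs` on the given keys."""
    return sum(1 for p in population if all(p[k] == attrs[k] for k in keys))


def most_identifying(population, attrs):
    """Attributes of `attrs` ranked by how much each one narrows it down."""
    return sorted(attrs, key=lambda k: surprisal_bits(population, k, attrs[k]), reverse=True)


def normalized(attrs, defaults=UNIFORM_DEFAULTS):
    """Overwrite the fingerprintable values with the ones everybody else has."""
    return {**attrs, **defaults}


if __name__ == "__main__":
    me = POPULATION[0]
    for k in most_identifying(POPULATION, me):
        print(f"{k:7s} {me[k]!s:10s} {surprisal_bits(POPULATION, k, me[k]):.2f} bits")
    for keys in (["ua"], ["ua", "tz"], ["ua", "tz", "screen"]):
        print(keys, "-> shared with", anonymity_set(POPULATION, me, keys), "visitors")
    uniform = [normalized(p) for p in POPULATION]
    print("uniform values ->", anonymity_set(uniform, normalized(me), list(me)), "visitors")
    print("fingerprint", fingerprint(me), "vs one font more", fingerprint({**me, "fonts": 41}))
```

Two observations the numbers make visible: no single value in the sample is worth more than one bit, yet three of them together already single out one visitor; and the per-attribute bits cannot simply be summed, because attributes are correlated (the sum for visitor 0 exceeds the log2(8) = 3 bits that the population could possibly contain). Changing one detail, such as installing one more font, yields an entirely different hash, which is why "just tweak something" does not give you a shared fingerprint; only adopting the same values as a large crowd does.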
Some platforms will add this as a bonus step and require you to have an actual human interaction with a customer care representative. Usually by e-mail but sometimes by chat/phone. They will want to verify that you exist by asking you to reply to an e-mail/chat/phone call.
It is annoying but quite easy to deal with in our case. We are not making bots. This guide is for humans making human accounts.
Many platforms will delegate and rely on their users to moderate the others and their content. These are the “report” features that you will find on most platforms.
Getting reported thousands of times does not matter when you are Donald Trump or Kim Kardashian, but if you, as a sole “friendless” anonymous user, get reported even once, you might get suspended/flagged/banned instantly.
See Your Digital Fingerprint, Footprint, and Online Behavior.
Simple and efficient: some platforms will require you to perform a financial transaction to verify your account, sometimes under the pretext of verifying your age. This could be a credit card verification or a bank wire of an exceedingly small amount. Some will accept a donation in a major cryptocurrency like Bitcoin or Ethereum.
While this might seem innocent, this is obviously an ID verification and de-anonymization method. This is just indirectly relying on third-party financial KYC397 regulations.
This is for instance now the case on YouTube for some European Users398 but also used by services like Amazon that requires a valid payment method for creating an account.
“Why do this user-verification ourselves when we can just ask others to deal with it?”
You will notice this, and you probably already encountered this. Some apps/platforms will ask/require you to sign in with a well-known and well-used reputable platform instead of their own system (Sign-in with Google/Facebook/Apple/Twitter).
This option is often presented as the “default one”, hiding away the “Sign-in with e-mail and password” with clever Dark Patterns399 and unfortunately sometimes needed.
This method delegates the verification process to those platforms, on the assumption that you will not be able to create an anonymous Google/Facebook/Apple/Twitter account with ease.
Fortunately, it is still possible to this day to create those.
This is a common method used on some Crypto trading platforms and some dating Apps.
Some platforms/apps will require you to take a live picture of yourself either doing something (a wink, holding an arm up …) or showing a custom piece of information (a handwritten text, a passport, or ID) within the picture. Sometimes the platform/app will require several pictures to increase their certainty.
This guide will not cover this one (yet) as it is mainly used on financial platforms (which will be able to identify you by other means anyway) and some dating apps like Tinder400. Unfortunately, this method is now also sometimes used on Facebook401 and Instagram as part of their verification methods (though we have not faced it yet so far).
In some cases, these verifications must be done from your Smartphone and with an “in-app” camera to prevent you from sending a previously saved (edited) image.
Recently even platforms such as PornHub decided to implement similar measures in the future402.
This verification is extremely hard to defeat but possible. A method to possibly defeat those would be to use “deep fake” technology software such as the open-source FaceSwap https://github.com/deepfakes/faceswap [Archive.org] to generate the required verification pictures using a randomly computer-generated face that would be swapped over the picture of a complicit model (or a stock photo).
Unfortunately, some apps require direct access to a smartphone camera to process the verification. In that case, you will need to find a way to do such “face swaps” on the fly using a filter and another way to feed this into the camera used by the app. A possible approach would be similar to this impressive project https://github.com/iperov/DeepFaceLive [Archive.org].
These can be triggered by any of the above and just means someone (usually specialized employees) will review your profile manually and decide whether it is real or not based on their subjective opinion.
Some countries have even developed hotlines where you can report any subversive content403.
Pros: Usually that verdict is “final”, and you will probably avoid further issues if you are good.
Cons: Usually that verdict is “final”, and you will probably be banned without any appeal possibility if you are not good. Sometimes those reviews end up with the platform just ghosting you and cancelling you without any reason whatsoever. Any appeal will be left unanswered, ignored, or will trigger some random dark-pattern bug when you try to appeal for that specific identity (this happens on Instagram for instance: if your account gets “suspended”, obviously by some manual review, trying to complete the appeal form will just throw an error and tell you to try again later. We have been trying the same appeal for one identity for at least the past 6 months).
Now that you have a basic understanding of all the ways you can be de-anonymized, tracked, and verified, let us get started at evading these while staying anonymous. Remember:
You cannot trust ISPs
You cannot trust VPS providers
You cannot trust public Wi-Fi providers
You cannot trust Mobile Network providers
You cannot trust VPN providers
You cannot trust any Online Platform
You cannot trust Tor
You cannot trust your Operating System
You cannot trust your Laptop
You cannot trust your Smartphone (especially Android)
You cannot trust your Smart devices
Above all, you cannot trust people
So what? Well instead of not trusting anyone or anything, we would advise to “Trust but verify”404 (or “Never trust, always verify” if you are more hardcore about it and want to apply Zero-Trust Security405) instead.
Do not start this process unless:
You consulted your local law for compliance and the legality of your actions.
You are aware of your threat model.
You are in a safe place with public Wi-Fi without your smartphone or any other smart device on you. And preferably in a place without CCTV filming you (remember to Find some safe places with decent public Wi-Fi and Appendix Q: Using long-range Antenna to connect to Public Wi-Fis from a safe distance)
You have fully finished preparing one of the routes.
Again, it is crucially important to understand that you will be unable to create most accounts without a valid phone number. Therefore, most of your anonymity on mainstream platforms depends on the anonymity of your online phone number and/or the burner phone with its pre-paid SIM card (if you use one). If your phone number is not anonymous or your burner phone can be traced back to you then you can be de-anonymized. If you cannot get this anonymous phone number and/or a physical SIM with a Burner phone, then you will have to restrict yourself to platforms not asking for phone number verification.
Remember to see Appendix N: Warning about smartphones and smart devices
This is the fun part where you will now create your identities from thin air. These identities do not exist but should be plausible and look “organic”. They should ideally have a story, a “legend” (yes this is the real term for this406).
What is a legend? Well, it is a full back-story for your character:
Age
Sex
Gender
Ethnicity
Place of Birth and date of Birth
Place of residence
Country of origin
Visited Countries (for travels for instance)
Interests and hobbies
Education History
Work experience
Health information
Religion if any
Goals
Family history
Family composition if any (Children? Spouse? Husband?)
Relationship Status if any (Married? Single?)
Spoken Languages
Personality traits (Introvert, Extrovert …)
…
All these should be crafted carefully for every single identity, and you should be incredibly careful to stick to the details of each legend when using those identities. Nothing can leak that could lead to your real persona. Nothing could leak that could compromise the consistency of your legend. Everything should always be consistent.
Tools that can help with this:
Now is also the moment where you could finally consider getting an online phone number as explained in the Online Phone Number (less recommended) section.
We will help you a bit by listing a few tips we learned while researching over the years (disclaimer: this is based on our own experience alone):
“Some animals are more equal than others”.
Ethnicity is important and you will have fewer issues and attract less attention from verification algorithms if your identity is Caucasian/East-Asian than if it is Arabic/Black (yes, we tested this extensively and it is definitely an issue).
Age is important and you will have fewer issues if you are young (18-22) than if you are middle-aged or older. Platforms seem to be more lenient in not imposing restrictions on new younger audiences.
Sex/Gender is important, and you will have fewer issues if you are a female than if you are a male.
Country of origin is important, and you will have fewer issues if your identity is Norwegian than if it is Ukrainian, Nigerian, or Mexican.
Country of residence is important, and you will have fewer issues if your identity has its residence in Oslo or Paris than if you decide to live in Kyiv or Cairo.
Language is important and you will have fewer issues if you speak English or the language of your Identity than if you use a non-related language. Do not make a Norwegian-born Arabic 20-year-old female that speaks Ukrainian or Arabic.
Identities that are “EU residents” with an “EU IP” (VPN/Tor Exit IP) will benefit from GDPR protections on many platforms. Others will not. GDPR is your friend in most cases, and you should take this into account.
Similarly, origin IP geolocation (your IP/location when you go to “whatsmyipaddress.com”) should match your identity location as much as possible (When using a VPN over Tor, you can pick this in the VPN client if you use the VPN over Tor approach or just create a new identity in Tor Browser or Brave Tor Tab until you get an appropriate Exit node, or configure Tor to restrict your Exit Nodes). Consider excluding any exit IP that is not located in Western Europe/US/Canada/Japan/South Korea/Australia/New Zealand as you will have fewer issues. Ideally, you should get a European Union IP to get additional GDPR protection and if possible, a German exit IP due to their legal stance on using anonymous accounts on online platforms.
Brave Browser (Chromium-based) with a Private Tor Tab has a better acceptance level than Tor Browser (Firefox based). You will experience fewer issues with captchas and online platforms407 if you use Brave than if you use Tor Browser (feel free to try this yourself).
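The consistency tips above are exactly the kind of thing that is easy to get wrong once you juggle several identities, so it pays to write them down as rules and run them before an identity goes online. The following is an added example, not a tool from the guide: a small legend checker that encodes the rules stated above (the persona speaks a language of its country of origin and of residence or at least English, the exit IP geolocates where the persona lives, EU residence gives GDPR leverage) plus the arithmetic ones (stated age versus date of birth, no minors). The country and language tables are a constructed subset and the reference date is fixed to the guide's version date so the result is reproducible; extend both for real use.

```python
"""Consistency checks for an identity legend before it goes online.

Added example, not from the guide.  Encodes the guide's consistency tips
as mechanical checks.  Lookup tables are a small constructed subset.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: toy lookup tables, not authoritative.
EU = {"DE", "FR", "NL", "SE", "ES", "IT"}
OFFICIAL_LANGUAGES = {
    "DE": {"de"}, "FR": {"fr"}, "NL": {"nl"}, "NO": {"no"}, "GB": {"en"},
    "US": {"en"}, "UA": {"uk"}, "EG": {"ar"}, "JP": {"ja"},
}


@dataclass
class Legend:
    name: str
    birth_date: date
    stated_age: int
    origin: str            # ISO 3166 alpha-2 code of the country of birth
    residence: str         # where the persona lives now
    languages: set         # ISO 639-1 codes the persona speaks
    exit_ip_country: str   # where the VPN/Tor exit you will use geolocates


def age_on(birth, today):
    """Completed years between birth and today (birthday not yet reached counts one less)."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def check_legend(legend, today=date(2023, 6, 1)):
    """Return the list of inconsistencies; an empty list means the legend is coherent.
    `today` defaults to a fixed date (assumption) so results are reproducible."""
    issues = []
    age = age_on(legend.birth_date, today)
    if age != legend.stated_age:
        issues.append(f"stated age {legend.stated_age} but birth date gives {age}")
    if age < 18:
        issues.append("persona is a minor; platforms will restrict or flag it")
    for role, country in (("origin", legend.origin), ("residence", legend.residence)):
        expected = OFFICIAL_LANGUAGES.get(country, set())
        if expected and not (expected & legend.languages) and "en" not in legend.languages:
            issues.append(f"{role} {country} but speaks none of {sorted(expected)} nor English")
    if legend.exit_ip_country != legend.residence:
        issues.append(f"exit IP geolocates to {legend.exit_ip_country}, "
                      f"residence is {legend.residence}")
    return issues


def gdpr_applies(legend):
    """EU residence seen through an EU exit IP lets you lean on GDPR rights on many platforms."""
    return legend.residence in EU and legend.exit_ip_country in EU


if __name__ == "__main__":
    # Constructed personas: one coherent, one built like the guide's counter-example.
    coherent = Legend("Mia Berg", date(2002, 3, 15), 21, "DE", "DE", {"de", "en"}, "DE")
    muddled = Legend("Nora Haddad", date(2002, 3, 15), 25, "NO", "DE", {"uk", "ar"}, "EG")
    for persona in (coherent, muddled):
        print(persona.name, "GDPR:", gdpr_applies(persona))
        for issue in check_legend(persona) or ["no issues"]:
            print("  -", issue)
```

Treat the output as a pre-flight checklist, not a verdict: a legend with no issues can still be burned by something outside the table (a picture that does not match the stated age, a writing style that does not match the stated languages), which is why the rest of this section matters.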
For every identity, you should have a matching profile picture associated with it. For this purpose, we recommend you just go to https://thispersondoesnotexist.com/ or https://generated.photos/face-generator* and generate a computer-generated profile picture (do note that algorithms have been developed408’409 to detect these and it might not work 100% of the time). You can also generate such pictures yourself on your computer if you prefer by using the open-source StyleGAN project here https://github.com/NVlabs/stylegan2 [Archive.org]. Just refresh the page until you find a picture that matches your identity in all aspects (age, sex, and ethnicity) and save that picture. It would be even better to have several pictures associated with that identity, but we do not have an “easy way” of doing that yet.
*Warning: https://generated.photos/face-generator requires JavaScript to function and does a lot of fingerprinting. Most of it is sent to Microsoft Clarity. Even with uBlock installed and on the Safer level, Tor Browser was not efficient at blocking the fingerprinting. This obviously does not work on the Safest level. In our tests, only Brave with aggressive fingerprinting/ad shields did not send analytics.
Bonus, you could also make it more real by using this service (with an anonymous identity) https://www.myheritage.com/deep-nostalgia [Archive.org] to make a picture more lifelike. Here is an example:
Original: