
effectively achieving the maximum level of anonymity

by DedSec - 06 October, 2024 - 04:18 PM
Hello everyone, I'm not sure if there were similar topics on the forum (I looked, but didn't find any), so I'll write my own.

In this post, I'll only describe what's been weighing on my mind for a long time, what I think about this, and also ask for a couple of pieces of advice.

I'm interested in the question of how to effectively achieve the maximum level of anonymity. I mean methods that allow you to maximally secure your system (PC), starting from the hardware level and ending with network manipulations, but secure it so that the OPSEC process is not too expensive or difficult and does not complicate further use (i.e. it is advisable to carry out the work as long as it is effective).

I'll give a couple of simple examples of ineffective and inconvenient (in my opinion), but very safe solutions:
- on Linux, use distributions that do not use systemd
- use the Linux-libre kernel instead of the usual one
- use only those distros that are recognized by the FSF

The advice above is literally destructive because it is the cause of holy wars, while at the same time making a "phantom" contribution to the user's OPSEC and causing a lot of inconvenience associated with a lack of skills / knowledge.

Now I'll move on to what I currently have in mind regarding "correct" anonymity.

1. Using coreboot instead of UEFI / BIOS. A controversial topic, since coreboot is not supported on all boards, and porting it to your own is a big problem.
The problem with UEFI / BIOS is not only in factory backdoors (although this too) but also in vulnerabilities such as bypassing Secure Boot. This creates the possibility of infection with a bootkit, which is very unpleasant, so I would like to hear your opinion about coreboot: is it worth it?

2. Using dualboot
Unfortunately, not all people are rich enough to set up several devices for themselves, thereby securing the workplace.
Personally, I need both a fairly secure and free OS and a fairly convenient user-friendly OS. Unfortunately, I haven't found a single and balanced one. That's why I want to make a dualboot bundle:
Some Linux (Arch, Devuan) + Win10. Win10 will have 1 drive purely for cracked software and games; Linux will have 2 drives for other tasks. The question is: is it possible to implement power off for drives #1 and #2 when using Win10? And vice versa, power off for drive #3 when using Linux. This will greatly increase security and will help avoid compromising the data of the second system when the first is infected. I'd also like to hear about dualboot loaders like GRUB. Maybe they have some flaws? What's your general opinion?
P.S. Among the advantages of dualboot: no emulator (QEMU / KVM) will be able to emulate Windows as deeply as its native version for various tests.

3. Using AMD instead of Intel
On boards with an Intel chipset there is an Intel Management Engine microcontroller; it has its own IPv4 interface and its own MAC address. What is your opinion?
P.S. A question about hardware: can someone tell me which motherboard can be purchased, given these conditions: AM4 socket, adequate price, the ability to flash coreboot (not necessary) or to flash current UEFI / BIOS images from the manufacturer without exploits and critical vulnerabilities? (Vulnerabilities that can be exploited only under certain rare conditions or only with physical access should not be considered critical or even high.)

4. Using secure images / distros
You can choose Arch or Devuan as the main OS; rolling out a firewall and updates + conducting an audit I do not consider a difficult task (for everything suspicious there are VMs, which will also be used on our main system).
Win10: the original OS is installed and cleaned of telemetry and other crap using different tools from the net.
Your recommendations?

5. Whonix under QEMU / KVM on our main system (everything is clear here)
There are a couple of questions about using a torified VM. I would like to know: how to use Monero wallets? (I will use other people's trusted nodes.) Via Tor it takes a fucking long time to synchronize, or it gets interrupted altogether.
Is the situation with BTC wallets the same? Tell me how to speed it up and which wallets are better to use. Is it possible to install a mobile emulator on a VM? There was a problem on a VM on Windows: in VirtualBox, the AMD-V / Intel VT checkbox in the settings is unavailable, although the processor supports virtualization and it is enabled in the BIOS. How is that? And maybe you can give general recommendations on how to speed up and optimize the VM; I will not pass through the GPU.

6. Full-disk encryption with VeraCrypt (everything is clear here too)
I'm not sure, but it seems it is possible to implement a scheme where entering password #1 gets us to system #1, and entering password #2 gets us to system #2. This would solve 2 problems at once: creating plausible deniability in the case when the password is forcibly knocked out of you, and simplifying dualboot (maybe I'm talking bullshit, because I've never heard of how such "double" encryption is implemented and how it works, or whether it is even possible; I'm also not sure if the method with powering off unused disks can be implemented). What is your opinion on this?

7. (Not OPSEC related) Long-term data storage (15+ years)
There is a lot of data and a lot of external HDDs bought from official sellers; there is both sensitive and not so sensitive data. How can it be stored? The external hard drives just gather dust in a foam box and a sturdy box. Can data be lost as a result of very long downtime? If so, how to avoid this?

8. (Let's move a little physically away from the PC.) Flashing your devices is a sound idea, so is it worth flashing your Android to a relatively free OS? Tell me what OSes you have used yourself and their shortcomings. Will it be possible to create a virtual container in them for state applications that are potentially backdoors? They will have access only to the allocated ROM memory. This also optimizes battery / traffic consumption by all sorts of background junk Google processes.
It is worth touching on the router: do I need to flash the router with OpenWrt? Can I configure tricks there to speed up UDP / TCP traffic? The obvious advantages are zapret, the ability to roll out a VPN, the ability to roll out DNSCrypt, the ability to roll out BitTorrent + tools for creating information noise.

Basically, this is only what worries me; for competent OPSEC there are a ton of topics to study, for which this thread will not be enough.
Maybe I forgot or missed something; if so, I will edit or add a comment later. If I screwed up somewhere, point it out. I will be glad of any advice or comments.
 