Effectively achieving the maximum level of anonymity

Mooooney

Hello everyone, I'm not sure if there were similar topics on the forum (I searched, but didn't find any), so I'll write my own.

In this post I'll only write about what's been weighing on my mind for a long time and what I think about it, and also ask for a couple of pieces of advice.

I'm interested in the question of effectively achieving the maximum level of anonymity. I mean methods that allow you to maximally secure your system (PC) from the hardware level to network manipulations, but secure it so that the OPSEC process is not too expensive or difficult and does not complicate further use (i.e. it is advisable to carry out the work as long as it is effective).

I'll give a couple of simple examples of ineffective and inconvenient (in my opinion), but very safe solutions:
- on Linux, use distributions that do not use systemd
- use the Linux-libre kernel instead of the usual one
- use only those distros that are recognized by the FSF

The advice above is literally destructive because it is the cause of holy wars, while at the same time making a "phantom" contribution to the user's OPSEC and causing a lot of inconvenience associated with a lack of skills / knowledge.

Now I will move on to what I currently have in mind regarding "correct" anonymity.

1. Using coreboot instead of UEFI / BIOS. A controversial topic, since coreboot is not supported on all boards, and porting it to your own is a serious problem.
The problem with UEFI / BIOS is not only in factory backdoors (although that too) but also in vulnerabilities such as bypassing Secure Boot. This creates the possibility of infection with a bootkit, which is very unpleasant, so I would like to hear your opinion about coreboot: is it worth it?

2. Using dual boot
Unfortunately, not all people are rich enough to implement several devices for themselves, thereby securing the workplace.
Personally, I need both a fairly secure and free OS and a fairly convenient, user-friendly OS. Unfortunately I have not found a single balanced one, so I want to make a dual-boot bundle:
Some Linux (Arch, Devuan) + Win10. Win10 will have 1 drive purely for cracked software and games; Linux will have 2 drives for other tasks. The question is: is it possible to implement power-off for drives #1 and #2 when using Win10, and vice versa, power-off for drive #3 when using Linux? This will greatly increase security, and it will be possible to avoid compromising the data of the second system when the first is infected. I would also like to hear about bootloaders for dual boot like GRUB: maybe they have some flaws? What is your general opinion?
P.S. Among the advantages of dual boot: no emulator (QEMU / KVM) can emulate Windows as deeply as its native version for various tests.

3. Using AMD instead of Intel
On boards with an Intel chipset there is an Intel Management Engine microcontroller; it has its own IPv4 interface and its own MAC address. What do you think?
P.S. A question about hardware! Can someone tell me which motherboard can be purchased, given the conditions: AM4 socket, adequate price, the ability to flash coreboot (not necessary) or flash current UEFI / BIOS images from the manufacturer without exploits and critical vulnerabilities? (Vulnerabilities that can be exploited only under certain rare conditions or only with physical access should not be considered critical or even high.)

4. Using secure images / distros
You can choose Arch or Devuan as the main OS; rolling out a firewall and updates + conducting an audit I do not consider a difficult task (for everything suspicious there are VMs that will also be used on our main system).
Win10: the original OS is installed and cleaned of telemetry and other crap using various tools from the net.
Your recommendations?

5. Whonix under QEMU / KVM on our main system (everything is clear here)
There are a couple of questions about using a torified VM. I would like to know: how to use Monero wallets? (I will use other people's trusted nodes.) Via Tor it takes a fucking long time to synchronize, or it gets interrupted altogether.
Is the situation with BTC wallets the same? Tell me how to speed it up and which wallets are better to use. Is it possible to install a mobile emulator on a VM? There was a problem on a VM on Windows: in VirtualBox the AMD-V / Intel VT checkbox in the settings is unavailable, although the processor supports virtualization and it is enabled in the BIOS. How is that? And maybe you can give general recommendations on how to speed up and optimize the VM; I will not pass through the GPU.

6. Full-disk encryption with VeraCrypt (everything is clear here too)
I'm not sure, but it seems like it is possible to implement a scheme where entering password #1 gets us into system #1 and entering password #2 gets us into system #2. This would solve 2 problems at once: creating plausible deniability in the case when they forcefully knock the password out of you, and simplifying dual boot (maybe I'm talking bullshit, because I've never heard of how such "double" encryption is implemented and how it works, or whether it is even possible; I'm also not sure whether the method with powering off unused disks can be implemented).
What is your opinion on this?

7. (Not OPSEC related) Long-term data storage (15+ years)
There is a lot of data and a lot of external HDDs bought from official sellers; the data is both sensitive and not so sensitive. How can it be stored? The external hard drives just gather dust in a foam box and a sturdy box. Can the data be lost as a result of very long downtime? If so, how can this be avoided?

8. (Let's move a little physically away from the PC.) Flashing your devices is a sound idea, so is it worth flashing your Android to a relatively free OS? Tell me what OSes you have used and their flaws. Will it be possible to create a virtual container in them for government applications that are potentially backdoors? They will only have access to the allocated ROM memory. It also optimizes battery / traffic consumption by cutting all sorts of background garbage Google processes.
It is worth touching on the router: do I need to flash the router with OpenWrt? Can I configure some tricks there to speed up UDP / TCP traffic? The obvious advantages are zapret, the ability to roll out a VPN, the ability to roll out dnscrypt, the ability to roll out BitTorrent + tools for creating information noise.

Basically, this is only what worries me; for competent OPSEC there are a lot of topics to study, for which this topic will not be enough.
Perhaps I forgot or missed something; then I will edit or add a comment later. If I fucked up somewhere, point it out; I will be glad of any advice or comments.