diff --git a/opsec/anonymity/33.png b/opsec/anonymity/33.png index 6ee92f1..2f02f4d 100644 Binary files a/opsec/anonymity/33.png and b/opsec/anonymity/33.png differ diff --git a/opsec/index.html b/opsec/index.html index 4d6314d..53234f4 100644 --- a/opsec/index.html +++ b/opsec/index.html @@ -293,7 +293,7 @@

💻 Clientside - Getting Started

  1. ✅ The main source of Plausible Deniability: Veracrypt Hidden Partitions
  2. -
  3. 🟠 Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume)⭐
  4. +
  5. ✅ Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume)⭐
  6. 🟠 Plausibly Deniable Critical Data Backups

💻 Steganography - Hiding secrets in plain sight

diff --git a/opsec/sensitivevm/0.png b/opsec/sensitivevm/0.png new file mode 100644 index 0000000..0188ac7 Binary files /dev/null and b/opsec/sensitivevm/0.png differ diff --git a/opsec/sensitivevm/1.png b/opsec/sensitivevm/1.png new file mode 100644 index 0000000..a3ae1a5 Binary files /dev/null and b/opsec/sensitivevm/1.png differ diff --git a/opsec/sensitivevm/10.png b/opsec/sensitivevm/10.png new file mode 100644 index 0000000..7cc6b82 Binary files /dev/null and b/opsec/sensitivevm/10.png differ diff --git a/opsec/sensitivevm/11.png b/opsec/sensitivevm/11.png new file mode 100644 index 0000000..b694c7c Binary files /dev/null and b/opsec/sensitivevm/11.png differ diff --git a/opsec/sensitivevm/12.png b/opsec/sensitivevm/12.png new file mode 100644 index 0000000..03ee32a Binary files /dev/null and b/opsec/sensitivevm/12.png differ diff --git a/opsec/sensitivevm/13.png b/opsec/sensitivevm/13.png new file mode 100644 index 0000000..777efa7 Binary files /dev/null and b/opsec/sensitivevm/13.png differ diff --git a/opsec/sensitivevm/14.png b/opsec/sensitivevm/14.png new file mode 100644 index 0000000..94da2d8 Binary files /dev/null and b/opsec/sensitivevm/14.png differ diff --git a/opsec/sensitivevm/15.png b/opsec/sensitivevm/15.png new file mode 100644 index 0000000..4ebf012 Binary files /dev/null and b/opsec/sensitivevm/15.png differ diff --git a/opsec/sensitivevm/16.png b/opsec/sensitivevm/16.png new file mode 100644 index 0000000..e40cef3 Binary files /dev/null and b/opsec/sensitivevm/16.png differ diff --git a/opsec/sensitivevm/17.png b/opsec/sensitivevm/17.png new file mode 100644 index 0000000..9c7f17c Binary files /dev/null and b/opsec/sensitivevm/17.png differ diff --git a/opsec/sensitivevm/18.png b/opsec/sensitivevm/18.png new file mode 100644 index 0000000..a1eb818 Binary files /dev/null and b/opsec/sensitivevm/18.png differ 
diff --git a/opsec/sensitivevm/19.png b/opsec/sensitivevm/19.png new file mode 100644 index 0000000..6b54cf9 Binary files /dev/null and b/opsec/sensitivevm/19.png differ diff --git a/opsec/sensitivevm/2.png b/opsec/sensitivevm/2.png new file mode 100644 index 0000000..c7088b8 Binary files /dev/null and b/opsec/sensitivevm/2.png differ diff --git a/opsec/sensitivevm/20.png b/opsec/sensitivevm/20.png new file mode 100644 index 0000000..737b838 Binary files /dev/null and b/opsec/sensitivevm/20.png differ diff --git a/opsec/sensitivevm/21.png b/opsec/sensitivevm/21.png new file mode 100644 index 0000000..45dd96e Binary files /dev/null and b/opsec/sensitivevm/21.png differ diff --git a/opsec/sensitivevm/22.png b/opsec/sensitivevm/22.png new file mode 100644 index 0000000..4859c75 Binary files /dev/null and b/opsec/sensitivevm/22.png differ diff --git a/opsec/sensitivevm/23.png b/opsec/sensitivevm/23.png new file mode 100644 index 0000000..88de9d6 Binary files /dev/null and b/opsec/sensitivevm/23.png differ diff --git a/opsec/sensitivevm/24.png b/opsec/sensitivevm/24.png new file mode 100644 index 0000000..5c0e75d Binary files /dev/null and b/opsec/sensitivevm/24.png differ diff --git a/opsec/sensitivevm/25.png b/opsec/sensitivevm/25.png new file mode 100644 index 0000000..8136af6 Binary files /dev/null and b/opsec/sensitivevm/25.png differ diff --git a/opsec/sensitivevm/26.png b/opsec/sensitivevm/26.png new file mode 100644 index 0000000..40f60a2 Binary files /dev/null and b/opsec/sensitivevm/26.png differ diff --git a/opsec/sensitivevm/27.png b/opsec/sensitivevm/27.png new file mode 100644 index 0000000..ccc143c Binary files /dev/null and b/opsec/sensitivevm/27.png differ diff --git a/opsec/sensitivevm/28.png b/opsec/sensitivevm/28.png new file mode 100644 index 0000000..c4630cf Binary files /dev/null and b/opsec/sensitivevm/28.png differ 
diff --git a/opsec/sensitivevm/29.png b/opsec/sensitivevm/29.png new file mode 100644 index 0000000..ed30d3c Binary files /dev/null and b/opsec/sensitivevm/29.png differ diff --git a/opsec/sensitivevm/3.png b/opsec/sensitivevm/3.png new file mode 100644 index 0000000..e95d34b Binary files /dev/null and b/opsec/sensitivevm/3.png differ diff --git a/opsec/sensitivevm/30.png b/opsec/sensitivevm/30.png new file mode 100644 index 0000000..ae2b4b3 Binary files /dev/null and b/opsec/sensitivevm/30.png differ diff --git a/opsec/sensitivevm/31.png b/opsec/sensitivevm/31.png new file mode 100644 index 0000000..5791d88 Binary files /dev/null and b/opsec/sensitivevm/31.png differ diff --git a/opsec/sensitivevm/32.png b/opsec/sensitivevm/32.png new file mode 100644 index 0000000..af635af Binary files /dev/null and b/opsec/sensitivevm/32.png differ diff --git a/opsec/sensitivevm/33.png b/opsec/sensitivevm/33.png new file mode 100644 index 0000000..2bab1e0 Binary files /dev/null and b/opsec/sensitivevm/33.png differ diff --git a/opsec/sensitivevm/34.png b/opsec/sensitivevm/34.png new file mode 100644 index 0000000..3edfebc Binary files /dev/null and b/opsec/sensitivevm/34.png differ diff --git a/opsec/sensitivevm/35.png b/opsec/sensitivevm/35.png new file mode 100644 index 0000000..a740af9 Binary files /dev/null and b/opsec/sensitivevm/35.png differ diff --git a/opsec/sensitivevm/36.png b/opsec/sensitivevm/36.png new file mode 100644 index 0000000..93fc276 Binary files /dev/null and b/opsec/sensitivevm/36.png differ diff --git a/opsec/sensitivevm/37.png b/opsec/sensitivevm/37.png new file mode 100644 index 0000000..107d0c6 Binary files /dev/null and b/opsec/sensitivevm/37.png differ diff --git a/opsec/sensitivevm/38.png b/opsec/sensitivevm/38.png new file mode 100644 index 0000000..a88d768 Binary files /dev/null and b/opsec/sensitivevm/38.png differ 
diff --git a/opsec/sensitivevm/39.png b/opsec/sensitivevm/39.png new file mode 100644 index 0000000..ccf1a4e Binary files /dev/null and b/opsec/sensitivevm/39.png differ diff --git a/opsec/sensitivevm/4.png b/opsec/sensitivevm/4.png new file mode 100644 index 0000000..f5632a0 Binary files /dev/null and b/opsec/sensitivevm/4.png differ diff --git a/opsec/sensitivevm/5.png b/opsec/sensitivevm/5.png new file mode 100644 index 0000000..0eb486f Binary files /dev/null and b/opsec/sensitivevm/5.png differ diff --git a/opsec/sensitivevm/6.png b/opsec/sensitivevm/6.png new file mode 100644 index 0000000..3c63041 Binary files /dev/null and b/opsec/sensitivevm/6.png differ diff --git a/opsec/sensitivevm/7.png b/opsec/sensitivevm/7.png new file mode 100644 index 0000000..d1f34d0 Binary files /dev/null and b/opsec/sensitivevm/7.png differ diff --git a/opsec/sensitivevm/8.png b/opsec/sensitivevm/8.png new file mode 100644 index 0000000..50144a8 Binary files /dev/null and b/opsec/sensitivevm/8.png differ diff --git a/opsec/sensitivevm/9.png b/opsec/sensitivevm/9.png new file mode 100644 index 0000000..36e24aa Binary files /dev/null and b/opsec/sensitivevm/9.png differ diff --git a/opsec/sensitivevm/index.html b/opsec/sensitivevm/index.html new file mode 100644 index 0000000..459b3d4 --- /dev/null +++ b/opsec/sensitivevm/index.html @@ -0,0 +1,619 @@ + + + + + + + + + + + Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-10-29

+

Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume)

+ +

In this tutorial we're going to cover how to setup Whonix VMs for Sensitive use. This means that our OPSEC requirement is that we need to be able to deny the existance of the Sensitive Whonix VM if the adversary ever gets access to our laptop.

+

Now the advantage of this setup, is that it is not going to actually destroy the computer, nor any sensitive data, you can keep using it even after triggering an emergency shutdown.

+

CONTEXT WARNING: this setup is only suitable if you are not going to be thrown in jail for just using Veracrypt., and if an adversary were to bust down your front door, you need to have at least 5 seconds before he can see your laptop screen.

+ +

OPSEC Recommendations:

+
    +
  1. Hardware : (Personal Computer / Laptop)

  2. +
  3. Host OS: Linux

  4. +
  5. Hypervisor: libvirtd QEMU/KVM

  6. +
  7. Harddrive (HDD): 500GB and encrypted with Veracrypt (with a 250Gb Hidden Volume)

  8. +
  9. Virtual Machine:Whonix

  10. +
+ +
+
+
+
+ + +
+
+
+
+

How to setup the VMs inside the Veracrypt volumes



+

First, we're going to setup our veracrypt volumes on our 500Gb harddrive:

+ + + + + + + + + + +

And in our veracrypt outer (decoy) volume, we're going to setup the veracrypt inner (hidden) volume, and set it to be 250Gb big:

+ + + + + + + + + +

Now that the vercarypt volume has been setup, to highlight the mechanism, for the same harddrive, you have 2 passwords. Password A opens up the decoy volume, and Password B (which must remains secret, only to be known by you) opens up the hidden volume:

+ + + + +
+
+
+
+ +
+
+
+
+

Setting up the Hidden Volume



+

So now let's setup the hidden volume, where we will put the Sensitive Whonix QEMU VMs:

+ + +

Then, we're going to download the Whonix VMs and configure them to be used from inside the hidden veracrypt volume:

+ +

+[ nowhere ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ mv ~/Downloads/Whonix-Xfce-17.2.3.7.Intel_AMD64.qcow2.libvirt.xz /mnt/veracrypt1/
+
+[ nowhere ] [ /dev/pts/23 ] []
+→ tar -xvf Whonix-Xfce-17.2.3.7.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_BINARY_LICENSE_AGREEMENT
+WHONIX_DISCLAIMER
+Whonix-Gateway-Xfce-17.2.3.7.xml
+Whonix-Workstation-Xfce-17.2.3.7.xml
+Whonix_external_network-17.2.3.7.xml
+Whonix_internal_network-17.2.3.7.xml
+Whonix-Gateway-Xfce-17.2.3.7.Intel_AMD64.qcow2
+Whonix-Workstation-Xfce-17.2.3.7.Intel_AMD64.qcow2
+
+[ nowhere ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+
+
+

next, we simplify the files names:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ mv Whonix-Gateway-Xfce-17.2.3.7.xml Whonix-Gateway.xml
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ mv Whonix-Gateway-Xfce-17.2.3.7.Intel_AMD64.qcow2 Whonix-Gateway.qcow2
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ mv Whonix-Workstation-Xfce-17.2.3.7.xml Whonix-Workstation.xml
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ mv Whonix-Workstation-Xfce-17.2.3.7.Intel_AMD64.qcow2 Whonix-Workstation.qcow2
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ mv Whonix_external_network-17.2.3.7.xml Whonix-external.xml
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ mv Whonix_internal_network-17.2.3.7.xml Whonix-internal.xml
+
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ ls -l
+total 209745392
+drwx------ 2 root     root           16384 Sep  1 21:24 lost+found
+-rwxrwx--x 1 nihilist libvirt         1202 Jan  2  2024 refreshvms.sh
+-rwxrwx--- 1 nihilist libvirt        39649 Oct 21  2015 WHONIX_BINARY_LICENSE_AGREEMENT
+-rwxrwx--- 1 nihilist libvirt         4185 Oct 21  2015 WHONIX_DISCLAIMER
+-rwxrwx--- 1 nihilist libvirt          172 Oct 21  2015 Whonix_external_network-17.2.3.7.xml
+-rwxrwx--- 1 nihilist libvirt 107389386752 Nov  1 14:13 Whonix-Gateway.qcow2
+-rwxrwx--- 1 nihilist libvirt         3577 Sep  1 22:31 Whonix-Gateway.xml
+-rwxrwx--- 1 nihilist libvirt           97 Oct 21  2015 Whonix_internal_network-17.2.3.7.xml
+-rwxrwx--- 1 nihilist libvirt 107389386752 Nov  1 14:13 Whonix-Workstation.qcow2
+-rwxrwx--- 1 nihilist libvirt         3466 Sep  1 22:30 Whonix-Workstation.xml
+
+
+

And then we edit the .xml file of the gateway VM to give it 1GB of RAM and mentionning the correct .qcow2 path:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ vim Whonix-Gateway.xml 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ cat Whonix-Gateway.xml | grep emory
+  <memory dumpCore="off" unit="GiB">1</memory>
+  <currentMemory unit="GiB">1</currentMemory>
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ cat Whonix-Gateway.xml | grep qcow2
+      <driver name="qemu" type="qcow2"/>
+      <source file="/mnt/veracrypt1/Whonix-Gateway.qcow2"/>
+
+
+

And then we do the same for the .xml file of the workstation VM to give it 8GB of RAM and mentionning the correct .qcow2 path aswell:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ vim Whonix-Workstation.xml 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ cat Whonix-Workstation.xml | grep emory
+  <memory dumpCore="off" unit="GiB">8</memory>
+  <currentMemory unit="GiB">8</currentMemory>
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ cat Whonix-Workstation.xml | grep qcow2
+      <driver name="qemu" type="qcow2"/>
+      <source file="/mnt/veracrypt1/Whonix-Workstation.qcow2"/>
+
+
+

and from here we create script.sh that we put inside the veracrypt hidden volume, we will use it to automatically either import or remove both VMs into virt-manager depending on wether they are already imported or not.

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ vim script.sh
+
+[ nowhere ] [ /dev/pts/0 ] [~]
+→ cat /mnt/veracrypt1/script.sh
+#!/bin/bash
+
+if [ $(virsh -c qemu:///system list --all | grep Whonix | wc -l) -ne 0 ];
+then
+
+	# if the VMs are imported, remove them:
+
+	virsh -c qemu:///system destroy Whonix-Gateway
+	virsh -c qemu:///system destroy Whonix-Workstation
+	virsh -c qemu:///system undefine Whonix-Gateway
+	virsh -c qemu:///system undefine Whonix-Workstation
+	virsh -c qemu:///system net-destroy Whonix-External
+	virsh -c qemu:///system net-destroy Whonix-Internal
+	virsh -c qemu:///system net-undefine Whonix-External
+	virsh -c qemu:///system net-undefine Whonix-Internal
+else
+
+
+	# if the VMs are not imported, import them:
+
+	virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-external.xml
+	virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-internal.xml
+	virsh -c qemu:///system net-autostart Whonix-External
+	virsh -c qemu:///system net-start Whonix-External
+	virsh -c qemu:///system net-autostart Whonix-Internal
+	virsh -c qemu:///system net-start Whonix-Internal
+	virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Gateway.xml
+	virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Workstation.xml
+fi
+
+
+

So by default you have your QEMU VMs like so:

+ +

And to run the script to import the VMs you do as follows:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ chmod +x script.sh 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ ./script.sh 
+Network Whonix-External defined from Whonix-external.xml
+
+Network Whonix-Internal defined from Whonix-internal.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml
+
+
+

From there you'll see that the Whonix VMs are imported:

+ +

And now to remove them you can just run the same script again:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ ./script.sh
+error: Failed to destroy domain 'Whonix-Gateway'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation'
+error: Requested operation is not valid: domain is not running
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+Network Whonix-Internal has been undefined
+
+
+

And you'll see that the VMs are no longer there:

+ + +
+
+
+
+ +
+
+
+
+

Setting up the Decoy volume



+

Now that we have setup the hidden volume, let's close it so that we can setup the decoy volume (dont forget to exit the drive from the commandline, otherwise veracrypt will complain that the drive is busy):

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ cd ..
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ 
+
+
+

Now first dismount the hidden volume:

+ +

And then mount the decoy volume:

+ +

In the decoy volume, we want content that makes sense to be kept hidden in an encrypted volume while still not being considered as sensitive (meaning nothing that can get you into trouble like adult content, or movies that you pirated):

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ cd /mnt/veracrypt1 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ ls
+lost+found
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ sudo apt install yt-dlp vlc -y
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ yt-dlp https://www.youtube.com/watch\?v\=16efRG5H_Vc
+	
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ yt-dlp https://www.youtube.com/watch\?v\=HmZm8vNHBSU 
+
+
+ +

So in this example we're going to pretend we have pirated some movies and got some adult content, that way we have an excuse as to why we have an encrypted veracrypt volume if ever forced by an adversary. We then create the script.sh which will basically be used to kill the media player window:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ vim script.sh 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ chmod +x script.sh 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt/veracrypt1]
+→ cat script.sh 
+#!/bin/bash
+
+kill -9 $(pidof vlc)
+
+
+

If ever asked to by an adversary, we'll basically pretend that this script is there to quickly kill the media player window in case if someone were to enter the room while you were watching that not-sensitive-but-private content.

+ +
+
+
+
+ +
+
+
+
+

Emergency shutdown script setup



+

Now that we're done setting up both the hidden and the decoy volumes, we're going to setup the script that will launch either of the 2 script.sh scripts we just wrote, on top of also erasing all potential proof that the sensitive VM exists (meaning we erase all logs, all kernel logs, we fill the ram with random content 3 times, and we erase the command history):

+

First we need to make sure we can run veracrypt commands without requiring to be a sudo user:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ ls -lash /usr/bin/veracrypt 
+4.3M -rwxr-xr-x 1 root root 4.3M Sep  8 22:37 /usr/bin/veracrypt
+
+[ nowhere ] [ /dev/pts/1 ] [~]
+→ sudo chown root:nihilist /usr/bin/veracrypt
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo groupadd veracrypt
+[sudo] password for nihilist: 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo usermod -aG veracrypt $(whoami)
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ zsh
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo visudo -f /etc/sudoers.d/veracrypt 
+
+%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt, /usr/bin/mount, /usr/bin/umount, /usr/bin/uptime
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ whoami
+nihilist
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ veracrypt -d  -f
+
+
+

Now from there (after a reboot) you wont require sudo passwords to use veracrypt anymore. Next we need to be able to remove all logs without being the root user:

+

+[ nowhere ] [ /dev/pts/1 ] [~]
+→ sudo setfacl -Rm u:$(whoami):rwX /var/log 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ rm /var/log/*.log /var/log/*/*.log /var/log/*/*/*.log -rf
+
+[ nowhere ] [ /dev/pts/1 ] [~]
+→ sudo setfacl -Rm u:$(whoami):rwX /dev/shm
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ rm /dev/shm/*.log /dev/shm/*/*.log /dev/shm/*/*/*.log -rf
+
+
+

Then we need to do the same but to remove all kernel logs:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo sysctl -w kernel.dmesg_restrict=0 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo vim /etc/sysctl.d/01-dmesg.conf.txt 
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ cat /etc/sysctl.d/01-dmesg.conf.txt 
+kernel.dmesg_restrict = 0
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo chown root:nihilist /usr/bin/dmesg
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo chmod 750 /usr/bin/dmesg
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo setcap cap_syslog=ep /usr/bin/dmesg
+
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ dmesg -c 
+
+
+

then we kill veracrypt's process to avoid having the veracrypt window display which drive/volume was selected:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ kill $(pidof veracrypt)
+
+
+

and then we overwrite the ram contents like so:

+

+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ sudo apt install stress -y
+
+#find how many GBs of ram you have:
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1
+125
+
+#do a stress test to fill those 125GBs of ram:
+[ nowhere ] [ /dev/pts/1 ] [/mnt]
+→ stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10 
+stress: info: [2659012] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
+stress: info: [2659012] successful run completed in 11s
+
+
+

so now we write the wipe.sh script, that we place at the home directory of our user:

+

+[ nowhere ] [ /dev/pts/1 ] [~]
+→ cd
+
+[ nowhere ] [ /dev/pts/1 ] [~]
+→ vim wipe.sh 
+
+[ nowhere ] [ /dev/pts/1 ] [~]
+→ cat wipe.sh 
+#!/bin/bash
+
+# run script.sh from inside the veracrypt volume:
+/mnt/veracrypt1/script.sh
+
+# close down the veracrypt volume:
+/usr/bin/veracrypt -d  -f
+
+# remove all system logs:
+rm /var/log/*.log /var/log/*/*.log /var/log/*/*/*.log -rf
+rm /dev/shm/*.log /dev/shm/*/*.log /dev/shm/*/*/*.log -rf
+
+# remove all kernel logs:
+/usr/bin/dmesg -c >/dev/null 2>/dev/null 
+
+# kill the veracrypt process:
+kill $(pidof veracrypt)
+
+# erase the commandline history:
+echo '' > ~/.zsh_history
+echo '' > ~/.bash_history
+
+# overwrite the ram contents 3 times:
+stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10 
+stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10 
+stress -m 1 --vm-bytes $(free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1)G -t 10 
+
+[ nowhere ] [ /dev/pts/1 ] [~]
+→ chmod +x wipe.sh 
+
+
+

Now that we're setup, we need to be able to run that script using a shortcut to be ran from our desktop environment, I am currently using Cinnamon, therefore to create a shortcut for cinnamon you do as follows:

+ + + +

So basically from here, if you are not in a QEMU VM, you simply need to hit the shortcut "SUPER+R".

+

If you are focused in a QEMU VM, you need to do "CTRL+ALT" (to focus out of the QEMU VM), and then "SUPER+R" to run the wipe.sh script from the Host OS.

+ +

Now i'm also going to setup an optional shortcut "Super+V" to only run the /mnt/veracrypt1/script.sh script just so it is easier to setup the whonix VMs when inside the veracrypt hidden volume.

+ +

And we're now all setup! So let's try it out in both scenarios (from the decoy volume, and from the hidden volume):

+
+
+
+
+ + + +
+
+
+
+

Decoy Volume Scenario (watching non-sensitive content)

+

So first we open the veracrypt, and open the decoy volume:

+ + +

Then we open VLC, and we hit "Open file" and browse to our non-sensitive files:

+ + +

Then suddenly someone busts your front door, and you quickly press "Super+R", the VLC window immediately closes, and in 4 seconds you have the Veracrypt volume unmounted and the veracrypt window closed. Meanwhile the wipe.sh script is doing the remaining cleaning up operations in the background, which it will complete under 30 seconds.

+ +

And that's it ! if the adversary didnt get to your desk by the time you pressed the shortcut, he didnt get to see the content you were playing on your monitor.

+ +

Hidden Volume Scenario (using the sensitive VM)

+

+ + +

Once the hidden volume is mounted, we hit "Super+V" to quickly setup the whonix VMs:

+ +

And after a while of doing some actual sensitive stuff on the whonix VM you hear your front door being busted down, so you quickly hit "CTRL+ALT" to focus out of the VM, and then you hit "Super+R" to trigger the emergency shutdown procedure:

+ +

Here it also only takes 4 seconds after pressing "Super+R" to have your whonix VMs shutdown, and the veracrypt hidden volume closed, with the veracrypt window closed. And in the background, the script doing the remaining cleaning steps which will take 30 seconds to complete.

+

And that's it ! You now have a Sensitive VM ready to be used, and you have implemented the necessary measures to protect the deniability of it's existance, from an adversary.

+
+
+
+
+ + + +
+
+
+
+

In what context is there Deniability ?

+

With this setup, you have deniability the moment that the script finishes running, regarding the existance of the veracrypt hidden volume, and the whonix sensitive VMs. Meaning that it is impossible for an adversary that seizes your computer to prove the existance of the Whonix Sensitive VMs after the wipe.sh script finished running.

+

Of course, if you are ever forced to, ONLY give your decoy password to the adversary. The existance of the hidden volume, and of the secret password thats used to reveal it must remain a secret at all costs, it must remain known only by you.

+

If you are ever dragged into court, the judge will appreciate much more if you actually hand over your laptop, and show that you are willing to cooperate with the authorities by providing your password to unlock it, rather than starting to pretend you forgot your password (which can end badly like in this court case, where the defendant was found to be in contempt of court, and thrown in jail for 6 months for it).

+

If ever asked by the authorities on why you used veracrypt in your laptop, you can simply claim that it was to put your stash of adult content in it. Nothing incriminating about it, and it is plausible given that you dont want that laying around on your desktop, due to being of a private matter.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left.



Creative Commons Zero: No Rights Reserved
+ +

+
+ +
+

My Links

+

+ + RSS Feed
SimpleX Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)

+
+ +
+ +
+
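Review bot: The sudoers rule added in the emergency shutdown section, `%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt, /usr/bin/mount, /usr/bin/umount, /usr/bin/uptime`, grants the whole group passwordless root `mount` and `umount`, which is much broader than the dismount needs and is effectively root-equivalent for any process running as that user; wipe.sh only ever invokes `/usr/bin/veracrypt -d -f`, so the rule should be narrowed to that binary (and ideally to those exact arguments). The preceding `sudo chown root:nihilist /usr/bin/veracrypt` changes nothing here, since the binary stays `-rwxr-xr-x` and the sudoers entry is what removes the password prompt. Two smaller points in wipe.sh: the RAM-size pipeline `free -ght | grep Mem | cut -d ' ' -f 12 | cut -d 'G' -f 1` depends on the exact column padding of `free`, so on a machine with a different total the field index shifts and `stress` receives `--vm-bytes G` and exits without overwriting anything; `free -g | awk '/^Mem:/ {print $2}'` is robust to that. And the `rm /var/log/*.log ...` globs do not touch the binary journal under `/var/log/journal/`, so on a systemd host the "all logs" claim in the deniability section is stronger than what the script actually does; either add a `journalctl --rotate && journalctl --vacuum-time=1s` step or state the limitation. Finally, the second run of script.sh in the hidden volume shows `virsh destroy` erroring on domains that are not running; guarding with `virsh domstate` or redirecting those two calls' stderr would keep the emergency path quiet.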
+ + + + + + + diff --git a/productivity/sum-nihil/index.html b/productivity/sum-nihil/index.html index ad901a3..e71baba 100644 --- a/productivity/sum-nihil/index.html +++ b/productivity/sum-nihil/index.html @@ -159,7 +159,7 @@ Exhalation: I am noone

Anonymity, when you don't matter anymore.



-

Suppose you want to start your own blog like i did, what are you doing it for? what is the reason behind it ? Are you doing this out of self interest, to grow your fame a little, to get recognition, applause, external validation, squeezing money out of your viewers, or perhaps improving your CV for your IRL carrier ? Or are you doing it because this work needs to be done ?

+

Suppose you want to start your own blog like i did, what are you doing it for? what is the reason behind it ? Are you doing this out of self interest, to grow your fame a little, to get recognition, applause, external validation, squeezing money out of your viewers, or perhaps improving your CV for your IRL career ? Or are you doing it because this work needs to be done ?

Who are you ? Are you someone that works for personal gain ? Or are you someone that works because the work needs to get done ?

If you go through my blog a bit, you may stumble on anonymous contributions, people that contributed to the blog anonymously. For them, it doesn't matter who did the work, all that matters is that the work gets done.

This also means that they are not looking for fame, recognition, applause, external validation. After all if you know you are right, why does it matter if people agree or disagree ?