diff --git a/opsec/graphene/index.html b/opsec/graphene/index.html index f1e68d4..5d9ee36 100644 --- a/opsec/graphene/index.html +++ b/opsec/graphene/index.html @@ -8,7 +8,7 @@ - How to install GrapheneOS on a Pixel Phone + How to have Privacy on your Phone (GrapheneOS) @@ -61,7 +61,7 @@
Previous Page

nihilist@mainpc - 2024-07-10

-

How to install GrapheneOS on a Pixel Phone

+

How to have Privacy on your Phone (GrapheneOS)

In this tutorial we're going to setup graphene OS, an open source android operating system for google pixel phones. (Yes google phones, if you don't like it then you'll have to wait for functional open hardware alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems given that it's fully open source. and that they refuse to implement google services by default, unlike their competitors like LineageOS.

diff --git a/opsec/haveno-client-f2f/index.html b/opsec/haveno-client-f2f/index.html index 68661ec..7e16758 100644 --- a/opsec/haveno-client-f2f/index.html +++ b/opsec/haveno-client-f2f/index.html @@ -181,10 +181,9 @@ May-29 20:55:27.427 [JavaFX Application Thread] INFO h.d.c.c.c.PopOver: hide:20

For Arch Linux Users

You can either extract the .rpm (which is originally intended for Fedora users) package and run the haveno binary yourself, or use the AUR package maintained by duje

For Windows Users

-

If you are a windows user (know that it cant be trusted as it's not an open source operating system, check out my tutorial here on how to install linux instead), if you're too lazy you can check out darknetreporter's tutorial:

- +

If you are a windows user (know that windows cant be trusted as it's not an open source operating system, so install linux instead):

-

For Tails OS Users: (as of 6th October 2024)

+

For Tails OS Users: (as of 3rd November 2024)

If you want to have a TailsOS VM running, check out my latest tutorial on it here.

Then make sure you have the admin password enabled:

diff --git a/opsec/index.html b/opsec/index.html index d51cdf7..92bcc7f 100644 --- a/opsec/index.html +++ b/opsec/index.html @@ -109,9 +109,9 @@

💻 Getting started

    -
  1. ✅ How to install Linux from a Windows PC ⭐
    2. -
  2. ✅ How to install and update programs on Linux
    3. -
  3. ✅ How to install GrapheneOS on a Pixel Phone
    4. +
  4. ✅ How to have Privacy on your Computer (Linux) ⭐
    5. +
  5. ✅ How to have Privacy on your Phone (GrapheneOS)
    6. +
  6. ❌ How to have Privacy on your Router (Opnsense)
  7. ❌ Easy Private Chats - SimpleX

@@ -125,6 +125,7 @@

💻 Privacy means Open Source (FOSS)

    +
  1. ✅ How to install and update programs on Linux
  2. ✅ How to compile open source software + How to verify software integrity
  3. ✅ How to Virtualize Machines (QEMU/KVM Hypervisor)
  4. ✅ How to get privacy from your ISP using a VPN
    5. @@ -286,11 +287,11 @@

    💻 Clientside - Getting Started

      +
    1. ✅ Using the Host-OS in live-mode to enable Sensitive Use
    2. ✅ The main source of Plausible Deniability: Deniable Encryption
      3. -
    3. ✅ Tails OS QEMU VM for Temporary Sensitive Use
      4. -
    4. ✅ Using the Host-OS in live-mode to prepare for long-term Sensitive Use
    5. 🟠 Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume)⭐
    6. 🟠 Plausibly Deniable Critical Data Backups
      7. +
    7. ✅ Tails OS QEMU VM for Temporary Sensitive Use

    💻 Steganography - Hiding secrets in plain sight

      diff --git a/opsec/linux/index.html b/opsec/linux/index.html index c0e6e40..f3901d5 100644 --- a/opsec/linux/index.html +++ b/opsec/linux/index.html @@ -8,7 +8,7 @@ - How to install Linux from a Windows PC + How to have Privacy on your Computer (Linux) @@ -61,7 +61,7 @@
      Previous Page

      nihilist@mainpc - 2024-06-16

      -

      How to install Linux from a Windows PC

      +

      How to have Privacy on your Computer (Linux)

      In this tutorial, we're going to look at the first and foremost thing anyone can do to remove surveillance from their digital lives, by installing a free and open source software (FOSS) host operating system: Linux, in this case we're going to setup the latest Debian.

      OPSEC Recommendations:

      @@ -175,7 +175,7 @@ -

      Here Bob decides that he wants to encrypt his whole harddrive too. That way, if someone were to steal his computer, without knowing his password, they would have no way to access Bob's local data.

      +

      Here Bob decides that he wants to encrypt his whole harddrive too. That way, if someone were to steal his computer, without knowing his password, they would have no way to access Bob's local data. (but be warned that for sensitive use, one shouldn't need to encrypt the system drive at all (more details).

      diff --git a/opsec/livemode/3.png b/opsec/livemode/3.png index 437b260..6829101 100644 Binary files a/opsec/livemode/3.png and b/opsec/livemode/3.png differ diff --git a/opsec/livemode/4.png b/opsec/livemode/4.png index a8284ac..ef84cda 100644 Binary files a/opsec/livemode/4.png and b/opsec/livemode/4.png differ diff --git a/opsec/livemode/index.html b/opsec/livemode/index.html index ae12e37..27aa821 100644 --- a/opsec/livemode/index.html +++ b/opsec/livemode/index.html @@ -63,6 +63,15 @@ Previous Page

      nihilist@mainpc - 2024-11-03

      Using the Host-OS in live-mode to prepare for long-term Sensitive Use

      +

      OPSEC Recommendations:

      +
        +

      1. Hardware : (Personal Computer / Laptop)

        2. +

      2. System Harddrive: not LUKS encrypted [1]

        3. +

      3. Non-System Harddrive: 500Gb (will be used to contain our Veracrypt encrypted volumes)

        4. +

      4. Host OS: Linux

        5. +

      5. Hypervisor: QEMU/KVM

        6. +
      +
      @@ -127,9 +136,9 @@ Fetched 101 kB in 1s (73.7 kB/s) Reading package lists... Done -

      Then we install the grub-live package

      +

      Then we install the grub-live package, and the ram-wipe package (warning, the ram-wipe package may cause your system to fail to boot in case if you encrypted the system drive using LUKS, click here for more details on this). Therefore i recommend having the Host OS system drive not encrypted until dracut supports LUKS encryption, but it shouldn't matter though, as the actual VMs that we'll be running will be on a non-system drive, which will be manually kept in deniable encryption.

      
-root@debian-tests:~# sudo apt-get install grub-live -y
+root@debian-tests:~#  apt install grub-live ram-wipe -y
      diff --git a/opsec/sensitivevm/0.png b/opsec/sensitivevm/0.png index 0188ac7..6b695d2 100644 Binary files a/opsec/sensitivevm/0.png and b/opsec/sensitivevm/0.png differ diff --git a/opsec/sensitivevm/index.html b/opsec/sensitivevm/index.html index 459b3d4..759e91f 100644 --- a/opsec/sensitivevm/index.html +++ b/opsec/sensitivevm/index.html @@ -90,6 +90,7 @@

      First, we're going to setup our veracrypt volumes on our 500Gb harddrive:

      +

      Here we're using a non-system drive, as we want to be able to store our veracrypt hidden volume contents in a persistent manner, accross reboots. (if we were to have the veracrypt volume on the system drive, it would be wiped off upon rebooting since the Host OS is in live mode.)

      diff --git a/opsec/veracrypt/index.html b/opsec/veracrypt/index.html index ca208c3..34ad37e 100644 --- a/opsec/veracrypt/index.html +++ b/opsec/veracrypt/index.html @@ -65,7 +65,26 @@

      VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. It is based on Truecrypt, This tool will be used for Plausible Deniability.

      But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, because you need to be able to deny the existence of the encrypted volume. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.

      - + +DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling +
      
+source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
+
+regarding wear leveling:
+"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
+
+
      +

      OPSEC Recommendations:

      +
        +

      1. Hardware : (Personal Computer / Laptop)

        2. +

      2. System Harddrive: not LUKS encrypted [1]

        3. +

      3. Non-System Harddrive: 500Gb (used to contain our Veracrypt encrypted volumes)

        4. +

      4. Host OS: Linux

        5. +

      5. Hypervisor: QEMU/KVM

        6. +

      6. Packages: grub-live and ram-wipe

        7. +
      + +
@@ -76,19 +95,8 @@
-

Initial Setup

-
-DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling -

-source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
-
-regarding wear leveling:
-"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
-
-
- - -

Let's install the .deb package for veracrypt:

+

Deniability Context

+

Let's install the .deb package for veracrypt (you can install it safely from non-live mode), so that the software is available whenever you want to use it while the host OS is in live mode: 


 [ mainpc ] [ /dev/pts/1 ] [~/Downloads]
@@ -111,12 +119,21 @@ regarding wear leveling:
 → veracrypt
+

So now that you have veracrypt installed, before you start to use veracrypt, you need to be aware of the lack of deniability you have when using the Host OS in regular mode:

+ +

By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you manually remove each of those manually, you're never sure of wether or not Host OS saved proof of the existence of the hidden volume onto the system drive. That's why you need to use the Host OS in live mode, to be able to use veracrypt.

+ +

That way, as you're loading the entire host OS in the RAM due to being in live mode, you are not writing anything on the system drive anymore, but rather only writing all that potential forensic evidence of the veracrypt hidden volume in RAM alone, which can be easily erased with a simple shutdown.

+

So now that we have installed veracrypt, let's reboot the Host OS into live mode:

+ -

Now from there we can create encrypted volumes (either as files or as entire drives). In this case we'll create an encrypted file:

+ +

And only now once we are in live mode, we can use veracrypt to create drives. But be aware that everything you write into the system drive will be wiped upon shutting down, if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.

+

So now from there we can create the encrypted volumes (either as files or as entire drives). In this example we'll create an encrypted file:

Here we select that we want a Hidden veracrypt volume as well (which will be able to deny it's existence).

-

Then we want it to be a simple file in my home directory

+

Then we want it to be a simple file in my home directory for testing purposes (so be aware that upon rebooting it will be erased due to being in the system drive). If you want it to not be erased upon rebooting, you'll need to put it in a non-system drive like in this tutorial.

Leave the default settings for the encryption

@@ -129,7 +146,7 @@ regarding wear leveling:

Then move your mouse to make sure the randomness of the encryption is best, then let it complete the formatting. If you are creating a large encrypted volume, it will take time to overwrite all the data. DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable by an adversary.

-

Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, the existence of this volume must never be revealed to anyone except you.. then we repeat the previous steps:

+

Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, the existence of this volume must never be revealed to anyone, only you should know about it. then we repeat the previous steps:

Here we select the size we need for the hidden volume.

@@ -158,6 +175,7 @@ regarding wear leveling:

And here you see that the volume mounted is now of the "hidden" type

+

And that's it! We now have setup a test veracrypt volume with a hidden volume, into which we can store some sensitive files.