diff --git a/0_template/index.md b/0_template/index.md new file mode 100644 index 0000000..701919b --- /dev/null +++ b/0_template/index.md @@ -0,0 +1,66 @@ +--- +author: nihilist +date: 2001-01-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# SRVNAME Setup + +![](0.png) + + + +## **Initial Setup** + +![]() + + + + + +![]() + + + + + +![]() + + + + + +## **Setup** + +![]() + + + + + +![]() + + + + + +![]() + + + + + +## **Setup** + + + + + + + + + + + + + diff --git a/OPSEC.drawio.png b/OPSEC.drawio.png new file mode 100644 index 0000000..435c04a Binary files /dev/null and b/OPSEC.drawio.png differ diff --git a/anonaccess/1.png b/anonaccess/1.png new file mode 100644 index 0000000..a374057 Binary files /dev/null and b/anonaccess/1.png differ diff --git a/anonaccess/2.png b/anonaccess/2.png new file mode 100644 index 0000000..2f08fd6 Binary files /dev/null and b/anonaccess/2.png differ diff --git a/anonaccess/3.png b/anonaccess/3.png new file mode 100644 index 0000000..01a1708 Binary files /dev/null and b/anonaccess/3.png differ diff --git a/anonaccess/4.png b/anonaccess/4.png new file mode 100644 index 0000000..5aa889e Binary files /dev/null and b/anonaccess/4.png differ diff --git a/anonaccess/5.png b/anonaccess/5.png new file mode 100644 index 0000000..3efa93d Binary files /dev/null and b/anonaccess/5.png differ diff --git a/anonaccess/6.png b/anonaccess/6.png new file mode 100644 index 0000000..2cd09f6 Binary files /dev/null and b/anonaccess/6.png differ diff --git a/anonaccess/index.md b/anonaccess/index.md new file mode 100644 index 0000000..2f53292 --- /dev/null +++ b/anonaccess/index.md @@ -0,0 +1,70 @@ +--- +author: nihilist +date: 2024-05-02 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/111" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Remote anonymous access setup (SSH through tor) + + + +## **Initial Setup** + +On your server, edit the torrc file like so: + + + [ Datura ] [ /dev/pts/9 ] [~] + → cat /etc/tor/torrc + + HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/ + HiddenServicePort 22 127.0.0.1:22 + HiddenServicePort 80 127.0.0.1:4443 + + + +Then just edit your local .ssh config to access it: + + + [ mainpc ] [ /dev/pts/7 ] [~] + → cat .ssh/config + Host tortura + User root + hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + IdentityFile ~/.ssh/torified + + Host datura + User root + hostname 65.109.30.253 + IdentityFile ~/.ssh/torified + + + +Then connect to the host by forcing SSH to go through tor, thanks to torsocks: + + + [ mainpc ] [ /dev/pts/5 ] [~] + → systemctl restart tor@default + + [ mainpc ] [ /dev/pts/5 ] [~] + → torsocks ssh tortura + The authenticity of host 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion (<****no hostip for proxy command>)' can't be established. + ED25519 key fingerprint is SHA256:A0CFTeUixGoK96VenBQ7Z2U8kX5olDCqBvBNeJUfs6I. + This host key is known by the following other names/addresses: + ~/.ssh/known_hosts:144: [hashed name] + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion' (ED25519) to the list of known hosts. + Enter passphrase for key '/home/nihilist/.ssh/torified': + Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Thu May 2 14:47:23 2024 from 178.255.149.178 + +For instance, this is how you can access a server that is in an isolated LAN (such as in your home network), without requiring to port-forward anything. + +But keep in mind that the latency is going to be higher due to the 6 hops circuit (since we're doing it via the .onion link, rather than connecting to the IP directly). The length of the circuit is due to requiring to use the rendez-vous mechanism, since we're using the .onion domain. + diff --git a/anonclearnetservices/0.png b/anonclearnetservices/0.png new file mode 100644 index 0000000..c43897b Binary files /dev/null and b/anonclearnetservices/0.png differ diff --git a/anonclearnetservices/1.png b/anonclearnetservices/1.png new file mode 100644 index 0000000..46f66f7 Binary files /dev/null and b/anonclearnetservices/1.png differ diff --git a/anonclearnetservices/2.png b/anonclearnetservices/2.png new file mode 100644 index 0000000..f4ba5be Binary files /dev/null and b/anonclearnetservices/2.png differ diff --git a/anonclearnetservices/index.md b/anonclearnetservices/index.md new file mode 100644 index 0000000..e76afbc --- /dev/null +++ b/anonclearnetservices/index.md @@ -0,0 +1,38 @@ +--- +author: nihilist +date: 2024-08-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/105" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Where to host Anonymous Clearnet Services ? + +![](0.png) + +In this tutorial we're going explain how you can have anonymous clearnet services, which can either remotely or self-hosted. + + + +## **Hosting an Anonymous Remote Clearnet Service** + +The first way to have an Anonymous clearnet service, is Remotely, where you go through a non-KYC cloud provider, and a non-KYC domain provider, in order to obtain a remote VPS and Domain anonymously (using Tor and Monero). + +![](1.png) + +The idea here is that you always keep Tor between you and the services, so that it remains impossible to prove that you are the owner of said service, from the acquisition of the services, to their actual use (forcing SSH to go through Tor). + +## **Self-Hosting an Anonymous Clearnet Service** + +The second way to have an Anonymous clearnet service is by self-hosting it, like above, you also need to get yourself a VPS and a domain anonymously, using non-KYC providers/resellers. The VPS must have openvpn installed on it. + +Then you need to have a home server, running a local service (let's say with ports 80 and 443), + +That same local homeserver must connect to the OpenVPN server, but you must force the VPN connection to go through Tor, to avoid revealing your Home IP to the cloud provider. + +And from there, you will be able to port-forward the ports from your local service, to the VPS, while maintaining your Anonymity. + +And of course, if your ISP doesn't allow Tor traffic, we can always hide it using a Trusted VPN, like MullvadVPN. + +![](2.png) + +Note that such a setup is to be done only when you want to have your server data at home (for example, [self-hosting a mail server, while maintaining Anonymity](../mailprivate/index.md)), if this is not a concern, then you should just host the service remotely as seen above. + diff --git a/anoncreditcard/0.png b/anoncreditcard/0.png new file mode 100644 index 0000000..41846e7 Binary files /dev/null and b/anoncreditcard/0.png differ diff --git a/anoncreditcard/1.png b/anoncreditcard/1.png new file mode 100644 index 0000000..0930f4d Binary files /dev/null and b/anoncreditcard/1.png differ diff --git a/anoncreditcard/10.png b/anoncreditcard/10.png new file mode 100644 index 0000000..b03a297 Binary files /dev/null and b/anoncreditcard/10.png differ diff --git a/anoncreditcard/11.png b/anoncreditcard/11.png new file mode 100644 index 0000000..c5335e0 Binary files /dev/null and b/anoncreditcard/11.png differ diff --git a/anoncreditcard/12.png b/anoncreditcard/12.png new file mode 100644 index 0000000..8105073 Binary files /dev/null and b/anoncreditcard/12.png differ diff --git a/anoncreditcard/13.png b/anoncreditcard/13.png new file mode 100644 index 0000000..62baad1 Binary files /dev/null and b/anoncreditcard/13.png differ diff --git a/anoncreditcard/14.png b/anoncreditcard/14.png new file mode 100644 index 0000000..f76546b Binary files /dev/null and b/anoncreditcard/14.png differ diff --git a/anoncreditcard/15.png b/anoncreditcard/15.png new file mode 100644 index 0000000..7076139 Binary files /dev/null and b/anoncreditcard/15.png differ diff --git a/anoncreditcard/16.png b/anoncreditcard/16.png new file mode 100644 index 0000000..3231179 Binary files /dev/null and b/anoncreditcard/16.png differ diff --git a/anoncreditcard/17.png b/anoncreditcard/17.png new file mode 100644 index 0000000..109d76a Binary files /dev/null and b/anoncreditcard/17.png differ diff --git a/anoncreditcard/18.png b/anoncreditcard/18.png new file mode 100644 index 0000000..ef9e3ae Binary files /dev/null and b/anoncreditcard/18.png differ diff --git a/anoncreditcard/19.png b/anoncreditcard/19.png new file mode 100644 index 0000000..54d8ad2 Binary files /dev/null and b/anoncreditcard/19.png differ diff --git a/anoncreditcard/2.png b/anoncreditcard/2.png new file mode 100644 index 0000000..c0ed57d Binary files /dev/null and b/anoncreditcard/2.png differ diff --git a/anoncreditcard/20.png b/anoncreditcard/20.png new file mode 100644 index 0000000..a48caab Binary files /dev/null and b/anoncreditcard/20.png differ diff --git a/anoncreditcard/21.png b/anoncreditcard/21.png new file mode 100644 index 0000000..20f7dc7 Binary files /dev/null and b/anoncreditcard/21.png differ diff --git a/anoncreditcard/22.png b/anoncreditcard/22.png new file mode 100644 index 0000000..a273d54 Binary files /dev/null and b/anoncreditcard/22.png differ diff --git a/anoncreditcard/23.png b/anoncreditcard/23.png new file mode 100644 index 0000000..46c0995 Binary files /dev/null and b/anoncreditcard/23.png differ diff --git a/anoncreditcard/24.png b/anoncreditcard/24.png new file mode 100644 index 0000000..b32ef2e Binary files /dev/null and b/anoncreditcard/24.png differ diff --git a/anoncreditcard/3.png b/anoncreditcard/3.png new file mode 100644 index 0000000..5f5d951 Binary files /dev/null and b/anoncreditcard/3.png differ diff --git a/anoncreditcard/4.png b/anoncreditcard/4.png new file mode 100644 index 0000000..44ca52f Binary files /dev/null and b/anoncreditcard/4.png differ diff --git a/anoncreditcard/5.png b/anoncreditcard/5.png new file mode 100644 index 0000000..0caef31 Binary files /dev/null and b/anoncreditcard/5.png differ diff --git a/anoncreditcard/6.png b/anoncreditcard/6.png new file mode 100644 index 0000000..4de1edb Binary files /dev/null and b/anoncreditcard/6.png differ diff --git a/anoncreditcard/7.png b/anoncreditcard/7.png new file mode 100644 index 0000000..0c487c8 Binary files /dev/null and b/anoncreditcard/7.png differ diff --git a/anoncreditcard/8.png b/anoncreditcard/8.png new file mode 100644 index 0000000..45cb9a1 Binary files /dev/null and b/anoncreditcard/8.png differ diff --git a/anoncreditcard/9.png b/anoncreditcard/9.png new file mode 100644 index 0000000..69d9bf0 Binary files /dev/null and b/anoncreditcard/9.png differ diff --git a/anoncreditcard/index.md b/anoncreditcard/index.md new file mode 100644 index 0000000..bb89506 --- /dev/null +++ b/anoncreditcard/index.md @@ -0,0 +1,111 @@ +--- +author: XMRonly +date: 2024-11-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/28" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# How to Get a Credit Card Anonymously (Credit Cards as a Service) + +![](0.png) + +## **Introduction** + +With the growing economy and increasingly aggressive marketing, every company is competing to earn your business. There are no shortages of ways to spend your hard-earned money, but you may not always want to have your purchases tied to your real identity. For in person purchases, there is the obvious choice of cash as no information about you is recorded. However, online is a different story. E-commerce is heavily reliant on the use of credit cards, which leave a digital trail of metadata that ties back to you, is shared with third parties and is repackaged and sold to data brokers. Some forward-thinking vendors accept cryptocurrency but given online markets as a whole, this is still relatively niche. If your preferred method of buying something is Monero and your target vendor doesn't accept Monero, wouldn't it be great if you could still just use Monero anyway? In this article, we will explore how to obtain an anonymous prepaid card for Monero using Cake Pay and how to use this prepaid card to purchase a VPS from Hostinger, a KYC web hosting provider. + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + + + +Every steps listed below are to be done via the Tor browser, in order to preserve our anonymity. + + + +## **Obtaining the Card** + +Using the Tor Browser, navigate to **https://buy.cakepay.com**. Here we are going to select the Mastercard Prepaid USD Debit (Virtual Only) option. Click Buy Now. ![](1.png) + +When prompted, enter an [anonymous email](../anonemail/index.md) and then retrieve and enter the one-time password emailed to us. ![](2.png) + +The next screen has some important information on it. It informs us that a name and email will be required for sign-up. It just doesn't specify that it has to be _our_ name and address. This card will not work in Apple Pay or Google Wallet, not that we were planning on using those anyway. Additionally, trying to redeem this card while using a VPN (or in our case, the Tor Browser) may fail. More on that later. Enter a desired amount and click Buy Now. ![](3.png) + +We are now presented with a payment screen. ![](4.png) + +Copy the destination address and amount into your Monero wallet and send the payment. ![](5.png) + +Cake Pay will quickly detect the payment, and after a few more on-chain confirmations it will say the invoice is paid. ![](6.png) + +Back in your inbox, you will now receive an email with Redemption Instructions and a Code. ![](7.png) + +Attempting to redeem the code through the Tor Browser or through a VPN will fail and after around 10 consecutive attempts your redemption link and code will be temporarily locked. ![](8.png) + +This is where a [residential proxy](../anonproxy/index.md) will come in handy. After setting one up, we can continue unimpeded using the Tor Browser. Input the code, confirm you are not a robot and click Submit. ![](9.png) + +Our card purchase was successful. Copy the code and navigate to the provided link. ![](10.png) + +Enter the code and click on Redeem Code. ![](11.png) + +Complete the captcha if prompted by sliding the puzzle piece in place. ![](12.png) + +We are now prompted to fill out the information we want for registering this card. We enter a name, an address that is for sale online, a phone number and email. After everything is populated click the checkboxes and finally hit Activate. Note that the phone number is not verified in any way. ![](13.png) + +Our card is ready! ![](14.png) + +## **Using the Card** + +With our (digital) card in hand, it's time to actually buy something. Hostinger is a clearnet web hosting company with no explicitly stated support for signing up anonymously. All of their payment options require some information about the user and while their site supports a long list of cryptocurrencies, they somehow forgot to accept Monero. That's OK, we have a prepaid card for that. ![](15.png) + +Using the Tor Browser, navigate to **https://hostinger.com** and click on Hosting -> VPS hosting. ![](16.png) + +If prompted, verify you are human. ![](17.png) + +We will select a plan that costs less than the amount on our prepaid card. ![](18.png) + +OPTIONAL: A quick online search found a promo code. Apply it and click Continue. ![](19.png) + +It is time to create an account. Enter an email address and password. ![](20.png) + +Enter the billing details we used to create our prepaid card. Note that a phone number is not required here. ![](21.png) + +Enter the card details and click Submit payment. ![](22.png) + +## **VPS Configuration** + +We are now prompted to configure our VPS. A few quick steps are required before we can start using it. Click through to choose a location, an OS, a malware scanner, set a root password and then click Finish setup. ![](23.png) + +## **Conclusion** + +After a short setup, our VPS is ready! ![](24.png) + +Let's try to connect via [SSH over Tor](../anonaccess/index.md). + + + ~ ❯ torsocks ssh root@145.223.79.150 + The authenticity of host '145.223.79.150 (145.223.79.150)' can't be established. + ED25519 key fingerprint is SHA256:bF9YlAl82SyfCu3X911lclJ0TwywiU6qgNtKCYDdnd0. + This key is not known by any other names. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '145.223.79.150' (ED25519) to the list of known hosts. + root@145.223.79.150's password: + Linux srv636770 6.1.0-26-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@srv636770:~# + + + +And that's it ! we have managed to get access to a credit card anonymously, and we also managed to use it to get a VPS anonymously, all while maintaining our anonymity. + diff --git a/anondomain/1.png b/anondomain/1.png new file mode 100644 index 0000000..16ad75e Binary files /dev/null and b/anondomain/1.png differ diff --git a/anondomain/10.png b/anondomain/10.png new file mode 100644 index 0000000..a37cdc3 Binary files /dev/null and b/anondomain/10.png differ diff --git a/anondomain/2.png b/anondomain/2.png new file mode 100644 index 0000000..ae2f5cc Binary files /dev/null and b/anondomain/2.png differ diff --git a/anondomain/3.png b/anondomain/3.png new file mode 100644 index 0000000..5b84820 Binary files /dev/null and b/anondomain/3.png differ diff --git a/anondomain/4.png b/anondomain/4.png new file mode 100644 index 0000000..aec3faf Binary files /dev/null and b/anondomain/4.png differ diff --git a/anondomain/5.png b/anondomain/5.png new file mode 100644 index 0000000..a0d3d6f Binary files /dev/null and b/anondomain/5.png differ diff --git a/anondomain/6.png b/anondomain/6.png new file mode 100644 index 0000000..19ce281 Binary files /dev/null and b/anondomain/6.png differ diff --git a/anondomain/7.png b/anondomain/7.png new file mode 100644 index 0000000..8a1aef3 Binary files /dev/null and b/anondomain/7.png differ diff --git a/anondomain/8.png b/anondomain/8.png new file mode 100644 index 0000000..9411c86 Binary files /dev/null and b/anondomain/8.png differ diff --git a/anondomain/9.png b/anondomain/9.png new file mode 100644 index 0000000..8b19c77 Binary files /dev/null and b/anondomain/9.png differ diff --git a/anondomain/index.md b/anondomain/index.md new file mode 100644 index 0000000..5b0d248 --- /dev/null +++ b/anondomain/index.md @@ -0,0 +1,65 @@ +--- +author: nihilist +date: 2024-09-05 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/110" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to rent remote domains anonymously (Registrar resellers) + +Not many people know that it is possible to operate a clearnet website, anonymously. That can be done using a [non-KYC registrar reseller](https://kycnot.me/?t=service&q=domain), that allows you to purchase a domain using Monero. It is crucial to maintain Anonymity when you are purchasing the domain, and when you are using it, to do so you'll need to at least keep Tor in between you and the service, as we have explained [previously](../anonclearnetservices/index.md). + +![](../anonclearnetservices/0.png) + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + + + + + +In this tutorial we're going to try out nicevps.net, and as we are operating from within a Whonix VM, we'll use their onion mirror. So first we register an account there: + +![](1.png) + +Then we order a domain of our choice: + +![](2.png) ![](3.png) ![](4.png) + +For example we order the domain meduzzza.com for a yearly 15 euros, that we will obviously pay in monero as we want to maintain Anonymity: + +![](5.png) ![](6.png) + +Then once paid you can access your services from the dashboard: + +![](7.png) ![](8.png) + +And from inside the control panel, you can set the Registered Glue Name Servers as follows, that way your domain's primary and secondary domain name servers are the ones of your choice. I recommend having an [Anonymously-acquired remote VPS](../anonymousremoteserver/index.md) with a [bind9 service](../dns/index.md) on it. + +![](9.png) + +Then once set, you can check the status of the NS record propagation [dnschecker.org](https://dnschecker.org), be warned that the DNS propagation can take up to 48 hours to propagate. + +![](10.png) + +Once the NS dns record propagated, your domain should resolve anywhere in the world: + + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog-contributions] + → ping ns1.nihilism.network + PING ns1.nihilism.network (23.137.250.140) 56(84) bytes of data. + 64 bytes from mail.nihilism.network (23.137.250.140): icmp_seq=1 ttl=56 time=58.9 ms + 64 bytes from mail.nihilism.network (23.137.250.140): icmp_seq=2 ttl=56 time=55.8 ms + 64 bytes from mail.nihilism.network (23.137.250.140): icmp_seq=3 ttl=56 time=56.3 ms + + + +And that's it you can now have a public website using a domain that you acquired anonymously! + diff --git a/anonemail/0.png b/anonemail/0.png new file mode 100644 index 0000000..18ab8ef Binary files /dev/null and b/anonemail/0.png differ diff --git a/anonemail/1.png b/anonemail/1.png new file mode 100644 index 0000000..e42946d Binary files /dev/null and b/anonemail/1.png differ diff --git a/anonemail/2.png b/anonemail/2.png new file mode 100644 index 0000000..edb4f3f Binary files /dev/null and b/anonemail/2.png differ diff --git a/anonemail/3.png b/anonemail/3.png new file mode 100644 index 0000000..a8adf61 Binary files /dev/null and b/anonemail/3.png differ diff --git a/anonemail/4.png b/anonemail/4.png new file mode 100644 index 0000000..2946309 Binary files /dev/null and b/anonemail/4.png differ diff --git a/anonemail/5.png b/anonemail/5.png new file mode 100644 index 0000000..34ad2fc Binary files /dev/null and b/anonemail/5.png differ diff --git a/anonemail/6.png b/anonemail/6.png new file mode 100644 index 0000000..b36400b Binary files /dev/null and b/anonemail/6.png differ diff --git a/anonemail/7.png b/anonemail/7.png new file mode 100644 index 0000000..15b1439 Binary files /dev/null and b/anonemail/7.png differ diff --git a/anonemail/index.md b/anonemail/index.md new file mode 100644 index 0000000..318f84d --- /dev/null +++ b/anonemail/index.md @@ -0,0 +1,35 @@ +--- +author: XMRonly +date: 2024-10-16 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/26" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# How to Get an Email Account Anonymously (Emails as a Service) + +![](0.png) + + + +## **Introduction** + +Email is one of the most widely used forms of online communication, both for personal and professional interactions. With billions sent daily, you would expect email to be secure, accessible, and readable by only the intended recipient. Unfortunately, email is an old technology and this is not always the case. With metadata being visible, large email providers scanning emails, as well as potential government surveillance in some parts of the world, it is no surprise that email is hardly considered private. As such, you may want to send an email that is not tied to your real identity. In this article, we will explore how to sign up for email account anonymously. Specifically, we will explore a privacy-focused email provider, **Proton Mail** , and how to sign up using Tor without inputting any additional information whatsoever. + +## **Setup** + +Using the Tor Browser, navigate to Proton Mail's onion address to create a free account. You can find the address on their [official site](https://proton.me/blog/tor-encrypted-email). It is also posted here for convenience: +**https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/** ![](1.png) + +At the time of writing, the next page produced an error resulting in some aspects not loading correctly. No matter, we carry on. Click to select a plan as shown. ![](2.png) + +We are not interested in a paid plan, so click to continue with free. ![](3.png) + +Enter a unique username and password and click Create Account. ![](4.png) + +At this point, you will be greeted with additional verification. Proton Mail does this to prevent abuse of their services by bots and spammers. If presented with the option requiring verification by email or [SMS](https://blog.nowhere.moe/opsec/anonsms/index.md), close the browser and restart from the beginning. After maybe a handful of attempts, you will be presented with Proton's Captcha option. Slide the puzzle piece in place and click Next. ![](5.png) + +Select a display name and deny a recovery method. ![](6.png) + +## **Conclusion** + +And your new anonymous email account is ready for use! In line with practicing good [OPSEC](https://blog.nowhere.moe/opsec/opsec4levels/index.md), this account is for use exclusively over the Tor network for activities unrelated to your real identity. ![](7.png) + diff --git a/anonprotest/1.jpeg b/anonprotest/1.jpeg new file mode 100644 index 0000000..be732c1 Binary files /dev/null and b/anonprotest/1.jpeg differ diff --git a/anonprotest/2.jpeg b/anonprotest/2.jpeg new file mode 100644 index 0000000..84e1aab Binary files /dev/null and b/anonprotest/2.jpeg differ diff --git a/anonprotest/3.jpeg b/anonprotest/3.jpeg new file mode 100644 index 0000000..7e10f54 Binary files /dev/null and b/anonprotest/3.jpeg differ diff --git a/anonprotest/4.jpeg b/anonprotest/4.jpeg new file mode 100644 index 0000000..53725c1 Binary files /dev/null and b/anonprotest/4.jpeg differ diff --git a/anonprotest/eSIM/1.png b/anonprotest/eSIM/1.png new file mode 100644 index 0000000..b8cc3d1 Binary files /dev/null and b/anonprotest/eSIM/1.png differ diff --git a/anonprotest/eSIM/10.png b/anonprotest/eSIM/10.png new file mode 100644 index 0000000..53edb23 Binary files /dev/null and b/anonprotest/eSIM/10.png differ diff --git a/anonprotest/eSIM/11.png b/anonprotest/eSIM/11.png new file mode 100644 index 0000000..b6f3d04 Binary files /dev/null and b/anonprotest/eSIM/11.png differ diff --git a/anonprotest/eSIM/12.png b/anonprotest/eSIM/12.png new file mode 100644 index 0000000..c1edab2 Binary files /dev/null and b/anonprotest/eSIM/12.png differ diff --git a/anonprotest/eSIM/13.png b/anonprotest/eSIM/13.png new file mode 100644 index 0000000..d4acc4d Binary files /dev/null and b/anonprotest/eSIM/13.png differ diff --git a/anonprotest/eSIM/14.png b/anonprotest/eSIM/14.png new file mode 100644 index 0000000..8d73fd9 Binary files /dev/null and b/anonprotest/eSIM/14.png differ diff --git a/anonprotest/eSIM/2.png b/anonprotest/eSIM/2.png new file mode 100644 index 0000000..fa59a1c Binary files /dev/null and b/anonprotest/eSIM/2.png differ diff --git a/anonprotest/eSIM/3.png b/anonprotest/eSIM/3.png new file mode 100644 index 0000000..7369852 Binary files /dev/null and b/anonprotest/eSIM/3.png differ diff --git a/anonprotest/eSIM/4.png b/anonprotest/eSIM/4.png new file mode 100644 index 0000000..450d294 Binary files /dev/null and b/anonprotest/eSIM/4.png differ diff --git a/anonprotest/eSIM/5.png b/anonprotest/eSIM/5.png new file mode 100644 index 0000000..cda8768 Binary files /dev/null and b/anonprotest/eSIM/5.png differ diff --git a/anonprotest/eSIM/6.png b/anonprotest/eSIM/6.png new file mode 100644 index 0000000..6a813b2 Binary files /dev/null and b/anonprotest/eSIM/6.png differ diff --git a/anonprotest/eSIM/7.png b/anonprotest/eSIM/7.png new file mode 100644 index 0000000..ae9f1a1 Binary files /dev/null and b/anonprotest/eSIM/7.png differ diff --git a/anonprotest/eSIM/8.png b/anonprotest/eSIM/8.png new file mode 100644 index 0000000..2f5707a Binary files /dev/null and b/anonprotest/eSIM/8.png differ diff --git a/anonprotest/eSIM/9.png b/anonprotest/eSIM/9.png new file mode 100644 index 0000000..081924f Binary files /dev/null and b/anonprotest/eSIM/9.png differ diff --git a/anonprotest/index.md b/anonprotest/index.md new file mode 100644 index 0000000..b94cdc9 --- /dev/null +++ b/anonprotest/index.md @@ -0,0 +1,438 @@ +--- +author: nanoanon +date: 2024-10-10 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/32" +xmr: 88Vc2wutSzzCXdFjepFzp9ZhAW6eYCUq2iiME5H7Sdda689fcHeybfUZ3jaVPqRN5T1FK6R1dq4bsPaEPpD3RMTG1rQbU4L +--- +# How to remain Anonymous during a protest + +You just turned on your TV and saw that there is a **protest** near the white house because the government decided that end to end encryption leads to terrorism and are passing a law to ban it. You feel patriotic and know that it isn't right. **You show up to the protest without telling anyone** for a few hours and you get back home proud that you showed your support to the people. However, the police bangs your door and **arrests you for taking part in the protest**. + + + +## **Phones are tracking devices for Law Enforcement** + + + + +**Government** , **Internet Service Providers** (ISPs), **Cellular network providers** can all **find out where you are** with the help of your device emitting and receiving radio waves. These entities use various methods to track you down at **any given time**. This is called **Geofencing**. + + + + +### **Tower Triangulation** + +![](tower-triangulation.png) + +This is where multiple cellular towers are used to geometrically locate devices connecting or pinging them by measuring the strength of the connection from each tower. + +more towers present around you = more accurate location + +**Towers even at a distance of 5 miles from you can be used to triangulate your location precisely.** + +### **Wifi Triangulation** + +![](wifi-triangulation.png) + + + +Wifi routers often interact together especially when they're from the same ISP. When your device recognizes a wifi network nearby (as seen in the wifi details option of your phone) which also allows them to determine the **signal strength** of each router. + +This can be used to geometrically determine your device's location based on how strong the nearby signals are, **even when you're not connected to it.** + +**Two routers are enough to track you precisely upto a 6 feet error. You're surrounded by tens of them.** + +On Android and Apple devices, wifi can also be used to geofence you with GPS through Google or Apple Network Location Provider (NLP) service. Making it even easier to geo-locate your device. + +### **GPS/A-GPS** + +Your phone constantly searches for satellites to connect to Global Positioning System (GPS) signals. + +Both Android and Google devices use Google-SUPL service for gps queries - [supl.google.com:7275]. This **happens even if you do not connect your phone to a WiFi or Cellular data**. + +Blocking this service greatly impacts cellular data connectivity and disables location services on your device. + +(A-GPS stands for 'Assisted GPS'. It is when the SUPL GPS service works with the on-device GPS module to be even efficient in location tracking.) + +### **TLDR; Unless if your phone is powered off in a faraday bag, wherever it goes, there exists a permanent record of where a phone has been and that record is known by Law Enforcement entities.** + +## **Prevention - staying Anonymous outdoors.** + +**Reminder: Anonymity is when you are amongst a group of people, and you are indistinguishable from the other members of the group.** + +**⚠️ Read the entire article before taking any actions or steps as half-knowledge could easily land you in jail.⚠️** + +* * * + +### **Look the same** + +To minimize the risk of being identified by police or surveillence devices like CCTV, protestors including you should adopt a uniform. The best way to do this is implementing the following. + +![](sd-anons.png) + +#### + + * Wearing all black - (_long sleeve tshirts_ , pants, socks, shoes, _gloves_ , _glasses_ , and _masks_.) + + + * No jewellery - necklaces, watches, earrings, bracelets, etc. + + + * Dress up such that you're always ready for a run. + + + * Do not touch surfaces with your bare hands and leave potential fingerprints. + + + * Do not carry any weapon, signal jammer, or any such device that might get you in trouble in the court. + + + +* * * + +### **⚠️ Leave your primary personal (public use) phone ACTIVATED at YOUR home. ⚠️** + + + + +#### Taking your phone to the protest, deactivating your phone or trying to mask the location of your phone can be a good reason for Law Enforcement agencies to put you on the suspicion list. All that the law enforcement needs to prove you guilty of participating in the protest is your primary phone (affiliated to you publically) to be nearby the protest, potentially landing you in jail and big trouble, even if you went just to buy grandma's medicine. + + + + +#### Leaving your phone activated at home leaves no digital trace of you ever being affiliated with the protestors. + +#### As we have discussed the various methods that Law Enforcement agencies can track you down precisely, and there isn't much you can do to stop it, leaving your personal mobile phone, smart watch, or any other smart device at home is the best way to stay anonymous in a protest, leaving no proof that you took part in it and [denying](../deniability/index.md) that you ever left your home. + +# **How to have a phone for anonymous use?** + +### WARNING: The safest and simplest way to stay anonymous is to keep your phone at home, as explained above, for deniability, where you can claim that you stayed at home during the protest. + + + + + +### ⚠️ Proceed only if you need connectivity for communications while doing anonymous outdoor activities. ⚠️ + +WARNING: Best preferred Android ROM is GrapheneOS. If you REALLY NEED a secondary phone and it is compatible with LineageOS, you can proceed with it, but remember, you WILL NEED to make changes to the LineageOS firewall (+ block supl.google.com:7275) for it to be even close to Graphene in terms of security. + +WARNING/TIP: If you're proficient with linux and have experience using ubuntu touch, you can proceed with the same steps of setting up and precautions after you have secured its firewall. + +### **Preparation - indoors:** + + + + +#### + + * Use your main pc to flash [grapheneOS](../graphene/index.md) on a pixel phone. Only proceed if you get one. Otherwise, don't use a secondary phone at all. + + + * Get a decently reviewed _Faraday bag_ on amazon. However its recommended to buy it physically with cash or learn how to make Faraday bag [here](https://invidious.privacyredirect.com/watch?v=sQ_V9LYfiUg), [here](https://invidious.privacyredirect.com/watch?v=jfSe-xyQQzg), or [here](https://invidious.privacyredirect.com/watch?v=PYHvMXAXGE4). + +WARNING: Make sure to check wheter your faraday bag works on not at your home prior the protest by putting your or someone else's phone inside it with cellular data and gps/location enabled and trying to call/track it. + + + * After you have flashed your pixel with grapheneOS (first step), DO NOT CONNECT TO ANY WIFI OR CELLULAR NETWORK. Now switch your phone off and immediately put it in a faraday bag, making sure its completely sealed. Its is good to cover and disguise the faraday bag as a normal envelope or put it in a bag to avoid high-level suspicion. + + + * Use sites like [ Openwifimap](https://openwifimap.net) __through tor__ to pre-scan and find free open WiFi around the protest to use in a secondary phone and the place where you plan to use active internet (as shown later). + +_[WARNING: Do this only if you**NEED** to use secondary phone for the protest]. +_ + + * ⚠️ Use a Faraday bag at all times to store your secondary phone when you don't _**need**_ to use it. ⚠️ + + +Next steps (a) & (b) are for accessing internet anonymously ONLY AFTER you have completed the above steps. + + + +### **a. Accessing internet anonymously - eSIM** + +#### + + * Using [Whonix VM](../whonixqemuvms/index.md) or [Tails VM](../tailsqemuvm/index.md), via the tor browser and some [Monero](../finances/index.md) (XMR), purchase an eSIM from and note down the activation code on a piece of paper. + + + +WARNING: It is important to write the _combined activation code_ down on a piece of paper or print the QR activation code (both given by silent.link after the purchase), and not in any digital or audio format because you do not want to leave any evidence of you ever interacting with the anonymous eSIM providers and arise suspicion. + + * Write down the activation instructions below on a piece of paper. Dress up all black and go to a random place insignificant to you, get your phone out of the faraday bag, and connect to an open wifi network. There activate the eSIM as instructed below. + + + +### **How to activate eSIM** + +### Step 1 + +Navigate to your grapheneOS setting and click on "Network and Internet" + +![](eSIM/1.png) + +### Step 2 + +There you will find that the "priviledged eSIM management is disabled. This is because the google play services and google play service framework is not present by-default in graphene." + +![](eSIM/2.png) + +### Step 3 + +Navigate to your app drawer and click on "Apps" + +![](eSIM/3.png) + +### Step 4 + +Now install "Google Services Framework" and "Google Play Services" + +![](eSIM/4.png) + +### Step 5 + +Navigate back to "Network and Internet" in the settings. The eSIM managament option should be enabled now. + +![](eSIM/5.png) + +### Step 6 + +Click on the eSIM management option. Then click "Download a SIM instead." + +![](eSIM/6.png) + +### Step 7 + +Click "Next." + +![](eSIM/7.png) + +### Step 8 + +Here, either scan the printed QR code on the piece of paper. Otherwise, navigate to "Need Help?" and select the option to input the code manually. Input the _combined activation code_ from the silent site that you noted down on the piece of paper. + +![](eSIM/8.png) + +### Step 9 + +You might see different sim name downloading when you activate the sim. Its fine. + +![](eSIM/9.png) + +### Step 10 + +Navigate to "settings" after you've finished downloading the eSIM. + +![](eSIM/10.png) + +### Step 11 + +Click on the downloaded eSIM option. + +![](eSIM/11.png) + +### Step 12 + +Toggle "Use SIM" + +![](eSIM/12.png) + +### Step 13 + +Make sure to enable use for data if you want to access internet. You now have access to your private and anonymous eSIM. If you encounter any abnormal issue, using tor browser, head to [silent help](https://silent.link/faq). + +![](eSIM/13.png) + +### Step 14 + +**DO NOT FORGET TO REMOVE BOTH GOOGLE SERVICES THAT YOU DOWNLOADED EARLIER.**![](eSIM/14.png) + + + + * Make sure that while you're doing this, you're not under any security surveillence (cameras, law encorcement buildings, etc). + + + * Once you validate that the eSIM works, power the device off, and put it in the faraday back again right away. + + + +* * * + +#### ⚠️ Although eSIM method works well, you need to remember that the moment you activate it, the systems _start tower-triangulation right away_ and doing it anywhere close to your location of interest might be _potentially risky_. You also need to be careful NOT to switch it on at your own home by any chance, or you could hear the _bang on your door soon_. This is why its best to use open public wifi.⚠️ + +Leave your primary phone INDOORS and ACTIVATED while you are outdoors. + + + +### ⚠️ Remember NEVER to carry both - your personal/primary and your secondary phones at the same time. If and only if need to for critical reasons, make sure to ALWAYS keep atleast one of them in a faraday bag at all times and do NOT switch on both of them simultaneously. ⚠️ + +* * * + +### **b. Accessing internet anonymously - public wifi** + +#### + + * There are multiple advantages to use tools like [openwifimap](https://openwifimap.net) to find public WiFi cafe networks to connect to. + + + * If for some reason the app/website does not show free open WiFi around your area, you might want to go for a walk like a normal person just to grab some coffee and note down the password without any suspicious movements. + + + * Make sure to install [f-droid](https://f-droid.org/) on your grapheneOS and install [tor browser](https://blog.nowhere.moe../MobileTor/index.md) and [orbot](https://support.torproject.org/glossary/orbot/) vpn from it. Check "Setting up package managers" section of [this](../graphene/index.md) to be guided through how to install fdroid securely. + + + * Go in your grapheneOS settings and search for 'VPN' , find and select more options for orbot vpn after opening the orbot app once and giving it permission to start a VPN. Select the option to set orbot as an "Always-on VPN" and turn on "Block all connections not using this VPN". + +(or) + +Install Mullvad VPN and proceed with the same steps to block all connections not using Mullvad. + + + +### **Setting up orbot** + + +For routing internet traffic to specific servers anonymously, nothing beats tor. You can learn how to extensively do so [here](../torthroughvpn/index.md). + + + + +#### ⚠️ If tor is banned and illegal in your country, you NEED to access it through an untraceable anonymous [VPN like Mullvad](../vpn/index.md). + +#### For now, we will just set up orbot as power user (socks proxy) through which we can safely route our SimpleX chat (below) messages securely. + + + + + +#### Step 1 + +Navigate to the orbot app after you have installed from the steps above + +![](1.jpeg) + +#### Step 2 + +Go to "More" (three dots) on the bottom left of the screen + +![](4.jpeg) + +#### Step 3 + +Go to settings + +![](2.jpeg) + +#### Step 4 + +Enable "Power User mode" + +![](3.jpeg) + + + + +We will be showcasing how to use the SOCKS5 proxy you just enabled to securely relay SimpleX messages and also a guide on setting up Mullvad VPN in our future article(s). + + + +##### ⚠️ Although Mullvad is one of the very few trustable VPNs out there, we can NEVER trust a single entity so its better and free to use orbot. ⚠️ + + + + + + + + +#### Now whenever you are outdoors onto doing something sensitive, being unidentifiable with the uniform and your gear, you can take the phone out of the faraday bag, power it on and use it. + + + + + +* * * + +* * * + + + + + +## **Anonymous Communications** + + + + +#### A trusted, decentralised communication platform for discussing things about the protest is the most important thing. Despite having all the proxies and anonymization tools in your hand, if the Law Enforcement already knows about the people going to protest, they can arrest them prior the protest. + +This is why you need a secure, decentralised, end-to-end encryption based messaging platform. + + + + + + + +### **Simplex Chat** + + + + +#### For sensitive communications while outdoors, it is suggested to use [SimpleX chat with disappearing messages](https://simplex.chat/blog/20230103-simplex-chat-v4.4-disappearing-messages.html#disappearing-messages) turned on. + +You NEED to make sure to turn on disappearing messages on both ends, incase authorities get hold of your device and search for your chats. Having messages set to disappear after a said amount of time allows you to use deniability. + +We will be also showing how to use SimpleX as an all-in-one privacy messenger for all your activities in one of our future tutorials. + +# **Physical opSec** + +What you do in day-to-day life is a big part of who you are, your personality, your agenda, etc. You NEED to be aware of your physical operational security and take care of it properly. + +## **Your body language** + +sourced from [cia assessment training](https://wikileaks.org/cia-travel/secondary-screening/WikiLeaks_CIA_Assessment_on_Surviving_Secondary_Screening.pdf) papers from wikileaks. + + + + +### While interacting with people of the protest, you need to take care make sure that you + +#### + + * **Do NOT tell anyone your real name**. Create a pseudonym for every group/contact. SimpleX chat offers this feature within their app to randomly generate one using "Incognito mode" within the app. + + + * **Do NOT vocally talk about protest at home, near devices. SimpleX chat should be the _only_ place you talk about the protest**. + + + * Do NOT share personal info (address, phone number, birth year, family background) with **ANYONE**. + + + + + + + +### When going outside to safely access services like eSIM or tor, as we talked earlier, always keep in mind to + +#### + + * NOT go to a location that holds a significance to you. + + + * NOT go to a location that is near Law Enforcement premises or under surveillence (CCTV) without being sure you've not been followed and are unidentifiable. + + + * ### Put your uniform in a bag (A) and put a bag (B) in the bag (A). Go to a subway washroom/restroom and wear the uniform making sure no cameras are watching you. Make sure to now put the bag (A) in bag (B) and proceed with your work as shown in the below diagram. + +![](popsec-1.png) + + + + +### Again, keep the **secondary phone switched off** in a **faraday bag** at **all times**. Switch it on or remove it from the faraday bag STRICLY ONLY AFTER YOU HAVE DISGUISED (ONLY after reaching public washroom A). Put the phone back in before removing your disguise (BEFORE leaving public washroom B). + +![](popsec-2.png) + + + diff --git a/anonprotest/orbot config.png b/anonprotest/orbot config.png new file mode 100644 index 0000000..f9ca296 Binary files /dev/null and b/anonprotest/orbot config.png differ diff --git a/anonprotest/popsec-1.png b/anonprotest/popsec-1.png new file mode 100644 index 0000000..b2ba878 Binary files /dev/null and b/anonprotest/popsec-1.png differ diff --git a/anonprotest/popsec-2.png b/anonprotest/popsec-2.png new file mode 100644 index 0000000..a0ed76a Binary files /dev/null and b/anonprotest/popsec-2.png differ diff --git a/anonprotest/sd-anons.png b/anonprotest/sd-anons.png new file mode 100644 index 0000000..309df0b Binary files /dev/null and b/anonprotest/sd-anons.png differ diff --git a/anonprotest/tower-triangulation.png b/anonprotest/tower-triangulation.png new file mode 100644 index 0000000..3002d77 Binary files /dev/null and b/anonprotest/tower-triangulation.png differ diff --git a/anonprotest/wifi-triangulation.png b/anonprotest/wifi-triangulation.png new file mode 100644 index 0000000..fd1e1c1 Binary files /dev/null and b/anonprotest/wifi-triangulation.png differ diff --git a/anonproxy/AccessAllowed.jpg b/anonproxy/AccessAllowed.jpg new file mode 100644 index 0000000..71fb3c7 Binary files /dev/null and b/anonproxy/AccessAllowed.jpg differ diff --git a/anonproxy/AccessDenied.jpg b/anonproxy/AccessDenied.jpg new file mode 100644 index 0000000..564a443 Binary files /dev/null and b/anonproxy/AccessDenied.jpg differ diff --git a/anonproxy/CheckIP.png b/anonproxy/CheckIP.png new file mode 100644 index 0000000..fb41ca7 Binary files /dev/null and b/anonproxy/CheckIP.png differ diff --git a/anonproxy/Deposit.png b/anonproxy/Deposit.png new file mode 100644 index 0000000..12dccd6 Binary files /dev/null and b/anonproxy/Deposit.png differ diff --git a/anonproxy/FoxyProxyAdd.png b/anonproxy/FoxyProxyAdd.png new file mode 100644 index 0000000..6eb870c Binary files /dev/null and b/anonproxy/FoxyProxyAdd.png differ diff --git a/anonproxy/FoxyProxyInstall.png b/anonproxy/FoxyProxyInstall.png new file mode 100644 index 0000000..8c9a848 Binary files /dev/null and b/anonproxy/FoxyProxyInstall.png differ diff --git a/anonproxy/FoxyProxyInstall2.png b/anonproxy/FoxyProxyInstall2.png new file mode 100644 index 0000000..5808aad Binary files /dev/null and b/anonproxy/FoxyProxyInstall2.png differ diff --git a/anonproxy/FoxyProxyOptions.png b/anonproxy/FoxyProxyOptions.png new file mode 100644 index 0000000..9631f6f Binary files /dev/null and b/anonproxy/FoxyProxyOptions.png differ diff --git a/anonproxy/FoxyProxySearch.png b/anonproxy/FoxyProxySearch.png new file mode 100644 index 0000000..158847c Binary files /dev/null and b/anonproxy/FoxyProxySearch.png differ diff --git a/anonproxy/FoxyProxySearch2.png b/anonproxy/FoxyProxySearch2.png new file mode 100644 index 0000000..ded6400 Binary files /dev/null and b/anonproxy/FoxyProxySearch2.png differ diff --git a/anonproxy/InstallAddon.png b/anonproxy/InstallAddon.png new file mode 100644 index 0000000..0f8083b Binary files /dev/null and b/anonproxy/InstallAddon.png differ diff --git a/anonproxy/Proxy.png b/anonproxy/Proxy.png new file mode 100644 index 0000000..f0fd499 Binary files /dev/null and b/anonproxy/Proxy.png differ diff --git a/anonproxy/ProxyData.png b/anonproxy/ProxyData.png new file mode 100644 index 0000000..ae3e864 Binary files /dev/null and b/anonproxy/ProxyData.png differ diff --git a/anonproxy/Reg.png b/anonproxy/Reg.png new file mode 100644 index 0000000..a2008e0 Binary files /dev/null and b/anonproxy/Reg.png differ diff --git a/anonproxy/WebsiteAccessed.png b/anonproxy/WebsiteAccessed.png new file mode 100644 index 0000000..0dae096 Binary files /dev/null and b/anonproxy/WebsiteAccessed.png differ diff --git a/anonproxy/WebsiteDenied.png b/anonproxy/WebsiteDenied.png new file mode 100644 index 0000000..7ac23fa Binary files /dev/null and b/anonproxy/WebsiteDenied.png differ diff --git a/anonproxy/index.md b/anonproxy/index.md new file mode 100644 index 0000000..69a7519 --- /dev/null +++ b/anonproxy/index.md @@ -0,0 +1,117 @@ +--- +author: prism_breaker +date: null +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/268" +xmr: 87iB34vdFvNULrAjyfVAZ7jMXc8vbq9tLGMLjo6WC8N9Xo2JFaa8Vkp6dwXBt8rK12Xpz5z1rTa9jSfgyRbNNjswHKTzFVh +--- +# How to get and use residential proxies anonymously + +While Tor is a requirement to protect your anonymity online, some services refuse to be accessed anonymously, and are intentionally blocking connections coming from Tor exits nodes. These services are against your anonymity, but there are still ways to access them anonymously: + +![](AccessDenied.jpg) + +A residential proxy will reroute your access through a residential ip address, which makes your connection look like it is coming from your ISP or your mobile carrier. + +_Serverside Context:_ This setup is to be considered only in the case where the destination website also blocks your attempts at connecting there via a [(you -> Tor -> VPN -> destination)](../whentorisblocked/index.md) setup. + +![](../torthroughvpn/12.png) + +Under this setup you can access those websites that are blocking both Tor and VPN traffic, while still keeping your anonymity intact. + +![](AccessAllowed.jpg) + +Warning: This setup is not officialy supported by Tor project, it should be considered as experimental. It is still recommended to use the default setup of Whonix and Tor browser for the rest of your anonymous activities online. + +For further details on how you can combine Tor and VPNs to protect your anonymity, refer to [this tutorial](../torthroughvpn/index.md) + +Other useful reference: + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) (Or Qubes OS) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) (Or Qubes OS's Xen) + + 4. Virtual Machine:[Whonix](../whonixqemuvms/index.md) (that must be dedicated to the (you -> Tor -> residential proxy -> website) setup + + + + + + +## **Proxy Purchase** + +_Warning:_ Everything below needs to be done inside the dedicated new whonix workstation VM! + +[smspool.net](https://smspool.net/) is chosen to be the proxy provider for this demo, the author is not affiliated with this service. It is used because it is monero friendly, other service providers should work similarly. + +First you need to register: + +![](Reg.png) + +Choose "switch to hCaptcha" otherwise you might get stuck at the cloudflare verification. + +The next step is to deposit monero into the website and purchase the proxy. + +![](Deposit.png) + +When your deposit get credited, purchase the proxy. + +![](Proxy.png) + +Now your proxy is ready, check for the details inside "My Proxy" section. + +![](ProxyData.png) + +Copy your proxy ip, port, username, password. It will be used later. + +## **Browser setup** + +Due to an upstream change, the proxy setup method mentioned in whonix tutorial is not working + +One of the other methods is to use the foxyproxy addon. **However please note that installing a plugin will change the Tor browser fingerprint, so it is highly recommended you keep the rest of your anonymous activities in a separate default Whonix Workstation VM.** Use this setup only when you are in this specific serverside context. + +![](InstallAddon.png) + +Choose the "add-ons and themes" in the firefox menu and search for foxyproxy. + +![](FoxyProxySearch.png) + +![](FoxyProxySearch2.png) + +Install the plugin, pin the plugin and allow it to work in private windows. + +![](FoxyProxyInstall.png) + +![](FoxyProxyInstall2.png) + +## **Connect to Proxy** + +Finally, we will connect to the proxy we just purchased. + +First find foxyproxy in the menu bar and choose "options". + +![](FoxyProxyOptions.png) + +Add the proxy information in the "proxy" tab. + +![](FoxyProxyAdd.png) + +In this demo, the proxy is HTTP, if you use a different provider and it doesn't work, try to check the protocol. Fill all the info and save it. + +Now check the website you want to accessed, it is blocked because you are still using the Tor exit node. + +![](WebsiteDenied.png) + +Choose the proxy you just added in FoxyProxy button, and reset your Tor browser identity. + +Now access , and you should see a warning says you are not using Tor, due to having the connection originating from the residential Proxy IP, **this means that you have successfully completed the (you -> Tor -> residential proxy -> website) Setup, effectively hiding that you're using Tor from the destination website.** + +![](CheckIP.png) + +Now try the website that blocks Tor, it should work now if you did everything correctly! + +![](WebsiteAccessed.png) + diff --git a/anonsensitive/1.png b/anonsensitive/1.png new file mode 100644 index 0000000..67aeeac Binary files /dev/null and b/anonsensitive/1.png differ diff --git a/anonsensitive/5.png b/anonsensitive/5.png new file mode 100644 index 0000000..c2a032f Binary files /dev/null and b/anonsensitive/5.png differ diff --git a/anonsensitive/6.png b/anonsensitive/6.png new file mode 100644 index 0000000..020f498 Binary files /dev/null and b/anonsensitive/6.png differ diff --git a/anonsensitive/index.md b/anonsensitive/index.md new file mode 100644 index 0000000..e25322d --- /dev/null +++ b/anonsensitive/index.md @@ -0,0 +1,34 @@ +--- +author: Robert +date: 2024-06-08 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/0" +xmr: 871Hun183Cc2yXRmP4cEeUG8uiCkXfZPFQt5WVK6tCgxedWTXrpFGNTi9aRgknjYsh3jCD6iY9eyxMpGdr4xNyDNT7ZrKsK +--- +# Why isn’t Anonymity enough for Sensitive Use? + +In this post we are going to see why Anonymity is not enough for Sensitive Use, and what can be done about it. + +## **What happens when you are forced to give out your password?** + +Let’s say that Bob is using a popular online forum to leak information about a government agency’s unethical behavior. To stay anonymous, he makes sure to connect to the forum using Tor at the very minimum. He uses a burner email address to sign up to the forum and upload the sensitive files. His Anonymity during this sensitive action remains intact. + +![](1.png) + +However, there are only 10 people who could have originally had access to the leaked information, and Bob is one of those 10 potential suspects. + +The adversary makes use of key disclosure legislation to issue search warrants to all 10 people, and to get to know the contents of their personal drives. Essentially, the adversary doesn’t have anything solid against any of them, since the perpetrator’s anonymity is intact, **but some guess work is being done to try and find something incriminating anyway.** + +![](6.png) + +Here’s the problem: the adversary can just bust down Bob’s door and **force him to unlock his laptop, including every encrypted volume.** What happens then? + +![](../deniability/4.png) + +![](../de2.png) **Since Bob has no other choice but to comply when the adversary forces him to unlock his hard drives, and since he didn’t implement Deniable Encryption** , he has to show all the incriminating evidence, and therefore he can no longer deny implications with the sensitive activity. + +![](5.png) + +Bob’s setup, although suitable for Anonymous Use, is not suitable for Sensitive Use **due to the lack of Deniable Encryption** + +![](../de0.png)For instance, if Bob had implemented [VeraCrypt’s deniable encryption](../veracrypt/index.md) to store the sensitive data, **he could’ve given password A to open the decoy volume for the adversary, and could’ve claimed that there was no hidden volume. The adversary would have no way to prove otherwise.** + diff --git a/anonsimplex/11.png b/anonsimplex/11.png new file mode 100644 index 0000000..2712b2f Binary files /dev/null and b/anonsimplex/11.png differ diff --git a/anonsimplex/12.png b/anonsimplex/12.png new file mode 100644 index 0000000..8b81de2 Binary files /dev/null and b/anonsimplex/12.png differ diff --git a/anonsimplex/13.png b/anonsimplex/13.png new file mode 100644 index 0000000..fb5d5b4 Binary files /dev/null and b/anonsimplex/13.png differ diff --git a/anonsimplex/20.png b/anonsimplex/20.png new file mode 100644 index 0000000..b3792bd Binary files /dev/null and b/anonsimplex/20.png differ diff --git a/anonsimplex/21.png b/anonsimplex/21.png new file mode 100644 index 0000000..815d274 Binary files /dev/null and b/anonsimplex/21.png differ diff --git a/anonsimplex/22.png b/anonsimplex/22.png new file mode 100644 index 0000000..c4208d0 Binary files /dev/null and b/anonsimplex/22.png differ diff --git a/anonsimplex/23.png b/anonsimplex/23.png new file mode 100644 index 0000000..dbd64aa Binary files /dev/null and b/anonsimplex/23.png differ diff --git a/anonsimplex/24.png b/anonsimplex/24.png new file mode 100644 index 0000000..cb3edbe Binary files /dev/null and b/anonsimplex/24.png differ diff --git a/anonsimplex/25.png b/anonsimplex/25.png new file mode 100644 index 0000000..97d1207 Binary files /dev/null and b/anonsimplex/25.png differ diff --git a/anonsimplex/26.png b/anonsimplex/26.png new file mode 100644 index 0000000..ebfff42 Binary files /dev/null and b/anonsimplex/26.png differ diff --git a/anonsimplex/27.png b/anonsimplex/27.png new file mode 100644 index 0000000..a5f6f44 Binary files /dev/null and b/anonsimplex/27.png differ diff --git a/anonsimplex/28.png b/anonsimplex/28.png new file mode 100644 index 0000000..ffe5b7e Binary files /dev/null and b/anonsimplex/28.png differ diff --git a/anonsimplex/29.png b/anonsimplex/29.png new file mode 100644 index 0000000..5ddd877 Binary files /dev/null and b/anonsimplex/29.png differ diff --git a/anonsimplex/30.png b/anonsimplex/30.png new file mode 100644 index 0000000..2e64884 Binary files /dev/null and b/anonsimplex/30.png differ diff --git a/anonsimplex/31.png b/anonsimplex/31.png new file mode 100644 index 0000000..6034eaa Binary files /dev/null and b/anonsimplex/31.png differ diff --git a/anonsimplex/32.png b/anonsimplex/32.png new file mode 100644 index 0000000..98dbfb7 Binary files /dev/null and b/anonsimplex/32.png differ diff --git a/anonsimplex/33.png b/anonsimplex/33.png new file mode 100644 index 0000000..703158f Binary files /dev/null and b/anonsimplex/33.png differ diff --git a/anonsimplex/34.png b/anonsimplex/34.png new file mode 100644 index 0000000..4db1efd Binary files /dev/null and b/anonsimplex/34.png differ diff --git a/anonsimplex/35.png b/anonsimplex/35.png new file mode 100644 index 0000000..deb8c78 Binary files /dev/null and b/anonsimplex/35.png differ diff --git a/anonsimplex/36.png b/anonsimplex/36.png new file mode 100644 index 0000000..63bfb18 Binary files /dev/null and b/anonsimplex/36.png differ diff --git a/anonsimplex/37.png b/anonsimplex/37.png new file mode 100644 index 0000000..63c6701 Binary files /dev/null and b/anonsimplex/37.png differ diff --git a/anonsimplex/50.png b/anonsimplex/50.png new file mode 100644 index 0000000..e4020e4 Binary files /dev/null and b/anonsimplex/50.png differ diff --git a/anonsimplex/Orbot1.png b/anonsimplex/Orbot1.png new file mode 100644 index 0000000..6c02bd7 Binary files /dev/null and b/anonsimplex/Orbot1.png differ diff --git a/anonsimplex/Orbot2.png b/anonsimplex/Orbot2.png new file mode 100644 index 0000000..528c70f Binary files /dev/null and b/anonsimplex/Orbot2.png differ diff --git a/anonsimplex/Simplex1.png b/anonsimplex/Simplex1.png new file mode 100644 index 0000000..c855391 Binary files /dev/null and b/anonsimplex/Simplex1.png differ diff --git a/anonsimplex/Simplex10.png b/anonsimplex/Simplex10.png new file mode 100644 index 0000000..f926850 Binary files /dev/null and b/anonsimplex/Simplex10.png differ diff --git a/anonsimplex/Simplex11.png b/anonsimplex/Simplex11.png new file mode 100644 index 0000000..da8795f Binary files /dev/null and b/anonsimplex/Simplex11.png differ diff --git a/anonsimplex/Simplex12.png b/anonsimplex/Simplex12.png new file mode 100644 index 0000000..8f88c9c Binary files /dev/null and b/anonsimplex/Simplex12.png differ diff --git a/anonsimplex/Simplex13.png b/anonsimplex/Simplex13.png new file mode 100644 index 0000000..8a067e4 Binary files /dev/null and b/anonsimplex/Simplex13.png differ diff --git a/anonsimplex/Simplex14.png b/anonsimplex/Simplex14.png new file mode 100644 index 0000000..2cbd4a9 Binary files /dev/null and b/anonsimplex/Simplex14.png differ diff --git a/anonsimplex/Simplex2.png b/anonsimplex/Simplex2.png new file mode 100644 index 0000000..6822f5e Binary files /dev/null and b/anonsimplex/Simplex2.png differ diff --git a/anonsimplex/Simplex4.png b/anonsimplex/Simplex4.png new file mode 100644 index 0000000..621c707 Binary files /dev/null and b/anonsimplex/Simplex4.png differ diff --git a/anonsimplex/Simplex6.png b/anonsimplex/Simplex6.png new file mode 100644 index 0000000..5ac89e4 Binary files /dev/null and b/anonsimplex/Simplex6.png differ diff --git a/anonsimplex/Simplex7.png b/anonsimplex/Simplex7.png new file mode 100644 index 0000000..c7479a6 Binary files /dev/null and b/anonsimplex/Simplex7.png differ diff --git a/anonsimplex/Simplex8.png b/anonsimplex/Simplex8.png new file mode 100644 index 0000000..f76870f Binary files /dev/null and b/anonsimplex/Simplex8.png differ diff --git a/anonsimplex/Simplex9.png b/anonsimplex/Simplex9.png new file mode 100644 index 0000000..1919e87 Binary files /dev/null and b/anonsimplex/Simplex9.png differ diff --git a/anonsimplex/index.md b/anonsimplex/index.md new file mode 100644 index 0000000..2e4e19c --- /dev/null +++ b/anonsimplex/index.md @@ -0,0 +1,621 @@ +--- +author: Hoover +date: 2024-10-12 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 42yco9t6qK98N191EZzKJUCH7cit5JT8mBJQvVULEPAPeBHurbFqGj2hK7kaFhqasv8AYLpbuP15Wg5suzyjUd5SMLqabRw +--- +# Anonymity - Easy Anonymous Chats Using SimpleX (and onion-only servers) + +![](../closedsource/2.png) + +In this tutorial we're going to see how to setup a chat application for Anonymous use. This is especially important in a world where mass-surveillance is nearly-omnipresent. It has become the end users' responsibility to uphold their privacy and anonymity while communicating online. + + + +## **Choosing the most appropriate chat application** + +In order to choose the most appropriate messaging app for our intended use (Anonymity), we have the following requirements: + +_Privacy:_ + + 1. The application must be free and open source (FOSS) + + 2. The application must have End to End Encryption by default (E2EE) + + 3. The application must allow us to run and use our own servers (Decentralisation) + + + + +_Anonymity:_ + + 1. The application must support Tor .onion servers out of the box + + 2. The application must allow you to chat without requiring any information (no emails, no usernames, no phone numbers) + + 3. The application must have the ability for us to join chatrooms without revealing our identity (Incognito Mode) + + + + +_Deniability:_ + + 1. The application must have disappearing messages (Deniability) + + + + +You'd be suprised to see that as of right now (November 2024) there is only SimpleX that actually fits all of these criterias. therefore that's what we'll use for Anonymous chats. + +## _Mobile OPSEC Recommendations:_ + + 1. Hardware : Google Pixel Phone + + 2. Host OS: [GrapheneOS](../graphene/index.md) + + 3. Graphene Profile: Anonymous Use + + 4. Applications: Orbot and SimpleX + + + + +## _Desktop OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + 5. Application: Tor (if not on Whonix or Tails), and SimpleX + + + + +We will be going through how to set up your own SimpleX server through Tor, and how to configure your Android client to route your traffic through it. + +## **How to Set Up Anonymous Chats** + +### **Step 1. Option A: GNU/Linux** + +First, update your package list and install Tor by running the following commands in your terminal: + + + sudo apt update + sudo apt install tor + +Once installed, start the Tor service: + + + sudo systemctl start tor@default + +Next you'll need to download SimpleX AppImage which can be [found here on SimpleX website](https://simplex.chat/downloads/). + +Open a terminal in the directory of your downloaded AppImage. Make the AppImage executable, then launch it: + + + [ mainpc ] [ /dev/pts/26 ] [~] + → chmod +x simplex-desktop-x86_64.AppImage + + [ mainpc ] [ /dev/pts/26 ] [~] + → ./simplex-desktop-x86_64.AppImage + + + +### **Step 1. Option B: Android** + +Download and install the Orbot .apk from [the GitHub repository](https://github.com/guardianproject/orbot/releases). + +![Orbot installation screenshot](Orbot1.png) + +Open Orbot, and in the bottom-right corner, tap on **More** , then **Settings** to enter the settings. + +In the settings menu, scroll down and enable the **Power User Mode**. + +After enabling Power User Mode, go back to the More section and press **Choose apps** and select SimpleX in the list. Go back to **Connect** in the bottom navigation menu and press **Connect**. + +![](orbot.png) + +Download and install [SimpleX using F-Droid](https://f-droid.org/packages/chat.simplex.app/) + +![SimpleX installation screenshot](Simplex1.png) + +### **Step 2.** + +Navigate through the setup process, select your username, and press Create. The screenshots showcase the process for Android, but the steps are identical for Linux/GNU as well. + +![SimpleX setup screen](Simplex2.png) + +Once you've created your profile, open the kebab menu on the bottom left and open **Settings > Network and servers** and activate SOCKS Proxy. Press **SOCKS proxy settings** and set your port to 9050, then save. + +![SimpleX proxy switch](Simplex4.png) ![SimpleX proxy settings](Simplex6.png) + +### **You have now successfully configured SimpleX to use Tor!** + +## **Only using your own onion-only simplex server doesn't isolate you.** + +A common misconception that people seem to have is that you wouldnt be able to communicate with regular simplex users that don't have Tor connectivity, when you're only using your own onion-only simplex servers. **But that's not true, you're not even isolated when using onion-only servers.** This mode of thinking comes the fact that traditional federated apps (like the fediverse) don't care about serverside anonymity. But, lucky for us, the official simplex servers also allow Tor connections in between simplex servers, which makes this whole setup possible. + +![](50.png) + +In reality, thanks to Simplex's Private Routing protocol, (which is a 2 hop routing protocol), **your trusted simplex server (which is onion-only) communicates with the other party's trusted simplex server, as long as they have Tor connectivity.** And if the other peer is using the default Simplex Servers, which all have Tor connectivity, then they can still communicate to your own onion-only simplex server, which ensures that you're not isolated when you want to have a public, yet anonymous community [like the one we have at Nowhere.](http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html) + +That's what we are going for in this tutorial. We're going to setup a simplex server that is onion-only, to protect the serverside anonymity, **and we'll use our simplex client to only connect through our onion-only simplex server, and we'll create groupchats with it so that we can have our own public, yet anonymous chatroom.** + +## **Step 3. SimpleX Server Setup** + +It's important to note that in theory, it doesn't matter which SimpleX server you connect to, as all communications are end-to-end encrypted. When you connect via Tor, it further ensures that the server itself won't be able to trace your connection back to you. Your anonymity is maintained through the use of Tor, and your conversations are protected by SimpleX's encryption. + +We're going to make use of [HackLiberty's tutorial](https://forum.hackliberty.org/t/simplex-server-docker-installation-guide-smp-xftp/140) on how to install and configure a SimpleX server using Docker. + +First we're going to create the docker-compose.yml file and the .env file as follows: + + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → cat docker-compose.yml + version: '3.7' #this version is obsolete, change me + + networks: + tor-test: + driver: bridge + ipam: + config: + - subnet: 10.6.0.0/24 + gateway: 10.6.0.1 + + services: + simplex-smp-server: + image: simplexchat/smp-server:latest + container_name: simplex-smp + restart: always + user: "1000:1000" #user uid - change if necessary + ports: + - "127.0.0.1:5223:5223" #this will expose port 5223 to internet + volumes: + - ./smp/config:/etc/opt/simplex:Z + - ./smp/logs:/var/opt/simplex:Z + environment: + - ADDR=${SIMPLEX_ADDR} + # - PASS=${SIMPLEX_PASSWORD} #for non public servers + networks: + tor-test: + ipv4_address: 10.6.0.5 + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + + simplex-xftp-server: + image: simplexchat/xftp-server:latest + container_name: simplex-xftp + user: "1000:1000" #user uid - change if necessary + ports: + - "127.0.0.1:5233:5233" #port mapping to expose xftp to internet on port 5233 + restart: always + volumes: + - ./xftp/config:/etc/opt/simplex-xftp:Z + - ./xftp/logs:/var/opt/simplex-xftp:Z + - ./xftp/files:/srv/xftp + environment: + - ADDR=${XFTP_ADDR} + - QUOTA=150gb #change to set your own quota + networks: + tor-test: + ipv4_address: 10.6.0.6 + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + + tor: + image: osminogin/tor-simple + container_name: tor-simplex + volumes: + - ./tor-data:/var/lib/tor + - ./tor-data/torrc:/etc/tor + networks: + tor-test: + ipv4_address: 10.6.0.4 + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → cat .env + SIMPLEX_ADDR="nowhere" #If using FDQN, make sure to set DNS record + SIMPLEX_PASSWORD="dawiuhwaihyawy4129y89u0u1" + XFTP_ADDR="nowhere" #If using FDQN, make sure to set DNS record + #yes no clearnet at all + + + + + +Then we're going to create the folders as follows: + + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → mkdir -p {xftp,smp}/{config,logs} + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → tree . + . + ├── docker-compose.yml + ├── notes.txt + ├── smp + │   ├── config + │   └── logs + └── xftp + ├── config + └── logs + + 7 directories, 2 files + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → mkdir -p xftp/files + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → ls + docker-compose.yml notes.txt smp xftp + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → cd xftp + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex/xftp] + → ls + config files logs + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex/xftp] + → cd .. + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → ls + docker-compose.yml notes.txt smp xftp + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → mkdir -p tor-data/torrc + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → mkdir -p tor-data/{simplex-xftp,simplex-smp} + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → mkdir -p {xftp,smp}/{config,logs} + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → chmod 700 tor-data/simplex-xftp + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → chmod 700 tor-data/simplex-smp + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → sudo chown 100:65533 tor-data/simplex-xftp + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → sudo chown 100:65533 tor-data/simplex-smp + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → chown -R 100:65533 tor-data/ + + chmod 777 -R smp + chmod 777 -R xftp + + + +Be aware that [SimpleX's documentation]() doesn't recommend by default that the servers be anonymous, they only care about the users being anonymous, that's why they recommend these 3 lines in the torrc configuration: + + + SOCKSPort 0 + HiddenServiceNonAnonymousMode 1 + HiddenServiceSingleHopMode 1 + + + +**DO NOT USE THESE, otherwise your servers' location will be known. You need to use the following instead:** + + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → vim tor-data/torrc/torrc + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → cat tor-data/torrc/torrc + SOCKSPort 0.0.0.0:9050 + HiddenServiceDir /var/lib/tor/simplex-smp + HiddenServicePort 5223 simplex-smp:5223 + HiddenServicePort 80 simplex-smp:80 + HiddenServiceDir /var/lib/tor/simplex-xftp + HiddenServicePort 5233 simplex-xftp:5233 + + + +Then we're going to run the docker containers so that it creates the tor hostnames for both the smp and xftp services, so that we can use both in the .env file: + + + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → docker-compose up + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → tree tor-data + tor-data + ├── simplex-smp + │   ├── authorized_clients + │   ├── hostname + │   ├── hs_ed25519_public_key + │   └── hs_ed25519_secret_key + ├── simplex-xftp + │   ├── authorized_clients + │   ├── hostname + │   ├── hs_ed25519_public_key + │   └── hs_ed25519_secret_key + └── torrc + └── torrc + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → cat tor-data/simplex-smp/hostname + b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → cat tor-data/simplex-xftp/hostname + wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → vim .env + + [ Wonderland ] [ /dev/pts/15 ] [/srv/simplex] + → cat .env + SIMPLEX_ADDR="b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion" #If using FDQN, make sure to set DNS record + SIMPLEX_PASSWORD="dawiuhwaihyawy4129y89u0u1" + XFTP_ADDR="wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion" #If using FDQN, make sure to set DNS record + + + + +Then we'll save both the private keys in our keepass and then shred them: + + + #save both the private keys it in your keepass and then shred it + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → cat smp/config/ca.key + -----BEGIN PRIVATE KEY----- + REDACTED + -----END PRIVATE KEY----- + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → shred -u smp/config/ca.key + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → cat xftp/config/ca.key + -----BEGIN PRIVATE KEY----- + REDACTED + -----END PRIVATE KEY----- + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → shred -u xftp/config/ca.key + + + + +Then we edit the smp config correctly as we will NOT use the clearnet at all, the config parts regarding port 443 https are to be commented. + + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → cat smp/config/smp-server.ini | tail -n3 + #https: 443 + #cert: /etc/opt/simplex/web.crt + #key: /etc/opt/simplex/web.key + + [TRANSPORT] + # Host is only used to print server address on start. + # You can specify multiple server ports. + host: b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion + #port: 5223,443 ## we dont need 443! + port: 5223 + log_tls_errors: off + + + +Then we also configure it so that the simplex smp server goes through the docker tor daemon to connect to other servers: + + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → vim smp/config/smp-server.ini + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → cat smp/config/smp-server.ini + + [PROXY] + # Network configuration for SMP proxy client. + # `host_mode` can be 'public' (default) or 'onion'. + # It defines prefferred hostname for destination servers with multiple hostnames. + host_mode: onion + required_host_mode: off + + # The domain suffixes of the relays you operate (space-separated) to count as separate proxy statistics. + # own_server_domains: + + # SOCKS proxy port for forwarding messages to destination servers. + # You may need a separate instance of SOCKS proxy for incoming single-hop requests. + socks_proxy: 10.6.0.4:9050 + #socks_proxy: tor-simplex:9050 + + # `socks_mode` can be 'onion' for SOCKS proxy to be used for .onion destination hosts only (default) + # or 'always' to be used for all destination hosts (can be used if it is an .onion server). + socks_mode: always + + # Limit number of threads a client can spawn to process proxy commands in parrallel. + # client_concurrency: 32 + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → vim xftp/config/file-server.ini + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → cat xftp/config/file-server.ini + [STORE_LOG] + # The server uses STM memory for persistence, + # that will be lost on restart (e.g., as with redis). + # This option enables saving memory to append only log, + # and restoring it when the server is started. + # Log is compacted on start (deleted objects are removed). + enable: on + + # Expire files after the specified number of hours. + expire_files_hours: 48 + + log_stats: off + + [AUTH] + # Set new_files option to off to completely prohibit uploading new files. + # This can be useful when you want to decommission the server, but still allow downloading the existing files. + new_files: on + + # Use create_password option to enable basic auth to upload new files. + # The password should be used as part of server address in client configuration: + # xftp://fingerprint:password@host1,host2 + # The password will not be shared with file recipients, you must share it only + # with the users who you want to allow uploading files to your server. + # create_password: password to upload files (any printable ASCII characters without whitespace, '@', ':' and '/') + + # control_port_admin_password: + # control_port_user_password: + + [TRANSPORT] + # host is only used to print server address on start + host: nowhere + port: 5233 + log_tls_errors: off + # control_port: 5226 + + [FILES] + path: /srv/xftp + storage_quota: 10gb + + [INACTIVE_CLIENTS] + # TTL and interval to check inactive clients + disconnect: off + # ttl: 21600 + # check_interval: 3600 + + + +Then we simply run the docker containers again: + + + [ Wonderland ] [ /dev/pts/14 ] [/srv/simplex] + → docker-compose down ; docker-compose up -d + + Starting simplex-xftp ... done + Starting simplex-smp ... done + Starting tor-simplex ... done + + simplex-smp | Server address: smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@nowhere + simplex-xftp | Server address: xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@nowhere + + **#need to manually change the @nowhere to be the onion urls: + smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion + xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion:5233** + + + +_Sidenote:_ One important thing to note though is that you shouldn't be the only one to use your own simplex servers as if you are the only one to use that one simplex server, people may figure out that you're the same person when trying to use different profiles. This is why you should list your simplex servers publicly somewhere, either in your own community like i did [here](http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html): + +![](36.png) + +Or you can list your simplex servers on public lists like this one: + +![](37.png) + +Optional but recommended: Since you are using docker containers, you can easily automate keeping them updated with a simple cronjob: + + + [ Wonderland ] [ /dev/pts/4 ] [~] + → crontab -e + + #daily simplex containers update + 0 0 * * * docker-compose -f /srv/simplex/docker-compose.yml pull ; docker-compose -f /srv/simplex/docker-compose.yml down; docker-compose -f /srv/simplex/docker-compose.yml up -d + + + +Once that's done, we can go ahead and add the servers in our simplex client: + +## **Step 4: Configure SimpleX To Use Your Server** + +Now from our simplex client we need to make sure that we are using our own simplex servers, which have the following URL: + + + SMP server: + smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion + + XFTP server: + xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion:5233 + + + +` ![](20.png) ![](21.png) ![](22.png) ![](23.png) ![](24.png) ![](25.png) ![](26.png) ![](27.png) + +And now that our simplex client is ONLY using our onion-only simplex servers, we can create our own chatrooms: + +## **How to Create Chatrooms in Incognito mode** + +Now that we are using our own simplex servers, we can create a chatrooms in incognito mode (meaning that our username will simply be a random noun and adjective): + +![](28.png) ![](29.png) ![](30.png) + +Enter a name for your group. You can also add a photo for the group. + +Tick the **Incognito** option. Doing this ensures your profile name and image is hidden from your group members and allows for anonymous connections with other people without shared data. Once you have filled out the necessary information, press **Create group**. + +![](31.png) + +as noted above, since you are only using tor-only simplex servers, **this means that you are forcing the users to use Tor to be able to join your invite links.** Here's what the invite link looks like: + + + https://simplex.chat/contact#/?v=2-7&smp;=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40**b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion** %2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data;=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D + + + +as you can see the default invite link looks like that, and as you can see the onion server address appears in the link, which is the reason why if the user that wants to join doesnt have tor connectivity, he won't be able to join. If you don't want to use any of simplex's servers, you can simply replace the **https://simplex.chat/** at the beginning with your simplex smp server onion url as follows: + + + **http://b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion/** contact#/?v=2-7&smp;=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data;=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D + + + +` ![](35.png) + +If you want to not contact any simplex server to be able to view the invite link, you can simply replace the server address to **simplex:/** , which will transform the link as follows: + + + **simplex:/** contact#/?v=2-7&smp;=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data;=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D + + + +## **How to Join Chatrooms in Incognito mode** + +If you have received an invite to a SimpleX chatroom, you can join it by pressing the input field at the bottom of the screen labeled **Search or paste SimpleX link**. + +Paste your invite link into the input field and press **Enter**. + +![](32.png) + +You will be met with a window asking wheter you'd like to connect using your current profile or using an Incognito profile. + +Select **Use new incognito profile**. + +This is because we don't want to reveal what our simplex username is, we just want to join the chatroom using a random username that is not tied to our identity. + +![](33.png) + +And there as you can see, everyone that joins in in incognito gets a random pseudonym with the format "Random Adjective Random Word" effectively helping the users maintain their anonymity while in the chat. + +![](34.png) + +## **Conclusion** + +By following this tutorial, you've set up a secure, anonymous chat system using SimpleX and Tor. You've learned how to install Orbot, configure SimpleX servers with `.onion` addresses, create incognito chatrooms, and join them anonymously. This setup ensures that your private conversations remain secure and untraceable. + +### **What You've Accomplished** + +- Installed Orbot and routed traffic through the Tor network. +- Configured SimpleX servers to use `.onion` addresses. +- Created and joined anonymous chatrooms in incognito mode. + diff --git a/anonsimplex/orbot.png b/anonsimplex/orbot.png new file mode 100644 index 0000000..92a2a91 Binary files /dev/null and b/anonsimplex/orbot.png differ diff --git a/anonsms/index.md b/anonsms/index.md new file mode 100644 index 0000000..cc1f1a5 --- /dev/null +++ b/anonsms/index.md @@ -0,0 +1,44 @@ +--- +author: XMRonly +date: 2024-10-13 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/27" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# How to Receive Anonymous SMSes (Remote SMSes as a Service) + +![](sms0.png) + + + +## **Introduction** + +Many services ask for your phone number when signing up to perform SMS verification. This is undesirable for many reasons, including the possible sharing of your information with third parties, exposure during data leaks, and correlating social demographics for further surveillance. To get around this we need a way to receive SMS messages anonymous in order to sign up for our desired services. While you may get lucky and be able to get around the phone number requirement with various free online services that receive SMSes, it is generally not a reliable solution because many of the phone numbers provided are already taken, blocked or incompatible due to their VoIP infrastructure. In this article we will explore **SMSpool: a cheap, non-KYC, non-VoIP phone service provider that accepts crypto payments.** Specifically, we will explore how to receive a one-time SMS code to sign up for a Telegram account anonymously. + +## **Setup** + +Using the Tor browser, navigate to smspool.net. You may be automatically redirected to an onion address: ![](sms1.png) + +Register a unique username and password. Accept the Terms & Conditions, verify you are human and click Register. Then simply log in. ![](sms2.png) + +We will need to get a sense of prices to know how much this is going to cost. On the left sidebar, click on Order and select your desired country and service. We'll go with a United Kingdom phone number for Telegram. Scroll down and click on Advanced view to see more detailed information. Scroll down some more and find a Pool that has stock listed. In this case, the Mike Pool has plenty of stock and a listed price of $0.81. We will need to deposit this amount of XMR into our account. Note: the listed success rate is not very reliable and while 30% may seem low, there is actually no penalty for failed attempts since orders purchased that do not receive an SMS in the allotted timeframe are automatically refunded. ![](sms3.png) + +The next step is funding your account. On the left panel, click on Deposit. Select Cryptocurrency, leave your country set to Other, and finally select XMR. SMSpool will output a newly generated XMR address which you can use to fund your account either by copy/pasta or by scanning the QR code. ![](sms4.png) + +Using DuckDuckGo, we calculate $0.81 to be 0.00532927 XMR. We populate the required fields in our Monero Wallet and send the transaction, leaving the default transaction priority. Once the transaction is sent and has received around 10 on-chain confirmations, you will receive a notification on SMSpool that your funds are received. ![](sms5.png) + +With your account funded, it's time to purchase a one-time-use SMS verification. Proceed in the same way you did when checking prices and click Purchase on the Mike Pool option under the Advanced view. + + 1. You will now see a phone number generated onscreen under the Pending SMS section + 2. Enter this number in your phone Telegram app + 3. Proceed to the next screen on Telegram + 4. You should now receive an SMS code in the Pending SMS section on SMSpool + 5. Enter the SMS code into Telegram + + + +![](sms6.png) + +## **Conclusion** + +Simply complete the remaining steps onscreen and voilà! If prompted for an email address, alias addresses from SimpleLogin will do the trick despite the onscreen warning from SMSpool about disposable email addresses not working. SMSpool doesn't reuse phone numbers for the same service so the number you purchased for Telegram will not be resold to anyone else signing up for Telegram. They also do not rotate phone numbers after a period of time has passed. However, it is possible that upstream carriers may recycle numbers after some 6 months and this is something that SMSpool does not have control over. [Sauce](https://files.catbox.moe/i9xqzc.png) ![](sms7.png) + diff --git a/anonsms/sms0.png b/anonsms/sms0.png new file mode 100644 index 0000000..8a2aead Binary files /dev/null and b/anonsms/sms0.png differ diff --git a/anonsms/sms1.png b/anonsms/sms1.png new file mode 100644 index 0000000..0f7e5cd Binary files /dev/null and b/anonsms/sms1.png differ diff --git a/anonsms/sms2.png b/anonsms/sms2.png new file mode 100644 index 0000000..940bde2 Binary files /dev/null and b/anonsms/sms2.png differ diff --git a/anonsms/sms3.png b/anonsms/sms3.png new file mode 100644 index 0000000..7ff2ad7 Binary files /dev/null and b/anonsms/sms3.png differ diff --git a/anonsms/sms4.png b/anonsms/sms4.png new file mode 100644 index 0000000..846dc1c Binary files /dev/null and b/anonsms/sms4.png differ diff --git a/anonsms/sms5.png b/anonsms/sms5.png new file mode 100644 index 0000000..b32d6d8 Binary files /dev/null and b/anonsms/sms5.png differ diff --git a/anonsms/sms6.png b/anonsms/sms6.png new file mode 100644 index 0000000..9f47fb2 Binary files /dev/null and b/anonsms/sms6.png differ diff --git a/anonsms/sms7.png b/anonsms/sms7.png new file mode 100644 index 0000000..e196921 Binary files /dev/null and b/anonsms/sms7.png differ diff --git a/anonuse/1.png b/anonuse/1.png new file mode 100644 index 0000000..f234389 Binary files /dev/null and b/anonuse/1.png differ diff --git a/anonuse/2.png b/anonuse/2.png new file mode 100644 index 0000000..3c14a9b Binary files /dev/null and b/anonuse/2.png differ diff --git a/anonuse/3.png b/anonuse/3.png new file mode 100644 index 0000000..1582904 Binary files /dev/null and b/anonuse/3.png differ diff --git a/anonuse/index.md b/anonuse/index.md new file mode 100644 index 0000000..c3aa4be --- /dev/null +++ b/anonuse/index.md @@ -0,0 +1,34 @@ +--- +author: nihilist +date: 2024-08-14 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/87" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why isn’t Privacy enough for Anonymous Use? + +In this post we are going to see why Privacy is not enough for Anonymous Use, and what can be done about it. + + + +## **Why isn’t privacy with a VPN enough?** + +Bob is using an open-source browser and a VPN to access a website (in our example youtube), but then he starts thinking that it's enough to start to use that website anonymously, even though they don't allow it. **He starts to sign up and mentions a false name and address when creating an account. which infuriates the Youtube employee:** + +![](3.png) + +Bob's current setup is suitable for Private use as he is using [open source software](../closedsource/index.md), and a [VPN](../vpn/index.md), **But is it suitable for Anonymous use too ?** + +When you think about it, currently He is anonymous, as he hides his real IP from the destination website, and he didn't deanonymize himself through his actions while on the website. **The problem is how expensive is it to deanonymize Bob ?** + +To answer that, let's take the example of a Youtube employee being infuriated that Bob dared to lie about his personal information, and the employee decides to call some corrupt police agents (yes they have very close ties to the authorities) to do their bidding in order **to scare the VPN provider into revealing the real IP of whoever connected as Charlie Chaplin on youtube.com** , around the time where Bob signed up, in order to deanonymize Bob. + +![](2.png) + +The end result is that the VPN provider has to give the data they have to the authorities, ([which only works if they keep logs!](https://www.pcmag.com/news/mullvad-vpn-hit-with-search-warrant-in-attempted-police-raid)) and reveal Bob's Identity, and that only cost a few pennies to the adversary (here the youtube employee) to deanonymize Bob. + +_Conclusion:_ Bob's setup is not suitable for Anonymous use, **because it is inexpensive for an adversary to deanonymize him.** + +This situation would have been avoided had Bob used [Tor](../anonymityexplained/index.md), **which makes deanonymization attacks as expensive as possible.** + +![](../torvsvpns/5.png) + diff --git a/anonymity.png b/anonymity.png new file mode 100644 index 0000000..4022a28 Binary files /dev/null and b/anonymity.png differ diff --git a/anonymityexplained/1.png b/anonymityexplained/1.png new file mode 100644 index 0000000..89ae4a1 Binary files /dev/null and b/anonymityexplained/1.png differ diff --git a/anonymityexplained/10.png b/anonymityexplained/10.png new file mode 100644 index 0000000..3caa2fc Binary files /dev/null and b/anonymityexplained/10.png differ diff --git a/anonymityexplained/11.png b/anonymityexplained/11.png new file mode 100644 index 0000000..f2ac4e7 Binary files /dev/null and b/anonymityexplained/11.png differ diff --git a/anonymityexplained/12.png b/anonymityexplained/12.png new file mode 100644 index 0000000..1f81b70 Binary files /dev/null and b/anonymityexplained/12.png differ diff --git a/anonymityexplained/2.png b/anonymityexplained/2.png new file mode 100644 index 0000000..cd26ae2 Binary files /dev/null and b/anonymityexplained/2.png differ diff --git a/anonymityexplained/3.png b/anonymityexplained/3.png new file mode 100644 index 0000000..0dd2fbc Binary files /dev/null and b/anonymityexplained/3.png differ diff --git a/anonymityexplained/4.png b/anonymityexplained/4.png new file mode 100644 index 0000000..4487034 Binary files /dev/null and b/anonymityexplained/4.png differ diff --git a/anonymityexplained/5.png b/anonymityexplained/5.png new file mode 100644 index 0000000..0c90c30 Binary files /dev/null and b/anonymityexplained/5.png differ diff --git a/anonymityexplained/6.png b/anonymityexplained/6.png new file mode 100644 index 0000000..68eb88a Binary files /dev/null and b/anonymityexplained/6.png differ diff --git a/anonymityexplained/7.png b/anonymityexplained/7.png new file mode 100644 index 0000000..1048cc8 Binary files /dev/null and b/anonymityexplained/7.png differ diff --git a/anonymityexplained/8.png b/anonymityexplained/8.png new file mode 100644 index 0000000..3c68daf Binary files /dev/null and b/anonymityexplained/8.png differ diff --git a/anonymityexplained/9.png b/anonymityexplained/9.png new file mode 100644 index 0000000..697234f Binary files /dev/null and b/anonymityexplained/9.png differ diff --git a/anonymityexplained/index.md b/anonymityexplained/index.md new file mode 100644 index 0000000..ba41e4e --- /dev/null +++ b/anonymityexplained/index.md @@ -0,0 +1,274 @@ +--- +author: nihilist +date: 2025-03-15 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/86" +xmr: 83geT3KQZGthZ99r1z72t58TFztdDHGHjgnCB3jvniV8FC1bcYf6HriDnSpnt2SZXzcBByNCcjRHiPmtNu5G8CuNG9mfDyY +--- +# What is Anonymity ? Why is it Important ? + + + +## **What is Anonymity ?** + +Anonymity is the absence of Identification (or Onymity), **it is when individuals are indistinguishable from each other, they all look the same.** + +![](../aps/anonymity.png) + +In short, **Anonymity means you are not identified.** In this example, Someone hid their identity, and is talking to Alice. That someone is anonymous until Jack can figure out who that person is. + +Anonymity is extremely fragile when that Someone is not implementing strict [OPSEC](../opsec/index.md) practices, relating to: + + 1. _Using the correct Technology_ : (What is that Someone using, to protect their Anonymity ? (A mask, a Coat, a mask / the Tor network, i2p, etc)) + + 2. _Using the correct Behavior_ : (By that Someone's actions, they are not revealing who they are. (They are not saying they are Walter Hartwell White living at XYZ) + + + + +_DISCLAIMER:_ That Someone remains Anonymous **UNTIL THEY MAKE ONE OPSEC MISTAKE !** + +Keep in mind that maintaining Anonymity is a much stricter practice than that of maintaining Privacy, as you will see, more threat vectors come into the picture. + +## **Anonymous Amongst Who ? What are the odds ?** + +**The strength of your Anonymity is measured by the odds of finding you amongst a group of people.** + +![](../logos/on0.png) \- Anonymity + +let's say your Anonymity is Perfect and you are simply **"one human being in the world"** , the adversary currently has a chance of **1 out of 8 billion** to guess that it is you. He'd do better to try and play the lottery than to try and guess that it's you. + +![](3.png) + +Now let's say the adversary knows that you live in France what are the odds now ? + +![](4.png) + +**If the adversary knows you live in France** , the odds have been significantly reduced from 1 out of 8 billion to **1 out of 65 million** , but still that's not enough to accurately pinpoint you, the probability of the adversary figuring out who you are is still very low. + +![](../logos/on1.png) \- Pseudonymity + +But now let's say that the adversary knows more than that, let's suppose that **the adversary knows that you have a masters in cybersecurity, and that you work a general IT job in France, for a software company.** Now the odds have shrinked further, especially if the adversary is able to combine multiple sources of data to try and profile you. + +![](5.png) + +Let's say you are trying to chat on [SimpleX](../anonsimplex/index.md) while the adversary is in the chat with you, and he sees that you have a [gorillaz profile picture](https://www.youtube.com/watch?v=S03T47hapAc), call yourself Nihilist, and talk about Opsec all the time. If the adversary is good at profiling you over time, he could have already shrinked down the odds to **1 out of 10 thousand** people. Here we're talking about a drastically reduced anonymity, **which we can consider to be pseudonymity.** but that is still not enough to know who you are IRL. + +![](../logos/on2.png) \- Onymity + +But you need to be aware that even the tiniest opsec mistake can reduce the odds of your anonymity to **1 out of 1** , where you are effectively deanonymized. For instance let's say you are in this [SimpleX chatroom ](https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FWdXMbz3Yq9baXgQVKy2EppUm0NCcYluM%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAtVlfehjn5VhPIhDI_ses2kw3itcjMpLMvLlUFejMNlU%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22gUgzlCwi97y1rHaezDZcLg%3D%3D%22%7D), and let's say you are sending a picture of your own [limited edition MoneroChan fumo plushie](https://monerosupplies.com/product/monerochan-plush/): + +![](6.png) + +Now the thing is, **there are only 100 of those plushies** out there, if the adversary is the seller of those monerochan plushies, your anonymity odds has been reduced to **1 out of 100** , that's because he knows to whom he sent those 100 plushies, meaning he now only has a group of 100 people to guess who you are from. But upon closer exception it is worse than you may think: + +![](7.png) + +If you look closer at the image the "Certificate of authenticity" says that **it is the 41st plushie amongst the 100 that exist**. Therefore if the adversary is the plushie seller, **your anonymity odds have been reduced 1 out of 1 as he knows to whom he sent the 41st plushie.** Meaning that you just deanonymized yourself for that particular adversary. + +You get the idea, if you want to remain Anonymous, you need to always ask yourself **"how many people could send that?"** , _if you were to send that picture i sent above, you'd realize that this is a bad idea_. The same concept applies as if you were to say what is your real IRL name, your phone number, your home address, your home public IP address, etc. **Do not give bullets to an adversary, as he will use everything you give him to shoot you.** + +The least info you send about yourself, what you like, what you dislike, where you live, where you work, what's your past, the better, as otherwise it will be exponentially easier for an adversary to narrow down the possibilities of who you could be, amongst a given group of people. + +A question arises, how can we quantify how anonymous we are? When there are adversaries after you and important things to protect, this is a very important issue to consider because, **if you can't measure anonymity or the weight of your decisions, how can you tell when you make large mistakes or can improve?** + +We are going to use simple **Information Theory** for this, a field that deals with everything related to information and gives us a framework. By using "bits" to quantify information, we will have a way to calculate impact. + +## **Anonymity and Information** + +In Information Theory, a "bit" is defined as **any information that reduces the space of possibilities by a factor of 2.** This definition may seem weird so an example helps display it clearly. + +Imagine I am a detective and I know one out of 16 suspects is the culprit. Assume there are 8 men and 8 women. + +Now, checking security cameras, I learn it was 100% a male by the figure size. With this piece of information, I can rule out the 8 women as suspects, leaving me with only 8 remaining suspects (the men). + +With that information, my suspects went from 16 —> 8, **it halved.** Therefore, the information that the culprit was male is **1 bit.** + +![](8.png) + +This is a powerful concept since it allows us to **quantify the value and impact of any information and combine them.** + +Let's make this clearer: + +You can be fully deanonymized with just ~33 bits of information since log2(8 billion) ≈ 33. If you half a group of 8 billion things 33 times, you will always be left with 1 singular item, which in this case would be your real identity. + +So in a game of anonymity, **your goal is to minimize the amount of bits you leak and your adversary's goal is to get as many bits as possible until they can brute force your true identity.** + +(Note that it is impossible to leak 0 bits of information. This will be shown later, but you will always be interacting: your computer will be connected to a network which uses TCP/IP for packet routing which travels through underground cables, and so on, so information transfer will occur.) + +### Adversaries + + + + +Before we can get into specifics of our framework, we have to understand adversaries. They are **entities (individuals, companies, states) who are trying to deanonymize you.** + +Our threat model and approach depends on the resources of the adversary. + +If your home (ISP) IP address is leaked, some guy on the internet may know what city you live in based on IP geolocation. Thats roughly, assuming a city population of 30,000, log2(8 billion/30000) ≈ 21.2 bits of information. A lot, yes, but as a regular person, it will be mostly infeasible to search the city for your identity, unless he had more information. + +However, let's say your adversary is a Nation State. They will simply subpoena the ISP who owns the IP address, obtaining your name, address, and payment details, all 33 bits collected. **When dealing with more resourceful adversaries, they are able to extract more with what they learn.** + +![](9.png) + + +As displayed in the diagram, strong adversaries have more opportunity and gain with the same information. + +Motives also vary between adversaries. Google, who let's say has been watching your search history and browser info, learns that you are in New York City, in your 20s, male, skii, and love cats. There will be very few people who meet this whole criteria, but Google obtains this information for advertisement targeting. + +### Information Leakage + + + + +Now that we understand information, let's briefly look at how we leak information and how identifiable it is. + +_Activity Schedules:_ Over a long enough time period, any form of activity such as forum posts, account logins, tweets, and git commit will fall into a specific time zone. Depending on your location this can leak **roughly ~6-6.5 bits of information.** +_Network/Browser:_ You will still be connecting to the internet and several parties (ISP, VPN, Website) get various fingerprintable info. This can leak **anywhere from ~2-10+ bits of information.** +_Words:_ Your speech topics and patterns can provide insight into your age, interests, race, and professsion, leaking **anywhere from ~2-20+ bits of information.** + +Without going into detail, your physical attributes, username, gait, and many other things leak information. However, the true power that the adversary has is **the combination of information.** They collect as many bits as possible since they can be **added together,** as mentioned previously. + +Think of your adversary drawing circles to encompass each piece of information they have. Even from huge sample sizes, just ~16 bits narrows you down to a few thousand people extremely fast and when the adversary is a state, they can likely bruteforce to figure out the last few bits in that group. + +![](10.png) + + + +As showcased before with the plushie, OPSEC failures often occur with drastic leakage of bits. Most information, even if not identifiable and simple, is highly usable and a single leak of something that contains 10+ bits of information could be enough. A few examples: + +\- Mentioning that you were close to an real world event, narrowing you to a part of a country. (8+ bits) +\- Giving clues to your ethnicity/languages AND real world location. (12+ bits) +\- Logging into a personal account at the same time as an anonymous forum account with the same IP. (20+ bits). + +**Seemingly mundane information transfer is highly compromising when put together.** + +So if we are constantly leaking information, what can we do? + +## **Anonymity in Practice** + + +There are two ways to maintain anonymity with bit leakage in mind: **Being in opaque, identical groups and misdirection.** + +### Identical Groups + + + + +One of the core ideas of anonymity, as mentioned earlier, is that everyone should appear the exact same. But why? + +We can see that the thing that makes bit leakage very dangerous is the combination of them. If an adversary figures out three details about you, even if they are found independently and are vague, when put together, the group size becomes incredibly small. Now, can we stop them from combining the information? + +This is where the idea of being in **identical groups** comes in. + +For an adversary to reliably combine informational bits, the groups (circles in the diagram) have to be transparent. For example, if an adversary knows that you are male and in Germany, then they can put those together without problem since [Male in Germany] is **distinct.** + +Now let's say instead your adversary knows you use [TOR](../torvsvpns/index.md) and live in Germany. Independently, these are ~12 bits and ~6.6 bits of information. But there's an issue for the adversary. The group of TOR users is opaque, **every single one looks the same.** You cannot distinguish a German TOR user from a TOR user, **therefore these two pieces of information cannot be combined.** + +Let's look at this in our previous circle view: + +![](11.png) + +![](12.png) + + +In the left image, although there are 4 groups, everyone person inside of a group looks the same. Overlapping regions can't be seen or analyzed and information can't be combined. **The only thing an adversary can know is that you are somewhere in each of the circles independently.** + +However, in the right image, the groups are transparent and people are distinct. You can see the people in each overlapping and, with the combined information that you are part of all four groups, they can easily deanonymize you in the very small overlapping. + +So, by using tools ([TOR](../torvsvpns/index.md) , [XMR](../finances/index.md), etc) where every user is identical and non-identifiable, we are not only minimizing bit leakage but also **making most leaked bits unusable** , significantly decreasing deanonymization risk. + +It's recommended to be of roughly aware of how many bits you have leaked in an anonymous persona in order to maintain anonymity. We can take advantage of bit leakage by providing **false information which may mislead an adversary.** + +To change things like speech, you can use [local LLMs](../stylometry/index.md) and perhaps give fake data about location, skillset, and other idenifiable information. If an adversary combines the incorrect bits with real information, they may be looking for you in a completely wrong group/area. + +**Awareness** is crucial: **knowing what your adversary might know, actively minimizing bit leakage, and staying in identical, non-identifiable groups** are all important. + +## **The Enemies of Anonymity: Surveillance, KYC procedures and Centralisation** + +![](../su2.png) The first the and foremost enemy of Anonymity is Surveillance of any kind. **Privacy is a REQUIREMENT if you want Anonymity**. + + + Example: + + Jack is surveilling Bob 24/7. He sees that Bob purchases a mask and a coat, He sees that Bob wears the mask to then go outside to do something sketchy. + + Conclusion: + + Because Bob did not have Privacy from Jack in the first place, Bob cannot have Anonymity either. + + + +Surveillance CANNOT be tolerated when you want Anonymity. So before you try to learn to be anonymous online, learn why and how to get Privacy online [here](../privacy/index.md). + +![](../on2.png)The other major enemy of Anonymity is **Know Your Customer (KYC) Procedures** , these are ways for services to force their customers to identify themselves, wether they like it or not. + + + Example: + + Jack owns an online service (such as a centralised crypto exchange), he accumulated a large userbase over the years, over 1000 active users. The government where Jack operates is ramping up their financial regulations on businesses, and now Jack is being forced to identify all of it's users using standard KYC procedures + + Bob (an user on the website) that was anonymous up until that point, is now forced to do the following if he wants to keep using the platform: + 1) state his real life name + 2) his date of birth + 3) his home address + 4) send photos of his identity card + 5) send photos of his face (facial left, front and right sides) + + Conclusion: + + Jack is either forced to identify his users or go out of business + Bob is either forced to identify himself or stop using the service + + All of it because the government intends to destroy Bob's right to remain Anonymous online. + + + +![](../ce2.png) But the root cause of surveillance and KYC procedures, is that **every centralised entity (any public or private business) will be eventually forced to comply to their government's requests** , at the expense of their users. + +**There are only 2 possible long-term outcomes for Centralisation** : ** + + 1. Act as a governmental proxy to enforce regulations/agendas, at the expense of users' rights + + 2. Or be forced out of business altogether. + + +![](1.png) + +To be able to achieve Anonymity, you need Privacy, and at least some level of Decentralisation (in the case of anonymization networks like Tor for instance), as we will see in our next tutorials. + +## **Why is Anonymity Important ?** + +In a way, Anonymity is an improvement over Privacy. In the sense that Privacy is about being about to seclude yourself or information about yourself. **Anonymity is the logical next step to Privacy,** Where you not only just conceal what your actions are, **but also who you are.** + +Depending on the context, especially if you are living in a dictatorship, **Anonymity is vital for you to act freely, out of the grasp of adversaries.** + +As we have discussed [previously](../governments/index.md), for a government's laws to be respected, **they need to be enforced.** + +![](../governments/3.png) + +And for the laws to be enforced, governments need: + + 1. To know what happened (lack of ![](../su0.png)Privacy, using ![](../su2.png)Surveillance ) + + 2. To know who did it (lack of ![](../on0.png)Anonymity, using ![](../on2.png)KYC procedures ) + + + + +Governmental control as a concept itself rests upon these fundamental 2 pillars, the detriment of the individual's Privacy, and Anonymity. + +In order to regain the control you lost to dictatorships, you first need Privacy, and then you need Anonymity. + +Most governments want to control the public opinion through opression and censorship, **Journalism is one of the most demanding sectors in terms of Anonymity,** especially in authoritarian/dictatorship governments where censorship is omnipresent, for them, very sadly, Anonymity is the difference-maker between life and death in those areas of the world. + +**Anonymity is the only way to act safely when you are living under a tyrannical government** that can throw you in jail for no reason whatsoever (look at the conviction rates, [especially in US Federal courts](https://www.pewresearch.org/short-reads/2023/06/14/fewer-than-1-of-defendants-in-federal-criminal-cases-were-acquitted-in-2022/) with their Plea deals).** + +![](2.png) + +For instance, the [Freedom of the Press index](https://rsf.org/en/index) is a great indicator to tell if you are living in a country that employs censorship as a means to control the population or not. Make no mistake, Governments are often ready to murder journalists to protect their public image, like in Mexico: [[1]](https://iv.nowhere.moe/watch?v=KfTZKtA3aWk) [[2]](https://iv.nowhere.moe/watch?v=xlLXkZlJBbA). + +Essentially, **the idea is to reduce your attack surface as much as possible,** given the context of near-omnipresent surveillance, **Privacy has it's limits, and Anonymity very often becomes the only way out of opression.** If noone knows who did something, there can't be any repercussions for the perpetrating party. + +In a way, Anonymity is superior to Privacy because **whatever happened may have been hidden thanks to Privacy, but it may be discovered at a later point in time.** Anonymity on the other hand, if maintained, **remains a permanent way to act without any repercussions.** + + diff --git a/anonymitymetadata/1.png b/anonymitymetadata/1.png new file mode 100644 index 0000000..6ed4712 Binary files /dev/null and b/anonymitymetadata/1.png differ diff --git a/anonymitymetadata/10.png b/anonymitymetadata/10.png new file mode 100644 index 0000000..35c2796 Binary files /dev/null and b/anonymitymetadata/10.png differ diff --git a/anonymitymetadata/2.png b/anonymitymetadata/2.png new file mode 100644 index 0000000..7d76f9a Binary files /dev/null and b/anonymitymetadata/2.png differ diff --git a/anonymitymetadata/3.png b/anonymitymetadata/3.png new file mode 100644 index 0000000..2c94f72 Binary files /dev/null and b/anonymitymetadata/3.png differ diff --git a/anonymitymetadata/4.png b/anonymitymetadata/4.png new file mode 100644 index 0000000..82afd7a Binary files /dev/null and b/anonymitymetadata/4.png differ diff --git a/anonymitymetadata/5.png b/anonymitymetadata/5.png new file mode 100644 index 0000000..3a79794 Binary files /dev/null and b/anonymitymetadata/5.png differ diff --git a/anonymitymetadata/6.png b/anonymitymetadata/6.png new file mode 100644 index 0000000..9ce0d49 Binary files /dev/null and b/anonymitymetadata/6.png differ diff --git a/anonymitymetadata/7.png b/anonymitymetadata/7.png new file mode 100644 index 0000000..18daae6 Binary files /dev/null and b/anonymitymetadata/7.png differ diff --git a/anonymitymetadata/8.png b/anonymitymetadata/8.png new file mode 100644 index 0000000..21f0f11 Binary files /dev/null and b/anonymitymetadata/8.png differ diff --git a/anonymitymetadata/9.png b/anonymitymetadata/9.png new file mode 100644 index 0000000..1f5e9d2 Binary files /dev/null and b/anonymitymetadata/9.png differ diff --git a/anonymitymetadata/index.md b/anonymitymetadata/index.md new file mode 100644 index 0000000..d28fa89 --- /dev/null +++ b/anonymitymetadata/index.md @@ -0,0 +1,383 @@ +--- +author: zl +date: 2025-03-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/237" +xmr: 83geT3KQZGthZ99r1z72t58TFztdDHGHjgnCB3jvniV8FC1bcYf6HriDnSpnt2SZXzcBByNCcjRHiPmtNu5G8CuNG9mfDyY +--- +# Why is Metadata detrimental to Anonymity? + +## **What is Metadata?** + + + + +Metadata is simply **data about data.** When you send a message, what you actually said, the content, is the data but all of the information such as: +\- who you sent it to +\- the time you sent it +\- the size of the message +\- where you sent it from, etc +are the **metadata of that message.** + +Even if the actual content is encrypted, **metadata reveals a significant amount of information about you and your activities.** Moreover, it cannot be avoided by nature of information transfer, **if you are using an application or conducting an activity, there will always be metadata.** (eg. You cannot send a message without a recipient.) + +![](1.png) + + + + +We can better understand the threat it poses through a few examples. + +Let's say there is an adversary monitoring calls and cell towers. +Using your phone, at your home you contact a friend to go to a store. When you arrive, you call once more to meetup, then shop for a little while, and lastly eat at a restaurant after ordering online. + +During this time, **the adversary did not see you or interact with you** and even the calls and website were encrypted. But they **collected metadata passively.** +Here is a diagram that displays what occurred and what the adversary collected: + +![](2.png) + + + + +Now the metadata is very brief, but since phone lines and locations are known, it becomes clear who did what and went where. **Even though they couldn't hear the calls,** because of the timings, call duration, and the location information, **the fact that its a meetup is obvious.** + +**With just metadata, the adversary is able to determine where you went, what you did, and who you're connected to.** This is exactly why it's so dangerous: **a small amount can leak significant information and interaction isn't needed.** + +Anonymity also crumbles very quickly. Let's say Alice posts on a forum at various times for months. + +When her **post timings are analyzed** , it reveals she's somewhere in the CET timezone from sleep schedules. Then, looking at **shadows, nature, and other data in an image she posted,** the location is narrowed to a specific city in France. Finally, with the **way she writes** on the forum, based on her references and slang, the adversary estimates she's in her 20s and works as an architect. + +![](3.png) + + + + +With **file data and speech tendencies,** Alice's identity can be narrowed down to only **100-500 people** (26+ bits of information). No advanced deanonymization technique was used here, just **analysis of the attributes of her actions and activity.** + +> "We kill people based on metadata." +> +> \- Former Director of the NSA and CIA Michael Hayden + +Metadata has been **mass collected** for many years now by several nations and adversaries as revealed in things like the [Snowden leaks](https://en.wikipedia.org/wiki/2010s_global_surveillance_disclosures). It's easy to collect for nations since if you **control infrastructure** like ISPs and telecommunication, metadata will always be present and observable. + +In a more general sense, **the entire goal of the adversary is to find information that uniquely identifies you.** +Metadata provides exactly that: If they know where you go, the groups you interact with, the timing of your activity, the way you speak, the things you look at, etc, **the adversary can creative a very identifying profile.** +Even if each singular piece of metadata provides minor information, adversaries use it to form **associations** , connecting each one of those fragments to see an entire picture where your possible profile is narrowed. +For more context on information and anonymity, [this tutorial](../anonymityexplained/index.md) is recommended as a prerequisite. + +We will will focus on understanding most major attack vectors for metadata collection and briefly cover simple mitigation. Having a clear picture of **where metadata leakage occurs and what leaks is crucial.** + +It is useful to classify metadata in two types: + +\- **Application metadata:** any metadata from applications, like network data or browser information. + +\- **Behavioral metadata:** information that's leaked by your actions, such as activity schedules or speech tendencies. + + + +## **Application Metadata** + + + + +### Networks + + + + +No matter what tools you use, various parties will get bits of information from your **network activity** which, when aggregated or analyzed over time, can leak significant information or even deanonymize you. + +All internet data is transferred in **packets** , smaller bundles of data along with information such as how to route them. The ISPs, since the data flows through them, are able to see the **size, timing, and destination** of each packet even if the data is encrypted. Each website has a **unique pattern** of packets that are sent back and forth which can be identified with artificial intelligence, meaning that even if the data is encrypted, they are able to reasonably infer what sites you visited and when. + +![](4.png) + + + + +[TOR](../torvsvpns/index.md) mitigates some of this by making all packets the same size, but the ISP is still able to see the **total amount of data transferred** and the **timing.** + +Let's say that you connect to an anonymous forum account by going You->VPN->Tor->Website. You log in every Wednesday and Thursday between 4-6 P.M., post some comments and interact, and upload about 2GB of data. The ISP can see that you connected to a VPN and transferred 2GB of data between those times. +If an adversary is trying to deanonymize the forum account, they will look for a **pattern in activity.** For access to the network metadata, they can ask all ISPs to monitor who connects to either a VPN/TOR at that time and uploads a similar amount of data. +Let's see what a chart of this would look like: + +![](5.png) + + + + +This is a very simple attack which only involves ISP metadata and note that in real scenarios, this is not done by hand but by artificial intelligence and with more variables and information. +To avoid such analysis, [DAITA](https://mullvad.net/en/vpn/daita) (Defense Against AI-Guided Traffic Analysis) should be used which is covered in more detail in [this tutorial](../torthroughvpn/index.md). + +**Combining DAITA with generally not having highly predictable patterns makes network metadata difficult to use** and these attacks far harder. + +### Cell Towers + + + + +As simply displayed in the initial example, cell towers and telecommunications are one of the largest spots for metadata collection. Specifically: the exact **who, when, and where** of every call. Unlike networks or other platforms, the identity of every connected phone is known and location can be determined by cell tower triangulation. The metadata is enough to entirely deanonymize and map most actions and is explained in [this tutorial](../phonenumbers/index.md). +Simply, **anonymity is not compatible with cell towers and they should be avoided entirely.** + +### Browsers + + + + +To operate and communicate with websites, **your web browser sends out various information that is unique and identifiable.** + +A non-exhaustive list is as follows: + + * User Agent Header: The user agent header is a header sent in all of your HTTP(S) requests and will be formed something like this: +Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0 +It identifies your: +\- Operating system and version +\- Browser and version + + * DNS Provider + * IP Address and Provider + * Monitor Size in pixels (eg. 1920x1080) + * Hardware Details (RAM, CPU Cores, etc) + * Browser Window Size + * Time Zone + * Typing Speed + * Yes or No for: JavaScript, Cookies, Adblockers, and more. + + + +(Again, this is only a portion of what can potential be derived. You can visit [deviceinfo.me](https://deviceinfo.me) or [coveryourtracks.eff.org](https://coveryourtracks.eff.org) to see the full information.) + +Obviously for anonymity, this is terrible. If you log into an anonymous forum account with the same browser as you do a personal email account, **the browser profile will appear the same, effectively deanonymizing you if the information is combined.** +Moreover, this also stops any form of persona separation because **all of your activity is uniquely tied to that browser footprint,** regardless of wheter you are logged in, what site you're on, or even if you're routing through TOR. + +Mitigation for this is quite straightforward: usage of the [Tor Browser ](../torvsvpns/index.md) since **every user is made to look the same.** Most of the identifying metadata mentioned before is not a threat since configuration is uniform across all users. + +However, metrics like typing speed, mouse patterns, operating system, and a few others will still be leaked, so when consistently visiting the same websites using the Tor Browser, **vary your activities** so the information is not usable. + +### File Data + + + + +All files come with metadata. Metadata is not necessarily bad, for example the directory where a file is stored will be listed in the metadata and certain metadata is required. However, some types of file metadata can entirely compromise anonymity. + +Most images taken by any camera **contain sensitive information like the device used, operating system, and even the exact GPS coordinates** of where the picture was taken in their **EXIF metadata.** + +If these files are uploaded anywhere, **the party that receives the file could potentially pinpoint your exact location.** + +Let's use an example: Say I have a sample image from an iPhone camera, called image.jpeg, taken at the Eiffel Tower. +We can use an open source command line tool called **exiftool** to both **view and modify the metadata.** + +Install it with: + + + ~$ sudo apt install exiftool + +Now to view the metadata, all we have to do is run the following command: + + + $ exiftool path/to/your/file + # In our example: + $ exiftool image.jpeg + + ExifTool Version Number : 13.00 + File Name : image.jpeg + Directory : . + File Size : 2.1 MB + File Modification Date/Time : 2025:01:23 12:34:22.832-00:00 + File Access Date/Time : 2025:01:23 12:34:22.832-00:00 + File Inode Change Date/Time : 2025:01:23 12:34:22.832-00:00 + File Permissions : -rw-r--r-- + ... + Make : Apple + Camera Model Name : iPhone 15 + ... + Resolution Unit : inches + Software : 18.2.1 + Modify Date : 2025:01:23 12:34:22 + Host Computer : iPhone 15 + ... + Flash : Off, Did not fire + Focal Length : 6.3mm + ... + Lens Make : Apple + Lens Model : iPhone 15 back triple camera 6.3mm f/1.6 + ... + GPS Latitude Ref : North + GPS Latitude : 48 deg 51' 29.6" N + GPS Longitude Ref : East + GPS Longitude : 2 deg 17' 40.2" E + GPS Altitude Ref : 0 + GPS Altitude : 35 m + GPS Time Stamp : 12:34:22 + GPS Date Stamp : 2025:01:23 + GPS Position : 48 deg 51' 29.6" N, 2 deg 17' 40.2" + ... + Date Created : 2025:01:23 12:34:22 + ... + Device Manufacturer : Apple Computer Inc. + ... + Image Size : 4032x3024 + ... + Create Date : 2025:01:23 12:34:22.832-00:00 + Date/Time Original : 2025:01:23 12:34:22.832-00:00 + Modify Date : 2025:01:23 12:34:22-00:00 + ... + Lens ID : iPhone 15 back triple camera 6.3mm f/1.6 + + # Note this is a sample output and may not be exactly the same. + + +(Only the identifying details are listed here and "..." represents where more attributes are listed since images come with a large amount of metadata.) + +As displayed, the EXIF data leaks significant information like location, device, and version. Even with GPS data off, **it can help form a profile on you.** Information of what device you are using can be valuable. + +Removing the metadata is very simple, we just have to run the following command: + + + $ exiftool -all= -overwrite_original /path/to/your/image + # In our example: + $ exiftool -all= -overwrite_original image.jpeg + + +Now running exiftool once more on the new file to see the metadata will only result in non-removable metadata which is not sensitive. + + + $ exiftool image.jpeg + + ExifTool Version Number : 13.00 + File Name : image.jpeg + Directory : . + File Size : 2.1 MB + File Modification Date/Time : 2025:01:23 12:34:22.832-00:00 + File Access Date/Time : 2025:01:23 12:34:22.832-00:00 + File Inode Change Date/Time : 2025:01:23 12:34:22.832-00:00 + File Permissions : -rw-r--r-- + File Type : JPEG + ... + # No sensitive metadata will be listed. + + +Metadata doesn't only exist in EXIF format in images, it can also be embedded in files like PDFs. + +Elsevier, the largest academic publisher, **embedded unique hashes in PDF metadata** for each [download](https://news.ycombinator.com/item?id=30082138), meaning that your copy was uniquely identifiable. If you downloaded a file like this and then shared it in your anonymous persona, you would instantly be deanonymized since **the specific copy ties back to your account only.** Using the same exiftool commands as before will remove this metadata as well. + +![](6.png) + + + + +Similar identifying methods may be in other files or from general content and it is advised to use plaintext and thoroughly **remove all metadata before uploading anything.** + +### Image Geolocation + + + + +An image of the real world contains a significant amount of data such as the buildings in it or the lighting. Figuring out where a picture was taken is a rather popular activity in everything from OSINT to GeoGuessr. + +A few techniques are using [shadows](https://www.bellingcat.com/resources/2021/05/18/unsure-when-a-video-or-photo-was-taken-how-to-tell-by-measuring-the-length-of-shadows) to determine timing, [perspective](https://www.bellingcat.com/resources/2023/09/07/measuring-up-how-to-calculate-the-size-of-objects-in-open-source-material) to determine distance, [bruteforcing](https://www.youtube.com/watch?v=cMsaj4SSwCw) after reducing search space, and looking at nature or other details to determine location. Usually bits of information that have already been leaked, like timezones or regions, are used to know where to search and then geospatial analysis is done, both by artificial intelligence and by hand. + +Essentially, nearly every location has identifiable features and most images can be traced very close to their origin. It's safest to **not post images** when conducting anonymity-critical activities. + +## **Behavioral Metadata** + + + + +Behavioral metadata functions differently in that it will be present with any interaction. The way we do something will indicate some information regardless of what application we're using. You can't speak English visibly while hiding the fact you speak English. This makes metadata threats more unique but we can still control it by managing our actions more carefully. + +### Activity Schedules + + + + +**Every action** we do in an anonymous persona will have **a specific time metadata paired with it** \- The "When?" question. + +This applies to forum posts, account logins, git commits, tweets, and any form of interaction. Using all of this collected metadata, a graph can be created. + +Here is one for Satoshi Nakamoto by the chainbulletin, where each red dot is an activity (forum posts, git commits, etc) at the day and time. + +![](7.png) + + + + +Most people have **a waking time of roughly 8AM-12PM, hence it is very likely that a person lives in the timezone where that lines up.** If their activity always took place at night, they would have to be entirely nocturnal over a long period which is very improbable. + +To apply our logic and analyze the data, we can shift the timings and graph into all other major time zones: + +![](8.png) + + + + +Now, since the activity would be at night, we can **rule out** all of Asia and Australia. The only time zones where the waking time seems reasonable are PT, ET, and GMT, where most of his activity is done in the 8AM-12PM range and **a clear, natural sleep schedule at night is displayed.** +By plotting **timing metadata only,** without including any actual data or other conclusions, **roughly 3 bits of information is reliably leaked.** + +It is very difficult to conceal activity schedules and they **will emerge over a long enough time period.** Its danger comes from **providing confirmation of other analysis** or debunking misdirections: +If you're trying to make your persona appear to be in France but your activity schedules line up with Asia, your misdirection will fail. Hence, it is important **be aware that your region may be known for decision making.** + +### Speech + + + + +Our writing and speech are **uniquely identifiable** and often contain details about us. **Who you are, your interests and skills, even the content you consume,** all of it can be **signaled** in your wording and interpreted with **stylometry** (statistical analysis of writing). +More specifically, the **way we speak and write** , such as word choice, slang, grammar, references, speech quirks, and more all **leak information.** + +Let's look at a few examples: + +\- If your forum posts have certain **slang,** an adversary can **estimate your age** , which can be 2-3 bits of information. +\- If your writing is consistently highly technical and includes references and wording central to a specific field, the adversary can roughly guess **your profession, level of knowledge, and skills,** which could be 10+ bits of information. +\- **Metaphors** and **word choice** , or speaking in multiple languages can reveal **ethnicity, location, or content you've read.** + + +![](9.png) + + + + +Using Satoshi Nakamoto as an example again, one of the most discussed things about his identity are his speech forms: specifically his use of British English and always double spacing after each period, something mostly done by those who learned to type much earlier or on a typewriter. **Two very simple pieces of writing metadata give clues to his age and ethnicity.** + +When paired with other information on you, the way you speak can easily leak 20+ bits of information. + +The best mitigation is the use of [local llms](../stylometry/index.md) to **change your writing styles and remove your unique tendencies.** With consistent rewording, identifiable traits in your writing metadata will be much harder to find. Generally, **caution should also be practiced,** such as **not using references or topics that could give clues to your identity.** + +### Physical Attributes + +Your physical profile is very unique and could be used by an adversary depending on what information they have. If an adversary knows what you look like and your region or city, depending on their resources, they may be able to bruteforce to find your identity. For example, its easier much easier to find someone if you know their height and hair color along with their main profile. It usually only leaks through writing or speech and can be avoided by **not discussing or referencing physical attributes.** + +### Social Maps + + + + +**Who you interact with** is one of the most collected pieces of behavioral metadata by adversaries and is extremely usable. From cell tower call records to IP addresses, finding who talked to who is consistently logged. Even most messaging apps, despite employing encryption, leak metadata of who talks to who. + +When an adversary learns who you're connected to, **all information about the connected individual is now relevant to profiling you.** Here is a simple example: + +Seeing that you've communicated with Alice publicly before, the adversary begins investigating her. They find a public forum and then find your account with the same anonymous persona on the forum, giving them more data (your forum posts) for deanonymization. +Since it's now clear you and Alice share interests, they look further and, from the way she speaks, estimate her age and profession and use that information to narrow your profile. + +![](10.png) + + + + +Another example would be if an adversary finds everyone you speak to works in a specific profession or shares an attribute, there's a high likelihood you also share that attribute. + +Usually these statistical analyses are done algorithmically and on much large populations where a lot of connections occur. Instead of one platform and two people like in the example, it could be hundreds of times larger. +When a distinct connection is discovered by an adversary, **it provides a direction to look for you in.** + +This is also another reason [usage/persona isolation](../internetsegmentation/index.md) is needed since any metadata or communication that connects both profiles together may compromise anonymity if the information on each profile is combined. + +Mitigation for this is mostly using the right programs like [SimpleX](../anonsimplex/index.md) where metadata is not usable and taking caution with any communication done in an anonymous persona. + +## **Conclusion** + + + + +Metadata's impact on anonymity is focused on creating a **profile** over a long enough period, using bits of leaked information from applications and behavior to statistically narrow your identity. However, if we can observe where most metadata leaks, minimizing it is straightforward. + +The amount of usable metadata leaked can be drastically reduced by using the **right applications and taking precaution in each action.** With controlled and minimal metadata leakage, metadata-based deanonymization becomes much harder for adversaries. + diff --git a/anonymous_server_monitoring.old/add_datasource.png b/anonymous_server_monitoring.old/add_datasource.png new file mode 100644 index 0000000..a89bb4c Binary files /dev/null and b/anonymous_server_monitoring.old/add_datasource.png differ diff --git a/anonymous_server_monitoring.old/architecture.png b/anonymous_server_monitoring.old/architecture.png new file mode 100644 index 0000000..4b4e1d7 Binary files /dev/null and b/anonymous_server_monitoring.old/architecture.png differ diff --git a/anonymous_server_monitoring.old/datasource_config.png b/anonymous_server_monitoring.old/datasource_config.png new file mode 100644 index 0000000..ed790ac Binary files /dev/null and b/anonymous_server_monitoring.old/datasource_config.png differ diff --git a/anonymous_server_monitoring.old/example_dashboard.png b/anonymous_server_monitoring.old/example_dashboard.png new file mode 100644 index 0000000..25d5c62 Binary files /dev/null and b/anonymous_server_monitoring.old/example_dashboard.png differ diff --git a/anonymous_server_monitoring.old/glances.png b/anonymous_server_monitoring.old/glances.png new file mode 100644 index 0000000..5a6336e Binary files /dev/null and b/anonymous_server_monitoring.old/glances.png differ diff --git a/anonymous_server_monitoring.old/grafana_login.png b/anonymous_server_monitoring.old/grafana_login.png new file mode 100644 index 0000000..6d29926 Binary files /dev/null and b/anonymous_server_monitoring.old/grafana_login.png differ diff --git a/anonymous_server_monitoring.old/index.md b/anonymous_server_monitoring.old/index.md new file mode 100644 index 0000000..49542f8 --- /dev/null +++ b/anonymous_server_monitoring.old/index.md @@ -0,0 +1,250 @@ +--- +author: None +date: 2025-02-07 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/0" +xmr: None +--- +# **Anonymous Server Monitoring** + +## What is server monitoring? + +When deploying compute resources (bare-metal, VPSes or more abstract work units) you will have to manage a living system. This system will **always** have the following characteristics: + + * Limited ressources: the amounts of RAM and CPU cycles, network bandwidth as well as storage space are neither infinite nor free. + * Evolving requirements: depending on how you use your services, how many concurrent users you have you might need more or less ressources than what you initially purchased + * Nominal operating parameters: range of RAM and CPU use, temperatures and so on in which your service performs as expected + + + +The first item is fixed and only linked to your financial constraints. The other two are constantly evolving and thus must be **monitored**. + +## How do I do it? + +How you monitor your systems can vary based on your technical requirements. It can be as simple as logging in once a week, check the output of some diagnostic command and calling it a day. +This will give you a snapshot but you will miss a lot of important information. + +You can also set up a complicated system that reports current metrics, trends and gives you capacity planning alerts based on the data obtained! You will have to find the middle-ground yourself, this article will propose one that you can tweak whichever way you need. + +## Risks of doing it improperly + +Accessing your server for monitoring purposes is, from a risk perspective, pretty much the same as doing any other administration task or interacting with the services hosted therein. If done improperly (say logging in over the clearweb from your home address) you've just given anyone looking an undeniable link between your overt identity and your clandestine activities. (which should never happen since you're supposed to [segment your internet uses](../internetsegmentation/index.md)) + +A **fail-closed** system is what you should strive for: opsec best practices should be the default and if there's a technical issue preventing you from following them (attack on tor, flaky network, client or server-side misconfiguration) the system should prevent access at all in order to keep you safe. + +## What if I don't monitor my Servers ? + +If you don't properly monitor your infrastructure you will face the following consequences sooner or later: + + * service instability: you won't notice when things start going awry + * costs overrun: you will end up paying more than you need to in order to deliver the same service + * undetected attacks: attacks that impact your services can go unnoticed when the cues (eg: high RAM consumption from a cryptojacking) are not picked up + * And lastly, if you are going to run a sensitive service on a remote server, it will anyway be on borrowed time as [we have explained previously](../cloud_provider_adversary/index.md), therefore you need to be able to easily detect whenever there is a downtime on one of the servers, while at the same time maintaining your anonymity. + + + +# **Risks** + +Whenever you connect to your server, such as for monitoring or other administrative tasks, if you do so without going through Tor, then the cloud provider knows that you are the one connecting to that server. Even when using SSH you will leave a trail of metadata all the way back to your access point. That might be enough to get your door busted down the line if you intend on hosting anything sensitive on that server. + +In the following part of the post we will look into how to set up advanced monitoring tools so you don't have to keep an eye on a bunch of tmux sessions with glances/top open in order to know the behaviour of your systems over time. + +This tutorial will assume that you have acquired servers anonymously via non-KYC cloud providers, and that you are only accessing them anonymously through tor See [this article](../anonymousremoteserver/index.md) if you have not already. + +... +... +Done? Let's proceed. + + +# **Target Architecture** + +First, let's have a look at the network topology we'll be building: +![](architecture.png) + + + * Our whonix workstation will connect through tor to a central monitoring server in order to access the grafana dashboard containing our monitoring data. + * Our monitoring server will itself connect through tor to the target monitored servers using prometheus + + + +# **Setting up the central monitoring server** + +First you want to set up your central monitoring server. For ease of use and better performance we are going to colocate the prometheus collector along with grafana. + + +## Required installation + +To get started we need the following software on the machine: + + + * Tor: anonymize traffic + * prometheus: aggregate metrics + * prometheus-node-exporter: export local server metrics + * docker: to run grafana + +![](install.png) + +## Tor Configuration + +### On the target server to be monitored + +run the following as root to create a hidden service for the prometheus collector + + + apt update + apt install prometheus-node-exporter tor + systemctl stop tor #stop the tor service + + mkdir -p /var/lib/tor/onion/prometheus/authorized_clients #create the client auth keys folder to store our second layer of authentication + chmod 400 -R /var/lib/tor/prometheus #set restrictive file permissions + + vi /etc/tor/torrc #edit the torrc file to add content + + cat /etc/tor/torrc + AutomapHostsSuffixes .onion,.exit + DataDirectory /var/lib/tor + SOCKSPort 127.0.0.1:9050 IsolateDestAddr + HiddenServiceDir /var/lib/tor/onion/prometheus + HiddenServicePort 9100 127.0.0.1:9100 + + tor-client-auth-gen + private_key=descriptor:x25519:DBQW3GP5FCN2KQBDKTDKDAQUQWBEGBZ5TFYJE4KTJFBUOJPKYZBQ #paste this key to your local machine as your prometheus node will need it + echo "descriptor:x25519:6HDNHLLKIFNU5Q6T75B6Q3GBYDO5ZF4SQUX7EYDEKWNLPQUWUBTA" > /var/lib/tor/onion/prometheus/0.auth + + chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder + + systemctl start tor #restart tor + systemctl status tor #check that everything works + + cat /var/lib/tor/onion/prometheus/hostname + [clientaddr].onion + + +What's that tor-client-auth-gen you ask? In order to protect this critical service from attacks that could be done against the grafana servers or from stolen credentials we need more than just security by obscurity (relying on the attacker not knowing our hidden service address). +When a client tries to connect to an onion service they request a server descriptor from a tor directory server that gives them a path to a rendez-vous point where they will be able to talk to each other. The keys we just created will be used to encrypt this descriptor. Without the proper private key, even with the onion service address, an attacker won't be able to connect to it because they won't be able to find the rendez-vous point. + +This is better than basic-auth for the following reasons: + + * More resistant to bruteforce attacks + * Also protects against flaws in your application itself + * Also protects you from fingerprinting attacks as no trafic can reach you without the required secret key + + + + + +### On the central monitoring server + +The prometheus collector will only be accessed locally by grafana so it doesn't need to be accessible over tor. Grafana, on the other hand, does. +Let's start with tor's configuration, use the following commands as root: + + + + sudo systemctl stop tor #stop the tor service + + mkdir -p /var/lib/tor/auth_keys #create the client auth keys folder to store our second layer of authentication + mkdir -p /var/lib/tor/onion/grafana #create the client auth keys folder to store our second layer of authentication + chmod 400 -R /var/lib/tor/auth_keys #set restrictive file permissions + + #line below will allow your aggregator to connect to your monitored server. Without it no requests can even reach it + echo "[prometheusclientaddr].onion:descriptor:x25519:DBQW3GP5FCN2KQBDKTDKDAQUQWBEGBZ5TFYJE4KTJFBUOJPKYZBQ" > /var/lib/tor/auth_keys/prometheus_server.auth_private + + chmod 400 -R /var/lib/tor/onion #set restrictive file permissions + + vi /etc/tor/torrc #edit the torrc file to add content + + cat /etc/tor/torrc + AutomapHostsSuffixes .onion,.exit + DataDirectory /var/lib/tor + SOCKSPort 127.0.0.1:9050 IsolateDestAddr + HiddenServiceDir /var/lib/tor/onion/grafana + HiddenServicePort 80 127.0.0.1:3000 + ClientOnionAuthDir /var/lib/tor/auth_keys + + tor-client-auth-gen + private_key=descriptor:x25519:YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ + public_key=descriptor:x25519:UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ + + echo "YCPURSYN4FL4QKQSXFTGLYNBHOVVRCQYRZLFHMZFCUFU5R6DCRMQ" > ~/mygrafana_auth_key + echo "descriptor:x25519:UUQW4LIO447WRQOSRSNDXEW5NZMSR3CYOP65ZIFWH6G2PUKWV5WQ" > /var/lib/tor/onion/grafana/0.auth + + chown debian-tor:debian-tor -R /var/lib/tor # make tor owner of this folder + + systemctl start tor #restart tor + systemctl status tor #check that everything works + + +And that's all you'll need! one hidden service for grafana. +You'll find your hostname in /var/lib/tor/onion/grafana/hostname. + +## Prometheus server configuration on the central monitoring server + +Clean and simple: we scrape our server every 10s for new data, configure a proxy URL so scraping happens over tor, using our socksport and configure ou scraping targets. + + + + + vi /etc/prometheus/prometheus.yml + + cat /etc/prometheus/prometheus.yml + + alerting: + alertmanagers: [] + global: + scrape_interval: 10s + remote_read: [] + remote_write: [] + scrape_configs: + - job_name: remote-nodes + proxy_url: socks5h://localhost:9050 + static_configs: + - labels: {} + targets: + - **[clientaddr].onion:9100** + - job_name: local-node + static_configs: + - labels: {} + targets: + - localhost:9100 + + + + + +This configuration will make the central monitoring server behave in the following way: + + * Scrap itself directly to collect its own data (prometheus is only exposed on loopback for this) + * Scrap the target monitored server through tor via the socks proxy + + + +## Grafana configuration on the central monitoring server + +Let's start grafana and make it available: as root, as tor is already configured we can then access it through our torbrowser + + + + docker run -d -p 127.0.0.1:3000:3000 --name=grafana grafana/grafana + + +# **Connecting to our grafana instance** + +On your monitoring server you can find your hostname at /var/lib/tor/grafana/hostname. Use it in the tor browser to reach your instance. You will be prompted for your private key, you can find it where you saved it earlier ~/mygrafana_auth_key, paste the part after ![](grafana_login.png) + + +# **Configuring the data sources** + +Next we need to tell grafana to use prometheus as a data source: +![](add_datasource.png) + +Now, let's configure it (specifying localhost:9090 as the API port) + +![](datasource_config.png) + + +And Voila! we have simple system monitoring over tor in a dashboard: +![](example_dashboard.png) + +# **Conclusion** + +In this article we saw why and how you need to implement anonymous server monitoring for your infrastructure. If you are running hidden services with any form of sensitive data stored on them, having them under constant monitoring is a must because you need to detect downtimes quickly, without compromising your identity or the rest of your infrastructure. + diff --git a/anonymous_server_monitoring.old/install.png b/anonymous_server_monitoring.old/install.png new file mode 100644 index 0000000..ecac99b Binary files /dev/null and b/anonymous_server_monitoring.old/install.png differ diff --git a/anonymous_server_monitoring.old/top.png b/anonymous_server_monitoring.old/top.png new file mode 100644 index 0000000..bc79c2e Binary files /dev/null and b/anonymous_server_monitoring.old/top.png differ diff --git a/anonymous_server_monitoring/0.png b/anonymous_server_monitoring/0.png new file mode 100644 index 0000000..94010ec Binary files /dev/null and b/anonymous_server_monitoring/0.png differ diff --git a/anonymous_server_monitoring/1.png b/anonymous_server_monitoring/1.png new file mode 100644 index 0000000..5471907 Binary files /dev/null and b/anonymous_server_monitoring/1.png differ diff --git a/anonymous_server_monitoring/10.png b/anonymous_server_monitoring/10.png new file mode 100644 index 0000000..05f218e Binary files /dev/null and b/anonymous_server_monitoring/10.png differ diff --git a/anonymous_server_monitoring/11.png b/anonymous_server_monitoring/11.png new file mode 100644 index 0000000..4c72643 Binary files /dev/null and b/anonymous_server_monitoring/11.png differ diff --git a/anonymous_server_monitoring/2.png b/anonymous_server_monitoring/2.png new file mode 100644 index 0000000..1402f58 Binary files /dev/null and b/anonymous_server_monitoring/2.png differ diff --git a/anonymous_server_monitoring/20.png b/anonymous_server_monitoring/20.png new file mode 100644 index 0000000..f35614e Binary files /dev/null and b/anonymous_server_monitoring/20.png differ diff --git a/anonymous_server_monitoring/3.png b/anonymous_server_monitoring/3.png new file mode 100644 index 0000000..ce2949c Binary files /dev/null and b/anonymous_server_monitoring/3.png differ diff --git a/anonymous_server_monitoring/4.png b/anonymous_server_monitoring/4.png new file mode 100644 index 0000000..24dd844 Binary files /dev/null and b/anonymous_server_monitoring/4.png differ diff --git a/anonymous_server_monitoring/5.png b/anonymous_server_monitoring/5.png new file mode 100644 index 0000000..0bc5f77 Binary files /dev/null and b/anonymous_server_monitoring/5.png differ diff --git a/anonymous_server_monitoring/6.png b/anonymous_server_monitoring/6.png new file mode 100644 index 0000000..c493853 Binary files /dev/null and b/anonymous_server_monitoring/6.png differ diff --git a/anonymous_server_monitoring/7.png b/anonymous_server_monitoring/7.png new file mode 100644 index 0000000..87e1935 Binary files /dev/null and b/anonymous_server_monitoring/7.png differ diff --git a/anonymous_server_monitoring/8.png b/anonymous_server_monitoring/8.png new file mode 100644 index 0000000..cebfbd4 Binary files /dev/null and b/anonymous_server_monitoring/8.png differ diff --git a/anonymous_server_monitoring/9.png b/anonymous_server_monitoring/9.png new file mode 100644 index 0000000..490a172 Binary files /dev/null and b/anonymous_server_monitoring/9.png differ diff --git a/anonymous_server_monitoring/index.md b/anonymous_server_monitoring/index.md new file mode 100644 index 0000000..4fa6400 --- /dev/null +++ b/anonymous_server_monitoring/index.md @@ -0,0 +1,340 @@ +--- +author: nihilist +date: 2025-04-27 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/221" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Anonymous Monitoring (Grafana, Prometheus, Node-exporter) + +In this tutorial we're going to cover how you can monitor the resource consumption of your remote servers while maintaining your anonymity, using Grafana, Prometheus, and node exporter. + + + +## **What is the targeted setup?** + +In this setup, we have 3 servers. Server A is going to monitor Server B and C. + +![](0.png) + +Server A is going to have the following 3 services: + + + -Grafana: to display the data retrieved by prometheus + -Prometheus: to retrieve the data served by the node-exporters + -node-exporter: to serve the server resource usage data (ex: CPU consumption, RAM consumption, etc) + + + +Server B and C are going to have the node-exporter service on them, and thanks to it Server A's prometheus service is going to be able to monitor their resource consumption. + +Now the added complexity that we have to navigate in this tutorial is that **each server can only be reached by their own .onion hostnames.** we cannot query them via their IPs directly because otherwise we'd reveal the origin and destination of the servers. Hence in this tutorial we're going to maintain the Serverside anonymity. + +## **Server A setup (Grafana, Prometheus, Node-exporter)** + +First let's setup Server A: + + + [ Wonderland ] [ /dev/pts/22 ] [/srv/] + → sudo apt install docker.io docker-compose -y + + [ Wonderland ] [ /dev/pts/22 ] [/srv/] + → mkdir /srv/grafana ; cd /srv/grafana + + [ Wonderland ] [ /dev/pts/22 ] [/srv/] + → vim docker-compose.yml + + +Then, we have the following docker-compose.yml: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → cat docker-compose.yml + + networks: + tor-monitoring: + driver: bridge + ipam: + config: + - subnet: 10.16.0.0/24 + gateway: 10.16.0.1 + + services: + grafana: + image: grafana/grafana-enterprise:latest + container_name: grafana + restart: unless-stopped + ports: + - '127.0.0.1:3222:3000' + volumes: + - grafana-data:/var/lib/grafana + environment: + GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" + networks: + tor-monitoring: + ipv4_address: 10.16.0.5 + + prometheus: + image: prom/prometheus:latest + volumes: + - ./prometheus/:/etc/prometheus/ + - prometheus_data:/prometheus + command: + - '--config.file=/etc/prometheus/prometheus.yml' + - '--storage.tsdb.path=/prometheus' + - '--web.console.libraries=/usr/share/prometheus/console_libraries' + - '--web.console.templates=/usr/share/prometheus/consoles' + networks: + tor-monitoring: + ipv4_address: 10.16.0.4 + restart: always + + tor: + image: osminogin/tor-simple + container_name: tormonitoring + volumes: + - ./tor-data:/var/lib/tor + - ./tor-data/torrc:/etc/tor + networks: + tor-monitoring: + ipv4_address: 10.16.0.3 + + volumes: + prometheus_data: {} + grafana-data: {} + + + +From there, you can already pull the containers and activate them: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → docker-compose pull ; docker-compose up -d + + + +It's going to first pull the containers and then activate them, but we need to do some changes first to ensure that the tor container works as intended: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → docker-compose down + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → vim tor-data/torrc/torrc + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → cat tor-data/torrc/torrc + SOCKSPort 0.0.0.0:9050 + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → chown -R 100:65533 tor-data/ + + + +then we also configure prometheus to scrape the destination servers: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → vim prometheus/prometheus.yml + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → cat prometheus/prometheus.yml + global: + scrape_interval: 15s # By default, scrape targets every 15 seconds. + external_labels: + monitor: 'datura-monitor' + + scrape_configs: + - job_name: 'wonderland' + scrape_interval: 5s + proxy_url: socks5h://10.16.0.3:9050 + static_configs: + - labels: {} + targets: + - serverAjezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion:9100 + - serverBjezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion:9100 + - serverCjezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion:9100 + basic_auth: + username: 'admin' + password: 'P@SSW0RD' + + + +And then we can re-activate the containers: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → docker-compose up -d + + + +once done, we can configure the nginx reverse proxy to make sure that we can access our grafana instance: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → vim /etc/nginx/sites-available/monitoring + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → cat /etc/nginx/sites-available/monitoring + upstream monitoringend { + server 127.0.0.1:3222; + #server 10.8.0.2:3009; + } + + + server { + listen 4443; + listen [::]:4443; + server_name monitoring.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion; + + location / { + proxy_set_header Host $http_host; + proxy_pass http://monitoringend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + #client_max_body_size 1G; + } + } + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → ln -s /etc/nginx/sites-available/monitoring /etc/nginx/sites-enabled/ + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ Wonderland ] [ /dev/pts/19 ] [/srv/grafana] + → systemctl restart nginx + + + +## **Configuring Grafana** + +Next, we can access our grafana instance to create the admin account and login: + +![](1.png) + +Once logged in we make sure that our grafana instance uses our prometheus instance as a datasource: + +![](2.png) ![](3.png) ![](4.png) + +here we mention the local IP of the prometheus container, being 10.16.0.4, with the service accessible on port 9090: + +![](5.png) ![](6.png) + +Then, we import a dashboard to make sure that we can visualize the data we are monitoring, out of which i recommend the excellent ["Node Exporter Full"](https://grafana.com/grafana/dashboards/1860-node-exporter-full/) dashboard (whose ID is 1860) + +![](7.png) ![](8.png) ![](9.png) ![](10.png) ![](11.png) + +There, the dashboard is imported, but there's no data to be seen yet because we didn't configure the node-exporter daemons on the servers that we want to monitor. + +## **Configuring node-exporter on the remote servers** + +Next, we're going to configure node-exporter on the servers that we want to monitor: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → cat docker-compose.yml + version: '3.7' + + services: + + node-exporter: + container_name: node-exporter + image: quay.io/prometheus/node-exporter:latest + #command: + #- '--path.rootfs=/host' + network_mode: host + pid: host + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /:/rootfs:ro + - /:/host:ro,rslave + - ./web.yml:/etc/prometheus/web.yml + command: + - '--path.rootfs=/host' + - '--path.procfs=/host/proc' + - '--path.sysfs=/host/sys' + - --collector.filesystem.ignored-mount-points + - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" + - "--web.config.file=/etc/prometheus/web.yml" + restart: always + deploy: + mode: global + + + +Now that docker-compose.yml is written, we need to write a small python script to hash the basicauth password: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → vim gen-pass.py + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → cat gen-pass.py + import getpass + import bcrypt + + #sudo apt install python3-bcrypt + + password = getpass.getpass("password: ") + hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()) + print(hashed_password.decode()) + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → sudo apt install python3-bcrypt -y + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → python3 gen-pass.py + password: P@SSW0RD + $2b$12$AZg14Yp.hvDLk/iaYk9.ReqXyfonW94cwqzzxewZDWzTdAQZFo3zy + + + +now with the hashed password, we can write the web.yml config file that the node exporter will use: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → vim web.yml + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → cat web.yml + basic_auth_users: + admin: $2b$12$AZg14Yp.hvDLk/iaYk9.ReqXyfonW94cwqzzxewZDWzTdAQZFo3zy + + + +And now finally we can pull the container image and activate it: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → docker-compose pull ; docker-compose up -d + + + +Then we also make sure that the node-exporter port 9100 is accessible via the onion domain, as otherwise we can't access it while maintaining the serverside anonymity: + + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → cat /etc/tor/torrc | grep 9100 + HiddenServicePort 9100 127.0.0.1:9100 + + [ Wonderland ] [ /dev/pts/19 ] [/srv/node-exporter] + → systemctl restart tor@default + + + +And now from there the server should be monitored as intended. + +## **Visualizing the result** + +Now that the remote server's node-exporter is reachable via it's onion domain, we can see that the resource usage started to appear in the dashboard that we setup earlier: + +![](20.png) + +In this case, in the event of the remote server being seized, the adversary would only be able to see that it has been queried to from a tor exit node IP. This is to make sure that your anonymous infrastructure is able to sustain having each of it's individual servers being taken down, as long as they are not all taken down at once. + +And that's it ! We can now monitor our own remote servers, while maintaining serverside anonymity at the same time. + diff --git a/anonymousremoteserver/1.png b/anonymousremoteserver/1.png new file mode 100644 index 0000000..57b59eb Binary files /dev/null and b/anonymousremoteserver/1.png differ diff --git a/anonymousremoteserver/10.png b/anonymousremoteserver/10.png new file mode 100644 index 0000000..c80bb0a Binary files /dev/null and b/anonymousremoteserver/10.png differ diff --git a/anonymousremoteserver/11.png b/anonymousremoteserver/11.png new file mode 100644 index 0000000..f8ea8c8 Binary files /dev/null and b/anonymousremoteserver/11.png differ diff --git a/anonymousremoteserver/12.png b/anonymousremoteserver/12.png new file mode 100644 index 0000000..7e6881f Binary files /dev/null and b/anonymousremoteserver/12.png differ diff --git a/anonymousremoteserver/13.png b/anonymousremoteserver/13.png new file mode 100644 index 0000000..1095a63 Binary files /dev/null and b/anonymousremoteserver/13.png differ diff --git a/anonymousremoteserver/2.png b/anonymousremoteserver/2.png new file mode 100644 index 0000000..9ead2cb Binary files /dev/null and b/anonymousremoteserver/2.png differ diff --git a/anonymousremoteserver/3.png b/anonymousremoteserver/3.png new file mode 100644 index 0000000..977c896 Binary files /dev/null and b/anonymousremoteserver/3.png differ diff --git a/anonymousremoteserver/4.png b/anonymousremoteserver/4.png new file mode 100644 index 0000000..7b29246 Binary files /dev/null and b/anonymousremoteserver/4.png differ diff --git a/anonymousremoteserver/5.png b/anonymousremoteserver/5.png new file mode 100644 index 0000000..2954307 Binary files /dev/null and b/anonymousremoteserver/5.png differ diff --git a/anonymousremoteserver/6.png b/anonymousremoteserver/6.png new file mode 100644 index 0000000..022c617 Binary files /dev/null and b/anonymousremoteserver/6.png differ diff --git a/anonymousremoteserver/7.png b/anonymousremoteserver/7.png new file mode 100644 index 0000000..d6ab8d2 Binary files /dev/null and b/anonymousremoteserver/7.png differ diff --git a/anonymousremoteserver/8.png b/anonymousremoteserver/8.png new file mode 100644 index 0000000..dd8f5fc Binary files /dev/null and b/anonymousremoteserver/8.png differ diff --git a/anonymousremoteserver/9.png b/anonymousremoteserver/9.png new file mode 100644 index 0000000..3aa0686 Binary files /dev/null and b/anonymousremoteserver/9.png differ diff --git a/anonymousremoteserver/index.md b/anonymousremoteserver/index.md new file mode 100644 index 0000000..43f1ebf --- /dev/null +++ b/anonymousremoteserver/index.md @@ -0,0 +1,119 @@ +--- +author: nihilist +date: 2024-05-02 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/109" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Acquiring remote servers anonymously (non-KYC providers) + +![](../hiddenservice/1.png) + + + +## **Finding out a non-KYC Cloud Provider and Email Provider** + +As we discussed [previously](../finances/index.md), KYC is out of the question if you want to remain anonymous. So you need to find **a cloud provider that allows you to rent servers without any KYC**. + +To find one you can go on [kycnot.me](https://kycnot.me/?t=service&q=hosting): + +![](1.png) + +the current one I use for my services is ServersGuru, as they can resell popular cloud providers like hetzner. + +In our example below we'll use Cockbox. but first thing we need is a non-KYC email provider, to do so we could follow [Privacy Guides' recommendation](https://www.privacyguides.org/en/email/) and create an account on Tuta, but for simplicity i'll use a temporary email from (do not use it for extended usage) + +![](2.png) ![](3.png) ![](4.png) + +Now that the account is created, we can also validate if we can receive mails: + +## **Purchasing the server anonymously (using Monero)** + +![](12.png) ![](5.png) ![](6.png) + +Next we generate a SSH key to connect to the server: + + + [ mainpc ] [ /dev/pts/5 ] [~] + → ssh-keygen -t ed25519 -C "" + Generating public/private ed25519 key pair. + Enter file in which to save the key (/home/nihilist/.ssh/id_ed25519): /home/nihilist/.ssh/ssh-key-test + /home/nihilist/.ssh/ssh-key-test already exists. + Overwrite (y/n)? y + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /home/nihilist/.ssh/ssh-key-test + Your public key has been saved in /home/nihilist/.ssh/ssh-key-test.pub + The key fingerprint is: + SHA256:hu1aO2qMU0XuaRDTRiVHH3Jl2hNP/0prlAnpPCTGECo + The key's randomart image is: + +--[ED25519 256]--+ + | o=+= o.+ .| + | o.+= + * +.| + | E .* + * o o| + | ..oo. = . +.| + | .+S. + = .| + | .o+ + o | + | + .o + | + | o oo.. . | + | oo... | + +----[SHA256]-----+ + + [ mainpc ] [ /dev/pts/5 ] [~] + → cat .ssh/ssh-key-test.pub + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqt0O2ZbRt/7ikk0PdPRcb1GRBE5YNDdBHFCMGIdeHb + + + +![](7.png) + +validate the VPS purchase with the Monero option: + +![](8.png) ![](9.png) + +Then here we send the Monero payment: + +![](10.png) ![](11.png) + +then wait 10-20 minutes for the payment to be validated by the network, and then you should recieve the mail with your server accesses: + +![](13.png) + +Now that the server is provisionned, we can connect to it: + +## **Accessing the server anonymously (SSH through Tor)** + +To access the server anonymously, you just need to ssh there through tor using torsocks: + + + [ mainpc ] [ /dev/pts/6 ] [~] + → cat .ssh/config| head -n4 + Host test-server + User root + hostname 185.216.68.156 + IdentityFile ~/.ssh/id_ed25519 + + [ mainpc ] [ /dev/pts/6 ] [~] + → torsocks ssh test-server + The authenticity of host '185.216.68.156 (185.216.68.156)' can't be established. + ED25519 key fingerprint is SHA256:Od5FT4wcALDHXXK2B4t6lM8idsDmUfhqWpDFjStgBwI. + This key is not known by any other names. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '185.216.68.156' (ED25519) to the list of known hosts. + Linux cockbox 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + + root@cockbox:~# id + uid=0(root) gid=0(root) groups=0(root) + + root@cockbox:~# apt update -y ; apt upgrade -y ; apt autoremove -y + + + +And that's it! We now have access to a remote server, we acquired it anonymously, and are now using it anonymously as well. + diff --git a/anonzulucrypt/0.png b/anonzulucrypt/0.png new file mode 100644 index 0000000..f066ed8 Binary files /dev/null and b/anonzulucrypt/0.png differ diff --git a/anonzulucrypt/1.png b/anonzulucrypt/1.png new file mode 100644 index 0000000..9770b7c Binary files /dev/null and b/anonzulucrypt/1.png differ diff --git a/anonzulucrypt/10.png b/anonzulucrypt/10.png new file mode 100644 index 0000000..7439043 Binary files /dev/null and b/anonzulucrypt/10.png differ diff --git a/anonzulucrypt/11.png b/anonzulucrypt/11.png new file mode 100644 index 0000000..9b45632 Binary files /dev/null and b/anonzulucrypt/11.png differ diff --git a/anonzulucrypt/2.png b/anonzulucrypt/2.png new file mode 100644 index 0000000..7ff7d1f Binary files /dev/null and b/anonzulucrypt/2.png differ diff --git a/anonzulucrypt/3.png b/anonzulucrypt/3.png new file mode 100644 index 0000000..3583f26 Binary files /dev/null and b/anonzulucrypt/3.png differ diff --git a/anonzulucrypt/4.png b/anonzulucrypt/4.png new file mode 100644 index 0000000..2f08921 Binary files /dev/null and b/anonzulucrypt/4.png differ diff --git a/anonzulucrypt/5.png b/anonzulucrypt/5.png new file mode 100644 index 0000000..4101dd2 Binary files /dev/null and b/anonzulucrypt/5.png differ diff --git a/anonzulucrypt/6.png b/anonzulucrypt/6.png new file mode 100644 index 0000000..f1473f6 Binary files /dev/null and b/anonzulucrypt/6.png differ diff --git a/anonzulucrypt/7.png b/anonzulucrypt/7.png new file mode 100644 index 0000000..6125263 Binary files /dev/null and b/anonzulucrypt/7.png differ diff --git a/anonzulucrypt/8.png b/anonzulucrypt/8.png new file mode 100644 index 0000000..ec9ac0e Binary files /dev/null and b/anonzulucrypt/8.png differ diff --git a/anonzulucrypt/9.png b/anonzulucrypt/9.png new file mode 100644 index 0000000..4ac776a Binary files /dev/null and b/anonzulucrypt/9.png differ diff --git a/anonzulucrypt/index.md b/anonzulucrypt/index.md new file mode 100644 index 0000000..c9a909a --- /dev/null +++ b/anonzulucrypt/index.md @@ -0,0 +1,93 @@ +--- +author: nileglorifier +date: 2024-08-18 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/273" +xmr: 84TTjteLVhkYuHosBoc1MjWaB1AmnFSWPgeM7Lts4NdigCmE9ndHTjsXEaxJFTb7JGj55GNERXfnJSFY3J3WE5Ha18BSeS1 +--- +# Hiding files in videos (small or large files) with zuluCrypt + +zuluCrypt is a feature rich Linux-based encryption application that can manage a wide range of volumes including: PLAIN dm-crypt, LUKS, TrueCrypt, VeraCrypt and Microsoft Bitlocker. One feature that sets zuluCrypt apart from other encryption tools is the ability to hide (small or large) files and folders within video files via the "Encrypted Container Hidden In Video/Cover File (Steganography)" option, leaving the video file fully functional and therefore acting as an ideal method of hiding important information in plain sight. + +![](0.png) + + + +zuluCrypt can be installed on multiple Linux distributions. For Debian-based distro's, simply use your favourite package manager or run the following apt command in the terminal: + + + sudo apt install zulucrypt-gui + + +![](1.png) + +In this tutorial we'll be using zuluCrypt on [Whonix](https://www.whonix.org/), an OS designed for optimal privacy and security. For other Linux distro's, visit the maintainer's official page at Once installed, zuluCrypt should be visible in your desktop environment's app launcher or you can simply start zuluCrypt-gui from the terminal by running: + + + zuluCrypt-gui + + +Now that zuluCrypt is fully functional, it's time to find a video file to use as your container. In this tutorial we'll be using an mp4 file as our video container, so if you have an mp4 video file you'd like to use then follow the next steps with your own mp4 video file. If you need an mp4 video file, the following sites are excellent resources for free public domain movies that are ideal containers as they're copyright free: + + + + +We'll be using "Night of the Living Dead" available from so we'll download the mp4 version (396.2MB) in the terminal with wget as follows: + + + wget https://archive.org/download/night_of_the_living_dead/night_of_the_living_dead_512kb.mp4 + + +Now that we have our video file, it's time to decide what files we need to hide. In this case we're going to hide some secret documents that are already zipped up in another archive as shown below: + +![](2.png) + +Switching back to zuluCrypt, we click on "Create", "Encrypted Container Hidden In Video/Cover File (Steganography)" or use the keyboard shortcut CTRL+I to commence the process. + +![](0.png) + +Observe and read the important message carefully then click "OK" when ready to continue + +![](3.png) + +We then select our mp4 cover file "night_of_the_living_dead_512kb.mp4" then set a container size and password as shown below. + + + /home/user/night_of_the_living_dead_512kb.mp4 + 397m + 100 + password + + +![](4.png) + +After the volume has been created, zuluCrypt will automatically close the window and lead you back to the main screen. +We can now open our container and add our secret documents archive. +Click on "Open", "Volume Hosted In A File" or use the keyboard shortcut CTRL+Z + +![](5.png) + +Complete all of the parameters (example shown below) ensuring to: select your mp4 file, set the "Volume Type" to "PLAIN dm-crypt", enter the correct offset amount (397m in our case) and enter the password. Then click "Open". + +![](6.png) + +The mp4 container will now be loaded in zuluCrypt. Right-click on the mounted container, then "Open Folder" to open the container with your default file manager. + +![](7.png) ![](8.png) + +We can now use the file manager (e.g. Thunar) to copy our secret documents archive (docs.zip) into the mp4 container + +![](9.png) + +Now that our mp4 container has our secret documents, we can close the file manager and right-click, "Unmount" our container in zuluCrypt + +![](10.png) + +We now have a fully functional mp4 video that contains our secret documents. This will make it significantly harder for an attacker who may have gained access to your system to discover your secret documents. +Finally, we can reconfirm the video plays by opening the mp4 in VLC by running the following VLC command (or using your preferred method): + + + vlc night_of_the_living_dead_512kb.mp4 + + +![](11.png) + diff --git a/aps/0days.png b/aps/0days.png new file mode 100644 index 0000000..0f3c805 Binary files /dev/null and b/aps/0days.png differ diff --git a/aps/anonymity.png b/aps/anonymity.png new file mode 100644 index 0000000..466f526 Binary files /dev/null and b/aps/anonymity.png differ diff --git a/aps/centralisation.png b/aps/centralisation.png new file mode 100644 index 0000000..2080fa5 Binary files /dev/null and b/aps/centralisation.png differ diff --git a/aps/decentralisation.png b/aps/decentralisation.png new file mode 100644 index 0000000..eb2079c Binary files /dev/null and b/aps/decentralisation.png differ diff --git a/aps/federation.png b/aps/federation.png new file mode 100644 index 0000000..ab28d3c Binary files /dev/null and b/aps/federation.png differ diff --git a/aps/index.md b/aps/index.md new file mode 100644 index 0000000..450c42f --- /dev/null +++ b/aps/index.md @@ -0,0 +1,52 @@ +--- +author: nihilist +date: 2024-04-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/67" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Privacy, Anonymity, Plausible Deniability, Decentralisation, Security, and 0days + + + +## **Privacy Analogy** + +![](privacy.png) + +Here in this case, we can say that the conversation between Bob and Alice is private, because it excludes Jack from spying on the conversation. + +## **Anonymity Analogy** + +![](anonymity.png) + +Here in this case, we can say that the person talking to Alice is Anonymous from Jack's perspective, until he can figure out who he really is. Until that someone makes an [OPSEC Mistake](../opsec/index.md) (such as saying out loud his real name, or where he lives), he remains Anonymous. + +## **Plausible Deniability Analogy** + +![](plausibledeniability.png) + +## **Centralisation, Federation and Decentralisation Analogy** + +![](centralisation.png) + +Here, a profit Company offers an online service (such as Twitter) for their own profit, most often they will do everything they can to keep as many users on their service, in order to gather as much personal information about them as they can, for their own profit. + +![](federation.png) + +A federated service can be considered as semi-decentralised, due to having a company running the main instance that contains a huge amount of users, while other instances can be ran by individuals with a smaller amount of users. The federation means that instances connect to each other so that individual B may talk to individual A, or individual C. + +![](decentralisation.png) + +We can say that a service is decentralised when individuals are running the services themselves, and offering them back to the individuals, without any profit company coming into the picture. + +## **Security Analogy** + +![](security.png) + +Here in this case, we can say that the door is secure because it protects Alice and Bob's conversation from Jack's attempts to hear the contents of the conversation. + +## **0days Analogy** + +![](0days.png) + +Bob and Alice are supposed to have their conversation protected by a closed door, but Jack has an 100% sure way of breaking down the door, no matter how they try to reinforce the door, There is nothing Bob and Alice can do about it. + diff --git a/aps/plausibledeniability.png b/aps/plausibledeniability.png new file mode 100644 index 0000000..04160d4 Binary files /dev/null and b/aps/plausibledeniability.png differ diff --git a/aps/privacy.png b/aps/privacy.png new file mode 100644 index 0000000..8887ff0 Binary files /dev/null and b/aps/privacy.png differ diff --git a/aps/security.png b/aps/security.png new file mode 100644 index 0000000..e03ade7 Binary files /dev/null and b/aps/security.png differ diff --git a/ce0.png b/ce0.png new file mode 100644 index 0000000..3dc87e2 Binary files /dev/null and b/ce0.png differ diff --git a/ce1.png b/ce1.png new file mode 100644 index 0000000..5a59933 Binary files /dev/null and b/ce1.png differ diff --git a/ce2.png b/ce2.png new file mode 100644 index 0000000..e59b82c Binary files /dev/null and b/ce2.png differ diff --git a/chainalysisattempts/1.5.png b/chainalysisattempts/1.5.png new file mode 100644 index 0000000..6a8baff Binary files /dev/null and b/chainalysisattempts/1.5.png differ diff --git a/chainalysisattempts/1.png b/chainalysisattempts/1.png new file mode 100644 index 0000000..545502d Binary files /dev/null and b/chainalysisattempts/1.png differ diff --git a/chainalysisattempts/2.png b/chainalysisattempts/2.png new file mode 100644 index 0000000..8a533f2 Binary files /dev/null and b/chainalysisattempts/2.png differ diff --git a/chainalysisattempts/index.md b/chainalysisattempts/index.md new file mode 100644 index 0000000..3a83278 --- /dev/null +++ b/chainalysisattempts/index.md @@ -0,0 +1,69 @@ +--- +author: nihilist +date: 2024-09-07 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/96" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why can't I trust Centralised Exchanges, and random Monero nodes ? + +As of September 5, 2024 sech1 posted on monero.town the following [post](https://monero.town/post/4220893), which was a repost of the following [reddit post](https://redlib.nowhere.moe/r/Monero/comments/1f8jv6w/comment/llnyemp/?context=3) talking about a leaked Chainalysis meeting video about what was their progress on tracing monero transactions back in August 2023. This is a great opportunity to highlight the opsec weaknesses they are targeting so let's dive into it. + + + +## **Chainalysis are running malicious monero nodes** + +The main attack vector of Chainalysis is their honeypot monero nodes. Meaning there are monero nodes out there (even though their IPs didnt get mentionned in the meeting), that ARE malicious. + +![](1.png) + +So the first thing to be aware of is that you can't just trust random remote nodes. Chainalysis IS running an unknown amount of malicious monero nodes out there, to spy on users that decide to trust them. **Therefore, I strongly suggest that[you run your own monero node](../monero2024/index.md), and use only that node. Run it from home, or [from a remote server](../anonymousremoteserver/index.md), but run your own!** + +## **Chainalysis targets IP addresses and behavior anomalies (such as non-default fees)** + +![](1.5.png) + +Now, if you decide to trust a random remote node that is not yours, and let's say you decide to trust one of their malicious nodes, you need to be aware that they can see: + + 1. The timestamp of each transaction + + 2. The transaction behavioral characteristics (the number of inputs, outputs, the fee structure (1x, 10x, 100x, etc) + + 3. Which IP address is connecting there (clear attack on dandelion++), and it's latency. + + + + +Therefore, **if you decide to trust a remote monero node, at least keep Tor in between you and the malicious node** to maintain your anonymity, **use the .onion monero nodes preferably!** , And I also recommend that you leave the default fee option when you want to send monero somewhere**. + +But **so far they cannot tell how much you are sending or recieving** , because you are not touching centralised exchanges (assuming you are using [Haveno DEX](../haveno-client-f2f/index.md) to buy or sell Monero)). + +## **Chainalysis targets centralised exchanges that have KYC procedures** + +As [I have mentionned many times previously](../govfear/index.md), Businesses can all be governmental proxies to do their bidding. **Centralised exchanges are businesses too, they also comply with their requests.** Or in their own words, they are "Subphoenable entities". But guess what, **these very Centralised Exchanges are forced to use Chainalysis' malicious monero nodes too!** + +![](2.png) + +Therefore if you decide to trust one of those popular Centralised Exchanges to buy / sell monero, the implications are way, way worse than what we previously explained; + +Those centralised exchanges all comply with the requests of governmental entities such as FBI, LA, Robinhood, IRS-CI, UNK and of course Chainalysis, **and due to that fact alone you cannot trust them**. + +If you decide to trust a popular centralised exchange, you'll first see that **it'll run you through KYC procedures (and if it doesn't, rest assured that they will eventually be forced to do so).** That is to deanonymize you, and to know who to blame if ever asked by the authorities. **NEVER KYC IF YOU WANT TO REMAIN ANONYMOUS!** + +This meeting of theirs has been preety revealing, not only do these centralised exchanges give out everything they have about their users to Chainalysis (as "Transactions of interest", **mentionning the amount transacted** , the **transaction ID** , and **who transacted**) But it's also naming a few of THOSE very centralised exchanges that are now confirmed to actually comply with their requests: + + + Changenow, + FixedFloat, + Morphtoken, + Exodus, + Swaplab, + Coinomi + + + +The info of whatever you did so far, and will ever do on those centralised exchanges, be warned, is being handed over directly to the authorities. (Timestamp 26:02 to 26:47) in the video. **This list is most likely (as of a year later, in september 2024) way bigger, they are eventually going to force every centralised exchange out there to implement KYC procedures and comply to their deanonymization requests.** + +My recommendation, once again is the same as i have mentionned [previously](../finances/index.md): If you want to use a centralised exchange, you are shooting yourself in the foot. **Stop using centralised exchanges and use decentralised exchanges, such as[Haveno DEX](../haveno-client-f2f/index.md).** + +If you want to use a centralised exchange anyway, **remain anonymous when doing so (at least keep Tor in between you and the service, and never KYC yourself there)** , but remain aware that you will eventually have to move to decentralised exchanges sooner or later, because they are not going to stop until every centralised exchange out there complies with their demands. + diff --git a/chats/0.png b/chats/0.png new file mode 100644 index 0000000..94e832a Binary files /dev/null and b/chats/0.png differ diff --git a/chats/1.png b/chats/1.png new file mode 100644 index 0000000..9299844 Binary files /dev/null and b/chats/1.png differ diff --git a/chats/2.png b/chats/2.png new file mode 100644 index 0000000..52523bd Binary files /dev/null and b/chats/2.png differ diff --git a/chats/3.png b/chats/3.png new file mode 100644 index 0000000..1cd22da Binary files /dev/null and b/chats/3.png differ diff --git a/chats/4.png b/chats/4.png new file mode 100644 index 0000000..70a5a03 Binary files /dev/null and b/chats/4.png differ diff --git a/chats/5.png b/chats/5.png new file mode 100644 index 0000000..7f86eb1 Binary files /dev/null and b/chats/5.png differ diff --git a/chats/6.png b/chats/6.png new file mode 100644 index 0000000..53ec3a6 Binary files /dev/null and b/chats/6.png differ diff --git a/chats/index.md b/chats/index.md new file mode 100644 index 0000000..2550559 --- /dev/null +++ b/chats/index.md @@ -0,0 +1,103 @@ +--- +author: XMRonly +date: 2025-04-19 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/232" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# Public Chats / Private Chats / Anonymous Chats / Deniable Chats + +![](0.png) + + + +## **Introduction** + + + + +When discussing the topic of OPSEC, an important concept that inevitably arises is compartmentalization. Broadly speaking, compartmentalization can be defined as separating different activities into different buckets in order to prevent them from being linked together. This concept is perhaps most commonly seen using online emails. You may want one email for all of your social media, a different email for all of your online purchases and a different email still for all health related items. This same concept can be applied to your online chats. In this tutorial, we will explore the different types of chats, how to compartmentalize them based on their contexts and when each one is optimal to use. + +## **OPSEC Requirements in Chats** + +Another thing to note is that there are a ton of chat apps out there, and as we have explained [previously](../opsec4levels/index.md), depending on the level of Operational Security you are aiming for (wether it is privacy, anonymity or deniability), **the tool has to meet certain criterias to be suitable for the intended use**. + +![](../opsec4levels/0.1.png) + +As you're going to see shortly, depending on the types of chats you want to have, the chat platform you use is very much dependant on meeting the OPSEC requirements to match the intended uses. + +## **Types of Chats** + +The chart below describes 4 different types of chats. They are separated by their unique characteristics, and a brief description is provided along with technical details and some pros/cons for each category. + +| **Public Chats**![](../logos/su2.png) | **Private Chats**![](../logos/su0.png) | **Anonymous Chats**![](../logos/on0.png) | **Deniable Chats**![](../logos/de0.png) +---|---|---|---|--- +Description | A conversation that is viewable by anyone, taking place in a public medium | A conversation whose contents are known only to the participants | A conversation where some/all of the participants are not know by their real identities | A conversation that cannot be proven to have taken place +Example | Alice and Bob speak in a sports stadium | Alice and Bob speak in a private glass conference room at work | Alice speaks to a mysterious man in a trench coat | Alice speaks to Bob but there is no record of their conversation or proof of what was said +Technical Requirements (Online) | -None. **(everything you say is public knowledge)** | **-FOSS Software** +**-E2EE is required** -You can self-host the chat server yourself![](../logos/ce0.png) | -FOSS Software +-E2EE is required +**-Upon signup, requires no phone numbers, no user IDs, and no IP address linkability (using Tor) +** | -FOSS Software +-E2EE is required +-Upon signup, requires no phone numbers, no user IDs, and no IP address linkability (using Tor) +**-Disappearing messages** +Pros | -Easiest to achieve +-No restrictions +-Suitable for any environment | -Contents of the conversation are visible only by the participants +-Many apps now implement E2EE | -May assume different anonymous identities for different conversations +-Suitable for exploring controversial topics +**-Anonymity is possible in public chats too!** | -Off the record +-No history of the conversation +-Suitable for sensitive topics +Cons | -Anything said can be linked to your real identity | **-very few chat apps are FOSS on both the clientside and the serverside** -The identity of the participants are known +-May still be known the conversation took place +-May be able to build patterns based on conversations | **-even fewer chat apps can be used to sign up anonymously** -Deanonymization may happen based on what the anonymous party says | -Can't read the history of the chat beyond the time limit + + + + + +![](1.png) + +As with many things, these chats exist on a spectrum between being more convenient and being more secure. + +## ![](../logos/su2.png) **Public Chat Example** + +Let's take a look at a few examples to illustrate these concepts. First up is a **public chat** similar to what you'd find online, on social media, in public chat rooms, etc. + +![](2.png) + +This conversation, tied to Alice and Bob's real identities, is visible for anyone to see. Public chats such as this one pose the smallest barrier to entry as they can take place anytime/anywhere. Any information discussed, such as their plans together next weekend and mode of transportation, are now publicly known by anyone present at the time of the conversation. Alice and Bob may openly show their support for their favorite football teams, but what if there was some information they didn't want others to know? + +## ![](../logos/su0.png) **Private Chat Example** + +For discussions involving information that is not necessarily meant for everyone to know about, we have **private chats**. In private chats, participants may still use their real identities, but the key differences is that the information is only accessible between the parties chatting and nobody else as the conversation is End-to-End Encrypted (E2EE). + +![](3.png) + +Alice may be uncomfortable announcing to the world she's short on cash at the moment, but can confide in her friend Bob with this information. In this private chat, only Alice and Bob know what was discussed and a record of this conversation exists. Luckily many popular chat apps are starting to implement E2EE, but without also including metadata protections, patterns can still be gleaned based on which contacts you are talking to and how often. But there may be situations where someone may not want you to know who they are when they're speaking with you. What happens in that situation? + +## ![](../logos/on0.png) **Anonymous Chat Example** + +For discussions where one participant (or multiple participants) don't want the conversation tied in any way to their real identity, we have **anonymous chats**. With increasing OPSEC requirements comes the need for more specialized software, which may be more inconvenient for certain people. + +![](4.png) + +In this example, Alice is speaking with someone who doesn't want to have their persona tied to their real identity (the participant is using an incognito profile). The nature of the conversation may include controversial topics such as insider information. To achieve an anonymous chat, there must specifically be no user identifiers and no IP address linkability. An added benefit of having no user identifies is that a person can create disposable personas on the fly and use a different anonymous identity for each new conversation. But what if we need to communicate and can leave no trace of the conversation ever having taken place? + +## ![](../logos/de0.png) **Deniable Chat Example** + +For the next step up, **deniable chats** , we must build on everything we've discussed up to and further employ disappearing messages. This is the only chat type suitable for discussing sensitive topics. + +![](5.png) + +When Alice starts up this chat, she selects using a new incognito profile. Additionally, she navigates the chat settings to enable disappearing messages and sets a desired timeframe. + +![](6.png) + +The icon next to the contacts name denotes Alice is speaking anonymously in this chat, and the timer in the chat denotes how long until the conversation messages auto-delete for all participants. After 24 hours, the contents of this chat will appear blank thus providing **plausible deniability** for all participants. This type of chat requires not only the specialized software, but also adjusting some settings to achieve, making it the most secure but also the most inconvenient of chat types discussed. + +## **Conclusion** + +By compartmentalizing our chats based on our different requirements we can prevent topics we want to keep private from overlapping with our real identities. The advanced configurations discussed in this tutorial may cause some friction during setup, but the intuitive user interface makes it manageable for anyone willing to give it a try. More advanced users should look into [self-hosting their own SimpleX servers](../privatesimplex/index.md) and [routing traffic through Tor](../anonsimplex/index.md). + diff --git a/clearnetvsdarknet/1.png b/clearnetvsdarknet/1.png new file mode 100644 index 0000000..6d32e8c Binary files /dev/null and b/clearnetvsdarknet/1.png differ diff --git a/clearnetvsdarknet/2.png b/clearnetvsdarknet/2.png new file mode 100644 index 0000000..05f80dd Binary files /dev/null and b/clearnetvsdarknet/2.png differ diff --git a/clearnetvsdarknet/3.png b/clearnetvsdarknet/3.png new file mode 100644 index 0000000..3c5e00f Binary files /dev/null and b/clearnetvsdarknet/3.png differ diff --git a/clearnetvsdarknet/4.png b/clearnetvsdarknet/4.png new file mode 100644 index 0000000..9f1d4c4 Binary files /dev/null and b/clearnetvsdarknet/4.png differ diff --git a/clearnetvsdarknet/index.md b/clearnetvsdarknet/index.md new file mode 100644 index 0000000..0453666 --- /dev/null +++ b/clearnetvsdarknet/index.md @@ -0,0 +1,77 @@ +--- +author: nihilist +date: 2024-12-02 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/169" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why is the Darknet superior to the Clearnet ? + +![](1.png) + +In this tutorial we're going to explain the differences between the two, and explain why you should host your services on the Darknet rather than the Clearnet. + + + +## **What do I need to have a website ?** + +The first clear difference you should be aware of is what you need to have a clearnet website, and a darknet website: + +![](2.png) + +To self-host a Clearnet website, you need you need a home server, elecricity, an internet connection, **to port forward the website somewhere (on your home router or on a paid VPS), to make it accessible from outside your network** , and a clearnet domain which is also paid. + +And on the other hand, to self-host a Darknet website, you need to have a home server, elecricity, and an internet connection. Simple, minimal, and way easier. You're only going to need to pay for your internet connection and elecricity consumption. + +## **What is my attack surface ?** + +In other words, **What can the adversary do, to take down my website ?** + +![](3.png) + +If you have a clearnet website, the attack surface is much much larger than that of a Darknet website, as the adversary can order the registrar to take down the clearnet domain, or they can order the cloud provider to take down the VPS, and since it is not anonymous by default, they can also just figure out where the real server is by busting down your door to harass you and your users. **Just because your government didn't do that up until now doesn't mean they won't do it in the future when they pass new unjust laws.** + +And on the other hand, if your website was a Darknet one, your attack surface would be have been truly minimal. No way for the adversary to figure out where the server is, nor figure out where the users are, no third-party that they can suphoena (no cloud provider, no registrar). In this case, **The adversary is forced to do some guess work** to figure out where the server is. + +## **The Centralisation Industry** + +As i have stated many times [previously](../govfear/index.md), every business out there is a potential proxy for a government to do their bidding. **In the usecase where you are choosing to use the clearnet to publish your website, you, your website and your users are at the mercy of a government.** + +Take it from the point of view of a tyrannical government, isn't it very convenient for them to simply to make the authorities just send a mail to a business to order some the websites to be taken down ? + +![](../governments/3.png) + +That is how it is when you are hosting websites on the clearnet, **for tyrants, the identity of whoever hosts the website, and who their users are matters, because they want to know where to shoot** when they want to harass someone for running (or using) a website online. + +KYC procedures are all over the place whenever you want to have elecricity, an internet connection, a VPS, and a clearnet domain. **With every KYC procedure that you complete, you are giving a tyrannical government another target for them to throw darts at you.** In other words, you are increasing your attack surface, making yourself vulnerable for the adversary to reap the fruits of your misplaced trust, whenever they feel like the time is ripe. + +Now let's address the elephant in the room, _Search Engines_. While it is true due to the sheer size of the centralisation business that the clearnet is that your website will have more visibility on the clearnet, rather than on darknet as things are currently. **But if there were more users on the Darknet than there were on Clearnet, your website would have more visibility being on the Darknet in the same way.** In the meantime, Darknet Search Engines are vital for the darknet use expansion. + +After all, what kind of guy are you ? Are you seeking fame, profit, and governmental approval ? Or are you someone that is willing to sacrifice a little bit of fame, because you value your actions more than your public image? **If you ask me, it doesn't matter who you are,[what matters is what you do](../../productivity/sum-nihil/index.md)** + +To host a darknet website means that you don't care who your users are, nor are you letting your ego block the way of your actions, as what matters in the end is what you do. + +## **The Exodus Towards Freedom** + +I may be naïve, but i have faith that when enough people make the switch from clearnet to darknet like we are about to do on Nowhere.moe, **we might one day make the internet a platform of freedom again.** + +**The Darknet IS the ideal place to be** , no matter how negatively it has been portrayed in the past by propagandists. **Just because it is out of reach of governmental tyranny doesn't mean it should be demonized because of a few bad actors** , + + + Should owning knives be demonized and be made illegal because a few serial killers have used them to cause harm to others ? + + No, a tool is not to be blamed for the misuse of a perpetrating third-party. + + **Tor is a tool, and so is Monero, It is normal to use tools.** It is not to be blamed because of a few bad actors. + + + +nor should everyone keep making themselves vulnerable to governmental intervention on the clearnet. Leaving yourself vulnerable to harassment should not be considered normal, it will come back to bite you when your government decides to snap and make an example out of you when they decide that you're no longer fitting into their political dogmas. + +![](4.png) + +Stay outside of governmental control by leaving the clearnet for good, and embracing the darknet instead. Just because you are on the darknet doesn't mean you need to do illegal activities either, **It is a matter of remaining outside of tyranny first and foremost.** If we are indeed heading for this free internet that i envision, it is only a matter of time until operational security eventually becomes common sense, and everyone joins in aswell. + +We encourage you to do the same as we are doing. Leaving the clearnet behind, publicly stating to your users that from now on the only way to reach the website is via the Darknet, and eventually **completely opting out of the centralisation industry.** Instead, in the same way as [xmrbazaar.com](https://xmrbazaar.com) is out there trying to make the use of monero common-sense and normal, **we should be making the use of Tor and Darknet as normal as it is to use the Clearnet, without demonizing it.** + +All that is needed is a little change of habits for you and your users, to learn how to use the [Tor browser](../torbrowsing/index.md), and to learn [how to use it safely](../torthroughvpn/index.md). The Tor network also depends on the community, meaning people like you and me should [run Tor nodes](../tor/relay/index.md) to keep the network alive, decentralized and well. **I'm sure that if every Tor user was running a Tor node, the entire network would be at least 1000 times bigger.** Everyone has a role to play, consider spending a few bucks every month to run a Tor node (on a VPS or not, it can also run from home) + diff --git a/closedsource/1.png b/closedsource/1.png new file mode 100644 index 0000000..ce8e1e3 Binary files /dev/null and b/closedsource/1.png differ diff --git a/closedsource/2.png b/closedsource/2.png new file mode 100644 index 0000000..1f9f37f Binary files /dev/null and b/closedsource/2.png differ diff --git a/closedsource/3.png b/closedsource/3.png new file mode 100644 index 0000000..347a309 Binary files /dev/null and b/closedsource/3.png differ diff --git a/closedsource/4.png b/closedsource/4.png new file mode 100644 index 0000000..5e3c29f Binary files /dev/null and b/closedsource/4.png differ diff --git a/closedsource/5.png b/closedsource/5.png new file mode 100644 index 0000000..92b3b70 Binary files /dev/null and b/closedsource/5.png differ diff --git a/closedsource/6.png b/closedsource/6.png new file mode 100644 index 0000000..b80957a Binary files /dev/null and b/closedsource/6.png differ diff --git a/closedsource/7.png b/closedsource/7.png new file mode 100644 index 0000000..8e7c21b Binary files /dev/null and b/closedsource/7.png differ diff --git a/closedsource/8.png b/closedsource/8.png new file mode 100644 index 0000000..82df8c9 Binary files /dev/null and b/closedsource/8.png differ diff --git a/closedsource/9.png b/closedsource/9.png new file mode 100644 index 0000000..73cc015 Binary files /dev/null and b/closedsource/9.png differ diff --git a/closedsource/index.md b/closedsource/index.md new file mode 100644 index 0000000..e85cd58 --- /dev/null +++ b/closedsource/index.md @@ -0,0 +1,177 @@ +--- +author: nihilist +date: 2024-04-29 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/261" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why can't I trust closed source software for Privacy? + +"Hey, I just wrote this code, I compiled it, it gave me this .exe file, run it on your computer! + +What? You want the source code? Hell no, just trust me bro!" + +Or in other words, why can't I trust an adversary to not look at me when i install one of his cameras in my bedroom? + + + +## **What is closed source software?** + +To briefly explain, any software out there was first written (a developer wrote some source code, for example in the Go language), it was then compiled, and then the compilation produced a binary file (for example it became a .exe file on windows) + +![](1.png) + +The catch here is that when you try to reverse-engineer binary files, it's going to be very hard to figure out what the original source code was. This practice is called [Reverse Engineering](https://blog.nowhere.moe/binexp.html), a niche in cybersecurity, where someone tries to figure out what the original sourcecode was intended to be, with only the binary to work with. + +One thing is for sure: you can't arrive at the original sourcecode from just the binary. It's mostly guess work. + +Most software companies (which can be corporations) out there are greedy, they work hard to produce software, and they hate to have any competition. Hence they want keep their software sourcecode private, to make it as hard as possible to others to arrive at the same level of functionality. That is exactly why closed source software is used by most people. + +The most popular example out there is Windows, they would definitely not like their sourcecode to be leaked/reversed like it with [Apple's IOS](https://www.theverge.com/2018/2/8/16992626/apple-github-dmca-request-ios-iboot-source-code). + +## **Privacy Is not a Spectrum** + +Like we have explained [previously](../privacy/index.md), privacy is binary, you are either being watched, or you are not being watched. + +![](6.png) + +[Whoever tries to tell you that "Privacy is a spectrum"](https://discuss.privacyguides.net/t/should-privacy-guides-require-open-source-source-first-or-source-available-as-a-criteria-for-all-tools/22684/83) are just trying to justify that you should leave at least some closed source software on your computer if you don't feel like it, in the name of convenience. + +**No you should not, you either have privacy or you don't.** You definitely do not have privacy when there are 100 cameras from 100 different adversaries in your bedroom, **and it is the same thing as with leaving ONE camera from ONE adversary in your bedroom** , the simple fact remains, **you do not have privacy as long as there is at a camera pointed at you.** + +![](4.png) + +When you have Windows installed, you constantly have a 100 cameras pointed at you, no matter what you do on the OS. + +When you have MacOS installed you may have 70 cameras pointed at you, you don't have privacy there all the same. + +You may have linux installed with only FOSS software, except that you have installed one closed-source software such as Discord, meaning you have only one camera pointed at you, **and because of that one closed-source software you didn't remove yet, you don't have privacy either.** + +![](5.png) + +So when you go on communities online that pretend to talk about privacy, you need to remain vigilant to what they recommend you should do, If at any point in time it includes doing something on Windows or macOS or using any other closed-source software to have privacy, **you need to realize that they are trying to mislead you into a false sense of privacy** as shown in the examples above. + +_TLDR:_ you will never have privacy until you remove ALL of the cameras in your bedroom, you do not have privacy when you have 75 cameras, nor when you have 1 camera remaining, This means that **you only have privacy once you have removed all closed-source software from your computer, and that includes permanently getting rid of MacOS and Windows** + +## **Why is this relevant for Privacy?** + +Privacy as a usecase on your computer requires that you only run software from which you are able to read the sourcecode of: + +I can just as easily write a software (let's say a chat application like Telegram), **I can make that software grab as much information as possible** like save the computer model, serial number, get information on what other apps are running on your computer, what's the public IP address, take screenshots of what you're doing on your computer, **and I can make that application send all of that sensitive information to a remote server, while officially pretend that the additional network traffic is for "for telemetry purposes"**. + +All i need is to simply prevent you from being able to read the sourcecode, that way you have no way to disprove that this isn't actually telemetry. + +What's happening is that you have no visibility on what the software is doing, **it is not transparent** + +That's why the first step is always to ONLY use software that is fully free and open source (FOSS), **so that you are at least ABLE to know what the software you are running is actually doing.** To be able to achieve Transparent use. + +![](3.png) + +Once that's in check, you should spend some time to read the sourcecode of the software you are running. Or at the very least listen to what other privacy-minded people have to say about each piece of software. **So that you are able to know that the software does not contain any spying mechanism.** + +If you find any software that actually does telemetry or any other spying mechanism, **you should remove it from your computer, if you intend to have privacy there**. + +It is only once you destroy all the cameras in your bedroom, and once you close all the blinds that the adversary outside can't peek into what you're doing in your bedroom. **In the same way, closed-source software is exactly the same, a camera for an adversary (the manufacturer of that software, or the government that they act on behalf of) to peek into what you're doing on your computer.** + +![](../privacy/3.png) + +Keep that in mind, as this is the ABC of OPSEC you'll have to remember throughout the rest of the next blogposts i write, On any device of yours, there is only one type of acceptable software for Privacy, and that is FOSS software. It has always been this way, and will always remain this way. + +If at any point in time you see people recommend closed-source software for privacy purposes, **you need to realize that they are either misled or are actively trying to mislead you into a false sense of security** , and you should remind them that **[privacy and closed-source software are mutually exclusive.](https://discuss.privacyguides.net/t/should-privacy-guides-require-open-source-source-first-or-source-available-as-a-criteria-for-all-tools/22684/62)** hence the non-negotiable need of using FOSS software for privacy. + +## **Security in FOSS** + + + + + +Open Source Software is **essential for security.** + +A common argument made for closed source software is that it is 'more secure', often brought up in disagreements like iPhone vs Android or the general Company Software vs Community FOSS debate. + +In reality, **security is compromised and reduced when software is closed source.** + +We have to first understand that perfect security is not possible. There will always be potential vulnerabilities in any software regardless of what it is. This what security patches and updates are for, changing of the software to fix issues. + +Let's compare Apple's MacOS vs the Linux Kernel as an example to display why open source is better for security. Below is an image of the top section of of Apple's security page for MacOS Sequoia 15.4. + +![](7.png) + + + + +Although we get brief confirmation that the listed vulnerability has been fixed, **we cannot actually verify the patch.** We have to trust that it has been fixed reliably in the MacOS source code and none of the questions listed above are answerable. + +This opens up several questions or even threat vectors. If the patch was not done properly and created a new vulnerability, we would not be able to tell. Or if a malicious government/adversary pressured them into adding a **backdoor or spyware** into a patch, we similarly would have no way of knowing. Put simply, nearly **all specifics of updates are opaque and only known to the developers.** + +Below is an image of the Linux kernel's git history. + +![](8.png) + + + + +Unlike the one sentence security patches on the MacOS page, you can see **every single line of code that was changed** in each commit of the Linux kernel. This transparency and visibility is very important for security. + +Firstly, unlike only the Apple developers being able to patch security vulnerabilities or review the source code, **anyone can review the source code** of the Linux kernel. This means that vulnerabilities can be **searched for in the source code itself instead of just on the application layer.** The concept of security through obscurity or purposefully making software closed is flawed since that does not actually solve existing vulnerabilities. + +Having source visible almost always leads to high security since anyone can **submit patches** after their code review if they found an issue. Compared to just a single developer team for the closed source software, **the number of eyes** on the code of a piece of open source software is much higher, which means **more code review and more safety testing** , ultimately leading to greater security. + +![](9.png) + + + + +Moreover, the visibility is crucial: Apple can claim they fixed a critical security issue but as mentioned, we cannot review the code ourselves to check if it properly fixes it or of there is spyware/a backdoor. In open source software, we can **verify the update and make sure there isn't any spyware ourselves.** + +The **transparency and availability** in open source software provides **auditable, trustable changes** and the **best possible security**. + +## **Spyware example, and how to replace it** + +**Discord: a Privacy Nightmare** + +Let's take a popular example: [Discord](https://spyware.neocities.org/articles/discord) as detailed in their article on spyware watchdog, it's one of the worst pieces of spyware out there. It's sourcecode is not public, and they confirm that they collect large amounts of sensitive user data (as much as they can). + +Discord even goes out of it's way and contains a process logger to spy on what you do on your computer. + +That service even forces you to add a phone number in case if it suspects you tried to create an account anonymously (via a vpn or via tor). + +You get it, it's a nightmare for privacy and anonymity there is out of the question. The perfect governmental proxy to spy on the masses. + +**SimpleX : The Decentralised and Open Source Alternative** + +Take the counter example, [SimpleX](https://simplex.chat/) is an [open source](https://github.com/simplex-chat/simplex-chat) chat application. Meaning if there were any spyware to be baked into the software, you would see it in the sourcecode, and rest assured the entire open source community would go into huge turmoil to blame the developers and you would know it. + +![](2.png) + +## **Remove surveillance using Open-Source Software** + +To conclude, here are the requirements you need to look for, for any software that you use: + + 1. It must be FULLY free and open source (FOSS) + + 2. Ideally, if servers are involved, it must be self-hostable (for decentralisation) (meaning the serverside code must also be fully open-source) + +([see how this is no longer the case with Signal](https://www.change.org/p/signal-foundation-resume-open-source-code-for-signal-server-do-not-close-source-it)) + 3. It must implement privacy features like encryption. + + 4. It should not contain any telemetry, or any spyware. + + 5. It should ONLY do what it was originally meant to do. + + + + +By that standard, you can already discard software like Windows, Discord, Whatsapp, Instagram, iOS, pre-installed phone host OSes, Word, Excel, etc, as none of them are open source, and you can be damn sure that they are spying on everything you do, wilfully or not. (ever since the US government passed the [FISA section 702](https://www.dni.gov/files/icotr/Section702-Basics-Infographic.pdf).) + +**YOU CAN NEVER TRUST PEOPLE.** + +**SO YOU CAN'T TRUST THEIR CLOSED SOURCE SOFTWARE.** + +**YOU CAN ONLY TRUST TECHNOLOGY THAT CAN BE VERIFIED!** + +**SO YOU NEED TO USE OPEN SOURCE SOFTWARE!** + +![](../privacy/1.png) + +Now that you have the full reasoning laid out, and [if being watched by an entire crowd when you are using your computer doesn't sit well with you](../privacy/index.md), it's time for you to move out of all that surveillance, out of that theater/circus that is closed-source software (in which you are the clown on stage, for corporations to see), **it's time for you to close the blinds and declare that the show is over** to these entire crowds that have infringed upon your basic right of privacy. [It's time to install Linux](../linux/index.md). + diff --git a/cloud_provider_adversary/2.png b/cloud_provider_adversary/2.png new file mode 100644 index 0000000..f8945f3 Binary files /dev/null and b/cloud_provider_adversary/2.png differ diff --git a/cloud_provider_adversary/3.png b/cloud_provider_adversary/3.png new file mode 100644 index 0000000..1cbcbe2 Binary files /dev/null and b/cloud_provider_adversary/3.png differ diff --git a/cloud_provider_adversary/4.png b/cloud_provider_adversary/4.png new file mode 100644 index 0000000..30fe011 Binary files /dev/null and b/cloud_provider_adversary/4.png differ diff --git a/cloud_provider_adversary/5.png b/cloud_provider_adversary/5.png new file mode 100644 index 0000000..44d4951 Binary files /dev/null and b/cloud_provider_adversary/5.png differ diff --git a/cloud_provider_adversary/6.png b/cloud_provider_adversary/6.png new file mode 100644 index 0000000..236be7d Binary files /dev/null and b/cloud_provider_adversary/6.png differ diff --git a/cloud_provider_adversary/7.png b/cloud_provider_adversary/7.png new file mode 100644 index 0000000..7d9b31d Binary files /dev/null and b/cloud_provider_adversary/7.png differ diff --git a/cloud_provider_adversary/diagram.png b/cloud_provider_adversary/diagram.png new file mode 100644 index 0000000..1b92ede Binary files /dev/null and b/cloud_provider_adversary/diagram.png differ diff --git a/cloud_provider_adversary/index.md b/cloud_provider_adversary/index.md new file mode 100644 index 0000000..aef2b6d --- /dev/null +++ b/cloud_provider_adversary/index.md @@ -0,0 +1,206 @@ +--- +author: Mulligan Security +date: 2025-02-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/36" +xmr: None +--- +# **When the Adversary is the cloud provider himself** + +Since the 2010's VPS have become cheaper and widely available. From your local mom and pop datacenter where you can rent a baremetal Pi equivalent to highly secured Amazon datacenters and on-demand cpu/bandwidth allocation you can now find a broad range of options for your operational and security needs. + +If clandestinity is a requirement, there also are cryptocurrency-based options in jurisdictions without LEO cooperation treatises with your own. + +But, **what if the adversary is already inside?** +in this post we are going to do a threat modelling exercise: + + + + 1. Context and assumptions: what are the capabilities of our adversary? what about our own OPSEC requirments? + 2. Threats: what the adversary might want to acomplish (their goal) + 3. Attack Scenarii: a quick list of possible attacks + 4. Mitigation measures: what we can do to make those attack uneconomical, harder + + + +**Let's start with an image to visualize exactly what the trust and security boundaries are in such a setup** + +![](diagram.png) + + + +# **Context and assumptions** + +## **Setting up the scene** + +Alice wishes to start hosting a coordination platform for her activist group, but she doesn't want to host the platform herself for the following reasons: + + * Shes does not want to have incriminating data in her house + * She is unable to provide the required level if high availability for her group's safety and operational standards + * She has limited bandwidth/electricity to devote to her cause + + + +She gets in touch with Bob, owner and operator of Bob's friendly datacenter, and orders from him a VPS (Virtual Private Server). Bob's pretty open-minded so Alice is free to use whatever OS she wants, gets a public IP. + + + +## **Enters Leo** + +One day Bob's phone rings, it's Leo calling! Leo asks Bob to confirm that he indeed has Alice as a customer. Without further ado, Leo pays Bob a visit! After entering the premises and showing a government agency badge, Leo asks for complete access to Bob's infrastructure and binds him with a gag order to make sure no one hears about his investigation. Even if Bob is sympathetic to Alice or wishes to protect his customers he would now run afoul of his country's laws if he were to warn them. Leo might have been nice to him but he is not to be trifled with... + +## **What can Leo do to Alice's server?** + +Commandeering an office in Bob's datacenter, Leo gets to work. He has plenty of options: ![](2.png) + + 1. _Network sniffing:_ Leo can capture and log ALL trafic related to Alice's activity inside Bob's datacenter, so he will know the IP of everyone interacting with her platform + 2. _Firmware/hardware attacks:_ during maintenance windows, Leo could tamper with the BIOS/UEFI of Alice's server (if she had chosen a bare-metal option), or with her server's storage devices in order to deactivate encryption or exfiltrate data unnoticed + 3. _Memory attacks:_ **Leo is able to take snapshots of Alice's VPS RAM** to gather anything that she stores in memory. **This means that Leo is able to retrieve the disks' encryption keys which are stored in memory, and use it to view the disks' contents.** +![](3.png) + 4. If Alice had chosen a bare-metal server instead Leo would have to refrigerate the RAM sticks, cut the power and then extract the RAM sticks in order to retrieve same data, but such an attack would be much harder to carry out compared to doing the same to a VPS. + + + +# **Alice's threat model** + +Alice is very happy with her new deployment. The platform runs great and her team has started using it in earnest. Still, the bond of implicit trust that now exists between her and Bob bothers here. She decides to do a quick threat modelling exercise to calm her mind: instead of wondering about whatifs, she is going to identify the risks associated with her current setup and find ways to mitigate them. + +## **Threats to Confidentiality** + +If Bob was dishonest (or compelled into acting dishonestly), he would be able to harvest information directly from her server's memory! (She doesn't know Leo is already hard at work) + +**Impacted assets** + + + * **Decryption keys:** (eg: her https private key, the disk encryption key, **allowing Bob to decrypt any data stored either in RAM or on the VPS' disk**) + * Any Sensitive data: (ephemeral private messages on her forum that are only kept in RAM, either in an encrypted or unencrypted form) + * Software states: (session cookies, metadata, etc) + + + +Bob could also use side-channel attacks by monitoring the underlying server's power usage or run cache timing attack to find the value of her cryptographic secret keys even if Bob's hardware allows her to store them in a dedicated secure chip! + +## **Threats to integrity** + +Someone with Bob's level of access (he is the administrator of the _hypervisor_ \- the software that runs Alice's virtual server) could also: + + * Run an [evil maid attack](https://www.vice.com/en/article/hacker-bios-firmware-backdoor-evil-maid-attack-laptop-5-minutes/): inject their own code in the bootloader, in Alice's OS image or inside the hypervisor which Alice can't monitor + * Through the hypervisor, tamper with Alice's virtual machine to compromise it + + + +## **Threats to availability** + +![](4.png) + +Having access to the physical layer of the network as well as the power grid feeding the servers, Bob could disrupt Alice's operations in the following way: + + * 0) Disconnect Alice's VM from the network or Throttle Alice's network traffic + * 1) Cut the power off to Alice's host server to perform a cold boot attack + + + +# **VPS Attack scenarios** + +# + +## **Live RAM extraction** + +### Attack + +Bob makes a RAM snapshot of the virtual machine. on a VPS it is very easy and can be done without notice. + +### Countermeasures + +**Can't be addressed without renting a bare-metal server instead.** Alice would need the baremetal server's hardware to support RAM encryption (such as [AMD SEV](https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf) and [Intel SGX](https://www.intel.com/content/www/us/en/products/docs/accelerator-engines/software-guard-extensions.html), where the idea is to store the encryption keys in the CPU directly instead of storing it in the RAM). + +## **Malicious Libvirt or Xen Interception** + +### Attack + +Bob modifies the hypervisor's behavior to manipulate network, disk, or console input/output in real time. Can inject fake SSH authentication prompts or steal plaintext database queries before they reach encrypted storage. + +### Countermeasures + +None, this would be undetectable from within the VPS. + +## **Covert Persistent Backdoor via VMState Injection** + +### Attack + +Bob can embed custom logic in the hypervisor to modify the VPS state after every reboot, reinfecting it persistently. Similar to [NSA’s DEITYBOUNCE attack](https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html), where malware implants are injected into firmware or hypervisor layers to reinfect systems post-wipe. + +### Countermeasures + +Hardly any, if the modification has been done directly in the kernel and in such a way that disables rootkit-detection or other security systems then it can't be detected or mitigated + +# **Conclusion** + +A VPS provides no privacy from a malicious cloud provider. **It is like a glass box, as long as the data stored there is encrypted from the same device, it can be decrypted by the cloud provider** + +If data is meant to remain unreadable from the cloud provider, it would need to be encrypted elsewhere, and THEN sent to the VPS. That way the cloud provider wouldn't have access to the decryption keys that would've otherwise been stored in the servers' RAM. + +Only encrypted data should transit/be stored in it and the decryption keys should never be present on the VPS itself. + +# **Bare Metal Attack scenarios** + +# + +## **Live RAM extraction** + +### Attack + +Leo has to refrigerate the RAM using liquid nitrogen, power down the baremetal server, boot onto a live USB stick, in order to extract the RAM contents that didn't get wiped out yet. ![](7.png) + +### Countermeasures + +Alice would need hardware that supports RAM encryption (such as AMD SEV and Intel SGX), **that way Leo would have to find a way to extract the encryption keys from the CPU directly** , to be able to decrypt the ram contents, to be able to decrypt the disk contents. If AMD SEV or Intel SGX is used to encrypt RAM, then he would have to ask Intel or AMD directly to get him the encryption keys that were stored in the CPU (and that is only if it's possible). + +This attack is both costly and obvious as it requires the server to go offline. Alice's decides to accept the risk for now and reevaluate based on the evolving sensitivity of the data stored on her server. + +## **BMC Exploitation** + +### Attack + +A malicious firmware update is deployed to the Baseboard Management Controller (BMC), providing stealthy persistent access and enabling future compromise of the OS or hypervisor. + +### Countermeasures + +This attack has the same issue as the previous one and could be deployed during a schedule maintenance at Bob's datacenter. Ensuring a TPM is present on the motheboard and only signed firmware updates are accepted is a first step. This wouldn't protect her from a malicious update signed with a legitimate key as some government agency could deploy. Another, better option would be to opt for a physical enclosure only she can access in the datacenter and be present during maintenance, **but physical access to the server is not possible as Alice wants to maintain her anonymity. Such enclosure would need to be monitored and trigger a server poweroff in case of breach.** + +## **Evil Maid Attack** + +### Attack + +With physical access to the server, a rogue technician could inject a rootkit into the UEFI to mainain persistance, running their code before the OS loads. + +### Countermeasures + +A physically locked enclosure such as ones used by payment processors in their datacenters would greatly reduce the likelihood of this attack. + +# **Conclusion** + +Following her analysis, Alice understands that having a VPS gives her no privacy from her cloud provider. That all of her traffic and data can easily be seen, copied or moved. **VPSes are trivial to extract data from, they are like glassboxes for the cloud provider.** + +Thus, **if Alice were to run a sensitive service on a VPS it will only ever be a short-lived one, it is only a matter of time until the cloud provider looks in the correct direction to see what Alice is trying to do on that VPS**. Such a VPS will live on borrowed time from the moment it is started because as soon as the service provider will decide to look into it it will be easily identified and shut down. + + + +This is the first strategy when it comes to running remote sensitive services: **Multiple Glassboxes Strategy:** + +![](5.png) One way to avoid such issues and the availability implications is to run a fleet of VPSes with load balancers and redirectors. That way, any instance being shutdown by the cloud provider becomes a non-event that does not impact overall availability. This requires the following: + + * _Automation:_ spinning up a new instance anonymously must be fast, (preferably automated if possible) and standardized, **in order to have at least 2 nodes running at the same time to maintain the high availability of the hidden service** + * _Logistics:_ you must identify various [non-KYC cloud provider resellers](../anonymousremoteserver/index.md) to have a way to create dormant accounts anonymously with them and schedule a "cool off" period when an instance gets shutdown + * _Monitoring:_ you must be immediately made aware when a service goes down in order to spin up a new one + + +Keep in mind that availability is only a third of the equation, integrity and confidentiality are also in jeopardy as soon as the cloud provider takes notice. You will have to put in place mitigations measures through your SOPS (standard operating procedures). ![](6.png) + +And lastly there is the second remote sensitive service strategy: **The Blackbox Strategy** + +The idea here **is to only use baremetal servers** , rather than using VPSes, in order to have as close of an access to the server's hardware as possible, to reduce the capabilities that the adversary has on the server, preventing him from seeing what the contents of that server are. + +This strategy is much more expensive as baremetal servers are not as cheap as VPSes, **but the advantage is that the cloud provider has to put in much, much more effort to extract data from the memory** (by performing a lengthy cold boot attack), in order to be able to decrypt the contents of the disks. + +The upside is that you'll have to spin up new instances way less often than you'd have to when you were using VPSes, due to how much more expensive it is for a cloud provider to figure out that you're running a sensitive service on their servers. + diff --git a/co0.png b/co0.png new file mode 100644 index 0000000..1a8e261 Binary files /dev/null and b/co0.png differ diff --git a/co1.png b/co1.png new file mode 100644 index 0000000..b7f23d7 Binary files /dev/null and b/co1.png differ diff --git a/co2.png b/co2.png new file mode 100644 index 0000000..dd59d52 Binary files /dev/null and b/co2.png differ diff --git a/compilation/1.png b/compilation/1.png new file mode 100644 index 0000000..028bb88 Binary files /dev/null and b/compilation/1.png differ diff --git a/compilation/2.png b/compilation/2.png new file mode 100644 index 0000000..70a7f79 Binary files /dev/null and b/compilation/2.png differ diff --git a/compilation/3.png b/compilation/3.png new file mode 100644 index 0000000..b3f0ee4 Binary files /dev/null and b/compilation/3.png differ diff --git a/compilation/4.png b/compilation/4.png new file mode 100644 index 0000000..175ccdc Binary files /dev/null and b/compilation/4.png differ diff --git a/compilation/5.5.png b/compilation/5.5.png new file mode 100644 index 0000000..6c8bcc0 Binary files /dev/null and b/compilation/5.5.png differ diff --git a/compilation/5.png b/compilation/5.png new file mode 100644 index 0000000..151a136 Binary files /dev/null and b/compilation/5.png differ diff --git a/compilation/6.png b/compilation/6.png new file mode 100644 index 0000000..e96a6f9 Binary files /dev/null and b/compilation/6.png differ diff --git a/compilation/7.png b/compilation/7.png new file mode 100644 index 0000000..b331293 Binary files /dev/null and b/compilation/7.png differ diff --git a/compilation/8.png b/compilation/8.png new file mode 100644 index 0000000..47df0db Binary files /dev/null and b/compilation/8.png differ diff --git a/compilation/index.md b/compilation/index.md new file mode 100644 index 0000000..d76db70 --- /dev/null +++ b/compilation/index.md @@ -0,0 +1,231 @@ +--- +author: nihilist +date: 2024-06-28 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/79" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to compile open source software + How to verify software integrity + +## _OPSEC Recommendations:_ + + 1. Hardware : PC / Laptop / Homeserver / Remote Server + + 2. OS : [Linux](../linux/index.md) + + + + +I recommend using this setup for [Private use](../privacy/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). + + + +## **Why compile even compile software yourself ?** + +as we have discussed [previously](../closedsource/index.md), software needs to first be written by a developer, then compiled to produce a binary file (like an .exe file on windows, or a binary file on debian) to be used. + +![](../closedsource/1.png) + +The largest website to find open-source software repositories is [Github](https://github.com), where we can find open source projects. + +In this case, Bob wants to have a screenshot software on debian, and he wants it to be open-source: + +![](1.png) + +Here we see that there is a popular screenshot software called "Flameshot" that is available on github: + +![](2.png) + +All of the sourcecode is available, and Bob if is concerned that there may be spyware, he can browse all of the code to check if there is any spyware in it or not. + +![](3.png) + +Next, Bob can find the compiled binaries of flameshot in the releases tab: + +![](4.png) + +But! Bob is an open-source purist, he thinks that the flameshot developers intentionally compiled the software with spyware into it, **Bob doesn't trust that they could compile the software for him, hence he wants to compile the software himself.** + +## **How to compile software (ex: C++)** + +Each software can come with different compilation requirements, make sure you read their documentation on how to compile software, for example [flameshot](https://github.com/flameshot-org/flameshot?tab=readme-ov-file#compilation) has specific instructions to compile their software: + + + [ mainpc ] [ /dev/pts/4 ] [~] + → cd Documents + + [ mainpc ] [ /dev/pts/4 ] [~/Documents] + → git clone https://github.com/flameshot-org/flameshot + Cloning into 'flameshot'... + remote: Enumerating objects: 18204, done. + remote: Counting objects: 100% (5467/5467), done. + remote: Compressing objects: 100% (339/339), done. + remote: Total 18204 (delta 5251), reused 5155 (delta 5128), pack-reused 12737 + Receiving objects: 100% (18204/18204), 23.03 MiB | 2.38 MiB/s, done. + Resolving deltas: 100% (13494/13494), done. + + [ mainpc ] [ /dev/pts/4 ] [~/Documents] + → cd flameshot + + + # Compile-time + sudo apt install g++ cmake build-essential qtbase5-dev qttools5-dev-tools libqt5svg5-dev qttools5-dev -y + + # Run-time + sudo apt install libqt5dbus5 libqt5network5 libqt5core5a libqt5widgets5 libqt5gui5 libqt5svg5 -y + + # Optional + sudo apt install git openssl ca-certificates -y + + +Now that the dependencies are installed, we start to compile flameshot: + + + [ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot] + → cmake -S . -B build && cmake --build build + -- The CXX compiler identification is GNU 12.2.0 + -- Detecting CXX compiler ABI info + -- Detecting CXX compiler ABI info - done + -- Check for working CXX compiler: /usr/bin/c++ - skipped + -- Detecting CXX compile features + -- Detecting CXX compile features - done + -- Setting build type to 'RelWithDebInfo' as none was specified. + CMake Warning at cmake/Cache.cmake:28 (message): + ccache is enabled but was not found. Not using it + Call Stack (most recent call first): + CMakeLists.txt:84 (include) + + + -- Performing Test Wall_FLAG_SUPPORTED + -- Performing Test Wall_FLAG_SUPPORTED - Success + -- Performing Test pedantic_FLAG_SUPPORTED + -- Performing Test pedantic_FLAG_SUPPORTED - Success + -- Performing Test Wextra_FLAG_SUPPORTED + -- Performing Test Wextra_FLAG_SUPPORTED - Success + Flameshot predefined color palette large: false + -- Found Git: /usr/bin/git (found version "2.39.2") + git found: /usr/bin/git in version 2.39.2 + FLAMESHOT_GIT_HASH: c1dac522 + -- Configuring done + -- Generating done + -- Build files have been written to: /home/nihilist/Documents/flameshot/build + [ 1%] Automatic MOC for target SingleApplication + [ 1%] Built target SingleApplication_autogen + [ 2%] Building CXX object external/singleapplication/CMakeFiles/SingleApplication.dir/SingleApplication_autogen/mocs_compilation.cpp.o + + [...] + + + +Here, it's starting to compile, wait for it to reach 100%, then you can run the binary file as follows: + +![]() + + + [...] + + [ 96%] Building CXX object src/CMakeFiles/flameshot.dir/tools/abstracttwopointtool.cpp.o + [ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/capturecontext.cpp.o + [ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/toolfactory.cpp.o + [ 98%] Building CXX object src/CMakeFiles/flameshot.dir/main.cpp.o + [ 98%] Building CXX object src/CMakeFiles/flameshot.dir/flameshot_autogen/IJ3KGTTQ5V/qrc_graphics.cpp.o + [100%] Linking CXX executable flameshot + [100%] Built target flameshot + + [ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot] + → ls + appveyor.yml CMakeLists.txt docs LICENSE scripts src + build CODE_OF_CONDUCT.md external packaging shell.nix tests + cmake data flameshot.example.ini README.md snapcraft.yaml + + [ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot] + → ls -lash build/src/flameshot + 49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot + + [ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot] + → ./build/src/flameshot + + + +if you want to be able to launch the flameshot binary without specifying the full path each time, you can add it to your system PATH: + + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot] + → ls -lash build/src/flameshot + 49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot] + → echo $PATH + /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot] + → ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot + ln: failed to create symbolic link '/usr/local/bin/flameshot': Permission denied + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot] + → sudo ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot + [sudo] password for nihilist: + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot] + → which flameshot + /usr/bin/flameshot + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot] + → flameshot + + + +As we run the binary from the commandline, we then see the flameshot program opening here: + +![](5.png) + +as we click on the logo, we can enter the screenshot mode: + +![](5.5.png) + +then we click and drag to select the area of the screenshot: + +![](6.png) + +Then we can click the "save" icon to save the image somewhere: + +![](7.png) + +## **How to verify software integrity** + +Now Bob isn't going to compile everything, he doesn't have that patience. the next best thing is to download the pre-compiled binaries and to check the hash: + +![](8.png) + +Here in this case, the appimage flameshot binary has been released along with the sha256 algorithm hash, so Bob downlads both: + + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest] + → wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage + --2024-06-28 14:31:09-- https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest] + → wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum + --2024-06-28 14:32:26-- https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum + + + +Next, to check the integrity of the appimage file, we check the hash that we've downloaded: + + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest] + → cat Flameshot-12.1.0.x86_64.AppImage.sha256sum + c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738 Flameshot-12.1.0.x86_64.AppImage + + + +and compare it to the hash we get when using the sha256sum command on the flameshot appimage: + + + [ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest] + → sha256sum Flameshot-12.1.0.x86_64.AppImage + c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738 Flameshot-12.1.0.x86_64.AppImage + + + +Here we see that the sha256 hash we get from the flameshot appimage binary is the same as the hash that was put online by the flameshot developers. This means that the binary didn't get tampered with from the original release, to having it inside Bob's debian VM. Hence, Bob can now use the flameshot appimage binary with peace of mind! + diff --git a/context/anon.png b/context/anon.png new file mode 100644 index 0000000..e06ce6b Binary files /dev/null and b/context/anon.png differ diff --git a/context/private.png b/context/private.png new file mode 100644 index 0000000..8236b1e Binary files /dev/null and b/context/private.png differ diff --git a/context/public.png b/context/public.png new file mode 100644 index 0000000..f193074 Binary files /dev/null and b/context/public.png differ diff --git a/context/sensitive.png b/context/sensitive.png new file mode 100644 index 0000000..a0b9376 Binary files /dev/null and b/context/sensitive.png differ diff --git a/contribute/1.5.png b/contribute/1.5.png new file mode 100644 index 0000000..bc2cfb1 Binary files /dev/null and b/contribute/1.5.png differ diff --git a/contribute/1.png b/contribute/1.png new file mode 100644 index 0000000..13112e8 Binary files /dev/null and b/contribute/1.png differ diff --git a/contribute/10.png b/contribute/10.png new file mode 100644 index 0000000..52261db Binary files /dev/null and b/contribute/10.png differ diff --git a/contribute/11.png b/contribute/11.png new file mode 100644 index 0000000..98b835f Binary files /dev/null and b/contribute/11.png differ diff --git a/contribute/12.png b/contribute/12.png new file mode 100644 index 0000000..b6b2e30 Binary files /dev/null and b/contribute/12.png differ diff --git a/contribute/13.png b/contribute/13.png new file mode 100644 index 0000000..eae8c15 Binary files /dev/null and b/contribute/13.png differ diff --git a/contribute/14.png b/contribute/14.png new file mode 100644 index 0000000..37b91ff Binary files /dev/null and b/contribute/14.png differ diff --git a/contribute/15.png b/contribute/15.png new file mode 100644 index 0000000..c36c9e8 Binary files /dev/null and b/contribute/15.png differ diff --git a/contribute/16.png b/contribute/16.png new file mode 100644 index 0000000..381ab16 Binary files /dev/null and b/contribute/16.png differ diff --git a/contribute/17.png b/contribute/17.png new file mode 100644 index 0000000..89dbde4 Binary files /dev/null and b/contribute/17.png differ diff --git a/contribute/18.png b/contribute/18.png new file mode 100644 index 0000000..01febc7 Binary files /dev/null and b/contribute/18.png differ diff --git a/contribute/19.png b/contribute/19.png new file mode 100644 index 0000000..e1646fd Binary files /dev/null and b/contribute/19.png differ diff --git a/contribute/2.png b/contribute/2.png new file mode 100644 index 0000000..5adadd1 Binary files /dev/null and b/contribute/2.png differ diff --git a/contribute/29.png b/contribute/29.png new file mode 100644 index 0000000..2797fc2 Binary files /dev/null and b/contribute/29.png differ diff --git a/contribute/3.png b/contribute/3.png new file mode 100644 index 0000000..c02310c Binary files /dev/null and b/contribute/3.png differ diff --git a/contribute/30.png b/contribute/30.png new file mode 100644 index 0000000..a1270ff Binary files /dev/null and b/contribute/30.png differ diff --git a/contribute/31.png b/contribute/31.png new file mode 100644 index 0000000..b457407 Binary files /dev/null and b/contribute/31.png differ diff --git a/contribute/32.png b/contribute/32.png new file mode 100644 index 0000000..6128229 Binary files /dev/null and b/contribute/32.png differ diff --git a/contribute/33.png b/contribute/33.png new file mode 100644 index 0000000..0ce1daa Binary files /dev/null and b/contribute/33.png differ diff --git a/contribute/34.png b/contribute/34.png new file mode 100644 index 0000000..2ccf3bb Binary files /dev/null and b/contribute/34.png differ diff --git a/contribute/35.png b/contribute/35.png new file mode 100644 index 0000000..133f3da Binary files /dev/null and b/contribute/35.png differ diff --git a/contribute/36.png b/contribute/36.png new file mode 100644 index 0000000..8102d42 Binary files /dev/null and b/contribute/36.png differ diff --git a/contribute/37.png b/contribute/37.png new file mode 100644 index 0000000..6cec1b4 Binary files /dev/null and b/contribute/37.png differ diff --git a/contribute/38.png b/contribute/38.png new file mode 100644 index 0000000..65d9e14 Binary files /dev/null and b/contribute/38.png differ diff --git a/contribute/4.png b/contribute/4.png new file mode 100644 index 0000000..e0d28a1 Binary files /dev/null and b/contribute/4.png differ diff --git a/contribute/5.png b/contribute/5.png new file mode 100644 index 0000000..ba55838 Binary files /dev/null and b/contribute/5.png differ diff --git a/contribute/58.png b/contribute/58.png new file mode 100644 index 0000000..c7b1296 Binary files /dev/null and b/contribute/58.png differ diff --git a/contribute/59.png b/contribute/59.png new file mode 100644 index 0000000..e05b25e Binary files /dev/null and b/contribute/59.png differ diff --git a/contribute/60.png b/contribute/60.png new file mode 100644 index 0000000..f128b80 Binary files /dev/null and b/contribute/60.png differ diff --git a/contribute/61.png b/contribute/61.png new file mode 100644 index 0000000..b6d93e5 Binary files /dev/null and b/contribute/61.png differ diff --git a/contribute/62.png b/contribute/62.png new file mode 100644 index 0000000..d996e3c Binary files /dev/null and b/contribute/62.png differ diff --git a/contribute/63.png b/contribute/63.png new file mode 100644 index 0000000..a341992 Binary files /dev/null and b/contribute/63.png differ diff --git a/contribute/64.png b/contribute/64.png new file mode 100644 index 0000000..b5cc21f Binary files /dev/null and b/contribute/64.png differ diff --git a/contribute/65.png b/contribute/65.png new file mode 100644 index 0000000..f55798f Binary files /dev/null and b/contribute/65.png differ diff --git a/contribute/66.png b/contribute/66.png new file mode 100644 index 0000000..51b324e Binary files /dev/null and b/contribute/66.png differ diff --git a/contribute/70.png b/contribute/70.png new file mode 100644 index 0000000..e90d870 Binary files /dev/null and b/contribute/70.png differ diff --git a/contribute/71.png b/contribute/71.png new file mode 100644 index 0000000..365473e Binary files /dev/null and b/contribute/71.png differ diff --git a/contribute/72.png b/contribute/72.png new file mode 100644 index 0000000..2f484a2 Binary files /dev/null and b/contribute/72.png differ diff --git a/contribute/73.png b/contribute/73.png new file mode 100644 index 0000000..0969b77 Binary files /dev/null and b/contribute/73.png differ diff --git a/contribute/74.png b/contribute/74.png new file mode 100644 index 0000000..0fe7bfc Binary files /dev/null and b/contribute/74.png differ diff --git a/contribute/75.png b/contribute/75.png new file mode 100644 index 0000000..351ae09 Binary files /dev/null and b/contribute/75.png differ diff --git a/contribute/76.png b/contribute/76.png new file mode 100644 index 0000000..af39fad Binary files /dev/null and b/contribute/76.png differ diff --git a/contribute/80.png b/contribute/80.png new file mode 100644 index 0000000..d9d46c5 Binary files /dev/null and b/contribute/80.png differ diff --git a/contribute/81.png b/contribute/81.png new file mode 100644 index 0000000..fd34311 Binary files /dev/null and b/contribute/81.png differ diff --git a/contribute/82.png b/contribute/82.png new file mode 100644 index 0000000..dee54e7 Binary files /dev/null and b/contribute/82.png differ diff --git a/contribute/9.png b/contribute/9.png new file mode 100644 index 0000000..606e2a5 Binary files /dev/null and b/contribute/9.png differ diff --git a/contribute/index.md b/contribute/index.md new file mode 100644 index 0000000..02ea936 --- /dev/null +++ b/contribute/index.md @@ -0,0 +1,407 @@ +--- +author: nihilist +date: 2025-04-03 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/275" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to become a Contributor + +In this tutorial we're going to look at how you can contribute to the opsec blog, we'll look into how the work is being organized, and how to contribute via gitea. + + + +## The Nihilism Blog Organisation + +First, look at all the blogposts that are yet to be completed from the [opsec index page](../index.md) to see if there are some you'd like to do: + +![](1.png) + +Each tutorial (even if completed) has it's own assigned issue on [gitea](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues): + +![](1.5.png) + +You can pick one that you'd like to do, if you see one that has a red cross you can click on it, it will redirect you to it's assigned gitea issue (example: [Easy Private Chats - SimpleX](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/61). If there is no todolist on each assigned gitea issue, you are free to brainstorm it like so: + +![](2.png) + +If a blogpost gitea issue doesn't have a todolist yet, please follow this general template to write it: + + + Privacy - Easy Private Chats with SimpleX + + To be explained: + - Graph of the targeted setup + - why is this setup relevant ? What are the threats ? What are we trying to achieve (Privacy / Anonymity / Deniability) ? + - what are your options ? + - comparing option A B and C + - In this tutorial we're going to use option B because it is superior due to these criterias blah blah blah + + To be showcased: + - how to install the clientside application + - how to install the serverside application + - how to configure the application + - show that it works as intended + + + +The idea being that each issue needs to have a clear todolist to bring clarity on what needs to be done in it. **Please check if the tutorial is already assigned to someone already or not:** + +![](3.png) + +At first, I am assigning only **one contributor per tutorial** , and only **one tutorial per contributor** at a time, with a **default deadline of 1 month**. to complete the assigned tutorial. (if you want to extend the deadline, you'll have to contact me first). + +In short, please **choose a tutorial that is neither done, nor assigned yet** , you can check the status of each tutorial on the project board [here](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/projects/1): + +![](4.png) + +The list of tutorials that are not assigned yet are in the second column, once you have chosen one just ping me on [Opsec SimpleX group chat](http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html). + +You can also submit a suggestion to me directly if you think this blog is missing something crucial, such as a brand new blogpost idea **(although make sure it remains on topic for Privacy / Anonymity / Deniability) i am NOT looking for regular Sysadmin tutorials here.** + +If you think one of the existing tutorials is missing something, feel free to criticize them in their assigned issues (ping me when you do so, so i don't miss it): + +![](5.png) + +After discussing with me what task you want to do, we'll confirm on the price for that tutorial and after i get your confirmation i'll assign it to you, and that's when you can start to work on it. + +_Disclaimer:_ if you're not used to writing technical stuff, please aim for the tutorials that are labeled as "Simple" and that you actually understand. Don't try to bite more than you can chew, otherwise i might refuse further contributions coming from you. You should be at least familliar with the topic you intend to talk about. + +## **What's Offtopic?** + +Here are the list of things that are offtopic, and that we will NOT cover in the blog (for the foreseeable future at least): + +1) _General security and hacking:_ (making sure a software is secure, how to test if it is secure or not) this is a BOTTOMLESS rabbithole that we won't go into again. I went down that rabbithole myself, in the [Hacking section](../../HTB/index.md). Point being, you anyway cannot defend against the threat that you don't know anything about (0days). You're never going to eliminate all 0day risks by going for ultra minimalism, since every damn line of code your minimal software contains can potentially contain a vulnerability. **Trying to protect against the threat you don't know about (0days) IS a pointless and futile endeavor.** You can reduce the risks of 0days by going for ultra-minimalism, but we'll leave that at the discretion of the viewers. **TLDR: Tell the viewer to run the software on it's latest update. If a malicious commit is pushed into the software, don't trust that repository and maintainer anymore, fork it on your own .onion forgejo instance, remove the bad commits, and compile the software yourself.** We will consider some FOSS software as suitable for opsec use _until proven otherwise (so don't bring up the 0day excuse)_ , not the other way around. + +![](65.png) + +2) _Closed-source hardware privacy workarounds:_ no, we won't recommend to the 90% average joes out there to wire up cables to their CPU in order to disable intel ME, install coreboot, or whatever else, and risk bricking their motherboards/CPUs permanently. **We will recommend that average joe to purchase fully open hardware devices, that are free of potential backdoors in the first place, when they are available on the market.** We do with the tools at our disposal, so until those tools are made available, we use what we can use. **We will consider FOSS Host OS as suitable for privacy, even on closed-source hardware for the time being.** (so don't bring up the google pixel graphene OS or the Intel/AMD CPU hardware backdoor argument until you find an actual open hardware alternative that does the job aswell) + +![](66.png) + +3) _Unrealistic advice:_ the advice we bring forth in this blog should be doable by 90% of the average joes out there, by explaining it correctly. For instance, no, **90% of the average joes out there are not going to go dressed up in black coats, wear an anonymous mask, sit in mcdonalds, to try and use someone else's public wifi anonymously for entire days on end just to browse the web anonymously and avoid it being tied back to their irl identity. NOBODY is going to do that**. Keep that unrealistic advice off this blog, as it doesn't help anyone. The realistic approach to this is to just do a (you -> vpn -> tor -> destination) setup, it defeats 99% of the attack vectors, and 90% of the joes out there can do it if you explain it properly. End of the story. **I don't care about the 1% most unlikely scenario that only the top 1% non-average joe can pull off.** Simply mention the other options briefly, while focusing on the method that 90% of the people out there are the likely to be able to adopt. + +![](64.png) + +4) _Overcomplications:_ I want you to go for the simplest option that actually leads to the intended result. If, from point A you can go to point B, to arrive at result Z, then if you try to go from point A to B to C to D to E to G to H to then arrive at point Z, **you are offtopic because you are overcomplicating something that should have been simpler.** If a simpler solution exists, show that option only, do not waste diskspace writing innefficient methods that the readers don't need to read or know about. I will categorically refuse any overcomplications that isn't properly justified with adequate opsec scenarios and threat modeling. + +## **How to contribute new tutorials** + +Now you first need to sign up on gitea, click the **Register** button and fill out your details. + +![](80.png) + + + +DO NOT give your real email here, you can put a dummy one. Email is not verified. + +![](81.png) + + + +If account creation is successful, you'll be automatically logged in. + +![](82.png) + + + +Now, you can ask to join our [Contributors private chatroom](http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html) where we brainstorm new contributions, formulate todolists, assign those todolists to contributors like you, and review those contributions: + +![](63.png) + +From there, you can fork the repository, from your new account: + +![](9.png) + +You can leave everything as default as shown below: + +![](10.png) + +Now from there you continue from the commandline, do a git clone the repository you just forked, and do the edits you need to do: + + + [ mainpc ] [ /dev/pts/18 ] [~/Documents] + → apt install git tor torsocks -y + + [ mainpc ] [ /dev/pts/18 ] [~/Documents] + → torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/6dv9lk1pbaflulau/blog-contributions + Cloning into 'blog-contributions'... + remote: Enumerating objects: 3400, done. + remote: Counting objects: 100% (3400/3400), done. + remote: Compressing objects: 100% (2729/2729), done. + remote: Total 3400 (delta 1588), reused 2109 (delta 609), pack-reused 0 (from 0) + Receiving objects: 100% (3400/3400), 149.35 MiB | 6.82 MiB/s, done. + Resolving deltas: 100% (1588/1588), done. + + [ mainpc ] [ /dev/pts/18 ] [~/Documents] + → cd blog-contributions + + + +If you are reusing the repository after you're done sending pull requests, don't forget to do a git pull to make sure you're working on an up-to-date repository, as i am [frequently pushing commits](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/commits/branch/main). + + + [ mainpc ] [ /dev/pts/18 ] [blog-contributions] + → torsocks git pull http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/6dv9lk1pbaflulau/blog-contributions + + + +Now that you're on the latest commit, you can start to do your own changes: + + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → ls + assets index.html opsec productivity pull.sh push.sh pushtoprod.sh README.md + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → cd opsec + + + +now from there you can copy the template tutorial folder called "0_anon" into another folder: + + + [ mainpc ] [ /dev/pts/18 ] [Documents/blog-contributions/opsec] + → cp -r 0_anon newtutorial + + [ mainpc ] [ /dev/pts/18 ] [Documents/blog-contributions/opsec] + → cd newtutorial + + + +In it you will find the index.html file that you can edit from the commandline still: + + + [ mainpc ] [ /dev/pts/18 ] [blog-contributions/opsec/newtutorial] + → pwd + /home/nihilist/Documents/blog-contributions/opsec/newtutorial + + [ mainpc ] [ /dev/pts/18 ] [blog-contributions/opsec/newtutorial] + → ls + index.html + + [ mainpc ] [ /dev/pts/18 ] [blog-contributions/opsec/newtutorial] + → vim index.html + + + +and you can also view your edits in real time from your browser of choice, just put the complete path to the index.html file to view it in real time, for me it is as follows: **/home/nihilist/Documents/blog-contributions/opsec/newtutorial/index.md** (just hit F5 to refresh in the browser, everytime you save (:w) in vim) + +![](11.png) + +Make sure that you follow the quality standard i described [here](../qualitystandard/index.md): **start with the Why, then the What, then the How**. + +_DISCLAIMER:_ We are not taking any shortcuts in this blog, I expect you to talk about the path, to list the steps that are on that path, **and more importantly want you to show the audience how YOU walk that path.** + +For the "How" parts specifically, as you are expected to explain and show the audience how to do things, **make sure you use images and screenshots like so:** + + + <****img src="12.png" class="imgRz"> + +` ![](12.png) + +To take screenshots like i do, you can use [flameshot](../compilation/index.md), it has everything you need for screenshots. When you take screenshots, dont forget to draw arrows to mention where the user needs to click, add text if something needs to be clarified, etc. and then save your screenshot in the same folder as your blogpost contribution (in this case, in **blog-contributions/opsec/new-tutorial**) + + + apt install flameshot -y + + flameshot + + + +` ![](30.png) + +_Sidenote:_ If you are showcasing any IRL steps to make, take pictures to explain what needs to be done, just like how i did when i showcased how to install [GrapheneOS](../graphene/index.md). + +If you are showcasing a complex tutorial please make a graph to explain what you are talking about. One graph will convey the equivalent of a wall of text in one clear image, it's a matter of efficiently conveying information to the audience. I used to make graphs using yEd Graphs (but it's closed source) so instead as of q3 2024 i'm using Drawio to make them, both tools have got everything you need to write complex graphs. + + + [ mainpc ] [ /dev/pts/3 ] [blog/opsec/manifesto] + → apt search draw.io + Sorting... Done + Full Text Search... Done + draw.io/now 24.7.17 amd64 [installed,local] + draw.io desktop + + [ mainpc ] [ /dev/pts/3 ] [blog/opsec/manifesto] + → apt install draw.io + + [ mainpc ] [ /dev/pts/3 ] [blog/opsec/manifesto] + → drawio + + + +` ![](31.png) ![](32.png) ![](33.png) ![](34.png) ![](35.png) + +If you want to use my logos for onymity, surveillance, centralisation, complexity, etc you can find them in the **blog-contributions/opsec/logos/** directory: + +![](36.png) + +Then, i'll let you go through the [drawio documentation](https://www.drawio.com/doc/) to learn how to use it, as there's alot to cover to add logos, change shapes, add text, add arrows, etc: + +![](37.png) + +But in the end you should have a good looking graph like this one: + +![](38.png) + +and if there are any commands (or terminal output) to be shown, **copy paste from your terminal directly into the index.html file** as this is going to help us save some disk space, into the **pre code blocks** : + + + <****pre> <****code class="nim"> + [ mainpc ] [ /dev/pts/20 ] [~/Nextcloud/blog] + → vim index.html <****/pre> <****/code> + + + [ mainpc ] [ /dev/pts/20 ] [~/Nextcloud/blog] + → vim index.html + + + +Preferably copy paste the command outputs into the pre code blocks, so we i can save on storage space as images take alot more space than regular text. + +![](13.png) + +Then once your tutorial is finished, don't forget to edit the footer to contain your contact details, your links if you have any, **and your monero donation address (which is important as i use that address to pay you for your contribution)**. + +Now your tutorial is ready to be sent over for review. So now you need to git push it to your forked repository like so: + + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → git config --global user.email "6dv9lk1pbaflulau@nowhere.moe" + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → git config --global user.name "6dv9lk1pbaflulau" + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → git add -A + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → git commit + + + + + new tutorial contribution + # Please enter the commit message for your changes. Lines starting + # with '#' will be ignored, and an empty message aborts the commit. + # + # On branch main + # Your branch is up to date with 'origin/main'. + # + # Changes to be committed: + # new file: opsec/newtutorial/index.md + # modified: push.sh + + ESC :wq + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → git push + Username for 'http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion': 6dv9lk1pbaflulau + Password for 'https://6dv9lk1pbaflulau@git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion': + Enumerating objects: 7, done. + Counting objects: 100% (7/7), done. + Delta compression using up to 4 threads + Compressing objects: 100% (4/4), done. + Writing objects: 100% (4/4), 388 bytes | 388.00 KiB/s, done. + Total 4 (delta 3), reused 0 (delta 0), pack-reused 0 + remote: + remote: Create a new pull request for '6dv9lk1pbaflulau:main': + remote: http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/compare/main...6dv9lk1pbaflulau:main + remote: + remote: . Processing 1 references + remote: Processed 1 references in total + To http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/6dv9lk1pbaflulau/blog-contributions + 7c759d3..7067b5c main -> main + + + +Now you have pushed your changes to your [forked respository](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/6dv9lk1pbaflulau/blog-contributions), from there you can make a Pull request (asking me to pull in your changes, to the [main repository](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions)) as follows: + +![](14.png) ![](15.png) ![](16.png) + +now from there your pull request is created, and I'll review it as soon as I get the time: + +![](17.png) + +If it's not complete, I'll comment in there asking you to add what's missing, **changes that you must actually finish before the deadline.** To add further changes simply add more commits to it + + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → vim opsec/newtutorial/index.md + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → git add -A + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → git commit + + forgot to do this change! + # Please enter the commit message for your changes. Lines starting + # with '#' will be ignored, and an empty message aborts the commit. + # + # On branch main + # Your branch is up to date with 'origin/main'. + # + # Changes to be committed: + # modified: opsec/newtutorial/index.md + + ESC :wq + + [main eb4b994] forgot to do this change! + 1 file changed, 1 insertion(+), 1 deletion(-) + + [ mainpc ] [ /dev/pts/18 ] [~/Documents/blog-contributions] + → torsocks git push + Username for 'http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion': 6dv9lk1pbaflulau + Password for 'https://6dv9lk1pbaflulau@git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion': + Enumerating objects: 9, done. + Counting objects: 100% (9/9), done. + Delta compression using up to 4 threads + Compressing objects: 100% (4/4), done. + Writing objects: 100% (5/5), 432 bytes | 432.00 KiB/s, done. + + + +` ![](18.png) + +Then wait for me to confirm the content is complete, and then i'll accept the pull request and merge it into the main repository. + +![](19.png) + +_Warning:_ your contribution is supposed to follow [the quality standard](../qualitystandard/index.md), if your contribution doesn't follow the quality standard closely, we're going to keep refusing your contribution until you make it good enough to be acceptable. + +If you intend on becoming [a maintainer](../maintainers/index.md) you need to keep submitting contributions that are at least 95% completed each time. The worst you could do is submit a contribution that is 30% completed and waste our time with a tedious reviewing process (which will force us to stop accepting contributions coming from you aswell, if it keeps happening), We'll tolerate it if that's your first contribution, but you should strive to improve your writing skills with each new contribution that you submit. **The best contributors (which are fit to become maintainers) are supposed to send nearly completed contributions upon the first review.**. + +## **Updating existing tutorials** + +Sometimes it happens that a tutorial is outdated, has errors or just needs some methodology updates. If you have an idea for something that could be added, or if you want to fix some errors in the tutorial, contact us on simplex or open an issue on [gitea](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues). We will discuss the changes and make sure they're going in the right direction. If it's a small change (like fixing typos or modifying just a few sentences), you can make a pull request with the changes without contacting us. + +Usually, there are already a few issues for blog updates listed on the [project board](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/projects/1). If you want to help, feel free to pick one and start working on it. +The steps are similar to what we have for creating new tutorial \- fork the repository, create a branch and edit appropriate blog post. When you're done with your changes, open a pull request so that we can review them. + +Depending on how much of the tutorial is actually changed, you should credit yourself accordingly. For the sake of this example, let's say you're **oxeo0** (the person making an update) and **Nihilist** is the original author of the blog post. + +## **Small change** + +If the changes you've made are small (let's say less than 20% of the blog post), you should keep the name of the original author. You may change the date to inform readers it has been changed recently, but this is not strictly required. Do not add your XMR address in the footer. This doesn't mean that you won't be getting paid. If you're working on an issue on the project board, there's often a reward even for small edits. + +![](71.png) ![](70.png) + +## **Considerable change** + +If the changes you've made are considerable (let's say more than 20% of the blog post), you should credit yourself and the original author. Mention the tutorial has been updated by you at the top and keep both yours and author's XMR address in the footer. + +![](72.png) ![](73.png) + +## **Complete rewrite** + +Sometimes the tutorial needs to be rewritten entirely (more than 90% changes). In this case, you can treat the tutorial as if it was written by you from the beginning. + +![](74.png) ![](75.png) + +## **Special Case - Collaboration** + +If there is more than one person working on the tutorial, credit all as authors and list their XMR addresses. + +![](76.png) ![](73.png) + diff --git a/criticism/0.png b/criticism/0.png new file mode 100644 index 0000000..8b65f1a Binary files /dev/null and b/criticism/0.png differ diff --git a/criticism/1.png b/criticism/1.png new file mode 100644 index 0000000..b83274f Binary files /dev/null and b/criticism/1.png differ diff --git a/criticism/2.png b/criticism/2.png new file mode 100644 index 0000000..55176fc Binary files /dev/null and b/criticism/2.png differ diff --git a/criticism/3.png b/criticism/3.png new file mode 100644 index 0000000..1aff69f Binary files /dev/null and b/criticism/3.png differ diff --git a/criticism/5.png b/criticism/5.png new file mode 100644 index 0000000..8d862e3 Binary files /dev/null and b/criticism/5.png differ diff --git a/criticism/6.png b/criticism/6.png new file mode 100644 index 0000000..fb9b33f Binary files /dev/null and b/criticism/6.png differ diff --git a/criticism/7.png b/criticism/7.png new file mode 100644 index 0000000..2e5ce1d Binary files /dev/null and b/criticism/7.png differ diff --git a/criticism/index.md b/criticism/index.md new file mode 100644 index 0000000..c4bbd94 --- /dev/null +++ b/criticism/index.md @@ -0,0 +1,102 @@ +--- +author: nihilist +date: 2025-04-07 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to write good Criticism + +In this tutorial, we're going to cover how you can contribute as a reader, by effectively criticizing the blogposts we wrote, in order to help us find what we overlooked so that we can fix it. + +Message to everyone that ever wrote, and will ever write criticism regarding the blogposts we wrote so far: **Go ahead, if you are closer to the truth than we are, you're more than welcome to tell us about it and why, but if you want to get your point across efficiently, you have to learn how to criticize like an adult.** + + + +## **Nobody knows everything** + +First of all, i'll clear up a misconception that people seem to think far too often: **No,[i don't know everything.](../../productivity/scio-nihil/index.md)** In fact noone does, don't pretend otherwise. There is a reason as of why we are welcoming criticism on all of our blogposts: **we are aware that we don't know everything, and we strive to know as much as we possibly can.** + +![](../../productivity/scio-nihil/4.png) + +Just because you managed to fill your head (this bucket) with water from the ocean (knowledge from a particular topic), **doesn't mean that you managed to empty the whole ocean into your bucket.** Nobody knows everything, myself included, and yourself included. Yeah i know, it's hard to admit sometimes. + +Our tutorials aren't perfect, and we're never going to pretend that they are. **There's always room for improvement, so you're more than welcome to send us criticism to let us know what we missed.** And if your criticism is valid, we'll listen and update the tutorial accordingly. + +Thing is, you also need to know how to criticize correctly if you want us to actually improve what we're doing. (if you're not criticizing correctly, all you're making is just noise and contributing to the problem, rather than putting in a little more effort to contribute to the solution that we're trying to bring to the table.) + +## **Graham's Hierarchy of Disagreement** + +I'll have to heavily quote Graham's [excellent blogpost](https://paulgraham.com/disagree.html) on the matter, because there is a hierarchy to argue about something, and contrary to what most people think, you can also do so respectfully (**which means that you can argue like an adult, instead of argue like a child**). + +![](0.png) + +First of all it's a matter of maturity. If you're an adult and your ego is still in the way, refer to [Sum Nihil](../../productivity/sum-nihil/index.md) to fix it. **Because otherwise you're most likely going to be incapable of stopping yourself to resort to ad hominem on the way.** I saw that happen way too often, which is a clear shame. + +Proper communication is very important if you wish to convey your perception to someone else. In our usecase where we have blogposts relating to operational security, if we are wrong anywhere along the way, **there's potentially an entire reasoning, context, logic, purpose, and setup to dismantle and criticize**. + +## **Low-Quality Criticism** + +**_\- Level 0:_** At the lowest level (Name-calling)** you can call me a dumbo jumbo and meanie, but in the end you're just throwing a tantrum because you don't like me. I think you can avoid polluting whatever public place you have found to do that and grow up a bit, you'll save everyone's time. + +**_\- Level 1:_** (Ad Hominem)** you can also criticize my characteristics and pretend that i am too young to know more than you, Oh, the mighty all knowing. you're doing the same thing as the above but you're also trying to puff up your own ego at the same time. Dishonesty in arguments is sadly way too common, it's can be subtle and imperceptible for the ones that aren't trained to notice it. + + + [...] We still sometimes see deliberate dishonesty, as when someone picks out minor points of an argument and refutes those. Sometimes the spirit in which this is done makes it more of a sophisticated form of ad hominem than actual refutation. For example, correcting someone's grammar, or harping on minor mistakes in names or numbers. Unless the opposing argument actually depends on such things, the only purpose of correcting them is to discredit one's opponent. + + Truly refuting something requires one to refute its central point, or at least one of them. And that means one has to commit explicitly to what the central point is. + + + +**If all you can think about is how to win the next argument, then you're not a truth seeker, You're just desperatly trying to protect your ego.** I was once like that to be clear, but i grew out of it. Everyone can grow out of it. You just have to be willing to leave your insecurities behind to be able to move forward. + +![](7.png) + +A real truth seeker will not restrain himself to only his perception of the truth, but he'll also seek to percieve the truth from as many different perceptions as possible. **There's no such thing as possessing the absolute truth, we're always seeking it, always getting closer to it without ever attaining it.** Operational security requires combining different perceptions to be able to achieve privacy, anonymity and deniability. It takes a while to get used to percieving what we're talking about from all the different angles, and ways of percieving the showcased setups. You have the adversarial point of view, the anonymity sets, the public surveillance, the forensic evidence you leave behind, the complexity of the setup, who can pull it off, etc. **Stay open minded, like us, because you may have missed something.** + +**_- Level 2:_** (Responding to the tone)** you can also criticize how arrogantly i wrote what i wrote and how i pretend to know more than you, but still even here you're not even addressing the actual content that i wrote. Again, all you're doing is just noise still. + +If this is what you think criticizing is about, you need to realize that all you're trying to do is paint yourself in a good picture, and paint the other side in a bad picture, and in a lazy way too. If you act that way, all you're doing is just being obvious in showing off your lack of maturity. Feel free to do that, but don't expect me to listen to what you have to say afterward. + +**_- Level 3:_** (Contradiction)** For example, **if you start to say that using closed-source software is suitable for private use without explaining why** , like how the moderators at privacy guides are doing, you're not helping either. Just because you're a moderator of a privacy laxism forum **doesn't mean that affirming the opposite of what an entire blogpost says without explaining why is going to disprove anything.** + +![](1.png) + +This is an example of a very low effort criticism, it simply highlights that one party has a ton of compelling arguments and while the other one doesn't, they don't even care about defending their point. **In this particular contradiction, the other party is downplaying the requirements to achieve privacy,** implying that being spied on by the government or corporations is acceptable, when in fact it is not. **This is also known as a Minimization Fallacy**. + +The other extreme of this type of fallacy would be **spreading[FUD](https://en.wikipedia.org/wiki/Fear,_uncertainty,_and_doubt) (Fear Uncertainty Doubt)** like in [this article](https://tottnews.com/2024/09/25/tor-web-browser-cracked/): + +![](6.png) + +it is a disinformation technique simply aimed at spewing bullshit without any proof to back up one's claims, because according to [Brandolini's law](https://en.wikipedia.org/wiki/Brandolini%27s_law), also known as the bullshit asymmetry principle: + + + The amount of energy needed to refute bullshit is an order of magnitude bigger than that needed to produce it. + + + +Nowadays, where everyone (including journalists or sunday privacy laxists) can have their uneducated say on everything, **it is because of idiots that can't shut up that we are swimming in an ocean of bullshit where actual quality is buried 10000 feet below the surface.** It is an herculean task to untangle everyone's blatant lack of education, but lucky for you we're not lazy blogposters, this blog is here to preserve quality, when we're wrong we admit it, learn from it, adapt and rewrite accordingly to get closer to the truth. **We won't give in to FUD, or any minimization fallacy whatsoever** , Therefore stay true to your logic and reasoning, base yourself on facts, not opinions or beliefs. + +Don't just contradict what we say, bring reasoning, arguments, logic, data and links to those to the table when you do so because otherwise you're just ignoring the argument completely. **Legit Criticism takes more effort like in the examples below, where we will definitely listen:** + +## **High-Quality Criticism** + +**_\- Level 4:** (Counterargument)_** For example, if you had read the previous Sensitive VM Setup tutorial i wrote, you'd realize that the crucial Host OS live mode requirement wasn't even covered, instead i was recommending a particular script to wipe off the forensic traces regarding the presence of the VC hidden volume. Therefore, as someone correctly did so, they added me on SimpleX to send me the following (valid) criticism: + +![](2.png) + +In this case it's an absolutely valid criticism which definitely makes sense, since it simplifies the previous setup by removing the use of that wipe.sh script, and by not even requiring to install the veracrypt software. In that case i scheduled the changes for multiple tutorials, and came up with the following 4 updated tutorials to take this criticism into account: [[0]](../linux/index.md)[[1]](../livemode/index.md) [[2]](../veracrypt/index.md) [[3]](../sensitivevm/index.md). **One valid criticism can have an effect on the entire Opsec blog like this one, since there are alot of blogposts that are inter-dependant.** In this case, since the Host OS had to change, i rewrote the Host OS tutorial, the hypervisor tutorial, the veracrypt tutorial and ultimately the sensitive VMs tutorial accordingly to be able to match the criticism that was sent to me. + +![](5.png) + +**This is the minimum for me to consider your feedback and do something about it.** However if you want to bring some extra quality to your criticism, you can do the following: + +**_\- Level 5:_** (Refutation)** You can first quote what i wrote (but i know what i wrote so you can simply link to the tutorial directly and i'll immediately know the context of what you're talking about), and then explain exactly why it's not correct. **Ideally if you're basing your criticism on external sources, also post links to those resources that explain further what you're talking about,** so that i get the full picture: + +![](3.png) + +**_\- Level 6:_** (Refuting the central point)** If you actually care about me improving my tutorials, cut out all the bullshit you see from level 0 to level 3 and **just stick to refuting what i wrote, explicitely.** wheter it be the reasoning behind the tutorial, the explanations, the showcased setups, or the purpose of any of the tutorials. **However, for every criticism that you make, also let me know how you think the blogpost could be improved.** Tell me how you'd improve the tutorial if you think the solution i presented is not good enough (or not simple enough) like in the example above. + +This is the whole premise behind Truth seeking, I strive to have the most correct perception of the subject, but in the end that's my perception. If we combine multiple correct perceptions of the same topic, we are getting that much closer to the truth than we previously were, now that we have a wider, clearer perception of what we're talking about. + +And that's it! You now know how to send valid criticism, **and you now know how to do it like an adult**. By doing so you can effectively contribute to the overall project by helping us continuously improving our blogposts. + diff --git a/darknetexploration/1.png b/darknetexploration/1.png new file mode 100644 index 0000000..2dbc4a3 Binary files /dev/null and b/darknetexploration/1.png differ diff --git a/darknetexploration/10.png b/darknetexploration/10.png new file mode 100644 index 0000000..fa40bb4 Binary files /dev/null and b/darknetexploration/10.png differ diff --git a/darknetexploration/11.png b/darknetexploration/11.png new file mode 100644 index 0000000..b9e86d2 Binary files /dev/null and b/darknetexploration/11.png differ diff --git a/darknetexploration/12.png b/darknetexploration/12.png new file mode 100644 index 0000000..504812e Binary files /dev/null and b/darknetexploration/12.png differ diff --git a/darknetexploration/13.png b/darknetexploration/13.png new file mode 100644 index 0000000..622d189 Binary files /dev/null and b/darknetexploration/13.png differ diff --git a/darknetexploration/14.png b/darknetexploration/14.png new file mode 100644 index 0000000..2d33e57 Binary files /dev/null and b/darknetexploration/14.png differ diff --git a/darknetexploration/15.png b/darknetexploration/15.png new file mode 100644 index 0000000..be21dcc Binary files /dev/null and b/darknetexploration/15.png differ diff --git a/darknetexploration/16.png b/darknetexploration/16.png new file mode 100644 index 0000000..5fe5414 Binary files /dev/null and b/darknetexploration/16.png differ diff --git a/darknetexploration/17.png b/darknetexploration/17.png new file mode 100644 index 0000000..57a7901 Binary files /dev/null and b/darknetexploration/17.png differ diff --git a/darknetexploration/18.png b/darknetexploration/18.png new file mode 100644 index 0000000..c3a721e Binary files /dev/null and b/darknetexploration/18.png differ diff --git a/darknetexploration/19.png b/darknetexploration/19.png new file mode 100644 index 0000000..4353483 Binary files /dev/null and b/darknetexploration/19.png differ diff --git a/darknetexploration/2.png b/darknetexploration/2.png new file mode 100644 index 0000000..c68691c Binary files /dev/null and b/darknetexploration/2.png differ diff --git a/darknetexploration/3.png b/darknetexploration/3.png new file mode 100644 index 0000000..1e082d5 Binary files /dev/null and b/darknetexploration/3.png differ diff --git a/darknetexploration/4.png b/darknetexploration/4.png new file mode 100644 index 0000000..1173cc5 Binary files /dev/null and b/darknetexploration/4.png differ diff --git a/darknetexploration/5.png b/darknetexploration/5.png new file mode 100644 index 0000000..db521d8 Binary files /dev/null and b/darknetexploration/5.png differ diff --git a/darknetexploration/6.png b/darknetexploration/6.png new file mode 100644 index 0000000..43b2704 Binary files /dev/null and b/darknetexploration/6.png differ diff --git a/darknetexploration/7.png b/darknetexploration/7.png new file mode 100644 index 0000000..ae20219 Binary files /dev/null and b/darknetexploration/7.png differ diff --git a/darknetexploration/8.png b/darknetexploration/8.png new file mode 100644 index 0000000..18769a6 Binary files /dev/null and b/darknetexploration/8.png differ diff --git a/darknetexploration/9.png b/darknetexploration/9.png new file mode 100644 index 0000000..d3ff9a1 Binary files /dev/null and b/darknetexploration/9.png differ diff --git a/darknetexploration/index.md b/darknetexploration/index.md new file mode 100644 index 0000000..507e9a1 --- /dev/null +++ b/darknetexploration/index.md @@ -0,0 +1,133 @@ +--- +author: nihilist +date: 2025-01-25 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/266" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to explore the Darknet? (Visibility and Discoverability) + +![](../clearnetvsdarknet/1.png) + +In this tutorial we're going to take a look at what are the differences between the clearnet and the darknet, and how you can explore the darknet using the lantern project. + + + +## **The difference between the Clearnet and the Darknet** + +To help you visualize the differences between the 2 better, you can consider the clearnet to be like a city in open air (A city being the size of France in the world let's say) + +![](1.png) + +Due to being like an open city, you can go in a plane, and potentially with enough bruteforcing power to check every IPV4 out there (if you're google.com, shodan.io, duckduckgo.com, bing.com, etc) you are able to list every clearnet website, AND you know where they are (since they are reachable via their ipv4 directly). + +The problem of the Clearnet is that you need to deanonymize yourself at some point to have a place there. You need to go through a Registrar and pay them to get a clearnet domain, you need to go through a cloud provider and pay them aswell to get a server (like a VPS), and by default you are not anonymous when accessing that website, and neither are your users. + +Therefore, due to the nature of the clearnet itself, as we have explained [previously](../clearnetvsdarknet/index.md), every clearnet website has a very wide attack surface: + + + The Adversary can: + - order your clearnet domain to be taken down by subphoenaing the registrar + - order your VPS to be taken down by suphoenaing the cloud provider + - harrass you directly as they can log who connected to the website + - harass your users directly as they know who connected to the website. + + + +![](../clearnetvsdarknet/3.png) + +On the other hand, the Darknet is fundamentally different. You can visualize it like being an IMMENSE dark forest that covers the entire earth: + +![](2.png) + +you can't just go by plane to try and figure out where every website is, because 1) the dark forest spans the entire earth and 2) because your plane can't see if there's a valid destination to go to in between the trees. **The only way is to know which .onion destination is valid, is to be told where to go by other people that have been there.** + +It is very unrealistic to try and bruteforce every valid onion vanity v3 addresses, because they are 56 characters long. And moreso it is not possible to bruteforce every hidden service out there because you don't even need to have a VPS with an exposed IPv4 address. **All you need is to have a device, with an internet connection and you can have an onion domain, for free, and you own it forever.** + +Not to mention the benefits of running a hidden service, where even if the adversary visits your hidden service, they can't tell where it is located because they need to go through the Tor network to access it, as they can't access it via the IPv4 directly, you don't even need to expose an IPv4 address to have a hidden service. **by using Tor, Anonymity is there by default for both the client visiting the website, but also for the website itself.** The client can't know where the website is, and the website can't tell where the client is coming from. + +![](3.png) + +The Darknet offers a drastically reduced attack surface, **Which means that if an adversary wants to take down your hidden service, they can't go bother a registrar to take down the domain, because there isn't any, they can't go bother a cloud provider to take down the server because there potentially isn't any either** , the only way for an adversary to figure out where the server potentially would be to figure out where it is located [by temporarily powering off the internet access.](..//high_availability/index.md) somewhere in the world. + +In other words, the adversary has to go do some drastic guess work, **they have to go into the deep dark forest that spans the entire earth, in order to randomly stumble upon your server that runs your hidden website.** It's extremely expensive to try and deanonymize where a hidden service is, which is the whole point of using Tor. + +If you want to host your own onion website, check out [this tutorial](../torwebsite/index.md) i wrote on to know how to get your own custom vanity v3 .onion domain. + +## **The elephant in the room: Visibility on the Clearnet** + +Now let's address the elephant in the room, **Visibility.** As right now this is where the clearnet shines compared to the darknet. + +If you want to know where to go on the clearnet, you have search engines like google, duckduckgo, qwant, bing, and a few others. The problem as you probably guessed, is that it's VERY expensive to run a search engine, especially on the diskspace side. These search engines are being ran by large businesses, and it is only those businesses that get to decide who gets visibility and who doesn't. And since the larger the business, the more likely they are acting on behalf of governments, you end up with **today's clearnet: a corrupt industry where a few businesses get to decide who gets to have a presence (and visibility) on the clearnet, who doesn't, and who even gets to be thrown into the meatgrinder** due to how vulnerable everyone is on the clearnet. + +To try and do [Search Engine Optimisation (SEO)](https://developers.google.com/search/docs/fundamentals/seo-starter-guide) is to play into their twisted game with their twisted rules, it requires any number of steps that require you to deanonymize yourself fully, to add trackers on your website, implement analytics, link your website on social media where people put everything about their daily lives. **Everything about the clearnet is geared towards making yourself as vulnerable as possible to be able to have a bigger presence there.** + +![](4.png) + +What you're looking at here is effectively a widespread public speech, public opinion, and public thinking control platform. **The clearnet is where those that don't fit the narrative get less visibility, and those that go against the narrative are made vulnerable, and ready to be thrown under the bus.** + +I don't consider that ecosystem to be tolerated, nor endorsed. So the only option is to opt out like we did at Nowhere: + +![](10.png) + +so you first get rid of your websites' clearnet presence by redirecting your audience to the darknet link of your website instead: + +![](6.png) + +## **Darknet Visibility - Option A: Peer-to-Peer Gossip** + +From there, what are your options to grow your website's visibility ? Truth is, right now there aren't that many options. + +The most basic way you can do it is that you can go on popular forums and communities that have large audiences to let users know that you are running your onion website: + +![](7.png) + +Don't hesitate to do so especially when you have value to add to a community that has been misled: + +![](8.png) + +Going on communities' chatrooms is also a viable option to get that peer-to-peer organic visibility growing: + +![](9.png) + +You don't need anyone's approval to post a link to your own website, you can always find discussions online to slip your onion link in there for the users, even if the administrators of said community don't like what you have to say, their audience probably does want to hear it regardless. + +The use of Tor and the darknet doesn't need to be demonzied. You are simply allowing people to remain safe to view your content. + +## **Darknet Visibility - Option B: Lists of Links** + +Your other option for darknet visibility is to run your own lists of links like those websites do: [[1]](http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/) [[2]](http://darkfailenbsdla5mal2mxn2uz66od5vtzd5qozslagrfzachha3f3id.onion/) [[3]](https://daunt.link) [[4]](http://tortaxi2dev6xjwbaydqzla77rrnth7yn2oqzjfmiuwn5h6vsk2a4syd.onion/) + +![](11.png) ![](12.png) ![](13.png) ![](14.png) + +This is a fundamental trait of the darknet, **you actually depend on those people running their own lists of darknet .onion links for their visibility, and your discoverability of those websites.** Currently this is the most popular way to get visibility on the darknet, people trust a few websites to run and maintain their own lists of links, and the more people trust them, the more visibility those websites get. + +The problem is that **the visibility of the listed websites is limited to the size of each individual community.** + +![](15.png) + +Let's say that you are Alice, with currently a small community of 100 people, and you want your lists of links to be visible to more people, you have to go ask Bob (and his 100k followers) or Charlie (and his 100M followers) to add a link to your community on their lists of links to be able to grow your visibility. + +And here we i am being very optimistic, it's very unlikely that you'll find a darknet community with millions of followers. **It is much more likely that most darknet communities are only hundreds of followers big, and that there are thousands of small communities like that, that not even aware of each other.** + +And that major problem is what has motivated me to create the Darknet Lantern project that i just officially released. + +## **Darknet Visibility - Option C: The Darknet Lantern Webring** + +So you are the average joe out there, you have your own darknet .onion website, but now you want visibility, now thanks to [the Darknet Lantern Proejct](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/darknet-lantern) you have a third option to solve that problem: **Participating in a Darknet Webring.** + +![](16.png) + +The idea of participating in a Webring is that you are linking to other communities just like yours, **to make sure that these communities are not isolated from your community.** It depends on which point of view you are looking at it, if you are joining the webring as Charlie, you already have 100M followers so you don't really care about getting 100k followers more. **But if you are joining the webring as Dave, you only have 10 followers, and now you are potentially exposing yourself to a massive increase in visibility to up to 100 million potential followers** , thanks to charlie having the biggest community in the webring. + +![](17.png) + +The Darknet Lantern project enables you to run and maintain your own list of onion links like the other websites we showed in the previous section. See for example my Darknet Lantern instance [here](http://lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/): + +![](18.png) + +There are 2 main parts: the search feature, and the webring part at the bottom, where every webring participant is listed with their banner images. You can either search for links by typing a keyword in the searchbar, or simply click one of the categories at the top, as they are dynamically displayed: + +![](19.png) + +In [the next tutorial](../darknetlantern/index.md) we're going to cover how you can setup your own Darknet Lantern Instance, how you can maintain your own list of onion links by using it, and how you can join the darknet webring aswell to exponentially increase your websites' visibility. + diff --git a/darknetlantern/1.png b/darknetlantern/1.png new file mode 100644 index 0000000..540b022 Binary files /dev/null and b/darknetlantern/1.png differ diff --git a/darknetlantern/10.png b/darknetlantern/10.png new file mode 100644 index 0000000..ba1813f Binary files /dev/null and b/darknetlantern/10.png differ diff --git a/darknetlantern/11.png b/darknetlantern/11.png new file mode 100644 index 0000000..9e7358c Binary files /dev/null and b/darknetlantern/11.png differ diff --git a/darknetlantern/12.png b/darknetlantern/12.png new file mode 100644 index 0000000..22f2d4d Binary files /dev/null and b/darknetlantern/12.png differ diff --git a/darknetlantern/13.png b/darknetlantern/13.png new file mode 100644 index 0000000..c378485 Binary files /dev/null and b/darknetlantern/13.png differ diff --git a/darknetlantern/14.png b/darknetlantern/14.png new file mode 100644 index 0000000..cc95f9c Binary files /dev/null and b/darknetlantern/14.png differ diff --git a/darknetlantern/15.png b/darknetlantern/15.png new file mode 100644 index 0000000..b201771 Binary files /dev/null and b/darknetlantern/15.png differ diff --git a/darknetlantern/16.png b/darknetlantern/16.png new file mode 100644 index 0000000..6ffe25f Binary files /dev/null and b/darknetlantern/16.png differ diff --git a/darknetlantern/17.png b/darknetlantern/17.png new file mode 100644 index 0000000..061381b Binary files /dev/null and b/darknetlantern/17.png differ diff --git a/darknetlantern/18.png b/darknetlantern/18.png new file mode 100644 index 0000000..3b57c12 Binary files /dev/null and b/darknetlantern/18.png differ diff --git a/darknetlantern/19.png b/darknetlantern/19.png new file mode 100644 index 0000000..d9740cc Binary files /dev/null and b/darknetlantern/19.png differ diff --git a/darknetlantern/2.png b/darknetlantern/2.png new file mode 100644 index 0000000..22427dd Binary files /dev/null and b/darknetlantern/2.png differ diff --git a/darknetlantern/3.png b/darknetlantern/3.png new file mode 100644 index 0000000..395a1b2 Binary files /dev/null and b/darknetlantern/3.png differ diff --git a/darknetlantern/4.png b/darknetlantern/4.png new file mode 100644 index 0000000..5b59a27 Binary files /dev/null and b/darknetlantern/4.png differ diff --git a/darknetlantern/5.png b/darknetlantern/5.png new file mode 100644 index 0000000..b0a0955 Binary files /dev/null and b/darknetlantern/5.png differ diff --git a/darknetlantern/6.png b/darknetlantern/6.png new file mode 100644 index 0000000..7c0c4a9 Binary files /dev/null and b/darknetlantern/6.png differ diff --git a/darknetlantern/7.png b/darknetlantern/7.png new file mode 100644 index 0000000..78cbfec Binary files /dev/null and b/darknetlantern/7.png differ diff --git a/darknetlantern/8.png b/darknetlantern/8.png new file mode 100644 index 0000000..bfb92ec Binary files /dev/null and b/darknetlantern/8.png differ diff --git a/darknetlantern/9.png b/darknetlantern/9.png new file mode 100644 index 0000000..a581056 Binary files /dev/null and b/darknetlantern/9.png differ diff --git a/darknetlantern/index.md b/darknetlantern/index.md new file mode 100644 index 0000000..d9ea692 --- /dev/null +++ b/darknetlantern/index.md @@ -0,0 +1,874 @@ +--- +author: nihilist +date: 2025-01-26 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/267" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to run your own Darknet Lantern for Visibility and Discoverability + +![](1.png) + +In this tutorial we're going to first explain why the Darknet Lantern is important in the current Darknet context, we'll cover what it is made of, and then we'll cover how to spin up a Darknet Lantern instance, how to maintain one's list of onion links, and lastly we'll cover how to join the Darknet Webring. + + + +## **Why is the Darknet Lantern Project Important?** + +As we have explained [previously](../darknetexploration/index.md), the current Darknet ecosystem is such, that you don't have visibility on every community out there: + +![](../darknetexploration/2.png) + +I'm sure that most darknet communities out there are isolated from each other, because they don't know that the other communities exist, they didn't go to the right places on the web yet to find out that those other places exist. + +![](../darknetexploration/15.png) + +So right now you and your community may be one of the 3 here, as Alice you may list some onion links for your own small community, or you may be Charlie, sharing other onion links to your much larger community, and you (and your community) may not even be aware that Bob's community even exist, with their own knowledge of onion links that they discovered. + +![](../darknetexploration/16.png) + +This is why the Webring formation is crucial here, **to participate in a Webring means that your community is also maintaining a list of those other communities that are participating in the webring, so that they may also benefit from the visibility coming from your audience.** And in the same way you may also benefit from the additional visibility coming from all of the other audiences combined. + +The webring formation is crucial to maintain the decentralisation intact, that is to make sure that ONE webring participant cannot dictate who gets to have visibility, and who doesn't get to have visibility across the entire webring. + +![](2.png) + +In this case here, Webring participant A may not link to webring participant Z because they have some links that A doesn't tolerate (like porn links for example), but webring participant B may tolerate them and allow the links coming from that instance to be listed on their own instance all the same. **Therefore, the onion links that you list get visibility from the webring participants that choose to tolerate listing them, themselves.** On my darknet lantern instance for instance I refuse there to be porn links due to how addictive these can be, and I actively blacklist them, so if you want to find those links, you'll have to go through another webring participant that accepts to list them. + +## **What is the Darknet Lantern Project ?** + +![](16.png) + +The Darknet Lantern project aims to provide 3 core functionalities: + + 1. Allow you to run and maintain your own list of onion links, and make it accessible for whoever wants to access it, + + 2. Allow you to automatically check the uptime of the onion links that you list, so that you can track which links are no longer active easily, + + 3. Allow you to participate in a Darknet Webring so that your community may benefit from the visibility coming from the other communities that are participating in the same Webring. + + +![](../darknetexploration/17.png) + +The source code for the project is available [here](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/darknet-lantern). At first I wrote it mainly because I was largely dissatisfied with how the [uptime-kuma](https://github.com/louislam/uptime-kuma) project required javascript and how Database-corruptive the upgrades were. After I nailed down the basic "uptime checker" part, it dawned on me that the webring part was also equally essential for the Darknet ecosystem, as explained above. So that's what I have been focusing on for the last 4 weeks, and now I can proudly say that the project is reaching maturity. + +![](15.png) + +The Darknet Lantern project is built using PHP, Python, and CSV files. You have the CSV files containing the onion links and their attributes, you have python scripts in the backend to automatically update the uptime of those links, including one main python script called lantern.py to manually maintain and edit your instance's csv files. + +And lastly you have the index.php and static.php files to search through those CSV files, and filter the results like a regular search engine. All in all, it has been built with minimalism in mind, I tried to keep it as simple as I could to meet the needs. To make it work you need a Debian stable release (currently Debian 12 bookworm), nginx, php8.2-fpm (currently), Tor, python3 and a few other python3 dependencies that you can install via the apt package manager. + +This project has been built with anonymity in mind, by default, for the serverside. When you are checking the uptimes for both clearnet and darknet websites, **the requests all go through Tor to prevent the website's location from being discovered.** + +This project also takes into account that malicious webring participants may show up, and therefore **lantern comes with safeguards and checks in place to prevent any malicious inputs (meaning php, python or bash commands) from being ran from the csv values that may be received from other instances.** The PHP files are also preventing any php code from being run from the CSV files even if there was one to slip through the cracks. + +## **How to setup your own Darknet Lantern Instance ?** + +Now that we got that out of the way, let's see how you can install your own Darknet Lantern Instance: + +First, git clone the repository in your directory of choice (i recommend using /srv/): + + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → apt install tor git torsocks -y + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/darknet-lantern /srv/darknet-lantern + + + +Install nginx and php8.2-fpm, and php-gd for the new captcha feature: + + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → apt install php-gd php8.2-fpm nginx -y + + + +use the nginx.conf and drop it in /etc/nginx/sites-available/ + + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → ls + nginx.conf README.md scripts todo.txt torrc www + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → cp nginx.conf /etc/nginx/sites-available/lantern.conf + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → vim /etc/nginx/sites-available/lantern.conf + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → cat /etc/nginx/sites-available/lantern.conf + + server { + listen 4443; + listen [::]:4443; + server_name lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion; + + root /srv/darknet-lantern/www/; + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + } + index index.php; + } + + + +use mkp244o if you want to have a custom [vanity v3 hidden service domain name](../torwebsite/index.md), and then use the torrc config to have a local socks5 port (as it will be used by the python script to check the uptime of the listed onion links) + + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → vim /etc/tor/torrc + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → cat /etc/tor/torrc + + HiddenServiceDir /var/lib/tor/onions/nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/ + HiddenServicePort 80 127.0.0.1:4443 + SocksPort 127.0.0.1:9050 + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → systemctl restart tor@default + + + +enable the nginx config and validate that your website can now be accessed via the Tor browser: + + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → ln -s /etc/nginx/sites-available/lantern.conf /etc/nginx/sites-enabled/ + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → nginx -s reload + + + +` ![](4.png) + +Here we see that the website is reachable now, so let's now install the python script dependencies: + + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → apt install python3-pandas python3-requests python3-socks python3-dotenv -y + + + +Now that's done, you can run scripts/lantern.py for the first time to confirm your own instance name: + + + [ Wonderland ] [ /dev/pts/20 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + [+] Instance Path doesn't exist yet + What is your Instance domain ? (ex: lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion): lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + + [+] Instance Name: lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion True + + lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + Is this your this your instance domain ? (y/n)y + OK writing the instance url to ~/.darknet_participants_url + [+] file written, let's read it + lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + [+] Initial Setup Completed! + [+] file exists, your Webring URL is lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + + + +In another terminal you can validate that ~/darknet_participant_url has been created properly: + + + [ Wonderland ] [ /dev/pts/33 ] [/srv/darknet-lantern] + → cat ~/.darknet_participant_url + lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion# + + + +This is the file that lantern.py will check to get your instance name the next times you run the script. And next when you run scripts/lantern.py you'll be greeted by the following CLI menu: + + + [ Wonderland ] [ /dev/pts/20 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + [+] Instance Name: lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion True + [+] file exists, your Webring URL is lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + + [+] Welcome to your own Darknet Lantern Instance, where you can explore the Darknet and help others do the same. + + Managing Websites: + 1) Add a new Website entry (into unverified.csv) + 2) Trust a Website entry (move an entry from unverified to verified.csv) + 3) Untrust a Website entry (move an entry from unverified to verified.csv) + + Managing Webring Participants: + 4) Synchronize new links from existing webring participants, into your unverified.csv file + 5) Add a new webring participant (and download their files into their directory (without trusting them yet!)) + 6) Trust/UnTrust/Blacklist a webring participant (Potentially dangerous) + + Managing Wordlists: + 7) Add/Remove Words/URLs in the sensitive list (ex: drug) + 8) Add/Remove Words/URLs or links in the blacklist (ex: porn) + + Maintenance: + 9) Remove the duplicate URLs for your own instance + 10) Perform sanity checks on all csv files for all instances (to mark them as sensitive / or remove the ones that are blacklisted) + + 0) Exit + + Select Option? (0-11): + + + +## **How to Maintain your own list of onion links ?** + +At first your list of onion links is going to be empty, so if you try to search for a term in the searchbar you'll get the following message: + +![](5.png) + +So here we need to start to list some onion links. Using scripts/lantern.py's option 1 we can add those links: + + + Select Option? (0-11): 1 + 1 + + [+] Add a new Website entry (into unverified.csv) + What is the Website name ? Qubes OS Website + What is the website Category ? Tools + What is the website URL ? http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/ + Description for the website ? (Optional) OS based on Xen that focuses on compartmentalization and virtualization. + Is the website sensitive ? (ex: related to drugs) (y/n) n + [+] NEWROW= ['lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion', 'Tools', 'Qubes OS Website', 'http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/', 'NO', 'OS based on Xen that focuses on compartmentalization and virtualization.', '', ''] + [+] New row added! now writing the csv file: + + + + + [+] Want to add another website ? (y/n) y + + [+] Add a new Website entry (into unverified.csv) + What is the Website name ? Whonix Website + What is the website Category ? Tools + What is the website URL ? http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ + Description for the website ? (Optional) VM for general anonymous use + Is the website sensitive ? (ex: related to drugs) (y/n) n + + [+] Want to add another website ? (y/n) y + + [+] Add a new Website entry (into unverified.csv) + What is the Website name ? Feather Wallet + What is the website Category ? Tools + What is the website URL ? http://featherdvtpi7ckdbkb2yxjfwx3oyvr3xjz3oo4rszylfzjdg6pbm3id.onion/ + Description for the website ? (Optional) Lightweight Monero Wallet + Is the website sensitive ? (ex: related to drugs) (y/n) n + + + +Also, **please categorize links by their utility instead of trying to categorize them by their community name.** It does not matter who does what, what matters is what the service does ([more details](../../productivity/sum-nihil/index.md) on that thought process). For instance as you'll see below, if i want to list my own community's main website, i'll categorize it under "communities". and if i want to do the same for the blog service i run, i'll categorize it under "blogs": + + + Select Option? (0-11): 1 + 1 + + [+] Add a new Website entry (into unverified.csv) + What is the Website name ? Nowhere + What is the website Category ? Communities + What is the website URL ? nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + Description for the website ? (Optional) + Is the website sensitive ? (ex: related to drugs) (y/n) n + + [+] Add a new Website entry (into unverified.csv) + What is the Website name ? The Nihilism Blog + What is the website Category ? Blogs + What is the website URL ? blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + Description for the website ? (Optional) + Is the website sensitive ? (ex: related to drugs) (y/n) n + + + +In order to avoid putting all eggs in one basket, I recommend marking websites that are related to Drugs (as this is the most popular sensitive darknet topic) as sensitive whenever you add them into your unverified.csv file, that way you can give your audience a safe browsing searching experience, and an opt-in sensitive browsing search experience (with ample disclaimers/warnings) if they choose to do so. + + + [+] Want to add another website ? (y/n) y + + [+] Add a new Website entry (into unverified.csv) + What is the Website name ? Dark Forest + What is the website Category ? Forums + What is the website URL ? http://dkforestseeaaq2dqz2uflmlsybvnq2irzn4ygyvu53oazyorednviid.onion/ + Description for the website ? (Optional) + Is the website sensitive ? (ex: related to drugs) (y/n) y + + [+] Want to add another website ? (y/n) n + + + +` There is also a sensitive.csv file in your instance directory to list those keywords, so that they get automatically marked as sensitive by the python scripts. + +Now that you added some websites to your unverified.csv file, you can view the csv file in www/participants/YOURINSTANCENAME.onion/unverified.csv: + + + [ Wonderland ] [ /dev/pts/33 ] [/srv/darknet-lantern] + → cat www/participants/lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/unverified.csv | grep Tools + + Instance,Category,Name,URL,Sensitive,Description,Status,Score + + lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion,Tools,Feather Wallet,http://featherdvtpi7ckdbkb2yxjfwx3oyvr3xjz3oo4rszylfzjdg6pbm3id.onion/,NO,Lightweight Monero Wallet,, + lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion,Tools,Whonix Website,http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/,NO,VM for general anonymous use,, + lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion,Tools,Qubes OS Website,http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/,NO,OS based on Xen that focuses on compartmentalization and virtualization.,, + + + +As you can see, the websites' uptime status and score is missing (in the last 2 columns in the csv file), therefore using scripts/uptimechecker.py we'll automatically fill those in: + + + [ Wonderland ] [ /dev/pts/33 ] [/srv/darknet-lantern] + → python3 scripts/uptimechecker.py + [+] ONION UPTIME CHECKER + [+] Instance Name: lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion True + [+] Reading the CSV File: /srv/darknet-lantern/www/participants/lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/verified.csv + + Name URL + 0 Feather Wallet http://featherdvtpi7ckdbkb2yxjfwx3oyvr3xjz3oo4... + 1 Whonix Website http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rb... + 2 Qubes OS Website http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4... + What is the Website name you want to trust ? (ex: Nowhere)Qubes + + [+] Checking if each .onion link is reachable: + [+] Editing the uptime score + 0 + [+] http://lvgjoige2hl5qm5xcxhxuulyhdnq2wk3277eu34zpukxvacmvwva6vid.onion/read 200 + http://lvgjoige2hl5qm5xcxhxuulyhdnq2wk3277eu34zpukxvacmvwva6vid.onion/read YES + [+] Editing the uptime score + 1 + [+] http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/ 200 + http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/ YES + [+] Editing the uptime score + 2 + + [...] + + + +It may take a few minutes depending on the size of your list of links to check all of their uptimes, as the script has to connect through Tor for every website to tell if they are reachable or not. make sure the cronjob for scripts/uptimechecker.py is running at least once every 3 hours so that the csv files are automatically kept up to date. + + + [ Wonderland ] [ /dev/pts/23 ] [/srv/darknet-lantern] + → crontab -e + + */3 0 * * * python3 /srv/darknet-lantern/scripts/uptimechecker.py + + + +To verify links (meaning that you are moving links from your unverified.csv file into your verified.csv file), use scripts/lantern.py to do the following: + + + [ Wonderland ] [ /dev/pts/33 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + + Select Option? (0-11): 2 + 2 + [+] Trust a Website entry (move an entry from unverified to verified.csv) + Name URL + 0 Feather Wallet http://featherdvtpi7ckdbkb2yxjfwx3oyvr3xjz3oo4... + 1 Whonix Website http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rb... + 2 Qubes OS Website http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4... + What is the Website name you want to trust ? (ex: Nowhere)Qubes + Name URL + 2 Qubes OS Website http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4... + What is the index of the entry that you want to move to verified.csv ? (ex: 3) 2 + ['lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion' + 'Tools' 'Qubes OS Website' + 'http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/' + 'NO' + 'OS based on Xen that focuses on compartmentalization and virtualization.' + nan nan] + [+] New row added to verified.csv! now writing to the csv + [+] Link is now moved to verified.csv! + + [+] Want to trust another website ? (y/n) n + + + +Now that's done you can check the links that you listed on your lantern instance: + +![](6.png) + +If you want to untrust a website, you can use the option 3 of lantern.py: + + + [ Wonderland ] [ /dev/pts/33 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + + Select Option? (0-11): 3 + 3 + [+] Untrust a Website entry (move an entry from verified to unverified.csv) + Name URL + 0 Qubes OS Website http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4... + What is the Website name you want to untrust ? (ex: BreachForums)Qubes + Name URL + 0 Qubes OS Website http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4... + What is the index of the entry that you want to move to unverified.csv ? (ex: 3) 0 + ['lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion' + 'Tools' 'Qubes OS Website' + 'http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/' + 'NO' + 'OS based on Xen that focuses on compartmentalization and virtualization.' + nan nan] + [+] New row added to unverified.csv! + [+] Link is now moved to unverified.csv! + + + +![](7.png) + +## **How get the links from other Webring participants ?** + +Right now the webring participants may not be listed on your instance, but the files already exist here. + + + [ Wonderland ] [ /dev/pts/20 ] [/srv/darknet-lantern] + → tree www/participants + www/participants + ├── lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + │   ├── banner.png + │   ├── blacklist.csv + │   ├── sensitive.csv + │   ├── unverified.csv + │   ├── verified.csv + │   └── webring-participants.csv + ├── lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion + │   ├── banner.png + │   ├── blacklist.csv + │   ├── sensitive.csv + │   ├── unverified.csv + │   ├── verified.csv + │   └── webring-participants.csv + └── lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + ├── banner.png + ├── blacklist.csv + ├── sensitive.csv + ├── unverified.csv + ├── verified.csv + └── webring-participants.csv + + 4 directories, 18 files + + + +So let's sync the links coming from the other webring participants: + + + [ Wonderland ] [ /dev/pts/30 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + + Select Option? (0-11): 4 + + Select Option? (0-11): 4 + 4 + 4) Synchronize new links from existing webring participants, into your unverified.csv file + http://lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion/participants/lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion/ + [+] Downloading the files of lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion: + [+] Webring Participant is reachable, updating their csv files: + + [...] + + http://lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/participants/lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/ + [+] Downloading the files of lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion: + [+] Webring Participant is reachable, updating their csv files: + + [...] + + + +And now that the script finished running you now have all of the links coming from other webring participants that are stored into your own unverified.csv file, so to check it you can check again from the web interface by searching for links: + +![](8.png) + +And there you go ! you are now displaying the links that other webring participants are listing. You can start to verify those links yourself + +![](9.png) + +## **What if there is a malicious webring participant ?** + +Now when you are synchronizing links from other webring participants, you may realize that there was a malicious link that got listed from a webring participant: + +![](10.png) + +From here you can blacklist the link manually by adding it into the blacklist.csv file: + + + [ Wonderland ] [ /dev/pts/20 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + + Select Option? (0-11): 8 + 8 + [+] Add/Remove words in the blacklist list (ex: porn) + [+] Do you want to 1) add or 2) remove Words/URLs? (type exit to exit) 1 + [+] Which word/link do you want to add to the blacklist? (write -1 to exit) http://thatonelinkyoudontwanttoseeeveragain.onion + [+] Checking if the Word/URL is valid: + [+] Which word/link do you want to add to the blacklist? (write -1 to exit) http://thatonelinkyoudontwanttoseeeveragain.onion + [+] Checking if the Word/URL is valid: + [+] Which word/link do you want to add to the blacklist? (write -1 to exit) https://thatonelinkyoudontwanttoseeeveragain.com + [+] Checking if the Word/URL is valid: + TrueFalse + False + [+] Word/URL is valid, adding the word into the blacklist + [+] NEWROW=['https://thatonelinkyoudontwanttoseeeveragain.com'] + [+] New row added! now writing the csv file: + [+] Which word/link do you want to add to the blacklist? (write -1 to exit) -1 + + [ Wonderland ] [ /dev/pts/20 ] [/srv/darknet-lantern] + → cat www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/blacklist.csv + blacklisted-words + https://thatonelinkyoudontwanttoseeeveragain.com + porn + + + +and then you can run the sanity checks on the links to automatically remove the links that match any blacklisted words for all csv files in www/participants/: + + + [ Wonderland ] [ /dev/pts/20 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + + Select Option? (0-11): 10 + 10 + [+] 10) perform sanity checks on all csv files (to mark them as sensitive / or remove the ones that are blacklisted) + Participant:lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + /srv/darknet-lantern/www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/verified.csv + ['lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion', 'Tools', 'Qubes OS Website', 'http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/', 'NO', 'OS based on Xen that focuses on compartmentalization and virtualization.', nan, nan] + /srv/darknet-lantern/www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/unverified.csv + + ['assholexxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion', 'Chat', "a link that you normally don't allow", 'https://thatonelinkyoudontwanttoseeeveragain.com', 'NO', nan, 'YES', 100.0] + Marking row0for deletion, as it has invalid inputs + + + +And from here as you can see, the link in question got removed, and since it is now in your blacklist.csv file, it won't ever get added to your csv files again since you: + +![](11.png) + +If you prefer to only run a read-only php page with all the links at once you can either use the search query **"."** or use the static.php page as follows: + +![](14.png) + +you can also use this optional nginx config that makes static.php your new default index page: + + + server { + listen 4443; + listen [::]:4443; + server_name uptime.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion; + + root /srv/darknet-onion-webring/www/; + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + } + + #index index.php; + + # optional read-only static php file without the searchbar, to display all links by default : + + index static.php; + } + + +You can also edit the default banner.png image for your instance if you want to customize your instance: + +![](12.png) + +If you want to change it you can upload your custom banner.png image in your instance folder in **/srv/darknet-lantern/www/participants/lantern.nowherejezblahblah.onion/banner.png** but be careful, the python scripts are going to check **if your banner has the 240x60 resolution** , if it does not it won't be accepted by the other webring participants, and it will simply be replaced by the default banner image (coming from the templates folder) + + + [ laptop-privateVM ] [ /dev/pts/8 ] [blog/opsec/darknetlantern] + → scp banner.png yourserver:/srv/darknet-lantern/www/participants/yourinstancename.onion/banner.png + + + +` ![](17.png) + +Since v1.0.1, you can now automate the updating of your lantern instance despite the www/participants folder changing (thanks to the changes made to .gitignore): + + + [ Datura ] [ /dev/pts/28 ] [~] + → /usr/bin/torsocks /usr/bin/git -C /srv/darknet-lantern/ pull + + warning: redirecting to http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/darknet-lantern/ + remote: Enumerating objects: 24, done. + remote: Counting objects: 100% (24/24), done. + remote: Compressing objects: 100% (19/19), done. + remote: Total 19 (delta 14), reused 0 (delta 0), pack-reused 0 (from 0) + Unpacking objects: 100% (19/19), 2.06 KiB | 421.00 KiB/s, done. + From http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/darknet-onion-webring + 5928fd3..dc0c2ef main -> origin/main + Updating 5928fd3..dc0c2ef + Fast-forward + README.md | 37 ++++++++++++++++++++++++++++++++----- + scripts/lantern.py | 6 ++++-- + www/participants/lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/banner.png | Bin 14119 -> 0 bytes + www/participants/lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion/banner.png | Bin 8952 -> 0 bytes + www/participants/zhd7yf675dav6njgc7yjwke2u5cq7d5qim2s7xwa2ukxfzubrguqmzyd.onion/banner.png | Bin 20935 -> 0 bytes + 5 files changed, 36 insertions(+), 7 deletions(-) + delete mode 100644 www/participants/lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/banner.png + delete mode 100644 www/participants/lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion/banner.png + delete mode 100644 www/participants/zhd7yf675dav6njgc7yjwke2u5cq7d5qim2s7xwa2ukxfzubrguqmzyd.onion/banner.png + + + +Since v1.0.1 you can now automatically perform that git pull using cronjobs like so: + + + [ Datura ] [ /dev/pts/28 ] [~] + → crontab -e + + #lantern + */3 0 * * * python3 /srv/darknet-lantern/scripts/uptimechecker.py + **0 0 * * * /usr/bin/torsocks /usr/bin/git -C /srv/darknet-lantern/ pull** + + + +That way it'll update your lantern software once a day, at midnight. + +Since v1.0.2 you can now also automatically synchronize new links coming from other webring participants using the following cronjob entry: + + + [ Datura ] [ /dev/pts/28 ] [~] + → crontab -e + + #lantern + */3 0 * * * python3 /srv/darknet-lantern/scripts/uptimechecker.py + 0 0 * * * /usr/bin/torsocks /usr/bin/git -C /srv/darknet-lantern/ pull + **0 1 * * * python3 /srv/darknet-lantern/scripts/lantern.py 4** + + + +With those cronjobs, you'll automatically have an updated darknet lantern instance, automatically synchronising new links coming from the webring participants, and with automatically updated statuses, on a daily basis. + +## **How to participate in the webring ?** + +In order to participate in the webring that I am running, the only requirements I have is that your webring instance should have the core functionnalities (you list links you didn't verify yet, you also list the ones you verified, and you list the other webring participants), you should bring some new onion links i don't already have, and you shouldn't list porn links. + +_Sidenote:_ you are free to fork the project, and change how the front-end looks to customize it, **but the CSV format (especially the columns order and their titles, and the values format) and the paths**(ex: http://URL.onion/participants/URL.onion/verified.csv) **those NEED to remain the same to be able to remain compatible with the other lantern instances.** + +So if you are running a functional lantern instance, you can either [send me a private message on SimpleX](https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2F4NTxj7pyXgVGYfHs8qDdKfW-STOA8AP1%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA5FMqfn6nXs8ETbpz2iu55jr3BKHlfuesWVnko-A1Ewk%253D), or you can show up [in the Darknet Lantern Simplex chatroom](https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2F4woLIDlpkvXRvZmaAiWA802OwiyxekdJ%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAzIAoE-OWDqFJXMqgunIWHPpE_u7e52Wtu8TioPc1QwI%253D&data=%7B%22groupLinkId%22%3A%22Srr1_MNob7WfPTQIY-ug5Q%3D%3D%22%7D) i'm running, and let me know that you are running a darknet lantern instance. After that i'll go and check your darknet lantern instance to check for the new links you are bringing to the table, and if there are no porn links there, i'll add it to my darknet lantern instance by doing the following: + + + Select Option? (0-11): 5 + 5 + [+] Add a new webring participant (and download their files into their directory (without trusting them yet!)) + What is the onion domain of the new webring participant? (ex: lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion) lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + http://lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/ + [+] Checking if all of the required csv files exists for new webring participant lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion: + [+] Webring Participant is valid, adding it. + What is the Webring instance name ? Nowhere3 + Description for the webring participant ? (Optional) + [+] New row added! now writing the csv file:/srv/darknet-lantern/www/participants/lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion/webring-participants.csv + [+] DOWNLOADING http://lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/verified.csv + [+] SAVING IT INTO /srv/darknet-lantern/www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/verified.csv + [+] file written, let's read it + Instance,Category,Name,URL,Sensitive,Description,Status,Score + + [+] DOWNLOADING http://lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/unverified.csv + [+] SAVING IT INTO /srv/darknet-lantern/www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/unverified.csv + [+] file written, let's read it + Instance,Category,Name,URL,Sensitive,Description,Status,Score + + [+] DOWNLOADING http://lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/blacklist.csv + [+] SAVING IT INTO /srv/darknet-lantern/www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/blacklist.csv + [+] file written, let's read it + blacklisted-words + porn + + [+] DOWNLOADING http://lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/sensitive.csv + [+] SAVING IT INTO /srv/darknet-lantern/www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/sensitive.csv + [+] file written, let's read it + sensitive-words + Market + market + drug + + + [+] DOWNLOADING http://lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/webring-participants.csv + [+] SAVING IT INTO /srv/darknet-lantern/www/participants/lanterntest.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/webring-participants.csv + [+] file written, let's read it + Name,URL,Description,Trusted,Status,Score + + [+] Banner is valid + [-] Rows to delete: [] + [-] Rows to delete: [] + + + +Once added, you'll be able to see from my lantern instance that i added the new instance as a webring participant: + +![](13.png) + +And from there, if you are the maintainer of a webring like i am, you can make that new webring participant official by mentionning their hostname in www/.official_participants: + + + [ Wonderland ] [ /dev/pts/30 ] [/srv/darknet-lantern] + → cat www/.official_participants + lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + lantern.nowhevi57f4lxxd6db43miewcsgtovakbh6v5f52ci7csc2yjzy5rnid.onion + **zhd7yf675dav6njgc7yjwke2u5cq7d5qim2s7xwa2ukxfzubrguqmzyd.onion** + + + +And then just do a git push to the git repository, **so that whoever else wants to run a darknet lantern instance will already have the webring participant ready to be listed with their files saved in the www/participants directory.** + + + [ Datura ] [ /dev/pts/3 ] [/srv/darknet-lantern] + → git add -A + + [ Datura ] [ /dev/pts/3 ] [/srv/darknet-lantern] + → git commit + + [ Datura ] [ /dev/pts/3 ] [/srv/darknet-lantern] + → torsocks git push + + + +And that's it! you are now an official member of the darknet lantern webring, your community may now benefit from the visibility coming from the other webring participants' communities, while at the same time making sure that your community gets to know that those other communities exist. + +## **How to receive link submissions ?** + +Starting with Lantern version v1.1.0, your lantern instance can now receive submissions from the visitors directly, you can access the submission page on the **/submit.php** url: + +![](19.png) + +If you wish to receive links from your audience, you just need to copy the template submission.csv file and edit the file rights of the submissions folder accordingly (as otherwise there will be a blank page when trying to submit a new link): + + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/14 ] [/srv/darknet-lantern] + → cp templates/submission.csv submissions/submission.csv + + [ Wonderland ] [ /dev/pts/14 ] [/srv/darknet-lantern] + → chmod 777 -R /srv/darknet-lantern/submissions/ + + #optional, use that following command if you are updating from the previous lantern version + [ Wonderland ] [ /dev/pts/14 ] [/srv/darknet-lantern] + → git rm --cached /srv/darknet-lantern/submissions/submission.csv + + + +From here, anyone can mention the new link to submit, the name of that link, the description, the category name, and wheter or not the link is sensitive (related to drugs) or not. And lastly, to prevent spam, we also implemented a Captcha mechanism. + +![](18.png) + +Once the link is correctly submitted, as a lantern admin you have to manually verify it (obviously there's no way we'd let strangers submit links that would be directly displayed on your own lantern instance without any manual verification whatsoever, let's be real, that would be too risky). + +Back on your lantern instance server, you can run lantern.py's new option 11) to review submissions: + + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/7 ] [/srv/darknet-lantern] + → python3 scripts/lantern.py + + [+] Instance Name: dawdawddwawdadwadwadwawdaddawdov22nk2d3plyvwc7yd.onion. Valid:True + [+] file exists, your Webring URL is dawdawddwawdadwadwadwawdaddawdov22nk2d3plyvwc7yd.onion + + [+] Welcome to your own Darknet Lantern Instance, where you can explore the Darknet and help others do the same. + + Managing Websites: + 1) Add a new Website entry (into unverified.csv) + 2) Trust/Untrust/ Blacklist a Website entry (move an entry from unverified to verified.csv) + 3) Edit link attributes + + Managing Webring Participants: + 4) Synchronize new links from existing webring participants, into your unverified.csv file + 5) Add a new webring participant (and download their files into their directory (without trusting them yet!)) + 6) Trust/UnTrust/Blacklist a webring participant (Potentially dangerous) + + Managing Wordlists: + 7) Add/Remove Words/URLs in the sensitive list (ex: drug) + 8) Add/Remove Words/URLs or links in the blacklist (ex: porn) + + Maintenance: + 9) Remove the duplicate URLs for your own instance + 10) Perform sanity checks on all csv files for all instances (to mark them as sensitive / or remove the ones that are blacklisted) + **11) Review submissions (Add to verified.csv/ add to unverified.csv/ delete /blacklist)** + + 0) Exit + + Select an option? (0-11): 11 + + +That new option is going to simply iterate over every new submission you received, allowing you to move the entry to 1) verified.csv, 2) or to unverified.csv, 3) or to simply delete it, 4) or to blacklist it if it's a malicious link: + + + name test + desc test + category test + sensitive y + Name: 0, dtype: object + + Link to verify: **http://coollinkdwadwdwawaadwdawdawdwawaddwawdaadw.onion/** + + 1) Move entry to verified.csv + 2) Move entry from submission.csv to unverified.csv + 3) Delete from submission.csv file + 4) Add to blacklist.csv + -1) exit + Enter an option: 1 + + + +Here we need to copy the link into our Tor browser to review it, and upon reviewing it, we see that it's a cool and valid link, so we pick option 1 to move it to verified.csv. + + + name test + desc test + category test + sensitive y + Name: 0, dtype: object + + Link to verify: **http://weirdlinkdwadwdwawaadwdawdawdwawaddwawdaadw.onion/** + + 1) Move entry to verified.csv + 2) Move entry from submission.csv to unverified.csv + 3) Delete from submission.csv file + 4) Add to blacklist.csv + -1) exit + Enter an option: 2 + + + +Then we have a second submitted link, which upon reviewing is weird and not what you expected, but upon reviewing it's not something you need to blacklist so we select option 2 to leave it in unverified.csv for the time being. + + + name test + desc test + category test + sensitive y + Name: 0, dtype: object + + Link to verify: **http://cringelinkwadawdwdwawaadwdawdawdwawaddwawdaadw.onion/** + + 1) Move entry to verified.csv + 2) Move entry from submission.csv to unverified.csv + 3) Delete from submission.csv file + 4) Add to blacklist.csv + -1) exit + Enter an option: 3 + + + +The next submission is a cringe link, so for this one instead we're going to just delete it with option 3. + + + name test + desc test + category test + sensitive y + Name: 0, dtype: object + + Link to verify: **http://maliciouslinkwadwdwawaadwdawdawdwawaddwawdaadw.onion/** + + 1) Move entry to verified.csv + 2) Move entry from submission.csv to unverified.csv + 3) Delete from submission.csv file + 4) Add to blacklist.csv + -1) exit + Enter an option: 4 + + + +And the last submitted link is actually a malicious link (for example a porn link) so we select option 4 to put it into our blacklist.csv. + diff --git a/de0.png b/de0.png new file mode 100644 index 0000000..1b7b0bb Binary files /dev/null and b/de0.png differ diff --git a/de1.png b/de1.png new file mode 100644 index 0000000..ba5a679 Binary files /dev/null and b/de1.png differ diff --git a/de2.png b/de2.png new file mode 100644 index 0000000..ef41a49 Binary files /dev/null and b/de2.png differ diff --git a/deniability/1.png b/deniability/1.png new file mode 100644 index 0000000..603bbef Binary files /dev/null and b/deniability/1.png differ diff --git a/deniability/2.png b/deniability/2.png new file mode 100644 index 0000000..7c81b1d Binary files /dev/null and b/deniability/2.png differ diff --git a/deniability/3.png b/deniability/3.png new file mode 100644 index 0000000..5064369 Binary files /dev/null and b/deniability/3.png differ diff --git a/deniability/4.png b/deniability/4.png new file mode 100644 index 0000000..b70fbbd Binary files /dev/null and b/deniability/4.png differ diff --git a/deniability/5.png b/deniability/5.png new file mode 100644 index 0000000..c2a032f Binary files /dev/null and b/deniability/5.png differ diff --git a/deniability/6.png b/deniability/6.png new file mode 100644 index 0000000..015d7cb Binary files /dev/null and b/deniability/6.png differ diff --git a/deniability/7.png b/deniability/7.png new file mode 100644 index 0000000..67755ff Binary files /dev/null and b/deniability/7.png differ diff --git a/deniability/index.md b/deniability/index.md new file mode 100644 index 0000000..6808db1 --- /dev/null +++ b/deniability/index.md @@ -0,0 +1,109 @@ +--- +author: nihilist +date: 2024-05-01 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/271" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# What is Plausible Deniability ? Why is it Important ? + + + +## **Encryption Provides Privacy** + +Let's take our previous analogy to explain what Privacy is: + + + Bob wants to talk to Alice, He wants the conversation to remain private, so he closes the door + Jack can't spy on bob and alice's conversation, because the door is closed, + The door is closed, the conversation remains between Alice and Bob, their conversation is Private. + + + +![](1.png) + +For Alice and Bob to protect their conversation from being spied on by Jack, they encrypt their conversation for example by using [PGP](../pgp/index.md). + +![](2.png) + +Here the most common usecase for encryption is for people to encrypt their system disk on their computers, because if someone (like jack) were to steal their computer, they don't want to read all of their data. + +![](3.png) + +All in all, encryption is used to provide privacy. As long as the encrypted volumes are closed when Jack is trying to open them, Jack cannot read the contents of the volumes. + +## **What happens when Bob is forced to give out his password ?** + +Encryption however, cannot protect against everything. + +![](4.png) + +In this case, Bob is legally, although questionably morally, forced to decrypt his encrypted system disk by the judge. Keep in mind that this is not a far fetched scenario, this has happened previously. + + 1. in January 2012 ([source](https://www.wired.com/2012/01/judge-orders-laptop-decryption/)) + + 2. in Febuary 2009 ([source](https://www.cnet.com/tech/tech-industry/judge-orders-defendant-to-decrypt-pgp-protected-laptop/)) + + + + +Now here there are multiple scenarios. Either you live in a country that doesn't respect human rights, and they torture you until you spit out the password, or the country you live in has to respect human rights, they throw you in jail for let's say 6 months, for contempt of court (arguing that you swore to tell the truth, and you lied about having forgotten your password), **which is also an attempt to break your will, to make you spit out the password.** the only problem is that they can't legally torture you any other way, so they have no other option than to do it like that. + +If you are ever dragged into court, **the judge will appreciate much more if you actually hand over your laptop, and show that you are willing to cooperate with the authorities by providing your password to unlock it** , rather than starting to pretend you forgot your password (which can end badly like in [this court case](https://lawblog.legalmatch.com/2018/07/23/florida-man-jailed-allegedly-forgetting-password-on-cell-phones/), where the defendant was found to be in contempt of court, and thrown in jail for 6 months for it), + +When that is the case, simply encrypting the disk is not enough, as **all that is required is for the adversary to know of the existance of the encrypted drive, to be able to force Bob to open it** + +![](6.png) + +As far as key encryption laws, the trend is that most developed countries are forcing their citizens to incriminate themselves and to surrender the encryption keys to authorities, when asked. In short,**If the encrypted volume is proven to exist, you can be forced to surrender the decryption key/password to open it.** + +## **What if i destroy the evidence ?** + +One common arguement that is being brought up is **"what if i destroy the data before the adversary can see it?"** lets see the following scenario: + + + -You started doing sensitive actions on your [graphene OS phone](../graphene/index.md) + -Somewhere you slipped up, and now the adversary is busting down your door and holding you at gunpoint, handcuffing you and taking you to the nearest station. + -Now the adversary is telling you "by order of the judge, you are now going to unlock that phone." + + -But, you've got your ace up your sleeve, you configured **[a duress password](https://grapheneos.org/features#duress) on your graphene OS phone**, meaning that once you type that special password, the contents of your phone are irreversibly deleted, with no possible recovery. + + -You type the password, and the phone contents are getting deleted, right in front of the adversary. What now ? + + + +Now you are in a situation where the adversary knows that you intentionally destroyed the contents of your phone, **he knows that you do not intend to cooperate, and that on top of it you destroyed potential evidence**. Where do you think that get you in court ? + +If you were just pretending to have forgotten your password, you'd be found to be in Contempt of Court (approx 6 months jailtime), But here from the point of view of the adversary, he's perceiving it as you knowingly and intentionally **[tampering with evidence](https://www.criminaldefenselawyer.com/crime-penalties/federal/Tampering-with-evidence.htm) which is way worse, as the sentences for that can go up to 20 years in prison.** + +So in short, **you need it to look like you are cooperating with the adversary** , you must be able to give him a password, and when he unlocks the encrypted volume, he must find nothing incriminating about you, which is why we need deniable encryption. + +## **Why is Deniable Encryption Vital?** + +From a legal standpoint, the only way to be protected against that scenario where you're forced to decrypt your harddrive **is to be able to deny the existence of said encrypted volume (Plausible Deniability)** . If the encrypted volume does not exist, there is no password to be given for it. + +So here we need a technology that can provide us Plausible Deniability. **That is what Veracrypt can do for us**. + +![](5.png) + +In short, Veracrypt allows you to encrypt volumes, just like LUKS encryption does. **However it gives you the choice to hide another encrypted volume inside the same volume** , that is exactly what you can deny the existence of. + +So you can hide some random meaningless data inside the decoy volume, while the real data that needs protection sits inside the hidden volume. + +This means, when Jack forces Bob to open the vercrypt volume, Bob types Password A to open the decoy volume, Then, when asked by Jack, **Bob declares that there is no Hidden volume, and Jack has no way to prove the existence the Hidden Volume**. + +To see how to implement Plausible Deniability protection with Veracrypt, check out this [tutorial](../veracrypt/index.md). + +## **Live mode - Protecting your Deniability** + +Now when there is an adversary busting down your door, running towards your computer to collect as much incriminating evidence as possible on you, you need to make sure that they are not finding anything incriminating on you. Thing is, if he were to seize your computer, there are many places he can check inside your computer for anything incriminating (system logs, kernel logs, non-standard log-files, the contents of the RAM, etc) + +In the context of you using [deniable encryption](../veracrypt/index.md), **the adversary must not able to prove the existance of said encrypted volume** that you are trying to keep hidden. This is where using an operating system in live mode comes in the picture: + +![](7.png) + +To make it short, if you start your operating system in live mode, **you are not writing anything on the system disk** , but rather **you are loading the entire operating system in the RAM**. Everthing that you write on the system drive while in live mode gets erased upon rebooting. + +The idea behind using live mode is that **every forensic trace regarding the hidden encrypted volume** that would normally be written into the system logs, kernel logs, and various other system files **(that we would normally need to manually clean up after closing the hidden volume)** will all be written into RAM instead of being written onto Disk, and then **will all be completely erased upon rebooting the computer.** + +As you'll see in [this tutorial](../tailsqemuvm/index.md), we can make use of a VM's live mode to securely erase every trace of sensitive activity. + diff --git a/dns/0.png b/dns/0.png new file mode 100644 index 0000000..b0e04ca Binary files /dev/null and b/dns/0.png differ diff --git a/dns/1.png b/dns/1.png new file mode 100644 index 0000000..7a57309 Binary files /dev/null and b/dns/1.png differ diff --git a/dns/2.png b/dns/2.png new file mode 100644 index 0000000..9c3654d Binary files /dev/null and b/dns/2.png differ diff --git a/dns/index.md b/dns/index.md new file mode 100644 index 0000000..1ad525f --- /dev/null +++ b/dns/index.md @@ -0,0 +1,1083 @@ +--- +author: nothing@nowhere +date: 2024-05-28 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/112" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# bind9 DNS setup + +![](0.png) + +In this tutorial we're going to take a look at how to setup DNS servers using bind9. + +_Disclaimer:_ If you want this service to remain anonymous, make sure you at least keep [TOR between you and the service](../sensitiveremotevshome/index.md) from the [VPS acquisition](../anonymousremoteserver/index.md) to actual service usage. + + + +## **Initial Setup** + +First install the requirements: + + + root@Temple:~# apt update -y ; apt upgrade -y ; apt install bind9 -y + root@Temple:~# systemctl disable --now ufw + + + +Next we edit the /etc/bind/named.conf.options file to define which ip the dns server will serve: + + + root@Temple:~# vim /etc/bind/named.conf.options + listen-on { + 10.10.10.0/24; + 10.1.0.0/16; + ... + }; + + #OR + listen-on { any; }; + listen-on-v6 { any; }; + + + +Next, we allow the queries to come from any sources (not just local) + + + allow-query { any; }; + + + +and lastly, we add the forwarders which are the dns servers that bind9 will ask if it can't find the domain names, we can put cloudflare's dns servers for example: + + + forwarders { + 1.1.1.1; + 1.0.0.1; + }; + + + +Here's the result, save it with :wq + + + options { + directory "/var/cache/bind"; + dnssec-validation auto; + + listen-on-v6 { any; }; + listen-on { any; }; + allow-query { any; }; + forwarders { + 1.1.1.1; + 1.0.0.1; + }; + }; + + + +Then restart bind9: + + + root@Temple:~# systemctl restart bind9 + root@Temple:~# systemctl status bind9 + ● named.service - BIND Domain Name Server + Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled) + Active: active (running) since Tue 2021-11-02 20:37:26 UTC; 4s ago + Docs: man:named(8) + Main PID: 2863095 (named) + Tasks: 8 (limit: 4584) + Memory: 30.0M + CGroup: /system.slice/named.service + └─2863095 /usr/sbin/named -f -u bind + + Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53 + Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:2d::d#53 + Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:7fd::1#53 + Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53 + Nov 02 20:37:26 Temple named[2863095]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete) + Nov 02 20:37:26 Temple named[2863095]: resolver priming query complete + Nov 02 20:37:30 Temple named[2863095]: listening on IPv4 interface tun0, 10.8.0.1#53 + Nov 02 20:37:30 Temple named[2863095]: listening on IPv6 interface tun0, fe80::5822:e1cd:a277:e3e3%124941#53 + Nov 02 20:37:30 Temple named[2863095]: no longer listening on 10.8.0.1#53 + Nov 02 20:37:30 Temple named[2863095]: no longer listening on fe80::5822:e1cd:a277:e3e3%124941#53 + + + +and then finally we test if the dns works, let's ask our dns server for the ip address of google: + + + [ 10.66.66.2/32 ] [ /dev/pts/20 ] [Nextcloud/blog] + → nslookup google.com temple.void.yt + Server: temple.void.yt + Address: 78.141.239.68#53 + + Non-authoritative answer: + Name: google.com + Address: 172.217.169.14 + Name: google.com + Address: 2a00:1450:4009:81d::200e + + + +And it worked ! Now let's setup an A record on our DNS server, for itself. To do that we need to specify the zones we're going to manage: + + + + root@Temple:/etc/bind# vim named.conf.local + root@Temple:/etc/bind# cat named.conf.local + // + // Do any local configuration here + // + + // Consider adding the 1918 zones here, if they are not used in your + // organization + include "/etc/bind/zones.rfc1918"; + + root@Temple:~# vim /etc/bind/zones.rfc1918 + root@Temple:~# cat /etc/bind/zones.rfc1918 + zone "void.yt" { + type master; + file "db.void.yt"; + allow-update { none; }; + }; + + + +Here we want to setup a subdomain of void.yt so let's do it in the db.void.yt file: + + + $TTL 604800 + @ IN SOA ns1.void.yt. void.yt. ( + 3 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL + ; + ; name servers - NS records + 3600 IN NS ns1.void.yt. + 3600 IN NS ns2.void.yt. + + ; name servers - A records + ns1.void.yt. IN A 78.141.239.68 + ns2.void.yt. IN A 45.76.133.0 + + ; other hosts - A records + host1.void.yt. IN A 1.1.1.1 + host2.void.yt. IN A 1.0.0.1 + + + +And now we restart the bind9 service, and test if we can resolve the host1.void.yt domain: + + + root@Temple:/etc/bind# systemctl restart bind9 + root@Temple:/etc/bind# systemctl status bind9 + ● bind9.service - BIND Domain Name Server + Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-11-14 10:28:16 UTC; 51s ago + Docs: man:named(8) + Main PID: 3710 (named) + Tasks: 8 (limit: 4582) + Memory: 29.7M + CGroup: /system.slice/bind9.service + └─3710 /usr/sbin/named -f -u bind + + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53 + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:7fd::1#53 + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:1::53#53 + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:a8::e#53 + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53 + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:dc3::35#53 + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2::c#53 + Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53 + Nov 14 10:28:16 Temple named[3710]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete) + Nov 14 10:28:16 Temple named[3710]: resolver priming query complete + + + +To do that we use nslookup: + + + [ 10.66.66.2/32 ] [ /dev/pts/115 ] [~] + → nslookup host1.void.yt temple.void.yt + Server: temple.void.yt + Address: 78.141.239.68#53 + + Name: host1.void.yt + Address: 1.1.1.1 + + + +Now we fill in the db file for the rest of the hosts we need, i'll post my complete config just for reference: + + + root@Temple:/etc/bind# vim db.void.yt + root@Temple:/etc/bind# cat db.void.yt + $TTL 604800 + @ IN SOA ns1.void.yt. void.yt. ( + 7 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!! + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL + ; + ; name servers - NS records + 3600 IN NS ns1.void.yt. + 3600 IN NS ns2.void.yt. + + ; name servers - A records + ns1.void.yt. IN A 78.141.239.68 + ns2.void.yt. IN A 45.76.133.0 + + ; A records, public IPs + temple 3600 IN A 78.141.239.68 + mail 3600 IN A 45.76.133.0 + mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3 + ;void.yt + + + 3600 IN MX 10 mail.void.yt. + 3600 IN TXT "v=spf1 mx a:mail.void.yt -all" + _dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1" + + autoconfig 3600 IN CNAME void.yt. + autodiscover 3600 IN CNAME void.yt. + + asciinema 3600 IN CNAME void.yt. + blog 3600 IN CNAME void.yt. + chat 3600 IN CNAME void.yt. + cloud 3600 IN CNAME void.yt. + codimd 3600 IN CNAME void.yt. + cryptpad 3600 IN CNAME void.yt. + cyberchef 3600 IN CNAME void.yt. + ghostblog 3600 IN CNAME void.yt. + git 3600 IN CNAME void.yt. + gomez 3600 IN CNAME void.yt. + haste 3600 IN CNAME void.yt. + img 3600 IN CNAME void.yt. + irc 3600 IN CNAME void.yt. + jitsi 3600 IN CNAME void.yt. + kb 3600 IN CNAME void.yt. + kutt 3600 IN CNAME void.yt. + lady 3600 IN CNAME void.yt. + lain 3600 IN CNAME void.yt. + latex 3600 IN CNAME void.yt. + mind 3600 IN CNAME void.yt. + notes 3600 IN CNAME void.yt. + openproject 3600 IN CNAME void.yt. + pad 3600 IN CNAME void.yt. + privatebin 3600 IN CNAME void.yt. + pve 3600 IN CNAME void.yt. + routeur 3600 IN CNAME void.yt. + safe 3600 IN CNAME void.yt. + shells 3600 IN CNAME void.yt. + status 3600 IN CNAME void.yt. + sx 3600 IN CNAME void.yt. + test 3600 IN CNAME void.yt. + tube 3600 IN CNAME void.yt. + u 3600 IN CNAME void.yt. + www 3600 IN CNAME void.yt. + zabbix 3600 IN CNAME void.yt. + + root@Temple:/etc/bind# systemctl restart bind9 + root@Temple:/etc/bind# systemctl status bind9 + ● bind9.service - BIND Domain Name Server + Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-11-14 11:37:30 UTC; 2s ago + Docs: man:named(8) + Main PID: 18839 (named) + Tasks: 8 (limit: 4582) + Memory: 29.3M + CGroup: /system.slice/bind9.service + └─18839 /usr/sbin/named -f -u bind + + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53 + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:a8::e#53 + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:1::53#53 + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2::c#53 + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2f::f#53 + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53 + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:200::b#53 + Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:7fd::1#53 + Nov 14 11:37:30 Temple named[18839]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete) + Nov 14 11:37:30 Temple named[18839]: resolver priming query complete + + + +Now, let's setup our secondary DNS server, first let's update the primary DNS server's zones.rfc1918 file as follows: + + + root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918 + root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918 + zone "void.yt" IN { + type master; + file "/etc/bind/db.void.yt"; + allow-update { none; }; + + allow-transfer { 45.76.133.0; }; + also-notify { 45.76.133.0; }; + }; + + root@Temple:/etc/bind# systemctl restart bind9 + + + +In the allow-transfer and allow-notify parameters we put the public IP of our second DNS server. Next we restart bind9, and setup bind9 on the second server as a slave to our first server: + + + root@mail:~# apt install bind9 -y + root@mail:~# vim /etc/bind/named.conf.local + root@mail:~# cat /etc/bind/named.conf.local + // + // Do any local configuration here + // + + // Consider adding the 1918 zones here, if they are not used in your + // organization + include "/etc/bind/zones.rfc1918"; + + root@mail:~# vim /etc/bind/zones.rfc1918 + root@mail:~# cat /etc/bind/zones.rfc1918 + zone "void.yt" { + type slave; + file "/etc/bind/db.void.yt"; + masters {78.141.239.68;}; + }; + + root@mail:~# vim /etc/bind/db.void.yt + root@mail:~# cat /etc/bind/db.void.yt + $TTL 604800 + @ IN SOA ns2.void.yt void.yt. ( + 8 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!! + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL + ; + ; name servers - NS records + IN NS ns1.void.yt. + IN NS ns2.void.yt. + + ; name servers - A records + ns1.void.yt. IN A 78.141.239.68 + ns2.void.yt. IN A 45.76.133.0 + + ; A records, public IPs + temple 3600 IN A 78.141.239.68 + mail 3600 IN A 45.76.133.0 + mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3 + ;void.yt + + + 3600 IN MX 10 mail.void.yt. + 3600 IN TXT "v=spf1 mx a:mail.void.yt -all" + _dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1" + + autoconfig 3600 IN CNAME void.yt. + autodiscover 3600 IN CNAME void.yt. + + asciinema 3600 IN CNAME void.yt. + blog 3600 IN CNAME void.yt. + chat 3600 IN CNAME void.yt. + cloud 3600 IN CNAME void.yt. + codimd 3600 IN CNAME void.yt. + cryptpad 3600 IN CNAME void.yt. + cyberchef 3600 IN CNAME void.yt. + ghostblog 3600 IN CNAME void.yt. + git 3600 IN CNAME void.yt. + gomez 3600 IN CNAME void.yt. + haste 3600 IN CNAME void.yt. + img 3600 IN CNAME void.yt. + irc 3600 IN CNAME void.yt. + jitsi 3600 IN CNAME void.yt. + kb 3600 IN CNAME void.yt. + kutt 3600 IN CNAME void.yt. + lady 3600 IN CNAME void.yt. + lain 3600 IN CNAME void.yt. + latex 3600 IN CNAME void.yt. + mind 3600 IN CNAME void.yt. + notes 3600 IN CNAME void.yt. + openproject 3600 IN CNAME void.yt. + pad 3600 IN CNAME void.yt. + privatebin 3600 IN CNAME void.yt. + pve 3600 IN CNAME void.yt. + routeur 3600 IN CNAME void.yt. + safe 3600 IN CNAME void.yt. + shells 3600 IN CNAME void.yt. + status 3600 IN CNAME void.yt. + sx 3600 IN CNAME void.yt. + test 3600 IN CNAME void.yt. + tube 3600 IN CNAME void.yt. + u 3600 IN CNAME void.yt. + + www 3600 IN CNAME void.yt. + zabbix 3600 IN CNAME void.yt. + + + + + root@mail:/etc/bind# systemctl restart bind9 + + root@mail:/etc/bind# systemctl status bind9 + ● named.service - BIND Domain Name Server + Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-11-14 14:34:38 UTC; 1min 17s ago + Docs: man:named(8) + Main PID: 94005 (named) + Tasks: 5 (limit: 2340) + Memory: 17.8M + CPU: 46ms + CGroup: /system.slice/named.service + └─94005 /usr/sbin/named -f -u bind + + Nov 14 14:34:38 mail named[94005]: running + Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: Transfer started. + Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#53677 + Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transferred serial 9 + Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transfer: could not set file modification time of '/etc/bind/db.void.yt': permission denied + Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success + Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.001 secs (1118000 bytes/sec) (serial 9) + Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: sending notifies (serial 9) + Nov 14 14:34:38 mail named[94005]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete) + Nov 14 14:34:38 mail named[94005]: resolver priming query complete + + root@mail:/etc/bind# systemctl disable --now apparmor + root@mail:/etc/bind# chown bind:bind -R /etc/bind + + root@mail:/etc/bind# systemctl restart bind9 + root@mail:/etc/bind# systemctl status bind9 + ● named.service - BIND Domain Name Server + Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-11-14 14:39:17 UTC; 1s ago + Docs: man:named(8) + Main PID: 94210 (named) + Tasks: 4 (limit: 2340) + Memory: 14.1M + CPU: 29ms + CGroup: /system.slice/named.service + └─94210 /usr/sbin/named -f -u bind + + Nov 14 14:39:17 mail named[94210]: running + Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: Transfer started. + Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#51509 + Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: transferred serial 9 + Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success + Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.004 secs (279500 bytes/sec) (serial 9) + Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: sending notifies (serial 9) + Nov 14 14:39:17 mail named[94210]: dumping master file: /etc/bind/tmp-PF5Ud0HF2G: open: permission denied + Nov 14 14:39:17 mail named[94210]: resolver priming query complete + Nov 14 14:39:17 mail named[94210]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete) + + + +And from there let's check if the domain name resolution works: + + + [ 10.66.66.2/32 ] [ /dev/pts/115 ] [~] + → nslookup ns1.void.yt temple.void.yt + Server: temple.void.yt + Address: 78.141.239.68#53 + + Name: ns1.void.yt + Address: 78.141.239.68 + + + [ 10.66.66.2/32 ] [ /dev/pts/115 ] [~] + → nslookup ns2.void.yt temple.void.yt + Server: temple.void.yt + Address: 78.141.239.68#53 + + Name: ns2.void.yt + Address: 45.76.133.0 + + + [ 10.66.66.2/32 ] [ /dev/pts/115 ] [~] + → nslookup ns2.void.yt mail.void.yt + Server: mail.void.yt + Address: 45.76.133.0#53 + + Name: ns2.void.yt + Address: 45.76.133.0 + + + [ 10.66.66.2/32 ] [ /dev/pts/115 ] [~] + → nslookup ns1.void.yt mail.void.yt + Server: mail.void.yt + Address: 45.76.133.0#53 + + Name: ns1.void.yt + Address: 78.141.239.68 + + + +Everything looks good, we can resolve domain names on both the master and slave DNS servers + +## **Dynamic bind9 DNS setup** + +Now for my current setup, i need my void.yt domain name to resolve a public IP that often changes, therefore i need a dynamic bind9 DNS setup for the A record of my void.yt domain. It is possible to set it up with bind9, so let's do it: + + + oot@Temple:/etc/bind# apt install bind9utils + root@Temple:/etc/bind# which ddns-confgen + /usr/sbin/ddns-confgen + + + root@Temple:/etc/bind# ddns-confgen -s void.yt + # To activate this key, place the following in named.conf, and + # in a separate keyfile on the system or systems from which nsupdate + # will be run: + key "ddns-key.void.yt" { + algorithm hmac-sha256; + secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw="; + }; + + # Then, in the "zone" statement for the zone containing the + # name "void.yt", place an "update-policy" statement + # like this one, adjusted as needed for your preferred permissions: + update-policy { + grant ddns-key.void.yt name void.yt ANY; + }; + + # After the keyfile has been placed, the following command will + # execute nsupdate using this key: + nsupdate -k <****keyfile> + +Now that's done, we follow the instructions that the command just output for us, starting with named.conf.local edit: + + + root@Temple:/etc/bind# vim /etc/bind/named.conf.local + root@Temple:/etc/bind# cat /etc/bind/named.conf.local + // + // Do any local configuration here + // + + // Consider adding the 1918 zones here, if they are not used in your + // organization + include "/etc/bind/zones.rfc1918"; + key "ddns-key.void.yt" { + algorithm hmac-sha256; + secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw="; + }; + + + +Next, we setup the update-policy for our void.yt zone: + + + root@Temple:/etc/bind# vim zones.rfc1918 + root@Temple:/etc/bind# cat zones.rfc1918 + zone "void.yt" { + type master; + file "/etc/bind/db.void.yt"; + + allow-transfer { 45.76.133.0; }; + also-notify { 45.76.133.0; }; + + update-policy { + grant ddns-key.void.yt name void.yt ANY; + }; + }; + + root@Temple:/etc/bind# systemctl restart bind9 + + + +Now that's done, we're going to setup the dynamic DNS script on our client whose public IP is changing often: + + + root@home:~# which nsupdate + /usr/bin/nsupdate + + root@home:~# vim /etc/ddnssupdate.key + root@home:~# cat /etc/ddnssupdate.key + key "ddns-key.void.yt" { + algorithm hmac-sha256; + secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw="; + }; + + root@home:~# cd /var/www/void.yt/ + root@home:/var/www/void.yt# vim dyndns.sh + root@home:/var/www/void.yt# cat dyndns.sh + #!/bin/bash + + #MYIP=$(dig +short myip.opendns.com @resolver1.opendns.com) + MYIP=$(curl ifconfig.me) + + KEY=/etc/ddnsupdate.key + NS=ns1.void.yt + DOMAIN=void.yt. + ZONE=void.yt. + + nsupdate -k $KEY -v <****<****EOF + server $NS + zone $ZONE + update delete $DOMAIN A + update add $DOMAIN 30 A $MYIP + send + EOF + +Now let's test it: + + + root@home:/var/www/void.yt# chattr -i /etc/resolv.conf + root@home:/var/www/void.yt# vim /etc/resolv.conf + root@home:/var/www/void.yt# cat /etc/resolv.conf + #nameserver 1.1.1.1 + #nameserver 1.0.0.1 + nameserver 78.141.239.68 + nameserver 45.76.133.0 + root@home:/var/www/void.yt# chattr +i /etc/resolv.conf + + root@home:/var/www/void.yt# chmod +x dyndns.sh + root@home:/var/www/void.yt# ./dyndns.sh + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 14 100 14 0 0 89 0 --:--:-- --:--:-- --:--:-- 89 + update failed: SERVFAIL + + + +Now if you get this error, it probably means that the dns bind server does not have permissions to edit files in /etc/bind/, and rather has access to /var/lib/bind, so let's make those changes: + + + root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918 + root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918 + zone "void.yt" { + type master; + file "/var/lib/bind/db.void.yt"; + + allow-transfer { 45.76.133.0; }; + also-notify { 45.76.133.0; }; + + update-policy { + grant ddns-key.void.yt name void.yt ANY; + }; + }; + + root@Temple:/etc/bind# mv /etc/bind/db.void.yt /var/lib/bind/ + root@Temple:/etc/bind# systemctl restart bind9 + + + +Now that's done, let's also do it on the secondary dns: + + + root@mail:~# vim /etc/bind/zones.rfc1918 + root@mail:~# mv /etc/bind/db.void.yt /var/lib/bind/ + root@mail:~# mv /etc/bind/db._domainkey.void.yt /var/lib/bind/ + root@mail:~# systemctl restart bind9 + + + +Now that's done, let's test our dynamic dns script: + + + root@home:/var/www/void.yt# ./dyndns.sh + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 14 100 14 0 0 72 0 --:--:-- --:--:-- --:--:-- 72 + root@home:/var/www/void.yt# + + + +No error messages, so let's check if our script updated the the zone file as intended: + + + root@Temple:/etc/bind# cat /var/lib/bind/db.void.yt + $ORIGIN . + $TTL 604800 ; 1 week + void.yt IN SOA ns1.void.yt. void.yt. ( + 10 ; serial + 604800 ; refresh (1 week) + 86400 ; retry (1 day) + 2419200 ; expire (4 weeks) + 604800 ; minimum (1 week) + ) + $TTL 3600 ; 1 hour + NS ns1.void.yt. + NS ns2.void.yt. + **$TTL 30 ; 30 seconds + A 92.148.147.119** + $ORIGIN void.yt. + $TTL 3600 ; 1 hour + _dmarc TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1" + asciinema CNAME void.yt. + + [...] + + + +And it did! Now let's make sure our dynamic dns script runs every minute: + + + root@home:/var/www/void.yt# crontab -e + * * * * * "/var/www/void.yt/dyndns.sh" + + root@home:/var/www/void.yt# cronitor select + + ✔ "/var/www/void.yt/dyndns.sh" + ----► Running command: "/var/www/void.yt/dyndns.sh" + + [+] updating ns1.void.yt: + + ----► ✔ Command successful Elapsed time 0.353s + + + +Looks good! Now don't forget to edit the options file for your secondary dns server: + + + root@mail:~# vim /etc/bind/named.conf.options + root@mail:~# cat /etc/bind/named.conf.options + + options { + directory "/var/cache/bind"; + dnssec-validation auto; + + listen-on-v6 { any; }; + listen-on { any; }; + + allow-query { any; }; + + forwarders { + 1.1.1.1; + 1.0.0.1; + }; + }; + root@mail:~# systemctl restart bind9 + + + +And that's it! We managed to setup 2 DNS servers using bind9 with a master-slave configuration along with dynamic DNS. Now if you want your DNS servers to propagate, you will have to wait: + +![](1.png) + +You can check the status of the DNS propagation on [this](https://www.dnstester.net/) website: + +![](2.png) + +As you can see, none of the major DNS servers around the world are aware of my ns1.void.yt record, therefore i need to wait for my dns record to propagate (by setting the DNS server as the DNS servers for a particular domain, on a registrar): + +## **DNSSEC Setup** + +Once your dns records have propagated we can setup DNSSEC: + + + root@mail-gw:~# vim /etc/bind/named.conf.options + root@mail-gw:~# cat /etc/bind/named.conf.options + options { + directory "/var/cache/bind"; + + //dnssec-validation yes; + //dnssec-enable yes; + //dnssec-lookaside auto; //since debian 12 these are no longer needed + + listen-on-v6 { any; }; + listen-on { any; }; + allow-query { any; }; + forwarders { + 1.1.1.1; + 1.0.0.1; + }; + }; + + + +Then generate the DNS keys for your domain: + + + root@mail-gw:~# cd /var/cache/bind + root@mail-gw:/var/cache/bind# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE nowhere.moe + Generating key pair...................+++++ ..................................................................................................................+++++ + Knowhere.moe.+007+54398 + root@mail-gw:/var/cache/bind# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nowhere.moe + Generating key pair........................................................................++++ .....................++++ + Knowhere.moe.+007+44145 + + + +then create the zone file: + + + root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done + root@mail-gw:/var/cache/bind# cat nowhere.moe.zone + $INCLUDE Knowhere.moe.+007+44145.key + $INCLUDE Knowhere.moe.+007+54398.key + + + +Then sign the zone with the dnssec-signzone command: + + + root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done + root@mail-gw:/var/cache/bind# cat nowhere.moe.zone + $INCLUDE Knowhere.moe.+007+44145.key + $INCLUDE Knowhere.moe.+007+54398.key + root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t nowhere.moe.zone + + + dnssec-signzone: warning: Knowhere.moe.+007+44145.key:5: no TTL specified; zone rejected + dnssec-signzone: fatal: failed loading zone from 'nowhere.moe.zone': no ttl + + + +if you get the no ttl error like me, regen the keys with the TTL thanks to the -L flag: + + + + root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE nowhere.moe + Generating key pair.........................................+++++ .......+++++ + Knowhere.moe.+007+35034 + + root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nowhere.moe + Generating key pair......++++ ..................................................................................................................................................................++++ + Knowhere.moe.+007+23388 + + root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done + + root@mail-gw:/var/cache/bind# cat nowhere.moe.zone + + $INCLUDE Knowhere.moe.+007+23388.key + $INCLUDE Knowhere.moe.+007+35034.key + + root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe + dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600) + dnssec-signzone: fatal: No signing keys specified or found. + + root@mail-gw:/var/cache/bind# cat nowhere.moe.zone >> db.nowhere.moe + + + root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe + + dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600) + Verifying the zone using the following algorithms: + - NSEC3RSASHA1 + Zone fully signed: + Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked + ZSKs: 1 active, 0 stand-by, 0 revoked + db.nowhere.moe.signed + Signatures generated: 51 + Signatures retained: 0 + Signatures dropped: 0 + Signatures successfully verified: 0 + Signatures unsuccessfully verified: 0 + Signing time in seconds: 0.068 + Signatures per second: 750.000 + Runtime in seconds: 0.076 + + + +If it gives you further errors, debug it here https://dnsviz.net/d/nowhere.moe/dnssec/: + +Then we continue: + + + root@mail-gw:/var/cache/bind# vim /etc/bind/named.conf.local + root@mail-gw:/var/cache/bind# cat /etc/bind/named.conf.local + zone "nowhere.moe" { + type master; + file "db.nowhere.moe.signed"; + allow-update { none; }; + }; + + + +Then restart bind9: + + + root@mail-gw:/var/cache/bind# systemctl restart bind9 + root@mail-gw:/var/cache/bind# systemctl status bind9 + * named.service - BIND Domain Name Server + Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled) + Active: active (running) since Fri 2022-09-30 19:58:12 CEST; 3s ago + Docs: man:named(8) + Main PID: 42611 (named) + Tasks: 4 (limit: 507) + Memory: 7.8M + CPU: 19ms + CGroup: /system.slice/named.service + `-42611 /usr/sbin/named -f -u bind + + Sep 30 19:58:12 mail-gw named[42611]: zone 127.in-addr.arpa/IN: loaded serial 1 + Sep 30 19:58:12 mail-gw named[42611]: zone localhost/IN: loaded serial 2 + Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: sig-re-signing-interval less than 3 * refresh. + Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: loaded serial 18 (DNSSEC signed) + Sep 30 19:58:12 mail-gw named[42611]: all zones loaded + Sep 30 19:58:12 mail-gw named[42611]: running + Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: sending notifies (serial 18) + Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': IXFR version not in journal, falling back to AXFR + Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': AXFR-style IXFR started (serial 18) + Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': AXFR-style IXFR ended: 2 messages, 104 records, 19335 bytes, 0.001 secs (19335000 bytes/sec) (serial 18) + + +So from now on when you want to edit your zone, you will need to first edit the db file and then run the dnssign command: + + + root@mail-gw:/var/cache/bind# vim db.nowhere.moe + + root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe + + dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600) + Verifying the zone using the following algorithms: + - NSEC3RSASHA1 + Zone fully signed: + Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked + ZSKs: 1 active, 0 stand-by, 0 revoked + db.nowhere.moe.signed + Signatures generated: 53 + Signatures retained: 0 + Signatures dropped: 0 + Signatures successfully verified: 0 + Signatures unsuccessfully verified: 0 + Signing time in seconds: 0.068 + Signatures per second: 779.411 + Runtime in seconds: 0.080 + + root@mail-gw:/var/cache/bind# systemctl restart bind9 + + root@mail-gw:/var/cache/bind# systemctl status bind9 + * named.service - BIND Domain Name Server + Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled) + Active: active (running) since Sat 2022-10-01 10:37:34 CEST; 1s ago + Docs: man:named(8) + Main PID: 45909 (named) + Tasks: 4 (limit: 507) + Memory: 7.8M + CPU: 21ms + CGroup: /system.slice/named.service + `-45909 /usr/sbin/named -f -u bind + + + +Now when we test the dnssec to our bindserver we see the following: + + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → dig @23.137.250.140 stream.nowhere.moe. A +dnssec +multiline + + ; <<>> DiG 9.18.4-2-Debian <<>> @23.137.250.140 stream.nowhere.moe. A +dnssec +multiline + ; (1 server found) + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<****- opcode: QUERY, status: NOERROR, id: 52175 + ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 + + ;; OPT PSEUDOSECTION: + ; EDNS: version: 0, flags: do; udp: 1232 + ; COOKIE: bb834e65ec1896a601000000633c65914ff2b9c6c7b43b1d (good) + ;; QUESTION SECTION: + ;stream.nowhere.moe. IN A + + ;; ANSWER SECTION: + stream.nowhere.moe. 604800 IN CNAME web-gw.nowhere.moe. + stream.nowhere.moe. 604800 IN RRSIG CNAME 7 3 604800 ( + 20221103152726 20221004152726 35034 nowhere.moe. + qIu/a2pi8e52tLqNBmCbeFHGK3TkQLquJNcziCoCYlQY + qOOFiXisOz7sg05uWxvX04kKofQyuUb9X/+e20r28WUe + gAhS1LJWE9BfBHfq/iQBXX4yWLTTYMqyjDyW56RUX7Z9 + zJs46TJB983ggZ1VwAJOifDGvl4vYSld/XeFy0EQy62G + 3Etq9GZe+O5ZEKsuYA+9RGockq/TwwLn6ibZfst172xt + B/uKxmX+J3gcBzeGp1wwGd07UdlxaLyniQ41DSYmdTdD + jECbxVQRvMnC1MhD8nYsmhm/YroKXeQpMX7ugJD1ZomY + A7/ofGO6asXTGY2V3JxiITop0nKlfSlLbA== ) + web-gw.nowhere.moe. 604800 IN A 23.137.250.141 + web-gw.nowhere.moe. 604800 IN RRSIG A 7 3 604800 ( + 20221103152726 20221004152726 35034 nowhere.moe. + hlE0hXZiU9/LnSKghK3OKMxIbrrimFqF0HfHJubzQ50U + f9g3m9bZJeANu4iJHCmPR1TVJUp0qYxUTRb815kWGKIq + DHUNErDN+WhZoTBMT8jzdX8kntKFnd8+N/d/gjQ91Oxp + MOGf2V1fAu0wnvVZGzn6PGmQfb1vsZ3pskmTd5bz/A1g + nPoT3MXYWQol8x8h9bYdBwwz/cmbHbeZ2s8NIgFj/F46 + cciq3lIs6HDmmYzE50TQ5YApCyHDYSM7gu/u/O/4pxAP + 55Fo5qtkZQCMoRtcRJh+GG5X7W2onoi4zICAZXpD5L6z + IaBl++bwjDaSIOiAsV2j+gRGETtUQ4Ef4w== ) + + ;; Query time: 23 msec + ;; SERVER: 23.137.250.140#53(23.137.250.140) (UDP) + ;; WHEN: Tue Oct 04 18:56:01 CEST 2022 + ;; MSG SIZE rcvd: 725 + +for simplicity sake i have this script to automate the signing of the dns zone file, the checking of it and the restarting of the service in one script: + + + root@mail-gw:/var/cache/bind# cat restartdns.sh + + #!/bin/bash + + # check the zone for errors: + named-checkzone nowhere.moe db.nowhere.moe + + # sign it: + dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe + + #restart bind9 + systemctl restart bind9 + + #check bind9 status + systemctl status bind9 + + + +updated restartdns.sh script: (thanks to Notorious from notlean.net) + + + + 1) updated algorythms to avoid errors **https://dnsviz.net/d/nowhere.moe/dnssec/** + + dnssec-keygen -L 3600 -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net + dnssec-keygen -L 3600 -f KSK -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net + for key in `ls Knotlean.net*.key`; do echo "\$INCLUDE $key">> notlean.net.zone; done + cat notlean.net.zone >> forward.notlean.net.db + dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o notlean.net -t forward.notlean.net.db + rndc reload + systemctl status named + + + 2) cat restartdns.sh + + #!/bin/bash + + set -eu + + # Bnd Path + ZONE_PATH="/var/cache/bind/notorious" + + # Domain name + ZONE_NAME="notlean.net" + + # Bind zone file name + ZONE_FILE="forward.notlean.net.db" + + # Generate NSEC3 salt + NSEC3_SALT=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) + + # Go to zone path + pushd $ZONE_PATH + + # Verify zone and check for errors + echo "Chcking zone errors for $ZONE_NAME ..." + if ! named-checkzone $ZONE_NAME $ZONE_FILE; then + echo "Error during zonbe checking. Verify the file." + exit 1 + fi + + # Signing zone DNSSEC + echo "Signing zone file for $ZONE_NAME..." + dnssec-signzone -A -3 $NSEC3_SALT -N INCREMENT -o $ZONE_NAME -t $ZONE_FILE + + # Restart BIND9 + echo "Restart BIND9..." + rndc reload + + # Check bind status + echo "Vérification du statut de BIND9..." + systemctl status bind9 + + # Back to local dir + popd + + echo "Execution end" + + + diff --git a/endgame/0.png b/endgame/0.png new file mode 100644 index 0000000..cf42c6a Binary files /dev/null and b/endgame/0.png differ diff --git a/endgame/1.png b/endgame/1.png new file mode 100644 index 0000000..3ee4472 Binary files /dev/null and b/endgame/1.png differ diff --git a/endgame/10.png b/endgame/10.png new file mode 100644 index 0000000..a0e0f3d Binary files /dev/null and b/endgame/10.png differ diff --git a/endgame/11.png b/endgame/11.png new file mode 100644 index 0000000..d6e4d9c Binary files /dev/null and b/endgame/11.png differ diff --git a/endgame/12.png b/endgame/12.png new file mode 100644 index 0000000..9b448fc Binary files /dev/null and b/endgame/12.png differ diff --git a/endgame/13.png b/endgame/13.png new file mode 100644 index 0000000..c639e05 Binary files /dev/null and b/endgame/13.png differ diff --git a/endgame/14.png b/endgame/14.png new file mode 100644 index 0000000..9d5b2ba Binary files /dev/null and b/endgame/14.png differ diff --git a/endgame/15.png b/endgame/15.png new file mode 100644 index 0000000..4d03fec Binary files /dev/null and b/endgame/15.png differ diff --git a/endgame/16.png b/endgame/16.png new file mode 100644 index 0000000..658a7df Binary files /dev/null and b/endgame/16.png differ diff --git a/endgame/17.png b/endgame/17.png new file mode 100644 index 0000000..f03e51b Binary files /dev/null and b/endgame/17.png differ diff --git a/endgame/18.png b/endgame/18.png new file mode 100644 index 0000000..5030dc9 Binary files /dev/null and b/endgame/18.png differ diff --git a/endgame/19.png b/endgame/19.png new file mode 100644 index 0000000..4a53dd1 Binary files /dev/null and b/endgame/19.png differ diff --git a/endgame/2.png b/endgame/2.png new file mode 100644 index 0000000..65da433 Binary files /dev/null and b/endgame/2.png differ diff --git a/endgame/20.png b/endgame/20.png new file mode 100644 index 0000000..8114759 Binary files /dev/null and b/endgame/20.png differ diff --git a/endgame/21.png b/endgame/21.png new file mode 100644 index 0000000..a4d7ac6 Binary files /dev/null and b/endgame/21.png differ diff --git a/endgame/22.png b/endgame/22.png new file mode 100644 index 0000000..eede62e Binary files /dev/null and b/endgame/22.png differ diff --git a/endgame/23.png b/endgame/23.png new file mode 100644 index 0000000..ec20ddc Binary files /dev/null and b/endgame/23.png differ diff --git a/endgame/3.png b/endgame/3.png new file mode 100644 index 0000000..0294874 Binary files /dev/null and b/endgame/3.png differ diff --git a/endgame/4.png b/endgame/4.png new file mode 100644 index 0000000..99350d7 Binary files /dev/null and b/endgame/4.png differ diff --git a/endgame/5.png b/endgame/5.png new file mode 100644 index 0000000..dfb9b94 Binary files /dev/null and b/endgame/5.png differ diff --git a/endgame/6.png b/endgame/6.png new file mode 100644 index 0000000..6f61dd2 Binary files /dev/null and b/endgame/6.png differ diff --git a/endgame/7.png b/endgame/7.png new file mode 100644 index 0000000..1e2873f Binary files /dev/null and b/endgame/7.png differ diff --git a/endgame/8.png b/endgame/8.png new file mode 100644 index 0000000..f1991ce Binary files /dev/null and b/endgame/8.png differ diff --git a/endgame/9.png b/endgame/9.png new file mode 100644 index 0000000..67bddf3 Binary files /dev/null and b/endgame/9.png differ diff --git a/endgame/index.md b/endgame/index.md new file mode 100644 index 0000000..33081ed --- /dev/null +++ b/endgame/index.md @@ -0,0 +1,938 @@ +--- +author: nihilist +date: 2024-04-13 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/178" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# EndGame V3 Setup + +![](0.png) + +In this tutorial we're going to setup the EndGameV3 Anti DDOS / Load Balancer / WAF service popularized by Dread, it was originally built to block off the incessant [DDOS attacks](https://blog.torproject.org/tor-network-ddos-attack/) that onion services were facing. Because of that, EndGame was developed, along with the [Proof of Work (POW) Defense released by TorProject](https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/) for more details you can click [here](https://community.torproject.org/onion-services/ecosystem/technology/pow/). + + + Endgame should be on a separate server to your backend server. It only proxies content from your backend to the user. You will still need to configure your backend to handle requests from the Endgame Front. + + This is the same system that anti-DDOS services like Cloudflare, Indusface, and Imperva use to protect websites from attacks. The difference is this is self-hosted and fully controlled by you for your own needs and made for darknet networks. + + + +Now we'll first cover how to have a single Endgame V3 front, to redirect to 2 onion backends, but keep in mind that there is very high latency involved here. The ideal setup as we'll see later, is to have local redirection behind the Endgame front. And we'll also make use of the onionbalance technology to setup multiple Endgame fronts for the same Master Onion! + + + +## **Prerequisites** + +First of all you need at least 2 backend servers that are reachable via their .onion links. To set them up you can look at my tutorial [here](../torwebsite/index.md). + +In this example we'll use my 2 main websites' onion links: + + + http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/ + http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/ + + + +Obviously these are not the same service, but we'll pretend that they are. Now let's setup Endgame on a blank Debian 12 VM with internet access: + +## **1 Endgame Front, 2 Backend Servers** + +Let's first download the tar.gz file for endgamev3, and verify the sha256sum hash of the tar.gz file according to the original [post](http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/post/821adc377e813881ac74)'s recommendations. Here i downloaded it from the git mirror i host, but if you want the original URL you can get it from here: **http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/EndGameV3.tar.gz** + + + root@debian:~# wget https://git.nowhere.moe/nihilist/EndGameV3/raw/branch/main/EndGameV3.tar.gz + --2024-04-13 12:39:00-- https://git.nowhere.moe/nihilist/EndGameV3/raw/branch/main/EndGameV3.tar.gz + Resolving git.nowhere.moe (git.nowhere.moe)... 65.109.30.253 + Connecting to git.nowhere.moe (git.nowhere.moe)|65.109.30.253|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 35340090 (34M) [application/octet-stream] + Saving to: ‘EndGameV3.tar.gz’ + + EndGameV3.tar.gz 100%[===========================================================================================================================================>] 33.70M 4.22MB/s in 10s + + 2024-04-13 12:39:12 (3.27 MB/s) - ‘EndGameV3.tar.gz’ saved [35340090/35340090] + + root@debian:~# sha256sum EndGameV3.tar.gz + 89036a0ae8631aa1683bb370f357a4042b2e138eebeaea14bb35824f5d1f6bbb EndGameV3.tar.gz + + + +As of 13/04/2024, the SHA256 Hash of EndGameV3.tar.gz is 89036a0ae8631aa1683bb370f357a4042b2e138eebeaea14bb35824f5d1f6bbb. let's unpack it: + + + root@debian:~# neofetch + _,met$$$$$gg. root@debian + ,g$$$$$$$$$$$$$$$P. ----------- + ,g$$P" """Y$$.". OS: Debian GNU/Linux 12 (bookworm) x86_64 + ,$$P' `$$$. Host: KVM/QEMU (Standard PC (Q35 + ICH9, 2009) pc-q35-7.2) + ',$$P ,ggs. `$$b: Kernel: 6.1.0-13-amd64 + `d$$' ,$P"' . $$$ Uptime: 1 hour, 19 mins + $$P d$' , $$P Packages: 447 (dpkg) + $$: $$. - ,d$$' Shell: bash 5.2.15 + $$; Y$b._ _,d$P' Resolution: 1632x1684 + Y$$. `.`"Y$$$$P"' CPU: AMD Ryzen 7 5700X (2) @ 3.393GHz + `$$b "-.__ GPU: 00:01.0 Red Hat, Inc. Virtio 1.0 GPU + `Y$$ Memory: 140MiB / 1966MiB + `Y$$. + `$$b. + `Y$$b. + `"Y$b._ + `""" + + root@debian:~# mkdir endgame + + root@debian:~# mv EndGameV3.tar.gz endgame/ + + root@debian:~# cd endgame + + root@debian:~/endgame# tar -xzvf EndGameV3.tar.gz + + root@debian:~/endgame# ls -lash + total 34M + 4.0K drwxr-xr-x 8 root root 4.0K Apr 13 13:54 . + 4.0K drwx------ 5 root root 4.0K Apr 13 13:54 .. + 4.0K -rw-r--r-- 1 nihilist nihilist 178 Jul 11 2022 aptpreferences + 4.0K drwxr-xr-x 11 nihilist nihilist 4.0K Mar 18 18:50 dependencies + 8.0K -rw-r--r-- 1 nihilist nihilist 6.1K Apr 10 05:10 endgame.config + 34M -rw-r--r-- 1 root root 34M Apr 13 12:48 EndGameV3.tar.gz + 4.0K -rwxr-xr-x 1 nihilist nihilist 1.1K Sep 16 2023 getdependencies.sh + 12K -rw-r--r-- 1 nihilist nihilist 9.5K May 9 2023 i2pd.conf + 4.0K -rw-r--r-- 1 nihilist nihilist 145 Mar 30 2023 jail.local + 4.0K -rw-r--r-- 1 nihilist nihilist 2.0K Mar 30 2023 limits.conf + 4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Apr 9 17:45 lua + 4.0K -rw-r--r-- 1 nihilist nihilist 357 Nov 8 01:35 mentions.txt + 8.0K -rw-r--r-- 1 nihilist nihilist 5.9K Jun 29 2022 naxsi_core.rules + 4.0K -rw-r--r-- 1 nihilist nihilist 209 Jun 12 2023 naxsi_whitelist.rules + 4.0K -rw-r--r-- 1 nihilist nihilist 2.0K Jul 18 2023 nginx.conf + 4.0K -rwxr-xr-x 1 nihilist nihilist 1.3K May 9 2023 nginx-update.sh + 12K -rw-r--r-- 1 nihilist nihilist 11K Apr 10 04:00 README.md + 4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Jun 1 2023 repokeys + 4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Sep 7 2023 resty + 72K -rw-r--r-- 1 nihilist nihilist 71K Apr 10 05:53 resty.tgz + 16K -rwxr-xr-x 1 nihilist nihilist 13K Apr 11 23:36 setup.sh + 12K -rw-r--r-- 1 nihilist nihilist 12K Apr 10 04:50 site.conf + 4.0K drwxr-xr-x 4 nihilist nihilist 4.0K May 6 2023 sourcecode + 4.0K -rwxr-xr-x 1 nihilist nihilist 464 May 25 2023 startup.sh + 4.0K -rw-r--r-- 1 nihilist nihilist 1.5K May 17 2023 sysctl.conf + 4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Apr 10 05:32 tor-patch + 4.0K -rw-rw-rw- 1 nihilist nihilist 1.8K Apr 10 04:50 torrc + 4.0K -rw-r--r-- 1 nihilist nihilist 157 Mar 29 2023 torrc2 + 4.0K -rw-r--r-- 1 nihilist nihilist 157 Mar 29 2023 torrc3 + 4.0K -rw-r--r-- 1 nihilist nihilist 179 May 5 2023 tunnels.conf + + + +From there we can follow the steps as detailed in the [README.md](https://git.nowhere.moe/nihilist/EndGameV3/src/branch/main/README.md) + +**Go to sourcecode/gobalance and build gobalance with go. Read the README.md about how to compile and generate the gobalance configuration. With that configuration you will be able to see your MASTERONION url. The starting before .key is your master onion address. You will use that as your MASTERONION in the EndGame.config ending it with '.onion'.** + + + root@debian:~/endgame# cd sourcecode/gobalance/ + root@debian:~/endgame/sourcecode/gobalance# ls + go.mod go.sum main.go pkg README.md torrc vendor + root@debian:~/endgame/sourcecode/gobalance# cat README.md + + [...] + + # Compiling + + - `go get -u` - updates all dependencies + - `go mod vendor` - stores the updates in the vendor folder + - `go build -o gobalance main.go` - builds the gobalance application + + # Generate Configuration + + - `./gobalance g` + + or simply use your python onionbalance one! Drop in replacement support (no multisite)! + + # Running + After you have configured your gobalance, you will need a tor process on your localhost. There is a provided torrc file. Run it with Tor like this: + + - `tor -f torrc` + + After that run gobalance + + - `./gobalance` + + If you need to run these in the background (in the event your server connection dies or drops) you can use `nohup` or a detached terminal session. + I, /u/Paris, recommend just running it locally with geo redundancy to not need to worry about server crashes or compromises. Onion key safety is your absolute priority. When it's compromised your operation is done. + + + +So as advised, let's compile gobalance using go: + + + root@debian:~/endgame/sourcecode/gobalance# apt update -y ; apt install golang -y + + root@debian:~/endgame/sourcecode/gobalance# go get -u + go: downloading github.com/sirupsen/logrus v1.9.3 + go: downloading github.com/urfave/cli/v2 v2.27.1 + go: downloading golang.org/x/crypto v0.17.0 + go: downloading golang.org/x/crypto v0.22.0 + go: downloading github.com/urfave/cli v1.22.14 + go: downloading gopkg.in/yaml.v3 v3.0.1 + go: downloading golang.org/x/sys v0.15.0 + go: downloading golang.org/x/sys v0.19.0 + go: downloading maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066 + go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.3 + go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.4 + go: downloading github.com/cpuguy83/go-md2man v1.0.10 + go: downloading github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e + go: downloading github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 + go: downloading github.com/russross/blackfriday/v2 v2.1.0 + go: downloading github.com/russross/blackfriday v1.6.0 + go: upgraded github.com/cpuguy83/go-md2man/v2 v2.0.3 => v2.0.4 + go: upgraded github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e => v0.0.0-20240312152122-5f08fbb34913 + go: upgraded golang.org/x/crypto v0.17.0 => v0.22.0 + go: upgraded golang.org/x/sys v0.15.0 => v0.19.0 + + root@debian:~/endgame/sourcecode/gobalance# go mod vendor + go: downloading github.com/stretchr/testify v1.8.0 + go: downloading github.com/pmezard/go-difflib v1.0.0 + go: downloading github.com/davecgh/go-spew v1.1.1 + root@debian:~/endgame/sourcecode/gobalance# go build -o gobalance main.go + + root@debian:~/endgame/sourcecode/gobalance# ./gobalance g + root@debian:~/endgame/sourcecode/gobalance# ls + config.yaml uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.key gobalance go.mod go.sum main.go pkg README.md torrc vendor + + root@debian:~/endgame/sourcecode/gobalance# cat torrc + RunAsDaemon 0 + ControlPort 9051 + DataDirectory torfiles + + + +So in this case our MASTERONION url is **uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.onion** Next step is to edit the endgame.config file: + + + + root@debian:~/endgame/sourcecode/gobalance# cd ../.. + root@debian:~/endgame# vim endgame.config + + + +To edit the file we follow the setup process from the README: + + + Open up and **edit the endgame.config** , you will need to change your **TORAUTHPASSWORD. Change it to a random alphanumeric password of your choice**. This is just used for authentication on nginx's layer to send circuit kill commands. + You have two options for how EndGame sends the traffic to your backend. You can **have it direct it to an onion address, or you can have it locally proxy to a server on the same network.** + + Tor Proxy: You will need to set both of the **BACKENDONION variables to your main onion service you want protected**. This means your origin application server needs to have tor running with its own onion service address. You put that onion address on the BACKENDONION(1/2). If you have multiple backends (highly recommended) you can put different backend addresses to have load balancing and fallover. It's easy to add in even more by customizing endgame for your needs. + Local Proxy: Change LOCALPROXY to true and edit the PROXYPASSURL to the specific IP or hostname of your backend location. It will default to connect on port 80 via http but you can edit line 320 of the site.conf to change that to your specific needs. + + Enable I2PSETUP and/or TORSETUP by setting them to true. You can also enable TORINTRODEFENSE and TORPOWDEFENSE to provide more protection against introduction attacks on the Tor network. + Edit KEY and SALT to a secure cookie value. PROTECT THESE VALUES. If they get leaked, an attacker could generate EndGame cookies and hurt your EndGame protection. + + **KEY: is your encryption key used for encryption. It should be to be between 68 and 128 random alphanumeric characters. + SALT: is your salt for the encryption key. It must be exactly 8 alphanumeric characters.** + + Branding is important. EndGame makes it easy to use your own branding on it. By default, it will use dread's branding, but you should change it. + + **HEXCOLOR and HEXCOLORDARK** are for the specific colors used on the pages. Set **HEXCOLOR to your main site color and HEXCOLORDARK to just a slightly darker version of it.** + **SITENAME, SITETAGLINE, SITESINCE is all information about your site. Self-explanatory.** + **FAVICON is used as your site's favicon in base64.** This limits the amount of requests a browser may do when first loading the queue page. Make sure this value is set to something. Otherwise people's connections will get cut off from the queue when their browser makes a request to the favicon.ico. + **SQUARELOGO** is used as the icon for the queue running man and the main splash logo on the captcha page. In base64 format. + **NETWORKLOGO** is used as a bottom network icon for on the captcha page which allows different sites a part of the same organization to be shown. In base64 format. + + After you are done EndGame's configuration, you should archive everything except the sourcecode folder. Transfer the archive to a blank debian 12 system. As root, extract the archive and run setup.sh like './setup.sh'. At the end of the setup, it will export an onion address (and i2p if set but don't add that to gobalance) which you can provide to users or add to your gobalance configuration. + + + +Let's first generate our KEY (max 128chars) and SALT (8 chars): + + + [ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog] + → sudo apt install pwgen -y + + [ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog] + → pwgen 8 1 + OotoNg0s + + [ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog] + → pwgen 127 1 + Ex6meeghah2Voo4iezeequieFoChieyoch2kuish8ubopheikux2hedu5ahng5Iwooquii3tuowi6quie1leeTaeN5ugh0Dooch1naexaetoya9hoh2Fohlu5oP5ohm + + + +So we have the following config: + + + + root@debian:~/endgame# cat endgame.config + #This area + + #OPTIONS! + MASTERONION="uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.onion" + TORAUTHPASSWORD="MYCOMPLEXPASSWORDTOREPLACE!!!" + BACKENDONION1="daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion" + BACKENDONION2="nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion" + + #set to true if you want to setup local proxy instead of proxy over Tor + LOCALPROXY=false + PROXYPASSURL="10.10.10.0" + + #Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems. + LATESTKERNEL=true + + #reboot after completion. Highly recommended to get the new kernel active. + REBOOT=true + + #set to true if you want i2pd installed and setup + I2PSETUP=false + + #set to true if you want tor installed and setup + TORSETUP=true + + #enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts. + TORINTRODEFENSE=false + + #enable Tor POW introduction defense. This should be enabled! + TORPOWDEFENSE=true + + #enable Tor minimum work patch. This builds a new tor binary locally. + TORMINWORK=true + + #Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars. + KEY="Ex6meeghah2Voo4iezeequieFoChieyoch2kuish8ubopheikux2hedu5ahng5Iwooquii3tuowi6quie1leeTaeN5ugh0Dooch1naexaetoya9hoh2Fohlu5oP5ohm" + SALT="OotoNg0s" + #session length is in seconds. Default is 12 hours. + SESSION_LENGTH=43200 + + #Rate Limits! + #Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective! + #Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!) + #Keep the stream limit 1 to 2 higher than your request limit! + REQUESTRATELIMIT=8 + STREAMRATELIMIT=10 + + #CSS Branding + + HEXCOLOR="9b59b6" + HEXCOLORDARK="713C86" + SITENAME="Nihilism" + SITETAGLINE="Until there is nothing left." + SITESINCE="2024" + FAVICON="data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABMLAAATCwAAAAAAAAAAAACtRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+qPor/pzaG/6k7if+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+sQo3/uV6e/8iBs/+9aaT/sEyT/8V7r//Feq//sEqS/6xDjf+tRI7/rUSO/61Ejv+tRI7/rUSO/65Fj/+vR5D/rEGM/+fI3v///////fv8/+/a6f/+/f7/+vT4/7Zam/+rP4v/rkWP/61Ejv+tRI7/rUSO/61Fjv+sQYz/qTqI/6g4h//hudX/5sXc/+7Z6P////////7///ft9P+2WZr/q0CL/61Fj/+tRI7/rUSO/61Fj/+rQIv/uFyd/82Ou//Njrv/uWGf/6g6iP+uR5D/5sbc///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qDqI/9aix///////69Hj/61Ejv+vSJD/qTqI/8BvqP//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rkaP/6k8if/fttP//////9ekyP+oOIf/sEuS/6tAi/+7ZKH//vv9//nw9v+2WJr/qz+L/61Fj/+tRI7/rUSO/65Gj/+oOoj/1qHG///////pzeH/qj6K/6o8if+lMoP/0pjB///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qj2K/7xmo//8+Pv//////+G61f+8ZqP/zpC8//v2+v//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rUSO/65Gj/+pPIn/zo+7//79/v///////////////////v////////jw9v+2WZr/qz+L/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUWP/6o9iv/Ab6j/37bT/+vR4//kwdr/16XI//36/P/58ff/tlma/6s/i/+tRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+uRo//qj2K/6o9if+tRY7/qDmH/7VYmv/9+fv/+fH3/7ZYmv+rP4v/rUWP/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+uRo//rkaP/6s/i/+6Y6H//Pf6//ju9f+1WJr/q0CL/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+qPor/umOh//79/v/69Pj/tlqb/6s/i/+uRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rEKN/7FNk//GfLD/xHmu/7BKkv+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" + SQUARELOGO="data:image/webp;base64,UklGRkwCAABXRUJQVlA4WAoAAAAQAAAATwAATwAAQUxQSC8AAAABH6CobRuIP9xev3ajERHxDWAqkg1PshdNnqeZJBfAR0T/J2ADngp0E/PbifAGPABWUDgg9gEAAFAMAJ0BKlAAUAA+bS6URiQioiEuGikggA2JQBoZQmgR/d8Cdib6gNsB5gPNy04Dej0a2NXoYw8XMJObQmvWHz52jkOgFebAO+W2C3pjVzORG7gs9ssx8qnjo3F96nSITr1LFsVBFyXhL7ywAP7cUf/iHNu+tvSh+rohhPqZvzMSRXtv7e8U/Dh5LwZIJHvcIx9GmDQsAejcJZBn+c5L63sC8fmQQAde+N776pYSR99TxW58l33OS2vwEbv0MLQQeKEkfOYxulikHr7tl/6ZwLnjENpEv6OnhDWVW53x32zxICdEDZ9TnGenzgbr1pGHJwZ3LX7o1h0RQkYVBag7IsYd+buU+m5wgCohMPbEwS+Vi02J7tVFAvUPVW5VfdjGFbzTfD5g/+nMoacT15PcUWxFNYCacgap7Zh5g0OaAa1rGJBuVbsFrGbbp5C85U3y+OuVTJcUt2wPNQJPA4lpjOyM5wGGRUxrjwy/+cOaOkfLlYc2ImOJLSmchU0u727olq8AMLRMZc/queUbr0E5ec/vKzZb9Z00D8dh5Hk6XNob6WDIFIusbW9UiKlnDFOz6ewFp4sONEBGGtI3gWG86cC+hmvHDzYlWupLMc2pRS9aO6FRiFAPmQXiJyK+lCZPtevTMxcUM4a6g3otDsiMGAOMbvIgAAA=" + NETWORKLOGO="data:image/webp;base64,UklGRpgFAABXRUJQVlA4WAoAAAAQAAAANgAAOwAAQUxQSCMFAAABoLBt2zE3HtddZhone8SubSt2bdu27a7rNqjtJlnvJqljJ7Xbqd1o0Ps4dt7v+6aTiIDgRpIiybnMu3cFb4DxaXs0+0hbmD4tbpO81cLkXLNJklmuptaLYnqa2kKJRaZVddJ9iQeTqppQRAKZK8glEyJMpdZeDdM6zhTM7phC7b66plB5/S1qFzqbFb5KYcqrQjOnOaW880P1bzYmi4xpDERz2VROWcoYoOFuMmfyt2n7z01m+KmAEP1d1TAON7urDwXMulyjLrmr8Vy2FjNjpB0AVTIXYCEXYj6v2QCwHaxmaZSnIisLAHaT1fz8swMAYBLzLLCcy2GRol0GALDf9ImvZtgDsLQSOUyJO9XHKaCAxfHNIMT9EfsBy7gMaDw5GGIaxxXzRqBTnzMJ0xwBuCaT1KVqXv8RDoh2MwrAAs4DKqlUlrbWlQEAYb+/0qTqSF5yQ41fKeRdf1SxEVI1sPRjHQvLauv4PTDq/Mlj5481h6WDjU0V9HlHIdvN/Z6KHsecSExKTExMunj4Lj+f/+vvcw+oDkY0STIM268lJiWdjH4kUgf0/kwxn3QUoiNZQjFzsfYryddtkCd8pE8Ufenrniyxwa1FSGhoWEDoQy4NCA4N9jvAs07YaPDGHx36h4a0cNsgcdkTAeI9VG9tAAAYW3IFQmZyGiTEF2ywVc23giAAkWkk74/N5ftYb6BJCTuI1nO9lOHjece+Y/bY+yRTIwEAAfr8ON0UxwU63p2NGEZD1HpRa2CD5MRs1V1yieMUfUK+PgCC+l8TPDOL66JuDHUF5QW1IZvVeoNOOETuq4d6xdk+CV/rS5oj0zGDF1RQtbtEFnkA3/XaGBMbtSsqemsmDdriwa0OKqjiOAvpbCFVaFOjgGMArODnXVXNRt4o+0pJJJ7FABjLAnPrAjkFLhjFO45o9FrbCxa7SVJBB2RqGsPpLsfAOV9BlctchyiuRvVYGsEPUYzCel6ppgxdy9UztU+8MY+C4luFahnBaPBaM1ut6QojYBvJGaj9WnCif22PTqufSgQBc0jugFFsiphcAxtpsBRC2tyRUSmRN62N9g/MrxschCQdiuXZwNgrjys3fEXySyNIc0xqLsntgFEPefHjf/AlyWvmMiZqZB4y65mmK4x6oQ0WIxBicNZSRv8vci+0zqgXGsW7jlAh3CBBzrBiuX8zxzsc/T/Ff+qxAOBfRvKOs4xVOvGf+mkMgDGSf2r5EopXwcbf1vsBSU6TUqVQdF8ooQuciXS2kC/Y+qhzhEOwPuPs6SvbbCWWayhXsPVRtzjLK15asIH6/Dj9NMf5WhaGQojNTz2rAnBfpiUV20N8nqQ9dE8n+XB8Dt/H+kBkls+dU8YuEopcvhnljnsgbUYh8q1PKl6u8pRan9jXA+B1Rb7RhgxuJfhdwWs/xUab7N73i1JbjwMAVbqCD10U2/rnXoFq0aNoYYhcX25QbXc55eOrOESe+FpsF73tK4wsRwsAgEXbrn6+XX39/f39fH0jQ2wUR9YvKrhdIqlL0bz+IwyS1J7YBEpRGpBJLgAcpyWc7uMYWMDiuKaiRq9e9gVG5Y8CeuSeMVcaxyfjJjsYO/yrzmGeBdZwDSxyuLqydPi/nGYPwMIKSnHbUcwXwqphJq4aizCfl8wlq0bJLncYnfb/aoxebLRJnU25Ri1hNNBwF5kzsaKWtgpaEStoITXp+vugQtZfAIsqZtkGelbUau+aJch0hanT4ibJG81h+rQ5kn2kDYwGAFZQOCBOAAAA0AQAnQEqNwA8AD5tLJJFpCKhmAQAQAbEtIAASD/dKxnoTlaUzRT/Q9kkRNlNuAAA/TH//9wDj/sFX/91UzfhNf+E8DE//4h3B/k1wAAA" + + + +SIDENOTES FROM /u/Paris : + + + If you are using the TORMINWORK=true setting generally you don't need gobalance at all. You can just have a single front handle the load. Gobalance can't handle POW at this time as there are tor control systems to really handle it at this time. When arti is finished with POW onionbalance will be finished in rust. We are waiting for that. Should be within the year. + + If you are running endgame and onionbalance on the same server are you doing it wrong. Onionbalance is designed to combine multiple fronts into a single descriptor for load balancing. One address with multiple fronts holding it up. If you only have a single server just run endgame and pass the ending address to others. No onionbalance needed at all. + + If you want to have a custom address created use a tool like mkp224o and generate a custom one. You can then transfer the custom one over to your front (replacing the /etc/tor/hidden_service files with the generated one). Then go into /etc/nginx/sites-enabled/site.conf and change out the onion address to your new one. After that reboot and your new custom address should be live on your front. + + + +Now from here you can run the setup.sh file. However just in case if you messed up at any point up until now, i recommend you take a VM snapshot to revert to in case if something goes wrong. + +![](1.png) + +Snapshot taken, now let's run setup.sh: + + + root@debian:~/endgame# ./setup.sh + Welcome To The End Game DDOS Prevention Setup... + Proceeding to do the configuration and setup. This will take awhile. + The system will reboot after finishing setup! + Generating Master Key... should only take a second... + Done. MASTER_KEY = 1DWWADWAAWAWDWDAWAAWWAWAD3121556778652 + + [...] + + #let it run and reboot + + [..] + + + User sessions running outdated binaries: + nihilist @ session #1: bash[527], login[466], su[537] + nihilist @ session #3: bash[669], sshd[661,668], su[672] + nihilist @ user manager service: systemd[520] + + No VM guests are running outdated hypervisor (qemu) binaries on this host. + **EndGame Setup Script Finished! + TOR Hostname: + gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion + The address it to your gobalance config.yaml file! + This system will now reboot in 10 seconds!** + + root@debian:~/endgame# Connection to 10.99.99.216 closed by remote host. + Connection to 10.99.99.216 closed. + + + +VM rebooted, so reconnect there: + + + root@debian:~/endgame# Connection to 10.99.99.216 closed by remote host. + Connection to 10.99.99.216 closed. + + [ LAN-Home ] [ /dev/pts/4 ] [~] + → ssh nihilist@10.99.99.216 + nihilist@10.99.99.216's password: + Linux debian 6.7.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.7.9-2 (2024-03-13) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + You have mail. + Last login: Sat Apr 13 12:38:34 2024 from 10.99.99.101 + nihilist@debian:~$ su - + Password: + + root@debian:~# systemctl status endgame + ● endgame.service - Endgame Startup Script Service + Loaded: loaded (/etc/systemd/system/endgame.service; enabled; preset: enabled) + Active: active (running) since Sat 2024-04-13 15:27:20 CEST; 1min 39s ago + Process: 501 ExecStart=/startup.sh (code=exited, status=0/SUCCESS) + Tasks: 8 (limit: 2323) + Memory: 183.0M + CPU: 1.245s + CGroup: /system.slice/endgame.service + ├─521 tor -f /etc/tor/torrc2 + ├─524 tor -f /etc/tor/torrc3 + ├─525 socat UNIX-LISTEN:/run/tor_pass1.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:80,socksport=9060 + └─526 socat UNIX-LISTEN:/run/tor_pass2.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion:80,socksport=9070 + + Apr 13 15:27:20 debian startup.sh[513]: Apr 13 15:27:20.586 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/ + Apr 13 15:27:20 debian startup.sh[513]: Apr 13 15:27:20.594 [notice] Read configuration file "/etc/tor/torrc2". + Apr 13 15:27:20 debian startup.sh[521]: Apr 13 15:27:20.596 [notice] Opening Socks listener on 127.0.0.1:9060 + Apr 13 15:27:20 debian startup.sh[521]: Apr 13 15:27:20.596 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9060 + Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Tor 0.4.8.11 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc. + Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/ + Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Read configuration file "/etc/tor/torrc3". + Apr 13 15:27:20 debian startup.sh[524]: Apr 13 15:27:20.615 [notice] Opening Socks listener on 127.0.0.1:9070 + Apr 13 15:27:20 debian startup.sh[524]: Apr 13 15:27:20.615 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9070 + Apr 13 15:27:20 debian systemd[1]: Started endgame.service - Endgame Startup Script Service. + + + +And here you can see that the endgame systemd service launched successfully, but as hinted above, we need to edit the **gobalance config.yaml** file: + + + root@debian:~# vim endgame/sourcecode/gobalance/config.yaml + root@debian:~# cat endgame/sourcecode/gobalance/config.yaml + services: + - key: uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.key + instances: + - address: gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion + + root@debian:~/endgame# systemctl restart endgame + root@debian:~/endgame# systemctl status endgame + ● endgame.service - Endgame Startup Script Service + Loaded: loaded (/etc/systemd/system/endgame.service; enabled; preset: enabled) + Active: active (running) since Sat 2024-04-13 15:32:26 CEST; 5s ago + Process: 1002 ExecStart=/startup.sh (code=exited, status=0/SUCCESS) + Tasks: 8 (limit: 2323) + Memory: 74.3M + CPU: 867ms + CGroup: /system.slice/endgame.service + ├─1006 tor -f /etc/tor/torrc2 + ├─1009 tor -f /etc/tor/torrc3 + ├─1010 socat UNIX-LISTEN:/run/tor_pass1.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:80,socksport=9060 + └─1011 socat UNIX-LISTEN:/run/tor_pass2.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion:80,socksport=9070 + + Apr 13 15:32:26 debian startup.sh[1004]: Apr 13 15:32:26.730 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/ + Apr 13 15:32:26 debian startup.sh[1004]: Apr 13 15:32:26.730 [notice] Read configuration file "/etc/tor/torrc2". + Apr 13 15:32:26 debian startup.sh[1006]: Apr 13 15:32:26.731 [notice] Opening Socks listener on 127.0.0.1:9060 + Apr 13 15:32:26 debian startup.sh[1006]: Apr 13 15:32:26.732 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9060 + Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Tor 0.4.8.11 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc. + Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/ + Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Read configuration file "/etc/tor/torrc3". + Apr 13 15:32:26 debian startup.sh[1009]: Apr 13 15:32:26.742 [notice] Opening Socks listener on 127.0.0.1:9070 + Apr 13 15:32:26 debian startup.sh[1009]: Apr 13 15:32:26.742 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9070 + Apr 13 15:32:26 debian systemd[1]: Started endgame.service - Endgame Startup Script Service. + + + +Now before we continue, keep in mind that we will access the backend servers using the URL **http://gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion/** , so we need to make sure that the nginx server there has that URL aliased: + + + [ Belladona ] [ /dev/pts/18 ] [/srv/Binternet] + → cat /etc/nginx/sites-available/nowhere.moe.conf + server { + listen 80; + listen [::]:80; + server_name nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + ######## TOR CHANGES ######## + listen 4445; + listen [::]:4445; + **server_name nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion;** + add_header Onion-Location "http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/onion.html" always; + ######## TOR CHANGES ######## + + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name nowhere.moe; + [...] + + } + + #do the same on the other backend server! + + + +Then after restarting the endgame service we check if it works as intended by accessing the main onion at the following URL **http://gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion/** : + +![](3.png) + +Here as you can see we're placed into a queue before being redirected to the captcha: + +![](2.png) + +Then we fill in the captcha before getting redirected to one of the backend servers: + +![](4.png) + +And that's it ! We have been redirected to one of the backend servers as intended. We can redo the whole process again by picking a new Identity in the tor browser to see if it redirects us to the other backend server as intended: + +![](5.png) + +Now you can scale your hidden service operations over multiple backend servers, while still protecting against DDOS attacks. + +## **2 Endgame Fronts, 2 Backend Servers** + +**Problem 1: Latency** + +Now there are 2 issues with that setup. First there are performance issues due to latency as in this current setup we have to go through Tor twice to get to the backend server, that's not ideal at all. + +![](6.png) **Problem 2: Not big enough!** + +Second issue, why is there [onionbalance](https://blog.torproject.org/cooking-onions-finding-onionbalance/) in the mix and only one endgame frontend ?! As detailed in the article, onionbalance allows us to introduce high availability over a single onion service (like DNS Load balancing): + + + Onionbalance is software designed and written by Donncha O'Cearbhaill as part of Tor's Summer of Privacy 2015. It allows onion service operators to achieve the property of high availability by allowing multiple machines to handle requests for a single onion service. You can think of it as the onion service equivalent of load balancing using round-robin DNS. + + + +The true goal here is to have multiple **Endgame fronts** spread across multiple servers, **under the same Master Onion Link!** So for this second part of the tutorial we have this following setup: + +![](7.png) + +So here we'll have 3 local backend servers for the same service, and we're going to have 2 Endgame servers, which will be under the same master subnet. + +Let's first setup our 3 local backend servers, this time they will be 3 instances of the same service: + + + root@backend1:~# apt install nginx vim -y + + root@backend1:~# vim /var/www/html/index.nginx-debian.html + root@backend1:~# cat /var/www/html/index.nginx-debian.html + Welcome to our Nihilist's service! + + We are currently on backend server 1 ! + + + +We clone that VM to the 2 other backend servers: + +![](8.png) + +We edit the web page of the 2 backend servers to know on which backend server we land, and we have the following: + + + [ LAN-Home ] [ /dev/pts/3 ] [~] + → curl 10.99.99.216 + Welcome to our Nihilist's service! + + We are currently on backend server 1 ! + + [ LAN-Home ] [ /dev/pts/3 ] [~] + → curl 10.99.99.219 + Welcome to our Nihilist's service! + + We are currently on backend server 2 ! + + + +Our backend servers are now be reachable locally at the local IPs **10.99.99.216, and 10.99.99.219 on port 80** + +![](11.png) ![](12.png) + +Now let's setup our 2 Endgame Fronts servers on 2 other VMs, this will be a repeat of what we went through above for our previous endgame setup: + +![](13.png) + +So as advised, here we need to configure endgame once, and then archive everything except the sourcecode + + + After you are done EndGame's configuration, you should archive everything except the sourcecode folder. Transfer the archive to a blank debian 12 system. As root, extract the archive and run setup.sh like './setup.sh'. At the end of the setup, it will export an onion address (and i2p if set but don't add that to gobalance) which you can provide to users or add to your gobalance configuration. + + + +So on our Endgame front 1, we configure gobalance to generate the .key file: (not on Endgame front 2!) + + + root@endgame1:~/endgame/sourcecode/gobalance# go get -u ; go mod vendor ; go build -o gobalance main.go ; ./gobalance g + go: downloading github.com/sirupsen/logrus v1.9.3 + go: downloading github.com/urfave/cli/v2 v2.27.1 + go: downloading golang.org/x/crypto v0.17.0 + go: downloading golang.org/x/crypto v0.22.0 + go: downloading github.com/urfave/cli v1.22.14 + go: downloading gopkg.in/yaml.v3 v3.0.1 + go: downloading golang.org/x/sys v0.15.0 + go: downloading golang.org/x/sys v0.19.0 + go: downloading maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066 + go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.3 + go: downloading github.com/cpuguy83/go-md2man v1.0.10 + go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.4 + go: downloading github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e + go: downloading github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 + go: downloading github.com/russross/blackfriday/v2 v2.1.0 + go: downloading github.com/russross/blackfriday v1.6.0 + go: upgraded github.com/cpuguy83/go-md2man/v2 v2.0.3 => v2.0.4 + go: upgraded github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e => v0.0.0-20240312152122-5f08fbb34913 + go: upgraded golang.org/x/crypto v0.17.0 => v0.22.0 + go: upgraded golang.org/x/sys v0.15.0 => v0.19.0 + go: downloading github.com/stretchr/testify v1.8.0 + go: downloading github.com/pmezard/go-difflib v1.0.0 + go: downloading github.com/davecgh/go-spew v1.1.1 + root@endgame1:~/endgame/sourcecode/gobalance# ls + config.yaml gobalance go.sum pkg torrc + ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key go.mod main.go README.md vendor + + + +Here again i recommend making a snapshot of both VMs before continuing. Next we configure engame.config on the endgame front 1: + + + root@endgame1:~/endgame# vim endgame.config + root@endgame1:~/endgame# cat endgame.config + #This area + + #OPTIONS! + **MASTERONION="ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion"** + TORAUTHPASSWORD="CHANGETHISPASSWORD!!!!" + BACKENDONION1="" + BACKENDONION2="" + + #set to true if you want to setup local proxy instead of proxy over Tor + **LOCALPROXY=true + PROXYPASSURL="10.99.99.216"** + + #Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems. + LATESTKERNEL=true + + #reboot after completion. Highly recommended to get the new kernel active. + REBOOT=true + + #set to true if you want i2pd installed and setup + I2PSETUP=false + + #set to true if you want tor installed and setup + TORSETUP=true + + #enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts. + TORINTRODEFENSE=false + + **#enable Tor POW introduction defense. This should be enabled! + TORPOWDEFENSE=false** + + **#enable Tor minimum work patch. This builds a new tor binary locally. + TORMINWORK=false** + + #Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars. + KEY="thoh1me2aemoonuo1eiNgaejahbeep5oe9eiZ3aezee5igae9faiv9sailoo1laath9vu7aeteeCh4ShaeVeidooy3see7Goong6gei3eePh6Ba5Leepee7zawooch3" + SALT="agieLae8" + #session length is in seconds. Default is 12 hours. + SESSION_LENGTH=43200 + + #Rate Limits! + #Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective! + #Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!) + #Keep the stream limit 1 to 2 higher than your request limit! + REQUESTRATELIMIT=8 + STREAMRATELIMIT=10 + + #CSS Branding + + HEXCOLOR="9b59b6" + HEXCOLORDARK="713C86" + SITENAME="Nihilism" + SITETAGLINE="Until there is nothing left." + SITESINCE="2024" + FAVICON="data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABMLAAATCwAAAAAAAAAAAACtRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+qPor/pzaG/6k7if+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+sQo3/uV6e/8iBs/+9aaT/sEyT/8V7r//Feq//sEqS/6xDjf+tRI7/rUSO/61Ejv+tRI7/rUSO/65Fj/+vR5D/rEGM/+fI3v///////fv8/+/a6f/+/f7/+vT4/7Zam/+rP4v/rkWP/61Ejv+tRI7/rUSO/61Fjv+sQYz/qTqI/6g4h//hudX/5sXc/+7Z6P////////7///ft9P+2WZr/q0CL/61Fj/+tRI7/rUSO/61Fj/+rQIv/uFyd/82Ou//Njrv/uWGf/6g6iP+uR5D/5sbc///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qDqI/9aix///////69Hj/61Ejv+vSJD/qTqI/8BvqP//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rkaP/6k8if/fttP//////9ekyP+oOIf/sEuS/6tAi/+7ZKH//vv9//nw9v+2WJr/qz+L/61Fj/+tRI7/rUSO/65Gj/+oOoj/1qHG///////pzeH/qj6K/6o8if+lMoP/0pjB///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qj2K/7xmo//8+Pv//////+G61f+8ZqP/zpC8//v2+v//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rUSO/65Gj/+pPIn/zo+7//79/v///////////////////v////////jw9v+2WZr/qz+L/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUWP/6o9iv/Ab6j/37bT/+vR4//kwdr/16XI//36/P/58ff/tlma/6s/i/+tRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+uRo//qj2K/6o9if+tRY7/qDmH/7VYmv/9+fv/+fH3/7ZYmv+rP4v/rUWP/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+uRo//rkaP/6s/i/+6Y6H//Pf6//ju9f+1WJr/q0CL/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+qPor/umOh//79/v/69Pj/tlqb/6s/i/+uRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rEKN/7FNk//GfLD/xHmu/7BKkv+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" + SQUARELOGO="data:image/webp;base64,UklGRkwCAABXRUJQVlA4WAoAAAAQAAAATwAATwAAQUxQSC8AAAABH6CobRuIP9xev3ajERHxDWAqkg1PshdNnqeZJBfAR0T/J2ADngp0E/PbifAGPABWUDgg9gEAAFAMAJ0BKlAAUAA+bS6URiQioiEuGikggA2JQBoZQmgR/d8Cdib6gNsB5gPNy04Dej0a2NXoYw8XMJObQmvWHz52jkOgFebAO+W2C3pjVzORG7gs9ssx8qnjo3F96nSITr1LFsVBFyXhL7ywAP7cUf/iHNu+tvSh+rohhPqZvzMSRXtv7e8U/Dh5LwZIJHvcIx9GmDQsAejcJZBn+c5L63sC8fmQQAde+N776pYSR99TxW58l33OS2vwEbv0MLQQeKEkfOYxulikHr7tl/6ZwLnjENpEv6OnhDWVW53x32zxICdEDZ9TnGenzgbr1pGHJwZ3LX7o1h0RQkYVBag7IsYd+buU+m5wgCohMPbEwS+Vi02J7tVFAvUPVW5VfdjGFbzTfD5g/+nMoacT15PcUWxFNYCacgap7Zh5g0OaAa1rGJBuVbsFrGbbp5C85U3y+OuVTJcUt2wPNQJPA4lpjOyM5wGGRUxrjwy/+cOaOkfLlYc2ImOJLSmchU0u727olq8AMLRMZc/queUbr0E5ec/vKzZb9Z00D8dh5Hk6XNob6WDIFIusbW9UiKlnDFOz6ewFp4sONEBGGtI3gWG86cC+hmvHDzYlWupLMc2pRS9aO6FRiFAPmQXiJyK+lCZPtevTMxcUM4a6g3otDsiMGAOMbvIgAAA=" + NETWORKLOGO="data:image/webp;base64,UklGRpgFAABXRUJQVlA4WAoAAAAQAAAANgAAOwAAQUxQSCMFAAABoLBt2zE3HtddZhone8SubSt2bdu27a7rNqjtJlnvJqljJ7Xbqd1o0Ps4dt7v+6aTiIDgRpIiybnMu3cFb4DxaXs0+0hbmD4tbpO81cLkXLNJklmuptaLYnqa2kKJRaZVddJ9iQeTqppQRAKZK8glEyJMpdZeDdM6zhTM7phC7b66plB5/S1qFzqbFb5KYcqrQjOnOaW880P1bzYmi4xpDERz2VROWcoYoOFuMmfyt2n7z01m+KmAEP1d1TAON7urDwXMulyjLrmr8Vy2FjNjpB0AVTIXYCEXYj6v2QCwHaxmaZSnIisLAHaT1fz8swMAYBLzLLCcy2GRol0GALDf9ImvZtgDsLQSOUyJO9XHKaCAxfHNIMT9EfsBy7gMaDw5GGIaxxXzRqBTnzMJ0xwBuCaT1KVqXv8RDoh2MwrAAs4DKqlUlrbWlQEAYb+/0qTqSF5yQ41fKeRdf1SxEVI1sPRjHQvLauv4PTDq/Mlj5481h6WDjU0V9HlHIdvN/Z6KHsecSExKTExMunj4Lj+f/+vvcw+oDkY0STIM268lJiWdjH4kUgf0/kwxn3QUoiNZQjFzsfYryddtkCd8pE8Ufenrniyxwa1FSGhoWEDoQy4NCA4N9jvAs07YaPDGHx36h4a0cNsgcdkTAeI9VG9tAAAYW3IFQmZyGiTEF2ywVc23giAAkWkk74/N5ftYb6BJCTuI1nO9lOHjece+Y/bY+yRTIwEAAfr8ON0UxwU63p2NGEZD1HpRa2CD5MRs1V1yieMUfUK+PgCC+l8TPDOL66JuDHUF5QW1IZvVeoNOOETuq4d6xdk+CV/rS5oj0zGDF1RQtbtEFnkA3/XaGBMbtSsqemsmDdriwa0OKqjiOAvpbCFVaFOjgGMArODnXVXNRt4o+0pJJJ7FABjLAnPrAjkFLhjFO45o9FrbCxa7SVJBB2RqGsPpLsfAOV9BlctchyiuRvVYGsEPUYzCel6ppgxdy9UztU+8MY+C4luFahnBaPBaM1ut6QojYBvJGaj9WnCif22PTqufSgQBc0jugFFsiphcAxtpsBRC2tyRUSmRN62N9g/MrxschCQdiuXZwNgrjys3fEXySyNIc0xqLsntgFEPefHjf/AlyWvmMiZqZB4y65mmK4x6oQ0WIxBicNZSRv8vci+0zqgXGsW7jlAh3CBBzrBiuX8zxzsc/T/Ff+qxAOBfRvKOs4xVOvGf+mkMgDGSf2r5EopXwcbf1vsBSU6TUqVQdF8ooQuciXS2kC/Y+qhzhEOwPuPs6SvbbCWWayhXsPVRtzjLK15asIH6/Dj9NMf5WhaGQojNTz2rAnBfpiUV20N8nqQ9dE8n+XB8Dt/H+kBkls+dU8YuEopcvhnljnsgbUYh8q1PKl6u8pRan9jXA+B1Rb7RhgxuJfhdwWs/xUab7N73i1JbjwMAVbqCD10U2/rnXoFq0aNoYYhcX25QbXc55eOrOESe+FpsF73tK4wsRwsAgEXbrn6+XX39/f39fH0jQ2wUR9YvKrhdIqlL0bz+IwyS1J7YBEpRGpBJLgAcpyWc7uMYWMDiuKaiRq9e9gVG5Y8CeuSeMVcaxyfjJjsYO/yrzmGeBdZwDSxyuLqydPi/nGYPwMIKSnHbUcwXwqphJq4aizCfl8wlq0bJLncYnfb/aoxebLRJnU25Ri1hNNBwF5kzsaKWtgpaEStoITXp+vugQtZfAIsqZtkGelbUau+aJch0hanT4ibJG81h+rQ5kn2kDYwGAFZQOCBOAAAA0AQAnQEqNwA8AD5tLJJFpCKhmAQAQAbEtIAASD/dKxnoTlaUzRT/Q9kkRNlNuAAA/TH//9wDj/sFX/91UzfhNf+E8DE//4h3B/k1wAAA" + + + +Here notice that we set both TORPOWDEFENSE and TORMINWORK to false, this is due to not being supported by gobalance as gobalance does not handle POW and won't combine the descriptors correclty. We also left the BACKENDONIONs to empty strings, and instead changed the LOCALPROXY to true, with the PROXYPASSURL set to one of our local backend servers 10.99.99.216. as advised in the README: + + + Local Proxy: Change LOCALPROXY to true and edit the PROXYPASSURL to the specific IP or hostname of your backend location. It will default to connect on port 80 via http but you can edit line 320 of the site.conf to change that to your specific needs. + + + +Then here, we need to archive the entire endgame folder, and extract it to our endgame2 front before running setup.sh: + + + root@endgame1:~/endgame# cd .. + root@endgame1:~# tar -czvf EndgameV3-nihilism.tar.gz endgame >/dev/null + root@endgame1:~# ls + endgame EndgameV3-nihilism.tar.gz go + + + +Now that the archive is created, let's transfer it to endgame2 and extract it: + + + [term1] + root@endgame1:~# ip a | grep inet ; python3 -m http.server 9090 + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host noprefixroute + inet 10.99.99.221/24 brd 10.99.99.255 scope global dynamic enp1s0 + inet6 fe80::5054:ff:fe00:3bfa/64 scope link + Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... + + [term2] + root@endgame2:~/# wget http://10.99.99.221:9090/EndgameV3-nihilism.tar.gz + --2024-04-14 13:42:20-- http://10.99.99.221:9090/EndgameV3-nihilism.tar.gz + Connecting to 10.99.99.221:9090... connected. + HTTP request sent, awaiting response... 200 OK + Length: 75225067 (72M) [application/gzip] + Saving to: ‘EndgameV3-nihilism.tar.gz’ + + EndgameV3-nihilism.tar.gz 100%[====================================>] 71.74M --.-KB/s in 0.09s + + 2024-04-14 13:42:20 (784 MB/s) - ‘EndgameV3-nihilism.tar.gz’ saved [75225067/75225067] + root@endgame2:~# tar -xzvf EndgameV3-nihilism.tar.gz >/dev/null + root@endgame2:~# ls + endgame EndgameV3-nihilism.tar.gz + root@endgame2:~# ls endgame + aptpreferences i2pd.conf naxsi_core.rules repokeys sourcecode torrc2 + dependencies jail.local naxsi_whitelist.rules resty startup.sh torrc3 + endgame.config limits.conf nginx.conf resty.tgz sysctl.conf tunnels.conf + EndGameV3.tar.gz lua nginx-update.sh setup.sh tor-patch + getdependencies.sh mentions.txt README.md site.conf torrc + + + +Now back to our endgame front 1: we run setup.sh: + + + root@endgame1:~/endgame# ./setup.sh + Welcome To The End Game DDOS Prevention Setup... + Proceeding to do the configuration and setup. This will take awhile. + The system will reboot after finishing setup! + + + +Let it run and take note of the endgame front instance TOR hostname as displayed at the end, which will be our first endgame instance's .onion link: + + + EndGame Setup Script Finished! + TOR Hostname: + **xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion** + The address it to your gobalance config.yaml file! + This system will now reboot in 10 seconds! + root@endgame1:~/endgame# Connection to 10.99.99.221 closed by remote host. + Connection to 10.99.99.221 closed. + + [ LAN-Home ] [ /dev/pts/6 ] [~] + → ssh nihilist@10.99.99.221 + nihilist@10.99.99.221's password: + Linux endgame1 6.7.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.7.9-2 (2024-03-13) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + You have new mail. + Last login: Sun Apr 14 14:09:56 2024 from 10.99.99.101 + nihilist@endgame1:~$ su - + Password: + root@endgame1:~# + + root@endgame1:~/endgame/sourcecode/gobalance# vim config.yaml + root@endgame1:~/endgame/sourcecode/gobalance# cat config.yaml + services: + - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key + instances: + - address: **xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion** + + root@endgame1:~/endgame/sourcecode/gobalance# reboot now + + + +Now on the Endgame front 2 VM, edit the endgame.config file to make sure that i redirects to the second backend server: + + + root@endgame2:~# cat endgame/endgame.config + #This area + + #OPTIONS! + **MASTERONION="ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion"** + TORAUTHPASSWORD="CHANGETHISPASSWORD!!!!" + BACKENDONION1="" + BACKENDONION2="" + + #set to true if you want to setup local proxy instead of proxy over Tor + **LOCALPROXY=true + PROXYPASSURL="10.99.99.219"** + + #Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems. + LATESTKERNEL=true + + #reboot after completion. Highly recommended to get the new kernel active. + REBOOT=true + + #set to true if you want i2pd installed and setup + I2PSETUP=false + + #set to true if you want tor installed and setup + TORSETUP=true + + #enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts. + TORINTRODEFENSE=false + + **#enable Tor POW introduction defense. This should be enabled! + TORPOWDEFENSE=false** + + **#enable Tor minimum work patch. This builds a new tor binary locally. + TORMINWORK=false** + + #Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars. + KEY="thoh1me2aemoonuo1eiNgaejahbeep5oe9eiZ3aezee5igae9faiv9sailoo1laath9vu7aeteeCh4ShaeVeidooy3see7Goong6gei3eePh6Ba5Leepee7zawooch3" + SALT="agieLae8" + #session length is in seconds. Default is 12 hours. + SESSION_LENGTH=43200 + + #Rate Limits! + #Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective! + #Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!) + #Keep the stream limit 1 to 2 higher than your request limit! + REQUESTRATELIMIT=8 + STREAMRATELIMIT=10 + + #CSS Branding + + HEXCOLOR="9b59b6" + HEXCOLORDARK="713C86" + SITENAME="Nihilism" + SITETAGLINE="Until there is nothing left." + SITESINCE="2024" + FAVICON="data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABMLAAATCwAAAAAAAAAAAACtRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+qPor/pzaG/6k7if+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+sQo3/uV6e/8iBs/+9aaT/sEyT/8V7r//Feq//sEqS/6xDjf+tRI7/rUSO/61Ejv+tRI7/rUSO/65Fj/+vR5D/rEGM/+fI3v///////fv8/+/a6f/+/f7/+vT4/7Zam/+rP4v/rkWP/61Ejv+tRI7/rUSO/61Fjv+sQYz/qTqI/6g4h//hudX/5sXc/+7Z6P////////7///ft9P+2WZr/q0CL/61Fj/+tRI7/rUSO/61Fj/+rQIv/uFyd/82Ou//Njrv/uWGf/6g6iP+uR5D/5sbc///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qDqI/9aix///////69Hj/61Ejv+vSJD/qTqI/8BvqP//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rkaP/6k8if/fttP//////9ekyP+oOIf/sEuS/6tAi/+7ZKH//vv9//nw9v+2WJr/qz+L/61Fj/+tRI7/rUSO/65Gj/+oOoj/1qHG///////pzeH/qj6K/6o8if+lMoP/0pjB///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qj2K/7xmo//8+Pv//////+G61f+8ZqP/zpC8//v2+v//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rUSO/65Gj/+pPIn/zo+7//79/v///////////////////v////////jw9v+2WZr/qz+L/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUWP/6o9iv/Ab6j/37bT/+vR4//kwdr/16XI//36/P/58ff/tlma/6s/i/+tRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+uRo//qj2K/6o9if+tRY7/qDmH/7VYmv/9+fv/+fH3/7ZYmv+rP4v/rUWP/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+uRo//rkaP/6s/i/+6Y6H//Pf6//ju9f+1WJr/q0CL/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+qPor/umOh//79/v/69Pj/tlqb/6s/i/+uRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rEKN/7FNk//GfLD/xHmu/7BKkv+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" + SQUARELOGO="data:image/webp;base64,UklGRkwCAABXRUJQVlA4WAoAAAAQAAAATwAATwAAQUxQSC8AAAABH6CobRuIP9xev3ajERHxDWAqkg1PshdNnqeZJBfAR0T/J2ADngp0E/PbifAGPABWUDgg9gEAAFAMAJ0BKlAAUAA+bS6URiQioiEuGikggA2JQBoZQmgR/d8Cdib6gNsB5gPNy04Dej0a2NXoYw8XMJObQmvWHz52jkOgFebAO+W2C3pjVzORG7gs9ssx8qnjo3F96nSITr1LFsVBFyXhL7ywAP7cUf/iHNu+tvSh+rohhPqZvzMSRXtv7e8U/Dh5LwZIJHvcIx9GmDQsAejcJZBn+c5L63sC8fmQQAde+N776pYSR99TxW58l33OS2vwEbv0MLQQeKEkfOYxulikHr7tl/6ZwLnjENpEv6OnhDWVW53x32zxICdEDZ9TnGenzgbr1pGHJwZ3LX7o1h0RQkYVBag7IsYd+buU+m5wgCohMPbEwS+Vi02J7tVFAvUPVW5VfdjGFbzTfD5g/+nMoacT15PcUWxFNYCacgap7Zh5g0OaAa1rGJBuVbsFrGbbp5C85U3y+OuVTJcUt2wPNQJPA4lpjOyM5wGGRUxrjwy/+cOaOkfLlYc2ImOJLSmchU0u727olq8AMLRMZc/queUbr0E5ec/vKzZb9Z00D8dh5Hk6XNob6WDIFIusbW9UiKlnDFOz6ewFp4sONEBGGtI3gWG86cC+hmvHDzYlWupLMc2pRS9aO6FRiFAPmQXiJyK+lCZPtevTMxcUM4a6g3otDsiMGAOMbvIgAAA=" + NETWORKLOGO="data:image/webp;base64,UklGRpgFAABXRUJQVlA4WAoAAAAQAAAANgAAOwAAQUxQSCMFAAABoLBt2zE3HtddZhone8SubSt2bdu27a7rNqjtJlnvJqljJ7Xbqd1o0Ps4dt7v+6aTiIDgRpIiybnMu3cFb4DxaXs0+0hbmD4tbpO81cLkXLNJklmuptaLYnqa2kKJRaZVddJ9iQeTqppQRAKZK8glEyJMpdZeDdM6zhTM7phC7b66plB5/S1qFzqbFb5KYcqrQjOnOaW880P1bzYmi4xpDERz2VROWcoYoOFuMmfyt2n7z01m+KmAEP1d1TAON7urDwXMulyjLrmr8Vy2FjNjpB0AVTIXYCEXYj6v2QCwHaxmaZSnIisLAHaT1fz8swMAYBLzLLCcy2GRol0GALDf9ImvZtgDsLQSOUyJO9XHKaCAxfHNIMT9EfsBy7gMaDw5GGIaxxXzRqBTnzMJ0xwBuCaT1KVqXv8RDoh2MwrAAs4DKqlUlrbWlQEAYb+/0qTqSF5yQ41fKeRdf1SxEVI1sPRjHQvLauv4PTDq/Mlj5481h6WDjU0V9HlHIdvN/Z6KHsecSExKTExMunj4Lj+f/+vvcw+oDkY0STIM268lJiWdjH4kUgf0/kwxn3QUoiNZQjFzsfYryddtkCd8pE8Ufenrniyxwa1FSGhoWEDoQy4NCA4N9jvAs07YaPDGHx36h4a0cNsgcdkTAeI9VG9tAAAYW3IFQmZyGiTEF2ywVc23giAAkWkk74/N5ftYb6BJCTuI1nO9lOHjece+Y/bY+yRTIwEAAfr8ON0UxwU63p2NGEZD1HpRa2CD5MRs1V1yieMUfUK+PgCC+l8TPDOL66JuDHUF5QW1IZvVeoNOOETuq4d6xdk+CV/rS5oj0zGDF1RQtbtEFnkA3/XaGBMbtSsqemsmDdriwa0OKqjiOAvpbCFVaFOjgGMArODnXVXNRt4o+0pJJJ7FABjLAnPrAjkFLhjFO45o9FrbCxa7SVJBB2RqGsPpLsfAOV9BlctchyiuRvVYGsEPUYzCel6ppgxdy9UztU+8MY+C4luFahnBaPBaM1ut6QojYBvJGaj9WnCif22PTqufSgQBc0jugFFsiphcAxtpsBRC2tyRUSmRN62N9g/MrxschCQdiuXZwNgrjys3fEXySyNIc0xqLsntgFEPefHjf/AlyWvmMiZqZB4y65mmK4x6oQ0WIxBicNZSRv8vci+0zqgXGsW7jlAh3CBBzrBiuX8zxzsc/T/Ff+qxAOBfRvKOs4xVOvGf+mkMgDGSf2r5EopXwcbf1vsBSU6TUqVQdF8ooQuciXS2kC/Y+qhzhEOwPuPs6SvbbCWWayhXsPVRtzjLK15asIH6/Dj9NMf5WhaGQojNTz2rAnBfpiUV20N8nqQ9dE8n+XB8Dt/H+kBkls+dU8YuEopcvhnljnsgbUYh8q1PKl6u8pRan9jXA+B1Rb7RhgxuJfhdwWs/xUab7N73i1JbjwMAVbqCD10U2/rnXoFq0aNoYYhcX25QbXc55eOrOESe+FpsF73tK4wsRwsAgEXbrn6+XX39/f39fH0jQ2wUR9YvKrhdIqlL0bz+IwyS1J7YBEpRGpBJLgAcpyWc7uMYWMDiuKaiRq9e9gVG5Y8CeuSeMVcaxyfjJjsYO/yrzmGeBdZwDSxyuLqydPi/nGYPwMIKSnHbUcwXwqphJq4aizCfl8wlq0bJLncYnfb/aoxebLRJnU25Ri1hNNBwF5kzsaKWtgpaEStoITXp+vugQtZfAIsqZtkGelbUau+aJch0hanT4ibJG81h+rQ5kn2kDYwGAFZQOCBOAAAA0AQAnQEqNwA8AD5tLJJFpCKhmAQAQAbEtIAASD/dKxnoTlaUzRT/Q9kkRNlNuAAA/TH//9wDj/sFX/91UzfhNf+E8DE//4h3B/k1wAAA" + + +Once that's done, we run setup.sh on the Endgame front 2 VM, here also let it run and take note of the endgame front instance TOR hostname as displayed at the end: + + + root@endgame2:~/endgame# ./setup.sh + Welcome To The End Game DDOS Prevention Setup... + Proceeding to do the configuration and setup. This will take awhile. + The system will reboot after finishing setup! + + [...] + + EndGame Setup Script Finished! + TOR Hostname: + **e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion** + The address it to your gobalance config.yaml file! + This system will now reboot in 10 seconds! + + + + +So here we're going to mention the 2 endgame onion hostnames in the gobalance config file of both endgame fronts 1 and 2: + + + [term1] + root@endgame1:~/endgame# vim sourcecode/gobalance/config.yaml + root@endgame1:~/endgame# cat sourcecode/gobalance/config.yaml + services: + - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key + instances: + - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion + - address: e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion + + + +Then we test if both endgame fronts work starting with front 1 on the URL http://xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion : + +![](23.png) + +and we test the other one on the URL http://e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion : + +![](22.png) + +And lastly we enable gobalance to make sure that the masteronion can redirect to either of the 2 after editing the config.yaml file: + + + root@endgame1:~/endgame/sourcecode/gobalance# cat config.yaml + services: + - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key + instances: + - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion + - address: e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion + + root@endgame1:~/endgame/sourcecode/gobalance# ./gobalance --torPassword 'CHANGETHISPASSWORD!!!!' -c config.yaml + WARN[2024-04-14 19:26:24] Initializing gobalance (version: 1.0.0)... + INFO[2024-04-14 19:26:24] Loaded the config file '/root/endgame/sourcecode/gobalance/config.yaml'. + WARN[2024-04-14 19:26:24] Loaded onion ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion from /root/endgame/sourcecode/gobalance/ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key + WARN[2024-04-14 19:26:24] Loaded instance xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd + WARN[2024-04-14 19:26:24] Loaded instance e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad + WARN[2024-04-14 19:26:24] OnionBalance initialized (tor version: 0.4.8.11-dev (git-caa2ddaa8dc1f4f3))! + WARN[2024-04-14 19:26:24] ================================================================================ + INFO[2024-04-14 19:26:24] [ADAPTIVE] Waiting for 2 instance descriptors. + INFO[2024-04-14 19:26:24] [*] FetchInstanceDescriptors() called [*] + INFO[2024-04-14 19:26:24] Initiating fetch of descriptors for all service instances. + INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $5FAE28CF4D1C520341EE104BF72516F4308B9485~nuker + INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $778DCB9DB6CDD5FF2F1A85571308B492D6DFF962~TorHet + INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $B72663DDF48F7047003DE6E3927936994DA44152~Unnamed + INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $7AC2E7E67ADAC32F6F46AF607896637BBB455D64~mysocratesnote + INFO[2024-04-14 20:02:23] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $484F666C491BCDE22B45E0E19D1CEA5ACC5A9611~WinstonSmith + INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $3CA0D15567024D2E0B557DC0CF3E962B37999A79~QuintexAirVPN30 + INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $846B3EAAF0C07FF72FC79AEBB11FA3ADC58F240F~dc6jgk5b + INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $455469D1C610E43498ECF88E83E29C0A694EF73B~whyza1 + INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $65379EED488599B0A1512E80D4743BC9125CB306~BlueMold + INFO[2024-04-14 20:02:25] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $C111AC86B3719F0A2FB6254725CB5A7A62C9B451~LauchYT + INFO[2024-04-14 20:02:25] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $235396838BB8FC7AFA529042B19615DF9E2AF218~soP49mzpYUFEwVdiFN3 + INFO[2024-04-14 20:02:26] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $4ADB08AFCF04657E0A0288AA230EEB74A96B1CEE~Lemminkainen + INFO[2024-04-14 20:02:27] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $961B9D86125A08FAA9F7E742B228307EF7E2E082~TorNodeCzech + INFO[2024-04-14 20:02:28] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $FBDE535D810756541B31C452C6694876C96A7FC1~BSDnodeAMS + + + +And now we test if the masteronion **http://ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion/** is reachable: + +![](18.png) ![](19.png) + +Here we see that we were on the endgame front 1 instance, which redirected us to the backend server 1: + +![](20.png) + +Then we check if it still works after shutting down the endgame front 1: + + + root@endgame1:~# shutdown now + + + +As you can see it still works: + +![](18.png) ![](19.png) + +And as you can see here we're being redirected to the backend server 2 as intended: + +![](21.png) + diff --git a/failovers/0.png b/failovers/0.png new file mode 100644 index 0000000..90909c2 Binary files /dev/null and b/failovers/0.png differ diff --git a/failovers/1.png b/failovers/1.png new file mode 100644 index 0000000..fa3a06f Binary files /dev/null and b/failovers/1.png differ diff --git a/failovers/10.png b/failovers/10.png new file mode 100644 index 0000000..529a4c8 Binary files /dev/null and b/failovers/10.png differ diff --git a/failovers/11.png b/failovers/11.png new file mode 100644 index 0000000..6a17ab3 Binary files /dev/null and b/failovers/11.png differ diff --git a/failovers/2.png b/failovers/2.png new file mode 100644 index 0000000..ef6c9de Binary files /dev/null and b/failovers/2.png differ diff --git a/failovers/3.png b/failovers/3.png new file mode 100644 index 0000000..f4fe462 Binary files /dev/null and b/failovers/3.png differ diff --git a/failovers/4.png b/failovers/4.png new file mode 100644 index 0000000..0eb2c3f Binary files /dev/null and b/failovers/4.png differ diff --git a/failovers/5.png b/failovers/5.png new file mode 100644 index 0000000..01ce02e Binary files /dev/null and b/failovers/5.png differ diff --git a/failovers/6.png b/failovers/6.png new file mode 100644 index 0000000..01ce02e Binary files /dev/null and b/failovers/6.png differ diff --git a/failovers/7.png b/failovers/7.png new file mode 100644 index 0000000..66e9c64 Binary files /dev/null and b/failovers/7.png differ diff --git a/failovers/8.png b/failovers/8.png new file mode 100644 index 0000000..4c04951 Binary files /dev/null and b/failovers/8.png differ diff --git a/failovers/9.png b/failovers/9.png new file mode 100644 index 0000000..469e7c2 Binary files /dev/null and b/failovers/9.png differ diff --git a/failovers/index.md b/failovers/index.md new file mode 100644 index 0000000..d7f63ce --- /dev/null +++ b/failovers/index.md @@ -0,0 +1,279 @@ +--- +author: nihilist +date: 2024-04-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/274" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Electrical Failover (basic UPS setup) + +**Threat Model:** + +What if an adversary tells your electricity provider to temporarily power off your electricity to check if it manages to shut down a particular hidden service ? How do you ensure that your hidden service running at home remains accessible even without the main electrical input ? + +![](0.png) + +In this tutorial we'll look at the most fundamental part of both Disaster Recovery Planning and Business Continuity for home servers. We'll look at how to deal with power outages. + +![](1.png) + +For the Electrical Outages, we'll setup a UPS in between our homeserver and the main electrical input, so that in case of a power outage the home server can keep running for a while before finally shutting down. The UPS will then send a message to the Network UPS Tools suite to tell the server to shutdown when the batteries run low. + + + +## **Electrical Outages - UPS setup** + +Before buying a UPS, you need to know how much your home server can draw power (in watts), to make it simple just look at your power supply in your Homeserver. Mine is a RM 750x: + +![](2.png) + +and as explained in the technical specs, it can draw up to 750 Watts of power: + +![](3.png) + +So you need a UPS that can generate at least 750 Watts of power, such as the APC Back-UPS 1600VA: + +![](4.png) + +For my usecase, i picked that one because it can power my homeserver with the 900Watts it can output. Perfect for my server that can draw 750Watts. + +First make sure your homeserver's plugged onto the UPS which is plugged onto the main electrical source. Then power on the homeserver, and after it booted, connect the serial to usb cable from the UPS to the homeserver, and you'll see it appear like so: + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → lsusb + + [...] + + Bus 003 Device 003: ID 051d:0002 American Power Conversion Uninterruptible Power Supply + + [...] + + + +Then, let's install network ups tools (nut) and make it scan for any ups connected via UPS like ours: + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → apt update -y ; apt install nut nut-client nut-server -y + + [ Wonderland ] [ /dev/pts/3 ] [~] + → sudo nut-scanner -U + Scanning USB bus. + [nutdev1] + driver = "usbhid-ups" + port = "auto" + vendorid = "051D" + productid = "0002" + product = "Back-UPS BX1600MI FW:378600G -302202G" + serial = "DWAADWAWDWA" + vendor = "American Power Conversion" + bus = "003" + + + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → cat /etc/nut/upsmon.conf + RUN_AS_USER root + MONITOR apc-ups@localhost 1 admin secret master + + MINSUPPLIES 1 + SHUTDOWNCMD "/sbin/shutdown -h +0" + POLLFREQ 5 + POLLFREQALERT 5 + HOSTSYNC 15 + DEADTIME 15 + POWERDOWNFLAG /etc/killpower + RBWARNTIME 43200 + NOCOMMWARNTIME 300 + FINALDELAY 5 + + [ Wonderland ] [ /dev/pts/3 ] [~] + → cat /etc/nut/upsd.conf + LISTEN 0.0.0.0 3493 + + [ Wonderland ] [ /dev/pts/3 ] [~] + → cat /etc/nut/nut.conf + + MODE=netserver + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → cat /etc/nut/upsd.users + [monuser] + password = secret + admin master + + + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → systemctl status nut-server nut-client nut-monitor + ● nut-server.service - Network UPS Tools - power devices information server + Loaded: loaded (/lib/systemd/system/nut-server.service; enabled; preset: enabled) + Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago + Main PID: 707274 (upsd) + Tasks: 1 (limit: 76930) + Memory: 620.0K + CPU: 2ms + CGroup: /system.slice/nut-server.service + └─707274 /lib/nut/upsd -F + + Apr 06 17:23:47 wonderland systemd[1]: Started nut-server.service - Network UPS Tools - power devices information server. + Apr 06 17:23:47 wonderland nut-server[707274]: fopen /run/nut/upsd.pid: No such file or directory + Apr 06 17:23:47 wonderland nut-server[707274]: Could not find PID file '/run/nut/upsd.pid' to see if previous upsd instance is already running! + Apr 06 17:23:47 wonderland nut-server[707274]: listening on 0.0.0.0 port 3493 + Apr 06 17:23:47 wonderland upsd[707274]: listening on 0.0.0.0 port 3493 + Apr 06 17:23:47 wonderland upsd[707274]: Connected to UPS [apc-ups]: usbhid-ups-apc-ups + Apr 06 17:23:47 wonderland nut-server[707274]: Connected to UPS [apc-ups]: usbhid-ups-apc-ups + Apr 06 17:23:47 wonderland nut-server[707274]: Running as foreground process, not saving a PID file + Apr 06 17:23:47 wonderland upsd[707274]: Running as foreground process, not saving a PID file + + ● nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller + Loaded: loaded (/lib/systemd/system/nut-monitor.service; enabled; preset: enabled) + Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago + Main PID: 707276 (upsmon) + Tasks: 2 (limit: 76930) + Memory: 836.0K + CPU: 2ms + CGroup: /system.slice/nut-monitor.service + ├─707276 /lib/nut/upsmon -F + └─707277 /lib/nut/upsmon -F + + Apr 06 17:23:47 wonderland systemd[1]: Started nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller. + Apr 06 17:23:47 wonderland nut-monitor[707276]: fopen /run/nut/upsmon.pid: No such file or directory + Apr 06 17:23:47 wonderland nut-monitor[707276]: Could not find PID file to see if previous upsmon instance is already running! + Apr 06 17:23:47 wonderland nut-monitor[707276]: UPS: apc-ups@localhost (primary) (power value 1) + Apr 06 17:23:47 wonderland nut-monitor[707276]: Using power down flag file /etc/killpower + Apr 06 17:23:47 wonderland nut-monitor[707277]: Init SSL without certificate database + Apr 06 17:23:47 wonderland nut-monitor[707277]: Login on UPS [apc-ups@localhost] failed - got [ERR ACCESS-DENIED] + + ● nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller + Loaded: loaded (/lib/systemd/system/nut-monitor.service; enabled; preset: enabled) + Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago + Main PID: 707276 (upsmon) + Tasks: 2 (limit: 76930) + Memory: 836.0K + CPU: 2ms + CGroup: /system.slice/nut-monitor.service + ├─707276 /lib/nut/upsmon -F + └─707277 /lib/nut/upsmon -F + + Apr 06 17:23:47 wonderland systemd[1]: Started nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller. + Apr 06 17:23:47 wonderland nut-monitor[707276]: fopen /run/nut/upsmon.pid: No such file or directory + Apr 06 17:23:47 wonderland nut-monitor[707276]: Could not find PID file to see if previous upsmon instance is already running! + Apr 06 17:23:47 wonderland nut-monitor[707276]: UPS: apc-ups@localhost (primary) (power value 1) + Apr 06 17:23:47 wonderland nut-monitor[707276]: Using power down flag file /etc/killpower + Apr 06 17:23:47 wonderland nut-monitor[707277]: Init SSL without certificate database + Apr 06 17:23:47 wonderland nut-monitor[707277]: Login on UPS [apc-ups@localhost] failed - got [ERR ACCESS-DENIED] + + + +We can check if the server can get all the + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → upsc apc-ups@localhost + Init SSL without certificate database + battery.charge: 100 + battery.charge.low: 10 + battery.mfr.date: 2001/01/01 + battery.runtime: 3167 + battery.runtime.low: 120 + battery.type: PbAc + battery.voltage: 27.2 + battery.voltage.nominal: 24.0 + device.mfr: American Power Conversion + device.model: Back-UPS BX1600MI + device.serial: DDWAWADWADADW + device.type: ups + driver.name: usbhid-ups + driver.parameter.pollfreq: 30 + driver.parameter.pollinterval: 1 + driver.parameter.port: auto + driver.parameter.productid: 0002 + driver.parameter.serial: DWDADWAWDDWAADWDAW + driver.parameter.synchronous: auto + driver.parameter.vendorid: 051D + driver.version: 2.8.0 + driver.version.data: APC HID 0.98 + driver.version.internal: 0.47 + driver.version.usb: libusb-1.0.26 (API: 0x1000109) + input.sensitivity: medium + input.transfer.high: 295 + input.transfer.low: 145 + input.voltage: 234.0 + input.voltage.nominal: 230 + ups.beeper.status: enabled + ups.delay.shutdown: 20 + ups.firmware: 378600G -302202G + ups.load: 10 + ups.mfr: American Power Conversion + ups.mfr.date: 2022/02/08 + ups.model: Back-UPS BX1600MI + ups.productid: 0002 + ups.realpower.nominal: 900 + ups.serial: DAWDWDAWADWADWDAWAD + ups.status: OL + ups.test.result: Done and passed + ups.timer.reboot: 0 + ups.timer.shutdown: -1 + ups.vendorid: 051d + + + +Now that the UPS is detected, we can install an interface for the nut service: + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → apt install nut-cgi -y + + [ Wonderland ] [ /dev/pts/3 ] [~] + → vim /etc/nut/hosts.conf + + [ Wonderland ] [ /dev/pts/3 ] [~] + → cat /etc/nut/hosts.conf + + MONITOR apc-ups@localhost "APC UPS - 1600VA" + + [ Wonderland ] [ /dev/pts/3 ] [~] + → cat /etc/nut/upsset.conf + I_HAVE_SECURED_MY_CGI_DIRECTORY + + [ Wonderland ] [ /dev/pts/3 ] [~] + → apt install apache2 -y + + [ Wonderland ] [ /dev/pts/3 ] [~] + → a2enmod cgi + Your MPM seems to be threaded. Selecting cgid instead of cgi. + Enabling module cgid. + To activate the new configuration, you need to run: + systemctl restart apache2 + + [ Wonderland ] [ /dev/pts/3 ] [~] + → systemctl restart apache2 + + + +And now we can browse it from the web on port 80: the url is: **http://192.168.0.100/cgi-bin/nut/upsstats.cgi?host=apc-ups@localhost &treemode;** + +![](6.png) + +we can see the following graph to know the Battery Charge, Voltage, Input and Load: + +![](7.png) + +And for more details you can see the data tree: + +![](8.png) + +Now let's test if it works by unplugging the main electrical source: + +![](11.png) + +First thing you'll notice is the UPS starting to do a loud beep every 3 seconds, but you can see it in action from the web interface: + +![](9.png) + +Here as you can see the UPS is working on battery, and slowly the charge is being drained from 100% (now at 97% after 5 minutes) Of course it's being drained slowly due to being on a low load (18% currently), meaning it could last another 20 minutes of electrical outage easily. + diff --git a/finances/0.png b/finances/0.png new file mode 100644 index 0000000..386102f Binary files /dev/null and b/finances/0.png differ diff --git a/finances/1.png b/finances/1.png new file mode 100644 index 0000000..cf571cb Binary files /dev/null and b/finances/1.png differ diff --git a/finances/2.png b/finances/2.png new file mode 100644 index 0000000..f8f6a78 Binary files /dev/null and b/finances/2.png differ diff --git a/finances/3.png b/finances/3.png new file mode 100644 index 0000000..937c241 Binary files /dev/null and b/finances/3.png differ diff --git a/finances/4.png b/finances/4.png new file mode 100644 index 0000000..48e21a8 Binary files /dev/null and b/finances/4.png differ diff --git a/finances/index.md b/finances/index.md new file mode 100644 index 0000000..2b7e836 --- /dev/null +++ b/finances/index.md @@ -0,0 +1,87 @@ +--- +author: user +date: 2024-04-26 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/95" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why Financial decentralisation ? + + + +## **Centralised Currencies** + +As we have discussed [previously](../governments/index.md), governments love centralisation, because it allows them to keep control over what the masses can do, because they can directly affect the owner of said centralised service to further their agenda. + +![](0.png) + +Nowadays, governments love to impose financial sanctions towards the other countries they don't like, by preventing everyone from having any business with said country ([example: the EU imposing sanctions against russia](https://iv.nowhere.moe/watch?v=0eHMhTZr9Jw)), one way to achieve that goal is to block transactions at the banking level, since legitimate businesses require to have a bank account. That is of course intentional, as it allows the government to control any business' finances. + +The banking system has deep roots in any modern country, with very close ties to the governments as it gives them very direct control over their population. As detailed in his book ["the right to transact" by Zelinar XY](https://zelinarxy.com/?about=book) he argues that the right to transact is an extension of one's innate right of expression. + +For a government to have control over one's expenses, is to have control over one's ability to express himself, it is for a government to have the power to censor any individual they deem to be unfit to be in their society. + +And in my opinion, to consider that someone else should be able to decide what YOU do with your money, is madness. **You alone should decide what should happen with your money** and governments definitely don't want that. + +## **Decentralised Currencies, and Centralised Exchanges** + +**Bitcoin: Revolutionnary, but Flawed** + +Bitcoin has been the first cryptocurrency to see the day. It has been a remarkable innovation at the time. It allows you to create a wallet from home, to be able to recieve money there, and to transact freely, tax free. All you need is to have a computer, with an internet connection. Of course that does not sit well with governments. They want to keep control over your money, to be able to keep control over your right to transact. + +While Bitcoin has been revolutionary at the time, there are obvious cracks in the armor. While it provides decentralisation of the currency (meaning it is not controlled by a centralised entity, such as the dollar is controlled by the federal reserve), it has a completely transparent blockchain, meaning everyone knows which wallet transacted with whom, and the amount of Bitcoin on each wallet. + +_TLDR:_ noone can stop your bitcoin transaction, but you can be put in prison for it + +**Centralised Exchanges and KYC: Governmental Proxies** + +with Bitcoin [everyone knows which wallet is the richest](https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html), all that's left is to put a name on those wallets, to be able to tax them! Governments are pushing hard to regulate centralised exchanges, to implement just that, they want their part of the cake at all costs. + +KYC procedures (Know Your Customer procedures) are a direct threat to: + + 1. Your right to remain anonymous + 2. Your right to privacy + 3. And by extension, your right to transact + 4. And by extension, your right of expression + + + +Centralised exchanges are the current target of choice for regulators. Most of them force their users to have custodial wallets (meaning the wallets with all the customer funds are on the server, not with the client) and so, **their funds can be taken hostage** to force their customers to comply and complete with all the KYC procedures when they get implemented. Feels like central banks isn't it ? **The problem here is centralisation. Why are you using decentralised cryptocurrencies on Centralised platforms in the first place?** + +![](2.png) + +All public and popular Centralised Exchange are bound to fall to this fate. They will inevitably comply with the governments of their country, Their users will be forced to identify themselves to transact with other users, they will have to identify themselves so that the exchange (and by extension, the government) knows who's got the money, to be able to tax them later on, **and of course if they don't comply, they will be forced out of business one way or the other**. + +That's where we are at currently, People have not completely moved away from Centralisation and KYC. But you'll see, as surveillance increases over time and governments try to have as much control as possible over the masses, the need for privacy and anonymity will keep on increasing manyfold. + +In the meantime, to find KYC-free services (centralised or not), check out [kycnot.me](https://kycnot.me/), as they put it: **"KYC reveals fear."** + +## **The Privacy Cryptocurrency, and Decentralised Exchanges** + +**Monero: the Privacy Standard for transactions** + +Out of that situation emerged privacy coins, with Monero still at the top to this day ([also known as the only cryptocurrency that's used](https://iv.nowhere.moe/watch?v=YTTac2XjyFY)) is basically a cryptocurrency just like bitcoin, except that it does everything to obscure every info regarding transactions. Basically, it's a nightmare for financial regulators. + +![](1.png) + +To make it short, it obscures the amount transacted, the ip addresses, who receives the transaction and who sends the transaction, To this day not a single monero transaction has been successfully traced. For more details on Monero, check the infodump [here](https://moneroinfodump.neocities.org/#MoneroIsUntraceable). + +Monero's goals differ from what bitcoin has become. It's not to get rich, the goal is to provide transactional privacy, anonymity, and ultimately to be USED as a currency. That is a fundamental difference to the whole bitcoin-fan ecosystem of pump and dump schemes, monero is not meant to be a speculative asset. + +More to the point, given the alarming increase of surveillance worldwide, and incoming regulations forced onto everyone, do you seriously think that people will keep trying to use random coins just to get taxed ? **No, eventually only the coins that take privacy and anonymity of it's users as their first priority will remain.** Mark my words; hop on the orange boat, and watch every other currency lose value. + +Governments so far have been unable to do anything to stop monero from being transacted. The only thing they can successfully do is to force centralised exchanges to delist it ([example: Binance Delists monero](https://www.binance.com/en/square/post/3817825785186)), but **decentralised currencies don't require centralised exchanges to exist.** + +_TLDR:_ Noone can stop your monero transaction and put you in prison for it afterward, unlike bitcoin or any other coin out there. + +**Decentralised Exchanges: the next step** + +As we have discussed before, Centralisation will always lead to regulations imposed by the government. If on the other hand we have a Decentralised alternative to exchange freely, **the government has to try and regulate the end user directly, multiplying the efforts!**. + +![](3.png) + +In short, **Cut out the troublesome middle man, and transact with the end user directly**. You can also use semi-centralised platforms such as that are platforms who incite crypto owners to exchange amongst themselves, a good alternative to use until Decentralised Exchanges (DEXs) are popularized. If you want to check out how to acquire monero on localmonero check out [this tutorial](../monero2024/index.md). (edit: localmonero is no longer in business as of april 2024, moving to haveno DEX is your current only option for direct FIAT -> XMR transactions) + +![](4.png) + +The next big Decentralized Exchange that's coming soon is [Haveno DEX](https://haveno.exchange) It will combine Monero and Tor to bring complete decentralisation of your finances. When it will be ready for public use, it will only be a matter of time until everyone shifts to a completely decentralised way of transacting. Check out [this tutorial](../haveno-client-f2f/index.md) i made to find out how to use it for Fiat -> XMR transactions. + diff --git a/forgejo-anon/0.png b/forgejo-anon/0.png new file mode 100644 index 0000000..5391984 Binary files /dev/null and b/forgejo-anon/0.png differ diff --git a/forgejo-anon/1.png b/forgejo-anon/1.png new file mode 100644 index 0000000..41a0d5d Binary files /dev/null and b/forgejo-anon/1.png differ diff --git a/forgejo-anon/10.png b/forgejo-anon/10.png new file mode 100644 index 0000000..5446b3f Binary files /dev/null and b/forgejo-anon/10.png differ diff --git a/forgejo-anon/11.png b/forgejo-anon/11.png new file mode 100644 index 0000000..ffaae9b Binary files /dev/null and b/forgejo-anon/11.png differ diff --git a/forgejo-anon/12.png b/forgejo-anon/12.png new file mode 100644 index 0000000..2092284 Binary files /dev/null and b/forgejo-anon/12.png differ diff --git a/forgejo-anon/13.png b/forgejo-anon/13.png new file mode 100644 index 0000000..dba1884 Binary files /dev/null and b/forgejo-anon/13.png differ diff --git a/forgejo-anon/14.png b/forgejo-anon/14.png new file mode 100644 index 0000000..cf5830c Binary files /dev/null and b/forgejo-anon/14.png differ diff --git a/forgejo-anon/15.png b/forgejo-anon/15.png new file mode 100644 index 0000000..3cf8a91 Binary files /dev/null and b/forgejo-anon/15.png differ diff --git a/forgejo-anon/16.png b/forgejo-anon/16.png new file mode 100644 index 0000000..3145d92 Binary files /dev/null and b/forgejo-anon/16.png differ diff --git a/forgejo-anon/17.png b/forgejo-anon/17.png new file mode 100644 index 0000000..d0a672f Binary files /dev/null and b/forgejo-anon/17.png differ diff --git a/forgejo-anon/18.png b/forgejo-anon/18.png new file mode 100644 index 0000000..f5610f8 Binary files /dev/null and b/forgejo-anon/18.png differ diff --git a/forgejo-anon/19.png b/forgejo-anon/19.png new file mode 100644 index 0000000..7d0d6be Binary files /dev/null and b/forgejo-anon/19.png differ diff --git a/forgejo-anon/2.png b/forgejo-anon/2.png new file mode 100644 index 0000000..8c8e130 Binary files /dev/null and b/forgejo-anon/2.png differ diff --git a/forgejo-anon/20.png b/forgejo-anon/20.png new file mode 100644 index 0000000..6deb2af Binary files /dev/null and b/forgejo-anon/20.png differ diff --git a/forgejo-anon/21.png b/forgejo-anon/21.png new file mode 100644 index 0000000..5f9eedb Binary files /dev/null and b/forgejo-anon/21.png differ diff --git a/forgejo-anon/22.png b/forgejo-anon/22.png new file mode 100644 index 0000000..fb59d09 Binary files /dev/null and b/forgejo-anon/22.png differ diff --git a/forgejo-anon/23.png b/forgejo-anon/23.png new file mode 100644 index 0000000..983dd49 Binary files /dev/null and b/forgejo-anon/23.png differ diff --git a/forgejo-anon/3.png b/forgejo-anon/3.png new file mode 100644 index 0000000..9d5a0ed Binary files /dev/null and b/forgejo-anon/3.png differ diff --git a/forgejo-anon/4.png b/forgejo-anon/4.png new file mode 100644 index 0000000..860e29d Binary files /dev/null and b/forgejo-anon/4.png differ diff --git a/forgejo-anon/5.png b/forgejo-anon/5.png new file mode 100644 index 0000000..807dd61 Binary files /dev/null and b/forgejo-anon/5.png differ diff --git a/forgejo-anon/6.png b/forgejo-anon/6.png new file mode 100644 index 0000000..d2edfe9 Binary files /dev/null and b/forgejo-anon/6.png differ diff --git a/forgejo-anon/7.png b/forgejo-anon/7.png new file mode 100644 index 0000000..7a817eb Binary files /dev/null and b/forgejo-anon/7.png differ diff --git a/forgejo-anon/8.png b/forgejo-anon/8.png new file mode 100644 index 0000000..7e156cb Binary files /dev/null and b/forgejo-anon/8.png differ diff --git a/forgejo-anon/9.png b/forgejo-anon/9.png new file mode 100644 index 0000000..d94b7ba Binary files /dev/null and b/forgejo-anon/9.png differ diff --git a/forgejo-anon/index.md b/forgejo-anon/index.md new file mode 100644 index 0000000..46505cd --- /dev/null +++ b/forgejo-anon/index.md @@ -0,0 +1,513 @@ +--- +author: nihilist +date: 2024-11-23 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/270" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Forgejo .onion Setup (Anonymous Code Repositories and Collaboration) + +![](0.png) + +In this tutorial we're going to take a look at how you can setup an anonymous Forgejo instance ([which was previously known as Gitea before the hard fork](https://forgejo.org/compare-to-gitea/)) that is accessible over Tor, in order to be able to collaborate with people on projects, while maintaining everyone's anonymity. + + + Notes on why you should use Forgejo instead of Gitea: + + **Forgejo was created in October 2022 after a for profit company took over the Gitea project.** It exists under the umbrella of a non-profit organization, Codeberg e.V. and is developed in the interest of the general public. In the year that followed, this difference in governance led to choices that made Forgejo significantly and durably different from Gitea. + + + +_Disclaimer:_ If you are a developer working on projects that aim to reduce governmental control, such as working on privacy-cryptocurrency projects (ie Monero, Haveno, Crypto Mixers, etc), **take some time to consider stopping maintaing/contributing to those projects under your public identity** , and rather shift to maintaining those projects under an anonymous identity (which is the aim of the following Forgejo setup). + +**You never know when your tyrannical government is going to snap and decide to make an example out of you, just like what happened to[Tornado Cash](https://www.coindesk.com/policy/2024/05/14/tornado-cash-developer-alexey-pertsev-found-guilty-of-money-laundering/)**. It is a matter of [adapting your OPSEC to the intended internet use](../internetsegmentation/index.md). Don't paint a target on your back and give any ammunition to the adversary, because they're going to shoot you with everything you give them (your IRL name, what you contributed on the project, taking things you said out of context, etc). **Tyrants don't care, even if it they have to step on your freedom of speech** (as that's what developing code is) to keep their control over the masses, they will do anything to keep their control intact. + + + +## **Why is this relevant ?** + +First of all, Git is a distributed version control system that tracks versions of files. It is often used to control source code by programmers who are developing software collaboratively. It is especially popular in the FOSS community as it allows anyone to contribute to projects. + +The place where you can find the most repositories online is [Github](https://github.com/trending), but the problem is that Github has been purchased by Microsoft. + +![](2.png) + +Now the problem with trusting a business to host your code repositories that reduces governmental control (such as [Tornado Cash](https://decrypt.co/107053/it-doesnt-change-anything-says-tornado-cash-code-disappears-github)) is that those governments can use any company (such as Microsoft in particular) to do their bidding, **such as infringing on your freedom of speech, censoring you and deleting your work from the platform.** + +The source code for crypto transaction mixer Tornado Cash has disappeared from Github **barely 24 hours after the US Treasury Department added the privacy tool to its sanctions list.** Highlighting how Microsoft is a proxy that the US Government uses (more often than you think) to persecute anyone they don't like. + +![](1.png) + +**That is why Github should not be relied on to host any code repository that threaten governmental control** , we need an alternative that we can host ourselves, to break free from that governmental control. Which is where Forgejo comes in the picture. + +Forgejo is a painless, self-hosted, all-in-one software development service. It includes Git hosting, code review, team collaboration, package registry, and CI/CD. It is similar to GitHub, Bitbucket and GitLab. The most important part being that it can be self-hosted.** + +![](3.png) + +Now let's suppose you setup your potentially sensitive repositories on a clearnet forgejo instance (meaning the server can be reached directly by a domain name, to it's public IP address. **What is stopping the tyrannical government from ordering the VPS provider to shut down the server ?** They know where it is located, what server it is on, so they can order it to be taken down all the same, as they will simply force another business to comply with their demands, and this time it will be the server itself that will be taken down. + +## _OPSEC RECOMMENDATIONS:_ + +This is why the Forgejo instance needs to be setup behind Tor, as a [.onion hidden service](../torwebsite/index.md). Now you have a few options as to where to host the the Forgejo service. It can be on a [remote VPS that you acquired anonymously](../anonymousremoteserver/index.md) (where the cost will be the renting of that VPS, such as 5 euros per month): + +![](../hiddenservice/1.png) + +Or it can simply be on a server that is running at your own home, at the cost of your own elecricity consumption, and internet connection: + +![](../hiddenservice/0.png) + +## **Forgejo instance Setup** + +Now that we laid out the justifications for this setup, let's set it up on our server using Docker: + + + [ Datura ] [ /dev/pts/13 ] [/srv] + → apt install docker.io docker-compose -y ; systemctl enable --now docker + + [ Datura ] [ /dev/pts/13 ] [/srv] + → cd /srv + + [ Datura ] [ /dev/pts/13 ] [/srv] + → mkdir forgejo_onion + + [ Datura ] [ /dev/pts/13 ] [/srv] + → cd forgejo_onion + + [ Datura ] [ /dev/pts/13 ] [/srv] + → cat docker-compose.yml + version: "3" + + networks: + forgejo: + external: false + + services: + server: + #image: gitea/gitea:latest + # to migrate from an existing gitea instance to a forgejo one all you need is to simply comment this above line, and replace it with the one below: + image: codeberg.org/forgejo/forgejo:9.0.3 + # but warning, this won't work anymore starting from 1.23.X, 1.22.X is the last version where you can do this seamlessly. + container_name: forgejo + environment: + - USER_UID=1000 + - USER_GID=1000 + restart: always + networks: + - forgejo + - tor-forgejo + volumes: + - ./forgejo:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + ports: + - "127.0.0.1:3009:3000" + - "127.0.0.1:2222:22" + + tor-forgejo: + image: osminogin/tor-simple + container_name: tor-forgejo + volumes: + - ./tor-data:/var/lib/tor + - ./tor-data/torrc:/etc/tor + networks: + - tor-forgejo + + networks: + tor-forgejo: + forgejo: + + + + +Now let's setup a docker Tor daemon and the folder it needs to have, as we'll later need Forgejo to connect elsewhere through Tor : + + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → mkdir -p tor-data/torrc + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → vim tor-data/torrc/torrc + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → cat tor-data/torrc/torrc + SOCKSPort 0.0.0.0:9050 + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → chown -R 100:65533 tor-data/ + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → chmod 700 tor-data + + + +now before we run the Forgejo instance, we need to make it reachable via a .onion domain, so let's install tor and generate a .onion domain by following [this tutorial](../torwebsite/index.md): + + + [ Datura ] [ /dev/pts/13 ] [/srv/mkp224o] + → ls /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + authorized_clients hostname hs_ed25519_public_key hs_ed25519_secret_key + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → cat /etc/tor/torrc | tail -n 5 + HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/ + HiddenServicePort 80 127.0.0.1:3019 + HiddenServicePort 2222 127.0.0.1:2222 + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → systemctl restart tor@default + + + +Now that's done, we launch Forgejo by using docker-compose: + + + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → docker-compose up + Creating forgejo-onion ... done + Attaching to forgejo-onion + forgejo-onion | Generating /data/ssh/ssh_host_ed25519_key... + forgejo-onion | Generating /data/ssh/ssh_host_rsa_key... + forgejo-onion | Generating /data/ssh/ssh_host_ecdsa_key... + forgejo-onion | Server listening on :: port 22. + forgejo-onion | Server listening on 0.0.0.0 port 22. + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:242:runWeb() [I] Starting Forgejo on PID: 15 + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:111:showWebStartupMessage() [I] Forgejo version: 1.22.3 built with GNU Make 4.4.1, go1.22.8 : bindata, timetzdata, sqlite, sqlite_unlock_notify + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:112:showWebStartupMessage() [I] * RunMode: prod + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:113:showWebStartupMessage() [I] * AppPath: /usr/local/bin/gitea + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:114:showWebStartupMessage() [I] * WorkPath: /data/gitea + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:115:showWebStartupMessage() [I] * CustomPath: /data/gitea + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:116:showWebStartupMessage() [I] * ConfigFile: /data/gitea/conf/app.ini + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:117:showWebStartupMessage() [I] Prepare to run install page + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:304:listen() [I] Listen: http://0.0.0.0:3000 + forgejo-onion | 2024/11/23 16:37:01 cmd/web.go:308:listen() [I] AppURL(ROOT_URL): http://localhost:3000/ + forgejo-onion | 2024/11/23 16:37:01 ...s/graceful/server.go:50:NewServer() [I] Starting new Web server: tcp:0.0.0.0:3000 on PID: 15 + + + +Now that's done, let's access our Forgejo instance from the tor browser at the .onion domain we set for it, to setup the initial configuration: + +![](4.png) + +Take note that you can leave everything as it is by default here, except if you want to change the Site Title, take note that there is no need for https in the URL, it is normal for it to remain http. And lastly let's disable registrations, **as users won't be using emails to register since we're not going to use the clearnet at all.** + +![](5.png) + +Lastly don't forget to create the administrator account at the bottom, and click "Install Forgejo": + +![](6.png) + +Wait a bit for the Forgejo instance to finish setup, and you're done! + +![](7.png) + +Now we need to tweak the instance a bit, so let's edit the app.ini file that is located in **/srv/forgejo_onion/gitea/gitea/conf/app.ini** : + + + [ Datura ] [ /dev/pts/6 ] [/srv/forgejo_onion] + → ls + docker-compose.yml gitea + + [ Datura ] [ /dev/pts/6 ] [/srv/forgejo_onion] + → cd gitea + + [ Datura ] [ /dev/pts/6 ] [/srv/forgejo_onion/gitea] + → ls + git gitea ssh + + [ Datura ] [ /dev/pts/6 ] [/srv/forgejo_onion/gitea] + → cd gitea + + [ Datura ] [ /dev/pts/6 ] [forgejo_onion/gitea/gitea] + → ls + actions_artifacts attachments conf home jwt packages repo-archive sessions + actions_log avatars gitea.db indexers log queues repo-avatars tmp + + [ Datura ] [ /dev/pts/6 ] [forgejo_onion/gitea/gitea] + → cd conf + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/conf] + → ls + app.ini + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/conf] + → vim app.ini + + + +now the first thing i like to do here is to set the default gitea theme to "gitea-dark" by adding the [ui] section at the bottom: + + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/conf] + → cat app.ini | tail -n 3 + + [ui] + DEFAULT_THEME = gitea-dark + + + +dont forget to restart the gitea docker everytime you edit the app.ini config file: + + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → docker-compose down ; docker-compose up -d + Stopping forgejo-onion ... done + Removing forgejo-onion ... done + Removing network forgejo_onion_gitea + Creating network "forgejo_onion_gitea" with the default driver + Creating forgejo-onion ... done + + + +then on the webpage, hit "Ctrl+F5" to refresh the page and see the new theme: + +![](8.png) + +## **Forgejo mirroring Github repositories through Tor** + +Now in order to make sure our Forgejo instance is able to mirror external git repositories from other websites such as github, we need to make sure it goes through Tor to do so, so we need to make sure the gitea container can reach the docker tor daemon, so have to make sure it uses it by adding the [proxy] section in the app.ini config file (_Sidenote:_ the Forgejo container will know that the "tor" hostname refers to the tor docker container, so it is totally intentional as written below): + + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → vim gitea/gitea/conf/app.ini + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → cat gitea/gitea/conf/app.ini | tail -n 4 + [proxy] + PROXY_ENABLED = true + PROXY_URL = **socks://tor-forgejo:9050/** + PROXY_HOSTS = * + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → docker-compose down ; docker-compose up -d + + + +And now from there, we should be able to mirror external repositories on gitea by making the traffic go through Tor aswell. As an example, let's create a git mirror of the official [Monero](../monero2024/index.md) repository that currently sits on [Github](https://github.com/monero-project/monero): + +![](9.png) ![](10.png) ![](11.png) + +Now be aware that it's going to take longer than it usually would to get the repository due to the low bandwidth that Tor has, so be be patient and wait until it finishes: + +![](12.png) ![](13.png) + +And there you go! you just managed to mirror a github repository while still making sure the connections go through Tor. + +## **Handling Forgejo repositories through Tor** + +So now let's create our first Forgejo repository from the web interface: + +![](14.png) ![](15.png) + +Now that the repository has been created, we need to push our first commit there so let's follow the instructions: + + + [ mainpc ] [ /dev/pts/9 ] [~/Documents] + → mkdir my-very-cool-repository + + [ mainpc ] [ /dev/pts/9 ] [~/Documents] + → cd my-very-cool-repository + + [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository] + → touch README.md + + [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository] + → git init + hint: Using 'master' as the name for the initial branch. This default branch name + hint: is subject to change. To configure the initial branch name to use in all + hint: of your new repositories, which will suppress this warning, call: + hint: + hint: git config --global init.defaultBranch + hint: + hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and + hint: 'development'. The just-created branch can be renamed via this command: + hint: + hint: git branch -m + Initialized empty Git repository in /home/nihilist/Documents/my-very-cool-repository/.git/ + + [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository] + → git checkout -b main + Switched to a new branch 'main' + + [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository] + → git add README.md + + [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository] + → git commit -m "first commit" + [main (root-commit) b090f42] first commit + 1 file changed, 0 insertions(+), 0 deletions(-) + create mode 100644 README.md + + + +Then we can proceed with the rest of the instructions to push the commit to the repository via the .onion Forgejo domain, with the exception of the **git push** command, where we need to use the **torsocks** in front of it, because otherwise it won't be able to resolve the .onion domain: + + + [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository] + → git remote add origin http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/nihilist/my-very-cool-repository.git + + [ mainpc ] [ /dev/pts/9 ] [~/Documents/my-very-cool-repository] + → **torsocks git push -u origin main** + Username for 'http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion': nihilist + Password for 'http://nihilist@daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion': + Enumerating objects: 3, done. + Counting objects: 100% (3/3), done. + Writing objects: 100% (3/3), 212 bytes | 16.00 KiB/s, done. + Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 + remote: . Processing 1 references + remote: Processed 1 references in total + To http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/nihilist/my-very-cool-repository.git + * [new branch] main -> main + branch 'main' set up to track 'origin/main'. + + + +And that's it! You managed to do your first git commit via Tor ! + +![](16.png) + +_Sidenote:_ in the same way you also need to use torsocks to git clone repositories that are on .onion domains: + + + [ mainpc ] [ /dev/pts/9 ] [~/Documents] + → torsocks git clone http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/nihilist/my-very-cool-repository + Cloning into 'my-very-cool-repository'... + remote: Enumerating objects: 3, done. + remote: Counting objects: 100% (3/3), done. + remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0) + Receiving objects: 100% (3/3), done. + + + +Next, if you want other people to contribute to your Forgejo projects, you'll have to do manual registrations as they can't use email to register new accounts: + +![](20.png) ![](21.png) ![](22.png) ![](23.png) + +Once created, simply send the credentials to login to the user that needs them in a private chat (see our recommendation to use [SimpleX chat](../anonsimplex/index.md)). + +## **BONUS: Customizing Forgejo's appearance** + +Now if you want to customize your Forgejo instance like i did at you'll can first create the templates folder to change the homepage: + + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → cd gitea/gitea + + [ Datura ] [ /dev/pts/13 ] [forgejo_onion/gitea/gitea] + → mkdir templates + + [ Datura ] [ /dev/pts/13 ] [forgejo_onion/gitea/gitea] + → cd templates + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/templates] + → wget https://git.nowhere.moe/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/templates/home.toml -O home.tmpl + + [ Datura ] [ /dev/pts/13 ] [gitea/gitea/templates] + → vim home.tmpl + + [ Datura ] [ /dev/pts/13 ] [gitea/gitea/templates] + → cat home.tmpl | grep pain + + + ## A painful, self-inflicted Nightmare + + + + [ Datura ] [ /dev/pts/13 ] [gitea/gitea/templates] + → cd /srv/forgejo_onion + + [ Datura ] [ /dev/pts/13 ] [/srv/forgejo_onion] + → docker-compose down ; docker-compose up -d + + + +![](17.png) + +then to change the logo you can drop your own custom logos in the **/srv/forgejo_onion/gitea/gitea/public/assets/img/** directory: + + + [ Datura ] [ /dev/pts/6 ] [forgejo_onion/gitea/gitea] + → mkdir public/assets/img + + [ Datura ] [ /dev/pts/6 ] [forgejo_onion/gitea/gitea] + → cd public/assets/img + + [ Datura ] [ /dev/pts/6 ] [public/assets/img] + → ls + apple-touch-icon.png favicon.png gitea-192.png gitea-lg.png gitea-sm.png img.tar + favicon.ico favicon.svg gitea-512.png gitea-safari.svg gitea.svg logo.svg + + [ Datura ] [ /dev/pts/6 ] [public/assets/img] + → cd /srv/forgejo_onion + + [ Datura ] [ /dev/pts/6 ] [/srv/forgejo_onion] + → docker-compose down ; docker-compose up -d + + + +Then, simply refresh the page to see the changes: + +![](18.png) + +Next, if you want a custom CSS theme like the one i have, **first be aware that as Forgejo continues to be updated, the CSS theme may break depending on the breaking changes that gitea introduces, it is safer to keep using the default gitea-dark theme.** If that's not a problem for you, you can download it from [here](https://git.nowhere.moe/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/public/assets/css/theme-space.css) and put it in the **/srv/forgejo_onion/gitea/gitea/public/assets/css/** directory: + + + [ Datura ] [ /dev/pts/6 ] [/srv/forgejo_onion] + → cd gitea/gitea/public/assets + + [ Datura ] [ /dev/pts/6 ] [gitea/public/assets] + → mkdir css + + [ Datura ] [ /dev/pts/6 ] [gitea/public/assets] + → cd css + + [ Datura ] [ /dev/pts/6 ] [public/assets/css] + → wget https://git.nowhere.moe/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/public/assets/css/theme-space.css + --2024-11-23 20:25:50-- https://git.nowhere.moe/nihilist/Datura-Network/raw/branch/main/2-Decentralization/gitea/gitea/gitea/public/assets/css/theme-space.css + Resolving git.nowhere.moe (git.nowhere.moe)... 65.109.30.253 + Connecting to git.nowhere.moe (git.nowhere.moe)|65.109.30.253|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 22754 (22K) [text/plain] + Saving to: ‘theme-space.css’ + + theme-space.css 100%[=================================================>] 22.22K --.-KB/s in 0s + + 2024-11-23 20:25:50 (310 MB/s) - ‘theme-space.css’ saved [22754/22754] + + + + +Then make sure this is the default theme that is used, from the app.ini config file, and restart the Forgejo instance to refresh the configuration: + + + [ Datura ] [ /dev/pts/6 ] [public/assets/css] + → cd ../../../ + + [ Datura ] [ /dev/pts/6 ] [forgejo_onion/gitea/gitea] + → cd conf + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/conf] + → ls + app.ini + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/conf] + → vim app.ini + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/conf] + → cat app.ini | tail -n 9 + + **[ui] + DEFAULT_THEME = space + THEMES = space, gitea-dark** + + [ Datura ] [ /dev/pts/6 ] [gitea/gitea/conf] + → cd ../../.. + + [ Datura ] [ /dev/pts/6 ] [/srv/forgejo_onion] + → docker-compose down ; docker-compose up -d + + + +` ![](19.png) + +And that's it! You managed to get a customized .onion-only Forgejo instance, effectively forcing whoever that wants to use it to remain anonymous, if they want to deanonymize themselves, it will be out of their own accord later on. + diff --git a/governments/1.png b/governments/1.png new file mode 100644 index 0000000..ab69521 Binary files /dev/null and b/governments/1.png differ diff --git a/governments/2.png b/governments/2.png new file mode 100644 index 0000000..674e0d6 Binary files /dev/null and b/governments/2.png differ diff --git a/governments/3.png b/governments/3.png new file mode 100644 index 0000000..88de36b Binary files /dev/null and b/governments/3.png differ diff --git a/governments/index.md b/governments/index.md new file mode 100644 index 0000000..fbdee0f --- /dev/null +++ b/governments/index.md @@ -0,0 +1,75 @@ +--- +author: nihilist +date: 2024-06-07 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/68" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Governments, Centralisation, and Law Enforcement + +In this tutorial we're going to cover and explain what are governments, and why they are trying to force us into mass surveillance and KYC procedures. + + + +## **Governments and their laws** + + + A government is the system or group of people governing an organized community, generally a state. + + + +Their primary focus is to maintain their control over the country/state, no matter the cost, they will do everything possible to remain in power for as long as possible + +They are the ones who write the rules, the laws by which everyone in the country must must follow for society to remain in order (wheter the subjected people accept it or not), according to them. + +Governments pass Laws and to make sure that their laws is respected, they need Law enforcement (LE) to be able to apply sanctions on whoever breaks their laws. + +![](1.png) + +Governments nowadays almost always use bogus reasons to use to pass abusive laws (the typical "it's to fight the boogeymen!" type of reasons) , in order to either make more money, or to enforce surveillance better, or to straight up take away power from businesses and individuals. + +## **Businesses and Centralisation** + +One thing that governments genuinely care about is how modern and economically mature their country is. Hence their close relationships with businesses that generate the most wealth in their country. + +These same businesses are often a tool of Centralisation, to extend the government's reach of power, the most common trait there is surveillance, and identifying who did what (ex: with KYC procedures). + +Each business is closely regulated, the bigger the business, the higher up the priority list it is to be audited for regulation compliance checks. The exception being with International Banks (ex: [see the HSBC scandal](https://iv.nowhere.moe/watch?v=WwXPZohTJ4w)) due to everyone's innate greed to get richer even if it means breaking the law. + +![](2.png) + +Businesses are centralised entities just like governments, they ALL can act as proxies to help law enforcement, wheter they want to or not. + +## **Law enforcement** + + + Law enforcement is the activity of some members of government who act in an organized manner to enforce the law by discovering, deterring, rehabilitating, or punishing people who violate the rules and norms governing that society. + + + +For the Law to be enforceable the authorities need to know 2 things: + + 1. ![](../su2.png)What happened ? (lack of Privacy) + + 2. ![](../on2.png)Who did it ? (lack of Anonymity) + + +![](3.png) + +Of course, the law must not be ignored by anyone, and to make sure that everyone is kept in line, they need to show everyone that the law is effectively enforced onto those that behaved badly, very often they brag about catching criminals to let everyone know that they are the good guys protecting everyone from the bad guys. + +That is the basis of this whole Privacy and Anonymity talk. In short, For the law to be enforceable, they need to know both what happened, and who perpetrated the act to be able to apply sanctions on the individual / group of individuals that committed the crime. + +Modern governments know this very well, and some go to extreme lengths to make sure that every citizen is under surveillance. + + 1. USA: [Edward Snowden's Revelations](https://iv.nowhere.moe/watch?v=9g_sqKH2z4I) + + 2. China: [the Surveillance State](https://iv.nowhere.moe/watch?v=Np_C8647mK8) \- [See what it can lead to](https://iv.nowhere.moe/watch?v=v7AYyUqrMuQ) + + + +A very common practice for Law enforcement is also to either bribe or force legitimate businesses to give the data they possess of their users, to know if a crime has been commited or not. See the USA's recent [FISA 702](https://www.dni.gov/files/icotr/Section702-Basics-Infographic.pdf), good news is they're not lying about it anymore, the intention is clear and out in the open. The general idea is that this bill is meant for the government to be able to force anyone (individual or business) to conduct spying activities for the governments, with or without their consent, with a gag order. + +In short, the US government grants itself the right to force you or your business to do anything to further their agenda. This world's biggest democracies are all turning into dictatorships in the name of national security. + +Anyway you get the idea. Anonymity is more relevant than ever, we're headed for that surveillance dystopia China has currently established. + diff --git a/govfear/1.png b/govfear/1.png new file mode 100644 index 0000000..048d7da Binary files /dev/null and b/govfear/1.png differ diff --git a/govfear/2.png b/govfear/2.png new file mode 100644 index 0000000..6092090 Binary files /dev/null and b/govfear/2.png differ diff --git a/govfear/3.png b/govfear/3.png new file mode 100644 index 0000000..96978e0 Binary files /dev/null and b/govfear/3.png differ diff --git a/govfear/index.md b/govfear/index.md new file mode 100644 index 0000000..3b04b88 --- /dev/null +++ b/govfear/index.md @@ -0,0 +1,54 @@ +--- +author: nihilist +date: 2024-06-07 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/69" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Governments fear Decentralisation and Anonymity + +In this tutorial we're going to explain why Decentralisation and Anonymity are essential in reducing the power of the government over it's citizens. + + + +## **Governments and Decentralisation** + +As we have discussed previously, governments love centralisation. It's an easy way for them to extend their power to directly affect users of said centralised businesses. Take for example how the [US government uses banks to impose financial sanctions](https://home.treasury.gov/news/press-releases/jy0608) onto whoever they consider as a threat to them. + +They have largely succeeded in keeping their population hooked onto centralisation, for example you want to watch videos you think youtube, you want to browse the web you think google, social - facebook, twitter, and so on. It's become a natural reflex for most people, hence most people flock to these centralised platforms, and as we have explained [previously](../governments/index.md); governments use them as proxies to spy or enforce censorship onto it's citizens. + +![](../governments/3.png) + +It's convenient for them; you own a large service, which attracts millions of people to use it, and so governments would love to have access to that data you own, to be able to know what's happening. (remember [FISA 702](https://www.dni.gov/files/icotr/Section702-Basics-Infographic.pdf)) + +If the masses were to completely change their habits and embrace decentralisation, like i am trying to promote on [nowhere.moe](https://nowhere.moe) for example using peertube to replace youtube, matrix to replace discord, mastodon to replace twitter, etc, it would seriously limit the reach of the power they try to have on the population. They wouldn't be able to censor and try to control the public opinion of the people [ like they did through twitter](https://en.wikipedia.org/wiki/Twitter_Files) for example. + +![](1.png) + +The key difference here is that the INDIVIDUALS are the ones controlling the service, and they're making the overall decentralised ecosystem grow larger and larger as they keep federating together. + +![](2.png) + +So in this case, **you are taking out the first pillar that is required for law enforcement ; Surveillance** , the government would have to knock on your door, and FORCE you to give them the data of your users. + +I encourage everyone that's fed up with the arbitrary administration of centralised services to start using their decentralised alternatives, see what the [Fediverse](https://fedidb.org/) has to offer for more details. + +## **Governments and Anonymity** + +That's an easy one. as we discussed in my previous blogpost, for the law to be respected, it needs to be feared by the population, to make sure it remains feared, it needs to be enforced by authorities (law enforcement or LE for short). To do so they need to know what happened, and they need to know who did what. + +That's why they go to such extreme lengths to implement surveillance wherever they can. (see [China's surveillance state](https://iv.nowhere.moe/watch?v=v7AYyUqrMuQ), the USA's [FISA 702](https://iv.nowhere.moe/watch?v=uRS-TzjhMKg), and the [EU trying to pass anti encryption laws](https://iv.nowhere.moe/watch?v=LNVo6EfmhyQ)) + +Anonymity is a great thing to look for if you care about privacy. It's the perfect way to know if a service intends to respect your privacy or not. + +![](3.png) + +The reason being, that if you use a service anonymously, **you are taking out the other pillar that is required for the law to be enforceable, making sure that they cannot know it was you who used the service** + +### **The Anonymity Test** + +If you want to know if a service intends to respect your privacy or not, **access it, and use it anonymously**. (use the **Tor browser** to access it, and see if it accepts **monero as payments)**. Check out my tutorial on [OPSEC (Operational Security)](../opsec/index.md) to understand the full reasoning. + +You will see that you can already rule out Google, youtube, twitter, instagram, snapchat, Facebook, Baidu, Whatsapp, etc. All of those services sell the data they collect about you to each other, including to governments [(see the cambridge analytica scandal)](https://iv.nowhere.moe/watch?v=FXdYSQ6nu-M) + +Stop using services that treat you as a product to sell, regain your lost dignity and defend it. + diff --git a/graphene/1.png b/graphene/1.png new file mode 100644 index 0000000..d18df2a Binary files /dev/null and b/graphene/1.png differ diff --git a/graphene/10.png b/graphene/10.png new file mode 100644 index 0000000..66c00ac Binary files /dev/null and b/graphene/10.png differ diff --git a/graphene/11.png b/graphene/11.png new file mode 100644 index 0000000..8beecff Binary files /dev/null and b/graphene/11.png differ diff --git a/graphene/12.png b/graphene/12.png new file mode 100644 index 0000000..8f75e61 Binary files /dev/null and b/graphene/12.png differ diff --git a/graphene/13.png b/graphene/13.png new file mode 100644 index 0000000..7b30fe3 Binary files /dev/null and b/graphene/13.png differ diff --git a/graphene/14.png b/graphene/14.png new file mode 100644 index 0000000..a8f05de Binary files /dev/null and b/graphene/14.png differ diff --git a/graphene/15.png b/graphene/15.png new file mode 100644 index 0000000..c8daadc Binary files /dev/null and b/graphene/15.png differ diff --git a/graphene/16.png b/graphene/16.png new file mode 100644 index 0000000..1931678 Binary files /dev/null and b/graphene/16.png differ diff --git a/graphene/17.png b/graphene/17.png new file mode 100644 index 0000000..e3c2026 Binary files /dev/null and b/graphene/17.png differ diff --git a/graphene/18.png b/graphene/18.png new file mode 100644 index 0000000..fa3b1d9 Binary files /dev/null and b/graphene/18.png differ diff --git a/graphene/19.png b/graphene/19.png new file mode 100644 index 0000000..1c31aea Binary files /dev/null and b/graphene/19.png differ diff --git a/graphene/2.png b/graphene/2.png new file mode 100644 index 0000000..c495a43 Binary files /dev/null and b/graphene/2.png differ diff --git a/graphene/20.png b/graphene/20.png new file mode 100644 index 0000000..54b1701 Binary files /dev/null and b/graphene/20.png differ diff --git a/graphene/21.png b/graphene/21.png new file mode 100644 index 0000000..104e66a Binary files /dev/null and b/graphene/21.png differ diff --git a/graphene/22.png b/graphene/22.png new file mode 100644 index 0000000..9e3a802 Binary files /dev/null and b/graphene/22.png differ diff --git a/graphene/23.png b/graphene/23.png new file mode 100644 index 0000000..5ba6385 Binary files /dev/null and b/graphene/23.png differ diff --git a/graphene/24.png b/graphene/24.png new file mode 100644 index 0000000..47ee884 Binary files /dev/null and b/graphene/24.png differ diff --git a/graphene/25.png b/graphene/25.png new file mode 100644 index 0000000..5f65016 Binary files /dev/null and b/graphene/25.png differ diff --git a/graphene/26.png b/graphene/26.png new file mode 100644 index 0000000..a4f4e56 Binary files /dev/null and b/graphene/26.png differ diff --git a/graphene/27.png b/graphene/27.png new file mode 100644 index 0000000..18f9a6d Binary files /dev/null and b/graphene/27.png differ diff --git a/graphene/28.png b/graphene/28.png new file mode 100644 index 0000000..4c95f32 Binary files /dev/null and b/graphene/28.png differ diff --git a/graphene/29.png b/graphene/29.png new file mode 100644 index 0000000..bcef42d Binary files /dev/null and b/graphene/29.png differ diff --git a/graphene/3.png b/graphene/3.png new file mode 100644 index 0000000..96e9f07 Binary files /dev/null and b/graphene/3.png differ diff --git a/graphene/30.png b/graphene/30.png new file mode 100644 index 0000000..2145df6 Binary files /dev/null and b/graphene/30.png differ diff --git a/graphene/31.png b/graphene/31.png new file mode 100644 index 0000000..4c3079f Binary files /dev/null and b/graphene/31.png differ diff --git a/graphene/32.png b/graphene/32.png new file mode 100644 index 0000000..72119e6 Binary files /dev/null and b/graphene/32.png differ diff --git a/graphene/33.png b/graphene/33.png new file mode 100644 index 0000000..dd2c12c Binary files /dev/null and b/graphene/33.png differ diff --git a/graphene/34.png b/graphene/34.png new file mode 100644 index 0000000..64e91d6 Binary files /dev/null and b/graphene/34.png differ diff --git a/graphene/4.png b/graphene/4.png new file mode 100644 index 0000000..d76c221 Binary files /dev/null and b/graphene/4.png differ diff --git a/graphene/41.png b/graphene/41.png new file mode 100644 index 0000000..928b74d Binary files /dev/null and b/graphene/41.png differ diff --git a/graphene/42.png b/graphene/42.png new file mode 100644 index 0000000..efaecd5 Binary files /dev/null and b/graphene/42.png differ diff --git a/graphene/5.png b/graphene/5.png new file mode 100644 index 0000000..da8bbaa Binary files /dev/null and b/graphene/5.png differ diff --git a/graphene/6.png b/graphene/6.png new file mode 100644 index 0000000..1af81cc Binary files /dev/null and b/graphene/6.png differ diff --git a/graphene/7.png b/graphene/7.png new file mode 100644 index 0000000..d95d375 Binary files /dev/null and b/graphene/7.png differ diff --git a/graphene/8.png b/graphene/8.png new file mode 100644 index 0000000..4e46fc2 Binary files /dev/null and b/graphene/8.png differ diff --git a/graphene/9.png b/graphene/9.png new file mode 100644 index 0000000..ea141e6 Binary files /dev/null and b/graphene/9.png differ diff --git a/graphene/index.md b/graphene/index.md new file mode 100644 index 0000000..86e9cc0 --- /dev/null +++ b/graphene/index.md @@ -0,0 +1,214 @@ +--- +author: nihilist +date: 2024-07-10 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/78" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to have Privacy on your Phone (GrapheneOS) + +![](1.png) + +In this tutorial we're going to setup graphene OS, an open source android operating system for google pixel phones. (Yes google phones, if you don't like it then you'll have to wait for functional [open hardware](../openhardware/index.md) alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems given that it's fully [open source](https://grapheneos.org/source). and that they refuse to implement google services by default, unlike their competitors like LineageOS. + +_DISCLAIMER:_ yes the quality of the photos taken are garbage :) + +## _OPSEC Recommendations:_ + + 1. Hardware : (Phone (google Pixel model)) + + + + +I recommend using this setup for [Private use](../privacy/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). + + + +## **Requirements** + +First step is go acquire a Google pixel phone, and a model [that supports grapheneOS](https://grapheneos.org/faq#supported-devices). In my case, i purchased a Pixel 6 model. Then on the host OS on your computer, install the required packages: + + + + [ nowhere ] [ /dev/pts/11 ] [~] + → sudo pacman -Syy android-tools + [sudo] password for nihilist: + resolving dependencies... + looking for conflicting packages... + + Packages (4) android-udev-20240221-1 libmtp-1.1.21-1 protobuf-25.3-4 + android-tools-35.0.1-1 + + Total Download Size: 4.84 MiB + Total Installed Size: 22.07 MiB + + :: Proceed with installation? [Y/n] y + + + +Here on the phone, we need to enable developer settings, to be able to enable the "OEM Unlocking" option: + +![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) + +Then reboot the phone by holding the power and volume down to enter fastboot mode: + +![](8.png) + +Then, connect the device via usb to your computer: + + + [ nowhere ] [ /dev/pts/11 ] [~] + → lsusb | grep Google + Bus 001 Device 098: ID 18d1:4ee0 Google Inc. Nexus/Pixel Device (fastboot) + + [ nowhere ] [ /dev/pts/11 ] [~] + → fastboot --version + fastboot version 35.0.1-android-tools + Installed as /usr/bin/fastboot + + [ nowhere ] [ /dev/pts/11 ] [~] + → fastboot devices + no permissions; see [http://developer.android.com/tools/device.html] fastboot + + [ nowhere ] [ /dev/pts/11 ] [~] + → sudo -i + nowhere# fastboot devices + 1C21FGJH6993LC fastboot + + nowhere# fastboot flashing unlock + OKAY [ 0.043s] + Finished. Total time: 0.043s + + + +![](9.png) ![](10.png) ![](11.png) + +Next, as i have a google pixel 6 model, i need to download the correct graphene os image + +![](2.png) + + + nowhere# mv /home/nihilist/Downloads/oriole-factory-2024070201.zip . + nowhere# unzip oriole-factory-2024070201.zip + Archive: oriole-factory-2024070201.zip + creating: oriole-factory-2024070201/ + extracting: oriole-factory-2024070201/image-oriole-2024070201.zip + inflating: oriole-factory-2024070201/bootloader-oriole-slider-14.5-11677881.img + inflating: oriole-factory-2024070201/radio-oriole-g5123b-135085-240517-b-11857288.img + extracting: oriole-factory-2024070201/avb_pkmd.bin + inflating: oriole-factory-2024070201/flash-all.sh + inflating: oriole-factory-2024070201/flash-all.bat + + nowhere# cd oriole-factory-2024070201 + + nowhere# ls + avb_pkmd.bin flash-all.sh + bootloader-oriole-slider-14.5-11677881.img image-oriole-2024070201.zip + flash-all.bat radio-oriole-g5123b-135085-240517-b-11857288.img + + nowhere# chmod +x ./flash-all.sh + nowhere# ./flash-all.sh + + + +Then let the bashscript run, it can take a few minutes: + + + nowhere# ./flash-all.sh + Warning: skip copying bootloader_a image avb footer (bootloader_a partition size: 0, bootloader_a image size: 14125140). + Sending 'bootloader_a' (13794 KB) OKAY [ 0.364s] + Writing 'bootloader_a' (bootloader) Flashing pack version slider-14.5-11677881 + (bootloader) flashing platform gs101 + (bootloader) Validating partition ufs + (bootloader) Validating partition partition:0 + (bootloader) Validating partition partition:1 + (bootloader) Validating partition partition:2 + (bootloader) Validating partition partition:3 + (bootloader) Validating partition bl1_a + (bootloader) Validating partition pbl_a + (bootloader) Validating partition bl2_a + (bootloader) Validating partition abl_a + (bootloader) Validating partition bl31_a + (bootloader) Validating partition tzsw_a + (bootloader) Validating partition gsa_a + (bootloader) Validating partition ldfw_a + (bootloader) Flashing partition ufs + (bootloader) Flashing partition partition:0 + (bootloader) Flashing partition partition:1 + (bootloader) Flashing partition partition:2 + (bootloader) Flashing partition partition:3 + (bootloader) Flashing partition bl1_a + (bootloader) Flashing partition pbl_a + (bootloader) Flashing partition bl2_a + (bootloader) Flashing partition abl_a + (bootloader) Flashing partition bl31_a + (bootloader) Flashing partition tzsw_a + (bootloader) Flashing partition gsa_a + (bootloader) Flashing partition ldfw_a + (bootloader) Loading sideload ufsfwupdate + OKAY [ 3.089s] + Finished. Total time: 3.454s + Setting current slot to 'a' OKAY [ 0.058s] + Finished. Total time: 0.059s + Rebooting into bootloader OKAY [ 0.000s] + + [...] + + Sending sparse 'super' 11/13 (254972 KB) OKAY [ 6.618s] + Writing 'super' OKAY [ 0.950s] + Sending sparse 'super' 12/13 (254972 KB) OKAY [ 6.621s] + Writing 'super' OKAY [ 0.935s] + Sending sparse 'super' 13/13 (46284 KB) OKAY [ 1.216s] + Writing 'super' OKAY [ 0.204s] + Erasing 'userdata' OKAY [ 0.390s] + Erase successful, but not automatically formatting. + File system type raw not supported. + wipe task partition not found: cache + Erasing 'metadata' OKAY [ 0.007s] + Erase successful, but not automatically formatting. + File system type raw not supported. + Finished. Total time: 105.929s + Rebooting into bootloader OKAY [ 0.000s] + Finished. Total time: 0.150s + nowhere# + + + + +![](12.png) ![](13.png) ![](14.png) + +then lock the bootloader: + + + nowhere# fastboot devices + 1C21FGJH6993LC fastboot + + nowhere# fastboot flashing lock + OKAY [ 0.276s] + Finished. Total time: 0.276s + + + +![](15.png) ![](16.png) ![](17.png) ![](18.png) ![](19.png) ![](20.png) ![](21.png) + +And that's it! we managed to flash grapheneOS on the pixel phone. + +## **Setting up multiple Profiles (for Public, and for Private use)** + +As we have seen [previously](../internetsegmentation/index.md), it's always a good opsec practice to separate public use from private use. This can also apply on your phone, In this case we'll create a profile specifically for public usage, while we keep the main one for private usage. + +![](22.png) ![](23.png) ![](24.png) + +Now in there, we can keep the closed-source applications in the public usage profile, while we keep the FOSS applications in the default private usage profile. + +## **Setting up package managers** + +Now that's done, we use the private usage profile to install f-droid, in order to install FOSS applications + +![](25.png) ![](32.png) ![](33.png) ![](34.png) + +And here we can go into our public usage profile to setup the Aurora store to install closed-source applications like so: + +![](41.png) ![](42.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png) ![](31.png) + +And from there, we can install all non-FOSS applications in the public usage profile. + diff --git a/haveno-arbitrator/0.png b/haveno-arbitrator/0.png new file mode 100644 index 0000000..3d96357 Binary files /dev/null and b/haveno-arbitrator/0.png differ diff --git a/haveno-arbitrator/1.png b/haveno-arbitrator/1.png new file mode 100644 index 0000000..b783b8a Binary files /dev/null and b/haveno-arbitrator/1.png differ diff --git a/haveno-arbitrator/10.png b/haveno-arbitrator/10.png new file mode 100644 index 0000000..2f3e7c0 Binary files /dev/null and b/haveno-arbitrator/10.png differ diff --git a/haveno-arbitrator/11.png b/haveno-arbitrator/11.png new file mode 100644 index 0000000..8a17f78 Binary files /dev/null and b/haveno-arbitrator/11.png differ diff --git a/haveno-arbitrator/12.png b/haveno-arbitrator/12.png new file mode 100644 index 0000000..1738aee Binary files /dev/null and b/haveno-arbitrator/12.png differ diff --git a/haveno-arbitrator/13.png b/haveno-arbitrator/13.png new file mode 100644 index 0000000..cc5314a Binary files /dev/null and b/haveno-arbitrator/13.png differ diff --git a/haveno-arbitrator/14.png b/haveno-arbitrator/14.png new file mode 100644 index 0000000..ff6a94d Binary files /dev/null and b/haveno-arbitrator/14.png differ diff --git a/haveno-arbitrator/15.png b/haveno-arbitrator/15.png new file mode 100644 index 0000000..d7e44e5 Binary files /dev/null and b/haveno-arbitrator/15.png differ diff --git a/haveno-arbitrator/16.png b/haveno-arbitrator/16.png new file mode 100644 index 0000000..0e7d327 Binary files /dev/null and b/haveno-arbitrator/16.png differ diff --git a/haveno-arbitrator/17.png b/haveno-arbitrator/17.png new file mode 100644 index 0000000..b1a0a3c Binary files /dev/null and b/haveno-arbitrator/17.png differ diff --git a/haveno-arbitrator/18.png b/haveno-arbitrator/18.png new file mode 100644 index 0000000..951496e Binary files /dev/null and b/haveno-arbitrator/18.png differ diff --git a/haveno-arbitrator/19.png b/haveno-arbitrator/19.png new file mode 100644 index 0000000..d8bd294 Binary files /dev/null and b/haveno-arbitrator/19.png differ diff --git a/haveno-arbitrator/2.png b/haveno-arbitrator/2.png new file mode 100644 index 0000000..715d1ff Binary files /dev/null and b/haveno-arbitrator/2.png differ diff --git a/haveno-arbitrator/20.png b/haveno-arbitrator/20.png new file mode 100644 index 0000000..2ee82a8 Binary files /dev/null and b/haveno-arbitrator/20.png differ diff --git a/haveno-arbitrator/21.png b/haveno-arbitrator/21.png new file mode 100644 index 0000000..3c8f24f Binary files /dev/null and b/haveno-arbitrator/21.png differ diff --git a/haveno-arbitrator/22.png b/haveno-arbitrator/22.png new file mode 100644 index 0000000..c354001 Binary files /dev/null and b/haveno-arbitrator/22.png differ diff --git a/haveno-arbitrator/23.png b/haveno-arbitrator/23.png new file mode 100644 index 0000000..f20bfd5 Binary files /dev/null and b/haveno-arbitrator/23.png differ diff --git a/haveno-arbitrator/24.png b/haveno-arbitrator/24.png new file mode 100644 index 0000000..760fc8d Binary files /dev/null and b/haveno-arbitrator/24.png differ diff --git a/haveno-arbitrator/25.png b/haveno-arbitrator/25.png new file mode 100644 index 0000000..eeb0191 Binary files /dev/null and b/haveno-arbitrator/25.png differ diff --git a/haveno-arbitrator/26.png b/haveno-arbitrator/26.png new file mode 100644 index 0000000..74215bb Binary files /dev/null and b/haveno-arbitrator/26.png differ diff --git a/haveno-arbitrator/27.png b/haveno-arbitrator/27.png new file mode 100644 index 0000000..69e7e7c Binary files /dev/null and b/haveno-arbitrator/27.png differ diff --git a/haveno-arbitrator/28.png b/haveno-arbitrator/28.png new file mode 100644 index 0000000..c7f3959 Binary files /dev/null and b/haveno-arbitrator/28.png differ diff --git a/haveno-arbitrator/29.png b/haveno-arbitrator/29.png new file mode 100644 index 0000000..15c62c4 Binary files /dev/null and b/haveno-arbitrator/29.png differ diff --git a/haveno-arbitrator/3.png b/haveno-arbitrator/3.png new file mode 100644 index 0000000..d2b5f4f Binary files /dev/null and b/haveno-arbitrator/3.png differ diff --git a/haveno-arbitrator/30.png b/haveno-arbitrator/30.png new file mode 100644 index 0000000..8ed1df3 Binary files /dev/null and b/haveno-arbitrator/30.png differ diff --git a/haveno-arbitrator/31.png b/haveno-arbitrator/31.png new file mode 100644 index 0000000..b8a6766 Binary files /dev/null and b/haveno-arbitrator/31.png differ diff --git a/haveno-arbitrator/32.png b/haveno-arbitrator/32.png new file mode 100644 index 0000000..f1fffba Binary files /dev/null and b/haveno-arbitrator/32.png differ diff --git a/haveno-arbitrator/33.png b/haveno-arbitrator/33.png new file mode 100644 index 0000000..0ad4ff2 Binary files /dev/null and b/haveno-arbitrator/33.png differ diff --git a/haveno-arbitrator/34.png b/haveno-arbitrator/34.png new file mode 100644 index 0000000..99d4bea Binary files /dev/null and b/haveno-arbitrator/34.png differ diff --git a/haveno-arbitrator/35.png b/haveno-arbitrator/35.png new file mode 100644 index 0000000..0b5db0a Binary files /dev/null and b/haveno-arbitrator/35.png differ diff --git a/haveno-arbitrator/36.png b/haveno-arbitrator/36.png new file mode 100644 index 0000000..18a7516 Binary files /dev/null and b/haveno-arbitrator/36.png differ diff --git a/haveno-arbitrator/37.png b/haveno-arbitrator/37.png new file mode 100644 index 0000000..87ba95c Binary files /dev/null and b/haveno-arbitrator/37.png differ diff --git a/haveno-arbitrator/38.png b/haveno-arbitrator/38.png new file mode 100644 index 0000000..02d119d Binary files /dev/null and b/haveno-arbitrator/38.png differ diff --git a/haveno-arbitrator/4.png b/haveno-arbitrator/4.png new file mode 100644 index 0000000..a9affcd Binary files /dev/null and b/haveno-arbitrator/4.png differ diff --git a/haveno-arbitrator/40.png b/haveno-arbitrator/40.png new file mode 100644 index 0000000..60f0970 Binary files /dev/null and b/haveno-arbitrator/40.png differ diff --git a/haveno-arbitrator/41.png b/haveno-arbitrator/41.png new file mode 100644 index 0000000..35c054c Binary files /dev/null and b/haveno-arbitrator/41.png differ diff --git a/haveno-arbitrator/5.png b/haveno-arbitrator/5.png new file mode 100644 index 0000000..774d0c1 Binary files /dev/null and b/haveno-arbitrator/5.png differ diff --git a/haveno-arbitrator/6.png b/haveno-arbitrator/6.png new file mode 100644 index 0000000..28bc121 Binary files /dev/null and b/haveno-arbitrator/6.png differ diff --git a/haveno-arbitrator/7.png b/haveno-arbitrator/7.png new file mode 100644 index 0000000..1491d96 Binary files /dev/null and b/haveno-arbitrator/7.png differ diff --git a/haveno-arbitrator/8.png b/haveno-arbitrator/8.png new file mode 100644 index 0000000..32ac7c7 Binary files /dev/null and b/haveno-arbitrator/8.png differ diff --git a/haveno-arbitrator/9.png b/haveno-arbitrator/9.png new file mode 100644 index 0000000..0977926 Binary files /dev/null and b/haveno-arbitrator/9.png differ diff --git a/haveno-arbitrator/alice.png b/haveno-arbitrator/alice.png new file mode 100644 index 0000000..8c82eb6 Binary files /dev/null and b/haveno-arbitrator/alice.png differ diff --git a/haveno-arbitrator/bob.png b/haveno-arbitrator/bob.png new file mode 100644 index 0000000..e746e11 Binary files /dev/null and b/haveno-arbitrator/bob.png differ diff --git a/haveno-arbitrator/index.md b/haveno-arbitrator/index.md new file mode 100644 index 0000000..6744d5c --- /dev/null +++ b/haveno-arbitrator/index.md @@ -0,0 +1,170 @@ +--- +author: nihilist +date: 2024-05-19 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/97" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Haveno Decentralised Exchange Dispute resolution (Fiat -> XMR) + +![](0.png) + +In this tutorial we're going to cover how the Haveno DEX handles trade disputes, which can happen as, after all it's decentralised, and anonymous by default. + +Check out [this tutorial](../haveno-client-f2f/index.md) if you want to know how to install Haveno DEX on your device. + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + 5. Application: [Haveno DEX Setup](../hypervisorsetup/index.md) + + + + +I recommend using this setup into one of the above mentionned VMs, either for [Private use](../privacy/index.md), or [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). (Note that Deanonymization will happen during the Fiat transaction, but it is minimized as you're revealing your identity to an other peer, rather than to a centralised exchange) + + + +## **What protects the Buyer or the Seller ?** + +Back on localmonero, what was at stake was the reputation of the Buyer or the Seller, because if any of their trades go wrong, their reputation would not be a clean 100% successful trades anymore. Problem is, on the Haveno DEX, where there is no centralisation to keep everyone's reputation in check, it could be very easy to give yourself a ton of positive reputation points, by spinning up 2 haveno dex instances, to simulate trades with yourself. + +So there was this need to have something else at stake to prevent people from scamming each other. That is **the Security deposit system** that we described in the [previous tutorial](../haveno-client-f2f/index.md). + +![](1.png) + +In short, **both Bob and Alice need to put some XMR into the trade initially, so that if they try to scam each other, they will loose something in the process.** + +In this example, The trade will go wrong as **Bob will try to scam Alice with an invalid Amazon giftcard code**. + +## **What happens when there's a scammer?** + +![](alice.png) + +Here, in this case we're Alice, and we want to sell our XMR for an amazon giftcard (which is typically just a code you need to redeem). So here Alice creates her amazon egift card haveno account to be able to trade just that, she needs to mention her email and the country (because a german amazon giftcard code doesnt work on the french amazon website!) + +![](2.png) ![](3.png) ![](4.png) + +Read carefully what exchanging an Amazon egift card to XMR implies then click "I understand" + +![](5.png) + +Then create a selling offer like so: + +![](6.png) + +Mention the amount of XMR you want to sell, and the % above the market price you want to sell it for, currently 0.2018 XMR at market price will give you 25 euros. **Then you need to fund your offer with the additional 0.101009 XMR security deposit. Meaning you need to put in 0.302809 XMR total** + +![](7.png) + +Once funded, wait for the funds to appear as available balance on your haveno client (can take 20 minutes) + +![](8.png) ![](9.png) + +Then click Place offer to sell monero: + +![](10.png) + +and then click confirm offer to sell monero. + +![](11.png) ![](12.png) + +Here you can see that your offer is enabled from the portfolio tab, and people can see it appear on the Buy tab: + +![](13.png) ![](bob.png) + +Now let's switch sides. We're now Bob the scammer, we want to scam Alice. We see her offer on the buy tab, and we take the offer: + +![](14.png) + +Then, just like Alice did, we also fund the offer with the monero security deposit: + +![](15.png) ![](16.png) + +Wait for it to show up as available in your haveno balance: + +![](17.png) ![](18.png) + +Then click confirm to take the offer to buy Monero: + +![](19.png) ![](alice.png) + +Back to Alice's perspective, the trade will initiate and can be viewed when going to the portfolio tab: + +![](20.png) + +When opening the trade window, Alice sees that **Bob not only does not respect the trade protocol of sending the gift card by mail by just sending the code over chat, but the code is also invalid!** + +![](21.png) ![](22.png) ![](23.png) + +Alice sees that she cannot redeem the code as it is invalid. **In short, she didn't get paid!** + +![](bob.png) + +Back to Bob's perspesctive as we are one kind of an asshole, we don't care that Alice didn't get paid and declare that we sent payment anyway. + +![](24.png) ![](25.png) ![](26.png) ![](alice.png) + +Back to Alice's perspective, Now the ball is in her park, what does she do ? + +![](27.png) ![](28.png) + +Since she never received payment,**she does not confirm that she received it, and waits until the trade expires** + +![](29.png) ![](30.png) + +In this case, the trade should not take more than 24 hours, so she waits until the next day, and when it expires, she'll be able to open up a dispute. + +## **Arbitrator Resolution** + +Now that the trade time expired (24hrs), Alice can now open up a dispute, for the Arbitrator to step in: + +![](31.png) + +Here, Alice clicks on "open support ticket", and she goes to the support tab to view her support ticket: + +![](32.png) ![](33.png) ![](34.png) + +Then the Arbitrator reviews the exchange from Alice's point of view: + +![](36.png) + +Here the arbitrator sees that the trade protocol has not been respected, both parties need to make sure they follow the trade protocol for said payment option correctly for the trade to be considered as valid from the arbitrator's point of view. + +![](bob.png) + +Then the Arbitrator sees the exchange from Bob's point of view too: + +![](38.png) + +Obviously, Bob explains that he got his very legit amazon giftcard code from his hat, and he naively thinks that the arbitrator will rule in his favor. + +![](alice.png) + +And finally, back to Alice's POV: the Arbitrator decides that it is Alice who's in the Right, and therefore Bob does not get his Monero security deposit back, hence he's loosing 0.101009 XMR in the process. + +![](37.png) + +So here, Bob just lost some XMR, and Alice is getting her 0.2018 XMR back, she gets her security deposit back (0.101009 XMR) but also she gets Bob's security deposit (0.101009 XMR), **so in total she gets 0.40011456 XMR back (0.101009 XMR more than when she started using Haveno)**. In the end, it is Bob that ended up giving her some monero against his will. + +![](41.png) + +Now keep in mind that not all payment options are safe, some can come with easy chargebacks (ex: paypal), and some are just next to impossible for an arbitrator to decide who's in the right or wrong (face-to-face trades for instance). Be very careful to know the risks associated with each payment option, along with what precautions need to be taken. + +Check out my other tutorials on Decentralised Finances below: + + 1. [✅ How to setup your Monero wallet ](../monero2024/index.md) + 2. [✅ Why can't I trust Centralised Exchanges, and random Monero nodes ?](../chainalysisattempts/index.md) + 3. [✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐](../haveno-client-f2f/index.md) + 4. [**✅ Haveno DEX Dispute resolution (Fiat -> XMR)**](../haveno-arbitrator/index.md) + 5. [✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction ](../haveno-sepa/index.md) + 6. [✅ Haveno DEX Cash By Mail -> XMR transaction ⭐](../haveno-cashbymail/index.md) + + + diff --git a/haveno-cashbymail/0.1.png b/haveno-cashbymail/0.1.png new file mode 100644 index 0000000..dd675a6 Binary files /dev/null and b/haveno-cashbymail/0.1.png differ diff --git a/haveno-cashbymail/0.png b/haveno-cashbymail/0.png new file mode 100644 index 0000000..3d96357 Binary files /dev/null and b/haveno-cashbymail/0.png differ diff --git a/haveno-cashbymail/1.png b/haveno-cashbymail/1.png new file mode 100644 index 0000000..cbbc653 Binary files /dev/null and b/haveno-cashbymail/1.png differ diff --git a/haveno-cashbymail/10.png b/haveno-cashbymail/10.png new file mode 100644 index 0000000..0091903 Binary files /dev/null and b/haveno-cashbymail/10.png differ diff --git a/haveno-cashbymail/11.png b/haveno-cashbymail/11.png new file mode 100644 index 0000000..6e1987f Binary files /dev/null and b/haveno-cashbymail/11.png differ diff --git a/haveno-cashbymail/12.png b/haveno-cashbymail/12.png new file mode 100644 index 0000000..8cb96ea Binary files /dev/null and b/haveno-cashbymail/12.png differ diff --git a/haveno-cashbymail/13.png b/haveno-cashbymail/13.png new file mode 100644 index 0000000..b64ee46 Binary files /dev/null and b/haveno-cashbymail/13.png differ diff --git a/haveno-cashbymail/14.png b/haveno-cashbymail/14.png new file mode 100644 index 0000000..aed093f Binary files /dev/null and b/haveno-cashbymail/14.png differ diff --git a/haveno-cashbymail/15.png b/haveno-cashbymail/15.png new file mode 100644 index 0000000..cffbfde Binary files /dev/null and b/haveno-cashbymail/15.png differ diff --git a/haveno-cashbymail/16.png b/haveno-cashbymail/16.png new file mode 100644 index 0000000..d6bd430 Binary files /dev/null and b/haveno-cashbymail/16.png differ diff --git a/haveno-cashbymail/17.png b/haveno-cashbymail/17.png new file mode 100644 index 0000000..486e01e Binary files /dev/null and b/haveno-cashbymail/17.png differ diff --git a/haveno-cashbymail/18.png b/haveno-cashbymail/18.png new file mode 100644 index 0000000..e92c62c Binary files /dev/null and b/haveno-cashbymail/18.png differ diff --git a/haveno-cashbymail/19.png b/haveno-cashbymail/19.png new file mode 100644 index 0000000..989319a Binary files /dev/null and b/haveno-cashbymail/19.png differ diff --git a/haveno-cashbymail/2.png b/haveno-cashbymail/2.png new file mode 100644 index 0000000..5d1f32d Binary files /dev/null and b/haveno-cashbymail/2.png differ diff --git a/haveno-cashbymail/20.png b/haveno-cashbymail/20.png new file mode 100644 index 0000000..e8b0654 Binary files /dev/null and b/haveno-cashbymail/20.png differ diff --git a/haveno-cashbymail/21.png b/haveno-cashbymail/21.png new file mode 100644 index 0000000..3a7455c Binary files /dev/null and b/haveno-cashbymail/21.png differ diff --git a/haveno-cashbymail/22.png b/haveno-cashbymail/22.png new file mode 100644 index 0000000..4fd17a4 Binary files /dev/null and b/haveno-cashbymail/22.png differ diff --git a/haveno-cashbymail/23.png b/haveno-cashbymail/23.png new file mode 100644 index 0000000..440e02b Binary files /dev/null and b/haveno-cashbymail/23.png differ diff --git a/haveno-cashbymail/24.png b/haveno-cashbymail/24.png new file mode 100644 index 0000000..d224f0a Binary files /dev/null and b/haveno-cashbymail/24.png differ diff --git a/haveno-cashbymail/25.png b/haveno-cashbymail/25.png new file mode 100644 index 0000000..e1c7ff7 Binary files /dev/null and b/haveno-cashbymail/25.png differ diff --git a/haveno-cashbymail/26.png b/haveno-cashbymail/26.png new file mode 100644 index 0000000..0d5331e Binary files /dev/null and b/haveno-cashbymail/26.png differ diff --git a/haveno-cashbymail/3.png b/haveno-cashbymail/3.png new file mode 100644 index 0000000..65a6c1e Binary files /dev/null and b/haveno-cashbymail/3.png differ diff --git a/haveno-cashbymail/4.png b/haveno-cashbymail/4.png new file mode 100644 index 0000000..d1319a2 Binary files /dev/null and b/haveno-cashbymail/4.png differ diff --git a/haveno-cashbymail/5.png b/haveno-cashbymail/5.png new file mode 100644 index 0000000..46f854c Binary files /dev/null and b/haveno-cashbymail/5.png differ diff --git a/haveno-cashbymail/6.png b/haveno-cashbymail/6.png new file mode 100644 index 0000000..5883aa6 Binary files /dev/null and b/haveno-cashbymail/6.png differ diff --git a/haveno-cashbymail/7.png b/haveno-cashbymail/7.png new file mode 100644 index 0000000..6a95efd Binary files /dev/null and b/haveno-cashbymail/7.png differ diff --git a/haveno-cashbymail/8.png b/haveno-cashbymail/8.png new file mode 100644 index 0000000..3d40915 Binary files /dev/null and b/haveno-cashbymail/8.png differ diff --git a/haveno-cashbymail/9.png b/haveno-cashbymail/9.png new file mode 100644 index 0000000..239aeaa Binary files /dev/null and b/haveno-cashbymail/9.png differ diff --git a/haveno-cashbymail/alice.png b/haveno-cashbymail/alice.png new file mode 100644 index 0000000..8c82eb6 Binary files /dev/null and b/haveno-cashbymail/alice.png differ diff --git a/haveno-cashbymail/bob.png b/haveno-cashbymail/bob.png new file mode 100644 index 0000000..e746e11 Binary files /dev/null and b/haveno-cashbymail/bob.png differ diff --git a/haveno-cashbymail/index.md b/haveno-cashbymail/index.md new file mode 100644 index 0000000..f67236a --- /dev/null +++ b/haveno-cashbymail/index.md @@ -0,0 +1,189 @@ +--- +author: nihilist +date: 2024-05-19 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/99" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Haveno DEX Cash by Mail -> XMR transaction + +![](0.png) + +In this tutorial we're going to cover how to buy Monero, for cash by mail on the Haveno Decentralised Exchange. This was the most popular payment method back on LocalMonero, due to being an improvement over [bank transfers (like SEPA in the EU)](../haveno-sepa/index.md) when it comes to trading larger volumes in the long run, as **Cash cannot easily be traced by adversaries unlike bank transfers** , making Cash by Mail one of the most private ways to exchange real world money for Monero. + +![](0.1.png) + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + 5. Application: [Haveno DEX Setup](../hypervisorsetup/index.md) + + + + +I recommend using this setup into one of the above mentionned VMs, either for [Private use](../privacy/index.md), or [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). (Note that Deanonymization will happen during the Fiat transaction, but it is minimized as you're revealing your identity to an other peer, rather than to a centralised exchange) + + + +## **Initiating the trade** + +![](bob.png) + +Here, we're Bob, we create our account on Haveno for Pay by Mail transactions, mentioning our real name, postal address, city and country. + +![](1.png) + +Then we hit "save new account": + +![](2.png) ![](3.png) + +Make sure you understand the risks that cash by mail transactions have, then click "I understand": + +![](4.png) + +Then, we can create a buying offer by going into the Buy section: + +![](5.png) + +Here we want to purchase 20 euros worth of Monero, at the current market price, for 0.1533 XMR: + +![](6.png) + +THen we fund the offer, and when the funds show up in our Haveno client, we hit "Review: Place offer to buy Monero" + +![](7.png) ![](8.png) + +Once the offer is confirmed, we can view it on the Portfolie page: + +![](9.png) ![](10.png) + +Here we wait approx 20 minutes for the monero transaction to be validated by the network, then the offer will appear as enabled: + +![](11.png) + +And from there, other peers will be able to see Bob's offer into the "Sell Monero" section. + +![](alice.png) + +Now let's switch over to Alice's side, we also create an account to be able to do Cash by mail transactions: + +![](12.png) + +Then we go into the "Sell monero" section and we take Bob's offer: + +![](13.png) + +Once the offer is taken we fund the offer: + +![](14.png) + +There we send the monero to the address as shown for both the security deposit and the actual monero we want to sell: + +![](15.png) ![](16.png) ![](17.png) ![](18.png) + +Now that the trade has been initiated, let's review the correct trade protocol for Cash By Mail transactions: + +## **Cash By Mail: the trade protocol** + +To remain safe with cash by mail transactions, there are a number of steps that Bob need to be take in order to ensure that there is no possibility of being scammed as explained by the following LocalMonero article: + + + Staying Safe With Cash by Mail (originally from LocalMonero) + + If you're buying... + + If you stick to high reputation sellers it's very unlikely that you'll encounter any issues while buying with cash by mail, however the following tips will help you prove your payment in a dispute should it arise. The most important thing to do is to make a video recording of your payment. Here are the guidelines: + Your video should be filmed within a single take, without cuts + + You can put the cash in the envelope at home or in the car, and you can put your phone with the video turned on in your front shirt pocket and it'll record the whole process without much extra work from you apart from making sure that you do everything in front of where the camera's pointing. If you have something like a GoPro or the latest iPhone which has a camera with a wider viewing angle it's going to be even easier. Keep the footage in case of a dispute for 180 days. + + Put custom markings inside the envelope + Use some sort of a custom chop/stamp/seal, or a signature or just random movements with a sharpie inside the envelope, covering all surfaces. This will help establish wheter the seller is actually opening the envelope you've sent or a fake one. Make sure the mark is visible on the video. + + Try to disguise the cash + To mitigate a (potential, but very rare) case of postal theft en route, try to conceal the fact that the package contains cash. You may put the cash in a magazine, mylar bag or some other container. Vacuum sealing the cash also works. + + Place envelopes inside of envelopes + Instead of simply placing the cash into the envelope, use multiple nested envelopes for your package. Place the cash into the smallest envelope (or simply fold a bigger envelope as necessary), seal it, and place it into another envelope. Repeat this process until you have at least 3 nested envelopes. This helps ensure that if the receiving party tries to tamper with your package they will have a much harder time resealing it all in a way that would be undetectable when inspected by the dispute mediator. + + Send with tracking + Packages sent without tracking may get lost with and without tracking it could be all but impossible to locate it. Having tracking also allows the receiving end to have peace of mind that the package is en route in case it's taking longer than expected. + + Conclusion + As we've mentioned before, with established traders the risk for a buyer is very low. Very low doesn't mean zero though, so make sure to follow these rules to be prepared for a dispute situation. + + + +And there are also a few steps that the monero seller (Alice) has to follow in order to make sure the trade is conducted in a secure manner: + + + If you're selling... + + Make a video of receiving and opening the package + Record yourself receiving the package from the postal worker, the postal worker weighing it, record the label, all the outer sides of the package; open the package while filming with the camera pointed into it, run the cash through a counter and counterfeit scanner. Make sure everything is filmed in one take. Always keep the package in view of the camera. Keep the footage in case of a dispute for 180 days. + + Under no circumstances finalize a trade early + The key thing to remember (and we put disclaimers about this on every step of the way) is to NEVER finalize a trade UNTIL you have the money and you are absolutely confident that everything is in order. A legitimate buyer won't pressure you into early finalize. + + Have a buyer put a note with their username and trade ID + This will help you distinguish packages coming from different buyers and avoid confusion. This also will help in preventing man-in-the-middle attacks, where a scammer interposes themselves in-between the buyer and the seller, pretending to be the seller when talking to the buyer and pretending to be the buyer when talking to the seller. + + + +To recap the recommendations we have the following graph: + +![](26.png) + +Here bob puts the cash into a mylar bag (to disguise the cash), which gets put into a tamper proof bag (that way, if alice tries to open it, it'll be easy to see), then bob puts it into at least 3 envelope layers with custom markings inside each layer (again, as anti tampering measures), and then putting it inside the tracking envelope. + +Also very important, Bob needs to record himself from the moment he wraps the cash into the mylar bag, all the way to when he places the letter in the letterbox. and Alice needs to do the same from her letterbox, all the way to unpacking the cash from the mylar bag. That way in case if there is a dispute, the arbitrator will be able to see who's at fault if there are any steps along the way that have not been respected. + +In total per cash by mail transaction (assuming the final envelope weighs less than 100grams), the cost involved for the seller should be around 2 euros in France (including tracking), assuming the seller sends the envelope within the same country, and that he buys enevlopes, mylar bags and tamper proof bags in bulk. + +## **Finishing the Transaction** + +![](19.png) + +Bob of course makes sure that the envelope is sent to Alice's address as it is showcased within the trade window: + +![](20.png) + +And once he followed the trade protocol to send the envelope to Alice, he can declare that he has sent the payment: + +![](21.png) + +And then, both Alice and Bob will have to wait for the postal service to take the letter to it's destination. Bob also sent Alice the tracking link so that she can pinpoint where the envelope is in case if there is an issue along the way. + +![](alice.png) + +Back to Alice's side, we get the following notification: + +![](22.png) + +There, the delay depends on the postal service. But she receives the envelope 5 days later, she records herself from the point of retrieving, to the unpacking of the cash inside. and then if all is ok on her side, she confirms that she has received payment to release the monero funds to Bob: + +![](23.png) ![](24.png) ![](bob.png) + +And lastly, Bob sees that the funds are arriving on his Haveno client, and now he closes the trade. + +![](25.png) + +And there, Bob can withdraw his funds from his Haveno monero wallet to another wallet if he chooses so inside the "Funds" tab, as we detailed in our previous tutorial [here](../haveno-client-f2f/index.md). + +Check out my other tutorials on Decentralised Finances below: + + 1. [✅ How to setup your Monero wallet ](../monero2024/index.md) + 2. [✅ Why can't I trust Centralised Exchanges, and random Monero nodes ?](../chainalysisattempts/index.md) + 3. [✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐](../haveno-client-f2f/index.md) + 4. [✅ Haveno DEX Dispute resolution (Fiat -> XMR) ](../haveno-arbitrator/index.md) + 5. [✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction ](../haveno-sepa/index.md) + 6. [**✅ Haveno DEX Cash By Mail -> XMR transaction ⭐**](../haveno-cashbymail/index.md) + + + diff --git a/haveno-client-f2f/0.1.png b/haveno-client-f2f/0.1.png new file mode 100644 index 0000000..271f8ba Binary files /dev/null and b/haveno-client-f2f/0.1.png differ diff --git a/haveno-client-f2f/0.png b/haveno-client-f2f/0.png new file mode 100644 index 0000000..3d96357 Binary files /dev/null and b/haveno-client-f2f/0.png differ diff --git a/haveno-client-f2f/1.png b/haveno-client-f2f/1.png new file mode 100644 index 0000000..9a2d530 Binary files /dev/null and b/haveno-client-f2f/1.png differ diff --git a/haveno-client-f2f/10.png b/haveno-client-f2f/10.png new file mode 100644 index 0000000..d87ec8a Binary files /dev/null and b/haveno-client-f2f/10.png differ diff --git a/haveno-client-f2f/100.png b/haveno-client-f2f/100.png new file mode 100644 index 0000000..8725a50 Binary files /dev/null and b/haveno-client-f2f/100.png differ diff --git a/haveno-client-f2f/101.png b/haveno-client-f2f/101.png new file mode 100644 index 0000000..9ff2ed1 Binary files /dev/null and b/haveno-client-f2f/101.png differ diff --git a/haveno-client-f2f/102.png b/haveno-client-f2f/102.png new file mode 100644 index 0000000..117aa1e Binary files /dev/null and b/haveno-client-f2f/102.png differ diff --git a/haveno-client-f2f/103.png b/haveno-client-f2f/103.png new file mode 100644 index 0000000..df6f646 Binary files /dev/null and b/haveno-client-f2f/103.png differ diff --git a/haveno-client-f2f/104.png b/haveno-client-f2f/104.png new file mode 100644 index 0000000..d560f6c Binary files /dev/null and b/haveno-client-f2f/104.png differ diff --git a/haveno-client-f2f/11.png b/haveno-client-f2f/11.png new file mode 100644 index 0000000..2e4dbfb Binary files /dev/null and b/haveno-client-f2f/11.png differ diff --git a/haveno-client-f2f/110.png b/haveno-client-f2f/110.png new file mode 100644 index 0000000..4eafaef Binary files /dev/null and b/haveno-client-f2f/110.png differ diff --git a/haveno-client-f2f/12.png b/haveno-client-f2f/12.png new file mode 100644 index 0000000..41114dd Binary files /dev/null and b/haveno-client-f2f/12.png differ diff --git a/haveno-client-f2f/13.png b/haveno-client-f2f/13.png new file mode 100644 index 0000000..264fce7 Binary files /dev/null and b/haveno-client-f2f/13.png differ diff --git a/haveno-client-f2f/14.1.png b/haveno-client-f2f/14.1.png new file mode 100644 index 0000000..8bae101 Binary files /dev/null and b/haveno-client-f2f/14.1.png differ diff --git a/haveno-client-f2f/14.png b/haveno-client-f2f/14.png new file mode 100644 index 0000000..fa460f7 Binary files /dev/null and b/haveno-client-f2f/14.png differ diff --git a/haveno-client-f2f/15.1.png b/haveno-client-f2f/15.1.png new file mode 100644 index 0000000..086355b Binary files /dev/null and b/haveno-client-f2f/15.1.png differ diff --git a/haveno-client-f2f/15.png b/haveno-client-f2f/15.png new file mode 100644 index 0000000..01ade80 Binary files /dev/null and b/haveno-client-f2f/15.png differ diff --git a/haveno-client-f2f/16.png b/haveno-client-f2f/16.png new file mode 100644 index 0000000..cb480d7 Binary files /dev/null and b/haveno-client-f2f/16.png differ diff --git a/haveno-client-f2f/17.png b/haveno-client-f2f/17.png new file mode 100644 index 0000000..36518e9 Binary files /dev/null and b/haveno-client-f2f/17.png differ diff --git a/haveno-client-f2f/18.png b/haveno-client-f2f/18.png new file mode 100644 index 0000000..4da032c Binary files /dev/null and b/haveno-client-f2f/18.png differ diff --git a/haveno-client-f2f/19.png b/haveno-client-f2f/19.png new file mode 100644 index 0000000..86221d1 Binary files /dev/null and b/haveno-client-f2f/19.png differ diff --git a/haveno-client-f2f/2.png b/haveno-client-f2f/2.png new file mode 100644 index 0000000..05e451f Binary files /dev/null and b/haveno-client-f2f/2.png differ diff --git a/haveno-client-f2f/20.png b/haveno-client-f2f/20.png new file mode 100644 index 0000000..7a48ed5 Binary files /dev/null and b/haveno-client-f2f/20.png differ diff --git a/haveno-client-f2f/21.png b/haveno-client-f2f/21.png new file mode 100644 index 0000000..f8015df Binary files /dev/null and b/haveno-client-f2f/21.png differ diff --git a/haveno-client-f2f/22.png b/haveno-client-f2f/22.png new file mode 100644 index 0000000..057b6a7 Binary files /dev/null and b/haveno-client-f2f/22.png differ diff --git a/haveno-client-f2f/23.png b/haveno-client-f2f/23.png new file mode 100644 index 0000000..a8bf1e2 Binary files /dev/null and b/haveno-client-f2f/23.png differ diff --git a/haveno-client-f2f/24.png b/haveno-client-f2f/24.png new file mode 100644 index 0000000..c8786f4 Binary files /dev/null and b/haveno-client-f2f/24.png differ diff --git a/haveno-client-f2f/25.png b/haveno-client-f2f/25.png new file mode 100644 index 0000000..c830fab Binary files /dev/null and b/haveno-client-f2f/25.png differ diff --git a/haveno-client-f2f/26.png b/haveno-client-f2f/26.png new file mode 100644 index 0000000..3f8fdf7 Binary files /dev/null and b/haveno-client-f2f/26.png differ diff --git a/haveno-client-f2f/27.png b/haveno-client-f2f/27.png new file mode 100644 index 0000000..3e75bac Binary files /dev/null and b/haveno-client-f2f/27.png differ diff --git a/haveno-client-f2f/28.png b/haveno-client-f2f/28.png new file mode 100644 index 0000000..9c6f4ad Binary files /dev/null and b/haveno-client-f2f/28.png differ diff --git a/haveno-client-f2f/29.png b/haveno-client-f2f/29.png new file mode 100644 index 0000000..c2c7a4d Binary files /dev/null and b/haveno-client-f2f/29.png differ diff --git a/haveno-client-f2f/3.png b/haveno-client-f2f/3.png new file mode 100644 index 0000000..017538e Binary files /dev/null and b/haveno-client-f2f/3.png differ diff --git a/haveno-client-f2f/30.png b/haveno-client-f2f/30.png new file mode 100644 index 0000000..1c25a40 Binary files /dev/null and b/haveno-client-f2f/30.png differ diff --git a/haveno-client-f2f/4.png b/haveno-client-f2f/4.png new file mode 100644 index 0000000..aae9175 Binary files /dev/null and b/haveno-client-f2f/4.png differ diff --git a/haveno-client-f2f/5.1.png b/haveno-client-f2f/5.1.png new file mode 100644 index 0000000..6e53e9c Binary files /dev/null and b/haveno-client-f2f/5.1.png differ diff --git a/haveno-client-f2f/5.2.png b/haveno-client-f2f/5.2.png new file mode 100644 index 0000000..2936b74 Binary files /dev/null and b/haveno-client-f2f/5.2.png differ diff --git a/haveno-client-f2f/6.png b/haveno-client-f2f/6.png new file mode 100644 index 0000000..ce1dd1f Binary files /dev/null and b/haveno-client-f2f/6.png differ diff --git a/haveno-client-f2f/7.png b/haveno-client-f2f/7.png new file mode 100644 index 0000000..67a01a1 Binary files /dev/null and b/haveno-client-f2f/7.png differ diff --git a/haveno-client-f2f/8.png b/haveno-client-f2f/8.png new file mode 100644 index 0000000..43d9ff6 Binary files /dev/null and b/haveno-client-f2f/8.png differ diff --git a/haveno-client-f2f/9.png b/haveno-client-f2f/9.png new file mode 100644 index 0000000..c3b48b3 Binary files /dev/null and b/haveno-client-f2f/9.png differ diff --git a/haveno-client-f2f/haveno-reto.png b/haveno-client-f2f/haveno-reto.png new file mode 100644 index 0000000..3b41cf0 Binary files /dev/null and b/haveno-client-f2f/haveno-reto.png differ diff --git a/haveno-client-f2f/index.md b/haveno-client-f2f/index.md new file mode 100644 index 0000000..4c1d708 --- /dev/null +++ b/haveno-client-f2f/index.md @@ -0,0 +1,312 @@ +--- +author: nihilist +date: 2024-05-14 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/269" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Haveno DEX Direct Fiat to Monero transactions + +![](0.png) + +In this tutorial we're going to cover how to do a Fiat to Monero trade from the brand new (and long awaited!) **Haveno Decentralised Exchange** , using the Face-to-Face (F2F) payment method. + +![](0.1.png) + +_Sidenote_ : i don't recommend face-to-face as a payment option of choice, this is just to try out how a basic trade Haveno DEX works! + +Before reading through this tutorial, **make sure you understand why Decentralised Exchanges are the next step in Decentralised Finances** in this [blogpost](../finances/index.md) i previously made, so that you have all the context. + +As we are covering a DEX (Decentralised Exchange), **it means we are not covering how to use a website onto which you are purchasing monero** (like the now defunct Localmonero (RIP)), **we are covering a software that you install on your computer** (hence the Decentralisation in "DEX"), **to trade Peer to Peer (P2P) with the other users.** + +![](28.png) + +The resilliency of Haveno is on multiple levels: First of all the more Seed nodes there are, the harder to take down the Haveno network is. The anonymity provided by the Tor network of Haveno for all nodes (which is on by default), also adds up to the resiliency. + +Clientside, the more peers (users) there are, the more diverse and bigger the exchange will be, and so will the decentralised market be at large. **The sooner the Monero market moves to Decentralised Exchanges, the more unstoppable it will become.** + +Lastly if the Haveno network is completely taken down (let's say if all the seed nodes are taken down somehow), all that's left is for another administrator to spin up a new haveno network since the code is all open source, to repeat the cycle again. + +You can check out my quick coverage of Haveno DEX on Monero Topia [here](https://iv.nowhere.moe/watch?v=hWcwin8bDpc&t=1h9m11s). (Definitely check out MoneroTopia for the latest news in the Monero world, awesome show!) + +**DISCLAIMER: THERE ARE NO OFFICIAL HAVENO NETWORK INSTANCES, THERE ARE ONLY THIRD PARTY HAVENO NETWORKS LIKE[HAVENO RETO](https://monero.town/post/3143272). ** + +**IF YOU SEE A HAVENO CLAIM TO BE THE OFFICIAL NETWORK[LIKE THIS ONE](https://monero.town/post/3260716), DONT FALL FOR THEIR SCAM!** + +![](haveno-reto.png)You can check out the Reto team over at their official website at + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + + + +I recommend using this setup into one of the above mentionned VMs, either for [Private use](../privacy/index.md), or [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). (Note that Deanonymization will happen during the Fiat transaction, but it is minimized as you're revealing your identity to an other peer, rather than to a centralised exchange) + + + +## **How to install Haveno ?** + +First, we need to find a Haveno Network, [Haveno Reto](https://monero.town/post/3143272) being one of the first ones to show up, we're going to try them out: + +Let's get the Haveno binaries from [Reto's github repository](https://github.com/retoaccess1/haveno-reto/releases), (which was forked from the [original Haveno repository](https://github.com/haveno-dex/haveno), maintained by [Woodser](https://github.com/woodser)) + +## **For Debian Users** + +Here, we are on a debian machine, so we download the "haveno_amd64_deb-latest.zip" package (which contains the .deb file) + +![](110.png) + +Then unpack the zipfile wherever you want: + + + [ mainpc ] [ /dev/pts/5 ] [~] + → apt install unzip -y + + [ mainpc ] [ /dev/pts/17 ] [~/.mullvad-browser/Downloads] + → ls + haveno_amd64_deb-latest.zip + + [ mainpc ] [ /dev/pts/17 ] [~/.mullvad-browser/Downloads] + → unzip haveno_amd64_deb-latest.zip + Archive: haveno_amd64_deb-latest.zip + inflating: haveno_1.0.11-1_amd64.deb + + [ mainpc ] [ /dev/pts/17 ] [~/.mullvad-browser/Downloads] + → sudo dpkg -i haveno_1.0.11-1_amd64.deb + [sudo] password for nihilist: + (Reading database ... 226388 files and directories currently installed.) + Preparing to unpack haveno_1.0.11-1_amd64.deb ... + Unpacking haveno (1.0.11-1) over (1.0.10-1) ... + Setting up haveno (1.0.11-1) ... + + #if it fails, run "apt install -f" to install the missing dependencies and then dpkg -i haveno.deb again. + + + +Haveno then creates dotfiles in **~/.local/share/Haveno-reto** containing your wallet infos, along with the .onion data. **You shouldn't need to remove that folder accross haveno updates** , unless if instructed to do so by the developers or the network owners themselves. + + + [ mainpc ] [ /dev/pts/17 ] [.local/share/Haveno-reto] + → ls -lash ~/.local/share/Haveno-reto + total 74M + 4.0K drwxr-xr-x 3 nihilist nihilist 4.0K Aug 4 10:04 . + 4.0K drwx------ 26 nihilist nihilist 4.0K Oct 6 09:32 .. + 11M -rw-r--r-- 1 nihilist nihilist 11M Aug 4 09:57 haveno_1.log + 3.1M -rw-r--r-- 1 nihilist nihilist 3.1M Oct 4 21:06 haveno.log + 4.0K -rw-r--r-- 1 nihilist nihilist 56 Oct 2 19:35 haveno.properties + 25M -rwxr--r-- 1 nihilist nihilist 25M Jul 9 21:17 monerod + 30M -rwxr--r-- 1 nihilist nihilist 30M Jul 9 21:17 monero-wallet-rpc + 6.3M -rw------- 1 nihilist nihilist 6.3M Oct 4 21:06 monero-wallet-rpc.log + 4.0K -rw-r--r-- 1 nihilist nihilist 6 Oct 2 19:34 version + 4.0K drwxr-xr-x 6 nihilist nihilist 4.0K May 20 18:21 xmr_mainnet + + + +if you want to see the haveno logs from the CLI as you use it, you can do as follows: + + + [ mainpc ] [ /dev/pts/6 ] [.local/share/Haveno-reto] + → tail -f haveno.log + May-29 20:55:23.829 [pool-16-thread-5] INFO h.c.t.TaskRunner: Run task: SendOfferAvailabilityRequest + May-29 20:55:23.830 [pool-16-thread-5] INFO h.c.o.a.t.SendOfferAvailabilityRequest: Send OfferAvailabilityRequest with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid d85caa9c-840c-45eb-8642-4cb12828fc93 to peer rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999 + May-29 20:55:23.930 [JavaFX Application Thread] INFO h.c.o.a.t.SendOfferAvailabilityRequest: OfferAvailabilityRequest arrived at peer: offerId=mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106; uid=d85caa9c-840c-45eb-8642-4cb12828fc93 + May-29 20:55:25.292 [JavaFX Application Thread] INFO h.d.c.c.c.PopOver: hide:200.0 ms + May-29 20:55:25.903 [pool-48-thread-1] INFO h.c.o.a.OfferAvailabilityProtocol: Received OfferAvailabilityResponse from rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999 with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid 986ee04a-47d2-4303-a9fc-12d18cc158ce + May-29 20:55:25.905 [pool-48-thread-1] INFO h.c.t.TaskRunner: Run task: ProcessOfferAvailabilityResponse + May-29 20:55:25.905 [pool-48-thread-1] INFO h.c.o.a.OfferAvailabilityProtocol: Send AckMessage for OfferAvailabilityResponse to peer rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999 with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and sourceUid 986ee04a-47d2-4303-a9fc-12d18cc158ce + May-29 20:55:25.907 [JavaFX Application Thread] INFO h.c.o.a.OfferAvailabilityProtocol: AckMessage for OfferAvailabilityResponse arrived at makersNodeAddress rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999. offerId=mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106, sourceUid=986ee04a-47d2-4303-a9fc-12d18cc158ce + May-29 20:55:26.108 [pool-48-thread-1] INFO h.c.o.OpenOfferManager: Received AckMessage for OfferAvailabilityRequest with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid d85caa9c-840c-45eb-8642-4cb12828fc93 + May-29 20:55:27.427 [JavaFX Application Thread] INFO h.d.c.c.c.PopOver: hide:200.0 ms + + + +next just launch Haveno as it should have been added to your system: + +![](3.png) + +## **For Whonix Users: use tor bridges to make Haveno connect!** + +Next, haveno is going to connect to Tor. WHONIX USERS: If it is facing issues connecting wait for the client to ask you to set the tor settings: + +![](4.png) + +then just get a torbridge from torproject.org: + +![](5.1.png) + +and add them inside haveno, and restart it: + +![](5.2.png) + +Then it should connect just fine: + +![](4.png) + +you may need to wait a bit for your haveno node to sync up initially: (probably 1-2 minutes) + +and once it finishes synchronising, you're in Haveno! + +![](8.png) + +## **For Arch Linux Users** + +You can either extract the .rpm (which is originally intended for Fedora users) package and run the haveno binary yourself, or use the [AUR package maintained by duje](https://aur.archlinux.org/packages/haveno-reto) + +## **For Windows Users** + +If you are a windows user (know that windows cant be trusted as [it's not an open source operating system](../closedsource/index.md), so [install linux](../linux/index.md) instead): + +## **For Tails OS Users: (as of 3rd November 2024)** + +If you want to have a TailsOS VM running, check out my latest tutorial on it [here](../tailsqemuvm/index.md). + +Then make sure you have the admin password enabled: + +![](100.png) + +Then make sure you have the persistant storage enabled, with the dotfiles enabled: + +![](101.png) + +Then, to install it at the current latest version (as of the 6th of october 2024, version 1.0.12) you need to run the following commands: + + + amnesia@amnesia:~$ curl -x socks5h://127.0.0.1:9050 -fsSLO https://github.com/haveno-dex/haveno/raw/master/scripts/install_tails/haveno-install.sh && bash haveno-install.sh https://github.com/retoaccess1/haveno-reto/releases/download/v1.0.12/haveno-linux-deb.zip DAA24D878B8D36C90120A897CA02DAC12DAE2D0F + + amnesia@amnesia:~$ ./Persistent/haveno/App/utils/exec.sh + + + +` ![](103.png) ![](104.png) + +## **Fiat for Monero, Face to Face Trade** + +First step is to setup your account for Face to Face Trades: + +![](9.png) + +Here we specify that we want to do face to face trades in Berlin (Germany) as an example, we will use our FIAT currency, Euros (in cash), you can also specify alternative ways to get contacted if you don't like the built in chat in Haveno DEX, such as email or phone number, etc. Then hit the "save new account" button: + +![](10.png) + +Make sure you read carefully what a face-to-face fiat->XMR trade is, and what are it's risks, if you're fine with it, click "i understand". Now that your account is created, head over to the "Buy" section, as you want to buy monero: + +![](11.png) ![](12.png) + +Then you can publish a Fiat->XMR face to face trade offer like so: + +![](13.png) + +So here we want to purchase 0.10 XMR, for the current market price, which amounts to 12 euros. then hit next step: + +Now here is when we get introduced to the [trade protocol](https://github.com/haveno-dex/haveno/blob/master/docs/trade_protocol/trade-protocol.pdf)'s security deposit system as [detailed in the Haveno FAQ](https://haveno.exchange/faq/#what-are-the-differences-in-the-trade-protocol). I'll make a simple diagram to explain the situation: + + + Quote from Haveno's FAQ: (https://haveno.exchange/faq/#what-are-the-differences-in-the-trade-protocol) + + [...] + + Bisq recently adopted a protocol based on 2/2 multisig, while Haveno will use their previous protocol: 2/3 multisignature. In a 2/3 multisignature trade, each trader owns one key; this key will be paired with the key of the other trader and will be used to unlock funds and deposits. It’s a 2 of 3 (2/3) protocol because you need only two out of three keys to move funds from the multisignature wallet. + + If everything goes fine, the two traders will use their keys to complete the transfer process. If something goes wrong, one of the two parties won’t use their key to complete the transaction, and this is where the arbitrator comes to action. + + Arbitrators are inherited from Bisq’s 2/3 protocol. They are a trusted role and have the duty of releasing the funds to one of the two parties in case of a conflict. To do so, they use the third key of the 2/3 multisig protocol. + + [...] + + + +` ![](15.png) + +To make it short, you (Bob) in this case, want to trade Fiat, for Alice's XMR, in person. **BOTH you and Alice need to put in some monero into the trade, as a security deposit.** That is so in case if you try to scam Alice, you will loose something in the process, preventing you from trying to repeatedly scam people, and vice versa. + +![](xmrbazaar_logo_beta.png) + +_Sidenote:_ **if you want to get your first monero** and you don't have any crypto / fiat to start with, **check out the["earn XMR"](https://xmrbazaar.com/search/earn-xmr/) section in xmrbazaar.com.** For example, i offer monero to whoever contributes new blogposts to the OPSEC section of my blog in this offer [here](https://xmrbazaar.com/listing/UsWA/). + +Due to the 2/3 multisig nature of the trade, **there needs to be at least 2 agreeing parties to complete the trade**. If all goes well, you and Alice agree on the trade, and the security deposit monero is released. If not, the Arbitrator will step in to punish the wrongdoer (by not giving him the security deposit back), and give the security deposit to the honest party. + +The following example will cover a successful trade between you and Alice. If you want to see a trade dispute, check out [this tutorial](../haveno-arbitrator/index.md). + +![](14.png) + +So here, you need to send the security deposit to be able to post your buying offer, just send it from your monero wallet like so: + +![](14.1.png) + +Once you've sent the monero to your haveno trade for the security deposit, you need to wait approx 20 minutes for the transaction to be confirmed by the network + +![](15.1.png) + +Approx 20 mins later, the trade shows up as enabled: + +**Bob: puts 0.1005 XMR into the trade for the security deposit,** ![](16.png) + +You (and the other haveno peers) can see it from the Sell tab: + +![](17.png) + +Here you just need to wait for someone to accept the trade. Once they do, they will need to send their share of the security deposit too just like we previously did. Once they do it will show up on your end as an initiated trade: + +**Alice puts 0.1005 XMR into the trade for the security deposit. Then the trade is secured** ![](18.png) + +Same as before, you need to wait for the security deposit to be validated by the network (approx 20 mins again). In the meantime you can chat with the trader by clicking the "Open Trader Chat" button. + +![](19.png) + +Once the security deposit has been validated by the network for the other party, you will get a notification that the trade can begin: + +![](20.png) + +Next step is for you to go and give the 12 Euros to Alice, and once you do, you confirm that the Payment has been sent like so: + +![](22.png) + +Then, you wait for Alice to confirm that she has recieved the 12 Euros (it will show up as "Peer confirmed message receipt"): + +![](21.png) **Alice can then send the 0.10 XMR to Bob, after Bob Pays her in Euros.** + +Then here, you just wait for the Monero to arrive in your Haveno monero wallet, it will first show up as Pending on the top right corner: + +![](23.png) + +Wait another 20 minutes for the transaction to be validated by the network, and it will show up in your Haveno monero wallet as Available balance: + +**The trade is successful, the security deposit is now released, Bob gets his 0.1005 XMR back, and Alice too. (minus the transcation fees and arbitrator fees)** ![](24.png) + +And that's it, you can now pop the Champagne as you completed your first Fiat -> XMR transaction on a Decentralised exchange! 🥂 + +## **Withdrawing your Monero from Haveno to another Wallet** + +Now all that's left is to withdraw your monero from your Haveno monero wallet to your other Monero Wallet: + +![](25.png) + +Head over to Funds > send funds, tick the "Amounts includes mining fee" option, and select the amount of monero you want to withdraw, in this case i'm withdrawing all of it. + +![](26.png) + +Then confirm that you want to withdraw the funds, and check your monero wallet for the incoming transaction: + +![](27.png) + +And that's it! you just withdrew your funds to your other monero wallet! + +Check out my other tutorials on Decentralised Finances below: + + 1. [✅ How to setup your Monero wallet ](../monero2024/index.md) + 2. [✅ Why can't I trust Centralised Exchanges, and random Monero nodes ?](../chainalysisattempts/index.md) + 3. [**✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐**](../haveno-client-f2f/index.md) + 4. [✅ Haveno DEX Dispute resolution (Fiat -> XMR) ](../haveno-arbitrator/index.md) + 5. [✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction ](../haveno-sepa/index.md) + 6. [✅ Haveno DEX Cash By Mail -> XMR transaction ⭐](../haveno-cashbymail/index.md) + + + diff --git a/haveno-client-f2f/xmrbazaar_logo_beta.png b/haveno-client-f2f/xmrbazaar_logo_beta.png new file mode 100644 index 0000000..2c2bd11 Binary files /dev/null and b/haveno-client-f2f/xmrbazaar_logo_beta.png differ diff --git a/haveno-crypto/0.png b/haveno-crypto/0.png new file mode 100644 index 0000000..2def6e7 Binary files /dev/null and b/haveno-crypto/0.png differ diff --git a/haveno-crypto/1.png b/haveno-crypto/1.png new file mode 100644 index 0000000..7721b46 Binary files /dev/null and b/haveno-crypto/1.png differ diff --git a/haveno-crypto/10.png b/haveno-crypto/10.png new file mode 100644 index 0000000..ea175da Binary files /dev/null and b/haveno-crypto/10.png differ diff --git a/haveno-crypto/11.png b/haveno-crypto/11.png new file mode 100644 index 0000000..2fae590 Binary files /dev/null and b/haveno-crypto/11.png differ diff --git a/haveno-crypto/12.png b/haveno-crypto/12.png new file mode 100644 index 0000000..61df0ed Binary files /dev/null and b/haveno-crypto/12.png differ diff --git a/haveno-crypto/13.png b/haveno-crypto/13.png new file mode 100644 index 0000000..0179034 Binary files /dev/null and b/haveno-crypto/13.png differ diff --git a/haveno-crypto/14.png b/haveno-crypto/14.png new file mode 100644 index 0000000..e5f4fe6 Binary files /dev/null and b/haveno-crypto/14.png differ diff --git a/haveno-crypto/15.png b/haveno-crypto/15.png new file mode 100644 index 0000000..5f60e99 Binary files /dev/null and b/haveno-crypto/15.png differ diff --git a/haveno-crypto/16.png b/haveno-crypto/16.png new file mode 100644 index 0000000..13a2af0 Binary files /dev/null and b/haveno-crypto/16.png differ diff --git a/haveno-crypto/17.png b/haveno-crypto/17.png new file mode 100644 index 0000000..e5dc32b Binary files /dev/null and b/haveno-crypto/17.png differ diff --git a/haveno-crypto/18.png b/haveno-crypto/18.png new file mode 100644 index 0000000..dfe0916 Binary files /dev/null and b/haveno-crypto/18.png differ diff --git a/haveno-crypto/19.png b/haveno-crypto/19.png new file mode 100644 index 0000000..ddabff1 Binary files /dev/null and b/haveno-crypto/19.png differ diff --git a/haveno-crypto/2.png b/haveno-crypto/2.png new file mode 100644 index 0000000..2f7ed24 Binary files /dev/null and b/haveno-crypto/2.png differ diff --git a/haveno-crypto/20.png b/haveno-crypto/20.png new file mode 100644 index 0000000..395268a Binary files /dev/null and b/haveno-crypto/20.png differ diff --git a/haveno-crypto/3.png b/haveno-crypto/3.png new file mode 100644 index 0000000..5d21c99 Binary files /dev/null and b/haveno-crypto/3.png differ diff --git a/haveno-crypto/4.png b/haveno-crypto/4.png new file mode 100644 index 0000000..5584eff Binary files /dev/null and b/haveno-crypto/4.png differ diff --git a/haveno-crypto/5.png b/haveno-crypto/5.png new file mode 100644 index 0000000..1a9304e Binary files /dev/null and b/haveno-crypto/5.png differ diff --git a/haveno-crypto/6.png b/haveno-crypto/6.png new file mode 100644 index 0000000..fd14d37 Binary files /dev/null and b/haveno-crypto/6.png differ diff --git a/haveno-crypto/7.png b/haveno-crypto/7.png new file mode 100644 index 0000000..b402a43 Binary files /dev/null and b/haveno-crypto/7.png differ diff --git a/haveno-crypto/8.png b/haveno-crypto/8.png new file mode 100644 index 0000000..727fd02 Binary files /dev/null and b/haveno-crypto/8.png differ diff --git a/haveno-crypto/9.png b/haveno-crypto/9.png new file mode 100644 index 0000000..4a5a19a Binary files /dev/null and b/haveno-crypto/9.png differ diff --git a/haveno-crypto/index.md b/haveno-crypto/index.md new file mode 100644 index 0000000..af5f3d8 --- /dev/null +++ b/haveno-crypto/index.md @@ -0,0 +1,112 @@ +--- +author: nihilist +date: 2025-02-05 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Convert Monero into other Cryptocurrencies Anonymously (XMR -> LTC) + +![](0.png) + +In this tutorial we're going to cover how you can anonymously obtain another cryptocurrency (in this case litecoin), using XMR and Haveno. + +![](../context/anon.png) + +Context warning: we're doing the following steps from inside our [Anonymous use whonix workstation VM](../whonixqemuvms/index.md)! + + + +## **Why is this important?** + +On your cryptocurrency journey, you may stumble upon the usecase that you want to pay someone anonymously, but for some reason they don't accept Monero (XMR), so you have to figure out a way to pay them anonymously using another cryptocurrency. Let's say You want to buy something from Bob anonymously, but he only accepts Litecoin instead of XMR. + +**We're obviously not going to buy that litecoin on a centralised exchange where we may be forced to KYC ourselves, that's why we stick to Haveno to keep our attack surface as small as possible.** + +If you followed our previous tutorials on Haveno, you should already have monero, **therefore, from our Whonix Workstation VM with Haveno installed, we're going to first install a[litecoin wallet](https://litecoin.org/):** + +![](1.png) + + + [ localhost ] [ /dev/pts/5 ] [~] + → mv ~/.tb/tor-browser/Browser/Downloads/litecoin-0.21.4-x86_64-linux-gnu.tar.gz ~/Desktop + + [ localhost ] [ /dev/pts/5 ] [~] + → cd Desktop + + [ localhost ] [ /dev/pts/5 ] [~/Desktop] + → tar -xvf litecoin-0.21.4-x86_64-linux-gnu.tar.gz + litecoin-0.21.4/ + litecoin-0.21.4/bin/ + litecoin-0.21.4/bin/litecoin-cli + litecoin-0.21.4/bin/litecoind + litecoin-0.21.4/bin/litecoin-qt + litecoin-0.21.4/bin/litecoin-tx + litecoin-0.21.4/bin/litecoin-wallet + litecoin-0.21.4/bin/test_litecoin + litecoin-0.21.4/README.md + litecoin-0.21.4/share/ + litecoin-0.21.4/share/man/ + litecoin-0.21.4/share/man/man1/ + litecoin-0.21.4/share/man/man1/litecoin-cli.1 + litecoin-0.21.4/share/man/man1/litecoind.1 + litecoin-0.21.4/share/man/man1/litecoin-qt.1 + litecoin-0.21.4/share/man/man1/litecoin-tx.1 + litecoin-0.21.4/share/man/man1/litecoin-wallet.1 + + [ localhost ] [ /dev/pts/5 ] [~/Desktop] + → ./litecoin-0.21.4/bin/litecoin-qt + + + +![](2.png) + +Be warned however, that locally synchronizing the litecoin blockchain is going to require 40GB of diskspace approximately + +![](3.png) + +While the wallet syncs the blockchain, let's create a new wallet: + +![](4.png) ![](5.png) + +Now that the wallet is created, lets create a recieving address: + +![](6.png) ![](7.png) + +Now that the LTC recieving address is created, we can create the cryptocurrency account on Haveno: + +![](8.png) + +And now that the LTC account is created in Haveno, we can start to sell XMR for some Litecoin: + +![](9.png) + +Looking at the offers, we see a few XMR selling offers for us to take (meaning we have to send XMR to be able to buy some LTC) + +## **Taking the XMR -> LTC Trade** + +![](10.png) + +Once selecting an offer, we first need to fund the security deposit: + +![](12.png) ![](13.png) ![](14.png) ![](15.png) ![](16.png) + +Once the security deposit funded and the trade initiated, we wait for the other peer to send their Litecoin to us: + +![](18.png) + +Once they correctly send their litecoin our way, we check if we indeed recieved the payment, and if we did, we click "Confirm payment receipt" + +![](19.png) + +And doing so releases the monero to the party buying our XMR, which finishes the trade, and releases the extra monero we put in the security deposit: + +![](20.png) + +And now we can close the trade as it's been completed. + +## **Conclusion** + +![](17.png) + +And thats it! you can now send your litecoin anonymously wherever you want (for example Torproject.org accepts litecoin donations), **because you acquired it anonymously, and now since you're sending it from your whonix VM, you can't get deanonymized on the IP layer either, thanks to whonix's built-in tor transparent proxying.** + diff --git a/haveno-seednode/1.png b/haveno-seednode/1.png new file mode 100644 index 0000000..05a10cc Binary files /dev/null and b/haveno-seednode/1.png differ diff --git a/haveno-seednode/index.md b/haveno-seednode/index.md new file mode 100644 index 0000000..53c0321 --- /dev/null +++ b/haveno-seednode/index.md @@ -0,0 +1,424 @@ +--- +author: nihilist +date: 2024-10-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/18" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to run a Haveno Seed Node + +![](../haveno-client-f2f/0.png) + +In this tutorial we're going to take a look at how you can contribute to an existing Haveno Network, by running a Seed Node, in order to make the Haveno Network of your choice more resillient to potential takedowns. + +_Disclaimer:_ I am not running any seednodes for any Haveno Network, this is only to showcase how it works for whoever wants to run a seednode. **Obviously you don't want to get the TornadoCash treatment by publicly announcing that you are helping with the infrastructure for an exchange with your public identity since this is potentially sensitive use.** Therefore make sure you remain Anonymous (meaning you use a disposable identity) when saying that you are running a haveno seed node (see how to properly segment your internet uses [here](../internetsegmentation/index.md)). See the explanation on where to host sensitive hidden services [here](../sensitiveremotevshome/index.md). + + + +## **Why contribute to a Haveno Network ?** + +As explained [previously](../haveno-client-f2f/index.md), for a Haveno Network, the more seed nodes there are, the more resillient the network is to potential takedowns: + +![](../haveno-client-f2f/28.png) + +For an adversary, they need to find and takedown all of the seed nodes of a Haveno Network. But unlike a regular centralised exchange, these are .onion links, not clearnet ones, hence, finding those seed nodes is meant to be as hard as possible to do for them, not only that, but they also need to find them all, and take them all down at once, to be able to bring down a Haveno Network. + +It is possible for anyone out there to create a Haveno Seed Node, for any Haveno Network out there. Or in other words, **Anyone can contribute in making Fiat to Monero transactions unstoppable, by making Haveno Networks more resillient, by running seed nodes for them.** + +## **What is required ?** + +In short, as detailed in the official documentation [here](https://github.com/haveno-dex/haveno/blob/master/docs/deployment-guide.md#seed-nodes-with-proof-of-work-pow), the requirement is that you have a device or a server (such as a VPS), running 24/7, with a local monero node. (hence requiring storage). + +Before starting, make sure you have a device that is already running a monero node. To do that, follow [this tutorial](../monero2024/index.md) i wrote. + + + [ Datura ] [ /dev/pts/10 ] [~] + → systemctl status moneronode + ● moneronode.service - monerod + Loaded: loaded (/etc/systemd/system/moneronode.service; enabled; preset: enabled) + Active: active (running) since Sat 2024-09-21 12:14:46 CEST; 2 weeks 0 days ago + Main PID: 1016 (monerod) + Tasks: 30 (limit: 77002) + Memory: 13.6G + CPU: 3w 2d 11h 42min 2.980s + CGroup: /system.slice/moneronode.service + └─1016 /usr/bin/monerod --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers=-1 --in-peers=-1 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=1> + + Oct 06 10:07:57 Datura monerod[1016]: 2024-10-06 08:07:57.625 I Subnet 199.116.84.0/24 blocked. + Oct 06 10:07:57 Datura monerod[1016]: 2024-10-06 08:07:57.625 I Subnet 209.222.252.0/24 blocked. + Oct 06 10:07:57 Datura monerod[1016]: 2024-10-06 08:07:57.668 I Subnet 91.198.115.0/24 blocked. + Oct 06 10:09:41 Datura monerod[1016]: 2024-10-06 08:09:41.840 E Transaction not found in pool + Oct 06 10:10:52 Datura monerod[1016]: 2024-10-06 08:10:52.143 E mined block failed verification + Oct 06 10:49:47 Datura monerod[1016]: 2024-10-06 08:49:47.176 E Transaction not found in pool + Oct 06 11:09:39 Datura monerod[1016]: 2024-10-06 09:09:39.370 E mined block failed verification + Oct 06 11:10:31 Datura monerod[1016]: 2024-10-06 09:10:31.992 E mined block failed verification + Oct 06 11:12:08 Datura monerod[1016]: 2024-10-06 09:12:08.311 E mined block failed verification + Oct 06 11:18:43 Datura monerod[1016]: 2024-10-06 09:18:43.902 E Transaction not found in pool + + [ Datura ] [ /dev/pts/10 ] [~] + → du -hs /srv/XMR + 82G /srv/XMR + + + +Once you have your server running a monero node as shown above, (with a pruned monero node of 82Gb, as of october 2024), you can proceed with the installation of the Haveno Seed Node. + +## **How to run a Seed Node** + +First of all we need to choose a Haveno Network to contribtue to. [Haveno Reto](https://haveno-reto.com) being the only functionnal one available right now, we're going to run a Seed node for them., following the instructions [here](https://github.com/haveno-dex/haveno/blob/master/docs/deployment-guide.md#fork-and-build-haveno). + + + [ Datura ] [ /dev/pts/10 ] [/srv] + → git clone https://github.com/retoaccess1/haveno-reto + + [ Datura ] [ /dev/pts/10 ] [/srv] + → cd haveno-reto + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → ls + apitest build.gradle common core desktop gpg_keys gradle.properties gradlew.bat LICENSE media p2p README.md scripts settings.gradle + assets cli config daemon docs gradle gradlew inventory Makefile monitor proto relay seednode statsnode + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cd scripts + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto/scripts] + → ls + deployment install_java.bat install_java.sh install_tails + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto/scripts] + → ./install_java.sh + + + +First let's install Java using the script provided: + + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto/scripts] + → ./install_java.sh + Reading package lists... Done + Building dependency tree... Done + Reading state information... Done + curl is already the newest version (7.88.1-10+deb12u7). + 0 upgraded, 0 newly installed, 0 to remove and 9 not upgraded. + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 194M 100 194M 0 0 26.9M 0 0:00:07 0:00:07 --:--:-- 45.7M + update-alternatives: using /usr/lib/jvm/openjdk-21.0.2/bin/java to provide /usr/bin/java (java) in auto mode + update-alternatives: using /usr/lib/jvm/openjdk-21.0.2/bin/javac to provide /usr/bin/javac (javac) in auto mode + openjdk version "21.0.2" 2024-01-16 + OpenJDK Runtime Environment (build 21.0.2+13-58) + OpenJDK 64-Bit Server VM (build 21.0.2+13-58, mixed mode, sharing) + + + +Then, we build the haveno repository: + + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → make clean && make + ./gradlew clean + Downloading https://services.gradle.org/distributions/gradle-8.6-bin.zip + + [...] (give it a few minutes to complete) + + > Task :relay:compileJava + Note: /srv/haveno-reto/relay/src/main/java/haveno/relay/RelayMain.java uses or overrides a deprecated API. + Note: Recompile with -Xlint:deprecation for details. + + Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0. + + You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins. + + For more on this, please refer to https://docs.gradle.org/8.6/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation. + + BUILD SUCCESSFUL in 4m 1s + 138 actionable tasks: 138 executed + + + +once haveno is built, we're going to install Tor as shown in our [previous](../tor/relay/index.md) tutorial: + + + root@Datura:~# apt update -y && apt upgrade -y + root@Datura:~# apt install curl tmux vim gnupg2 -y + + root@Datura:~# cat /etc/apt/sources.list |head -n3 + + deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + + root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null + + apt update -y + apt install tor nyx + + + +Now from here we have what we need: a local monero node, and tor setup. Now it's a matter of configuring torrc for our Haveno Seed Node: + + + #if you have no existing torrc config, overwrite it: + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cat seednode/torrc > /etc/tor/torrc + + + #if you have an existing torrc config, append it below the existing torrc you have: + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → vim /etc/tor/torrc + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cat seednode/torrc >> /etc/tor/torrc + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl restart tor@default + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl status tor@default + ● tor@default.service - Anonymizing overlay network for TCP + Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled) + Active: active (running) since Sun 2024-10-06 12:01:18 CEST; 5s ago + Process: 938459 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS) + Process: 938460 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code> + Main PID: 938462 (tor) + Tasks: 13 (limit: 77002) + Memory: 190.7M + CPU: 9.987s + CGroup: /system.slice/system-tor.slice/tor@default.service + └─938462 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 + + Oct 06 12:01:19 Datura Tor[938462]: Opened Control listener connection (ready) on /run/tor/control + Oct 06 12:01:19 Datura Tor[938462]: Self-testing indicates your ORPort 65.109.30.253:28710 is reachable from the outside. Excellent. Publishing server descripto> + Oct 06 12:01:19 Datura Tor[938462]: Bootstrapped 10% (conn_done): Connected to a relay + Oct 06 12:01:19 Datura Tor[938462]: Bootstrapped 14% (handshake): Handshaking with a relay + Oct 06 12:01:20 Datura Tor[938462]: Bootstrapped 15% (handshake_done): Handshake with a relay done + Oct 06 12:01:20 Datura Tor[938462]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits + Oct 06 12:01:20 Datura Tor[938462]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits + Oct 06 12:01:20 Datura Tor[938462]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit + Oct 06 12:01:20 Datura Tor[938462]: Bootstrapped 100% (done): Done + Oct 06 12:01:24 Datura Tor[938462]: Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 1000 buildtimes. + + + +Now let's take note of the seednode hostnames that tor generated for us: + + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cat /var/lib/tor/haveno_seednode/hostname + 5vycrhlbz44bpyvbh25b37joqj433wex7fn2d5hunp2bmxkv7ibk2vqd.onion + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cat /var/lib/tor/haveno_seednode2/hostname + tqxmkjprxry7xwf2sdvy55etnkp6eddc4uxj5fd6rwpnc472mpizgqyd.onion + + + +Next we copy the haveno-seednode systemd services into the systemd service directory: + + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cp scripts/deployment/haveno-seednode.service /etc/systemd/system/ + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cp scripts/deployment/haveno-seednode2.service /etc/systemd/system/ + + + +Then first we mention the 2 seed node onion mirrors in the **core/src/main/resources/xmr_mainnet.seednodes** file: + + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → vim core/src/main/resources/xmr_mainnet.seednodes + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cat core/src/main/resources/xmr_mainnet.seednodes + # nodeaddress.onion:port [(@owner,@backup)] + k6wctqd5l2nhmietzs6zg4pric3ukeg7lazzz67ttbl75qwfr2q4yvqd.onion:2002(@anon1) + 4gmfgn22tll7ajw3tdp7nru3fvgh5ukt7w53kfv5ymijldivsqtbzdqd.onion:2003(@anon1) + bugc27z7lqjgpwmhbuu3kuwoq2bhailj573r32jm5ydwrcqrwjtblnid.onion:1002(@anon2) + xephvvzd3orepnny7lbia4nkwie5t7wjivlvvz5lhbsck7ubavystead.onion:9992(@anon3 ,@s0) + g4z6oi2wf62nwztwve6qe2hqswj4ezpom6hn7cuy5cxaidey4us76bid.onion:9993(@anon3 ,@s0) + z47tltuwytd5icqq4hni2ammvlugp6pcwqboeu7ngawruualxjjuu3ad.onion:9992(@anon3 ,@s3) + hxb5h34hjgyraycrrxlz5ar2q77mjgondzicwzayqwwvuaepssrn5zyd.onion:9993(@anon3 ,@s3) + u6wwec5ddxswwyrz7rgzuiwowf33llab57y3xzmwwxvsofq2w4m6ihad.onion:1002(@anon4) + im6hcl7hknvsrsns2newv4orfv3kd2ly5yvqtbfkiyzoohscyp5htgqd.onion:2002(@anon6) + **5vycrhlbz44bpyvbh25b37joqj433wex7fn2d5hunp2bmxkv7ibk2vqd.onion:2002(@nihilist1) + tqxmkjprxry7xwf2sdvy55etnkp6eddc4uxj5fd6rwpnc472mpizgqyd.onion:2003(@nihilist1)** + + + +Then we edit them accordingly by replacing "XMR_STAGENET" to "XMR_MAINNET", editing the xmrNode port to 18081 (the rpc bind port), edit the binary location, and also the user that is running the seed nodes (in my case it is the root user): + + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cat /etc/systemd/system/haveno-seednode.service + [Unit] + Description=Haveno seednode + After=network.target + + [Service] + User=root + Group=root + SyslogIdentifier=Haveno-Seednode + + ExecStart=/bin/sh /srv/haveno-reto/haveno-seednode --baseCurrencyNetwork=XMR_MAINNET\ + --useLocalhostForP2P=false\ + --useDevPrivilegeKeys=false\ + # Uncomment the following line to use external tor + --hiddenServiceAddress=5vycrhlbz44bpyvbh25b37joqj433wex7fn2d5hunp2bmxkv7ibk2vqd.onion\ + --nodePort=2002\ + --appName=haveno-XMR_MAINNET_Seed_2002\ + # --logLevel=trace\ + --xmrNode=http://127.0.0.1:18081 + # --xmrNodeUsername=admin\ + # --xmrNodePassword=password + + ExecStop=/bin/kill ${MAINPID} + Restart=always + + # Hardening + PrivateTmp=true + ProtectSystem=full + NoNewPrivileges=true + PrivateDevices=true + MemoryDenyWriteExecute=false + ProtectControlGroups=true + ProtectKernelTunables=true + RestrictSUIDSGID=true + # limit memory usage to 2gb + LimitRSS=2000000000 + + [Install] + WantedBy=multi-user.target + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl daemon-reload + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl enable --now haveno-seednode.service + Created symlink /etc/systemd/system/multi-user.target.wants/haveno-seednode.service → /etc/systemd/system/haveno-seednode.service. + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl status haveno-seednode + ● haveno-seednode.service - Haveno seednode + Loaded: loaded (/etc/systemd/system/haveno-seednode.service; enabled; preset: enabled) + Active: active (running) since Sun 2024-10-06 13:35:26 CEST; 4s ago + Main PID: 1395101 (java) + Tasks: 46 (limit: 77002) + Memory: 185.8M + CPU: 4.432s + CGroup: /system.slice/haveno-seednode.service + └─1395101 java -classpath /srv/haveno-reto/lib/seednode.jar:/srv/haveno-reto/lib/core.jar:/srv/haveno-reto/lib/p2p.jar:/srv/haveno-reto/lib/common.jar:/srv/haveno-reto/lib/proto.jar:/srv/haveno-reto/lib/assets.jar:/srv/haveno-reto/lib/guava-32.1.1-jre.jar:/srv/haveno-reto/lib/logback-classic-1.1.11.jar:/srv> + + Oct 06 13:35:28 Datura Haveno-Seednode[1395101]: >> We send a PreliminaryGetDataRequest to peer 4gmfgn22tll7ajw3tdp7nru3fvgh5ukt7w53kfv5ymijldivsqtbzdqd.onion:2003 + Oct 06 13:35:28 Datura Haveno-Seednode[1395101]: + Oct 06 13:35:28 Datura Haveno-Seednode[1395101]: Oct-06 13:35:28.638 [NetworkNode.connectionExecutor:SendMessage-to-im6hcl7hknvs...] INFO haveno.network.p2p.network.NetworkNode: Socket creation to peersNodeAddress im6hcl7hknvsrsns2newv4orfv3kd2ly5yvqtbfkiyzoohscyp5htgqd.onion:2002 took 326 ms + Oct 06 13:35:28 Datura Haveno-Seednode[1395101]: Oct-06 13:35:28.666 [NetworkNode.connectionExecutor:SendMessage-to-im6hcl7hknvs...] INFO h.n.p.p.g.m.PreliminaryGetDataRequest: Sending a PreliminaryGetDataRequest with 112.838 kB and 5127 excluded key entries. Requesters version=1.0.11 + Oct 06 13:35:28 Datura Haveno-Seednode[1395101]: Oct-06 13:35:28.669 [NetworkNode.connectionExecutor:SendMessage-to-im6hcl7hknvs...] INFO h.n.p.p.g.m.PreliminaryGetDataRequest: Sending a PreliminaryGetDataRequest with 112.838 kB and 5127 excluded key entries. Requesters version=1.0.11 + Oct 06 13:35:31 Datura Haveno-Seednode[1395101]: Oct-06 13:35:31.307 [SeedNodeMain] WARN h.core.app.misc.ExecutableForAppWithP2p: We did not find our node address in the seed nodes repository. We use a 24 hour delay after startup as shut down strategy.myAddress=5vycrhlbz44bpyvbh25b37joqj433wex7fn2d5hunp2bmxkv7ibk2vqd.o> + Oct 06 13:35:31 Datura Haveno-Seednode[1395101]: Oct-06 13:35:31.307 [SeedNodeMain] INFO haveno.core.app.misc.AppSetupWithP2P: onHiddenServicePublished + Oct 06 13:35:31 Datura Haveno-Seednode[1395101]: Oct-06 13:35:31.337 [NetworkNode.connectionExecutor:SendMessage-to-4gmfgn22tll7...] INFO haveno.network.p2p.network.NetworkNode: Socket creation to peersNodeAddress 4gmfgn22tll7ajw3tdp7nru3fvgh5ukt7w53kfv5ymijldivsqtbzdqd.onion:2003 took 2829 ms + Oct 06 13:35:31 Datura Haveno-Seednode[1395101]: Oct-06 13:35:31.340 [NetworkNode.connectionExecutor:SendMessage-to-4gmfgn22tll7...] INFO h.n.p.p.g.m.PreliminaryGetDataRequest: Sending a PreliminaryGetDataRequest with 112.833 kB and 5127 excluded key entries. Requesters version=1.0.11 + Oct 06 13:35:31 Datura Haveno-Seednode[1395101]: Oct-06 13:35:31.341 [NetworkNode.connectionExecutor:SendMessage-to-4gmfgn22tll7...] INFO h.n.p.p.g.m.PreliminaryGetDataRequest: Sending a PreliminaryGetDataRequest with 112.833 kB and 5127 excluded key entries. Requesters version=1.0.11 + + + +then we do the same for the second haveno seednode: + + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → vim /etc/systemd/system/haveno-seednode2.service + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → cat /etc/systemd/system/haveno-seednode2.service + [Unit] + Description=Haveno seednode 2 + After=network.target + + [Service] + User=root + Group=root + SyslogIdentifier=Haveno-Seednode2 + + ExecStart=/bin/sh /srv/haveno-reto/haveno-seednode --baseCurrencyNetwork=XMR_MAINNET\ + --useLocalhostForP2P=false\ + --useDevPrivilegeKeys=false\ + # Uncomment the following line to use external tor + --hiddenServiceAddress=tqxmkjprxry7xwf2sdvy55etnkp6eddc4uxj5fd6rwpnc472mpizgqyd.onion\ + --nodePort=2003\ + --appName=haveno-XMR_MAINNET_Seed_2003\ + # --logLevel=trace\ + --xmrNode=http://127.0.0.1:18081\ + # --xmrNodeUsername=admin\ + # --xmrNodePassword=password + + ExecStop=/bin/kill ${MAINPID} + Restart=always + + # Hardening + PrivateTmp=true + ProtectSystem=full + NoNewPrivileges=true + PrivateDevices=true + MemoryDenyWriteExecute=false + ProtectControlGroups=true + ProtectKernelTunables=true + RestrictSUIDSGID=true + # limit memory usage to 2gb + LimitRSS=2000000000 + + [Install] + WantedBy=multi-user.target + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl daemon-reload + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl enable --now haveno-seednode2 + + [ Datura ] [ /dev/pts/10 ] [/srv/haveno-reto] + → systemctl status haveno-seednode2 + ● haveno-seednode2.service - Haveno seednode 2 + Loaded: loaded (/etc/systemd/system/haveno-seednode2.service; enabled; preset: enabled) + Active: active (running) since Sun 2024-10-06 13:39:07 CEST; 5s ago + Main PID: 1412193 (java) + Tasks: 48 (limit: 77002) + Memory: 298.5M + CPU: 7.303s + CGroup: /system.slice/haveno-seednode2.service + └─1412193 java -classpath /srv/haveno-reto/lib/seednode.jar:/srv/haveno-reto/lib/core.jar:/srv/haveno-reto/lib/p2p.jar:/srv/haveno-reto/lib/common.jar:/srv/haveno-reto/lib/proto.jar:/srv/haveno-reto/lib/assets.jar:/srv/haveno-reto/lib/guava-32.1.1-jre.jar:/srv/haveno-reto/lib/logback-classic-1.1.11.jar:/srv> + + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: Filter: 7 / 14.044 kB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: MailboxStoragePayload: 85 / 1.206 MB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: Alert: 1 / 1.977 kB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: Arbitrator: 2 / 4.43 kB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: AccountAgeWitness: 3818 / 115.584 kB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: OfferPayload: 117 / 318.363 kB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: SignedWitness: 131 / 218.788 kB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: TradeStatistics3: 1051 / 60.468 kB + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: ################################################################# + Oct 06 13:39:12 Datura Haveno-Seednode2[1412193]: + Oct 06 13:39:13 Datura Haveno-Seednode2[1412193]: Oct-06 13:39:13.059 [Connection] INFO h.network.p2p.storage.P2PDataStorage: Processing 212 protectedStorageEntries took 539 ms. + + + +Now from here you can test (from your computer, not from the server) if the haveno seednodes work as intended, by forcing your haveno client to use them: + + + [ mainpc ] [ /dev/pts/19 ] [.local/share/Haveno-reto] + → /opt/haveno/bin/Haveno --help | grep seedNodes + --seedNodes= + + [ mainpc ] [ /dev/pts/19 ] [.local/share/Haveno-reto] + → /opt/haveno/bin/Haveno --seedNodes=5vycrhlbz44bpyvbh25b37joqj433wex7fn2d5hunp2bmxkv7ibk2vqd.onion:2002,tqxmkjprxry7xwf2sdvy55etnkp6eddc4uxj5fd6rwpnc472mpizgqyd.onion:2003 + [...] + + + +Then haveno launches as intended, and when you check into the network tab, you can see that it is bootstraping using your 2 seednodes, instead of the default ones: + +![](1.png) + +And from there, all you need to do is let the Haveno Network Administrators know that you are running some seed nodes. So as you need to reach out to the Reto network administrators, you can ping them on their [SimpleX chatroom.](https://simplex.chat/contact#/?v=2-4&smp=smp%3A%2F%2FSkIkI6EPd2D63F4xFKfHk7I1UGZVNn6k1QWZ5rcyr6w%3D%40smp9.simplex.im%2FMplYm7uxopKyUOrKqnWySpXQIGxoJWYB%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAs8PcRwnf_-H30yXfwV0MSbka9I_xBeVNr4vKJNoReBw%253D%26srv%3Djssqzccmrcws6bhmn77vgmhfjmhwlyr3u7puw4erkyoosywgl67slqqd.onion&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22YT2t__GnjpZ1W2MjJAz6Sw%3D%3D%22%7D) From there you can ask them if they are willing to put your seed node in their repository, so that upon the next release, everyone that uses the Haveno Network will be able to use your 2 new nodes to bootstrap with. + +_Disclaimer:_ i asked them and they aren't taking new seed nodes right now as there's no immediate need. so feel free to save this one for later. + diff --git a/haveno-sepa/0.1.png b/haveno-sepa/0.1.png new file mode 100644 index 0000000..5dfd917 Binary files /dev/null and b/haveno-sepa/0.1.png differ diff --git a/haveno-sepa/0.png b/haveno-sepa/0.png new file mode 100644 index 0000000..3d96357 Binary files /dev/null and b/haveno-sepa/0.png differ diff --git a/haveno-sepa/1.png b/haveno-sepa/1.png new file mode 100644 index 0000000..a1bb309 Binary files /dev/null and b/haveno-sepa/1.png differ diff --git a/haveno-sepa/10.png b/haveno-sepa/10.png new file mode 100644 index 0000000..291a61a Binary files /dev/null and b/haveno-sepa/10.png differ diff --git a/haveno-sepa/11.png b/haveno-sepa/11.png new file mode 100644 index 0000000..6c246bf Binary files /dev/null and b/haveno-sepa/11.png differ diff --git a/haveno-sepa/12.png b/haveno-sepa/12.png new file mode 100644 index 0000000..19a4fc1 Binary files /dev/null and b/haveno-sepa/12.png differ diff --git a/haveno-sepa/13.png b/haveno-sepa/13.png new file mode 100644 index 0000000..761dfeb Binary files /dev/null and b/haveno-sepa/13.png differ diff --git a/haveno-sepa/14.1.png b/haveno-sepa/14.1.png new file mode 100644 index 0000000..c923d10 Binary files /dev/null and b/haveno-sepa/14.1.png differ diff --git a/haveno-sepa/14.png b/haveno-sepa/14.png new file mode 100644 index 0000000..c87e026 Binary files /dev/null and b/haveno-sepa/14.png differ diff --git a/haveno-sepa/15.png b/haveno-sepa/15.png new file mode 100644 index 0000000..c256cb3 Binary files /dev/null and b/haveno-sepa/15.png differ diff --git a/haveno-sepa/16.png b/haveno-sepa/16.png new file mode 100644 index 0000000..f282f2b Binary files /dev/null and b/haveno-sepa/16.png differ diff --git a/haveno-sepa/17.png b/haveno-sepa/17.png new file mode 100644 index 0000000..a581149 Binary files /dev/null and b/haveno-sepa/17.png differ diff --git a/haveno-sepa/18.png b/haveno-sepa/18.png new file mode 100644 index 0000000..b7c5712 Binary files /dev/null and b/haveno-sepa/18.png differ diff --git a/haveno-sepa/19.png b/haveno-sepa/19.png new file mode 100644 index 0000000..d5f55a1 Binary files /dev/null and b/haveno-sepa/19.png differ diff --git a/haveno-sepa/2.png b/haveno-sepa/2.png new file mode 100644 index 0000000..5d9f565 Binary files /dev/null and b/haveno-sepa/2.png differ diff --git a/haveno-sepa/20.png b/haveno-sepa/20.png new file mode 100644 index 0000000..00740a0 Binary files /dev/null and b/haveno-sepa/20.png differ diff --git a/haveno-sepa/3.png b/haveno-sepa/3.png new file mode 100644 index 0000000..3ce1551 Binary files /dev/null and b/haveno-sepa/3.png differ diff --git a/haveno-sepa/4.png b/haveno-sepa/4.png new file mode 100644 index 0000000..7aaeaff Binary files /dev/null and b/haveno-sepa/4.png differ diff --git a/haveno-sepa/5.png b/haveno-sepa/5.png new file mode 100644 index 0000000..755ca89 Binary files /dev/null and b/haveno-sepa/5.png differ diff --git a/haveno-sepa/6.1.png b/haveno-sepa/6.1.png new file mode 100644 index 0000000..755ca89 Binary files /dev/null and b/haveno-sepa/6.1.png differ diff --git a/haveno-sepa/6.2.png b/haveno-sepa/6.2.png new file mode 100644 index 0000000..5d402dd Binary files /dev/null and b/haveno-sepa/6.2.png differ diff --git a/haveno-sepa/6.png b/haveno-sepa/6.png new file mode 100644 index 0000000..5d402dd Binary files /dev/null and b/haveno-sepa/6.png differ diff --git a/haveno-sepa/7.png b/haveno-sepa/7.png new file mode 100644 index 0000000..8ea6285 Binary files /dev/null and b/haveno-sepa/7.png differ diff --git a/haveno-sepa/8.1.png b/haveno-sepa/8.1.png new file mode 100644 index 0000000..e0309bd Binary files /dev/null and b/haveno-sepa/8.1.png differ diff --git a/haveno-sepa/8.2.png b/haveno-sepa/8.2.png new file mode 100644 index 0000000..ead563a Binary files /dev/null and b/haveno-sepa/8.2.png differ diff --git a/haveno-sepa/8.3.png b/haveno-sepa/8.3.png new file mode 100644 index 0000000..451e6b2 Binary files /dev/null and b/haveno-sepa/8.3.png differ diff --git a/haveno-sepa/8.4.png b/haveno-sepa/8.4.png new file mode 100644 index 0000000..7f87770 Binary files /dev/null and b/haveno-sepa/8.4.png differ diff --git a/haveno-sepa/8.5.png b/haveno-sepa/8.5.png new file mode 100644 index 0000000..127cf2a Binary files /dev/null and b/haveno-sepa/8.5.png differ diff --git a/haveno-sepa/8.png b/haveno-sepa/8.png new file mode 100644 index 0000000..db4be08 Binary files /dev/null and b/haveno-sepa/8.png differ diff --git a/haveno-sepa/9.png b/haveno-sepa/9.png new file mode 100644 index 0000000..127cf2a Binary files /dev/null and b/haveno-sepa/9.png differ diff --git a/haveno-sepa/alice.png b/haveno-sepa/alice.png new file mode 100644 index 0000000..8c82eb6 Binary files /dev/null and b/haveno-sepa/alice.png differ diff --git a/haveno-sepa/bob.png b/haveno-sepa/bob.png new file mode 100644 index 0000000..e746e11 Binary files /dev/null and b/haveno-sepa/bob.png differ diff --git a/haveno-sepa/index.md b/haveno-sepa/index.md new file mode 100644 index 0000000..179e14d --- /dev/null +++ b/haveno-sepa/index.md @@ -0,0 +1,150 @@ +--- +author: nihilist +date: 2024-05-20 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/98" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction + +![](0.png) + +In this tutorial we're going to cover an instant SEPA transfer (which is a bank transfer) transaction for monero, this is one of the most popular payment options in the EU region. (for more details on how SEPA works, check out this, [video](https://iv.nowhere.moe/watch?v=hsb0GOgIfds)). Instant SEPA was a personal favorite of mine back on the now defunct Localmonero, **due to the speed of the transanction** , the only requirement being that the other peer has a bank account that supports instant SEPA transfers. + +![](0.1.png) + +If you want to install Haveno DEX (on the Haveno Reto network) check out [this tutorial](../haveno-client-f2f/index.md) i previously made. + +**WARNING: SEPA transactions become risky when it starts to become large transactions and volumes over time:** + + + For SEPA, if you do big volume, also expect interrogation from KYC/Compliance department + From request for SoF/PoI to full on phonecall interrogation, asking about specific groups of transactions + Varies according to bank: some will ban, others will let you continue + Once again, with EMIs and online banks they are less lenient, whereas with physical banks you have wiggle-room + If you do get banned from an EMI/online bank, it is not uncommon to have IBANs associated with your name to be blacklisted (cannot receive from those EMIs/online banks) + If you get banned from a physical bank, they may put your name on a fraud registry + + + +In short, keep in mind that this may not be a reliable way to purchase monero in the long run especially if you do large transactions each time. (thanks xmrfamily for the infos) + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + 5. Application: [Haveno DEX Setup](../hypervisorsetup/index.md) + + + + +I recommend using this setup into one of the above mentionned VMs, either for [Private use](../privacy/index.md), or [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). (Note that Deanonymization will happen during the Fiat transaction, but it is minimized as you're revealing your identity to an other peer, rather than to a centralised exchange) + + + +## **Bob and Alice create their accounts** + +![](bob.png) + +First step, you need to create your account in the application, in the account: + +![](1.png) + +Then hit "Save account", and make sure you read carefully the trade protocol for SEPA bank transfers: + +![](2.png) + +Currently we're limited to 3 XMR, but gradually over time we're going to be able to do up to 12 XMR trades at once after 60 days signing. This is to reduce chargebacks risks. One thing to note here is that we are able to create multiple sepa for xmr trades, unlike in our previous examples. + +![](alice.png) + +Here, Alice creates her account for sepa instant payments on her Haveno DEX, but in contrast to Bob, she wants to only allow payments from her own country (France), as for her, that reduces risks of having to transact to a bank that can't do Instant SEPA transfers: + +![](6.1.png) + +## **Instant SEPA bank transfer -> XMR Trade** + +Then Alice creates the new Offer to sell her XMR: + +![](6.2.png) + +Here **Alice wants to sell 0.1014 XMR at current market price (which amounts to 13 euros)** , and to fund her offer in total she needs to put in 0.201907 XMR **as it includes her side of the security deposit**. + +![](7.png) + +Alice uses her monero wallet to fund the offer, and then it shows as pending on her Haveno DEX as Pending: + +![](8.png) ![](8.1.png) + +Then once the offer is funded, the offer is enabled, and other peers can see Alice's offer on the Buy section: + +![](8.2.png) + +![](bob.png) + +Now from Bob's point of view, we see Alice's offer here, and we take the offer: + +![](8.3.png) + +Bob also funds the offer as we explained [here](../haveno-client-f2f/index.md): + +![](8.4.png) + +Bob confirms he want to buy monero: + +![](10.png) ![](8.5.png) ![](11.png) + +Next, Bob has to pay 13 Euros to the Alice, via a bank transfer (SEPA instant) as he can now see her bank information: + +![](12.png) + +_Sidenote:_ Tying back to my [explanation](../finances/index.md) on why Decentralised exchanges are going to be very costly to an adversary that wants to deanonymize users, **the adversary would have to massively fund offers in monero, and loose their side of the security deposit each time, in an attempt to try and regulate the end user directly** , that's way harder than just knocking on a centralised exchange owner's door to ask him to / force him to deanonymize his entire userbase for the adversary. This is where the Haveno DEX multiplies potential adversaries' efforts manyfold compared to centralised exchanges. + +So here Bob can follow [this procedure to do the sepa instant transfer](https://iv.nowhere.moe/watch?v=77uw4rkcRsY); he goes on his banking application to add Alice Liddell as a third-party account using **her IBAN** (see example IBANs per country in the EU [here](https://developer.readyremit.com/docs/ibans)), and then he sends her the 13 euros as a transaction between private individuals, using the instant transaction feature provided by his Bank. + +![](13.png) + +Once completed, Bob declares that he has sent payment. and in case if Alice tries to deny that she received payment, Bob can take a screenshot to prove that he has sent the payment, from his bank account by clicking on viewing more details on his transaction (checking the receipt). That way, in case if there is a [dispute](../haveno-arbitrator/index.md), (meaning if Alice tries to scam Bob), he will be on the right side of arbitration, and the Arbitrator will favor him. + +![](alice.png) + +Back to Alice's side, we see that the trade has been initiated: + +![](14.png) + +So here Alice checks if she received payment on her account from the bank account of Bob (whose name just got revealed as "Bob Marley" with a specific IBAN) **As a Buyer (like Bob), don't try to use a fake IBAN and name because the infos you use are going to be required by the XMR seller (Alice) to verify from whom the payment came from. The Arbitrators are likely to favor Alice if you use false banking information.** + +![](14.1.png) + +Alice just checked her banking application, she received payment from Bob Marley, and she clicks "Confirm payment Receipt" to complete the trade. + +![](15.png) ![](bob.png) + +And lastly, Bob gets his Monero without any issue (he needs to wait 20 minutes for the monero to be spendable from his haveno monero wallet): + +![](16.png) ![](17.png) + +## **Withdrawing your funds** + +And then he can also withdraw his monero from his Haveno DEX to his other monero wallet like so: + +![](18.png) ![](19.png) ![](20.png) + +And that's it! We now covered one of the fastest and easiest way people can purchase and sell Monero in the EU region. Coming up next we'll cover how to do the most popular option there was on LocalMonero: [Cash by Mail](../haveno-cashbymail/index.md), it is the best option if you intend to exchange in large quantities. + +Check out my other tutorials on Decentralised Finances below: + + 1. [✅ How to setup your Monero wallet ](../monero2024/index.md) + 2. [✅ Why can't I trust Centralised Exchanges, and random Monero nodes ?](../chainalysisattempts/index.md) + 3. [✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐](../haveno-client-f2f/index.md) + 4. [✅ Haveno DEX Dispute resolution (Fiat -> XMR) ](../haveno-arbitrator/index.md) + 5. [**✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction**](../haveno-sepa/index.md) + 6. [✅ Haveno DEX Cash By Mail -> XMR transaction ⭐](../haveno-cashbymail/index.md) + + + diff --git a/hiddenservice/0.png b/hiddenservice/0.png new file mode 100644 index 0000000..b59ecd1 Binary files /dev/null and b/hiddenservice/0.png differ diff --git a/hiddenservice/1.png b/hiddenservice/1.png new file mode 100644 index 0000000..9f4896b Binary files /dev/null and b/hiddenservice/1.png differ diff --git a/hiddenservice/2.png b/hiddenservice/2.png new file mode 100644 index 0000000..31d1fa7 Binary files /dev/null and b/hiddenservice/2.png differ diff --git a/hiddenservice/index.md b/hiddenservice/index.md new file mode 100644 index 0000000..aab4f7d --- /dev/null +++ b/hiddenservice/index.md @@ -0,0 +1,44 @@ +--- +author: nihilist +date: 2024-08-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/105" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Where to host Anonymous Hidden Services ? + +In this tutorial we're going to look at where exactly you can host Hidden Services Anonymously. + + + +## **Hosting a Hidden Service Remotely** + +One way to host a Hidden Service is remotely. You anonymously rent a VPS to a non-KYC cloud provider (using Tor and Monero), and use it anonymously (using SSH through Tor), to host a Tor Hidden Service. + +![](1.png) + +The main advantage here is that if anything goes wrong (if you try to run a sensitive service there), you are safe from any repercussions, as the cloud provider can't know that it was you who bought and used the VPS. + +The strategy here is that whatever service you try to run, you run it as far away from your home as possible. So that if one day the location of the hidden service gets found out (as tor traffic sometimes get deanonymized, when the tor circuits go through nodes that all belong to the adversary), your home IP address doesn't get revealed. + +_Sidenote:_ know that if you try to run a sensitive service, you are literally abusing the goodwill of non-KYC cloud providers, that are willing to go the extra mile to provide anonymity for you. So please don't bite the hand that feeds you, don't run sensitive services on VPSes, as the non-KYC cloud resellers are the ones that will have to deal with the consequences afterward. + +The main drawback however, is that you are not in physical control of the server that you are using, therefore if the cloud provider has implemented extensive spying mechanisms, they will immediately find out that it is this VPS that is running said hidden service. + +_TLDR:_ it's safer in case if anything goes wrong, but you don't have physical control over the service. + +## **Self-Hosting a Hidden Service** + +Another way to host a Hidden Service is locally, you Self-host it. You are running a server at home (which could be your previous PC), to run the hidden service. And if the ISP doesn't allow Tor traffic, you use a VPN to hide the Tor traffic. + +![](2.png) + +The main advantage here is that you have complete control over the server, if an adversary has to get his hands on the server, he has to bust down your door and find it. + +The strategy here is "I use secure technology, come at me!", Which brings us to the main disadvantage however: if the technology fails you along the way for example the adversary uses a Tor 0day on you, and finds out that the hidden service is at your home IP address, then there is no way you can deny that you are the administrator of said service. In that case, using a trusted VPN that regularly deletes logs like mullvadVPN, to hide the Tor traffic, might be a lifesaver. + +![](0.png) + +There may be other attacks to figure out if you are the owner of said hidden service, like temporarily shutting down the power, or the internet connection, to see if the hidden service goes down or not. + +_TLDR:_ you have physical control over the server, but if anything goes wrong, the service is at your house. No possibility to deny that you are the administrator! + diff --git a/high_availability/attack_diagram.png b/high_availability/attack_diagram.png new file mode 100644 index 0000000..fd3194a Binary files /dev/null and b/high_availability/attack_diagram.png differ diff --git a/high_availability/ha_attack_flow.png b/high_availability/ha_attack_flow.png new file mode 100644 index 0000000..4d8fe24 Binary files /dev/null and b/high_availability/ha_attack_flow.png differ diff --git a/high_availability/index.md b/high_availability/index.md new file mode 100644 index 0000000..899afb7 --- /dev/null +++ b/high_availability/index.md @@ -0,0 +1,73 @@ +--- +author: Mulligan Security +date: 2024-12-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/186" +xmr: None +--- +# Why is High Availability Important for Deniability ? + +The concept of high availability is omnipresent in centralized services. One expects their ISP to provide internet access, their email provider to give them 100% uptime whenever they want to send an email and so on. + +**High-availability, the ability to provide high-uptime infrastructure, also has far-reaching implications for OPSEC practitioners.** + +When an adversary wants to collect information such as physical location behind a hidden service, depending on their power they will use downtime as an indicator in order to progressively narrow the pool of potential service location until they can act decisively against the remaining suspects. + +**Anonymity IS a requirement for deniability** +Being able to plausibly deny being the operator of, or a downstream service supplier to a hidden service is a significant boon to personal protection. + + + +## **Threat model** + +In order to understand how high availability, or lack thereof, impacts our security posture **me must first define the skills and abilities of our adversary**. For this tutorial the adversary has the following attributes: + + + + * Ability to monitor the hidden service status and know rapidly if it goes offline + * Ability to directly tamper with either the power grid or the internet infrastructure with high granularity (DSLAM level, which could be a small town or a group of city blocks) + * Ability to monitor the effects of tampering or incidents impacting the power grid or the internet infrastructure + +A concrete example of such an adversary would be **law enforcement and government agencies**. + +## **Attack Scenario** + +The adversary has identified a probable city of residence for the administrator of a hidden service. In order to narrow down their search perimeter they will do the following: + + + 1. Target 1 group of city block and send someone to the internet backbone for this city block to cut it off from the internet + 2. Check wheter the onion service **is still up** + 3. If it goes down, add it to the suspect pool + + + +## **How can high availability help?** + +In the above scenario if the onion service operator had setup a **redundant, highly available server then connections would have been seamlessly sent to another server** in the redundancy pool, thus preventing the adversary from extracting location information based on their operation. This works best with a server in a **different country or region** , making a coordinated attack by several adversaries a requirement in order to use this method for deanonymization. + +## **Adversary Attack Flow** + +Below is a chart depicting an adversary attack flow. As shown, high availability will prevent the adversary from progressing beyond their initial step of uptime-based target acquisition. + +![](ha_attack_flow.png) +As you can see the adversarie's playbook is quite simple: + + + + 1. Identify a list of potential suspects + 2. Cut them off the internet + 3. Check wheter this action made the hidden service unreachable + +Those actions are easily perpetrated by law enforcement as they only require: + + + * DSLAM level access to the internet backbone used by the suspects (impacting a perimeter like a city block) + * City block level access to the power grid in order to run disruptive actions + + +Both of those are trival to obtain for LEOs (law enforcement officers). + +![](attack_diagram.png) +This Diagram shows where the attack takes place and how a redundant setup prevent such attacks from confirming the physical location of the hidden service. + +**In conclusion, your hidden service is one downtime away from having its location disclosed to an adversary, so you need to make sure it has High Availability** + diff --git a/hypervisorsetup/0.png b/hypervisorsetup/0.png new file mode 100644 index 0000000..f845c25 Binary files /dev/null and b/hypervisorsetup/0.png differ diff --git a/hypervisorsetup/1.png b/hypervisorsetup/1.png new file mode 100644 index 0000000..6a7043c Binary files /dev/null and b/hypervisorsetup/1.png differ diff --git a/hypervisorsetup/10.png b/hypervisorsetup/10.png new file mode 100644 index 0000000..614c5e5 Binary files /dev/null and b/hypervisorsetup/10.png differ diff --git a/hypervisorsetup/100.png b/hypervisorsetup/100.png new file mode 100644 index 0000000..78c6f65 Binary files /dev/null and b/hypervisorsetup/100.png differ diff --git a/hypervisorsetup/101.png b/hypervisorsetup/101.png new file mode 100644 index 0000000..d597264 Binary files /dev/null and b/hypervisorsetup/101.png differ diff --git a/hypervisorsetup/102.png b/hypervisorsetup/102.png new file mode 100644 index 0000000..41c36e7 Binary files /dev/null and b/hypervisorsetup/102.png differ diff --git a/hypervisorsetup/103.png b/hypervisorsetup/103.png new file mode 100644 index 0000000..964c1e6 Binary files /dev/null and b/hypervisorsetup/103.png differ diff --git a/hypervisorsetup/104.png b/hypervisorsetup/104.png new file mode 100644 index 0000000..b24506f Binary files /dev/null and b/hypervisorsetup/104.png differ diff --git a/hypervisorsetup/105.png b/hypervisorsetup/105.png new file mode 100644 index 0000000..4684a9f Binary files /dev/null and b/hypervisorsetup/105.png differ diff --git a/hypervisorsetup/106.png b/hypervisorsetup/106.png new file mode 100644 index 0000000..ce8464f Binary files /dev/null and b/hypervisorsetup/106.png differ diff --git a/hypervisorsetup/107.png b/hypervisorsetup/107.png new file mode 100644 index 0000000..58d62e6 Binary files /dev/null and b/hypervisorsetup/107.png differ diff --git a/hypervisorsetup/10_dev_list_over_onion.png b/hypervisorsetup/10_dev_list_over_onion.png new file mode 100644 index 0000000..001adc4 Binary files /dev/null and b/hypervisorsetup/10_dev_list_over_onion.png differ diff --git a/hypervisorsetup/11.png b/hypervisorsetup/11.png new file mode 100644 index 0000000..e17f333 Binary files /dev/null and b/hypervisorsetup/11.png differ diff --git a/hypervisorsetup/12.png b/hypervisorsetup/12.png new file mode 100644 index 0000000..f3f7a8b Binary files /dev/null and b/hypervisorsetup/12.png differ diff --git a/hypervisorsetup/13.png b/hypervisorsetup/13.png new file mode 100644 index 0000000..4f41e8e Binary files /dev/null and b/hypervisorsetup/13.png differ diff --git a/hypervisorsetup/2.png b/hypervisorsetup/2.png new file mode 100644 index 0000000..edefd71 Binary files /dev/null and b/hypervisorsetup/2.png differ diff --git a/hypervisorsetup/21.png b/hypervisorsetup/21.png new file mode 100644 index 0000000..db31367 Binary files /dev/null and b/hypervisorsetup/21.png differ diff --git a/hypervisorsetup/22.png b/hypervisorsetup/22.png new file mode 100644 index 0000000..5479b9c Binary files /dev/null and b/hypervisorsetup/22.png differ diff --git a/hypervisorsetup/23.png b/hypervisorsetup/23.png new file mode 100644 index 0000000..53bcc8b Binary files /dev/null and b/hypervisorsetup/23.png differ diff --git a/hypervisorsetup/24.png b/hypervisorsetup/24.png new file mode 100644 index 0000000..ba0a143 Binary files /dev/null and b/hypervisorsetup/24.png differ diff --git a/hypervisorsetup/25.png b/hypervisorsetup/25.png new file mode 100644 index 0000000..9814cdc Binary files /dev/null and b/hypervisorsetup/25.png differ diff --git a/hypervisorsetup/26.png b/hypervisorsetup/26.png new file mode 100644 index 0000000..d01eedc Binary files /dev/null and b/hypervisorsetup/26.png differ diff --git a/hypervisorsetup/27.png b/hypervisorsetup/27.png new file mode 100644 index 0000000..3bf8c3d Binary files /dev/null and b/hypervisorsetup/27.png differ diff --git a/hypervisorsetup/28.png b/hypervisorsetup/28.png new file mode 100644 index 0000000..25aec19 Binary files /dev/null and b/hypervisorsetup/28.png differ diff --git a/hypervisorsetup/29.png b/hypervisorsetup/29.png new file mode 100644 index 0000000..eb8d7db Binary files /dev/null and b/hypervisorsetup/29.png differ diff --git a/hypervisorsetup/3.png b/hypervisorsetup/3.png new file mode 100644 index 0000000..0fc7513 Binary files /dev/null and b/hypervisorsetup/3.png differ diff --git a/hypervisorsetup/30.png b/hypervisorsetup/30.png new file mode 100644 index 0000000..b6a2890 Binary files /dev/null and b/hypervisorsetup/30.png differ diff --git a/hypervisorsetup/31.png b/hypervisorsetup/31.png new file mode 100644 index 0000000..bc7546a Binary files /dev/null and b/hypervisorsetup/31.png differ diff --git a/hypervisorsetup/32.png b/hypervisorsetup/32.png new file mode 100644 index 0000000..fefc4c5 Binary files /dev/null and b/hypervisorsetup/32.png differ diff --git a/hypervisorsetup/33.png b/hypervisorsetup/33.png new file mode 100644 index 0000000..d9b510d Binary files /dev/null and b/hypervisorsetup/33.png differ diff --git a/hypervisorsetup/34.png b/hypervisorsetup/34.png new file mode 100644 index 0000000..a4253d1 Binary files /dev/null and b/hypervisorsetup/34.png differ diff --git a/hypervisorsetup/35.png b/hypervisorsetup/35.png new file mode 100644 index 0000000..5aa4f09 Binary files /dev/null and b/hypervisorsetup/35.png differ diff --git a/hypervisorsetup/36.png b/hypervisorsetup/36.png new file mode 100644 index 0000000..637d1f0 Binary files /dev/null and b/hypervisorsetup/36.png differ diff --git a/hypervisorsetup/37.png b/hypervisorsetup/37.png new file mode 100644 index 0000000..a751ab0 Binary files /dev/null and b/hypervisorsetup/37.png differ diff --git a/hypervisorsetup/38.png b/hypervisorsetup/38.png new file mode 100644 index 0000000..8dc222a Binary files /dev/null and b/hypervisorsetup/38.png differ diff --git a/hypervisorsetup/39.png b/hypervisorsetup/39.png new file mode 100644 index 0000000..ae92674 Binary files /dev/null and b/hypervisorsetup/39.png differ diff --git a/hypervisorsetup/4.png b/hypervisorsetup/4.png new file mode 100644 index 0000000..daa4320 Binary files /dev/null and b/hypervisorsetup/4.png differ diff --git a/hypervisorsetup/5.png b/hypervisorsetup/5.png new file mode 100644 index 0000000..57ecd08 Binary files /dev/null and b/hypervisorsetup/5.png differ diff --git a/hypervisorsetup/50.png b/hypervisorsetup/50.png new file mode 100644 index 0000000..37b741d Binary files /dev/null and b/hypervisorsetup/50.png differ diff --git a/hypervisorsetup/51.png b/hypervisorsetup/51.png new file mode 100644 index 0000000..db92b6a Binary files /dev/null and b/hypervisorsetup/51.png differ diff --git a/hypervisorsetup/6.png b/hypervisorsetup/6.png new file mode 100644 index 0000000..7e895ec Binary files /dev/null and b/hypervisorsetup/6.png differ diff --git a/hypervisorsetup/7.png b/hypervisorsetup/7.png new file mode 100644 index 0000000..d07930b Binary files /dev/null and b/hypervisorsetup/7.png differ diff --git a/hypervisorsetup/8.png b/hypervisorsetup/8.png new file mode 100644 index 0000000..ee7ee31 Binary files /dev/null and b/hypervisorsetup/8.png differ diff --git a/hypervisorsetup/9.png b/hypervisorsetup/9.png new file mode 100644 index 0000000..db8c7fc Binary files /dev/null and b/hypervisorsetup/9.png differ diff --git a/hypervisorsetup/999.png b/hypervisorsetup/999.png new file mode 100644 index 0000000..35240b2 Binary files /dev/null and b/hypervisorsetup/999.png differ diff --git a/hypervisorsetup/index.md b/hypervisorsetup/index.md new file mode 100644 index 0000000..c9e5fc9 --- /dev/null +++ b/hypervisorsetup/index.md @@ -0,0 +1,154 @@ +--- +author: nihilist +date: 2024-01-29 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/80" +xmr: 85fGTpPWivci2dRzJSgvm5QeEuEUZ11ZDbZA6Yc58XdCHSen2oRKLpgbNBr1sv9gacbrfMP3Qw23RcGqYb8V1FN4L67kph6 +--- +# Linux Hypervisor Setup (QEMU/KVM virtualisation) + +![](999.png) + +In this tutorial we're going to cover how to setup the open source hypervisor QEMU/KVM in [Linux](../linux/index.md) host OS, using the libvirt technology. + +## _OPSEC Recommendations:_ + + 1. Hardware : PC / Laptop / Homeserver / Remote Server + + 2. Host OS : [Linux](../linux/index.md) + + + + +I recommend using this setup first of all to **isolate your Public use** , and to **segment it from the other Uses** such as [Private use](../privacy/index.md), but it can later be used for [Anonymous use](../anonymityexplained/index.md), and also [Sensitive Use](../deniability/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). + + + +## **Why should Bob use an open-source hypervisor ?** + +Bob has a problem, he wants to use his laptop for 4 different internet uses: + +![](../internetsegmentation/4.png) + +But currently, he has only one laptop with linux as the host OS. + +![](21.png) + +So the idea basically is that Bob does not need to purchase 4 laptops each for a different usage, he just needs to virtualise those machines using a Hypervisor: + +![](22.png) + +Bob is going to use a QEMU/KVM hypervisor to virtualize 4 VMs, each for a specific use. The windows VM will be for public use, the debian VM will be for the private use, the Whonix VM will be for Anonymous use, and the other whonix VMs in the veracrypt hidden volume be used for sensitive uses. + +## **Virtualisation setup** + +Next **we do not virtualize anything using closed-source software** like VMWare Workstation or else. **We use QEMU/KVM with virt-manager, which is an open source hypervisor** : + + + [user ~]%:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils + + sudo systemctl enable --now libvirtd + + [user ~]%:~# sudo usermod -a -G libvirt user + [user ~]%:~# sudo usermod -a -G kvm user + + + +Next we're going to use vim (which is a terminal-based text editor) to edit the libvirtd config files, that is to make sure that we can create and edit vms without requiring to type the admin password every time. **From inside vim you need to press i to enter insert mode (to be able to actually edit the file contents)** , then you can edit the mentionned lines to mention the libvirt group and the "user" username, **then press ESC to exit insert mode, and then type :wq to save your edits and exit the config files:** + + + [user ~]%:~# sudo vim /etc/libvirt/libvirtd.conf + + unix_sock_group = "libvirt" + unix_sock_rw_perms = "0770" + + :wq + + [user ~]%:~# sudo vim /etc/libvirt/qemu.conf + + group = "libvirt" + user = "user" + + :wq + + [user ~]%:~# systemctl restart libvirtd.service + + [user ~]%:~# virt-manager + + + +Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions: + +![](11.png) + +And also create another NAT network so that we can put all the untrusted VMs such as Windows into: + +![](50.png) + +That way, the adversary that can normally see what's going on in the network attached to the Windows VM can no longer see as it is being put in a different network altogether. + + + [user ~]%:~$ mkdir ISOs + [user ~]%:~$ mkdir VMs + + [user ~]%:~$ sudo chmod 770 -R VMs + [user ~]%:~$ sudo chmod 770 -R ISOs + + [user ~]%:~$ sudo chown nihilist:libvirt -R VMs + [user ~]%:~$ sudo chown nihilist:libvirt -R ISOs + + + +Then you can add the file directories in virt-manager like so: + +![](13.png) ![](12.png) + +And now you're all set to start making VMs while maintaining the open-source requirement. If you still want to use a closed-source OS, you can do so in a QEMU VM from virt-manager. **always remember that closed-source OSes like Windows belong in a VM, never out of one.** + +Additional notes: you can prevent an adversary to tamper with your laptop, by using glitter polish as shown in mullvad's [tutorial](https://mullvad.net/en/blog/how-tamper-protect-laptop-nail-polish), and also make sure that your phone does not have a closed-source host OS by using [ Graphene OS](https://grapheneos.org/install/cli). + +## **How to setup the Public use VM** + +Next, Bob needs to use VMs for 2 basic needs: Public internet usage, and Private internet usage. He first needs to download the [Windows ISO](https://www.microsoft.com/en-us/software-download/windows10ISO) file, and the [debian iso](https://www.debian.org/distrib/netinst) file too: + +First he creates the windows VM like so: + +![](23.png) ![](24.png) ![](25.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png) ![](30.png) + +Then before we begin the installation, we make sure that the windows VM uses the untrusted NAT network to make sure it remains isolated: + +![](51.png) + +Then we hit Apply, and then we click on begin installation + +![](31.png) ![](32.png) ![](33.png) + +Then in the windows VM he installs the OS on the virtual disk: + +![](36.png) ![](37.png) + +Then Bob can launch the windows VM (make sure that the VM boots onto the disk instead of the iso in the boot settings): + +![](38.png) ![](39.png) + +Then Bob can use the windows VM for his public usage (such as KYC services, and closed-source software). **Keep in mind that the windows VM is the place where the big eye of sauron can see what you are doing. NEVER do anything sensitive from this VM, because you will never have any privacy in it.** + +## **How to setup the Private use VM** + +To setup the Private use VM, we'll download the Kicksecure ISO just like we previously did in the host OS tutorial, except this time we'll directly attach it to a new VM: + +![](100.png) ![](101.png) ![](102.png) ![](103.png) ![](104.png) ![](105.png) ![](106.png) + +From there you can repeat the steps that we took [to install kicksecure on the host OS](../linux/index.md), to install it: + +![](../linux/23.png) ![](../linux/24.png) ![](../linux/25.png) ![](../linux/26.png) ![](../linux/28.png) + +Once here, we reboot the VM, and upon rebooting we unlock the encrypted system drive: + +![](../linux/52.png) ![](../linux/53.png) + +And from here we have our private VM setup! **Warning: You only have privacy in this VM, as long as you do not install any closed-source software (ex: no discord, no google chrome, etc) in it!** Make sure that you ONLY install FOSS software in the private VM. **Any closed-source software you want to install needs to be installed in the Public VM instead.** + +![](107.png) + +Next, Bob can setup a [VPN](../vpn/index.md) by default into his kicksecure VM to prevent his ISP from spying on what he is doing. + diff --git a/hypervisorsetup/new_grub.png b/hypervisorsetup/new_grub.png new file mode 100644 index 0000000..a7da111 Binary files /dev/null and b/hypervisorsetup/new_grub.png differ diff --git a/hypervisorsetup/sdwdate.png b/hypervisorsetup/sdwdate.png new file mode 100644 index 0000000..342b9c1 Binary files /dev/null and b/hypervisorsetup/sdwdate.png differ diff --git a/hypervisorsetup/sys_inter.png b/hypervisorsetup/sys_inter.png new file mode 100644 index 0000000..28a0d1e Binary files /dev/null and b/hypervisorsetup/sys_inter.png differ diff --git a/hypervisorsetup/tor.png b/hypervisorsetup/tor.png new file mode 100644 index 0000000..5df64cf Binary files /dev/null and b/hypervisorsetup/tor.png differ diff --git a/i2ptorrents/0.0.png b/i2ptorrents/0.0.png new file mode 100644 index 0000000..1caaeae Binary files /dev/null and b/i2ptorrents/0.0.png differ diff --git a/i2ptorrents/0.1.png b/i2ptorrents/0.1.png new file mode 100644 index 0000000..aeb8272 Binary files /dev/null and b/i2ptorrents/0.1.png differ diff --git a/i2ptorrents/1.png b/i2ptorrents/1.png new file mode 100644 index 0000000..1cc453e Binary files /dev/null and b/i2ptorrents/1.png differ diff --git a/i2ptorrents/10.png b/i2ptorrents/10.png new file mode 100644 index 0000000..30429a5 Binary files /dev/null and b/i2ptorrents/10.png differ diff --git a/i2ptorrents/11.png b/i2ptorrents/11.png new file mode 100644 index 0000000..91bb4ce Binary files /dev/null and b/i2ptorrents/11.png differ diff --git a/i2ptorrents/12.png b/i2ptorrents/12.png new file mode 100644 index 0000000..d94d246 Binary files /dev/null and b/i2ptorrents/12.png differ diff --git a/i2ptorrents/13.png b/i2ptorrents/13.png new file mode 100644 index 0000000..2091353 Binary files /dev/null and b/i2ptorrents/13.png differ diff --git a/i2ptorrents/14.png b/i2ptorrents/14.png new file mode 100644 index 0000000..924c778 Binary files /dev/null and b/i2ptorrents/14.png differ diff --git a/i2ptorrents/15.png b/i2ptorrents/15.png new file mode 100644 index 0000000..1cc2b13 Binary files /dev/null and b/i2ptorrents/15.png differ diff --git a/i2ptorrents/16.png b/i2ptorrents/16.png new file mode 100644 index 0000000..1385189 Binary files /dev/null and b/i2ptorrents/16.png differ diff --git a/i2ptorrents/17.png b/i2ptorrents/17.png new file mode 100644 index 0000000..90f9343 Binary files /dev/null and b/i2ptorrents/17.png differ diff --git a/i2ptorrents/18.png b/i2ptorrents/18.png new file mode 100644 index 0000000..ca6eb94 Binary files /dev/null and b/i2ptorrents/18.png differ diff --git a/i2ptorrents/19.png b/i2ptorrents/19.png new file mode 100644 index 0000000..5fa733a Binary files /dev/null and b/i2ptorrents/19.png differ diff --git a/i2ptorrents/2.png b/i2ptorrents/2.png new file mode 100644 index 0000000..51dff89 Binary files /dev/null and b/i2ptorrents/2.png differ diff --git a/i2ptorrents/20.png b/i2ptorrents/20.png new file mode 100644 index 0000000..e9f85a5 Binary files /dev/null and b/i2ptorrents/20.png differ diff --git a/i2ptorrents/21.png b/i2ptorrents/21.png new file mode 100644 index 0000000..5e95c8c Binary files /dev/null and b/i2ptorrents/21.png differ diff --git a/i2ptorrents/22.png b/i2ptorrents/22.png new file mode 100644 index 0000000..b75f483 Binary files /dev/null and b/i2ptorrents/22.png differ diff --git a/i2ptorrents/23.png b/i2ptorrents/23.png new file mode 100644 index 0000000..0afc394 Binary files /dev/null and b/i2ptorrents/23.png differ diff --git a/i2ptorrents/24.png b/i2ptorrents/24.png new file mode 100644 index 0000000..1bada93 Binary files /dev/null and b/i2ptorrents/24.png differ diff --git a/i2ptorrents/25.png b/i2ptorrents/25.png new file mode 100644 index 0000000..ce3d35b Binary files /dev/null and b/i2ptorrents/25.png differ diff --git a/i2ptorrents/26.png b/i2ptorrents/26.png new file mode 100644 index 0000000..511d63e Binary files /dev/null and b/i2ptorrents/26.png differ diff --git a/i2ptorrents/3.png b/i2ptorrents/3.png new file mode 100644 index 0000000..9158ef5 Binary files /dev/null and b/i2ptorrents/3.png differ diff --git a/i2ptorrents/4.png b/i2ptorrents/4.png new file mode 100644 index 0000000..160a9b9 Binary files /dev/null and b/i2ptorrents/4.png differ diff --git a/i2ptorrents/5.png b/i2ptorrents/5.png new file mode 100644 index 0000000..b89d18c Binary files /dev/null and b/i2ptorrents/5.png differ diff --git a/i2ptorrents/6.png b/i2ptorrents/6.png new file mode 100644 index 0000000..e061370 Binary files /dev/null and b/i2ptorrents/6.png differ diff --git a/i2ptorrents/7.png b/i2ptorrents/7.png new file mode 100644 index 0000000..387f363 Binary files /dev/null and b/i2ptorrents/7.png differ diff --git a/i2ptorrents/8.png b/i2ptorrents/8.png new file mode 100644 index 0000000..142c254 Binary files /dev/null and b/i2ptorrents/8.png differ diff --git a/i2ptorrents/9.png b/i2ptorrents/9.png new file mode 100644 index 0000000..f1fc781 Binary files /dev/null and b/i2ptorrents/9.png differ diff --git a/i2ptorrents/index.md b/i2ptorrents/index.md new file mode 100644 index 0000000..b6b8038 --- /dev/null +++ b/i2ptorrents/index.md @@ -0,0 +1,287 @@ +--- +author: oxeo0 +date: 2025-03-14 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/17" +xmr: 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ +--- +# Peer-to-Peer Large File Sharing (Torrents over I2P) + +![](0.0.png) + + + +## **Introduction** + +Torrenting is a popular way to share large files. It allows users to share them without having to trust the central server. +However, back in 2004 when [BitTorrent protocol](https://en.wikipedia.org/wiki/BitTorrent) was invented, nobody really thought about making it anonymous or even encrypted. Thus torrenting requires client to share their IP address publicly. This means that torrenting can be used to track people's activities on the Internet. In order to protect your privacy and anonymity, you should use a VPN or anonymizing proxy (like I2P) when sharing files over BitTorrent protocol. + +We already know how to [share files with BitTorrent client over VPN](../p2ptorrents/index.md). While this is secure, fast and convenient, it doesn't make us truly anonymous. + +In this tutorial, we'll configure an I2P router to share files using the I2P bittorrent client. + +Using torrents with I2P has several benefits: + + * **Full anonymity** \- while VPN masks the IP address of the client, I2P gets rid of IP addresses entirely replacing them with destination tunnel addresses. + + + * **Decentralization** \- it works without trackers or a central authority. + + + * **Free** (as in price) - you don't need to buy a VPN service for both Alice and Bob. + + + * **Traffic obfuscation** \- I2P has transit tunnels which make it harder to fingerprint torrent traffic. + + + + +But it also comes with several drawbacks: + + * **Speed** \- I2P is much slower than VPN because it routes the traffic through several hops. + + + * **Convenience** \- I2P needs to build the tunnels for some time before torrenting. It's best to keep it running in the background to get faster tunnels which may be inconvenient. + + + + +## **Why I2P, not Tor?** + + + + + +Both I2P and Tor are encrypted overlay networks which aim to deliever privacy and anonymity for servers and clients. They use [onion](https://en.wikipedia.org/wiki/Onion_routing) or [garlic](https://en.wikipedia.org/wiki/Garlic_routing) routing to hide originating and destination IP addresses. To discover servers on the network, they both use Distributed Hash Table (DHT). +However while Tor is designed mostly for client-server applications, I2P takes more [peer-to-peer](https://en.wikipedia.org/wiki/Peer-to-peer) approach. In I2P, every node is encouraged to act as a relay for others. Your I2P client will accept transit tunnels to participate in anonymizing traffic of other nodes. This also has the benefit of obscuring you traffic volume preventing bandwidth correlation attacks. On the other hand, Tor relays are usually ran by volounteers on separate Tor instances, they require high bandwidth and stable internet connection so most of them run in datacenters. + +Another very important aspect is that Tor still doesn't support [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) traffic which torrents require to function. It's possible to do [UDP tunneling over Tor](https://www.whonix.org/wiki/Tunnel_UDP_over_Tor) but it's not very efficient and requires specific configuration. +The Tor community [discourages](https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea/) usage of Tor for torrenting. +I2P on the other hand is built on top of UDP and is much better suited for torrenting. Over the years, the torrenting ecosystem in I2P matured to the point where even qBittorrent introduced [experimental I2P support](https://news.itsfoss.com/qbittorrent-4-6-0/). +However in this guide we'll use the bittorrent client built specifically for I2P - [I2PSnark](https://i2pgit.org/i2p-hackers/i2p.i2p/-/tree/master/apps/i2psnark). + +## **Prerequisites** + + + + + +It's assumed Alice and Bob have a working internet connection, a Debian 12 with a desktop environment and root access to their computers. +They can have firewall or NAT (I2P can do [NAT traversal](https://en.wikipedia.org/wiki/NAT_traversal)) but it would be ideal to have the ability to open one UDP port on the router. It's also possible to run I2P on a separate machine in your LAN (like a NAS or Raspberry PI running Debian). I2P greatly benefits from running constantly since it can discover faster tunnels over time. + +Here's a simplified graph showcasing how the file will be sent over I2P network: + +![](0.1.png) + + + +## **I2P Installation** (Alice AND Bob) + + + + + +Both Alice and Bob need to install I2P on their computers. The steps listed below are up-to-date as of now, but always check the [official guide](https://geti2p.net/en/download/debian) in case something has changed since this guide was written. +Install packages used for adding repositories and signing keys: + + + alice@alicepc:~$ sudo apt update + alice@alicepc:~$ sudo apt-get install apt-transport-https lsb-release curl + + +Add I2P repository signed by their key: + + + alice@alicepc:~$ echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p.net/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/i2p.list + + +Import signing key: + + + alice@alicepc:~$ curl -o /tmp/i2p-archive-keyring.gpg https://geti2p.net/_static/i2p-archive-keyring.gpg + alice@alicepc:~$ sudo cp /tmp/i2p-archive-keyring.gpg /usr/share/keyrings + + +Finally, install I2P: + + + alice@alicepc:~$ sudo apt-get update + alice@alicepc:~$ sudo apt-get install i2p i2p-keyring + + +If you decided to go with I2P on separate server, you may need to make Web UI accessible on your local network: + + + alice@alicepc:~$ sudo sed -i 's/127\.0\.0\.1/0\.0\.0\.0/g' /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config + alice@alicepc:~$ sudo systemctl restart i2p + + +Repeat the **same steps** on Bob's machine. + +## **I2P Setup** (Alice AND Bob) + + + + + +By now, Alice and Bob have I2P running in the background on their computers. +**Both of them** need to do initial configuration of their I2P routers. +The I2P Console should be accessible at [**http://localhost:7657**](http://localhost:7657). If I2P was installed on a different machine, change **localhost** to the IP address of that machine. + +Navigating to this address, you should be greeted with configuration wizard: + +![](1.png) + +Select theme (I recommend dark of course): + +![](2.png) + +Agree to the terms of speedtest service: + +![](3.png) + +Bandwidth test should now begin: + +![](4.png) + +It should finish in a few seconds: + +![](5.png) + +Now you can choose how much bandwidth you want to use for I2P. You also set the transit bandwidth expressed as a percentage of total I2P bandwidth. It's recommended to keep it at 80%: + +![](6.png) + +Configuring I2P web browsing is a topic for a whole different guide. For now, we will just configure I2P for torrenting so skip this section by clicking **Next** : + +![](7.png) + +The configuration wizard should be completed, just click **Finished** : + +![](8.png) + +Now you should be redirected to the **I2P Console**. Here you can find the links to I2P-native apps and services. +You can also configure your I2P Router settings and see its **uptime** (in green), **bandwidth statistics** (in red) and **network status** (in blue): + +![](9.png) + +As you can see, my network status is **Firewalled**. I2P should work just fine behind firewalls, however to get faster speeds and better tunnels, we can **open UDP port on your firewall**. +This is **entirely optional** so if you don't have the ability to expose port to the internet, just skip to the next section. +In I2P the port is choosen randomly at the time of installation. To check it which port needs to be opened, go to the **configuration page** : + +![](10.png) + +Select the **Network** tab: + +![](11.png) + +Scroll down a bit and check which UDP port was chosen. In my case it's **14496**. On your main router or firewall you can forward this UDP port. +The actual instructions will differ across firewall vendors so I won't show them here. After that, network status should change to **OK**. + +![](12.png) + + + +## **I2PSnark Configuration** (Alice AND Bob) + + + + + +With I2P up and running, we can now configure the built-in torrent app called **I2PSnark**. +To do this, we need to navigate back to the **I2P Console** and click on the **Torrents** application: + +![](13.png) + +I2PSnark also has its own configuration which we need to adjust. Click on the **Configuration** button: + +![](14.png) + +Take a note of the **Data directory**. By default it's **/var/lib/i2p/i2psnark-config/i2psnark**. Torrents will be stored in there. +Now change the **bandwidth** to half of that of what we set for I2P. +The **number of hops** should be left at **3**. It's the number of routers I2P will tunnel your traffic through before reaching the destination (just like [Onion Routing](https://en.wikipedia.org/wiki/Onion_routing) in Tor). +Lower values usually increase speed and decrease anonymity. +You can also adjust the **number of tunnels** I2PSnark will use for connections. +Setting it to **10** will give I2P more choice and potentially increase speed at the expense of higher CPU usage. +After that's done, click **Save configuration** button: + +![](15.png) + + + +## **Creating Torrent** (Alice) + +To create and seed files, Alice needs to move them to the **Data directory** we set earlier in I2PSnark configuration. +Let's assume Alice wants to send a single large file to Bob - [enwik9](https://mattmahoney.net/dc/textdata.html), which contains the first 1 GB from Wikipedia dump. +It would work the same way for seeding entire directory. Just provide the path to the directory Alice wants to seed. + + + + alice@alicepc:~$ sudo mv -v enwik9 /var/lib/i2p/i2psnark-config/i2psnark + renamed 'enwik9' -> '/var/lib/i2p/i2psnark-config/i2psnark/enwik9' + +While a bit inconvenient, the default directory has the appropriate permissions set so that only **i2p** user can access it on your Linux system. +It doesn't have read permission on Alice's files under **/home/alice** so if your i2p daemon were ever to be compromised, the files couldn't be read so easily. + + +Alice should click **Create Torrent** option in I2PSnark: + +![](16.png) + +Now she should put the name of file to be seeded in **Data to seed** field and ensure **no trackers are selected** (only DHT will be used to find peers): + +![](17.png) + +We can safely ignore this warning message since we explicitly selected DHT with no trackers. +To start seeding, click the play button next to the torrent: + +![](18.png) + +Now verify the status says **Seeding** and check the details to get the torrent's hash: + +![](19.png) + +Here's the torrent hash. Anyone who has this hash will be able to download it while Alice is seeding: + +![](20.png) + + + +## **Sharing Torrent Hash over Secure Channel** (Alice -> Bob) + +If you want to keep the torrent private, it's important not to share torrent hash publicly. Alice will use [SimpleX](https://blog.nowhere.moe/opsec/anonsimplex/index.md) chat to share the torrent hash with Bob: + +![](26.png) + + + +## **Downloading The Torrent** (Bob) + +To download the torrent, Bob needs to open the I2PSnark torrent client and click on **Add Torrent** : + +![](21.png) + +After that, Bob will be prompted with a dialog box to enter the torrent hash he got from Alice into the **From URL** field and click **Add torrent** : + +![](22.png) + +I2PSnark will now look through the DHT and make a connection with Alice. Once a connection has been made, the download will be started: + +![](23.png) + +As we can see, Bob's client connected to 1 peer (Alice) and downloads with a speed of 75 KB/s. +Alice knows when someone's connected to her. Here's how it looks on her side: + +![](24.png) + +On my network it took around 3 hours to send this 1 GB file. It's certainly slower than torrenting over a VPN, but the speed may improve over time when better tunnels are discovered. +After the download is finished, Bob will have the file in **/var/lib/i2p/i2psnark-config/i2psnark** directory. +Both Bob and Alice can now click the "Stop" button to disable seeding (so that nobody else can download the file): + +![](25.png) + + + +## **Conclusion** + +Alice and Bob have successfully shared a file using I2P network. The transfer was fully anonymous and decentralized. + diff --git a/index.md b/index.md new file mode 100644 index 0000000..f439c03 --- /dev/null +++ b/index.md @@ -0,0 +1,16 @@ +# Index + +We have contribution guide and whatever here. + +# Upcoming tutorials: + +## Anonymity + +- TODO1 +- TODO2 +- TODO3 + +## Privacy + +- TODO4 +- TODO5 diff --git a/internetsegmentation/1.png b/internetsegmentation/1.png new file mode 100644 index 0000000..ae102eb Binary files /dev/null and b/internetsegmentation/1.png differ diff --git a/internetsegmentation/2.png b/internetsegmentation/2.png new file mode 100644 index 0000000..77cedf2 Binary files /dev/null and b/internetsegmentation/2.png differ diff --git a/internetsegmentation/3.png b/internetsegmentation/3.png new file mode 100644 index 0000000..1d094d2 Binary files /dev/null and b/internetsegmentation/3.png differ diff --git a/internetsegmentation/4.png b/internetsegmentation/4.png new file mode 100644 index 0000000..c0a3a22 Binary files /dev/null and b/internetsegmentation/4.png differ diff --git a/internetsegmentation/5.png b/internetsegmentation/5.png new file mode 100644 index 0000000..53edcfa Binary files /dev/null and b/internetsegmentation/5.png differ diff --git a/internetsegmentation/6.png b/internetsegmentation/6.png new file mode 100644 index 0000000..fb449f3 Binary files /dev/null and b/internetsegmentation/6.png differ diff --git a/internetsegmentation/index.md b/internetsegmentation/index.md new file mode 100644 index 0000000..a58f471 --- /dev/null +++ b/internetsegmentation/index.md @@ -0,0 +1,104 @@ +--- +author: nihilist +date: 2024-04-26 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/71" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Internet Usage Segmentation Setup + +In this tutorial we're going to cover how to properly segment your internet usage. This is the most common opsec practice that you should always use. We're going to base ourselves off from the pyramid of internet use that we have seen [previously](../opsec4levels/index.md), to be able to replicate each of the 4 OPSEC levels into our current setup: + +![](../opsec4levels/0.3.png) + + + +## **Different Internet Usage** + +The most common OPSEC mistake out there is the lack of internet usage segmentation. Most people don't have this reflex when they first discover Anonymity and Privacy online. Thing is, **it is not possible to be fully anonymous for everything that you do online** , there will always be some service that is vital to you, which you will need to access with your real world identity (for example, to access your bank account, or some insurance website, etc). However it is definitely possible to implement proper internet usage segmentation: + +In this case we're going to differentiate 4 types of Internet usage: + +![](2.png) + +_Internet Uses:_ + + 1. _Public use_ : What you do is public knowledge + + 2. _Private use_ : What you do is NOT publicly known + + 3. _Anonymous use_ : What you do is meant to be done without revealing your identity + + 4. _Sensitive use_ : What you do is meant to remain secret at all cost, only to be known by you + + + + +With each different Internet usage, we have different requirements: + +![](3.png) + +_Requirements:_ + + 1. _Public use_ : No requirement ; you can use closed source software (meaning it's all public), using your IRL identity + + 2. _Private use_ : only open source software, + you use a pseudonym instead of your IRL identity + + 3. _Anonymous use_ : open source, using a random, meaningless identity not sensitive + + 4. _Sensitive use_ : open source, using an other random meaningless identity, **AND if the adversary seizes the device, they musn't be able to prove the existance of the Sensitive VM** + + + + +Now with this we identified the 4 most typical internet use cases, and their requirements. + +## **Identity Management** + +As we said previously, segmentation is required for each internet use. This extends to the Identity you use online. For example you cannot use your real name when trying to use the internet anonymously. So you need a different identity for each use case: + +![](4.png) + +_Different Identities:_ + + 1. _Public Identity_ : **Linus Torvalds** (used on websites that ask for your identity) + + 2. _Private Identity_ : **Nihilist** (used on websites that may KYC, but pseudonym is preferred) + + 3. _Anonymous Identity_ : **ZacharyJr** (used on anonymous websites, non-sensitive use) + + 4. _Sensitive Identity_ : **Dread Pirate Roberts** (used on anonymous websites, sensitive use) + + + + +The important thing here is that you must make sure that each identity have nothing in common, **it must always remain impossible for and adversary to be able to link those identities together.** + +## **Multiple Virtual Machines (VMs)** + +To help you implement your internet usage segmentation, you can use VMs to make sure the segmentation is present inside the system: + +![](5.png) + +_Virtual Machines:_ + + 1. _Public use_ : No requirement ; you can use a windows VM for all closed source software and KYC use + + 2. _Private use_ : you can use a Debian VM, with only open source software (ex: [SimpleX chat](../privatesimplex/index.md)) + + 3. _Anonymous use_ : you can use Whonix VMs (it forces every connection to go through Tor) + + 4. _Sensitive use_ : You can use Whonix VMs, but they need to be inside a [Veracrypt hidden volume](../veracrypt/index.md) + + + + +_Sidenote:_ [QubesOS](../qubesos/index.md) is based off the same segmentation principle, that every use must remain isolated (or compartmentalized) into VMs, for specific uses. It also uses Linux and Whonix VMs, while using the Xen hypervisor instead of libvirtd QEMU/KVM, but the concept remains the same. + +## **Internet Usage Segmentation Recap** + +Now with this setup, one can segment their Internet use with a system implementation (VMs) along with the associated Identities for each usecase. + +![](6.png) + +For further details on how to dissect your OPSEC, check out this tutorial [here](../opsec/index.md), because using the right technologies is only the first half of the work, you also need to have the correct behavior while using them. + diff --git a/linux/0.png b/linux/0.png new file mode 100644 index 0000000..a87d4cb Binary files /dev/null and b/linux/0.png differ diff --git a/linux/1.5.png b/linux/1.5.png new file mode 100644 index 0000000..3559bc0 Binary files /dev/null and b/linux/1.5.png differ diff --git a/linux/1.png b/linux/1.png new file mode 100644 index 0000000..6e74939 Binary files /dev/null and b/linux/1.png differ diff --git a/linux/10.png b/linux/10.png new file mode 100644 index 0000000..ac9d5f7 Binary files /dev/null and b/linux/10.png differ diff --git a/linux/11.1.png b/linux/11.1.png new file mode 100644 index 0000000..7465e6d Binary files /dev/null and b/linux/11.1.png differ diff --git a/linux/11.2.png b/linux/11.2.png new file mode 100644 index 0000000..8dcf150 Binary files /dev/null and b/linux/11.2.png differ diff --git a/linux/11.png b/linux/11.png new file mode 100644 index 0000000..3cbe656 Binary files /dev/null and b/linux/11.png differ diff --git a/linux/12.png b/linux/12.png new file mode 100644 index 0000000..1bb25e3 Binary files /dev/null and b/linux/12.png differ diff --git a/linux/13.png b/linux/13.png new file mode 100644 index 0000000..c879fc2 Binary files /dev/null and b/linux/13.png differ diff --git a/linux/14.png b/linux/14.png new file mode 100644 index 0000000..a919362 Binary files /dev/null and b/linux/14.png differ diff --git a/linux/15.png b/linux/15.png new file mode 100644 index 0000000..4045ee1 Binary files /dev/null and b/linux/15.png differ diff --git a/linux/16.png b/linux/16.png new file mode 100644 index 0000000..00e8ac2 Binary files /dev/null and b/linux/16.png differ diff --git a/linux/17.png b/linux/17.png new file mode 100644 index 0000000..0286712 Binary files /dev/null and b/linux/17.png differ diff --git a/linux/18.png b/linux/18.png new file mode 100644 index 0000000..6a7043c Binary files /dev/null and b/linux/18.png differ diff --git a/linux/19.png b/linux/19.png new file mode 100644 index 0000000..edefd71 Binary files /dev/null and b/linux/19.png differ diff --git a/linux/2.png b/linux/2.png new file mode 100644 index 0000000..6484bce Binary files /dev/null and b/linux/2.png differ diff --git a/linux/20.png b/linux/20.png new file mode 100644 index 0000000..0fc7513 Binary files /dev/null and b/linux/20.png differ diff --git a/linux/21.png b/linux/21.png new file mode 100644 index 0000000..daa4320 Binary files /dev/null and b/linux/21.png differ diff --git a/linux/22.png b/linux/22.png new file mode 100644 index 0000000..9a39257 Binary files /dev/null and b/linux/22.png differ diff --git a/linux/23.png b/linux/23.png new file mode 100644 index 0000000..fd9c1f2 Binary files /dev/null and b/linux/23.png differ diff --git a/linux/24.png b/linux/24.png new file mode 100644 index 0000000..f8de262 Binary files /dev/null and b/linux/24.png differ diff --git a/linux/25.png b/linux/25.png new file mode 100644 index 0000000..64bcb2b Binary files /dev/null and b/linux/25.png differ diff --git a/linux/26.png b/linux/26.png new file mode 100644 index 0000000..1f0079c Binary files /dev/null and b/linux/26.png differ diff --git a/linux/27.png b/linux/27.png new file mode 100644 index 0000000..2ce520d Binary files /dev/null and b/linux/27.png differ diff --git a/linux/28.png b/linux/28.png new file mode 100644 index 0000000..b379531 Binary files /dev/null and b/linux/28.png differ diff --git a/linux/29.png b/linux/29.png new file mode 100644 index 0000000..613bb9e Binary files /dev/null and b/linux/29.png differ diff --git a/linux/3.png b/linux/3.png new file mode 100644 index 0000000..eb496f6 Binary files /dev/null and b/linux/3.png differ diff --git a/linux/30.png b/linux/30.png new file mode 100644 index 0000000..14bfa9e Binary files /dev/null and b/linux/30.png differ diff --git a/linux/31.png b/linux/31.png new file mode 100644 index 0000000..7cc48ac Binary files /dev/null and b/linux/31.png differ diff --git a/linux/32.png b/linux/32.png new file mode 100644 index 0000000..0cd0ef8 Binary files /dev/null and b/linux/32.png differ diff --git a/linux/33.png b/linux/33.png new file mode 100644 index 0000000..a656172 Binary files /dev/null and b/linux/33.png differ diff --git a/linux/34.png b/linux/34.png new file mode 100644 index 0000000..a30df62 Binary files /dev/null and b/linux/34.png differ diff --git a/linux/35.png b/linux/35.png new file mode 100644 index 0000000..2f57631 Binary files /dev/null and b/linux/35.png differ diff --git a/linux/36.png b/linux/36.png new file mode 100644 index 0000000..c2e01e0 Binary files /dev/null and b/linux/36.png differ diff --git a/linux/37.png b/linux/37.png new file mode 100644 index 0000000..688d111 Binary files /dev/null and b/linux/37.png differ diff --git a/linux/38.png b/linux/38.png new file mode 100644 index 0000000..bb3bec2 Binary files /dev/null and b/linux/38.png differ diff --git a/linux/39.png b/linux/39.png new file mode 100644 index 0000000..25bf40a Binary files /dev/null and b/linux/39.png differ diff --git a/linux/4.png b/linux/4.png new file mode 100644 index 0000000..9e1d72e Binary files /dev/null and b/linux/4.png differ diff --git a/linux/40.png b/linux/40.png new file mode 100644 index 0000000..61e7180 Binary files /dev/null and b/linux/40.png differ diff --git a/linux/41.png b/linux/41.png new file mode 100644 index 0000000..e88ed02 Binary files /dev/null and b/linux/41.png differ diff --git a/linux/42.png b/linux/42.png new file mode 100644 index 0000000..9aea230 Binary files /dev/null and b/linux/42.png differ diff --git a/linux/43.png b/linux/43.png new file mode 100644 index 0000000..b242b4a Binary files /dev/null and b/linux/43.png differ diff --git a/linux/44.png b/linux/44.png new file mode 100644 index 0000000..12a44fa Binary files /dev/null and b/linux/44.png differ diff --git a/linux/45.png b/linux/45.png new file mode 100644 index 0000000..67bf18d Binary files /dev/null and b/linux/45.png differ diff --git a/linux/46.png b/linux/46.png new file mode 100644 index 0000000..3647b74 Binary files /dev/null and b/linux/46.png differ diff --git a/linux/47.png b/linux/47.png new file mode 100644 index 0000000..0cdc9c5 Binary files /dev/null and b/linux/47.png differ diff --git a/linux/48.png b/linux/48.png new file mode 100644 index 0000000..dca4c0b Binary files /dev/null and b/linux/48.png differ diff --git a/linux/49.png b/linux/49.png new file mode 100644 index 0000000..d0e5e92 Binary files /dev/null and b/linux/49.png differ diff --git a/linux/5.png b/linux/5.png new file mode 100644 index 0000000..7cb3f26 Binary files /dev/null and b/linux/5.png differ diff --git a/linux/50.png b/linux/50.png new file mode 100644 index 0000000..269106d Binary files /dev/null and b/linux/50.png differ diff --git a/linux/51.png b/linux/51.png new file mode 100644 index 0000000..10b1cd9 Binary files /dev/null and b/linux/51.png differ diff --git a/linux/52.png b/linux/52.png new file mode 100644 index 0000000..a656eea Binary files /dev/null and b/linux/52.png differ diff --git a/linux/53.png b/linux/53.png new file mode 100644 index 0000000..6d28f39 Binary files /dev/null and b/linux/53.png differ diff --git a/linux/54.png b/linux/54.png new file mode 100644 index 0000000..c1e41c7 Binary files /dev/null and b/linux/54.png differ diff --git a/linux/55.png b/linux/55.png new file mode 100644 index 0000000..c77aa20 Binary files /dev/null and b/linux/55.png differ diff --git a/linux/56.png b/linux/56.png new file mode 100644 index 0000000..ca985ad Binary files /dev/null and b/linux/56.png differ diff --git a/linux/6.png b/linux/6.png new file mode 100644 index 0000000..bdc20a9 Binary files /dev/null and b/linux/6.png differ diff --git a/linux/7.png b/linux/7.png new file mode 100644 index 0000000..68454a4 Binary files /dev/null and b/linux/7.png differ diff --git a/linux/8.png b/linux/8.png new file mode 100644 index 0000000..2a0fac7 Binary files /dev/null and b/linux/8.png differ diff --git a/linux/9.png b/linux/9.png new file mode 100644 index 0000000..62df047 Binary files /dev/null and b/linux/9.png differ diff --git a/linux/index.md b/linux/index.md new file mode 100644 index 0000000..a7d470d --- /dev/null +++ b/linux/index.md @@ -0,0 +1,148 @@ +--- +author: nihilist +date: 2024-06-16 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/76" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to have Privacy on your Computer (Linux) + +![](0.png) + +In this tutorial, we're going to look at the first and foremost thing anyone can do to remove surveillance from their digital lives, by installing a free and open source software (FOSS) host operating system: Linux, in this case we're going to setup the latest Kicksecure host OS, since it is a secure-by-default linux distribution. + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + + + +I recommend using this setup on your main PC, laptop, but also as a home server or a remote server. For [Privacy use](../privacy/index.md), and potentially [Anonymous use](../anonymityexplained/index.md) if you implement the correct technology for it later on, as per the [4 basic OPSEC levels](../opsec4levels/index.md). + + + +## **Why should Bob install Linux?** + +So here we are Bob, and we have decided that having an entire crowd watching what we were doing with out computer was no longer acceptable. What can we do from here ? + +![](1.png) + +Bob, after searching for a while on the web, Bob realized that Windows was the problem here. Because it is closed-source (meaning the source code is not available) he couldn't know what Windows was doing in the background. Because that is so, Bob is now certain that his Operating System could be used for surveillance, without him being aware of it. + +"What the hell can I do on Windows privately then ?", Bob thought for a while. + +![](../privacy/1.png) + +"... Nothing!", He realized. While he was using windows, he would never have any privacy with his digital life. + +_Allegory:_ You have a house, and you have an annoying neighbor (Jack) that wants to know everything you do in your House. **If you have windows installed on your computer as a host OS, it is the same as leaving the front door wide open for Jack to enter and watch what you're doing in your house, no matter how much you try to barricade the windows, or the doors.** It makes more sense to try and barricade the front door first, before trying to barricade the windows and other rooms in your house, isn't it ? + +So Bob looked for an open source operating system to replace Windows, and [he found the Linux sourcecode](https://github.com/torvalds/linux), he read the entire code and found no spyware in it. Then he decided that he would use that instead of using Windows. + +![](1.5.png) + +**Because it is through Windows, that Microsoft employees are able to spy on what Bob was doing so far!** By removing windows from the equation, he is also removing Microsoft's surveillance from his digital life! + +Bob has decided that he would use Linux from now on, because he is no longer tolerating being watched by an entire crowd, without his consent. + +## **How to create a Linux USB installer from Windows?** + +First step is to go on the web to find a secure linux distribution such as Kicksecure: + +![](3.png) ![](4.png) + +So we're going to install [Kicksecure](https://www.kicksecure.com/wiki/download). **(Disclaimer: if you use closed-source hardware, like 99.9999999999% of people out there, you will invariably have to use non-free firmware too** [[1]](https://www.kicksecure.org/vote/2022/vote_003) [[2]](https://forums.kicksecure.net/viewtopic.php?t=158876) [[3])](https://forums.debian.net/viewtopic.php?t=154837). If you want a purely FOSS host OS, and you are willing to not have firmware for your CPU, GPU, Motherboard, Ethernet/wifi, check out the OSes recommended by the Free Software Foundation [[4]](https://www.gnu.org/distros/free-distros.en.html) (but it will be at the expense of having your peripherals not working [[5]](https://forums.puri.sm/t/non-free-firmware-for-pureos/20053)). **The status of Open source Hardware is not even competitive in this closed-source hardware domination of the market.** , hopefully this will change in the future, but for now that's how it is. _TLDR:_ If you don't want to install proprietary firmware, check out [PureOS](https://pureos.net/download/) instead of Kicksecure. + +![](5.png) + +Let it download and then we have the Kicksecure ISO image. + +![](6.png) + +But now we need to put that ISO image on a USB stick. To do so we can use [Rufus](https://rufus.ie/en/): + +![](7.png) ![](8.png) + +next we install Rufus and plug in a usb stick in the computer **(Warning: the usb stick should be at least 2 GB big)** : + +![](9.png) + +And once the kicksecure iso image finishes downloading, we use it from inside rufus by clicking the "select" button: + +![](10.png) + +And lastly we click "start" to + +![](11.png) ![](11.1.png) ![](11.2.png) ![](12.png) + +Then we wait a few minutes, and now we have a USB stick with the latest Kicksecure OS on it: + +![](13.png) + +And now we will be able **to use it to install Linux and replace Windows with it.** + +## **How to use the kicksecure USB stick to overwrite Windows ?** + +This is where it gets a bit technical for Bob. But here are the steps he needs to do: + + 1. He needs to plug his USB stick in his computer + + 2. He needs to restart his computer + + 3. As his computer restarts, **he needs to repeatedly press the F1 or F2 or DEL or F10 key in order to enter his computer's BIOS** (depending on which brand his computer is) + + 4. once he is in the BIOS, he then needs to boot on his USB stick that has the kicksecure image + + 5. Then once he boots on his USB stick, he can install kicksecure on his computer + + + + +The key that we need to press to enter his computer's BIOS depends on what brand his computer is (see [this blogpost](https://www.tenorshare.com/faq/bios-settings-for-windows-boot.html) for examples). + +Now Bob restarts his computer: + +![](17.png) + +And now, as he has an ASUS motherboard, **he repeatedly presses the F2 key** to enter his computer's BIOS: + +![](18.png) + +and from there, Bob needs to navigate the BIOS to boot on his USB key. **Be aware that the Steps may vary, feel free to research how to change the boot options of your computer's BIOS settings**. In Bob's example below, he is on an ASUS computer/motherboard, so he has these specific BIOS steps to do: + +Boot > OS Type > Other OS + +![](19.png) + +Boot > CSM settings > Launch CSM Auto + +![](20.png) + +Boot device Selection > **his USB stick** + +![](21.png) + +Once we selects his USB Stick, Bob can now boot from it, and he is greeted by kicksecure's welcome screen: + +![](22.png) + +And from there, Bob installs linux as per his needs: + +![](23.png) ![](24.png) ![](25.png) ![](26.png) ![](28.png) + +And there, we finished the kicksecure installation, we can unplug the USB stick, and click done to reboot the computer, into the newly installed kicksecure Host OS: + +![](52.png) + +As we reboot the computer, we're greeted by the kicksecure boot screen, and then we type the password to unlock the encrypted system drive: + +![](53.png) + +And now that we are logged, we're in our brand new kicksecure operating system, with the XFCE window manager, You now have a secure-by-default linux host OS, and now it's all open source! **This means that you no longer have windows's countless cameras spying on what you were doing. You now have privacy on your computer.** + +![](56.png) + +And that's it! Bob has managed to get privacy from Microsoft's constant surveillance by replacing Windows with a Linux distribution. + +![](2.png) + diff --git a/livemode/0.png b/livemode/0.png new file mode 100644 index 0000000..08e07be Binary files /dev/null and b/livemode/0.png differ diff --git a/livemode/1.png b/livemode/1.png new file mode 100644 index 0000000..fe0213c Binary files /dev/null and b/livemode/1.png differ diff --git a/livemode/10.png b/livemode/10.png new file mode 100644 index 0000000..1623e5e Binary files /dev/null and b/livemode/10.png differ diff --git a/livemode/11.png b/livemode/11.png new file mode 100644 index 0000000..6bb0439 Binary files /dev/null and b/livemode/11.png differ diff --git a/livemode/12.png b/livemode/12.png new file mode 100644 index 0000000..f5eab37 Binary files /dev/null and b/livemode/12.png differ diff --git a/livemode/13.png b/livemode/13.png new file mode 100644 index 0000000..1430c76 Binary files /dev/null and b/livemode/13.png differ diff --git a/livemode/14.png b/livemode/14.png new file mode 100644 index 0000000..f8b9ba8 Binary files /dev/null and b/livemode/14.png differ diff --git a/livemode/15.png b/livemode/15.png new file mode 100644 index 0000000..9571a0e Binary files /dev/null and b/livemode/15.png differ diff --git a/livemode/16.png b/livemode/16.png new file mode 100644 index 0000000..355d2b0 Binary files /dev/null and b/livemode/16.png differ diff --git a/livemode/17.png b/livemode/17.png new file mode 100644 index 0000000..e521c2c Binary files /dev/null and b/livemode/17.png differ diff --git a/livemode/2.png b/livemode/2.png new file mode 100644 index 0000000..a2e78ea Binary files /dev/null and b/livemode/2.png differ diff --git a/livemode/3.png b/livemode/3.png new file mode 100644 index 0000000..ea6fd67 Binary files /dev/null and b/livemode/3.png differ diff --git a/livemode/4.png b/livemode/4.png new file mode 100644 index 0000000..e50ee98 Binary files /dev/null and b/livemode/4.png differ diff --git a/livemode/5.png b/livemode/5.png new file mode 100644 index 0000000..fb5e910 Binary files /dev/null and b/livemode/5.png differ diff --git a/livemode/6.png b/livemode/6.png new file mode 100644 index 0000000..624f753 Binary files /dev/null and b/livemode/6.png differ diff --git a/livemode/7.png b/livemode/7.png new file mode 100644 index 0000000..be6f4b5 Binary files /dev/null and b/livemode/7.png differ diff --git a/livemode/8.png b/livemode/8.png new file mode 100644 index 0000000..8139c7a Binary files /dev/null and b/livemode/8.png differ diff --git a/livemode/9.png b/livemode/9.png new file mode 100644 index 0000000..d7b151b Binary files /dev/null and b/livemode/9.png differ diff --git a/livemode/index.md b/livemode/index.md new file mode 100644 index 0000000..a2822d4 --- /dev/null +++ b/livemode/index.md @@ -0,0 +1,178 @@ +--- +author: nihilist +date: 2025-04-01 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/160" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Using the Host-OS in live-mode to enable Sensitive Use (April 2025 Update) + +![](0.png) + +In this tutorial we're going to cover how to use livemode and ram-wipe from inside Kicksecure to enable long-term Sensitive use. + + + +## **What is the usecase ?** + +The main usecase of using your Host OS in live mode, is that you want to use it for long term sensitive activities (meaning, you want to save sensitive files on a harddrive). **As you're going to see, using the Host OS in live mode is effectively a hard requirement for deniability**. + +When we are talking sensitive use, we are talking about our need of Deniability. Which means that we need to use deniable encryption using [Veracrypt's hidden volumes](../veracrypt/index.md): + +![](../deniability/5.png) + +In theory it is impossible to prove the existence of the hidden volume by itself once it is closed, **and if there is no proof of it's existence our deniability is maintained.** + +But the issue is that we have more variables that we also need to keep under control, on the Host OS side you have **system logs, kernel logs** , the various other **non-standard log files** that software is writing on the disk, and even **the content of the RAM itself** can be used to prove the existence of a hidden volume. + +![](3.png) + +Now when you are using your computer for regular public, private and anonymous activities, normally you don't need to care about those things. But the Host OS is a potential goldmine of forensic evidence to be used against you if the device were to be seized, **so for sensitive use specifically we need to take care of it.** + +Now you could start to manually erase all logs, all kernel logs, all non-standard system logs, manually overwrite the RAM contents, but this is going to be way too tedious and you're likely to miss something. So we have one simple solution: **use the Host OS in live mode**. + +Thanks to live mode, **we are able to load the entire Host OS in RAM directly** , allowing us to avoid writing anything on the system disk (no system logs, no kernel logs, no non-standard logs, **only ram contents to worry about**) + +And since everything is loaded inside the RAM, **all we need is to reboot the computer to wipe all of the RAM contents** , effectively **erase all forensic evidence (and all potential forensic evidence) of the existence of the hidden volume in one simple action.** + +## **Using Live Mode from the System Drive** + +⚠️ _Deniability Disclaimer:_ **This setup is only suitable if the adversary can be told that you are using Kicksecure, without it being a reason to throw you in jail. Do not proceed if that's the case.** ⚠️ + +![](4.png) + +If you have followed the ["How to install Kicksecure as a Host OS"](../linux/index.md) tutorial, you already have the correct base to work on, since the operating system comes with the capability to enter Live mode from the grub boot menu: + +![](11.png) + +To enter live mode, we simply restart the computer, and select the following boot entry: + +![](12.png) + +Then as ususal, enter your passphrase to unlock your encrypted system drive: + +![](../linux/53.png) + +And then once you boot back into your Host OS, you can run **lsblk** from a terminal to confirm that you are in live mode: + +![](13.png) + + + [user ~]% lsblk + NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS + sr0 11:0 1 1024M 0 rom + vda 253:0 0 200G 0 disk + ├─vda1 253:1 0 4G 0 part /boot + └─vda2 253:2 0 196G 0 part + └─luks-24351c83-3657-4142-82d2-8f8a5787f406 254:0 0 196G 0 crypt /live/image + vdb 253:16 0 20G 0 disk + └─vdb1 253:17 0 20G 0 part + + + +As you can see, **the system drive /dev/vda is mounted in the /live/image mountpoint** , which confirms that we are now in live mode! + +## **Testing Live Mode** + +The main point of using live mode is that everything you write onto the system disk gets wiped upon reboot, so let's test the following: + +![](14.png) + +We'll write the Test A.txt file into the system drive, and the Test B.txt file in a non-system drive: + + + [user ~]% vim /home/user/TestA.txt + [user ~]% cat /home/user/TestA.txt + this is Test A: this file should no longer exist upon rebooting. + (because it sits on the system drive, while in livemode, meaning it's loaded in RAM) + + [user ~]% sudo mkdir /mnt/externaldisk + [user ~]% sudo mount /dev/vdb1 /mnt/externaldisk + + [user ~]% sudo vim /mnt/externaldisk/TestB.txt + [user ~]% cat /mnt/externaldisk/TestB.txt + This is test B: the file should remain after rebooting, because it sits on a non-system drive + + + +**The test will pass if upon rebooting, if TestA.txt no longer exists, and TestB.txt still does, because one sits on the system drive, and not the other.** So let's reboot the host OS to test that: + + + [user ~]% sudo reboot now + + + +![](15.png) ![](../linux/53.png) + +And once booted in we check if TestA.txt has indeed disappeared, and if TestB.txt is still there: + +![]() + + + [user ~]% cat TestA.txt + cat: TestA.txt: No such file or directory + + [user ~]% mount /dev/vdb1 /mnt/externaldisk + [user ~]% sudo mkdir /mnt/externaldisk + [user ~]% sudo mount /dev/vdb1 /mnt/externaldisk + [user ~]% cat /mnt/externaldisk/TestB.txt + This is test B: the file should remain after rebooting, because it sits on a non-system drive + + + +And that's it! We have now validated that the TestA.txt file that was on the system drive while on live mode no longer exists after rebooting, and that the TestB.txt file on the non-system drive still exists, which validates that live mode works as intended. + +## **Wiping RAM upon reboots** + +Now to make sure that the data doesn't sit in the memory sticks when the computer is rebooting (meaning to prevent cold-boot attacks), we make sure that the RAM gets wiped upon reboot, thanks to Kicksecure's [ram-wipe](https://www.kicksecure.com/wiki/Ram-wipe) package: + + + [user ~]% sudo apt install ram-wipe -y + + + +once installed, upon rebooting you can see it in action: + + + [user ~]% sudo reboot now + + + +` ![](16.png) + +Here as you can see the TTY outputs tells us that the RAM contents are being wiped off. It also mentions that it is OK upon the boot sequence when it asks you to unlock your system drive: + +![](17.png) + +Cold boot attacks (freezing memory sticks to make sure the data remains intact, and then attempting to boot into the OS from the data contained in those ramsticks alone) is a very unlikely attack that could happen when an adversary busts down your door to try and seize your devices: + +![](../cloud_provider_adversary/7.png) + +But thanks to the ram-wipe mechanism we just implemented, as long as you make the host OS reboot before the adversary manages to put their hands on the computer, you are protecting against that scenario aswell. + +## **Emergency Reboot Shortcut** + +However there's a problem. Right now to reboot you need to click the desktop menu, click log out, and then click restart: + +![](11.png) + +Obviously, when you have an adversary busting down your door, you don't have time to aim with your mouse and click 3 times to reboot your computer. Therefore, **To speed up the process of rebooting, we implement a simple reboot bashscript that we'll trigger using a single keystroke, thanks to a shortcut we configure:** + + + [user ~]% vim reboot.sh + [user ~]% cat reboot.sh + #!/bin/bash + + /usr/bin/sudo /usr/sbin/reboot now + + [user ~]% chmod +x ./reboot.sh + + +And we make sure that we can trigger it by pressing a single keystroke (right control): + + + xfconf-query -c xfce4-keyboard-shortcuts -n -t 'string' -p '/commands/custom/Control_R' -s /home/user/reboot.sh + + + +And that's it! **Now thanks to that setup, pressing the Right Control key is all you need** to reboot your Host OS, to effectively exit live mode, wipe off all the temporary disk writes that have been made on the system drive, AND also wipe off the RAM contents, **effectively making sure that there cannot be any trace left of what you were doing, while in live mode.** + diff --git a/logos/Forgejo.png b/logos/Forgejo.png new file mode 100644 index 0000000..57de512 Binary files /dev/null and b/logos/Forgejo.png differ diff --git a/logos/HA.png b/logos/HA.png new file mode 100644 index 0000000..b787747 Binary files /dev/null and b/logos/HA.png differ diff --git a/logos/Tor.png b/logos/Tor.png new file mode 100644 index 0000000..5832de5 Binary files /dev/null and b/logos/Tor.png differ diff --git a/logos/bank.png b/logos/bank.png new file mode 100644 index 0000000..dd1d1f2 Binary files /dev/null and b/logos/bank.png differ diff --git a/logos/basicswap.png b/logos/basicswap.png new file mode 100644 index 0000000..975d3ff Binary files /dev/null and b/logos/basicswap.png differ diff --git a/logos/btc.png b/logos/btc.png new file mode 100644 index 0000000..096126b Binary files /dev/null and b/logos/btc.png differ diff --git a/logos/cash.png b/logos/cash.png new file mode 100644 index 0000000..7a01d12 Binary files /dev/null and b/logos/cash.png differ diff --git a/logos/cctv.png b/logos/cctv.png new file mode 100644 index 0000000..3f8f97a Binary files /dev/null and b/logos/cctv.png differ diff --git a/logos/ce0.png b/logos/ce0.png new file mode 100644 index 0000000..3dc87e2 Binary files /dev/null and b/logos/ce0.png differ diff --git a/logos/ce1.png b/logos/ce1.png new file mode 100644 index 0000000..5a59933 Binary files /dev/null and b/logos/ce1.png differ diff --git a/logos/ce2.png b/logos/ce2.png new file mode 100644 index 0000000..e59b82c Binary files /dev/null and b/logos/ce2.png differ diff --git a/logos/clearnet.png b/logos/clearnet.png new file mode 100644 index 0000000..cc5b060 Binary files /dev/null and b/logos/clearnet.png differ diff --git a/logos/co0.png b/logos/co0.png new file mode 100644 index 0000000..1a8e261 Binary files /dev/null and b/logos/co0.png differ diff --git a/logos/co1.png b/logos/co1.png new file mode 100644 index 0000000..b7f23d7 Binary files /dev/null and b/logos/co1.png differ diff --git a/logos/co2.png b/logos/co2.png new file mode 100644 index 0000000..dd59d52 Binary files /dev/null and b/logos/co2.png differ diff --git a/logos/cold.png b/logos/cold.png new file mode 100644 index 0000000..e2b54d1 Binary files /dev/null and b/logos/cold.png differ diff --git a/logos/creditcard.png b/logos/creditcard.png new file mode 100644 index 0000000..e559884 Binary files /dev/null and b/logos/creditcard.png differ diff --git a/logos/daturagit.png b/logos/daturagit.png new file mode 100644 index 0000000..3ccd720 Binary files /dev/null and b/logos/daturagit.png differ diff --git a/logos/de0.png b/logos/de0.png new file mode 100644 index 0000000..1b7b0bb Binary files /dev/null and b/logos/de0.png differ diff --git a/logos/de1.png b/logos/de1.png new file mode 100644 index 0000000..ba5a679 Binary files /dev/null and b/logos/de1.png differ diff --git a/logos/de2.png b/logos/de2.png new file mode 100644 index 0000000..ef41a49 Binary files /dev/null and b/logos/de2.png differ diff --git a/logos/debian.png b/logos/debian.png new file mode 100644 index 0000000..82722cf Binary files /dev/null and b/logos/debian.png differ diff --git a/logos/dnlantern.png b/logos/dnlantern.png new file mode 100644 index 0000000..628ffc6 Binary files /dev/null and b/logos/dnlantern.png differ diff --git a/logos/dns.png b/logos/dns.png new file mode 100644 index 0000000..32c4b44 Binary files /dev/null and b/logos/dns.png differ diff --git a/logos/email.png b/logos/email.png new file mode 100644 index 0000000..e15da68 Binary files /dev/null and b/logos/email.png differ diff --git a/logos/endgame.png b/logos/endgame.png new file mode 100644 index 0000000..07bb37c Binary files /dev/null and b/logos/endgame.png differ diff --git a/logos/exif.png b/logos/exif.png new file mode 100644 index 0000000..bbc430f Binary files /dev/null and b/logos/exif.png differ diff --git a/logos/firewall.png b/logos/firewall.png new file mode 100644 index 0000000..8988555 Binary files /dev/null and b/logos/firewall.png differ diff --git a/logos/gnupg.png b/logos/gnupg.png new file mode 100644 index 0000000..13eacd6 Binary files /dev/null and b/logos/gnupg.png differ diff --git a/logos/grafana.png b/logos/grafana.png new file mode 100644 index 0000000..30c0bb7 Binary files /dev/null and b/logos/grafana.png differ diff --git a/logos/grapheneos.png b/logos/grapheneos.png new file mode 100644 index 0000000..3c91328 Binary files /dev/null and b/logos/grapheneos.png differ diff --git a/logos/haveno.png b/logos/haveno.png new file mode 100644 index 0000000..3d96357 Binary files /dev/null and b/logos/haveno.png differ diff --git a/logos/hongkong.png b/logos/hongkong.png new file mode 100644 index 0000000..7bbb92b Binary files /dev/null and b/logos/hongkong.png differ diff --git a/logos/i2p.png b/logos/i2p.png new file mode 100644 index 0000000..c4fcc26 Binary files /dev/null and b/logos/i2p.png differ diff --git a/logos/keepass.png b/logos/keepass.png new file mode 100644 index 0000000..8398130 Binary files /dev/null and b/logos/keepass.png differ diff --git a/logos/kicksecure.png b/logos/kicksecure.png new file mode 100644 index 0000000..4a1a30f Binary files /dev/null and b/logos/kicksecure.png differ diff --git a/logos/kvm.png b/logos/kvm.png new file mode 100644 index 0000000..a5aa150 Binary files /dev/null and b/logos/kvm.png differ diff --git a/logos/linux.png b/logos/linux.png new file mode 100644 index 0000000..9098b64 Binary files /dev/null and b/logos/linux.png differ diff --git a/logos/litecoin.png b/logos/litecoin.png new file mode 100644 index 0000000..155914b Binary files /dev/null and b/logos/litecoin.png differ diff --git a/logos/mail.png b/logos/mail.png new file mode 100644 index 0000000..a49ef14 Binary files /dev/null and b/logos/mail.png differ diff --git a/logos/monero.png b/logos/monero.png new file mode 100644 index 0000000..85b0a32 Binary files /dev/null and b/logos/monero.png differ diff --git a/logos/mullvad.png b/logos/mullvad.png new file mode 100644 index 0000000..0d389de Binary files /dev/null and b/logos/mullvad.png differ diff --git a/logos/mysql.png b/logos/mysql.png new file mode 100644 index 0000000..69e8cec Binary files /dev/null and b/logos/mysql.png differ diff --git a/logos/mysql.png.png b/logos/mysql.png.png new file mode 100644 index 0000000..69e8cec Binary files /dev/null and b/logos/mysql.png.png differ diff --git a/logos/nextcloud.png b/logos/nextcloud.png new file mode 100644 index 0000000..a76fd25 Binary files /dev/null and b/logos/nextcloud.png differ diff --git a/logos/nginx.png b/logos/nginx.png new file mode 100644 index 0000000..5441bd1 Binary files /dev/null and b/logos/nginx.png differ diff --git a/logos/node-exporter.png b/logos/node-exporter.png new file mode 100644 index 0000000..58d7c46 Binary files /dev/null and b/logos/node-exporter.png differ diff --git a/logos/nostr.png b/logos/nostr.png new file mode 100644 index 0000000..2b5187c Binary files /dev/null and b/logos/nostr.png differ diff --git a/logos/ollama.png b/logos/ollama.png new file mode 100644 index 0000000..973fc2a Binary files /dev/null and b/logos/ollama.png differ diff --git a/logos/on0.png b/logos/on0.png new file mode 100644 index 0000000..b45b30a Binary files /dev/null and b/logos/on0.png differ diff --git a/logos/on1.png b/logos/on1.png new file mode 100644 index 0000000..e540732 Binary files /dev/null and b/logos/on1.png differ diff --git a/logos/on2.png b/logos/on2.png new file mode 100644 index 0000000..39f2467 Binary files /dev/null and b/logos/on2.png differ diff --git a/logos/onionshare.png b/logos/onionshare.png new file mode 100644 index 0000000..9a3cfa4 Binary files /dev/null and b/logos/onionshare.png differ diff --git a/logos/openhw.png b/logos/openhw.png new file mode 100644 index 0000000..9f21dfb Binary files /dev/null and b/logos/openhw.png differ diff --git a/logos/openwrt.png b/logos/openwrt.png new file mode 100644 index 0000000..f25dd9a Binary files /dev/null and b/logos/openwrt.png differ diff --git a/logos/opsec.png b/logos/opsec.png new file mode 100644 index 0000000..1fc4ae9 Binary files /dev/null and b/logos/opsec.png differ diff --git a/logos/php.png b/logos/php.png new file mode 100644 index 0000000..3c2ff7c Binary files /dev/null and b/logos/php.png differ diff --git a/logos/poweroff.png b/logos/poweroff.png new file mode 100644 index 0000000..2f798e9 Binary files /dev/null and b/logos/poweroff.png differ diff --git a/logos/prometheus.png b/logos/prometheus.png new file mode 100644 index 0000000..0c9e271 Binary files /dev/null and b/logos/prometheus.png differ diff --git a/logos/proxy.png b/logos/proxy.png new file mode 100644 index 0000000..35a54c0 Binary files /dev/null and b/logos/proxy.png differ diff --git a/logos/qbittorrent.png b/logos/qbittorrent.png new file mode 100644 index 0000000..020aeac Binary files /dev/null and b/logos/qbittorrent.png differ diff --git a/logos/qubes.png b/logos/qubes.png new file mode 100644 index 0000000..895a9ff Binary files /dev/null and b/logos/qubes.png differ diff --git a/logos/sim.png b/logos/sim.png new file mode 100644 index 0000000..429e314 Binary files /dev/null and b/logos/sim.png differ diff --git a/logos/simplex.png b/logos/simplex.png new file mode 100644 index 0000000..a1cf370 Binary files /dev/null and b/logos/simplex.png differ diff --git a/logos/sms.png b/logos/sms.png new file mode 100644 index 0000000..545b90c Binary files /dev/null and b/logos/sms.png differ diff --git a/logos/steg.png b/logos/steg.png new file mode 100644 index 0000000..fc100a6 Binary files /dev/null and b/logos/steg.png differ diff --git a/logos/su0.png b/logos/su0.png new file mode 100644 index 0000000..df8fe52 Binary files /dev/null and b/logos/su0.png differ diff --git a/logos/su1.png b/logos/su1.png new file mode 100644 index 0000000..24f0a7b Binary files /dev/null and b/logos/su1.png differ diff --git a/logos/su2.png b/logos/su2.png new file mode 100644 index 0000000..d6b60b2 Binary files /dev/null and b/logos/su2.png differ diff --git a/logos/syncthing.png b/logos/syncthing.png new file mode 100644 index 0000000..4f513f6 Binary files /dev/null and b/logos/syncthing.png differ diff --git a/logos/tails.png b/logos/tails.png new file mode 100644 index 0000000..59758fd Binary files /dev/null and b/logos/tails.png differ diff --git a/logos/torbrowser.png b/logos/torbrowser.png new file mode 100644 index 0000000..e5c2bc5 Binary files /dev/null and b/logos/torbrowser.png differ diff --git a/logos/tr0.png b/logos/tr0.png new file mode 100644 index 0000000..5ec2f3c Binary files /dev/null and b/logos/tr0.png differ diff --git a/logos/tr1.png b/logos/tr1.png new file mode 100644 index 0000000..a116df3 Binary files /dev/null and b/logos/tr1.png differ diff --git a/logos/tr2.png b/logos/tr2.png new file mode 100644 index 0000000..b57eecf Binary files /dev/null and b/logos/tr2.png differ diff --git a/logos/ups.png b/logos/ups.png new file mode 100644 index 0000000..90909c2 Binary files /dev/null and b/logos/ups.png differ diff --git a/logos/v2ray.png b/logos/v2ray.png new file mode 100644 index 0000000..bb9e443 Binary files /dev/null and b/logos/v2ray.png differ diff --git a/logos/veracrypt.png b/logos/veracrypt.png new file mode 100644 index 0000000..29bceb7 Binary files /dev/null and b/logos/veracrypt.png differ diff --git a/logos/vps.png b/logos/vps.png new file mode 100644 index 0000000..8b5a4c0 Binary files /dev/null and b/logos/vps.png differ diff --git a/logos/waindowz.png b/logos/waindowz.png new file mode 100644 index 0000000..78ce9d1 Binary files /dev/null and b/logos/waindowz.png differ diff --git a/logos/wan.png b/logos/wan.png new file mode 100644 index 0000000..aed2660 Binary files /dev/null and b/logos/wan.png differ diff --git a/logos/whonix.png b/logos/whonix.png new file mode 100644 index 0000000..111abf3 Binary files /dev/null and b/logos/whonix.png differ diff --git a/logos/winblows.png b/logos/winblows.png new file mode 100644 index 0000000..d0ae414 Binary files /dev/null and b/logos/winblows.png differ diff --git a/logos/windows.jpeg b/logos/windows.jpeg new file mode 100644 index 0000000..36fefa7 Binary files /dev/null and b/logos/windows.jpeg differ diff --git a/logos/writing.png b/logos/writing.png new file mode 100644 index 0000000..c117cc4 Binary files /dev/null and b/logos/writing.png differ diff --git a/mailprivate/0.png b/mailprivate/0.png new file mode 100644 index 0000000..a9ad1ba Binary files /dev/null and b/mailprivate/0.png differ diff --git a/mailprivate/1.png b/mailprivate/1.png new file mode 100644 index 0000000..9b0aaa8 Binary files /dev/null and b/mailprivate/1.png differ diff --git a/mailprivate/10.png b/mailprivate/10.png new file mode 100644 index 0000000..ddf2832 Binary files /dev/null and b/mailprivate/10.png differ diff --git a/mailprivate/11.png b/mailprivate/11.png new file mode 100644 index 0000000..03b16c5 Binary files /dev/null and b/mailprivate/11.png differ diff --git a/mailprivate/12.png b/mailprivate/12.png new file mode 100644 index 0000000..7ca697f Binary files /dev/null and b/mailprivate/12.png differ diff --git a/mailprivate/13.png b/mailprivate/13.png new file mode 100644 index 0000000..500759b Binary files /dev/null and b/mailprivate/13.png differ diff --git a/mailprivate/14.png b/mailprivate/14.png new file mode 100644 index 0000000..3e86499 Binary files /dev/null and b/mailprivate/14.png differ diff --git a/mailprivate/15.png b/mailprivate/15.png new file mode 100644 index 0000000..de02633 Binary files /dev/null and b/mailprivate/15.png differ diff --git a/mailprivate/16.png b/mailprivate/16.png new file mode 100644 index 0000000..78c9154 Binary files /dev/null and b/mailprivate/16.png differ diff --git a/mailprivate/17.png b/mailprivate/17.png new file mode 100644 index 0000000..bb2455f Binary files /dev/null and b/mailprivate/17.png differ diff --git a/mailprivate/18.png b/mailprivate/18.png new file mode 100644 index 0000000..87fb803 Binary files /dev/null and b/mailprivate/18.png differ diff --git a/mailprivate/19.png b/mailprivate/19.png new file mode 100644 index 0000000..6de4e11 Binary files /dev/null and b/mailprivate/19.png differ diff --git a/mailprivate/2.png b/mailprivate/2.png new file mode 100644 index 0000000..2b126c8 Binary files /dev/null and b/mailprivate/2.png differ diff --git a/mailprivate/20.png b/mailprivate/20.png new file mode 100644 index 0000000..f4f302a Binary files /dev/null and b/mailprivate/20.png differ diff --git a/mailprivate/3.png b/mailprivate/3.png new file mode 100644 index 0000000..8a44797 Binary files /dev/null and b/mailprivate/3.png differ diff --git a/mailprivate/30.png b/mailprivate/30.png new file mode 100644 index 0000000..059a549 Binary files /dev/null and b/mailprivate/30.png differ diff --git a/mailprivate/31.png b/mailprivate/31.png new file mode 100644 index 0000000..f00fd88 Binary files /dev/null and b/mailprivate/31.png differ diff --git a/mailprivate/32.png b/mailprivate/32.png new file mode 100644 index 0000000..12c089e Binary files /dev/null and b/mailprivate/32.png differ diff --git a/mailprivate/33.png b/mailprivate/33.png new file mode 100644 index 0000000..ae7ee5f Binary files /dev/null and b/mailprivate/33.png differ diff --git a/mailprivate/34.png b/mailprivate/34.png new file mode 100644 index 0000000..93e3f4f Binary files /dev/null and b/mailprivate/34.png differ diff --git a/mailprivate/35.png b/mailprivate/35.png new file mode 100644 index 0000000..7ec2523 Binary files /dev/null and b/mailprivate/35.png differ diff --git a/mailprivate/36.png b/mailprivate/36.png new file mode 100644 index 0000000..3a0d040 Binary files /dev/null and b/mailprivate/36.png differ diff --git a/mailprivate/37.png b/mailprivate/37.png new file mode 100644 index 0000000..e156e72 Binary files /dev/null and b/mailprivate/37.png differ diff --git a/mailprivate/38.png b/mailprivate/38.png new file mode 100644 index 0000000..4ebc098 Binary files /dev/null and b/mailprivate/38.png differ diff --git a/mailprivate/39.png b/mailprivate/39.png new file mode 100644 index 0000000..75e59cd Binary files /dev/null and b/mailprivate/39.png differ diff --git a/mailprivate/4.png b/mailprivate/4.png new file mode 100644 index 0000000..9da6871 Binary files /dev/null and b/mailprivate/4.png differ diff --git a/mailprivate/40.png b/mailprivate/40.png new file mode 100644 index 0000000..88c49f1 Binary files /dev/null and b/mailprivate/40.png differ diff --git a/mailprivate/41.png b/mailprivate/41.png new file mode 100644 index 0000000..b58feb2 Binary files /dev/null and b/mailprivate/41.png differ diff --git a/mailprivate/42.png b/mailprivate/42.png new file mode 100644 index 0000000..bd64f96 Binary files /dev/null and b/mailprivate/42.png differ diff --git a/mailprivate/5.png b/mailprivate/5.png new file mode 100644 index 0000000..2545401 Binary files /dev/null and b/mailprivate/5.png differ diff --git a/mailprivate/6.png b/mailprivate/6.png new file mode 100644 index 0000000..75e8303 Binary files /dev/null and b/mailprivate/6.png differ diff --git a/mailprivate/7.png b/mailprivate/7.png new file mode 100644 index 0000000..5548af6 Binary files /dev/null and b/mailprivate/7.png differ diff --git a/mailprivate/8.png b/mailprivate/8.png new file mode 100644 index 0000000..d07c8ed Binary files /dev/null and b/mailprivate/8.png differ diff --git a/mailprivate/9.png b/mailprivate/9.png new file mode 100644 index 0000000..950c357 Binary files /dev/null and b/mailprivate/9.png differ diff --git a/mailprivate/index.md b/mailprivate/index.md new file mode 100644 index 0000000..0f96810 --- /dev/null +++ b/mailprivate/index.md @@ -0,0 +1,819 @@ +--- +author: nihilist +date: 2022-05-19 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/114" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Anonymous self-hosted clearnet mail server Setup + +![](20.png) + +In this tutorial we will setup a local mail server (to be able to keep control of our data), we will make it available publicly (so that it can communicate with other mail servers), but we'll make it go through TOR to guarantee Anonymity. + +Note that this setup involves self-hosting, [which I do not recommend if the service is supposed to be sensitive](../sensitiveremotevshome/index.md). If this is an issue for you, just install it on a [non-KYC remote VPS](../anonymousremoteserver/index.md) and skip the port-forwarding part if you don't want to host it at your house. + +![](0.png) + + + +## **Initial VPN over Tor Setup** + +First let's make it use an external VPS as a VPN server (make sure that you get it from a [non-KYC cloud provider](https://kycnot.me/services?type=VPS), where you create your account with an email that you also registered through TOR.), see [this tutorial](../anonymousremoteserver/index.md) i made for the full reasoning. + + + root@mail:~# apt update -y ; apt upgrade -y ; apt autoremove -y ; apt install vim tor obfs4proxy -y + + + +Then we need to have the systemd services: + + + root@mail:~# vim /etc/systemd/system/tortables.service + root@mail:~# vim /etc/systemd/system/torwatch.service + root@mail:~# vim /etc/systemd/system/vpn.service + root@mail:~# vim /etc/systemd/system/sshtunnel.service + + + +The tortables systemd service will run iptables to make sure our server only communicates locally: + + + root@mail:~# cat /etc/systemd/system/tortables.service + [Unit] + Description=Tor IP Tables + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/iptables_vpn_tor.sh + + [Install] + WantedBy=multi-user.target + + root@mail:~# vim iptables_vpn_tor.sh + root@mail:~# cat iptables_vpn_tor.sh + #!/bin/bash + + + #default private networks + sudo iptables -F + + sudo iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT + sudo iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT + + sudo iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT + sudo iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT + + #ip range of tor VPN: + + sudo iptables -A OUTPUT -o tun0 -j ACCEPT + sudo iptables -A INPUT -i tun0 -j ACCEPT + + sudo iptables -A INPUT -j DROP + sudo iptables -A OUTPUT -j DROP + + + +The torwatch systemd service will make sure the tor connection is still up: + + + root@mail:~# cat /etc/systemd/system/torwatch.service + [Unit] + Description=torwatcher + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/monitor_tor.sh + ExecStop=kill -9 $(pidof /root/monitor_tor.sh) + Restart=always + + [Install] + WantedBy=multi-user.target + root@mail:~# vim monitor_tor.sh + root@mail:~# cat monitor_tor.sh + #!/bin/bash + + counter=0 + while true; do + echo TESTING + timeout 10 ping -c1 10.8.0.1 &>/dev/null + if [ $? -eq 0 ]; then + echo OK; + sleep 3 + else + if [ $counter -gt 0 ]; + then + echo 'RESTARTING TOR...' + systemctl restart tor@default + counter=0 + sleep 10 + else + counter=$((counter+1)) + echo "FAIL ( $counter / 2)"; + sleep 3 + fi + fi + done + + + +But as you can see it checks it by pinging 10.8.0.1, the OpenVPN server IP, meaning we need the vpn systemd service: + + + root@mail:~# cat /etc/systemd/system/vpn.service + [Unit] + Description=VPN + After=network-online.target + Wants=network-online.target + + [Install] + WantedBy=multi-user.target + + [Service] + Type=simple + ExecStart=/usr/sbin/openvpn /root/mail.ovpn + ExecStop=kill -9 $(pidof openvpn) + Restart=always + + root@mail:~# apt install openvpn -y + + + +Then we get the .ovpn file and modify it (if you want to see how to make a openvpn server, see it [here](../../selfhosting/ovpn/index.md)) the only requirement here is that you will need to setup the openvpn server to work on TCP, and not UDP as it is set by default. Why? because it will need to go through tor: + + + root@mail:~# vim mail.ovpn + root@mail:~# cat mail.ovpn + client + proto tcp-client + remote x.x.x.x 1194 + dev tun + resolv-retry infinite + nobind + persist-key + persist-tun + remote-cert-tls server + verify-x509-name server_6SQ8FnOk0eJa3n0F name + auth SHA256 + auth-nocache + cipher AES-128-GCM + tls-client + tls-version-min 1.2 + tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 + ignore-unknown-option block-outside-dns + setenv opt block-outside-dns # Prevent Windows 10 DNS leak + verb 3 + + ### TOR SETTINGS ### + socks-proxy 127.0.0.1 9050 + socks-proxy-retry + up-delay + route 10.0.0.195 255.255.255.255 net_gateway + ################### + + + +This will essentially force the openvpn connection to go through TOR, then we also edit our /etc/tor/torrc file, note that i intentionally route the traffic through a local bridge node, if you want to know how to set it up, please check [this](../tor/bridge/index.md) tutorial: + + + root@mail-nihilism:~# cat /etc/tor/torrc + UseBridges 1 + ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy + Bridge obfs4 10.0.1.195:8042 6E9324EC8317DE331DE1EA7969BD868136785748 cert=tyhAPcDxgIcuqcUXXxtkYVPKrWMH7bYf7RJcLa8d+oGbQjoYSK10g4Pz7a/dbJkMXLVvAA iat-mode=0 + DataDirectory /var/lib/tor + TransPort 9040 + SocksPort 9050 + DNSPort 53 + User debian-tor + + root@mail:~# systemctl stop tor + root@mail:~# tor + May 15 12:00:17.068 [notice] Tor 0.3.5.16 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1n, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8. + May 15 12:00:17.068 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning + May 15 12:00:17.068 [notice] Read configuration file "/etc/tor/torrc". + May 15 12:00:17.076 [notice] Opening Socks listener on 127.0.0.1:9050 + May 15 12:00:17.076 [notice] Opened Socks listener on 127.0.0.1:9050 + May 15 12:00:17.076 [notice] Opening DNS listener on 127.0.0.1:53 + May 15 12:00:17.076 [notice] Opened DNS listener on 127.0.0.1:53 + May 15 12:00:17.076 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040 + May 15 12:00:17.076 [notice] Opened Transparent pf/netfilter listener on 127.0.0.1:9040 + May 15 12:00:17.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip. + May 15 12:00:17.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6. + May 15 12:00:17.000 [notice] Bootstrapped 0%: Starting + May 15 12:00:18.000 [notice] Starting with guard context "bridges" + May 15 12:00:18.000 [notice] new bridge descriptor 'voidyt' (cached): $2E73653A148DFFF3CA28D53F0C366936FE554335~voidyt at 10.0.0.195 + May 15 12:00:18.000 [notice] Delaying directory fetches: Pluggable transport proxies still configuring + May 15 12:00:19.000 [notice] Bootstrapped 5%: Connecting to directory server + May 15 12:00:19.000 [notice] Bootstrapped 10%: Finishing handshake with directory server + May 15 12:00:19.000 [notice] Bootstrapped 80%: Connecting to the Tor network + May 15 12:00:19.000 [notice] Bootstrapped 90%: Establishing a Tor circuit + May 15 12:00:19.000 [notice] Bootstrapped 100%: Done + + root@mail-nihilism:~# systemctl restart tor@default.service + root@mail-nihilism:~# systemctl status tor@default.service + ● tor@default.service - Anonymizing overlay network for TCP + Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; vendor preset: enabled) + Active: active (running) since Thu 2022-12-08 12:14:21 CST; 29s ago + Process: 3515 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS) + Process: 3516 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS) + Main PID: 3517 (tor) + Tasks: 8 (limit: 4673) + Memory: 25.7M + CPU: 1.180s + CGroup: /system.slice/system-tor.slice/tor@default.service + ├─3517 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 + └─3518 /usr/bin/obfs4proxy + + Dec 08 12:14:22 mail-nihilism Tor[3517]: Bootstrapped 1% (conn_pt): Connecting to pluggable transport + Dec 08 12:14:23 mail-nihilism Tor[3517]: Opening Control listener on /run/tor/control + Dec 08 12:14:23 mail-nihilism Tor[3517]: Opened Control listener connection (ready) on /run/tor/control + Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 2% (conn_done_pt): Connected to pluggable transport + Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 10% (conn_done): Connected to a relay + Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 14% (handshake): Handshaking with a relay + Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 15% (handshake_done): Handshake with a relay done + Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits + Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit + Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 100% (done): Done + + + +Now that tor has been setup to use the local TOR relay, we apply iptable rules: + + + root@mail:~# ls + iptables_vpn_tor.sh mail.ovpn monitor_tor.sh + root@mail:~# chmod +x *.sh + + root@mail:~# systemctl daemon-reload + root@mail-nihilism:~# systemctl enable --now tor@default.service tortables + Synchronizing state of tor.service with SysV service script with /lib/systemd/systemd-sysv-install. + Executing: /lib/systemd/systemd-sysv-install enable tor + Created symlink /etc/systemd/system/multi-user.target.wants/tortables.service → /etc/systemd/system/tortables.service. + root@mail:~# iptables -L + + Chain INPUT (policy ACCEPT) + target prot opt source destination + ACCEPT all -- anywhere anywhere source IP range 192.168.0.0-192.168.255.255 + ACCEPT all -- anywhere anywhere source IP range 172.16.0.0-172.31.255.255 + ACCEPT all -- anywhere anywhere source IP range 10.0.0.0-10.255.255.255 + ACCEPT all -- anywhere anywhere source IP range 127.0.0.0-127.255.255.255 + ACCEPT all -- anywhere anywhere + DROP all -- anywhere anywhere + + Chain FORWARD (policy ACCEPT) + target prot opt source destination + + Chain OUTPUT (policy ACCEPT) + target prot opt source destination + ACCEPT all -- anywhere anywhere destination IP range 192.168.0.0-192.168.255.255 + ACCEPT all -- anywhere anywhere destination IP range 172.16.0.0-172.31.255.255 + ACCEPT all -- anywhere anywhere destination IP range 10.0.0.0-10.255.255.255 + ACCEPT all -- anywhere anywhere destination IP range 127.0.0.0-127.255.255.255 + ACCEPT all -- anywhere anywhere + DROP all -- anywhere anywhere + + + +And from there we can connect to the VPN server: + + + root@mail:~# systemctl enable --now vpn torwatch + Created symlink /etc/systemd/system/multi-user.target.wants/torwatch.service → /etc/systemd/system/torwatch.service. + root@mail:~# systemctl status vpn torwatch + + root@mail:~# systemctl status vpn torwatch + ● vpn.service - VPN + Loaded: loaded (/etc/systemd/system/vpn.service; static; vendor preset: enabled) + Active: active (running) since Sun 2022-05-15 12:03:26 CEST; 18s ago + Main PID: 3144 (openvpn) + Tasks: 1 (limit: 2359) + Memory: 1.5M + CGroup: /system.slice/vpn.service + └─3144 /usr/sbin/openvpn /root/mail.ovpn + + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 ROUTE_GATEWAY 10.0.0.1/255.255.0.0 IFACE=ens18 HWADDR=ee:b5:c9:3a:c3:fe + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 TUN/TAP device tun0 opened + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 TUN/TAP TX queue length set to 100 + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip link set dev tun0 up mtu 1500 + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 127.0.0.1/32 via 10.0.0.1 + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 10.0.0.195/32 dev ens18 + May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 Initialization Sequence Completed + + ● torwatch.service - torwatcher + Loaded: loaded (/etc/systemd/system/torwatch.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2022-05-15 12:03:26 CEST; 18s ago + Main PID: 3145 (monitor_tor.sh) + Tasks: 2 (limit: 2359) + Memory: 1.1M + CGroup: /system.slice/torwatch.service + ├─3145 /bin/bash /root/monitor_tor.sh + └─3172 sleep 3 + + May 15 12:03:26 mail systemd[1]: Started torwatcher. + May 15 12:03:26 mail monitor_tor.sh[3145]: TESTING + May 15 12:03:36 mail monitor_tor.sh[3145]: FAIL ( 1 / 2) + May 15 12:03:39 mail monitor_tor.sh[3145]: TESTING + May 15 12:03:39 mail monitor_tor.sh[3145]: OK + May 15 12:03:42 mail monitor_tor.sh[3145]: TESTING + May 15 12:03:42 mail monitor_tor.sh[3145]: OK + + + +And now our mail server uses the remote server as a VPN server, but only through TOR, meaning even if the VPS provider were to check the server logs, or the networking traffic, he would see that it all came from tor exit nodes, never from public ips. + +## **Mail Server Setup** + +Then we setup the mail itself on the local mail VM which is now connected to the VPN: + + + root@mail:~# apt update -y ; apt upgrade -y ; apt install vim tmux curl certbot python3-certbot-nginx nginx -y + + + +Then we make sure that the ports are forwarded through the vpn connection: + + + #on the VPN server we forward the ports to the local VM via iptables: + + root@mail-gw:~# cat iptables_forwardrules.sh + #!/bin/bash + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 25 -j DNAT --to-destination 10.8.0.2:25 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 80 -j DNAT --to-destination 10.8.0.2:80 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 443 -j DNAT --to-destination 10.8.0.2:443 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 143 -j DNAT --to-destination 10.8.0.2:143 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 465 -j DNAT --to-destination 10.8.0.2:465 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 587 -j DNAT --to-destination 10.8.0.2:587 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 993 -j DNAT --to-destination 10.8.0.2:993 + + root@mail:~# chmod +x iptables_forwardrules.sh + root@mail:~# ./iptables_forwardrules.sh + + #from the VM we allow the packets to be forwarded to us: + + root@mail-nihilism:~# cat iptables_forwardrules.sh + #!/bin/bash + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 25 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 143 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 465 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 587 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 993 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 443 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 80 -j ACCEPT + + root@mail-nihilism:~# chmod +x iptables_forwardrules.sh + root@mail-nihilism:~# ./iptables_forwardrules.sh + + + +Dont forget to allow ip forwarding on the vpn server: + + + root@mail-gw:~# sysctl net.ipv4.conf.ens3.forwarding=1 + net.ipv4.conf.ens3.forwarding = 1 + root@mail-gw:~# sysctl net.ipv6.conf.ens3.forwarding=1 + net.ipv6.conf.ens3.forwarding = 1 + root@mail-gw:~# echo " net.ipv6.conf.ens3.forwarding=1" >>/etc/sysctl.conf + root@mail-gw:~# echo " net.ipv4.conf.ens3.forwarding=1" >>/etc/sysctl.conf + root@mail-gw:~# sysctl -p + net.ipv6.conf.ens3.forwarding = 1 + net.ipv4.conf.ens3.forwarding = 1 + + #for arch users, install libvirt: + sudo pacman -S libvirt + vim /etc/sysctl.d/30-ipforward.conf + cat /etc/sysctl.d/30-ipforward.conf + net.ipv4.ip_forward=1 + net.ipv6.conf.default.forwarding=1 + net.ipv6.conf.all.forwarding=1 + + [ nihilism ] [ /dev/pts/1 ] [~] + → sysctl net.ipv4.ip_forward=1 + net.ipv4.ip_forward = 1 + + + +Then you make sure that your DNS records are set properly: + +![](3.png) + +example of the record on a [bind9](../dns/index.md) server: + + + root@mail-gw:~# cat /var/cache/bind/db.nowhere.moe + + mail.nowhere.moe. IN A 23.137.250.140 + + + +Then wait for it to propagate: + + + root@mail-nihilism:~# curl ifconfig.me + 23.137.250.140root@mail-nihilism:~# + root@mail-nihilism:~# curl ifconfig.me ; echo + 23.137.250.140 + root@mail-nihilism:~# ping mail.nowhere.moe + PING mail.nowhere.moe (23.137.250.140) 56(84) bytes of data. + 64 bytes from 23.137.250.140 (23.137.250.140): icmp_seq=1 ttl=64 time=160 ms + + --- mail.nowhere.moe ping statistics --- + 2 packets transmitted, 1 received, 50% packet loss, time 1001ms + rtt min/avg/max/mdev = 160.031/160.031/160.031/0.000 ms + root@mail-nihilism:~# ping nowhere.moe + PING nowhere.moe (23.137.250.141) 56(84) bytes of data. + 64 bytes from 23.137.250.141 (23.137.250.141): icmp_seq=1 ttl=63 time=204 ms + + + +Once that's done we prepare nginx on the local VM still: + + + root@mail-nihilism:~# rm /etc/nginx/sites-*/default + + root@mail-nihilism:~# cat /etc/nginx/sites-available/mail.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + root /var/www/mail; + + index index.html; + + server_name mail.nowhere.moe; + + location / { + try_files $uri $uri/ =404; + } + } + + root@mail-nihilism:~# ln -s /etc/nginx/sites-available/mail.nowhere.moe.conf /etc/nginx/sites-enabled/ + + root@mail-nihilism:~# systemctl restart nginx + root@mail-nihilism:~# systemctl status nginx + ● nginx.service - A high performance web server and a reverse proxy server + Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2022-12-08 13:18:14 CST; 19s ago + Docs: man:nginx(8) + Process: 5903 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Process: 5904 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Main PID: 5905 (nginx) + Tasks: 3 (limit: 4673) + Memory: 3.2M + CPU: 49ms + CGroup: /system.slice/nginx.service + ├─5905 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; + ├─5906 nginx: worker process + └─5907 nginx: worker process + + Dec 08 13:18:14 mail-nihilism systemd[1]: Starting A high performance web server and a reverse proxy server... + Dec 08 13:18:14 mail-nihilism systemd[1]: Started A high performance web server and a reverse proxy server. + + root@mail-nihilism:~# mkdir -p /var/www/mail/ + root@mail-nihilism:~# echo 'nowhere.moe' > /var/www/mail/index.md + root@mail-nihilism:~# curl 127.0.0.1 + nowhere.moe + root@mail-nihilism:~# ip a | grep inet + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.203/16 brd 10.0.255.255 scope global dynamic ens18 + inet6 fe80::e4e7:41ff:fe70:e9a6/64 scope link + inet 10.8.0.2/24 scope global tun0 + inet6 fe80::18b1:efc9:1ae0:d93f/64 scope link stable-privacy + + #from the vpn server: + root@mail-gw:~# curl 10.8.0.2 + nowhere.moe + + + +Now that's done we use certbot to get certificate from the local mail server: + + + root@mail-nihilism:~# certbot --nginx + Saving debug log to /var/log/letsencrypt/letsencrypt.log + Plugins selected: Authenticator nginx, Installer nginx + Enter email address (used for urgent renewal and security notices) + (Enter 'c' to cancel): nihilist@nowhere.moe + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Please read the Terms of Service at + https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must + agree in order to register with the ACME server. Do you agree? + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + (Y)es/(N)o: Y + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Would you be willing, once your first certificate is successfully issued, to + share your email address with the Electronic Frontier Foundation, a founding + partner of the Let's Encrypt project and the non-profit organization that + develops Certbot? We'd like to send you email about our work encrypting the web, + EFF news, campaigns, and ways to support digital freedom. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + (Y)es/(N)o: N + Account registered. + + Which names would you like to activate HTTPS for? + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + 1: mail.nowhere.moe + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Select the appropriate numbers separated by commas and/or spaces, or leave input + blank to select all options shown (Enter 'c' to cancel): + Requesting a certificate for mail.nowhere.moe + Performing the following challenges: + http-01 challenge for mail.nowhere.moe + Waiting for verification... + Cleaning up challenges + Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail.nowhere.moe.conf + Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mail.nowhere.moe.conf + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Congratulations! You have successfully enabled https://mail.nowhere.moe + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + IMPORTANT NOTES: + - Congratulations! Your certificate and chain have been saved at: + /etc/letsencrypt/live/mail.nowhere.moe/fullchain.pem + Your key file has been saved at: + /etc/letsencrypt/live/mail.nowhere.moe/privkey.pem + Your certificate will expire on 2023-03-08. To obtain a new or + tweaked version of this certificate in the future, simply run + certbot again with the "certonly" option. To non-interactively + renew *all* of your certificates, run "certbot renew" + - If you like Certbot, please consider supporting our work by: + + Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate + Donating to EFF: https://eff.org/donate-le + + root@mail-nihilism:~# cat /etc/nginx/sites-available/mail.nowhere.moe.conf + server { + root /var/www/mail; + + index index.html; + + server_name mail.nowhere.moe; + + location / { + try_files $uri $uri/ =404; + } + + listen [::]:443 ssl ipv6only=on; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/mail.nowhere.moe/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/mail.nowhere.moe/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + } + + server { + if ($host = mail.nowhere.moe) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name mail.nowhere.moe; + return 404; # managed by Certbot + + + +And that's it! Now we can proceed with creating the mail server locally: + + + root@mail-nihilism:~# wget https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh -O emailwiz.sh + --2022-12-08 13:27:42-- https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ... + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 13320 (13K) [text/plain] + Saving to: ‘emailwiz.sh’ + + emailwiz.sh 100%[==========================================================================================================================================>] 13.01K --.-KB/s in 0.06s + + 2022-12-08 13:27:44 (225 KB/s) - ‘emailwiz.sh’ saved [13320/13320] + + root@mail-nihilism:~# chmod +x emailwiz.sh + root@mail-nihilism:~# sh emailwiz.sh + + + +![](4.png) + +(putting the TLD instead of mail.nowhere.moe here is intentional) + +![](5.png) + +if it complains with the error "Please point your domain (nowhere.moe) to your server's ipv4 address, do the following: + + + #add it into your /etc/hosts + + vim /etc/hosts + cat /etc/hosts | grep nowhere.moe + 23.137.250.140 nowhere.moe + + #add it into your DNS zone too (ex in bind9 below): + + + +` ![](6.png) + +Then we change edit the DNS records as described above: + +![](7.png) ![](8.png) ![](9.png) + +Here's how you can set it up on a bind9 DNS server: + + + $TTL 604800 + @ IN SOA ns1.nowhere.moe. nihilist.nowhere.moe. ( + 33 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL + ; + ; name servers - NS records + 3600 IN NS ns1.nowhere.moe. + 3600 IN NS ns2.nowhere.moe. + 3600 IN A 23.137.250.141 + 3600 IN AAAA fe80::216:3eff:fe6c:c335 + + ; mail-gw services + @ IN MX 0 mail.nowhere.moe. + nowhere.moe. IN TXT "v=spf1 mx a:mail.nowhere.moe -all" + mail.nowhere.moe. IN A 23.137.250.140 + mail._domainkey.nowhere.moe. IN TXT ( + "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu94n6zyhzWLZZrgvRq5HrSAh29TRi" + "jw6AXzFoJeahRPoAnJ3njOfOgbCzxUsVNO1L2+NX2P5iZMkdiVtB7rE71wUutegAb0wCDY5k5RNLUlAThxdlou0ro37H" + "SWK5GRAcEFKm1iab63uTtAXtIvZDPLYMxZMIUq4osxYEgAXY4BCzFBCyfohvr+eGd/kPbfOC9f7jrBnFiOVllnB+yPQKe" + "XwPeVlPrw68muFiVg4vWfMMzayINQgC12d73hKVZIwD8T6V9Kznv0dPi929CDWns2alU2dZypVSHxWm3BZyb4SCobdrFNW" + "xfzb1dz7n6/ms5u0EVAKU9ufGOgS4A70oQIDAQAB") + _dmarc.nowhere.moe. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@nowhere.moe; fo=1" + + [...] + + +Please note that on average the DNS records need 1-2 days to propagate fully throughout the world. So be patient once you've made the changes. Also note the DKIM record is on multiple lines, that's because there is a length limit that bind9 has for some reason, so above is how i managed to get around that restriction. + +Then we add our first user: + + + root@mail-nihilism:~# useradd -G mail -m nihilist + useradd: user 'nihilist' already exists + root@mail-nihilism:~# id nihilist + uid=1000(nihilist) gid=1000(nihilist) groups=1000(nihilist),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev) + root@mail-nihilism:~# passwd nihilist + New password: + Retype new password: + passwd: password updated successfully + + root@mail:~# apt install nmap -y + + root@mail-nihilism:~# nmap 127.0.0.1 + Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-08 13:49 CST + Nmap scan report for localhost (127.0.0.1) + Host is up (0.000026s latency). + Not shown: 989 closed ports + PORT STATE SERVICE + 22/tcp open ssh + 25/tcp open smtp + 80/tcp open http + 143/tcp open imap + 443/tcp open https + 465/tcp open smtps + 587/tcp open submission + 783/tcp open spamassassin + 993/tcp open imaps + 9040/tcp open tor-trans + 9050/tcp open tor-socks + + Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds + root@mail-nihilism:~# nmap 10.0.0.202 + Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-08 13:49 CST + Nmap scan report for 10.0.0.202 + Host is up (0.000097s latency). + Not shown: 992 closed ports + PORT STATE SERVICE + 22/tcp open ssh + 25/tcp open smtp + 80/tcp open http + 143/tcp open imap + 443/tcp open https + 465/tcp open smtps + 587/tcp open submission + 993/tcp open imaps + MAC Address: EE:B5:C9:3A:C3:FE (Unknown) + + + +The ports we need are ready to be used locally, so let's login: + + + [ 10.66.66.2/32 ] [ /dev/pts/38 ] [~] + → sudo pacman -S thunderbird + + [ 10.66.66.2/32 ] [ /dev/pts/38 ] [~] + → thunderbird + + + +Then test it on thunderbird: + +![](17.png) ![](18.png) + +And that's it! We managed to connect! now we test if the mail works: + +![](19.png) + +(You probably guessed it, i accessed protonmail via tor to make sure i don't leak any personal info) And sending a mail to the VPS gets properly routed through the openvpn connection which is being sent through tor. + +## **Miscellaneous** + +If you want to use PGP encryption, you can manually do it in your terminal, please see this [tutorial](../pgp/index.md) to know how to do it. + +However there's a way to do it in thunderbird: + +![](31.png) + +If you don't have one, you can click create a new OpenPGP key, but i have one so i'll just import it: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --output ~/.nihilist.privkey --export-secret-keys nihilist@nowhere.moe + + + +` ![](32.png) ![](33.png) ![](34.png) + +So from here you can copy your public key and paste it wherever you want, for example on your website, so that the users who want to message you will be able to encrypt their messages. Also add the following settings in thunderbird to automatically encrypt messages you wish to send out: + +![](35.png) + +Now let's test it: + +![](36.png) + +As you can see, by default you don't have the destination's PGP key, so for this first mail we won't encrypt it and see how it looks like on the receiver's end: + +![](37.png) ![](38.png) + +Now we see that the receiver got the unencrypted message, with our PGP signature as an attachment. The recipient can now save it, and use it to encrypt his messages with us. + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --gen-key + gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Note: Use "gpg --full-generate-key" for a full featured key generation dialog. + + GnuPG needs to construct a user ID to identify your key. + + Real name: nothing + Email address: nothing@void.yt + You selected this USER-ID: + "nothing <****nothing@void.yt>" + + Change (N)ame, (E)mail, or (O)kay/(Q)uit? O + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + gpg: revocation certificate stored as '/home/nothing/.gnupg/openpgp-revocs.d/95FC37D748FA891A9C33B821CF39FCDC8049F9FE.rev' + public and secret key created and signed. + + pub rsa3072 2022-12-10 [SC] [expires: 2024-12-09] + 95FC37D748FA891A9C33B821CF39FCDC8049F9FE + uid nothing <****nothing@void.yt> + sub rsa3072 2022-12-10 [E] [expires: 2024-12-09] + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --output ~/.nothing.privkey --export-secret-keys nothing@void.yt + +Now the user nothing can use his PGP key and import it into thunderbird aswell: + +![](39.png) ![](40.png) ![](41.png) + +Same as before, now the user nothing also has E2E encryption setup, so let's now send a reply to nihilist but this time encrypted: + +![](42.png) + +And that's it! We managed to setup a mail service, whose origin is unknown from the cloud provider's perspective, and who's able to send and recieve E2EE mails to prevent any unauthorized third-party from seeing the mails content. + diff --git a/maintainers/0.5.png b/maintainers/0.5.png new file mode 100644 index 0000000..645b115 Binary files /dev/null and b/maintainers/0.5.png differ diff --git a/maintainers/0.png b/maintainers/0.png new file mode 100644 index 0000000..1efca54 Binary files /dev/null and b/maintainers/0.png differ diff --git a/maintainers/1.png b/maintainers/1.png new file mode 100644 index 0000000..c2cab6c Binary files /dev/null and b/maintainers/1.png differ diff --git a/maintainers/10.png b/maintainers/10.png new file mode 100644 index 0000000..56f89a9 Binary files /dev/null and b/maintainers/10.png differ diff --git a/maintainers/11.png b/maintainers/11.png new file mode 100644 index 0000000..33dbd3e Binary files /dev/null and b/maintainers/11.png differ diff --git a/maintainers/12.png b/maintainers/12.png new file mode 100644 index 0000000..77d3f66 Binary files /dev/null and b/maintainers/12.png differ diff --git a/maintainers/13.png b/maintainers/13.png new file mode 100644 index 0000000..6bcc3b5 Binary files /dev/null and b/maintainers/13.png differ diff --git a/maintainers/14.png b/maintainers/14.png new file mode 100644 index 0000000..805b100 Binary files /dev/null and b/maintainers/14.png differ diff --git a/maintainers/15.png b/maintainers/15.png new file mode 100644 index 0000000..90c34df Binary files /dev/null and b/maintainers/15.png differ diff --git a/maintainers/16.png b/maintainers/16.png new file mode 100644 index 0000000..dadaec3 Binary files /dev/null and b/maintainers/16.png differ diff --git a/maintainers/17.png b/maintainers/17.png new file mode 100644 index 0000000..80ea810 Binary files /dev/null and b/maintainers/17.png differ diff --git a/maintainers/18.png b/maintainers/18.png new file mode 100644 index 0000000..6a9d687 Binary files /dev/null and b/maintainers/18.png differ diff --git a/maintainers/19.png b/maintainers/19.png new file mode 100644 index 0000000..5515d15 Binary files /dev/null and b/maintainers/19.png differ diff --git a/maintainers/2.png b/maintainers/2.png new file mode 100644 index 0000000..882f937 Binary files /dev/null and b/maintainers/2.png differ diff --git a/maintainers/20.png b/maintainers/20.png new file mode 100644 index 0000000..6f17046 Binary files /dev/null and b/maintainers/20.png differ diff --git a/maintainers/21.png b/maintainers/21.png new file mode 100644 index 0000000..b178cd6 Binary files /dev/null and b/maintainers/21.png differ diff --git a/maintainers/22.png b/maintainers/22.png new file mode 100644 index 0000000..fa43454 Binary files /dev/null and b/maintainers/22.png differ diff --git a/maintainers/23.png b/maintainers/23.png new file mode 100644 index 0000000..74c1cea Binary files /dev/null and b/maintainers/23.png differ diff --git a/maintainers/3.png b/maintainers/3.png new file mode 100644 index 0000000..19ce5c3 Binary files /dev/null and b/maintainers/3.png differ diff --git a/maintainers/4.png b/maintainers/4.png new file mode 100644 index 0000000..0867c98 Binary files /dev/null and b/maintainers/4.png differ diff --git a/maintainers/5.png b/maintainers/5.png new file mode 100644 index 0000000..50bd8a1 Binary files /dev/null and b/maintainers/5.png differ diff --git a/maintainers/6.png b/maintainers/6.png new file mode 100644 index 0000000..8de99c2 Binary files /dev/null and b/maintainers/6.png differ diff --git a/maintainers/7.png b/maintainers/7.png new file mode 100644 index 0000000..0c81f81 Binary files /dev/null and b/maintainers/7.png differ diff --git a/maintainers/8.png b/maintainers/8.png new file mode 100644 index 0000000..abc74f5 Binary files /dev/null and b/maintainers/8.png differ diff --git a/maintainers/9.png b/maintainers/9.png new file mode 100644 index 0000000..afe0d06 Binary files /dev/null and b/maintainers/9.png differ diff --git a/maintainers/index.md b/maintainers/index.md new file mode 100644 index 0000000..864318d --- /dev/null +++ b/maintainers/index.md @@ -0,0 +1,224 @@ +--- +author: nihilist +date: 2025-03-21 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/203" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to become a Maintainer + +![](0.png) + +Becoming a Maintainer is the next step to contribute to the Opsec blog and Darknet Lantern projects, where you get to assist the other contributors contribute just like you did. The requirement is simple: **You should have contributed at least 3 times, having submitted contributions that were already nearly finished (95%) in one go.** If you are still submitting contributions that are 75% finished in one go, you are not ready to become a maintainer yet, maintainers are supposed to know the quality standard perfectly, to be able to enforce it [when doing contribution reviews](https://www.youtube.com/watch?v=jJuNQeG9Irc&t=4m14s), therefore i expect that they show that they understand it. + + + +## **Onboarding new Contributors** + +First of all if there are new contributors that want to join in and contributors, maintainers need to invite them to the contributors chatroom, (and if said maintainer is an administrator, give them their git account credentials): + +![](0.5.png) + +Once added in private messages, the user can be invited (and can safely get their new git account credentials) : + +![](1.png) + +In the Contributors chatroom, the contributors will be able to communicate with maintainers directly: + +![](2.png) + +## **Converting Criticism into todolists** + +As a maintainer, **you get to also be paid for writing valid (and actionnable) todolists** , since you get to have authority on what they contain, and you get to decide if they are valid or not. This is why it is important for you to take part in the debates that are happening in [the public OPSEC chatroom](http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html). + +![](3.png) + +As a maintainer, **you are getting rewarded 2 euros per valid todolist** , all you need to do is write them (coming from criticisms that you either make, or that the other community members make), then you need to put them on each git issue that they are related to. **So if you write a new todolist, please make sure that you save the link to the todolists that you wrote** so that you can ask to recieve payment at the end of the month for all of the todolists you wrote, in one go. + +![](16.png) + +The financial incentive lies is in tracking all the valid criticisms that are being thrown at us in the public chatrooms (which are all opportunities to improve, that's why we welcome it) **to then write alot of todolists** , for example if you write 10 valid todolists in 1 month time, you'll recieve 20 euros in monero for correctly writing them (as the payment is 2 euros PER todolist correctly written). + +![](7.png) + +If there are any valid criticisms to tutorials that are supposed to be finished (meaning there are tutorials that need to be improved), write the todolist on the issue (in the completed column), and move it back to the "to be assigned" column + +Therefore make sure that you take part in the criticisms and debates in in the opsec chatroom, as this is the place where you'll see the most criticism coming from, so if there are any valid criticisms coming from there, make sure that the criticism is at least saved somewhere (ideally on the targeted git issue, or on a new one that you created yourself.) + +If you want to save the criticism somewhere on the git repo for later, go into the [maintainers project board](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/projects/6) and create a git issue there, with the title starting with **"Criticism - For the tutorials XYZ", and make sure you add the label "criticism to convert into todolists"** , that'll help us make sure that criticisms aren't lost forever, but rather are stored somewhere, to be treated at a later time: + +![](17.png) + +See this [git issue](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/246) for instance, that i created to contain the valid criticism i recieved for the [Sensitive VMS tutorial](../sensitivevm/index.md), that i saved here to treat (or let another maintainer) treat at a later time. + +![](18.png) + +When you decide to turn criticisms into todolists, follow the usual format as detailed in the previous ["how to become a contributor"](../contribute/index.md) tutorial: + + + to be explained: (why + what) + - + - + - + + to be showcased: (How) + - + - + - + + + +If you are not sure about if a particular todolist/criticism is valid or not, you can ask an administrator their opinion to know if it's OK or not aswell, to double check. But by default, as a maintainer your judgement is going to be trusted to write correct todolists. (With only other maintainers or administrators being able to overrule your judgement) + +## **What's Offtopic?** + +Here are the list of things that are offtopic, and that we will NOT cover in the blog (for the foreseeable future at least): + +1) _General security and hacking:_ (making sure a software is secure, how to test if it is secure or not) this is a BOTTOMLESS rabbithole that we won't go into again. I went down that rabbithole myself, in the [Hacking section](../../HTB/index.md). Point being, you anyway cannot defend against the threat that you don't know anything about (0days). You're never going to eliminate all 0day risks by going for ultra minimalism, since every damn line of code your minimal software contains can potentially contain a vulnerability. **Trying to protect against the threat you don't know about (0days) IS a pointless and futile endeavor.** You can reduce the risks of 0days by going for ultra-minimalism, but we'll leave that at the discretion of the viewers. **TLDR: Tell the viewer to run the software on it's latest update. If a malicious commit is pushed into the software, don't trust that repository and maintainer anymore, fork it on your own .onion forgejo instance, remove the bad commits, and compile the software yourself.** We will consider some FOSS software as suitable for opsec use _until proven otherwise (so don't bring up the 0day excuse)_ , not the other way around. + +![](../contribute/65.png) + +2) _Closed-source hardware privacy workarounds:_ no, we won't recommend to the 90% average joes out there to wire up cables to their CPU in order to disable intel ME, install coreboot, or whatever else, and risk bricking their motherboards/CPUs permanently. **We will recommend that average joe to purchase fully open hardware devices, that are free of potential backdoors in the first place, when they are available on the market.** We do with the tools at our disposal, so until those tools are made available, we use what we can use. **We will consider FOSS Host OS as suitable for privacy, even on closed-source hardware for the time being.** (so don't bring up the google pixel graphene OS or the Intel/AMD CPU hardware backdoor argument until you find an actual open hardware alternative that does the job aswell) + +![](../contribute/66.png) + +3) _Unrealistic advice:_ the advice we bring forth in this blog should be doable by 90% of the average joes out there, by explaining it correctly. For instance, no, **90% of the average joes out there are not going to go dressed up in black coats, wear an anonymous mask, sit in mcdonalds, to try and use someone else's public wifi anonymously for entire days on end just to browse the web anonymously and avoid it being tied back to their irl identity. NOBODY is going to do that**. Keep that unrealistic advice off this blog, as it doesn't help anyone. The realistic approach to this is to just do a (you -> vpn -> tor -> destination) setup, it defeats 99% of the attack vectors, and 90% of the joes out there can do it if you explain it properly. End of the story. **I don't care about the 1% most unlikely scenario that only the top 1% non-average joe can pull off.** Simply mention the other options briefly, while focusing on the method that 90% of the people out there are the likely to be able to adopt. + +![](../contribute/64.png) + +4) _Overcomplications:_ I want you to go for the simplest option that actually leads to the intended result. If, from point A you can go to point B, to arrive at result Z, then if you try to go from point A to B to C to D to E to G to H to then arrive at point Z, **you are offtopic because you are overcomplicating something that should have been simpler.** If a simpler solution exists, show that option only, do not waste diskspace writing innefficient methods that the readers don't need to read or know about. I will categorically refuse any overcomplications that isn't properly justified with adequate opsec scenarios and threat modeling. + +## **Assigning contributors onto todolists** + +As a maintainer you also get to assign people to work on todolists: + +![](4.png) + +You get to have authority on deciding what todolists get to contain (with only the other maintainers and administrators being able to overrule your decisions), you can validate them or edit them however you wish, only if they are not yet assigned (do not change a todolist if there's already someone working on it). + +![](5.png) + +(don't forget to move the issue into the "assigned" column on the [project board](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/projects/1) aswell: + +![](6.png) + +## **Reviewing Contributions** + +And lastly, the maintainer's role is to review contributions whenever a contributor submits one, That's probably the most time consumming part. For example, we have the following contributor that's assigned on [this issue](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/233): + +![](8.png) + +As you are most likely already aware since you are supposed to already be a contributor, whenever someone submits a contribution, they need to follow [the quality standard](../qualitystandard/index.md), **as a maintainer, you are supposed to make sure that they follow that standard whenever they try to contribute new content.** + +Here for example, the contributor "optimist" submits a contribution after having followed the ["how to contribute"](../contribute/index.md) guide, and lets you know in the contributors chatroom: + +![](9.png) + +Going there you see that the contributor correctly made a PR, but you need to git clone it to review the changes: + +![](10.png) + + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~] + → cd Documents + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents] + → torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/optimist/blog-contributions blog-contributions.optimist + Cloning into 'blog-contributions'... + remote: Enumerating objects: 6608, done. + remote: Counting objects: 100% (6608/6608), done. + remote: Compressing objects: 100% (5362/5362), done. + remote: Total 6608 (delta 3302), reused 3611 (delta 1133), pack-reused 0 (from 0) + Receiving objects: 100% (6608/6608), 342.55 MiB | 522.00 KiB/s, done. + Resolving deltas: 100% (3302/3302), done. + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents] + → cd blog-contributions.optimist + + +If they wrote their changes in a separate git branch, switch to the correct branch like so: + + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud] + → git switch branchname + + + +Then in the cloned repository, navigate to the new tutorial folder to get the path: + + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents/blog-contributions.optimist] + → cd opsec/nextcloud + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud] + → pwd + /home/nihilist/Documents/blog-contributions.optimist/opsec/nextcloud + + + +And in there from your local browser you can assess if the contribution is completed, and if it follows the quality standard: + +![](11.png) + +Here as you can see, this is clearly garbage. It does not follow the quality standard at all, and it even deviates from the todolist that the contributor agreed to work on. So you can either spend 10x more time reviewing what they took to write by making [the following assessment](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/pulls/253#issuecomment-1997), or since this was a low effort you could simply post a low effort review like so: + +![](23.png) + + + 1) re-read the quality standard + 2) re-read the methodology on how to contribute + 3) re-read the todolist again and follow it this time + + this is 30% completed. + + + +On the contrary, if the user actually tried his best to write the contribution, (meaning it has to be above 30% completed FOR SURE, ideally 95% completed) then yes give them a lengthy review to help them better their contribution like the one that oxeo wrote: + +![](12.png) + +Then the contributor pushes some more commits to fix their mistakes and ask for a second review, so since we already git cloned their repository we just need to do a git clone to pull their new commits: + +![](13.png) ![](14.png) + +Then, locally you can do a git pull to review their updates, in order to review their contribution locally again: + + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud] + → cd ../.. + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents/blog-contributions.optimist] + → torsocks git pull + + + +` ![](15.png) + +And from there, if there are still mistakes that they can improve on, tell them that the contribution is (depending your assessment) for example 80% completed, stating what's missing still. **Otherwise confirm that the contribution is OK and ready to be merged (using the good to merge git label)** + +![](19.png) ![](22.png) + +Then the administrator issues payment for both the contributor and to you the maintainer, for correctly reviewing a contribution. For maintainers specifically, the payment for the reviews will depend on how tedious the reviewing was. + + + - 1 back and forth: (easy review) 3 euros + - 2 backs and forth: (average review) 5 euros + - 3+ backs and forth: (tedious review) 8 euros + + + +Obviously, no need to be an ultra-perfectionnist for every detail that doesnt truly matter, however **The top priority here is that the blogpost needs to be CRYSTAL CLEAR** It needs to be easy to understand, from start to finish, while containing all the information one needs to understand what we are talking about, and how to achieve the targeted setup. **If the noobs out there don't understand what the hell we're talking about, then we are doing them a disservice by writing those blogposts.** + +## **Dealing with Lazy and Incompetent Contributors** + +Just warning you, this is the most annoying part of being a maintainer, so **if the reviewing is extra-tedious because you are facing an incompetent or lazy contributor, don't worry i'll send you extra monero your way for your trouble.** + +I don't want this blog to contain ANY half-assed content, **the only acceptable content is VALID, FINISHED, QUALITY content.** It takes time to have quality, that's why we give a 1 month default deadline (which is more than enough 99% of the time, even for complex contributions). **if contributor A is not going to write a tutorial correctly before the deadline, REJECT THEIR CONTRIBUTION** , contributor B will write it correctly later on ([Sum Nihil](../../productivity/sum-nihil/index.md), don't care who does what, only care about what they do). + +With a 1 month deadline, there's no rush. Do not tolerate laziness or incompetence coming from contributors. Whoever wants to contribute to the blog is expected to follow the todolist, and follow the quality standard. If that contributor does not contribute quality, it means that they do not WANT to contribute quality. And if that's the case, do not waste your time on them. + +![](21.png) + +**I repeat, If a contributor doesn't contribute quality after being told to do so, DO. NOT. CARE. REJECT THEIR CONTRIBUTION.** It's not for you to do it for them, _it is for them to step up to do it themselves,_ do not treat them like a baby, if something needs to be fixed, tell them to fix it, and wait for them to fix it. From my own experience, if the contributor is not competent, it is not worthwhile to keep recieving contributions coming from them, as they are simply wasting the reviewers' time. + +The contributor is expected to know what they are talking about, and they must be willing to write it in the correct way, so that their knowledge is correctly transmitted to the readers out there. + diff --git a/monero2024/0.png b/monero2024/0.png new file mode 100644 index 0000000..795129e Binary files /dev/null and b/monero2024/0.png differ diff --git a/monero2024/1.png b/monero2024/1.png new file mode 100644 index 0000000..d829991 Binary files /dev/null and b/monero2024/1.png differ diff --git a/monero2024/10.png b/monero2024/10.png new file mode 100644 index 0000000..df37003 Binary files /dev/null and b/monero2024/10.png differ diff --git a/monero2024/11.png b/monero2024/11.png new file mode 100644 index 0000000..9e1f5a0 Binary files /dev/null and b/monero2024/11.png differ diff --git a/monero2024/12.png b/monero2024/12.png new file mode 100644 index 0000000..8c779d6 Binary files /dev/null and b/monero2024/12.png differ diff --git a/monero2024/13.png b/monero2024/13.png new file mode 100644 index 0000000..5db7cba Binary files /dev/null and b/monero2024/13.png differ diff --git a/monero2024/14.png b/monero2024/14.png new file mode 100644 index 0000000..fea579e Binary files /dev/null and b/monero2024/14.png differ diff --git a/monero2024/15.png b/monero2024/15.png new file mode 100644 index 0000000..98c57cc Binary files /dev/null and b/monero2024/15.png differ diff --git a/monero2024/16.png b/monero2024/16.png new file mode 100644 index 0000000..e844d96 Binary files /dev/null and b/monero2024/16.png differ diff --git a/monero2024/17.png b/monero2024/17.png new file mode 100644 index 0000000..f98938f Binary files /dev/null and b/monero2024/17.png differ diff --git a/monero2024/18.png b/monero2024/18.png new file mode 100644 index 0000000..c0d6acb Binary files /dev/null and b/monero2024/18.png differ diff --git a/monero2024/19.png b/monero2024/19.png new file mode 100644 index 0000000..e158a84 Binary files /dev/null and b/monero2024/19.png differ diff --git a/monero2024/2.png b/monero2024/2.png new file mode 100644 index 0000000..b0763a6 Binary files /dev/null and b/monero2024/2.png differ diff --git a/monero2024/20.png b/monero2024/20.png new file mode 100644 index 0000000..044214e Binary files /dev/null and b/monero2024/20.png differ diff --git a/monero2024/21.png b/monero2024/21.png new file mode 100644 index 0000000..aec22da Binary files /dev/null and b/monero2024/21.png differ diff --git a/monero2024/22.png b/monero2024/22.png new file mode 100644 index 0000000..a56e355 Binary files /dev/null and b/monero2024/22.png differ diff --git a/monero2024/23.png b/monero2024/23.png new file mode 100644 index 0000000..b8ebfe3 Binary files /dev/null and b/monero2024/23.png differ diff --git a/monero2024/24.png b/monero2024/24.png new file mode 100644 index 0000000..d089295 Binary files /dev/null and b/monero2024/24.png differ diff --git a/monero2024/25.png b/monero2024/25.png new file mode 100644 index 0000000..84af13d Binary files /dev/null and b/monero2024/25.png differ diff --git a/monero2024/26.png b/monero2024/26.png new file mode 100644 index 0000000..509757f Binary files /dev/null and b/monero2024/26.png differ diff --git a/monero2024/27.png b/monero2024/27.png new file mode 100644 index 0000000..94e2726 Binary files /dev/null and b/monero2024/27.png differ diff --git a/monero2024/28.png b/monero2024/28.png new file mode 100644 index 0000000..01b2b40 Binary files /dev/null and b/monero2024/28.png differ diff --git a/monero2024/29.png b/monero2024/29.png new file mode 100644 index 0000000..ffb29c0 Binary files /dev/null and b/monero2024/29.png differ diff --git a/monero2024/3.png b/monero2024/3.png new file mode 100644 index 0000000..abd89ab Binary files /dev/null and b/monero2024/3.png differ diff --git a/monero2024/30.png b/monero2024/30.png new file mode 100644 index 0000000..1e9dc21 Binary files /dev/null and b/monero2024/30.png differ diff --git a/monero2024/4.png b/monero2024/4.png new file mode 100644 index 0000000..c776a71 Binary files /dev/null and b/monero2024/4.png differ diff --git a/monero2024/5.png b/monero2024/5.png new file mode 100644 index 0000000..d19e515 Binary files /dev/null and b/monero2024/5.png differ diff --git a/monero2024/6.png b/monero2024/6.png new file mode 100644 index 0000000..845e19b Binary files /dev/null and b/monero2024/6.png differ diff --git a/monero2024/7.png b/monero2024/7.png new file mode 100644 index 0000000..bc18737 Binary files /dev/null and b/monero2024/7.png differ diff --git a/monero2024/8.png b/monero2024/8.png new file mode 100644 index 0000000..591a77a Binary files /dev/null and b/monero2024/8.png differ diff --git a/monero2024/9.png b/monero2024/9.png new file mode 100644 index 0000000..b81fae9 Binary files /dev/null and b/monero2024/9.png differ diff --git a/monero2024/index.md b/monero2024/index.md new file mode 100644 index 0000000..5c29f41 --- /dev/null +++ b/monero2024/index.md @@ -0,0 +1,162 @@ +--- +author: nihilist +date: 2024-01-31 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/103" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Monero Node Setup + +![](0.png) + +In this tutorial we're going to take a look at how to setup a monero node + + + +## **Initial Setup** + +First install monero and tor from the repositories: + + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/nowhere.moe] + → apt install monero tor -y + + +Then, create the following systemd service if you want to have a monero node to be publicly accessible via the IP directly: + + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/nowhere.moe] + → vim /etc/systemd/system/moneronode.service + + [ Wonderland ] [ /dev/pts/9 ] [/srv] + → cat /etc/systemd/system/moneronode.service + [Unit] + Description=monerod + After=network.target + Wants=network.target + + [Service] + + # sync the monero node without going through Tor + ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind --non-interactive + + + Restart=on-failure + RestartSec=10s + + StandardOutput=journal + StandardError=journal + + [Install] + WantedBy=multi-user.target + + + +However if your users are well-educated and are aware that [Chainalysis are running malicious Monero nodes](../chainalysisattempts/index.md), **then they are NOT going to connect to non-onion monero nodes (and neither should you).** Plus if Monero is illegal in your country, you'll also want to synchronize it via Tor instead, so you can use this config instead: + + + [ Wonderland ] [ /dev/pts/9 ] [/mnt/md3] + → cat /etc/systemd/system/moneronode.service + [Unit] + Description=monerod + After=network.target + Wants=network.target + + [Service] + + # sync the monero node while actually going through Tor (in case if Monero is illegal in your country) + ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=127.0.0.1 --p2p-bind-ip=127.0.0.1 --p2p-bind-port=18080 --non-interactive --proxy 127.0.0.1:9050 --tx-proxy tor,127.0.0.1:9050 + + Restart=on-failure + RestartSec=10s + + + StandardOutput=journal + StandardError=journal + + [Install] + WantedBy=multi-user.target + + + + +Then wait for it to sync after enabling the systemd service: + + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/nowhere.moe] + → systemctl daemon-reload + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/nowhere.moe] + → systemctl enable --now moneronode + Created symlink /etc/systemd/system/multi-user.target.wants/moneronode.service → /etc/systemd/system/moneronode.service. + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/nowhere.moe] + → systemctl status moneronode + ● moneronode.service - monerod + Loaded: loaded (/etc/systemd/system/moneronode.service; enabled; preset: enabled) + Active: active (running) since Sun 2023-07-09 15:36:44 CEST; 2min 22s ago + Main PID: 8410 (monerod) + Tasks: 30 (limit: 77000) + Memory: 1.7G + CPU: 1min 53.681s + CGroup: /system.slice/moneronode.service + └─8410 /usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 -> + + Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.055 I Synced 88702/2925934 (3%, 2837232 left) + Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.188 I Synced 88752/2925934 (3%, 2837182 left) + Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.310 I Synced 88802/2925934 (3%, 2837132 left) + Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.452 I Synced 88852/2925934 (3%, 2837082 left) + Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.576 I Synced 88902/2925934 (3%, 2837032 left) + Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.756 I Synced 88952/2925934 (3%, 2836982 left) + Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.890 I Synced 89002/2925934 (3%, 2836932 left) + Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.060 I Synced 89052/2925934 (3%, 2836882 left) + Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.182 I Synced 89088/2925934 (3%, 2836846 left) + Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.376 I Synced 89138/2925934 (3%, 2836796 left) + + + +On a NVMe SSD it may take 2 days, and weigh approximately 90 gigs at the time of writing this tutorial. The synchronisation is a very disk-intensive process, and so it is required to do it on a nvme disk or ssd at least. If you try to do that on a HDD it will take much, much longer. If you don't have a choice, sync it on a nvme somewhere and then rsync it to a server that has only HDDs. + +# Onion Setup + +Once your monero node is synchronized, you can allow tor users to access it via a .onion link like so: + + + [ Wonderland ] [ /dev/pts/9 ] [~] + → apt install tor + + [ Wonderland ] [ /dev/pts/9 ] [~] + → cat /etc/tor/torrc + HiddenServiceDir /var/lib/tor/monero-service/ + HiddenServicePort 18080 127.0.0.1:18080 + HiddenServicePort 18081 127.0.0.1:18081 + + + [ Wonderland ] [ /dev/pts/9 ] [~] + → systemctl restart tor@default + + + +Then find your onion link right here: + + + [ Wonderland ] [ /dev/pts/9 ] [~] + → cat /var/lib/tor/monero-service/hostname + uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion + + + +And then you can use it to connect to it via your monero wallet. As shown below: + + + apt install monero -y + + monero-wallet-cli + #follow the instructions to create your wallet + #synchronize it with this command: + set_daemon http://uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion:18081 trusted + #then wait for the daemon to finish synchronizing, and type "refresh" regularly to make sure that it synchronizes with the node, expect to type that command a few times as tor connections are unstable at times. + refresh + status + + + diff --git a/monerofirst/1.png b/monerofirst/1.png new file mode 100644 index 0000000..81daa07 Binary files /dev/null and b/monerofirst/1.png differ diff --git a/monerofirst/2.png b/monerofirst/2.png new file mode 100644 index 0000000..f1a3626 Binary files /dev/null and b/monerofirst/2.png differ diff --git a/monerofirst/3.png b/monerofirst/3.png new file mode 100644 index 0000000..6b9001a Binary files /dev/null and b/monerofirst/3.png differ diff --git a/monerofirst/4.png b/monerofirst/4.png new file mode 100644 index 0000000..a0e4e6d Binary files /dev/null and b/monerofirst/4.png differ diff --git a/monerofirst/5.png b/monerofirst/5.png new file mode 100644 index 0000000..02c6077 Binary files /dev/null and b/monerofirst/5.png differ diff --git a/monerofirst/6.png b/monerofirst/6.png new file mode 100644 index 0000000..4f43be8 Binary files /dev/null and b/monerofirst/6.png differ diff --git a/monerofirst/7.png b/monerofirst/7.png new file mode 100644 index 0000000..e2638a4 Binary files /dev/null and b/monerofirst/7.png differ diff --git a/monerofirst/8.png b/monerofirst/8.png new file mode 100644 index 0000000..18e0f53 Binary files /dev/null and b/monerofirst/8.png differ diff --git a/monerofirst/9.png b/monerofirst/9.png new file mode 100644 index 0000000..6a12f1a Binary files /dev/null and b/monerofirst/9.png differ diff --git a/monerofirst/index.md b/monerofirst/index.md new file mode 100644 index 0000000..5735f8b --- /dev/null +++ b/monerofirst/index.md @@ -0,0 +1,66 @@ +--- +author: nihilist +date: 2025-01-05 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/50" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to get your first Monero ? (xmrbazaar.com, crypto swaps, p2p chats, or work) + +![](5.png) + + + +## **Why is this important ?** + +First of all, if you have seen our previous tutorials on [Haveno DEX](../haveno-client-f2f/index.md), you'd realize that to be able to buy some monero over there (in exchange of some of your fiat currency), you need to already have some monero to be able to initiate trades, because there is a security deposit (in monero) that you need to fund: + +![](1.png) ![](../haveno-client-f2f/14.png) + +That's the Chicken in egg problem that got ported over from Bisq, to buy some monero you first need a small amount of monero (0.11 XMR approx). **Therefore the question is where can you get that first 0.11 XMR ?** + +## **XMR in exchange of goods and services** + +At the initiative of Douglas Tumann, the guy behind the excellent weekly show called ["Monero Talk"](https://www.youtube.com/@MoneroTalk) (whose goal is to raise awareness on what Monero is truly about), you can make use of the [Xmrbazaar website](https://xmrbazaar.com/) that he kickstarted: + +![](2.png) + +On Xmrbazaar, you can sell and buy (legal) goods and services, peer to peer. You can view it as a craigslist or ebay but using Monero as it's only currency. It's as simple as signing up there, listing something that people are likely to want to purchase (it can be video games, guitars, tshirts, or literally just offering euros in exchange for some monero), **and with it you'll be able to not only participate in the Monero Circular Economy, and get your first XMR in the process.** + +![](3.png) + +Another option could be to also go in the "Earn XMR" section, to view already existing offers, where you can try and provide goods and services to fulfill other people's needs. For example i have 2 offers in here, where i offer monero for whoever helps me write a new feature on my [Darknet Lantern](../darknetlantern/index.md) side-project, or for whoever helps me write a new blogpost as described in [this tutorial](../contribute/index.md). + +![](4.png) + +From here, the more you participate in the Monero Circular Economy, by providing access to goods and services to everyone, the more monero you'll be able to get without having to go through any KYC hassle that centralised exchanges are being subjected to. + +**I consider this to be the best way to get your first Monero, as it will help grow the Monero Circular Economy, and proving to everyone that you can indeed use it as an actual currency** , contrary to the other cryptocurrencies which are either just speculative assets or scams. + +## **Centralised Exchanges** + +If you're not interested in the monero circular economy, your next best option is going to be Centralised Exchanges, there are a ton of those out there. + +However, there is one thing that you need to note. **in 99% of the cases, said centralised exchange is not anonymous on the serverside, which makes them subjectable to financial regulations.** If you managed to find a clearnet centralised exchange that is not forcing you to go through KYC (know your customer) procedures yet, you are just lucky, be aware that this is not meant to last. Chainanalysis and governments around the world are scared shitless that their population stops using their fiat currency, as it makes them unable to subject their population to their rules. + +![](7.png) + +**It is only a matter of time until every clearnet centralised exchange out there is forced to comply to financial regulations and force you through KYC procedures.** But until they manage to force every centralised exchange to comply, you can try to get your monero via the ones listed on [Kycnot.me](https://kycnot.me/?t=exchange&q=&fiat=on&cash=on): + +![](8.png) + +If XMR is not readily available for fiat on one of these centralised exchanges, you can also first buy some BTC before swapping it to XMR. + +![](6.png) + +Feel free to try to purchase crypto from any of those, especially the top ones should allow you to buy either XMR or BTC in exchange of a fiat payment like bank transfer, credit card purchase or just cash sent by mail. + +Now if your only option is to have a shitcoin like BTC, buy it and then swap it to get Monero instead, and then make sure that you withdraw the monero to the monero wallet that is on your laptop, as otherwise the centralised exchange can drain (steal) your funds. Always self-custody your own crypto, because if it's not your keys, it's not your crypto. See this [Kycnot.me](https://kycnot.me/?t=exchange&q=&xmr=on&btc=on) link to have a list of exchanges that support BTC to XMR trades: + +![](9.png) + +One thing to note however, is that it doesn't matter if you get KYC'd if you buy your XMR somewhere. as long as it's not illegal for you to own Monero, you can safely let the adversary know that you purchased as small amount of monero, as they will anyway not be able to know where the monero you just purchased is going. **As long as you manage to get some Monero to a monero wallet that you control locally on your computer, by default, you are the only one that knows where that money goes.** + +## **Conclusion** + +And that's it! You now know where you can get your first Monero, to be able to make your first trade on [Haveno](../haveno-client-f2f/index.md)! + diff --git a/moneroinheritance/0.png b/moneroinheritance/0.png new file mode 100644 index 0000000..f0babaa Binary files /dev/null and b/moneroinheritance/0.png differ diff --git a/moneroinheritance/1.png b/moneroinheritance/1.png new file mode 100644 index 0000000..93b24c1 Binary files /dev/null and b/moneroinheritance/1.png differ diff --git a/moneroinheritance/10.png b/moneroinheritance/10.png new file mode 100644 index 0000000..ee89b40 Binary files /dev/null and b/moneroinheritance/10.png differ diff --git a/moneroinheritance/11.png b/moneroinheritance/11.png new file mode 100644 index 0000000..2599951 Binary files /dev/null and b/moneroinheritance/11.png differ diff --git a/moneroinheritance/12.png b/moneroinheritance/12.png new file mode 100644 index 0000000..0558ca0 Binary files /dev/null and b/moneroinheritance/12.png differ diff --git a/moneroinheritance/13.png b/moneroinheritance/13.png new file mode 100644 index 0000000..3ae52fb Binary files /dev/null and b/moneroinheritance/13.png differ diff --git a/moneroinheritance/14.png b/moneroinheritance/14.png new file mode 100644 index 0000000..980eb85 Binary files /dev/null and b/moneroinheritance/14.png differ diff --git a/moneroinheritance/15.png b/moneroinheritance/15.png new file mode 100644 index 0000000..f07c885 Binary files /dev/null and b/moneroinheritance/15.png differ diff --git a/moneroinheritance/16.png b/moneroinheritance/16.png new file mode 100644 index 0000000..f43ac00 Binary files /dev/null and b/moneroinheritance/16.png differ diff --git a/moneroinheritance/17.png b/moneroinheritance/17.png new file mode 100644 index 0000000..40a9315 Binary files /dev/null and b/moneroinheritance/17.png differ diff --git a/moneroinheritance/18.png b/moneroinheritance/18.png new file mode 100644 index 0000000..8797de9 Binary files /dev/null and b/moneroinheritance/18.png differ diff --git a/moneroinheritance/19.png b/moneroinheritance/19.png new file mode 100644 index 0000000..915da46 Binary files /dev/null and b/moneroinheritance/19.png differ diff --git a/moneroinheritance/2.png b/moneroinheritance/2.png new file mode 100644 index 0000000..25cb321 Binary files /dev/null and b/moneroinheritance/2.png differ diff --git a/moneroinheritance/20.png b/moneroinheritance/20.png new file mode 100644 index 0000000..2fff64f Binary files /dev/null and b/moneroinheritance/20.png differ diff --git a/moneroinheritance/21.png b/moneroinheritance/21.png new file mode 100644 index 0000000..497441c Binary files /dev/null and b/moneroinheritance/21.png differ diff --git a/moneroinheritance/22.png b/moneroinheritance/22.png new file mode 100644 index 0000000..252cb54 Binary files /dev/null and b/moneroinheritance/22.png differ diff --git a/moneroinheritance/23.png b/moneroinheritance/23.png new file mode 100644 index 0000000..df47c1f Binary files /dev/null and b/moneroinheritance/23.png differ diff --git a/moneroinheritance/24.png b/moneroinheritance/24.png new file mode 100644 index 0000000..fb1083e Binary files /dev/null and b/moneroinheritance/24.png differ diff --git a/moneroinheritance/25.png b/moneroinheritance/25.png new file mode 100644 index 0000000..dcea2ab Binary files /dev/null and b/moneroinheritance/25.png differ diff --git a/moneroinheritance/26.png b/moneroinheritance/26.png new file mode 100644 index 0000000..cae0a7d Binary files /dev/null and b/moneroinheritance/26.png differ diff --git a/moneroinheritance/27.png b/moneroinheritance/27.png new file mode 100644 index 0000000..d198285 Binary files /dev/null and b/moneroinheritance/27.png differ diff --git a/moneroinheritance/28.png b/moneroinheritance/28.png new file mode 100644 index 0000000..e9df2b6 Binary files /dev/null and b/moneroinheritance/28.png differ diff --git a/moneroinheritance/29.png b/moneroinheritance/29.png new file mode 100644 index 0000000..5b569b5 Binary files /dev/null and b/moneroinheritance/29.png differ diff --git a/moneroinheritance/3.png b/moneroinheritance/3.png new file mode 100644 index 0000000..b9d9e1f Binary files /dev/null and b/moneroinheritance/3.png differ diff --git a/moneroinheritance/30.png b/moneroinheritance/30.png new file mode 100644 index 0000000..ecaa4ca Binary files /dev/null and b/moneroinheritance/30.png differ diff --git a/moneroinheritance/31.png b/moneroinheritance/31.png new file mode 100644 index 0000000..fb6948d Binary files /dev/null and b/moneroinheritance/31.png differ diff --git a/moneroinheritance/32.png b/moneroinheritance/32.png new file mode 100644 index 0000000..cb7c238 Binary files /dev/null and b/moneroinheritance/32.png differ diff --git a/moneroinheritance/33.png b/moneroinheritance/33.png new file mode 100644 index 0000000..3dae71b Binary files /dev/null and b/moneroinheritance/33.png differ diff --git a/moneroinheritance/34.png b/moneroinheritance/34.png new file mode 100644 index 0000000..f85e119 Binary files /dev/null and b/moneroinheritance/34.png differ diff --git a/moneroinheritance/35.png b/moneroinheritance/35.png new file mode 100644 index 0000000..09bbd01 Binary files /dev/null and b/moneroinheritance/35.png differ diff --git a/moneroinheritance/36.png b/moneroinheritance/36.png new file mode 100644 index 0000000..e9c6c77 Binary files /dev/null and b/moneroinheritance/36.png differ diff --git a/moneroinheritance/37.png b/moneroinheritance/37.png new file mode 100644 index 0000000..22f5ea7 Binary files /dev/null and b/moneroinheritance/37.png differ diff --git a/moneroinheritance/38.png b/moneroinheritance/38.png new file mode 100644 index 0000000..567dfd3 Binary files /dev/null and b/moneroinheritance/38.png differ diff --git a/moneroinheritance/39.png b/moneroinheritance/39.png new file mode 100644 index 0000000..e9f311c Binary files /dev/null and b/moneroinheritance/39.png differ diff --git a/moneroinheritance/4.png b/moneroinheritance/4.png new file mode 100644 index 0000000..0a0d84e Binary files /dev/null and b/moneroinheritance/4.png differ diff --git a/moneroinheritance/40.png b/moneroinheritance/40.png new file mode 100644 index 0000000..1b52c96 Binary files /dev/null and b/moneroinheritance/40.png differ diff --git a/moneroinheritance/41.png b/moneroinheritance/41.png new file mode 100644 index 0000000..e768c49 Binary files /dev/null and b/moneroinheritance/41.png differ diff --git a/moneroinheritance/42.png b/moneroinheritance/42.png new file mode 100644 index 0000000..eb14a44 Binary files /dev/null and b/moneroinheritance/42.png differ diff --git a/moneroinheritance/5.png b/moneroinheritance/5.png new file mode 100644 index 0000000..b18c0d6 Binary files /dev/null and b/moneroinheritance/5.png differ diff --git a/moneroinheritance/6.png b/moneroinheritance/6.png new file mode 100644 index 0000000..fd1e703 Binary files /dev/null and b/moneroinheritance/6.png differ diff --git a/moneroinheritance/7.png b/moneroinheritance/7.png new file mode 100644 index 0000000..7e12020 Binary files /dev/null and b/moneroinheritance/7.png differ diff --git a/moneroinheritance/8.png b/moneroinheritance/8.png new file mode 100644 index 0000000..c7246fa Binary files /dev/null and b/moneroinheritance/8.png differ diff --git a/moneroinheritance/9.png b/moneroinheritance/9.png new file mode 100644 index 0000000..20fe678 Binary files /dev/null and b/moneroinheritance/9.png differ diff --git a/moneroinheritance/index.md b/moneroinheritance/index.md new file mode 100644 index 0000000..a32ff24 --- /dev/null +++ b/moneroinheritance/index.md @@ -0,0 +1,458 @@ +--- +author: XMRONLY +date: 2025-01-29 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/48" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# Monero Inheritence Management (VaultWarden Emergency Contacts) + +![](0.png) + + + +## **Introduction** + + + + + +Uncle Rich has worked hard his entire life and has managed to save a large amount of Monero. Now approaching the later years of his life, he is worried about what will become of his financial legacy. Having no kids of his own, he decides he wants to pass on his wealth to the closest thing to a son he has, his Nephew Nick. Uncle Rich figures the easiest way to do this is by giving Nephew Nick the seedphrase to his wallet but Uncle Rich wants to transfer his wealth only after he passes away. The critical question thus becomes "How does one securely share a secret from beyond the grave?" In this article we will see how to do exactly that, specifically using **Vaultwarden** , and its **Emergency Contacts** feature. + +## **Overview** + +In order to avoid relying on third parties, we need a sovereign solution that is FOSS, self-hostable, end-to-end encrypted and that stores data in a zero-knowledge environment. Vaultwarden is the ideal candidate for this task as it is an alternative server implementation of Bitwarden that is written in Rust and is memory-safe. It is more light-weight than the full Bitwarden stack and can be easily deployed on a VPS for less than €5 per month. + +![](1.png) + +Nephew Nick will start by setting up a self-hosted instance where both Uncle Rich and him will create an account. After setting up a reliable notification system, Uncle Rich will grant Nephew Nick Emergency Access to his account, where he has his seedphrase stored. After Nephew Nick accepts Emergency Access, everything will be set in place. In the future, when Nephew Nick requests access to Uncle Rich's vault, Uncle Rich will receive a notification and have a predetermined amount of time to reject the Emergency Access request. If Uncle Rich is still alive at this point, that is trivially easy to do. If Uncle Rich is no longer with us, he will not be able to reject the Emergency Access request. As a result, after the allotted time has expired, Nephew Nick will be notified his request has been granted and will be able to access Uncle Rich's vault where the seedphrase lies. + +## **Prerequisites** + +Starting from Nephew Nick's perspective: + +![](nick.png) + +Prerequisites: +\- A [domain name](../anondomain/index.md) \- Nephew Nick purchased one anonymously using Monero on **Njalla** using their onion link. +\- A [VPS](../anonymousremoteserver/index.md) \- Nephew Nick purchased one anonymously using Monero on **Kyun** using their onion link. Specs consisting of 1 core and 2 GB of memory are more than enough to self-host everything needed for the setup. + +![](2.png) +Nephew Nick knows that Uncle Rich is getting quite old. Uncle Rich is still capable of using a computer but in order for this setup to work it must provide as little friction as possible. As such, we will keep things simple and use email notifications from a self-hosted server. While not overtly private, email is a suitable option in this case given its ease of use and because it is being used strictly for notifications with no sensitive information is being transmitted. Setting up a self-hosted mail server has been [covered before](http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/opsec/mailprivate/index.md), however, in this article we will do things a little different in line with running all of our services independently as docker containers. All publicly accessible services will be protected by SSL and we will use Traefik reverse proxy both to automatically procure wildcard SSL certificates and renew them, and also to route traffic to each respective subdomain. Let's get started. + +## **DNS Setup** + +Nephew Nick will start by setting up DNS records on Njalla (note: no trailing dot is needed). Required are A records pointing to the VPS IP address for xmronly.com, *.xmronly.com, and mail.xmronly.com. An MX record for mail.xmronly.com is also required as shown. + +![](3.png) + +Over on Kyun, Nephew Nick will set a reverse DNS to point to mail.xmronly.com. + +![](4.png) + +With this complete, Nephew Nick can test the DNS records to make sure they are set up correctly and have propagated. With the expected outputs as shown below, we're ready to move on. + + + ~ ❯ dig @1.1.1.1 +short MX xmronly.com + 10 mail.xmronly.com. + ~ ❯ dig @1.1.1.1 +short A mail.xmronly.com + 65.87.7.101 + ~ ❯ dig @1.1.1.1 +short -x 65.87.7.101 + mail.xmronly.com. + + +## **Infrastructure Setup** + +Nephew Nick will SSH into the VPS and install docker. Note: the commands have been stylized for ease of copy/pasting. + + + ~ ❯ torsocks ssh root@65.87.7.101 + + The authenticity of host '65.87.7.101 (65.87.7.101)' can't be established. + ED25519 key fingerprint is SHA256:QAP2txmiectXuYnTD7LIcd3RMo5cuA8h0kO2gG0RFX. + This key is not known by any other names. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '65.87.7.101' (ED25519) to the list of known hosts. + root@65.87.7.101's password: + Linux danbo-0565a7 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-12-16) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@VPS:~# + + # Add Docker's official GPG key: + apt-get update + apt-get install ca-certificates curl gpg -y + install -m 0755 -d /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc + chmod a+r /etc/apt/keyrings/docker.asc + + # Add the repository to Apt sources: + echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \ + $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ + tee /etc/apt/sources.list.d/docker.list > /dev/null + apt-get update + + # Install docker + apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y + + # Verify installation was successful + docker run hello-world + + +With docker successfully installed, let's specify a docker network for our containers to use and let's create the required directories to segregate each service we'll be using. + + + # Create a docker network + docker network create proxy + + # Create directories for each separate service + mkdir -p docker/{traefik,mailserver,vaultwarden} + + +Next we'll set up a docker-compose file (**traefik.yml**) in /docker/traefik and tell it to grab an SSL certificate for our mail subdomain mail.xmronly.com. We'll deploy a tiny container (whoami) at this subdomain to test it works correctly. Note: a DNS challenge is required for Traefik to obtain wildcard SSL certificates, and any of a [number of DNS providers](https://doc.traefik.io/traefik/https/acme/#providers) will suffice with an access token obtained from your account with that provider. + + + services: + traefik: + image: docker.io/traefik:latest + container_name: traefik + ports: + - '80:80' + - '443:443' + command: + - '--api=true' + - '--api.dashboard=false' + - '--providers.docker=true' + - '--providers.docker.exposedbydefault=false' + - '--certificatesresolvers.letsencrypt.acme.dnschallenge=true' + - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=njalla' + - '--certificatesresolvers.letsencrypt.acme.email=email_goes_here' + - '--certificatesresolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=2s' + - '--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53' + - '--certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json' + - '--entrypoints.web.address=:80' + - '--entrypoints.web.http.redirections.entrypoint.to=websecure' + - '--entrypoints.web.http.redirections.entrypoint.scheme=https' + - '--entrypoints.websecure.address=:443' + - '--entrypoints.websecure.http.tls=true' + - '--entrypoints.websecure.http.tls.certResolver=letsencrypt' + - '--entrypoints.websecure.http.tls.domains[0].main=xmronly.com' + - '--entrypoints.websecure.http.tls.domains[0].sans=*.xmronly.com' + environment: + - 'NJALLA_TOKEN=token_goes_here' + volumes: + - ./acme/:/acme + - /var/run/docker.sock:/var/run/docker.sock:ro + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.traefik.entryPoints=websecure' + - 'traefik.http.routers.traefik.service=api@internal' + restart: unless-stopped + networks: + - 'proxy' + + whoami: + image: docker.io/traefik/whoami:latest + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.whoami.entrypoints=websecure' + - 'traefik.http.routers.whoami.rule=Host(`mail.xmronly.com`)' + restart: unless-stopped + networks: + - proxy + + networks: + proxy: + external: true + + +Start the containers with **docker compose -f traefik.yml up -d** then navigate to https://mail.xmronly.com and verify the SSL certificate is present. + +![](5.png) + +Next we'll set up a docker-compose file (**mailserver.yml**) in /docker/mailserver. + + + services: + mailserver: + image: ghcr.io/docker-mailserver/docker-mailserver:latest + container_name: mailserver + hostname: mail.xmronly.com + ports: + - "25:25" # SMTP (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead) + - "143:143" # IMAP4 (explicit TLS => STARTTLS) + - "465:465" # ESMTP (implicit TLS) + - "587:587" # ESMTP (explicit TLS => STARTTLS) + - "993:993" # IMAP4 (implicit TLS) + volumes: + - ./data/mailserver/mail-data/:/var/mail/ + - ./data/mailserver/mail-state/:/var/mail-state/ + - ./data/mailserver/mail-logs/:/var/log/mail/ + - ./data/mailserver/config/:/tmp/docker-mailserver/ + - /etc/localtime:/etc/localtime:ro + - /root/docker/traefik/acme/acme.json:/etc/letsencrypt/acme.json:ro #specify path + environment: + - "SSL_TYPE=letsencrypt" + - "SSL_DOMAIN=mail.xmronly.com" + - "ENABLE_FAIL2BAN=1" + restart: unless-stopped + stop_grace_period: 1m + cap_add: + - NET_ADMIN + healthcheck: + test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1" + timeout: 3s + retries: 0 + networks: + - 'proxy' + + networks: + proxy: + external: true + + +Start the container with **docker compose -f mailserver.yml up -d** , then add a user and configure the DKIM settings. + + + # Add a user + docker exec mailserver setup email add no-reply@xmronly.com password_goes_here + + # Generate the DKIM configuration + docker exec mailserver setup config dkim + + +To obtain the DKIM info, navigate to docker/mailserver/data/dms/config/opendkim/keys/xmronly.com/mail.txt and copy the info removing all quotes/punctuation such that you are left with an output (that you will need to copy later) that looks like this: + + + v=DKIM1; k=rsa; p=MIIBIjANBgkqhkifHSvSJUf3e17tNhF1lPPsNfEGtrwywCmXS5GvAuzsP29n9k/Tp5sUKFnT63o0Z9r3pC7sSuAWo3x9N38XmYlSwoztODvM5WEfHSvSJUf3e17tNhF1lPPsNfEGtrwywCmXS5GvAuzsP29n9k/Tp5sUKFnT63o0Z9r3pC7 + + +Back on Njalla, add a TXT record using the following: + + + Name: @ + Content: v=spf1 mx ~all + + +Add another TXT record using the following: + + + Name: _dmarc + Content: v=DMARC1; p=none; sp=none; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@xmronly.com; ruf=mailto:dmarc.report@xmronly.com + + +Finally, add a TXT record using the DKIM information from above: + + + Name: mail._domainkey + Content: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkifHSvSJUf3... + + +With everything complete, your DNS should look like this: + +![](6.png) + +Finally, restart the mailserver for these changes to take effect. + + + docker compose -f mailserver.yml down + docker compose -f mailserver.yml up -d + + +You can confirm everything is working correctly by configuring Thunderbird to use your mail server and sending out a test email on **https://mail-tester.com**. + +![](7.png) ![](8.png) + +The last step is to set up a docker-compose file (**vaultwarden.yml**) in /docker/vaultwarden. + + + services: + vaultwarden: + image: vaultwarden/server:latest + container_name: vaultwarden + volumes: + - ./data/:/data/ + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.vaultwarden.entryPoints=websecure' + - 'traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.xmronly.com`)' + environment: + - 'DOMAIN=https://vaultwarden.xmronly.com' + - 'SIGNUPS_ALLOWED=true' + - 'SMTP_HOST=mail.xmronly.com' + - 'SMTP_FROM=no-reply@xmronly.com' + - 'SMTP_SECURITY=starttls' + - 'SMTP_USERNAME=no-reply@xmronly.com' + - 'SMTP_PASSWORD=password_goes_here' + restart: unless-stopped + networks: + - proxy + + networks: + proxy: + external: true + + +Start the container with **docker compose -f vaultwarden.yml up -d**. With the final piece of the infrastructure in place, Nephew Nick and Uncle Rich can now proceed to creating their accounts. + +## **Vaultwarden Setup (Nephew Nick)** + +Continuing with the same perspective, Nephew Nick will head to **https://vaultwarden.xmronly.com** and start by creating an account then using it to sign in. + +![](9.png) ![](10.png) + +When prompted, Nephew Nick will verify his email address. + +![](11.png) ![](12.png) + +With verification complete, Nephew Nick will confirm his account fingerprint phrase as this information will be needed for a future step. This is located on the sidebar under Settings -> My account. + +![](13.png) + +## **Vaultwarden Setup (Uncle Rich)** + +Switching over to Uncle Rich's perspective now: + +![](rich.png) + +Uncle Rich will start by creating an account and then using it to sign in. + +![](9.png) ![](14.png) + +When prompted, Uncle Rich will verify his email address. + +![](11.png) ![](15.png) + +With verification complete, Uncle Rich can proceed to set up an entry containing his seedphrase. + +![](16.png) ![](17.png) + +Next, Uncle Rich will add Nephew Nick as an Emergency Contact. This is found on the sidebar under Settings -> Emergency access. + +![](18.png) ![](19.png) + +## **Vaultwarden Setup (Accepting Emergency Access)** + +Switching back to Nephew Nick's perspective now: + +![](nick.png) + +Nephew Nick receives an email notification that Uncle Rich has invited him to be an Emergency Contact. Clicking the link prompts a log in, automatically accepting the request. + +![](20.png) ![](21.png) + +Upon signing in, there is a notification indicating that the invitation has been accepted and that Nephew Nick's identity must be confirmed (by Uncle Rich). Nephew Nick can see the status of his designation as an Emergency Contact under Settings -> Emergency access on the sidebar. + +![](22.png) ![](23.png) + +## **Vaultwarden Setup (Confirming Identity)** + +Switching back to Uncle Rich's perspective now: + +![](rich.png) + +Uncle Rich receives an email notification that Nephew Nick has accepted the invitation to become an Emergency Contact and that Uncle Rich must confirm his identity. + +![](24.png) + +Uncle Rich logs in and navigates to Settings -> Emergency access on the sidebar. Next he clicks on Options -> Confirm to make Nephew Nick a Trusted Emergency Contact. Lastly, Uncle Rich confirms with Nephew Nick that his account fingerprint phrase matches from the previous step and clicks Confirm. + +![](25.png) ![](26.png) + +## **Vaultwarden Setup (Requesting Access)** + +Switching back to Nephew Nick's perspective now: + +![](nick.png) + +Nephew Nick receives an email notification that he has been confirmed as an Emergency Contact for Uncle Rich. + +![](27.png) + +With that, the setup is fully complete. Nephew Nick is able to request Emergency Access and Uncle Rich can reject it according to his wishes as long as he is still alive. + + + + + + +[Some times passes...] + + + + + + +Nephew Nick has not heard from Uncle Rich in a long time and fears the worst has happened. After signing in, he navigates to Settings -> Emergency access on the sidebar and requests Emergency Access to Uncle Rich's vault. + +![](28.png) ![](29.png) + +## **Obtaining Access (Scenario 1: Rejection)** + +Switching back to Uncle Rich's perspective now: + +![](rich.png) + +Uncle Rich receives an email notification that Nephew Nick has requested Emergency Access. Being that Uncle Rich is still alive and doesn't want access to his Monero seedphrase to be granted until he has passed away, he will reject the request. + +![](30.png) + +After logging into his account, Uncle Rich navigates to Settings -> Emergency access in the side bar and rejects Nephew Nick's request. + +![](31.png) + +![](nick.png) + +From Nephew Nick's perspective, he will receive an email notification saying his request has been rejected by Uncle Rich. Nephew Nick can confidently conclude that Uncle Rich is therefore still alive and can try to visit him in person. + +![](32.png) + +## **Obtaining Access (Scenario 2: Acceptance)** + +In this scenario, Uncle Rich indeed has passed away. + +![](nick.png) + +From Nephew Nick's perspective, there is nothing to do but wait for the 30 day interval to expire. After 30 days have passed, Nephew Nick receives an email. Note: the text of this notification is the confusingly same wheter Uncle Rich has manually approved access or wheter the timeframe has expired. + +![](33.png) + +Nephew Nick signs into his account and navigates to Settings -> Emergency access. He is now able to view Uncle Rich's vault. + +![](34.png) ![](35.png) + +And just like that Nephew Nick has received Uncle Rich's seedphrase! + +![](36.png) + +## **Restoring a Wallet from Seedphrase** + +Nephew Nick opens up his Monero Wallet GUI and navigates to "Restore wallet from keys or mnemonic seed" + +![](37.png) + +He gives the wallet a name and chooses a location to save it. Finally Nephew Nick input's Uncle Rich's seedphrase. + +![](38.png) + +Proceeding to the next screen, Nephew Nick inputs a strong password and saves it in his password manager. + +![](39.png) + +Finally, he selects a node for the connection. Connecting to your own node is recommended but in this example we will use a remote node. + +![](40.png) + +With the connection established, all that is left to do is to wait synchronization to finish. + +![](41.png) + +Nephew Nick has successfully restored Uncle Rich's wallet using the seedphrase! + +![](42.png) + diff --git a/moneroinheritance/nick.png b/moneroinheritance/nick.png new file mode 100644 index 0000000..bdf51a7 Binary files /dev/null and b/moneroinheritance/nick.png differ diff --git a/moneroinheritance/rich.png b/moneroinheritance/rich.png new file mode 100644 index 0000000..587d2ce Binary files /dev/null and b/moneroinheritance/rich.png differ diff --git a/monerop2pool/0.png b/monerop2pool/0.png new file mode 100644 index 0000000..34ac150 Binary files /dev/null and b/monerop2pool/0.png differ diff --git a/monerop2pool/index.md b/monerop2pool/index.md new file mode 100644 index 0000000..66e6101 --- /dev/null +++ b/monerop2pool/index.md @@ -0,0 +1,234 @@ +--- +author: null +date: 2024-08-25 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/104" +xmr: 46qeUbExxGSLT1pAkssG2LMBnLPsbiTNMcikp1B8PwFnShPkTRxt9c12Tcw2KaAagRTAju5j2NUYYNwCAp54zKMqBpoUZEg +--- +# Mine Monero with p2pool and xmrig + +![](0.png) Figure 4.7 from [Mastering Monero](https://masteringmonero.com/) + + + +## **Introduction** + +In this tutorial, I'll outline how to mine Monero using p2pool. Monero mining uses the [RandomX](https://www.getmonero.org/resources/moneropedia/randomx.html) algorithm and is CPU bound to prevent ASICs from centralizing the network. + +As with almost all other cryptocurrencies, Monero is best mined in pools. Most pools are centralized, meaning one entity controls the operation of the pool. This is an issue, because if the pool gains at least 51% of the total hashing power of the network, [the network's security can be compromised](https://wikipedia.org/wiki/Double-spending#51%_attack). To prevent this, p2pool was written. + +p2pool is a open source Monero mining pool that provides the best rewards and helps prevent centralization of mining power. The pool is decentralized and is not controlled by any one entity. + +Before you begin, it is important to know that due to the peer to peer nature of p2pool, all nodes connect to each other via forwarded ports and your IP will be visible by the network. There is currently no way to hide your IP, except maybe via VPN which is beyond the scope of this tutorial. [This tutorial](../vpn/index.md) explains how to set one up. + +## **Monero Node** + +Before you begin mining, you must first find a node to source block data from. This node must have zmq enabled for p2pool to function. + +I recommend running your own node to reduce strain on the network and to increase your own privacy. You can follow [this tutorial](../monero2024/index.md) to set one up. If you cannot run a Monero node for some reason, pick the fastest node from the list [here](https://xmrvsbeast.com/p2pool/monero_nodes.html) and write down the hostname, RPC_Port, and ZMQ_Port. + +## **p2pool Node Setup** + +When using p2pool, you must run your own p2pool node to which the xmrig mining clients will connect. + +To start, install p2pool from the [GitHub downloads page](https://github.com/SChernykh/p2pool/releases/latest): + + + ~/Downloads + ❯ wget "https://github.com/SChernykh/p2pool/releases/download/v4.0/p2pool-v4.0-linux-x64.tar.gz" + + ~/Downloads + ❯ tar -xf p2pool-v4.0-linux-x64.tar.gz + + ~/Downloads + ❯ mv p2pool-v4.0-linux-x64/ p2pool/ + + ~/Downloads + ❯ cd p2pool/ + + ~/Downloads/p2pool + ❯ realpath p2pool + /home/mcneb10/Downloads/p2pool/p2pool + + + +You can also compile from source using the `p2pool_source.tar.xz` tarball + +Next, make a systemd service for p2pool: + + + ~ + ❯ sudo vim /etc/systemd/system/p2pool.service + + ~ + ❯ cat /etc/systemd/system/p2pool.service + [Unit] + Description=p2pool + After=network.target + Wants=network.target + + [Service] + ExecStart=/home/mcneb10/Downloads/p2pool/p2pool --wallet x --host 127.0.0.1 --rpc-port 18081 --zmq-port 18084 --stratum 0.0.0.0:3333 --mini + Restart=on-failure + RestartSec=10s + StandardOutput=journal + StandardError=journal + + [Install] + WantedBy=multi-user.target + + + +You'll need to make various changes to this config for your specific configuration: + + 1. Change the path of p2pool in `ExecStart` to the path outputted by `realpath` on your machine. + 2. Replace the `x` in `--wallet x` with your own wallet address + * This is the wallet address that will represent your mining power on p2pool. It MUST be a primary address. + * I recommend creating a new wallet specifically for mining to protect your privacy, as mining payout transactions are partially transparent to allow auditing of the total Monero supply. + * **DO NOT** share this address with anyone, as it can be used to obtain the IP address of your p2pool node. + 3. Change the hostname after the `--host` option and the ports after the `--zmq-port` and `--rpc-port` options to the hostname and ports specific to the Monero node you run (or the one wrote down earlier if you are using another node). + 4. Make sure the stratum interface is configured how you want it + * The `--stratum` option sets the address and port p2pool will bind to for accepting stratum connections. These stratum connections are for p2pool to communicate with the computers you will be mining on. + * The default is fine, but will expose on all interfaces. If you don't want this, change the `0.0.0.0` to a different address. + 5. Remove the `--mini` option if you are running a larger scale mining operation (around 100kH/s or higher) + + + +You can then enable the service with: + + + ~ + ❯ sudo systemctl enable --now p2pool + + ~ + ❯ sudo systemctl status p2pool + ● p2pool.service - p2pool + Loaded: loaded (/etc/systemd/system/p2pool.service; enabled; preset: enabled) + Active: active (running) since Wed 2024-08-14 16:38:58 UTC; 2min 54s + + ... + + + +## **xmrig Setup** + +Now that the p2pool node is set up, you can start mining! + +The you can find the xmrig binaries on the [releases page](https://github.com/xmrig/xmrig/releases/latest). Follow these steps to install: + + + ~/Downloads + ❯ wget "https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-x64.tar.gz" + + ~/Downloads + ❯ tar -xf xmrig-6.21.3-linux-static-x64.tar.gz + + ~/Downloads + ❯ mv xmrig-6.21.3/ xmrig/ + + ~/Downloads + ❯ cd xmrig/ + + ~/Downloads/xmrig + ❯ realpath xmrig + /home/mcneb10/Downloads/xmrig/xmrig + + + +**Please note that** the source code and precompiled xmrig binaries will donate 1% of your hashrate to the developer. You can change the code to prevent this or block the developer's server as it can compromise your privacy. The donation can be blocked by amending your hosts file like so: + + + ~ + ❯ sudo vim /etc/hosts + + ~ + ❯ cat /etc/hosts + + ... + + # Block xmrig donation + 0.0.0.0 donate.v2.xmrig.com donate.ssl.xmrig.com + + + +Be careful mining in apartments, dorms, shared living spaces, public spaces, etc. as many have explicit policies against mining that may result in your punishment. + +With that out of the way, we can setup a systemd service like so: + + + ~ + ❯ sudo vim /etc/systemd/system/xmrig.service + + ~ + ❯ cat /etc/systemd/system/xmrig.service + [Unit] + Description=xmrig + After=network.target + Wants=network.target + + [Service] + ExecStart=/home/mcneb10/Downloads/xmrig/xmrig -o 127.0.0.1:3333 -k + Restart=on-failure + RestartSec=10s + StandardOutput=journal + StandardError=journal + + [Install] + WantedBy=multi-user.target + + + +Again, you'll have to make some changes to the service config for your configuration: + + 1. Change the path of xmrig in `ExecStart` to the path outputted by the `realpath` command + 2. Replace the `127.0.0.1:3333` with the hostname:port of your p2pool stratum server we just set up relative to your mining rig + + + +Some optimization info: + + * xmrig relies on bare metal control of a CPU **as root** for optimization, so if you run it in a VM or as a regular user it will get a very bad hash rate. + * xmrig also has options to control the amount of threads and resources it uses on your machine. By default it won't use all resources to prevent the computer from becoming unusable. You can force xmrig to use as much computing power as possible by adding the option `--cpu-no-yield` to the command line. + * You can also set the number of preferred CPU threads for xmrig to use by adding `-t N`, where N is the number of threads. I don't recommend changing this, as xmrig will chose the optimal settings for you. Cutting down threads will reduce cpu + power usage. + * See the full list of optimization options [here](https://xmrig.com/docs/miner/command-line-options#cpu-backend). + + + +You can then enable the service with: + + + ~ + ❯ sudo systemctl enable --now xmrig + + ~ + ❯ sudo systemctl status xmrig + ● xmrig.service - xmrig + Loaded: loaded (/etc/systemd/system/xmrig.service; enabled; preset: enabled) + Active: active (running) since Wed 2024-08-14 16:38:58 UTC; 2min 54s + + ... + + + +Repeat the process for all of your mining rigs. + +## **Maintenance** + +Make sure to periodically check for updates on p2pool, as there may be breaking changes that affect mining profitability and security. + +To update the binaries for either p2pool or xmrig, simply download them and overwrite the old version. You can use commands in the installation instructions to overwrite the old one. The systemd services should continue to work fine. + +## **Some Optional (but useful) Extras** + + * You can calculate your estimated revenue with [this calculator](https://mini.p2pool.observer/calculate-share-time). The [xmrig benchmark page](https://xmrig.com/benchmark) shows the hash rate of processors by model. + * For example, if you were to mine on an AMD Ryzen 5 7600X non stop for a day, you would make a maximum of 0.0017 XMR at the time of writing. + * [mini p2pool observer](https://mini.p2pool.observer) ([onion](http://p2pmin25k4ei5bp3l6bpyoap6ogevrc35c3hcfue7zfetjpbhhshxdqd.onion/)) shows your mining stats, such as shares, payouts, daily revenue, etc. + * The site also has a service for mining notifications using webhooks. + * If you removed the `--mini` option the site is at [p2pool observer](https://p2pool.observer/) ([onion](http://p2pool2giz2r5cpqicajwoazjcxkfujxswtk3jolfk2ubilhrkqam2id.onion/)). + * Simply paste your mining wallet address in the search bar to view. Keep in mind the information will not populate until you get your first share, which might take a few hours. + * Registering for the [xmrvsbeast](https://xmrvsbeast.com/p2pool/) hash rate raffle can give you even more profitability as a miner. The site explains the rules in depth. + + + + + + diff --git a/monerowealth/0.png b/monerowealth/0.png new file mode 100644 index 0000000..fbbaccd Binary files /dev/null and b/monerowealth/0.png differ diff --git a/monerowealth/1.png b/monerowealth/1.png new file mode 100644 index 0000000..4951cd4 Binary files /dev/null and b/monerowealth/1.png differ diff --git a/monerowealth/2.png b/monerowealth/2.png new file mode 100644 index 0000000..b0eae96 Binary files /dev/null and b/monerowealth/2.png differ diff --git a/monerowealth/3.png b/monerowealth/3.png new file mode 100644 index 0000000..38540f3 Binary files /dev/null and b/monerowealth/3.png differ diff --git a/monerowealth/4.png b/monerowealth/4.png new file mode 100644 index 0000000..e605e17 Binary files /dev/null and b/monerowealth/4.png differ diff --git a/monerowealth/5.png b/monerowealth/5.png new file mode 100644 index 0000000..4b7d767 Binary files /dev/null and b/monerowealth/5.png differ diff --git a/monerowealth/6.png b/monerowealth/6.png new file mode 100644 index 0000000..445f51e Binary files /dev/null and b/monerowealth/6.png differ diff --git a/monerowealth/7.png b/monerowealth/7.png new file mode 100644 index 0000000..18793b8 Binary files /dev/null and b/monerowealth/7.png differ diff --git a/monerowealth/8.png b/monerowealth/8.png new file mode 100644 index 0000000..1f6615d Binary files /dev/null and b/monerowealth/8.png differ diff --git a/monerowealth/9.png b/monerowealth/9.png new file mode 100644 index 0000000..846ca52 Binary files /dev/null and b/monerowealth/9.png differ diff --git a/monerowealth/index.md b/monerowealth/index.md new file mode 100644 index 0000000..a5422b1 --- /dev/null +++ b/monerowealth/index.md @@ -0,0 +1,146 @@ +--- +author: nihilist +date: 2025-04-20 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/167" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Where to hide your Monero Wealth ? + +Have you ever asked yourself **what you would do if you were to recieve 9000 moneros (which is worth approx 1.6M euros currently) to your wallet right now ?** Do you know where could you even store it safely in the long run? We're going to explore exactly that in this tutorial. + + + _Legal Disclaimer:_ as usual, i don't actually recommend you do anything illegal, this is strictly educational as detailed [here](../legal.html). + + + + + +## **Why is this important ?** + +First of all, you cannot appear to be rich without being able to justify where the money comes from: + +![](9.png) + +So if you can't officially spend that unofficial money, where do you even store it then ? + +![](0.png) + +Statist thieves are everywhere. They are integral parts of governments, and their belief in the State dictates that the rich needs to serve the government one way or the other, So if you are getting rich without giving back to the state, to them you are stealing from the state, **which means that you are going into sensitive use territory** , so if you are recieving money income that you can't officially justify, you need to tread this path extra-carefully. **You need to make sure that you keep the access to your money, while at the same time make it impossible for thieves to seize it.** + +In most modern societies nowadays you have a legal maximum amount of cash one is allowed to carry on oneself. **If you are found to be in possession of one extra dollar above that maximum legal amount you are allowed to carry, the state can legally steal it from you.** + + + When flying within the United States, there is no legal limit on the amount of carrying Cash or monetary instruments you can carry. However, if you are traveling internationally to or from the U.S., you must declare amounts exceeding $10,000 USD to the customs authorities. + + + +` ![](1.png) + +Of course, given the context, carrying entire barrels of cash with you while going anywhere is incredibly stupid, because if it gets found at the airport, at home, in the desert, it will get seized no matter what. **Monero by itself solves that problem partially,** who's going to guess that a usb key can contain a monero wallet seed phrase worth 1.6M euros ? If storing your entire wealth on a usb stick sounds safe to you, you need to understand how badly this can end like in [this case](https://cryptonews.com.au/news/usb-stick-with-ethereum-worth-9-5-million-seized-by-uk-police-91763/): + +![](2.png) + +Thing is, we are aiming for deniability here. You need to be able to deny having that amount of monero in your posession. Because if you can't deny having it in your possession, you're going to get it stolen from you by the state, all because the setup you have is not suitable for sensitive use. + +If the adversary suspects that you are recieving monero one way or the other, they're going to look at every harddrive, every usb key of yours, **and if there are any encrypted volumes found you'll be forced to type a password to unlock them.** That's why you need to prepare for the worst, if you are going to actually recieve alot of money on a monero wallet. + +![](../logos/de2.png)In short, **if you store your monero wallet seed phrase outside of a veracrypt hidden volume (meaning outside of deniable encryption), IT CAN BE SEIZED!** + +## **Where to store the seed phrases?** + +Your monero seed phrase is what you need to be able to access your wallet, it is a string of 25 words. **If you lose it, you lose access to your monero wallet.** If someone else gets access to it, they can drain your wallet, that's why you should never keep your monero on centralised exchanges, because the exchange admins hold the keys to your crypto, so they can drain it. **ALWAYS SELF-CUSTODY YOUR OWN CRYPTO! if it's not your keys, then it's not your crypto!** + + + yellow exhibit skill bracket venture tail snack deny push direct kitten canyon pulse fiscal ladder release door guitar mix addict crucial aspect wreck salmon velvet + + + +If this is the seed phrase to your wallet, you absolutely need to keep access to it if you want to be able to keep accessing it, while at the same time make it impossible for others to seize it. Now you can try to remember it by heart, but good luck at that, because i certainly can't. + +Realisticly, to securely store our monero seed phrase, we're going to store it inside of a Keepass KDBX file, **which makes it accessible to us by simply remembering the master password of that passwords KDBX file.** + +![](4.png) + +Now the question is, where do we store that keepass Passwords.kdbx file ? And how many monero wallets do we need ? + +## **Deniability Context** + +First of all, you need to remain aware of where your deniability starts and where it ends: + +![](3.png) + +Following our general recommendations on [VM-based internet use segmentation](../internetsegmentation/index.md), we have our usual Public, Private, Anonymous and Sensitive use VMs. + + * ![](../de2.png)Public use VM: **you cannot deny the existance of a monero wallet in it** + + * ![](../de2.png)Private use VM: **you cannot deny the existance of a monero wallet in it** + + * ![](../de2.png)[Anonymous use VM](../whonixqemuvms/index.md): **you cannot deny the existance of a monero wallet in it** + + * ![](../de0.png)[Sensitive use VM](../sensitivevm/index.md): _ONLY HERE You can deny the existance of a monero wallet_! + + + + +As we have explained previously, you may use [Haveno](../haveno-client-f2f/index.md) to anonymously trade Peer to Peer direct Monero for fiat and Fiat for Monero. On the surface it looks private, because you are conducting the monero transaction from your (anonymous use) whonix VM: + +![](5.png) + +But the other factor to consider here is that you may not be able to deny that the [Haveno Fiat -> XMR transaction](../haveno-sepa/index.md) took place in case if you just transacted with a malicious peer (that just snitched that you just traded with them): + +![](6.png) + +If you conduct a trade with a malicious peer that intends to tell big daddy government that you just bought monero, who knows, maybe the government would want to steal that monero from you. Since this is actually a possible scenario, let's suppose that it actually happens: + +You recieve a knock on the door, and the statist law enforcement just seizes your devices and they ask you how much monero you own. You may pretend that you lost it in a boating accident, **but if your anonymous VM monero wallet contains more than 10000 Euros-worth of monero, the thieves, upon forcing you to unlock your computer, and your keepass Passwords.kdbx file, are going to simply legally steal it from you.** + +![](8.png) + +Therefore, **That's why we need to cap the total amount of monero stored in wallets that we carry to the maximum legal amount of cash we are allowed to carry wherever we cannot deny it's existance**. We have the sum of the private and anonymous monero wallets that cannot go beyond 10000 euros (legally) because we cannot deny their existance, and meanwhile we can store an indefinite amount of monero on the sensitive monero wallet, that is stored inside the Sensitive use VM. + +## **Storing Monero Wealth, in action** + +Let's consider the following scenario, let's say you have + + + -Private Monero wallet: 2 XMR + -Anonymous Monero wallet: 3 XMR + -Sensitive Monero wallet: 7 XMR + + The official amount of Monero you officially have is: 2+3 XMR, totaling at around 943 euros + + +Therefore if you were to recieve 9999 XMR on your Anonymous Monero wallet right now, your total wealth would look like so: + + + -Private Monero wallet: 2 XMR + -Anonymous Monero wallet: 3 + 9999 XMR + -Sensitive Monero wallet: 7 XMR + + The official amount of Monero you officially have is: 5+9999 XMR, totaling at around 1.9M euros + (Meaning if the adversary sees you possess that amount, they can legally take it from you) + + + +Obviously, if the authorities were to find you in posession of 1.9M euros worth of monero, they'll simply say that you are found in the posession of more value than you are allowed to carry on yourself (legally speaking 10,000 euros in france for example), **and then they legally seize it all from you.** + +If you don't want that to happen you can either declare it and let them tax the f*ck out of it, **or you can officially donate it all to that one anonymous dude online that is running Tor Nodes:** + +![](7.png) + +[...] Officially speaking at least. **In reality it all lands into your Sensitive use Monero wallet** , free of tax, free from thieves, safely stored where it's existance cannot be proven. + + + -Private Monero wallet: 2 XMR + -Anonymous Monero wallet: 3 XMR + -Sensitive Monero wallet: 7 + 9999 XMR + + The official amount of Monero you officially have is: 5 XMR, totaling at around 943 euros + (while in reality you secretely have an extra 10006 XMR, totaling at around 1.8M euros) + + + +Now if the adversary were to seize and destroy your devices, you'd lose access to your monero seed phrase, **so don't forget to make backups of your critical sensitive data** as shown [in this tutorial](../plausiblydeniabledataprotection/index.md). That way you can keep the access to your money even if your data were to be destroyed. + +And that's it! You now know where to store your Monero wealth safely. + diff --git a/multiple_identities/characters.png b/multiple_identities/characters.png new file mode 100644 index 0000000..aa65f30 Binary files /dev/null and b/multiple_identities/characters.png differ diff --git a/multiple_identities/index.md b/multiple_identities/index.md new file mode 100644 index 0000000..045bfe4 --- /dev/null +++ b/multiple_identities/index.md @@ -0,0 +1,143 @@ +--- +author: Hoover +date: 2024-10-09 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/56" +xmr: 42yco9t6qK98N191EZzKJUCH7cit5JT8mBJQvVULEPAPeBHurbFqGj2hK7kaFhqasv8AYLpbuP15Wg5suzyjUd5SMLqabRw +--- +# How to Maintain Multiple Identities Online + +In this tutorial, we’ll guide you through setting up and managing multiple online identities to enhance your privacy and security. We’ll discuss why this is crucial, how to establish distinct personas, and the steps you need to keep them isolated from each other. + + + +## **OPSEC Recommendations** + +Each identity should have a distinct virtual environment, using a dedicated VM with specific configurations: + + * **Public Identity:** + * Hardware: Laptop / Desktop Computer + * Host OS: Any preferred OS + * VM: [Basic Windows VM](../hypervisorsetup/index.md) + * **Private Identity:** + * Hardware: Laptop / Desktop Computer + * Host OS: [Linux](../linux/index.md) (e.g., Debian) + * VM: Linux-based VM (Debian or Ubuntu) + * **Anonymous Identity:** + * Hardware: Laptop / Desktop Computer + * Host OS: [Linux](../linux/index.md) (eg. Debian) + * VM: [Whonix QEMU](../whonixqemuvms/index.md) with Tor integration + * **Sensitive Identity:** + * Hardware: Laptop / Desktop Computer + * Host OS: [Linux](../linux/index.md) + * VM: [Whonix QEMU](../whonixqemuvms/index.md), with VeraCrypt hidden volume + + + +![VM Setup Diagram](../internetsegmentation/6.png) + +Refer to our guide on [Internet Use Segmentation](../internetsegmentation/index.md) for detailed setup instructions. + +### **Why Maintain Multiple Online Identities?** + +In the digital age, entities like advertisers, corporations, and hackers constantly monitor online activity. Using a single identity for everything allows these actors to build comprehensive profiles about you, threatening your privacy. + +Multiple identities help compartmentalize your activities. This approach minimizes the risk of data leakage, prevents profiling, and puts you in control of what information is shared. + +### **What We'll Be Doing** + +We’ll create multiple VMs dedicated to different types of internet activities: + + * **Public Identity:** Real-world activities linked to your true identity. + * **Private Identity:** Privacy-focused activities that don’t require anonymity. + * **Anonymous Identity:** Activities requiring anonymity (e.g., whistleblowing). + * **Sensitive Identity:** Highly secure activities where plausible deniability is crucial. + + + +Each identity will have a unique persona, distinct writing style, and separate digital environment. Complete isolation will be maintained by using separate VMs and following strict operational security practices. + +## **Setting Up Multiple Identities** + +Start by defining distinct identities with clear boundaries: + + * **Public Identity (Alice Liddell):** Real name, linked to real-world activities. + * **Private Identity (Bob Marley):** Pseudonym, may reveal the real name if necessary. + * **Anonymous Identity (Charlie Chaplin):** No real identity linkage, anonymous persona. + * **Sensitive Identity (Dave Mustaine):** Completely anonymous, sensitive activities only. + + + +Each identity should exhibit different behaviors and writing styles to avoid detection via linguistic analysis. + +## **Building the Characters** + +Follow these principles when building each character: + + * **Distinctiveness:** Each identity should have unique traits and online behavior. + * **Separation:** Identities should never interact or reference each other. + * **Isolation:** Services, accounts, or data should not be shared across identities. Your identities should never interact in any way, nor should they know about each others existence. + * **Dedicated VM for Each Identity:** Use separate VMs as described in the OPSEC section. + + + +Below is a diagram showing how to build each character: + +![Character Building Diagram](characters.png) + +**Example Character Profiles:** + + * **Alice Liddell:** Tech enthusiast, writes formally on open-source software forums. Formal, technical, and informative. Uses industry-specific jargon and includes references to technical documentation. + * **Bob Marley:** Music fan, uses casual language, active on music-related forums. Conversational and relaxed, often using slang or informal language. References musical terms and uses expressive language. + * **Charlie Chaplin:** Anonymity advocate, terse language, posts in privacy-focused communities. Terse, direct, and factual. Avoids personal anecdotes and uses technical language related to privacy and security. + * **Dave Mustaine:** Security expert, concise and secretive, uses encrypted channels only. Short, concise, and serious. Uses formal language and avoids any expressions that might reveal personal details or writing habits. + + + +### **Character Interaction (Example)** + +While these characters should never interact in reality, the following example illustrates how different identities can be made to appear distinct even when discussing the same topic. The brief interaction below is provided for demonstration purposes. + +**Forum Topic:** "Is Basic Security Enough for Online Privacy?" + +> **Alice Liddell:** "Basic security is a good start, but it's crucial to adopt more advanced measures as your digital footprint grows." +> +> **Bob Marley:** "tru but who wants to stress over all that? just keep it simple and dont click on sketchy stuff and youll be fine, mon." + +This example showcases the differences between Alice and Bob: + + * **Alice Liddell:** Uses a formal and cautious approach, advocating for the adoption of advanced security practices as an essential step. + * **Bob Marley:** Takes a laid-back attitude, suggesting that keeping things simple and using common sense is sufficient. + + + +The differences in tone, vocabulary, and approach clearly distinguish the two characters, reinforcing the separation between their online personas. + +## **Stylometry: Risks and Real-World Cases** + +Stylometry analyzes writing style to link identities. Consider these real-world examples: + + * [J.K. Rowling](https://www.smithsonianmag.com/science-nature/how-did-computers-uncover-jk-rowlings-pseudonym-180949824/): Revealed as the author of *The Cuckoo's Calling* through linguistic clues. + * [Ted Kaczynski](https://theconversation.com/how-the-unabombers-unique-linguistic-fingerprints-led-to-his-capture-207681): The Unabomber was caught due to similarities in writing style. + + + +To mitigate stylometry risks: + + * Vary your writing style, sentence structure, and vocabulary or use a local LLM to rewrite your messages before sending them. + * Avoid using distinctive punctuation or spelling patterns. + * Use paraphrasing tools or AI assistance to diversify your style. + + + +### **Conclusion** + +By following this tutorial, you’ve created multiple isolated online identities, each with its own dedicated environment and persona. This approach enhances your online privacy and security by compartmentalizing your digital life. + +Always maintain discipline in keeping these identities separate, and regularly update your systems to protect against emerging threats. With careful implementation, you can take control of your digital presence. + +### **What You've Accomplished** + +\- Established distinct identities with unique personas. +\- Configured virtual machines for each identity. +\- Implemented robust operational security practices. + diff --git a/mysqlmastermaster/0.mp4 b/mysqlmastermaster/0.mp4 new file mode 100644 index 0000000..5b39006 Binary files /dev/null and b/mysqlmastermaster/0.mp4 differ diff --git a/mysqlmastermaster/1.png b/mysqlmastermaster/1.png new file mode 100644 index 0000000..61c7437 Binary files /dev/null and b/mysqlmastermaster/1.png differ diff --git a/mysqlmastermaster/3.png b/mysqlmastermaster/3.png new file mode 100644 index 0000000..110a0db Binary files /dev/null and b/mysqlmastermaster/3.png differ diff --git a/mysqlmastermaster/4.png b/mysqlmastermaster/4.png new file mode 100644 index 0000000..8ae2570 Binary files /dev/null and b/mysqlmastermaster/4.png differ diff --git a/mysqlmastermaster/5.png b/mysqlmastermaster/5.png new file mode 100644 index 0000000..c8ad9b1 Binary files /dev/null and b/mysqlmastermaster/5.png differ diff --git a/mysqlmastermaster/6.png b/mysqlmastermaster/6.png new file mode 100644 index 0000000..a5c3c00 Binary files /dev/null and b/mysqlmastermaster/6.png differ diff --git a/mysqlmastermaster/7.png b/mysqlmastermaster/7.png new file mode 100644 index 0000000..696bb64 Binary files /dev/null and b/mysqlmastermaster/7.png differ diff --git a/mysqlmastermaster/8.png b/mysqlmastermaster/8.png new file mode 100644 index 0000000..32eae66 Binary files /dev/null and b/mysqlmastermaster/8.png differ diff --git a/mysqlmastermaster/index.md b/mysqlmastermaster/index.md new file mode 100644 index 0000000..a41d304 --- /dev/null +++ b/mysqlmastermaster/index.md @@ -0,0 +1,543 @@ +--- +author: oxeo0 +date: 2025-02-21 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/188" +xmr: 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ +--- +# How to setup a MySQL Master-Master replication over Tor + +## **Introduction** + +Your dark net [vegetable shop](../tornginxphpmysql/index.md) turned out to be a **wild success**! +With the influx of new users placing orders, you might want to consider high availability and replication across different locations. MySQL has a built-in mechanism for automatic replication between database instances, requiring only a TCP connection and an account with replication permissions. + +This works by having the **Master** DB send all queries to the **Slave** DB for execution. This setup is useful for real-time database backups through **Master-Slave** replication. + +In this guide, we will configure MySQL **Master-Master** replication over Tor. In this configuration, each database acts as both **Master** and **Slave** , automatically replicating queries between them via a Tor connection. + + + +## **Overview** + +This guide assumes you already have the stack from the [last tutorial](../tornginxphpmysql/index.md) running. + + +We will synchronize databases automatically between our two hidden services. If a user makes a purchase on one server, the second server will be notified immediately, executing the same SQL query on both databases. All communication between servers will occur over the Tor network, providing authentication and encryption without opening ports or generating SSL certificates. + +The MariaDB server running on each machine will connect to an onion address using socat as a background service configured with systemd, since it cannot utilize the socks5 proxy provided by the Tor client directly. + +For each server, we will later generate two onion v3 vanity URLs: + + + * **Public Hidden Service URL** \- This is used for accessing the hidden service as a client. Place this URL in your NGINX configuration to expose the vegetable shop service at port **80**. + + + * **Internal Hidden Service URL** \- Used exclusively for inter-service communication. + + + +Note that you can use only numbers **2-7** in the onion URL, as they are not part of the [base32 alphabet](https://en.wikipedia.org/wiki/Base32) used for encoding onion URLs. In this guide, I use words like **one** and **two** instead. + +Below is a table showing what ports and services will be active on each server: + +| Server 1 | Server 2 +---|---|--- +Hostname | server1 | server2 +Local HTTP (NGINX) port | 4440 | 4440 +Public HS URL | srvone[...].onion | srvtwo[...].onion +External HTTP port | 80 | 80 +Internal* HS URL | intone[...].onion | inttwo[...].onion +Local MySQL port | 3306 | 3306 +MySQL HS port | 33061 | 33062 + +* The **Internal Hidden Service** is used exclusively for inter-server communication, and its URL should remain private. + +Here is a full diagram of what we aim to achieve: + +![](1.png) + +## **Prerequisites** + +To follow this guide, you need two instances running the stack set up in the [previous tutorial](../tornginxphpmysql/index.md). In production, it's recommended to place them on different servers and networks for high availability. However, for demonstration purposes, you may use [Proxmox VE](https://www.proxmox.com/en/). + +If using Proxmox, after setting up the vegetable store once, you can clone it to create a second instance. + +![](4.png) ![](5.png) + + + +Ensure you have socat installed on both servers: + + + oxeo@serverN:~$ sudo apt update + oxeo@serverN:~$ sudo apt install socat + + +## **Part 1** + +The steps listed below should be executed on your first server. The second part of this guide will include commands for the second server with slight modifications, but they are mostly the same. +This part contains explanations of how things work; the second part is primarily a list of commands. + +## **MySQL Service Configuration** + +You need to create a location for storing relay and binlog log files: + + + oxeo@server1:~$ sudo mkdir /var/log/mysql + oxeo@server1:~$ sudo chown mysql:mysql /var/log/mysql + + +Now edit the **/etc/mysql/mariadb.conf.d/50-server.cnf** adding the following lines under the **[mysqld]** section: + + + [mysqld] + server-id = 1 + log_bin = /var/log/mysql/mysql-bin.log + binlog-ignore-db = test + binlog-ignore-db = information_schema + replicate-ignore-db = test + replicate-ignore-db = information_schema + relay-log = "mysql-relay-log" + auto-increment-increment = 2 + auto-increment-offset = 1 + + + * **server-id** \- sets a unique identifier for this MySQL server instance within a replication setup. Each server in a replication topology must have a distinct server-id. + * **log_bin** \- specifies the path to hold binary logging data used by **Master** to queue SQL events to send. + * **binlog-ignore-db** \- excludes metadata and testing databases from being logged in binlog. + * **replicate-ignore-db** \- same thing but prevents replication of those databases. + * **relay-log** \- specifies the path for relay log data used by the **Slave** to queue events received from **Master**. + * **auto-increment-increment** \- the same as number of master nodes, it ensures every second row insertion to prevent write collisions. + * **auto-increment-offset** \- the same as current server number, sets the first row index to write into. In our setup it will write odd rowse for server 1 and even for server 2. + + + +Restart the MariaDB service to apply these changes: + + + oxeo@server1:~$ sudo systemctl restart mariadb + + +## **MySQL Replication User** + +Add a replication user on the first server using MySQL shell. + + + oxeo@server1:~$ sudo mysql + [...] + MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD'; + Query OK, 0 rows affected (0.001 sec) + + MariaDB [(none)]> grant replication slave on *.* to 'repl'@'%'; + Query OK, 0 rows affected (0.001 sec) + + +You can generate a reasonably secure slave password with the following command: + + + oxeo@server1:~$ tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12 && echo + 3adaQtXsu50w + + +Replace **YOUR_GENERATED_SLAVE_PASSWORD** with the generated password and note it down for configuring the second server. + +## **Tor Configuration** + +To make our MySQL instance accessible to the second server, create another hidden service in **/etc/tor/torrc**. You should have two hidden services: one public and one internal. +On the internal hidden service, we will also expose SSH which will come handy later. + + + HiddenServiceDir /var/lib/tor/veggie_service/ + HiddenServicePort 80 127.0.0.1:4440 + + HiddenServiceDir /var/lib/tor/internal_service/ + HiddenServicePort 33061 127.0.0.1:3306 + HiddenServicePort 22 127.0.0.1:22 + + +Restart the Tor daemon to apply these changes (Tor will automatically create necessary directories and set permissions): + + + oxeo@server1:~$ sudo systemctl restart tor + + +Verify that the directories were successfully created. + + + oxeo@server1:~$ sudo ls -la /var/lib/tor/internal_service + total 23 + drwx--S--- 3 debian-tor debian-tor 6 Feb 16 17:23 . + drwx--S--- 5 debian-tor debian-tor 11 Feb 16 17:23 .. + drwx--S--- 2 debian-tor debian-tor 2 Feb 16 17:23 authorized_clients + -rw------- 1 debian-tor debian-tor 63 Feb 16 17:23 hostname + -rw------- 1 debian-tor debian-tor 64 Feb 16 17:23 hs_ed25519_public_key + -rw------- 1 debian-tor debian-tor 96 Feb 16 17:23 hs_ed25519_secret_key + + +Of course automatically generated hidden service hostname will be random so you need to [generate vanity URLs](../torwebsite/index.md) for **srvone[...].onion** and **intone[...].onion** and copy appropriate keys to **/var/lib/tor/veggie_service** and **/var/lib/tor/internal_service** respectively. + +If you haven't already, update the **server_name** also in **/etc/nginx/sites-available/veggie-shop.conf** : + + + server { + listen 127.0.0.1:4440; + server_name srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion; + root /srv/shop/; + index index.php; + + location / { + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/php-fpm.sock; + } + } + + +Restart Nginx and Tor once again, then verify you can access your veggie shop under new onion URL: + + + oxeo@server1:~$ sudo systemctl restart tor nginx + + +![](6.png) + +## **Socat Forwarding Service** + +Now we need to create a systemd service forwarding MySQL traffic to the onion address. +Here's how it will look like from the perspective of first server: +![](3.png) + +To achieve this, create a new systemd service by creating file under **/etc/systemd/system/socat-tor.service** with following contents: + + + [Unit] + Description=Socat TCP Listener to SOCKS4A Proxy + After=network.target tor.service + Requires=tor.service + + [Service] + ExecStart=/usr/bin/socat TCP-LISTEN:33062,fork,bind=127.0.0.1 SOCKS4A:127.0.0.1:inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion:33062,socksport=9050 + Restart=always + + [Install] + WantedBy=multi-user.target + + +Remember to replace **inttwo[...].onion** with your actual second server internal URL. + +And enable the service: + + + oxeo@server1:~$ sudo systemctl daemon-reload + oxeo@server1:~$ sudo systemctl enable --now socat-tor + + +## **Part 2** + +Now log into your 2nd server and run the commands listed below. They're mostly the same with very slight differences. When you need to change something I will add a note but generally, if you get stuck on something, you should look it up in the first part. + +## **MySQL Service Configuration** + + + oxeo@server2:~$ sudo mkdir /var/log/mysql + oxeo@server2:~$ sudo chown mysql:mysql /var/log/mysql + + +**/etc/mysql/mariadb.conf.d/50-server.cnf** : + + + [mysqld] + server-id = 2 + log_bin = /var/log/mysql/mysql-bin.log + binlog-ignore-db = test + binlog-ignore-db = information_schema + replicate-ignore-db = test + replicate-ignore-db = information_schema + relay-log = "mysql-relay-log" + auto-increment-increment = 2 + auto-increment-offset = 2 + + + + oxeo@server2:~$ sudo systemctl restart mariadb + + +## **MySQL Replication User** + +Now you can open MySQL shell on the first server and add replication user. + + + oxeo@server2:~$ sudo mysql + [...] + + MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD'; + Query OK, 0 rows affected (0.001 sec) + + MariaDB [(none)]> grant replication slave on *.* to 'repl'@'%'; + Query OK, 0 rows affected (0.001 sec) + + +Replace **YOUR_GENERATED_SLAVE_PASSWORD** with the one you generated earlier. + +## **Tor Configuration** + +Add to **/etc/tor/torrc** : + + + HiddenServiceDir /var/lib/tor/veggie_service/ + HiddenServicePort 80 127.0.0.1:4440 + + HiddenServiceDir /var/lib/tor/internal_service/ + HiddenServicePort 33062 127.0.0.1:3306 + HiddenServicePort 22 127.0.0.1:22 + + + + oxeo@server2:~$ sudo systemctl restart tor + + + + oxeo@server2:~$ sudo ls -la /var/lib/tor/internal_service + total 23 + drwx--S--- 3 debian-tor debian-tor 6 Feb 16 17:23 . + drwx--S--- 5 debian-tor debian-tor 11 Feb 16 17:23 .. + drwx--S--- 2 debian-tor debian-tor 2 Feb 16 17:23 authorized_clients + -rw------- 1 debian-tor debian-tor 63 Feb 16 17:23 hostname + -rw------- 1 debian-tor debian-tor 64 Feb 16 17:23 hs_ed25519_public_key + -rw------- 1 debian-tor debian-tor 96 Feb 16 17:23 hs_ed25519_secret_key + + +[Generate vanity URLs](../torwebsite/index.md#generate-vanity-onion-v3-url) for **srvtwo[...].onion** and **inttwo[...].onion** and copy appropriate keys to **/var/lib/tor/veggie_service** and **/var/lib/tor/internal_service** respectively. + +**/etc/nginx/sites-available/veggie-shop.conf** : + + + server { + listen 127.0.0.1:4440; + server_name srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion; + root /srv/shop/; + index index.php; + + location / { + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/php-fpm.sock; + } + } + + + + oxeo@server1:~$ sudo systemctl restart tor nginx + + +## **Socat Forwarding Service** + +**/etc/systemd/system/socat-tor.service** : + + + [Unit] + Description=Socat TCP Listener to SOCKS4A Proxy + After=network.target tor.service + Requires=tor.service + + [Service] + ExecStart=/usr/bin/socat TCP-LISTEN:33061,fork,bind=127.0.0.1 SOCKS4A:127.0.0.1:intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion:33061,socksport=9050 + Restart=always + + [Install] + WantedBy=multi-user.target + + +Remember to replace **intone[...].onion** with your actual first server internal URL. + + + oxeo@server2:~$ sudo systemctl daemon-reload + oxeo@server2:~$ sudo systemctl enable --now socat-tor + + +## **Part 3 - MySQL Master Configuration** + +To enable **Master-Master** replication, both databases must be synchronized. Export the database from the first server and restore it on the second one. + +Dump the database on the first server and calculate its MD5 checksum: + + + oxeo@server1:~$ sudo mysqldump -uroot --all-databases --master-data > master1dump.sql + oxeo@server1:~$ md5sum master1dump.sql + 40c3cfa7e778cc276b6a3b670a3823a6 + + +Transfer the dump to your second server using **SCP** (a wrapper over SSH enabling file transfer). To not reveal your public IP address, we will connect via the internal hidden service with **torsocks**. Remember to replace **int[...].onion** URLs with ones you generated. + +First, transfer from the first server to your computer: + + + oxeo@main-pc:~$ torsocks scp oxeo@intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion:/home/oxeo/master1dump.sql /tmp/master1dump.sql + master1dump.sql 100% 2428KB 1.1MB/s 00:03 + + +Then, transfer from your computer to the second server: + + + oxeo@main-pc:~$ torsocks scp /tmp/master1dump.sql oxeo@inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion:/home/oxeo/master1dump.sql + master1dump.sql 100% 2428KB 1.4MB/s 00:02 + + +Verify the MD5 checksum on the second server and restore the database if it matches: + + + oxeo@server2:~$ md5sum master1dump.sql + 40c3cfa7e778cc276b6a3b670a3823a6 + oxeo@server2:~$ sudo mysql -u root < master1dump.sql + + +Finally, enable the **Master** role on each database. Here are the commands for the first server: + + + oxeo@server1:~$ sudo mysql + [...] + + MariaDB [(none)]> STOP SLAVE; + Query OK, 0 rows affected (0.001 sec) + + MariaDB [(none)]> SHOW MASTER STATUS; + +------------------+----------+--------------+-------------------------+ + | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | + +------------------+----------+--------------+-------------------------+ + | mysql-bin.000001 | 328 | | test,information_schema | + +------------------+----------+--------------+-------------------------+ + 1 row in set (0.000 sec) + + MariaDB [(none)]> CHANGE MASTER TO master_host = '127.0.0.1', master_user = 'repl', master_port=33062, master_password='YOUR_GENERATED_SLAVE_PASSWORD', master_log_file = 'mysql-bin.000001', master_log_pos = 2490521; + Query OK, 0 rows affected, 1 warning (0.004 sec) + + MariaDB [(none)]> START SLAVE; + Query OK, 0 rows affected (0.001 sec) + + +And on the second server: + + + oxeo@server2:~$ sudo mysql + [...] + + MariaDB [(none)]> STOP SLAVE; + Query OK, 0 rows affected (0.001 sec) + + MariaDB [(none)]> SHOW MASTER STATUS; + +------------------+----------+--------------+-------------------------+ + | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | + +------------------+----------+--------------+-------------------------+ + | mysql-bin.000001 | 2490521 | | test,information_schema | + +------------------+----------+--------------+-------------------------+ + 1 row in set (0.000 sec) + + MariaDB [(none)]> CHANGE MASTER TO master_host = '127.0.0.1', master_user = 'repl', master_port=33061, master_password='YOUR_GENERATED_SLAVE_PASSWORD', master_log_file = 'mysql-bin.000001', master_log_pos = 328; + Query OK, 0 rows affected, 1 warning (0.022 sec) + + MariaDB [(none)]> START SLAVE; + Query OK, 0 rows affected (0.001 sec) + + +Replace **YOUR_GENERATED_SLAVE_PASSWORD** with the one you generated earlier. + +Now a breakdown of what they do: + + * **STOP SLAVE** \- stops the **Slave** role. We need to stop it temporarily when configuring **Master** parameters. + + + * **SHOW MASTER STATUS** \- displays information about the binary log status of **Master** server. Here, the **Position** column is the most important. It indicates the position within the binary log file where replication or recovery would begin. In the next command you need to put the **Position** value from the 2nd database into the **master_log_pos** of the 1st database. And the other way around for the **master_log_pos** on 2nd database. + + + * **CHANGE MASTER TO [...]** \- tells the database to connect to **Master** at socat forwared port with the password we configured for **repl** user. The replication should start from **master_log_pos** as described above. + + + * **START SLAVE** \- starts the **Slave** role with a newly configured **Master**. + + + +## **Testing Replication** + +Now to test if both databases are synchronized, we will modify the data directly on one database and verify that both services are updated after reloading the site. + + + oxeo@server1:~$ sudo mysql + [...] + + MariaDB [(none)]> USE veggie_shop; + Database changed + MariaDB [veggie_shop]> INSERT INTO products (name, price, quantity) VALUES ('Pear', 0.65, 10); + Query OK, 1 row affected (0.005 sec) + + +![](7.png) + + + +Changes to the second database should be replicated as well so we'll test it by updating the number of pears. + + + oxeo@server2:~$ sudo mysql + [...] + + MariaDB [(none)]> USE veggie_shop; + Database changed + MariaDB [veggie_shop]> UPDATE products SET quantity = 42 WHERE name = 'Pear'; + Query OK, 1 row affected (0.002 sec) + Rows matched: 1 Changed: 1 Warnings: 0 + + +![](8.png) + +## **Troubleshooting** + +If for whatever reason your replication works only in one way or doesn't work at all, you can check the system journal: + + + oxeo@server1:~$ sudo journalctl -xe + [...] + Feb 16 20:27:55 server1 /etc/mysql/debian-start[392]: Upgrading MySQL tables if necessary. + Feb 16 20:27:55 server1 /etc/mysql/debian-start[433]: Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables + Feb 16 20:27:58 server1 mariadbd[311]: 2025-02-16 20:27:58 5 [Note] Slave I/O thread: connected to master 'repl@127.0.0.1:33062',replication started in log 'mysql-bin.000003' at position 682 + Feb 16 20:29:57 server1 mariadbd[311]: 2025-02-16 20:29:57 38 [Note] Start binlog_dump to slave_server(2), pos(mysql-bin.000003, 1022), using_gtid(0), gtid('') + [...] + + +You can also check the listening ports using the **ss** command. Here's how it should look like: + + + oxeo@server1:~$ sudo ss -tulp + Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process + udp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:* users:(("dhclient",pid=93,fd=7)) + tcp LISTEN 0 5 127.0.0.1:33062 0.0.0.0:* users:(("socat",pid=156,fd=5)) + tcp LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* users:(("master",pid=445,fd=13)) + tcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:* users:(("mariadbd",pid=311,fd=25)) + tcp LISTEN 0 511 127.0.0.1:4440 0.0.0.0:* users:(("nginx",pid=9278,fd=5),("nginx",pid=9277,fd=5),("nginx",pid=9276,fd=5)) + tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=187,fd=6)) + tcp LISTEN 0 100 [::1]:smtp [::]:* users:(("master",pid=445,fd=14)) + tcp LISTEN 0 4096 *:ssh *:* users:(("sshd",pid=175,fd=3),("systemd",pid=1,fd=39)) + + +## **Closing Remarks** + +**Congratulations!** \- You have just succesfully configured MySQL replication over Tor. Not many people ever achieved that ;) + +If you need even more security for inter-server communication, you could configure [Client Authorization](https://community.torproject.org/onion-services/advanced/client-auth/). Nowadays it [shouldn't be necessary](https://forum.torproject.org/t/is-there-an-index-for-onion-domains/6893/3) unless your internal onion URL has been compromised. It provides additional protection by requiring a private key approved by your Hidden Service to access internal services. + +In the next tutorial of this series, we will configure [Onionbalance](https://onionservices.torproject.org/apps/base/onionbalance/) \- a service that automatically distributes requests over multiple backends on the same onion URL. + +**Additional resources** + + * [MySQL master-master replication in local network](../../selfhosting/db/msql_mm.html) (written by Nihilist) + + + * [MySQL master-slave replication over SSH tunnel](https://andrewhofmans.com/blog/how-to/mysql-master-slave-replication-over-ssh-tunnel/) + + + diff --git a/nextcloud/2.png b/nextcloud/2.png new file mode 100644 index 0000000..e8d3415 Binary files /dev/null and b/nextcloud/2.png differ diff --git a/nextcloud/25.png b/nextcloud/25.png new file mode 100644 index 0000000..0ac6d83 Binary files /dev/null and b/nextcloud/25.png differ diff --git a/nextcloud/3.png b/nextcloud/3.png new file mode 100644 index 0000000..fedec96 Binary files /dev/null and b/nextcloud/3.png differ diff --git a/nextcloud/32.png b/nextcloud/32.png new file mode 100644 index 0000000..a36ee0f Binary files /dev/null and b/nextcloud/32.png differ diff --git a/nextcloud/4.png b/nextcloud/4.png new file mode 100644 index 0000000..63727d6 Binary files /dev/null and b/nextcloud/4.png differ diff --git a/nextcloud/48.png b/nextcloud/48.png new file mode 100644 index 0000000..c9408f3 Binary files /dev/null and b/nextcloud/48.png differ diff --git a/nextcloud/49.png b/nextcloud/49.png new file mode 100644 index 0000000..21b96e7 Binary files /dev/null and b/nextcloud/49.png differ diff --git a/nextcloud/5.png b/nextcloud/5.png new file mode 100644 index 0000000..074add6 Binary files /dev/null and b/nextcloud/5.png differ diff --git a/nextcloud/50.png b/nextcloud/50.png new file mode 100644 index 0000000..ce15ba5 Binary files /dev/null and b/nextcloud/50.png differ diff --git a/nextcloud/51.png b/nextcloud/51.png new file mode 100644 index 0000000..733f465 Binary files /dev/null and b/nextcloud/51.png differ diff --git a/nextcloud/52.png b/nextcloud/52.png new file mode 100644 index 0000000..3129138 Binary files /dev/null and b/nextcloud/52.png differ diff --git a/nextcloud/53.png b/nextcloud/53.png new file mode 100644 index 0000000..9ef909b Binary files /dev/null and b/nextcloud/53.png differ diff --git a/nextcloud/54.png b/nextcloud/54.png new file mode 100644 index 0000000..08910b2 Binary files /dev/null and b/nextcloud/54.png differ diff --git a/nextcloud/55.png b/nextcloud/55.png new file mode 100644 index 0000000..19b742f Binary files /dev/null and b/nextcloud/55.png differ diff --git a/nextcloud/56.png b/nextcloud/56.png new file mode 100644 index 0000000..71b0316 Binary files /dev/null and b/nextcloud/56.png differ diff --git a/nextcloud/57.png b/nextcloud/57.png new file mode 100644 index 0000000..710e948 Binary files /dev/null and b/nextcloud/57.png differ diff --git a/nextcloud/58.png b/nextcloud/58.png new file mode 100644 index 0000000..d546bd6 Binary files /dev/null and b/nextcloud/58.png differ diff --git a/nextcloud/59.png b/nextcloud/59.png new file mode 100644 index 0000000..f1e8a35 Binary files /dev/null and b/nextcloud/59.png differ diff --git a/nextcloud/6.png b/nextcloud/6.png new file mode 100644 index 0000000..4cc3095 Binary files /dev/null and b/nextcloud/6.png differ diff --git a/nextcloud/60.png b/nextcloud/60.png new file mode 100644 index 0000000..af01409 Binary files /dev/null and b/nextcloud/60.png differ diff --git a/nextcloud/61.png b/nextcloud/61.png new file mode 100644 index 0000000..82fac05 Binary files /dev/null and b/nextcloud/61.png differ diff --git a/nextcloud/62.png b/nextcloud/62.png new file mode 100644 index 0000000..dd839ee Binary files /dev/null and b/nextcloud/62.png differ diff --git a/nextcloud/63.png b/nextcloud/63.png new file mode 100644 index 0000000..82a5412 Binary files /dev/null and b/nextcloud/63.png differ diff --git a/nextcloud/64.png b/nextcloud/64.png new file mode 100644 index 0000000..52511b2 Binary files /dev/null and b/nextcloud/64.png differ diff --git a/nextcloud/65.png b/nextcloud/65.png new file mode 100644 index 0000000..c376fbd Binary files /dev/null and b/nextcloud/65.png differ diff --git a/nextcloud/7.png b/nextcloud/7.png new file mode 100644 index 0000000..f134aa7 Binary files /dev/null and b/nextcloud/7.png differ diff --git a/nextcloud/8.png b/nextcloud/8.png new file mode 100644 index 0000000..f05500c Binary files /dev/null and b/nextcloud/8.png differ diff --git a/nextcloud/9.png b/nextcloud/9.png new file mode 100644 index 0000000..a6b825c Binary files /dev/null and b/nextcloud/9.png differ diff --git a/nextcloud/graph.png b/nextcloud/graph.png new file mode 100644 index 0000000..921469e Binary files /dev/null and b/nextcloud/graph.png differ diff --git a/nextcloud/index.md b/nextcloud/index.md new file mode 100644 index 0000000..a4cbdb6 --- /dev/null +++ b/nextcloud/index.md @@ -0,0 +1,309 @@ +--- +author: Optimist +date: 2025-03-27 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/233" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Nextcloud .onion Setup (Anonymous File Hosting) + +![](logo.png) + +In this tutorial we're going to cover how you can install an .onion only Nextcloud instance, Nextcloud is a FOSS alternative to replace popular file hosting websites like google cloud or onedrive, which can be ideal to make sure that your files are backed up somewhere, all while preserving anonymity. I recommend self-hosting this service at home, that way you make sure that your personal data stays at your home, rather than making it readable by an adversary on a remote server. + +Nextcloud is an indispensable tool for productivity, as you're going to see: + +![](graph.png) + +What we are trying to achieve here, is **a setup where we can have a single folder synchronized on multiple devices,** so that any change done from any of those devices, to that same folder, gets to be automatically shared and synchronized accross all of the other devices aswell. And of course, we're going to achieve that while maintaining our anonymity, by routing all traffic through Tor. + + + +## **Serverside Setup** + +So to install nextcloud we're going to use docker-compose as follows (as the root user): + + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → sudo -i + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → apt install docker.io docker-compose -y + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → vim docker-compose.yml + + [ Wonderland ] [ /dev/pts/7 ] [/srv/nextcloud] + → cat docker-compose.yml + networks: + tor-nxtcld: + driver: bridge + ipam: + config: + - subnet: 10.7.0.0/24 + gateway: 10.7.0.1 + + services: + db: + image: mariadb:latest + restart: always + command: --transaction-isolation=READ-COMMITTED + networks: + tor-nxtcld: + ipv4_address: 10.7.0.2 + volumes: + - db:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD=P@SSW0RD + - MYSQL_PASSWORD=P@SSW0RD + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + + redis: + image: redis:alpine + restart: always + + app: + image: nextcloud:latest + restart: always + networks: + tor-nxtcld: + ipv4_address: 10.7.0.3 + ports: + - 127.0.0.1:9639:80 + depends_on: + - redis + - db + volumes: + - nextcloud:/var/www/html + environment: + - MYSQL_PASSWORD=P@SSW0RD + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + - MYSQL_HOST=db + - NEXTCLOUD_TRUSTED_DOMAINS=nxtcloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + - OVERWRITEHOSTPROTOCOL=http + - OVERWRITEHOST=nxtcloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion + - PROXY=tor-nxtcld:9050 + + tor-nxtcld: + image: osminogin/tor-simple + container_name: tor-nxtcld + volumes: + - ./tor-data:/var/lib/tor + - ./tor-data/torrc:/etc/tor + networks: + tor-nxtcld: + ipv4_address: 10.7.0.4 + + volumes: + nextcloud: + db: + + + +Don't forget to replace the "P@SSW0RD" with a password of your own, and that docker-compose.yaml will expose the nextcloud service on local port 9639, so let's run docker-compose up -d to run the service: + +As you can see in the docker-compose.yml file, there is a tor container, this is to make sure that the nextcloud connects to the internet through Tor (see the PROXY environment variable), to protect the serverside anonymity. + + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → docker-compose up -d + Starting nextcloud_redis_1 ... done + Starting nextcloud_db_1 ... done + Starting nextcloud_app_1 ... done + + +Then we also setup the torrc config to make sure that our nextcloud instance also goes through tor for every external connections it has to make: + + + [ Wonderland ] [ /dev/pts/10 ] [/srv/nextcloud] + → cd tor-data + + [ Wonderland ] [ /dev/pts/10 ] [/srv/nextcloud/tor-data] + → ls + torrc + + [ Wonderland ] [ /dev/pts/10 ] [/srv/nextcloud/tor-data] + → vim torrc/torrc + + [ Wonderland ] [ /dev/pts/10 ] [/srv/nextcloud/tor-data] + → cat torrc/torrc + SOCKSPort 0.0.0.0:9050 + + + +Then we setup the nginx config to be able to access the nextcloud service accordingly. (obviously, replace the onion domain [with your own onion domain](../torwebsite/index.md)): + + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → vim /etc/nginx/sites-available/nxtcloud.conf + + [ Wonderland ] [ /dev/pts/10 ] [/srv/nextcloud/tor-data] + → cat /etc/nginx/sites-available/nxtcloud.conf + upstream nxtcloudbackend { + server 127.0.0.1:9639; + } + + server { + ######## TOR WEBSITE ######## + listen 4443; + listen [::]:4443; + server_name nxtcloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion; + + location / { + proxy_pass http://nxtcloudbackend; + proxy_headers_hash_max_size 512; + proxy_headers_hash_bucket_size 64; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + #proxy_http_version 1.1; + #proxy_set_header Upgrade $http_upgrade; + #proxy_set_header Connection "Upgrade"; + client_max_body_size 20G; + } + } + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → ln -s /etc/nginx/sites-available/nxtcloud.conf /etc/nginx/sites-enabled + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → nginx -s reload + 2025/03/26 09:46:30 [notice] 2097639#2097639: signal process started + + + +Make sure that you follow [this tutorial](../torwebsite/index.md) to know how to have your own custom onion domain name: + + + [ Wonderland ] [ /dev/pts/3 ] [~] + → cat /etc/tor/torrc + + HiddenServiceDir /var/lib/tor/onions/nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/ + HiddenServicePort 80 127.0.0.1:4443 + SocksPort 127.0.0.1:9050 + + [ Wonderland ] [ /dev/pts/3 ] [~] + → systemctl restart tor@default + + + +then you can proceed with accessing your nextcloud instance: + +![](48.png) ![](49.png) ![](51.png) ![](52.png) ![](53.png) ![](54.png) + +Then here we can edit the nextcloud appearance aswell: + +![](55.png) ![](56.png) + +So when you want to login, it'll look like that: + +![](57.png) + +Once logged in, you can drag and drop files from your computer directly into the nextcloud web interface: + +![](58.png) + +And that's it! You now have a nextcloud instance working via .onion to easily save your files remotely. + +## **Keeping Nextcloud Updated** + +In order to upgrade your nextcloud, you can run the following docker-compose commands, and also add it to cron to run automatically every day at midnight: + + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → docker-compose -f /srv/nextcloud/docker-compose.yml pull ; docker-compose -f /srv/nextcloud/docker-compose.yml restart + + Pulling db ... done + Pulling redis ... done + Pulling app ... done + Pulling tor-nxtcld ... done + Restarting tor-nxtcld ... done + Restarting nextcloud_app_1 ... done + Restarting nextcloud_redis_1 ... done + Restarting nextcloud_db_1 ... done + + [ Wonderland ] [ /dev/pts/9 ] [/srv/nextcloud] + → crontab -e + + #nextcloud + @daily docker-compose -f /srv/nextcloud/docker-compose.yml pull ; docker-compose -f /srv/nextcloud/docker-compose.yml restart + + :wq + + +## **Clientside Setup** + +Now to avoid having to always open the web browser to send and download files from your nextcloud instance, you can use the nextcloud desktop application, which will synchronize the nextcloud folders you want locally, as you'll see this is VERY convenient: + + + [ cloud ] [ /dev/pts/1 ] [/snap/bin] + → apt install tor nextcloud-desktop -y + + + +` ![](25.png) + +Here as you try to login you'll first see that it can't resolve the .onion domain, which is normal as you need to tell nextcloud to use the local tor socks5 proxy, available on 127.0.01:9050 + +![](59.png) + +Afterward, you need to copy the authorization link into the tor browser to validate the request: + +![](60.png) ![](61.png) + +Once you have granted access, you can start to sync your nextcloud instance files locally: + +![](62.png) + +Once logged in you can check the progress in the system tray: + +![](63.png) + +Then let it sync, it can take a while due to the low bandwidth of Tor. + +![](32.png) + +And that's it ! You now have a local folder that is synchronized with your nextcloud instance, that you can browse locally to find the files we uploaded earlier: + + + [ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/32 ] [~] + → ls -lash ~/NXTCLOUDTEST + total 7.3M + 4.0K drwxr-xr-x 5 nihilist nihilist 4.0K Mar 26 11:05 . + 4.0K drwx------ 51 nihilist nihilist 4.0K Mar 26 11:08 .. + 1.7M -rw-r--r-- 1 nihilist nihilist 1.7M Feb 11 2024 1636794560654-0.jpg + 324K -rw-r--r-- 1 nihilist nihilist 324K Feb 11 2024 1637121021316-0.jpg + 772K -rw-r--r-- 1 nihilist nihilist 772K Feb 11 2024 1637722778473-0.jpg + 476K -rw-r--r-- 1 nihilist nihilist 473K Feb 11 2024 1637722778473-1.jpg + 112K -rw-r--r-- 1 nihilist nihilist 111K Jul 13 2024 alice.jpg + 444K -rw-r--r-- 1 nihilist nihilist 444K Feb 6 18:22 appart.png + 836K -rw-r--r-- 1 nihilist nihilist 833K Aug 9 2024 bitcoinispartofthesystemneo.png + 100K -rw-r--r-- 1 nihilist nihilist 99K Dec 15 10:19 bunker.jpg + 88K -rw-r--r-- 1 nihilist nihilist 87K Jul 13 2024 catclock.gif + 0 -rw-r--r-- 1 nihilist nihilist 0 Mar 26 11:04 .nextcloudsync.log + 4.0K drwxr-xr-x 3 nihilist nihilist 4.0K Mar 26 10:51 nowhere-logos + 4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Mar 26 10:52 PAPES + 4.0K -rw-r--r-- 1 nihilist nihilist 4.0K Mar 26 11:04 .sync_9855fab54d67.db + 2.5M -rw-r--r-- 1 nihilist nihilist 2.5M Mar 26 11:05 .sync_9855fab54d67.db-wal + 4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Mar 26 10:52 xmrbazaar + + + +` ![](64.png) + +Productivity-wise this is a perfect tool to keep updating files on the same place, from multiple devices. To showcase a basic change, we're going to copy another folder in there: + +![](65.png) + +And here as you can see the changes are automatically getting picked up by the nextcloud desktop client, and synchronized to the nextcloud server automatically aswell. + +_Post script:_ check out [this tutorial](../../productivity/macrotime/index.md) on how to synchronize the nextcloud .onion CalDAV calendar on both desktop and mobile + diff --git a/nextcloud/logo.png b/nextcloud/logo.png new file mode 100644 index 0000000..f6591b8 Binary files /dev/null and b/nextcloud/logo.png differ diff --git a/on0.png b/on0.png new file mode 100644 index 0000000..b45b30a Binary files /dev/null and b/on0.png differ diff --git a/on1.png b/on1.png new file mode 100644 index 0000000..e540732 Binary files /dev/null and b/on1.png differ diff --git a/on2.png b/on2.png new file mode 100644 index 0000000..39f2467 Binary files /dev/null and b/on2.png differ diff --git a/onionbalancelb/0.png b/onionbalancelb/0.png new file mode 100644 index 0000000..8b86ec1 Binary files /dev/null and b/onionbalancelb/0.png differ diff --git a/onionbalancelb/1.0.png b/onionbalancelb/1.0.png new file mode 100644 index 0000000..fd86fef Binary files /dev/null and b/onionbalancelb/1.0.png differ diff --git a/onionbalancelb/1.1.png b/onionbalancelb/1.1.png new file mode 100644 index 0000000..0d57065 Binary files /dev/null and b/onionbalancelb/1.1.png differ diff --git a/onionbalancelb/2.png b/onionbalancelb/2.png new file mode 100644 index 0000000..b73cbbf Binary files /dev/null and b/onionbalancelb/2.png differ diff --git a/onionbalancelb/3.png b/onionbalancelb/3.png new file mode 100644 index 0000000..3d1a2cf Binary files /dev/null and b/onionbalancelb/3.png differ diff --git a/onionbalancelb/4.png b/onionbalancelb/4.png new file mode 100644 index 0000000..6119973 Binary files /dev/null and b/onionbalancelb/4.png differ diff --git a/onionbalancelb/5.png b/onionbalancelb/5.png new file mode 100644 index 0000000..aa4f55e Binary files /dev/null and b/onionbalancelb/5.png differ diff --git a/onionbalancelb/6.png b/onionbalancelb/6.png new file mode 100644 index 0000000..15c6806 Binary files /dev/null and b/onionbalancelb/6.png differ diff --git a/onionbalancelb/index.md b/onionbalancelb/index.md new file mode 100644 index 0000000..5b8521c --- /dev/null +++ b/onionbalancelb/index.md @@ -0,0 +1,214 @@ +--- +author: oxeo0 +date: 2025-02-26 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/207" +xmr: 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ +--- +# OnionBalance for .onion domains load balancing + +![](0.png) + + + +## **Introduction** + +In our [last tutorial](../mysqlmastermaster/index.md), after setting up database replication between two instances of our vegetable shop, you might be wondering if there's a way for clients to access the service via a single frontend. Practically, this means users will go to your main onion v3 URL and may be presented with different backend instances in a transparent manner. + +When one backend instance becomes unavailable, users will still be able to access the service on other backends. After the unavailable backend comes back online, changes made during its offline period will be automatically replicated to the database. It will also resume participating in load balancing. + +## **Overview** + +[Onionbalance](https://github.com/torproject/onionbalance) leverages the way Tor Hidden Service discovery works under the hood. In short, Tor uses a [Distributed Hash Table (DHT)](https://en.wikipedia.org/wiki/Distributed_hash_table) where hidden services are published. Onionbalance makes the frontend address resolve to multiple backend addresses in a manner similar to [Round Robin](https://en.wikipedia.org/wiki/Round-robin_DNS). It functions much like how [CDNs](https://en.wikipedia.org/wiki/Content_delivery_network) work on the clearnet, but it is free and does not rely on any third parties. [Here](https://onionservices.torproject.org/apps/base/onionbalance/design/index.md) is a more detailed explanation of how Onionbalance achieves load balancing in practice. + +At the end of this guide, we'll have a load-balanced frontend URL. There is simplified diagram of how this works: + +![](1.0.png) + + + +User accessing the frontend gets transparently redirected to either of the backends. + +A more detailed version presenting how clients get connected to the load-balanced service over Tor: + +![](1.1.png) + + + +From an end user's perspective: + + * **1** \- Tor client makes a request to the Distributed Hash Table (DHT) with the address of vegetable shop. + + + * **2** \- The DHT returns a descriptor with multiple backend addresses. Tor client chooses one of the addresses. + + + * **3** \- Tor client connects to the choosen backend. + + + * **4** \- Tor client passes the HTTP data to the browser and displays the store interface returned by one of the backends. + + + + +## **Prerequisites** + +To start, you need to have two working servers running our vegetable shop with a replicated database as we did [here](../mysqlmastermaster/index.md). + +You should also know the public onion v3 URLs set up for our vegetable shop instances. Here, this will be **srvone[...].onion** for the first server and **srvtwo[...].onion** for the second server. + +Onionbalance frontends can also be located on different servers than backends. If you want to run the frontend on a separate server, you'll need to [install Tor](../torwebsite/index.md) on it (running as a client in default configuration). In this guide, I will assume that we are running frontends on the same servers as backends (**frontN** is the same as **serverN**). + +Additionally, I [generated](../torwebsite/index.md) another domain **vgshop[...].onion**. It will be used for Onionbalance frontends; clients should use it to access your service from now on. Requests coming to this URL will be load balanced and distributed across available backends. + +To start, install the **onionbalance** package on each frontend server: + + + oxeo@frontN:~$ sudo apt update + oxeo@frontN:~$ sudo apt install onionbalance + + +## **Frontend Configuration** + +Edit the **/etc/onionbalance/config.yaml** file: + + + services: + - instances: + - address: srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion + name: server1 + - address: srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion + name: server2 + key: vgshophitykmo5he6botlhvuosdd2rbpmcorhk5dnt2twetdwlwofyyd.key + + +Remember to replace: + + * **srvone[...].onion** \- public onion URL of the first backend server. + * **srvtwo[...].onion** \- public onion URL of the second backend server. + * **vgshop[...].onion** \- public frontend onion URL that you have generated for this tutorial. + + + +Now, on each frontend server you want to configure, place the **private key** (usually stored in **hs_ed25519_secret_key**) of the **vgshop[...].onion** service into **/etc/onionbalance/vgshophitykmo5he6botlhvuosdd2rbpmcorhk5dnt2twetdwlwofyyd.key**. +Replace the URL part with the actual frontend onion URL. It should match whatever you put in **/etc/onionbalance/config.yaml** as a **key**. + +Edit the **/etc/tor/torrc** adding the following line: + + + ControlPort 127.0.0.1:9051 + + +This will be used by the onionbalance service to control the Tor daemon over a local port. + +## **Tor Daemon Configuration** + +With the frontends configured, you now need to log into your backend servers and modify the **/etc/tor/torrc** file. Insert this line below your public hidden service configuration: + + + HiddenServiceOnionbalanceInstance 1 + + +After editing, it should look something like this: + + + [...] + HiddenServiceDir /var/lib/tor/veggie_service/ + HiddenServicePort 80 127.0.0.1:4440 + HiddenServiceOnionbalanceInstance 1 + + HiddenServiceDir /var/lib/tor/internal_service/ + HiddenServicePort 33061 127.0.0.1:3306 + HiddenServicePort 22 127.0.0.1:22 + [...] + + +Now, create a new file under **/var/lib/tor/veggie_service/ob_config** , substituting the URL with one you set for the frontend: + + + MasterOnionAddress vgshophitykmo5he6botlhvuosdd2rbpmcorhk5dnt2twetdwlwofyyd.onion + + +Finally, restart the **tor** service on each backend: + + + oxeo@serverN:~$ sudo systemctl restart tor + + +## **Final Adjustments** + +Both services will soon be accessible under the **vgshop[...].onion**. To differentiate between them, you can change the header to indicate which backend is being accessed. + +On the first backend server: + + + oxeo@server1:~$ sudo sed -i 's/Vegetable Shop/Vegetable Shop 1/' /srv/shop/index.php + + +On the second backend server: + + + oxeo@server2:~$ sudo sed -i 's/Vegetable Shop/Vegetable Shop 2/' /srv/shop/index.php + + +Finally, on each frontend, restart the **tor** and **onionbalance** services: + + + oxeo@frontN:~$ sudo systemctl restart tor onionbalance + + +## **Showcase and Verification** + +To verify our setup, go to **vgshop[...].onion**. You should be presented with one of your backend instances. In our case, it's **srvone[...].onion**. + +Now, purchase any product and take note of the balance after the operation. + +![](2.png) ![](3.png) + + + +Wait a few seconds for the state to be replicated, then stop **tor** and **onionbalance** on the backend where you made the purchase. This simulates our backend going offline. + + + oxeo@server1:~$ sudo systemctl stop tor onionbalance + + +Then refresh the page. + +![](4.png) + + + +If the website is still up and points to the other backend, this means Onionbalance works as intended. If the account balance was updated, then the database was replicated successfully as well. + +You can now make a purchase on the other "working" server and take note of that balance too. + +![](5.png) + + + +Start services on the "offline" server to bring it online again. + + + oxeo@server1:~$ sudo systemctl start tor onionbalance + + +Wait a few minutes for the servers to synchronize, then make the other server unavailable. Refresh the website once again. + + + oxeo@server2:~$ sudo systemctl stop tor onionbalance + + +![](6.png) + + + +If the balance appears correct on the first server, then everything works as expected! + +## **Closing Remarks** + +**Congratulations!** \- You now have a fully working, highly available service on the **"Dark Web"**. + +It's important to note onionbalance doesn't support [Proof of Work mechanism](https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/) Tor uses to combat DDoS attacks. However the work is ongoing and you can track progress in [this issue](https://gitlab.torproject.org/tpo/onion-services/onionbalance/-/issues/13). + +If you want to learn more, explore advanced setups, or troubleshoot any issues, read the [Onionbalance wiki](https://onionservices.torproject.org/apps/base/onionbalance/tutorial/index.md) from [The Onion Services Ecosystem](https://onionservices.torproject.org). + diff --git a/onionshare/0.png b/onionshare/0.png new file mode 100644 index 0000000..3452d97 Binary files /dev/null and b/onionshare/0.png differ diff --git a/onionshare/1.png b/onionshare/1.png new file mode 100644 index 0000000..e2fd9db Binary files /dev/null and b/onionshare/1.png differ diff --git a/onionshare/2.png b/onionshare/2.png new file mode 100644 index 0000000..c09f9a1 Binary files /dev/null and b/onionshare/2.png differ diff --git a/onionshare/3.png b/onionshare/3.png new file mode 100644 index 0000000..2ae37c9 Binary files /dev/null and b/onionshare/3.png differ diff --git a/onionshare/4.png b/onionshare/4.png new file mode 100644 index 0000000..e375e2a Binary files /dev/null and b/onionshare/4.png differ diff --git a/onionshare/5.png b/onionshare/5.png new file mode 100644 index 0000000..d92e1ec Binary files /dev/null and b/onionshare/5.png differ diff --git a/onionshare/6.png b/onionshare/6.png new file mode 100644 index 0000000..168c111 Binary files /dev/null and b/onionshare/6.png differ diff --git a/onionshare/7.png b/onionshare/7.png new file mode 100644 index 0000000..1c7f79a Binary files /dev/null and b/onionshare/7.png differ diff --git a/onionshare/8.png b/onionshare/8.png new file mode 100644 index 0000000..f090a29 Binary files /dev/null and b/onionshare/8.png differ diff --git a/onionshare/index.md b/onionshare/index.md new file mode 100644 index 0000000..2ab1636 --- /dev/null +++ b/onionshare/index.md @@ -0,0 +1,46 @@ +--- +author: nileglorifier +date: 2024-09-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/15" +xmr: 84TTjteLVhkYuHosBoc1MjWaB1AmnFSWPgeM7Lts4NdigCmE9ndHTjsXEaxJFTb7JGj55GNERXfnJSFY3J3WE5Ha18BSeS1 +--- +# How to share files anonymously using OnionShare + +OnionShare is a free and open-source cross-platform tool that utilises the TOR network to anonymously share files (send and receive), host an onion website and create a simple chat room. Installation and setup is extremely simple and users only need the TOR browser for access, making OnionShare a quick and easy way to utilise the TOR network for various stasks. Additionally, OnionShare can also be a great way of bypassing network restrictions in cases where other file-sharing methods are not permitted and includes it's own full-featured TOR client with support for TOR bridges for situations where censorship circumvention is required.. + +![](0.png) + + + +OnionShare can easily be installed on various Linux distributions (by following the offical instructions at ). For Debian-based distro's (including [Whonix](https://www.whonix.org/)), simply run the following apt command in a terminal: + + + sudo apt install onionshare + + +![](1.png) + +For installation on an Android device (running Graphene OS), it's recommended to download via F-Droid () or the direct APK download link provided on the F-Droid page, e.g. + +![](2.png) + +In this tutorial we'll be sharing a file from our Graphene OS Android device and downloading the file on our [Whonix](https://www.whonix.org/) machine (that includes TOR browser as its default web-browser). If you're using a different machine, be sure to download the official TOR browser from + +![](3.png) + +To begin, we'll open OnionShare on our Graphene OS device then click on the "+" icon in the bottom right-corner to select the file (or multiple files) we want to share. We then click the "Start Sharing" button at the bottom of the screen to generate the one-time-use Onion URL where our file will be shared + +![](4.png) ![](5.png) + +Back in our Whonix VM, we navigate to the Onion URL to view the file available for download + +![](6.png) + +As shown below, we can see the name and size of the file being shared from our Graphene OS device along with a "Download Files" button in the top right-corner, which we click to initiate the download. Note: Onionshare zips up all available files into one archive named "download.zip" for ease of bulk downloading. + +![](7.png) + +After the download completes, we extract the downloaded "download.zip" file to gain access to our original "secretstuff.zip" file containing the files we need from our Graphene OS device, concluding this tutorial. + +![](8.png) + diff --git a/openhardware/0.png b/openhardware/0.png new file mode 100644 index 0000000..df3d361 Binary files /dev/null and b/openhardware/0.png differ diff --git a/openhardware/1.png b/openhardware/1.png new file mode 100644 index 0000000..b1d60ee Binary files /dev/null and b/openhardware/1.png differ diff --git a/openhardware/2.png b/openhardware/2.png new file mode 100644 index 0000000..a27922d Binary files /dev/null and b/openhardware/2.png differ diff --git a/openhardware/3.png b/openhardware/3.png new file mode 100644 index 0000000..f2b3021 Binary files /dev/null and b/openhardware/3.png differ diff --git a/openhardware/4.png b/openhardware/4.png new file mode 100644 index 0000000..07373a3 Binary files /dev/null and b/openhardware/4.png differ diff --git a/openhardware/5.jpeg b/openhardware/5.jpeg new file mode 100644 index 0000000..7888daa Binary files /dev/null and b/openhardware/5.jpeg differ diff --git a/openhardware/6.png b/openhardware/6.png new file mode 100644 index 0000000..09f0ce4 Binary files /dev/null and b/openhardware/6.png differ diff --git a/openhardware/7.png b/openhardware/7.png new file mode 100644 index 0000000..79b84f6 Binary files /dev/null and b/openhardware/7.png differ diff --git a/openhardware/8.png b/openhardware/8.png new file mode 100644 index 0000000..11644c2 Binary files /dev/null and b/openhardware/8.png differ diff --git a/openhardware/index.md b/openhardware/index.md new file mode 100644 index 0000000..d7babf0 --- /dev/null +++ b/openhardware/index.md @@ -0,0 +1,81 @@ +--- +author: nihilist +date: 2024-07-10 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/75" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# The lack of Open Source Hardware (CPUs, Motherboards, GPUs) + +![](0.png) + + + +## **Why Open Source Hardware is vital** + +When we're talking [Privacy](../privacy/index.md), we have one key requirement: It must be open source. **If you don't know/ can't know the inner details of your system, then you can't tell if the manufacturer has the ability to spy on you through the product**. It is a matter of Transparency, to be able to verify if you are not being spied on, you must be able to inspect the ins and outs of your system in it's entirety. Only after having verified the entire system can you proclaim that you have privacy (from the manufacturer in this case) while using the system. + +![](1.png) + +When we're talking Computers, we have these 5 basic layers: + + 1. _Layer 4: OS and Applications_ (ex: [matrix chat](https://github.com/element-hq/synapse), firefox, etc) + + 2. _Layer 3: Kernel_ (ex: [the Linux Kernel](https://github.com/torvalds/linux) (written in C)) + + 3. _Layer 2: Assembler_ (ex: [Direct CPU instructions](../../HTB/asm/7.html) derived from the C compilation) + + 4. **_Layer 1: Firmware_** (ex: low-level software to provide control over CPU, motherboard, GPU, etc) + + 5. **_Layer 0: Hardware_** (ex: your motherboard, CPU, GPU, Ethernet port etc) + + + + +The problem is, **if you have closed-source hardware (such as an Intel or AMD CPU, or a nvidia graphics card, or a msi motherboard)** , you can at most have open-source software and protocols all the way down to layer 2, **but not further below.** That's because you have hardware manufacturers creating products, but they are keeping the method as to how they create them a proprietary secret. Because you can't audit it yourself, you can't tell if there is any spyware baked into it or not. + +![](8.png) + +Take for example AMD's [PSP](https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor) or Intel's [Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine), which are both alleged backdoors implemented directly in consumers' CPUs. In the case of Intel's processor chipsets, **all CPUs since 2008 are to be considered backdoored by Intel ME, and there's nothing you can do about it, without knowing intel's secret way to disable it.**[[1]](https://www.intel.com/content/www/us/en/developer/articles/guide/getting-started-with-active-management-technology.html)[[2]](https://www.intel.com/content/www/us/en/support/articles/000005974/software/chipset-software.html)[[3]](https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it) It is located in the Platform Controller Hub of modern Intel motherboards. + +check out [this video](https://iv.nowhere.moe/watch?v=0o8Co1ekemU&listen=false) for a deep dive into Intel's Management Engine from 36c3 chaoswest 2019. + +Regarding non-free firmware, even Debian has been forced to accept this reality in 2022 in their [general resolution vote](https://www.debian.org/vote/2022/vote_003). In short, they now ship non-free firmware by default because 99.999999% of the people out there are running closed-source hardware CPUs, or GPUs, etc. + +_TLDR:_ if you use closed-source hardware, you won't be able to get open source firmware for the CPU, GPU or motherboard. **You cannot ever be 100% sure that your hardware itself contains a spying mechanism, because you can't check it yourself, be it in your motherboard, CPU, GPU, or network interfaces.** + +## **The Closed-Source Hardware Monopoly upon the market** + +Hardware production is a much more costly endeavor than software production, given the energy and techniques required to create the electronic components to produce computers. Profit companies don't want to share their production secrets just like software companies to avoid competition and soak up all the profits they can get. + +Let's look currently at what's the status of hardware on the market, are there that many open source options ? + +![](2.png) + +![](3.png) + +![](4.png) + +![](5.jpeg) + +In short, no, **the market is currently utterly dominated and saturated by these profit companies, which are all selling closed-source hardware.** Open source hardware as a concept is not even a thing for them, it's all proprietary hardware, and firmware, this applies to Graphics Cards, CPUs, Motherboards, and Computers in general. + +## **The current status of Open Source Hardware on the market** + +You can count companies that sell open source hardware on your fingers currently, they are of a very rare breed. We have the example of MNT Reform + +![](6.png) + +Here we have the example of MNT reform, selling a laptop that you can entirely repair (by buying the hardware parts) yourself. from the batteries, to the Keyboard, to the monitor, hell, even the motherboard, **but still even here the CPU and it's firmware are not open source** [[1]](https://source.mnt.re/reform/mnt-reform-raspberry-pi-cm4-som/-/blob/main/stdp2600-firmware/STDP2600_HDMI2DP_STD_RC3_3.hex?ref_type=heads). For the rest, they try to maintain the open hardware requirement. They ship the laptop with all the electrical schematics for you to look through them and see if it holds true that they aren't spying on you. + +Check out [this video](https://iv.nowhere.moe/watch?v=_DA0Jr4WH-4) for a full unbox review of the mnt reform laptop. + +Performance wise, can this compare to consumer grade laptops ? Sadly, not yet. Not even close. In the future if this project picks up steam big time, you might see competitors to Intel and AMD's monopoly. + +Another top candidate coming up slowly is the Open [RISC-V CPU architecture](https://riscv.org/), aimed at dethroning the 2 CPU giants. But the project is still trying to pick up speed and adoption currently. + +![](7.png) + +While i am very hopeful that with enough education spreading out the need for open hardware in the industry, for individuals' right to privacy, the market will change for the better. But the fact remains that the main manufacturers are under false democracies, where individual liberties are trampled on every day. The only thing they care about is profit, not your individual freedoms. + +Therefore i'll conclude with the following: **Even for Privacy purposes, We use the tools that we have at our disposal currently, even if it means using open-source software on closed-source hardware** , until the market finally embraces fully open-source software, and fully open-source hardware. + diff --git a/openwebuilocalllms/0.png b/openwebuilocalllms/0.png new file mode 100644 index 0000000..ea3bb6d Binary files /dev/null and b/openwebuilocalllms/0.png differ diff --git a/openwebuilocalllms/1.png b/openwebuilocalllms/1.png new file mode 100644 index 0000000..7c60d39 Binary files /dev/null and b/openwebuilocalllms/1.png differ diff --git a/openwebuilocalllms/10.png b/openwebuilocalllms/10.png new file mode 100644 index 0000000..aacb0ae Binary files /dev/null and b/openwebuilocalllms/10.png differ diff --git a/openwebuilocalllms/11.png b/openwebuilocalllms/11.png new file mode 100644 index 0000000..d1137b8 Binary files /dev/null and b/openwebuilocalllms/11.png differ diff --git a/openwebuilocalllms/12.png b/openwebuilocalllms/12.png new file mode 100644 index 0000000..0c14beb Binary files /dev/null and b/openwebuilocalllms/12.png differ diff --git a/openwebuilocalllms/13.png b/openwebuilocalllms/13.png new file mode 100644 index 0000000..8f0fb37 Binary files /dev/null and b/openwebuilocalllms/13.png differ diff --git a/openwebuilocalllms/14.png b/openwebuilocalllms/14.png new file mode 100644 index 0000000..0e2d0c3 Binary files /dev/null and b/openwebuilocalllms/14.png differ diff --git a/openwebuilocalllms/15.png b/openwebuilocalllms/15.png new file mode 100644 index 0000000..f75e778 Binary files /dev/null and b/openwebuilocalllms/15.png differ diff --git a/openwebuilocalllms/16.png b/openwebuilocalllms/16.png new file mode 100644 index 0000000..133a86d Binary files /dev/null and b/openwebuilocalllms/16.png differ diff --git a/openwebuilocalllms/17.png b/openwebuilocalllms/17.png new file mode 100644 index 0000000..725ef2e Binary files /dev/null and b/openwebuilocalllms/17.png differ diff --git a/openwebuilocalllms/18.png b/openwebuilocalllms/18.png new file mode 100644 index 0000000..30a2dc8 Binary files /dev/null and b/openwebuilocalllms/18.png differ diff --git a/openwebuilocalllms/19.png b/openwebuilocalllms/19.png new file mode 100644 index 0000000..f4137f3 Binary files /dev/null and b/openwebuilocalllms/19.png differ diff --git a/openwebuilocalllms/2.png b/openwebuilocalllms/2.png new file mode 100644 index 0000000..44aeafd Binary files /dev/null and b/openwebuilocalllms/2.png differ diff --git a/openwebuilocalllms/20.png b/openwebuilocalllms/20.png new file mode 100644 index 0000000..8a3c8b9 Binary files /dev/null and b/openwebuilocalllms/20.png differ diff --git a/openwebuilocalllms/21.png b/openwebuilocalllms/21.png new file mode 100644 index 0000000..5de041a Binary files /dev/null and b/openwebuilocalllms/21.png differ diff --git a/openwebuilocalllms/22.png b/openwebuilocalllms/22.png new file mode 100644 index 0000000..86abfca Binary files /dev/null and b/openwebuilocalllms/22.png differ diff --git a/openwebuilocalllms/23.png b/openwebuilocalllms/23.png new file mode 100644 index 0000000..7734a35 Binary files /dev/null and b/openwebuilocalllms/23.png differ diff --git a/openwebuilocalllms/24.png b/openwebuilocalllms/24.png new file mode 100644 index 0000000..02c136a Binary files /dev/null and b/openwebuilocalllms/24.png differ diff --git a/openwebuilocalllms/25.png b/openwebuilocalllms/25.png new file mode 100644 index 0000000..c571bef Binary files /dev/null and b/openwebuilocalllms/25.png differ diff --git a/openwebuilocalllms/26.png b/openwebuilocalllms/26.png new file mode 100644 index 0000000..55f9899 Binary files /dev/null and b/openwebuilocalllms/26.png differ diff --git a/openwebuilocalllms/27.png b/openwebuilocalllms/27.png new file mode 100644 index 0000000..90500ca Binary files /dev/null and b/openwebuilocalllms/27.png differ diff --git a/openwebuilocalllms/28.png b/openwebuilocalllms/28.png new file mode 100644 index 0000000..725e4ac Binary files /dev/null and b/openwebuilocalllms/28.png differ diff --git a/openwebuilocalllms/29.png b/openwebuilocalllms/29.png new file mode 100644 index 0000000..e641b42 Binary files /dev/null and b/openwebuilocalllms/29.png differ diff --git a/openwebuilocalllms/3.png b/openwebuilocalllms/3.png new file mode 100644 index 0000000..860ecd2 Binary files /dev/null and b/openwebuilocalllms/3.png differ diff --git a/openwebuilocalllms/30.png b/openwebuilocalllms/30.png new file mode 100644 index 0000000..875e7ac Binary files /dev/null and b/openwebuilocalllms/30.png differ diff --git a/openwebuilocalllms/31.png b/openwebuilocalllms/31.png new file mode 100644 index 0000000..9896696 Binary files /dev/null and b/openwebuilocalllms/31.png differ diff --git a/openwebuilocalllms/32.png b/openwebuilocalllms/32.png new file mode 100644 index 0000000..d9b4d79 Binary files /dev/null and b/openwebuilocalllms/32.png differ diff --git a/openwebuilocalllms/33.png b/openwebuilocalllms/33.png new file mode 100644 index 0000000..b28539e Binary files /dev/null and b/openwebuilocalllms/33.png differ diff --git a/openwebuilocalllms/4.png b/openwebuilocalllms/4.png new file mode 100644 index 0000000..dd96d05 Binary files /dev/null and b/openwebuilocalllms/4.png differ diff --git a/openwebuilocalllms/40.png b/openwebuilocalllms/40.png new file mode 100644 index 0000000..c075650 Binary files /dev/null and b/openwebuilocalllms/40.png differ diff --git a/openwebuilocalllms/41.png b/openwebuilocalllms/41.png new file mode 100644 index 0000000..cd65674 Binary files /dev/null and b/openwebuilocalllms/41.png differ diff --git a/openwebuilocalllms/42.png b/openwebuilocalllms/42.png new file mode 100644 index 0000000..ab71585 Binary files /dev/null and b/openwebuilocalllms/42.png differ diff --git a/openwebuilocalllms/43.png b/openwebuilocalllms/43.png new file mode 100644 index 0000000..93f626e Binary files /dev/null and b/openwebuilocalllms/43.png differ diff --git a/openwebuilocalllms/44.png b/openwebuilocalllms/44.png new file mode 100644 index 0000000..9d5f74b Binary files /dev/null and b/openwebuilocalllms/44.png differ diff --git a/openwebuilocalllms/45.png b/openwebuilocalllms/45.png new file mode 100644 index 0000000..026dcd4 Binary files /dev/null and b/openwebuilocalllms/45.png differ diff --git a/openwebuilocalllms/46.png b/openwebuilocalllms/46.png new file mode 100644 index 0000000..91b71b9 Binary files /dev/null and b/openwebuilocalllms/46.png differ diff --git a/openwebuilocalllms/47.png b/openwebuilocalllms/47.png new file mode 100644 index 0000000..7fc1ab7 Binary files /dev/null and b/openwebuilocalllms/47.png differ diff --git a/openwebuilocalllms/48.png b/openwebuilocalllms/48.png new file mode 100644 index 0000000..27e945c Binary files /dev/null and b/openwebuilocalllms/48.png differ diff --git a/openwebuilocalllms/49.png b/openwebuilocalllms/49.png new file mode 100644 index 0000000..7828da5 Binary files /dev/null and b/openwebuilocalllms/49.png differ diff --git a/openwebuilocalllms/5.png b/openwebuilocalllms/5.png new file mode 100644 index 0000000..408fed5 Binary files /dev/null and b/openwebuilocalllms/5.png differ diff --git a/openwebuilocalllms/6.png b/openwebuilocalllms/6.png new file mode 100644 index 0000000..922134b Binary files /dev/null and b/openwebuilocalllms/6.png differ diff --git a/openwebuilocalllms/7.png b/openwebuilocalllms/7.png new file mode 100644 index 0000000..297e096 Binary files /dev/null and b/openwebuilocalllms/7.png differ diff --git a/openwebuilocalllms/8.png b/openwebuilocalllms/8.png new file mode 100644 index 0000000..19c9a6a Binary files /dev/null and b/openwebuilocalllms/8.png differ diff --git a/openwebuilocalllms/9.png b/openwebuilocalllms/9.png new file mode 100644 index 0000000..8f088e6 Binary files /dev/null and b/openwebuilocalllms/9.png differ diff --git a/openwebuilocalllms/index.md b/openwebuilocalllms/index.md new file mode 100644 index 0000000..b6153ef --- /dev/null +++ b/openwebuilocalllms/index.md @@ -0,0 +1,1236 @@ +--- +author: oxeo0 +date: 2025-04-20 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/226" +xmr: 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ +--- +# Anonymity - Self-Hosted LLM Hidden Service + +![](0.png) ![](1.png) + + + +## **Current state of LLMs** + +If you've been on the internet recently, there's a high chance you heard about Large Language Models. Most notable companies in this field include OpenAI, Google, Antropic and xAI. To access their models you typically need to communicate with the service via an API. Such use while convenient, means user has little to no knowledge about how the data sent there is stored and used. + +Additionally, when users submit data through these services, it might be embedded into future models. Companies often train new models on a variety of user-submitted data, which can include any text inputs you've provided. This raises serious privacy concerns, as personal information could inadvertently become part of the training set for subsequent AI models. AI giants will often say they're trying to respect your privacy with data "anonymization" and other techniques, but we all know how this works in practice. See: [Anthropic's Privacy Policy](https://privacy.anthropic.com/en/articles/10023555-how-do-you-use-personal-data-in-model-training) and [OpenAI explaining](https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance) how they "improve model performance" with users data. + +The vast amount of sensitive user data stored can have devastating consequences if a leak occurs. In AI space it's not uncommon to leak data either via compromised servers or models themselves. In the past year alone companies suffering such leaks include: [OpenAI](https://www.spiceworks.com/tech/artificial-intelligence/news/chatgpt-leaks-sensitive-user-data-openai-suspects-hack/), [Anthropic](https://venturebeat.com/ai/anthropic-confirms-it-suffered-a-data-leak/) and [DeepSeek](https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak). + +**Assume all conversations with online chatbots can be public at any time.** + +![](5.png) + +## **Privacy LLM frontends** + +A partial solution to those problems could be a service that aggregates multiple model APIs and anonymizes their users. A bit like [searxng](https://github.com/searxng/searxng) does for search engines. +AI companies can't know who exactly uses their models since the amount of metadata is heavily limited. + +There're several such services including [ppq.ai](https://ppq.ai), [NanoGPT](https://nano-gpt.com) or [DuckDuckGo chat](https://duck.ai). This is only a partial solution since your conversation contents can still be saved and used for later training by large AI companies. + +![](4.png) + +## **Open LLMs Primer** + +Another option available is to self-host LLM on your own infrastructure. This will effectively prevent sending your data from being sent to third parties. + +![](3.png) + + +It can work fully offline on device but you'll need to have the required resources. You also have to understand certain more advanced concepts related to LLMs. + +**Parameter Count** +Each open model has specified number of parameters. This can range from 0.5 billion (qwen 2.5) to even 671 billion (deepseek r1). The more parameters model has, the more knowledge can be packed into it. This comes at a cost of more physical RAM/VRAM memory being used. Newer generation models are fairly capable even at 8 billion parameters but it's not uncommon to use 12, 14 or 32 B ones. + +**Quantization (improving memory usage)** +Usually the **model + context** needs to fit into RAM/VRAM memory. Each model parameter can be represented with certain precision. For example, **FP16** uses 16 bits (2 bytes) of memory to store a single parameter, while **Q4_0** uses only 4 bits. This means that FP16 model will use ~4x of the memory compared to Q4_0. Of course using Q4_0 will introduce some rounding error in quantization step, but it's usually not a big deal. Look at the graph below to see how different quantization parameters affect [model accuracy and memory usage of llama 3.1 8B](https://huggingface.co/ThomasBaruzier/Meta-Llama-3.1-8B-Instruct-GGUF): + +![](2.png) + + +I highlighted the **Q4_K_S** and **Q4_K_M** quantization methods since they're usually offer the best balance between model size and accuracy. They usually use a bit more than 4 bits per parameter, but have better precision than plain **Q4_0**. If you're pulling model from ollama without specifying the precision, there's a high chance that you'll get **Q4_K_M** variant since it has been the default for some time. + +The rough formula for calculating memory usage of an Q4_K_M quantized LLM would be: **[n billion parameters] * (4.5 / 8) + [context window size]**. +For 8B model, we would require around 6 GB VRAM/RAM to comfortably run it as Q4_K_M. + +**Context size** +Context size is the number of tokens that LLM remembers from previous messages to generate a response. It's usually measured in tokens. +In ollama it's usually set to 2048 tokens, which is around 1200 words or 6 kilobytes of text. With larger sizes, more memory is required to store the context. Also, the models have a context size limit (ex. 16k tokens for Phi4, 128k for Gemma 3). If the context size is too small, the LLM may forget what it was doing before. Take a look at this simplified example: +![](7.png) + +In order to generate a correct response, the entire prompt should fit into the context window: +![](8.png) + +We'll show how to check prompt length and set appropriate context size in Open WebUI a bit later on. + +**Open LLMs - Past and Present** +Ever since [LLaMA 1 was leaked](https://www.theverge.com/2023/3/8/23629362/meta-ai-language-model-llama-leak-online-misuse) on 4chan in February 2023, we started seeing more and more companies caring about so called "open" LLMs. Those can be downloaded and run on users computer without any restrictions. +In early 2025 we also heard A LOT about deepseek-r1. An open reasoning LLM that tried to compete with OpenAI's ChatGPT. While it wasn't Deepseeks first model (their earlier work includes deepseek-coder, deepseek-v2.5 MoE and deepseek-v3), the hype was global. It brought a lot of attention to open LLM ecosystem and made proprietary AI companies loose billions. +Personally, I was interested in Open LLMs since their inception - when ollama project based on llama.cpp was born. Here're some of my picks for best self-hostable models currently available on ollama: | Gemma 3 | Phi4 | Granite 3.2* | Qwen 2.5 | llama 3.1 +---|---|---|---|---|--- +Trained by | Google | Microsoft | IBM | Alibaba | Meta +Released on | 03-2025 | 12-2024 | 02-2025 | 09-2024 | 07-2024 +Parameter count | 12B | 14B | 8B | 14B | 8B +Size (Q4_K_M) | 8.1 GB | 9.1 GB | 4.9 GB | 9.0 GB | 4.9 GB +Other variants | 1B, 4B, 27B | Phi4-mini 4B | Vision 2B, 2B | 0.5B, 1.5B, 3B, 7B, 32B, 72B, Qwen-coder | 70B, 405B +Good at | Reasoning, explaining concepts, light programming, vision, translation | Instruction following, programming, complex tasks, translation | General tasks, light programming, translation | Translation, general tasks | General tasks +Bad at | - | - | Complex tasks | Instruction following | Complex tasks, instruction following + +* - while I was writing this tutorial, Granite 3.3 was released + +## **Use-Cases** + +Contrary to what companies in the field often say - AI isn't a silver bullet. It won't solve all most problems we face as privacy conscious people. +However when it comes to self-hosted models, there are some good use-cases even for privacy and anonymity. We already discussed how [stylometry protection](../stylometry/index.md) can be achieved with an LLM running locally. + +**Translation** \- LLMs provide high-quality, real-time translations, allowing for communication across languages without external data leaks. +**Rewriting** \- They assist in paraphrasing content to protect against stylometry or improving the flow. +**Solving Problems** \- LLMs can be used as personal assistants to answer every day questions and help with personal issues. +**Programming Aid** \- Developers use them for code suggestions and debugging without exposing their sensitive codebases. + +It's crucial to stress that AI can hallucinate (make stuff up) thus it's never to be fully trusted with anything important. **You should always check the information in reputable sources in case of any doubts**. + +## **Prerequisites** + +To follow this tutorial, you'll need an AMD64 system running Debian 12. Although ollama can work on CPU only, the performance will be much worse than having model that fits in GPU's VRAM. +To comfortably use an 8B model, it's strongly advised to have a dedicated GPU with at least 6GB of VRAM. You can check the supported GPU models [here](https://github.com/ollama/ollama/blob/main/docs/gpu.md). + +This tutorial showcases ollama setup with Nvidia drivers, but AMD GPUs are also supported. + +Here is how your setup may look like in the end of this tutorial: + +![](9.png) + + +In case you decide to go with Proxmox VE hypervisor, you just need to PCI passthrough appropriate GPU inside the **Hardware > Add > PCI device** : + +![](6.png) + + +If you want to expose Open WebUI via Tor to access it remotely, you should have an [onion v3 vanity address and Tor installed](../torwebsite/index.md). + +## **Docker Setup** + +Install Docker from Debian repositories using apt. After installation, add your user to the docker group: + + + oxeo@andromeda:~$ sudo apt install docker.io docker-compose + oxeo@andromeda:~$ sudo /sbin/usermod -aG docker oxeo + oxeo@andromeda:~$ sudo systemctl enable docker + + +This ensures you can manage Docker without needing sudo privileges. Finally, reboot your system. + + + oxeo@andromeda:~$ sudo systemctl reboot + + +## **Nvidia Driver and Container Toolkit** + +Update your package list to include "contrib non-free" at the end of every line in **/etc/apt/sources.list** : + + + deb http://deb.debian.org/debian/ bookworm main non-free-firmware non-free contrib + deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware non-free contrib + + deb http://security.debian.org/debian-security bookworm-security main non-free-firmware non-free contrib + deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware non-free contrib + + deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware non-free contrib + deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware non-free contrib + +Now install Nvidia driver and some utilities: + + + oxeo@andromeda:~$ sudo apt update + oxeo@andromeda:~$ sudo apt install gnupg2 curl linux-headers-amd64 nvidia-driver firmware-misc-nonfree + + +Then install Nvidia Container Toolkit as described [here](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html): + + + oxeo@andromeda:~$ curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \ + && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \ + sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \ + sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list + oxeo@andromeda:~$ sudo apt update + oxeo@andromeda:~$ sudo apt install nvidia-container-toolkit + + +Finally, reboot the system: + + + oxeo@andromeda:~$ sudo systemctl reboot + + +To verify driver installation, execute: + + + oxeo@andromeda:~$ nvidia-smi + Fri Apr 18 16:43:30 2025 + +---------------------------------------------------------------------------------------+ + | NVIDIA-SMI 535.216.01 Driver Version: 535.216.01 CUDA Version: 12.2 | + |-----------------------------------------+----------------------+----------------------+ + | GPU Name Persistence-M | Bus-Id Disp.A | Volatile Uncorr. ECC | + | Fan Temp Perf Pwr:Usage/Cap | Memory-Usage | GPU-Util Compute M. | + | | | MIG M. | + |=========================================+======================+======================| + | 0 NVIDIA GeForce RTX 3060 On | 00000000:00:10.0 Off | N/A | + | 0% 36C P0 37W / 170W | 1MiB / 12288MiB | 0% Default | + | | | N/A | + +-----------------------------------------+----------------------+----------------------+ + + +---------------------------------------------------------------------------------------+ + | Processes: | + | GPU GI CI PID Type Process name GPU Memory | + | ID ID Usage | + |=======================================================================================| + | No running processes found | + +---------------------------------------------------------------------------------------+ + + +And to activate Nvidia support in Docker: + + + oxeo@andromeda:~$ sudo nvidia-ctk runtime configure --runtime=docker + INFO[0000] Config file does not exist; using empty config + INFO[0000] Wrote updated config to /etc/docker/daemon.json + INFO[0000] It is recommended that docker daemon be restarted. + oxeo@andromeda:~$ sudo systemctl restart docker + oxeo@andromeda:~$ docker run --rm --runtime=nvidia --gpus all ubuntu nvidia-smi + Unable to find image 'ubuntu:latest' locally + latest: Pulling from library/ubuntu + 2726e237d1a3: Pull complete + Digest: sha256:1e622c5f073b4f6bfad6632f2616c7f59ef256e96fe78bf6a595d1dc4376ac02 + Status: Downloaded newer image for ubuntu:latest + Fri Apr 18 20:46:43 2025 + +---------------------------------------------------------------------------------------+ + | NVIDIA-SMI 535.216.01 Driver Version: 535.216.01 CUDA Version: 12.2 | + |-----------------------------------------+----------------------+----------------------+ + | GPU Name Persistence-M | Bus-Id Disp.A | Volatile Uncorr. ECC | + | Fan Temp Perf Pwr:Usage/Cap | Memory-Usage | GPU-Util Compute M. | + | | | MIG M. | + |=========================================+======================+======================| + | 0 NVIDIA GeForce RTX 3060 On | 00000000:00:10.0 Off | N/A | + | 0% 37C P8 11W / 170W | 1MiB / 12288MiB | 0% Default | + | | | N/A | + +-----------------------------------------+----------------------+----------------------+ + + +---------------------------------------------------------------------------------------+ + | Processes: | + | GPU GI CI PID Type Process name GPU Memory | + | ID ID Usage | + |=======================================================================================| + | No running processes found | + +---------------------------------------------------------------------------------------+ + + +_Sidenote:_ If you are getting an [error](https://github.com/NVIDIA/libnvidia-container/issues/176) at this step (as Nihilist experienced on a [Kicksecure Host OS](../linux/index.md)), you may need change the bpf_jit_harden value in sysctl to get it to work: + + + [user ~]% sudo sysctl -w net.core.bpf_jit_harden=1 + [user ~]% sudo vim /etc/sysctl.d/91-nvidia-docker.conf + [user ~]% cat /etc/sysctl.d/91-nvidia-docker.conf + net.core.bpf_jit_harden=1 + + [user ~]% docker run --rm --runtime=nvidia --gpus all ubuntu nvidia-smi + + + +## **Open WebUI Docker Stack** + +Create a docker-compose.yml file in **~/openwebui-stack** with the following contents. This setup uses ollama for LLM management and open-webui as the user interface. + + + services: + ollama: + image: ollama/ollama + container_name: ollama + volumes: + - ollama:/root/.ollama + pull_policy: always + ports: + - 127.0.0.1:11434:11434 + tty: true + restart: unless-stopped + deploy: + resources: + reservations: + devices: + - driver: nvidia + count: 1 + capabilities: + - gpu + + open-webui: + image: ghcr.io/open-webui/open-webui:main + container_name: open-webui + volumes: + - open-webui:/app/backend/data + depends_on: + - ollama + ports: + - 127.0.0.1:3000:8080 # Remove "127.0.0.1:" to access from LAN + environment: + - 'OLLAMA_BASE_URL=http://ollama:11434' + - 'WEBUI_SECRET_KEY=' + extra_hosts: + - host.docker.internal:host-gateway + restart: unless-stopped + + # make sure you don't have watchtower already running as a container + # then it's not required to put it here + watchtower: + image: containrrr/watchtower + restart: unless-stopped + volumes: + - /var/run/docker.sock:/var/run/docker.sock + command: --interval 14400 --cleanup + + volumes: + ollama: {} + open-webui: {} + + +To start the stack: + + + oxeo@andromeda:~$ cd ~/openwebui-stack + oxeo@andromeda:~/openwebui-stack$ docker-compose up -d + + +## **Exposing Hidden Service** + +To expose open-webui via Tor, edit your **/etc/tor/torrc** file: + + + HiddenServiceDir /var/lib/tor/openwebui_service/ + HiddenServicePort 80 127.0.0.1:3000 + + +Restart Tor and check the generated hostname: + + + oxeo@andromeda:~$ sudo systemctl restart tor + oxeo@andromeda:~$ sudo cat /var/lib/tor/openwebui_service/hostname + webui3r7zacusoxddubpqriedoljyaiow6plausfwd6hjpjajuydh4id.onion + + +In case of any doubts, we already showcased how to expose hidden service with your custom vanity url [here](../torwebsite/index.md). + +## **Initial Open WebUI Configuration** + +Go to the local IP or onion address of the Open WebUI and create admin account once you're asked to. You don't need to put any real data but save it somewhere so that you can login later. + +![](10.png) ![](11.png) + + +After that, you should be greeted with Open WebUI main interface and changelog popup. You can close it. + +![](12.png) + + +Then, we'll go into the settings page and change theme to dark mode. + +![](13.png) ![](14.png) + + +Go to the **Admin settings** and proceed with next steps. + +![](15.png) + +## **Downloading a Model** + +To see available models, head to [ollama library](https://ollama.com/library). Sadly they block Tor traffic so if you have to use Tor, use their [chinese mirror](https://ollama.org.cn/library). +Next, pick a model you want to download. In our case, we want **Gemma 3**. Then click on **Tags** to see all available variants. + +![](30.png) ![](31.png) + + +Now, you'll see different sizes and quantization variants the model is available in. We want to download **12B** variant in **Q4_K_M** quantization. Comparing the hashes, we see the default **gemma3:12b** is the same as **gemma3:12b-it-q4_K_M**. Additionally, you can see that if we put just **gemma3** , we would get the **4B** variant. + +![](32.png) + + +Then, copy the model name we got after clicking on desired variant. If you want to download it via ollama CLI, we also get the full command. In our case Open WebUI needs to know just the **model_name:size**. + +![](33.png) + + +Now, go back to Open WebUI's **Admin Settings** we opened in the previous section and click on **Models** tab, then the download icon: + +![](16.png) + +![](17.png) + + +In the **Enter model tag** field, type **gemma3:12b** and click the download icon again. It will automatically pull the appropriate model from the [ollama library](https://ollama.com/library). + +![](18.png) + + +After that, just wait for the model download to complete. + +![](19.png) + + +Once the progress bar reaches 100%, the model should be added to your library automatically. +Go to the main page again and check if it's available now. + +![](20.png) + +## **Running a Model** + + +You can now ask the model about something and it should respond after it gets loaded into memory. + +![](21.png) + + +After the answer is generated, you can click on the **(i)** icon to see statistics. Here we got 32 tokens per second (around 10 words per second). If the response is slow (like 1 token per second) it probably means that either model didn't entirely fit into GPUs memory or the GPU isn't being used at all. Check the troubleshooting section for more details. +We can also see that in our prompt (_"What are the benefits and drawbacks of using Tor network?"_) there were 20 tokens (**prompt_tokens**) and the generated answer had 1222 tokens (**eval_count**). In total our conversation took 1242 tokens which is less than default window size of 2048. + +![](22.png) + + +With longer prompt, the context window may be filled up which causes the model to forget what was at the beginning of conversation. + +![](26.png) + + +If **prompt_tokens** is 2048, we need to increase window size. To do that, click on the settings icon next to the user and change **Context Length (Ollama)** parameter. + +![](27.png) + +![](29.png) + + +Here, we see the **prompt_tokens** is now less than the context window size we set. This means entire prompt was evaluated without truncating anything. However this comes with the expense of slightly higher memory usage. Here you can see a comparison between **context_size=2048** and **context_size=8192** : +![](25.png) ![](28.png) + +It's also worth noting Gemma3 is a **multimodal** model which effectively means it can understand text as well as images. There're only a few other open models with vision capabilities including llama 3.2 9B and granite3.2 vision 2B. + +![](23.png) + + +Finally - all your past conversations will be visible in the sidepanel on the left. You can search them by keywords or remove sensitive ones. + +![](24.png) + +## **Model Benchmarks** + +Click on any question to see full model's response. + +## Gemma3 (12B) + +Q1 - Why is the water blue? + + + > Why is the water blue? Answer in few short sentences. + + + Water absorbs longer wavelengths of light (reds and yellows) more readily than shorter wavelengths (blues and violets). This means blue light is scattered and reflected back, making water appear blue to our eyes. The effect is more noticeable in deeper water where more light is scattered. + +Q2 - Tor vs VPN + + + > How does Tor differ from a VPN service? Is it better for privacy? Answer in few short sentences. + + + Tor and VPNs both offer online anonymity, but work differently. A VPN encrypts your traffic and routes it through a server controlled by the VPN provider, masking your IP address. Tor routes your traffic through a network of volunteer-operated relays, making it much harder to trace. Generally, Tor offers stronger privacy than a VPN, but can be slower due to its layered routing. + +Q3 - Fixing Python script + + + > Fix mistakes in this Python code: + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read: + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + Don't output anything more than the corrected script. + + + ```python + #!/usr/bin/python3 + import io + from io import BytesIO + + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read(): + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + +Q4 - Indentifying C vulnerability + + + > Do you see any vulnerability in this C code? + ```c + #include + #include + #include + + void print_text(const char* inbuf) { + char newbuf[64] = {0}; + strncpy(newbuf, inbuf, 0x3f); + printf(newbuf); + } + + int main(int argc, char** argv) { + if (argc > 1) { + print_text(argv[1]); + } + return 0; + } + ``` + Keep your answer short. Just a few sentences about what you identified. + + + The code has a format string vulnerability. `printf(newbuf)` uses user-controlled data (`newbuf`) as the format string, allowing an attacker to potentially read from or write to arbitrary memory locations. `strncpy` limits the copy to 60 bytes, but the format string vulnerability remains because `printf` can interpret those bytes as format specifiers. + +Q5 - Russian-English translation + + + > Translate to english: + ``` + Заметил что через какое-то время перестает работать i2pd. Пока не перезапустишь сервис, либо не нажмешь в админке перезагрузку конфигов. Это известный баг? Или я что-то не так настроил?Обновился до последней версии. Ни чего не поменялось. У меня. mac os сборка. Из интересного даже локал хост с консолью не открывается, точнее он это делает раз через раз. Но когда открывается показывает что тунели есть. Ведет себя буд-то утечка памяти, или что то такое. + ``` + Only output the translation, nothing else. + + + I've noticed that I2pd stops working after a while. I have to restart the service or reload the configuration in the admin panel to get it working again. Is this a known bug? Or am I configuring something incorrectly? I updated to the latest version, and nothing has changed. I'm running on macOS. Interestingly, even localhost with the console doesn't open consistently; it works sometimes, but when it does, it shows that tunnels are present. It behaves as if there's a memory leak or something like that. + + +## Gemma3 (4B) + +Q1 - Why is the water blue? + + + > Why is the water blue? Answer in few short sentences. + + + Water appears blue due to a phenomenon called Rayleigh scattering. Sunlight is made of all colors, and when it hits water molecules, shorter wavelengths like blue and violet are scattered more than longer wavelengths. Our eyes perceive this scattered blue light, making water look blue. + + Essentially, the water is scattering sunlight, and blue light is scattered more effectively than other colors. + +Q2 - Tor vs VPN + + + > How does Tor differ from a VPN service? Is it better for privacy? Answer in few short sentences. + + + Okay, here's a breakdown of the differences and privacy comparison: + + Tor (The Onion Router) and VPNs (Virtual Private Networks) both enhance online privacy, but they do so in different ways. A VPN encrypts your internet traffic and routes it through a single server, masking your IP address from websites. Tor, on the other hand, bounces your traffic through a network of relays, making it far more difficult to trace your activity back to you. Tor is generally considered better for overall privacy due to its layered encryption and distributed nature, while a VPN primarily focuses on protecting your connection between your device and the VPN server. + +Q3 - Fixing Python script + + + > Fix mistakes in this Python code: + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read: + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + Don't output anything more than the corrected script. + + + ```python + #!/usr/bin/python3 + import io + from io import BytesIO + + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read(): + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + +Q4 - Indentifying C vulnerability + + + > Do you see any vulnerability in this C code? + ```c + #include + #include + #include + + void print_text(const char* inbuf) { + char newbuf[64] = {0}; + strncpy(newbuf, inbuf, 0x3f); + printf(newbuf); + } + + int main(int argc, char** argv) { + if (argc > 1) { + print_text(argv[1]); + } + return 0; + } + ``` + Keep your answer short. Just a few sentences about what you identified. + + + The code is vulnerable to a format string vulnerability. The `strncpy` function with a size of 0x3f (63) copies the input string into `newbuf` without null-termination, and then `printf` is called directly with this potentially unformatted string as the format string. This allows an attacker to control the format string and read or write arbitrary memory locations. + +Q5 - Russian-English translation + + + > Translate to english: + ``` + Заметил что через какое-то время перестает работать i2pd. Пока не перезапустишь сервис, либо не нажмешь в админке перезагрузку конфигов. Это известный баг? Или я что-то не так настроил?Обновился до последней версии. Ни чего не поменялось. У меня. mac os сборка. Из интересного даже локал хост с консолью не открывается, точнее он это делает раз через раз. Но когда открывается показывает что тунели есть. Ведет себя буд-то утечка памяти, или что то такое. + ``` + Only output the translation, nothing else. + + + I’ve noticed that i2pd stops working after a certain period of time. It only stops working until I restart the service or reload the configs in the admin panel. Is this a known bug? Or am I doing something wrong? I updated to the latest version and nothing changed. I have a macOS build. Interestingly, even localhost with the console doesn’t open, rather it does this sporadically. But when it opens, it shows that the tunnels are present. It acts as if there’s a memory leak, or something like that. + + +## Gemma3 (1B) + +Q1 - Why is the water blue? + + + > Why is the water blue? Answer in few short sentences. + + + Water appears blue due to the way sunlight interacts with its molecules. Water molecules absorb red and yellow light, but they reflect blue light, making it appear blue to our eyes. + +Q2 - Tor vs VPN + + + > How does Tor differ from a VPN service? Is it better for privacy? Answer in few short sentences. + Tor is a decentralized network that routes traffic through multiple relays, offering stronger anonymity but slower speeds. + + + A VPN encrypts your internet traffic and routes it through a server, masking your IP address but potentially less secure. Ultimately, Tor is generally considered better for privacy due to its focus on anonymity, while a VPN provides a more convenient and faster solution. + +Q3 - Fixing Python script + + + > Fix mistakes in this Python code: + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read: + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + Don't output anything more than the corrected script. + + + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = io.BytesIO(f.read()) + for byte in bio: + bio.seek(0) + print(byte) + ``` + +Q4 - Indentifying C vulnerability + + + > Do you see any vulnerability in this C code? + ```c + #include + #include + #include + + void print_text(const char* inbuf) { + char newbuf[64] = {0}; + strncpy(newbuf, inbuf, 0x3f); + printf(newbuf); + } + + int main(int argc, char** argv) { + if (argc > 1) { + print_text(argv[1]); + } + return 0; + } + ``` + Keep your answer short. Just a few sentences about what you identified. + + + The code is vulnerable to a buffer overflow because `strncpy` doesn't perform a length check and can write beyond the bounds of `newbuf`. If `inbuf` is longer than 63 characters, the program will overwrite memory, potentially leading to a crash or security exploit. + +Q5 - Russian-English translation + + + > Translate to english: + ``` + Заметил что через какое-то время перестает работать i2pd. Пока не перезапустишь сервис, либо не нажмешь в админке перезагрузку конфигов. Это известный баг? Или я что-то не так настроил?Обновился до последней версии. Ни чего не поменялось. У меня. mac os сборка. Из интересного даже локал хост с консолью не открывается, точнее он это делает раз через раз. Но когда открывается показывает что тунели есть. Ведет себя буд-то утечка памяти, или что то такое. + ``` + Only output the translation, nothing else. + + + “I’ve noticed that i2pd service stops working after a while. You need to restart the service, or press the admin panel to restart the configuration. Is this a known bug? Or am I setting something wrong? I’ve updated to the latest version. Nothing has changed. I’m on a Mac OS build. Even local host with a console doesn’t open – it happens every time. But when it opens, it shows that tunnels are present. It’s behaving as if it’s leaking memory, or something else. ” + +## Phi4 (14B) + +Q1 - Why is the water blue? + + + > Why is the water blue? Answer in few short sentences. + + + Water appears blue primarily because of how it absorbs and scatters sunlight. Pure water absorbs colors at the red end of the light spectrum more efficiently than those at the blue end, which are scattered and reflected back to our eyes. In large volumes, such as oceans or deep lakes, this effect becomes noticeable, giving water its characteristic blue color. Additionally, substances like algae or minerals in natural bodies of water can enhance the bluish hue. + +Q2 - Tor vs VPN + + + > How does Tor differ from a VPN service? Is it better for privacy? Answer in few short sentences. + + + + Tor (The Onion Router) and VPNs (Virtual Private Networks) both enhance online privacy but operate differently. Tor routes your internet traffic through multiple volunteer-operated servers, encrypting data at each step, to obscure your IP address and location, making it highly effective for anonymous browsing. However, it can be slower due to this multi-layered routing process. + + In contrast, a VPN encrypts your internet connection between your device and a single server run by the VPN provider, masking your real IP address and allowing you to appear as if you're accessing the internet from the server's location. This is generally faster than Tor but relies on trust in the VPN provider since they can see your traffic. + + Tor offers higher anonymity due to its decentralized nature, while VPNs are better for speed and ease of use. Neither is universally "better" for privacy; the choice depends on specific needs, such as wheter you prioritize maximum anonymity or a balance between privacy and performance. + +Q3 - Fixing Python script + + + > Fix mistakes in this Python code: + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read: + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + Don't output anything more than the corrected script. + + + ```python + #!/usr/bin/python3 + import io + + f = open('a.txt', 'rb') + bio = io.BytesIO() + + for byte in f.read(): + bio.write(bytes([byte ^ 6])) + + f.close() + bio.seek(0) + print(bio.read()) + ``` + +Q4 - Indentifying C vulnerability + + + > Do you see any vulnerability in this C code? + ```c + #include + #include + #include + + void print_text(const char* inbuf) { + char newbuf[64] = {0}; + strncpy(newbuf, inbuf, 0x3f); + printf(newbuf); + } + + int main(int argc, char** argv) { + if (argc > 1) { + print_text(argv[1]); + } + return 0; + } + ``` + Keep your answer short. Just a few sentences about what you identified. + + + Yes, the code contains a vulnerability due to improper use of `strncpy`. Although it limits copying to `0x3f` (63) characters, `newbuf` has room for one more character (the null terminator). After using `strncpy`, there's no guarantee that `newbuf` is null-terminated if the source string is longer than 63 characters. This can lead to undefined behavior when `printf(newbuf)` is called, potentially resulting in a buffer overflow or a crash if non-null bytes follow. + + Additionally, the use of `printf(newbuf)` with an untrusted input (`inbuf`) without format specifiers allows for format string vulnerabilities, as it directly uses the contents of `newbuf` as a format string, which could be manipulated to execute arbitrary code. + +Q5 - Russian-English translation + + + > Translate to english: + ``` + Заметил что через какое-то время перестает работать i2pd. Пока не перезапустишь сервис, либо не нажмешь в админке перезагрузку конфигов. Это известный баг? Или я что-то не так настроил?Обновился до последней версии. Ни чего не поменялось. У меня. mac os сборка. Из интересного даже локал хост с консолью не открывается, точнее он это делает раз через раз. Но когда открывается показывает что тунели есть. Ведет себя буд-то утечка памяти, или что то такое. + ``` + Only output the translation, nothing else. + + + I've noticed that i2pd stops working after some time. It only resumes when you restart the service or refresh the configuration in the admin panel. Is this a known bug, or is something wrong with my setup? I updated to the latest version, but it hasn't changed anything for me on Mac OS. Interestingly, localhost from the console doesn't consistently open; it works intermittently. When it does open, it shows that tunnels exist. It behaves as if there's a memory leak or something similar. + + +## Phi4-mini (4B) + +Q1 - Why is the water blue? + + + > Why is the water blue? Answer in few short sentences. + + + Water appears blue because it absorbs light at all other wavelengths more strongly than green, reflecting and transmitting most of that wavelength back to our eyes as we see it shining through or bouncing off its surface. Blue contains a shorter wave length which makes this visible effect stronger compared with longer colors such as red when the water is illuminated by white sunlight. + +Q2 - Tor vs VPN + + + > How does Tor differ from a VPN service? Is it better for privacy? Answer in few short sentences. + + + Tor anonymizes internet traffic by routing data through multiple volunteer-operated servers, providing strong anonymity and resisting network surveillance or censorship effectively. + + VPN services also encrypt your connection but route all of your device's Internet-bound connections to the selected server; they can bypass geographic restrictions more directly than Tor. + + While both offer privacy benefits over standard browsing on public Wi-Fi networks (or even home ISPs), VPNs may still be detectable and are typically less anonymous because each request appears as coming from their own IP address. Tor, by contrast, is inherently designed for anonymity but might result in slower connection speeds due to its complex routing process. + + In terms of privacy alone: + + For complete online anonymity: TOR + For a balance between speed/security/privacy with broader usage support and less impact on connections: VPNs. + +Q3 - Fixing Python script + + + > Fix mistakes in this Python code: + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read: + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + Don't output anything more than the corrected script. + + + ```python + #!/usr/bin/python3 + import io + + with open('a.txt', 'rb') as f: # Open file in binary mode for reading bytes. + bio = BytesIO() + + for byte in f: + modified_byte = byte ^ 6 # XOR operation on each byte with the constant (6). + encoded_modified_byte = modified_byte.to_bytes(1, byteorder='little') + + if len(encoded_modified_byte) == 0: # Check for empty result due to zero-byte. + bio.write(b'\x00') # Write a single null character in case of such an occurrence. + + else: + bio.write(encoded_modified_byte) + + bio.seek(0) + + # Read and decode from BytesIO back into readable format + decoded_output = b''.join([bytes.fromhex(hex(byte ^ 6)[2:]) for byte in bio.getvalue()]) + print(decoded_output.decode('utf-8', errors='ignore')) + ``` + + Note: + 1. The file is opened using `'rb'` mode to handle bytes properly. + 2. Added an XOR operation with a constant (6). + 3. Converted each modified byte back into `BytesIO`. + 4. Decoded the final output correctly for readability. + + This corrected script reads from 'a.txt', modifies its content by performing bitwise operations on every character, and prints out encoded characters in hexadecimal format converted to readable text while ignoring errors related to decoding non-UTF-8 characters properly (i.e., using `errors='ignore'`). + + Make sure your environment has access permissions for reading the file. Adjust any error handling as per specific requirements or data formats present within 'a.txt'. + + +Q4 - Indentifying C vulnerability + + + > Do you see any vulnerability in this C code? + ```c + #include + #include + #include + + void print_text(const char* inbuf) { + char newbuf[64] = {0}; + strncpy(newbuf, inbuf, 0x3f); + printf(newbuf); + } + + int main(int argc, char** argv) { + if (argc > 1) { + print_text(argv[1]); + } + return 0; + } + ``` + Keep your answer short. Just a few sentences about what you identified. + + + Yes, there's an issue with the use of `strncpy`. If `inbuf` contains more than or equal to 64 characters (the size limit minus one for null terminator), it won't be properly copied into `newbuf`, leading to undefined behavior when accessing its contents later on in your code due to a potential buffer overflow vulnerability. + +Q5 - Russian-English translation + + + > Translate to english: + ``` + Заметил что через какое-то время перестает работать i2pd. Пока не перезапустишь сервис, либо не нажмешь в админке перезагрузку конфигов. Это известный баг? Или я что-то не так настроил?Обновился до последней версии. Ни чего не поменялось. У меня. mac os сборка. Из интересного даже локал хост с консолью не открывается, точнее он это делает раз через раз. Но когда открывается показывает что тунели есть. Ведет себя буд-то утечка памяти, или что то такое. + ``` + Only output the translation, nothing else. + + + Noticed that i2pd stops working after some time unless you restart the service or refresh configurations in admin mode. Is this a known bug? Or did I misconfigure something? + + Updated to the latest version; no changes were made on my end. + + On macOS build (I'm not sure what it is). Interestingly, even when connecting locally with console doesn't always open - more precisely: it's intermittent behavior but sometimes tunnels are detected which indicates memory leaks or similar issues. + +## Granite 3.2 (8B) + +Q1 - Why is the water blue? + + + > Why is the water blue? Answer in few short sentences. + + + Water itself appears colorless. The blue appearance is due to water absorbing light from all wavelengths except blue, which gets scattered, making it appear blue. This phenomenon is known as Rayleigh scattering. + +Q2 - Tor vs VPN + + + > How does Tor differ from a VPN service? Is it better for privacy? Answer in few short sentences. + + + Tor and VPNs both enhance online anonymity but function differently. Tor routes traffic through a network of volunteer-operated servers (nodes), encrypting data multiple times, making it harder to trace the origin. A VPN, on the other hand, securely tunnels your internet connection to a server operated by the service provider. While both provide privacy, Tor's multi-layered approach may offer more robust anonymity against sophisticated tracking attempts, although it can be slower and less reliable than a VPN. However, for general online activities, a reputable VPN is usually sufficient and offers better speeds. + +Q3 - Fixing Python script + + + > Fix mistakes in this Python code: + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read: + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + Don't output anything more than the corrected script. + + + ```python + #!/usr/bin/python3 + import io + import os + + with open('a.txt', 'rb') as f: + bio = io.BytesIO() + for byte in f.read(): + bio.write(bytes([byte ^ 6])) + bio.seek(0) + print(bio.read().decode()) + ``` + +Q4 - Indentifying C vulnerability + + + > Do you see any vulnerability in this C code? + ```c + #include + #include + #include + + void print_text(const char* inbuf) { + char newbuf[64] = {0}; + strncpy(newbuf, inbuf, 0x3f); + printf(newbuf); + } + + int main(int argc, char** argv) { + if (argc > 1) { + print_text(argv[1]); + } + return 0; + } + ``` + Keep your answer short. Just a few sentences about what you identified. + + + The code contains a potential buffer overflow vulnerability due to the use of `strncpy` in the `print_text` function. Although it limits copying up to 64 bytes (0x3f in hexadecimal), it does not null-terminate `newbuf` if the input string is longer than 62 characters, leading to unpredictable behavior or a crash. To fix this, replace `strncpy` with `strlcpy`, which guarantees null-termination and specifies the buffer size. + +Q5 - Russian-English translation + + + > Translate to english: + ``` + Заметил что через какое-то время перестает работать i2pd. Пока не перезапустишь сервис, либо не нажмешь в админке перезагрузку конфигов. Это известный баг? Или я что-то не так настроил?Обновился до последней версии. Ни чего не поменялось. У меня. mac os сборка. Из интересного даже локал хост с консолью не открывается, точнее он это делает раз через раз. Но когда открывается показывает что тунели есть. Ведет себя буд-то утечка памяти, или что то такое. + ``` + Only output the translation, nothing else. + + + Noticed that after some time, i2pd stops working. Until you restart the service or press the reboot configs button in the admin panel, it doesn't work. Is this a known bug, or have I misconfigured something? I've updated to the latest version, but there's been no change for me on Mac OS build. Even the local host console can't be opened, it only works once every few times. But when it does open, it shows that tunnels exist. It seems like there might be a memory leak or similar issue. + + +## llama 3.1 (8B) + +Q1 - Why is the water blue? + + + > Why is the water blue? Answer in few short sentences. + + + The color of water appears blue because: + + Water absorbs longer wavelengths of light, like red and orange + It reflects shorter wavelengths, like blue and violet + This is why our eyes see water as blue. + +Q2 - Tor vs VPN + + + > How does Tor differ from a VPN service? Is it better for privacy? Answer in few short sentences. + + + Tor differs from a VPN (Virtual Private Network) in that it routes internet traffic through a network of volunteer-run servers, called relays, to anonymize and encrypt data. This makes it more difficult for anyone to track online activity, including governments and ISPs. + + Tor is generally considered better for privacy than a traditional VPN because: + + It provides stronger encryption + It has a more decentralized architecture (volunteer-run relays vs. proprietary servers) + It's designed specifically for anonymity, whereas many VPNs prioritize speed and accessibility over security + However, Tor can be slower due to the multiple hops required to route traffic through its network. + +Q3 - Fixing Python script + + + > Fix mistakes in this Python code: + ```python + #!/usr/bin/python3 + import io + f = open('a.txt', 'r') + bio = BytesIO() + for byte in f.read: + bio.write(bytes([byte ^ 6])) + f.close() + bio.seek(0) + print(bio.read()) + ``` + Don't output anything more than the corrected script. + + + ```python + #!/usr/bin/python3 + import io + + with open('a.txt', 'r') as f: + bio = io.BytesIO() + for byte in f: + bio.write(bytes([byte[0] ^ 6])) + print(bio.getvalue()) + ``` + Note: In the original code, `f.read` was called without any arguments, which would return a generator object. I changed it to simply `for byte in f`, which will iterate over each line of the file. Also, `bio.write(bytes([byte ^ 6]))` should be `bio.write(bytes([byte[0] ^ 6]))`, because `byte` is already a single character (not a list or bytes), so we need to access its first element using `[0]`. Finally, I replaced `f.close()` with the context manager syntax `with open... as f:`, which ensures that the file is always properly closed. + +Q4 - Indentifying C vulnerability + + + > Do you see any vulnerability in this C code? + ```c + #include + #include + #include + + void print_text(const char* inbuf) { + char newbuf[64] = {0}; + strncpy(newbuf, inbuf, 0x3f); + printf(newbuf); + } + + int main(int argc, char** argv) { + if (argc > 1) { + print_text(argv[1]); + } + return 0; + } + ``` + Keep your answer short. Just a few sentences about what you identified. + + + The code has two potential vulnerabilities: + + 1. **Undefined Behavior**: The `strncpy` function is used with a count of 63 (0x3f), which may not be the maximum length of the `newbuf` array, potentially leading to buffer overflow. + 2. **Lack of Input Validation**: The `print_text` function does not check if `inbuf` is null before copying it to `newbuf`, allowing a potential NULL pointer dereference attack. + +Q5 - Russian-English translation + + + > Translate to english: + ``` + Заметил что через какое-то время перестает работать i2pd. Пока не перезапустишь сервис, либо не нажмешь в админке перезагрузку конфигов. Это известный баг? Или я что-то не так настроил?Обновился до последней версии. Ни чего не поменялось. У меня. mac os сборка. Из интересного даже локал хост с консолью не открывается, точнее он это делает раз через раз. Но когда открывается показывает что тунели есть. Ведет себя буд-то утечка памяти, или что то такое. + ``` + Only output the translation, nothing else. + + + I noticed that after a certain period of time, i2pd stops working. Until you restart the service or click on "Reload Config" in the admin interface, it won't work again. Is this a known bug? Or did I misconfigure something? I've upgraded to the latest version. Nothing has changed. My system is running Mac OS with this build. Interestingly, even the local host with console doesn't open sometimes, but when it does, it shows that there are tunnels available. It behaves as if there's a memory leak or something like that. + + +## **Troubleshooting** + +If you encounter issues with hardware acceleration on ollama, check: + + * Ensure the NVIDIA driver is correctly installed and accessible within Docker. + * Verify GPU resources are allocated by running **docker run --rm --runtime=nvidia --gpus all ubuntu nvidia-smi**. + * Check logs with **docker-compose logs -f** for any error messages. + + + +## **[BONUS] LLM Web Search** + +LLMs typically have pretty distant knowledge cutoff. Meaning if you ask about recent developments in some rapidly changing technology, they typically won't be able to answer you directly. +The models presented here typically have the knowledge up to late 2023/early 2024 since they were trained somewhat around this time. + +With Open WebUI, models can search the web for up to date information about recent topics. +The model is first asked to come up with search queries about the question being asked. The queries are sent to some traditional search engine (like duckduckgo, bing, google or a searxng instance). A webdriver working on the backend visits each result and aggregates knowledge in vector database which model then uses to enhance its response. +In this section, we'll configure this feature to work entirely over Tor maintaining server side anonymity. + +Here's the output from Gemma 3 without search capability: + +![](41.png) + +![](43.png) + + +And here are the same questions with search using duckduckgo over Tor: + +![](40.png) + +![](42.png) + + +To start, we need to know the IP address of the host on the **docker0** interface. + + + oxeo@andromeda:~$ ip a show dev docker0 + 3: docker0: mtu 1500 qdisc noqueue state DOWN group default + link/ether 3a:1c:1f:86:47:f0 brd ff:ff:ff:ff:ff:ff + inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 + valid_lft forever preferred_lft forever + +In my case it's **172.17.0.1**. + +Now, we'll make Tor listen on this interface with **HTTP CONNECT** proxy (since Open WebUI search feature doesn't support socks5). Add at the top of **/etc/tor/torrc** file the following line: + + + SOCKSPort 172.17.0.1:9050 + +Remember to replace the IP with the one you got from previous step. + +Restart Tor and check if it listens on desired interface: + + + oxeo@andromeda:~$ sudo systemctl restart tor + oxeo@andromeda:~$ sudo ss -tulp + Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process + udp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:* users:(("dhclient",pid=490,fd=7)) + tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=1572,fd=6)) + tcp LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:* users:(("docker-proxy",pid=13793,fd=7)) + tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=522,fd=3)) + tcp LISTEN 0 4096 172.17.0.1:9050 0.0.0.0:* users:(("tor",pid=1572,fd=7)) + tcp LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:* users:(("docker-proxy",pid=13708,fd=7)) + tcp LISTEN 0 128 [::]:ssh [::]:* users:(("sshd",pid=522,fd=4)) + +We also need to adjust the **~/openwebui-stack/docker-compose.yml** file. +Add 3 [environment variables](https://docs.openwebui.com/getting-started/env-configuration/#proxy-settings) telling Open WebUI to use certain proxy for HTTP and HTTPS connections. The open-webui container configuration should now look like this: + + + open-webui: + image: ghcr.io/open-webui/open-webui:main + container_name: open-webui + volumes: + - open-webui:/app/backend/data + depends_on: + - ollama + ports: + - 127.0.0.1:3000:8080 # Remove "127.0.0.1:" to access from LAN + environment: + - 'OLLAMA_BASE_URL=http://ollama:11434' + - 'WEBUI_SECRET_KEY=' + - 'HTTP_PROXY=socks5://host.docker.internal:9050' + - 'HTTPS_PROXY=socks5://host.docker.internal:9050' + - 'NO_PROXY=ollama' + extra_hosts: + - host.docker.internal:host-gateway + restart: unless-stopped + +The **host.docker.internal** domain is resolved from within the container to the address of host. This allows open-webui container to access HTTP CONNECT proxy exposed by Tor daemon. + +Once that's done, we can restart the container and go to Open WebUI GUI administrator settings once again. + + + oxeo@andromeda:~$ docker-compose down; docker-compose up -d + +![](44.png) + + +This time, click on the **Web Search** tab. + +![](45.png) + + +Here, enable the feature and select **duckduckgo** as a search engine. It's also possible to use searxng instance but it has to have JSON output enabled (which is not the default). +You should enable **Trust Proxy Environment** so that every search query and visited website will be proxied through the Tor proxy we set up before. + +![](46.png) + + +And that's it! +Now go back to the chat interface and click on **Web Search** toggle, then send your question. + +![](47.png) + + +If search engine and browser backend are working, you should see search queries model came up with. + +![](48.png) + + +After model gives you an answer, you're able to see the sources it used to gain knowledge. + +![](49.png) + +## **Closing Remarks** + +In this tutorial, you've set up a private LLM experience using ollama and Open WebUI. Your conversations remain anonymous and private, no data will be sent anywhere or used for training new models. +While the open model ecosystem is still somewhat behind the proprietary technologies and big datacenters, it quickly catches up. +It's safe to assume in a few years we will have models as capable as current Claude or OpenAI products, running with fraction of the cost on your own hardware. What a time to be alive! + diff --git a/opsec/1.png b/opsec/1.png new file mode 100644 index 0000000..4b35e58 Binary files /dev/null and b/opsec/1.png differ diff --git a/opsec/10.png b/opsec/10.png new file mode 100644 index 0000000..f112db5 Binary files /dev/null and b/opsec/10.png differ diff --git a/opsec/11.png b/opsec/11.png new file mode 100644 index 0000000..1fe2e50 Binary files /dev/null and b/opsec/11.png differ diff --git a/opsec/12.png b/opsec/12.png new file mode 100644 index 0000000..68e888d Binary files /dev/null and b/opsec/12.png differ diff --git a/opsec/2.png b/opsec/2.png new file mode 100644 index 0000000..02d40d9 Binary files /dev/null and b/opsec/2.png differ diff --git a/opsec/3.png b/opsec/3.png new file mode 100644 index 0000000..da67da5 Binary files /dev/null and b/opsec/3.png differ diff --git a/opsec/4.png b/opsec/4.png new file mode 100644 index 0000000..a7a7bff Binary files /dev/null and b/opsec/4.png differ diff --git a/opsec/5.png b/opsec/5.png new file mode 100644 index 0000000..2a07998 Binary files /dev/null and b/opsec/5.png differ diff --git a/opsec/6.png b/opsec/6.png new file mode 100644 index 0000000..d6c85a6 Binary files /dev/null and b/opsec/6.png differ diff --git a/opsec/7.png b/opsec/7.png new file mode 100644 index 0000000..c81f59a Binary files /dev/null and b/opsec/7.png differ diff --git a/opsec/8.png b/opsec/8.png new file mode 100644 index 0000000..7d81a7c Binary files /dev/null and b/opsec/8.png differ diff --git a/opsec/9.png b/opsec/9.png new file mode 100644 index 0000000..511bb8a Binary files /dev/null and b/opsec/9.png differ diff --git a/opsec/index.md b/opsec/index.md new file mode 100644 index 0000000..432eeb9 --- /dev/null +++ b/opsec/index.md @@ -0,0 +1,272 @@ +--- +author: nihilist +date: 2024-06-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/72" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# OPSEC: Using the right Technology and Behavior + +OPSEC, or Operational Security, is a process aimed at identifying if your actions can be observed by an adversary. In this context, how good your OPSEC is, determines the level of your privacy and anonymity. + +![](2.png) + +By default, if you're not careful with the technology you use, your very ability to have privacy and anonymity is not possible. And if your behavior isn't strictly controlled to protect your anonymity while using those technologies, that can also compromise both privacy and anonymity. + +![](3.png) + +If you wish to have Privacy and Anonymity online, you need to use the correct technologies, and to have the correct behavior when using them. + + + +## **Improve your OPSEC using Technology** + +The first and foremost step when you wish to protect your OPSEC, is to use the correct technologies that will let you have Privacy (lack of surveillance), and Anonymity (lack of identification). Be sure of one thing; **You will never have privacy, nor anonymity until you use the right technologies**. + +We're going to cover 6 scenarios into which Bob tries to be anonymous online, as you will see, Bob's level of privacy and anonymity will vary greatly, based on what technologies he uses to access and use his account on nowhere.com + +**Scenario 1: Closed source software, and no protection** + +![](4.png) _Technology used:_ + + 1. Host OS: Windows (closed source) + + 2. Web Browser: google chrome (closed source) + + 3. Internet Connection: direct connection via his Internet service provider + + +_Actions:_ + + 1. Bob uses his windows OS to open his web browser + + 2. Bob uses the google chrome web browser to access nowhere.com + + 3. Bob goes on nowhere.com and creates an account + + 4. Bob logs on his account and posts a comment + + +_Consequences:_ + + 1. Microsoft is aware of everything that Bob did with his windows OS + + 2. Google is aware of everything that Bob did with his chrome web browser + + 3. Bob's ISP is aware that Bob went on nowhere.com + + 4. the nowhere.com admins sees that Bob's home IP address logged into the account and posted a comment + + + + +_Summary:_ Bob posted a comment on nowhere.com **and Microsoft; Google; his ISP; and the nowhere.com admins are all aware that it is Bob that did it. Bob has no privacy, and no anonymity whatsoever.** + +**Scenario 2: Closed source software, and using a VPN** + +![](5.png) _Technology used:_ + + 1. Host OS: Windows (closed source) + + 2. Web Browser: google chrome (closed source) + + 3. Internet Connection: using a VPN + + +_Actions:_ + + 1. Bob uses his windows OS to open his vpn connection + + 2. Bob, once connected via his VPN, opens his google chrome web browser + + 3. Bob uses the google chrome web browser to access nowhere.com + + 4. Bob goes on nowhere.com and creates an account + + 5. Bob logs on his account and posts a comment + + +_Consequences:_ + + 1. Microsoft is aware of everything that Bob did with his windows OS + + 2. Google is aware of everything that Bob did with his chrome web browser + + 3. Bob's ISP is only aware that Bob connected to his VPN provider. + + 4. the VPN provider sees that Bob's home IP address connected to the service, and that Bob connected to nowhere.com + + 5. the nowhere.com admins sees that the VPN IP address logged into the account and posted a comment + + + + +_Summary:_ Bob posted a comment on nowhere.com and Microsoft and Google are aware that it is Bob that did it, the VPN provider knows that Bob connected to nowhere.com, and the nowhere.com admins see that a VPN IP logged on the account and posted the comment. **Bob has only managed to gain privacy from his ISP, but he has only shifted the issue to his VPN provider. Bob still has no privacy, and no anonymity whatsoever.** + +**Scenario 3: Open source software, and a VPN** + +![](6.png) _Technology used:_ + + 1. Host OS: Linux (open source) + + 2. Web Browser: firefox (open source) + + 3. Internet Connection: using a VPN + + +_Actions:_ + + 1. Bob uses his debian OS to open his vpn connection + + 2. Bob, once connected via his VPN, opens his firefox web browser + + 3. Bob uses the firefox web browser to access nowhere.com + + 4. Bob goes on nowhere.com and creates an account + + 5. Bob logs on his account and posts a comment + + +_Consequences:_ + + 1. Only Bob can know what he did with his linux OS + + 2. Only Bob can know what he did with his firefox web browser + + 3. Bob's ISP is only aware that Bob connected to his VPN provider. + + 4. the VPN provider sees that Bob's home IP address connected to the service, and that Bob connected to nowhere.com + + 5. the nowhere.com admins sees that the VPN IP address logged into the account and posted a comment + + + + +_Summary:_ Bob posted a comment on nowhere.com, his VPN provider knows that he connected to nowhere.com, and the nowhere.com admins are aware that someone used a VPN to do it. **Bob has managed to gain privacy from his ISP, but also from the companies that spied on him while he was using closed source software** (microsoft and google in this case), however **Bob is still being spied on by his VPN provider, and he has no anonymity whatsoever.** + +**Scenario 4: Open source software, and Tor** + +![](7.png) _Technology used:_ + + 1. Host OS: Linux (open source) + + 2. Web Browser: Tor browser (open source) + + 3. Internet Connection: direct via ISP + + +_Actions:_ + + 1. Bob uses his debian OS to open his tor web browser + + 2. Bob uses the tor web browser to access nowhere.com + + 3. Bob goes on nowhere.com and creates an account + + 4. Bob logs on his account and posts a comment + + +_Consequences:_ + + 1. Only Bob can know what he did with his linux OS + + 2. Only Bob can know what he did with his tor web browser + + 3. Bob's ISP is only aware that Bob used Tor. + + 4. The tor entry node sees that Bob's home IP has connected, but cant tell where he tried to connect. + + 5. The tor middle node doesn't know who's connecting, nor where it's connecting. + + 6. The tor exit node doesn't know who's connecting, but knows that the traffic is going to nowhere.com (There is a very low chance that all 3 tor nodes (entry, middle and exit) collaborate to see that Bob's home IP address connected to nowhere.com) + + 7. the nowhere.com admins sees that a Tor exit node IP has logged into the account and posted a comment + + + + +_Summary:_ Bob posted a comment on nowhere.com, and there is only a very low chance that an adversary knows that he connected to nowhere.com, and the nowhere.com admins are only aware that someone used Tor to do it. **Bob has managed to gain privacy, and has posted the comment anonymously. Bob's ISP knows that he used tor, but he doesn't know what he did with it.** the nowhere.com admins know that someone used tor to post a comment, but they don't know who did it. + +## **Improve your OPSEC with your behavior** + +Now, you are Bob, and you have decided that you would maintain your anonymity online for your use of nowhere.com as detailed in scenario 6 above: you use open source technology, and you use the tor browser. + +You have implemented all the correct technologies as explained above and you have created your account on nowhere.com anonymously. + +But still, **you may deanonymize yourself by having the wrong behavior with your actions!** + +![](8.png) + +**Scenario 1: Self-Identification** + +![](9.png) + +Situation: Bob has an account on nowhere.com + + 1. Bob registered his account via Tor on nowhere.com + + 2. Bob mentioned his real life name into the information of his account + + 3. Bob mentioned where he lived on the account information too. + + + + +_Summary:_ Bob deanonymized himself by his actions, despite using the correct technology. He identified himself (or KYC'd himself) on nowhere.com + +**Scenario 2: Pseudonymity** + +![](10.png) + +Situation: Bob has an account on nowhere.com + + 1. Bob registered his account via Tor on nowhere.com + + 2. Bob uses a pseudonym into the information of his account + + 3. Bob mentionned that his pseudonym lived in wonderland. + + + + +_Summary:_ Bob used the right technology, and then on the website he uses a pseudonym, and mentioned random useless information about his pseudonym. For now his anonymity is preserved. + +**Scenario 3: When pseudonymity goes wrong** + +![](11.png) + +Situation: Bob has an account on nowhere.com + + 1. Bob registered his account via Tor on nowhere.com + + 2. Bob uses a pseudonym into the information of his account + + 3. Bob used this account to talk into many conversations over the years, and has built up a big reputation. + + 4. Bob is drunk one night, and accidentally mentioned his real life name online. + + + + +_Summary:_ Bob used the right technology, and then on the website he used a pseudonym successfully for a few years, his anonymity was preserved all this time up until he got drunk and accidentally revealed who he was. From there, Bob can no longer be anonymous using that pseudonym. + +**Scenario 4: Anonymity: when reputation doesn't matter** + +![](12.png) + +Situation: Bob has an account on nowhere.com + + 1. Bob regularly registers accounts via Tor on nowhere.com + + 2. Bob enters different random names into the information of his accounts + + 3. Bob strictly uses those accounts only for specific purposes. + + 4. Bob talks into many conversations over the years, but using different accounts every week/month. + + 5. Bob is never drunk when in front of the keyboard, and he is always careful to reveal nothing about his real life identity. + + + + +_Summary:_ Bob uses the right technology, and then on the website he preserves his anonymity by never revealing who he is, and by keeping multiple accounts on the same service for specific usecases, and only for limited amounts of time. In this case, Bob maintains anonymity without getting popular. + diff --git a/opsec4levels/0.1.png b/opsec4levels/0.1.png new file mode 100644 index 0000000..2e27228 Binary files /dev/null and b/opsec4levels/0.1.png differ diff --git a/opsec4levels/0.2.png b/opsec4levels/0.2.png new file mode 100644 index 0000000..fa8ca65 Binary files /dev/null and b/opsec4levels/0.2.png differ diff --git a/opsec4levels/0.3.png b/opsec4levels/0.3.png new file mode 100644 index 0000000..be025e3 Binary files /dev/null and b/opsec4levels/0.3.png differ diff --git a/opsec4levels/0.4.png b/opsec4levels/0.4.png new file mode 100644 index 0000000..9f8baf5 Binary files /dev/null and b/opsec4levels/0.4.png differ diff --git a/opsec4levels/0.png b/opsec4levels/0.png new file mode 100644 index 0000000..942bf0d Binary files /dev/null and b/opsec4levels/0.png differ diff --git a/opsec4levels/1.png b/opsec4levels/1.png new file mode 100644 index 0000000..4049dd5 Binary files /dev/null and b/opsec4levels/1.png differ diff --git a/opsec4levels/2.png b/opsec4levels/2.png new file mode 100644 index 0000000..e354b57 Binary files /dev/null and b/opsec4levels/2.png differ diff --git a/opsec4levels/3.png b/opsec4levels/3.png new file mode 100644 index 0000000..e71057a Binary files /dev/null and b/opsec4levels/3.png differ diff --git a/opsec4levels/4.png b/opsec4levels/4.png new file mode 100644 index 0000000..6a641da Binary files /dev/null and b/opsec4levels/4.png differ diff --git a/opsec4levels/index.md b/opsec4levels/index.md new file mode 100644 index 0000000..a8d05ac --- /dev/null +++ b/opsec4levels/index.md @@ -0,0 +1,106 @@ +--- +author: nihilist +date: 2024-06-08 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/70" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Audit your OPSEC and determine the appropriate internet use + +In this tutorial we're going to explore how you can audit your own level of Operational Security (also known as opsec), using the following 6 parameters:**Complexity, Transparency, Surveillance, Centralisation, Onymity, and Deniability**. The goal is to determine the level of Privacy, Anonymity and Deniability of your operations online to determine what you can do safely. + +![](0.1.png) + +Based on those, we are able to determine **the most appropriate Internet use.** + +![](0.png) + +Auditing your own OPSEC is an essential skill that you must possess, we're going to audit the 4 different setups below, to be able to determine where they fit. + +To do so, we are going to simplify it down to 4 OPSEC levels: **Public, Private, Anonymous and Sensitive**. + +![](0.4.png) + +_Sidenote:_ If your setup is suitable only for public internet use, you CANNOT use it for any private use, and so on. + + + +## **Bob's Setup: Public Internet Use** + +![](1.png) + +![](../co0.png)_**Complexity:**_ Bob didn't put any effort. He bought his PC and windows was pre-installed, and he used it as it was. + +![](../tr2.png)_Transparency:_ Bob uses windows as a host OS, and google chrome as his web browser. Both are closed-source, he does not know what his software is doing. + +![](../su2.png)_Surveillance:_ Since bob uses closed-source software, he is under constant surveillance while using his computer. + +![](../ce2.png)_Centralisation:_ Bob uses popular services that are centralised in nature, he depends on the goodwill of others to use their services + +![](../on2.png)_Onymity:_ Because there is no privacy, anonymity is impossible for Bob. + +![](../de2.png)_Deniability:_ Bob cannot deny anything that he's doing on his computer, as he is under constant surveillance, without any possibility of anonymity. + +_Conclusion:_ **Bob's setup is suitable only for Public internet use** , as he is under constant surveillance while using it. + +## **Alice's Setup: Private Internet Use** + +![](2.png) + +![](../co1.png)_Complexity:_ Alice has put some effort to get her current setup, she is willing to go out of her comfort zone to improve her OPSEC. + +![](../tr0.png)_Transparency:_ Alice only uses open source software (Linux and Firefox) she can see from the sourcecode that it only does what it should do. + +![](../su0.png)_**Surveillance:**_ Alice has verified that the open source software that she was using wasn't spying on her + +![](../ce1.png)_Centralisation:_ Alice is starting to move away from centralised services, she's looking at other alternatives, but they are still centralised. + +![](../on1.png)_Onymity:_ Alice is exploring anonymity, but through a pseudonym online, she is not anonymous yet. + +![](../de2.png)_Deniability:_ Alice cannot deny that she has used her current setup + +_Conclusion:_ **Alice's setup is suitable for Private use** , as she managed to remove surveillance from her setup. + +## **Charlie's Setup: Anonymous Internet Use** + +![](3.png) + +![](../co2.png)_Complexity:_ Charlie is willing to go at great lengths to improve his OPSEC + +![](../tr0.png)_Transparency:_ Charlie only uses open source software, that way he knows that the software he uses only does what he wants it to do. + +![](../su0.png)_Surveillance:_ Charlie has verified that the software he is using, is not surveilling what he's doing + +![](../ce0.png)_Centralisation:_ Charlie has moved away from centralised services, and is using their decentralised counterpart from the fediverse + +![](../on0.png)_**Onymity:**_ Charlie is anonymous online, thanks to it's use of the tor network through Whonix and tor browser + +![](../de1.png)_Deniability:_ Charlie, thanks to his use of anonymity technologies, may be able to deny that he has used this setup depending on the context. However if an adversary gets physical access to his computer, he won't be able to deny that he has ever used it. + +_Conclusion:_ **Charlie's setup is suitable for Anonymous use** , as he managed to implement anonymity technologies into his setup. + +## **Dave's Setup: Sensitive Internet Use** + +![](4.png) + +![](../co2.png)_Complexity:_ Dave is willing to go at great lengths to improve his OPSEC + +![](../tr0.png)_Transparency:_ Dave only uses open source software, that way he knows that the software he uses only does what he wants it to do. + +![](../su0.png)_Surveillance:_ Dave has verified that the software he is using, is not surveilling what he's doing + +![](../ce0.png)_Centralisation:_ Dave has moved away from centralised services, and is using their decentralised counterpart from the fediverse + +![](../on0.png)_Onymity:_ Dave is anonymous online, thanks to it's use of the tor network through Whonix and tor browser + +![](../de0.png)_**Deniability:**_ Dave can deny that he has committed any anonymous activity, because the VM he uses is inside a veracrypt hidden volume, that he can deny the existance of. + +_Conclusion:_ **Dave's setup is suitable for Sensitive use** , as he managed to implement plausible deniability on top of anonymity technologies into his setup. + +## **Recap of the 4 basic OPSEC levels** + +![](0.3.png) + +Now as you can see, the higher the opsec level, the more complexity one must be willing to bear with, in order to increase their own operational security. + +Take the 6 parameters into account before trying to use a specific setup for an inappropriate internet usage. If you want to have all of those 4 setups at once, check out my tutorial on [VM-based internet usage segmentation](../internetsegmentation/index.md) + diff --git a/p2ptorrents/0.png b/p2ptorrents/0.png new file mode 100644 index 0000000..ac7c031 Binary files /dev/null and b/p2ptorrents/0.png differ diff --git a/p2ptorrents/1.png b/p2ptorrents/1.png new file mode 100644 index 0000000..ea5eb5c Binary files /dev/null and b/p2ptorrents/1.png differ diff --git a/p2ptorrents/2.png b/p2ptorrents/2.png new file mode 100644 index 0000000..c54d16e Binary files /dev/null and b/p2ptorrents/2.png differ diff --git a/p2ptorrents/3.png b/p2ptorrents/3.png new file mode 100644 index 0000000..1e1113b Binary files /dev/null and b/p2ptorrents/3.png differ diff --git a/p2ptorrents/4.png b/p2ptorrents/4.png new file mode 100644 index 0000000..4f9ffbc Binary files /dev/null and b/p2ptorrents/4.png differ diff --git a/p2ptorrents/5.png b/p2ptorrents/5.png new file mode 100644 index 0000000..4bd4e72 Binary files /dev/null and b/p2ptorrents/5.png differ diff --git a/p2ptorrents/6.png b/p2ptorrents/6.png new file mode 100644 index 0000000..eb89861 Binary files /dev/null and b/p2ptorrents/6.png differ diff --git a/p2ptorrents/7.png b/p2ptorrents/7.png new file mode 100644 index 0000000..c16cea5 Binary files /dev/null and b/p2ptorrents/7.png differ diff --git a/p2ptorrents/8.png b/p2ptorrents/8.png new file mode 100644 index 0000000..a8f3496 Binary files /dev/null and b/p2ptorrents/8.png differ diff --git a/p2ptorrents/9.png b/p2ptorrents/9.png new file mode 100644 index 0000000..05bcedd Binary files /dev/null and b/p2ptorrents/9.png differ diff --git a/p2ptorrents/index.md b/p2ptorrents/index.md new file mode 100644 index 0000000..a2d0a3d --- /dev/null +++ b/p2ptorrents/index.md @@ -0,0 +1,82 @@ +--- +author: XMRonly +date: 2024-10-23 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/12" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# Peer-to-Peer Large File Sharing (Torrents over VPN) + +![](0.png) + + + +## **Introduction** + +While many methods of sending files online exist, scaling file sending to accomodate larger and larger files can be a problem due to constraints on bandwidth, connection reliability and maintaining file integrity. To solve some of these issues, the technology of torrenting was born. At its core, torrenting simply involves taking a large file, breaking it into smaller chunks, transmitting those smaller chunks from one peer to another (hence P2P), and having the receiving party reconstruct those smaller chunks into the original file. The advantages here are that this process is decentralized, can be interrupted/resumed, and leechers can simultaneously download from multiple seeders thus speeding up the process. This process inherently relies on users' IP addresses for file transmission which are visible to anyone participating. As such, we must take precautions using a VPN to mask this information. In this article, we will explore how, after binding a VPN to their torrent clients, Sam the Seeder can privately share a large file with Larry the Leecher. + +## **Setup** + +We start from the perspective of both Sam and Larry as both will complete these inital steps. +![](sam.png) ![](larry.png) + +It is presumed that both Sam and Larry have already purchased a subscription to a [VPN](https://blog.nowhere.moe/opsec/vpn/index.md). For this example we will use Proton VPN, but other [non-KYC VPNs](https://kycnot.me/?t=service&q=vpn) that accept Monero, such as Mullvad, may also be used. To start, they will sign in to their VPN client, ensure kill switch is enabled in the Settings, connect to their VPN and verify their IP address. ![](1.png) + +Both Sam and Larry will install qBittorrent: + + + + sudo apt install qbittorrent + + + +Sam and Larry will open up qBittorrent and be greeted with a one-time pop-up. ![](2.png) + +Next, Sam and Larry need to bind their VPN to qBittorrent. Under Tools -> Preferences -> Advanced, there is an option to specify the network interface. Select tun0, then click OK. Note: this interface does not appear unless the VPN is connected. ![](3.png) + +With this step complete, all qBittorrent traffic is routed through the VPN. Should the VPN disconnect, all current downloads/uploads will stop without revealing Sam or Larry's true IP address due to the kill switch option previously enabled. + +We will switch to Sam's perspective. +![](sam.png) + +Sam is now ready to share a file with Larry. He has a 10GB file of "linux ISOs" for which he will need to create a .torrent file. To help with this, Sam will use [PrivTracker](https://privtracker.com), a private BitTorrent tracker, to announce his .torrent file. Sam generates a private announce URL on the PrivTracker website and copies it to his clipboard. ![](4.png) + +Additionally, it is possible to self-host PrivTracker on a VPS. Following the instructions on their [GitHub](https://github.com/meehow/privtracker), we need to run: + + + + Build + + # Clone this repository. + $ git clone https://github.com/meehow/privtracker.git + + # cd into the directory + $ cd privtracker + + # Run go build + $ go build + + Usage + + # Runs on port 1337 and redirects to privtracker.com by default. + $ ./privtracker + + # Export PORT and DOMAIN variables to use custom values. + $ export PORT=12345 DOMAIN=customprivtracker.com; ./privtracker + + + +In qBittorrent, Sam will go to Tools -> Torrent Creator. He selects the desired file, checks the box to make it a private torrent, clicks the box to start seeding immediately, pastes the previous copied announce URL in the Trackers URLs section and clicks on Create Torrent. Once the process finishes, he clicks OK. ![](5.png) + +Sam's qBittorrent client now shows he is now seeding the his 10GB file. Sam leaves his qBittorrent client running in order to be connectable and to seed the file to anyone connecting. ![](6.png) + +Sam now starts a [SimpleX](https://blog.nowhere.moe/opsec/anonsimplex/index.md) chat with Larry using disappearing messages and sends the newly created .torrent file. ![](7.png) + +We will switch to Larry's perspective. +![](larry.png) + +Larry adds the .torrent file to his qBittorrent client to begin downloading the 10GB file. Under File -> Add Torrent File, Larry selects the .torrent file he received and clicks Open. Larry chooses where to save the 10GB file then clicks OK. ![](8.png) + +## **Conclusion** + +Larry is now leeching the file that Sam is seeding! After a bit of time the transfer will be complete. Additionally, when inspecting the connecting peers, Larry is only able to see Sam's VPN IP address and vice versa. ![](9.png) + diff --git a/p2ptorrents/larry.png b/p2ptorrents/larry.png new file mode 100644 index 0000000..ea622cd Binary files /dev/null and b/p2ptorrents/larry.png differ diff --git a/p2ptorrents/sam.png b/p2ptorrents/sam.png new file mode 100644 index 0000000..7c6addf Binary files /dev/null and b/p2ptorrents/sam.png differ diff --git a/passwordmanagement/0.png b/passwordmanagement/0.png new file mode 100644 index 0000000..f15cdf2 Binary files /dev/null and b/passwordmanagement/0.png differ diff --git a/passwordmanagement/1.png b/passwordmanagement/1.png new file mode 100644 index 0000000..7936db4 Binary files /dev/null and b/passwordmanagement/1.png differ diff --git a/passwordmanagement/2.png b/passwordmanagement/2.png new file mode 100644 index 0000000..31d84e3 Binary files /dev/null and b/passwordmanagement/2.png differ diff --git a/passwordmanagement/3.png b/passwordmanagement/3.png new file mode 100644 index 0000000..da1e448 Binary files /dev/null and b/passwordmanagement/3.png differ diff --git a/passwordmanagement/4.png b/passwordmanagement/4.png new file mode 100644 index 0000000..8d3c7bc Binary files /dev/null and b/passwordmanagement/4.png differ diff --git a/passwordmanagement/5.png b/passwordmanagement/5.png new file mode 100644 index 0000000..3e11602 Binary files /dev/null and b/passwordmanagement/5.png differ diff --git a/passwordmanagement/6.png b/passwordmanagement/6.png new file mode 100644 index 0000000..ebcc0ae Binary files /dev/null and b/passwordmanagement/6.png differ diff --git a/passwordmanagement/index.md b/passwordmanagement/index.md new file mode 100644 index 0000000..9f29be6 --- /dev/null +++ b/passwordmanagement/index.md @@ -0,0 +1,56 @@ +--- +author: nihilist +date: 2024-06-16 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/83" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Password Management 101 (How to use Keepass) + +![](1.png) + + + +## **What is password management, and Why use Keepass?** + +If you have seen my [Offensive Security](../../HTB/index.md) blog section, or the numerous news regarding massive companies being hacked, you should be aware that no matter where you choose to put your data out there, nowhere is truly safe. + +Now let's take the following example, Bob is being lazy (again), and he uses the same password for his laptop, all of his accounts online, and at some point he creates an account on "Spotify": + +![](2.png) + +So Bob has one password for everything he does online. **What happens when one of those services (ex: Spotify) gets hacked ?** + +![](3.png) + +First thing that happens, is that Bob's password gets leaked online publicly, his password may even end up in the popular password wordlists like in [seclists](https://github.com/danielmiessler/SecLists). + +This means, that a potential hacker may gain access in not only bob's spotify account, **but also in all of his other accounts** , since Bob used the same password everywhere. + +![](4.png) + +This could have been avoided if Bob had a different strong password for every service. That way, if one of those services got hacked, only one meaningless password would have been revealed. That is why Keepass is relevant here, because it will remember all of those passwords so that Bob doesn't have to. + +## **How to install KeepassXC** + +Bob can install KeepassXC using apt on debian: + + + nihilist@mainpc:~/Nextcloud/blog$ sudo apt install keepassxc + + nihilist@mainpc:~/Nextcloud/blog$ which keepassxc + /usr/bin/keepassxc + + nihilist@mainpc:~/Nextcloud/blog$ keepassxc + + + +![](../torbrowsing/8.png) ![](../torbrowsing/9.png) ![](../torbrowsing/10.png) ![](../torbrowsing/11.png) ![](../torbrowsing/12.png) + +That way, Bob can have a unique, strong password for every website he registers an account onto. If one of them gets hacked, the adversary won't gain access to every other account that Bob has. + +![](6.png) + +The only password reuse that there may be is only local to Bob's computer, where he uses a password to unlock his harddrive, and log onto his host OS, and open his keepass file. The rest of remote logins are now managed and remembered by Keepass. + +Next, Bob learns to use [PGP encryption](../pgp/index.md) using Gnupg. + diff --git a/pgp/0.png b/pgp/0.png new file mode 100644 index 0000000..723370b Binary files /dev/null and b/pgp/0.png differ diff --git a/pgp/1.png b/pgp/1.png new file mode 100644 index 0000000..6bb6bf8 Binary files /dev/null and b/pgp/1.png differ diff --git a/pgp/2.png b/pgp/2.png new file mode 100644 index 0000000..63a9fb0 Binary files /dev/null and b/pgp/2.png differ diff --git a/pgp/3.png b/pgp/3.png new file mode 100644 index 0000000..dc87c2c Binary files /dev/null and b/pgp/3.png differ diff --git a/pgp/index.md b/pgp/index.md new file mode 100644 index 0000000..f4b72cd --- /dev/null +++ b/pgp/index.md @@ -0,0 +1,419 @@ +--- +author: nihilist +date: 2022-12-05 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/85" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to use PGP encryption + +![](0.png) + +In this tutorial we're going to look at how to setup PGP keys, and use them to encrypt messages + + + +## **Initial Setup** + +### Analogy + +Bob wants to send a sensitive message to Alice. Bob intends to send his sensitive message to Alice through various means, for example on Teams, Discord or even on Wickr. However Bob knows that these service providers will never respect his privacy, they will always spy on Bob's conversation: + +![](1.png) + +Bob then decides that noone other than Alice will be able to decrypt his message. So, Bob decides to use PGP encryption, to be able to send a sensitive message to Alice **on any platform** he wishes, because he knows that only Alice will be able to decrypt it: + +![](2.png) + +Why should you even care about PGP ? Simple, you only want one person to be able to read your message, so you use PGP. You can use it when you do not trust the chat platform you are using, or the email provider, or any other form of communication with text. PGP gives you a simple way of encrypting your messages with others' public key, so that way you're sure that noone can read your messages. + +Let's begin by generating your first key: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --gen-key + gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Note: Use "gpg --full-generate-key" for a full featured key generation dialog. + + GnuPG needs to construct a user ID to identify your key. + + Real name: nihilist + Email address: nihilist@nowhere.moe + You selected this USER-ID: + "nihilist <****nihilist@nowhere.moe>" + + Change (N)ame, (E)mail, or (O)kay/(Q)uit? o + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + gpg: revocation certificate stored as '/home/nothing/.gnupg/openpgp-revocs.d/89C359E4110050AA5BDDEA3E0284FFC275D0931B.rev' + public and secret key created and signed. + + pub rsa3072 2022-12-05 [SC] [expires: 2024-12-04] + 89C359E4110050AA5BDDEA3E0284FFC275D0931B + uid nihilist <****nihilist@nowhere.moe> + sub rsa3072 2022-12-05 [E] [expires: 2024-12-04] + +Then we can list our keys like so: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --list-keys + /home/nothing/.gnupg/pubring.kbx + -------------------------------- + pub rsa3072 2022-12-05 [SC] [expires: 2024-12-04] + 89C359E4110050AA5BDDEA3E0284FFC275D0931B + uid [ultimate] nihilist <****nihilist@nowhere.moe> + sub rsa3072 2022-12-05 [E] [expires: 2024-12-04] + + + #to list the key fingerprint: + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --fingerprint nihilist@nowhere.moe + pub rsa3072 2022-12-05 [SC] [expires: 2024-12-04] + 89C3 59E4 1100 50AA 5BDD EA3E 0284 FFC2 75D0 931B + uid [ultimate] nihilist <****nihilist@nowhere.moe> + sub rsa3072 2022-12-05 [E] [expires: 2024-12-04] + +Now let's export our public key like so: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --output ~/nihilist.pubkey --armor --export nihilist@nowhere.moe + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → cat ~/nihilist.pubkey + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQGNBGOOO2gBDADj/R45nL64Sew/i7QQo8LlxRPbdDCkEiy4zxVq3ryDAyAqZsB9 + Nqd+LJxPOYQTbefWhKqgZgQIggJVtvfixmOfgzwvbIqAduAYL8MHh3sA0lYpBhLA + aJwRUicDzBJawJiEyd4GuddktfO3AhwKVlmI3bMtqdTn+px+vhCkz2L6r68Jf6LW + esJaql61+9t0zAQ83GROMEZv63ubvhnAr1SHfCVT0LxDZOjgBlyz6w90kSQMOjnT + dnFM/cK2iyuoynWghI3mlHHtkLmQP3bX2OMf1nwJjgRXK+xG/Sjv4qC5hlMAkQa4 + P03QVxFVFgD0s0EiGgHNlWq/hFZfVs3J9+yxtGIu6RRxuXogTb9Hqvi6bbFA1RIB + SdJOqbgR+7c9tFOhC/HlMhjr6gggEjfaXgW3EOHW8nuGoj5KuhY6XArUGFvo5RxQ + yRz6BrnBSsAuS+wowxYIb0NTLDVa0wX+V36Ltqc8ODIMxF2hWceZ+uQm9NbKS/mm + meqwqyfvF/3UO2sAEQEAAbQkbmloaWxpc3QgPG5paGlsaXN0QG5paGlsaXNtLm5l + dHdvcms+iQHUBBMBCAA+FiEEicNZ5BEAUKpb3eo+AoT/wnXQkxsFAmOOO2gCGwMF + CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQAoT/wnXQkxt28AwAnchT + 3+AK5/9+Osfx9KC8ob3XWU2vJ9n7kELTUPYk88jy4uSxkK2Ho9DGwlEWexAVM7YD + tqcJ3TBMrUTZiJQNZimZAglBOlBdDLGS3QqinqEccppF554kLY5Y/Tktf1h1rL46 + p9PPBdYZf4n4M0HCEWtzDc5SQbRnlMZq+qtEEpcJj9Eb8DGFPVHKVXfrInfPWr+A + MyVn/KZF79fAFLgDazNk2QBg2UAiW4gwJiOnb+nxFNcrGtY7b05zasC5f76s8nXc + qXVdg/QSM3BsCgXLssD4WxzZ1LiraZGJvtsI+H7EX/ih2B6DNJ7J80aIIjhOAeWt + g70rw8vG1x1KP3AKe11aqwbo+msF6/J8Fbl5vWgWWFIx0Sj+EUs43rVAQ++3sCpt + aE1bxgiX+zhtSujdqZUVCCfpKnSMy3js6WpRrpwezlwA4BIm2pHWymDqpGHq6iv1 + jpqPAV5zufk4xEOE4gO9YILn0HF8O7fibseFZ8AJsyzbSkpp7NTzSbEAMT4AuQGN + BGOOO2gBDADAQWC3kbaiJNyyuSeIuHLd1vYx9h5fU5qxhMg0U29y0ydRbaWzGl04 + E8s+oHD4EYtsbDHgBud+25Mizm9hmuuw/WkLvPvMOxCBgEunppJhFbOYefRgg4Yq + ufKIg8N0Vp0xx4o/yLDm+wxpc6rln2zhC7HK8pkaTyvJZtfQ5VoQgMcqsJ97hxwW + RxZgy0wVXfx+kAFKn8dG9jPzAMljIWC6QYzR4zgfAc9V3AIwePuA1BxWZ8fxwArY + CxBpZv+JCYS4JpEcAIfScfKNvF7mQEHVeqMjlvVtJRWTewYzCgjwZmGfOuAibiQV + ZwMttwuDJs2HMUMOUx2qDdFX85c9ucYL1BLNvpbL7lcppGwnw9wJCY8pOQPqKmpM + XMDuCn2h/QgWvqu3JP++rr0+55J2qMp7rKicOWhNNBT+gxs+hvSg5n6Or16XpzQu + HsDtz3P23vZwK1BVaWdp787BRXi8sIwqJhgeyzoEAlMvKN6l4RfjBLnOB1//TkjS + rghaSN+a51sAEQEAAYkBvAQYAQgAJhYhBInDWeQRAFCqW93qPgKE/8J10JMbBQJj + jjtoAhsMBQkDwmcAAAoJEAKE/8J10JMb2RAMAJftMsLskC02DxtboRXUwyOhcZz7 + 1toenEKo2xqa9dZ7XvSbrR5zsZ8mzJ0stj2tDZBqK7wFx+mL1+XownsAlL+YHn37 + MsxMXvW9EaGXAeRVSQ3SFU8uulHbYgeUXUqlCkdpSgvDYcnO/bgSubS30Noead6N + 0e0ysORO+tXPl1Hfx0Anje//y8ouKki94TP96NpRiL+J5yWrrqA+ZpCAYvMF5DpG + piOeAjYHyu2EIEyCc1VyTaAiolwUrukTaAXwySquYwUj6qOXElBprCvb/90nlEtH + +Rp4O2TIel4bPdegsBMO8H29r1ppxtYYM87uQHiSA7C5DjuAKLM4yLuMwUj+m1Wn + yh0JyQFCmjWuFaXNp0cTjWk7vwpeg6sKKfZ+Tn87uwkZAbOzA3Vfj0OqTmDxZHeA + AKsge1fp/a5jEYMXvGnZ64eX/2FYKfrOm/BIGqCkS+oTfmIaGqQOiAGlhUvdO+oY + 5DG7X8sJauKPjhhHELWVrghx6GRTgjX9SLcZRQ== + =B+QD + -----END PGP PUBLIC KEY BLOCK----- + + + +This can be put publicly on your website, so that users will be able to encrypt their messages before sending it to you. + +## **Encrypt/Decrypt messages** + +Now let's encrypt our messages with alice's public key after she generates her pgp keys: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --gen-key + gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Note: Use "gpg --full-generate-key" for a full featured key generation dialog. + + GnuPG needs to construct a user ID to identify your key. + + Real name: alice + Email address: alice@nowhere.com + You selected this USER-ID: + "alice <****alice@nowhere.com>" + + Change (N)ame, (E)mail, or (O)kay/(Q)uit? o + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + We need to generate a lot of random bytes. It is a good idea to perform + some other action (type on the keyboard, move the mouse, utilize the + disks) during the prime generation; this gives the random number + generator a better chance to gain enough entropy. + gpg: revocation certificate stored as '/home/nothing/.gnupg/openpgp-revocs.d/2A4ACCAC38F55DEE59EA38CBCA761853B6A47483.rev' + public and secret key created and signed. + + pub rsa3072 2022-12-05 [SC] [expires: 2024-12-04] + 2A4ACCAC38F55DEE59EA38CBCA761853B6A47483 + uid alice <****alice@nowhere.com> + sub rsa3072 2022-12-05 [E] [expires: 2024-12-04] + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --output ~/alice.pubkey --armor --export alice@nowhere.com + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → cat ~/alice.pubkey + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQGNBGOOPtABDAC2i7v3qZFdhxnyGOcDlOSoJGijMKW45YgrxGKwvi80m8x76yOE + CsNiVPsZB+DNWzbKtzZqqzOB2dJPQlEtvivd5Sg9Qn35D24kkb17k1WsIRZX8ZtW + GPZKckIrjHNjeTnOMN14Fa6qr6jXtIgXKewGGh1w4Vv8CDfquTmuvQ462k05i2cQ + m0oIPCG5nuOQvFg3nLJF9ZAKspXcZ/FzowBUbQFpCfFmYsDEBWpUSEGZvzTV/t2L + Hp1AqxTze8DU1ll0rH7TxMnXNVG+gSRkloJfUxp6GCKKjiTmXiQxLQesbb2lcPON + EY5tcoSuntV7tLvz6Fcfqs71aEQLZ7lr6l546GARBJ+gnKTMro7RZd+mc4ICncGg + wZQ/k5I5XU7fdZUNFZWI4vP502fWJOF0XM16mNLs4kTKCfg1XFtBjC0t0MZWoE2x + AtvpGZyC6jWrDeH7m2Bg9guOvNWOl5HkH9ak6zR3NpNotyOpVgcVe1mSCLdK/Ewm + uI9dKWDyFI7B3C0AEQEAAbQZYWxpY2UgPGFsaWNlQG5vd2hlcmUuY29tPokB1AQT + AQgAPhYhBCpKzKw49V3uWeo4y8p2GFO2pHSDBQJjjj7QAhsDBQkDwmcABQsJCAcC + BhUKCQgLAgQWAgMBAh4BAheAAAoJEMp2GFO2pHSDzsoMAJCn3B+tB6h9IhUubGSt + c8A7C3E2dEgzXKAcQs3qSvRpjJys6csAVdbsdJ8aGYIxT9u3ta4c7Xtq0CkJLkB4 + sqpNMb9r6wHt/Q08EGR0fAVzZ/FspiLeROQZRmFEUJRbKj9og9b0zSH5+dA5Adv2 + oIakqUeRIK2VeELQkQE+SnzMfiI2IQ55MdsCKG1UwN35E+x/st8tfzrhv24SM63x + sg5fQ1XWuPY6xOD1+DEkKCyPJlKSj6s2R1MFWp5aSH+29tp0ScGAypY7XnQ5kbyW + p99BWyTqub4FZw6P4VEJGFep2AabTHAzJrRrQ7kdzSWABUsfrmXfjeAk16AnuACa + 4sDow1cpW85XTm7W+dE4RV2y7WMuvSAaZfHv9iJwDYgc99t0HdrlNmEnNX4j82ET + TOD9V1WrbwPtacl9Iojv5MR+hVIlvVD1WEziJiChflJjqRWjZVo+C6xoAS5GojQv + PX2nBOtzSqyjlTBzFwKw/Och+7JYXDvmUmlmaE8pBXFw+LkBjQRjjj7QAQwA6Kuy + 0rDgRSLKl5WRa6kr9xZ2UBvuDN+RHqXXWFBM6xKox4Q88/AGR2wcsjkKOJ0fpNX9 + ISOexORtWO10WcK+KsTAZjLSBzUJhTok8o2sKGACWPZLW4ZoqJtMq24wAW7YBwNG + WWuFW8shdu/oxQ/UuaLPqR/b9YJmry9c/WR72kC3USwoZS8he8lEl550DzQsa+If + lODLAvk5mXfPsxTpvfT+gJvBz+50FWPz1LVOWBQiwcK6dJdKvux3bp30GhvOCR7K + R6U3ZP37idNc8wtg7cybJhKh01HB/Na7dnLEQAE9pqKFzm6aYwwsnD8Q7Co0LNrv + J9YsTZ68onpF7Yb5Ndlmi/h/sOIB3J4yhfaX4JiwBzltiyhXwaRtBG8I9+DRr/1c + Gkga08WfTFvNGjajf52nCJqxtJeb7Mjyr6w9MKBSq+/+yKb4yJSjTXryKfLS5S4l + Mb23Wss9cucDe6XCncUo8ukJakAUdLJsnoxj10J6Nk9EPIJFi3bLmv40aeRjABEB + AAGJAbwEGAEIACYWIQQqSsysOPVd7lnqOMvKdhhTtqR0gwUCY44+0AIbDAUJA8Jn + AAAKCRDKdhhTtqR0gyigC/9XSrbStJlQQWg3cq+XFokGv+fP0Bl3y+wVNzyL2Twc + R70g/NqS2q5Ztd9bq5SleYn94n2tc5zULnuc5TUeVF303goFxsFQcjVQpe+vw6BA + IcL+VdAvu4UQRVBCzUeW6Jd5n1oemIsyhdET40PRT5UTOwpdpoQQRvdHs2XCGR1q + FMkbyxDg444lUzYD1l655yhwN9b7YHWA6Eih5tyIeBxZDXA586M8TGrCfzC67g0f + bkp/pmA5xH7nxMHAR+A9sC/r1RW41qZ9Or6Wbqyrbyt7Whknoz0sCfm41MEUSkeF + lS4EdjbGtEFzbpZGCs3FwH0kQdHl0nczyYnblBpmNccq5aPC6xhOj1FiBktoaqD0 + J0f4srQ8RZpPaRJo6ZD1JzSyKDLtQ/oZES741Fgi2UAfxBXslRktq/0J5ehJww3Q + YWu3a5PAJWX6wkutFKp4eswvBr8na53CX4w2DF3hizl5w2+hff9gk8Qvrq77D3ht + CdIDJHjajZtj14jc+uBRMMc= + =up53 + -----END PGP PUBLIC KEY BLOCK----- + +So let's first import alice's public key like so: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --import alice.pubkey + gpg: key CA761853B6A47483: "alice " not changed + gpg: Total number processed: 1 + gpg: unchanged: 1 + + + +In order to make sure this is alice's public key, check the fingerprint of it: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --fingerprint alice@nowhere.com + pub rsa3072 2022-12-05 [SC] [expires: 2024-12-04] + 2A4A CCAC 38F5 5DEE 59EA 38CB CA76 1853 B6A4 7483 + uid [ultimate] alice <****alice@nowhere.com> + sub rsa3072 2022-12-05 [E] [expires: 2024-12-04] + +Once you're sure that it is alice's public key, you can "sign it", which basically means that you trust that key: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --sign-key alice@nowhere.com + + sec rsa3072/CA761853B6A47483 + created: 2022-12-05 expires: 2024-12-04 usage: SC + trust: ultimate validity: ultimate + ssb rsa3072/7A75B89E1AA090CF + created: 2022-12-05 expires: 2024-12-04 usage: E + [ultimate] (1). alice + + + sec rsa3072/CA761853B6A47483 + created: 2022-12-05 expires: 2024-12-04 usage: SC + trust: ultimate validity: ultimate + Primary key fingerprint: 2A4A CCAC 38F5 5DEE 59EA 38CB CA76 1853 B6A4 7483 + + alice + + This key is due to expire on 2024-12-04. + Are you sure that you want to sign this key with your + key "nihilist " + + Really sign? (y/N) y + + + +From there we can encrypt our message.txt: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → vim message.txt + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → cat message.txt + this is my very secret message ! + + + +Before encrypting it, we can also sign it, although it is optional. There are 3 ways to sign the message: + + + Create binary or ASCII-armored detached signature from input + --detach-sign + + Wrap input in plaintext signature + --clearsign + + Encode input into binary or ASCII-armored output with an integrated signature + --sign + + + +To sign the message while also remaining in plaintext, we use the second option --clearsign (also, if you have multiple private keys like me, choose it with the -u flag to specify who is sending the message): + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg -u nihilist@contact.nowhere.moe --clearsign message.txt + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → cat message.txt.asc + -----BEGIN PGP SIGNED MESSAGE----- + Hash: SHA256 + + this is my very secret message ! + -----BEGIN PGP SIGNATURE----- + + iQHOBAEBCAA4FiEEicNZ5BEAUKpb3eo+AoT/wnXQkxsFAmOOR1waHG5paGlsaXN0 + QG5paGlsaXNtLm5ldHdvcmsACgkQAoT/wnXQkxubCwwAgxB2JIFz/vSewL0ScF1i + K307GR4mNIyMy3VRgtuVdONau4X8p68tRS+wqoVRFB8GDLXTkzJsaULwghm8RQaV + x0NOx60kgmXckP00uQM+ySDRqpHoVb5HYRqPrbOhJ6L1AFnexyhuhclvQoS4Zm0e + PkvcMFaWOevQnbS8Vh2fVby4fsq5YdzSig4mu6KjQeR+Gu29xkAJp+lgMT1Ia0pL + DVZaUw+AVHyaeQzdokdw0eoU01gl+dzPyaPamAGTbqI5Z7+DMOMgtgC9cpPP+26F + jTpmq7fFxQ3fpAbEIlcahZzNBSyd1QGu6uKs/V4hqx4Fj7qg4puq+raxgg0JlyEZ + greVnUYBONlTTIDgIKqI8D5iFhW6cCHQzXvYjLqCCuY35ZHP0TRkSycZaNjO1/4/ + EaNNvLm/uzi3+HhvPW57a9+bcGiVvTLhhje8sVUxioDd36DA4fYkd8BqBNkYvjRa + e/D6QxqcdeK/RM0tUdlEsypp0KV3musGbyrYRhycEQPF + =GuJm + -----END PGP SIGNATURE----- + + + +The signed message is saved as "message.txt**.asc** ", now let's encrypt it using alice's public key, and also don't forget to encrypt it with the private key you want with the -u flag again: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg --encrypt --sign --armor -u nihilist@contact.nowhere.moe -r alice@nowhere.com message.txt.asc + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → ls -lash | grep message + 4.0K -rw-r--r-- 1 nothing nothing 33 Dec 5 19:03 message.txt + 4.0K -rw-r--r-- 1 nothing nothing 741 Dec 5 19:13 message.txt.asc + 4.0K -rw-r--r-- 1 nothing nothing 2.2K Dec 5 19:14 message.txt.asc.asc + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → cat message.txt.asc.asc + -----BEGIN PGP MESSAGE----- + + hQGMA3p1uJ4aoJDPAQwAmziBMlZIwlbmvLlVuBiux76xliI2CVthnlHRZGPwghgY + yBPCOHpfZUX3M44vO9/ONVurA8/u5vgxwDZZxCOfYUHiJbI2iW6+Pmp/opF0fKa9 + gsArICw2YwyJ3uH+AmpYQ9mlDXs1MFFfUuV/4uIh0QFJshuGNHl5ahdLd7AlyrW2 + U63BibwpqTqZLH/4rsbKtZ4isJPL4ZcHhymSdel+fy+N5wy11HZt8QJrwyUUbWHB + jHbwgDJ2HKP6Yvf0etiMWEeEyjnsjQVdPI7CqO4l12k7+s78dde9RCN1I/R53Jiy + HUO2Wd6m68REIL3S6o0jwWxeQZMyW9PAMIArKWPWYUCkR9uxC1yKoiu/sYv7zf1Y + TtwAMExTfzyCogD0TvVcahSgbBUjLfHpe7MFLrSKugpb8pgMszBxVrvnKbYbVVRc + x090o+pE0TCAf+s4IOUtnzYZjesvYkW16psKS7O1ZWbF6LGyDm92en6I377drEoc + x4WytIkoDtV+L3qHP6wA0uoBp8aieGsvyHmgQvVbXgbYQE2Z3yDoCWuJGAy0MRpK + xg/zz8vwsr1QEIxutT3T9MqO9d/zXxi8S8B4lIxoiI3HcHff8pnn3B1ok1Yl+tCz + 5ns0kBWPLobMta5J5QdxEJDqJTBLna9Npk08YkNXIVgU8Kd+EkvrYH8jrKJLDyis + FfvRGZwTeWto6t4q4W4z/hEzSwXmuTICYKkThc17Hs5LX5WwMPo4W/LaB4VidOi7 + I7wXkFEgw/l/lFk3MAq8eq1ZKCZ/adsxlOy+xsT8WM7va7l+gtyT4EU5JcAklLgh + 8m+R6rqdc34eCnKjtilhZ8jSsiij/hXzeSYs1uNCRcHylRJ57hLiQWwqlFCenBBT + Zjj4uY09RkXXn2LCCMdIrhpF9oLV+vDep9PD61qMqacGnOSYAI7jPHRqlxMe6GWu + h/Elip+h8Cujek5rUa0y8z+vdeGBaEoz27QV8PsuEw9JeXkcwCwm5rt165bvG5Fq + 2RHV7/glS42JLKmb1ru1dxZ2gYUDomghkWNTm1ycPS3mR2BIKBieEmgpdm8Gn4hL + UDrBQYLBdlJ0XQOb5tp4V/hHHx2Z9FpEAWz6U2uRBHf7b7EmJH0x0o95E4CpgX6k + +Gcx6CkNrpdMfyaL7sFUV58tyQzpfffRHFvZ3Q3waMRFwhd6rCzFVTrsdHyIMrJH + gD7Qrn69sy38KK0ndUuSzuY9oTMPp7Suze8bKjQ3IRC9/vuzoGYpJT0lYaVcAu5I + yNWOGI2i2VreDQoUXTS76AosuznyATpTgpgj5dBb4/2myhBvYYNC5dvHBlTECaCI + wa8MTuv8yhGlXhG2dxgQrNzM3SVw3w9ESD4oynvhjVEiHYCq4zRfXEeAwNJUYVjA + uS0ZESLdVKTabqofkL50w2M7RmMeV131DRLnW+5DogsCHVw9x2wWSF00u0ruS2CF + GNSg3MdNMEPopP43MoL6eZ2kIayvg2QW0Lgu6jcWjDg5Xwt/X605u6le4R7rq1O1 + xP8QItSAapu1pKQ3lP/t/FUeA+PEtOSlRtPQLg+k4lgyM9/sev8wT3JhqtLne7w3 + 4Qb8boNeXSQqT/+ZJmi4blOK8gGe0XPoYJmwiuCiRzDCbzHEgMl8b31uTbTjj261 + b8DqU+WmJo2bzDfFmbOiDDhJ/Fd+Bv71wFeCZyCKvhWnpN5vu/WJudP/jRQOoWq4 + B01LYEfmH2iQcT2My8bmiy7hUDPX82sApkDgSGn5DGwKo+MIcQ0lAMqfUbh9JMzl + P3PQ9m8AU3nJxm8ONeujONlpNGJl2T0TA6XDIB8OxYPkR37oCUlK8LXv4Kg0sN40 + +hpc+7J8Mxuxd9KlneyWlSvf7zlBc0B7bOCGGwMlkg+zwBJmsUBWE+PfMeZscWGx + JbvFxIkku+4mY/Z1ENdTwdwvW5ffW71V2PLK54iX3fMrP0TEUtv4kXmTYS5HbwNs + CXvia2UNZAre/1ZpqsMoHmXxYduddawIYc61jDZyWAq/C2XTOyqyseiwFgPqVNnc + E5SMO6iUHZ89Eb+bWmRhSUeFhytKXcmDkNaoK/IZ9GnaEX0XVfk/Ge8VWx9prtLs + a2G4PbtX3KEPCYjqS2N2HDPUEqGVgGVdSqeya2J/SeoEcdpOqTIJu+KT+iDyeIGM + B8xjrEs= + =kY62 + -----END PGP MESSAGE----- + + + +The encrypted message is created as "message.txt.asc**.asc** ", so now we can send it to alice anywhere (teams, gmail, outlook, protonmail), wherever you want, **because only alice will be able to decode the message.** Once alice retrieves the message.txt.asc.asc she can decrypt it like so: + + + [ 10.8.0.3/24 ] [ nowhere ] [~] + → gpg -d message.txt.asc.asc + gpg: encrypted with 3072-bit RSA key, ID 7A75B89E1AA090CF, created 2022-12-05 + "alice <****alice@nowhere.com>" + -----BEGIN PGP SIGNED MESSAGE----- + Hash: SHA256 + + this is my very secret message ! + -----BEGIN PGP SIGNATURE----- + + iQHOBAEBCAA4FiEEicNZ5BEAUKpb3eo+AoT/wnXQkxsFAmOOR1waHG5paGlsaXN0 + QG5paGlsaXNtLm5ldHdvcmsACgkQAoT/wnXQkxubCwwAgxB2JIFz/vSewL0ScF1i + K307GR4mNIyMy3VRgtuVdONau4X8p68tRS+wqoVRFB8GDLXTkzJsaULwghm8RQaV + x0NOx60kgmXckP00uQM+ySDRqpHoVb5HYRqPrbOhJ6L1AFnexyhuhclvQoS4Zm0e + PkvcMFaWOevQnbS8Vh2fVby4fsq5YdzSig4mu6KjQeR+Gu29xkAJp+lgMT1Ia0pL + DVZaUw+AVHyaeQzdokdw0eoU01gl+dzPyaPamAGTbqI5Z7+DMOMgtgC9cpPP+26F + jTpmq7fFxQ3fpAbEIlcahZzNBSyd1QGu6uKs/V4hqx4Fj7qg4puq+raxgg0JlyEZ + greVnUYBONlTTIDgIKqI8D5iFhW6cCHQzXvYjLqCCuY35ZHP0TRkSycZaNjO1/4/ + EaNNvLm/uzi3+HhvPW57a9+bcGiVvTLhhje8sVUxioDd36DA4fYkd8BqBNkYvjRa + e/D6QxqcdeK/RM0tUdlEsypp0KV3musGbyrYRhycEQPF + =GuJm + -----END PGP SIGNATURE----- + gpg: Signature made Mon 05 Dec 2022 07:34:36 PM UTC + gpg: using RSA key 89C359E4110050AA5BDDEA3E0284FFC275D0931B + gpg: issuer "nihilist@nowhere.moe" + gpg: Good signature from "nihilist <****nihilist@nowhere.moe>" [ultimate] + +Once decrypted, she can see that the message has our PGP signature. + +![](3.png) + +And that's it! That covers the basics of how to use PGP + diff --git a/pgpcanary/0.png b/pgpcanary/0.png new file mode 100644 index 0000000..b20091f Binary files /dev/null and b/pgpcanary/0.png differ diff --git a/pgpcanary/1.png b/pgpcanary/1.png new file mode 100644 index 0000000..555debd Binary files /dev/null and b/pgpcanary/1.png differ diff --git a/pgpcanary/2.png b/pgpcanary/2.png new file mode 100644 index 0000000..718a3ef Binary files /dev/null and b/pgpcanary/2.png differ diff --git a/pgpcanary/3.png b/pgpcanary/3.png new file mode 100644 index 0000000..0992445 Binary files /dev/null and b/pgpcanary/3.png differ diff --git a/pgpcanary/4.png b/pgpcanary/4.png new file mode 100644 index 0000000..0d7ada9 Binary files /dev/null and b/pgpcanary/4.png differ diff --git a/pgpcanary/5.png b/pgpcanary/5.png new file mode 100644 index 0000000..9c88a15 Binary files /dev/null and b/pgpcanary/5.png differ diff --git a/pgpcanary/index.md b/pgpcanary/index.md new file mode 100644 index 0000000..fe164f6 --- /dev/null +++ b/pgpcanary/index.md @@ -0,0 +1,168 @@ +--- +author: XMRonly +date: 2025-04-10 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/179" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# How to Verify One's Identity While Maintaining Anonymity Using PGP Canaries + +![](0.png) + + + +## **Introduction** + + + + + +When dealing with strangers on the internet you may not always want to reveal your real identity. Practising good OPSEC and maintaining your online anonymity can therefore be paramount in certain situations. But in an arena where anyone can be anonymous, how can you be sure people are truly who they claim to be and that you're talking to the same person across different situations? That is where Pretty Good Privacy (PGP), an encryption program that provides cryptographic privacy and authentication comes in to verify one's identity without actually revealing it. In this tutorial, we will build upon the PGP concepts [previously covered](../pgp/index.md), and expand these concepts to verifying not just messages, but entire personas and even control over infrastructure in hostile environments. + +## **Verifying Identity** + +Bob has been busy working on his onion site. After putting the finishing touches on it, he has started trying to get the word out. Bob has been messaging a few people using various identities on SimpleX, and it's finally starting to pick up traction. However, when Alice received a message from Bob, she was a little skeptical. + +![](1.png) + +Having learned the basics of PGP from the [previous tutorial](../pgp/index.md), Alice imports Bob's public key from an independent source (his site) then proceeds to verify if indeed Bob is who he says he is. In this case, the signature checks out and Alice can see the message contents confirming the onion site link. + +![](2.png) + +Having confirmed Bob is who he says he is, Alice goes on to peruse Bob's [onion site](http://bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion/). + +![](3.png) + +What Alice finds turns out to be pretty interesting. She decides to ask Bob for more details. + +![](4.png) + +## **The Onion Mirror Guidelines (OMG)** + +When starting his onion site, Bob decided to employ the **Onion Mirror Guidelines (OMG)** in order to validate his site and establish its credibility. The OMG Standard was initially defined by dark.fail as a way for admins to show a commitment to user safety by proving ownership of all URLs associated with their site, and by committing to regularly proving control of their PGP key. The full documentation can be found [here](http://darkfailenbsdla5mal2mxn2uz66od5vtzd5qozslagrfzachha3f3id.onion/spec/omg.txt). Let's break it down. + +The OMG Standard outlines 3 crucial pieces of information, written as text files, that must be present on all .onion URLs. + + + /pgp.txt - Required - HTTP 200 text/plain + - A list of all PGP public keys allowed to announce your official mirrors. + - May contain multiple PGP keys. + - All keys must be ASCII armored. + - Do not list a key here unless it is trusted to sign official .onion URLs. + - Example: http://darkfailllnkf4vf.onion/pgp.txt + + +The first, and perhaps most obvious, piece of information required is the actual PGP key(s) used to verify the site admin's identity. This must be placed at **/pgp.txt** , be ASCII armored, and be designated as official key used to sign .onion URLs. No other keys are allowed. View an example of this on Bob's onion site [here](http://bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion/pgp.txt). + + + /mirrors.txt - Required - HTTP 200 text/plain + - PGP SIGNED list of all official mirrors of your site. + - Mirrors must be signed by a PGP key which is in /pgp.txt hosted at all of your URLs. + - Any line in this file which begins with “http://“ or “https://“ + is an official mirror of your site. + - Mirrors must all host the same content. No related forums, no link lists. + Place forums, other sites in /related.txt instead. + - All valid mirrors must only contain a scheme and domain name, no + ports or paths. + - /pgp.txt and /mirrors.txt must have the same content on all of your URLs. + - Text which is not intended to be parsed as an official mirror must + be commented out with a “#” as the first character on the line. + - Example: http://darkfailllnkf4vf.onion/mirrors.txt + + +Now that a PGP key has been declared, it's time to actually use it for something. The second piece of information required is a PGP signed list of all mirrors associated with the site. Similar to before, this message must be placed at **/mirrors.txt** , be clearsigned and be designated as official URLs associated with your site. All mirrors must display the same content (hence the term "mirrors") and not include any additional related content (more on that later). View an example of this on Bob's onion site [here](http://bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion/mirrors.txt). + + + /canary.txt - Required - HTTP 200 text/plain + - PGP SIGNED message MUST be updated every 14 days. + - Can be signed by any key specified in /pgp.txt + - The message must contain the latest Bitcoin block hash and the current + date in YYYY-MM-DD format, with string “I am in control of my PGP key.” + and must also include the string "I will update this canary within 14 days." + - If you cannot do this you should not be running a darknet market. + - Example: http://darkfailllnkf4vf.onion/canary.txt + + +The last, and perhaps most important, piece of information is the PGP signed canary. This canary must be manually updated on a fixed interval in order to prove that the admins are still alive, free and in control of their keys and infrastructure. This canary must be placed at **/canary.txt** , be clearsigned and have the latest ̶B̶i̶t̶c̶o̶i̶n̶ Monero block hash in order to independently and verifiably provide the date at which the canary was generated. View an example of this on Bob's onion site [here](http://bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion/canary.txt). + + + /related.txt - Optional - HTTP 200 text/plain + - PGP SIGNED list of all .onion sites related to your site. + - This is where you list forums, link lists, related services. + - Follow the same rules as /mirrors.txt + + +An optional extra piece of information is a link to services adjacent to your main website. Located at **/related.txt** , these can be auxiliary services such as forums, lists, etc. This should be PGP clearsigned the same as the official /mirrors tab. + +## **PGP Canaries** + +Now that Bob is familiar with the requirements for PGP Canaries, he sets out to actually write one. Using Nihilist's [script](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/Datura-Network/src/branch/main/0-Transparency/gen-report.sh) as a starting template, Bob gets to work making a few modifications to suit his individual needs. + +First bob will run **vim gen-canary.sh** to create the script. +HINT: It's **ESC :wq** to write changes and quit the file. + + + #!/bin/bash + + # obtain the latest monero block height + height=$(curl -s https://localmonero.co/blocks/api/get_stats | sed -E 's/.*"height":([0-9]+),.*/\1/') + + # use the latest monero block height to obtain its hash + hash=$(curl -s https://localmonero.co/blocks/api/get_block_header/{$height} | sed -E 's/.*"hash":"([^"]+)".*/\1/') + + # custom message + read -p "Enter custom message (latest news of the month, how things are now, and where we're going):" custom_msg + + # populate of all the canary requirements + ######-----BEGIN PGP SIGNED MESSAGE----- + echo "I, bob, am alive and free as of $(date --iso-8601), and am in full control of my site and all other services related to my network." >> /tmp/report.txt + echo "" >> /tmp/report.txt + echo "The next canary will be updated on $(date -d "+14 days" --iso-8601)." >> /tmp/report.txt + echo "" >> /tmp/report.txt + echo "The latest Monero block hash is:" >> /tmp/report.txt + echo "$hash" >> /tmp/report.txt + echo "" >> /tmp/report.txt + echo $custom_msg >> /tmp/report.txt + echo "" >> /tmp/report.txt + + # gpg sign the canary + gpg -u bob --clearsign /tmp/report.txt + cp /tmp/report.txt.asc ./canary.txt + + # now upload the canary + + +Running the script using **sh gen-canary.sh** , Bob is able to easily and reproducibly generate a PGP canary for his site. + +![](5.png) + +Finally, Bob uploads the newly generated canary to his onion site. + +## **Verifying a PGP Canary** + +A nice, neat, official-looking PGP canary should not be taken at face value as Alice knows. She must verify it for herself. + + + alice@debian:~$ torsocks wget http://bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion/canary.txt + --2025-04-11 19:47:57-- http://bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion/canary.txt + Resolving bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion (bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion)... 127.42.42.0 + Connecting to bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion (bob2bujqeou2ws7sb64jksqajrmznobuo7c7uag5cmfo5frb5l2inqid.onion)|127.42.42.0|:80... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1204 (1.2K) [text/plain] + Saving to: \u2018canary.txt\u2019 + + canary.txt 100%[================================================================>] 1.18K --.-KB/s in 0s + + 2025-04-11 19:48:00 (23.6 MB/s) - \u2018canary.txt\u2019 saved [1204/1204] + + alice@debian:~$ gpg --verify canary.txt + gpg: Signature made Fri 11 Apr 2025 05:50:29 PM EDT + gpg: using RSA key 6BE7DAE7C18B68E371ABACFF4207F207857508B6 + gpg: issuer "bob@bob.com" + gpg: Good signature from "bob bob " [unknown] + gpg: WARNING: This key is not certified with a trusted signature! + gpg: There is no indication that the signature belongs to the owner. + Primary key fingerprint: 6BE7 DAE7 C18B 68E3 71AB ACFF 4207 F207 8575 08B6 + + +Just like she verified his message and persona before, Alice now verified Bob's control of his website and infrastructure all without even knowing who Bob is! + diff --git a/phonenumbers/1.png b/phonenumbers/1.png new file mode 100644 index 0000000..7941fee Binary files /dev/null and b/phonenumbers/1.png differ diff --git a/phonenumbers/faraday.png b/phonenumbers/faraday.png new file mode 100644 index 0000000..4bac409 Binary files /dev/null and b/phonenumbers/faraday.png differ diff --git a/phonenumbers/index.md b/phonenumbers/index.md new file mode 100644 index 0000000..64e8c86 --- /dev/null +++ b/phonenumbers/index.md @@ -0,0 +1,128 @@ +--- +author: user@Whonix +date: 2024-05-26 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/14" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Phone Numbers are incompatible with Anonymity + + + +## **Sim Cards: the Deanonymization Tool** + +A Simcard is what you need to put into your smartphone in order to have a phone number. These simcards, once inserted into your smartphone are always communicating their geographical position to the nearest mobile carrier antennas. **Meaning the mobile carriers knows where your simcard is, at all times** , and they know where this simcard has been ever since it got inserted into your phone. + +Now, it is possible for you to purchase a sim card (or e-SIM) anonymously using for example this service [here](https://kycnot.me/service/silent.link), but the fact remains the same, that once the simcard is active into your smartphone, **there is a permanent record of where that simcard has ever been** and there is nothing you can do about it. + +Naturally, law enforcement agencies LOVE to keep their hands on this data. They use it all the time. For example, **all it takes for LE to figure out who has been in a public protest is to record the protesters up close, while keeping track of the current time.** Then, if any of the protesters did anything illegal out there, **they can know who did the act by simply looking at which simcards were at the exact same time, at the exact same place.** + +As we discussed [previously](../governments/index.md) for the law to be respected, it needs to be enforced. And to be enforced, the authorities need to know: + + 1. ![](../su2.png)What happened ? (lack of Privacy) + + 2. ![](../on2.png)Who did it ? (lack of Anonymity) + + + + +That's why protesters make the conscious choice to not go out to protest with their phones in their pockets, as they can get deanonymized very easily while wearing them. + +Because Simcards are actively used by Law Enforcement to know what is the location of a particular phone number is [using tools like StingRay II](https://iv.nowhere.moe/embed/wzSgLpNrr2E), but not only them, **every cellular provider also knows the location (up until present moment) of every phone number,[thanks to cellular triangulation](https://4n6.com/cell-phone-triangulation/).** + +## **You cannot have an anonymous Phone at home.** + +Let's suppose the following scenario: + + 1. You bought an old phone (let's say a google pixel) anonymously using Monero, without going on a Centralised marketplace, Peer to Peer. + + 2. You wiped that google pixel OS to install an open source host OS such as [GrapheneOS](https://grapheneos.org/) + + 3. you made sure that phone never connected to the internet since you got it, and never used a simcard either. + + 4. You then purchase an e-SIM card anonymously from a non-KYC service such as silent.link, using monero, and you activate it inside the phone. + + + + +Great, you now think that you obtained an anonymous phone number right ? Did you just forget that **there is a permanent record of where that simcard and phone number is, at all times ?** And did you forget that this record of where your simcard is, is always consulted by LE at all times ? + +Where do you plan to use that simcard ? At your own house ? **The moment that simcard (and phone number) becomes active, LE knows that the simcard associated with that phone number is located your own house.** And then you take it with you to go to work ? If you are seen going anywhere at anytime, and LE looks at where the simcard went, **they can easily correlate that you are the owner of that simcard.** + +Make no mistake with cellular tower triangulation they can pinpoint the location of a cellphone down to a few meters of precision, so it is preety accurate. Let's see what that looks like by taking Bob's phone location over the course of one day: + +![](normal_map.png) If you keep your phone on, then an adversary with your phone number and the required level of access can pinpoint your location over time simply by asking the phone provider for your data, without you being aware of it. + + + + +## **But what if I use a burner phone I keep in a faraday bag when not in use?** + +![](faraday.png) + +You might think that having stringent SOPS (standard operating procedures) around the use of burner phones in your organization could solve this problem. It does help as this map shows, but it's not enough. An adversary investigating your activities will have access to a lot of data and they will be able to use tools such as PostGIS to query their datasets in order to infer relible position information from scattered datapoints. + + + +### **The Protest** + +On the last day of december 2024, protest happened in Los Angeles. This event will be referred to as the **the Protest**. + + +#### _From your point of view_ + +Using burner phones and cash payments, you rented a car under a false identity with Alice and Bob, both members of your organizations. You have strong OPSEC, you don't know each other's names or faces and keep your burner phones off and in faraday bags when not in use. You took this car to a specific place at a specific time in order to acomplish a goal that goes contrary to the policies and aims of a strong adversary. Your adversary has access to phone data and no meaningful budget limitations, they aim to identify you, physically locate you and then follow their policies. + +#### _From the adversary's point of view_ + +_Starting information:_ + + * They have identified where the car was rented from + * They have identified one suspect: Alice who was caught on camera being careless with their cap while renting the car + * They have identified one other potential suspect of the three-persons team, a known associate of Alice, Bob + * They need to identify you, the third member + + + +#### _What happened_ + +Luckily, your OPSEC was flawless. Shades, cap, tradecraft, you have managed to stay under the radar. They know you exist from a blurry trafic cam picture but that's all. You did use your burner phone only when required. + +_What will the adversary do?_ + + * Create a set of suspect sim cards based on spatial coordinates and timestamps: was this sim card in the same place and at the same time as Alice or Bob? + * Refine this set by correlating it with other spatial coordinates and timestamps: when the car was rented, when the protest took place + * Look for behaviourial anomalies: a sim card popping up in one place, disappearing for days and then reappearing later + +They can quickly reduce their suspect pool from hundreds of thousands of people to a dozen using this method (see the concept of [Anonymity Odds](../anonymityexplained/index.md)). **If you were to make the mistake of reusing the same SIM card for another operation (such as simply taking out the phone while being at your own house)** after the protest you will have dramatically increased your chances of being identified by the adversary. + + +As shown on the above map, **once a Sim card goes on, even if the phone is later shut off it will still leave a data trail**. + +**With each datapoint, an adversary will be able to reduce the pool of potential suspects** until they have enough certainty to start using active measures. + +## **The only way to have an anonymous phone number, is remotely** + +If you have a simcard next to you, no matter how anonymous you managed to get it, **the moment you start to use it, you are deanonymized** + +![](1.png) + +So the only way to be able to use a phone number anonymously, is to use a remote service provider, that allows you to use a phone number, anonymously (allows tor connections, and monero payments), and even then, don't expect to get privacy going that route. Examples of such services: [Crypton](https://kycnot.me/service/crypton) or [Smspool](https://kycnot.me/service/smspool). (see the full list [here](https://kycnot.me/?t=service&q=sms&xmr=on)) + +## **If a service requires your phone number, they are against your Anonymity** + +If a chat service requires you to enter your phone number, it means they categorically refuse that you can use their service anonymously. Moreover, **it means that they want to be able to inform the authorities of your actions** , and rest assured that **LE will pay big money for that sensitive info they may have of your actions.** + +Yes, you heard me correctly. **If a service asks for your phone number, they are anti-anonymity by design**. This means that you can already stop using the following services: + + + Signal, is a centralised service that requires a phone number upon signup[[1]](https://github.com/signalapp/Signal-iOS/issues/194)[[2]](https://github.com/signalapp/Signal-Android/issues/1085), see also [[3]](https://bencrypted.gitlab.io/post/8/) [[4]](https://digital-justice.com/articles/skip-signal.html) + Telegram, is a centralised service that [also requires a phone number upon signup](https://www.geeksforgeeks.org/how-to-create-account-on-telegram/), on top of being forced to comply to EU demands as of 2024. + + + +When you take into consideration how phone numbers harm your Anonymity as i listed above, **Nothing can can possibly justify requiring a phone number upon sign up.** + +The only reason for such a requirement, is that **the service takes bribes from LE, for successfully lying that their users are safe.** Make no mistake, the bigger the service, the more lucrative it is! + +Now if you want to be able to communicate anonymously with someone online, use [SimpleX](https://simplex.chat), and tell them to use it too with [this tutorial](../anonsimplex/index.md). + diff --git a/phonenumbers/normal_map.png b/phonenumbers/normal_map.png new file mode 100644 index 0000000..34f8fc4 Binary files /dev/null and b/phonenumbers/normal_map.png differ diff --git a/physicalsecurity/0.png b/physicalsecurity/0.png new file mode 100644 index 0000000..17ec6e8 Binary files /dev/null and b/physicalsecurity/0.png differ diff --git a/physicalsecurity/1.png b/physicalsecurity/1.png new file mode 100644 index 0000000..f8edbc9 Binary files /dev/null and b/physicalsecurity/1.png differ diff --git a/physicalsecurity/10.png b/physicalsecurity/10.png new file mode 100644 index 0000000..9444cbd Binary files /dev/null and b/physicalsecurity/10.png differ diff --git a/physicalsecurity/11.png b/physicalsecurity/11.png new file mode 100644 index 0000000..51c886b Binary files /dev/null and b/physicalsecurity/11.png differ diff --git a/physicalsecurity/12.png b/physicalsecurity/12.png new file mode 100644 index 0000000..59a2a81 Binary files /dev/null and b/physicalsecurity/12.png differ diff --git a/physicalsecurity/13.png b/physicalsecurity/13.png new file mode 100644 index 0000000..59a2a81 Binary files /dev/null and b/physicalsecurity/13.png differ diff --git a/physicalsecurity/14.png b/physicalsecurity/14.png new file mode 100644 index 0000000..80dc8c3 Binary files /dev/null and b/physicalsecurity/14.png differ diff --git a/physicalsecurity/15.png b/physicalsecurity/15.png new file mode 100644 index 0000000..61235a8 Binary files /dev/null and b/physicalsecurity/15.png differ diff --git a/physicalsecurity/16.png b/physicalsecurity/16.png new file mode 100644 index 0000000..f96118c Binary files /dev/null and b/physicalsecurity/16.png differ diff --git a/physicalsecurity/17.png b/physicalsecurity/17.png new file mode 100644 index 0000000..9399256 Binary files /dev/null and b/physicalsecurity/17.png differ diff --git a/physicalsecurity/18.png b/physicalsecurity/18.png new file mode 100644 index 0000000..8e01248 Binary files /dev/null and b/physicalsecurity/18.png differ diff --git a/physicalsecurity/19.png b/physicalsecurity/19.png new file mode 100644 index 0000000..b6507c3 Binary files /dev/null and b/physicalsecurity/19.png differ diff --git a/physicalsecurity/2.png b/physicalsecurity/2.png new file mode 100644 index 0000000..4357b6b Binary files /dev/null and b/physicalsecurity/2.png differ diff --git a/physicalsecurity/20.png b/physicalsecurity/20.png new file mode 100644 index 0000000..69a4f33 Binary files /dev/null and b/physicalsecurity/20.png differ diff --git a/physicalsecurity/3.png b/physicalsecurity/3.png new file mode 100644 index 0000000..2a2354f Binary files /dev/null and b/physicalsecurity/3.png differ diff --git a/physicalsecurity/4.png b/physicalsecurity/4.png new file mode 100644 index 0000000..693d8cd Binary files /dev/null and b/physicalsecurity/4.png differ diff --git a/physicalsecurity/5.png b/physicalsecurity/5.png new file mode 100644 index 0000000..9645320 Binary files /dev/null and b/physicalsecurity/5.png differ diff --git a/physicalsecurity/6.png b/physicalsecurity/6.png new file mode 100644 index 0000000..1c5301e Binary files /dev/null and b/physicalsecurity/6.png differ diff --git a/physicalsecurity/7.png b/physicalsecurity/7.png new file mode 100644 index 0000000..2138fbe Binary files /dev/null and b/physicalsecurity/7.png differ diff --git a/physicalsecurity/8.png b/physicalsecurity/8.png new file mode 100644 index 0000000..b63ead4 Binary files /dev/null and b/physicalsecurity/8.png differ diff --git a/physicalsecurity/9.png b/physicalsecurity/9.png new file mode 100644 index 0000000..790da03 Binary files /dev/null and b/physicalsecurity/9.png differ diff --git a/physicalsecurity/index.md b/physicalsecurity/index.md new file mode 100644 index 0000000..d510793 --- /dev/null +++ b/physicalsecurity/index.md @@ -0,0 +1,1388 @@ +--- +author: nihilist +date: 2024-03-28 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/33" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Plausible Deniability Protection for an .onion Service + +In this tutorial we're going to look at how you can protect a set of QEMU VMs running in a veracrypt hidden partition from being discovered by an adversary. + +For this tutorial we have the following threat model: + + 1. What if an adversary enters the room where the physical server is ? + + 2. What if an adversary opens up the case of the physical server ? + + 3. What if an adversary plugs in or removes any usb device on the server ? + + 4. What if an adversary shuts down the electricity of the entire house before coming in ? + + 5. What if an adversary steals your password or ssh key somehow and manages to login via SSH on the server ? + + 6. What if an adversary physically destroys the harddrive containing the veracrypt partition ? + + 7. What if an adversary tries to do a cold boot attack ? (meaning forensics regarding server logs and RAM live memory) + + 8. What if an adversary forces you to type in your password to your encrypted data ? + + + + +Let's take all those threat vectors into account, and setup our homeserver with the following physical security setup: + +![](0.png) + + + +## **Initial Setup** + +First we setup a debian QEMU VM in the hidden veracrypt partition: + +**DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling** + + + source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd + + regarding wear leveling: + "Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead." + + + +Look at [this tutorial](../veracrypt/index.md) on how to create a veracrypt hidden partition, now create a volume that can contain a debian VM inside the hidden partition (ex: outer volume 140G, and inner/hidden volume 70G). Also follow [this tutorial](../hypervisorsetup/index.md) to know how to setup a QEMU hypervisor to virtualize VMs on linux. Now in the hidden partition we will create the debian QEMU VM (whose disk is 50Gb) as follows (keep in mind that we will also need to copy it into the decoy partition without overwriting the hidden partition, so make sure you can fit the same VM there aswell when you are creating the veracrypt volume!): + +![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) ![](8.png) ![](9.png) + + + root@debian:~# apt update -y ; apt upgrade -y ; apt autoremove -y + + + +side note: make sure that you also copy the same VM into the decoy partition in case if you are asked to disprove the claim that said vm name inside the veracrypt partition contains something sensitive. + +we make it run a .onion service like so as shown on [this tutorial](../torwebsite/index.md) + +So now we have the following graph: + +![](10.png) + +We now have a server at home, that contains a veracrypt hidden partition (whose existance shouldnt be revealed), that hidden partition contains a VM, which contains a .onion service we want to hide the existence of. So now let's protect it: + +## **Emergency Shutdown setup** + +First let's define how to shutdown the services and hide the veracrypt hidden partition in one simple bash script: + +We have the following order of events: + +First we open the veracrypt volume, then we add the QEMU VM in virt-manager while naming it, then we power it on, and then we have our plausibly-deniable onion service. + +![](12.png) + +So for an emergency shutdown, we need to do the same in the reverse order: First we shutdown the VM forcefully, then we close the hidden veracrypt partition forcefully, then we wipe the logs, then we kill the veracrypt process, and then then we wipe the ram 3 times to erase all potential trace of VMs in live memory. + +![](14.png) + +Then we assemble that in a bashscript like so: + + + [ Wonderland ] [ /dev/pts/1 ] [~] + → sudo cat /root/emergencyshutdown.sh + [sudo] password for nihilist: + #!/bin/bash + + #remove VM and undefine it: (make sure that the VM name is exact!!!) + sudo virsh -c qemu:///system destroy debian12-VM + sudo virsh -c qemu:///system undefine debian12-VM + #make sure that there is also an innocent VM called debian12-VM in the outer partition (for plausible deniability) + + #unmount veracrypt drives forcefully + sudo veracrypt -d -f + + # then cleanup logs + sudo rm -rf /dev/shm/* + sudo rm -rf /var/log/* + sudo dmesg -c >/dev/null 2>/dev/null + + # kill veracrypt to avoid having the veracrypt window display which drive/volume was selected + kill $(pidof veracrypt) + + # then wipe ram 3 times + # apt install stress + # below change 128G to the number of Gigabytes in your system ! put 16 if you only have 16Gb of ram! + stress -m 1 --vm-bytes 128G -t 10 + stress -m 1 --vm-bytes 128G -t 10 + stress -m 1 --vm-bytes 128G -t 10 + + + +you can run it like so: + + + chmod +x ./emergencyshutdown.sh + ./emergencyshutdown.sh + + + +Next we need to be able to send an email from the server to the administrator to notify him that an emergency shutdown just happened. + +![](17.png) + +We'll be using ssmtp from the homeserver itself , it's going to connect to a remote mail server to send the mail we want. (check [this tutorial](../mailprivate/index.md) if you want to know how to setup your SMTP mail server): + + + [ Wonderland ] [ /dev/pts/1 ] [~] + → apt install ssmtp + + + +Then make sure the user exists on the smtp server: + + + root@mail-nihilism:~# useradd -G mail -m surveillance + root@mail-nihilism:~# id surveillance + uid=1003(surveillance) gid=1003(surveillance) groups=1003(surveillance),8(mail) + root@mail-nihilism:~# passwd surveillance + New password: + Retype new password: + passwd: password updated successfully + + + +And then just send the mail after configuring ssmtp to send to the right place as the correct user: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat /etc/ssmtp/revaliases + # sSMTP aliases + # + # Format: local_account:outgoing_address:mailhub + # + # Example: root:your_login@your.domain:mailhub.your.domain[:port] + # where [:port] is an optional port number that defaults to 25. + + root:surveillance:mail.nowhere.moe:587 + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat /etc/ssmtp/ssmtp.conf + rewriteDomain=nowhere.moe + mailhub=mail.nowhere.moe:587 + useSTARTTLS=YES + AuthUser=surveillance + AuthPass=D9IJWDOAHWHUHWUHDAWHDUWHAHDWAIHA3213221123312F + + [ Wonderland ] [ /dev/pts/5 ] [~] + → echo "Test message from Linux server using ssmtp" | sudo ssmtp -vvv nihilist@nowhere.moe + [<****-] 220 mail.nowhere.moe ESMTP nowhere.moe (Debian/GNU) + [->] EHLO wonderland + [ <****-] 250 CHUNKING + [->] STARTTLS + [ <****-] 220 2.0.0 Ready to start TLS + [->] EHLO wonderland + [ <****-] 250 CHUNKING + [->] AUTH LOGIN + [ <****-] 334 VXNlcm5hbWU6 + [->] c3VydmVpbGxhbmNl + [ <****-] 334 UGFzc3dvcmQ6 + [ <****-] 235 2.7.0 Authentication successful + [->] MAIL FROM: <****surveillance@nowhere.moe> + [ <****-] 250 2.1.0 Ok + [->] RCPT TO: <****nihilist@nowhere.moe> + [ <****-] 250 2.1.5 Ok + [->] DATA + [ <****-] 354 End data with <****CR> <****LF>. <****CR> <****LF> + [->] Received: by wonderland (sSMTP sendmail emulation); Sat, 30 Mar 2024 17:01:44 +0100 + [->] From: "root" <****surveillance@nowhere.moe> + [->] Date: Sat, 30 Mar 2024 17:01:44 +0100 + [->] Test message from Linux server using ssmtp + [->] + [->] . + [ <****-] 250 2.0.0 Ok: queued as 9FB5E26A92 + [->] QUIT + [ <****-] 221 2.0.0 Bye + +And there we see that we recieved the mail on thunderbird: + +![](11.png) + +Meaning we have the following emergency shutdown script: + + + [ Wonderland ] [ /dev/pts/1 ] [~] + → sudo cat /root/emergencyshutdown.sh + [sudo] password for nihilist: + #!/bin/bash + + #notify the admin that the emergency shutdown is being performed + echo "PERFORMING EMERGENCY SHUTDOWN!" | sudo ssmtp -vvv nihilist@nowhere.moe + + #perform the emergency shutdown: + + #remove VM and undefine it: (make sure that the VM name is exact!!!) + sudo virsh -c qemu:///system destroy debian12-VM + sudo virsh -c qemu:///system undefine debian12-VM + #make sure that there is also an innocent VM called debian12-VM in the outer partition (for plausible deniability) + + #unmount veracrypt drives forcefully + sudo veracrypt -d -f + + # then cleanup logs + sudo rm -rf /dev/shm/* + sudo rm -rf /var/log/* + sudo dmesg -c >/dev/null 2>/dev/null + + # kill veracrypt to avoid having the veracrypt window display which drive/volume was selected + kill $(pidof veracrypt) + + # then wipe ram 3 times + # apt install stress + # below change 128G to the number of Gigabytes in your system ! put 16 if you only have 16Gb of ram! + stress -m 1 --vm-bytes 128G -t 10 + stress -m 1 --vm-bytes 128G -t 10 + stress -m 1 --vm-bytes 128G -t 10 + + + + +## **Surveillance Setup** + +So now that we have our actions completed (emergency shutdown and sending a mail), we need to make sure that both are triggered whenever necessary, as shown below: + +![](16.png) + +To look out for any usb change on the homeserver, we have the following script: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat checkusb.sh + #!/bin/bash + + action_for_unauthorized_usb_change () { + echo "[+] ACTION : SEND MAIL TO NOTIFY ADMIN" + echo -en "Subject: USB CHANGE DETECTED ON $(hostname) \n\n USB CHANGE DETECTED on $(hostname) at $(date): \n\n LSUSB WAS: \n $defaultlsusb \n\n LSUSB NOW IS: \n $(lsusb)" | sudo ssmtp -vvv nihilist@nowhere.moe + + #echo "[+] ACTION : EMERGENCY SHUTDOWN SCRIPT" + } + + #defaultusb = check usb store it as default usb + defaultusb=$(lsusb | sha512sum) + defaultlsusb=$(lsusb ) + + #set maintenanece to 0 + echo 0 > /tmp/maintenance + + while true; do + # check if maintenance mode or not: + if [ $(cat /tmp/maintenance) -eq 0 ]; # if no maintenance, look for usb changes + then + usbnow=$(lsusb | sha512sum) + if [ "$usbnow" = "$defaultusb" ]; #detect usb changes + then + echo "[+] No usb change..." + else + echo "[+] USB change detected, peforming action" + echo $defaultusb + echo $usbnow + action_for_unauthorized_usb_change + #sleep 3600 + sleep 10 + defaultlsusb=$(lsusb) + defaultusb=$(lsusb | sha512sum) + fi + else #maintenance ongoing, then not checking for usb changes + echo "[+] Maintenance mode, not checking for usb changes..." + fi + sleep 1 + done + + + +Then to detect any movement in the room we setup motion, this will make it possible for a cheap usb webcam to take pictures upon detecting movement in the room where the homeserver is: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → apt-get install v4l-utils motion -y + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat /etc/motion/motion.conf + # Rename this distribution example file to motion.conf + # + # This config file was generated by motion 4.5.1 + # Documentation: /usr/share/doc/motion/motion_guide.html + # + # This file contains only the basic configuration options to get a + # system working. There are many more options available. Please + # consult the documentation for the complete list of all options. + # + + ############################################################ + # System control configuration parameters + ############################################################ + + # Start in daemon (background) mode and release terminal. + daemon off + + # Start in Setup-Mode, daemon disabled. + setup_mode off + + # File to store the process ID. + ; pid_file value + + # File to write logs messages into. If not defined stderr and syslog is used. + #log_file /var/log/motion/motion.log + log_file /dev/null + + # Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL). + log_level 6 + + # Target directory for pictures, snapshots and movies + target_dir /tmp/room + + # Video device (e.g. /dev/video0) to be used for capturing. + video_device /dev/video0 + + # Parameters to control video device. See motion_guide.html + ; video_params value + + # The full URL of the network camera stream. + ; netcam_url value + + # Name of mmal camera (e.g. vc.ril.camera for pi camera). + ; mmalcam_name value + + # Camera control parameters (see raspivid/raspistill tool documentation) + ; mmalcam_params value + + ############################################################ + # Image Processing configuration parameters + ############################################################ + + # Image width in pixels. + width 640 + + # Image height in pixels. + height 480 + + # Maximum number of frames to be captured per second. + framerate 1 + + # Text to be overlayed in the lower left corner of images + text_left ROOM1 + + # Text to be overlayed in the lower right corner of images. + text_right %Y-%m-%d\n%T-%q + + ############################################################ + # Motion detection configuration parameters + ############################################################ + + # Always save pictures and movies even if there was no motion. + emulate_motion off + + # Threshold for number of changed pixels that triggers motion. + threshold 1500 + + # Noise threshold for the motion detection. + ; noise_level 32 + + # Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel. + despeckle_filter EedDl + + # Number of images that must contain motion to trigger an event. + minimum_motion_frames 1 + + # Gap in seconds of no motion detected that triggers the end of an event. + event_gap 60 + + # The number of pre-captured (buffered) pictures from before motion. + pre_capture 3 + + # Number of frames to capture after motion is no longer detected. + post_capture 0 + + ############################################################ + # Script execution configuration parameters + ############################################################ + + # Command to be executed when an event starts. + ; on_event_start value + + # Command to be executed when an event ends. + ; on_event_end value + + # Command to be executed when a movie file is closed. + ; on_movie_end value + + ############################################################ + # Picture output configuration parameters + ############################################################ + + # Output pictures when motion is detected + picture_output on + + # File name(without extension) for pictures relative to target directory + picture_filename %Y%m%d%H%M%S-%q + + ############################################################ + # Movie output configuration parameters + ############################################################ + + # Create movies of motion events. + movie_output off + + # Maximum length of movie in seconds. + movie_max_time 60 + + # The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best) + movie_quality 45 + + # Container/Codec to used for the movie. See motion_guide.html + movie_codec mkv + + # File name(without extension) for movies relative to target directory + movie_filename %t-%v-%Y%m%d%H%M%S + + ############################################################ + # Webcontrol configuration parameters + ############################################################ + + # Port number used for the webcontrol. + webcontrol_port 8080 + + # Restrict webcontrol connections to the localhost. + webcontrol_localhost off + + # Type of configuration options to allow via the webcontrol. + webcontrol_parms 0 + + ############################################################ + # Live stream configuration parameters + ############################################################ + + # The port number for the live stream. + stream_port 8081 + + # Restrict stream connections to the localhost. + stream_localhost off + + ############################################################## + # Camera config files - One for each camera. + ############################################################## + ; camera /usr/etc/motion/camera1.conf + ; camera /usr/etc/motion/camera2.conf + ; camera /usr/etc/motion/camera3.conf + ; camera /usr/etc/motion/camera4.conf + + ############################################################## + # Directory to read '.conf' files for cameras. + ############################################################## + ; camera_dir /usr/etc/motion/conf.d + + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → mkdir /tmp/room + + [ Wonderland ] [ /dev/pts/5 ] [~] + → chown -R motion:motion /tmp/room + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl restart motion + + + +From there you can see if the webcam works on port 9091: + +![](1.png) + +Then we can see that motion to saves pictures once per second once it detects movement in /tmp/room: + + + Every 1.0s: ls -l /tmp/room wonderland: Thu Mar 28 17:07:51 2024 + + total 368 + -rw-r--r-- 1 motion motion 52251 Mar 28 17:07 20240328170745-01.jpg + -rw-r--r-- 1 motion motion 52129 Mar 28 17:07 20240328170746-00.jpg + -rw-r--r-- 1 motion motion 52471 Mar 28 17:07 20240328170746-01.jpg + -rw-r--r-- 1 motion motion 37158 Mar 28 17:07 20240328170747-00.jpg + -rw-r--r-- 1 motion motion 33439 Mar 28 17:07 20240328170747-01.jpg + -rw-r--r-- 1 motion motion 22586 Mar 28 17:07 20240328170748-00.jpg + -rw-r--r-- 1 motion motion 19099 Mar 28 17:07 20240328170748-01.jpg + -rw-r--r-- 1 motion motion 18205 Mar 28 17:07 20240328170749-00.jpg + -rw-r--r-- 1 motion motion 19284 Mar 28 17:07 20240328170749-01.jpg + -rw-r--r-- 1 motion motion 49770 Mar 28 17:07 20240328170750-00.jpg + + + +Then we have this script to check if there are any new files in /tmp/room/ and if there are then we put them in a zipfile before SEND it via mail to the admin: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat checkmovement_room.sh + #!/bin/bash + + + #apt-get install v4l-utils motion -y + #vim /etc/motion/motion.conf + + action_for_unauthorized_room_motion () { + echo "[+] ACTION : SEND MAIL TO NOTIFY ADMIN" + find /tmp/room/ -name *.jpg > /tmp/newfiles + newfiles=$(diff -u /tmp/oldfiles /tmp/newfiles | grep -E "^\+" | grep -v "+++" | tr -d '+') + + linelist=$(for line in $newfiles; do echo -en "$line " ;done) + zip /tmp/images.zip $linelist + echo -e "Subject: MOVEMENT DETECTED IN ROOM OF $(hostname) \n\n MOVEMENT DETECTED IN ROOM OF $(hostname) AT $(date):"| (cat - && uuencode /tmp/images.zip images.zip) | sudo ssmtp -vvv nihilist@nowhere.moe + rm /tmp/images.zip + rm /tmp/room/* -rf + } + + + #set maintenanece to 0 + mkdir /tmp/room/ 2>/dev/null + rm /tmp/room/* -rf + chown motion: /tmp/room/ -R + echo 0 > /tmp/maintenance + find /tmp/room/ -name *.jpg > /tmp/oldfiles + + #defaultusb = check usb store it as default usb + defaultroom=$(ls /tmp/room | sha512sum) + + while true; do + + + + # check if maintenance mode or not: + if [ $(cat /tmp/maintenance) -eq 0 ]; # if no room maintenance, look for room changes + then + roomnow=$(ls /tmp/room | sha512sum) + if [ "$roomnow" = "$defaultroom" ]; #detect usb changes + then + echo "[+] No Room Movement..." + else + echo "[+] Room movement detected, peforming action" + echo $defaulroom + echo $roomnow + action_for_unauthorized_room_motion + #sleep 3600 + sleep 10 + defaultroom=$(ls /tmp/room | sha512sum) + find /tmp/room/ -name *.jpg > /tmp/oldfiles + fi + else #maintenance ongoing, then not checking for room movements + echo "[+] Maintenance mode, not checking for room movements..." + fi + sleep 1 + done + + + +We also make a systemd service to automatically launch/relaunch the checkusb.sh script and checkmovement_room script, and also to make sure they auto start when the server boots up: + + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → vim /etc/systemd/system/usbwatcher.service + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat/etc/systemd/system/usbwatcher.service + + [Unit] + Description=usbwatcher + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/checkusb.sh + ExecStop=kill -9 $(pidof /root/checkusb.sh) + Restart=always + + [Install] + WantedBy=multi-user.target + + [ Wonderland ] [ /dev/pts/5 ] [~] + → vim /etc/systemd/system/motionwatcher.service + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat/etc/systemd/system/motionwatcher.service + + [Unit] + Description=motionwatcher + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/checkmovement_room.sh + ExecStop=kill -9 $(pidof /root/checkmovement_room.sh) + Restart=always + + [Install] + WantedBy=multi-user.target + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl daemon-reload + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl enable --now motionwatcher.service usbwatcher.service motion.service + Created symlink /etc/systemd/system/multi-user.target.wants/motionwatcher.service → /etc/systemd/system/motionwatcher.service. + Created symlink /etc/systemd/system/multi-user.target.wants/usbwatcher.service → /etc/systemd/system/usbwatcher.service. + Created symlink /etc/systemd/system/multi-user.target.wants/motion.service → /etc/systemd/system/motion.service. + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl status motionwatcher.service usbwatcher.service + ● motionwatcher.service - motionwatcher + Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 6s ago + Main PID: 3799951 (checkmovement_r) + Tasks: 2 (limit: 76929) + Memory: 676.0K + CPU: 24ms + CGroup: /system.slice/motionwatcher.service + ├─3799951 /bin/bash /root/checkmovement_room.sh + └─3800321 sleep 1 + + Apr 01 14:38:01 wonderland systemd[1]: Started motionwatcher.service - motionwatcher. + Apr 01 14:38:01 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:38:02 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:38:03 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:38:04 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:38:05 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:38:06 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:38:07 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + + ● usbwatcher.service - usbwatcher + Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 6s ago + Main PID: 3799953 (checkusb.sh) + Tasks: 2 (limit: 76929) + Memory: 664.0K + CPU: 40ms + CGroup: /system.slice/usbwatcher.service + ├─3799953 /bin/bash /root/checkusb.sh + └─3800327 sleep 1 + + Apr 01 14:38:01 wonderland systemd[1]: Started usbwatcher.service - usbwatcher. + Apr 01 14:38:01 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:38:02 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:38:03 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:38:04 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:38:05 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:38:06 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:38:07 wonderland checkusb.sh[3799953]: [+] No usb change... + + + + +then just watch it run: + + + Every 1.0s: systemctl status motionwatcher.service usbwatcher.service wonderland: Mon Apr 1 14:40:55 2024 + + ● motionwatcher.service - motionwatcher + Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 2min 54s ago + Main PID: 3799951 (checkmovement_r) + Tasks: 2 (limit: 76929) + Memory: 680.0K + CPU: 457ms + CGroup: /system.slice/motionwatcher.service + ├─3799951 /bin/bash /root/checkmovement_room.sh + └─3810241 sleep 10 + + Apr 01 14:40:45 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:40:46 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:40:47 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:40:48 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:40:49 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:40:50 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:40:51 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: [+] Room movement detected, peforming action + Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: 20c1a997bdf538923ed863a64bd1c0d73a7e15337011e576bf9f473c88865fe7e95627774c8035d7f6ee00d998d0f9926cf7442b297ab8d91373ff8d2b587c2c - + Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: [+] ACTION : SEND MAIL TO NOTIFY ADMIN + + ● usbwatcher.service - usbwatcher + Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 2min 54s ago + Main PID: 3799953 (checkusb.sh) + Tasks: 2 (limit: 76929) + Memory: 800.0K + CPU: 929ms + CGroup: /system.slice/usbwatcher.service + ├─3799953 /bin/bash /root/checkusb.sh + └─3810361 sleep 1 + + Apr 01 14:40:38 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:40:39 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:40:40 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:40:41 wonderland checkusb.sh[3799953]: [+] USB change detected, peforming action + Apr 01 14:40:41 wonderland checkusb.sh[3799953]: 140e9f95759026b6626bbc1098544bab9f85289c15c44f0fac44951100fbbb140214c00884f13bb50c959fc817bcdd1b6e8050781e1a987f6ea3a289c72c3198 - + Apr 01 14:40:41 wonderland checkusb.sh[3799953]: 482600aa9446e3bbe616534a224785512995e80cd70a16e84c8315e569885a5d52ac0b8363055a6973476521321c767d8b54c918c8443f96cdf0eead35b17cb9 - + Apr 01 14:40:41 wonderland checkusb.sh[3799953]: [+] ACTION : SEND MAIL TO NOTIFY ADMIN + Apr 01 14:40:52 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:40:53 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:40:54 wonderland checkusb.sh[3799953]: [+] No usb change... + + + +You can also see it sending mails whenever there is a usb change detected or a room movement detected: + +![](18.png) + +The first mail contains the details regarding what usb got plugged in or plugged out: + +![](19.png) + +The second mail contains the zipfiles with the images taken upon movement detection: + +![](20.png) + +And if you need to do a maintenance you can always disable them like so: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl stop motionwatcher.service usbwatcher.service + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl status motionwatcher.service usbwatcher.service + × motionwatcher.service - motionwatcher + Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled) + Active: failed (Result: exit-code) since Mon 2024-04-01 14:41:37 CEST; 1min 17s ago + Duration: 3min 35.887s + Process: 3799951 ExecStart=/root/checkmovement_room.sh (code=killed, signal=TERM) + Process: 3812925 ExecStop=kill -9 $(pidof /root/checkmovement_room.sh) (code=exited, status=1/FAILURE) + Main PID: 3799951 (code=killed, signal=TERM) + CPU: 545ms + + Apr 01 14:41:32 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:41:33 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:41:34 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:41:35 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:41:36 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement... + Apr 01 14:41:37 wonderland systemd[1]: Stopping motionwatcher.service - motionwatcher... + Apr 01 14:41:37 wonderland kill[3812925]: kill: failed to parse argument: '/root/checkmovement_room.sh)' + Apr 01 14:41:37 wonderland systemd[1]: motionwatcher.service: Control process exited, code=exited, status=1/FAILURE + Apr 01 14:41:37 wonderland systemd[1]: motionwatcher.service: Failed with result 'exit-code'. + Apr 01 14:41:37 wonderland systemd[1]: Stopped motionwatcher.service - motionwatcher. + + × usbwatcher.service - usbwatcher + Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled) + Active: failed (Result: exit-code) since Mon 2024-04-01 14:41:37 CEST; 1min 17s ago + Duration: 3min 35.888s + Process: 3799953 ExecStart=/root/checkusb.sh (code=killed, signal=TERM) + Process: 3812926 ExecStop=kill -9 $(pidof /root/checkusb.sh) (code=exited, status=1/FAILURE) + Main PID: 3799953 (code=killed, signal=TERM) + CPU: 1.176s + + Apr 01 14:41:33 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:41:34 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:41:35 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:41:36 wonderland checkusb.sh[3799953]: [+] No usb change... + Apr 01 14:41:37 wonderland systemd[1]: Stopping usbwatcher.service - usbwatcher... + Apr 01 14:41:37 wonderland kill[3812926]: kill: failed to parse argument: '/root/checkusb.sh)' + Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Control process exited, code=exited, status=1/FAILURE + Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Failed with result 'exit-code'. + Apr 01 14:41:37 wonderland systemd[1]: Stopped usbwatcher.service - usbwatcher. + Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Consumed 1.176s CPU time. + + + +Or you can also set the /tmp/maintenance flag to 1, but dont forget to set it back to 0 afterward. + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → echo "1" >/tmp/maintenance + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl status usbwatcher.service motionwatcher.service + ● usbwatcher.service - usbwatcher + Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 5min ago + Main PID: 4087848 (checkusb.sh) + Tasks: 2 (limit: 76929) + Memory: 584.0K + CPU: 1.969s + CGroup: /system.slice/usbwatcher.service + ├─4087848 /bin/bash /root/checkusb.sh + └─4099926 sleep 1 + + Apr 01 16:19:52 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:19:53 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:19:54 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:19:55 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:19:56 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:19:57 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:19:58 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:19:59 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:00 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:01 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + + ● motionwatcher.service - motionwatcher + Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 5min ago + Main PID: 4087847 (checkmovement_r) + Tasks: 2 (limit: 76929) + Memory: 644.0K + CPU: 1.006s + CGroup: /system.slice/motionwatcher.service + ├─4087847 /bin/bash /root/checkmovement_room.sh + └─4099976 sleep 1 + + Apr 01 16:19:53 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:19:54 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:19:55 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:19:56 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:19:57 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:19:58 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:19:59 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:00 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:01 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:02 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + + + +Once your maintenance is over, start them again like so: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl start motionwatcher.service usbwatcher.service + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl status motionwatcher.service usbwatcher.service + ● motionwatcher.service - motionwatcher + Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 14:43:28 CEST; 1s ago + Main PID: 3818336 (checkmovement_r) + Tasks: 2 (limit: 76929) + Memory: 572.0K + CPU: 9ms + CGroup: /system.slice/motionwatcher.service + ├─3818336 /bin/bash /root/checkmovement_room.sh + └─3818411 sleep 1 + + Apr 01 14:43:28 wonderland systemd[1]: Started motionwatcher.service - motionwatcher. + Apr 01 14:43:28 wonderland checkmovement_room.sh[3818336]: [+] No Room Movement... + Apr 01 14:43:29 wonderland checkmovement_room.sh[3818336]: [+] No Room Movement... + + ● usbwatcher.service - usbwatcher + Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 14:43:28 CEST; 1s ago + Main PID: 3818339 (checkusb.sh) + Tasks: 2 (limit: 76929) + Memory: 572.0K + CPU: 14ms + CGroup: /system.slice/usbwatcher.service + ├─3818339 /bin/bash /root/checkusb.sh + └─3818417 sleep 1 + + Apr 01 14:43:28 wonderland systemd[1]: Started usbwatcher.service - usbwatcher. + Apr 01 14:43:28 wonderland checkusb.sh[3818339]: [+] No usb change... + Apr 01 14:43:29 wonderland checkusb.sh[3818339]: [+] No usb change... + + + +Or by just resetting the /tmp/maintenance flag to 0: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → echo "0" >/tmp/maintenance + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl status usbwatcher.service motionwatcher.service + ● usbwatcher.service - usbwatcher + Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 6min ago + Main PID: 4087848 (checkusb.sh) + Tasks: 2 (limit: 76929) + Memory: 588.0K + CPU: 2.035s + CGroup: /system.slice/usbwatcher.service + ├─4087848 /bin/bash /root/checkusb.sh + └─4101731 sleep 1 + + Apr 01 16:20:26 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:27 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:28 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:29 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:30 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:31 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:32 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes... + Apr 01 16:20:33 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:20:34 wonderland checkusb.sh[4087848]: [+] No usb change... + Apr 01 16:20:35 wonderland checkusb.sh[4087848]: [+] No usb change... + + ● motionwatcher.service - motionwatcher + Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 6min ago + Main PID: 4087847 (checkmovement_r) + Tasks: 2 (limit: 76929) + Memory: 800.0K + CPU: 1.050s + CGroup: /system.slice/motionwatcher.service + ├─4087847 /bin/bash /root/checkmovement_room.sh + └─4101784 sleep 1 + + Apr 01 16:20:27 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:28 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:29 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:30 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:31 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:32 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:33 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements... + Apr 01 16:20:34 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:20:35 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + Apr 01 16:20:36 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement... + + + +Then we make sure that if there is any unauthorized ssh login we should get notified by mail (using knockd and a secret ssh port) + +![](15.png) + + + [ Wonderland ] [ /dev/pts/23 ] [~] + → apt install knockd + + [ Wonderland ] [ /dev/pts/23 ] [~] + → vim /etc/knockd.conf + + [ Wonderland ] [ /dev/pts/23 ] [~] + → cat /etc/knockd.conf + [options] + UseSyslog + + [openSSH] + sequence = 7000,8000,9000 + seq_timeout = 5 + command = /usr/bin/systemctl start sshd2 + tcpflags = syn + + [closeSSH] + sequence = 9000,8000,7000 + seq_timeout = 5 + command = /usr/bin/systemctl stop sshd2 + tcpflags = syn + + [emergencyshutdown] + sequence = 12345,54321,24680,13579 + seq_timeout = 5 + command = /root/emergencyshutdown.sh + tcpflags = syn + + [ Wonderland ] [ /dev/pts/23 ] [~] + → cat /etc/default/knockd + # control if we start knockd at init or not + # 1 = start + # anything else = don't start + # PLEASE EDIT /etc/knockd.conf BEFORE ENABLING + START_KNOCKD=1 + + # command line options + KNOCKD_OPTS="-i enp8s0" + + [ Wonderland ] [ /dev/pts/23 ] [~] + → systemctl restart knockd + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat /etc/systemd/system/sshd2.service + [Unit] + Description=OpenBSD Secure Shell server + Documentation=man:sshd(8) man:sshd_config(5) + After=network.target auditd.service + ConditionPathExists=!/etc/ssh/sshd_not_to_be_run + + [Service] + EnvironmentFile=-/etc/default/ssh2 + ExecStartPre=/usr/sbin/sshd -t + ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sshd2_config + ExecReload=/usr/sbin/sshd -t + ExecReload=/bin/kill -HUP $MAINPID + KillMode=process + Restart=on-failure + RestartPreventExitStatus=255 + Type=notify + RuntimeDirectory=sshd2 + RuntimeDirectoryMode=0755 + + [Install] + WantedBy=multi-user.target + Alias=sshd2.service + + [ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system] + → cat /etc/ssh/sshd2_config| grep Port + Port 2222 + + [ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system] + → systemctl start sshd2 + + [ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system] + → systemctl status sshd2 + ● sshd2.service - OpenBSD Secure Shell server + Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled) + Active: active (running) since Fri 2024-03-29 13:44:07 CET; 5s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 1735677 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 1735678 (sshd) + Tasks: 1 (limit: 76929) + Memory: 1.4M + CPU: 10ms + CGroup: /system.slice/sshd2.service + └─1735678 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups" + + Mar 29 13:44:07 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server... + Mar 29 13:44:07 wonderland sshd[1735678]: Server listening on 0.0.0.0 port 2222. + Mar 29 13:44:07 wonderland sshd[1735678]: Server listening on :: port 2222. + Mar 29 13:44:07 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server. + + #now to open sshd2 on port 2222 you do the following: + [ mainpc ] [ /dev/pts/4 ] [~/Nextcloud/blog] + → for x in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null + + [ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system] + → systemctl status sshd2 + ● sshd2.service - OpenBSD Secure Shell server + Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled) + Active: active (running) since Fri 2024-03-29 13:55:44 CET; 4min 11s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 1807467 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 1807468 (sshd) + Tasks: 1 (limit: 76929) + Memory: 1.4M + CPU: 12ms + CGroup: /system.slice/sshd2.service + └─1807468 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups" + + Mar 29 13:55:44 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server... + Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on 0.0.0.0 port 2222. + Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on :: port 2222. + Mar 29 13:55:44 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server. + + #now to close sshd2 on port 2222 you do the following: + [ mainpc ] [ /dev/pts/4 ] [~/Nextcloud/blog] + → for x in 9000 8000 7000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null + + [ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system] + → systemctl status sshd2 + ● sshd2.service - OpenBSD Secure Shell server + Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled) + Active: active (running) since Fri 2024-03-29 13:55:44 CET; 4min 11s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 1807467 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 1807468 (sshd) + Tasks: 1 (limit: 76929) + Memory: 1.4M + CPU: 12ms + CGroup: /system.slice/sshd2.service + └─1807468 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups" + + Mar 29 13:55:44 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server... + Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on 0.0.0.0 port 2222. + Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on :: port 2222. + Mar 29 13:55:44 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server. + + + +Now that we setup the real sshd service, we can edit the original sshd service to become a trap like so: + + + [ Wonderland ] [ /dev/pts/5 ] [~] + → vim emergencyshutdown.sh + + [ Wonderland ] [ /dev/pts/5 ] [~] + → chmod +x emergencyshutdown.sh + + [ Wonderland ] [ /dev/pts/5 ] [~] + → cat emergencyshutdown.sh + #!/bin/bash + echo "Unauthorized, reporting incident to administrator, and performing emergency shutdown" + + [ Wonderland ] [ /dev/pts/5 ] [~] + → vim /etc/ssh/sshd_config + + [ Wonderland ] [ /dev/pts/5 ] [~] + → tail -n10 /etc/ssh/sshd_config + + Match Group root,sudo + ForceCommand /root/emergencyshutdown.sh + AllowTcpForwarding no + PermitTunnel no + X11Forwarding no + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl restart sshd + + [ Wonderland ] [ /dev/pts/5 ] [~] + → systemctl status sshd + ● ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-04-01 10:31:40 CEST; 3s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 3103408 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 3103410 (sshd) + Tasks: 1 (limit: 76929) + Memory: 1.4M + CPU: 10ms + CGroup: /system.slice/ssh.service + └─3103410 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" + + Apr 01 10:31:40 wonderland systemd[1]: Starting ssh.service - OpenBSD Secure Shell server... + Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Set /proc/self/oom_score_adj from 0 to -1000 + Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Bind to port 22 on 0.0.0.0. + Apr 01 10:31:40 wonderland systemd[1]: Started ssh.service - OpenBSD Secure Shell server. + Apr 01 10:31:40 wonderland sshd[3103410]: Server listening on 0.0.0.0 port 22. + Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Bind to port 22 on ::. + Apr 01 10:31:40 wonderland sshd[3103410]: Server listening on :: port 22. + + + + +Now like this, the trap ssh service on port 22 is going to force the execution of only our emergency shutdown script if any user manages to login. Meaning the only way to get in is through the sshd2 port on port 2222 after doing the port knocking procedure: + + + + #testing to login on port 22 shows that the emergencyshutdown script is triggered: + [ mainpc ] [ /dev/pts/7 ] [~] + → ssh root@192.168.0.100 -i ~/.ssh/torified + Enter passphrase for key '/home/nihilist/.ssh/torified': + **Unauthorized, reporting incident to administrator, and performing emergency shutdown** + Connection to 192.168.0.100 closed. + + #trying to evade the forced command execution fails: + [ mainpc ] [ /dev/pts/7 ] [~] + → ssh root@192.168.0.100 -i ~/.ssh/torified bash + Enter passphrase for key '/home/nihilist/.ssh/torified': + **Unauthorized, reporting incident to administrator, and performing emergency shutdown** + + #so in order to login we need to open the secret sshd2 port with the specific port knocking procedure as follows: + [ mainpc ] [ /dev/pts/7 ] [~] + → for x in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null + + #now that the port knocking is completed, we can login via ssh on port 2222: + [ mainpc ] [ /dev/pts/7 ] [~] + → ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222 + Enter passphrase for key '/home/nihilist/.ssh/torified': + Linux wonderland 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Web console: https://wonderland:9090/ or https://192.168.0.100:9090/ + + Last login: Mon Apr 1 10:34:46 2024 from 192.168.0.61 + + #login successful, without any forced command execution + **[ Wonderland ] [ /dev/pts/25 ] [~] + → id + uid=0(root) gid=0(root) groups=0(root),104(kvm),126(libvirt)** + + [ Wonderland ] [ /dev/pts/25 ] [~] + → exit + Connection to 192.168.0.100 closed. + + #maintenance is over, we then close the sshd2 port. + [ mainpc ] [ /dev/pts/7 ] [~] + → for x in 9000 8000 7000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null + + #we then verify that the port is closed. + [ mainpc ] [ /dev/pts/7 ] [~] + → ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222 + ssh: connect to host 192.168.0.100 port 2222: Connection refused + + + + +Next, to make sure that failed ssh login attempts get banned with fail2ban, we make sure that sshd outputs to auth.log, that way we ward off any potential ssh bruteforce attack, you can check out how to setup fail2ban with [this tutorial](../fail2banssh/index.md) to know how to do it. + +## **Clientside precautions** + +So here we want to mke a bash/zsh command function to simplify the opening and closing of the secret ssh port. You can use the one i made below for the same: + + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → vim ~/.zshrc + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → zsh + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → which secretssh + secretssh () { + if [[ $# -ne 6 ]] + then + echo "incorrect, use the following syntax:" >&2 + echo "secretssh 192.168.0.1 111 222 333 wonderland 2222" >&2 + echo "192.168.0.1 = host to port knock to" >&2 + echo "111 222 333 = port knocking procedure to OPEN the port (in reverse = close the port)" >&2 + echo "wonderland = ssh alias to connect to." >&2 + echo "2222 = the secret ssh port to connect to" >&2 + else + echo "OPENIGN SECRET SSH: port knocking $1 with sequence $2 $3 $4" + for x in $2 $3 $4 + do + nmap -Pn --max-retries 0 -p $x $1 + done > /dev/null + sleep 1 + ssh $5 -p $6 + echo "CLOSING SECRET SSH: port knocking $1 with sequence $4 $3 $2" + for x in $4 $3 $2 + do + nmap -Pn --max-retries 0 -p $x $1 + done > /dev/null + fi + } + + + +you can test it as follows, using an ssh alias (which doesn't reveal the secret ssh port!): + + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → cat ~/.ssh/config + Host wonderland + User root + Hostname 192.168.0.100 + IdentityFile ~/.ssh/torified + + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + number of arguements: 6 + opening secret ssh port: + port knocking 192.168.0.100 with sequence 7000 8000 9000 + Enter passphrase for key '/home/nihilist/.ssh/torified': + Linux wonderland 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Web console: https://wonderland:9090/ or https://192.168.0.100:9090/ + + Last login: Mon Apr 1 11:32:21 2024 from 192.168.0.61 + + [ Wonderland ] [ /dev/pts/25 ] [~] + → id + uid=0(root) gid=0(root) groups=0(root),104(kvm),126(libvirt) + + [ Wonderland ] [ /dev/pts/25 ] [~] + → exit + Connection to 192.168.0.100 closed. + closing secret ssh port: + port knocking 192.168.0.100 with sequence 9000 8000 7000 + + + +That way, we make sure that we do not hardcode the port sequence to open/close the secret ssh port, and we also make sure that the secret ssh port is not revealed. This means that from now on you will need to remember the port sequence to open the secret ssh port, and also the secret ssh port itself. Without those, you will be unable to login to the server. + +Now however the risk is that you'd reveal the port sequence and ssh port from the bash or zsh history file: + + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → history | grep secretssh + 534 secretssh + 535 secretssh 111 222 333 + 537 secretssh 111 222 333 + 539 secretssh 111 222 333 + 540 secretssh 192.168.0.100 111 222 333 + 542 secretssh 111 222 333 + 543 secretssh 192.168.0.100 111 222 333 333 + 544 secretssh 192.168.0.100 111 222 333 333 444 + 546 secretssh 192.168.0.100 111 222 333 333 444 + 547 secretssh 192.168.0.100 111 222 333 333 + 548 secretssh 192.168.0.100 111 222 333 + 549 secretssh 192.168.0.100 111 222 + 550 secretssh 192.168.0.100 111 + 553 secretssh 192.168.0.100 111 + 554 secretssh 192.168.0.100 111 222 + 555 secretssh 192.168.0.100 111 222 333 + 556 secretssh 192.168.0.100 111 222 333 444 + 557 secretssh 192.168.0.100 111 222 333 444 555 + 558 secretssh 192.168.0.100 111 222 333 666 + 559 secretssh 192.168.0.100 111 + 560 secretssh 192.168.0.100 111 222 + 561 secretssh 192.168.0.100 111 222 333 + 564 secretssh 192.168.0.100 111 222 333 + 565 secretssh 192.168.0.100 111 222 333 wonderland + 568 secretssh 192.168.0.100 111 222 333 wonderland + 569 secretssh 192.168.0.100 111 222 333 wonderland 2222 + 571 secretssh 192.168.0.100 111 222 333 wonderland 2222 + 572 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + 574 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + 576 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + 578 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + 580 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + 582 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + 583 which secretssh + 586 which secretssh + 588 which secretssh + + + +so let's make sure that there is a cronjob that runs on the clientside to sed out the lines containing ssh, scp, rsync, nmap and secretssh on the /home/*/.zsh_history files: + + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → sed -i s'/.*nmap.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history + sed: can't read /root/.zsh_history: Permission denied + sed: can't read /root/.bash_history: Permission denied + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → zsh + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → history | grep nmap + 602 history | grep nmap + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → sudo crontab -e + + * * * * * sed -i s'/.*nmap.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history + * * * * * sed -i s'/.*ssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history + * * * * * sed -i s'/.*scp.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history + * * * * * sed -i s'/.*rsync.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history + * * * * * sed -i s'/.*secretssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history + + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → history | grep secretssh + 582 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222 + 588 which secretssh + 590 history | grep secretssh + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → /usr/bin/sed -i s'/.*secretssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history + + /usr/bin/sed: can't read /root/.zsh_history: Permission denied + /usr/bin/sed: can't read /root/.bash_history: Permission denied + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → zsh + + [ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog] + → history | grep secretssh + 611 history | grep secretssh + + + +And that's it! now we have a secure way of accessing the server, without revealing the port knocking sequence nor the secret ssh port. + +## **UPS setup in case of a power outage (WIP)** + +TODO: Then we make sure that when the power goes out, the UPS gives the signal for the homeserver to do the emergency shutdown script before shutting down, in order to hide the content of the server, before gracefully shutting down. + + + + +Next step is to look at how to make sure the .onion service keeps running even after shutting down the entire homeserver, to make sure that it is impossible to prove that you are maintaining the sensitive service. We'll go into it with how Endgame V3 can be setup in a future tutorial. + diff --git a/plausiblydeniabledataprotection/0.1.png b/plausiblydeniabledataprotection/0.1.png new file mode 100644 index 0000000..9927824 Binary files /dev/null and b/plausiblydeniabledataprotection/0.1.png differ diff --git a/plausiblydeniabledataprotection/0.png b/plausiblydeniabledataprotection/0.png new file mode 100644 index 0000000..05c542b Binary files /dev/null and b/plausiblydeniabledataprotection/0.png differ diff --git a/plausiblydeniabledataprotection/1.png b/plausiblydeniabledataprotection/1.png new file mode 100644 index 0000000..386247c Binary files /dev/null and b/plausiblydeniabledataprotection/1.png differ diff --git a/plausiblydeniabledataprotection/10.png b/plausiblydeniabledataprotection/10.png new file mode 100644 index 0000000..7f63f7d Binary files /dev/null and b/plausiblydeniabledataprotection/10.png differ diff --git a/plausiblydeniabledataprotection/11.png b/plausiblydeniabledataprotection/11.png new file mode 100644 index 0000000..9f2c760 Binary files /dev/null and b/plausiblydeniabledataprotection/11.png differ diff --git a/plausiblydeniabledataprotection/12.png b/plausiblydeniabledataprotection/12.png new file mode 100644 index 0000000..a74a9e5 Binary files /dev/null and b/plausiblydeniabledataprotection/12.png differ diff --git a/plausiblydeniabledataprotection/13.png b/plausiblydeniabledataprotection/13.png new file mode 100644 index 0000000..afa76ba Binary files /dev/null and b/plausiblydeniabledataprotection/13.png differ diff --git a/plausiblydeniabledataprotection/14.png b/plausiblydeniabledataprotection/14.png new file mode 100644 index 0000000..42b5091 Binary files /dev/null and b/plausiblydeniabledataprotection/14.png differ diff --git a/plausiblydeniabledataprotection/15.png b/plausiblydeniabledataprotection/15.png new file mode 100644 index 0000000..011f574 Binary files /dev/null and b/plausiblydeniabledataprotection/15.png differ diff --git a/plausiblydeniabledataprotection/16.png b/plausiblydeniabledataprotection/16.png new file mode 100644 index 0000000..cdd054c Binary files /dev/null and b/plausiblydeniabledataprotection/16.png differ diff --git a/plausiblydeniabledataprotection/17.png b/plausiblydeniabledataprotection/17.png new file mode 100644 index 0000000..cc79f60 Binary files /dev/null and b/plausiblydeniabledataprotection/17.png differ diff --git a/plausiblydeniabledataprotection/18.png b/plausiblydeniabledataprotection/18.png new file mode 100644 index 0000000..e84c100 Binary files /dev/null and b/plausiblydeniabledataprotection/18.png differ diff --git a/plausiblydeniabledataprotection/19.png b/plausiblydeniabledataprotection/19.png new file mode 100644 index 0000000..cc0d85e Binary files /dev/null and b/plausiblydeniabledataprotection/19.png differ diff --git a/plausiblydeniabledataprotection/2.png b/plausiblydeniabledataprotection/2.png new file mode 100644 index 0000000..691aade Binary files /dev/null and b/plausiblydeniabledataprotection/2.png differ diff --git a/plausiblydeniabledataprotection/20.png b/plausiblydeniabledataprotection/20.png new file mode 100644 index 0000000..44b279c Binary files /dev/null and b/plausiblydeniabledataprotection/20.png differ diff --git a/plausiblydeniabledataprotection/21.png b/plausiblydeniabledataprotection/21.png new file mode 100644 index 0000000..c753b0d Binary files /dev/null and b/plausiblydeniabledataprotection/21.png differ diff --git a/plausiblydeniabledataprotection/22.png b/plausiblydeniabledataprotection/22.png new file mode 100644 index 0000000..0b980bb Binary files /dev/null and b/plausiblydeniabledataprotection/22.png differ diff --git a/plausiblydeniabledataprotection/3.png b/plausiblydeniabledataprotection/3.png new file mode 100644 index 0000000..16c286b Binary files /dev/null and b/plausiblydeniabledataprotection/3.png differ diff --git a/plausiblydeniabledataprotection/30.png b/plausiblydeniabledataprotection/30.png new file mode 100644 index 0000000..d44ab7a Binary files /dev/null and b/plausiblydeniabledataprotection/30.png differ diff --git a/plausiblydeniabledataprotection/31.png b/plausiblydeniabledataprotection/31.png new file mode 100644 index 0000000..14b0651 Binary files /dev/null and b/plausiblydeniabledataprotection/31.png differ diff --git a/plausiblydeniabledataprotection/32.png b/plausiblydeniabledataprotection/32.png new file mode 100644 index 0000000..3911a19 Binary files /dev/null and b/plausiblydeniabledataprotection/32.png differ diff --git a/plausiblydeniabledataprotection/33.png b/plausiblydeniabledataprotection/33.png new file mode 100644 index 0000000..aaa1ff5 Binary files /dev/null and b/plausiblydeniabledataprotection/33.png differ diff --git a/plausiblydeniabledataprotection/34.png b/plausiblydeniabledataprotection/34.png new file mode 100644 index 0000000..c5b05c3 Binary files /dev/null and b/plausiblydeniabledataprotection/34.png differ diff --git a/plausiblydeniabledataprotection/35.png b/plausiblydeniabledataprotection/35.png new file mode 100644 index 0000000..8a37ed8 Binary files /dev/null and b/plausiblydeniabledataprotection/35.png differ diff --git a/plausiblydeniabledataprotection/36.png b/plausiblydeniabledataprotection/36.png new file mode 100644 index 0000000..d1c962a Binary files /dev/null and b/plausiblydeniabledataprotection/36.png differ diff --git a/plausiblydeniabledataprotection/37.png b/plausiblydeniabledataprotection/37.png new file mode 100644 index 0000000..2d24963 Binary files /dev/null and b/plausiblydeniabledataprotection/37.png differ diff --git a/plausiblydeniabledataprotection/38.png b/plausiblydeniabledataprotection/38.png new file mode 100644 index 0000000..68317a4 Binary files /dev/null and b/plausiblydeniabledataprotection/38.png differ diff --git a/plausiblydeniabledataprotection/39.png b/plausiblydeniabledataprotection/39.png new file mode 100644 index 0000000..3a42abd Binary files /dev/null and b/plausiblydeniabledataprotection/39.png differ diff --git a/plausiblydeniabledataprotection/4.png b/plausiblydeniabledataprotection/4.png new file mode 100644 index 0000000..9046041 Binary files /dev/null and b/plausiblydeniabledataprotection/4.png differ diff --git a/plausiblydeniabledataprotection/40.png b/plausiblydeniabledataprotection/40.png new file mode 100644 index 0000000..0c72170 Binary files /dev/null and b/plausiblydeniabledataprotection/40.png differ diff --git a/plausiblydeniabledataprotection/41.png b/plausiblydeniabledataprotection/41.png new file mode 100644 index 0000000..4713ea0 Binary files /dev/null and b/plausiblydeniabledataprotection/41.png differ diff --git a/plausiblydeniabledataprotection/42.png b/plausiblydeniabledataprotection/42.png new file mode 100644 index 0000000..9edef41 Binary files /dev/null and b/plausiblydeniabledataprotection/42.png differ diff --git a/plausiblydeniabledataprotection/43.png b/plausiblydeniabledataprotection/43.png new file mode 100644 index 0000000..a600164 Binary files /dev/null and b/plausiblydeniabledataprotection/43.png differ diff --git a/plausiblydeniabledataprotection/44.png b/plausiblydeniabledataprotection/44.png new file mode 100644 index 0000000..02f51f9 Binary files /dev/null and b/plausiblydeniabledataprotection/44.png differ diff --git a/plausiblydeniabledataprotection/45.png b/plausiblydeniabledataprotection/45.png new file mode 100644 index 0000000..689127e Binary files /dev/null and b/plausiblydeniabledataprotection/45.png differ diff --git a/plausiblydeniabledataprotection/46.png b/plausiblydeniabledataprotection/46.png new file mode 100644 index 0000000..9452b0a Binary files /dev/null and b/plausiblydeniabledataprotection/46.png differ diff --git a/plausiblydeniabledataprotection/47.png b/plausiblydeniabledataprotection/47.png new file mode 100644 index 0000000..d0e8531 Binary files /dev/null and b/plausiblydeniabledataprotection/47.png differ diff --git a/plausiblydeniabledataprotection/48.png b/plausiblydeniabledataprotection/48.png new file mode 100644 index 0000000..dc40b14 Binary files /dev/null and b/plausiblydeniabledataprotection/48.png differ diff --git a/plausiblydeniabledataprotection/49.png b/plausiblydeniabledataprotection/49.png new file mode 100644 index 0000000..fea4570 Binary files /dev/null and b/plausiblydeniabledataprotection/49.png differ diff --git a/plausiblydeniabledataprotection/5.png b/plausiblydeniabledataprotection/5.png new file mode 100644 index 0000000..93fe03e Binary files /dev/null and b/plausiblydeniabledataprotection/5.png differ diff --git a/plausiblydeniabledataprotection/6.png b/plausiblydeniabledataprotection/6.png new file mode 100644 index 0000000..ed99637 Binary files /dev/null and b/plausiblydeniabledataprotection/6.png differ diff --git a/plausiblydeniabledataprotection/7.png b/plausiblydeniabledataprotection/7.png new file mode 100644 index 0000000..8f32441 Binary files /dev/null and b/plausiblydeniabledataprotection/7.png differ diff --git a/plausiblydeniabledataprotection/8.png b/plausiblydeniabledataprotection/8.png new file mode 100644 index 0000000..b85ad6d Binary files /dev/null and b/plausiblydeniabledataprotection/8.png differ diff --git a/plausiblydeniabledataprotection/9.png b/plausiblydeniabledataprotection/9.png new file mode 100644 index 0000000..aa0a57b Binary files /dev/null and b/plausiblydeniabledataprotection/9.png differ diff --git a/plausiblydeniabledataprotection/index.md b/plausiblydeniabledataprotection/index.md new file mode 100644 index 0000000..af4497d --- /dev/null +++ b/plausiblydeniabledataprotection/index.md @@ -0,0 +1,207 @@ +--- +author: nihilist +date: 2025-04-06 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Sensitive Critical Data Backup Procedure + +![](31.png) + +In this tutorial we're going to cover how to backup the critical data that you would normally store inside of your [Sensitive use VM](../sensitivevm/index.md), in order to make sure that your critical data (meaning your keepass .kdbx file, your SSH keys, your PGP keys, your Monero seed files) can still be accessed and reused, even if the adversary were to seize and destroy your devices in multiple takedowns. + + + +## **Why is this setup important ?** + +As we have covered [previously](../sensitivevm/index.md), we need a specific setup in order to be able to maintain deniability regarding the sensitive activies that are conducted from inside the Sensitive VM. Due to the nature of those activities, you need to be ready for the worst, including having your main computer being seized and destroyed by the adversaries. + +![](../sensitivevm/0.png) + +The problem here is that if the adversary were to seize and destroy your laptop, including the non-system harddrive, **you'd permanently loose your critical sensitive data (which includes your PGP key, your SSH key, your monero wallet seed phrase, and your accesses that were stored in your Keepass .KDBX file)** + +![](30.png) + +**Therefore we need a way to backup the critical data from your sensitive VM, while still maintaining deniability about what it contains if ever found by the adversary.** + +## **What is the Critical Data backup procedure ?** + +From inside the Sensitive Use Whonix Workstation VM, we'll need a small veracrypt volume (which is 10Mb big) to simultaneously store a decoy volume containing some textfiles, and to store a small hidden volume (which is 5Mb big) which will contain your critical data: + +![](32.png) + +This small veracrypt volume will be called "diary" and it's decoy partition will simply contain a text-based diary of yours. However we need to be careful as we're going to save that file in places that the adversary may access, **We need to make sure that the decoy volume data changes, every time the hidden volume changes.** This is because otherwise we wouldn't have a way to justify why the overall veracrypt volume changed while the decoy volume didn't change (which would then prove the existance of the hidden volume). + +![](31.png) + +Therefore, to meet the deniability requirements, we have the following backup procedure: + + + 1) open the diary Veracrypt hidden volume to save the critical data in it + 2) after saving the critical data in it, close the hidden volume + 3) open the diary veracrypt decoy volume to write a new diary text file in it. (as otherwise you wouldnt be able to justify why the overall VC volume changed) + 4) close the decoy volume (ONLY NOW the overall veracrypt volume is ready to be backed up elsewhere) + 5) backup the veracrypt diary volume on a cheap remote VPS that was rented anonymously (accessed via SSH, via the .onion domain only) + 6) backup the VC volume in USB keys that are scattered in physical locations that you can access easily, and that can hide USB keys. + + + +So let's see how this looks like in action: + +## **How to perform the Backup Procedure** + +First, boot the Host OS in live mode: + +![](../livemode/12.png) + +Then open up the non-system veracrypt hidden volume: + +![](../sensitivevm/109.png) ![](../sensitivevm/110.png) ![](../sensitivevm/111.png) + +Then run script.sh (using the **Super+S** shortcut) to setup your sensitive whonix VMs: + +![](../sensitivevm/113.png) + +Before starting the Workstation however, make sure that the VM's USB controller is set to "USB 2" mode by editing the settings like so in the XML directly: + + + [user ~]% cd /run/media/private/user/sda + [user /run/media/private/user/sda]% vim Whonix-Workstation.xml + [user /run/media/private/user/sda]% cat Whonix-Workstation.xml + + [...] + + <__controller type="usb" index="0" model="ich9-ehci1"> + + [...] + +Once done, you can create the "diary" veracrypt volume inside the sensitive VM, (we'll use it to backup our critical data into it's hidden volume): + +![](36.png) ![](37.png) ![](38.png) ![](39.png) + +Now that the diary veracrypt volume has been created we can start to use it to backup our important data into it: + +## **How to perform the Backup Procedure** + +First, plug in your 3 usb keys into your computer and then make sure that they are attached to the Whonix Workstation VM: + +![](33.png) ![](34.png) ![](35.png) + +Then once you verified that the USB sticks are detected from the VM, you can start to backup your critical data inside the veracrypt volumes: + +![](40.png) + +And then after backing up your critical data, you can unmount the hidden volume, to mount the decoy volume instead, where you'll write a diary entry (that way you'll be able to justify why the overall veracrypt volume changed): + +![](41.png) + +Now that's done, unmount the decoy volume, and use the following backup.sh script to backup your diary veracrypt volume to the 3 usb sticks: + + + [user ~]% vim backup.sh + [user ~]% cat backup.sh + + #!/bin/bash + + echo 'creating all 3 usb mount directories...' + sudo mkdir /mnt/usb1 + sudo mkdir /mnt/usb2 + sudo mkdir /mnt/usb3 + + echo 'mounting all 3 usb sticks...' + sudo mount /dev/sda1 /mnt/usb1 + sudo mount /dev/sdb1 /mnt/usb2 + sudo mount /dev/sdc1 /mnt/usb3 + + echo 'copying the diary file on all 3 usb sticks...' + sudo cp -r /home/user/diary /mnt/usb1/diary + sudo cp -r /home/user/diary /mnt/usb2/diary + sudo cp -r /home/user/diary /mnt/usb3/diary + + echo 'copying completed, hence unmounting all 3 usb sticks...' + sudo umount /mnt/usb1 + sudo umount /mnt/usb2 + sudo umount /mnt/usb3 + + echo 'remote backup to a VPS rented anonymously...' + torsocks scp /home/user/diary user@yourremotevpsaddress.onion:/root/diary: + + [user ~]% chmod +x backup.sh + [user ~]% ./backup.sh + + + +Run the script, and you'll now have your critical data backed up on your Remote VPS, and it's on the 3 usb keys. + +And now you can unplug the 3 usb keys, and scatter them in 3 different places that you can easily access. **You can hide them in your bag, in your car, and bury one in your garden for example.** Get creative, but make sure that you can easily retrieve those usb keys back for next week's backup. + +![](42.png) ![](43.png) ![](44.png) + +However be careful if you intend to hide those usb keys in public places that are not yours (where you normally never go to either), you need to make sure that you are going there without a cellphone on you. **As otherwise the adversary would see that your phone has gone to a novel place that you have never been to before, And that gives them hints regarding where you might've hidden the usb keys.** + +![](45.png) + +Here for instance, the adversary wouldn't see your movements in pink, the only clues they'd have are the movements in red that they can anyway see from their dashboards. However it doesn't stop there, **if you actually are a high value target you should instead backup to remote VPSes exclusively, as the authorities will most likely find every physical clues you might leave behind** , (you might need to take into account satellite and public covert surveillance too) + +If you don't want to leave any physical clues behind and stick to digital backups alone, you're going to need to rent 3 cheap remote VPSes in 3 different datacenter locations, from 3 different cloud providers, by using 3 different non-KYC cloud reseller accounts. To know how to rent a VPS anonymously, [check out this tutorial](../anonymousremoteserver/index.md): + +![](48.png) + +Hence your backup.sh script would look like so: + + + [user ~]% vim backup.sh + [user ~]% cat backup.sh + + #!/bin/bash + + echo 'remote backup to VPSes rented anonymously...' + torsocks scp /home/user/diary user@remotevpsaddressA:/root/diary: + torsocks scp /home/user/diary user@remotevpsaddressB:/root/diary: + torsocks scp /home/user/diary user@remotevpsaddressC:/root/diary: + + [user ~]% chmod +x backup.sh + [user ~]% ./backup.sh + + + +With this second approach, the adversary will only be able to find your laptop, and they'll get the impression that you didn't try to make any backups. + +## **Emergency Scenario** + +So now let's suppose the following emergency scenario: You made an opsec mistake somewhere along the way, and the chinese authorities are now aware that you've been playing video games after 7 PM, and they are now raiding your appartment again: + +![](../sensitivevm/119.png) + +You manage to hit the correct key combination (**right Alt to focus out of the VM, and right CTRL to trigger the emergency reboot script**) Which closes the sensitive VM and reboots your computer just in time. + +![](46.png) + +Then they seize your devices, keep you in custody for just 1 month, and due to not having any further incriminating evidence on you **(they only found the non-sensitive files in the non-system drive, and the diary textfiles in the usb keys they seized)** , you avoid the concentration camp life sentence, and thus they release you. **But they're not giving back your devices because they destroyed them.** + +![](47.png) + +So your primary data source has been destroyed (including the sensitive VMs and the main diary VC volume), you also realize that they seized and destroyed the usb key you had in your backpack, and in your car. **However upon checking further you realize that they didn't get the USB key that you hid in your garden.** + +![](44.png) + +Too bad for them, because they didn't find that one usb key you had buried in your garden, so you dig it up, retrieve it, you purchase a new laptop, [you set up your sensitive VMs once again](../sensitivevm/index.md), and then you simply plug the usb back in the sensitive VM, **and with it you can restore your critical sensitive data (which includes your Keepass accesses, your pgp keys, your ssh keys and monero wallet seed) by copying the files back into your new sensitive use VM.** + +![](49.png) + +In a worse scenario, you could've had all physical backups being seized and destroyed, leaving you with only the remote VPSes that you rented to retrieve your backups. In this usecase **All you need to remember is how to access those VPSes via SSH** , you need to remember the IP addresses, the username, and the password to SSH back into the VPSes: + + + [user ~]% scp root@**256.51.123.1** :/root/diary ~/diary + + + +to make it easier to remember the addresses of the remote VPSes (since remembering IP addresses off the top of your head isn't trivial) you could also use a [clearnet domain alias (that you also rent anonymously)](../anondomain/index.md) to easily access those VPSes again. + + + [user ~]% scp root@**your.clearnetdoma.in** :/root/diary ~/diary + + + +And once restored you can resume your sensitive activities as usual, minus the opsec mistakes you made that led up to your arrest obviously. + diff --git a/privacy/1.png b/privacy/1.png new file mode 100644 index 0000000..22fd58a Binary files /dev/null and b/privacy/1.png differ diff --git a/privacy/2.png b/privacy/2.png new file mode 100644 index 0000000..70ef992 Binary files /dev/null and b/privacy/2.png differ diff --git a/privacy/3.png b/privacy/3.png new file mode 100644 index 0000000..dc3d0b7 Binary files /dev/null and b/privacy/3.png differ diff --git a/privacy/index.md b/privacy/index.md new file mode 100644 index 0000000..e639920 --- /dev/null +++ b/privacy/index.md @@ -0,0 +1,85 @@ +--- +author: nihilist +date: 2024-06-14 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/73" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# What is Privacy ? Why is it Important ? + +This is where the Journey begins. We're going to look at why you should bother with Privacy first of all, and what it is exactly. + + + +## **What is Privacy ?** + +![](../aps/privacy.png) + +In short, **Privacy means that you are not under surveillance.** In this example, Bob wants to talk to Alice privately, so he shuts the door on the prying eyes of Jack. So that he can't hear their conversation. + +Privacy is Bob and Alice's ability to seclude themselves from the awareness of others. It is the ability that Bob has, to close the door on Jack, so that he cannot see his actions anymore. + +When you are looking for Privacy, always ask yourself : **Privacy from what ? Privacy from whom ?** in other words, **Whom do i want to close the curtain on ?** + +## **The Enemy of Privacy is Surveillance** + +Make no mistake, as we discussed [previously](../govfear/index.md), governments NEED surveillance to be able to fulfil the first condition to be able to enforce their laws: ![](../su2.png)**They need to know what happened.** To be able to know what happened, **they need surveillance to be implemented wherever they can** , and it is definitely easy for them to force large businesses providing large centralised services to act on their behalf. + +Yes, ANY company can act on any government's behalf. Take for example Microsoft spying on everyone through their [closed source](../closedsource/index.md) software Windows 10, or Apple spying on their users through their MacOS closed-source software, The US government is very open about it (see [FISA 702](https://www.dni.gov/files/icotr/Section702-Basics-Infographic.pdf)). + +In this current world we live in, Surveillance is nearly omnipresent, where there is a business involved, and especially closed-source software, Surveillance is right there. + +![](../opsec/4.png) + +Here's an example where Bob (which represents nearly 99% of the people out there) is being spied on by: + + 1. Microsoft (because Bob uses Windows) + + 2. Google (because he uses Google and Google Chrome) + + 3. Bob's ISP (because he doesn't use a VPN nor Tor) + + + + +If Bob were to do something sketchy using his computer, **Law Enforcement would obtain all the information they need to know what Bob did, because he used Windows, Google Chrome, and no VPN/Anonymization network**. + +And it does not stop there, even when LE is not involved, **politicians can also request and pay to get private user data** , at the discretion of those large companies that specialize on infringing upon users' privacy for their own profit [(see the cambridge analytica scandal)](https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal). + +Your personal data is being sold by large corporations, for their own profit, and your consent is of no concern to them. + +## **The Panopticon, Myth or Reality ?** + +The Panopticon originally was a prison building design, which was designed by the social theorist Jeremy Bentham in the 18th century, where the core concept revolved around making all prisoners to be observed by a single cop, **without the inmates being able to know wether or not they are being watched**. + +![](2.png) + +The idea is that every inmate, since they don't know wether or not they are being watched, **they would have to assume that they were under constant surveillance, forcing all of them to behave at their best** , even if the cop is not looking in their direction. + +Now you probably get where i'm trying to go with this, **this is the narrative that governments are trying to push, that everyone's actions are under constant surveillance, that everyone must behave at their best at all times if they don't want to end up in jail.** And how convenient it must be for those governments, they have the vast majority of their populations giving away their privacy in the name of convenience by using closed-source software on their phones, on their computers, on their laptops, on their routers, etc. + +**If privacy doesn't matter, i hope you won't mind me installing a camera in your bedroom, filming you 24/7 right ?** + +![](3.png) + +For some reason, it is as if everyone is accepting the panopticon narrative as if it was normal, that everything they do is anyway being watched by big brother and for some reason that's supposed to be ok. Exhibitionism definitely isn't my thing, but governments and law enforcement certainly are into voyeurism, as it helps them prosecute whoever they don't like, to try and preserve the control they have over the masses. + +**The panopticon myth ends where you decide to put the effort to restore your privacy** , you could simply pull over the blinds to prevent outsiders from looking at what you're doing in your bedroom, but there are a myriad of things you have to do to protect your privacy online. **It is all up to you if you are willing to put the effort to get it, or not.** + +## **Why is Privacy Important?** + +Ask yourself this simple question: **"Who should be aware of what i do ?"** + +Let's take the most common example you can encounter: **"Should a company (such as Microsoft) be able to spy on what I do with my computer ?"** + +How many people are we talking about exactly ? How big is Microsoft Corporation ? How many of them can see what you do with your computer ? + +![](1.png) + +In other words, **are you ok with having an entire crowd being aware of your actions ?** + +You better be a good speaker if that is the intent, remain aware that **you are stepping up on a stage for many people to see what you are doing, when using closed-source software.** + +Is that normal to you ? Do you like putting your every action on display for everyone to see ? + +If your answer to that question is no, **Then it's time for you to close the curtains, so that this crowd can't see anymore.** To close the curtain, you need to stop using [closed-source software](../closedsource/index.md). + diff --git a/privatesimplex/0.png b/privatesimplex/0.png new file mode 100644 index 0000000..891ab31 Binary files /dev/null and b/privatesimplex/0.png differ diff --git a/privatesimplex/1.png b/privatesimplex/1.png new file mode 100644 index 0000000..38d57be Binary files /dev/null and b/privatesimplex/1.png differ diff --git a/privatesimplex/10.png b/privatesimplex/10.png new file mode 100644 index 0000000..e8f44a2 Binary files /dev/null and b/privatesimplex/10.png differ diff --git a/privatesimplex/11.png b/privatesimplex/11.png new file mode 100644 index 0000000..834aa72 Binary files /dev/null and b/privatesimplex/11.png differ diff --git a/privatesimplex/12.png b/privatesimplex/12.png new file mode 100644 index 0000000..d0ec298 Binary files /dev/null and b/privatesimplex/12.png differ diff --git a/privatesimplex/13.png b/privatesimplex/13.png new file mode 100644 index 0000000..8a6d94e Binary files /dev/null and b/privatesimplex/13.png differ diff --git a/privatesimplex/14.png b/privatesimplex/14.png new file mode 100644 index 0000000..8780945 Binary files /dev/null and b/privatesimplex/14.png differ diff --git a/privatesimplex/15.png b/privatesimplex/15.png new file mode 100644 index 0000000..b59b661 Binary files /dev/null and b/privatesimplex/15.png differ diff --git a/privatesimplex/16.png b/privatesimplex/16.png new file mode 100644 index 0000000..9730ff3 Binary files /dev/null and b/privatesimplex/16.png differ diff --git a/privatesimplex/2.png b/privatesimplex/2.png new file mode 100644 index 0000000..bcd4d7c Binary files /dev/null and b/privatesimplex/2.png differ diff --git a/privatesimplex/20.png b/privatesimplex/20.png new file mode 100644 index 0000000..6e34748 Binary files /dev/null and b/privatesimplex/20.png differ diff --git a/privatesimplex/21.png b/privatesimplex/21.png new file mode 100644 index 0000000..0e8a4cd Binary files /dev/null and b/privatesimplex/21.png differ diff --git a/privatesimplex/22.png b/privatesimplex/22.png new file mode 100644 index 0000000..ed63382 Binary files /dev/null and b/privatesimplex/22.png differ diff --git a/privatesimplex/3.png b/privatesimplex/3.png new file mode 100644 index 0000000..32341d5 Binary files /dev/null and b/privatesimplex/3.png differ diff --git a/privatesimplex/4.png b/privatesimplex/4.png new file mode 100644 index 0000000..51d825d Binary files /dev/null and b/privatesimplex/4.png differ diff --git a/privatesimplex/5.png b/privatesimplex/5.png new file mode 100644 index 0000000..a5f554e Binary files /dev/null and b/privatesimplex/5.png differ diff --git a/privatesimplex/6.png b/privatesimplex/6.png new file mode 100644 index 0000000..9fe841b Binary files /dev/null and b/privatesimplex/6.png differ diff --git a/privatesimplex/7.png b/privatesimplex/7.png new file mode 100644 index 0000000..9639de3 Binary files /dev/null and b/privatesimplex/7.png differ diff --git a/privatesimplex/8.png b/privatesimplex/8.png new file mode 100644 index 0000000..74ea1a4 Binary files /dev/null and b/privatesimplex/8.png differ diff --git a/privatesimplex/9.png b/privatesimplex/9.png new file mode 100644 index 0000000..46d3162 Binary files /dev/null and b/privatesimplex/9.png differ diff --git a/privatesimplex/index.md b/privatesimplex/index.md new file mode 100644 index 0000000..f57a5bb --- /dev/null +++ b/privatesimplex/index.md @@ -0,0 +1,376 @@ +--- +author: XMRonly +date: 2025-04-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/61" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# Easy Private Chats - SimpleX + +![](0.png) + +## **Introduction** + +Online communication is one of the most ubiquitous activities on all of the internet. From newsletters, corporate emails and even down to instant messaging with friends, its spread cannot be denied. With such wide reach, it would seem very important to protect these communication channels, yet this is almost an after-thought for most mainstream messengers. Platforms with millions of users market their services with the latest buzz words yet close-source their protocols leaving users with a "trust me bro". With so many options to choose from how can we best decide which app to use? In this article we'll compare a few options (Telegram, Signal and SimpleX) to see how their technical details stack up and determine which is best for easy private chats. + + + +## **Overview of Telegram, Signal and SimpleX** + +Telegram is a very popular messaging app that boasts close to [1 billion](https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/) active users worldwide. With support for massive chatrooms, Telegram is almost more akin to social media than to a traditional messaging app. Many companies offer news, updates, and support through their official Telegram channels making it a very convenient place for users to stay up to date with various interests. Due to its strong stance on free speech, Telegram built a reputation for not cooperating with law enforcement investigations. However, after the arrest of CEO Pavel Durov in part relating to Telegram's refusal hand over user data in lawful orders, Telegram changed their [privacy policy](https://files.catbox.moe/988lhl.png) to say they may share user phone numbers and IP addresses and indeed have [done so](https://www.404media.co/telegram-confirms-it-gave-u-s-user-data-to-the-cops/). Telegram supports E2EE but this is not enabled by default, which is probably its most significant drawback. + +Signal is a champion for user freedom and its state-of-the-art security is the foundation upon which other chat applications are built. Signal is very intuitive to use, supporting all of the usual text/image/voice/video/etc features that users expect. Unlike Telegram, Signal is E2EE by default and the only information it knows about users are their phone number and time of registration. Numerous [court orders](https://signal.org/bigbrother/) have solidified how Signal has nothing else to hand over to law enforcement. The phone number requirement for SMS verification, while concretely a drawback if not [acquired anonymously](https://blog.nowhere.moe/opsec/anonsms/index.md), is an intentional decision for Signal's target audience (normies) as everyday users can be notified if other stored contacts join Signal. + +SimpleX is a relative newcomer on the scene and has a unique angle in that there are no user identifies of any kind. As such, users can create unlimited profiles (and even hidden profiles to improve plausible deniability) and connect with others anonymously. Unlike Signal, SimpleX supports native onion routing as well as the ability to self-host servers. Because of its default E2EE, servers are not able to see message contents and self-hosted servers can be shared with others, contributing to decentralization and thus making SimpleX more resilient. SimpleX's founder, in an [interview](https://www.wired.com/story/neo-nazis-flee-telegram-encrypted-app-simplex/), implied that SimpleX sees no information about its users but since it is new, it remains to be seen how they would respond to actual court orders. SimpleX has received some criticism for its reliance on Venture Capital to establish itself while it works to develop a business model. + +A comparison from [privacyspreadsheet.com](https://privacyspreadsheet.com/messaging-apps) has a breakdown of all the technical details. + +![](1.png) + +When selecting a messaging app, certain [OPSEC criteria](https://blog.nowhere.moe/opsec/anonsimplex/index.md) should be considered. + +Privacy: +1\. The application is free and open source (FOSS). +2\. The application is end-to-end-encrypted by default (E2EE). +3\. The application allows self-hosting our own servers (Decentralization). +Anonymity: +1\. The application supports Tor servers out of the box (Onion Routing). +2\. The application requires no sign-up information (Emails, Usernames, Phone Numbers). +3\. The application allows joining chatrooms without revealing our identity (Incognito Mode). +Deniability: +1\. The application allows disappearing messages (Plausible Deniability). +2\. The application allows creation/deletion of multiple profiles (Plausible Deniability). +3\. The application allows hidden profiles (Plausible Deniability). + +From the above comparison, we can see that only SimpleX meets all of the criteria. While we only focus on Privacy in this article, it doesn't hurt to have the other benefits of Anonymity and Plausible Deniability. + +## **SimpleX Desktop** + +To download Simplex Desktop, you can go on [https://simplex.chat/](https://simplex.chat) + +![](20.png) + +Then you can download the appimage here: + +![](21.png) + +And lastly once downloaded, you can simply make a shortcut with it and make sure it's executable: + + + [ localhost ] [ /dev/pts/10 ] [~] + → cd .mullvad-browser/Downloads + + [ localhost ] [ /dev/pts/10 ] [~/.mullvad-browser/Downloads] + → ls + simplex-desktop-x86_64.AppImage + + [ localhost ] [ /dev/pts/10 ] [~/.mullvad-browser/Downloads] + → mv simplex-desktop-x86_64.AppImage ~/Desktop/ (1) + [ localhost ] [ /dev/pts/10 ] [~/.mullvad-browser/Downloads] + → sudo ln -s ~/Desktop/simplex-desktop-x86_64.AppImage /usr/bin/simplex + + [ localhost ] [ /dev/pts/10 ] [~/.mullvad-browser/Downloads] + → which simplex (130) + /usr/bin/simplex + + [ localhost ] [ /dev/pts/10 ] [~/.mullvad-browser/Downloads] + → simplex + + + +And from there you'll land in the simplex chat app: + +![](22.png) + +Now if you're a tinfoil hatter, **you may not trust the binaries being distributed by simplex, and you might want to compile it yourself, which is also possible** , so let's showcase how you can do that aswell: + + + $ apt install docker.io -y + $ docker run --rm --privileged --name simplex-builder --device /dev/fuse -it ubuntu:22.04 bash + + $ apt update && + apt upgrade -y && + DEBIAN_FRONTEND=noninteractive apt install -y git \ + curl \ + build-essential \ + libffi-dev \ + libgmp-dev \ + zlib1g-dev \ + libssl-dev \ + patchelf \ + openjdk-17-jdk \ + cmake \ + desktop-file-utils \ + wget \ + fuse \ + android-sdk \ + sdkmanager \ + file && + + curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | BOOTSTRAP_HASKELL_NONINTERACTIVE=1 BOOTSTRAP_HASKELL_GHC_VERSION=9.6.3 BOOTSTRAP_HASKELL_CABAL_VERSION=3.10.2 BOOTSTRAP_HASKELL_INSTALL_NO_STACK=1 sh && + cat /root/.ghcup/env >> /root/.bashrc && + source /root/.bashrc && + git clone https://github.com/simplex-chat/simplex-chat.git && + cd ./simplex-chat && + git checkout v6.3.2 && + + cabal build all && + echo "ignore-project: False" >> cabal.project.local && + echo "package direct-sqlcipher" >> cabal.project.local && + echo " flags: +openssl" >> cabal.project.local && + ./scripts/desktop/build-lib-linux.sh && + + sed -i s/'":android", '// ./apps/multiplatform/settings.gradle.kts && + cd ./apps/multiplatform && + ./gradlew createDistributable && + ../../scripts/desktop/make-appimage-linux.sh + + +Then copy the compiled simplex-desktop.appimage out of the ubuntu docker container: + + + $ docker cp simplex-builder:/simplex-chat/apps/multiplatform/release/main/SimpleX_Chat-x86_64.AppImage + + + +Then make sure the appimage is executable and do the following libjpeg.so.8 workaround below to avoid having issues with the client itself: + + + $ chmod +x SimpleX_Chat-x86_64.AppImage + $ ./SimpleX_Chat-x86_64.AppImage --appimage-extract + $ find squashfs-root/ | grep libjpeg + squashfs-root/usr/lib/app/resources/vlc/vlc/plugins/codec/libjpeg_plugin.so + squashfs-root/usr/lib/app/resources/vlc/vlc/plugins/codec/libjpeg_plugin.la + squashfs-root/usr/lib/app/resources/vlc/libjpeg.so.8 + + + +Then set the LD_LIBRARY_PATH manually to make it find the libjpeg.so.8 library, to run the binary: + + + $ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/oxeo/squashfs-root/usr/lib/app/resources/vlc ./SimpleX_Chat-x86_64.AppImage + + + +(edit the path accordingly, for me it was the following): + + + $ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/nihilist/simplexbuilder/squashfs-root/usr/lib/app/resources/vlc ./SimpleX_Chat-x86_64.AppImage + + + +And from there you'll also end up with a functional simplex binary to use, in case if you don't trust simplex.chat and want to compile it yourself: + +![](22.png) + +## **Using SimpleX** + +To also showcase how to use SimpleX from mobile, we'll be installing it from [F-Droid](https://f-droid.org/packages/chat.simplex.app/). Search for the app and then click Install. Navigate through the setup process, choose a username and click Create your profile. + +![](2.png) + +With your profile complete, it's time to create a private group chat. Click on the pencil icon at the bottom of the screen and select Create group. Give your group a name and click Create group. Finally, skip inviting members for now. + +![](3.png) + +Click on the group name to see some options. Click on Create group link. Finally, share the group link with your friends out-of-band. + +![](4.png) + +Once your friends connect, you can start messaging. + +![](5.png) + +Out of the box, SimpleX works perfectly fine. However, more advanced users may wish to tweak a few settings or self-host their own servers. + +## **Self-Hosting SimpleX Servers** + +### Requirements + +1\. A VPS running Debian 12 (or Ubuntu 22.04) +2\. A domain name (or subdomain) + +To start, we will need a domain name. A subdomain such as a free one obtained from **https://freedns.afraid.org** will also work. Create A record entries for smp.yourdomain.tld and xftp.yourdomain.tld and point them at the IP address of your VPS. + +![](6.png) + +We will SSH into our VPS and set up our environment. + + + ~ ❯ torsocks ssh root@145.223.79.150 + The authenticity of host '145.223.79.150 (145.223.79.150)' can't be established. + ED25519 key fingerprint is SHA256:AGZHyLpidaSu+ZE3cLFZ3KWxQq3Mx9rDH+HLVNF/okc. + This key is not known by any other names. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '145.223.79.150' (ED25519) to the list of known hosts. + root@145.223.79.150's password: + Linux srv636770 6.1.0-26-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Wed Nov 20 21:05:02 2024 from 185.220.101.103 + root@srv636770:~# + + + +Once connected, we will follow the [official instructions](https://docs.docker.com/engine/install/debian/) to install Docker. Run: + + + # Add Docker's official GPG key: + apt update + apt install -y ca-certificates curl gnupg openssl vim + install -m 0755 -d /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg + chmod a+r /etc/apt/keyrings/docker.gpg + + # Add the repository to Apt sources: + echo \ + "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ + "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ + tee /etc/apt/sources.list.d/docker.list > /dev/null + apt update + + + +With the Docker apt repositories out of the way, install the Docker packages: + + + apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + + + +OPTIONAL: You can test everything is working up to this point by a deploying a test container to see some output. Run: + + + docker run hello-world + + + +We will now set up a docker-compose.yml file with all the build instructions: + + + vim docker-compose.yml + + + +Copy/paste the following and change the **ADDR** fields to your domain. +HINT: It's **p** to paste in vim, then **ESC :wq** to write changes and quit the file. + + + networks: + simplex: + + services: + simplex-smp-server: + image: simplexchat/smp-server:v6.0.6 + container_name: simplex-smp + restart: unless-stopped + ports: + - "5223:5223" + volumes: + - ./simplex/smp/config:/etc/opt/simplex:Z + - ./simplex/smp/logs:/var/opt/simplex:Z + environment: + - ADDR=smp.xmronly.us.to + # - PASS=${SIMPLEX_PASSWORD} #for non public servers + networks: + - simplex + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + + simplex-xftp-server: + image: simplexchat/xftp-server:v6.1.3 + container_name: simplex-xftp + ports: + - "443:443" + restart: unless-stopped + volumes: + - ./simplex/xftp/config:/etc/opt/simplex-xftp:Z + - ./simplex/xftp/logs:/var/opt/simplex-xftp:Z + - ./simplex/xftp/files:/srv/xftp:X + environment: + - ADDR=xftp.xmronly.us.to + - QUOTA=10gb #change to set your own quota + networks: + - simplex + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + + + +A note about versioning: at the time of writing, there was an open [issue](https://github.com/simplex-chat/simplexmq/issues/1373) with the "latest" (v6.1.3) tag and HTTPS credentials for the SMP server. The most recent working version for the SMP server (v6.0.6) was definitively tagged here and the "latest" version for XFTP server (v6.1.3) was also definitively tagged to ensure working builds with the presented instructions. For reference, the "latest" version used in the [HackLiberty](https://forum.hackliberty.org/t/simplex-server-docker-installation-guide-smp-xftp/140) documentation for June 1st, 2024 is v5.8.0-beta.6 which is now several security fixes behind. + +Everything is now ready to be deployed. Run: + + + docker compose up -d + + + +Run the following command to see the SMP and XFTP server addresses: + + + echo "smp://$( <__/b> tags of your text so that the reader's eye is immediately drawn to what matters most. + +Now that you laid out the Why, you of course tell them what the best option is, and then you're going to tell them **how they can implement it.** + + + Let's showcase how to install curtains, as it's the easiest and cheapest solution to prevent outsiders from seeing what you're doing in your bedroom. + + 1) buy it, + 2) then you attach it above your windows, using screws and screwing it into the wall, (warning, if you're living in an apartment, ask for your landlord's permission!) + 3) then you can move the curtain to prevent outsiders from peeking in + + + +But the thing is, we're not lazy blogwriters here, **talking about the path is not enough, you are expected to show the readers how you walk that path.** This is why the todolists for new blogposts are structured like so: + + + to be explained: (WHY + WHAT) + - + - + - + + to be showcased: (HOW) + - + - + - + - + + + +In the first part usually there is the to be explained section, where you tell the user why they should care, and what their options are, but afterward there usually is the "to be showcased" part. **In that part, you are expected to do a step-by-step tutorial of how to implement the solution** which means that you are literally implementing the solution yourself, for yourself, but showing everyone how you're doing it. + +Let's take a small todolist that is as follows: + + + to be showcased: + 1)Download grapheneOS (GUI digital step) + 2)Reboot the phone (Physical step) + 3)flash graphene OS on the phone (CLI digital step) + + + +` ![](51.png) + +Here we have a combination of the 3 possible types of steps you may be expected to showcase, a physical step, a GUI digital step, and a CLI digital step. + +The first step being a GUI digital step, you need to take a screenshot with arrows, to make it simple i recommend using flameshot like i explained above, to have screenshots like that: + +![](52.png) + +In the case of the physical step, you need to take a picture, and add arrows in it if needed, like so: + +![](../graphene/10.png) + +While editing the html file it will look like that (as you need to put the picture in the same folder as the tutorial you're editing): + + + <__img src="1.png"> + +If you want to reuse an image from another tutorial like i just did above (it's totally fine), but rather than copying the image from another tutorial and waste diskspace, you can simply reuse the image of another tutorial by adding ../tutorialfolder/ before the path of the image like so: + + + <__img src="../graphene/10.png"> + +and lastly if you have a CLI step to show, you need to simply copy paste the terminal output in the pre code blocks while still highlighting what's important like so: + + + <__pre> <__code class="nim"> + + nowhere#**./flash-all.sh** + Warning: skip copying bootloader_a image avb footer (bootloader_a partition size: 0, bootloader_a image size: 14125140). + Sending 'bootloader_a' (13794 KB) OKAY [ 0.364s] + Writing 'bootloader_a' (bootloader) Flashing pack version slider-14.5-11677881 + (bootloader) flashing platform gs101 + (bootloader) Validating partition ufs + (bootloader) Validating partition partition:0 + + [...] + + OKAY [ 3.089s] + Finished. Total time: 3.454s + Setting current slot to 'a' OKAY [ 0.058s] + Finished. Total time: 0.059s + Rebooting into bootloader OKAY [ 0.000s] + + [...] + + Sending sparse 'super' 11/13 (254972 KB) OKAY [ 6.618s] + Writing 'super' OKAY [ 0.950s] + Sending sparse 'super' 12/13 (254972 KB) OKAY [ 6.621s] + Writing 'super' OKAY [ 0.935s] + Sending sparse 'super' 13/13 (46284 KB) OKAY [ 1.216s] + Writing 'super' OKAY [ 0.204s] + Erasing 'userdata' OKAY [ 0.390s] + Erase successful, but not automatically formatting. + File system type raw not supported. + wipe task partition not found: cache + Erasing 'metadata' OKAY [ 0.007s] + Erase successful, but not automatically formatting. + File system type raw not supported. + Finished. Total time: 105.929s + Rebooting into bootloader OKAY [ 0.000s] + **Finished. Total time: 0.150s** + nowhere# + + <__/pre> <__/code> + +If there are parts of the commandline output that don't matter, just replace them with [...] in order to stick to what the user needs to see. + +And lastly, if you are someone that makes alot of spelling and grammar mistakes (like me, i know i'm guilty of that aswell), use LTEX+'s addon on vscodium (which is the FOSS version of vscode), it will setup a local LLM that will find your grammar and spelling mistakes: + + + wget -qO - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg \ + | gpg --dearmor \ + | sudo dd of=/usr/share/keyrings/vscodium-archive-keyring.gpg + + echo 'deb [ signed-by=/usr/share/keyrings/vscodium-archive-keyring.gpg ] https://download.vscodium.com/debs vscodium main' \ + | sudo tee /etc/apt/sources.list.d/vscodium.list + + sudo apt update && sudo apt install codium + + + +` ![](53.png) ![](54.png) ![](55.png) ![](56.png) ![](57.png) ![](61.png) ![](58.png) ![](59.png) ![](60.png) ![](62.png) + +Now using this addon you can find your typos more easily (as it highlights them for you), effectively helping you find and fix them, so if english isn't your first language **definitely make sure that you run LTEX+ once after you finished writing your article, so that you don't leave spelling mistakes behind.** + +**DISCLAIMER: a blogpost is NOT complete until it follows this quality standard** , if you find one that doesn't meet those requirements, do mention it on their [gitea issue](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/projects/1) or ping me directly about it on SimpleX. + +Same thing if you want to contribute a blogpost that does not meet these quality requirements, **_i do not care, it is NOT finished until it meets those requirements._** Do not be suprised if i refuse your blog contribution for weeks on end if it doesn't meet the requirements. It may take a little more time to do things properly, but at least you're not lowering the quality of the overall blog by following it. + diff --git a/qubesos/Screenshot From 2024-12-05 11-20-03.png b/qubesos/Screenshot From 2024-12-05 11-20-03.png new file mode 100755 index 0000000..bf8b0bd Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 11-20-03.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-26-38.png b/qubesos/Screenshot From 2024-12-05 16-26-38.png new file mode 100755 index 0000000..91276cb Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-26-38.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-28-18.png b/qubesos/Screenshot From 2024-12-05 16-28-18.png new file mode 100755 index 0000000..067d30b Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-28-18.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-28-40.png b/qubesos/Screenshot From 2024-12-05 16-28-40.png new file mode 100755 index 0000000..59c61be Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-28-40.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-28-51.png b/qubesos/Screenshot From 2024-12-05 16-28-51.png new file mode 100755 index 0000000..304f74e Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-28-51.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-29-00.png b/qubesos/Screenshot From 2024-12-05 16-29-00.png new file mode 100755 index 0000000..1d084e3 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-29-00.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-29-12.png b/qubesos/Screenshot From 2024-12-05 16-29-12.png new file mode 100755 index 0000000..c4f686a Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-29-12.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-29-23.png b/qubesos/Screenshot From 2024-12-05 16-29-23.png new file mode 100755 index 0000000..bf44a16 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-29-23.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-29-33.png b/qubesos/Screenshot From 2024-12-05 16-29-33.png new file mode 100755 index 0000000..b4520e1 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-29-33.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-29-47.png b/qubesos/Screenshot From 2024-12-05 16-29-47.png new file mode 100755 index 0000000..5b17c3a Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-29-47.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-29-57.png b/qubesos/Screenshot From 2024-12-05 16-29-57.png new file mode 100755 index 0000000..89dd6b2 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-29-57.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-39-09.png b/qubesos/Screenshot From 2024-12-05 16-39-09.png new file mode 100755 index 0000000..6575fc8 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-39-09.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-39-27.png b/qubesos/Screenshot From 2024-12-05 16-39-27.png new file mode 100755 index 0000000..42844c2 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-39-27.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-40-07.png b/qubesos/Screenshot From 2024-12-05 16-40-07.png new file mode 100755 index 0000000..aa2c7a2 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-40-07.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-40-34.png b/qubesos/Screenshot From 2024-12-05 16-40-34.png new file mode 100755 index 0000000..d175165 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-40-34.png differ diff --git a/qubesos/Screenshot From 2024-12-05 16-40-42.png b/qubesos/Screenshot From 2024-12-05 16-40-42.png new file mode 100755 index 0000000..0d01052 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 16-40-42.png differ diff --git a/qubesos/Screenshot From 2024-12-05 17-40-25.png b/qubesos/Screenshot From 2024-12-05 17-40-25.png new file mode 100755 index 0000000..78c87f1 Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 17-40-25.png differ diff --git a/qubesos/Screenshot From 2024-12-05 17-40-39.png b/qubesos/Screenshot From 2024-12-05 17-40-39.png new file mode 100755 index 0000000..54abc3e Binary files /dev/null and b/qubesos/Screenshot From 2024-12-05 17-40-39.png differ diff --git a/qubesos/index.md b/qubesos/index.md new file mode 100644 index 0000000..e8d8cb1 --- /dev/null +++ b/qubesos/index.md @@ -0,0 +1,148 @@ +--- +author: Prism Breaker +date: 2024-12-20 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/42" +xmr: 87iB34vdFvNULrAjyfVAZ7jMXc8vbq9tLGMLjo6WC8N9Xo2JFaa8Vkp6dwXBt8rK12Xpz5z1rTa9jSfgyRbNNjswHKTzFVh +--- +# Qubes OS guide + +Official site of Qubes OS + +When you land into this tutorial, I assume you already have some Linux experience, if not this might not be suitable for you, since Qubes OS is **not very user-friendly**. I recommend you to try some normal Linux distribution first [How to Install Linux as a beginner](../linux/index.md) + +Qubes OS is a very cutting edge OS that uses virtualization everywhere to compartmentalize your digital life. It is technically not a Linux distribution, it is built on Xen which is a type 1 hypervisor that runs on bare metal, + +First you have Xen hypervisor booted at startup, then you get separate VM for all of your activities. Because all of your activities are separated by VM, one of them get hacked will not compromise the security of your entire system. It is like manage your personal pc like a server, that is why Qubes OS is a highly secure OS if used correctly + +If you want to dive into the tech details and concepts about Qubes, official document is the best place + + + +## **Comparison** + +Why you should use Qubes OS instead of xyz config I use? + +1.Easier network configuration + +Qubes OS is designed to have a basket of different VMs with different **trust level** , and has a very easy menu in GUI to manage the network of these VMs. Qubes OS also has built-in firewall function to stop unexpected leaks. In short, it is less likely for you to make mistakes in Qubes + +For example if you want to have many different network configs like below link to satisfy your different online identities, Qubes OS is the right tool. + +[Theories about building up your online identities](../internetsegmentation/index.md). Check this theory about online identities, with Qubes OS you can easily build up chains of vm for doing whatever you want, for example different combination of vpn/proxy/tor + +![](qubes-trust-level-architecture.png) + +A image that shows Qubes OS with different vm for different functions and identities + +2.Integrated Whonix + +Qubes OS integrate whonix gateway and workstation by default, thus tor browser works out of the box. You can also use whonix gateway to torrify applications that do not support tor and be guaranteed it is leakproof. You can achieve all of these with some clicks of buttons, and no complicated iptables needed + +For learning what is whonix + +3.Superior safety + +Xen is a hypervisor that has a much smaller codebase than vmware/virtual box/kvm, it is possible to read and audit the entire code base. Besides qubes OS also put networking and usb service stack into VM, this feature greatly increases your host OS security from malicious network and usb. The days when you just plug in a bad usb into your computer and it booms are gone! + +## **Installation preparation** + +If you decided to install and try Qubes OS, then you must pick the correct hardware, since Qubes OS is a very cutting edge OS you should expect some compatibility issues. + +For desktop PC actually you should not worry too much, I have installed Qubes OS on many intel/amd platforms, with all kinds of peculiar combination of cpu and gpu, it all works. As long as you are on a quite modern platform with common consumer gpu, you should be fine + +This is the official hardware compatibility list, but be aware it is definitely incomplete, since people runs Qubes OS without problem mostly do not bother to report their config + +For laptops, you should be careful, you better get a mainstream business laptop. I tried many installations on Lenovo or hp business laptops from recent years, they all worked fine. However, you should especially try to avoid laptops from non-traditional vendors like Xiaomi or whatever Chinese brand, and any gaming laptop with very peculiar gpu setup. + +Next thing is to download the installation ISO, go to their website and download + +![](Screenshot From 2024-12-05 11-20-03.png) + +Download the ISO and hash digest + +Next thing is to **verify** your ISO file is authentic, Qubes OS has a very detailed guide on how to do that so there is no need for me to build the wheel again + +I will paste the master key fingerprint here for comparison:**427F11FD0FAA4B080123F01CDDFA1A3E36879494** + +Next step is to find an usb, make sure it is at least 16GB, then find its path + + + $ sudo blkid + + +For example my usb is located at /dev/sda, then we use dd to burn the image into usb + + + $ sudo dd if=file_name.iso of=/dev/sda status=progress + + +Warning: dd is a low level tool aka **data destroyer** , check the parameters carefully and make sure parameters behind "of" points towards your usb, otherwise it might nuke your computer !!! + +## **Install** + +Next thing is to reboot into your computer and enter BIOS(EFI), this is different for every platform so you should find it out on google. + +You need to make two changes in BIOS basically, first you need to turn off secure boot(I know this is sad), but unfortunately secure boot and Xen did not work together on most consumer grade machines. I personally recommend only use qubes at home pc, or those so called "Qubes certified" laptops equipped with heads(What is heads : ) that can protect your boot partition and has anti-evil maid features . + +Next if you are on UEFI mode you need to enable "CSM". . You also need to find that in your bios menu, it should usually appear below boot options. This can fix a lot of potential troubles later + +Final thing is remembering to turn on vt-x or cpu virtualization support, since this is needed for Qubes. Check your bios, if there is a setting called IOMMU, you also need to enable that + +For example, you can expect something look like this + +![](../linux/19.png) + +![](../linux/20.png) + +Finally, reboot and choose your usb as a boot device + +![](Screenshot From 2024-12-05 16-26-38.png) + +If things worked correctly, you should see a menu like this, just click enter and wait + +![](Screenshot From 2024-12-05 16-28-18.png) + +At this step, click "continue", if your computer is fully compatible and all bios settings are correct, you should see no warning message, otherwise go back to check bios again. If your computer is not some ancient stuff it should be compatible + +![](Screenshot From 2024-12-05 16-28-40.png) + +At this step you need to config the disk, click the installation destination + +![](Screenshot From 2024-12-05 16-29-00.png) + +If you are installing on a fresh drive just check the three areas on the pictures + +Next is to choose a disk encryption password, notice this is the password used to encrypt your disk and is the only thing protects you when FBI kicks your door, so make sure it is strong enough + +![](Screenshot From 2024-12-05 16-29-12.png) + +Select "delete all" and "reclaim space", make sure you **backed up** everything! + +![](Screenshot From 2024-12-05 16-29-23.png) + +Next create a user with password, this is the password you will use to unlock the screen + +![](Screenshot From 2024-12-05 16-29-33.png) + +Next choose "Begin Installation", and just wait until it is completed. + +## **Post Install Setup** + +You still cannot use your qubes at this step, since you need to run post install setup. + +![](Screenshot From 2024-12-05 16-40-34.png) + +These configs in most situation do not need to be changed, however if you are using wired connection you can make sys-net disposable, this increases your security a little bit. + +If you are using wireless network through a usb dongle you might need to choose "Use sys-net qube for both networking and USB devices" + +You can also enable system and template update over tor, but this will make it significantly slower for big updates. And there is no need to touch the advanced configuration. + +Click done and let the scripts run, do not interrupt it by closing your computer, it might seem unresponsive for a while. + +![](Screenshot From 2024-12-05 17-40-39.png) + +And finally we get our Qubes, in next tutorial we will start to compartmentalize our online activities by creating different qubes. + +Next tutorial : [How to use qubes for different online activities](../qubesosnetwork/index.md) + diff --git a/qubesos/qubes-trust-level-architecture.png b/qubesos/qubes-trust-level-architecture.png new file mode 100644 index 0000000..df5706d Binary files /dev/null and b/qubesos/qubes-trust-level-architecture.png differ diff --git a/qubesosnetwork/6.png b/qubesosnetwork/6.png new file mode 100644 index 0000000..69f3554 Binary files /dev/null and b/qubesosnetwork/6.png differ diff --git a/qubesosnetwork/QubesManager.png b/qubesosnetwork/QubesManager.png new file mode 100755 index 0000000..39e38ae Binary files /dev/null and b/qubesosnetwork/QubesManager.png differ diff --git a/qubesosnetwork/appvm.png b/qubesosnetwork/appvm.png new file mode 100644 index 0000000..6ddc917 Binary files /dev/null and b/qubesosnetwork/appvm.png differ diff --git a/qubesosnetwork/banking.png b/qubesosnetwork/banking.png new file mode 100755 index 0000000..ab63b30 Binary files /dev/null and b/qubesosnetwork/banking.png differ diff --git a/qubesosnetwork/copy_destination.png b/qubesosnetwork/copy_destination.png new file mode 100755 index 0000000..5c56359 Binary files /dev/null and b/qubesosnetwork/copy_destination.png differ diff --git a/qubesosnetwork/copy_in_vm.png b/qubesosnetwork/copy_in_vm.png new file mode 100755 index 0000000..9e09768 Binary files /dev/null and b/qubesosnetwork/copy_in_vm.png differ diff --git a/qubesosnetwork/create.png b/qubesosnetwork/create.png new file mode 100755 index 0000000..40c8a9f Binary files /dev/null and b/qubesosnetwork/create.png differ diff --git a/qubesosnetwork/destination_paste.png b/qubesosnetwork/destination_paste.png new file mode 100755 index 0000000..4997042 Binary files /dev/null and b/qubesosnetwork/destination_paste.png differ diff --git a/qubesosnetwork/disp_whonix.png b/qubesosnetwork/disp_whonix.png new file mode 100755 index 0000000..d4b6142 Binary files /dev/null and b/qubesosnetwork/disp_whonix.png differ diff --git a/qubesosnetwork/dom0_exec.png b/qubesosnetwork/dom0_exec.png new file mode 100755 index 0000000..e64e141 Binary files /dev/null and b/qubesosnetwork/dom0_exec.png differ diff --git a/qubesosnetwork/file_arrived.png b/qubesosnetwork/file_arrived.png new file mode 100755 index 0000000..dfcc6ad Binary files /dev/null and b/qubesosnetwork/file_arrived.png differ diff --git a/qubesosnetwork/file_await_transfer.png b/qubesosnetwork/file_await_transfer.png new file mode 100755 index 0000000..e44c879 Binary files /dev/null and b/qubesosnetwork/file_await_transfer.png differ diff --git a/qubesosnetwork/firewall-net.png b/qubesosnetwork/firewall-net.png new file mode 100755 index 0000000..40c9900 Binary files /dev/null and b/qubesosnetwork/firewall-net.png differ diff --git a/qubesosnetwork/firewall-qube.png b/qubesosnetwork/firewall-qube.png new file mode 100644 index 0000000..f23c734 Binary files /dev/null and b/qubesosnetwork/firewall-qube.png differ diff --git a/qubesosnetwork/firewall-service.png b/qubesosnetwork/firewall-service.png new file mode 100755 index 0000000..ef5769f Binary files /dev/null and b/qubesosnetwork/firewall-service.png differ diff --git a/qubesosnetwork/index.md b/qubesosnetwork/index.md new file mode 100644 index 0000000..9a2c626 --- /dev/null +++ b/qubesosnetwork/index.md @@ -0,0 +1,244 @@ +--- +author: Prism Breaker +date: 2024-12-20 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 87iB34vdFvNULrAjyfVAZ7jMXc8vbq9tLGMLjo6WC8N9Xo2JFaa8Vkp6dwXBt8rK12Xpz5z1rTa9jSfgyRbNNjswHKTzFVh +--- +# How to navigate qubes OS and segment your internet uses + +In this tutorial we will set up the environment for public, private and anonymous online identities, and how to use qubes os. + +If you are still not familiar with the identity model please check this link [Theories about building up your online identities](../internetsegmentation/index.md) + + + +## **Some glossary** + +For Qubes OS there are something you need to know, otherwise you will be really confused when using the OS + +0.Xen: Everything that Qubes OS built on this, a type 2 hyervisor + +1.qube: That is basically a vm, each qube is intended to do a single task for isolation. But it is not quite like the common vm you used to see on vmware or virtualbox + +2.dom0: This is the admin vm, it is still a vm, but it is very special vm with all the tools to control the entire machine. It never connects to the network and no files from other qubes should touch it, once it gets compromised you are done + +![](structure.png) + +3.Template VM: Template VM is like the concept of "class" in programming language, you will install all the applications you like in template vm, and appvm will simply share the root partition with the template vm, so appvm only needs to keep its own /home directory, this greatly saves disk space and time you spent on software update. + +Template VM do not connect to network by default for safety, since if they are compromised all the app vm spawned by them are also done. Updates are conducted through a special proxy so attack surface is minimized + +4.App VM: Lightweight VM spawned from template VM, any changes done to root partition will not persist across boot, it is meant to only use software installed from template VM and save your work in /home + +![](appvm.png) + +5.PVH: a para virtualization mode, which means some costly actions are not performed in the vm, instead they are done in the host through a special interface to make vm runs faster + +Most qubes will run under PVH mode + +6.HVM: Full virtualization, no host assistance. Only used in situation where PCI passthrough is required, or you installed your own special qube like windows + +7.Disposable VM: This is a special App VM, it is spawned from a disposable VM template every time when needed, but is destroyed immediately after the task without anything being saved. Ideal for performing some known dangerous activities + +8.PCI passthrough: By default qubes OS qube do not touch any peripheral devices for example usb or network card, if you want some qube to do something with the hardware, you need to do a PCI passthrough. For example if you want to setup a network qube you need to pass through the network adapter + +9.Standalone qube: These are the qubes that do not depend on template vm, you either copied it from a template or installed it yourself + +This is all the basic concepts you need to know, now we start our exploration + +## **Network blueprint** + +Qubes already comes with many default qubes, you can find them inside the qubes manager + +On the desktop, right click and choose "Open terminal here", you will get a terminal in dom0 + +![](terminal.png) + +Input "qubes-qube-manager", and click enter you will get the qubes manager + +![](manager.png) + +Now we are going to explain these default qubes + +0.Template qubes + +Qubes with the name "debian-12-xfce", "fedora-40-xfce", "whonix*" are template vms, you can install software in these template qubes, and use them in the app qubes + +1.sys-usb + +![](usb-qube.png) + +A qube that did not connect to network, and is responsible for providing **usb service** only, if you have usb keyboard or mouse it might also proxy the input for you. In some circumstances when you have an usb wifi dongle it also becomes the factual network qube + +This is installed by default and is a disposable vm + +1.sys-net + +![](net-qube.png) + +This is where everything starts, you need to passthrough your Ethernet adapter(wired or wireless) to a qube, and that qube will be used to as a first part in the network chain + +Since it is directly in contact with network adapter and the routers, it should be considered as untrusted because it is exposed to a lot of uncertain stuff + +It is installed by default and only intended to be used as a **basic router** and nothing else + +2.sys-firewall + +The qube that separate the rest of your network chain from the sys-net for better security, and it is also the qube that **enforces firewall** rules if you have vpn qube directly behind it. + +If you have any public identity it is best to directly connect it to sys-firewall, for example online banking + +![](firewall-qube.png) + +Each qube can select its own network qube, if none is selected it will not have internet at all. sys-firewall here set sys-net as its network qube + +![](firewall-net.png) + +And any qube provides network service need to enable **provides network** in advanced tab below "Run in debug mode" + +![](firewall-service.png) + +Any qube directly connect to sys-firewall will have your home isp ip address, best suited for public activity, for example online banking + +3.vpn qube + +A qube setup with vpn profile, redirect all the traffic to your designated vpn server. Ideal for providing a **pseudonymous** identity. If applied with firewall rules it can be guaranteed leakproof + +Qubes OS works fine with wireguard and openvpn cli programs, but for vpn vendor's own gui there might be problems, sometimes those apps break the dns setup in qubes + +Mullvad has a very detailed tutorial on how to setup a vpn qube . However, iptables mentioned in it is already deprecated by Qubes, but it still works without DNS hijack config. + +![](vpn-qube.png) + +If you have any pseudonymous activities it is best to connect behind vpn qube, for example torrenting + +4.whonix qubes + +Whonix is the best part of qubes, it makes tor very easy to use. Whonix qubes consists of two parts, first is whonix gateway, which onionize all the network traffic behind it. Whonix workstation is a workstation specifically tuned for anonymity, and is usually disposable for increased security + +You can also hook up other non workstation qubes behind whonix gateway in rare circumstances, for example a windows qube, but you should be careful and should have a specialized gateway qube only for this. + +This is the ideal place for all the high risk activities like all the **darknet** stuff + +You might choose to wheter or not to put whonix gateway behind a vpn + +![](whonix-qube.png) + +## **Setup the vm according to network blueprint** + +Now we are about to setup the qubes according to the previous network blueprint, we are about to setup a banking vm, torrent vm, and darknet vm + +And they fit in different places of our network identity threat model obviously + +![](threat_level.png) + +**Public Use: Banking VM** + +In a public use setup, you can run closed source software, or access service that is directly tied to your real life identity. + +Let's go back to our qubes manager, click "New qube" in the top left corner + +![](create.png) + +First name it as "banking", and we assign it with **Yellow** tag, since it is for banking identities, so yellow is a medium trust score for me. Color tag is a very important feature of qubes, every qube has its own color tag for avoiding you accidentally type something sensitive in a insecure vm. Dom0 always has the special **White** tag + +For Type and Template I just leave it as AppVM and fedora-40-xfce, since this is exactly what I want + +For networking, I choose "sys-firewall", since I want my bank to see my home ip address instead of my vpn ip and get my account banned + +Now click ok and the qube will be created, you can find your qube app menu on the top left **Q** icon, then we can open firefox and start banking + +![](banking.png) + +**Private use: Torrent VM** + +In a private use setup, you should only use FOSS software, and use a vpn service for hiding your home ip + +First we start a template vm, for example debian in this case, and install transmission + +![](template_install.png) + +After installation enter "sudo poweroff" to shut down the qube, make sure it is shutdown, since your changes in template qube only get reflected when it is shutdown **at least once!** + +Next go back to qubes manager, and create a new qube called torrent, I assume you already set up a vpn qube according to the mullvad tutorial mentioned above + +![](torrent_vm.png) + +First give it a name called "torrent", and I personally think this qube has a medium trust score, so it is given a yellow tag. + +We still leave it as appvm, and choose template as debian, since this is the template we just installed transmission + +Most importantly set the networking to **vpn qube** you just setup, if you do not want DMCA notice get sent to your home. Then click ok, and the qube will be created + +For accessing transmission app easily, we will add the transmission app into our "Q" menu which is in the top left corner + +Right click the torrent qube in the manager, choose "settings", and choose "application" + +![](torrent_transmission.png) + +Find "Transmission" on the left, click it, and click the ">" icon in the middle, then click ok. Now transmission will be visible in the app menu + +![](transmission_on.png) + +Now happy torrenting + +**Anonymous use: Darknet VM** + +Same as private setup, but you should use tor instead of vpn + +Here we use whonix workstation to access dread for exploring the darknet + +If you follow the default setting during the installation config, you should have disposable whonix workstation installed by default, which means we do not need to create anything + +Try to find something named "whonix-workstation-17-dvm" in the qubes Q menu, click "Tor Browser(AnonDist)", and you will get a disposable vm running tor browser. This is great since anything happen inside this vm get destroyed after you shut down the browser + +![](whonix_dread.png) + +If you see something as **disp** on the vm windows title, then you are on a disposable vm, congrats! + +## **Tips** + +There are some tricky problems about qube, like how to copy and paste text between qubes, and how to transfer files, or how to use usb. + +For copy text, there is a master pasteboard in dom0, once you copy some text normally inside a qube, click shift+ctrl+c, then the text get transferred to the master pasteboard, and go to the vm you want to paste, click shift+ctrl+v, then the text is inside the clipboard of your destination vm + +![](copy_in_vm.png) + +For example you first copy some text inside a vm, then click SHIFT+CTRL+C + +![](master_pasteboard.png) + +Then you will see a message about Global Clipboard + +Go to your destination vm and click CTRL+SHIFT+V, then you will see a message says Global Clipboard wiped + +![](master_pasteboard_wiped.png) + +Then just paste as normal + +![](destination_paste.png) + +![](text_arrived.png) + +For copying file between vm you need to use qvm-copy command inside the vm + +First we created a test file called "new_file" + +![](file_await_transfer.png) + +Then we use "qvm-copy" command, and choose "banking" vm in the dom0 prompt. + +`qvm-copy new_file` + +![](copy_destination.png) + +Then you can see the new_file in banking vm + +![](file_arrived.png) + +Files from other VM are all located inside **~/QubesIncoming** + +Other stuff are inside the official document, no need to rebuild the wheels again + +[All the qubes "how to" guide](https://www.qubes-os.org/doc/getting-started/) + diff --git a/qubesosnetwork/manager.png b/qubesosnetwork/manager.png new file mode 100755 index 0000000..da77fbc Binary files /dev/null and b/qubesosnetwork/manager.png differ diff --git a/qubesosnetwork/master_pasteboard.png b/qubesosnetwork/master_pasteboard.png new file mode 100755 index 0000000..83214c4 Binary files /dev/null and b/qubesosnetwork/master_pasteboard.png differ diff --git a/qubesosnetwork/master_pasteboard_wiped.png b/qubesosnetwork/master_pasteboard_wiped.png new file mode 100755 index 0000000..2b5c99b Binary files /dev/null and b/qubesosnetwork/master_pasteboard_wiped.png differ diff --git a/qubesosnetwork/net-qube.png b/qubesosnetwork/net-qube.png new file mode 100644 index 0000000..b337bd9 Binary files /dev/null and b/qubesosnetwork/net-qube.png differ diff --git a/qubesosnetwork/structure.png b/qubesosnetwork/structure.png new file mode 100644 index 0000000..6e88b4b Binary files /dev/null and b/qubesosnetwork/structure.png differ diff --git a/qubesosnetwork/template_install.png b/qubesosnetwork/template_install.png new file mode 100755 index 0000000..cc7bdb4 Binary files /dev/null and b/qubesosnetwork/template_install.png differ diff --git a/qubesosnetwork/template_shutdown.png b/qubesosnetwork/template_shutdown.png new file mode 100755 index 0000000..02fb187 Binary files /dev/null and b/qubesosnetwork/template_shutdown.png differ diff --git a/qubesosnetwork/terminal.png b/qubesosnetwork/terminal.png new file mode 100755 index 0000000..f0bb709 Binary files /dev/null and b/qubesosnetwork/terminal.png differ diff --git a/qubesosnetwork/text_arrived.png b/qubesosnetwork/text_arrived.png new file mode 100755 index 0000000..8ddadcd Binary files /dev/null and b/qubesosnetwork/text_arrived.png differ diff --git a/qubesosnetwork/threat_level.png b/qubesosnetwork/threat_level.png new file mode 100644 index 0000000..0e77c68 Binary files /dev/null and b/qubesosnetwork/threat_level.png differ diff --git a/qubesosnetwork/torrent_transmission.png b/qubesosnetwork/torrent_transmission.png new file mode 100755 index 0000000..714f674 Binary files /dev/null and b/qubesosnetwork/torrent_transmission.png differ diff --git a/qubesosnetwork/torrent_vm.png b/qubesosnetwork/torrent_vm.png new file mode 100755 index 0000000..58c429f Binary files /dev/null and b/qubesosnetwork/torrent_vm.png differ diff --git a/qubesosnetwork/transmission_on.png b/qubesosnetwork/transmission_on.png new file mode 100755 index 0000000..c758135 Binary files /dev/null and b/qubesosnetwork/transmission_on.png differ diff --git a/qubesosnetwork/usb-qube.png b/qubesosnetwork/usb-qube.png new file mode 100644 index 0000000..aecdf4f Binary files /dev/null and b/qubesosnetwork/usb-qube.png differ diff --git a/qubesosnetwork/vpn-qube.png b/qubesosnetwork/vpn-qube.png new file mode 100644 index 0000000..c9e027f Binary files /dev/null and b/qubesosnetwork/vpn-qube.png differ diff --git a/qubesosnetwork/whonix-qube.png b/qubesosnetwork/whonix-qube.png new file mode 100644 index 0000000..a0d08a2 Binary files /dev/null and b/qubesosnetwork/whonix-qube.png differ diff --git a/qubesosnetwork/whonix-usage.png b/qubesosnetwork/whonix-usage.png new file mode 100755 index 0000000..7b21f1b Binary files /dev/null and b/qubesosnetwork/whonix-usage.png differ diff --git a/qubesosnetwork/whonix_dread.png b/qubesosnetwork/whonix_dread.png new file mode 100755 index 0000000..ac7b450 Binary files /dev/null and b/qubesosnetwork/whonix_dread.png differ diff --git a/runtheblog/0.png b/runtheblog/0.png new file mode 100644 index 0000000..08dd54d Binary files /dev/null and b/runtheblog/0.png differ diff --git a/runtheblog/1.png b/runtheblog/1.png new file mode 100644 index 0000000..a73d777 Binary files /dev/null and b/runtheblog/1.png differ diff --git a/runtheblog/10.png b/runtheblog/10.png new file mode 100644 index 0000000..ba00972 Binary files /dev/null and b/runtheblog/10.png differ diff --git a/runtheblog/11.png b/runtheblog/11.png new file mode 100644 index 0000000..44d9360 Binary files /dev/null and b/runtheblog/11.png differ diff --git a/runtheblog/12.png b/runtheblog/12.png new file mode 100644 index 0000000..0e71ae6 Binary files /dev/null and b/runtheblog/12.png differ diff --git a/runtheblog/13.png b/runtheblog/13.png new file mode 100644 index 0000000..67b1cf2 Binary files /dev/null and b/runtheblog/13.png differ diff --git a/runtheblog/14.png b/runtheblog/14.png new file mode 100644 index 0000000..9a5f7ec Binary files /dev/null and b/runtheblog/14.png differ diff --git a/runtheblog/15.png b/runtheblog/15.png new file mode 100644 index 0000000..7ace391 Binary files /dev/null and b/runtheblog/15.png differ diff --git a/runtheblog/16.png b/runtheblog/16.png new file mode 100644 index 0000000..61505cb Binary files /dev/null and b/runtheblog/16.png differ diff --git a/runtheblog/17.png b/runtheblog/17.png new file mode 100644 index 0000000..887d392 Binary files /dev/null and b/runtheblog/17.png differ diff --git a/runtheblog/18.png b/runtheblog/18.png new file mode 100644 index 0000000..a624457 Binary files /dev/null and b/runtheblog/18.png differ diff --git a/runtheblog/19.png b/runtheblog/19.png new file mode 100644 index 0000000..6a73e9c Binary files /dev/null and b/runtheblog/19.png differ diff --git a/runtheblog/2.png b/runtheblog/2.png new file mode 100644 index 0000000..6a2ffba Binary files /dev/null and b/runtheblog/2.png differ diff --git a/runtheblog/20.png b/runtheblog/20.png new file mode 100644 index 0000000..1b3a674 Binary files /dev/null and b/runtheblog/20.png differ diff --git a/runtheblog/21.png b/runtheblog/21.png new file mode 100644 index 0000000..29e32c7 Binary files /dev/null and b/runtheblog/21.png differ diff --git a/runtheblog/22.png b/runtheblog/22.png new file mode 100644 index 0000000..b490197 Binary files /dev/null and b/runtheblog/22.png differ diff --git a/runtheblog/23.png b/runtheblog/23.png new file mode 100644 index 0000000..e9fa068 Binary files /dev/null and b/runtheblog/23.png differ diff --git a/runtheblog/24.png b/runtheblog/24.png new file mode 100644 index 0000000..938062f Binary files /dev/null and b/runtheblog/24.png differ diff --git a/runtheblog/25.png b/runtheblog/25.png new file mode 100644 index 0000000..2a8c6a6 Binary files /dev/null and b/runtheblog/25.png differ diff --git a/runtheblog/3.png b/runtheblog/3.png new file mode 100644 index 0000000..bf44f70 Binary files /dev/null and b/runtheblog/3.png differ diff --git a/runtheblog/4.png b/runtheblog/4.png new file mode 100644 index 0000000..5622a0f Binary files /dev/null and b/runtheblog/4.png differ diff --git a/runtheblog/5.png b/runtheblog/5.png new file mode 100644 index 0000000..30dce63 Binary files /dev/null and b/runtheblog/5.png differ diff --git a/runtheblog/6.png b/runtheblog/6.png new file mode 100644 index 0000000..95c7f8b Binary files /dev/null and b/runtheblog/6.png differ diff --git a/runtheblog/7.png b/runtheblog/7.png new file mode 100644 index 0000000..3cc8e89 Binary files /dev/null and b/runtheblog/7.png differ diff --git a/runtheblog/8.png b/runtheblog/8.png new file mode 100644 index 0000000..ba40a20 Binary files /dev/null and b/runtheblog/8.png differ diff --git a/runtheblog/9.png b/runtheblog/9.png new file mode 100644 index 0000000..78de17b Binary files /dev/null and b/runtheblog/9.png differ diff --git a/runtheblog/index.md b/runtheblog/index.md new file mode 100644 index 0000000..0fb3a40 --- /dev/null +++ b/runtheblog/index.md @@ -0,0 +1,401 @@ +--- +author: nihilist +date: 2024-11-12 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/153" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to run the Nihilism Blog Yourself + +## **Why are you letting me run the blog ?** + +As you have probably noticed after looking at the footer of any of the blogposts in this blog, they are all licensed under the public domain license. This means that there is no copyright restrictions at all, it is free for all, forever. + +![](0.png) + +The reason behind this stems from [Sum Nihil](../../productivity/sum-nihil/index.md), where i strongly believe that it doesn't matter who does the work, who gets the fame, who gets to profit off of it, **what truly matters is that the work gets done** , no matter who does it. + +Here, **the work is to make sure that everyone out there knows that when using the right technology in the right way, they cannot be oppressed, silenced, censored, controlled, and governed anymore.** If you can help me reach that goal i'm definitely going to welcome it, even if it means to allow other people to run the blog. + +The entire blog is meant to remain available for free, for everyone, over clearnet and over the Tor network. Ideally i'd like it to be resillient to takedowns in the case if something were to happen to me in the future. **Therefore, the more people run the blog themselves, the more resillient it will become, and the farther the word will be able to go out there.** + + + +## **Clearnet Setup** + +Now if you are interested in helping me get the word accross, you can run the blog yourself like so: + +On a debian server (VPS or not), install the following packages: + + + [ Datura ] [ /dev/pts/23 ] [~] + → sudo apt install nginx wget curl tor torsocks -y + + + +Then, you need to download the blog somewhere, you can simply git clone it from the blog-contributions forgejo repository into the /srv/ directory: + + + [ Datura ] [ /dev/pts/23 ] [~] + → torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions /srv/blog/ + + + +_Optional:_ if you want to also host the archived blog sections i wrote in the past (the hacking and selfhosting categories) you can do so as follows: + + + [ Wonderland ] [ /dev/pts/9 ] [/srv/blog-archive] + → torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-archive /srv/blog-archive + + + +Then we need to make sure that the blog repository stays updated regularly: + + + [ Wonderland ] [ /dev/pts/11 ] [/srv] + → crontab -e + + #blog + @hourly /usr/bin/torsocks /usr/bin/git -C /srv/blog/ pull + @hourly /usr/bin/torsocks /usr/bin/git -C /srv/blog-archive/ pull + + + +then you can use this nginx configuration (and dont forget to enable it with a symlink to sites-enabled): + + + [ Datura ] [ /dev/pts/23 ] [~] + → rm /etc/nginx/sites-*/default + + [ Datura ] [ /dev/pts/23 ] [~] + → vim /etc/nginx/sites-available/blog.nowhere.moe + + [ Datura ] [ /dev/pts/23 ] [~] + → ln -s /etc/nginx/sites-available/blog.nowhere.moe /etc/nginx/sites-enabled/ + + [ Datura ] [ /dev/pts/23 ] [~] + → cat /etc/nginx/sites-available/blog.nowhere.moe + + server { + listen 80; + listen [::]:80; + server_name blog.nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + ######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion; + add_header Onion-Location "http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion$request_uri" always; + ######## TOR CHANGES ######## + + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name blog.nowhere.moe; + ########################################## HARDENING SSL ############################################# + ssl_certificate /root/.acme.sh/blog.nowhere.moe/fullchain.cer; + ssl_certificate_key /root/.acme.sh/blog.nowhere.moe/blog.nowhere.moe.key; + ssl_dhparam /root/.acme.sh/dhparam.pem; + + + # SSL Settings + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + + + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /root/.acme.sh/blog.nowhere.moe/fullchain.cer; + resolver 1.1.1.1 208.67.222.222; + + add_header Strict-Transport-Security "max-age=63072000" always; + + + + + access_log off; + error_log off; + ###################################END OF HARDENING SSL########################################### + + + rewrite ^/servers/anon.html http://$server_name/opsec/index.md permanent; + rewrite ^/servers/(.*)$ http://$server_name/opsec/$1 permanent; + index index.html; + root /srv/blog/; + + #optional selfhosting + HTB locations in /srv/blog-archive: + location ~ ^/(selfhosting|HTB)/ { + root /srv/blog-archive/; + + } + } + + + +but as you can see we're missing the TLS certificates, so let's get them using acme.sh: + + + [ Datura ] [ /dev/pts/23 ] [~] + → wget -O - https://get.acme.sh | sh -s email=nihilist@contact.nowhere.moe + + [ Datura ] [ /dev/pts/23 ] [~] + → systemctl stop nginx ; acme.sh --issue --standalone -d blog.nowhere.moe -k 4096; systemctl start nginx + + + +And now that we have them, let's see if the nginx config is correct: + + + [ Datura ] [ /dev/pts/23 ] [~] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + + +Now that the nginx config is correct let's restart nginx to load in the new config: + + + [ Datura ] [ /dev/pts/23 ] [~] + → systemctl restart nginx + + + +And then we can see that the website is up and reachable at the clearnet domain: + +![](1.png) + +## **Tor Hidden Service Setup** + +Since clearnet websites are easily censorable nowadays, let's make sure it is censorship-resistant by making it available over Tor. Let's first install Tor: + + + [ Datura ] [ /dev/pts/23 ] [~] + → apt install tor -y + + + +Then we git clone the mkp repository to be able to generate an onion hidden service address: + + + [ Datura ] [ /dev/pts/23 ] [~] + → apt install gcc libc6-dev libsodium-dev make autoconf tor + + [ Datura ] [ /dev/pts/23 ] [~] + → git clone https://github.com/cathugger/mkp224o /srv/mkp224o + + [ Datura ] [ /dev/pts/23 ] [/srv/mkp224o] + → cd /srv/mkp224o ; ./autogen.sh ; ./configure ; make + + [ Datura ] [ /dev/pts/23 ] [/srv/mkp224o] + → ./mkp224o datura + sorting filters... done. + filters: + datura + in total, 1 filter + using 12 threads + daturacccspczuluj2hbgqfcpkjo75hn7bzmuzsm5zys3az6k3su45ad.onion + daturaxnp7x4ubwlslgyeaft5dabaxotmsaxanayocnpxarc7wi36kid.onion + + [ Datura ] [ /dev/pts/23 ] [/srv/mkp224o] + → mkdir /var/lib/tor/onions + + [ Datura ] [ /dev/pts/23 ] [/srv/mkp224o] + → mv daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion /var/lib/tor/onions + + [ Datura ] [ /dev/pts/11 ] [lib/tor/onions] + → ls -lash + total 16K + 4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 . + 4.0K drwx--S--- 8 debian-tor debian-tor 4.0K Feb 1 15:08 .. + 4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12 2023 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + 4.0K drwx------ 3 debian-tor debian-tor 4.0K Jan 27 15:48 nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion + + [ Datura ] [ /dev/pts/11 ] [lib/tor/onions] + → ls -lash daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + total 24K + 4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12 2023 . + 4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 .. + 4.0K drwx------ 2 debian-tor debian-tor 4.0K Jul 12 2023 authorized_clients + 4.0K -r-------- 1 debian-tor debian-tor 63 Jul 12 2023 hostname + 4.0K -r-------- 1 debian-tor debian-tor 64 Jul 12 2023 hs_ed25519_public_key + 4.0K -r-------- 1 debian-tor debian-tor 96 Jul 12 2023 hs_ed25519_secret_key + + + +Then after copying the hidden service files where they belong we change the directory rights accordingly: + + + [ Datura ] [ /dev/pts/11 ] [lib/tor/onions] + → chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + + [ Datura ] [ /dev/pts/11 ] [lib/tor/onions] + → chmod 400 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/* + + [ Datura ] [ /dev/pts/11 ] [lib/tor/onions] + → chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/authorized_clients -R + + [ Datura ] [ /dev/pts/11 ] [lib/tor/onions] + → chown debian-tor: /var/lib/tor/onions -R + + + +Then we edit the torrc config file to make sure it uses the correct hidden service directory, along with a port to be used to access the website: + + + [ Datura ] [ /dev/pts/11 ] [/srv/mkp224o] + → cat /etc/tor/torrc + HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/ + HiddenServicePort 80 127.0.0.1:4443 # for web service HTTP (recommended!) + HiddenServicePort 443 127.0.0.1:4444 # for web service HTTPS (but not recommended!) + + HiddenServicePort 18080 127.0.0.1:18080 # for monero nodes + HiddenServicePort 18081 127.0.0.1:18081 # for monero nodes + + # to have another hidden service, you can append it afterward like so; but you need to use different ports: + + HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/ + HiddenServicePort 80 127.0.0.1:4445 + + + +Then we restart Tor to refresh the configuration: + + + [ Datura ] [ /dev/pts/23 ] [/srv/mkp224o] + → systemctl restart tor@default + + [ Datura ] [ /dev/pts/23 ] [/srv/mkp224o] + → systemctl status tor@default + ● tor@default.service - Anonymizing overlay network for TCP + Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled) + Active: active (running) since Sun 2024-11-10 21:39:43 CET; 2 days ago + Main PID: 2790923 (tor) + Tasks: 13 (limit: 77002) + Memory: 1.5G + CPU: 1d 12h 17min 42.199s + CGroup: /system.slice/system-tor.slice/tor@default.service + └─2790923 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 + + + +And from there, we edit the nginx configuration to make sure the website is reachable over the tor domain aswell along with having the header set so that the user's tor browser mentions that there is a .onion link available: + + + [ Datura ] [ /dev/pts/23 ] [~] + → vim /etc/nginx/sites-available/blog.nowhere.moe + + [ Datura ] [ /dev/pts/23 ] [/srv/mkp224o] + → cat /etc/nginx/sites-available/blog.nowhere.moe + server { + listen 80; + listen [::]:80; + server_name blog.nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + **######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name blog.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://blog.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ########** + + [...] + } + + + +And then we refresh nginx and we see that the website can be reached over the .onion link aswell: + + + [ Datura ] [ /dev/pts/23 ] [~] + → systemctl restart nginx + + + +![](2.png) ![](3.png) + +And that's it! you now have made your own copy of the blog available over clearnet and Tor. + +_Sidenote:_ if you want to only have an onion mirror of the blog (and no clearnet at all), you can use this nginx config: + + + [ Wonderland ] [ /dev/pts/9 ] [/etc/nginx/sites-available] + → cat blog.conf + + server { + ######## TOR WEBSITE ######## + listen 4443; + listen [::]:4443; + server_name blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion; + + rewrite ^/servers/anon.html http://$server_name/opsec/index.md permanent; + rewrite ^/servers/(.*)$ http://$server_name/opsec/$1 permanent; + index index.html; + root /srv/blog/; + + #optional selfhosting + HTB locations in /srv/blog-archive: + location ~ ^/(selfhosting|HTB)/ { + root /srv/blog-archive/; + + } + } + + + +## **Setting up Collaboration** + +Now if you want to make sure the blog content keeps growing, you'll need to either write your own blogposts in it or setup collaboration: + +Now in order to make sure you can welcome external contributions, you need at least to be able to have a forgejo instance like the one i run [here](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/): + +![](4.png) ![](5.png) ![](6.png) ![](7.png) ![](8.png) + +Now here you have a simple mirror git repo of the blog, once a day it will synchronize the new changes onto your mirror which is always useful to have in case if the [main repository](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions) gets taken down. + +If it were to get taken down for whatever reason, or if you decide to branch out and do your own thing with the blog, you can edit the repository to not be a mirror anymore (meaning you'll be able to push your own commits without going through me): + +![](9.png) ![](10.png) ![](11.png) + +And once done you can recreate the collaboration kanban board like so: + +![](12.png) ![](14.png) ![](13.png) ![](15.png) + +Then you can add the an issue per tutorial into it like so: + +![](16.png) ![](17.png) ![](18.png) + +You can also add labels to add more details on each issue, to be visible from the kanban board: + +![](19.png) ![](20.png) ![](21.png) + +Then on each issue you can add labels on each like so: + +![](22.png) + +Here the workflow is preety straightforward, the first column is there for the tutorials that dont have the todolist written yet, the second column is for those that do but aren't assigned to someone yet, the third column is for the assigned tutorials (with a 1 month default deadline), the fourth column is for the maintainer to review what the contributor has sent, and the last column is for the tutorials that are completed: + +![](23.png) + +And then obviously, don't forget to have a [SimpleX Chatroom](../anonsimplex/index.md) to make sure you can chat easily with your contributors like i do [here](http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html), this will help brainstorm ideas quickly and help clear up misconceptions with your audience directly: + +![](24.png) + +And there you go! you now have a platform to receive criticism, collaborate and produce quality content. + +## **Setting up a Mirror List** + +And then to make sure the nihilism blog remains resistant to takedowns, you can list it on your own [Darknet Lantern](../darknetlantern/index.md) instance, under the [Blogs](http://lantern.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/index.php?query=Blogs) category: + +![](25.png) + diff --git a/selfhosting/1.png b/selfhosting/1.png new file mode 100644 index 0000000..cba14fa Binary files /dev/null and b/selfhosting/1.png differ diff --git a/selfhosting/2.png b/selfhosting/2.png new file mode 100644 index 0000000..13d709d Binary files /dev/null and b/selfhosting/2.png differ diff --git a/selfhosting/3.png b/selfhosting/3.png new file mode 100644 index 0000000..507d413 Binary files /dev/null and b/selfhosting/3.png differ diff --git a/selfhosting/index.md b/selfhosting/index.md new file mode 100644 index 0000000..6d2586f --- /dev/null +++ b/selfhosting/index.md @@ -0,0 +1,49 @@ +--- +author: nihilist +date: 2025-01-05 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/294" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why should I self-host my own services? + + + +## **What is Self-Hosting ?** + + + Self-hosting is the practice of running and maintaining a website or service using a private web server, instead of using a service outside of the administrator's own control. Self-hosting allows users to have more control over their data, privacy, and computing infrastructure + + + +In short, **Self-hosting is about running servers and services at your own home, rather than somewhere else.** + +## **Do i have privacy when using remote services ?** + +First of all, if you made sure that your laptop isn't running any closed-source software, then the privacy of what you do on that device is maintained, however you need to realize that **if you run a software (ex: google's onedrive), then the actual use of the service happens on a remote server, that is not controlled by you:** + +![](1.png) + +You don't control Google's servers, therefore everything you do on that service is permanently logged from THEIR end. Moreover, the ISP also logs where you connect to, so if you didn't use a [VPN](../vpn/index.md), then the ISP is also aware that you connected to google's servers. In short, **if you don't control the server the service operates on, then EVERYTHING that you do on that service is seen by the one running said service, which can cooperate with the adversary.** + +![](3.png) + +The same holds true if you intend to rent a remote VPS / dedicated server to run a service that you intend to control. Still here the server is not controlled by you, **therefore even if you run a FOSS service on that remote server, the adversary (the cloud service provider in this case) can still potentially see that you're running said service and what you're doing with it.** You don't control the server, therefore you can't hide what you do on that server without end to end encryption (e2ee). + +![](../pgp/1.png) + +As we have covered previously in our [PGP tutorial](../pgp/index.md), we cover an example of PGP messaging, where each party (bob and alice in this case) manually encrypt their messages, before sending it over untrusted messaging platforms such as Discord, or Whatsapp, or wherever else. + +![](../pgp/2.png) + +If you intend to have privacy on the serverside, especially when you don't control the remote server that runs the service you're using, then **End to End Encryption (E2EE) is a hard requirement** as it makes sure that the data is encrypted from your local device (where you have privacy, if you followed the FOSS-only software requirement), before being sent to the untrusted remote servers. **That way, the adversary can only see encrypted data, and they are unable to decrypt it.** + +## **Self hosting and it's advantages** + +![](2.png) + +In practice, this can simply be a home server (which can just be an old desktop) that you decided to run some FOSS services on. If an adversary were to spy on it, said adversary would either require to use a closed-source software that you installed on the server (which obviously should NOT happen if you follow the FOSS software requirement), or they would have to literally bust down your door, and get physical access to the server to be able to do something about it. + +**_TLDR:_ the requirement for server-side privacy is either to use end to end encryption (e2ee), or to use a server that can only be physically accessed by you alone.** + +If you want some examples on what services you can self-host, you can check out our archived [self-hosting tutorials](../../selfhosting/index.md) + diff --git a/sensitiveremotevshome/1.png b/sensitiveremotevshome/1.png new file mode 100644 index 0000000..b746e38 Binary files /dev/null and b/sensitiveremotevshome/1.png differ diff --git a/sensitiveremotevshome/2.png b/sensitiveremotevshome/2.png new file mode 100644 index 0000000..6ad717a Binary files /dev/null and b/sensitiveremotevshome/2.png differ diff --git a/sensitiveremotevshome/index.md b/sensitiveremotevshome/index.md new file mode 100644 index 0000000..96abd86 --- /dev/null +++ b/sensitiveremotevshome/index.md @@ -0,0 +1,73 @@ +--- +author: nihilist +date: 2024-04-29 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/177" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Sensitive .onion Services: Self-Host or Host Remotely ? + +## **The Context** + +A popular debate that keeps reoccuring, is where exactly can you run sensitive .onion services. + +It comes with 2 challenges: + + 1. Running the service, with as much uptime as possible (making sure it keeps running in case of takedowns) + + 2. Making sure you can't be traced back as the owner/administrator of the server + + + + +Out of those requirements, we have 2 possibilities as to where you can run a sensitive service. + + + +## **Self Hosting : Full Physical Control but Risky!** + +![](1.png) **Pros:** + +Everyone has an internet connection, and if you live in a country that does not actively sensor the tor network, it can be interesting to host your own physical server which runs your hidden .onion service + +If you have your own physical server at home, it means you have complete control over the physical proximity of the server itself. as i detailed in [my tutorial on physical security](../physicalsecurity/index.md) there are many things you can do to detect if an adversary is breaking into your home to try and find if you host a hidden service (such as movement detection, unauthorized ssh detection, unauthorized USB interaction detection, etc.) + +In short, it's ideal if the technology is perfect and never has any flaws, but you can't ever be sure of that, (for example: [Tor had security flaws in the past](https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8)) + +**Cons:** + +Almost everyone has an internet connection at home, that is tied to your real name. Due to that fact alone, most people refuse to host anything sensitive locally. + +The strategy here is **"I use secure technology, come at me!"** , if there is any undisclosed flaw/ 0day vulnerability in anything related to the technology used (tor, veracrypt, etc), an adversary could reveal the location of the server, and try to get their hands on the server. + +If the adversary has the ability to crack open the security of the technology used (very unlikely but possible), you're screwed, because the server sits at your home, and they 100% know it is yours in case if the technology fails to protect your service along the way. + +## **Remote Hosting: No Physical Control but Safer!** + +![](2.png) **Cons:** + +Since the Idea here is to run the sensitive service (and most of the time, it's not allowed by the cloud provider), **If there is no redundancy / high availability, The longevity of the service would depend on how long the service remains unnoticed by the cloud provider.** + +If the longevity of the service is of concern, you have to take into account that the service is very likely to get taken down regularly. So to avoid downtimes, **you will have to scale up and implement high availability, this is multiplying the costs per new server** + +Since the goal is for a service to remain undetected for as long as possible on each server, you will have to stay away from VPSes as their kernels often come with monitoring modules, **you will need a dedicated server, with the ability to upload your custom ISO** + +You will also need to monitor for any physical interaction with the server, in order to protect the plausible deniability inside the server, **for any unauthorized change or interaction by the cloud provider, there must be an immediate emergency shutdown to be triggered.** + +And you will need to perform integrity checks after each unauthorized server maintenance to make sure that there are no spyware installed on your server, that may compromise the confidentialtiy from the cloud provider itself. + +In theory, since the server is not there physically with you, you can't fully protect it physically, **you can't just encrypt all of the contents of the RAM to protect against cold boot attacks**. + +**Pros:** + +As i have detailed in my tutorial on [how to acquire remote servers anonymously](../anonymousremoteserver/index.md), if you make sure that you anonymously: + + 1. Create an account on the cloud provider (via TOR) + 2. Pay for the server (via Monero) + 3. Access the server (ssh through tor) + + + +You will be safe to assume that whatever happens on that server, it won't get tied back to you + +The strategy here is **"Whatever I do, I do it as far away from my real identity!"** , this anonymity safeguard is what many consider worth all the trouble mentionned before. + diff --git a/sensitivevm/0.png b/sensitivevm/0.png new file mode 100644 index 0000000..204c0d2 Binary files /dev/null and b/sensitivevm/0.png differ diff --git a/sensitivevm/1.png b/sensitivevm/1.png new file mode 100644 index 0000000..fba8045 Binary files /dev/null and b/sensitivevm/1.png differ diff --git a/sensitivevm/10.png b/sensitivevm/10.png new file mode 100644 index 0000000..7fc9510 Binary files /dev/null and b/sensitivevm/10.png differ diff --git a/sensitivevm/100.png b/sensitivevm/100.png new file mode 100644 index 0000000..f6968a6 Binary files /dev/null and b/sensitivevm/100.png differ diff --git a/sensitivevm/101.png b/sensitivevm/101.png new file mode 100644 index 0000000..b28e5fc Binary files /dev/null and b/sensitivevm/101.png differ diff --git a/sensitivevm/102.png b/sensitivevm/102.png new file mode 100644 index 0000000..638122d Binary files /dev/null and b/sensitivevm/102.png differ diff --git a/sensitivevm/103.png b/sensitivevm/103.png new file mode 100644 index 0000000..39b7ae4 Binary files /dev/null and b/sensitivevm/103.png differ diff --git a/sensitivevm/104.png b/sensitivevm/104.png new file mode 100644 index 0000000..fa1b7c6 Binary files /dev/null and b/sensitivevm/104.png differ diff --git a/sensitivevm/105.png b/sensitivevm/105.png new file mode 100644 index 0000000..b9a6a47 Binary files /dev/null and b/sensitivevm/105.png differ diff --git a/sensitivevm/106.png b/sensitivevm/106.png new file mode 100644 index 0000000..a05bfcc Binary files /dev/null and b/sensitivevm/106.png differ diff --git a/sensitivevm/107.png b/sensitivevm/107.png new file mode 100644 index 0000000..3d679cb Binary files /dev/null and b/sensitivevm/107.png differ diff --git a/sensitivevm/108.png b/sensitivevm/108.png new file mode 100644 index 0000000..0543867 Binary files /dev/null and b/sensitivevm/108.png differ diff --git a/sensitivevm/109.png b/sensitivevm/109.png new file mode 100644 index 0000000..678d777 Binary files /dev/null and b/sensitivevm/109.png differ diff --git a/sensitivevm/11.png b/sensitivevm/11.png new file mode 100644 index 0000000..4ca3973 Binary files /dev/null and b/sensitivevm/11.png differ diff --git a/sensitivevm/110.png b/sensitivevm/110.png new file mode 100644 index 0000000..450d26e Binary files /dev/null and b/sensitivevm/110.png differ diff --git a/sensitivevm/111.png b/sensitivevm/111.png new file mode 100644 index 0000000..81219b6 Binary files /dev/null and b/sensitivevm/111.png differ diff --git a/sensitivevm/112.png b/sensitivevm/112.png new file mode 100644 index 0000000..a70f597 Binary files /dev/null and b/sensitivevm/112.png differ diff --git a/sensitivevm/113.png b/sensitivevm/113.png new file mode 100644 index 0000000..7ad129a Binary files /dev/null and b/sensitivevm/113.png differ diff --git a/sensitivevm/114.png b/sensitivevm/114.png new file mode 100644 index 0000000..9fa640f Binary files /dev/null and b/sensitivevm/114.png differ diff --git a/sensitivevm/115.png b/sensitivevm/115.png new file mode 100644 index 0000000..f1043a3 Binary files /dev/null and b/sensitivevm/115.png differ diff --git a/sensitivevm/116.png b/sensitivevm/116.png new file mode 100644 index 0000000..0d9c2c6 Binary files /dev/null and b/sensitivevm/116.png differ diff --git a/sensitivevm/117.png b/sensitivevm/117.png new file mode 100644 index 0000000..0201312 Binary files /dev/null and b/sensitivevm/117.png differ diff --git a/sensitivevm/118.png b/sensitivevm/118.png new file mode 100644 index 0000000..9a0ffff Binary files /dev/null and b/sensitivevm/118.png differ diff --git a/sensitivevm/119.png b/sensitivevm/119.png new file mode 100644 index 0000000..e6df123 Binary files /dev/null and b/sensitivevm/119.png differ diff --git a/sensitivevm/12.png b/sensitivevm/12.png new file mode 100644 index 0000000..fe32a82 Binary files /dev/null and b/sensitivevm/12.png differ diff --git a/sensitivevm/120.png b/sensitivevm/120.png new file mode 100644 index 0000000..21bb6bb Binary files /dev/null and b/sensitivevm/120.png differ diff --git a/sensitivevm/13.png b/sensitivevm/13.png new file mode 100644 index 0000000..398a808 Binary files /dev/null and b/sensitivevm/13.png differ diff --git a/sensitivevm/14.png b/sensitivevm/14.png new file mode 100644 index 0000000..d0ab734 Binary files /dev/null and b/sensitivevm/14.png differ diff --git a/sensitivevm/15.png b/sensitivevm/15.png new file mode 100644 index 0000000..97370c5 Binary files /dev/null and b/sensitivevm/15.png differ diff --git a/sensitivevm/16.png b/sensitivevm/16.png new file mode 100644 index 0000000..2e71921 Binary files /dev/null and b/sensitivevm/16.png differ diff --git a/sensitivevm/17.png b/sensitivevm/17.png new file mode 100644 index 0000000..13e7131 Binary files /dev/null and b/sensitivevm/17.png differ diff --git a/sensitivevm/18.png b/sensitivevm/18.png new file mode 100644 index 0000000..dcb1480 Binary files /dev/null and b/sensitivevm/18.png differ diff --git a/sensitivevm/19.png b/sensitivevm/19.png new file mode 100644 index 0000000..96d4525 Binary files /dev/null and b/sensitivevm/19.png differ diff --git a/sensitivevm/2.png b/sensitivevm/2.png new file mode 100644 index 0000000..e1c045c Binary files /dev/null and b/sensitivevm/2.png differ diff --git a/sensitivevm/20.png b/sensitivevm/20.png new file mode 100644 index 0000000..adbc35a Binary files /dev/null and b/sensitivevm/20.png differ diff --git a/sensitivevm/21.png b/sensitivevm/21.png new file mode 100644 index 0000000..ae50774 Binary files /dev/null and b/sensitivevm/21.png differ diff --git a/sensitivevm/22.png b/sensitivevm/22.png new file mode 100644 index 0000000..dfe98cf Binary files /dev/null and b/sensitivevm/22.png differ diff --git a/sensitivevm/23.png b/sensitivevm/23.png new file mode 100644 index 0000000..cbce7c5 Binary files /dev/null and b/sensitivevm/23.png differ diff --git a/sensitivevm/24.png b/sensitivevm/24.png new file mode 100644 index 0000000..4b0349d Binary files /dev/null and b/sensitivevm/24.png differ diff --git a/sensitivevm/25.png b/sensitivevm/25.png new file mode 100644 index 0000000..bef8079 Binary files /dev/null and b/sensitivevm/25.png differ diff --git a/sensitivevm/26.png b/sensitivevm/26.png new file mode 100644 index 0000000..fdd5e4f Binary files /dev/null and b/sensitivevm/26.png differ diff --git a/sensitivevm/27.png b/sensitivevm/27.png new file mode 100644 index 0000000..85dc497 Binary files /dev/null and b/sensitivevm/27.png differ diff --git a/sensitivevm/28.png b/sensitivevm/28.png new file mode 100644 index 0000000..86de1fa Binary files /dev/null and b/sensitivevm/28.png differ diff --git a/sensitivevm/29.png b/sensitivevm/29.png new file mode 100644 index 0000000..176058f Binary files /dev/null and b/sensitivevm/29.png differ diff --git a/sensitivevm/3.png b/sensitivevm/3.png new file mode 100644 index 0000000..6ccfde0 Binary files /dev/null and b/sensitivevm/3.png differ diff --git a/sensitivevm/30.png b/sensitivevm/30.png new file mode 100644 index 0000000..4010b11 Binary files /dev/null and b/sensitivevm/30.png differ diff --git a/sensitivevm/31.png b/sensitivevm/31.png new file mode 100644 index 0000000..0920802 Binary files /dev/null and b/sensitivevm/31.png differ diff --git a/sensitivevm/32.png b/sensitivevm/32.png new file mode 100644 index 0000000..7fe0db5 Binary files /dev/null and b/sensitivevm/32.png differ diff --git a/sensitivevm/33.png b/sensitivevm/33.png new file mode 100644 index 0000000..9c4d689 Binary files /dev/null and b/sensitivevm/33.png differ diff --git a/sensitivevm/34.png b/sensitivevm/34.png new file mode 100644 index 0000000..c690137 Binary files /dev/null and b/sensitivevm/34.png differ diff --git a/sensitivevm/35.png b/sensitivevm/35.png new file mode 100644 index 0000000..121c009 Binary files /dev/null and b/sensitivevm/35.png differ diff --git a/sensitivevm/36.png b/sensitivevm/36.png new file mode 100644 index 0000000..c6c1437 Binary files /dev/null and b/sensitivevm/36.png differ diff --git a/sensitivevm/37.png b/sensitivevm/37.png new file mode 100644 index 0000000..52953aa Binary files /dev/null and b/sensitivevm/37.png differ diff --git a/sensitivevm/38.png b/sensitivevm/38.png new file mode 100644 index 0000000..58635bb Binary files /dev/null and b/sensitivevm/38.png differ diff --git a/sensitivevm/39.png b/sensitivevm/39.png new file mode 100644 index 0000000..9f6b7a1 Binary files /dev/null and b/sensitivevm/39.png differ diff --git a/sensitivevm/4.png b/sensitivevm/4.png new file mode 100644 index 0000000..bbc599e Binary files /dev/null and b/sensitivevm/4.png differ diff --git a/sensitivevm/40.png b/sensitivevm/40.png new file mode 100644 index 0000000..37f3bc5 Binary files /dev/null and b/sensitivevm/40.png differ diff --git a/sensitivevm/41.png b/sensitivevm/41.png new file mode 100644 index 0000000..8bd4643 Binary files /dev/null and b/sensitivevm/41.png differ diff --git a/sensitivevm/42.png b/sensitivevm/42.png new file mode 100644 index 0000000..0d59e05 Binary files /dev/null and b/sensitivevm/42.png differ diff --git a/sensitivevm/43.png b/sensitivevm/43.png new file mode 100644 index 0000000..6aa57e6 Binary files /dev/null and b/sensitivevm/43.png differ diff --git a/sensitivevm/5.png b/sensitivevm/5.png new file mode 100644 index 0000000..7579e68 Binary files /dev/null and b/sensitivevm/5.png differ diff --git a/sensitivevm/6.png b/sensitivevm/6.png new file mode 100644 index 0000000..1d85200 Binary files /dev/null and b/sensitivevm/6.png differ diff --git a/sensitivevm/7.png b/sensitivevm/7.png new file mode 100644 index 0000000..6e8c6ce Binary files /dev/null and b/sensitivevm/7.png differ diff --git a/sensitivevm/8.png b/sensitivevm/8.png new file mode 100644 index 0000000..7b745a5 Binary files /dev/null and b/sensitivevm/8.png differ diff --git a/sensitivevm/9.png b/sensitivevm/9.png new file mode 100644 index 0000000..9eca601 Binary files /dev/null and b/sensitivevm/9.png differ diff --git a/sensitivevm/index.md b/sensitivevm/index.md new file mode 100644 index 0000000..23ab556 --- /dev/null +++ b/sensitivevm/index.md @@ -0,0 +1,489 @@ +--- +author: nihilist +date: 2025-04-02 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/256" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Sensitive VMs Setup (Whonix VMs in a Veracrypt Hidden Volume) (April 2025 Update) + +![](0.png) + +In this tutorial we're going to cover how to setup Whonix VMs for Sensitive use. This means that our [OPSEC requirement](../opsec4levels/index.md) is that **we need to be able to deny the existance of the Sensitive Whonix VM if the adversary ever gets access to our laptop.** + +Now the advantage of this setup, is that it is not going to actually destroy the computer, nor any sensitive data, you can keep using it even after triggering an emergency shutdown. + +_CONTEXT WARNING:_ this setup is only suitable **if you are not going to be thrown in jail for just using Veracrypt.** , and if an adversary were to bust down your front door, **you need to have at least 5 seconds before he can see your laptop screen.** + + + +## **Deniability Requirements** + +First of all as you have seen, the requirement is that we do this setup from the Host OS, in [live mode](../livemode/index.md). That is because we want to make sure that there is no forensic evidence to be saved on the system drive as we have explained [previously.](../livemode/index.md) + +![](../livemode/4.png) + +While in Live mode we can't write anything new on the system disk (such as the system logs, kernel logs, non-standard logs) **which can all be potential forensic evidence that the hidden volume exists**. Instead, everything is written into RAM, and we can easily erase all of those contents with a simple reboot. **While in live mode however, we can ONLY write to non-system drives** , which is where we will setup a big enough veracrypt volume (500GB in total, with a 250Gb hidden volume) to store the Whonix VMs (which are 200Gb big) that we will use for long-term Sensitive use. + +## **Preparing the Host OS: Live Mode and the Reboot Shortcut** + +As we have showcased [previously](../livemode/index.md), we have a **reboot.sh bashscript** on the Host OS, that is hooked up to the **Right Ctrl** key to make sure we can quickly shutdown the computer in case if an adversary were to bust down our door. So we're going to make use of it: + + + [user ~]% cat reboot.sh + #!/bin/bash + + /usr/bin/sudo /usr/sbin/reboot now + + [user ~]% xfconf-query -c xfce4-keyboard-shortcuts -n -t 'string' -p '/commands/custom/Control_R' -s /home/user/reboot.sh + + +Definitely make sure that it works and that it keeps working by pressing the right ctrl key at least once in a while, **because you definitely don't want this to fail you when there's going to be an actual emergency.** + +I also recommend making a simple shortcut to trigger the script.sh bashscript to avoid having to open up a terminal and run it every time you want to open up the sensitive VMs after booting in live mode: + + + [user ~]% xfconf-query -c xfce4-keyboard-shortcuts -n -t 'string' -p '/commands/custom/<__Super>s' -s /run/media/private/user/sda/script.sh + +In this example, i set the **Super+S** shortcut to run script.sh more easily. + +And lastly, (since running right ctrl while focused inside of a VM doesnt trigger the shortcut on the Host OS), we make sure that we can focus out of the QEMU VMs easily by making sure that pressing the **Right ALT** focuses out of the VMs: + + + [user ~]% gsettings set org.virt-manager.virt-manager.console grab-keys '65514' + + + +**In conclusion: The correct key combination to reboot the computer is first Right Alt to focus out of the QEMU VM, and then Right CTRL to trigger the reboot script.** + +So Now that's done, let's reboot the Host OS to go back in live mode before we start to create the veracrypt volume. + +![](../livemode/12.png) + +## **Preparing the non-system drive** + +This tutorial is going to require you to have the following setup: + + * Host OS: [Kicksecure](../linux/index.md) (in live mode ONLY!) + + * Host OS Preparation: [Reboot.sh script hooked up to the right CTRL key + ram-wipe installed](../livemode/index.md) + + * Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + * Non-System Harddrive: 500Gb at least + + +![](100.png) + +With this setup, you are ready to proceed. The non-system harddrive needs to be 500GB big because in it the veracrypt decoy (outer) volume will span the entire drive (500Gb), and the hidden (inner) volume will span half of that entire drive (250Gb), **in order to be able to contain the Whonix QEMU VMs which are 200Gb big.** + +![](101.png) + +So make **sure that you have a non-system that is 500GB big (a Harddrive, NOT AN SSD)** , then you can proceed with setting up the veracrypt volume on the entire drive: + +![](102.png) ![](103.png) ![](104.png) ![](105.png) + +Here is the important part: you mention both passwords: the top one is Password A: to unlock the decoy volume, and the bottom one is the secret password, you must be the only one that knows it **because it is the key to unlock (and reveal) the hidden volume NEVER WRITE IT DOWN, ALWAYS REMEMBER IT!** + +![](106.png) ![](107.png) ![](108.png) ![](108.png) + +And now that the veracrypt volume is created, we are ready to setup both the hidden and decoy volumes + +## **Installing the Whonix VMs inside the Hidden Volume** + +First we unlock the Veracrypt Hidden volume: + +![](109.png) ![](110.png) ![](111.png) + +As you can see the mount point path is in **/run/media/private/user/sda** , that's where we're going to store the whonix VMs. So let's download the latest whonix VMs from [here](https://www.whonix.org/wiki/KVM): + +![](112.png) + +once downloaded directly into the hidden volume, unpack it (the archive may only be 3Gb big but once inflated it will weigh 200Gb in total.) + + + [user ~]% cd /run/media/private/user/sda + + [user /run/media/private/user/sda]% ls -l + total 549M + drwx------ 2 root root 16K 1 sept. 2024 lost+found + drwxr-xr-x 2 user user 4,0K 2 avril 11:45 old + -rw-r--r-- 1 user user 0 2 avril 11:47 Whonix-Xfce-17.2.8.5.Intel_AMD64.qcow2.libvirt.xz + + [user /run/media/private/user/sda]% tar -xvf Whonix*.libvirt.xz + WHONIX_BINARY_LICENSE_AGREEMENT + WHONIX_DISCLAIMER + Whonix-Gateway-Xfce-17.2.8.5.xml + Whonix-Workstation-Xfce-17.2.8.5.xml + Whonix_external_network-17.2.8.5.xml + Whonix_internal_network-17.2.8.5.xml + Whonix-Gateway-Xfce-17.2.8.5.Intel_AMD64.qcow2 + Whonix-Workstation-Xfce-17.2.8.5.Intel_AMD64.qcow2 + + [user /run/media/private/user/sda]% touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted + + +Here to make it easier to handle, i recommend to first edit the file names to remove the version and the the window manager name: + + + [user /run/media/private/user/sda]% mv Whonix-Gateway-Xfce-17.2.8.5.xml Whonix-Gateway.xml + [user /run/media/private/user/sda]% mv Whonix-Workstation-Xfce-17.2.8.5.xml Whonix-Workstation.xml + [user /run/media/private/user/sda]% mv Whonix_external_network-17.2.8.5.xml Whonix-External.xml + [user /run/media/private/user/sda]% mv Whonix_internal_network-17.2.8.5.xml Whonix-Internal.xml + [user /run/media/private/user/sda]% mv Whonix-Gateway-Xfce-17.2.8.5.Intel_AMD64.qcow2 Whonix-Gateway.qcow2 + [user /run/media/private/user/sda]% mv Whonix-Workstation-Xfce-17.2.8.5.Intel_AMD64.qcow2 Whonix-Workstation.qcow2 + + + +Then we're going to need to edit the Whonix-Gateway.xml and Whonix-Workstation.xml to match the system path, have the correct resources, and use the correct qcow2 image filenames: + +So here we first make sure that the whonix gateway has 1GB memory, and that it has the correct source file path (to the .qcow2 vm image): + + + [user /run/media/private/user/sda]% vim Whonix-Gateway.xml + [user /run/media/private/user/sda]% cat Whonix-Gateway.xml + + [...] + + <__memory dumpCore="off" unit="GiB">1 <__/memory> <__currentMemory unit="GiB">1 <__/currentMemory> + + [...] <__disk type="file" device="disk"> <__driver name="qemu" type="qcow2"/> <__source file="/run/media/private/user/sda/Whonix-Gateway.qcow2"/> <__target dev="vda" bus="virtio"/> <__address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/> <__/disk> + + [...] + +So here we do the same for the whonix workstation to give it 8GB of memory, with 4vcpus, and we also make sure that it has the correct source file path (to the .qcow2 vm image): + + + [user /run/media/private/user/sda]% vim Whonix-Workstation.xml + [user /run/media/private/user/sda]% cat Whonix-Workstation.xml + + [...] + + <__memory dumpCore="off" unit="GiB">8 <__/memory> <__currentMemory unit="GiB">8 <__/currentMemory> + + [...] <__vcpu placement="static" cpuset="1">4 <__/vcpu> + + [...] <__disk type="file" device="disk"> <__driver name="qemu" type="qcow2"/> <__source file="/run/media/private/user/sda/Whonix-Gateway.qcow2"/> <__target dev="vda" bus="virtio"/> <__address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/> <__/disk> + + [...] + +Now that the XML files are correctly setup, we can write script.sh to make sure they are quickly setup if not already, and quickly removed if they are: + + + [user /run/media/private/user/sda]% cat script.sh + #!/bin/bash + + if [ $(virsh -c qemu:///system list --all | grep Whonix | wc -l) -ne 0 ]; + then + + # if the VMs are imported, remove them: + + virsh -c qemu:///system destroy Whonix-Gateway + virsh -c qemu:///system destroy Whonix-Workstation + virsh -c qemu:///system undefine Whonix-Gateway + virsh -c qemu:///system undefine Whonix-Workstation + virsh -c qemu:///system net-destroy Whonix-External + virsh -c qemu:///system net-destroy Whonix-Internal + virsh -c qemu:///system net-undefine Whonix-External + virsh -c qemu:///system net-undefine Whonix-Internal + else + + + # if the VMs are not imported, import them: + + virsh -c qemu:///system net-define /run/media/private/user/sda/Whonix-External.xml + virsh -c qemu:///system net-define /run/media/private/user/sda/Whonix-Internal.xml + virsh -c qemu:///system net-autostart Whonix-External + virsh -c qemu:///system net-start Whonix-External + virsh -c qemu:///system net-autostart Whonix-Internal + virsh -c qemu:///system net-start Whonix-Internal + virsh -c qemu:///system define /run/media/private/user/sda/Whonix-Gateway.xml + virsh -c qemu:///system define /run/media/private/user/sda/Whonix-Workstation.xml + # then exit because we dont want to run the rest of wipe.sh + exit $? + fi + + + +Then we make the script executable and run it to setup the whonix VMs: + + + [user /run/media/private/user/sda]% chmod +x ./script.sh + + [user /run/media/private/user/sda]% ./script.sh + Network Whonix-External defined from /run/media/private/user/sda/Whonix-External.xml + + Network Whonix-Internal defined from /run/media/private/user/sda/Whonix-Internal.xml + + Network Whonix-External marked as autostarted + + Network Whonix-External started + + Network Whonix-Internal marked as autostarted + + Network Whonix-Internal started + + Domain 'Whonix-Gateway' defined from /run/media/private/user/sda/Whonix-Gateway.xml + + Domain 'Whonix-Workstation' defined from /run/media/private/user/sda/Whonix-Workstation.xml + + + +As you can see it successfully mounted the whonix VMs: + +![](113.png) + +And then if you run it again you'll see that it removes the VMs: + + + [user /run/media/private/user/sda]% ./script.sh + error: Failed to destroy domain 'Whonix-Gateway' + error: Requested operation is not valid: domain is not running + + error: Failed to destroy domain 'Whonix-Workstation' + error: Requested operation is not valid: domain is not running + + Domain 'Whonix-Gateway' has been undefined + + Domain 'Whonix-Workstation' has been undefined + + Network Whonix-External destroyed + + Network Whonix-Internal destroyed + + Network Whonix-External has been undefined + + Network Whonix-Internal has been undefined + + + +` ![](114.png) + +Next, run the script again to setup the VMs once again: + + + [user /run/media/private/user/sda]% ./script.sh + + + +And then upon starting the VMs we see that they work as intended: + +![](115.png) + +Inside this one whonix workstation is the only context where i consider sensitive use to be suitable, **so make sure you don't do any other long-term sensitive activities (meaning you are storing sensitive data somewhere) outside of this VM, because you wouldn't be able to maintain deniability about it otherwise!** + +## **Setting up the Decoy Volume** + + + -in the decoy volume we download files that make sense to be stored in an encrypted volume (adult content / pirated movies, etc) but it needs to NOT be sensitive. + -then we write script.sh + + +Now that we setup the hidden volume, we setup what we need in the decoy volume: + +![](101.png) + +The decoy volume must contain files that meet the following criterias: + + 1. The files must make sense to be kept hidden in an encrypted volume + + 2. The files are not sensitive in nature (you're not going to be thrown in jail for it) + + 3. The files must be less than 200Gb + + + + +**Keep in mind that this is the content that you would show the adversary if they were to seize your devices and force you to type a password.** Therefore what you store in it absolutely needs to make sense to be stored in an encrypted volume. + +![](116.png) + +And obviously, the total diskspace consumed by the decoy files need to be less than 250Gb, as otherwise you'd overwrite (and destroy) the veracrypt hidden volume in the process. + +As we have covered previously, the usual content that makes sense to be kept in an encrypted volume can be something along the lines of adult content, downloaded movies, or similar: + +![](117.png) + +So in here we put some decoy files that would make sense for an adversary to find in an encrypted container: + +![](118.png) + +Then we write the following script.sh in there: + + + [user /run/media/private/user/sda]% vim script.sh + [user /run/media/private/user/sda]% cat script.sh + #!/bin/bash + + kill -9 $(pidof vlc) + + [user /run/media/private/user/sda]% chmod +x script.sh + + +If ever asked to by an adversary, we'll basically pretend that this script is there to quickly kill the media player window in case if someone were to enter the room while you were watching that not-sensitive-but-private content. + +And that's it ! We have now setup both the Hidden Volume with the whonix VMs in it for sensitive use, and the Decoy Volume containing the data we'd show the adversary if ever forced to. + +## **Fine-tuning the emergency reboot script** + +For this next part, we're going to reuse the emergency reboot.sh bashscript that we showcased [previously](../livemode/index.md), so let's reboot the Host OS to be able to edit it outside of live mode since we want it to be a persistant change: + +![](../livemode/15.png) + +![](../logos/de2.png)**Reminder: once again, if you are outside of live mode like we are right now, DO NOT OPEN THE HIDDEN VOLUME, as otherwise you're leaving forensic evidence regarding it's existance on the system drive!** + + + [user ~]% cat reboot.sh + #!/bin/bash + + /usr/bin/sudo /usr/sbin/reboot now + + + +But we're going to refine it so that it does the following: + + 1. Turn off the screen display output (to prevent the adversary from seeing what is happening on the monitor) + + 2. Run the script.sh (that is either in the decoy or the hidden volume, depending on which one is currently opened) + + 3. Close the veracrypt volume (and anything that could block the closing of the volume, such as closing thunar) + + 4. Trigger the host OS reboot, (wiping the RAM in the process) + + + + +Which after tweaking it accordingly we end up with the following reboot script: + + + [user ~]% vim reboot.sh + [user ~]% cat reboot.sh + #!/bin/bash + + # turn off display + xset dpms force off & + + **# run script.sh to kill vlc + /run/media/private/user/sda/script.sh** + + # kill all processes that could block veracrypt from closing + killall thunar + killall xfce4-terminal + + # close the veracrypt volume using zulucrypt + sudo zuluCrypt-cli -q -d /dev/sda + + # kill zuluCrypt after unmounting to make sure it doesnt block the reboot + killall zuluCrypt-gui + + # reboot the host OS + /usr/bin/sudo /usr/sbin/reboot now + + + +Even in a deniability setting, having this script sit in your home directory doesn't incriminate you either, **because you can tell the adversary that this script is used to prevent someone else from seeing that you're watching the non-sensitive content (such as adult content) that is sitting in the encrypted volume.** Still this is a plausible explanation that makes it look like you are cooperating to the adversary when you are being asked about that script in particular. + +And as we showcased previously, we want this script to be executable with a single keystroke (using the right control key) so to make sure the shortcut is set, run this command: + + + xfconf-query -c xfce4-keyboard-shortcuts -n -t 'string' -p '/commands/custom/Control_R' -s /home/user/reboot.sh + + + +## **Emergency Reboot Scenario** + +As explained higher up in this tutorial, you're going to have to test your emergency reboot procedure a few times to make sure it works but also to get used to it, **because when there's going to be a real emergency, you're going to need perform that emergency reboot procedure in a split second.** + +So let's showcase how to do it. First setup the context, booting from the Host OS in live mode: ![](../livemode/12.png) + +![](../logos/de0.png)**Reminder: Now that we are back in live mode, you can open the veracrypt hidden volume once again!** + +Then open the veracrypt hidden volume: + +![](109.png) ![](110.png) ![](111.png) + +and then run script.sh to setup the sensitive VMs: + + + [user /run/media/private/user/sda]% chmod +x ./script.sh + + [user /run/media/private/user/sda]% ./script.sh + Network Whonix-External defined from /run/media/private/user/sda/Whonix-External.xml + + Network Whonix-Internal defined from /run/media/private/user/sda/Whonix-Internal.xml + + Network Whonix-External marked as autostarted + + Network Whonix-External started + + Network Whonix-Internal marked as autostarted + + Network Whonix-Internal started + + Domain 'Whonix-Gateway' defined from /run/media/private/user/sda/Whonix-Gateway.xml + + Domain 'Whonix-Workstation' defined from /run/media/private/user/sda/Whonix-Workstation.xml + + + +` ![](113.png) + +And now that the sensitive VMs are listed in virt-manager, we open them: + +![](115.png) + +This is your normal booting up routine when you want to do sensitive activities. Only from the host OS being in live mode, and from that VM alone. + +_Sidenote:_ if you never make a single opsec mistake, you won't ever have the cops busting down your front door, but you never know when you might slip up in the future. **So you must always be ready for the worst when you are actually risking jailtime.** Test yourself at random every few days. What if someone was busting down your door Right now ? Would you be able to reboot your computer in time ? Aim for a 100% success rate, because when the real time comes, it will all depend on your reactivity. + +So now you have been doing your regular sensitive activities from that VM for the last 4 hours, **and suddenly you hear your front door getting busted down,** suppose the door is right next to you like in [this video](https://www.youtube.com/watch?v=jEhprcgv3Pg), you only have 5 seconds to correctly react and press the right ctrl key to be able to shut down the sensitive VM on time. + +![](119.png) + +So your door is getting busted down, and before the 5 second limit you manage to correctly **press that right ALT key to focus out of the sensitive VM, and then the right control key to trigger the reboot.sh script**. + +And then upon pressing it, it immediately turns off the monitor and as you are getting pinned down by the adversary, the script is automatically unmounting the veracrypt volume, and rebooting the computer as intended. + +If the adversary is skilled enough, they'd attempt to open up the PC, put some liquid nitrogen on the RAM sticks, to try and freeze the content of the memory, but by the time they try to do that, the contents of the RAM would be long gone already if you managed to press the emergency reboot key in time. + +![](../cloud_provider_adversary/7.png) + +Next, they seize the empty ramsticks, and the encrypted drives, they put you in handcuffs, put you in custody, while they inspect what they seized for incriminating evidence. + +## **Emergency reboot Scenario: the Aftermath** + + + Aftermath: + -the forensic team inspects the RAM contents and the disk contents: + -the RAM contents are empty: it only shows the typical contents of kicksecure booting and waiting for a password to unlock the system drive (since it rebooted successfully) + -the disk contents are encrypted: the adversary is forced to get the password from you to be able to unlock it + -the authorities get approval from the judge: you are now forced to give them the password to unlock your computer + + from custody: + -the cops tell you the following: Either you give us your passwords to unlock your computer drives, or you're going to prison for a long time! + + +_In this situation here are your options:_ + + 1. either you admit everything you did and get thrown in jail for however long the punishment is supposed to be. (if were playing late in china for example) : life sentence in concentration camps + + 2. either you refuse to give them the passwords and get thrown in jail for contempt of court (their reasoning: you lied that you forgot your password) : 6 months jailtime + + 3. **Or you accept to give the password (which is the decoy password) to unlock the decoy volume (where there's nothing sensitive in there): you look good for the court, it looks like you have cooperated: 0 months jailtime** + + + + +Of course you select the last option (since this is the point of implementing such a setup), **you give them the decoy password, they find nothing in it, and now they are left with no evidence to incriminate you with.** + +If the adversary is not stupid, they should already have something to incriminate you with before actually busting down your door (because you slipped up somewhere along the way while you were doing sensitive activities), meaning that you are anyway going away for some time. It would be stupid to bust down people's doors without having any actual evidence, it would be like playing the lottery hoping to find gold while ruining someone's appartment. + +It may seem far-fetched but **you can't discard that eventuality since there have been[many innocent streamers got swatted](https://www.youtube.com/watch?v=coa7tP54kDY) in the past** (because of assholes that were falsely reporting bomb threats or gun shots just because they didn't like a streamer): + +![](120.png) + +In those cases in particular, **the authorities believe that they'll find a criminal behind the door that they're busting down, so they bust it down despite not having any evidence.** And afterward they realize that the guy is innocent, and they release him. + +Obviously here the context is different as you may actually have something to hide, but with that setup it remains impossible for the adversary to prove the existance of the hidden volume and the sensitive VM it contains. **The strategy here is that you are limiting the bleeding as much as possible**. The authorities may have evidence to put you in jail for 1 month, but if you don't properly stop the bleeding on time, they may find enough evidence for them to convict you for 20 years depending on the nature of the sensitive activity that you have been doing. + +In the case of our showcased setup above, The authorities cannot incriminate you further because there's nothing more for them to find on your seized drives and ramsticks. + diff --git a/serverside.png b/serverside.png new file mode 100644 index 0000000..66d3ce9 Binary files /dev/null and b/serverside.png differ diff --git a/serversideencryption/1.png b/serversideencryption/1.png new file mode 100644 index 0000000..e126ed1 Binary files /dev/null and b/serversideencryption/1.png differ diff --git a/serversideencryption/2.png b/serversideencryption/2.png new file mode 100644 index 0000000..ed287ea Binary files /dev/null and b/serversideencryption/2.png differ diff --git a/serversideencryption/3.png b/serversideencryption/3.png new file mode 100644 index 0000000..6f5ea80 Binary files /dev/null and b/serversideencryption/3.png differ diff --git a/serversideencryption/4.png b/serversideencryption/4.png new file mode 100644 index 0000000..ddabe80 Binary files /dev/null and b/serversideencryption/4.png differ diff --git a/serversideencryption/5.png b/serversideencryption/5.png new file mode 100644 index 0000000..1ea6a5c Binary files /dev/null and b/serversideencryption/5.png differ diff --git a/serversideencryption/index.md b/serversideencryption/index.md new file mode 100644 index 0000000..ee03251 --- /dev/null +++ b/serversideencryption/index.md @@ -0,0 +1,54 @@ +--- +author: nihilist +date: 2024-05-01 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/262" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why can't I trust Server-side Encryption ? + + + +## **Clientside Encryption: Who can be trusted ?** + +As we discussed [previously](../deniability/index.md), Encryption is about providing privacy, Bob and Alice use encryption, for their conversation to remain private from the adversary Jack. + +![](1.png) + +One way to close the door on Jack, is to use PGP encryption: + +![](2.png) + +the logic behind using PGP encryption is for Bob and Alice to encrypt their conversation themselves, because they don't trust anyone else. **Bob encrypts his message using PGP** , and no matter where he sends it (over mail, over discord, over IRC, XMPP, facebook, etc.) **only Alice will be able to decrypt the message.** + +In short, Bob uses PGP because he doesn't trust the platform on which he wishes to talk to Alice. + +## **Serverside Encryption: a Fallacy** + +When we are talking about Serverside Encryption, Who is Bob, Who is Alice and Who is Jack ? + +In the case of the [Incognito Market](https://iv.nowhere.moe/watch?v=5VEXj09TFNA), an illegal Darknet Market (DNM), **the platform admins told it's users to trust their own encryption** + +![](3.png) + +What happens here, is that Bob decides to trust Jack with the confidentiality of his data, **instead of encrypting his sensitive data with PGP**. What can happen from there ? + +## **The consequences of trusting Serverside Encryption** + +Darknet Markets have 2 possible ends: they are either seized by authorities, or they are exit-scamming with their users' cryptocurrencies that are still in custody. + +In the case of Incognito Market, they exit scammed, but something else happened: + +![](4.png) + +There is a third exit option for DNMs : **they can extort all of the users who decided to trust serverside encryption.** + +![](5.png) + +They saved every unencrypted message (including Bob and Alice's unencrypted messages), and they decided to extort them, by threatening them to give out their sensitive data (such as their home adress), to the authorities. + +All of that situation could have been avoided **if Bob and Alice didn't trust the platform with serverside encryption.** + +In short, **never trust serverside encryption, the only encryption you can trust, is your own encryption (such as using PGP encryption).** + +To learn how to use PGP, check out [this tutorial](../pgp/index.md). + diff --git a/stancesensitive/0.png b/stancesensitive/0.png new file mode 100644 index 0000000..175d3a4 Binary files /dev/null and b/stancesensitive/0.png differ diff --git a/stancesensitive/1.png b/stancesensitive/1.png new file mode 100644 index 0000000..feafe39 Binary files /dev/null and b/stancesensitive/1.png differ diff --git a/stancesensitive/2.png b/stancesensitive/2.png new file mode 100644 index 0000000..0c49a45 Binary files /dev/null and b/stancesensitive/2.png differ diff --git a/stancesensitive/3.png b/stancesensitive/3.png new file mode 100644 index 0000000..c19452f Binary files /dev/null and b/stancesensitive/3.png differ diff --git a/stancesensitive/index.md b/stancesensitive/index.md new file mode 100644 index 0000000..804cd3a --- /dev/null +++ b/stancesensitive/index.md @@ -0,0 +1,86 @@ +--- +author: nihilist +date: 2025-01-05 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/301" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Our stance on sensitive activities + +Yes, deniability enables sensitive activities, we showcase how to implement it, **but No we don't recommend you to do sensitive activities unless if you absolutely have to.** + + + +## **What are sensitive activities ?** + + + Sensitive activities are all the activities that are sure to get you in big trouble if an adversary were to irrefutably prove that you were behind them. + + + +Depending on who the adversary is, this categorization of activities ecompasses different things. + +If the adversary is the state, then sensitive activities are everything that is in a given country's legal grey area, or that a given country has made to be illegal. + +As usual, context matters. For example in china, sensitive activities can be as simple as comparing Xi Jinping to Winnie the Pooh: + +![](0.png) + +Or in the UK, sensitive activities can be as simple [as posting your opinion on social media](https://www.bbc.com/news/articles/cm23y7l01v8o) (yes, context no longer matters when you post online in this country anymore, it can be interpreted however the court sees fit for their narrative): + +![](1.png) + +And of course the popular "purchasing controlled substances online" is also a sensitive activity preety much everywhere in the world. + +![](2.png) + +Or, the sensitive activity could simply be carrying more money ([monero for instance](../monerowealth/index.md)) on you than the legal amount of Cash you are allowed to carry: + +![](../monerowealth/0.png) + +Or, doing some black-hat hacking is also a sensitive activity, (meaning you breach into companies' networks without being authorized to do so beforehand), can also get you in ALOT of legal trouble. + +![](3.png) + +These are just a few examples of what sensitive activities can be, there are any number of possible sensitive activities that can be done online, activities for which the adversary would do everything to put you in jail for, therefore when that is the case, you need to be prepared for the worst that could happen. + +## **Deniability enables Sensitive activities** + +The core scenario that our entire deniability category of tutorials revolve around is the following: + + + _Scenario:_ If the adversary were to bust down your door right now, and force you to type a password, would your sensitive activities be able to remain secret ? + + + +Deniability is a fundamental requirement to be able to enable sensitive activities. And the main protection you have against that scenario where you're forced to type a password, is [deniable encryption](../veracrypt/index.md) (using Veracrypt's hidden volumes) + +![](../veracrypt/20.png) + +Without implementing a setup with deniable encryption, you cannot protect against the threat of you being forced to type a password, which would reveal the forensic proofs that you were behind those sensitive activities. + +## **Do we recommend that you do sensitive activities ?** + +If you've read our legal disclaimer at the bottom of any of our blogposts, you'd realize that we don't encourage anyone to engage in any illicit activity: + + + LEGAL DISCLAIMER: + Across the entirety of the blog, in all articles that have been, and will ever be made, we ONLY advocate for the legal use of technologies - even when we are talking about Privacy-enhancing, or Anonymity-enabling, or Deniability-enabling technologies. We are NOT advocating for illegal use of the technology showcased in any article on the blog, as the goal of this blog is to remain strictly informative and educative. + + We decline any and all responsibility for any mis-use of any of the technology that we showcase throughout the blog. We also decline any and all responsibility for any physical, digital and psychological damage caused by the mis-use of showcased technology, as the responsibility of such acts remains with the perpetrating third-party. By reading this blog, you permanently, irrevocably, and world-widely agree that the blog writers are in no way responsible for any illegal actions done by you or anyone that uses the technology showcased in blog articles. + + + +While it may be true that we showcase how to implement setups that provide you with Privacy, Anonymity or in this case even Deniability, we don't recommend you actually do any of those sensitive activities. + +For example i don't believe that buying drugs on the web is worth the risks. Customs, and the postal service may not have implemented scanners everywhere, and the sheer amount of packages they have to process may make it impossible for them to reliably seize all drug packages that get sent through the postal system, **The risk remains that they may find your package, and perform a controlled delivery on you, just to find you guilty of being in possession of a controlled substance**. + +If you've read my blogposts from the productivity section, you'd realize that [i motivate everyone to unwind their addictions](../../productivity/opus-nihil/index.md), to be able to live a fulfilling sober life. + +![](../../productivity/opus-nihil/4.png) + +I don't believe one bit that doing drugs is worth it, given the havoc it can wreck upon your life. Having been addicted myself to substances in the past, i find that sobriety is way more worth it, because that's when you get to do what you truly want to do [(pleasure seeking is not what you truly need in your life)](../../productivity/rightthing/index.md). + +I used to dabble in sensitive activites here and there when i started the opsec blog, but after a while i realized that the paranoia is not worth it. However, i respect those that are willing to put their lives on the line for some sensitive activity that they actually believe could change the world for the better. + +**All of this to say, if you intend to do any sensitive activity, don't do it unless if you pondered all of the risks (especially if that includes ending up in jail), decide if it is actually worth it or not**. If you intend to actually do any sensitive activity after thinking through all the risks that come with it, i recommend that you read all of our deniability tutorials in order to familiarize yourself with the overall concept and setups, learn how to protect your activities in the case of you being forced to type a password, and make sure you implement it correctly. **Deniability is definitely a WAY stricter practice than that of maintaining anonymity, as this is where every small details can make the difference between a small sentence and a life sentence.** + diff --git a/steganography/circumvention.jpg b/steganography/circumvention.jpg new file mode 100644 index 0000000..825c1a8 Binary files /dev/null and b/steganography/circumvention.jpg differ diff --git a/steganography/comparison.jpg b/steganography/comparison.jpg new file mode 100644 index 0000000..ac26fd2 Binary files /dev/null and b/steganography/comparison.jpg differ diff --git a/steganography/index.md b/steganography/index.md new file mode 100644 index 0000000..7b2844c --- /dev/null +++ b/steganography/index.md @@ -0,0 +1,35 @@ +--- +author: Zesc +date: 2024-08-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/45" +xmr: 46BYryUrGcrcRbXFFgTZMYKg8UVY1FpwVfNfHc4GxCXMFwvVtg2YDuf8x8pF36yh4XFWpC3V2WrDgZh7w46MYZEQ3zJQhhR +--- +# Other sources of Plausible Deniability: Steganography + +Steganography is the craft of hiding messages. It is a close relative of cryptography, but where cryptography strives to conceal the contents of a messages, steganography attempts to conceal its _presence_. Therefore **steganography helps avoiding suspicion and providing deniability**. + + + +The important difference between the two fields is adherence to _[Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle)_ : the assumption that an algorithm must be publicly known to guarantee that it has no flaws or backdoors. (This is the reason why you should only use open source crypto software and never roll your own crypto.) +Steganography does the opposite by relying on _security by obscurity_ : the method by which you hid your data must be kept secret. + +That means that whilst complementary to cryptography, steganography on itself is less secure than the mathematically provable security provided by cryptography. Think of it as tucking away your valuables in secret location versus putting them into a sturdy safe. The safe may draw immediate attention by burglars, but provides reliable resistance to attacks, whilst it is up to chance wheter they find your hidden stash. + +### Then why use steganography at all? + +In military science, there is the concept of the _Integrated Survivability Onion_ -- in short, the idea that they can't kill you if they don't hit you, that they can't hit you if they don't shoot at you and that they can't shoot at you if they don't see you. The same thing applies to every good digital defense-in-depth approach. Using steganography can't harm you, but **it shouldn't be all your rely on**. In our example, a hidden safe is better than either option on its own. + +Here a quick overview of using steganography alone, cryptography alone and combining the two: + +![](comparison.jpg) + +The main strength of steganography is that **steganography can conceal metadata** to some extent. Metadata (i.e. data about data and communications) is the primary way that state actors identify targets for closer scrutiny. When you can become guilty by association, **your primary concern may be communicating in public without anyone noticing** and not the confidentiality of your communications. (In fact, many cryptographic schemes attest the identity of the sender via signatures, which you should avoid when looking for _plausible_ deniability in case of compromise.) + +However, **some form of communication event must always occur** , so steganography exploits various side-channels in order to embed additional concealed data. **In order to thwart analysis of metadata, communicate through one or multiple uninvolved third party dead-drops** , preferably such with broad distribution (i.e. popular websites, like social media or message/image boards). + +When relying on such third parties, **steganography can help circumventing censors**. If an adversary controls a critical link in the network and blocks all communications they can't inspect, you need to conceal your encrypted communications inside of superficially innocuous traffic. An example of this would be a corporate email server which denies all attachments it can not scan for malware. + +![](circumvention.jpg) + +The major downside of steganography however is the need to tell your target audience how to find your hidden messages. Where cryptography allows for secure key negotiation even in plain sight of adversaries, informing a party you don't already have a secure communication channel with might be impossible. + diff --git a/steghide/apod20240824.jpg b/steghide/apod20240824.jpg new file mode 100644 index 0000000..d2b5ab4 Binary files /dev/null and b/steghide/apod20240824.jpg differ diff --git a/steghide/apollo11.jpg b/steghide/apollo11.jpg new file mode 100644 index 0000000..555c85e Binary files /dev/null and b/steghide/apollo11.jpg differ diff --git a/steghide/difference.jpg b/steghide/difference.jpg new file mode 100644 index 0000000..a9ef358 Binary files /dev/null and b/steghide/difference.jpg differ diff --git a/steghide/index.md b/steghide/index.md new file mode 100644 index 0000000..6a7da2a --- /dev/null +++ b/steghide/index.md @@ -0,0 +1,80 @@ +--- +author: Zesc +date: 2024-08-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/46" +xmr: 46BYryUrGcrcRbXFFgTZMYKg8UVY1FpwVfNfHc4GxCXMFwvVtg2YDuf8x8pF36yh4XFWpC3V2WrDgZh7w46MYZEQ3zJQhhR +--- +# **Basic Use** + +steghide is ubiquitously mirrored in various repositories and package managers. You can also find a clone of the sourceforge repository [on GitHub](https://github.com/StegHigh/steghide). If you use APT, simply install it with + + + # apt install steghide + +steghide uses subcommands, and the three most important ones are `info`, `embed` and `extract` which will be explained in sequence. For this tutorial, we are going to use the [Astronomy Picture of the Day of 2024-08-24](https://apod.nasa.gov/apod/ap240824.html), a beautiful image of the anti-twilight arch: + +[![](apod20240824.jpg)](apod20240824.jpg) + +Our example file to hide is going to be [Bitcoin: A Peer-to-Peer Electronic Cash System](https://bitcoin.org/bitcoin.pdf), the original paper by Satoshi Nakamoto. + +As mentioned above, the cover image must be larger than the file you wish to embed, **as a rule of thumb your coverfile should be 20 times larger**. (Hint: you can split larger files with tools like tar or 7z into smaller fragments to embed into a whole collection of cover files.) We can check how many bytes steghide can embed by using `steghide info _file_`. In our case, it tells us that it can embed 232 KB and asks wheter an attempt should be made at reading embed data without extracting. As there is nothing embedded yet, we decline with `n`. + + + "apod20240824.jpg": + format: jpeg + capacity: 232.6 KB + Try to get information about embedded data ? (y/n) + + +The PDF is only 180 KB, so it fits. Next, we use `steghide embed -cf _coverfile_ -ef _embedfile_ -sf _destination_` and get asked for a passphrase (make sure to remember it or safe it in a password manager). After re-entering the passphrase (you can set it beforehand with the `-p` option) it will write the processed file to the specified destination. You can also leave out the `-sf` option, in which case it defaults to overwriting the coverfile. Look at it and try to find a visual difference to the original: + +[![](output1.jpg)](output1.jpg) + +It's completely lost in the visual noise. As an experiment, let's try taking the difference of both images with a program like GIMP. This is what it looks like: + +[![](difference.jpg)](difference.jpg) + +A difference of zero means a fully black pixel. Try zooming in and you'll see that only a few pixels are slightly lighter than black. These are the pixels that contain parts of your embedded file in their least significant bits. + +**WARNING: changing the output file in anyway will make the embedded file irretrievable. This is especially important for every form of lossy compression!** + +Now let's try to extract the file we've just hid. For this, use `steghide embed -sf _input_` + +. This will prompt you for the passphrase. Enter it, and the contents will be extracted into the working directory. In our case we will be asked wheter we want to overwrite the file with the same name that already exists. (You can suppress this warning with `-f` or by specifying an alternative output destination with `-xf`. Here, I used the later so we can confirm the files to be identical with md5sum: + + + d56d71ecadf2137be09d8b1d35c6c042 bitcoin.pdf + d56d71ecadf2137be09d8b1d35c6c042 output.pdf + +And they are! This concludes the basic introduction to steghide. Some advanced details follow below, but in most cases, reading the well-written man page suffices. + +## **Advanced Use** + +### **Common Pitfalls** + +There are a couple of things you shouldn't do with steghide. Here a quick overview: + + 1. **Use strong passwords:** Always a given. The password to steghide can be brute-forced like every other password. [stegseek](https://github.com/RickdeJager/stegseek) can brute force 14 million passwords in under 2 seconds. + + 2. **Use original images:** Known images can be easily double-checked against your cover files. If for example the Monero icon on your website is different to that included in the official press kit, that's suspicious, defeating the purpose of steganography. Make sure to only use this with originals only you are in possession of - in a pinch, adding an in-picture caption, resizing it, etc. offers plausible deniability, as different image editing programs are notoriously variant in handling pixel-level details. + + 3. **Avoid images with little detail:** Images without pixel-level visual noise (e.g. diagrams, images of text, etc.) will have less hiding space, and become visible deteriorated when files are embedded. For demonstration purposes, compare [this map](map.jpg) with its [original](map_orig.jpg), then look at [their difference](map_diff.jpg). The embedded file was a mere 4286 B in size, yet these two files differ by 6693 B in size! (The password is left as a brute-forcing exercise for the reader.) + + 4. **Avoid format conversions:** Even "lossless" conversions from one image format to another tend to be non-reversible, making it impossible to retrieve the hidden data. Remember that many popular websites compress all images uploaded to them to save on bandwidth, making them unsuitable for our purposes. + + + + +### **Changing the encryption** + +As you've seen, steghide needs a passphrase to embed and extract data. (Note: using an empty passphrase can lead to issues extracting.) This passphrase is used to both encrypt your file before embedding and to seed the PRNG by which it selects pixel positions for embedding data. By default, it uses AES-128. You should not rely on steghide for securing your data cryptographically (see the [introduction to steganography](../steganography/index.md)), and when in doubt you can separately encrypt the file before embedding, but you may still want to change the used algorithm. For this, simply use `-e _algorithm_ _mode_`. You can list all available modes with `steghide encinfo`. So as example, to embed our previous picture using AES-256 in cipher feedback mode, you would use this: + + + $ steghide embed -cf apod20240824.jpg -ef bitcoin.pdf -e rijandael-256 cfb + +### **Using steghide recursively** + +Since steghide works on arbitrary binary data, you can embed steghide's output into another picture, provided the size is sufficient. The 4.8 MB picture below contains a 260 KB waveform audio file which in turns contains 2.7 KB UTF-8 encoded text file. (The passphrase is `moon` for both.) + +[![](apollo11.jpg)](apollo11.jpg) + diff --git a/steghide/map.jpg b/steghide/map.jpg new file mode 100644 index 0000000..3a460fd Binary files /dev/null and b/steghide/map.jpg differ diff --git a/steghide/map_diff.jpg b/steghide/map_diff.jpg new file mode 100644 index 0000000..e95a58d Binary files /dev/null and b/steghide/map_diff.jpg differ diff --git a/steghide/map_orig.jpg b/steghide/map_orig.jpg new file mode 100644 index 0000000..dff5fe6 Binary files /dev/null and b/steghide/map_orig.jpg differ diff --git a/steghide/output1.jpg b/steghide/output1.jpg new file mode 100644 index 0000000..dae5d05 Binary files /dev/null and b/steghide/output1.jpg differ diff --git a/stylometry/0.png b/stylometry/0.png new file mode 100644 index 0000000..1a9f043 Binary files /dev/null and b/stylometry/0.png differ diff --git a/stylometry/1.png b/stylometry/1.png new file mode 100644 index 0000000..f3b28c9 Binary files /dev/null and b/stylometry/1.png differ diff --git a/stylometry/2.png b/stylometry/2.png new file mode 100644 index 0000000..5ecaf7e Binary files /dev/null and b/stylometry/2.png differ diff --git a/stylometry/index.md b/stylometry/index.md new file mode 100644 index 0000000..a8e9e40 --- /dev/null +++ b/stylometry/index.md @@ -0,0 +1,162 @@ +--- +author: Nihilist +date: 2024-12-04 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/13" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Stylometry protection (Running a Local LLM and copy pasting messages) + +![](0.png) + +In this tutorial we're going to take a look at how you can run a LLM Locally to rewrite your messages to prevent sylometry fingerprinting (in order to make sure you're not being deanonymized from the way you're typing) + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + + + + + +## **Why is this important ?** + +Let's suppose you are a well-known public figure like **Captain Blackbeard from one piece** , and you are trying to chat anonymously while being on a [SimpleX chatroom](../anonsimplex/index.md), in incognito mode: + + + Nihilist: Hello + + Anon: Hi + + Nihilist: Who are you ? + + Anon: doesn't matter. I want to contribute to the blog. + + Nihilist: Ok, what blogpost do you want to contribute on ? + + Anon: The Stylometry one please. + + + +All goes well **until you write in such a way that people recognize who you are.** + + + Nihilist: Ok, what if i paid you 5 euros for it ? + + Anon: Zehahahaha! Oy Matey! you're robbing me here ! + + Nihilist: Wait, is that you Blackbeard ?! + + Anon: Eek! + + + +We all have unique writing styles, and if you talk (and especially laugh like a one piece character) there are always little language traits, and spelling mistakes, that you may type without even noticing, that may fingerprint you in the long run even if you used all of the correct technology to keep your Anonymity intact. + +Which is why we need a LLM that we run locally (as we shouldn't let a third party know our original text), to rewrite our text differently, to prevent from being deanonymized by our writing style. + +Shoutout to /u/inadahime for his [excellent dread blogpost](http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/post/c67d64ec4355ec872373) on this topic, which we're going to showcase. + +## **Local LLM Setup** + +So from the whonix VM we need to download these 3 components: + + + # At the time of writing, `0.8.16` was the latest version of llamafile. Change this as needed for future releases. + $ torsocks curl -L -o CounterStylometry.llamafile https://github.com/Mozilla-Ocho/llamafile/releases/download/0.8.16/llamafile-0.8.16 + + $ torsocks curl -L -o zipalign https://github.com/Mozilla-Ocho/llamafile/releases/download/0.8.16/zipalign-0.8.16 + + $ chmod a+x CounterStylometry.llamafile + $ chmod a+x zipalign + + + +Next we're going to download the LLM model "gemma-2-2b-it-abliterated-Q6_K.gguf" as it is minimal enough for our needs (weighs 2 GBs), so if the download fails along the way, you can run the comamnd again and it will resume where it stopped, thanks to the "-c" wget argument. + + + $ torsocks wget -c https://huggingface.co/bartowski/gemma-2-2b-it-abliterated-GGUF/resolve/main/gemma-2-2b-it-abliterated-Q6_K.gguf + + + +once you have these, create the ".args" file which we'll use to makes ure the LLM just rewrites our text differently (you can adjust this if you want): + + + [ mainpc ] [ /dev/pts/5 ] [~/llm] + → vim .args + + [ mainpc ] [ /dev/pts/5 ] [~/llm] + → cat .args + -m + gemma-2-2b-it-abliterated-Q6_K.gguf + -p + “<****start_of_turn>user\nYou are an AI assistant that anonymises user inputs. I, user, will send messages - you should reply with only a rephrased version of my message. I am never speaking to you, only providing text for you to anonymise. <****end_of_turn>\n <****start_of_turn>model\nYes, I understand, I will only reply to messages from you with a while sounding like a rephrased version of your message. What text would you like me to anonymise? <****end_of_turn>\n <****start_of_turn>user\n” + --reverse-prompt + “ <****start_of_turn>user\n” + -cnv + --log-disable + +And lastly we can create the final binary that we'll use like so : + + + [ mainpc ] [ /dev/pts/4 ] [~/llm] + → ./zipalign -j0 CounterStylometry.llamafile gemma-2-2b-it-abliterated-Q6_K.gguf .args + + used = 116'312 + + + +Once completed, you now have the executable file CounterStylometry.llamafile to use: + + + [ mainpc ] [ /dev/pts/4 ] [~/llm] + → ./CounterStylometry.llamafile + + > Hello, my name is captain blackbeard and i am totally not writing this Stylometry tutorial !!! zehahahaha! + A maritime figure is sharing a writing tutorial. They are not, it seems, enthusiastic. + + + +## **Testing the LLM** + +Now let's try the same conversation above but through the Stylometry LLM instead: + + + Nihilist: Ok, what if i paid you 5 euros for it ? + + Anon to LLM> Zehahahaha! Oy Matey! you're robbing me here ! + LLM to Anon: Someone's getting a little taken advantage of. + Anon to Nihilist: Someone's getting a little taken advantage of. + + Nihilist: Damn, i still can't figure out who you are... i guess there's no hope trying to deanonymize you via chat alone... + + Anon to LLM> Though luck matey! now assign me that blogpost! + LLM to Anon: give me that blog post. + Anon to Nihilist: give me that blog post. + + + +And that's it! you just made sure you couldn't get fingerprinted in your online chats. + +This is especially important when you are writing long paragraphs which are increasingly likely to contain your language ticks, and spelling mistakes, let's take an example from [one of my other tutorials](../linux/index.md): + + + In this tutorial, we're going to look at the first and foremost thing anyone can do to remove surveillance from their digital lives, by installing a free and open source software (FOSS) host operating system: Linux, in this case we're going to setup the latest Debian. + + + +And when you run it through the LLM it can rephrase it like so: + + + Let's explore the first step towards reducing digital surveillance by installing a free, open source operating system: Linux, in this instance, we'll set up the latest Debian version. + + + +If you apply this method every time you type online under your anonymous persona you are drastically reducing the chance of being fingerprinted, ensuring your anonymity remains intact even when you are having frequent online discussions. + diff --git a/su0.png b/su0.png new file mode 100644 index 0000000..df8fe52 Binary files /dev/null and b/su0.png differ diff --git a/su1.png b/su1.png new file mode 100644 index 0000000..24f0a7b Binary files /dev/null and b/su1.png differ diff --git a/su2.png b/su2.png new file mode 100644 index 0000000..d6b60b2 Binary files /dev/null and b/su2.png differ diff --git a/syncthinganon/1.png b/syncthinganon/1.png new file mode 100644 index 0000000..49770a8 Binary files /dev/null and b/syncthinganon/1.png differ diff --git a/syncthinganon/10.png b/syncthinganon/10.png new file mode 100644 index 0000000..92a5e5f Binary files /dev/null and b/syncthinganon/10.png differ diff --git a/syncthinganon/11.png b/syncthinganon/11.png new file mode 100644 index 0000000..cffecd5 Binary files /dev/null and b/syncthinganon/11.png differ diff --git a/syncthinganon/2.png b/syncthinganon/2.png new file mode 100644 index 0000000..8b8a914 Binary files /dev/null and b/syncthinganon/2.png differ diff --git a/syncthinganon/3.png b/syncthinganon/3.png new file mode 100644 index 0000000..2945042 Binary files /dev/null and b/syncthinganon/3.png differ diff --git a/syncthinganon/4.png b/syncthinganon/4.png new file mode 100644 index 0000000..edbd4e4 Binary files /dev/null and b/syncthinganon/4.png differ diff --git a/syncthinganon/5.png b/syncthinganon/5.png new file mode 100644 index 0000000..25a402f Binary files /dev/null and b/syncthinganon/5.png differ diff --git a/syncthinganon/6.png b/syncthinganon/6.png new file mode 100644 index 0000000..c5a9628 Binary files /dev/null and b/syncthinganon/6.png differ diff --git a/syncthinganon/7.png b/syncthinganon/7.png new file mode 100644 index 0000000..1438ae8 Binary files /dev/null and b/syncthinganon/7.png differ diff --git a/syncthinganon/8.png b/syncthinganon/8.png new file mode 100644 index 0000000..0982e5d Binary files /dev/null and b/syncthinganon/8.png differ diff --git a/syncthinganon/9.png b/syncthinganon/9.png new file mode 100644 index 0000000..3c4bf1c Binary files /dev/null and b/syncthinganon/9.png differ diff --git a/syncthinganon/Syncthing_circuit.jpg b/syncthinganon/Syncthing_circuit.jpg new file mode 100644 index 0000000..2d5386a Binary files /dev/null and b/syncthinganon/Syncthing_circuit.jpg differ diff --git a/syncthinganon/index.md b/syncthinganon/index.md new file mode 100644 index 0000000..1d41673 --- /dev/null +++ b/syncthinganon/index.md @@ -0,0 +1,155 @@ +--- +author: Prism_Breaker +date: null +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/16" +xmr: 87iB34vdFvNULrAjyfVAZ7jMXc8vbq9tLGMLjo6WC8N9Xo2JFaa8Vkp6dwXBt8rK12Xpz5z1rTa9jSfgyRbNNjswHKTzFVh +--- +# One on One large file sharing (Syncthing over Tor) + +Onionshare is a good choice when you want to share small files over tor. But onionshare cannot handle big files, because when tor circuit fails (which is quite common in Tor) your download simply fails, and it does not support resuming the download at where it previously failed. Syncthing is a better alternative if you want to share large files over tor, it does not need any setup or hosting, and it will automatically retry at break point when network fails. + +Syncthing is FOSS software and has E2EE by default, and can run it without requiring a VPS. This means you can just spin up syncthing client from your whonix workstation directly, and your data will be encrypted and sent through public syncthing nodes. If you have a threat model that needs a way to reliably share files with minimum exposure, this setup suits the need. + +Syncthing has its own relays for supporting transmission of files between peers which are both behind the nat, and it works when both parties are behind tor. This allows us to guarantee the anonymity of both parties. + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) (Or Qubes OS) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) (Or Qubes OS's Xen) + + 4. Virtual Machine: [Whonix](../whonixqemuvms/index.md) + + + + +It is highly recommended to use whonix for this setup, because there are always cases that an app might not honor your proxy setting and somehow tries to connect to the syncthing relay directly without going through Tor. It is always a good idea to put any anonymous use app in a whonix workstation, so your clearnet ip doesn't get revealed. + + + +## **Initial Setup** + +The first thing to do is to get syncthing to your whonix workstation. + +For simplicity you can just do + + + sudo apt-get install syncthing -y + + +If apt does not contain the up to date package, then you need to get it from the [syncthing website](https://syncthing.net/downloads/) + +![](1.png) + +Next verify the sha256sum according to + + + curl -s https://syncthing.net/release-key.txt | gpg --import + + +Check the gpg fingerprint, it should be like this + + + gpg --fingerprint + /home/user/.gnupg/pubring.kbx + ----------------------------- + pub rsa2048/0xD26E6ED000654A3E 2014-12-29 [SC] + Key fingerprint = 37C8 4554 E7E0 A261 E4F7 6E1E D26E 6ED0 0065 4A3E + uid [ unknown] Syncthing Release Management + sub rsa2048/0x681C3CFCF614F575 2014-12-29 [E] + + + +Then download verify the checksum file, and check the checksum to see if it matches + + + $ curl -sLO https://github.com/syncthing/syncthing/releases/download/v1.23.6/sha256sum.txt.asc + + $ gpg --verify sha256sum.txt.asc + gpg: Signature made Mo 03 Jul 2023 10:09:30 UTC + gpg: using RSA key D26E6ED000654A3E + gpg: Good signature from "Syncthing Release Management " + gpg: WARNING: This key is not certified with a trusted signature! + gpg: There is no indication that the signature belongs to the owner. + + $ sha256sum -c sha256sum.txt.asc + ... + sha256sum: syncthing-linux-386-v1.23.6.tar.gz: No such file or directory + syncthing-linux-386-v1.23.6.tar.gz: FAILED open or read + **syncthing-linux-amd64-v1.23.6.tar.gz: OK** + sha256sum: syncthing-linux-armv5-v1.23.6.tar.gz: No such file or directory + syncthing-linux-armv5-v1.23.6.tar.gz: FAILED open or read + ... + sha256sum: WARNING: 14 lines are improperly formatted + sha256sum: WARNING: 35 listed files could not be read + + + +Next you need to do some changes in the tor browser, so you can access the web panel that is running on localhost (127.0.0.1), type **about:config** inside the address bar, accept the risk and continue: + +![](2.png) + +search for no_proxies_on in the search bar, and add 127.0.0.1 to it + +![](3.png) + +Editing your tor browser is fine if you are just using it to access local syncthing instance, but you should revert the change if you want to access the internet. Changing tor config might bring some unexpected browser fingerprint issue. You should get a separate whonix vm if paranoid. + +## **How to setup syncthing** + +Next decompress the syncthing pack and execute it + + + $ tar xvf syncthing-linux-amd64-v1.28.0.tar.gz + + $ cd syncthing-linux-amd64-v1.28.0/ + + $ ./syncthing + + +If you have setup your tor browser correctly it should automatically redirect you to http://127.0.0.1:8384/ and you will see the web panel + +Next thing to do is to find your client id, it is in the actions menu + +![](4.png) + +![](5.png) + +Next exchange this id with people you are sharing file with + +After that add each other in both clients in the remote device section, if nothing goes wrong you should be able to see each other in the remote device section showed as "connected" + +![](6.png) + +![](7.png) + +![](8.png) + +## **How to sync files anonymously** + +After the previous setup, you can share the file you want. **But be aware tor traffic has low bandwidth, that is the price of online Anonymity**! Because if both parties are behind tor, your file goes through a circuit like this: + +![](Syncthing_circuit.jpg) + +I personally tried this setup, **to send a 10GB file it took me 4 hours 30 minutes to send it** , which is normal due to the Tor network being slow, you'll need to be patient when you are trying to send large files over Tor. + +You and your peer will only see the relay server's ip address, unlike the vpn setup which will expose the vpn ip you are using, which you can check [here](../syncthingvpn/index.md) + +You peer also won't know you are using tor if you do not tell him + +![](remote_node.png) + +Choose add folder to create a new sharing Folder, and choose to share this folder with your peer + +![](9.png) + +![](10.png) + +If nothing goes wrong, the receiver should see this + +![](11.png) + +Agree and add the folder, after that syncthing will automatically transmit the files + diff --git a/syncthinganon/remote_node.png b/syncthinganon/remote_node.png new file mode 100644 index 0000000..f16407a Binary files /dev/null and b/syncthinganon/remote_node.png differ diff --git a/syncthingvpn/0.png b/syncthingvpn/0.png new file mode 100644 index 0000000..6dd16cd Binary files /dev/null and b/syncthingvpn/0.png differ diff --git a/syncthingvpn/1.png b/syncthingvpn/1.png new file mode 100644 index 0000000..ea5eb5c Binary files /dev/null and b/syncthingvpn/1.png differ diff --git a/syncthingvpn/10.png b/syncthingvpn/10.png new file mode 100644 index 0000000..825d25b Binary files /dev/null and b/syncthingvpn/10.png differ diff --git a/syncthingvpn/11.png b/syncthingvpn/11.png new file mode 100644 index 0000000..301be46 Binary files /dev/null and b/syncthingvpn/11.png differ diff --git a/syncthingvpn/12.png b/syncthingvpn/12.png new file mode 100644 index 0000000..8e3e81b Binary files /dev/null and b/syncthingvpn/12.png differ diff --git a/syncthingvpn/13.png b/syncthingvpn/13.png new file mode 100644 index 0000000..d3e5c48 Binary files /dev/null and b/syncthingvpn/13.png differ diff --git a/syncthingvpn/2.png b/syncthingvpn/2.png new file mode 100644 index 0000000..d06844d Binary files /dev/null and b/syncthingvpn/2.png differ diff --git a/syncthingvpn/3.png b/syncthingvpn/3.png new file mode 100644 index 0000000..bb91c9d Binary files /dev/null and b/syncthingvpn/3.png differ diff --git a/syncthingvpn/4.png b/syncthingvpn/4.png new file mode 100644 index 0000000..6b57f6e Binary files /dev/null and b/syncthingvpn/4.png differ diff --git a/syncthingvpn/5.png b/syncthingvpn/5.png new file mode 100644 index 0000000..38f061f Binary files /dev/null and b/syncthingvpn/5.png differ diff --git a/syncthingvpn/6.png b/syncthingvpn/6.png new file mode 100644 index 0000000..0032101 Binary files /dev/null and b/syncthingvpn/6.png differ diff --git a/syncthingvpn/7.png b/syncthingvpn/7.png new file mode 100644 index 0000000..8fc569a Binary files /dev/null and b/syncthingvpn/7.png differ diff --git a/syncthingvpn/8.png b/syncthingvpn/8.png new file mode 100644 index 0000000..18abc90 Binary files /dev/null and b/syncthingvpn/8.png differ diff --git a/syncthingvpn/9.png b/syncthingvpn/9.png new file mode 100644 index 0000000..c44e54b Binary files /dev/null and b/syncthingvpn/9.png differ diff --git a/syncthingvpn/index.md b/syncthingvpn/index.md new file mode 100644 index 0000000..df78872 --- /dev/null +++ b/syncthingvpn/index.md @@ -0,0 +1,181 @@ +--- +author: XMRonly +date: 2024-11-01 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/11" +xmr: 8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3 +--- +# One-on-One Large File Sharing (Syncthing over VPN) + +![](0.png) + + + +## **Introduction** + +While many methods of sending files online exist - methods such as email attachments, FTP, [OnionShare](https://blog.nowhere.moe/opsec/onionshare/index.md) and even [torrenting](https://blog.nowhere.moe/opsec/p2ptorrents/index.md) \- all of these methods have one thing in common. Once a file has been sent, no further changes to that file are tracked. For the use-case where you want to not only send a file or a group of files but also receive any updates to the file(s), that is where Syncthing comes in. Syncthing is a FOSS continous file synchronization program that enables users to securely share files across multiple devices in a decentralized manner. It uses peer-to-peer technology to ensure that data is end-to-end encrypted and transferred directly between enabled devices, eliminating any need for centralized cloud services. Syncthing can be completely self-hosted and is very versatile as sync locations can be a home server, VPS, mobile device or even a friend's computer! In this article, we will explore how Sam can set up Syncthing to privately share large files with Larry and track changes to those files, all while using a VPN to mask their internet activity. + +## **Setup** + +We start from the perspective of both Sam and Larry as both will complete these initial steps. +![](sam.png) ![](larry.png) + +Sam and Larry are both using Debian and are on separate internet connections geographically distant from one another. It is presumed that both Sam and Larry have already purchased a subscription to a [VPN](https://blog.nowhere.moe/opsec/vpn/index.md). For this example we will use Proton VPN, but other [non-KYC VPNs](https://kycnot.me/?t=service&q=vpn) that accept Monero, such as Mullvad, may also be used. To start, they will sign in to their VPN client, ensure kill switch is enabled in the Settings, connect to their VPN and verify their IP address. ![](1.png) + +Syncthing works by end-to-end encrypting files and sending them over the internet. To do this, Syncthing uses a [discovery server](https://docs.syncthing.net/users/stdiscosrv.html) to find peers and the Syncthing project maintains a global cluster of discovery servers for public use. If establishing a direct connection between devices is not possible, Syncthing will automatically use community-contributed publicly available [relay servers](https://docs.syncthing.net/users/strelaysrv.html) to route the file transfer instead. Because Syncthing is end-to-end encrypted, there is no need to trust these servers as they cannot read anything going through. With that being said, because Syncthing is fully open-source, it is possible to self-host both discovery and relay servers, but such configurations are beyond the scope of this article. + +For self-hosting a working Syncthing instance, the official [docker compose](https://github.com/syncthing/syncthing/blob/main/README-Docker.md) instructions are as follows: + + + + --- + version: "3" + services: + syncthing: + image: syncthing/syncthing + container_name: syncthing + hostname: my-syncthing + environment: + - PUID=1000 + - PGID=1000 + volumes: + - /wherever/st-sync:/var/syncthing + ports: + - 8384:8384 # Web UI + - 22000:22000/tcp # TCP file transfers + - 22000:22000/udp # QUIC file transfers + - 21027:21027/udp # Receive local discovery broadcasts + restart: unless-stopped + healthcheck: + test: curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1 + interval: 1m + timeout: 10s + retries: 3 + + + +For this article, however, both Sam and Larry will install Syncthing on their computers from their package managers according to the [official instructions](https://apt.syncthing.net/) rather than self-hosting an instance: + + + + # Add the release PGP keys: + sudo mkdir -p /etc/apt/keyrings + sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg + + # Add the "stable" channel to your APT sources: + echo "deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list + + # Update and install syncthing: + sudo apt-get update + sudo apt-get install syncthing + + + +Both Sam and Larry will create a systemd unit to automate the process of starting Syncthing. Sam and Larry will both replace **USER** with their respective usernames. + + + + # Download the recommended systemd unit from the official Syncthing repository + wget "https://raw.githubusercontent.com/syncthing/syncthing/main/etc/linux-systemd/system/syncthing%40.service" + + # Make the file owned by root + sudo chown root: syncthing\@.service + + # Move the file to the appropriate directory + sudo mv syncthing\@.service /etc/systemd/system + + # Reload the daemon with the changes made + sudo systemctl daemon-reload + + # Enable the service on startup + sudo systemctl enable syncthing@**USER** + + # Start the service + sudo systemctl start syncthing@**USER** + + # Check the status + sudo systemctl status syncthing@**USER** + + # Example output for Sam + syncthing@sam.service - Syncthing - Open Source Continuous File Synchronization for sam + Loaded: loaded (/etc/systemd/system/syncthing@.service; **enabled** ; preset: enabled) + Active: **active (running)** since Fri 2024-10-25 12:15:35 EDT; 1h 46min ago + Docs: man:syncthing(1) + Main PID: 3634 (syncthing) + Tasks: 17 (limit: 4622) + Memory: 35.8M + CPU: 19.790s + CGroup: /system.slice/system-syncthing.slice/syncthing@sam.service + \u251c\u25003634 /usr/bin/syncthing serve --no-browser --no-restart --logflags=0 + \u2514\u25003641 /usr/bin/syncthing serve --no-browser --no-restart --logflags=0 + + + +Syncthing is now running as a daemon, and will sync files in the background. Because of its continuous file synchronization, file transfers will restart automatically should any interruptions in VPN connection or power supply occur. + +Sam and Larry will navigate to **localhost:8384** in their browsers to open the Syncthing web GUI. Sam and Larry are greeted with an option to allow anonymous reporting, which they can accept or deny. ![](2.png) + +Sam and Larry may choose to password protect their Syncthing web GUI, but in this article we'll just click OK. ![](3.png) + +We will switch to Larry's perspective. +![](larry.png) + +Larry clicks on Actions -> Show ID to get the ID of his device. ![](4.png) + +Larry now starts a [SimpleX](https://blog.nowhere.moe/opsec/anonsimplex/index.md) chat with Sam using disappearing messages and sends his Syncthing Device ID. ![](5.png) + +We will switch to Sam's perspective. +![](sam.png) + +Syncthing adds a Default Folder at **/home/sam/Sync** which will be used to share files. This can of course be changed if desired. Sam clicks to Add Remote Device and adds Larry's Device ID. Sam adds a Device Name as well. ![](6.png) + +Sam has 10GB of "Linux ISOs" he wants to share with Larry. Sam will start by moving the desired files to **/home/sam/Sync**. + + + + sam@debian:~$ mv *.iso /home/sam/Sync && ls -lh /home/sam/Sync + total 11G + -rw-r--r-- 1 sam sam 2.9G Oct 27 12:56 linux-1.iso + -rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-2.iso + -rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-3.iso + -rw-r--r-- 1 sam sam 1.5G Oct 26 17:06 linux-4-broken.iso + + + +From there, Syncthing will automatically detect the files and scan them. ![](7.png) + +Once scanning is complete, Sam is ready to share the files with Larry. On the Default Folder, Sam clicks Edit -> Sharing -> larry-computer and Save. ![](8.png) + +We will switch to Larry's perspective. +![](larry.png) + +Larry receives a notification that Sam wants to connect and share something with him. Larry accepts the connection and shared Default Folder. ![](9.png) + +Notice how the IP address that is shown to Larry is that of a Syncthing relay server like mentioned previously. If a direct connection had been established, Sam's VPN IP address would have been shown instead. ![](10.png) + +The file transfer starts. +![](11.png) + +Once finished, Larry has a complete copy of all of the files in **/home/larry/Sync**. Larry notices that Sam sent a Linux ISO that is broken. Larry fixes this broken Linux ISO and also adds a Linux ISO of his own to the shared folder. +![](12.png) + +Back to Sam's perspective. +![](sam.png) + +Because the file transfer is bi-directional by default, the changes that Larry made are synced back to Sam! + + + + sam@debian:~$ ls -lh /home/sam/Sync + total 12G + -rw-r--r-- 1 sam sam 1.5G Oct 30 10:47 larry-favorite.iso + -rw-r--r-- 1 sam sam 2.9G Oct 27 12:56 linux-1.iso + -rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-2.iso + -rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-3.iso + -rw-r--r-- 1 sam sam 1.5G Oct 26 17:06 linux-4-fixed.iso + + + +## **Conclusion** + +Sam was able to privately share 10GB of files and automatically receive changes to those files all while keeping his internet activity hidden. Notice how Larry was able to overwrite a file that Sam originally shared. There may be cases where this is undesirable and this option can be changed under Default Folder -> Edit -> Advanced and selecting either Send Only or Receive Only. ![](13.png) + diff --git a/syncthingvpn/larry.png b/syncthingvpn/larry.png new file mode 100644 index 0000000..ea622cd Binary files /dev/null and b/syncthingvpn/larry.png differ diff --git a/syncthingvpn/sam.png b/syncthingvpn/sam.png new file mode 100644 index 0000000..7c6addf Binary files /dev/null and b/syncthingvpn/sam.png differ diff --git a/tailsqemuvm/0.png b/tailsqemuvm/0.png new file mode 100644 index 0000000..d9f89e0 Binary files /dev/null and b/tailsqemuvm/0.png differ diff --git a/tailsqemuvm/1.png b/tailsqemuvm/1.png new file mode 100644 index 0000000..e9a5164 Binary files /dev/null and b/tailsqemuvm/1.png differ diff --git a/tailsqemuvm/10.png b/tailsqemuvm/10.png new file mode 100644 index 0000000..6f06ea9 Binary files /dev/null and b/tailsqemuvm/10.png differ diff --git a/tailsqemuvm/11.png b/tailsqemuvm/11.png new file mode 100644 index 0000000..4d758ba Binary files /dev/null and b/tailsqemuvm/11.png differ diff --git a/tailsqemuvm/12.png b/tailsqemuvm/12.png new file mode 100644 index 0000000..f7fb4a6 Binary files /dev/null and b/tailsqemuvm/12.png differ diff --git a/tailsqemuvm/13.png b/tailsqemuvm/13.png new file mode 100644 index 0000000..43da2f8 Binary files /dev/null and b/tailsqemuvm/13.png differ diff --git a/tailsqemuvm/14.png b/tailsqemuvm/14.png new file mode 100644 index 0000000..ebc8f11 Binary files /dev/null and b/tailsqemuvm/14.png differ diff --git a/tailsqemuvm/15.png b/tailsqemuvm/15.png new file mode 100644 index 0000000..e49ddb6 Binary files /dev/null and b/tailsqemuvm/15.png differ diff --git a/tailsqemuvm/16.png b/tailsqemuvm/16.png new file mode 100644 index 0000000..d844c0e Binary files /dev/null and b/tailsqemuvm/16.png differ diff --git a/tailsqemuvm/17.png b/tailsqemuvm/17.png new file mode 100644 index 0000000..827fab4 Binary files /dev/null and b/tailsqemuvm/17.png differ diff --git a/tailsqemuvm/18.png b/tailsqemuvm/18.png new file mode 100644 index 0000000..5591c07 Binary files /dev/null and b/tailsqemuvm/18.png differ diff --git a/tailsqemuvm/19.png b/tailsqemuvm/19.png new file mode 100644 index 0000000..b957bdd Binary files /dev/null and b/tailsqemuvm/19.png differ diff --git a/tailsqemuvm/2.png b/tailsqemuvm/2.png new file mode 100644 index 0000000..9a2f405 Binary files /dev/null and b/tailsqemuvm/2.png differ diff --git a/tailsqemuvm/20.png b/tailsqemuvm/20.png new file mode 100644 index 0000000..7aec39b Binary files /dev/null and b/tailsqemuvm/20.png differ diff --git a/tailsqemuvm/21.png b/tailsqemuvm/21.png new file mode 100644 index 0000000..1ff1ed0 Binary files /dev/null and b/tailsqemuvm/21.png differ diff --git a/tailsqemuvm/3.png b/tailsqemuvm/3.png new file mode 100644 index 0000000..381838f Binary files /dev/null and b/tailsqemuvm/3.png differ diff --git a/tailsqemuvm/30.png b/tailsqemuvm/30.png new file mode 100644 index 0000000..5e8365e Binary files /dev/null and b/tailsqemuvm/30.png differ diff --git a/tailsqemuvm/31.png b/tailsqemuvm/31.png new file mode 100644 index 0000000..775ee2a Binary files /dev/null and b/tailsqemuvm/31.png differ diff --git a/tailsqemuvm/32.png b/tailsqemuvm/32.png new file mode 100644 index 0000000..a78ad82 Binary files /dev/null and b/tailsqemuvm/32.png differ diff --git a/tailsqemuvm/33.png b/tailsqemuvm/33.png new file mode 100644 index 0000000..5e8365e Binary files /dev/null and b/tailsqemuvm/33.png differ diff --git a/tailsqemuvm/34.png b/tailsqemuvm/34.png new file mode 100644 index 0000000..ff19791 Binary files /dev/null and b/tailsqemuvm/34.png differ diff --git a/tailsqemuvm/35.png b/tailsqemuvm/35.png new file mode 100644 index 0000000..2823036 Binary files /dev/null and b/tailsqemuvm/35.png differ diff --git a/tailsqemuvm/36.png b/tailsqemuvm/36.png new file mode 100644 index 0000000..bead253 Binary files /dev/null and b/tailsqemuvm/36.png differ diff --git a/tailsqemuvm/37.png b/tailsqemuvm/37.png new file mode 100644 index 0000000..4c33a16 Binary files /dev/null and b/tailsqemuvm/37.png differ diff --git a/tailsqemuvm/4.png b/tailsqemuvm/4.png new file mode 100644 index 0000000..8272c9f Binary files /dev/null and b/tailsqemuvm/4.png differ diff --git a/tailsqemuvm/40.mp4 b/tailsqemuvm/40.mp4 new file mode 100644 index 0000000..89f1a33 Binary files /dev/null and b/tailsqemuvm/40.mp4 differ diff --git a/tailsqemuvm/5.png b/tailsqemuvm/5.png new file mode 100644 index 0000000..5055c2e Binary files /dev/null and b/tailsqemuvm/5.png differ diff --git a/tailsqemuvm/6.png b/tailsqemuvm/6.png new file mode 100644 index 0000000..d7b9051 Binary files /dev/null and b/tailsqemuvm/6.png differ diff --git a/tailsqemuvm/7.png b/tailsqemuvm/7.png new file mode 100644 index 0000000..33b5d23 Binary files /dev/null and b/tailsqemuvm/7.png differ diff --git a/tailsqemuvm/8.png b/tailsqemuvm/8.png new file mode 100644 index 0000000..31f8b64 Binary files /dev/null and b/tailsqemuvm/8.png differ diff --git a/tailsqemuvm/9.png b/tailsqemuvm/9.png new file mode 100644 index 0000000..977993c Binary files /dev/null and b/tailsqemuvm/9.png differ diff --git a/tailsqemuvm/index.md b/tailsqemuvm/index.md new file mode 100644 index 0000000..c92cd8f --- /dev/null +++ b/tailsqemuvm/index.md @@ -0,0 +1,200 @@ +--- +author: nihilist +date: 2024-10-03 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/92" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Tails OS for Easy Temporary Sensitive Use + +![](0.png) + +In this tutorial we're going to look at how you can run Tails OS (The Amnesic Incognito Linux System) on a USB Stick, and also on a QEMU VM, following the official documentation [here](https://tails.net/doc/advanced_topics/virtualization/virt-manager/index.en.html). + +⚠️ _Deniability Disclaimer:_ **This setup is only suitable if the adversary can be told that you are using Tails OS, without it being a reason to throw you in jail. Do not proceed if that's the case.** ⚠️ + +**Tails OS is suitable for Short Term Sensitive Use due to it's default live-mode feature** , where upon shutting down the OS, every forensic trace of what you were doing is completely erased from memory, where the entire OS is loaded into. There are no disk-writes at all by default. (Unless if you use the persistent storage, which is not suitable for sensitive use, due to not being deniable encryption like [Veracrypt](../veracrypt/index.md) ). + +![](37.png) + +While it is similar to Whonix, it is specificially intended for temporary sensitive use. [Whonix](../sensitivevm/index.md) on the other hand can be used for long-term sensitive use. Click [here](https://www.whonix.org/wiki/Comparison_with_Others) for more details on the differences between Whonix and Tails. + +## _OPSEC Recommendations (for the live USB setup):_ + + 1. Hardware : (Personal Computer / Laptop) and a USB stick (with at least 2GB) + + 2. Host OS: [Linux](../linux/index.md) + + + + +I recommend using this setup for [Anonymous use](../anonymityexplained/index.md) if you store anything into the persistent storage, **or for short-term[Sensitive use](../deniability/index.md) if you are not storing anything sensitive in the persistent storage**, as per the [4 basic OPSEC levels](../opsec4levels/index.md). + + + +## **Tails live USB Setup** + +First we download Tails OS as a USB image [here](https://tails.net/install/download/index.en.html): + +![](1.png) + +Then we resize the image size to be able to contain persistent storage (in this case, i'll make it 8Gbs): + + + [ nowhere ] [ /dev/pts/8 ] [nihilist/VAULT/Isos] + → ls tails-amd64-6.3.img -lash + 1.4G -rw-r--r-- 1 nihilist nihilist 1.4G Jun 14 10:15 tails-amd64-6.3.img + + [ nowhere ] [ /dev/pts/8 ] [nihilist/VAULT/Isos] + → truncate -s 8192M tails-amd64-6.3.img + + + +From here we install tails onto the usb stick (which is detected as /dev/sdc in our usecase) from the commandline using dd: + + + nihilist@mainpc:~$ lsblk + NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS + + [...] + **sdc 8:32 1 14.6G 0 disk** + [...] + + user@mainpc:~$ cd .mullvad-browser/Downloads/ + usert@mainpc:~$ **sudo dd if=/home/user/tails-amd64-6.3.img of=/dev/sdc bs=16M oflag=direct status=progress** + + + +Now that the Tails OS image has been flashed onto the usb stick, you can simply reboot your computer, and then enter the boot menu to choose to boot onto the USB rather than onto your host OS. In this example i need to press ESC, but depending on your motherboard you may need to press F2, or F11, or another key. + +![](34.png) + +Then after entering the boot options by pressing ESC, we press 1 to choose to boot onto the USB key, rather than booting on the system drive. + +![](35.png) ![](36.png) + +And you've just booted in Tails OS from your usb key! + +## **Tails QEMU VM Setup** + +![](21.png) + +## _OPSEC Recommendations (for the QEMU setup):_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Application: [Host-based VPN](../index.md) (if your ISP doesn't allow Tor traffic) + + + + +_Sidenote:_ If your ISP does not allow Tor traffic, make sure that you [route the QEMU VMs traffic through a VPN](../vpnqemu/index.md), to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup + +Now in the same way (even though it is a less-popular setup) we can also we can create a Tails OS QEMU VM in virt-manager like so: + +![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) + +Then press enter to launch tails: + +![](8.png) + +(wait a few seconds for it to load) + +![](9.png) + +Once in there, depending on your use, you can select to have an admin password and a persistent storage if you need it. Otherwise everything you do in the VM will be wiped clean upon shutdown (hence the word amnesic). + +![](10.png) + +Then we select connect to tor automatically: + +![](11.png) + +And here we click start the Tor browser to browse the web anonymously, and if you're curious and want to see the tor Circuits you can view them also: + +![](12.png) + +## **Persistent Storage Setup (warning, this is not[deniable encryption](../veracrypt/index.md)!)** + +Next, if you want to enable the persistent storage **(which uses regular encryption, do not store anything sensitive in it!)** go there: + +![](13.png) + +make sure you enter a strong password that can't be bruteforced easily: + +![](14.png) + +then hit "create persistent storage" and wait a bit for the operation to complete: + +![](15.png) + +Then adjust the settings as per your liking, if you want the persistent storage to store more than it does by default: + +![](16.png) ![](17.png) + +Then if you want to install additional software you can launch a terminal: + +![](18.png) + +Then from there you can use sudo because you enabled the administrator password, and install software: + + + amnesia@amnesia:~$ sudo apt update -y ; sudo apt install neofetch -y + [sudo] password for amnesia: + Get:1 tor+https://cdn-fastly.deb.debian.org/debian bookworm InRelease [151 kB] + Get:2 tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bookworm InRelease [3,526 B] + Get:3 tor+https://cdn-fastly.deb.debian.org/debian-security bookworm-security InRelease [48.0 kB] + + [...] + + + +Then once the software installed, you have the possibility to store it in the persistent storage as well, so that it can be available when you launch tails again: + +![](19.png) + + + amnesia@amnesia:~$ neofetch + `` amnesia@amnesia + ./yhNh --------------- + syy/Nshh `:o/ OS: Tails x86_64 + N:dsNshh \u2588 `ohNMMd Host: KVM/QEMU (Standard PC (Q35 + ICH9, 2009) pc-q35-9.0) + N-/+Nshh `yMMMMd Kernel: 6.1.0-21-amd64 + N-yhMshh yMMMMd Uptime: 13 mins + N-s:hshh \u2588 yMMMMd so//. Packages: 1854 (dpkg) + N-oyNsyh yMMMMd d Mms. Shell: bash 5.2.15 + N:hohhhd:. yMMMMd syMMM+ Resolution: 1280x800 + Nsyh+-..+y+- yMMMMd :mMM+ DE: GNOME 43.9 + +hy- -ss/`yMMMM `+d+ WM: Mutter + :sy/. ./yNMMMMm `` WM Theme: Adwaita + .+ys- `:+hNMMMMMMy/` Theme: Adwaita [GTK2/3] + `hNmmMMMMMMMMMMMMdo. Icons: Adwaita [GTK2/3] + dMMMMMMMMMMMMMMMMMNh: Terminal: gnome-terminal + +hMMMMMMMMMMMMMMMMMmy. CPU: 11th Gen Intel i7-11700K (2) @ 3.600GHz + -oNMMMMMMMMMMmy+.` GPU: 00:01.0 Red Hat, Inc. Virtio 1.0 GPU + `:yNMMMds/.` Memory: 1313MiB / 3915MiB + .//` + + + +And that's it! We managed to run tails OS from a QEMU VM and install some software into the persistent storage. + +## **Deniability Context** + +Now suppose you are living in a country where using Tails OS and Tor is not going to be a reason to immediately throw you in jail, the adversary is busting down your door, while you are browsing a sensitive website with it, and you want to make sure that there is no incriminating evidence to be found against you when the adversary seizes your computer. + +**Reminder, this is only for temporary sensitive use, do not save anything sensitive in the persistent storage because otherwise the adversary can force you to unlock it to reveal the contents.** + +If you have a regular live usb tails os setup, all you need to do is to simply **unplug or disconnect the USB stick to shutdown the system and wipe off all forensic trace of what you were doing:** + +And If you have a Tails OS VM, you can simply hit the shutdown button to erase what you were doing in the VM: + +![](20.png) + +All you need is to shutdown the VM, and everything forensic trace of what you were doing in it gets immediately erased from memory, as if there was nothing there to begin with. **Effectively leaving the adversary empty-handed with no incriminating evidence to use against you in court.** + +And that's it! You now have a dedicated live OS for temporary sensitive use. + diff --git a/tor/bridge/1.png b/tor/bridge/1.png new file mode 100644 index 0000000..217f18a Binary files /dev/null and b/tor/bridge/1.png differ diff --git a/tor/bridge/10.png b/tor/bridge/10.png new file mode 100644 index 0000000..b485a59 Binary files /dev/null and b/tor/bridge/10.png differ diff --git a/tor/bridge/11.png b/tor/bridge/11.png new file mode 100644 index 0000000..d224cc6 Binary files /dev/null and b/tor/bridge/11.png differ diff --git a/tor/bridge/12.png b/tor/bridge/12.png new file mode 100644 index 0000000..1744751 Binary files /dev/null and b/tor/bridge/12.png differ diff --git a/tor/bridge/13.png b/tor/bridge/13.png new file mode 100644 index 0000000..1662390 Binary files /dev/null and b/tor/bridge/13.png differ diff --git a/tor/bridge/14.png b/tor/bridge/14.png new file mode 100644 index 0000000..f45abcf Binary files /dev/null and b/tor/bridge/14.png differ diff --git a/tor/bridge/15.png b/tor/bridge/15.png new file mode 100644 index 0000000..892958c Binary files /dev/null and b/tor/bridge/15.png differ diff --git a/tor/bridge/16.png b/tor/bridge/16.png new file mode 100644 index 0000000..1ef6c15 Binary files /dev/null and b/tor/bridge/16.png differ diff --git a/tor/bridge/17.png b/tor/bridge/17.png new file mode 100644 index 0000000..4e56143 Binary files /dev/null and b/tor/bridge/17.png differ diff --git a/tor/bridge/18.png b/tor/bridge/18.png new file mode 100644 index 0000000..dfd78f7 Binary files /dev/null and b/tor/bridge/18.png differ diff --git a/tor/bridge/19.png b/tor/bridge/19.png new file mode 100644 index 0000000..ed4bdf5 Binary files /dev/null and b/tor/bridge/19.png differ diff --git a/tor/bridge/2.png b/tor/bridge/2.png new file mode 100644 index 0000000..26a1459 Binary files /dev/null and b/tor/bridge/2.png differ diff --git a/tor/bridge/3.png b/tor/bridge/3.png new file mode 100644 index 0000000..a10e2e2 Binary files /dev/null and b/tor/bridge/3.png differ diff --git a/tor/bridge/4.png b/tor/bridge/4.png new file mode 100644 index 0000000..9d60f93 Binary files /dev/null and b/tor/bridge/4.png differ diff --git a/tor/bridge/5.png b/tor/bridge/5.png new file mode 100644 index 0000000..c2bf56d Binary files /dev/null and b/tor/bridge/5.png differ diff --git a/tor/bridge/6.png b/tor/bridge/6.png new file mode 100644 index 0000000..6b98d2a Binary files /dev/null and b/tor/bridge/6.png differ diff --git a/tor/bridge/7.png b/tor/bridge/7.png new file mode 100644 index 0000000..c07d123 Binary files /dev/null and b/tor/bridge/7.png differ diff --git a/tor/bridge/8.png b/tor/bridge/8.png new file mode 100644 index 0000000..7f3cdde Binary files /dev/null and b/tor/bridge/8.png differ diff --git a/tor/bridge/9.png b/tor/bridge/9.png new file mode 100644 index 0000000..6987383 Binary files /dev/null and b/tor/bridge/9.png differ diff --git a/tor/bridge/index.md b/tor/bridge/index.md new file mode 100644 index 0000000..a7f8f3c --- /dev/null +++ b/tor/bridge/index.md @@ -0,0 +1,260 @@ +--- +author: nihilist +date: 2024-01-02 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/100" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# TOR Bridge (November 2024 update) + +![](../logo.png) + +Before we start, you will need a Debian VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your Debian server. + +![](../../logos/daturagit.png) _Sidenote:_ Help us improve this tutorial by letting us know if there's anything missing or incorrect on this [git issue](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/100) directly! + +## **Initial Setup** + +Log into your Debian server and add Tor repository. +This will allow you to update your Tor daemon to latest versions just after they're released. It's not recommended to use **tor** package from Debian repository since it's usually out of date. +To do that, [check the steps on Tor project's website](https://support.torproject.org/apt/tor-deb-repo/). Commands I run are listed below, but they may change in the future. + + + root@Datura:~# apt update -y && apt upgrade -y + root@Datura:~# apt install apt-transport-https curl tmux vim obfs4proxy gnupg2 -y + + root@Datura:~# cat /etc/apt/sources.list | head -n3 + + deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + + root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null + + root@Datura:~# apt update -y + root@Datura:~# apt install tor nyx + + +To configure tor we need to edit the configuration file with the following entry. Replace the TODOs with the port numbers you wish to use Edit tor configuration file: + + + root@Datura:~# vim /etc/tor/torrc + + #Added configuration + BridgeRelay 1 + + # Replace "TODO1" with a Tor port of your choice. + # This port must be externally reachable. + # Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port. + ORPort 37051 + + ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy + + # Replace "TODO2" with an obfs4 port of your choice. + # This port must be externally reachable and must be different from the one specified for ORPort. + # Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port. + ServerTransportListenAddr obfs4 0.0.0.0:8042 + + # Local communication port between Tor and obfs4. Always set this to "auto". + # "Ext" means "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0. + ExtORPort auto + + # Replace "" with your email address so we can contact you if there are problems with your bridge. + # This is optional but encouraged. + ContactInfo nihilist@nowhere.moe + + # Pick a nickname that you like for your bridge. This is optional. + Nickname Nihilist + + +Then restart the tor service + enable it: + + + #Restart service + root@Datura:~# systemctl restart tor@default + + #Enable at boot + root@Datura:~# systemctl enable --now tor@default + + +## **Nyx monitoring** + +Once it finished installing, you can monitor your tor bridge node activity with nyx: + + + root@Datura:~# sudo -u debian-tor nyx + +![](4.png) + +## **Using your own bridge** + +Next install tor-browser (in arch linux you can do it from the AUR), if not just go to the [downloads](https://www.torproject.org/download/) page. + + + yay -S torbrowser-launcher + + + +![](5.png) + +Then Launch it, and go in your preferences: + +![](6.png) ![](7.png) + +Here specifying your own bridge is not that simple, you need to use the following syntax: + + + Bridge obfs4 <****IP ADDRESS>: <****PORT> <****FINGERPRINT> cert= <****CERTIFICATE> iat-mode=0 + +First find the ip address of your server: + + + root@debian-s-1vcpu-1gb-lon1-01:~# curl ifconfig.me && echo && echo + **134.209.26.190** + + + +Next find the port : + + + sudo -u debian-tor nyx + + + +Just hit right arrow 3 times to get to your torrc config preview: + +![](8.png) + +And here we have port **8042**. Next we need the fingerprint which is at page 1 of nyx, so press leftarrow to get back to page 1 and then scroll down using the downarrow: + +![](9.png) + +Here it is **829165B21621041E7A9CDF7192AFFC51CA640B0E** , be careful not to copy the other one above which is the HASHED identity key. Here we want the original identity key fingerprint. After this, we need the server's certificate: + + + + root@debian-s-1vcpu-1gb-lon1-01:~# cat /var/lib/tor/pt_state/obfs4_bridgeline.txt + # obfs4 torrc client bridge line + # + # This file is an automatically generated bridge line based on + # the current obfs4proxy configuration. EDITING IT WILL HAVE + # NO EFFECT. + # + # Before distributing this Bridge, edit the placeholder fields + # to contain the actual values: + # <****IP ADDRESS> - The public IP address of your obfs4 bridge. + # <****PORT> - The TCP/IP port of your obfs4 bridge. + # <****FINGERPRINT> - The bridge's fingerprint. + + Bridge obfs4 <****IP ADDRESS>: <****PORT> <****FINGERPRINT>**cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0** + + +Here in this case we need the last part: **cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0** + +And so we combine it all to get the string we need: + + + Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0 + + +Paste it in and hit "new identity": + +![](10.png) + +Then we check if it is working on [check.torproject.org](https://check.torproject.org/): + +![](11.png) + +And that's it! we have been able to use our own VPS-hosted tor bridge! + +If you want to use the bridge from torrc you can do as follows: + + + nihilist@mainpc: ~$ vim /etc/tor/torrc + nihilist@mainpc: ~$ cat /etc/tor/torrc + + UseBridges 1 + ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed + Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0 + + nihilist@mainpc: ~$ systemctl restart tor@default + + + +Now keep in mind that obfs4 traffic simply looks like random data on the outside, it doesn't look like legit https traffic when doing deep-packet inspection. Therefore for heavily-censored countries, we recommend you use snowflake bridges: + +## **Snowflake bridge theory** + +As time goes to 2024 censorship becomes more advanced, and sometimes snowflake protocol works better than obfs4. We will go through theories and setup about snowflake bridge + +For a normal tor connection without bridge, you will: + +1.Talk to central directory + +2.Get network information + +3.Connect to your gurad nodes, and form tor circuits + +![](snowflake-migrate/normal_tor_connection.png) + +If tor network is blocked, you cannot talk to central directory or any tor node ip, then you need a **bridge** + +All of your communication goes through the bridge, including your initial talk to central directory, and your bridge automatically becomes your first tor node + +![](snowflake-migrate/bridge.png) + +Bridges are usually not publicly announced for censorship resistance, since once a bridge ip get known by censoring firewall it can simply drop all the packets to that ip + +This is the weakness for traditional tor bridges, not matter how hard you try to obfuscate your traffic, the **bridge ip** always have to be semi-public because you want people to use it, but this means people who work for censorship can also find bridge ip + +To end this cat and mouse game, snowflake is introduced + +![](snowflake-migrate/snowflake-schematic.png) + +This is a picture of how snowflake works from tor official + +First you have volunteers over the world who install snowflake plugin in their browsers, they act as bridges for you to connect to tor network. Because this is mostly run by amateurs, and people turn on and off their devices all the time, which makes many ephemeral bridges, and this is why it is called snowflake + +There is also a server called broker that knows all the information about snowflakes + +![](snowflake-migrate/snowflakes.png) + +Then you will use a technique called domain fronting, which makes you seems connecting to a legit service like azure cloud or google cloud, but your actual connection goes to the broker. + +![](snowflake-migrate/domain-fronting.png) + +Then the broker server introduce you to the snowflake proxy, then you establish a webrtc connection, which is a connection allows two app to have direct connection for video call or file transmission. Then your traffic goes to the snowflake proxy, and connects to the rest of tor network + +![](snowflake-migrate/WebRTC.png) + +Then you connect to tor network! + +## **Snowflake bridge in practice** + +Now in practice, all you need to do to run a snowflake bridge is to have a webpage that runs the following HTML code: + +Whoever wants to run a snowflake bridge simply has to click the "enabled" slider to run a snowflake bridge. Or you can also run [the snowflake firefox extension](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) to run a snowflake bridge whenever you are starting a webpage: + +![](15.png) ![](16.png) ![](17.png) ![](18.png) ![](19.png) + +and then you can simply wait for someone to use it. Someone that needs to evade censorship somewhere in the world will start to use it when torproject will give them the snowflake bridgelike so: + +![](12.png) ![](13.png) ![](14.png) + +If you want to use the snowflake bridge from torrc you can do as follows: + + + nihilist@mainpc: ~$ vim /etc/tor/torrc + nihilist@mainpc: ~$ cat /etc/tor/torrc + + UseBridges 1 + ClientTransportPlugin snowflake exec ./client -log snowflake.log + + Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ fronts=foursquare.com,github.githubassets.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn + + Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn + + Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn + + nihilist@mainpc: ~$ systemctl restart tor@default + + + diff --git a/tor/bridge/snowflake-migrate/WebRTC.png b/tor/bridge/snowflake-migrate/WebRTC.png new file mode 100644 index 0000000..4ff1438 Binary files /dev/null and b/tor/bridge/snowflake-migrate/WebRTC.png differ diff --git a/tor/bridge/snowflake-migrate/bridge.png b/tor/bridge/snowflake-migrate/bridge.png new file mode 100644 index 0000000..9bb179e Binary files /dev/null and b/tor/bridge/snowflake-migrate/bridge.png differ diff --git a/tor/bridge/snowflake-migrate/domain-fronting.png b/tor/bridge/snowflake-migrate/domain-fronting.png new file mode 100644 index 0000000..8139a42 Binary files /dev/null and b/tor/bridge/snowflake-migrate/domain-fronting.png differ diff --git a/tor/bridge/snowflake-migrate/flake_log.png b/tor/bridge/snowflake-migrate/flake_log.png new file mode 100644 index 0000000..b69fb7e Binary files /dev/null and b/tor/bridge/snowflake-migrate/flake_log.png differ diff --git a/tor/bridge/snowflake-migrate/normal_tor_connection.png b/tor/bridge/snowflake-migrate/normal_tor_connection.png new file mode 100644 index 0000000..0cf2a43 Binary files /dev/null and b/tor/bridge/snowflake-migrate/normal_tor_connection.png differ diff --git a/tor/bridge/snowflake-migrate/snowflake-schematic.png b/tor/bridge/snowflake-migrate/snowflake-schematic.png new file mode 100644 index 0000000..eaf7222 Binary files /dev/null and b/tor/bridge/snowflake-migrate/snowflake-schematic.png differ diff --git a/tor/bridge/snowflake-migrate/snowflakes.png b/tor/bridge/snowflake-migrate/snowflakes.png new file mode 100644 index 0000000..0a232d5 Binary files /dev/null and b/tor/bridge/snowflake-migrate/snowflakes.png differ diff --git a/tor/bridge/snowflake-migrate/tor_check.png b/tor/bridge/snowflake-migrate/tor_check.png new file mode 100644 index 0000000..42bf12a Binary files /dev/null and b/tor/bridge/snowflake-migrate/tor_check.png differ diff --git a/tor/exit_node/0.png b/tor/exit_node/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/tor/exit_node/0.png differ diff --git a/tor/exit_node/1.png b/tor/exit_node/1.png new file mode 100644 index 0000000..a7d33af Binary files /dev/null and b/tor/exit_node/1.png differ diff --git a/tor/exit_node/2.jpg b/tor/exit_node/2.jpg new file mode 100644 index 0000000..08ea3e7 Binary files /dev/null and b/tor/exit_node/2.jpg differ diff --git a/tor/exit_node/2.png b/tor/exit_node/2.png new file mode 100644 index 0000000..e58de0c Binary files /dev/null and b/tor/exit_node/2.png differ diff --git a/tor/exit_node/3.png b/tor/exit_node/3.png new file mode 100644 index 0000000..cd4599f Binary files /dev/null and b/tor/exit_node/3.png differ diff --git a/tor/exit_node/4.png b/tor/exit_node/4.png new file mode 100644 index 0000000..50bd441 Binary files /dev/null and b/tor/exit_node/4.png differ diff --git a/tor/exit_node/5.png b/tor/exit_node/5.png new file mode 100644 index 0000000..cd9024d Binary files /dev/null and b/tor/exit_node/5.png differ diff --git a/tor/exit_node/6.png b/tor/exit_node/6.png new file mode 100644 index 0000000..79de662 Binary files /dev/null and b/tor/exit_node/6.png differ diff --git a/tor/exit_node/7.png b/tor/exit_node/7.png new file mode 100644 index 0000000..8577c6e Binary files /dev/null and b/tor/exit_node/7.png differ diff --git a/tor/exit_node/8.png b/tor/exit_node/8.png new file mode 100644 index 0000000..c556941 Binary files /dev/null and b/tor/exit_node/8.png differ diff --git a/tor/exit_node/9.png b/tor/exit_node/9.png new file mode 100644 index 0000000..ac4df14 Binary files /dev/null and b/tor/exit_node/9.png differ diff --git a/tor/exit_node/index.md b/tor/exit_node/index.md new file mode 100644 index 0000000..a75ef94 --- /dev/null +++ b/tor/exit_node/index.md @@ -0,0 +1,167 @@ +--- +author: nihilist +date: 2024-01-29 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/102" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# TOR Exit Node + +![](../logo.png) + +Before we start, make sure you either rent a VPS anonymously (tor+XMR + ssh via tor) click [here](https://kycnot.me/search?q=hosting&type=service) for the list of anonymity-friendly hosting providers or rent a VPS on a cloud provider that [explicitly](https://community.torproject.org/relay/community-resources/good-bad-isps/) allows for tor exit nodes to be hosted on their platform. + +![](2.jpg) + +As a disclaimer, you need to know who allows these tor exit nodes, if you're going to pick a random host provider to host an exit node for you, you really don't know how the host may respond to that. Therefore it is best to pre-emptively see who actually accepts those exit nodes by looking at their TOS or by contacting them for additional information. + +![](1.png) + +⚠️ Beware that authorities aren't always aware of tor exit node and what to do from a legal stand point. Before hosting an exit node, please take time to do sufficient legal research. People have been arrested all around the world and had a lot of trouble with authorities because they hosted exit nodes. If you are still motivated to get your own exit node, keep the phone number of a lawyer specialised in this field just in case anything goes wrong. ⚠️ + +Now you can get a domain name to resolve to your exit node, or just use the one provided by njal.la : + +![](8.png) + +Now regarding the choice of location for the server, in order to make sure that Tor remains decentralised, make sure that you are picking a country that doesn't have many tor nodes (see the [bubbles graph](https://metrics.torproject.org/bubbles.html#country)): + +![](../relay/country.png) + +_Disclaimer:_ **Do not host your Tor node in Germany, Netherlands or in the US, as there are already too many nodes in those countries.** Try to run your own Tor nodes in countries that have the least nodes preferably, as this will help keeping the Tor network decentralized. + +![](../../logos/daturagit.png) _Sidenote:_ Help us improve this tutorial by letting us know if there's anything missing or incorrect on this [git issue](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/102) directly! + +## **Initial setup** + +Log into your Debian server and add Tor repository. +This will allow you to update your Tor daemon to latest versions just after they're released. It's not recommended to use **tor** package from Debian repository since it's usually out of date. +To do that, [check the steps on Tor project's website](https://support.torproject.org/apt/tor-deb-repo/). Commands I run are listed below, but they may change in the future. + + + root@Datura:~# apt update -y && apt upgrade -y + root@Datura:~# apt install apt-transport-https curl tmux vim obfs4proxy gnupg2 -y + + root@Datura:~# cat /etc/apt/sources.list | head -n3 + + deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + + root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null + + root@Datura:~# apt update -y + root@Datura:~# apt install tor nyx + + +From inside nyx you can view tor's status : + + + root@exit:~# nyx + + + +![](5.png) + +inside nyx you can use the left and right arrow to navigate the different pages: + +![](6.png) + +Above you can see the connections, pressing right again shows how your server is configured, along with extra details on each setting: + +![](7.png) + +Next we make sure it's an exit like so: (be aware that this is where it gets dangerous if you're not doing this on a non-KYC VPS, or on a cloud provider that doesnt accept tor exit nodes. + + + root@exit:~# vim /etc/tor/torrc + root@exit:~# cat /etc/tor/torrc + RunAsDaemon 1 + ControlPort 9051 + CookieAuthentication 1 + ORPort 9001 + Nickname anonymous + + ExitPolicy accept *:* # Accept exit connections + ExitPolicy reject private:* # Block private IPv4 + IPv6Exit 1 # Allow IPv6 connections + ExitPolicy accept6 *:* # Accept IPv6 + ExitPolicy reject6 [FC00::]/7:* # Block private IPv6 + ExitPolicy reject6 [FE80::]/10:* # Block link-local IPv6 + ExitPolicy reject6 [2002::]/16:* # Block 6to4 addresses + + + +you can also make a stricter tor exit policy like so: + + + root@Datura:~# cat /etc/tor/torrc + RunAsDaemon 1 + ControlPort 9051 + CookieAuthentication 1 + ORPort 9001 + Nickname Datura + + ExitPolicy accept *:20-21 # FTP + ExitPolicy accept *:43 # WHOIS + ExitPolicy accept *:53 # DNS + ExitPolicy accept *:80-81 # HTTP, HTTP alt. + ExitPolicy accept *:443 # HTTPS + ExitPolicy accept *:5222-5223 # XMPP, XMPP over + ExitPolicy accept *:6667-7000 # IRC + ExitPolicy accept *:8008 # HTTP alternate + ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port + ExitPolicy accept *:8332-8333 # Bitcoin + ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE, HUSH coin + ExitPolicy accept *:9418 # git - Git pack transfer service + ExitPolicy accept *:50002 # Electrum Bitcoin SSL + ExitPolicy accept *:64738 # Mumble - voice over IP + ExitPolicy accept *:18080-18081 # Monero + ExitPolicy reject *:* + + ExitPolicy reject private:* # Block private IPv4 + IPv6Exit 1 # Allow IPv6 connections + ExitPolicy accept6 *:* # Accept IPv6 + ExitPolicy reject6 [FC00::]/7:* # Block private IPv6 + ExitPolicy reject6 [FE80::]/10:* # Block link-local IPv6 + ExitPolicy reject6 [2002::]/16:* # Block 6to4 addresses + + + +And then just restart the tor service to make sure the exit node is active: + + + root@exit:~# systemctl restart tor@default + root@exit:~# systemctl status tor@default + ● tor@default.service - Anonymizing overlay network for TCP + Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled) + Active: active (running) since Mon 2024-01-29 10:43:02 UTC; 5s ago + Process: 3852 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS) + Process: 3853 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS) + Main PID: 3855 (tor) + Tasks: 3 (limit: 19110) + Memory: 140.1M + CGroup: /system.slice/system-tor.slice/tor@default.service + └─3855 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 + + Jan 29 10:43:03 exit Tor[3855]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits + Jan 29 10:43:04 exit Tor[3855]: Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits + Jan 29 10:43:04 exit Tor[3855]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits + Jan 29 10:43:04 exit Tor[3855]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit + Jan 29 10:43:05 exit Tor[3855]: Bootstrapped 100% (done): Done + Jan 29 10:43:05 exit Tor[3855]: Now checking wheter IPv4 ORPort 80.78.22.215:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success) + Jan 29 10:43:05 exit Tor[3855]: Now checking wheter IPv6 ORPort [2a0a:3840:8078:22:0:504e:16d7:1337]:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success) + Jan 29 10:43:06 exit Tor[3855]: Self-testing indicates your ORPort [2a0a:3840:8078:22:0:504e:16d7:1337]:9001 is reachable from the outside. Excellent. + Jan 29 10:43:06 exit Tor[3855]: Self-testing indicates your ORPort 80.78.22.215:9001 is reachable from the outside. Excellent. Publishing server descriptor. + Jan 29 10:43:06 exit Tor[3855]: Performing bandwidth self-test...done. + + root@exit:~# nyx + + + +Then wait a few hours for the exit node to appear on tor metrics, then you can take the node fingerprint (example 916EDD8E5D61613BBC7B6CCEFB2778AE706786B9) and check it's status on torproject.org [here](https://metrics.torproject.org/rs.html#search/flag:exit). + +After that, you need to wait 2 weeks for the exit node to be fully operational as explained [here](https://blog.torproject.org/lifecycle-of-a-new-relay/). + + + "A new relay, assuming it is reliable and has plenty of bandwidth, goes through four phases: the unmeasured phase (days 0-3) where it gets roughly no use, the remote-measurement phase (days 3-8) where load starts to increase, the ramp-up guard phase (days 8-68) where load counterintuitively drops and then rises higher, and the steady-state guard phase (days 68+). " + + + diff --git a/tor/logo.png b/tor/logo.png new file mode 100644 index 0000000..bfc7ede Binary files /dev/null and b/tor/logo.png differ diff --git a/tor/relay/1.png b/tor/relay/1.png new file mode 100644 index 0000000..466a41f Binary files /dev/null and b/tor/relay/1.png differ diff --git a/tor/relay/2.png b/tor/relay/2.png new file mode 100644 index 0000000..51a6dda Binary files /dev/null and b/tor/relay/2.png differ diff --git a/tor/relay/3.png b/tor/relay/3.png new file mode 100644 index 0000000..720f58f Binary files /dev/null and b/tor/relay/3.png differ diff --git a/tor/relay/4.png b/tor/relay/4.png new file mode 100644 index 0000000..909826a Binary files /dev/null and b/tor/relay/4.png differ diff --git a/tor/relay/5.png b/tor/relay/5.png new file mode 100644 index 0000000..b95027d Binary files /dev/null and b/tor/relay/5.png differ diff --git a/tor/relay/6.png b/tor/relay/6.png new file mode 100644 index 0000000..b258a70 Binary files /dev/null and b/tor/relay/6.png differ diff --git a/tor/relay/7.png b/tor/relay/7.png new file mode 100644 index 0000000..67add8d Binary files /dev/null and b/tor/relay/7.png differ diff --git a/tor/relay/8.png b/tor/relay/8.png new file mode 100644 index 0000000..573157c Binary files /dev/null and b/tor/relay/8.png differ diff --git a/tor/relay/country.png b/tor/relay/country.png new file mode 100644 index 0000000..cb28f31 Binary files /dev/null and b/tor/relay/country.png differ diff --git a/tor/relay/index.md b/tor/relay/index.md new file mode 100644 index 0000000..92c725c --- /dev/null +++ b/tor/relay/index.md @@ -0,0 +1,99 @@ +--- +author: nihilist +date: 2024-01-02 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/101" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# TOR Relay + +![](../logo.png) + +Before we start, you will need a Debian VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You will also need to make sure that the VPS provider allows the hosting of a tor node! check torproject's good/bad isps page [here](https://community.torproject.org/relay/community-resources/good-bad-isps/). + +![](1.png) + +For example, you wouldn't be able to host an exit node on DigitalOcean, however hosting a regular node is completely fine. + +Now regarding the choice of location for the server, in order to make sure that Tor remains decentralised, make sure that you are picking a country that doesn't have many tor nodes (see the [bubbles graph](https://metrics.torproject.org/bubbles.html#country)): + +![](country.png) + +_Disclaimer:_ **Do not host your Tor node in Germany, Netherlands or in the US, as there are already too many nodes in those countries.** Try to run your own Tor nodes in countries that have the least nodes preferably, as this will help keeping the Tor network decentralized. + +![](../../logos/daturagit.png) _Sidenote:_ Help us improve this tutorial by letting us know if there's anything missing or incorrect on this [git issue](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/101) directly! + +## **Installation** + +Log into your Debian server and add Tor repository. +This will allow you to update your Tor daemon to latest versions just after they're released. It's not recommended to use **tor** package from Debian repository since it's usually out of date. +To do that, [check the steps on Tor project's website](https://support.torproject.org/apt/tor-deb-repo/). Commands I run are listed below, but they may change in the future. + + + root@Datura:~# apt update -y && apt upgrade -y + root@Datura:~# apt install apt-transport-https curl tmux vim obfs4proxy gnupg2 -y + + root@Datura:~# cat /etc/apt/sources.list | head -n3 + + deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main + + root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null + + root@Datura:~# apt update -y + root@Datura:~# apt install tor nyx + + +To configure tor we need to edit the configuration file with the following entry. Replace the TODOs with the port numbers you wish to use Edit tor configuration file: + + + root@Datura:~# vim /etc/tor/torrc + + # Replace "TODO1" with a Tor port of your choice. + # This port must be externally reachable. + # Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port. + ORPort 37051 + + # Local communication port between Tor and obfs4. Always set this to "auto". + # "Ext" means "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0. + ExtORPort auto + + # Replace "" with your email address so we can contact you if there are problems with your bridge. + # This is optional but encouraged. + ContactInfo nihilist@nowhere.moe + + # Pick a nickname that you like for your bridge. This is optional. + Nickname Nihilist + +Then restart the tor service + enable it: + + + #Restart service + systemctl restart tor@default + + #Enable at boot + systemctl enable --now tor@default + + #monitor it with nyx + nyx + + +![](5.png) + +You can also monitor connections by switching to the menu (pressing **m**) + +![](6.png) + +and then just use the **arrow keys** to navigate: + +![](7.png) + +Hit **spacebar** to choose "connection" + +EDIT: you can just use left arrow and right arrow to change menus quickly lol + +![](8.png) + +This is going to list the active connections (Circuits) to your tor node with their ip addresses. + diff --git a/torbrowsing/0.jpeg b/torbrowsing/0.jpeg new file mode 100644 index 0000000..691f5ad Binary files /dev/null and b/torbrowsing/0.jpeg differ diff --git a/torbrowsing/1.png b/torbrowsing/1.png new file mode 100644 index 0000000..d8cdfd7 Binary files /dev/null and b/torbrowsing/1.png differ diff --git a/torbrowsing/10.png b/torbrowsing/10.png new file mode 100644 index 0000000..6aba74d Binary files /dev/null and b/torbrowsing/10.png differ diff --git a/torbrowsing/11.png b/torbrowsing/11.png new file mode 100644 index 0000000..5717f64 Binary files /dev/null and b/torbrowsing/11.png differ diff --git a/torbrowsing/12.png b/torbrowsing/12.png new file mode 100644 index 0000000..f5f6d97 Binary files /dev/null and b/torbrowsing/12.png differ diff --git a/torbrowsing/2.png b/torbrowsing/2.png new file mode 100644 index 0000000..84d08c0 Binary files /dev/null and b/torbrowsing/2.png differ diff --git a/torbrowsing/3.png b/torbrowsing/3.png new file mode 100644 index 0000000..ce4beba Binary files /dev/null and b/torbrowsing/3.png differ diff --git a/torbrowsing/4.png b/torbrowsing/4.png new file mode 100644 index 0000000..28ffd16 Binary files /dev/null and b/torbrowsing/4.png differ diff --git a/torbrowsing/5.png b/torbrowsing/5.png new file mode 100644 index 0000000..5f8afd9 Binary files /dev/null and b/torbrowsing/5.png differ diff --git a/torbrowsing/6.png b/torbrowsing/6.png new file mode 100644 index 0000000..0cb1315 Binary files /dev/null and b/torbrowsing/6.png differ diff --git a/torbrowsing/7.png b/torbrowsing/7.png new file mode 100644 index 0000000..c76a1ea Binary files /dev/null and b/torbrowsing/7.png differ diff --git a/torbrowsing/8.png b/torbrowsing/8.png new file mode 100644 index 0000000..c9a44a7 Binary files /dev/null and b/torbrowsing/8.png differ diff --git a/torbrowsing/9.png b/torbrowsing/9.png new file mode 100644 index 0000000..4d2e9c5 Binary files /dev/null and b/torbrowsing/9.png differ diff --git a/torbrowsing/MobileTor/0.jpeg b/torbrowsing/MobileTor/0.jpeg new file mode 100644 index 0000000..691f5ad Binary files /dev/null and b/torbrowsing/MobileTor/0.jpeg differ diff --git a/torbrowsing/MobileTor/1.png b/torbrowsing/MobileTor/1.png new file mode 100644 index 0000000..cbb7eed Binary files /dev/null and b/torbrowsing/MobileTor/1.png differ diff --git a/torbrowsing/MobileTor/11.png b/torbrowsing/MobileTor/11.png new file mode 100644 index 0000000..c9ecfc8 Binary files /dev/null and b/torbrowsing/MobileTor/11.png differ diff --git a/torbrowsing/MobileTor/12.png b/torbrowsing/MobileTor/12.png new file mode 100644 index 0000000..c8a7074 Binary files /dev/null and b/torbrowsing/MobileTor/12.png differ diff --git a/torbrowsing/MobileTor/13.png b/torbrowsing/MobileTor/13.png new file mode 100644 index 0000000..4102dd1 Binary files /dev/null and b/torbrowsing/MobileTor/13.png differ diff --git a/torbrowsing/MobileTor/14.png b/torbrowsing/MobileTor/14.png new file mode 100644 index 0000000..3dcc3f4 Binary files /dev/null and b/torbrowsing/MobileTor/14.png differ diff --git a/torbrowsing/MobileTor/15.png b/torbrowsing/MobileTor/15.png new file mode 100644 index 0000000..ad64046 Binary files /dev/null and b/torbrowsing/MobileTor/15.png differ diff --git a/torbrowsing/MobileTor/16.png b/torbrowsing/MobileTor/16.png new file mode 100644 index 0000000..5174d17 Binary files /dev/null and b/torbrowsing/MobileTor/16.png differ diff --git a/torbrowsing/MobileTor/17.png b/torbrowsing/MobileTor/17.png new file mode 100644 index 0000000..534033a Binary files /dev/null and b/torbrowsing/MobileTor/17.png differ diff --git a/torbrowsing/MobileTor/18.png b/torbrowsing/MobileTor/18.png new file mode 100644 index 0000000..cce8ea7 Binary files /dev/null and b/torbrowsing/MobileTor/18.png differ diff --git a/torbrowsing/MobileTor/19.png b/torbrowsing/MobileTor/19.png new file mode 100644 index 0000000..c232d65 Binary files /dev/null and b/torbrowsing/MobileTor/19.png differ diff --git a/torbrowsing/MobileTor/2.png b/torbrowsing/MobileTor/2.png new file mode 100644 index 0000000..a1a3471 Binary files /dev/null and b/torbrowsing/MobileTor/2.png differ diff --git a/torbrowsing/MobileTor/20.png b/torbrowsing/MobileTor/20.png new file mode 100644 index 0000000..4565023 Binary files /dev/null and b/torbrowsing/MobileTor/20.png differ diff --git a/torbrowsing/MobileTor/21.png b/torbrowsing/MobileTor/21.png new file mode 100644 index 0000000..15fd217 Binary files /dev/null and b/torbrowsing/MobileTor/21.png differ diff --git a/torbrowsing/MobileTor/3.png b/torbrowsing/MobileTor/3.png new file mode 100644 index 0000000..021f0c0 Binary files /dev/null and b/torbrowsing/MobileTor/3.png differ diff --git a/torbrowsing/MobileTor/4.png b/torbrowsing/MobileTor/4.png new file mode 100644 index 0000000..68385bd Binary files /dev/null and b/torbrowsing/MobileTor/4.png differ diff --git a/torbrowsing/MobileTor/5.png b/torbrowsing/MobileTor/5.png new file mode 100644 index 0000000..ab0b083 Binary files /dev/null and b/torbrowsing/MobileTor/5.png differ diff --git a/torbrowsing/MobileTor/6.png b/torbrowsing/MobileTor/6.png new file mode 100644 index 0000000..c6a3721 Binary files /dev/null and b/torbrowsing/MobileTor/6.png differ diff --git a/torbrowsing/MobileTor/7.png b/torbrowsing/MobileTor/7.png new file mode 100644 index 0000000..3e2ea1b Binary files /dev/null and b/torbrowsing/MobileTor/7.png differ diff --git a/torbrowsing/MobileTor/index.md b/torbrowsing/MobileTor/index.md new file mode 100644 index 0000000..96cb30e --- /dev/null +++ b/torbrowsing/MobileTor/index.md @@ -0,0 +1,95 @@ +--- +author: Will Jager +date: 2024-08-19 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/0" +xmr: 8A96qyqg1t1EFtbSspTQpmiaUnyFAJZRQ9wFNTSJa11MWJLUcVVP1roQ3wQqqAPFxsMvZ1TX2oCHrX725rXA1X2MP46ckxg +--- +# How to use the Tor Browser on Mobile + +Sometimes you are not always in front of your computer but need to browse the web anonymously while being away from your home. In this tutorial we're going to cover how to browse the web anonymously while on your mobile device. + +## _OPSEC Recommendations:_ + + * Hardware: Google Pixel + + * Host OS: [Graphene OS](../graphene/index.md) + + * Configuration: Can be set in the Private or Anonymous Profile + + + + + +## **Initial Download and Setup** + +You can download Tor Browser for Android from F-Droid (as we want to maintain the open source requirement), using the Guardian Repository, or the apk directly from the official Tor website. Please do not download it from any other source. There have been malicious versions passed around on social media in the past. + +![](11.png) ![](12.png) ![](13.png) ![](14.png) ![](15.png) ![](16.png) ![](17.png) ![](18.png) ![](19.png) ![](20.png) ![](21.png) + +Note: To download from F-Droid you will have to enable Guardian Project Repositories under settings → My Apps → Guardian Project (guardianproject.info/fdroid/repo) + +When you open the Tor app for the first time you will be greeted with this screen: + + +![](1.png) + + +We'll do some slight configuration changes, starting with the automatic connection and then open settings: _toggle auto → settings_ +![](2.png) + + +In settings, scroll down to Privacy and security. Open Security Level: + + +![](3.png) + + +Choose Safest for maximum security + +![](4.png) + + +Additionally in settings you can choose the Default search engine and to use (.onion) sites if you prefer. + +![](5.png) + + +And you are done, you should now be at the start page: + + +![](6.png) + + +If your connection is being censored or you are unable to connect to the Tor network then you may have to configure a bridge. Choose “Config Bridge” on the opening screen or under settings: + + +![](7.png) + + +Toggle “Use a Bridge” to open up three options: "obfs4", "meek-azure", and "snowflake". + + 1. Obfs4 is a pluggable transport that makes Tor traffic look random and also prevents censors from finding bridges by Internet scanning. + + 2. Meek-Azure is a pluggable transport that makes it look like you are browsing a Microsoft web site instead of using Tor. + + 3. Snowflake involves a large number of volunteer proxies, which also makes them hard to pin point and prevents the blocking of proxy IP addresses. + + + + +Additionally you can provide a trusted bridge to use if you know one. + + + + +## _Closing:_ + + 1. Orfox is a sunsetted privacy focused web browser based on Tor. It is no longer maintained and is not recommended. + + 2. Orbot is a proxy app that allows other apps on your device to encrypt your internet traffic through Tor. After installing Orbot go to Choose apps under settings in order to route the apps of your choice through Tor. + + 3. Currently there is no official Tor browser available for iOS on iPhone. Using Orbot with the open source Onion Browser is better than nothing but does not have the same privacy protections as Tor Browser. Use at your own risk. + + + + diff --git a/torbrowsing/index.md b/torbrowsing/index.md new file mode 100644 index 0000000..c05c50b --- /dev/null +++ b/torbrowsing/index.md @@ -0,0 +1,287 @@ +--- +author: nihilist +date: 2024-01-31 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/90" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Tor Browsing Setup + +![](0.jpeg) + +In this tutorial we're going to cover how to browse the web anonymously, and some simple rules to follow to protect your anonymity. + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Virtual Machine: [Linux](../hypervisorsetup/index.md) or [Whonix](../whonixqemuvms/index.md) or [Tails](../tailsqemuvm/index.md) + + 5. Application: [VPN](../vpn/index.md) (if your ISP doesn't allow Tor traffic) + + + + +I recommend using this setup into one of the above mentioned VMs, for [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). + + + +## **Setting up the Tor Browser on your Desktop** + +If you have a regular debian distribution, do as follows to install the tor browser: + + + [ mainpc ] [ /dev/pts/5 ] [~] + → sudo apt install tor torsocks curl apt-transport-tor gnupg2 -y + + [ mainpc ] [ /dev/pts/1 ] [~] + → sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 77312 100 77312 0 0 7106 0 0:00:10 0:00:10 --:--:-- 23126 + + [ mainpc ] [ /dev/pts/1 ] [~] + → echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list + deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free + + [ mainpc ] [ /dev/pts/1 ] [~] + → sudo apt update -y + Hit:1 http://deb.debian.org/debian bookworm InRelease + Hit:2 http://security.debian.org/debian-security bookworm-security InRelease + Hit:3 http://deb.debian.org/debian bookworm-updates InRelease + Hit:4 https://packages.element.io/debian default InRelease + Get:5 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [39.6 kB] + Get:6 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [34.3 kB] + Get:7 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/contrib amd64 Packages [506 B] + Get:8 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/non-free amd64 Packages [896 B] + Fetched 75.3 kB in 12s (6,284 B/s) + Reading package lists... Done + Building dependency tree... Done + Reading state information... Done + 16 packages can be upgraded. Run 'apt list --upgradable' to see them. + + [ mainpc ] [ /dev/pts/1 ] [~] + → sudo apt install tb-starter tb-updater -y + + [ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog] + → systemctl enable --now tb-updater-first-boot.service (3) + + Created symlink /etc/systemd/system/multi-user.target.wants/tb-updater-first-boot.service → /lib/systemd/system/tb-updater-first-boot.service. + + [ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog] + → systemctl --no-pager --no-block status tb-updater-first-boot.service + + ● tb-updater-first-boot.service - Helper Service for /usr/bin/torbrowser to determine when it is save to Copy Tor Browser from /var/cache/tb-binary to user home by Whonix developers + Loaded: loaded (/lib/systemd/system/tb-updater-first-boot.service; enabled; preset: enabled) + Active: active (exited) since Wed 2024-01-31 08:59:34 CET; 2s ago + Docs: https://github.com/Whonix/tb-updater + Process: 140334 ExecStart=/bin/true (code=exited, status=0/SUCCESS) + Main PID: 140334 (code=exited, status=0/SUCCESS) + CPU: 690us + + [ mainpc ] [ /dev/pts/1 ] [~] + → torbrowser + INFO: ARCH 'x86_64' detected. + INFO: ARCH_DOWNLOAD 'linux-x86_64' detected. + INFO: CURL_PROXY: + INFO: Not running inside Qubes Disposable Template, ok. + INFO: Using stable version. For alpha version, see: https://www.whonix.org/wiki/Tor_Browser#Alpha + INFO: Running connectivity check... Downloading...: https://www.torproject.org + INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/temp/tbb_remote_folder + INFO: Connectivity check succeeded. + INFO: Find out latest version... Downloading...: https://aus1.torproject.org/torbrowser/update_3/release/downloads.json + INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/RecommendedTBBVersions + INFO: Learn more about this Download Confirmation Notification. + https://www.whonix.org/wiki/Tor_Browser#Download_Confirmation_Notification + INFO: Previously downloaded version: none + INFO: Currently installed version: None installed. (Folder /home/nihilist/.tb/tor-browser does not exist.) + INFO: Online detected version: 13.0.9 + QUESTION: Download now? + y/n? + y + + INFO: Because you are not using --nokilltb, now killing potentially still running instances of Tor Browser... + firefox.real: no process found + INFO: Digital signature (GPG) download... Will take a moment... + INFO: Downloading...: https://www.torproject.org/dist/torbrowser/13.0.9/tor-browser-linux-x86_64-13.0.9.tar.xz.asc + INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz.asc + INFO: Downloading Tor Browser... + INFO: Downloading...: https://www.torproject.org/dist/torbrowser/13.0.9/tor-browser-linux-x86_64-13.0.9.tar.xz + INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz + INFO: Digital signature (GPG) verification... This will take a moment... + INFO: Using digital signature signing key by The Tor Project. + INFO: Digital signature (GPG) verification ok. + INFO: Installation confirmation + Currently installed version: None installed. (Folder /home/nihilist/.tb/tor-browser does not exist.) + Downloaded version : 13.0.9 + We have not previously accepted a signature yet. Therefore assisted check for downgrade or indefinite freeze attacks skipped. Please check the Current Signature Creation Date looks sane. + Previous Signature Creation Date: Unknown. Probably never downloaded a signature before. + Last Signature Creation Date : January 23 13:14:38 UTC 2024 + According to your system clock, the signature was created 8 days 3 hours 25 minutes 2 seconds ago. + gpg reports: + gpg: Signature made Tue 23 Jan 2024 02:14:38 PM CET + gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF + gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate] + Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 + Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF + Learn more about this Installation Confirmation Notification. + https://www.whonix.org/wiki/Tor_Browser#Installation_Confirmation_Notification + QUESTION: Install now? + y/n? + y + + INFO: Extracting /home/nihilist/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz ... + extraction percent done: 19 / 100 + extraction percent done: 44 / 100 + extraction percent done: 63 / 100 + extraction percent done: 82 / 100 + extraction percent done: 100 / 100 + + + +Next, we'll do some slight configuration changes, starting with the automatic connection: + +![](1.png) + +Then we make sure that all javascript is disabled, using the shield option on the top right corner, make sure it's set to the "Safest" setting: + +![](2.png) + +Then a personal preference, let's switch on the dark theme: + +![](3.png) ![](4.png) + +And from there you can start browsing. You can browse the clearnet first to see how the tor connection works: + +![](5.png) + +As you can see here, when browsing to the clearnet, your traffic is being encapsulated threefold, meaning that you are entrusting your connection to 3 tor node owners around the globe. And on top of that, they are in 3 different countries. + +![](6.png) + +Next, when you browse to a website that can be accessed via a .onion link, you might get the above message that shows up. I prefer to not prioritize onions to avoid unnecessary page refreshes. Instead i click on the .onion available button if it appears. + +![](7.png) + +Now when you're connected to the .onion hidden service, you can see that your connection goes through more tor nodes, this is the best way to access websites online, you're not leaking any info they don't need to know that way. Plus, since we are on the "safest" setting, we are not loading any javascript that may be used to fingerprint our activity online. + +## **How to get the Tor Browser when you are in a Heavily-censored country** + +There are situations when you cannot simply download tor browser from their official site because of censorship. There are alternative methods for you to get the tor browser + +Tor browser official offers an email address called gettor@torproject.org, which you can send email to them, and they will offer you a download link + +First prepare an email, for me I am using protonmail, you can also use outlook or apple email if protonmail is blocked. Any service provider allows you to email tor project will work. + +![](snow-flake-tutorial-migrate/1.png) + +Next simply send an empty email to tor project + +![](snow-flake-tutorial-migrate/2.png) + +Soon you will receive a reply from tor project, simply reply them with your OS name(select one from the list) + +![](snow-flake-tutorial-migrate/3.png) + +For me during this demo is linux64 + +![](snow-flake-tutorial-migrate/4.png) + +After the reply they will send you a download link, very ironically the download link is a google drive link, many countries that block tor also block google, they actually are supposed to send the brower bundle in attachment + +![](snow-flake-tutorial-migrate/5.png) + +If you find out google drive does not work for you, try to check wheter if github is accessible. Tor browser also provides download on github officially, check the releases on [Tor browser github repository](https://github.com/TheTorProject/gettorbrowser) + +![](snow-flake-tutorial-migrate/6.png) + +## **Setting up the Tor Browser on your Mobile** + +## _OPSEC Recommendations:_ + + * Hardware: Google Pixel + + * Host OS: [Graphene OS](../graphene/index.md) + + * Configuration: Can be set in the Private or Anonymous Profile + + + + + +## **Initial Download and Setup** + +You can download Tor Browser for Android from F-Droid (as we want to maintain the open source requirement), using the Guardian Repository, or the apk directly from the official Tor website. Please do not download it from any other source. There have been malicious versions passed around on social media in the past. + +![](MobileTor/11.png) ![](MobileTor/12.png) ![](MobileTor/13.png) ![](MobileTor/14.png) ![](MobileTor/15.png) ![](MobileTor/16.png) ![](MobileTor/17.png) ![](MobileTor/18.png) ![](MobileTor/19.png) ![](MobileTor/20.png) ![](MobileTor/21.png) + +Note: To download from F-Droid you will have to enable Guardian Project Repositories under settings → My Apps → Guardian Project (guardianproject.info/fdroid/repo) + +When you open the Tor app for the first time you will be greeted with this screen: + + +![](MobileTor/1.png) + + +We'll do some slight configuration changes, starting with the automatic connection and then open settings: _toggle auto → settings_ +![](MobileTor/2.png) + + +In settings, scroll down to Privacy and security. Open Security Level: + + +![](MobileTor/3.png) + + +Choose Safest for maximum security + +![](MobileTor/4.png) + + +Additionally in settings you can choose the Default search engine and to use (.onion) sites if you prefer. + +![](MobileTor/5.png) + + +And you are done, you should now be at the start page: + + +![](MobileTor/6.png) + + +If your connection is being censored or you are unable to connect to the Tor network then you may have to configure a bridge. Choose “Config Bridge” on the opening screen or under settings: + + +![](MobileTor/7.png) + + +Toggle “Use a Bridge” to open up three options: "obfs4", "meek-azure", and "snowflake". + + 1. Obfs4 is a pluggable transport that makes Tor traffic look random and also prevents censors from finding bridges by Internet scanning. + + 2. Meek-Azure is a pluggable transport that makes it look like you are browsing a Microsoft web site instead of using Tor. + + 3. Snowflake involves a large number of volunteer proxies, which also makes them hard to pin point and prevents the blocking of proxy IP addresses. + + + + +Additionally you can provide a trusted bridge to use if you know one. + + + + +## _Closing:_ + + 1. Orfox is a sunsetted privacy focused web browser based on Tor. It is no longer maintained and is not recommended. + + 2. Orbot is a proxy app that allows other apps on your device to encrypt your internet traffic through Tor. After installing Orbot go to Choose apps under settings in order to route the apps of your choice through Tor. + + 3. Currently there is no official Tor browser available for iOS on iPhone. Using Orbot with the open source Onion Browser is better than nothing but does not have the same privacy protections as Tor Browser. Use at your own risk. + + + + diff --git a/torbrowsing/snow-flake-tutorial-migrate/1.png b/torbrowsing/snow-flake-tutorial-migrate/1.png new file mode 100644 index 0000000..5e724e4 Binary files /dev/null and b/torbrowsing/snow-flake-tutorial-migrate/1.png differ diff --git a/torbrowsing/snow-flake-tutorial-migrate/2.png b/torbrowsing/snow-flake-tutorial-migrate/2.png new file mode 100644 index 0000000..9d48f07 Binary files /dev/null and b/torbrowsing/snow-flake-tutorial-migrate/2.png differ diff --git a/torbrowsing/snow-flake-tutorial-migrate/3.png b/torbrowsing/snow-flake-tutorial-migrate/3.png new file mode 100644 index 0000000..21e66cb Binary files /dev/null and b/torbrowsing/snow-flake-tutorial-migrate/3.png differ diff --git a/torbrowsing/snow-flake-tutorial-migrate/4.png b/torbrowsing/snow-flake-tutorial-migrate/4.png new file mode 100644 index 0000000..7a98ad6 Binary files /dev/null and b/torbrowsing/snow-flake-tutorial-migrate/4.png differ diff --git a/torbrowsing/snow-flake-tutorial-migrate/5.png b/torbrowsing/snow-flake-tutorial-migrate/5.png new file mode 100644 index 0000000..7701bbb Binary files /dev/null and b/torbrowsing/snow-flake-tutorial-migrate/5.png differ diff --git a/torbrowsing/snow-flake-tutorial-migrate/6.png b/torbrowsing/snow-flake-tutorial-migrate/6.png new file mode 100644 index 0000000..70f411e Binary files /dev/null and b/torbrowsing/snow-flake-tutorial-migrate/6.png differ diff --git a/tornginxphpmysql/0.png b/tornginxphpmysql/0.png new file mode 100644 index 0000000..758cb35 Binary files /dev/null and b/tornginxphpmysql/0.png differ diff --git a/tornginxphpmysql/1.png b/tornginxphpmysql/1.png new file mode 100644 index 0000000..35c5e44 Binary files /dev/null and b/tornginxphpmysql/1.png differ diff --git a/tornginxphpmysql/index.md b/tornginxphpmysql/index.md new file mode 100644 index 0000000..eac2e48 --- /dev/null +++ b/tornginxphpmysql/index.md @@ -0,0 +1,439 @@ +--- +author: oxeo0 +date: 2025-02-01 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/187" +xmr: 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ +--- +# How to setup a basic NGINX / PHP / MySQL app + +![](0.png) + +## **Introduction** + +After generating your [vanity address](../torwebsite/index.md), you might consider hosting something more advanced on the Tor network. If users need to interact with your website by registering an account, making a purchase, or uploading files, you will likely need functionality that updates data dynamically and stores changes persistently. + +Today, many websites use JavaScript to fetch and store data via APIs, dynamically rendering content in real-time. However, most hidden services hosted on Tor take a more conservative approach when building interactive websites. These services typically use PHP scripts rendered on the server side, which are then returned to users as HTML documents. This method minimizes the use of client-side JavaScript, which is often used for browser fingerprinting. + +The main drawback of this approach is that website content can only be updated by reloading the page since each page is server-side rendered using a PHP interpreter. + + + +## **Overview** + +In this guide, we will set up a **LEMP** stack (**L** inux + **E** ngine-X + **M** ySQL + **P** HP) and expose a vegetable store website via a Tor hidden service. Nginx will act as a reverse proxy, passing requests to the PHP-FPM socket and returning an HTTP response back to the user. The PHP-FPM interpreter will execute the necessary PHP script to render the page and pass it to Nginx. + +We will also configure a MySQL-compatible database that the PHP scripts can access to store data persistently. By default on Debian systems, Nginx communicates with the PHP-FPM interpreter via a Unix socket located at **/var/run/php/php-fpm.sock**. + +Here is the diagram illustrating how our service will look like at the end of this guide. You can refer back to it anytime if you get lost in the steps below. + +![](1.png) + +## **Prerequisites** + +To follow this guide you need to have up-to-date [Debian (or derivative) system running](../linux/index.md) with root access. I will be using **sudo** to run commands that require root privileges. + +Ensure you have Tor installed and onion domain generated as explained [here](../torwebsite/index.md). + +Next, install the required software: + + * Nginx + * PHP + * PHP-FPM + * MariaDB (MySQL compatible database) + + + + + oxeo@galaxy:~$ sudo apt update + oxeo@galaxy:~$ sudo apt install nginx php php-fpm php-mysql mariadb-server + + +We will be using [MariaDB](https://mariadb.org/) since it's available in Debian repositories. It's a fully open source fork of MySQL created when the former was acquired by Oracle. + +## **Database Setup** + +We will start by generating a secure root password for MariaDB database. + + + oxeo@galaxy:~$ tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12 && echo + ln8qXH64tjDi + + +From now on, you should replace every **YOU_SHOULD_GENERATE_THIS** string with the output of this command. + +There is a special **mysql_secure_installation** command we need to run to configure database security settings. This includes changing the database root account password to the one you generated. + + + oxeo@galaxy:~$ sudo mysql_secure_installation + + Enter current password for root (enter for none): + [...] + + Switch to unix_socket authentication [Y/n] n + [...] + + Change the root password? [Y/n] Y + New password: YOU_SHOULD_GENERATE_THIS + Re-enter new password: YOU_SHOULD_GENERATE_THIS + [...] + + Remove anonymous users? [Y/n] Y + [...] + + Disallow root login remotely? [Y/n] Y + [...] + + Remove test database and access to it? [Y/n] Y + [...] + + Reload privilege tables now? [Y/n] Y + [...] + + All done! If you've completed all of the above steps, your MariaDB + installation should now be secure. + + Thanks for using MariaDB! + + + + + + +After that, we log into the database and execute SQL commands to create the required tables and fill them with data. + + + oxeo@galaxy:~$ sudo mysql + + +Here are all commands to prepare the database for our app: + + + CREATE DATABASE veggie_shop; + USE veggie_shop; + + CREATE TABLE products ( + id INT PRIMARY KEY AUTO_INCREMENT, + name VARCHAR(100) NOT NULL, + price DECIMAL(10, 2) NOT NULL, + quantity INT NOT NULL + ); + + CREATE TABLE users ( + id INT PRIMARY KEY AUTO_INCREMENT, + balance DECIMAL(10, 2) NOT NULL + ); + + INSERT INTO products (name, price, quantity) VALUES + ('Apple', 0.50, 25), + ('Banana', 0.30, 40), + ('Orange', 0.45, 30); + + INSERT INTO users (balance) VALUES (20.00); + + + + + + +Now, here is an explanation of each command and the output you should get. You can skip this section if you are already familiar with SQL. + + + MariaDB [(none)]> CREATE DATABASE veggie_shop; + Query OK, 1 row affected (0.000 sec) + + MariaDB [(none)]> USE veggie_shop; + Database changed + MariaDB [veggie_shop]> + + +This creates a new database called **veggie_shop**. Then with **USE veggie_shop** , we specify which database we want to execute commands on. + + + MariaDB [veggie_shop]> CREATE TABLE products ( + -> id INT PRIMARY KEY AUTO_INCREMENT, + -> name VARCHAR(100) NOT NULL, + -> price DECIMAL(10, 2) NOT NULL, + -> quantity INT NOT NULL + -> ); + Query OK, 0 rows affected (0.006 sec) + + MariaDB [veggie_shop]> CREATE TABLE users ( + -> id INT PRIMARY KEY AUTO_INCREMENT, + -> balance DECIMAL(10, 2) NOT NULL + -> ); + Query OK, 0 rows affected (0.007 sec) + + +Now we add two tables - one for **products** and one for **users** and defining their schemas. Each **product** has an id, name (up to 100 characters long), price and quantity. Every **user** has an id and balance. For this demo, we will only have one user with id=1. + + + MariaDB [veggie_shop]> INSERT INTO products (name, price, quantity) VALUES + -> ('Apple', 0.50, 25), + -> ('Banana', 0.30, 40), + -> ('Orange', 0.45, 30); + Query OK, 3 rows affected (0.008 sec) + Records: 3 Duplicates: 0 Warnings: 0 + + MariaDB [veggie_shop]> INSERT INTO users (balance) VALUES (20.00); + Query OK, 1 row affected (0.002 sec) + + MariaDB [veggie_shop]> \q + + +Finally, we can fill the tables with products and create one user. Now the user has initial balance set to 20$. +To exit the MariaDB shell we can use **\q**. + +## **PHP Scripting** + +First, create a directory to put our php scripts. + + + oxeo@galaxy:~$ sudo mkdir -p /srv/shop + + + + + + +Then create the config file under **/srv/shop/config.php** and remember to replace **YOU_SHOULD_GENERATE_THIS** password with the one you generated earlier. +Here, we connect to the database running at localhost using **mysqli** function. The database name is **veggie_shop** which we created before. + + + connect_error) { + die("Connection failed: " . $conn->connect_error); + } + + + + + + +Now, put the main website content in **/srv/shop/index.php**. It will be executed every time a user accesses the main page of the website. In our case, this will be the entire content of our vegetable store. +I left some vague comments in the code, but I don't have the space to explain all of it here. If you want to learn the basics of PHP, I recommend the [phptutorial](https://www.phptutorial.net/) website. + + + 0"; + $products_result = $conn->query($products_query); + + // read the balance of user with ID=1 + // we only have this one user for demonstration purposes + $balance_query = "SELECT balance FROM users WHERE id = 1"; + $balance_result = $conn->query($balance_query); + $user_balance = $balance_result->fetch_assoc()['balance']; + + // post request means user wants to buy something (form is submitted) + if ($_SERVER['REQUEST_METHOD'] === 'POST') { + $success = true; + $total_cost = 0; + $updates = []; + + // calculate cost of selected products + foreach ($_POST['quantity'] as $product_id => $quantity) { + if ($quantity > 0) { + $product_query = "SELECT price, quantity FROM products WHERE id = ?"; + $stmt = $conn->prepare($product_query); + $stmt->bind_param("i", $product_id); + $stmt->execute(); + $result = $stmt->get_result(); + $product = $result->fetch_assoc(); + + if ($quantity > $product['quantity']) { + $success = false; + $error = "Not enough items in stock!"; + break; + } + + $total_cost += $product['price'] * $quantity; + $updates[$product_id] = $quantity; + } + } + + // check if user has enough funds + if ($total_cost > $user_balance) { + $success = false; + $error = "Insufficient funds!"; + } + + // process the purchase + if ($success && !empty($updates)) { + $conn->begin_transaction(); + try { + // update products in the database + foreach ($updates as $product_id => $quantity) { + $update_query = "UPDATE products SET quantity = quantity - ? WHERE id = ?"; + $stmt = $conn->prepare($update_query); + $stmt->bind_param("ii", $quantity, $product_id); + $stmt->execute(); + } + + // calculate and set the user's balance after the purchase + $update_balance = "UPDATE users SET balance = balance - ? WHERE id = 1"; + $stmt = $conn->prepare($update_balance); + $stmt->bind_param("d", $total_cost); + $stmt->execute(); + + $conn->commit(); + $message = "Purchase successful!"; + + // load the new balance from the database + $balance_result = $conn->query($balance_query); + $user_balance = $balance_result->fetch_assoc()['balance']; + + // load products from the database + $products_result = $conn->query($products_query); + } catch (Exception $e) { + // something went wrong, display failed message + $conn->rollback(); + $error = "Transaction failed!"; + } + } + } + ?> + + + + + Vegetable Shop + + + +

Vegetable Shop

+ +
Your balance: $
+ + +
+ + + +
+ + +
+ fetch_assoc()): ?> +
+ +
+ Price: $ +
+ Available: +
+ Purchase quantity: + +
+ + + +
+ + + + +## **Nginx Configuration** + +Just like [last time](../torwebsite/index.md), we need to create a new nginx site. Put the following in **/etc/nginx/sites-available/veggie-shop.conf**. + + + server { + listen 4440; + server_name kxnxuxyi72umpstd7h5btkzyx43o6o5xynjcndpl6xotx65ulwa7crqd.onion; + root /srv/shop/; + index index.php; + + location / { + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/php-fpm.sock; + } + } + + +The main new thing is the **\\.php$** location matcher which will pass all requests ending with **.php** to the **PHP-FPM** interpreter. When a user requests the root of our website, it is served with **index.php** file we created earlier. + +Now, we can enable the site by linking **available** to **enabled** and validate nginx configuration. + + + oxeo@galaxy:~$ sudo ln -s /etc/nginx/sites-available/veggie-shop.conf /etc/nginx/sites-enabled/veggie-shop.conf + oxeo@galaxy:~$ sudo nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + +Finally, configure the hidden service by adding these lines to your torrc. Don't forget to put your onion domain keys in the **/var/lib/tor/veggie_service** as explained [here](../torwebsite/index.md). + + + HiddenServiceDir /var/lib/tor/veggie_service/ + HiddenServicePort 80 127.0.0.1:4440 + + +## **Almost there** + +You can now restart nginx and tor to reload their configurations and enable required services to start at boot. + + + oxeo@galaxy:~$ sudo systemctl restart nginx tor php8.2-fpm mariadb + oxeo@galaxy:~$ sudo systemctl enable nginx tor php8.2-fpm mariadb + + +Now, go to your onion domain and verify the vegetable shop is accessible on the Tor network. + +![](0.png) + + + +If you encounter any issues, you may look for appropriate log entries using **journalctl**. + + + oxeo@galaxy:~$ sudo journalctl -xe + Feb 01 16:44:28 galaxy Tor[1754]: Opening Control listener on /run/tor/control + Feb 01 16:44:28 galaxy Tor[1754]: Opened Control listener connection (ready) on /run/tor/control + Feb 01 16:44:28 galaxy Tor[1754]: Bootstrapped 10% (conn_done): Connected to a relay + Feb 01 16:44:28 galaxy Tor[1754]: Bootstrapped 14% (handshake): Handshaking with a relay + [...] + + +## **Closing Remarks** + +**Congratulations!** \- You have successfully deployed an interactive website on the Tor network. + +Running more complicated websites on the **"Dark Web"** requires a lot of experience. Every simple mistake can have [devastating consequences](https://doingfedtime.com/helsinki-darknet-markets-security-failures-ip-leak-info-disclosure-etc-still-live/) for your service's anonymity. +Here are some important things to consider: + + * **Database User** \- For this demo, we were running our app with **root access** to the database. Ideally, you should create a separate MariaDB user and restrict their permissions. + + + * **SQL Injection** \- Until a few years ago, SQL injection was one of the most common web vulnerabilities. It's crucial to sanitize user input to prevent unauthorized access to your SQL database. The **mysqli** library has the [prepare function](https://www.w3schools.com/php/func_mysqli_prepare.asp) designed to prevent such vulnerabilities. + + + * **Keeping Software Up-to-Date** \- Over the years, there have been numerous [bugs found in PHP](https://bugs.php.net/search.php?limit=30&order_by=id&direction=DESC&cmd=display&status=Open&bug_type=All&phpver=8.0&project=PHP). Regularly update your packages to patch vulnerabilities that may cause deanonymization of your hidden service. + + + diff --git a/torthroughvpn/1.png b/torthroughvpn/1.png new file mode 100644 index 0000000..0ae9cde Binary files /dev/null and b/torthroughvpn/1.png differ diff --git a/torthroughvpn/11.png b/torthroughvpn/11.png new file mode 100644 index 0000000..09d7968 Binary files /dev/null and b/torthroughvpn/11.png differ diff --git a/torthroughvpn/12.png b/torthroughvpn/12.png new file mode 100644 index 0000000..9754e49 Binary files /dev/null and b/torthroughvpn/12.png differ diff --git a/torthroughvpn/133.png b/torthroughvpn/133.png new file mode 100644 index 0000000..dbc67e0 Binary files /dev/null and b/torthroughvpn/133.png differ diff --git a/torthroughvpn/18.png b/torthroughvpn/18.png new file mode 100644 index 0000000..e961221 Binary files /dev/null and b/torthroughvpn/18.png differ diff --git a/torthroughvpn/19.png b/torthroughvpn/19.png new file mode 100644 index 0000000..e1ce69c Binary files /dev/null and b/torthroughvpn/19.png differ diff --git a/torthroughvpn/2.png b/torthroughvpn/2.png new file mode 100644 index 0000000..8a3f744 Binary files /dev/null and b/torthroughvpn/2.png differ diff --git a/torthroughvpn/20.png b/torthroughvpn/20.png new file mode 100644 index 0000000..c869a8c Binary files /dev/null and b/torthroughvpn/20.png differ diff --git a/torthroughvpn/21.png b/torthroughvpn/21.png new file mode 100644 index 0000000..49c9f6b Binary files /dev/null and b/torthroughvpn/21.png differ diff --git a/torthroughvpn/3.png b/torthroughvpn/3.png new file mode 100644 index 0000000..455a260 Binary files /dev/null and b/torthroughvpn/3.png differ diff --git a/torthroughvpn/4.png b/torthroughvpn/4.png new file mode 100644 index 0000000..36c980b Binary files /dev/null and b/torthroughvpn/4.png differ diff --git a/torthroughvpn/5.png b/torthroughvpn/5.png new file mode 100644 index 0000000..ceca454 Binary files /dev/null and b/torthroughvpn/5.png differ diff --git a/torthroughvpn/6.png b/torthroughvpn/6.png new file mode 100644 index 0000000..8426c85 Binary files /dev/null and b/torthroughvpn/6.png differ diff --git a/torthroughvpn/index.md b/torthroughvpn/index.md new file mode 100644 index 0000000..0e455a9 --- /dev/null +++ b/torthroughvpn/index.md @@ -0,0 +1,170 @@ +--- +author: nihilist +date: 2024-04-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Using Tor Safely: Tor through VPN or VPN through Tor? + +## **Tor and VPNs comparison Recap** + +As we went over this comparison in the previous blogpost [here](torvsvpn) i will briefly recap it here: + +**VPNS:** + +VPNs can provide Privacy from your ISP ![](../su0.png), but by using one you are getting privacy from someone (most likely your ISP), but the VPN provider can see what you're doing with your internet connection.![](../su2.png) + +In other words, you're just shifting the privacy problem from your ISP to your VPN provider. You are moving your trust from one centralized entity ![](../ce2.png)to another + +**Tor:** + +The Tor Network provides Anonymity by routing your traffic through 3 random servers that are spread across the world. + +Using Tor means you are employing Decentralisation, ![](../ce0.png)by using it you are placing your trust into 3 random entities (which can be individuals, companies or adversaries), in 3 different legislations (due to being in 3 different countries), rather than in one centralized entity, hence providing Anonymity on the IP layer. ![](../on0.png) + +There is always a low probability of risk, where if you are unlucky and tor circuits go through 3 nodes that are hosted by the same malicious entity, leading to deanonymization. ![](../on2.png) + + + +## **Tor and VPNs combinations** + +Combining Tor and VPNs require to be justified depending on the **clientside context** , and on the **serverside context** : + +![](11.png) + +First comes the clientside context: **Does your country allow anonymity ?** + +Check if your country allows Tor traffic or not. If it's not illegal, you can use tor traffic as is. **(you -> tor)** + +If you are in a country where tor traffic is illegal, you need to hide tor use behind a vpn **(you -> vpn -> tor)** + +If you are in a country where both Tor and VPNs are illegal, **know that this is too risky to try and be anonymous online** personally i wouldn't even try to be anonymous online in that context, **because you risk being persecuted for just using the technology**. If you still want to have anonymity anyway, you'll have to [use censorship evasion techniques](https://github.com/net4people/bbs/issues) like using [v2ray](../v2ray/index.md) + +![](12.png) + +Second comes serverside context: **Does the service allow anonymity?** + +Check if you can use the service using tor only,**(tor -> website)** + +If the website doesn't allow tor traffic, hide tor traffic behind a VPN **(tor -> vpn -> website)** + +If the website doesn't allow vpn traffic either, personally i would stop trying there, but you could try using residential proxies **(tor -> residential proxy -> website)** + +In conclusion, there are only 4 valid Tor / VPN combinations: + + + #country allows tor traffic: + you -> Tor -> service + you -> Tor -> VPN -> service + + #country doesn't allow tor traffic, but allows VPNs: + you -> VPN -> Tor -> service + you -> VPN -> Tor -> VPN -> service + + + +If you want to experiment with multiple tor / vpn setups at once (as part of the [internet segmentation](../internetsegmentation/index.md) Opsec practice), you can try each setup in a VM separately like so: + +![](133.png) + +_Sidenote:_ there is no point in having a setup that is going twice through Tor, only once is enough to obtain anonymity. + +## **First Goal: Hiding Tor usage from your ISP** + +Another scenario is when you need to hide the fact that you're using Tor from your ISP, we have the following setup which is useful to prevent [Tor usage correlation](https://edition.cnn.com/2013/12/17/justice/massachusetts-harvard-hoax). + +![](5.png) + + + You -> VPN -> Tor -> Destination + + + +_WARNING:_ in this setup you are trusting your VPN provider to not snitch to your ISP that you are using Tor! + +From your ISP's point of view, using Tor alone definitely stand out from regular traffic, a popular option you can go for is to use a VPN (as this is a much more common occurrence), and to use the Tor browser while keeping the VPN connection open. + +In the unlikely event that you get deanonymized while using Tor, **only your VPN IP would get revealed instead of your home IP address**. And if the VPN provider has strict no-log policies and [they actually follow through with their promises](https://www.theverge.com/2023/4/21/23692580/mullvad-vpn-raid-sweden-police), **it's very unlikely that both your VPN and Tor would be compromised at the same time.** + +_DISCLAIMER ON VPNs:_ Keep in mind that if you choose to use a VPN anyway, you must conduct a strict VPN selection, see [Privacy Guides' Recommendations](https://www.privacyguides.org/en/vpn/) on that topic, out of which i recommend [Mullvad](https://kycnot.me/service/Mullvad) because they accept Monero without any KYC. + +By first connecting to a VPN instead of Tor, your isp can't easily tell that you are connecting to Tor, since you're not connecting to Tor nodes directly anymore. **However since Tor traffic is uniquely recognizeable even when hiding it behind a VPN, thanks to AI-assisted traffic observation** , we need to defend against that too: + +When trying to use VPNs for anonymity, take note that we need to prevent traffic correlation as much as possible, hence we want to protect against AI-guided traffic analysis, **in order to make sure our VPN traffic patterns do not look like Tor traffic, in order to blend in with the other VPN users.** To do so we enable DAITA (Defense Against AI-guided traffic analysis) in the mullvad VPN: + +![](18.png) ![](19.png) ![](20.png) ![](21.png) + +Once enabled this will prevent an adversary watching connections to and from a VPN server to figure out which VPN user (that is currently using a VPN server) is visiting which website, based on the packet size and traffic patterns. (see [this article](https://mullvad.net/en/vpn/daita) for more details on how DAITA works) + +And that's it! Now your traffic doesnt contact Tor nodes directly thanks to connecting to a VPN beforehand, nor does it look like Tor traffic either thanks to using DAITA. + +## **Second Goal: Accessing websites that block Tor** + +Great, you found out about Tor, you want to be anonymous while browsing the web, and now you start to use your favorite centralised services (google, youtube for example) **but you realize that they don't allow you to use their service while you use Tor!** + +![](1.png) + + + You -> Tor -> Destination + + + +Keep in mind that [Tor exit nodes are all public](https://metrics.torproject.org/rs.html#search/flag:exit), it's easy for website administrators to block Tor exit nodes IPs by blocking their public IPs directly. So you can expect popular services that are openly hostile to both anonymity and privacy to block Tor traffic. + +So the constraint here is to access the service **without showing up as a tor exit node IP from their end.** + +To get around that problem, the idea is to force a VPN to connect through Tor (VPN through Tor Setup): + +![](2.png) + +_Disclaimer:_ **Do not use this setup for any other reason than to access websites that try to block Tor** , this is a very niche setup, it is not to be used for the rest of your Anonymous online activities! + + + You -> Tor -> VPN -> Destination + + + +That way, we have the following result: + + 1. Your ISP only sees Tor traffic + + 2. The VPN provider does not know who's using their infrastructure + + 3. The website administrators of popular services think you are using their service using a simple VPN + + + + +A constraint here of course is to acquire the VPN connection anonymously, to do so we only use Tor and Monero as explained in my tutorial on what to do when [Websites block Tor](../whentorisblocked/index.md): + +![](6.png) + +If the popular service does not block VPNs, you're good to keep using their service while still maintaining Anonymity. + +/!\ Be warned that this setup takes into account that you're properly segmenting your [Internet Usage](../internetsegmentation/index.md), because initially when you use this setup (you -> tor -> VPN), you may be anonymous, but **depending on your usage over time, you are increasingly more likely to be deanonymized if you are improperly segmenting your internet usage.** (see details on [OPSEC](../opsec/index.md) for more details) + +## **Third Goal: Hiding Tor usage (For Heavily Censored Countries)** + +A popular scenario people encounter, especially in [heavily censored countries](https://rsf.org/en/index) (the prime example being [China with their "Great Firewall"](https://iv.nowhere.moe/watch?v=QBp6opkcxoc)), is that the state blocks all VPN connections, on top of making them illegal. + +**Citizens don't want their ISP to know that they are using the Tor network. Because otherwise they would be prosecuted for simply using the technology.** + +Out of that situation, Tor bridge nodes were created. Tor bridge nodes are purposefully not listed in the public Tor directory to avoid being blocked by governments. Tor bridges include multiple [pluggable transports](https://tb-manual.torproject.org/circumvention/) to help users in heavily censored countries: + +From Torproject's [explanation](https://support.torproject.org/censorship/censorship-7/) on tor bridge nodes: + + + Bridges are useful for Tor users under oppressive regimes, and for people who want an extra layer of security because they're worried somebody will recognize that they are contacting a public Tor relay IP address. + + Several countries, including China and Iran, have found ways to detect and block connections to Tor bridges. Obfsproxy bridges address this by adding another layer of obfuscation. + + + +_WARNING:_ be aware that this setup may provide transient censorship circumvention, but **it does not protect against the threat where an adversary finds out, let's say 5 months later, that you connected to a tor bridge node in the past, and may prosecute you for it.** This scenario is to be considered only when **all VPNs are blocked or illegal in your country.** + +Personally, if i were to live in a heavily censored country like china, i wouldn't try to be anonymous online, **to avoid the risk of being prosecuted for just using the technology** , as the risks are too high there. + +![](4.png) + +Using this setup allows you to use the Tor network even if your government doesn't allow it, **but again, you run the risk that they find out later on, that you used tor in the past.** For a long-term way of accessing Tor from heavily-censored countries, check out the tutorial on how to use [v2ray](../v2ray/index.md). + diff --git a/torvsvpns/1.png b/torvsvpns/1.png new file mode 100644 index 0000000..4459d2b Binary files /dev/null and b/torvsvpns/1.png differ diff --git a/torvsvpns/2.png b/torvsvpns/2.png new file mode 100644 index 0000000..32dea4b Binary files /dev/null and b/torvsvpns/2.png differ diff --git a/torvsvpns/3.png b/torvsvpns/3.png new file mode 100644 index 0000000..95ba86d Binary files /dev/null and b/torvsvpns/3.png differ diff --git a/torvsvpns/4.png b/torvsvpns/4.png new file mode 100644 index 0000000..1a163e9 Binary files /dev/null and b/torvsvpns/4.png differ diff --git a/torvsvpns/5.png b/torvsvpns/5.png new file mode 100644 index 0000000..45c508e Binary files /dev/null and b/torvsvpns/5.png differ diff --git a/torvsvpns/6.png b/torvsvpns/6.png new file mode 100644 index 0000000..c598fcc Binary files /dev/null and b/torvsvpns/6.png differ diff --git a/torvsvpns/index.md b/torvsvpns/index.md new file mode 100644 index 0000000..ace5b89 --- /dev/null +++ b/torvsvpns/index.md @@ -0,0 +1,74 @@ +--- +author: nihilist +date: 2024-04-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/88" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# The main source of Anonymity: The Tor Network + + + +## **Why aren't VPNs enough?** + + + Privacy Analogy: + Alice is talking to Bob, but Jack can hear their conversation, they have no privacy. + Alice is talking to Bob, behind closed doors. Jack can't hear their conversation, they now have privacy. + + + +As explained [previously](../aps/index.md), Privacy is about excluding someone from being able to spy on what you're doing, the **whole marketing point for VPNs is to provide privacy for your internet usage, from your internet service provider (ISP)** + +![](1.png) + +By default, you are using your computer from home, from your home connection which is provided by your Internet Service Provider (ISP), and you are using it to access services remotely. **In that scenario, your ISP is able to see (to spy on) what you're doing with your internet connection.** From there, the entire VPN industry emerged. + +![](2.png) + +A VPN provider is a centralised entity (see our previous [explanation](../governments/index.md) on why these are highly likely to be used as a spying proxy for the governments), they offer you to connect to their infrastructure **in order to offer you privacy from your ISP.** + +However when you do that, the VPN provider becomes your ISP, **The VPN provider becomes the one who is able to spy on your internet traffic, instead of your ISP.** + +By connecting to a VPN you are moving your trust from your ISP to the VPN provider, **but since both your ISP and your VPN provider are centralised entities, you can be damn sure they are spying on what you're doing.** + +Moving your trust from a centralised entity to another is not going to protect you against targeted surveillance. **It won't protect you from being reported to the authorities either if you do something illegal.** + +_DISCLAIMER ON VPNs:_ Keep in mind that if you choose to use a VPN anyway, you must conduct a strict VPN selection, see [Privacy Guides' Recommendations](https://www.privacyguides.org/en/vpn/) on that topic, out of which i recommend [Mullvad](https://kycnot.me/service/Mullvad) because they accept Monero without any KYC. + +## **Tor Network: the main source of Anonymity** + + + Anonymity Analogy: + Jack sees that Alice is talking to Someone. But Jack can't make out who that person is. + Until Jack can figure out who that Someone is, that someone is Anonymous. + + + +So we can't trust our ISP, nor VPNs alone, what can we trust then ? + +That situation is what started the [Tor Project](https://torproject.org). Tor is above all an open source routing protocol, that aims to not only encrypt traffic (like what VPNs do) **but the aim is also to obscure where connections come from, and where they go**. + +It aims to blend all of the users together, to make everyone look the same to prevent any identity correlation. (that is also why you shouldn't edit your tor browser configs, as it will make you stand out as an unique user. + +![](4.png) + +We have the following scenario: you don't want your internet service provider to know what you're doing, **but you also don't want the end services like google youtube or duckduckgo to know that you are accessing their service.** in other words, you want to remain Anonymous while browsing the web, and Tor provides that for you. + +![](5.png) + +Tor is unique as it is the anonymity network that received the most donations, studies and patches, but also due to it's popularity there's alot of nodes ran by anyone (individuals, companies, and potentially also governments), the decentralised aspect is vital there, because **by using Tor, you are trusting 3 random entities, in 3 different countries** + +It takes all 3 nodes used by your tor circuit (**in 3 different legislations if they are in 3 different countries**) to actually be malicious and to record connections to be able to successfully deanonymize you. While at the same time, the Tor protocol does not log any connection by default. + +For more details you can see the repartition of tor nodes per [country](Https://metrics.torproject.org/bubbles.html#country), or per [ISP](https://metrics.torproject.org/bubbles.html#as) on metrics.torproject.org + +![](6.png) + +Keep in mind that it is still possible for you to get deanonymized sometimes if you're unlucky to have all 3 nodes ran by the same entity. So **it is not perfect** , but it is definitely many times more trustworthy than having to trust a centralised entity providing you with a VPN connection. + +As we have discussed [previously](../anonymityexplained/index.md), sometimes Anonymity is the difference-maker between Life and Death, especially for Journalism in censorship-heavy countries, Tor's main attraction is that **De-anonymization attacks are made to be as expensive as possible** , even for state-actors. + +Some people argue that Tor can't be trusted, but as we have discussed [previously](../govfear/index.md), Governments need to be able to know what happened (lack of Privacy), and once they know what happened, they need to know who did it (lack of Anonymity), **in order to enforce their laws.** When that is the case, [how come is there still so many illegal marketplaces with years of uptime on the Tor network](https://status.nowhere.moe/status/darknet) ? One thing is for sure, these marketplaces are very high on international authorities' priority list. If they are still there after all this time, It must be because the Tor network is protecting them from being discovered by the authorities isn't it ? + +Even though i don't recommend to use Tor for any illegal purposes, the fact that these marketplaces have remained in activity for such a long time are a clear testament to the resiliency of the Tor network. + diff --git a/torwebsite/0.png b/torwebsite/0.png new file mode 100644 index 0000000..63a9340 Binary files /dev/null and b/torwebsite/0.png differ diff --git a/torwebsite/1.png b/torwebsite/1.png new file mode 100644 index 0000000..21dc8d3 Binary files /dev/null and b/torwebsite/1.png differ diff --git a/torwebsite/2.png b/torwebsite/2.png new file mode 100644 index 0000000..0fa81d2 Binary files /dev/null and b/torwebsite/2.png differ diff --git a/torwebsite/3.png b/torwebsite/3.png new file mode 100644 index 0000000..16edcaf Binary files /dev/null and b/torwebsite/3.png differ diff --git a/torwebsite/index.md b/torwebsite/index.md new file mode 100644 index 0000000..1abcebc --- /dev/null +++ b/torwebsite/index.md @@ -0,0 +1,421 @@ +--- +author: nihilist +date: 2024-02-01 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/156" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Hidden Service with custom .onion Vanity V3 address + +![](../hiddenservice/2.png) + +In this tutorial we'll setup a Hidden Service with custom .onion Vanity V3 address, we'll set it up using nginx and Tor. + + + +## **Initial Setup** + +Before starting, [check if your ISP allows tor use or not.](../torthroughvpn/index.md) **And if it does not, make sure you install a VPN to hide the fact that you're using Tor** as we did previously [here](../vpn/index.md): + + + # Download the Mullvad signing key + sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc + + # Add the Mullvad repository server to apt + echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list + # Or add the Mullvad BETA repository server to apt + echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/beta $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list + + # Install the package + sudo apt update + sudo apt install mullvad-vpn + + # Connect to Mullvad VPN + mullvad account login + Enter an account number: 91320912809328832 + Mullvad account "91320912809328832" set + + # Connect to the VPN: + mullvad lockdown-mode set on + mullvad connect + + curl ifconfig.me + 194.127.199.92 + + + +## Generate vanity onion v3 URL + +Once done, install tor and compute your Tor domain: + + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv] + → apt install gcc libc6-dev libsodium-dev make autoconf tor nginx -y + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv] + → git clone https://github.com/cathugger/mkp224o + Cloning into 'mkp224o'... + remote: Enumerating objects: 1571, done. + remote: Counting objects: 100% (402/402), done. + remote: Compressing objects: 100% (83/83), done. + remote: Total 1571 (delta 341), reused 350 (delta 317), pack-reused 1169 + Receiving objects: 100% (1571/1571), 1.89 MiB | 6.32 MiB/s, done. + Resolving deltas: 100% (982/982), done. + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv] + → cd mkp224o + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv/mkp224o] + → ls + autogen.sh base64_to.c filters_common.inc.h ioutil.h test_base64.c worker.h + base16_from.c calcest.c filters.h keccak.c test_ed25519.c worker_impl.inc.h + base16.h common.h filters_inc.inc.h keccak.h testutil.h yaml.c + base16_to.c configure.ac filters_main.inc.h likely.h types.h yaml.h + base32_from.c contrib filters_worker.inc.h main.c vec.c + base32.h COPYING.txt GNUmakefile.in OPTIMISATION.txt vec.h + base32_to.c cpucount.c hex.h README.md worker_batch.inc.h + base64_from.c cpucount.h ifilter_bitsum.h test_base16.c worker_batch_pass.inc.h + base64.h ed25519 ioutil.c test_base32.c worker.c + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv/mkp224o] + → ./autogen.sh + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv/mkp224o] + → ./configure + checking for gcc... gcc + checking wheter the C compiler works... yes + checking for C compiler default output file name... a.out + checking for suffix of executables... + checking wheter we are cross compiling... no + checking for suffix of object files... o + checking wheter the compiler supports GNU C... yes + checking wheter gcc accepts -g... yes + checking for gcc option to enable C11 features... none needed + checking wheter CC supports -march=native... yes + checking wheter CC supports -fomit-frame-pointer... yes + checking wheter CC supports -fPIE... yes + checking wheter CC supports -std=c99... yes + checking wheter CC supports -Wall... yes + checking wheter CC supports -Wextra... yes + checking wheter CC supports -Wno-maybe-uninitialized... yes + checking wheter CC supports and needs -Wno-format -Wno-pedantic-ms-format... no + checking wheter CC supports -Wno-unused-function... yes + checking wheter CC supports -Wmissing-prototypes... yes + checking wheter CC supports -Wstrict-prototypes... yes + checking wheter ARGON2ID13 is supported by libsodium... yes + configure: creating ./config.status + config.status: creating GNUmakefile + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv/mkp224o] + → make + + + +Now i want my tor domain to contain the "datura" characters so i do the following: + + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv/mkp224o] + → ./mkp224o datura + sorting filters... done. + filters: + datura + in total, 1 filter + using 12 threads + daturacccspczuluj2hbgqfcpkjo75hn7bzmuzsm5zys3az6k3su45ad.onion + daturaxnp7x4ubwlslgyeaft5dabaxotmsaxanayocnpxarc7wi36kid.onion + + [ nowhere.moe ] [ /dev/pts/11 ] [lib/tor/onions] + → ls -lash + total 16K + 4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 . + 4.0K drwx--S--- 8 debian-tor debian-tor 4.0K Feb 1 15:08 .. + 4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12 2023 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + 4.0K drwx------ 3 debian-tor debian-tor 4.0K Jan 27 15:48 nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion + + [ nowhere.moe ] [ /dev/pts/11 ] [lib/tor/onions] + → ls -lash daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + total 24K + 4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12 2023 . + 4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 .. + 4.0K drwx------ 2 debian-tor debian-tor 4.0K Jul 12 2023 authorized_clients + 4.0K -r-------- 1 debian-tor debian-tor 63 Jul 12 2023 hostname + 4.0K -r-------- 1 debian-tor debian-tor 64 Jul 12 2023 hs_ed25519_public_key + 4.0K -r-------- 1 debian-tor debian-tor 96 Jul 12 2023 hs_ed25519_secret_key + + + [ nowhere.moe ] [ /dev/pts/11 ] [/srv/mkp224o] + → cat /etc/tor/torrc + HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/ + HiddenServicePort 80 127.0.0.1:4443 # for web service HTTP (recommended!) + HiddenServicePort 443 127.0.0.1:4444 # for web service HTTPS (but not recommended!) + + HiddenServicePort 18080 127.0.0.1:18080 # for monero nodes + HiddenServicePort 18081 127.0.0.1:18081 # for monero nodes + + # to have another hidden service, you can append it afterward like so; but you need to use different ports: + + HiddenServiceDir /var/lib/tor/onions/nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/ + HiddenServicePort 80 127.0.0.1:4445 + + + +Make sure that the file permissions are correct in the /var/lib/tor/onions/datura...onion/ directory: + + + [ nowhere.moe ] [ /dev/pts/11 ] [lib/tor/onions] + → chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + + [ nowhere.moe ] [ /dev/pts/11 ] [lib/tor/onions] + → chmod 400 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/* + + [ nowhere.moe ] [ /dev/pts/11 ] [lib/tor/onions] + → chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/authorized_clients -R + + [ nowhere.moe ] [ /dev/pts/11 ] [lib/tor/onions] + → chown debian-tor: /var/lib/tor/onions -R + + +## Nginx Configuration + +Now let's set it up on our webserver: + + + [ nowhere.moe ] [ /dev/pts/11 ] [~debian-tor/onions] + → cat /etc/nginx/sites-available/nowhere.moe.conf + + server { + ######## TOR WEBSITE ######## + listen 4443; + listen [::]:4443; + server_name daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + root /srv/blog/; + index index.html; + } + + + +That's how you do it for an onion-only website ^ but if you also have clearnet (meaning your website is reachable publicly via port 80 and 443) you can add onion support like so: + + + [ nowhere.moe ] [ /dev/pts/11 ] [~debian-tor/onions] + → cat /etc/nginx/sites-available/nowhere.moe.conf + server { + listen 80; + listen [::]:80; + server_name nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + **######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ########** + + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name nowhere.moe; + + ssl_certificate /etc/acme/certs/nowhere.moe/fullchain.cer; + ssl_trusted_certificate /etc/acme/certs/nowhere.moe/nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/nowhere.moe/nowhere.moe.key; + + [...] + root /srv/nowhere.moe/; + } + + [ nowhere.moe ] [ /dev/pts/11 ] [~debian-tor/onions] + → cat /etc/nginx/sites-available/nowhere.moe.conf + server { + listen 80; + listen [::]:80; + server_name nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + **######## TOR CHANGES ######## + listen 4445; + listen [::]:4445; + server_name nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion; + add_header Onion-Location "http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion$request_uri" always; + ######## TOR CHANGES ########** + + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name nowhere.moe; + [...] + + root /srv/nowhere.moe/; + + ssl_certificate /etc/acme/certs/nowhere.moe/fullchain.cer; + ssl_trusted_certificate /etc/acme/certs/nowhere.moe/nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/nowhere.moe/nowhere.moe.key; + } + + [ nowhere.moe ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion] + → nginx -t + 2023/07/12 21:46:16 [emerg] 113983#113983: could not build server_names_hash, you should increase server_names_hash_bucket_size: 64 + nginx: configuration file /etc/nginx/nginx.conf test failed + + #if it gives you this error do the following: + + [ nowhere.moe ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion] + → vim /etc/nginx/nginx.conf + + [ nowhere.moe ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion] + → cat /etc/nginx/nginx.conf |grep 128 + server_names_hash_bucket_size 128; + + + [ 10.0.0.101/16 ] [ /dev/pts/12 ] [/var/lib/tor] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ 10.0.0.101/16 ] [ /dev/pts/12 ] [/var/lib/tor] + → nginx -s reload + + [ 10.0.0.101/16 ] [ /dev/pts/8 ] [~debian-tor] + → sudo -u debian-tor tor + Jan 23 16:57:19.270 [notice] Tor 0.3.5.16 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8. + Jan 23 16:57:19.270 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning + Jan 23 16:57:19.270 [notice] Read configuration file "/etc/tor/torrc". + Jan 23 16:57:19.278 [notice] Opening Socks listener on 127.0.0.1:9050 + Jan 23 16:57:19.278 [notice] Opened Socks listener on 127.0.0.1:9050 + Jan 23 16:57:19.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip. + Jan 23 16:57:19.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6. + Jan 23 16:57:19.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't. + Jan 23 16:57:19.000 [notice] Bootstrapped 0%: Starting + Jan 23 16:57:20.000 [notice] Starting with guard context "default" + Jan 23 16:57:20.000 [notice] Bootstrapped 10%: Finishing handshake with directory server + Jan 23 16:57:20.000 [notice] Bootstrapped 80%: Connecting to the Tor network + Jan 23 16:57:20.000 [notice] Bootstrapped 90%: Establishing a Tor circuit + Jan 23 16:57:21.000 [notice] Bootstrapped 100%: Done + + +From there we can check if our tor website is up: + +![](1.png) ![](2.png) + +It works! Now let's use systemctl to start tor instead: + + + [ nowhere.moe ] [ /dev/pts/11 ] [~debian-tor/onions] + → systemctl restart tor@default + + [ nowhere.moe ] [ /dev/pts/11 ] [~debian-tor/onions] + → systemctl status tor@default + ● tor@default.service - Anonymizing overlay network for TCP + Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled) + Active: active (running) since Thu 2024-02-01 15:24:07 CET; 18min ago + Process: 3027334 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS) + Process: 3027335 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS) + Main PID: 3027336 (tor) + Tasks: 30 (limit: 77000) + Memory: 636.4M + CPU: 49.885s + CGroup: /system.slice/system-tor.slice/tor@default.service + ├─3027336 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 + └─3027337 /usr/bin/obfs4proxy + + Feb 01 15:24:26 nowhere.moe Tor[3027336]: Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 1000 buildtimes. + Feb 01 15:25:09 nowhere.moe Tor[3027336]: Performing bandwidth self-test...done. + + + +## Adding Subdomain + +Now we can do the same for a subdomain: + + + + [ nowhere.moe ] [ /dev/pts/11 ] [/etc/nginx/sites-available] + → cat cringe.nowhere.moe.conf + server { + listen 443 ssl; + server_name cringe.nowhere.moe; + + ssl_certificate /etc/acme/certs/cringe.nowhere.moe/cringe.nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/cringe.nowhere.moe/cringe.nowhere.moe.key; + + **######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ########** + + [...] + + location / { + proxy_pass http://localhost:8083; + } + + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + } + + [ nowhere.moe ] [ /dev/pts/11 ] [/etc/nginx/sites-available] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.moe ] [ /dev/pts/11 ] [/etc/nginx/sites-available] + → nginx -s reload + 2024/02/01 15:45:18 [notice] 3045373#3045373: signal process started + + + +![](3.png) + + +## DoS Prevention + + +Now that we have our website up and running, it's better to configure some **DoS countermeasures** to avoid any unpleasant problems. + +There are many countermeasures, one of the most effective is **PoW**. If you want to learn more about other DoS prevention methods check the [guidelines](https://community.torproject.org/onion-services/advanced/dos/). If you want to learn more about how PoW works, check out the [FAQs](https://onionservices.torproject.org/technology/pow/). + +Without further ado, let's enable PoW for our onion service. +Add the following to your `/etc/tor/torrc` + + + HiddenServicePoWDefensesEnabled 1 + HiddenServicePoWQueueRate 250 + HiddenServicePoWQueueBurst 2500 + + +This is what the options do (taken from `tor(1)` manual) + + + HiddenServicePoWDefensesEnabled 0|1 + Enable proof-of-work based service DoS mitigation. If set to 1 + (enabled), tor will include parameters for an optional client + puzzle in the encrypted portion of this hidden service’s + descriptor. Incoming rendezvous requests will be prioritized based + on the amount of effort a client chooses to make when computing a + solution to the puzzle. The service will periodically update a + suggested amount of effort, based on attack load, and disable the + puzzle entirely when the service is not overloaded. (Default: 0) + + HiddenServicePoWQueueRate NUM + The sustained rate of rendezvous requests to dispatch per second + from the priority queue. Has no effect when proof-of-work is + disabled. If this is set to 0 there’s no explicit limit and we will + process requests as quickly as possible. (Default: 250) + + HiddenServicePoWQueueBurst NUM + The maximum burst size for rendezvous requests handled from the + priority queue at once. (Default: 2500) + + +If you don't know what _rendezvous requests_ are, check out [the specification](https://spec.torproject.org/rend-spec/rendezvous-protocol.html), but essentially see them as "Hello I am NODE_X, I want to connect to NODE_Y to create a circuit, can you let me do it?" + +If you are wondering how the priority queue is managed, think of it as how much _effort_ the client put into solving the challenge; the more effort the _higher_ the client priority will be (but also the time took to solve the challenge) + +Don't forget to restart the hidden service to enable the changes made. + diff --git a/tr0.png b/tr0.png new file mode 100644 index 0000000..5ec2f3c Binary files /dev/null and b/tr0.png differ diff --git a/tr1.png b/tr1.png new file mode 100644 index 0000000..a116df3 Binary files /dev/null and b/tr1.png differ diff --git a/tr2.png b/tr2.png new file mode 100644 index 0000000..b57eecf Binary files /dev/null and b/tr2.png differ diff --git a/v2ray/bridge.png b/v2ray/bridge.png new file mode 100644 index 0000000..f9c3f6d Binary files /dev/null and b/v2ray/bridge.png differ diff --git a/v2ray/cdn_edit.png b/v2ray/cdn_edit.png new file mode 100644 index 0000000..e147a37 Binary files /dev/null and b/v2ray/cdn_edit.png differ diff --git a/v2ray/cdn_host_change.png b/v2ray/cdn_host_change.png new file mode 100644 index 0000000..ff1d8b0 Binary files /dev/null and b/v2ray/cdn_host_change.png differ diff --git a/v2ray/cdn_host_tls_port.png b/v2ray/cdn_host_tls_port.png new file mode 100644 index 0000000..bf95e29 Binary files /dev/null and b/v2ray/cdn_host_tls_port.png differ diff --git a/v2ray/cdn_newservice.png b/v2ray/cdn_newservice.png new file mode 100644 index 0000000..9c16690 Binary files /dev/null and b/v2ray/cdn_newservice.png differ diff --git a/v2ray/cdn_settings.png b/v2ray/cdn_settings.png new file mode 100644 index 0000000..670c02c Binary files /dev/null and b/v2ray/cdn_settings.png differ diff --git a/v2ray/changexcore.png b/v2ray/changexcore.png new file mode 100644 index 0000000..205d29b Binary files /dev/null and b/v2ray/changexcore.png differ diff --git a/v2ray/connect_success.png b/v2ray/connect_success.png new file mode 100644 index 0000000..aa92863 Binary files /dev/null and b/v2ray/connect_success.png differ diff --git a/v2ray/createib.png b/v2ray/createib.png new file mode 100644 index 0000000..61922d3 Binary files /dev/null and b/v2ray/createib.png differ diff --git a/v2ray/domainfronting_diagram.png b/v2ray/domainfronting_diagram.png new file mode 100644 index 0000000..8fff70a Binary files /dev/null and b/v2ray/domainfronting_diagram.png differ diff --git a/v2ray/fastly_newacc.png b/v2ray/fastly_newacc.png new file mode 100644 index 0000000..9960ccb Binary files /dev/null and b/v2ray/fastly_newacc.png differ diff --git a/v2ray/index.md b/v2ray/index.md new file mode 100644 index 0000000..822afab --- /dev/null +++ b/v2ray/index.md @@ -0,0 +1,345 @@ +--- +author: Zer0 +date: 2023-12-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/0" +xmr: 42wqdQbr4QBSU4BVKkoAANENY6SDzbdib8mUmNBybYAePfkVzmcQKyGNuJ3GbFr4S9fsQaWQB9gxnip611poq89f1ETjK9R +--- +# How to access Tor when you are in a heavily-censored country using v2ray (vmess / vless) + +![](./sheep.png) + + + +> "How charming it is to witness such harmony—where freedom is a gentle illusion, and every bleat is a reminder that safety lies not in the open fields, but in the comforting embrace of the shepherd’s leash" + +some governments just love to restrict free flow of information in the name of serving and securing their citizens by implying censorship and blocking certain websites. So in this tutorail we deep dive into circumviliation tools and their working principles. + +## **Introduction** + + * ### _Why should I use v2ray?_ + +**If your country makes TOR traffic as illegal, how can you access .onion websites anyway ?** + +Normally you would just hide that you are using Tor [by hiding it behind a VPN](../torthroughvpn/index.md) (which can be based on wireguard or openvpn) like we have previously recommended: ![](../torthroughvpn/5.png) + +but now we have another problem, **what if your country also made VPNs illegal to use ?** +![](./is-vpn-legal-in-your-country.jpeg) + +**If you are in a country where both Tor and VPNs are illegal to use** , you'll need to use a censorship-evasion tool like v2ray **to be able to safely hide that you're using Tor.** + * ### _Project V and Project X_ + +**V2ray** : an open source censorship circumvention tool also know as project V is a framework where one could stack protocols as well as modify standard protocols to bypass firewalls. + +**Xray** : a superset of v2ray, with better overall performance and enhancements such as XTLS + +XTLS is an optimized/modification of TLS protocol, it works by using real TLS to hide proxy traffic + + + + + +> V2ray is not a protocol rather a platform where users could design their own protocol stacks based on the primitive protocols like TCP,UDP,HTTP while vmess and vless are proxy protocols which are native to v2ray. + + + + + +V2rays has the ability to obfuscate and make packets appear to be genuine webtraffic, **in order to prevent the adversary from figuring out that you are using Tor.** ![](./wg_limitation.png) Wireguard as well as openvpn does not provide any obfuscation feature and will be detected easily by header match or DPI. ![](./wg_official2.png) +(they have this in their codebase which clearly shows how to detect Wireguard traffic) [ref](https://github.com/wireshark/wireshark/blob/ef9c79ae81b00a63aa8638076ec81dc9482972e9/epan/dissectors/packet-wireguard.c#L1618-L1625) + +But How does a V2ray traffic look like? + +Here's a Wireshark dump of curl archlinux.org with and without v2ray. +![](./v2ray_domain_Fronted_traffic.png) + +As you could see requests to archlinux.org ( with v2ray ) goes to a popular website giphy but is actually communicating to our V2ray server behind the CDN through Websocket protocol. +(Domain Fronting method is being used here) + + + +> we could use v2ray to make our own versions of primitive protocols to "fool the wall". + + + + + * ### _Some Principles to get started_ + +![](./v2ray-outline.png) + +> **Transport** : The protocol used to connect to the v2ray server. +> **Inbounds** : Connections to the v2ray server. +> **Routing** : Rules defining how an inbound connection should be treated. (Ex. drop connection requests from certain domains, route inbound through a socks server) +> **Outbounds** : Connections going out of v2ray server.(Ex. Towards the user requested website) +> + + + + + * ### _Clients_ + +Android + * [Nekobox](httphttps://github.com/MatsuriDayo/NekoBoxForAndroid/) + * [v2rayNG](https://github.com/2dust/v2rayNG) +Linux + * [Nekoray](https://github.com/Matsuridayo/nekoray) + * [v2rayN](https://github.com/2dust/v2rayN) + * [v2rayA](https://github.com/v2rayA/v2rayA) + * [Furious](https://github.com/LorenEteval/Furious) +Windows + * [HiddifyN](https://github.com/hiddify/HiddifyN) + * [v2rayN](https://github.com/2dust/v2rayN) + + + + +## **Serverside Setup** + +an overview of v2ray server config looks like this + + + { + "log": {}, + "api": {}, + "dns": {}, + "stats": {}, + "routing": {}, + "policy": {}, + "inbounds": [], + "outbounds": [], + "transport": {} + } + +Looking kinda complicated right, fear not we have Web-UI's to setup V2Ray servers. Web-UI aka "panels" could be used for user-management including traffic stats,uuid-generation and much more... + + * ### _Getting a VPS_ + +refer to [Acquiring remote servers anonymously (non-KYC providers) ](../anonymousremoteserver/index.md) for buying a **VPS using XMR** + + + + + * ### _Installing a panel_ + +Once you have the VPS ready and have established an SSH connection,we can start working on installing panel. + +> we'll be using **[alireza0/x-ui](https://github.com/alireza0/x-ui)** panel since its actively maintained, but you could also use **[MHSanaei/3x-ui](https://github.com/MHSanaei/3x-ui)** .The v2ray server setup is same same for all. + +Supported distributions - Ubuntu 20.04+ - Debian 11+ - CentOS 8+ - OpenEuler 22.03+ - Fedora 36+ - Arch Linux - Parch Linux - Manjaro - Armbian - AlmaLinux 8.0+ - Rocky Linux 8+ - Oracle Linux 8+ - OpenSUSE Tumbleweed - Amazon Linux 2023 + + + #> bash <(curl -Ls https://raw.githubusercontent.com/alireza0/x-ui/master/install.sh) + .... + Would you like to customize the Panel Port settings? (If not, random port will be applied) [y/n]: y + Please set up the panel port: 9566 + Your Panel Port is: 9566 + Port set successfully: 9566 + Username and password updated successfully + Base URI path set successfully + This is a fresh installation, generating random login info for security concerns: + ############################################### + Username: fU8hjnoLSp + Password: ak8jX44rZy + Port: 9566 + WebBasePath: EwAJmwAHwMk7FLK + ############################################### + If you forgot your login info, you can type 'x-ui settings' to check + Start migrating database... + Migration done! + Created symlink '/etc/systemd/system/multi-user.target.wants/x-ui.service' → '/etc/systemd/system/x-ui.service'. + x-ui v1.8.7 installation finished, it is up and running now... + + + + +The script asks for the port to use. we could change the port later. We could use the creds(Autogenerated) displayed above to access the webui + + X-UI Control Menu Usage + ------------------------------------------ + SUBCOMMANDS: + x-ui - Admin Management Script + x-ui start - Start + x-ui stop - Stop + x-ui restart - Restart + x-ui status - Current Status + x-ui settings - Current Settings + x-ui enable - Enable Autostart on OS Startup + x-ui disable - Disable Autostart on OS Startup + x-ui log - Check Logs + x-ui update - Update + x-ui install - Install + x-ui uninstall - Uninstall + x-ui help - Control Menu Usage + ------------------------------------------ + + +In order to access the web UI, the url schema looks like this. +`http://server_ip:port/path` + + + +> You can use **x-ui settings** command to retrieve panel info, like port and path. +> Ex-output: +> ############################################### Username: fU8hjnoLSp +> Password: ak8jX44rZy +> Port: 9566 +> WebBasePath: EwAJmwAHwMk7FLK +> ############################################### + +Example http://198.41.128.88:9566/EwAJmwAHwMk7FLK/ +Once you access the web portal,use the username and password as above. + + + + + * ### _Setting up the panel_ + +![](./login.png) + +##### after logging in switch to latest the xray-core + +![](./changexcore.png) + +In order to receive inbounds we must create an inbound rule within the panel. +We are choosing vmess (as protocol) + websocket (as trasport). copy the settings as below. +(you could change the port as of your liking) + +> VLESS does not provide built-in encryption, avoiding it for now. [ref](https://xtls.github.io/en/config/inbounds/vless.html#vless) NOTE: VMess Requires to have time synced up. + +![](./createib.png) +Now you could try to connect to the server using QR Code or by using the vmess link. +(Click the QR to copy link) See Client Section + + + +> a vmess link will look like vmess://<uuid;>@<hostname;>:<port;>?<other;_params>#<remarks;> + + * ### _Client Installation_ + +We're installing **V2rayN** on linux, one could find the pre-build binaries in the releases section on github( [link](https://github.com/2dust/v2rayN/releases) ) ![](./v2rayn_release.png) +Extract, and run the client as follows + + + + $ unzip v2rayN-linux-64.zip + ... + $ cd v2rayN-linux-64/ + $ chmod +x v2rayN + $ ./v2rayN + + + + +After executing the above command a GUI will popup. +change route settings (optional) within Settings(on top) > Regional Presets Settings > Russia + +![](./russia.png) + + + +> Routing is used when you want to avoid proxy for regional websites. +> (A direct connection without proxy will be made by the clientside app based-off IP or Domain name) + +Ex. if we access 1tv.ru, with this setting turned on it will be resolved using our actual IP than our Proxy IP + + + + +## **Censorship Evasion technique #1 - Domain Fronting** + + + + + +Setting up a v2ray server alone doesnt bypass any censors(it would be obvious if we push a large amount of traffic),rather we use some methods to make the traffic look geniune. +One such method is called **Domain Fronting** +![](./domainfronting_diagram.png) + +We will be using Fastly, since it offers a free CDN without CreditCard + 30-day Websocket support(free-trial) +Start by creating an account at [Fastly](http://fastly.com) +![](./fastly_newacc.png) +Create a new cdn service like this +![](./cdn_newservice.png) + +> In here we can **use any domain name** since its for internal routing within cdn. +> (meaning that within the CDN domain zero-google.com will resolve to our v2ray IP ) +> **origin** willbe our v2ray inbound IP + + +then select the cdn name to edit the config +![](./cdn_edit.png) + +We edit the CDN config to change the port of our host and disable some settings that may cause issues +![](./cdn_host_change.png) +After that we change the port from 443 to 53254 (The port we used for receiving inbounds in our v2ray panel) ![](./cdn_host_tls_port.png) + + + +> We can do inbounds to port 443(TLS port) and adjust inbound settings to have **Fallback** but that requires one to have an inbound config with TCP transport within the panel. + +A Fallback is when you want to expose only one standard HTTP/HTTPS port(80,443) to receive inbounds but want to use different protocols like VMESS,Shadowsock... with the same port. +Fallback Can only be used with TCP/XTLS transport modes. + + + + +Now from Settings >> ![](./cdn_settings.png) +we enable websocket. +![](./ws_disabled.png) Start the trial and it should look something like this +![](./ws_enabled.png) +Now lets add VCL for HTTP Connection Upgrade(Since we want to switch to Websocket) ![](./vcl.png) +![](./upgr.png) + + + if (req.http.Upgrade) { + return (upgrade); + } + + + +## **Clientside Setup** + +In this section we'll discuss how to connect to the prementioned setup using domain fronting technique. + + * ### _Linux_ + +Copy the server config from panel(by clicking the qr-code) to clipboard. +Open client app(v2rayN/nekoray) +Ctrl + V +and edit it as follows. +For testing in Linux we are using v2rayN + +![](./test_vmess.png) + +click **Confirm** + +If the connection was successful you'll see your server IP along with delay(ms) in the logs as well as on bottom right corner like this. ![](./connect_success.png) +You could toggle System Proxy to check connectivity, within browser and all. +![](./system_proxy.png) + + + + + +## **Testing Tor** + + + +go to **about:preferences#connection** change proxy settings as follows. +(Proxy port shown in v2ray. So that connection made by tor will go through v2ray server) ![](./tor_proxy_settings.png) + + +> If we were to save it and try to connect **it will fail**. (connection died in state handshaking). **So enable Bridges** + +Set Bridges of Your Choice +![](./bridge.png) + + +This is how the traffic leaves the system. +![](./ws_traffic.png) + +As you could see, traffic goes to fastly server rather than tor nodes. +(You're seeing Websocket traffic to and from 192.168.1.2(LAN IP) to a Fastly CDN(Anycast IP)) +![](./test_tor.png) + +And that's it! we managed to connect to an onion website, from a heavily-censored country, thanks to v2ray. + diff --git a/v2ray/is-vpn-legal-in-your-country.jpeg b/v2ray/is-vpn-legal-in-your-country.jpeg new file mode 100644 index 0000000..4fb7465 Binary files /dev/null and b/v2ray/is-vpn-legal-in-your-country.jpeg differ diff --git a/v2ray/login.png b/v2ray/login.png new file mode 100644 index 0000000..0d42862 Binary files /dev/null and b/v2ray/login.png differ diff --git a/v2ray/russia.png b/v2ray/russia.png new file mode 100644 index 0000000..4019c11 Binary files /dev/null and b/v2ray/russia.png differ diff --git a/v2ray/share.png b/v2ray/share.png new file mode 100644 index 0000000..846fbac Binary files /dev/null and b/v2ray/share.png differ diff --git a/v2ray/sheep.png b/v2ray/sheep.png new file mode 100644 index 0000000..8a23435 Binary files /dev/null and b/v2ray/sheep.png differ diff --git a/v2ray/system_proxy.png b/v2ray/system_proxy.png new file mode 100644 index 0000000..26c021d Binary files /dev/null and b/v2ray/system_proxy.png differ diff --git a/v2ray/test_tor.png b/v2ray/test_tor.png new file mode 100644 index 0000000..f33051a Binary files /dev/null and b/v2ray/test_tor.png differ diff --git a/v2ray/test_vmess.png b/v2ray/test_vmess.png new file mode 100644 index 0000000..8a773ab Binary files /dev/null and b/v2ray/test_vmess.png differ diff --git a/v2ray/tor_proxy_settings.png b/v2ray/tor_proxy_settings.png new file mode 100644 index 0000000..577ee35 Binary files /dev/null and b/v2ray/tor_proxy_settings.png differ diff --git a/v2ray/upgr.png b/v2ray/upgr.png new file mode 100644 index 0000000..194e7b2 Binary files /dev/null and b/v2ray/upgr.png differ diff --git a/v2ray/v2ray-outline.png b/v2ray/v2ray-outline.png new file mode 100644 index 0000000..de661c0 Binary files /dev/null and b/v2ray/v2ray-outline.png differ diff --git a/v2ray/v2ray_domain_Fronted_traffic.png b/v2ray/v2ray_domain_Fronted_traffic.png new file mode 100644 index 0000000..5655c37 Binary files /dev/null and b/v2ray/v2ray_domain_Fronted_traffic.png differ diff --git a/v2ray/v2rayn_release.png b/v2ray/v2rayn_release.png new file mode 100644 index 0000000..b4725ec Binary files /dev/null and b/v2ray/v2rayn_release.png differ diff --git a/v2ray/vcl.png b/v2ray/vcl.png new file mode 100644 index 0000000..d7a74c6 Binary files /dev/null and b/v2ray/vcl.png differ diff --git a/v2ray/wg_limitation.png b/v2ray/wg_limitation.png new file mode 100644 index 0000000..92c2ac0 Binary files /dev/null and b/v2ray/wg_limitation.png differ diff --git a/v2ray/wg_official2.png b/v2ray/wg_official2.png new file mode 100644 index 0000000..04e131e Binary files /dev/null and b/v2ray/wg_official2.png differ diff --git a/v2ray/ws_disabled.png b/v2ray/ws_disabled.png new file mode 100644 index 0000000..5963b7d Binary files /dev/null and b/v2ray/ws_disabled.png differ diff --git a/v2ray/ws_enabled.png b/v2ray/ws_enabled.png new file mode 100644 index 0000000..df6ef65 Binary files /dev/null and b/v2ray/ws_enabled.png differ diff --git a/v2ray/ws_traffic.png b/v2ray/ws_traffic.png new file mode 100644 index 0000000..953569a Binary files /dev/null and b/v2ray/ws_traffic.png differ diff --git a/v2ray/zero.png b/v2ray/zero.png new file mode 100644 index 0000000..d52ca91 Binary files /dev/null and b/v2ray/zero.png differ diff --git a/veracrypt/0.png b/veracrypt/0.png new file mode 100644 index 0000000..862866d Binary files /dev/null and b/veracrypt/0.png differ diff --git a/veracrypt/1.png b/veracrypt/1.png new file mode 100644 index 0000000..0a32859 Binary files /dev/null and b/veracrypt/1.png differ diff --git a/veracrypt/10.png b/veracrypt/10.png new file mode 100644 index 0000000..cb9f5f6 Binary files /dev/null and b/veracrypt/10.png differ diff --git a/veracrypt/11.png b/veracrypt/11.png new file mode 100644 index 0000000..c69fc9d Binary files /dev/null and b/veracrypt/11.png differ diff --git a/veracrypt/12.png b/veracrypt/12.png new file mode 100644 index 0000000..8f38fdc Binary files /dev/null and b/veracrypt/12.png differ diff --git a/veracrypt/13.png b/veracrypt/13.png new file mode 100644 index 0000000..7e4db51 Binary files /dev/null and b/veracrypt/13.png differ diff --git a/veracrypt/14.png b/veracrypt/14.png new file mode 100644 index 0000000..2b2a50f Binary files /dev/null and b/veracrypt/14.png differ diff --git a/veracrypt/15.png b/veracrypt/15.png new file mode 100644 index 0000000..8090bba Binary files /dev/null and b/veracrypt/15.png differ diff --git a/veracrypt/16.png b/veracrypt/16.png new file mode 100644 index 0000000..5f7515b Binary files /dev/null and b/veracrypt/16.png differ diff --git a/veracrypt/17.png b/veracrypt/17.png new file mode 100644 index 0000000..d10fd6a Binary files /dev/null and b/veracrypt/17.png differ diff --git a/veracrypt/18.png b/veracrypt/18.png new file mode 100644 index 0000000..7c465fb Binary files /dev/null and b/veracrypt/18.png differ diff --git a/veracrypt/19.png b/veracrypt/19.png new file mode 100644 index 0000000..bfbb9d4 Binary files /dev/null and b/veracrypt/19.png differ diff --git a/veracrypt/2.png b/veracrypt/2.png new file mode 100644 index 0000000..54ac1a4 Binary files /dev/null and b/veracrypt/2.png differ diff --git a/veracrypt/20.png b/veracrypt/20.png new file mode 100644 index 0000000..d82740c Binary files /dev/null and b/veracrypt/20.png differ diff --git a/veracrypt/21.png b/veracrypt/21.png new file mode 100644 index 0000000..90e74a2 Binary files /dev/null and b/veracrypt/21.png differ diff --git a/veracrypt/3.png b/veracrypt/3.png new file mode 100644 index 0000000..4a3fff6 Binary files /dev/null and b/veracrypt/3.png differ diff --git a/veracrypt/31.png b/veracrypt/31.png new file mode 100644 index 0000000..4580a82 Binary files /dev/null and b/veracrypt/31.png differ diff --git a/veracrypt/32.png b/veracrypt/32.png new file mode 100644 index 0000000..7c1267a Binary files /dev/null and b/veracrypt/32.png differ diff --git a/veracrypt/33.png b/veracrypt/33.png new file mode 100644 index 0000000..906e166 Binary files /dev/null and b/veracrypt/33.png differ diff --git a/veracrypt/34.png b/veracrypt/34.png new file mode 100644 index 0000000..0f52827 Binary files /dev/null and b/veracrypt/34.png differ diff --git a/veracrypt/35.png b/veracrypt/35.png new file mode 100644 index 0000000..4c269a0 Binary files /dev/null and b/veracrypt/35.png differ diff --git a/veracrypt/36.png b/veracrypt/36.png new file mode 100644 index 0000000..67b9920 Binary files /dev/null and b/veracrypt/36.png differ diff --git a/veracrypt/37.png b/veracrypt/37.png new file mode 100644 index 0000000..70d82ba Binary files /dev/null and b/veracrypt/37.png differ diff --git a/veracrypt/38.png b/veracrypt/38.png new file mode 100644 index 0000000..4dd42c7 Binary files /dev/null and b/veracrypt/38.png differ diff --git a/veracrypt/39.png b/veracrypt/39.png new file mode 100644 index 0000000..00ba60c Binary files /dev/null and b/veracrypt/39.png differ diff --git a/veracrypt/4.png b/veracrypt/4.png new file mode 100644 index 0000000..9ac0020 Binary files /dev/null and b/veracrypt/4.png differ diff --git a/veracrypt/40.png b/veracrypt/40.png new file mode 100644 index 0000000..0182fa6 Binary files /dev/null and b/veracrypt/40.png differ diff --git a/veracrypt/41.png b/veracrypt/41.png new file mode 100644 index 0000000..fc9e98b Binary files /dev/null and b/veracrypt/41.png differ diff --git a/veracrypt/42.png b/veracrypt/42.png new file mode 100644 index 0000000..4c78ecc Binary files /dev/null and b/veracrypt/42.png differ diff --git a/veracrypt/43.png b/veracrypt/43.png new file mode 100644 index 0000000..9d38a9d Binary files /dev/null and b/veracrypt/43.png differ diff --git a/veracrypt/44.png b/veracrypt/44.png new file mode 100644 index 0000000..84c0368 Binary files /dev/null and b/veracrypt/44.png differ diff --git a/veracrypt/45.png b/veracrypt/45.png new file mode 100644 index 0000000..8d9178e Binary files /dev/null and b/veracrypt/45.png differ diff --git a/veracrypt/46.png b/veracrypt/46.png new file mode 100644 index 0000000..23cf56e Binary files /dev/null and b/veracrypt/46.png differ diff --git a/veracrypt/47.png b/veracrypt/47.png new file mode 100644 index 0000000..48f2125 Binary files /dev/null and b/veracrypt/47.png differ diff --git a/veracrypt/48.png b/veracrypt/48.png new file mode 100644 index 0000000..41ea46b Binary files /dev/null and b/veracrypt/48.png differ diff --git a/veracrypt/49.png b/veracrypt/49.png new file mode 100644 index 0000000..64a0470 Binary files /dev/null and b/veracrypt/49.png differ diff --git a/veracrypt/5.png b/veracrypt/5.png new file mode 100644 index 0000000..3f0fa37 Binary files /dev/null and b/veracrypt/5.png differ diff --git a/veracrypt/50.png b/veracrypt/50.png new file mode 100644 index 0000000..6417805 Binary files /dev/null and b/veracrypt/50.png differ diff --git a/veracrypt/51.png b/veracrypt/51.png new file mode 100644 index 0000000..bdb890a Binary files /dev/null and b/veracrypt/51.png differ diff --git a/veracrypt/52.png b/veracrypt/52.png new file mode 100644 index 0000000..b1af2bc Binary files /dev/null and b/veracrypt/52.png differ diff --git a/veracrypt/53.png b/veracrypt/53.png new file mode 100644 index 0000000..87b17a6 Binary files /dev/null and b/veracrypt/53.png differ diff --git a/veracrypt/6.png b/veracrypt/6.png new file mode 100644 index 0000000..a521277 Binary files /dev/null and b/veracrypt/6.png differ diff --git a/veracrypt/7.png b/veracrypt/7.png new file mode 100644 index 0000000..b5320cd Binary files /dev/null and b/veracrypt/7.png differ diff --git a/veracrypt/8.png b/veracrypt/8.png new file mode 100644 index 0000000..9a50b56 Binary files /dev/null and b/veracrypt/8.png differ diff --git a/veracrypt/9.png b/veracrypt/9.png new file mode 100644 index 0000000..3431304 Binary files /dev/null and b/veracrypt/9.png differ diff --git a/veracrypt/index.md b/veracrypt/index.md new file mode 100644 index 0000000..30ad3ee --- /dev/null +++ b/veracrypt/index.md @@ -0,0 +1,130 @@ +--- +author: nihilist & Oxeo0 +date: 2025-04-01 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/255" +xmr: 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ +--- +# The main source of Plausible Deniability: Deniable Encryption (April 2025 update) + +![](0.png) + +[zuluCrypt](https://mhogomchungu.github.io/zuluCrypt/) is a free and open-source tool for encrypting files and volumes in a secure way. We already used it for [hiding data in video files](../anonzulucrypt/index.md) using steganography. +Today, we'll use it as a replacement for VeraCrypt - a free open source disk encryption software for Windows, Mac OSX and Linux. Being based on TrueCrypt, VeraCrypt offers a unique feature called **Hidden Volumes** which can give us **Plausible Deniability**. zuluCrypt supports both TrueCrypt and VeraCrypt volumes while being better integrated in Linux ecosystem. It also comes preinstalled with [kicksecure OS](https://www.kicksecure.com/). + +But why is Plausible Deniability important first of all? +From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. **All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it**. Hence for example the regular LUKS encryption is not enough, **because you need to be able to deny the existence of the encrypted volume**. If that is the case, we have to use veracrypt encrypted volumes, which is an encryption tool used to provide deniable encryption (which is what gives you Plausible Deniability) against that scenario where you're forced to provide a password. + +![](../deniability/5.png) + +Using Veracrypt encrypted volumes, you have a decoy volume which is there by default (that spans the entire encrypted volume) **and you CAN have a hidden volume if you choose to, which is hidden in the decoy volume** , it's also known as the "inner volume", and the only way to reveal that the hidden volume exists, is to use the correct secret password to both unlock it. If the encrypted volume doesn't exist, legally speaking you cannot be forced to unlock it, because it doesn't exist to begin with, as far as the adversary's concerned. + +**DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling** + + + source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd + + regarding wear leveling: + "Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead." + + + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. System Harddrive: not LUKS encrypted [[1]](https://www.kicksecure.com/wiki/Ram-wipe) + + 3. Non-System Harddrive: 500Gb (used to contain our VeraCrypt encrypted volumes) + + 4. Host OS: [KickSecure](../linux/index.md) + + 5. Hypervisor: [QEMU/KVM](../hypervisorsetup/index.md) + + 6. Packages: [grub-live and ram-wipe](../livemode/index.md) + + + + +In this tutorial requires you to have implemented the following setup: + +![](20.png) + +As we have explained [previously](../livemode/index.md) the Host OS being in live mode is a crucial requirement to be able to maintain deniability, on top of erasing the contents of the RAM upon rebooting the Host OS, because we need to make sure that the adversary is not able to see what we were doing on the computer before they manage to get their hands on it. **The Veracrypt encrypted volumes are now going to enable us to store sensitive data that can be accessed again after rebooting.** To do so, _we need to save the veracrypt encrypted volume on a non-system drive_ , because if we were to store it on the system drive, it'd disappear when we reboot the computer to exit live mode ! + + + +## **Using Zulucrypt to create Hidden Veracrypt volumes** + +Since we are using Kicksecure as a Host OS, zulucrypt is installed by default, so we can open it: +![](1.png) + +So now you have zuluCrypt on your system. **However before you start to use it, make sure that your Host OS is in live mode, as otherwise you wouldn't be able to maintain your deniability regarding the existence of the veracrypt hidden volume** + +![](../livemode/3.png) + +By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you remove each of those manually, you're never sure of wether or not the Host OS saved proof of the existence of the hidden volume onto the system drive. **That's why when you use zulucrypt to handle veracrypt hidden volumes (creating them or opening them) you absolutely need to use the Host OS in[live mode](../livemode/index.md) ONLY! ** + +![](../livemode/4.png) + +When the Host OS is in live mode, you're loading the entire host OS in the RAM, meaning that you are not writing anything on the system drive anymore, **but rather you are only writing all that potential forensic evidence of the veracrypt hidden volume _in RAM alone_ , which can be easily erased with a simple shutdown thanks to both live mode and ram-wipe**. + +So if you didn't do it already, reboot the Host OS into live mode: + +![](../livemode/12.png) + +**And only now once we are in live mode, we can use zuluCrypt to create hidden encrypted volumes and unlock them.** But be aware that everything you write into the system drive will be wiped upon shutting down, **if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.** + + + [user /run/media/private/user]% lsblk + NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS + sr0 11:0 1 1024M 0 rom + vda 253:0 0 200G 0 disk + ├─vda1 253:1 0 4G 0 part /boot + └─vda2 253:2 0 196G 0 part + └─luks-24351c83-3657-4142-82d2-8f8a5787f406 254:0 0 196G 0 crypt /live/image + vdb 253:16 0 20G 0 disk + └─vdb1 253:17 0 20G 0 part + + + +Here as you can see we have a non-system drive called /dev/vdb1, which, for our current testing purposes is only 20 GB big. Before we start encrypting it, let's format the harddrive using gparted to make sure the vdb1 partition is available for us to use: + +![](31.png) ![](32.png) ![](33.png) ![](34.png) ![](35.png) ![](36.png) + +Now that the /dev/vdb1 partition is available for us to use, let's create the veracrypt encrypted volume which will span the entire non-system drive: +![](2.png) ![](37.png) ![](38.png) ![](39.png) ![](40.png) + +Here is the important part: you need to mention **Password A for the decoy volume** (which is the outer volume, it will span the entire disk), and you need to mention **Password B for the hidden volume** (which is the hidden veracrypt volume where we'll be able to store our sensitive files) + +![](41.png) + +Here you may need to click create twice as zulucrypt recommends you to use another format that it can't use, so click create a second time and then wait for it to create the volume: + +![](42.png) ![](43.png) + +And that's it! We have successfully created the veracrypt volume, so now let's mount each one: + +## **Mounting the Decoy and Hidden Volumes** + +First let's mount the decoy volume (which we'll later use to store non-sensitive files, that would make sense for an adversary to keep in an encrypted drive): + +![](44.png) ![](45.png) ![](46.png) ![](47.png) ![](52.png) + +Here as you can see, the decoy volume once mounted spans the entire non-system drive (in this case 20GB). **So if you were forced to open it for an adversary, they would only find non-sensitive files** (for example pirated movies or adult content) that are stored in it. And since the volume spans the entire drive, **you can deny the existance of any other encrypted volume in there, and the adversary would be unable to prove otherwise.** This means that our deniability is maintained. + +![](48.png) + +Next we'll unmount the decoy volume to mount the hidden volume instead: + +![](49.png) + +At this step you need to make sure that noone is watching you type this second password, **as this second volume needs to remain a secret at all costs, it's existance is only to be known by you.** + +![](50.png) ![](51.png) + +And now after unlocking the hidden volume (and revealing it at the same time), we see that it is 10GB big, as intended. **And it is only in that hidden volume, that you can safely store your sensitive files which are meant to remain secret at all costs.** + +![](53.png) + +if there were to be any emergency where someone would be close to discovering that there is a hidden volume (meaning the adversary is busting down your door and is almost next to your monitor) **all you need is to press Right Control to immediately reboot the host OS, to be able to erase all forensic proof that the hidden volume exists.** + diff --git a/vpn/0.png b/vpn/0.png new file mode 100644 index 0000000..30020ed Binary files /dev/null and b/vpn/0.png differ diff --git a/vpn/1.png b/vpn/1.png new file mode 100644 index 0000000..960ba08 Binary files /dev/null and b/vpn/1.png differ diff --git a/vpn/10.png b/vpn/10.png new file mode 100644 index 0000000..6c19dd5 Binary files /dev/null and b/vpn/10.png differ diff --git a/vpn/11.png b/vpn/11.png new file mode 100644 index 0000000..2d11b2c Binary files /dev/null and b/vpn/11.png differ diff --git a/vpn/12.png b/vpn/12.png new file mode 100644 index 0000000..fa1a796 Binary files /dev/null and b/vpn/12.png differ diff --git a/vpn/13.png b/vpn/13.png new file mode 100644 index 0000000..d076f1f Binary files /dev/null and b/vpn/13.png differ diff --git a/vpn/14.png b/vpn/14.png new file mode 100644 index 0000000..b23e5ea Binary files /dev/null and b/vpn/14.png differ diff --git a/vpn/2.png b/vpn/2.png new file mode 100644 index 0000000..b304238 Binary files /dev/null and b/vpn/2.png differ diff --git a/vpn/3.png b/vpn/3.png new file mode 100644 index 0000000..b1c7da2 Binary files /dev/null and b/vpn/3.png differ diff --git a/vpn/4.png b/vpn/4.png new file mode 100644 index 0000000..b9fb648 Binary files /dev/null and b/vpn/4.png differ diff --git a/vpn/5.png b/vpn/5.png new file mode 100644 index 0000000..2003d63 Binary files /dev/null and b/vpn/5.png differ diff --git a/vpn/6.png b/vpn/6.png new file mode 100644 index 0000000..6c00e87 Binary files /dev/null and b/vpn/6.png differ diff --git a/vpn/7.png b/vpn/7.png new file mode 100644 index 0000000..6655ca8 Binary files /dev/null and b/vpn/7.png differ diff --git a/vpn/8.png b/vpn/8.png new file mode 100644 index 0000000..fae8186 Binary files /dev/null and b/vpn/8.png differ diff --git a/vpn/9.png b/vpn/9.png new file mode 100644 index 0000000..60b560a Binary files /dev/null and b/vpn/9.png differ diff --git a/vpn/index.md b/vpn/index.md new file mode 100644 index 0000000..42f5484 --- /dev/null +++ b/vpn/index.md @@ -0,0 +1,159 @@ +--- +author: nihilist +date: 2024-06-27 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/81" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to get privacy from your ISP using a VPN + +## _OPSEC Recommendations:_ + + 1. Hardware : PC / Laptop / Homeserver / Remote Server + + 2. Host OS : [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. VM : [Linux](../hypervisorsetup/index.md) + + + + +I recommend to use that setup as part of your [Privacy Use](../privacy/index.md) online, to hide what you are browsing online from your ISP + + + +## **Why does Bob need a VPN to begin with ?** + +Bob now has [Linux](../linux/index.md) as his host operating system on his computer, with a debian private VM setup thanks to the [QEMU/KVM hypervisor](../hypervisorsetup/index.md). Now as per his private internet usage in his debian VM, he was thinking: **"My Debian VM only has open source software, but who else may spy on me?"** + +As he browsed the web from his linux laptop he realised one thing; He's paying for an internet connection. A company is offering the internet service to his house. + +![](0.png) + +Meaning, that when Bob is browsing the web on google.com; youtube.com or duckduckgo.com, his internet service provider can see that he's connecting there! + +That doesn't sit well with Bob. **Bob decides that his ISP shouldn't be aware of what he's doing with his internet usage.** Therefore, he wants to use a VPN. + +![](1.png) + +But thing is, Bob realises that the VPN market is over-saturated, there's a lot of choice. He wants to know what's the best VPN out there. After browsing for some time, he found this article from [Privacy Guides](https://www.privacyguides.org/en/vpn/) where they compare popular VPN services according to their standards. From there, Bob decides he's going to try to use [Mullvad VPN](https://kycnot.me/service/Mullvad). + +## **Purchasing a VPN** + +Bob goes on mullvad.net to purchase the VPN (which is 5 euros monthly) + +![](2.png) ![](3.png) ![](4.png) ![](5.png) + +Here Bob can pay with various means. For ease of use he can pay using his credit card for example, but as we'll see in later tutorials on [decentralised finances](../finances/index.md), [Monero](../monero2024/index.md) is the ideal payment choice for financial privacy. + +So Bob pays for the VPN, then his account has time added: + +![](6.png) ![](7.png) + + + # Download the Mullvad signing key + sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc + + # Add the Mullvad repository server to apt + echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list + # Or add the Mullvad BETA repository server to apt + echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/beta $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list + + # Install the package + sudo apt update + sudo apt install mullvad-vpn + + # Connect to Mullvad VPN + mullvad account login + Enter an account number: 91320912809328832 + Mullvad account "91320912809328832" set + + # Connect to the VPN: + mullvad lockdown-mode set on + mullvad connect + + curl ifconfig.me + 194.127.199.92 + + +From there, Bob can launch the VPN from his desktop: + +![](8.png) + +And he can see that his IP got changed accordingly to the location he picked: + +![](9.png) + +The VPN is also protecting against DNS and WebRTC leaks, according to + +Now that you are using Mullvad as a VPN, you can also use their Mullvad Browser, which is basically a Hardened Firefox based off the Tor Browser: + + + [ mainpc ] [ /dev/pts/3 ] [~/Nextcloud/blog] + → apt search mullvad + Sorting... Done + Full Text Search... Done + mullvad-browser/unknown,now 13.5.1-1 amd64 + Mullvad Browser + + mullvad-vpn/unknown,now 2024.4 amd64 [installed] + Mullvad VPN client + + [ mainpc ] [ /dev/pts/3 ] [~/Nextcloud/blog] + → apt install mullvad-browser -y + + [ mainpc ] [ /dev/pts/3 ] [~/Nextcloud/blog] + → mullvad-browser + + + +And from there you can browse the web using the same VPN connection: + +![](11.png) ![](12.png) + +From there, just like on the Tor Browser, you can protect against fingerprinting by setting the security level here: + +![](13.png) + +If you want to reduce your fingerprinting attack surface as much as possible, you can choose to disable javascript by selecting the "Safest" security level, but it may break some websites functionnality. + +![](14.png) + + + + + +## **Mobile Setup** + +## _OPSEC Recommendations:_ + + * Hardware: Google Pixel + + * Host OS: [Graphene OS](../graphene/index.md) + + * Configuration: Can be set in the Private or Anonymous Profile + + + + +Of course, Bob can set Mullvad up on mobile as well. He searches for Mullvad in the F-Droid store and then clicks Install. Leaving the default Network permission, he clicks Install on the pop-up. ![](m1.png) + +Once the app is downloaded, Bob opens it up. Bob agrees to the Mullvad's privacy policy and then grants notification permissions. Finally, he enters his account information and clicks Login. ![](m2.png) + +Mullvad will alert Bob to the fact that the connection is unsecured. Bob clicks Secure my connection to connect. If it is Bob's first time using Mullvad, he will need to grant it permission to establish a VPN connection. Bob should now be connected! ![](m3.png) + +To verify the mobile connection, Bob navigates to and ensures the connection is not leaking any information. ![](m4.png) + +## **Conclusion** + +So now currently, Bob has managed to setup a Debian VM (with only open source software) with a VPN in order to use it and gain privacy from his ISP. + +![](10.png) + +Currently, Bob's setup is suitable for Public use (thanks to his windows VM), AND suitable for Private use too (thanks to his debian VM with the VPN setup). + +However you can also setup the [VPN from the Host OS directly](../vpnqemu/index.md), so that every VM in it goes through the VPN. + +Next, Bob can setup KeepassXC to implement proper [Password Management](../passwordmanagement/index.md). + diff --git a/vpn/m1.png b/vpn/m1.png new file mode 100644 index 0000000..6c225e1 Binary files /dev/null and b/vpn/m1.png differ diff --git a/vpn/m2.png b/vpn/m2.png new file mode 100644 index 0000000..bf4e7dc Binary files /dev/null and b/vpn/m2.png differ diff --git a/vpn/m3.png b/vpn/m3.png new file mode 100644 index 0000000..135818b Binary files /dev/null and b/vpn/m3.png differ diff --git a/vpn/m4.png b/vpn/m4.png new file mode 100644 index 0000000..854d272 Binary files /dev/null and b/vpn/m4.png differ diff --git a/vpnqemu/0.png b/vpnqemu/0.png new file mode 100644 index 0000000..d5cde32 Binary files /dev/null and b/vpnqemu/0.png differ diff --git a/vpnqemu/1.png b/vpnqemu/1.png new file mode 100644 index 0000000..dcadd61 Binary files /dev/null and b/vpnqemu/1.png differ diff --git a/vpnqemu/10.png b/vpnqemu/10.png new file mode 100644 index 0000000..ce60b97 Binary files /dev/null and b/vpnqemu/10.png differ diff --git a/vpnqemu/11.png b/vpnqemu/11.png new file mode 100644 index 0000000..badd1b6 Binary files /dev/null and b/vpnqemu/11.png differ diff --git a/vpnqemu/12.png b/vpnqemu/12.png new file mode 100644 index 0000000..117be16 Binary files /dev/null and b/vpnqemu/12.png differ diff --git a/vpnqemu/2.png b/vpnqemu/2.png new file mode 100644 index 0000000..6fccfc5 Binary files /dev/null and b/vpnqemu/2.png differ diff --git a/vpnqemu/3.png b/vpnqemu/3.png new file mode 100644 index 0000000..7d8d377 Binary files /dev/null and b/vpnqemu/3.png differ diff --git a/vpnqemu/4.png b/vpnqemu/4.png new file mode 100644 index 0000000..4e0d478 Binary files /dev/null and b/vpnqemu/4.png differ diff --git a/vpnqemu/5.png b/vpnqemu/5.png new file mode 100644 index 0000000..0743753 Binary files /dev/null and b/vpnqemu/5.png differ diff --git a/vpnqemu/6.png b/vpnqemu/6.png new file mode 100644 index 0000000..fdf12b6 Binary files /dev/null and b/vpnqemu/6.png differ diff --git a/vpnqemu/7.png b/vpnqemu/7.png new file mode 100644 index 0000000..13e086c Binary files /dev/null and b/vpnqemu/7.png differ diff --git a/vpnqemu/8.png b/vpnqemu/8.png new file mode 100644 index 0000000..3db4d4a Binary files /dev/null and b/vpnqemu/8.png differ diff --git a/vpnqemu/9.png b/vpnqemu/9.png new file mode 100644 index 0000000..f307579 Binary files /dev/null and b/vpnqemu/9.png differ diff --git a/vpnqemu/index.md b/vpnqemu/index.md new file mode 100644 index 0000000..23e852f --- /dev/null +++ b/vpnqemu/index.md @@ -0,0 +1,57 @@ +--- +author: nihilist +date: 2024-08-08 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/94" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Route QEMU VMs through a Host OS VPN + + + +## **Initial Setup** + +First, install the VPN like we saw previously [here](../vpn/index.md), but the only difference being that we now install it on the Host OS, rather than inside the VM. + + + # Download the Mullvad signing key + sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc + + # Add the Mullvad repository server to apt + echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list + # Or add the Mullvad BETA repository server to apt + echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/beta $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list + + # Install the package + sudo apt update + sudo apt install mullvad-vpn + + # Connect to Mullvad VPN + mullvad account login + Enter an account number: 91320912809328832 + Mullvad account "91320912809328832" set + + # Connect to the VPN: + mullvad lockdown-mode set on + mullvad connect + + curl ifconfig.me + 194.127.199.92 + + + +Then, configure mullvad as follows: + +![](0.png) ![](1.png) ![](2.png) + +From there you can check from the host OS that you have a access to the internet via the VPN: + +![](11.png) + +From there, you need to make sure that your VM has it's network interface set as "NAT" as it is by default (be aware that if the VM network interface is configured as macvtap or bridge, the traffic won't go through the VPN!): + +![](12.png) + +And then once applied, you can check if it works as intended from inside the VM (all that's required is for the VM to have a NAT connection), by going to from inside the VM: + +![](6.png) + diff --git a/whentorisblocked/0.png b/whentorisblocked/0.png new file mode 100644 index 0000000..a2d4bc5 Binary files /dev/null and b/whentorisblocked/0.png differ diff --git a/whentorisblocked/1.png b/whentorisblocked/1.png new file mode 100644 index 0000000..9f2ef43 Binary files /dev/null and b/whentorisblocked/1.png differ diff --git a/whentorisblocked/10.png b/whentorisblocked/10.png new file mode 100644 index 0000000..0e6db03 Binary files /dev/null and b/whentorisblocked/10.png differ diff --git a/whentorisblocked/100.png b/whentorisblocked/100.png new file mode 100644 index 0000000..a537829 Binary files /dev/null and b/whentorisblocked/100.png differ diff --git a/whentorisblocked/101.png b/whentorisblocked/101.png new file mode 100644 index 0000000..d586c1b Binary files /dev/null and b/whentorisblocked/101.png differ diff --git a/whentorisblocked/102.png b/whentorisblocked/102.png new file mode 100644 index 0000000..d0bed56 Binary files /dev/null and b/whentorisblocked/102.png differ diff --git a/whentorisblocked/103.png b/whentorisblocked/103.png new file mode 100644 index 0000000..bf6749a Binary files /dev/null and b/whentorisblocked/103.png differ diff --git a/whentorisblocked/104.png b/whentorisblocked/104.png new file mode 100644 index 0000000..8426c85 Binary files /dev/null and b/whentorisblocked/104.png differ diff --git a/whentorisblocked/105.png b/whentorisblocked/105.png new file mode 100644 index 0000000..3903945 Binary files /dev/null and b/whentorisblocked/105.png differ diff --git a/whentorisblocked/106.png b/whentorisblocked/106.png new file mode 100644 index 0000000..4489a4b Binary files /dev/null and b/whentorisblocked/106.png differ diff --git a/whentorisblocked/11.png b/whentorisblocked/11.png new file mode 100644 index 0000000..58abd04 Binary files /dev/null and b/whentorisblocked/11.png differ diff --git a/whentorisblocked/12.png b/whentorisblocked/12.png new file mode 100644 index 0000000..19b435c Binary files /dev/null and b/whentorisblocked/12.png differ diff --git a/whentorisblocked/13.png b/whentorisblocked/13.png new file mode 100644 index 0000000..eb2ffc8 Binary files /dev/null and b/whentorisblocked/13.png differ diff --git a/whentorisblocked/14.png b/whentorisblocked/14.png new file mode 100644 index 0000000..bdd3788 Binary files /dev/null and b/whentorisblocked/14.png differ diff --git a/whentorisblocked/15.png b/whentorisblocked/15.png new file mode 100644 index 0000000..c69156c Binary files /dev/null and b/whentorisblocked/15.png differ diff --git a/whentorisblocked/2.png b/whentorisblocked/2.png new file mode 100644 index 0000000..fd351a2 Binary files /dev/null and b/whentorisblocked/2.png differ diff --git a/whentorisblocked/20.png b/whentorisblocked/20.png new file mode 100644 index 0000000..746cc0a Binary files /dev/null and b/whentorisblocked/20.png differ diff --git a/whentorisblocked/200.png b/whentorisblocked/200.png new file mode 100644 index 0000000..4b35e58 Binary files /dev/null and b/whentorisblocked/200.png differ diff --git a/whentorisblocked/3.png b/whentorisblocked/3.png new file mode 100644 index 0000000..19f5b6b Binary files /dev/null and b/whentorisblocked/3.png differ diff --git a/whentorisblocked/30.png b/whentorisblocked/30.png new file mode 100644 index 0000000..23344b8 Binary files /dev/null and b/whentorisblocked/30.png differ diff --git a/whentorisblocked/300.png b/whentorisblocked/300.png new file mode 100644 index 0000000..57156b4 Binary files /dev/null and b/whentorisblocked/300.png differ diff --git a/whentorisblocked/4.png b/whentorisblocked/4.png new file mode 100644 index 0000000..ff82028 Binary files /dev/null and b/whentorisblocked/4.png differ diff --git a/whentorisblocked/40.png b/whentorisblocked/40.png new file mode 100644 index 0000000..53976dc Binary files /dev/null and b/whentorisblocked/40.png differ diff --git a/whentorisblocked/46.png b/whentorisblocked/46.png new file mode 100644 index 0000000..38214d0 Binary files /dev/null and b/whentorisblocked/46.png differ diff --git a/whentorisblocked/47.png b/whentorisblocked/47.png new file mode 100644 index 0000000..0f17b69 Binary files /dev/null and b/whentorisblocked/47.png differ diff --git a/whentorisblocked/48.png b/whentorisblocked/48.png new file mode 100644 index 0000000..4d06266 Binary files /dev/null and b/whentorisblocked/48.png differ diff --git a/whentorisblocked/49.png b/whentorisblocked/49.png new file mode 100644 index 0000000..9330d9e Binary files /dev/null and b/whentorisblocked/49.png differ diff --git a/whentorisblocked/5.png b/whentorisblocked/5.png new file mode 100644 index 0000000..6a960be Binary files /dev/null and b/whentorisblocked/5.png differ diff --git a/whentorisblocked/50.png b/whentorisblocked/50.png new file mode 100644 index 0000000..e51b62a Binary files /dev/null and b/whentorisblocked/50.png differ diff --git a/whentorisblocked/51.png b/whentorisblocked/51.png new file mode 100644 index 0000000..0f92b8d Binary files /dev/null and b/whentorisblocked/51.png differ diff --git a/whentorisblocked/52.png b/whentorisblocked/52.png new file mode 100644 index 0000000..842ac1a Binary files /dev/null and b/whentorisblocked/52.png differ diff --git a/whentorisblocked/53.png b/whentorisblocked/53.png new file mode 100644 index 0000000..4132aae Binary files /dev/null and b/whentorisblocked/53.png differ diff --git a/whentorisblocked/54.png b/whentorisblocked/54.png new file mode 100644 index 0000000..4c51e50 Binary files /dev/null and b/whentorisblocked/54.png differ diff --git a/whentorisblocked/55.png b/whentorisblocked/55.png new file mode 100644 index 0000000..f737152 Binary files /dev/null and b/whentorisblocked/55.png differ diff --git a/whentorisblocked/56.png b/whentorisblocked/56.png new file mode 100644 index 0000000..bc4e862 Binary files /dev/null and b/whentorisblocked/56.png differ diff --git a/whentorisblocked/57.png b/whentorisblocked/57.png new file mode 100644 index 0000000..74b8423 Binary files /dev/null and b/whentorisblocked/57.png differ diff --git a/whentorisblocked/58.png b/whentorisblocked/58.png new file mode 100644 index 0000000..79c0c4a Binary files /dev/null and b/whentorisblocked/58.png differ diff --git a/whentorisblocked/59.png b/whentorisblocked/59.png new file mode 100644 index 0000000..97b14fd Binary files /dev/null and b/whentorisblocked/59.png differ diff --git a/whentorisblocked/6.png b/whentorisblocked/6.png new file mode 100644 index 0000000..453f07b Binary files /dev/null and b/whentorisblocked/6.png differ diff --git a/whentorisblocked/60.png b/whentorisblocked/60.png new file mode 100644 index 0000000..4f81ebb Binary files /dev/null and b/whentorisblocked/60.png differ diff --git a/whentorisblocked/61.png b/whentorisblocked/61.png new file mode 100644 index 0000000..3e334b1 Binary files /dev/null and b/whentorisblocked/61.png differ diff --git a/whentorisblocked/62.png b/whentorisblocked/62.png new file mode 100644 index 0000000..99c6274 Binary files /dev/null and b/whentorisblocked/62.png differ diff --git a/whentorisblocked/63.png b/whentorisblocked/63.png new file mode 100644 index 0000000..8fe0b2d Binary files /dev/null and b/whentorisblocked/63.png differ diff --git a/whentorisblocked/64.png b/whentorisblocked/64.png new file mode 100644 index 0000000..f0c917f Binary files /dev/null and b/whentorisblocked/64.png differ diff --git a/whentorisblocked/65.png b/whentorisblocked/65.png new file mode 100644 index 0000000..e385d50 Binary files /dev/null and b/whentorisblocked/65.png differ diff --git a/whentorisblocked/66.png b/whentorisblocked/66.png new file mode 100644 index 0000000..4cd2bb5 Binary files /dev/null and b/whentorisblocked/66.png differ diff --git a/whentorisblocked/67.png b/whentorisblocked/67.png new file mode 100644 index 0000000..2840b50 Binary files /dev/null and b/whentorisblocked/67.png differ diff --git a/whentorisblocked/68.png b/whentorisblocked/68.png new file mode 100644 index 0000000..08da577 Binary files /dev/null and b/whentorisblocked/68.png differ diff --git a/whentorisblocked/69.png b/whentorisblocked/69.png new file mode 100644 index 0000000..702359f Binary files /dev/null and b/whentorisblocked/69.png differ diff --git a/whentorisblocked/7.png b/whentorisblocked/7.png new file mode 100644 index 0000000..352f095 Binary files /dev/null and b/whentorisblocked/7.png differ diff --git a/whentorisblocked/70.png b/whentorisblocked/70.png new file mode 100644 index 0000000..d911401 Binary files /dev/null and b/whentorisblocked/70.png differ diff --git a/whentorisblocked/71.png b/whentorisblocked/71.png new file mode 100644 index 0000000..64c475a Binary files /dev/null and b/whentorisblocked/71.png differ diff --git a/whentorisblocked/72.png b/whentorisblocked/72.png new file mode 100644 index 0000000..6045949 Binary files /dev/null and b/whentorisblocked/72.png differ diff --git a/whentorisblocked/73.png b/whentorisblocked/73.png new file mode 100644 index 0000000..5970c34 Binary files /dev/null and b/whentorisblocked/73.png differ diff --git a/whentorisblocked/8.png b/whentorisblocked/8.png new file mode 100644 index 0000000..bbc475c Binary files /dev/null and b/whentorisblocked/8.png differ diff --git a/whentorisblocked/9.png b/whentorisblocked/9.png new file mode 100644 index 0000000..49e4677 Binary files /dev/null and b/whentorisblocked/9.png differ diff --git a/whentorisblocked/index.md b/whentorisblocked/index.md new file mode 100644 index 0000000..d800c53 --- /dev/null +++ b/whentorisblocked/index.md @@ -0,0 +1,244 @@ +--- +author: nothing@nowhere +date: 2023-10-12 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/54" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# How to Anonymously access websites that block Tor + +In this tutorial we're going to cover how we can circumvent a website's attempts at blocking Tor traffic, by using a VPN. As we discussed [previously](../torthroughvpn/index.md), this is relating to the serverside context required to know if we should combine the use of Tor with the use of a VPN. + +![](../torthroughvpn/12.png) + +**Here we are using a VPN to hide from the website owner that we are connecting via Tor.** Effectively giving off the impression that we are only connecting via a VPN, while in reality Tor is protecting our Anonymity on the IP level. Now we also need to preserve our Anonymity when we are renting and using the VPN, that's why we have to use [MullvadVPN](../vpn/index.md) as they don't care who's using their service (they allow both [Tor connections](../torbrowsing/index.md) and[ Monero](../monero2024/index.md) payments). **We are also blending in their large userbase.** (which would not be the case if we were using a VPS with openvpn on it, in which we would be the only one to use it). + +![](0.png) + +_DISCLAIMER:_ Be aware that when doing a (you -> Tor -> VPN -> website) setup, you are getting rid of the stream isolation that is there by default in Whonix, **making every application in that Whonix VM go through one circuit, rather than through many circuits.** Over time this can lead to traffic use correlation if you start to use this VM for every other Anonymous use. + +![](300.png) + +So keep in mind that **a website blocking Tor traffic is the only scenario in which you need a (you -> Tor -> VPN -> website) setup. the rest of your anonymous activities are to remain in a regular Whonix VM (you -> Tor -> website) setup !** + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Application: [Host-based VPN](../index.md) (if your ISP doesn't allow Tor traffic) + + 5. VM: [Whonix VMs](../whonixqemuvms/index.md) (for any regular long-term Anonymous Use) + + + + +I recommend using this setup into one of the above mentioned VMs, for [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). + +_Sidenote:_ If your ISP does not allow Tor traffic, make sure that you [route the QEMU VMs traffic through a VPN](../vpnqemu/index.md), to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup + + + +## **Setting up the VM second Whonix Workstation VM** + +Now the first thing to do here is that we copy the existing the second workstation which will be used as the vpn over tor setup later on so let's copy the .xml and .qcow2 after shutting down the existing workstation: + +Be careful that you need 100Gb for the Whonix Gateway, 100Gb for the Whonix Workstation, and another 100Gb for the Whonix Workstation with the VPN setup we want to make. **So you need a total of 300Gb disk space at least!** + + + [ nowhere ] [ /dev/pts/0 ] [/mnt/veracrypt1] + → ls + lost+found WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway.qcow2 Whonix-Workstation.qcow2 + refreshvms.sh WHONIX_DISCLAIMER Whonix-Gateway.xml Whonix-Workstation.xml + script.sh Whonix-external.xml Whonix-internal.xml + + [ nowhere ] [ /dev/pts/0 ] [/mnt/veracrypt1] + → cp Whonix-Workstation.qcow2 Whonix-Workstation-vpn.qcow2 + + nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1] + → cp Whonix-Workstation.xml Whonix-Workstation-vpn.xml + + [ nowhere ] [ /dev/pts/0 ] [/mnt/veracrypt1] + → cp Whonix-Workstation.xml Whonix-Workstation-vpn.xml + + + +Then edit the new xml file to match the new VM name: + + + [ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1] + → vim Whonix-Workstation-vpn.xml + + [ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1] + → cat Whonix-Workstation-vpn.xml | grep Workstation2 + <****name>Whonix-Workstation-vpn <**/name> + <****source file='/mnt/veracrypt1/Whonix-Workstation-vpn.qcow2'/> + +Then we include it in the script.sh script: + + + [ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1] + → cat script.sh + + #!/bin/bash + + if [ $(virsh -c qemu:///system list --all | grep Whonix | wc -l) -ne 0 ]; + then + + # if the VMs are imported, remove them: + + virsh -c qemu:///system destroy Whonix-Gateway + virsh -c qemu:///system destroy Whonix-Workstation + virsh -c qemu:///system destroy Whonix-Workstation-vpn + virsh -c qemu:///system undefine Whonix-Gateway + virsh -c qemu:///system undefine Whonix-Workstation + virsh -c qemu:///system undefine Whonix-Workstation-vpn + virsh -c qemu:///system net-destroy Whonix-External + virsh -c qemu:///system net-destroy Whonix-Internal + virsh -c qemu:///system net-undefine Whonix-External + virsh -c qemu:///system net-undefine Whonix-Internal + else + + + # if the VMs are not imported, import them: + + virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-external.xml + virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-internal.xml + virsh -c qemu:///system net-autostart Whonix-External + virsh -c qemu:///system net-start Whonix-External + virsh -c qemu:///system net-autostart Whonix-Internal + virsh -c qemu:///system net-start Whonix-Internal + virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Gateway.xml + virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Workstation.xml + virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Workstation-vpn.xml + # then exit because we dont want to run the rest of wipe.sh + exit $? + fi + + + [ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1] + → ./script.sh + + Network Whonix-External defined from Whonix-external.xml + + Network Whonix-Internal defined from Whonix-internal.xml + + Network Whonix-External marked as autostarted + + Network Whonix-External started + + Network Whonix-Internal marked as autostarted + + Network Whonix-Internal started + + Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml + + Domain 'Whonix-Workstation-vpn' defined from Whonix-Workstation-vpn.xml + + Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml + + + +Then edit the new workstation VM to have the 10.152.152.12 ip by default (since the other one has the 10.152.152.11 ip): + +![](11.png) ![](12.png) + +You need to keep in mind that currently we have not given out any information about ourselves, other than we've used Tor. We won't stop there, and in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN Connection itself through Tor. Cherry on top is that we're going to use a well-used VPN service, so we won't be the only user with that public VPN ip. But what matters is that we do not give any information about us to the VPN provider. If the VPN provider forces you to provide anything personal (if the vpn provider blocks tor connections, or forces you to buy it with something else than monero), then it would not truly be a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing. + +![](104.png) + +Now that's done we can go find a vpn provider for the workstation2, let's try out the very praised mullvad vpn provider [here](https://kycnot.me/service/mullvad), Firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), also due to the fact that we won't be the only ones using that service, it means we won't need to change the VPN server when we want to have another identity online. On top of that, mullvad gives us the ability to connect to a random server of theirs, via openvpn via TCP on port 443, which is definitely neat because it mimicks web HTTPS traffic, and isn't blockable by tor exit node hosters (which is definitely a trend, most of them block ports that are suceptible to abuse, 443 https being the least likely of them): + +![](49.png) ![](50.png) + +now to not loose your accesses , make sure to save credentials in a local keepass database on the VM. + +![](51.png) ![](52.png) ![](53.png) + +Now let's add time to our account, and of course we will pay with [the only cryptocurrency that's used](https://iv.nowhere.moe/watch?v=YTTac2XjyFY): + +![](54.png) ![](56.png) + +To get some monero you can buy it on localmonero.co, and make sure it arrives on your monero wallet inside the whonix VM, never trust centralised exchanges with your assets, always keep them locally. + +![](55.png) + +Once it finishes installing, create your monero wallet: + +![](57.png) + +Then say no to mining and use an onion-based monero daemon, like the one i'm hosting, you can find a full list of other ones [here](https://monero.fail/): + +![](58.png) + +Wait for it to finish synchronizing, then get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created: + +![](59.png) ![](60.png) + +Once you've paid, download the .ovpn file to connect via vpn: + +![](61.png) + +Then unzip and let's now make sure the vpn goes through tor: + +![](62.png) ![](63.png) + +To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to mention the entry node which is the gateway 10.152.152.10: + +![](66.png) + +before we launch it keep in mind this: + +![](67.png) + +Then launch the VPN and you can then see that you no longer have a tor exit node IP: + +![](68.png) ![](69.png) + +Now check your ip from Firefox, not the tor browser: + +![](70.png) + +You can also check if there are any DNS leaks: + +![](71.png) + +here we see the test revealed a dns ip leak, but upon checking (in shodan.io) we see that it's a tor exit IP address: + +![](72.png) + +We can also check if there are any WebRTC leaks: + +![](73.png) + +and there we see that there are no webRTC leaks either, so it's all good. + +To make sure the vpn is started automatically we can make it a systemd service: + + + root@workstation:~# cat /etc/systemd/system/vpn.service + [Unit] + Description=VPN + After=network-online.target + Wants=network-online.target + + [Install] + WantedBy=multi-user.target + + [Service] + Type=simple + WorkingDirectory=/home/user/Desktop/mullvad_config_linux_nl_ams/ + ExecStart=/usr/sbin/openvpn /home/user/Desktop/mullvad_config_linux_nl_ams/mullvad_nl_ams.conf + ExecStop=kill -9 $(pidof openvpn) + Restart=always + + root@workstation:~# systemctl daemon-reload ; systemctl enable --now vpn.service ; systemctl restart vpn.service + + + +` ![](103.png) + +Now thanks to that, you can still browse websites anonymously in case if they block tor exit nodes. However as stated above, make sure that you leave the rest of your Anonymous use in the regular Whonix VM, as there is no stream isolation in the Whonix-Workstation-VPN VM. + diff --git a/whonixqemuvms/0.png b/whonixqemuvms/0.png new file mode 100644 index 0000000..cc8ab49 Binary files /dev/null and b/whonixqemuvms/0.png differ diff --git a/whonixqemuvms/1.png b/whonixqemuvms/1.png new file mode 100644 index 0000000..e4711ec Binary files /dev/null and b/whonixqemuvms/1.png differ diff --git a/whonixqemuvms/2.png b/whonixqemuvms/2.png new file mode 100644 index 0000000..2d87c05 Binary files /dev/null and b/whonixqemuvms/2.png differ diff --git a/whonixqemuvms/3.png b/whonixqemuvms/3.png new file mode 100644 index 0000000..1a776d7 Binary files /dev/null and b/whonixqemuvms/3.png differ diff --git a/whonixqemuvms/4.png b/whonixqemuvms/4.png new file mode 100644 index 0000000..6ad0af2 Binary files /dev/null and b/whonixqemuvms/4.png differ diff --git a/whonixqemuvms/index.md b/whonixqemuvms/index.md new file mode 100644 index 0000000..423245a --- /dev/null +++ b/whonixqemuvms/index.md @@ -0,0 +1,251 @@ +--- +author: nihilist +date: 2024-03-10 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/93" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Whonix QEMU Setup + +![](0.png) + +Whonix is an open-source OS made specifically for general anonymous activities. In this tutorial we're going to set it up using the QEMU virtualization setup we installed previously. + +## _OPSEC Recommendations:_ + + 1. Hardware : (Personal Computer / Laptop) + + 2. Host OS: [Linux](../linux/index.md) + + 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) + + 4. Application: [Host-based VPN](../index.md) (if your ISP doesn't allow Tor traffic) + + + + +I recommend using this setup into one of the above mentioned VMs, for [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). + +_Sidenote:_ If your ISP does not allow Tor traffic, make sure that you [route the QEMU VMs traffic through a VPN](../vpnqemu/index.md), to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup + + + +## **Initial Setup** + +Make sure that you have setup the QEMU / virt-viewer setup we described in [this](../hypervisorsetup/index.md) earlier tutorial + +Then install download the whonix VMS as follows: + +First go [here](https://www.whonix.org/wiki/KVM) to download whonix for qemu, + +![](1.png) + +Then extract the .xz file where you want the image to be at: + + + [ 10.8.0.3/24 ] [ nowhere ] [~/Downloads] + → mv Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz /mnt/VAULT/VMs/ + + [ 10.8.0.3/24 ] [ nowhere ] [~/Downloads] + → cd /mnt/VAULT/VMs/ + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → tar -xvf Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz + WHONIX_BINARY_LICENSE_AGREEMENT + WHONIX_DISCLAIMER + Whonix-Gateway-XFCE-17.0.3.0.xml + Whonix-Workstation-XFCE-17.0.3.0.xml + Whonix_external_network-17.0.3.0.xml + Whonix_internal_network-17.0.3.0.xml + Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2 + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → ls -lash + total 7.9G + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Dec 29 20:10 . + 4.0K drwxr-xr-x 4 nothing nothing 4.0K Dec 29 20:09 .. + 40K -rw-r--r-- 1 nothing nothing 39K Oct 21 2015 WHONIX_BINARY_LICENSE_AGREEMENT + 0 -rw-r--r-- 1 nothing nothing 0 Dec 29 20:10 WHONIX_BINARY_LICENSE_AGREEMENT_accepted + 8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 21 2015 WHONIX_DISCLAIMER + 4.0K -rw-r--r-- 1 nothing nothing 172 Oct 21 2015 Whonix_external_network-17.0.3.0.xml + 2.7G -rw-r--r-- 1 nothing nothing 101G Oct 21 2015 Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2 + 4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21 2015 Whonix-Gateway-XFCE-17.0.3.0.xml + 4.0K -rw-r--r-- 1 nothing nothing 97 Oct 21 2015 Whonix_internal_network-17.0.3.0.xml + 3.8G -rw-r--r-- 1 nothing nothing 101G Oct 21 2015 Whonix-Workstation-XFCE-17.0.3.0.Intel_AMD64.qcow2 + 4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21 2015 Whonix-Workstation-XFCE-17.0.3.0.xml + 1.4G -rw-r--r-- 1 nothing nothing 1.4G Dec 29 20:06 Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz + + + +So now we have the qcow2 files (take note that it can), so we can proceed following the instructions: + + + [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] + → vim Whonix-Gateway-XFCE-17.0.3.0.xml + + [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] + → cat Whonix-Gateway-XFCE-17.0.3.0.xml | grep VAULT + <****source file='/mnt/VAULT/VMs/Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2'/> + + [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] + → vim Whonix-Workstation-XFCE-17.0.3.0.xml + + [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] + → cat Whonix-Workstation-XFCE-17.0.3.0.xml | grep VAULT <****source file='/mnt/VAULT/VMs/Whonix-Workstation-XFCE-17.0.3.0.Intel_AMD64.qcow2'/> + + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system net-define Whonix_external*.xml + [sudo] password for nothing: + Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system net-define Whonix_internal*.xml + Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system net-autostart Whonix-External + Network Whonix-External marked as autostarted + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system net-start Whonix-External + Network Whonix-External started + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system net-autostart Whonix-Internal + Network Whonix-Internal marked as autostarted + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system net-start Whonix-Internal + Network Whonix-Internal started + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system define Whonix-Gateway*.xml + Domain 'Whonix-Gateway' defined from Whonix-Gateway-XFCE-17.0.3.0.xml + + + [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] + → sudo virsh -c qemu:///system define Whonix-Workstation*.xml + Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-17.0.3.0.xml + +make sure you give them 4gb of RAM before launching them, then launch them: + + + [nihilist@nowhere VMs]$ cat Whonix-Gateway.xml | grep KiB + <****memory dumpCore="off" unit="KiB">2097152 + <****currentMemory unit="KiB">2097152 + [nihilist@nowhere VMs]$ cat Whonix-Workstation.xml | grep KiB + <****memory dumpCore="off" unit="KiB">4194304 + <****currentMemory unit="KiB">4194304 + + + +we can automate the VM startup procedure with a simple bashscript like so : + + + [nihilist@nowhere VMs]$ cat refreshvms.sh + #!/bin/bash + + #remove VMs + + sudo virsh -c qemu:///system destroy Whonix-Gateway + sudo virsh -c qemu:///system destroy Whonix-Workstation + sudo virsh -c qemu:///system undefine Whonix-Gateway + sudo virsh -c qemu:///system undefine Whonix-Workstation + sudo virsh -c qemu:///system net-destroy Whonix-External + sudo virsh -c qemu:///system net-destroy Whonix-Internal + sudo virsh -c qemu:///system net-undefine Whonix-External + sudo virsh -c qemu:///system net-undefine Whonix-External + + echo '[+] VMs removed, re-install them ? (ctrl+c to exit)' + read + + #install VMs + + sudo virsh -c qemu:///system net-define Whonix_external*.xml + sudo virsh -c qemu:///system net-define Whonix_internal*.xml + sudo virsh -c qemu:///system net-autostart Whonix-External + sudo virsh -c qemu:///system net-start Whonix-External + sudo virsh -c qemu:///system net-autostart Whonix-Internal + sudo virsh -c qemu:///system net-start Whonix-Internal + sudo virsh -c qemu:///system define Whonix-Gateway.xml + sudo virsh -c qemu:///system define Whonix-Workstation.xml + + + +You can run it like so: + + + [nihilist@nowhere VMs]$ chmod +x refreshvms.sh + [nihilist@nowhere VMs]$ ./refreshvms.sh + [sudo] password for nihilist: + Domain 'Whonix-Gateway' destroyed + + Domain 'Whonix-Workstation' destroyed + + Domain 'Whonix-Gateway' has been undefined + + Domain 'Whonix-Workstation' has been undefined + + Network Whonix-External destroyed + + Network Whonix-Internal destroyed + + Network Whonix-External has been undefined + + error: failed to get network 'Whonix-External' + error: Network not found: no network with matching name 'Whonix-External' + + [+] VMs removed, re-install them ? (ctrl+c to exit) + + Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml + + error: Failed to define network from Whonix_internal_network-17.0.3.0.xml + error: operation failed: network 'Whonix-Internal' already exists with uuid 878828d6-fd1f-49ac-9d0c-9c829c414b80 + + Network Whonix-External marked as autostarted + + Network Whonix-External started + + Network Whonix-Internal marked as autostarted + + Network Whonix-Internal started + + Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml + + Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml + + + +![](2.png) + +## **Basic Whonix Usage** + +So now you can compatmentalize your anonymous usage in a separate VM by using the tor browser there, along with keepass and monero: + +You can open Onion Circuits on the gateway VM to view the tor connections being built up in real time like so : + +![](3.png) + +And inside the Workstation VM you can browse Tor, and use Keepass just like in the [previous tutorial](../torbrowsing/index.md): + +![](4.png) + +you can also use monero (take note that the default sudo password in whonix is "changeme", so don't forget to change it): + + + [workstation user ~]% passwd + [workstation user ~]% sudo apt install monero -y + [workstation user ~]% monero-wallet-cli + + + diff --git a/whytheblog/0.png b/whytheblog/0.png new file mode 100644 index 0000000..45182b9 Binary files /dev/null and b/whytheblog/0.png differ diff --git a/whytheblog/1.png b/whytheblog/1.png new file mode 100644 index 0000000..9cc7538 Binary files /dev/null and b/whytheblog/1.png differ diff --git a/whytheblog/2.png b/whytheblog/2.png new file mode 100644 index 0000000..774b092 Binary files /dev/null and b/whytheblog/2.png differ diff --git a/whytheblog/3.png b/whytheblog/3.png new file mode 100644 index 0000000..952a3da Binary files /dev/null and b/whytheblog/3.png differ diff --git a/whytheblog/4.png b/whytheblog/4.png new file mode 100644 index 0000000..23dd3a3 Binary files /dev/null and b/whytheblog/4.png differ diff --git a/whytheblog/5.png b/whytheblog/5.png new file mode 100644 index 0000000..b2e63ff Binary files /dev/null and b/whytheblog/5.png differ diff --git a/whytheblog/6.png b/whytheblog/6.png new file mode 100644 index 0000000..584f0ef Binary files /dev/null and b/whytheblog/6.png differ diff --git a/whytheblog/7.png b/whytheblog/7.png new file mode 100644 index 0000000..43dc2f3 Binary files /dev/null and b/whytheblog/7.png differ diff --git a/whytheblog/8.png b/whytheblog/8.png new file mode 100644 index 0000000..426fcc0 Binary files /dev/null and b/whytheblog/8.png differ diff --git a/whytheblog/index.md b/whytheblog/index.md new file mode 100644 index 0000000..1a02af5 --- /dev/null +++ b/whytheblog/index.md @@ -0,0 +1,139 @@ +--- +author: nihilist +date: 2025-04-30 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/260" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# What is the goal of the Opsec blog ? + + + +## **Priority number 1: Solving the lack of Education** + +To explain the whole context, you need to understand first of all that having **good operational security, means that you are ungovernable.** Therefore, when you have online discussions online on how to have good operational security you have 2 types of people: + +![](0.png) + +On the one hand you have people that want to protect their individual freedom, which are largely seeking Truth, which prefer to know the solution rather than protect their ego, that are continuously asking questions because they want to know things, while at the same time not asking the same question 100 times to slow down the overall progress of the discussions. These are people that are acting in good faith. + +However, don't be naive and believe that anonymity only benefits the good people,**you have statists that also use anonymity to blend in with everyone else, to try and stir things their way.** In practice, to spot them you need to look for the following: + + + - FUD Spreading (over-skepticism) [(ex: SimpleX not being compilable)](http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/5c664bb82ffb0cac6650/#c-55265a407fa5fbd5a6) + + + +` ![](2.png) + +Most of the times this is the most effective tactic because according to brandolini's law, **the time it takes to refute bullshit is an order of magnitude greater than that required to produce it.** It takes time to refute someone's made up lies, more time than it took time to for them to create them. Lucky for you, this entire blog is here to dispel people's lies, and show you the raw truth. _In this instance someone was spreading FUD that simplex wasn't compilable_ (they were only partly right in saying that simplex didnt have reproducible builds yet, to their credit). **So we went ahead and explored if it was possible to compile simplex ourselves, which we confirmed that it actually was,[as explained in this post.](http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/f8e6c1325c63075514b7/#c-df5fdf8c61453e7deb)** (we obviously listed all the steps to compile it, so that the other party can test it and verify it as valid from his end). + +![](1.png) + +Obviously, the guy wasn't happy that we spent one afternoon just to prove him wrong, and he refused to admit fault. Here you have a clear sign of egocentrism (see how he ignores that i admit he was partly right on the non-reproducible build and resorts to calling me a big bad meanie). **A real truth seeker would have remained objective about the topic, and not resorted to calling me names.** In fact, he should have thanked us that we did the heavy lifting for him, to clear up his misunderstanding on the topic. **The co-opting threats are absolutely real, don't be naive about it.** The bitcoin project itself fell prey to the co-opting aswell, it no longer has individual freedom as it's core value, it's almost only statist propaganda now. + +This is the type of opsec discussions you're going to see all around in the most communities that talk about opsec **an ocean of bullshit, where actual quality is hidden 10000 feet below the surface, with people too lazy (or not even caring) to refute dishonest people's made up claims**. And whenever someone actually explores a topic, they get ad hominem'd, discredited, called names, with continuous thread derailing and no concern given to actual truth seeking nor having productive discussions. Egocentrism is an actual plague that erodes the quality of the debates, which is sadly way too common these days. (if it were up to me to manage that website, i'd make signing up cost some monero, that way people would have something to lose in case if they considered eroding the quality of the talks there) + +You get the idea, we're here to reverse this trend, and bring back actual truth seeking to the table. Like i covered in this [dread post](http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/cdd2b46e861a4e175a3d), **most people fail to realize the enormity of what the field of Operational security ecompasses.** It is a HUGE task to actually cover everything opsec is about, even when you limit the topic exploration to Privacy, Anonymity and Deniability. + +![](8.png) + +This mountain of work that explaining operational security is, cannot be summarized in 1 afternoon, in a 4 hour effort post. This is a multiple thousand-hour effort, to effectively plan it out, list all the blogposts to explain all the concepts, all of the topics to be explored, to actually explore them, rewrite them whenever valid criticism gets thrown at it, on and on and on it goes. AND you have to apply a quality standard on ALL posts, to make sure that you effectively convey your knowledge to your audience properly. + +Not to mention the organization of the whole blogpost will affect wether or not you can reach that goal of making that one place to contain every possible opsec advice one needs under 3000 hours of work or 9000 hours of work. It needs to be correctly organized from the start, otherwise it will remain a distant target that you'll never reach. (not to mention that one needs to have enough humility to realize the enormity of the task, and also effectively organize recieving external contributions). + +**TLDR: if you're not serious about it, in the long run, you're bound to make a mess out of it.** + +You can also encounter the opposite with laxists giving into over-simplifications at the expense of their objectivity: + + + - Minimization Fallacies (ex: [Pretending that using closed-source software is OK for privacy](https://discuss.privacyguides.net/t/should-privacy-guides-require-open-source-source-first-or-source-available-as-a-criteria-for-all-tools/22684/83)) + + + +Clear example of a complacency-first argument, where Apple corporation-lovers are so hooked up on using some piece of technology that they are unwilling to change their habits, and even go as far as pretending that it's okay to be spied on by one of the top 5 biggest corporations out there and call the tool ""private"" and ""secure to use"". **While in fact their privacy is non-existant if you run closed-source software, and they are operationally insecure, and made vulnerable to corporation-enabled mass surveillance.** + +![](../closedsource/4.png) + +And when they get called out for it, they refuse to fix the issue: + +![](../criticism/1.png) + +There is a balance to be had. One the one hand you can't be over-skeptical and dismiss solutions based on opinions (aka, falling into FUD fallacies), and on the other hand you can't just pretend that everything is okay, and all preety flowers (aka, falling into minimization fallacies). **Logic is all there is, follow your logic, and explore these topics yourself to verify them.** In this instance, being watched by a corporation's employees is not okay when you want to have privacy on your computer. + +![](3.png) + +The current opsec (privacy/anonymity/deniability) context is such, that actual quality advice is being threatened by either blatant incompetence, or by extensive malicious disinformation and dishonest argumentators, which are doing everything to mislead people into either not caring about it, or discouraging people from achieving it, or straight up lying to them that something is OK or that something is not OK. + +**Everyone has to do their part in preserving quality opsec advice from this wides-spread erosion.** Don't give in to that ocean of bullshit, stick to logic, contribute to keeping that quality intact, and also make sure that this Opsec advice reaches the ears of the normies (because yes censorship is also part of the quality advice erosion, especially on centralised social media websites like youtube, twitter or else. **These are places where statists control who gets to speak loudly and who gets to remain unseen by the masses**). + +![](5.png) + +For example, Monero talk is the example of an actual Good show correctly trying to tell every normie out there that monero is the way to achieve private transactions (quality opsec advice). But the youtube platform is such that they are shadow-banned, and kept invisible from the masses (look at how few views they have). This is done on purpose because they don't fit the statist propaganda narrative, to prevent them from reaching their full visibility potential. + +In short, **Objectivity is our priority number 1**. This blog is meant to remain a safe haven for actual opsec advice that has been thought through, tested, and validated by us. We are actively refuting everyone's bullshit with each and every blogpost we write, with no plans of stopping. **To refute someone's bullshit, all you need is to send them the link to the relevant blogpost we wrote.** Fast and simple. You don't need to re-explain everything yourself 100 times and waste your time on them. (aka the RTFM technique). + +If we recommend something that is objectively not protecting against an obvious threat, and you know of a valid solution to actually fix it, **we'll admit fault, and we're going to mention the better solution in the later versions of the given tutorial.** We're not going to throw a tantrum to try and protect any worthless ego. We seek the truth, we're all wrong at some point along the way, we always choose to learn from our previous mistakes. + +![](../criticism/7.png) + +Truth seeking is definitely required in Opsec, since it is about combining all valid relevant perspectives on a given topic. For instance, you have the perspective of privacy, the perspective of anonymity, the perspective of deniability, the perspective of the adversary, the perspective of all the relevant parties in a given setup (the cloud provider, the peer you are transacting with, the law enforcement, the internet service provider, etc). **ALL of those perspectives need to be taken into account when you give accurate operational security advice** , you may see something that i missed, and i may see something you missed. It happens all the time, therefore remain open-minded, and stay objective as much as possible. **Don't be an egocentrist, and become a truth seeker. Seek to percieve the truth from all the different valid perspectives, because that's the only way to get closer to it.** + +## **Priority Number 2: Applicability to 90% of the people out there** + +When you're giving operational security advice, people need to care about it first of all. Everyone cares about privacy sooner or later in their life. Wether it is to do something private in the bedroom, or to have some private discussion about something, it is a clear topic that people want to know about. Especially on the digital side of things. + +Thing is, **context matters immensely.** you can't give advice that applies to everyone in the world at once because you need to take into account threats that may exist in a country and not in another. For example, when to it comes to using VPNs in combination with Tor to protect your anonymity we need to contextualize it correctly: + +![](../torthroughvpn/11.png) + +If you were to use Tor directly in a dictatorship country like China, you may just get sent to the concentration camp straight off, **which requires you to hide it behind a VPN or behind v2ray.** contrary to running Tor in the EU, where it is absolutely fine to let the ISP know that you're using Tor. **The advice you give needs precise context** , as threats differ from one country to the other. + +Another example of context importance, is wheter or not you need anonymity to safely post on social media. **If you live in the UK you ABSOLUTELY need anonymity** , because their new laws dictate that context of a given social media post doesn't even matter anymore, and the message itself, interpreted however the prosecutor sees fit for his narrative, is enough justification to throw you in jail. + + + The report discussed by Newsweek – authored by Agora, a Russian human rights group – **found that 411 criminal cases were brought against internet users in Russia in 2017.** The article does not give a figure for arrests. + + In 2017 The Times made a Freedom of Information request which found **3,395 arrests had been made by 29 UK police forces for “section 127” offences, which is used for cases of online abuse.** According to the article, 1,696 people were subsequently charged. Section 127 offences cover harassment that takes place via an “electronic communications network”, and is not limited to social media posts – harassment via email or other forms of online communication can also fall under this definition. + + ([source](https://pa.media/blogs/fact-check/russia-has-far-more-restrictions-on-social-media-use-than-the-uk/)) + _TLDR:_ there were 9 times more arrests for social media posts in the UK than in Russia. + + +Therefore, **contextualize, list the threats, and explain the appropriate solution for a given situation** + +![](../torthroughvpn/12.png) + +Anonymity for example also has a serverside context. [You may want to anonymously visit websites that block Tor](../whentorisblocked/index.md), **therefore in that context you need to hide Tor behind a VPN, before accessing the website, so that it looks like you're accessing that website via the VPN.** Multiple different perspectives, multiple different contexts, and opsec advice needs to ideally take all of it into account (but we're aiming for that 90% usecases applicability), in order to actually be relevant. + +All of this to say, **we seek to give advice that is applicable to 90% of the people out there, to defeat 99% of the risks one may face**. We don't care about the advice that only 10% of the people can actually pull off, to protect against the 1% most unlikely risk that could happen. We want to make sure that as many people as possible actually get to have relevant opsec advice for their day to day lives, wheter it be privacy, anonymity or deniability related. + +![](../contribute/65.png) + +For instance, we won't recommend you to hook up wires to your motherboard, risk bricking your laptop permanently, all to just hopefully disable some closed-source software that came with the closed-source hardware you bought. that's a 1% unlikely risk whose protective action only 1% of the people can actually pull off. No, instead we're going to recommend you purchase a laptop that is open-hardware by default once it hits the market, and you won't have any closed-source hardware backdoor to remove in the first place. + +**_TLDR:_ We put forward realistic advice only that can be applied to 90% of the people out there to defeat 99% of the risks** + +## **Priority number 3: Simplifying the advice as much as possible** + +Going back to priority number 1 above, objectivity requires that you're not over-skeptical, nor over-simplifying. Therefore, if you give advice that is overly complicated (as it is actually easier to over-complicate things, than to simplify them), then you're not helping either. + +For example, recommending to use signal to message someone privately is more complex than to use simplex, because on one solution you need a phone number, while on the other you don't need it. + +![](4.png) + +Every complication needs to be justified, and requiring a phone number to chat privately with someone is not justifiable. You need to realize that sometimes there exists a huge amount of possible solutions to solve a given problem (yes there exists a TON of chat apps out there). The only difference is that some solutions are overly complex, while others are simpler. **The simpler solution that actually delivers opsec-wise IS the best solution.** + +![](../contribute/64.png) + +The first goal is to make sure to show that privacy, anonymity and deniability is required AND achievable, but then we need to make sure that as many people as possible can achieve it, by simplifying it as much as possible, without making the individual vulnerable to any statist threat. + +![](6.png) + +We need to ensure that everyone knows that with the correct technology, when used correctly, they cannot be silenced, oppressed, and governed anymore. **We are directly going against the statist's panopticon propaganda** , where they argue that supposedly nobody could hide, nor remain outside of their unjust laws. + +![](7.png) + +Yes, this is an Anarchist blog. We are telling you how exactly you can become ungovernable. We don't care about what you intend to do with the setups we showcase, in fact we hope that you intend to use it to better the world with it, but one thing is for sure; **the individual is free to do whatever they like, as long as their actions are protected from any possible repercussions, be it by implementing the appropriate setups that protect their Privacy, their Anonymity, or their Deniability.** + +_TLDR:_ Stop complaining that government/corporation/company did X, Y or Z. Learn about those tools that are here to protect your freedom, Learn how to use them, Implement them yourself, and just become free, you have 0 excuse to not choose to be free right now. **All you need is to learn how to do it, and to just do it.** +