A Comprehensive Guide to Anonymity and Privacy for Advanced Linux Users

Then, select Create an Encrypted File Container:

Click the option that says “Hidden VeraCrypt Volume.”

Here, choose the location for this volume and check the option that says “Never save history.”

Select your preferred encryption algorithm and hash algorithm. The defaults are absolutely fine, but you can change them if you want more security.

Next up, select the option “Use keyfiles.”

Click the keyfiles option as seen in the image below:

You can generate and save the key here.

On the next window, click “add files” and add your key. You can also generate another key here if you want by clicking the “Generate Random Keyfile” option.

You can also use existing keys.

Finally, click “Format” and finish creating the volume, which should now be visible.

Now load this volume with contents that appear sensitive.

Now follow the same steps.

Remember: This is a hidden volume, so consider its security your first priority.

Once done, this popup will appear. Read it carefully.

Browsers

Tor Browser

Tor Browser is an effective way to maintain your privacy online. Sites hosted inside the Tor network use .onion addresses rather than the traditional .com and other such extensions.

You can download the Tor Browser here

Once downloaded, extract the archive and run:

cd tordirectory

./start-tor-browser.desktop

It is good practice to find the right balance between security and functionality when browsing the dark web. Disabling JavaScript is a good way to protect your privacy, but it also decreases functionality. It is recommended that you tweak these settings yourself to find your own balance.

Configure Security Settings

You can easily configure your browser security settings. Just click on the Onion icon in the top left (Image below).

Go to “Privacy and Security Settings.” Here, you can simply adjust the slider to meet your desired security needs.

NoScript Basics

The advantage provided by NoScript depends on your selected security level in Tor. The main benefit of using NoScript is that you can tailor its use for different websites. Simply click the “S” icon in the top left next to the Tor onion icon. Select the option that says forbid scripts globally, and that should disable JavaScript for every website you visit. You can also allow some websites to get past this block.

Tor Bridge

Sometimes, your internet service provider may detect Tor traffic and block your use of Tor. However, you can get past that by using a Tor Bridge. Bridges are not always needed, but they are one of those security measures that are good to set up beforehand.

Click Open Settings on the popup connection box.

Click the option that says “Configure.”

Select “Yes” on the next screen.

Select transport type. By default, obfs3 is selected which is fine.

Click Connect.

Optionally, if Tor is already running you can:

  • Click the same onion icon on the top left
  • Open Network settings
  • Check “My ISP Blocks Connection” and then press Ok.

Use obfs3 – it is recommended by experts.

Pluggable Transports

These are extensions that can be added to Tor which use its pluggable transport API. Pluggable transport extensions allow users to disguise their internet traffic as something else, for example Skype traffic when you are using Tor browser.

The good thing is that many of these transport extensions are already included in the Bridge Options menu. 

Firefox

If you plan not to use Tor for your dark web activities, Firefox is a good alternative. Here is how to configure it:

Paste this into your Firefox URL bar: “about:config”.

  • geo.enabled = false
  • geo.wifi.uri = (leave blank)
  • network.http.accept.default = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • network.http.use-cache = false
  • network.http.keep-alive.timeout = 600
  • network.http.max-persistent-connections-per-proxy = 16
  • network.proxy.socks_remote_dns = true
  • network.cookie.lifetimePolicy = 2
  • network.http.sendRefererHeader = 0
  • network.http.sendSecureXSiteReferrer = false
  • network.protocol-handler.external = false #set the default and all the sub-settings to false
  • network.protocol-handler.warn-external = true #set the default and all the sub-settings to true
  • network.http.pipelining = true
  • network.http.pipelining.maxrequests = 8
  • network.http.proxy.keep-alive = true
  • network.http.proxy.pipelining = true
  • network.prefetch-next = false
  • browser.cache.disk.enable = false
  • browser.cache.offline.enable = false
  • browser.sessionstore.privacy_level = 2
  • browser.sessionhistory.max_entries = 2
  • browser.display.use_document_fonts = 0
  • intl.charsetmenu.browser.cache = ISO-8859-9, windows-1252, windows-1251, ISO-8859-1, UTF-8
  • dom.storage.enabled = false
  • extensions.blocklist.enabled = false
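
Settings changed in about:config are easy to lose after a profile reset or an update, so it helps to check them from the terminal. The script below is an added example, not part of the original guide: it reads a profile's prefs.js or user.js (normally under ~/.mozilla/firefox/<profile>/) and reports any of the privacy prefs listed above that are missing or set differently. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a Firefox prefs.js/user.js against the privacy prefs above.

# name=value pairs copied from the list above (privacy-relevant subset).
EXPECTED_PREFS='geo.enabled=false
network.proxy.socks_remote_dns=true
network.cookie.lifetimePolicy=2
network.http.sendRefererHeader=0
network.prefetch-next=false
browser.cache.disk.enable=false
browser.cache.offline.enable=false
browser.sessionstore.privacy_level=2
dom.storage.enabled=false'

# pref_value FILE NAME: print the value FILE finally assigns to NAME
# (empty if NAME is never set). Later user_pref() lines override earlier ones.
pref_value() {
    awk -v name="$2" '
        /^[ \t]*\/\// { next }                  # skip commented-out lines
        index($0, "user_pref(\"" name "\",") {
            v = $0
            sub(/^[^,]*,[ \t]*/, "", v)         # drop: user_pref("name",
            sub(/\);[ \t\r]*$/, "", v)          # drop the closing );
            gsub(/^"|"$/, "", v)                # unquote string values
            last = v
        }
        END { print last }' "$1"
}

# audit_prefs FILE: print one DRIFT line per pref that is missing or differs;
# return 1 if anything drifted, 0 otherwise.
audit_prefs() {
    status=0
    for entry in $EXPECTED_PREFS; do
        name=${entry%%=*}
        want=${entry#*=}
        have=$(pref_value "$1" "$name")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $name: want $want, have ${have:-unset}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample profile file (not taken from a real browser profile).
write_sample_prefs() {
    cat > "$1" <<'EOF'
user_pref("geo.enabled", true);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.cookie.lifetimePolicy", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.prefetch-next", false);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.offline.enable", false);
user_pref("browser.sessionstore.privacy_level", 2);
// user_pref("dom.storage.enabled", false);
EOF
}

sample=$(mktemp)
write_sample_prefs "$sample"
audit_prefs "$sample" || true
rm -f "$sample"
```

On the constructed sample it flags geo.enabled (still true) and dom.storage.enabled (only present as a comment, so the browser default applies).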

Some other helpful options include:

  1. Disabling all plugins by going to addons > plugins
  2. Disabling all live bookmarks: bookmarks > toolbar > right click latest headlines > delete
  3. Disable all updates by going to tools > options > advanced > update
  4. Get extra privacy by enabling the “do not track” feature from options > privacy
  5. Enable private browsing by going to tools > options > privacy

Helpful plugins

While it’s not recommended to use too many plugins, here are a few that you can opt for if you really want to use plugins while browsing:

You can also check what kind of data your browser is sending by visiting ip-check.info

Router Configurations

For maximum privacy, it’s recommended to get a router compatible with an open source firmware. The two best firmwares for this purpose are Tomato and dd-wrt. 

You can, in some cases, use Tor directly on the router. You can also use a backup router as a “contingency plan” to establish secure connections for quick get-in and get-out. 

Some people also configure a Raspberry Pi as a local device through which they re-route their connections.

Tomato / Tor version

Dd-wrt

Raspberry Pi

Anonymity Networking

Tor

You can find the standalone Tor daemon in the Ubuntu/Debian/Arch package managers:

sudo apt-get install tor

sudo pacman -S tor

You can also add their PPA to get the latest version from this link.

Tor can be used as a socks proxy with the browser bundle or Tor daemon. Just navigate to the Network Settings and the Proxy section of the desired service.

Select Socks 4 Proxy and enter 127.0.0.1 port 9050.

Doing so will re-route all your connections through Tor.

I2P

I2P is a less commonly used alternative to Tor. Like Tor, it doesn’t use any .com or .org extensions. Instead, it uses .i2p extensions.

Here’s how you can add i2p to the package list:

  1. sudo apt-get update
  2. sudo apt-get install i2p

For Ubuntu: sudo apt-add-repository ppa:i2p-maintainers/i2p

For Debian, click here.

Starting i2p in terminal:

i2prouter start

You should check the configuration if you have trouble connecting to the i2p server. You can do so by visiting: localhost:7657/confignet

Your router or firewall may be blocking the connection.

Here’s the basic port unblocking:

IP Tables

  1. sudo iptables -A INPUT -p tcp --dport <i2p port here> -j ACCEPT
  2. sudo iptables -L

UFW

  1. sudo ufw allow <i2p port here>/tcp
  2. sudo ufw status

VPN

Community VPNs:

Free VPNs:

It is never recommended to use a free VPN. However, listed here is one that has been really helpful over the years.

VPNbook.com

Vpnbook.com is one of the very few free VPNs that actually work. However, you should always use Tor on top of the VPN to maintain your online privacy.

Proxy Chains

Sometimes, it becomes a necessity to use a proxy after the Tor exit node. 

The setup is very easy. 

  1. sudo apt-get install proxychains
  2. sudo nano /etc/proxychains.conf
  3. Following the [ProxyList] line, add:
    socks4 127.0.0.1 9050 #Tor must go first
    socks5 ipaddress port
    proxies etc……

To populate the list, you will have to search for a public SOCKS proxy.

Start Firefox in terminal: proxychains firefox
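
The order of the ProxyList entries is only honoured under some settings in the same file, so it is worth checking the whole configuration before relying on it. The script below is an added example, not part of the original guide. It goes slightly beyond the steps above by also checking the strict_chain and proxy_dns directives of proxychains.conf; the function names and both sample configurations are constructed, and 203.0.113.10 is a documentation address standing in for the second proxy.

```sh
#!/bin/sh
# Added example: lint a proxychains.conf for settings that let traffic bypass Tor.

# check_proxychains FILE: print one finding per problem; return 0 if clean.
check_proxychains() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t\r]+$/, "") }   # drop comments, padding
        $0 == ""            { next }
        $0 == "[ProxyList]" { in_list = 1; next }
        !in_list && $1 ~ /_chain$/    { mode = $1; next }   # strict/dynamic/random
        !in_list && $1 == "proxy_dns" { dns = 1; next }
        in_list { hops++; if (hops == 1) first = $1 " " $2 " " $3 }
        END {
            bad = 0
            if (mode != "strict_chain") {
                # dynamic_chain skips dead proxies, random_chain reorders them
                print "chain mode is " (mode == "" ? "unset" : mode) ": only strict_chain keeps every hop, in order"
                bad = 1
            }
            if (!dns) {
                print "proxy_dns is not enabled: name lookups go to the local resolver"
                bad = 1
            }
            if (first !~ /^socks[45] 127\.0\.0\.1 9050$/) {
                print "first hop is \"" first "\": Tor (127.0.0.1 9050) must go first"
                bad = 1
            }
            exit bad
        }' "$1"
}

# Constructed sample: Tor listed second, DNS not proxied, dead hops skipped.
write_weak_conf() {
    cat > "$1" <<'EOF'
dynamic_chain
#proxy_dns
[ProxyList]
socks5 203.0.113.10 1080
socks4 127.0.0.1 9050
EOF
}

# Constructed sample: the same chain with the three problems corrected.
write_fixed_conf() {
    cat > "$1" <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
[ProxyList]
socks4 127.0.0.1 9050 #Tor must go first
socks5 203.0.113.10 1080
EOF
}

tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_fixed_conf "$tmp/fixed.conf"
check_proxychains "$tmp/weak.conf" || true
check_proxychains "$tmp/fixed.conf" && echo "fixed.conf: no findings"
rm -rf "$tmp"
```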

Operating Systems

The best way to maintain your online privacy is to get rid of traditional operating systems, like Windows and Mac, and get Linux instead.

Flash Firmware

It is always a good practice to get a clean start. For this purpose, locate the firmware model on the motherboard of your computer and flash it.

Enabling a BIOS Boot Password

Press F12 to enter the BIOS and find the security section.

Use Bootable Operating System

This guide will show you how to install TAILS on a USB from a virtual machine.

Now click “new” on the top left (image below).

Name your virtual machine here and select Linux 32 or 64 bit depending on which version you downloaded.

You should set the memory size to at least 1024 for smooth performance.

Now, create a virtual hard drive.

VDI image is recommended.

At the next screen, you can select “dynamically allocated” and set the starting amount at a couple of gigabytes.

Now select the image and click the start button.

On the next screen, you should select the location of the .iso file that you downloaded.

Once started, head over to Applications > TAILS > TAILS Installer

At this point, make sure that the USB hard drive is connected. You will see a green plus over the USB icon (image below).

Now select “clone and install” and simply follow the installation steps.

Once started, you can create a persistent volume to store static content.

On the next reboot, you will be asked if you wish to use the persistent volume or not. Use only when indicated.

LINUX

Recommended base operating systems: Arch Linux or Kali.

Debian, Mint, or Ubuntu is a good alternative though.

Secure VM with Whonix and VirtualBox

Click File > Import Appliance and select the Whonix Gateway .ova file:

Keep the default settings as they are and then click the import button.

Repeat the same process for the workstation: select the .ova file.

Now import without changing settings.

Now select and start both virtual machines at the same time.

You will see a booting screen (see image below) once the Workstation has finished processing.

At this point, you will need to keep both VM windows open. However, most of your work will be in the Whonix-Workstation VM window.

Base System

Here are some of the essentials you need for top-notch privacy:

  • Disk Encryption: LVM encryption during install, encrypt home directory.
  • Bleachbit: Clearing day to day files. 
  • Secure-delete package: Wipes content securely

Secure Data-Wiping with Linux

You can make this step easier by using an operating system like TAILS. TAILS allows for minimal persistent storage and automatic memory wiping.

BleachBit

Using BleachBit is easy, but it is slightly less effective.

Start here:

sudo apt-get install bleachbit

sudo bleachbit

With BleachBit, you can shred files and folders from the file menu. You can also make free space by wiping excess data that exists without pointers.

file→Shred files

file→Shred folder

file→wipe free space

DBAN

Using DBAN requires advanced skill as it is booted from a USB or a CD drive. It is ideal when discarding a hard drive. 

You can download DBAN here. Once you have downloaded the .iso file, burn it on a CD or a USB drive. 

  • Select “RCMP TSSIT OPS-II” for deletion method.
  • Now, select the drive.
  • Prepare to wait for 12 or more hours.

Secure-Delete

It is slightly easier to use than DBAN and also much more effective than BleachBit.

Again, you will need to boot from a CD or a USB drive.

Although properly deleting a file takes time, you can still use “Fast Mode” if you are in a hurry.

Here’s how to use it:

First:

 sudo apt-get install secure-delete

If you are wiping a disk:

 sudo fdisk -l

Now find the disk name. It should be /dev/sdxx

Here, you should encrypt your partition. More importantly, wipe the space that’s considered free. sfill works on a mounted filesystem, so point it at the directory where the partition is mounted rather than at the device node:

 sudo sfill /path/to/mountpoint

If you need to clear swap space:

  1. cat /proc/swaps
  2. sudo swapoff /dev/sddisk#
  3. sudo sswap /dev/sddisk#
  4. sudo swapon /dev/sddisk#

If you don’t have enough time, you can use -m for 7 passes and -s for simple 1 pass.

 sudo srm file

Or

 sudo srm -r /directory

Or

 srm /dev/sddisk#

You might also want to wipe the memory at the end.

Enter:

 sudo sdmem

Physical Destruction

Before physically destroying the disk, try to encrypt it first, so even if you fail you will still be secure.

Open the drive

Find the platter, retrieve it

& then SMASH it

Now locate any memory chips and destroy them as well.

Make sure not to dispose of it in a normal garbage can. Be discreet about where you dispose of it.

Cold-boot Attack

This is an old attack method which recovers encryption keys stored in RAM. Always use DDR3 or better memory if possible, and shut down the computer when you are not using it.

Basic Communications

Another factor that can be used to build up an identity profile on you is your use of basic communication: spellings, grammar, and writing style. Authorities can single out similar patterns of communication and link them to your alternate identities. 

It’s important to remember that you should never use nicknames or even mention your location or music taste and other stuff which can be linked back to you later. 

Images

JPG, JPEG, TIF, and WAV files all store data in EXIF (Exchangeable Image File Format). EXIF data can contain sensitive information, including geo-location and information about the device that you use.

To maintain privacy, always use PNG image format. 

Email Providers

As you might have noticed by now, the theme is that no one on the internet can be trusted. Therefore, you should not trust any email providers either, no matter how many security claims they make. Use PGP to stay protected with emails.

Protonmail.ch

Protonmail is a highly respected email client. However, it is invite-only and has a long waiting time – we’re talking several months.

Tutanota.com

Tutanota offers encrypted email services with OTP but you will have to configure PGP manually.

Mail2tor.com

When used with PGP, Tor-based email clients such as Mail2Tor are secure enough to be used daily.

Other options:

JABBER_XMPP/OTR

  • sudo apt-get install pidgin
  • go to tools→preferences
  • Logging: disable log all instant messages/log all chats
  • Go to proxy
  • Select Socks 4
  • enter: 127.0.0.1 9050
  • Go to this link
  • Under Security
  • Download/Install: Off-The-Record, Pidgin-GPG
  • Install any dependencies 
  • Activate Plugins in: Tools→Plugins
  • Once activated, select configure plugin for both

For OTR

  • First, generate a unique key
  • Now, enable Private messaging
  • Also disable logging
  • Automatically initiate private messaging (optional)
  • Select show OTR in tool-bar
  • If a conversation is not private, you will see a box saying “Not Private”
  • Click Start Private Conversation
  • If your partner has OTR properly configured, it will display private.

For PIDGIN-GPG

  1. select main key in options
  2. toggle encryption mode in conversations
  3. options→toggle openpgp encryption

Alternative Messaging Options

POND

Pond messages are asynchronous. They expire automatically after a week of being sent.

Other options:

GNUPG/PGP BASICS

PGP keys are unique identifiers that are not to be used across multiple accounts or on a public address.

Simple PGP on LINUX:

In a terminal:

Ubuntu: sudo apt-get install gpa gnupg2

Arch: sudo pacman -S gpa gnupg2

How to generate keys:

  1. In terminal enter: gpg --gen-key or open gpa in terminal and it will prompt you to create one.
  2. Follow the prompts:
  • Select option 1 in most cases – RSA and RSA (default)
  • Select at least 2048 key size
  • Key expiration, hit enter if not needed.
  • Make sure to not enter any real information
  • Also make sure to use a secure passphrase for the key
  • Then move the mouse as prompted. You can also type whatever you want. The goal is to create entropy.

Simple PGP with GNU Privacy Assistant

GPA will guide you through the creation process of your first key when you open it. Please do not put in any real information, unless intended.

Refresh or restart GPA and your keys will appear. Now click the clipboard.

Enter your message here:

Now select the key you wish to sign in with:

Now, you will see an encrypted message.

To decrypt it, click the mail icon on top (see image below). This will allow you to use the appropriate key.

More Details on GPA

Here’s how to export/import Public Key:

First, select your key-pair. Go to keys > export or import keys and proceed appropriately.

Here’s how to export/import Private Key:

  1. Select your key-pair. Go to keys > export or import keys and proceed appropriately.
  2. Now either choose where to save it or paste the desired key directly.

Here’s how to verify a message:

  1. Keys > Imports
  2. Now paste the public key directly
  3. Select “window” > clipboard
  4. Paste the entire text
  5. Click icon with the green key
  6. It will now display the name of the previously imported key if the information is authenticated

Here’s how to verify a file:

  1. GPA
  2. Select→keys→import
  3. Paste the public key
  4. Back to terminal
  5. gpg --verify file

PGP with Email

Thunderbird is the most widely known and used.

  1. sudo apt-get install thunderbird enigmail
  2. Open Thunderbird
  3. Open Preferences→enigmail→Preferences
  4. Set the GPG path, in Ubuntu default is /usr/bin/gpg

You can also cut and paste your messages directly from GPA into the message window.

TAILS PGP

TAILS has an OpenPGP applet

Additional Reading on PGP

PGP Versions

Some PGP libraries are known to have weak encryption. PGP versions can also reveal the operating system that you use. Therefore, you should research strange PGP versions.

Validating Files with MD5 or SHA 1

SHA 1 SUM

Whenever a file is provided, ideally a SHA1/MD5/PGP sum will be provided, which looks like a long string of characters.

For LINUX terminal type: sha1sum filename

Output should be the same as the supplied string

MD5 SUM

Again, a SHA1/MD5/PGP string will be provided whenever a file is provided. It will also look like a long string of characters.

In Linux terminal type: md5sum filename

The output should be the same as the supplied string.
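
Comparing two long hex strings by eye is error-prone, so the comparison is better left to the shell. The function below is an added example, not part of the original guide: it works out from the length of the supplied string whether it is an MD5, SHA-1 or SHA-256 sum, computes the matching digest of the file, and reports a match or mismatch through its exit status. The function name and the demo file are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare a file against a published checksum string.

# verify_sum FILE EXPECTED
#   returns 0 on match, 1 on mismatch, 2 if the input cannot be checked.
verify_sum() {
    file=$1
    # Publishers differ in case and stray whitespace; normalise before comparing.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "not a hex digest: $2" >&2; return 2 ;;
    esac
    # The digest length identifies the algorithm the publisher used.
    case ${#expected} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length: ${#expected}" >&2; return 2 ;;
    esac
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # Read via stdin so an odd filename cannot change the tool's output format.
    actual=$("$tool" < "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH ($tool): $file" >&2
        echo "  published: $expected" >&2
        echo "  computed:  $actual" >&2
        return 1
    fi
    echo "OK ($tool): $file"
    # MD5 and SHA-1 detect corruption, but collisions can be crafted for both,
    # so a match is weaker evidence than a SHA-256 sum or a PGP signature.
    case $tool in
        md5sum|sha1sum) echo "note: $tool is collision-prone; prefer SHA-256 or a signature" >&2 ;;
    esac
    return 0
}

# Constructed demo: an empty file, whose SHA-1 is a well-known constant.
demo=$(mktemp)
verify_sum "$demo" "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709" || true
rm -f "$demo"
```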
