Best security for my laptop
-
2016-07-11 at 3:30 AM UTC
What's the best route a person can go as far as encryption and anonymity go?
I was thinking Ubuntu + TrueCrypt + Tails .....?
What do you all suggest? -
2016-07-11 at 4:07 AM UTC
TrueCrypt is deprecated, might I suggest looking into VeraCrypt instead? Also, basically encryption is a non-issue if you're going to be live booting into Tails (it is not recommended to run Tails in a VM), at least in so far as OS security is concerned. Obviously data storage would warrant encryption.
For general privacy/anonymity I wouldn't go as far as using a specialized OS. Full disk encryption using VeraCrypt, your favorite distro, a trusted VPN, Tor and a few browser extensions should be enough (primarily NoScript, HTTPS Everywhere, NoWebRTC). If you want to route other tools/apps through Tor you might want to look into proxychains. -
2016-07-11 at 5:33 AM UTC
Tails on a second hand laptop with the hard drive taken out on public wifi connection.
-
2016-07-11 at 5:46 AM UTC
Tails on a second hand laptop with the hard drive taken out on public wifi connection.
Well yeah. But a good friend of mine once told me: before you go all out with 40 encryption algorithms, 300 VPNs and over 9000 proxies you need to figure out your threat model. If all you want to do is download normie porn and read the anarchist cookbook a VPN is enough. In contrast, if you're in the infosec business or looking to download all the cheese pizza on the internet your privacy is critical to your operational security (read: safety). In that case you might want to employ several sophisticated techniques to remain anonymous.
At the end of the day you want to be safe, but efficiency is also important in IT. -
2016-07-11 at 8:07 PM UTC
I'd avoid using Tails because the entire microcode injection (closed src stuff) is kinda sketch imho (read here: https://www.reddit.com/r/onions/comm...ls_a_backdoor/).. but a boot-only distro via live CD is a good option for sure still.
Also you should look into building a home-made parabolic wifi antenna (read: wokfi/cantenna), this can be made for maybe $10 or so and will allow you to pick up wifi from 5-10 miles away, so you can just crack some random WPA2-PSK and spoof your MAC to match that of something on their LAN or whatever.
The point Sophie makes about knowing your threat model is something that should definitely be taken into account though, the amount of precautions you need to take is relative to what exactly you're doing online and who exactly would be potentially interested in finding you.
As for VPNs, I tend to avoid them - especially do not use commercially available VPNs. If you insist on using a VPN I'd suggest obtaining your own server and installing and configuring OpenVPN yourself; that way you can actually ensure that all logfiles etc. are symlinked to /dev/null instead of simply taking the word of the VPN provider that there are no logs. Also make sure you use OpenVPN as opposed to PPTP - the latter is inherently flawed as a VPN protocol.
My own personal anonymity setup from when I used to do blackhat was something like the following:
distro on boot-only live CD --> pick up random network w/ WokFi and spoof MAC --> tunnel through remote SSH w/ iptables whitelisting and similar stuff setup --> route all outgoing connections through TOR
Opsec (or lack thereof) definitely needs to be taken into account too - I've seen many cases where people take a ridiculous amount of precautions on a technical level then slip up and get caught over a simple opsec failure.
-
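As an added illustration of the "run your own OpenVPN server instead of PPTP" point in the post above (an example configuration written for this page, not the poster's own setup): a minimal server.conf for OpenVPN 2.4 or later that pins modern TLS and an AEAD data cipher and writes no per-session state to disk. The key/certificate paths, the 10.8.0.0/24 subnet and the DNS resolver address are assumed placeholders.

```conf
# Added example: minimal hardened OpenVPN 2.4+ server.conf for a self-hosted VPN.
# Not from the thread; file paths, subnet and resolver address are assumed placeholders.
port 1194
proto udp
dev tun

# Certificates and keys generated with easy-rsa (paths assumed)
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   none                      # no static DH group; ephemeral ECDH only
ecdh-curve secp384r1

# Control channel: encrypt and authenticate the TLS handshake itself so
# packets without the shared ta.key are dropped before any TLS processing
tls-crypt /etc/openvpn/server/ta.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

# Data channel: AEAD cipher, and only AEAD ciphers offered during negotiation
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Client address pool and full-tunnel routing (subnet assumed)
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"   # assumed: a resolver on the VPN host, not the ISP's

# Drop root privileges after the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60

# Logging: only fatal errors, and no status file or log file directive at all,
# so there is nothing on disk recording which client connected when
verb 0
mute 20
```

PPTP's weak point is its MS-CHAPv2 authentication; the TLS-based control channel above is what replaces it. Leaving out the `status`, `log` and `log-append` directives and setting `verb 0` reaches the same end as the symlink-to-/dev/null trick the poster describes, without depending on the symlink surviving a package upgrade.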
2016-07-11 at 9:12 PM UTC
I'm fairly confident with my opsec. Let's assume hypothetically that I'm trying to dodge the FBI, SS, CSS, and maybe NSA. Let's assume (hypothetically of course) that they are very interested in tracking me down, arresting me, and pulling data off of one of my laptops. Obviously I'm a little shit and they couldn't care less about the petty things I do, but for the sake of discussion we'll pretend.
-
2016-07-11 at 11:16 PM UTC
OK, well I guess there are a few different approaches to this. One way would be a boot-only distro from live CD as already suggested, and another way would be to have an encrypted partition or whatever.
If you're going with the latter, then I'd definitely suggest employing some anti-forensics techniques (it will make the feds rage at the very least). For example, you can whitelist known serial #s for all USBs and HIDs, so when they attempt to use their forensics tools (not for actual hard disk forensics ofc... they'd just image the drive itself for that) it can just zero over the contents of the drive (i.e. the drive w/ their tools on) with 'trolololololol' or whatever - int 0x80 did a pretty interesting talk on anti-forensics which covers this method and also a bunch of other methods to make a forensic investigation far more complicated for the feds to deal with. You can find this here: https://www.youtube.com/watch?v=-HK1JHR7LIM
Personally I'd say a live CD is probably the best option of the two, but if you have data and tools that you need to store or need for each use, and therefore go with the latter, you really do need to take more precautions. Make sure to have a copy of DBAN (http://dban.org) lying around ready to use at a moment's notice.. I've heard of people setting things up with electromagnets so that a switch gets triggered when their door gets busted open and it fries the hard drive or whatever (not sure how effective this would be.. I'm sure they may still be able to recover SOME data, as opposed to zeroing over the drive a bunch of times which would pretty much remove everything) - another thing you need to take into account when using an encrypted partition is the risk of cold-boot attacks (where they will freeze your RAM with liquid nitrogen so they can recover the encryption keys stored in volatile memory at a later date) - I've heard cold-boot attacks can be circumvented by attaching COCKodile clips to the RAM, but I'm not sure how this works exactly.
Also, if shit *DOES* hit the fan then it would probably be best to already have a backup plan in place, i.e. travel arrangements for a country with no extradition treaties and means of getting there undetected. Obviously the amount of necessary precautions is dependent on the riskiness of the situation.
Some of the info here might interest you; it's from a 2600 submission by nachash - I'm guessing many people ITT have probably read it already, but if not there may be some useful stuff here too. It's more geared towards running a Tor hidden service but has some related stuff which can definitely be applied to these kinds of things. It can be found here for those who may not have read it: https://pastebin.com/raw/GrV3uYh5
One last thing that should be taken into account is that in certain countries (I know in the UK for sure) it is illegal not to hand over your encryption keys if ordered to do so by a court (and you will be sent to prison for refusing to do so) - I guess there's probably some similar rule in the USA too, under CFAA or something similar. At that point I guess you'd have to make the choice whether what they'd find if you didn't hand over your keys would warrant a worse sentence than refusing to hand them over. -
2016-07-19 at 1:31 AM UTC
How you connect to the internet is probably the most important. If you fuck that up, having your drive encrypted is the second most important.
Look at how other people have got busted:
DPR: bad opsec, got distracted by a couple fighting in the library, and probably other shit since they tracked him to the library
Daniel Rigmaiden: used a mobile hotspot but was busted with a stingray, didn't use tor afaik.
I also wouldn't trust vpn services to have your back or to be truthful about "absolutely no logs, promise".
And I wouldn't rely on tor:
https://news.ycombinator.com/item?id=12114069
Sounds like one of the main guys may be under subpoena and gag order, and lots of people manage to get busted from it; I think it's always been JavaScript though.
Some infosec people say to hack a Chinese Windows XP box that you found with Shodan or censys.io. Don't know how good an idea that is, they might be honeypots.
Really it depends how paranoid you want to be. And after all an IP address is not a person, but nobody wants to put that to the test of course. -
2016-07-25 at 10:21 AM UTC
Some infosec people say to hack a chinese windows xp box that you found with shodan or censys.io. Don't know how good an idea that is, they might be honey pots.
Really it depends how paranoid you want to be. And after all an IP address is not a person, but nobody wants to put that to the test of course.
A jump box is never a bad idea, whether you hack it or acquire a VPS with false identification and/or cryptocurrency. Say you have an anonymous VPS hosted in Russia or whatever. What you do is install your favorite distro in a VM in a hidden VeraCrypt volume on your local box and connect to your VPS through Tor and SSH, install your tools/apps/whatever on your VPS and do everything remotely. It's efficient as well, since all you'll be doing is sending commands through Tor to your terminal on your VPS, which will carry the load both resource- and bandwidth-wise; this is especially important if you're running high bandwidth tools like scrapers, fuzzers or something like sqlmap for instance. -
2016-11-14 at 9:22 PM UTC
ThinkPad X60 \ ThinkPad X200 \ ThinkPad T400 + Libreboot + FOSS operating system (SliTaz, Trisquel etc.) or Qubes OS if you prefer security through virtualization. Or even better, if your threat model includes the NSA, a Linux distribution that runs from RAM and implements kernel patches like PaX and grsecurity (hint: alpine linux)
-
2016-11-15 at 5:05 AM UTC
Originally posted by antinatalism Or even better, if your threat model includes the NSA
What type of folks would that be aside from terrorists? -
2016-11-15 at 5:30 AM UTC
Originally posted by SBTlauien What type of folks would that be aside from terrorists?
meme magician shitposters -
2016-11-15 at 5:41 AM UTC
Originally posted by antinatalism (hint: alpine linux)
Hey guys.. hey guys.. what should we call it...
How about ALPINE linux man ahh shiiit thats the one... because we're HIGH -
2016-11-15 at 5:46 AM UTC
when they go low, we go HIGH
-
2016-11-15 at 3:52 PM UTC
Steal your neighbour's Wi-Fi.