Guide to Online Anonymity (by https://anonymousplanet.org/)

Use at your own risk. Please do not take this guide as a definitive truth for everything because it is not.
  • Introduction:
  • Understanding some basics of how some information can lead back to you and how to mitigate some:
    • Your Network:
      • Your IP address:
      • Your DNS and IP requests:
      • Your RFID enabled devices:
      • The Wi-Fis and Bluetooth devices around you:
      • Malicious/Rogue Wi-Fi Access Points:
      • Your Anonymized Tor/VPN traffic:
      • Some Devices can be tracked even when offline:
    • Your Hardware Identifiers:
      • Your IMEI and IMSI (and by extension, your phone number):
      • Your Wi-Fi or Ethernet MAC address:
      • Your Bluetooth MAC address:
    • Your CPU:
    • Your Operating Systems and Apps telemetry services:
    • Your Smart devices in general:
    • Yourself:
      • Your Metadata including your Geo-Location:
      • Your Digital Fingerprint, Footprint, and Online Behavior:
      • Your Clues about your Real Life and OSINT:
      • Your Face, Voice, Biometrics and Pictures:
      • Phishing and Social Engineering:
    • Malware, exploits, and viruses:
      • Malware in your files/documents/e-mails:
      • Malware and Exploits in your apps and services:
      • Malicious USB devices:
      • Malware and backdoors in your Hardware Firmware and Operating System:
    • Your files, documents, pictures, and videos:
      • Properties and Metadata:
      • Watermarking:
      • Pixelized or Blurred Information:
    • Your Crypto currencies transactions:
    • Your Cloud backups/sync services:
    • Your Browser and Device Fingerprints:
    • Local Data Leaks and Forensics:
    • Bad Cryptography:
    • No logging but logging anyway policies:
    • Some Advanced targeted techniques:
    • Some bonus resources:
    • Notes:
  • General Preparations:
    • Picking your route:
      • Timing limitations:
      • Budget/Material limitations:
      • Skills:
      • Adversaries (threats):
    • Steps for all routes:
      • Get an anonymous Phone number:
      • Get a USB key:
      • Find some safe places with decent public Wi-Fi:
    • The TAILS route:
      • Persistent Plausible Deniability using Whonix within TAILS:
    • Steps for all other routes:
      • Get a dedicated laptop for your sensitive activities:
      • Some laptop recommendations:
      • Bios/UEFI/Firmware Settings of your laptop:
      • Physically Tamper protect your laptop:
    • The Whonix route:
      • Picking your Host OS (the OS installed on your laptop):
      • Linux Host OS:
      • MacOS Host OS:
      • Windows Host OS:
      • Virtualbox on your Host OS:
      • Pick your connectivity method:
      • Get an anonymous VPN/Proxy:
      • Whonix:
      • Tor over VPN:
      • Whonix Virtual Machines:
      • Pick your guest workstation Virtual Machine:
      • Linux Virtual Machine (Whonix or Linux):
      • Windows 10 Virtual Machine:
      • Android Virtual Machine:
      • MacOS Virtual Machine:
      • KeepassXC:
      • VPN client installation (cash/Monero paid):
      • (Optional) allowing only the VMs to access the internet while cutting off the Host OS to prevent any leak:
      • Final step:
    • The Qubes Route:
      • Pick your connectivity method:
      • Get an anonymous VPN/Proxy:
      • Installation:
      • Lid Closure Behavior:
      • Connect to a Public Wi-Fi:
      • Update Qubes OS:
      • Hardening Qubes OS:
      • Setup the VPN ProxyVM:
      • Setup a safe Browser within Qube OS (optional but recommended):
      • Setup an Android VM:
      • KeePassXC:
  • Creating your anonymous online identities:
    • Understanding the methods used to prevent anonymity and verify identity:
      • Captchas:
      • Phone verification:
      • E-Mail verification:
      • User details checking:
      • Proof of ID verification:
      • IP Filters:
      • Browser and Device Fingerprinting:
      • Human interaction:
      • User Moderation:
      • Behavioral Analysis:
      • Financial transactions:
      • Sign-in with some platform:
      • Live Face recognition and biometrics (again):
      • Manual reviews:
    • Getting Online:
      • Creating new identities:
      • The Real-Name System:
      • About paid services:
      • Overview:
      • How to share files or chat anonymously:
      • Redacting Documents/Pictures/Videos/Audio safely:
      • Communicating sensitive information to various known organizations:
      • Maintenance tasks:
  • Backing-up your work securely:
    • Offline Backups:
      • Selected Files Backups:
      • Full Disk/System Backups:
    • Online Backups:
      • Files:
      • Information:
    • Synchronizing your files between devices Online:
  • Covering your tracks:
    • Understanding HDD vs SSD:
      • Wear-Leveling.
      • Trim Operations:
      • Garbage Collection:
      • Conclusion:
    • How to securely wipe your whole Laptop/Drives if you want to erase everything:
      • Linux (all versions including Qubes OS):
      • Windows:
      • MacOS:
    • How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:
      • Windows:
      • Linux (non Qubes OS):
      • Linux (Qubes OS):
      • MacOS:
    • Some additional measures against forensics:
      • Removing Metadata from Files/Documents/Pictures:
      • TAILS:
      • Whonix:
      • MacOS:
      • Linux (Qubes OS):
      • Linux (non-Qubes):
      • Windows:
    • Removing some traces of your identities on search engines and various platforms:
      • Google:
      • Bing:
      • DuckDuckGo:
      • Yandex:
      • Qwant:
      • Yahoo Search:
      • Baidu:
      • Wikipedia:
      • Archive.today:
      • Internet Archive:
  • Some low-tech old-school tricks:
    • Hidden communications in plain sight:
    • How to spot if someone has been searching your stuff:
  • Some last OPSEC thoughts:
  • If you think you got burned:
    • If you have some time:
    • If you have no time:
  • A small final editorial note
 
Last edited by a moderator:

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Phishing and Social Engineering:​


Phishing is a social engineering type of attack where an adversary could try to extract information from you by pretending or impersonating something/someone else.


A typical case is an adversary using a man-in-the-middle attack or a fake e-mail/call to ask your credential for a service. This could for example be through e-mail or through impersonating financial services.


Such attacks can also be used to de-anonymize someone by tricking them into downloading malware or revealing personal information over time.


These have been used countless times since the early days of the internet and the usual one is called the “419 scam” (see https://en.wikipedia.org/wiki/Advance-fee_scam [Wikiless] [Archive.org]).


Here is a good video if you want to learn a bit more about phishing types: Black Hat, Ichthyology: Phishing as a Science
[Invidious].
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Malware, exploits, and viruses:​


Malware in your files/documents/e-mails:​


Using steganography or other techniques, it is easy to embed malware into common file formats such as Office Documents, Pictures, Videos, PDF documents…


These can be as simple as HTML tracking links or complex targeted malware.


These could be simple pixel sized images hidden in your e-mails that would call a remote server to try and get your IP address.


These could be exploiting a vulnerability in an outdated format or outdated reader. Such exploits could then be used to compromise your system.


See these good videos for more explanations on the matter:



You should always use extreme caution. To mitigate these attacks, this guide will later recommend the use of virtualization (See Appendix W: Virtualization) to mitigate leaking any information even in case of opening such a malicious file.


If you want to learn how to try detecting such malware, see Appendix T: Checking files for malware


 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Malware and Exploits in your apps and services:​


So, you are using Tor Browser or Brave Browser over Tor. You could be using those over a VPN for added security. But you should keep in mind that there are exploits (hacks) that could be known by an adversary (but unknown to the App/Browser provider). Such exploits could be used to compromise your system and reveal details to de-anonymize you such as your IP address or other details.


A real use case of this technique was the Freedom Hosting case in 2013 where the FBI inserted malware using a Firefox browser exploit on a Tor website. This exploit allowed them to reveal details of some users. More recently, there was the notable SolarWinds hack that breached several US government institutions by inserting malware into an official software update server.


In some countries, Malware is just mandatory and/or distributed by the state itself. This is the case for instance in China with WeChat which can then be used in combination with other data for state surveillance.


There are countless examples of malicious browser extensions, smartphone apps and various apps that have been infiltrated with malware over the years.


Here are some steps to mitigate this type of attack:


  • You should never have 100% trust in the apps you are using.
  • You should always check that you are using the updated version of such apps before use and ideally validate each download using their signature if available.
  • You should not use such apps directly from a hardware system but instead use a Virtual Machine for compartmentalization.

To reflect these recommendations, this guide will therefore later guide you in the use of Virtualization (See Appendix W: Virtualization) so that even if your Browser/Apps get compromised by a skilled adversary, that adversary will find himself stuck in a sandbox without being able to access identifying information, or compromise your system.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Malicious USB devices:​


There are readily available commercial and cheap “badUSB” devices that can take deploy malware, log your typing, geolocate you, listen to you or gain control of your laptop just by plugging them in. Here are some examples that you can already buy yourself.



Such devices can be implanted anywhere (charging cable, mouse, keyboard, USB key …) by an adversary and can be used to track you or compromise your computer or smartphone. The most notable example of such attacks is probably Stuxnet in 2005.


While you could inspect an USB key physically, scan it with various utilities, check the various components to see if they are genuine, you will most likely never be able to discover complex malware embedded in genuine parts of a genuine USB key by a skilled adversary without advanced forensics equipment.


To mitigate this, you should never trust such devices and plug them into sensitive equipment. If you use a charging device, you should consider the use of an USB data blocking device that will only allow charging but not any data transfer. Such data blocking devices are now readily available in many online shops. You should also consider disabling USB ports completely within the BIOS of your computer unless you need them (if you can).
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Malware and backdoors in your Hardware Firmware and Operating System:​


This might sound a bit familiar as this was already partially covered previously in the Your CPU section.


Malware and backdoors can be embedded directly into your hardware components. Sometimes those backdoors are implemented by the manufacturer itself such as the IME in the case of Intel CPUs. And in other cases, such backdoors can be implemented by a third party that places itself between orders of new hardware and customer delivery.


Such malware and backdoors can also be deployed by an adversary using software exploits. Many of those are called rootkits within the tech world. Usually, these types of malwares are harder to detect and mitigate as they are implemented at a lower level than the userspace and often in the firmware of hardware components itself.


What is firmware? Firmware is a low-level operating system for devices. Each component in your computer probably has firmware including for instance your disk drives. The BIOS/UEFI system of your machine for instance is a type of firmware.


These can allow remote management and capable of enabling full control on a target system silently and stealthily.


As mentioned previously, these are harder to detect by users but nevertheless some limited steps that can be taken to mitigate some those by protecting your device from tampering and use some measures (like re-flashing the bios for example). Unfortunately, if such malware or backdoor is implemented by the manufacturer itself, it becomes extremely difficult to detect and disable those.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Your files, documents, pictures, and videos:​


Properties and Metadata:​


This can be obvious to many but not to all. Most files have metadata attached to them. A good example are pictures which store EXIF information which can contain a lot of information such as GPS coordinates, which camera/phone model took it and when it was taken precisely. While this information might not directly give out who you are, it could tell exactly where you were at a certain moment which could allow others to use different sources to find you (CCTV or other footage taken at the same place at the same time during a protest for instance). It is important that you verify any file you would put on those platforms for any properties that might contain any information that might lead back to you.


Here is an example of EXIF data that could be on a picture:
2021 07 22 17 11

By the way, this also works for videos. Yes, videos too have geo-tagging and many are very unaware of this. Here Is for instance a very convenient tool to geo-locate YouTube videos: https://mattw.io/youtube-geofind/location [Archive.org]


For this reason, you will always have to be very careful when uploading files using your anonymous identities and check the metadata of those files.


Even if you publish a simple text file, you should always double or triple check it for any information leakage before publishing. You will find some guidance about this in the Some additional measures against forensics section at the end of the guide.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Watermarking:​


Pictures/Videos/Audio:​


Pictures/Videos often contain visible watermarks indicating who is the owner/creator but there are also invisible watermarks in various products aiming at identifying the viewer itself.


So, if you are a whistleblower and thinking about leaking some picture/audio/video file. Think twice. There are chances that those might contain invisible watermarking within them that would include information about you as a viewer. Such watermarks can be enabled with a simple switch in like Zoom (Video or Audio) or with extensions for popular apps such as Adobe Premiere Pro. These can be inserted by various content management systems.


For a recent example where someone leaking a Zoom meeting recording was caught because it was watermarked: https://theintercept.com/2021/01/18/leak-zoom-meeting/ [Archive.org]


Such watermarks can be inserted by various products using Steganography and can resist compression and re-encoding.


These watermarks are not easily detectable and could allow identification of the source despite all efforts.


In addition to watermarks, the camera used for filming (and therefore the device used for filming) a video can also be identified using various techniques such as lens identification which could lead to de-anonymization.


Be extremely careful when publishing videos/pictures/audio files from known commercial platforms as they might contain such invisible watermarks in addition to details in the images themselves.

Printing Watermarking:​


Did you know your printer is most likely spying on you too? Even if it is not connected to any network? This is usually a known fact by many people in the IT community but few outside people.


Yes … Your printers can be used to de-anonymize you as well as explained by the EFF here https://www.eff.org/issues/printers [Archive.org]


With this (old but still relevant) video explaining how from the EFF as well:
[Invidious]


Basically, many printers will print an invisible watermark allowing for identification of the printer on every printed page. This is called Printer Steganography.There is no real way to mitigate this but to inform yourself on your printer and make sure it does not print any invisible watermark. This is obviously important if you intend to print anonymously.


Here is an (old but still relevant) list of printers and brands who do not print such tracking dots provided by the EFF https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots [Archive.org]


Here are also some tips from the Whonix documentation(https://www.whonix.org/wiki/Printing_and_Scanning [Archive.org]):


Do not ever print in Color, usually watermarkings are not present without color toners/cartridges.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Pixelized or Blurred Information:​


Did you ever see a document with blurred text? Did you ever make fun of those movies/series where they “enhance” an image to recover seemingly impossible to read information?


Well, there are techniques for recovering information from such documents, videos, and pictures.


Here is for example an open-source project you could use yourself for recovering text from some blurred images yourself: https://github.com/beurtschipper/Depix [Archive.org]
2021 07 22 17 15

This is of course an open-source project available for all to use. But you can probably imagine that such techniques have probably been used before by other adversaries. These could be used to reveal blurred information from published documents that could then be used to de-anonymize you.


There are also tutorials for using such techniques using Photo Editing tools such as GIMP such as: https://medium.com/@somdevsangwan/unblurring-images-for-osint-and-more-part-1-5ee36db6a70b [Archive.org] followed by https://medium.com/@somdevsangwan/deblurring-images-for-osint-part-2-ba564af8eb5d [Archive.org]

2021 07 22 17 15 1

Finally, you will find plenty of deblurring resources here: https://github.com/subeeshvasu/Awesome-Deblurring [Archive.org]


Some online services could even help you do this automatically to some extent like MyHeritage.com enhance tool:


https://www.myheritage.com/photo-enhancer [Archive.org]


Here is the result of the above image:
2021 07 22 17 16

Of course, this tool is more like “guessing” than really deblurring at this point but it could be enough to find you using various reverse image searching services.


For this reason, it is always extremely important that you correctly redact and curate any document you might want to publish. Blurring is not enough and you should always completely blacken/remove any sensitive data to avoid any attempt at recovering data from any adversary.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Your Crypto currencies transactions:​


Contrary to popular belief, Crypto transactions (such as Bitcoin and Ethereum) are not anonymous. Most crypto currencies can be tracked accurately through various methods


Remember what they say on their own page: https://bitcoin.org/en/you-need-to-know [Archive.org] and https://bitcoin.org/en/protect-your-privacy [Archive.org]:


“Bitcoin is not anonymous “


The main issue is not setting up a random Crypto wallet to receive some currency behind a VPN/Tor address (at this point, the wallet is anonymous). The issue is mainly when you want to convert Fiat money (Euros, Dollars …) to Crypto and then when you want to cash in your Crypto. You will have few realistic options but to transfer those to an exchange (such as Coinbase/Kraken/Bitstamp/Binance). Those exchanges have known wallet addresses and will keep detailed logs (due to KYC financial regulations) and can then trace back those crypto transactions to you using the financial system.


There are some crypto currencies with privacy/anonymity in mind like Monero but even those have some and warnings to consider.


Even if you use Mixers or Tumblers (services that specialize in “anonymizing” crypto currencies by “mixing them”), keep in mind this is only obfuscation and not actual anonymity. Not only are they only obfuscation but they could also put you in trouble as you might end up exchanging your crypto against “dirty” crypto that was used in various questionable contexts.


This does not mean you cannot use Bitcoin anonymously at all. You can actually use Bitcoin anonymously as long as you do not convert it to actual currency and use a Bitcoin wallet from a safe anonymous network. Meaning you should avoid KYC/AML regulations by various exchanges and avoid using the Bitcoin network from any known IP address. See Appendix Z: Paying anonymously online with BTC.


Overall, IMHO, the best option for using Crypto with reasonable anonymity and privacy is still Monero and you should ideally not use any other for sensitive transactions unless you are aware of the limitations and risks involved. Please do read this Monero Disclaimer.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Your Cloud backups/sync services:​


All companies are advertising their use of end-to-end encryption (E2EE). This is true for almost every messaging app and website (HTTPS). Apple and Google are advertising their use of encryption on their Android devices and their iPhones.


But what about your backups? Those automated iCloud/google drive backups you have?


Well, you should probably know that most of those backups are not fully end to end encrypted and will contain some of your information readily available for a third party. You will see their claims that data is encrypted at rest and safe from anyone … Except they usually do keep a key to access some of the data themselves. These keys are used for them indexing your content, recover your account, collecting various analytics.


There are specialized commercial forensics solutions available (Magnet Axiom, Cellebrite Cloud) that will help an adversary analyze your cloud data with ease.


Notable Examples:


  • Apple iCloud: https://support.apple.com/en-us/HT202303 [Archive.org]: “Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. “.
  • Google Drive and WhatsApp: https://faq.whatsapp.com/android/chats/about-google-drive-backups/ [Archive.org]: “Media and messages you back up aren’t protected by WhatsApp end-to-end encryption while in Google Drive. “.
  • Dropbox: https://www.dropbox.com/privacy#terms [Archive.org] “To provide these and other features, Dropbox accesses, stores, and scans Your Stuff. You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with”.
  • Microsoft OneDrive: https://privacy.microsoft.com/en-us/privacystatement [Archive.org]: Productivity and communications products, “When you use OneDrive, we collect data about your usage of the service, as well as the content you store, to provide, improve, and protect the services. Examples include indexing the contents of your OneDrive documents so that you can search for them later and using location information to enable you to search for photos based on where the photo was taken”.

You should not trust cloud providers with your (not previously and locally encrypted) sensitive data and you should be wary of their privacy claims. In most cases they can access your data and provide it to a third party if they want to.


The only way to mitigate this is to encrypt yourself your data on your side and then only upload it to such services.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Your Browser and Device Fingerprints:​


Your Browser and Device Fingerprints are set of properties/capabilities of your System/Browser. These are used on most websites for invisible user tracking but also to adapt the website user experience depending on their browser. For instance, websites will be able to provide a “mobile experience” if you are using a mobile browser or propose a specific language/geographic version depending on your fingerprint. Most of those techniques work with recent Browsers like Chromium based browsers (such as Chrome) or Firefox unless taking special measures.


You can find a lot of detailed information and publications about this on these resources:



Most of the time, those fingerprints will unfortunately be unique or nearly unique to your Browser/System. This means that even If you log out from a website and then log back in using a different username, your fingerprint might remain the same if you did not take precautionary measures.


An adversary could then use such fingerprints to track you across multiple services even if you have no account on any of them and are using ad blocking. These fingerprints could in turn be used to de-anonymize you if you keep the same fingerprint between services.


It should also be noted that while some browsers and extensions will offer fingerprint resistance, this resistance in itself can also be used to fingerprint you as explained here https://palant.info/2020/12/10/how-...xtensions-tend-to-make-fingerprinting-easier/ [Archive.org]


This guide will mitigate these issues by mitigating, obfuscating, and randomizing many of those fingerprinting identifiers by using Virtualization (See Appendix W: Virtualization) and using by fingerprinting resistant Browsers.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Local Data Leaks and Forensics:​


Most of you have probably seen enough Crime dramas on Netflix or TV to know what forensics are. These are technicians (usually working for law enforcement) that will perform various analysis of evidence. This of course could include your smartphone or laptop.


While these might be done by an adversary when you already got “burned”, these might also be done randomly during a routine control or a border check. These unrelated checks might reveal secret information to adversaries that had no prior knowledge of such activities.


Forensics techniques are now very advanced and can reveal a staggering amount information from your devices even if they are encrypted. These techniques are widely used by law enforcement all over the world and should be considered.


Here are some recent resources you should read about your smartphone:



I also highly recommend that you read some documents from a forensics examiner perspective such as:



And finally, here is this very instructive detailed paper on the current state of IOS/Android security from the John Hopkins University: https://securephones.io/main.html.


When it comes to your laptop, the forensics techniques are many and widespread. Many of those issues can be mitigated by using full disk encryption, virtualization (See Appendix W: Virtualization), and compartmentalization. This guide will later detail such threats and techniques to mitigate them.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Bad Cryptography:​


There is a frequent adage among the infosec community: “Don’t roll your own crypto!”.


And there are reasons for that:


Personally, I would not want people discouraged from studying and innovating in the crypto field because of that adage. So instead, I would recommend people to be cautious with “Roll your own crypto” because it is not necessarily good crypto.


  • Good cryptography is not easy and usually takes years of research to develop and fine-tune.
  • Good cryptography is transparent and not proprietary/closed-source so it can be reviewed by peers.
  • Good cryptography is developed carefully, slowly, and rarely alone.
  • Good cryptography is usually presented and discussed in conferences, and published on various journals.
  • Good cryptography is extensively peer reviewed before it is released for use into the wild.
  • Using and implementing existing good cryptography correctly is already a challenge.

Yet, this is not stopping some from doing it anyway and publishing various production Apps/Services using their own self-made cryptography or proprietary closed-source methods.


  • You should apply caution when using Apps/Services using closed-source or proprietary encryption methods. All the good crypto standards are public and peer reviewed and there should be no issue disclosing the one you use.
  • You should be wary of Apps/Services using a “modified” or proprietary cryptographic method.
  • By default, you should not trust any “Roll your own crypto” until it was audited, peer-reviewed, vetted, and accepted by the cryptography community.
  • There is no such thing as “military grade crypto”.

Cryptography is a complex topic and bad cryptography could easily lead to your de-anonymization.


In the context of this guide, I recommend sticking to Apps/Services using well established, published, and peer reviewed methods.


So, what to prefer and what to avoid as of 2021? You will have to look up for yourself to get the technical details of each app and see if they are using “bad crypto” or “good crypto”. Once you get the technical details, you could check this page for seeing what it is worth: https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html [Archive.org]


Here are some examples:


  • Hashes:
    • Prefer: SHA256 (widely used), SHA512 (preferred), or SHA-3
    • Avoid: SHA-1, SHA-2, MD5 (unfortunately sill widely used, CRC, MD6 (rarely used)
  • File/Disk Encryption:
    • Prefer:
      • Hardware Accelerated: AES 256 Bits with HMAC-SHA-2 or HMAC-SHA-3 (This is what Veracrypt, Bitlocker, Filevault 2, KeepassXC, and LUKS use)
      • Non-Hardware Accelerated: Same as accelerated above or if available prefer ChaCha20 or XChaCha20 (You can use ChaCha20 with Kryptor https://www.kryptor.co.uk, unfortunately it is not available with Veracrypt).
    • Avoid: Pretty much anything else
  • Password Storage:
    • Prefer: argon2, scrypt, bcrypt, SHA-3 or if not possible at least PBKDF2 (only as a last resort)
    • Avoid: naked SHA-2, SHA-1, MD5
  • Browser Security (HTTPS):
    • Prefer: TLS 1.3 (ideally TLS 1.3 with ECH/eSNI support) or at least TLS 1.2 (widely used)
    • Avoid: Anything Else (TLS =<1.1, SSL =<3)
  • Signing with PGP/GPG:
    • Prefer ECDSA (ed25519)+ECDH (ec25519) or RSA 4096 Bits*
    • Avoid: RSA 2048 bits
  • SSH keys:
    • ED25519 (preferred) or RSA 4096 Bits*
    • Avoid: RSA 2048 bits
  • Warning: RSA and ED25519 are unfortunately not seen as “Quantum Resistant” and while they have not been broken yet, they probably will be broken someday into the future. It is probably just a matter of when rather than if RSA will ever be broken. So, these are preferred in those contexts due to the lack of a better option.

Here are some real cases of issues bad cryptography:


 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

No logging but logging anyway policies:​


Many people have the idea that privacy-oriented services such as VPN or E-Mail providers are safe due to their no logging policies or their encryption schemes. Unfortunately, many of those same people forget that all those providers are legal commercial entities subject to the laws of the countries in which they operate.


Any of those providers can be forced to silently (without your knowing (using for example a court order with a gag order or a national security letter) log your activity to de-anonymize you. There have been several recent examples of those:


  • 2021, DoubleVPN servers, logs, and account info seized by law enforcement
  • 2021, The Germany based mail provider Tutanota was forced to monitor specific accounts for 3 months
  • 2020, The Germany based mail provider Tutanota was forced to implement a backdoor to intercept and save copies of the unencrypted e-mails of one user (they did not decrypt the stored e-mail).
  • 2017, PureVPN was forced to disclose information of one user to the FBI.
  • 2014, EarthVPN user was arrested based on logs provider to the Dutch Police.
  • 2014, HideMyAss user was de-anonymized and logs were provided to the FBI.
  • 2013, Secure E-Mail provider Lavabit shuts down after fighting a secret gag order.

Some providers have implemented the use of a Warrant Canary that would allow their users to find out if they have been compromised by such orders but this has not been tested yet as far as I know.


Finally, it is now well known that some companies might be sponsored front-ends for some state adversaries (see the Crypto AG story and Omnisec story).


For these reasons, it is important that you do not trust such providers for your privacy despite all their claims. In most cases, you will be the last person to know if any of your account was targeted by such orders and you might never know at all.


To mitigate this, in cases where you want to use a VPN, I will recommend the use of a cash/Monero-paid VPN provider over Tor to prevent the VPN service from knowing any identifiable information about you.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Some Advanced targeted techniques:​

There are many advanced techniques that can be used by skilled adversaries to bypass your security measures provided they already know where your devices are. Many of those techniques are detailed here https://cyber.bgu.ac.il/advanced-cyber/airgap [Archive.org] (Air-Gap Research Page, Cyber-Security Research Center, Ben-Gurion University of the Negev, Israel) and include:


  • Attacks that require a malware implanted in some device:
    • Exfiltration of Data through a Malware infected Router:
      [Invidious]
    • Exfiltration of Data through observation of Light variation in a Backlit keyboard with a compromised camera:
      [Invidious]
      • Exfiltration of Data through a compromised Security Camera (that could first use the previous attack)
        [Invidious]
      • Communication from outsider to compromised Security Cameras through IR light signals:
        [Invidious]
    • Exfiltration of data from a compromised air-gapped computer through acoustic analysis of the FAN noises with a smartphone
      [Invidious]
    • Exfiltration of data from a malware infected air-gapped computer through HD Leds with a Drone
      [Invidious]
    • Exfiltration of data from a USB malware on an air-gapped computer through electromagnetic interferences
      [Invidious]
    • Exfiltration of data from a malware infected HDD drive through covert acoustic noise
      [Invidious]
    • Exfiltration of data through GSM frequencies from a compromised (with malware) air-gapped computer
      [Invidious]
    • Exfiltration of data through electromagnetic emissions from a compromised Display device
      [Invidious]
    • Exfiltration of data through magnetic waves from a compromised air-gapped computer to a Smartphone stored inside a Faraday bag
      [Invidious]
    • Communication between two compromised air-gapped computers using ultrasonic soundwaves
      [Invidious]
    • Exfiltration of Bitcoin Wallet from a compromised air-gapped computer to a smartphone
      [Invidious]
    • Exfiltration of Data from a compromised air-gapped computer using display brightness
      [Invidious]
    • Exfiltration of Data from a compromised air-gapped computer through vibrations
      [Invidious]
    • Exfiltration of Data from a compromised air-gapped computer by turning RAM into a Wi-Fi emitter
      [Invidious]
    • Exfiltration of Data from a compromised air-gapped computer through power lines https://arxiv.org/abs/1804.04014 [Archive.org]
  • Attacks that require no malware:
    • Observing a light bulb from a distance to listen to the sound in the room without any malware: Demonstration:
      [Invidious]

Here is also a good video from the same authors to explain those topics: Black Hat, The Air-Gap Jumpers
[Invidious]


Realistically, this guide will be of little help against such adversaries as these malwares could be implanted on the devices by a manufacturer or anyone in the middle or by anyone with physical access to the air-gapped computer but there are still some ways to mitigate such techniques:


  • Do not conduct sensitive activity while connected to an untrusted/unsecure power line to prevent power line leaks.
  • Do not use your devices in front of a camera that could be compromised.
  • Use your devices in a soundproofed room to prevent sound leaks.
  • Use your devices in faraday cage to prevent electromagnetic leaks.
  • Do not talk sensitive information where lightbulbs could be observed from outside.
  • Buy your devices from different/unpredictable/offline places (shops) where the probability of them being infected with such malware is lower.
  • Do not let anyone access your air-gapped computers except trusted people.
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Some bonus resources:​


 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Notes:​


If you still do not think such information can be used by various actors to track you, you can see some statistics for yourself for some platforms and keep in mind those are only accounting for the lawful data requests and will not count things like PRISM, MUSCULAR, SORM or XKEYSCORE explained earlier:


 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

General Preparations:​


Personally, in the context of this guide, it is also interesting to have a look at your security model. And in this context, I only have one to recommend:


Zero-Trust Security (“Never trust, always verify”).


Here are some various resources about what is Zero-Trust Security:


 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Picking your route:​


Here is a small basic UML diagram showing your options. See the details below.
2021 08 04 16 48
 

HEISENBERG

ADMIN
ADMIN
Joined
Jun 24, 2021
Messages
1,651
Solutions
2
Reaction score
1,769
Points
113
Deals
666

Timing limitations:​


  • You have very limited time to learn and need a fast-working solution:
    • Your best option is to go for the Tails route (excluding the persistent plausible deniability section).
  • You have time and more importantly will to learn:
    • Go with any route.
 
Top