The Hitchhiker’s Guide to Online Anonymity

From TurnKey+MediaWiki

Preword

(Or “How I learned to start worrying and love privacy”)

Version 0.9.9b (draft), July 2021 by AnonymousPlanet.

This guide is a DRAFT work in progress. While I am working constantly to correct issues, improve the content, general structure, and readability, it will probably never be “finished” and some parts might be incomplete as of this release.
Remember to check frequently for a new version of this guide.
This guide is a non-profit open-source initiative, licensed under Creative Commons Attribution 4.0 International (cc-by-4.0 [Archive.org]).

Find it online at:


Original: https://anonymousplanet.org Archive.org, Archive.today

Mirror: https://mirror.anonymousplanet.org Archive.org, Archive.today

Tor Mirror: http://thgtoa7imksbg7rit4grgijl2ef6kc7b56bp56pmtta4g354lydlzkqd.onion

Archive.today over Tor: http://archivecaslytosk.onion/anonymousplanet.org/guide.html


PDF versions (best format for the best readability) of this guide at:

Light Theme: https://anonymousplanet.org/guide.pdf Mirror Archive.org Tor Mirror

Dark Theme: https://anonymousplanet.org/guide-dark.pdf Mirror Archive.org Tor Mirror

Both at CryptPad.fr https://cryptpad.fr/drive/#/2/drive/view/Ughm9CjQJCwB8BIppdtvj5zy4PyE-8Gxn11x9zaqJLI/


Feel free to submit issues using GitHub Issues at: https://github.com/AnonymousPlanet/thgtoa/issues

Feel free to come discuss ideas at: Matrix/Element: #online-anonymity:matrix.org https://matrix.to/#/#online-anonymity:matrix.org

Follow me on:

Twitter at https://twitter.com/AnonyPla Nitter (cannot guarantee this account will stay up for long tho)

Mastodon at https://mastodon.social/@anonypla

Please consider donating if you enjoy the project and want to support the hosting fees (for the Tor hosting and the Tor Exit node).


There are several ways you could read this guide:

  1. You want to understand the current state of online privacy and anonymity not necessarily get too technical about it: Just read the Introduction, Requirements, Understanding some basics of how some information can lead back to you and how to mitigate those and A final editorial note sections.
  2. You want to do the above but also learn how to remove some online information about you: Just read the above and add the Removing some traces of your identities on search engines and various platforms.
  3. You want to do the above and create online anonymous identities online safely and securely: Read the whole guide.

Finally note that:

  1. This guide does mention and even recommends some commercial services in some sections (such as VPNs, CDNs, and hosting providers) but is not endorsed or sponsored by any of them in any way. There are no referral links and no commercial ties with any of these providers. This project is 100% non-profit.
  2. All external links to:
    • Documents/Files have an https://Archive.org link next to them for accessing content through Archive.org for increased privacy and in case the content goes missing. It is possible some links are not yet archived or outdated on archive.org in which case I encourage you to ask a new save if possible.
    • YouTube Videos have an [Invidious] link next to them for accessing content through an Invidious Instance (in this case yewtu.be hosted in the Netherlands) for increased privacy. See https://github.com/iv-org/invidious Archive.org for more information.
    • Twitter have a [Nitter] link next to them for accessing content through a Nitter Instance (in this case nitter.fdn.fr hosted in France) for increased privacy. See https://github.com/zedeus/nitter Archive.org for more information.
    • Wikipedia have a [Wikiless] link next to them for accessing content through a Wikiless Instance (in this case Wikiless.org) for increased privacy. See https://codeberg.org/orenom/wikiless Archive.org for more information.


If you are reading this in PDF format, you will be seeing plenty of ``` in place of double quotes (“”). These ``` should be ignored and are just there to facilitate conversion into Markdown/HTML format for on-line viewing.

Requirements:

  • Be a permanent Adult resident in Germany where the courts have upheld the legality of not using real names on online platforms (§13 VI of the German Telemedia Act of 20071’2). Alternatively, be an adult resident of any other country where you can validate and verify the legality of this guide yourself.
  • This guide will assume you already have access to some personal (Windows/Linux/MacOS) laptop computer (ideally not a work/shared device).
  • Have patience as this process could take several weeks to finalize if you want to go through all the content.
  • Have a little budget to dedicate to this process (you will need at least a budget for a USB key).
  • Have some free time on your hands to dedicate to this process (or a lot depending on the route you pick).
  • Be prepared to read a lot of references (do read them), guides (do not skip them) and follow a lot of how-to tutorials thoroughly (do not skip them either).
  • Don’t be evil (for real this time)3.

Introduction:

TLDR for the whole guide: “A strange game. The only winning move is not to play”

Making a social media account with a pseudonym or artist/brand name is easy. And it is enough in most use cases to protect your identity as the next George Orwell. There are plenty of people using pseudonyms all over Facebook/Instagram/Twitter/LinkedIn/TikTok/Snapchat/Reddit/… But the vast majority of those are anything but anonymous and can easily be traced to their real identity by your local police officers, random people within the OSINT5 (Open-Source Intelligence) community and trolls6 on 4chan7.

This is a good thing as most criminals/trolls are not really tech savvy and will be identified with ease. But this is also a bad thing as most political dissidents, human rights activists and whistleblowers can also be tracked rather easily.

This updated guide aims to provide an introduction to various de-anonymization techniques, tracking techniques, ID verification techniques and optional guidance on creating and maintaining reasonably anonymous identities online, including social media accounts, safely. This includes mainstream platforms and not only privacy friendly ones.

It is important to understand that the purpose of this guide is anonymity and not just privacy, but much of the guidance you will find here will also help you improve your privacy and security even if you are not interested in anonymity. There is an important overlap in techniques and tools used for privacy, security, and anonymity but they differ at some point:

  • Privacy is about people knowing who you are but not knowing what you are doing.
  • Anonymity is about people knowing what you are doing but not knowing who you are 8.

Privacyguide1.jpeg

(Illustration from9)

Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not … Mossad will be doing “Mossad things” 10 and will probably find you no matter how hard you try to hide11.

You must consider your threat model12 before going further.

Image2.jpeg

(Illustration by xkcd.com, licensed under CC BY-NC 2.5)

Will this guide help you protect your privacy from OSINT researchers like Bellingcat13 , Doxing14 trolls on 4chan15 and others that have no access to the NSA toolbox? More likely. Tho I would not be so sure about 4chan.

Here is a basic simplified threat model for this guide:

Image3.jpeg

(Note that the “magical amulets/submarine/fake your own death” jokes are quoted from 10)

Important Disclaimer: Jokes aside (magical amulet…). Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries but those are just out of scope of this guide. It is crucially important that you understand the limits of the threat model of this guide. And therefore, this guide will not double in size to help with those advanced mitigations as this is just too complex and will require a very high knowledge that is not expected from the targeted audience of this guide.

The EFF provides a few security scenarios of what you should consider depending on your activity. While some of those tips might not be within the scope of this guide (more about Privacy than Anonymity), they are still worth reading as examples. See https://ssd.eff.org/en/module-categories/security-scenarios Archive.org.

There are also quite a few more serious ways of making your threat model such as:


LINDDUN https://www.linddun.org/ Archive.org
STRIDE https://en.wikipedia.org/wiki/STRIDE_%28security%29 Wikiless Archive.org
DREAD https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29 Wikiless Archive.org
PASTA https://versprite.com/tag/pasta-threat-modeling/ Archive.org

And there are quite a few others too, see:


https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/ Archive.org
https://www.geeksforgeeks.org/threat-modelling/ Archive.org

You can find some introduction on these on these projects:


OWASP https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html Archive.org
Online Operations Security https://github.com/devbret/online-opsec/ Archive.org

It is also very important again to understand this guide is the humble result of years of experience, learning and testing from a single individual (myself) and that many of those systems that aim to prevent anonymity are opaque proprietary closed-source systems. Many of those guidelines are based on experience, on referenced studies and recommendations by other people and projects. These experiences take a lot of time, resources and are sometimes far from being scientific. There might be some wrong or outdated information in this guide too because I am not omniscient and humans make mistakes (feel free to report any using GitHub Issues). Your mileage may vary (a lot). Use at your own risk. Please do not take this guide as a definitive truth for everything because it is not. Plenty of mistakes have been written in the guide during the many previous drafts and fixed later when I was made aware of them. I have no doubts there are still some mistakes in here right now. All of those are fixed as soon as possible when discovered.


You might think this guide has no legitimate use but there are many such as:

  • Evading Online Censorship
  • Evading Online Oppression
  • Evading Online Stalking, Doxxing, and Harassment
  • Evading Online Unlawful Government Surveillance
  • Anonymous Online Whistle Blowing
  • Anonymous Online Activism
  • Anonymous Online Journalism
  • Anonymous Online Legal Practice
  • Anonymous Online Academic Activities (For instance accessing scientific research where such resources are blocked). See note below.

Note: that if you are having trouble accessing any of the many academic articles referenced in this guide, feel free to use Sci-Hub (https://en.wikipedia.org/wiki/Sci-Hub Wikiless Archive.org) or LibGen (https://en.wikipedia.org/wiki/Library_Genesis Wikiless Archive.org) for finding and reading them. Because science should be free. All of it.

This guide is written with hope for those good intended individuals who might not be knowledgeable enough to consider the big picture of online anonymity and privacy.

This guide is not intended for:

  • Creating machine accounts of any kind (bots).
  • Creating impersonation accounts of existing people (such as identity theft).
  • Helping malicious actors conduct unlawful or unethical activities (such as trolling, stalking, disinformation, misinformation, harassment, or any criminal activity).
  • Use by minors.

Feel free to report issues, recommend improvements or start a discussion on the GitHub repository if you want.

Again, use at your own risk. Anything in here is not legal advice and you should verify compliance with your local law before use (IANAL23). “Trust but verify”24 all the information yourself (or even better, “Never Trust, always verify”25). I strongly encourage you to inform yourself and do not hesitate to check any information in this guide with outside sources in case of doubt. Please do report any mistake you spot to me as I welcome criticism, even harsh criticism, and I usually make the necessary corrections as quickly as possible.

Understanding some basics of how some information can lead back to you and how to mitigate some:

There are many ways you can be tracked besides browser cookies and ads, your e-mail, and your phone number. And if you think only the Mossad or the NSA/FSB can find you, you would be terribly wrong.

You might consider viewing this good YouTube playlist as an introduction before going further: https://www.youtube.com/playlist?list=PL3KeV6Ui_4CayDGHw64OFXEPHgXLkrtJO Invidious (from the Go Incognito project https://github.com/techlore-official/go-incognito Archive.org). This guide will cover many of those topics with more details and references as well as some additional topics not covered within that series but I would recommend the series as an introduction and it will just take you 2 or 3 hours to watch it all.

Now, here is a non-exhaustive list of some of the many ways you could be tracked and de-anonymized:

Your Network:

Your IP address:

Disclaimer: this whole paragraph is about your public facing Internet IP and not your local network IP

Your IP address26 is the most known and obvious way you can be tracked. That IP is the IP you are using at the source. This is where you connect to the internet. That IP is usually provided by your ISP (Internet Service Provider) (xDSL, Mobile, Cable, Fiber, Cafe, Bar, Friend, Neighbor). Most countries have data retention regulations27 which mandate keeping logs of who is using what IP at a certain time/date for up to several years or indefinitely. Your ISP can tell a third party that you were using a specific IP at a specific date and time, years after the fact. If that IP (the origin one) leaks at any point for any reason, it can be used to track you down directly. In many countries, you will not be able to have internet access without providing some form of identification to the provider (address, ID, real name, e-mail …).

Needless to say, most platforms (such as social networks) will also keep (sometimes indefinitely) the IP addresses you used to sign-up and sign-in to their services.

Here are some online resources you can use to find some information about your current public IP right now:

  • Registration information of an IP (most likely your ISP or the ISP of your connection who most likely know who is using that IP at any time):
  • Check for open-services or open-devices on an IP (especially if there are leaky Smart Devices on it):

For those reasons, we will need to obfuscate that origin IP (the one tied to your identification) or hide it as much as we can through a combination of various means:

  • Using a public Wi-Fi service (free).
  • Using the Tor Anonymity Network28 (free).
  • Using VPN29 services anonymously (anonymously paid with cash or Monero).

All those will be explained later in this guide.

Your DNS and IP requests:

DNS stands for “Domain Name System”30 and is a service used by your browser (and other apps) to find the IP addresses of a service. It is pretty much a huge “contact list” (a phone book, for older people): you ask it for a name and it returns the number to call, except it returns an IP instead.

Every time your browser wants to access a certain service such as Google through www.google.com, your browser (Chrome or Firefox) will query a DNS service to find the IP addresses of the Google web servers.

Here is a video explaining DNS visually if you are already lost: https://www.youtube.com/watch?v=vrxwXXytEuI Invidious

Usually, the DNS service is provided by your ISP and automatically configured by the network you are connecting to. This DNS service could also be subject to data retention regulations or will just keep logs for other reasons (data collection for advertising purposes for instance). Therefore, this ISP will be capable of telling everything you did online just by looking at those logs, which can in turn be provided to an adversary. Conveniently, this is also the easiest way for many adversaries to apply censoring or parental control by using DNS blocking31. The provided DNS servers will give you a different address (than the real one) for some websites (like redirecting thepiratebay to some government website). Such blocking is widely applied worldwide for certain sites32.

Using a private DNS service or your own DNS service would mitigate these issues but the other problem is that most of those DNS requests are by default still sent in clear text (unencrypted) over the network. Even if you browse PornHub in an incognito Window, using HTTPS and using a private DNS service, chances are very high that your browser will send a clear text unencrypted DNS request to some DNS servers asking basically “So what’s the IP address of www.pornhub.com?”.

Because it is not encrypted, your ISP and/or any other adversary could still intercept your request (using a Man-in-the-middle attack33) and will know, and possibly log, what your IP was looking for. The same ISP can also tamper with the DNS responses even if you are using a private DNS, rendering the use of a private DNS service useless.

As a bonus, many devices and apps will use hardcoded DNS servers, bypassing any system setting you could set. This is for example the case with most (70%) Smart TVs and a large part (46%) of Game Consoles34. For these devices, you will have to force them35 to stop using their hardcoded DNS service, which could make them stop working properly.

A solution to this is to use encrypted DNS using DoH (DNS over HTTPS36) or DoT (DNS over TLS37) with a private DNS server (this can be self-hosted locally with a solution like pi-hole38, remotely hosted with a solution like nextdns.io, or using the solutions provided by your VPN provider or the Tor network). This should prevent your ISP or some middle-man from snooping on your requests … except it might not.
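To make the clear-text problem concrete, here is an added example (not code from the guide) that builds a DNS query in its RFC 1035 wire format, shows how a passive observer on the path reads the queried name straight out of the unencrypted UDP payload, and then wraps the very same bytes the way a DoH client does (RFC 8484, base64url in the `dns=` parameter), so that only the TLS connection to the resolver remains visible. The hostname and the resolver URL `https://doh.example/dns-query` are constructed placeholders.

```python
import base64
import struct

# Constructed example: a client asking for the A record of www.example.com.
QUERY_NAME = "www.example.com"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format) for an A record."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is length-prefixed, terminated by the empty root label
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def name_from_query(packet: bytes) -> str:
    """What a passive observer recovers from an unencrypted port-53 payload:
    the queried domain name, read directly out of the bytes, no decryption needed."""
    labels = []
    pos = 12  # skip the fixed 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:  # root label ends the name
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, resolver: str = "https://doh.example/dns-query") -> str:
    """Wrap the same wire-format query for a DoH GET request (RFC 8484).
    The encoding is base64url without '=' padding; the query then travels inside HTTPS."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def query_from_doh_url(url: str) -> bytes:
    """What the DoH resolver does on its side: restore padding and decode the wire query."""
    encoded = url.split("?dns=", 1)[1]
    padding = "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(encoded + padding)


if __name__ == "__main__":
    wire = build_query(QUERY_NAME)
    print("raw UDP payload  :", wire.hex())
    print("observer sees    :", name_from_query(wire))
    url = doh_get_url(wire)
    print("DoH GET URL      :", url)
    print("resolver decodes :", name_from_query(query_from_doh_url(url)))
```

Note that the DoH URL still names the resolver itself: the TLS connection to it, including its SNI, is what the network observer is left with.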

Small in-between disclaimer: This guide does not necessarily endorse or recommend Cloudflare services even if they are mentioned several times in this section for technical understanding.

Unfortunately, the TLS protocol used in most HTTPS connections in most Browsers (Chrome/Brave/Ungoogled-Chromium among them) will leak the Domain Name again through SNI39 handshakes (this can be checked here at Cloudflare: https://www.cloudflare.com/ssl/encrypted-sni/ Archive.org ). As of the writing of this guide, only Firefox based browsers support ECH (Encrypted Client Hello40, previously known as eSNI41) on some websites, which will encrypt everything end to end (in addition to using a secure private DNS over TLS/HTTPS) and will allow you to hide your DNS requests from a third party42. And this option is not enabled by default either, so you will have to enable it yourself.
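The SNI leak described above, as an added example that is not part of the guide: the block constructs a minimal TLS ClientHello record carrying a server_name extension and then walks it the way a passive observer would, recovering the hostname without any key material. This is exactly the field ECH moves into the encrypted inner ClientHello; the hostname is a constructed placeholder and the parser assumes a single-record, unfragmented ClientHello.

```python
import os
import struct
from typing import Optional

# Constructed example hostname; in a real handshake the browser fills this in.
EXAMPLE_HOST = "www.example.com"


def build_client_hello(server_name: str) -> bytes:
    """Build a TLS record holding a minimal ClientHello whose only extension is server_name."""
    name = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry     # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext

    body = (
        b"\x03\x03"                              # client_version (TLS 1.2; TLS 1.3 keeps it)
        + os.urandom(32)                         # random
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression methods: null only
        + extensions
    )
    # Handshake header: type 1 = client_hello, 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 = handshake, legacy version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_record(record: bytes) -> Optional[str]:
    """Return the host_name in the server_name extension of a ClientHello, or None.
    Everything below is read from plaintext: this is what an on-path observer sees."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not a ClientHello
    pos = 5 + 4                          # skip record header and handshake header
    pos += 2 + 32                        # client_version + random
    pos += 1 + record[pos]               # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                    # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    if pos + 2 > len(record):
        return None                      # ClientHello without extensions
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            list_len = struct.unpack("!H", record[pos:pos + 2])[0]
            p, list_end = pos + 2, pos + 2 + list_len
            while p + 3 <= list_end:
                name_type = record[p]
                name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return record[p:p + name_len].decode("ascii")
                p += name_len
        pos += ext_len
    return None


if __name__ == "__main__":
    hello = build_client_hello(EXAMPLE_HOST)
    print("record bytes :", hello.hex())
    print("observer sees:", sni_from_record(hello))
```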

Image4.jpeg

In addition to limited browser support, only Web Services and CDNs43 behind Cloudflare CDN support ECH/eSNI at this stage44. This means that ECH and eSNI are not supported (as of the writing of this guide) by most mainstream platforms such as:

  • Amazon (including AWS, Twitch…)
  • Microsoft (including Azure, OneDrive, Outlook, Office 365…)
  • Google (including Gmail, Google Cloud…)
  • Apple (including iCloud, iMessage…)
  • Reddit
  • YouTube
  • Facebook
  • Instagram
  • Twitter
  • GitHub

Some countries like Russia45 and China46 will block ECH/eSNI handshakes at network level to allow snooping and prevent bypassing censorship. Meaning you will not be able to establish an HTTPS connection with a service if you do not allow them to see what it was.

The issues do not end here. Part of the HTTPS TLS validation is called OCSP47 and this protocol, used by Firefox based browsers, will leak metadata in the form of the serial number of the certificate of the website you are visiting. An adversary can then easily find which website you are visiting by matching the certificate number48. This issue can be mitigated by using OCSP stapling49. Unfortunately, this is enabled but not enforced by default in Firefox/Tor Browser. But the website you are visiting must also support it and not all do. Chromium based browsers on the other hand use a different system called CRLSets50’51, which is arguably better.

Here is a list of how various browsers behave with regard to OCSP: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/ Archive.org

Here is an illustration of the issue you could encounter on Firefox based browsers:

Image5.jpeg

Finally, even if you use a custom encrypted DNS server (DoH or DoT) with ECH/eSNI support and OCSP stapling, it might still not be enough as traffic analysis studies52 have shown it is still possible to reliably fingerprint and block unwanted requests. Only DNS over Tor was able to demonstrate efficient DNS Privacy in recent studies but even that can still be defeated by other means (see Your Anonymized Tor/VPN traffic).

One could also decide to use a Tor Hidden DNS Service or ODoH (Oblivious DNS over HTTPS53) to further increase privacy/anonymity but unfortunately, as far as I know, these methods are only provided by Cloudflare as of this writing (https://blog.cloudflare.com/welcome-hidden-resolver/ Archive.org, https://blog.cloudflare.com/oblivious-dns/ Archive.org). I personally think these are viable and reasonably secure technical options but there is also a moral choice if you want to use Cloudflare or not (despite the risk posed by some researchers54).

Lastly, there is also this new option called DoHoT which stands for DNS over HTTPS over Tor which could also further increase your privacy/anonymity and which you could consider if you are more skilled with Linux. See https://github.com/alecmuffett/dohot Archive.org. This guide will not help you with this one at this stage but it might be coming soon.

Here is an illustration showing the current state of DNS and HTTPS privacy based on my current knowledge.

Image6.jpeg

As for your normal daily use (non-sensitive), remember that only Firefox based browsers support ECH (formerly eSNI) so far and that it is only useful with websites hosted behind Cloudflare CDN at this stage. If you prefer a Chrome based version (which is understandable for some due to some better integrated features like on-the-fly Translation), then I would recommend the use of Brave instead which supports all Chrome extensions and offers much better privacy than Chrome. Alternatively, if you do not trust Brave, you could also use Ungoogled-Chromium (https://github.com/Eloston/ungoogled-chromium Archive.org).

But the story does not stop there. Even after all this, even if you encrypt your DNS and use all possible mitigations, simple IP requests to any server will probably still allow an adversary to detect which site you are visiting. This is simply because the majority of websites have unique IPs tied to them as explained here: https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an-ip-address/ Archive.org. This means that an adversary can create a dataset of known websites including their IPs and then match this dataset against the IP you request. In most cases, this will result in a correct guess of the website you are visiting. This means that despite OCSP stapling, despite ECH/eSNI, despite using Encrypted DNS … An adversary can still guess the website you are visiting anyway.

Therefore, to mitigate all these issues (as much as possible and as best as we can), this guide will later recommend two solutions: Using Tor and a virtualized (See Appendix W: Virtualization) multi-layered solution of VPN over Tor solution. Other options will also be explained (Tor over VPN, VPN only, No Tor/VPN) but are less recommended.

Your RFID enabled devices:

RFID stands for Radio-frequency identification55; it is the technology used for instance for contactless payments and various identification systems. Of course, your smartphone is among those devices and has RFID contactless payment capabilities through NFC56. As with everything else, such capabilities can be used for tracking by various actors.

But unfortunately, this is not limited to your smartphone and you also probably carry some number of RFID enabled devices with you all the time such as:

  • Your contactless enabled credit/debit cards
  • Your store loyalty cards
  • Your transportation payment cards
  • Your work-related access cards
  • Your car keys
  • Your national ID or driver license
  • Your passport
  • The price/anti-theft tags on object/clothing

While all these cannot be used to de-anonymize you from a remote online adversary, they can be used to narrow down a search if your approximate location at a certain time is known. For instance, you cannot rule out that some stores will effectively scan (and log) all RFID chips passing through the door. They might be looking for their loyalty cards but are also logging others along the way. Such RFID tags could be traced to your identity and allow for de-anonymization.

More information over at Wikipedia: https://en.wikipedia.org/wiki/Radio-frequency_identification#Security_concerns Wikiless Archive.org and https://en.wikipedia.org/wiki/Radio-frequency_identification#Privacy Wikiless Archive.org

The only way to mitigate this problem is to have no RFID tags on you or to shield them using a type of Faraday cage. You could also use specialized wallets/pouches that specifically block RFID communications. Many of those are now made by well-known brands such as Samsonite57.

See Appendix N: Warning about smartphones and smart devices

The Wi-Fis and Bluetooth devices around you:

Geolocation is not only done by using mobile antenna triangulation. It is also done using the Wi-Fi and Bluetooth devices around you. Operating system makers like Google (Android58) and Apple (iOS59) maintain a convenient database of most Wi-Fi access points, Bluetooth devices and their location. When your Android smartphone or iPhone is on (and not in Airplane mode), it will passively scan (unless you specifically disable this feature in the settings) Wi-Fi access points and Bluetooth devices around you and will be able to geolocate you with more precision than when using a GPS.

This allows them to provide accurate locations even when GPS is off, but it also allows them to keep a convenient record of all Bluetooth devices all over the world, which can then be accessed by them or third parties for tracking.

Note: If you have an Android smartphone, Google probably knows where it is no matter what you do. You cannot really trust the settings. The whole operating system is built by a company that wants your data. Remember that if it is free then you are the product.

But that is not all those Wi-Fi access points can do. Recently developed techs could even allow someone to track your movements accurately just based on radio interference. What this means is that it is possible to track your movement inside a room/building based on the radio signals passing through. This might seem like a tinfoil hat conspiracy theory claim but here are the references60 with demonstrations showing this tech in action: http://rfpose.csail.mit.edu/ Archive.org and the video here: https://www.youtube.com/watch?v=HgDdaMy8KNE Invidious

You could therefore imagine many use cases for such technologies like recording who enters specific buildings/offices (hotels, hospitals, or embassies for instance) and then discovering who meets who and where by tracking them from outside. Even if they have no smartphone on them.

Image7.jpeg

Again, such an issue could only be mitigated by being in a room/building that would act as a Faraday cage.

Here is another video of the same kind of tech in action: https://www.youtube.com/watch?v=FDZ39h-kCS8 Invidious

See Appendix N: Warning about smartphones and smart devices

Malicious/Rogue Wi-Fi Access Points:

These have been used since at least 2008 using an attack called “Jasager”61 and can be done by anyone using self-built tools or using commercially available devices such as Wi-Fi Pineapple62.

Here are some videos explaining more about the topic:

These devices can fit in a small bag and can take over the Wi-Fi environment of any place within their range, for instance a Bar/Restaurant/Café/Hotel Lobby. These devices can force Wi-Fi clients to disconnect from their current Wi-Fi (using de-authentication, disassociation attacks63) while spoofing the normal Wi-Fi networks at the same location. They will continue to perform this attack until your computer or you decide to try to connect to the rogue AP.

These devices can then mimic a captive portal64 with the exact same layout as the Wi-Fi you are trying to access (for instance an Airport Wi-Fi registration portal). Or they could just give you open access internet that they will themselves get from the same place.

Once you are connected through the Rogue AP, this AP will be able to execute various man-in-the-middle attacks to perform analysis on your traffic. These could be malicious redirections or just simple traffic sniffing. These can then easily identify any client that would for instance try to connect to a VPN server or to the Tor Network.

This can be useful when you know someone you want to de-anonymize is in a crowded place but you do not know who. This would allow such an adversary to possibly fingerprint any website you visit despite the use of HTTPS, DoT, DoH, ODoH, VPN or Tor using traffic analysis as pointed above in the DNS section.

These can also be used to carefully craft and serve you advanced phishing webpages that would harvest your credentials or try to make you install a malicious certificate allowing them to see your encrypted traffic.

Your Anonymized Tor/VPN traffic:

Tor and VPNs are not silver bullets. Many advanced techniques have been developed and studied to de-anonymize encrypted Tor traffic over the years65. Most of those techniques are Correlation attacks that will correlate your network traffic in one way or another to logs or datasets. Here are some classic examples:

  • Correlation Fingerprinting Attack: As illustrated (simplified) below, this attack will fingerprint66 your encrypted traffic (like the websites you visited) just based on the analysis of your encrypted traffic (without decrypting it). It can do so with a whopping 96% success rate. Such fingerprinting can be used by an adversary that has access to your source network to figure out some of your encrypted activity (such as which websites you visited).

Image8.jpeg

  • Correlation Timing Attacks: As illustrated (simplified) below, an adversary that has access to network connection logs (IP or DNS for instance, remember that most VPN servers and most Tor nodes are known and publicly listed) at the source and at the destination could correlate the timings to de-anonymize you without requiring any access to the Tor or VPN network in between. A real use case of this technique was done by the FBI in 2013 to de-anonymize67 a bomb threat hoax at Harvard University.

Image9.jpeg

  • Correlation Counting Attacks: As illustrated (simplified) below, an adversary that has no access to detailed connection logs (cannot see that you used Tor or Netflix) but has access to data counting logs could see that you have downloaded 600MB on a specific time/date that matches the 600MB upload at the destination. This correlation can then be used to de-anonymize you over time.

(Image10.jpeg: simplified illustration of a correlation counting attack)

There are ways to mitigate these such as:

  • Do not use Tor/VPNs to access services that are on the same network (ISP) as the destination service. For example, do not connect to Tor from your University Network to access a University Service anonymously. Instead use a different source point (such as a public Wi-Fi) that cannot be correlated easily by an adversary.
  • Do not use Tor/VPN from an obviously monitored network (such as a corporate/governmental Network) but instead try to find an unmonitored network such as a public Wi-Fi or a residential Wi-Fi.
  • Use multiple layers (such as what will be recommended in this guide later: VPN over Tor) so that an adversary might be able to see that someone connected to the service through Tor but will not be able to see that it was you because you were connected to a VPN and not the Tor Network.

Be aware again that this might not be enough against a motivated global adversary68 with wide access to global mass surveillance. Such an adversary might have access to logs no matter where you are and could use those to de-anonymize you.

Also be aware that all the other methods described in this guide, such as Behavioral analysis, can also be used to deanonymize Tor users indirectly (see further Your Digital Fingerprint, Footprint, and Online Behavior).

I also strongly recommend reading this very good, complete and thorough guide on many Attack Vectors on Tor: https://github.com/Attacks-on-Tor/Attacks-on-Tor Archive.org as well as this recent research publication https://www.researchgate.net/publication/323627387_Shedding_Light_on_the_Dark_Corners_of_the_Internet_A_Survey_of_Tor_Research Archive.org

As well as this great series of blog posts: https://www.hackerfactor.com/blog/index.php?/archives/906-Tor-0day-The-Management-Vulnerability.html Archive.org

(In their defense, it should also be noted that Tor is not designed to protect against a Global adversary. For more information see https://svn-archive.torproject.org/svn/projects/design-paper/tor-design.pdf Archive.org and specifically, “Part 3. Design goals and assumptions.”.)

Lastly, do remember that using Tor can already be considered a suspicious activity69 and its use could be considered malicious by some70.

This guide will later propose some mitigations to such attacks by changing your origin from the start (using public Wi-Fi for instance).

Some Devices can be tracked even when offline:

You have seen this in action/spy/Sci-Fi movies and shows: the protagonists always remove the battery of their phones to make sure they cannot be used. Most people would think that is overkill. Well, unfortunately, it is not: this is now becoming true, at least for some devices:

  • iPhones and iPads (IOS 13 and above)71’72
  • Samsung Phones (Android 10 and above)73
  • MacBooks (MacOS 10.15 and above)74

Such devices will continue to broadcast identity information to nearby devices even when offline, using Bluetooth Low-Energy75. The vendors do not have access to the offline devices directly (they are not connected to the internet) but instead find them through other nearby devices76 using BLE. The devices are basically using peer-to-peer short-range Bluetooth communication to broadcast their status through nearby online devices.

The vendors can then locate such devices and keep the location in some database that could be used by third parties or by themselves for various purposes (including analytics, advertising or evidence/intelligence gathering).

See Appendix N: Warning about smartphones and smart devices

Your Hardware Identifiers:

Your IMEI and IMSI (and by extension, your phone number):

The IMEI (International Mobile Equipment Identity77) and the IMSI (International Mobile Subscriber Identity78) are unique numbers created by mobile phone manufacturers and mobile phone operators.

The IMEI is tied directly to the phone you are using. This number is known and tracked by the mobile phone operators and known by the manufacturers. Every time your phone connects to the mobile network, it will register the IMEI on the network along with the IMSI (if a SIM card is inserted, but a SIM is not even needed for this). It is also used by many applications (banking apps abusing the phone permission on Android for instance79) and smartphone Operating Systems (Android/IOS) for identification of the device80. It is possible but difficult (and not illegal in many jurisdictions81) to change the IMEI on a phone, but it is probably easier and cheaper to just find and buy some old (working) burner phone for a few Euros (this guide is for Germany, remember) at a flea market or at some random small shop.

The IMSI is tied directly to the mobile subscription or pre-paid plan you are using and is basically tied to your phone number by your mobile provider. The IMSI is hardcoded directly on the SIM card and cannot be changed. Remember that every time your phone connects to the mobile network, it will also register the IMSI on the network along with the IMEI. Like the IMEI, the IMSI is also used by some applications and smartphone Operating Systems for identification and is being tracked. Some countries in the EU for instance maintain a database of IMEI/IMSI associations for easy querying by Law Enforcement.

Today, giving away your (real) phone number is basically as revealing as (if not more than) giving away your Social Security number/Passport ID/National ID.

The IMEI and IMSI can be traced back to you in at least 6 ways:

  • The mobile operator subscriber logs, which will usually store the IMEI along with the IMSI and their subscriber information database. If you use a prepaid anonymous SIM (anonymous IMSI but with a known IMEI), they can see this phone belongs to you if you used that cell phone before with a different SIM card (different anonymous IMSI but same known IMEI).
  • The mobile operator antenna logs, which conveniently record which IMEI and IMSI connected and also keep some connection data. They know and log, for instance, that a phone with this IMEI/IMSI combination connected to a set of mobile antennas and how strong the signal to each of those antennas was, allowing easy triangulation/geolocation of the signal. They also know which other phones (your real one for instance) connected at the same time to the same antennas with the same signal, which would make it possible to know precisely that this “burner phone” was always connected at the same place/time as this other “known phone” which shows up every time the burner phone is being used. This information can be used by various third parties to geolocate/track you quite precisely82’83.
  • The manufacturer of the phone can trace back the sale of the phone using the IMEI if that phone was bought in a non-anonymous way. Indeed, they will have logs of each phone sale (including serial number and IMEI) and to which shop/person it was sold. If you are using a phone that you bought online (or from someone that knows you), it can be traced to you using that information. Even if they do not find you on CCTV84 and you bought the phone with cash, they can still find what other phone (your real one in your pocket) was there (in that shop) at that time/date by using the antenna logs.
  • The IMSI alone can be used to find you as well because most countries now require customers to provide an ID when buying a SIM card (subscription or pre-paid). The IMSI is then tied to the identity of the buyer of the card. In the countries where the SIM can still be bought with cash (like the UK), they still know where (which shop) it was bought and when. This information can then be used to retrieve information from the shop itself (such as CCTV footage as for the IMEI case). Or again the antenna logs can also be used to figure out which other phone was there at the moment of the sale.
  • The smartphone OS makers (Google/Apple for Android/iOS) also keep logs of IMEI/IMSI identifications tied to Google/Apple accounts and which user has been using them. They too can trace back the history of the phone and to which accounts it was tied in the past85.
  • Government agencies around the world interested in your phone number can and do use86 special devices called “IMSI catchers”87 like the Stingray88 or more recently the Nyxcell89. These devices can impersonate (spoof) a cell phone antenna and force a specific IMSI (your phone) to connect to it in order to access the cell network. Once they do, they will be able to use various MITM33 (Man-In-The-Middle) attacks that will allow them to:
    • Tap your phone (voice calls and SMS).
    • Sniff and examine your data traffic.
    • Impersonate your phone number without controlling your phone.

Here is also a good YouTube video on this topic: DEFCON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time https://www.youtube.com/watch?v=siCk4pGGcqA Invidious

For these reasons, it is crucial to get a dedicated anonymous phone number and/or an anonymous burner phone with an anonymous pre-paid SIM card that is not tied to you in any way (past or present) for conducting sensitive activities (see more practical guidance in the Get an anonymous Phone number section).

While there are some smartphones manufacturers like Purism with their Librem series90 who claim to have your privacy in mind, they still do not allow IMEI randomization which I believe is a key anti-tracking feature that should be provided by such manufacturers. While this measure will not prevent IMSI tracking within the SIM card, it would at least allow you to keep the same “burner phone” and only switch SIM cards instead of having to switch both for privacy.

See Appendix N: Warning about smartphones and smart devices

Your Wi-Fi or Ethernet MAC address:

The MAC address91 is a unique identifier tied to your physical Network Interface (wired Ethernet or Wi-Fi) and could of course be used to track you if it is not randomized. As was the case with the IMEI, manufacturers of computers and network cards usually keep logs of their sales (usually including things like serial number, IMEI, MAC addresses, …) and it is again possible for them to track where and when the computer with the MAC address in question was sold and to whom. Even if you bought it with cash in a supermarket, the supermarket might still have CCTV (or a CCTV camera just outside that shop) and again the time/date of sale could be used to find out who was there using the Mobile Provider antenna logs at that time (IMEI/IMSI).

Operating System makers (Google/Microsoft/Apple) will also keep logs of devices and their MAC addresses for device identification (“Find my device” type services for example). Apple can tell that the MacBook with this specific MAC address was tied to a specific Apple Account before. Maybe yours, before you decided to use the MacBook for sensitive activities. Maybe a different user's, who sold it to you but remembers your e-mail/number from when the sale happened.

Your home router/Wi-Fi access point keeps logs of devices that registered on the Wi-Fi and these can be accessed too to find out who has been using your Wi-Fi. Sometimes this can be done remotely (and silently) by the ISP, depending on whether that router/Wi-Fi access point is being “managed” remotely by the ISP (which is often the case when they provide the router to their customers).

Some commercial devices keep records of MAC addresses roaming around for various purposes such as road congestion monitoring92.

So, it is important again not to bring your phone along when/where you conduct sensitive activities. If you use your own laptop, then it is crucial to hide that MAC address (and Bluetooth address) anywhere you use it and be extra careful not to leak any information. Thankfully many recent OSes now feature or allow the option to randomize MAC addresses (Android, IOS, Linux and Windows 10) with the notable exception of MacOS which does not support this feature even in its latest Big Sur version.
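As an added example (not from the guide), the following Python helper tells a randomized MAC address from a burned-in one, since every randomization feature named above sets the "locally administered" bit of the first octet, and generates a fresh one. The NetworkManager keys in the embedded fragment are real; the drop-in path is the usual conf.d location and is an assumption about your distribution, and the two addresses in the usage block are constructed.

```python
"""
Tell a randomized MAC address from a burned-in one, and generate one.

Added example, not from the guide.  IEEE 802 addresses reserve two bits of
the first octet: bit 0 marks multicast, bit 1 marks "locally administered".
The randomization features of Android, iOS, Windows 10 and Linux set that
second bit, so a first octet ending in 2, 6, A or E is the usual sign that
the address you see is not the one burned into the card.
"""
import re
import secrets

# Six hex pairs separated consistently by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def parse_mac(mac: str) -> list:
    """Return the six octets as integers; raise ValueError on malformed input."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(part, 16) for part in re.split(r"[:-]", mac)]


def is_locally_administered(mac: str) -> bool:
    """True when the locally-administered bit (0x02 of the first octet) is set."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the multicast bit (0x01 of the first octet) is set."""
    return bool(parse_mac(mac)[0] & 0x01)


def random_local_mac() -> str:
    """Generate a random unicast, locally administered address."""
    octets = list(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0xFC) | 0x02  # clear multicast bit, set local bit
    return ":".join(f"{o:02x}" for o in octets)


# NetworkManager drop-in.  The keys are real; the path is the usual conf.d
# location (assumption).  'random' picks a new address for every connection;
# 'stable' would keep one address per network instead.
NM_RANDOMIZE_CONF = """\
# /etc/NetworkManager/conf.d/99-random-mac.conf
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
"""


def describe(mac: str) -> str:
    """One-line verdict for an address copied from `ip link` or similar."""
    if is_locally_administered(mac):
        return f"{mac}: randomized / locally administered"
    return f"{mac}: burned-in (globally unique)"


if __name__ == "__main__":
    for sample in ("00:1a:2b:3c:4d:5e", "da-a1-19-00-11-22"):  # constructed samples
        print(describe(sample))
    print(describe(random_local_mac()))
    print(NM_RANDOMIZE_CONF)
```

Paste the address your OS currently shows into `describe()`: if it still reports "burned-in" after you enabled randomization, the feature is not active on that interface.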

See Appendix N: Warning about smartphones and smart devices

Your Bluetooth MAC address:

Your Bluetooth MAC is like the previous MAC address except it is for Bluetooth. Again, it can be used to track you as manufacturers and operating system makers keep logs of such information. It could be tied to a sale place/time/date or accounts and then could be used to track you with such information, the shop billing information, the CCTV, or the mobile antenna logs in correlation.

Operating systems have protections in place to randomize those addresses but are still subject to vulnerabilities93.

For this reason, and unless you really need it, you should just disable Bluetooth completely in the BIOS/UEFI settings if possible, or in the Operating System otherwise.

On Windows 10, you will need to disable and enable the Bluetooth device in the device manager itself to force a randomization of the address for next use and prevent tracking.

See Appendix N: Warning about smartphones and smart devices

Your CPU:

All modern CPUs94 now integrate hidden management platforms such as the now infamous Intel Management Engine95 and the AMD Platform Security Processor96.

Those management platforms are basically small operating systems running directly on your CPU as long as they have power. These systems have full access to your computer’s network and could be accessed by an adversary to de-anonymize you in various ways (using direct access or using malware for instance) as shown in this enlightening video: BlackHat, How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine https://www.youtube.com/watch?v=mYsTBPqbya8 Invidious.

These have already been affected by several security vulnerabilities in the past97 that allowed malware to gain control of target systems. These are also accused by many privacy actors including the EFF and Libreboot of being a backdoor into any system98.

There are some not-so-easy ways99 to disable the Intel IME on some CPUs and you should do so if you can. On some AMD laptops, you can disable the PSP within the BIOS settings.

Note that, in AMD's defense, so far and AFAIK, there have been no security vulnerabilities found for the ASP and no backdoors either: See https://www.youtube.com/watch?v=bKH5nGLgi08&t=2834s Invidious. In addition, AMD PSP does not provide any remote management capabilities, contrary to Intel IME.

If you are feeling a bit more adventurous, you could install your own BIOS using Libreboot100 or Coreboot101 if your laptop supports it (be aware that Coreboot does contain some proprietary code, unlike its fork Libreboot).

In addition, some CPUs have unfixable flaws (especially Intel CPUs) that could be exploited by various malware. Here is a good current list of such vulnerabilities affecting recent widespread CPUs:

https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability Wikiless Archive.org

If you are using Linux you can check the vulnerability status of your CPU to Spectre/Meltdown attacks by using https://github.com/speed47/spectre-meltdown-checker Archive.org which is available as a package for most Linux distros including Whonix.

If you are using Windows, you can check the vulnerability status of your CPU using inSpectre https://www.grc.com/inspectre.htm Archive.org
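On Linux there is also a check that needs no extra tooling: the kernel itself reports, per issue, whether it considers the CPU affected and which mitigation is active, as one text file each under /sys/devices/system/cpu/vulnerabilities/. The reader below is an added example (not from the guide and not part of spectre-meltdown-checker); the sample statuses it falls back to when that directory is absent are constructed, in the kernel's own wording.

```python
"""
Summarize the Linux kernel's own per-issue CPU vulnerability status.

Added example, not from the guide and unrelated to spectre-meltdown-checker.
Modern kernels export one file per transient-execution issue under
/sys/devices/system/cpu/vulnerabilities/ whose content starts with
"Not affected", "Mitigation: ..." or "Vulnerable...".  This reads them when
present and otherwise falls back to a constructed sample in the same format.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample (same wording the kernel uses) so the script runs offline.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
    "l1tf": "Not affected",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "tsx_async_abort": "Unknown: Dependent on hypervisor status",
}


def read_sysfs(directory=SYSFS_DIR):
    """Return {issue: status} from sysfs, or None when the directory is absent."""
    if not directory.is_dir():
        return None
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}


def classify(status: str) -> str:
    """Collapse the kernel's free-text status into four buckets."""
    text = status.strip().lower()
    if text.startswith("not affected"):
        return "not_affected"
    if text.startswith("mitigation"):
        return "mitigated"
    if text.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(statuses: dict):
    """Return (bucket per issue, sorted list of issues still reported vulnerable)."""
    buckets = {name: classify(text) for name, text in statuses.items()}
    exposed = sorted(name for name, bucket in buckets.items() if bucket == "vulnerable")
    return buckets, exposed


def report(statuses: dict, label: str) -> str:
    """Human-readable table plus the list that actually matters."""
    buckets, exposed = summarize(statuses)
    lines = [f"[{label}]"]
    for name, text in statuses.items():
        lines.append(f"{name:<18} {buckets[name]:<13} {text}")
    lines.append("still vulnerable: " + (", ".join(exposed) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs()
    if live is None:
        print(report(SAMPLE_STATUS, "constructed sample"))
    else:
        print(report(live, "live sysfs"))
```

Inside a VM the guest kernel reports what the hypervisor exposes, so run it on the host as well; a status starting with "Unknown" means the kernel could not decide, not that you are safe.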

Some of these can be avoided using Virtualization Software settings that can mitigate such exploits. See this guide for more information https://www.whonix.org/wiki/Spectre_Meltdown Archive.org (warning: these can severely impact the performance of your VMs).

I will therefore mitigate some of these issues in this guide by recommending the use of virtual machines on a dedicated anonymous laptop for your sensitive activities that will only be used from an anonymous public network.

Your Operating Systems and Apps telemetry services:

Whether it is Android, iOS, Windows, MacOS or even Ubuntu, most popular Operating Systems now collect telemetry information by default even if you never opted in or opted out102 from the start. Some, like Windows, will not even allow disabling telemetry completely without some technical tweaks. This information collection can be extensive and include a staggering number of details (metadata and data) on your devices and their usage.

Here are good overviews of what is being collected by those 5 popular OSes in their last versions:

  • Windows/Microsoft:


Not only are Operating Systems gathering telemetry, but so are apps themselves, like browsers, mail clients and social networking apps installed on your system.

It is important to understand that this telemetry data can be tied to your device and help de-anonymize you, and can subsequently be used against you by an adversary that gets access to this data.

This does not mean, for example, that Apple devices are terrible choices for good privacy, but they are certainly not the best choices for (relative) anonymity. They might protect you from third parties knowing what you are doing, but not from Apple itself. In all likelihood, they certainly know who you are.

Later in this guide, we will use all the means at our disposal to disable and block as much telemetry as possible to mitigate this attack vector in the Operating Systems supported in this guide.

See Appendix N: Warning about smartphones and smart devices

Your Smart devices in general:

You got it; your smartphone is an advanced spying/tracking device that:

  • Records everything you say at any time (“Hey Siri”, “Hey Google”).
  • Records your location everywhere you go.
  • Always records other devices around you (Bluetooth devices, Wi-Fi Access points).
  • Records your habits and health data (steps, screen time, exposure to diseases, connected devices data).
  • Records all your network locations.
  • Records all your pictures and videos (and most likely where they were taken).
  • Most likely has access to most of your known accounts, including social media, messaging and financial accounts.

Data is transmitted even if you opt out102, then processed and stored indefinitely (most likely unencrypted105) by various third parties106.

But that is not all: this section is not called “Smartphones” but “Smart devices” because it is not only your smartphone spying on you. It is also every other smart device you might have.

  • Your Smart Watch? (Apple Watch, Android Smartwatch …)
  • Your Fitness Devices and Apps107? (Strava108’109, Fitbit110, Garmin, Polar111, …)
  • Your Smart Speaker? (Amazon Alexa112, Google Echo, Apple Homepod …)
  • Your Smart Transportation? (Car? Scooter?)
  • Your Smart Tags? (Apple AirTag, Galaxy SmartTag, Tile…)
  • Your Car? (Yes, most modern cars have advanced logging/tracking features these days113)
  • Any other Smart device? There are even convenient search engines dedicated to finding them online:

See Appendix N: Warning about smartphones and smart devices

Yourself:

Your Metadata including your Geo-Location:

Your metadata is all the information about your activities without the actual content of those activities. For instance, it is like knowing you received a call from an oncologist and then successively called your family and friends. You do not know what was said during those conversations, but you can guess what they were about just from the metadata114.

This metadata will also often include your location, which is harvested by smartphones, Operating Systems (Android115/IOS), browsers, apps and websites. Odds are there are several companies that know exactly where you are at any time116 because of your smartphone117.

This location data has already been used in many judicial cases118 as part of “geofence warrants”119 that allow law enforcement to request from companies (such as Google/Apple) a list of all devices present at a certain location at a certain time. In addition, this location data is even sold by private companies to the military, who can then use it conveniently120.

Now let us say you are using a VPN to hide your IP. The social media platform knows you were active on that account on November 4th from 8am to 1pm with that VPN IP. The VPN allegedly keeps no logs and cannot trace back that VPN IP to your IP. Your ISP however knows (or at least can know) you were connected to that same VPN provider on November 4th from 7:30am to 2pm but does not know what you were doing with it.

The question is: Is there someone somewhere that would possibly have both pieces of information available121 for correlation in a convenient database?
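To make that question concrete, here is an added example (not from the guide) that models the two log sources just described, and equally the correlation timing and counting attacks from the Tor/VPN section above: an ISP-side session list and a platform-side session list, and the scoring a party holding both could do. All records are constructed, as are the subscriber and account names, the VPN exit IP 203.0.113.7 (a documentation address) and the year; the times and volumes follow the scenario in the text.

```python
"""
Timing and volume correlation between two independent log sources.

Added example, not from the guide.  One party (the ISP) sees "subscriber S
was connected to VPN provider X from 07:30 to 14:00 and moved 630 MB";
another (the platform) sees "account A was active from VPN exit IP Y from
08:00 to 13:00 and uploaded 600 MB".  Neither side alone links S to A; a
party holding both can rank candidates by how well the sessions line up.
All records, names, the exit IP 203.0.113.7 and the year are constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Session:
    source: str       # which vantage point recorded it (isp, platform)
    subject: str      # identifier known on that side (subscriber id, account)
    peer: str         # remote endpoint as seen from there (VPN provider / exit IP)
    start: datetime
    end: datetime
    nbytes: int       # traffic volume recorded for the session

    @property
    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


# Constructed logs: source|subject|peer|start|end|bytes
ISP_LOG = """
isp|subscriber-1234|vpn-provider-X|2020-11-04T07:30|2020-11-04T14:00|630000000
isp|subscriber-5678|vpn-provider-X|2020-11-04T09:00|2020-11-04T10:00|50000000
isp|subscriber-9999|vpn-provider-X|2020-11-04T15:00|2020-11-04T16:00|600000000
"""
PLATFORM_LOG = """
platform|account-throwaway|203.0.113.7|2020-11-04T08:00|2020-11-04T13:00|600000000
"""


def parse_log(text: str) -> list:
    """Parse the constructed pipe-separated records into Session objects."""
    sessions = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, subject, peer, start, end, nbytes = line.split("|")
        sessions.append(Session(src, subject, peer,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end), int(nbytes)))
    return sessions


def overlap_seconds(a: Session, b: Session) -> float:
    """Seconds during which both sessions were active (0 when disjoint)."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    return max(0.0, (end - start).total_seconds())


def correlate(source_side: list, dest_side: list, volume_tolerance: float = 0.05) -> list:
    """
    For every destination-side session, score every source-side session that
    overlaps it in time.  containment = share of the destination session that
    falls inside the source session (1.0 = fully covered); volume_match = the
    byte counts agree within `volume_tolerance`.  Best candidates first.
    """
    results = []
    for dest in dest_side:
        for src in source_side:
            overlap = overlap_seconds(src, dest)
            if overlap == 0:
                continue
            containment = round(overlap / dest.seconds, 2)
            largest = max(src.nbytes, dest.nbytes, 1)
            volume_match = abs(src.nbytes - dest.nbytes) <= volume_tolerance * largest
            results.append((dest.subject, src.subject, containment, volume_match))
    return sorted(results, key=lambda r: (r[2], r[3]), reverse=True)


if __name__ == "__main__":
    for account, subscriber, containment, volume_match in correlate(
            parse_log(ISP_LOG), parse_log(PLATFORM_LOG)):
        print(f"{account} <- {subscriber}: containment {containment:.2f}, "
              f"volume match {volume_match}")
```

Only subscriber-1234 fully contains the platform session and moves a matching volume; the one-hour session of subscriber-5678 scores far lower and the volume rules it out. This is exactly what the mitigations above break: if the sensitive session is opened from a public network that does not appear in any log tied to you, the source-side list simply has no entry with containment 1.0 and a matching volume.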

Have you heard of Edward Snowden122? Now is the time to google him and read his book123. Also read about XKEYSCORE124’125, MUSCULAR126, SORM127, Tempora128 and PRISM129.

See “We kill people based on Metadata”130 or this famous tweet from the IDF https://twitter.com/idf/status/1125066395010699264 Archive.org Nitter.

See Appendix N: Warning about smartphones and smart devices

Your Digital Fingerprint, Footprint, and Online Behavior:

This is the part where you should watch the documentary “The Social Dilemma”131 on Netflix as they cover this topic much better than anyone else IMHO.

This includes the way you write (stylometry)132’133, the way you behave134’135, the way you click, the way you browse, the fonts you use in your browser136. Fingerprinting is used to guess who someone is by the way that user behaves. You might be using specific pedantic words or making specific spelling mistakes that could give you away through a simple Google search for similar features, because you typed in a similar way in some Reddit post 5 years ago using a not-so-anonymous Reddit account137.

Social Media platforms such as Facebook/Google can go a step further and can register your behavior in the browser itself. For instance, they can register everything you type even if you do not send it / save it. Think of when you write an e-mail in Gmail. It is saved automatically as you type. They can register your clicks and cursor movements as well.

All they need to achieve this in most cases is Javascript enabled in your Browser (which is the case in most Browsers including Tor Browser by default).

While these methods are usually used for marketing purposes and advertising, they can also be a useful tool for fingerprinting users. This is because your behavior is most likely quite unique or unique enough that over time, you could be de-anonymized.

Here are some examples:

  • For example, as a basis of authentication, a user's typing speed, keystroke depressions, patterns of error (say accidentally hitting an “l” instead of a “k” on three out of every seven transactions) and mouse movements establish that person's unique pattern of behavior138. Some commercial services such as TypingDNA (https://www.typingdna.com/ Archive.org) even offer such analysis as a replacement for two-factor authentication.
  • This technology is also widely used in CAPTCHA139 services to verify that you are “human” and can be used to fingerprint a user.

Analysis algorithms could then be used to match these patterns with other users and match you to a different known user. It is unclear whether such data is already used by Governments and Law Enforcement agencies, but it might be in the future. And while this is mostly used for advertising/marketing/CAPTCHA purposes now, it could and probably will be used for investigations in the short or mid-term future to deanonymize users.

Here is a fun example you can try yourself to see some of those things in action: https://clickclickclick.click (no archive links for this one, sorry). You will see it becoming interesting over time (this requires Javascript enabled).

Here is also a recent example just showing what Google Chrome collects on you: https://web.archive.org/web/https://pbs.twimg.com/media/EwiUNH0UYAgLY7V?format=jpg&name=4096x4096

Here are some other resources on the topic if you cannot see this documentary:

So, how can you mitigate these?

  • This guide will provide some technical mitigations using Fingerprinting resistant tools but those might not be sufficient.
  • You should apply common sense and try to identify your own patterns in your behavior and behave differently when using anonymous identities. This includes:
    • The way you type (speed, accuracy…).
    • The words you use (be careful with your usual expressions).
    • The type of response you use (if you are sarcastic by default, try to have a different approach with your identities).
    • The way you use your mouse and click (try to solve the CAPTCHAs differently than your usual way).
    • The habits you have when using some Apps or visiting some Websites (do not always use the same menus/buttons/links to reach your content).
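To see what "your own patterns" look like in practice, here is an added example (not from the guide) that builds a crude stylometric profile, relative frequency of a handful of function and filler words plus the share of contractions, and compares profiles by cosine similarity. The three text samples are constructed: two in one deliberately consistent casual register, one in a formal register. It also lists the features that most set one sample apart from another, which is exactly the list of habits the mitigations above tell you to change.

```python
"""
Crude stylometry: function-word profile + contraction rate, cosine similarity.

Added example, not from the guide.  Real authorship-attribution systems use
far richer features, but even this small profile separates a casual writer
who leans on "basically", "tho" and contractions from a formal one.  The
three samples are constructed.
"""
import math
import re

# Function and filler words whose relative frequency tends to be habitual.
FEATURE_WORDS = ["the", "a", "and", "but", "so", "i", "you", "it", "just",
                 "basically", "tho", "however", "therefore", "not"]

TOKEN_RE = re.compile(r"[a-z']+")

# Constructed samples: A1 and A2 in one casual register, B in a formal one.
SAMPLE_A1 = ("so basically i just tried the thing and it didn't work tho. "
             "i mean, it's not like i expected much, but still. "
             "anyway, just use the other one, it's way better tho.")
SAMPLE_A2 = ("basically you just need to restart it tho. i did that and it's "
             "fine now, so yeah. not a big deal, it's just a bit annoying tho.")
SAMPLE_B = ("However, the procedure was not successful. Therefore, it is "
            "recommended that the alternative approach be considered. "
            "The results are, in any case, inconclusive.")


def tokenize(text: str) -> list:
    """Lowercase word tokens; apostrophes stay inside tokens (it's, didn't)."""
    return TOKEN_RE.findall(text.lower())


def profile(text: str) -> dict:
    """Relative frequency of each feature word, plus the share of contractions."""
    tokens = tokenize(text)
    total = max(len(tokens), 1)
    feats = {w: tokens.count(w) / total for w in FEATURE_WORDS}
    feats["<contraction>"] = sum("'" in t for t in tokens) / total
    return feats


def similarity(text_a: str, text_b: str) -> float:
    """Cosine similarity between two profiles (1.0 = identical proportions)."""
    pa, pb = profile(text_a), profile(text_b)
    dot = sum(pa[k] * pb[k] for k in pa)
    norm = (math.sqrt(sum(v * v for v in pa.values()))
            * math.sqrt(sum(v * v for v in pb.values())))
    return dot / norm if norm else 0.0


def distinctive(text_a: str, text_b: str, factor: float = 2.0) -> list:
    """Features at least `factor` times more frequent in text_a than in text_b."""
    pa, pb = profile(text_a), profile(text_b)
    marks = [(k, pa[k]) for k in pa if pa[k] > 0 and pa[k] >= factor * pb[k]]
    return [k for k, _ in sorted(marks, key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    print(f"A1 vs A2 (same register): {similarity(SAMPLE_A1, SAMPLE_A2):.2f}")
    print(f"A1 vs B  (different):     {similarity(SAMPLE_A1, SAMPLE_B):.2f}")
    print("habits that set A1 apart from B:", distinctive(SAMPLE_A1, SAMPLE_B))
```

Run `distinctive()` with a sample of your own writing against a sample written in the register you intend for an anonymous identity: whatever it lists is what will still give you away.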

Basically, you need to act and fully adopt a role as an actor would do for a performance. You need to become a different person, think, and act like that person. This is not a technical mitigation but a human one. You can only rely on yourself for that.

Ultimately, this is mostly up to you to fool those algorithms by adopting new habits and not revealing real information when using your anonymous identities.

Your Clues about your Real Life and OSINT:

These are clues you might give over time that could point to your real identity. You might be talking to someone or posting on some board/forum/Reddit. In those posts you might over time leak some information about your real life. These might be memories, experiences or clues you shared that could then allow a motivated adversary to build a profile to narrow their search.

A real and well-documented case of this was the arrest of the hacker Jeremy Hammond140, who over time shared several details about his past and was later discovered.

There are also a few cases involving OSINT at Bellingcat141. Have a look at their very informative (but slightly outdated) toolkit here: https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607 Archive.org

You can also view some convenient lists of available OSINT tools here, if you want to try them on yourself for example:

As well as this interesting Playlist on YouTube: https://www.youtube.com/playlist?list=PLrFPX1Vfqk3ehZKSFeb9pVIHqxqrNW8Sy Invidious

As well as those interesting podcasts:

https://www.inteltechniques.com/podcast.html

You should never ever share real personal experiences/details using your anonymous identities that could later lead to finding your real identity.

Your Face, Voice, Biometrics and Pictures:

“Hell is other people”: even if you evade every method listed above, you are not out of the woods yet, thanks to the widespread use of advanced face recognition by everyone.

Companies like Facebook have used advanced face recognition for years142’143 and have been using other means (Satellite imagery) to create maps of “people” around the world144. This evolution has been going on for years to the point we can now say “We lost control of our faces”145.

If you are walking in a touristy place, you will most likely appear in someone’s selfie within minutes without knowing it. That person will then proceed to upload that selfie to various platforms (Twitter, Google Photos, Instagram, Facebook, Snapchat …). Those platforms will then apply face recognition algorithms to those pictures under the pretext of allowing better/easier tagging or to better organize your photo library. In addition to this, the same picture will provide a precise timestamp and in most cases geolocation of where it was taken. Even if the person does not provide a timestamp and geolocation, it can still be guessed with other means146’147.

Here are a few resources if you want to try this yourself:

Even if you are not looking at the camera, they can still figure out who you are148, make out your emotions149, analyze your gait150 and probably guess your political affiliation151’152.

(Image11.jpeg: illustration for the face recognition section)

Those platforms (Google/Facebook) already know who you are for a few reasons:

  • Because you have or had a profile with them and you identified yourself.
  • Even if you never made a profile on those platforms, you still have one without even knowing it153’154’155’156’157.
  • Because other people have tagged you or identified you in their holidays/party pictures.
  • Because other people have put a picture of you in their contact list, which they then shared with those platforms.

Here is also an insightful demo of Microsoft Azure you can try for yourself at https://azure.microsoft.com/en-us/services/cognitive-services/face/#demo where you can detect emotions and compare faces from different pictures.

Governments already know who you are because they have your ID/Passport/Driving License pictures and often added biometrics (Fingerprints) in their database. Those same governments are integrating those technologies (often provided by private companies such as the Israeli AnyVision158, Clearview AI159, or NEC160) in their CCTV networks to look for “persons of interest”161. And some heavily surveilled states like China have implemented widespread use of Facial Recognition for various purposes162 including possibly identifying ethnic minorities163. A simple face recognition error by some algorithm can ruin your life164.

Here are some resources detailing some techniques used by Law Enforcement today:

Apple is making FaceID mainstream and pushing its use to log you into various services, including banking systems.

The same goes for fingerprint authentication, which many smartphone makers are mainstreaming. A simple picture where your fingers appear can be used to de-anonymize you165’166’167.

The same goes for your voice, which can be analyzed for various purposes as shown in the recent Spotify patent168.

We can safely imagine a near future where you will not be able to create accounts or sign in anywhere without providing unique biometrics (a good time to re-watch Gattaca169, Person of Interest170 and Minority Report171). And you can safely imagine how useful these large biometrics databases could be to some interested third parties.

In addition, all this information can also be used against you (if you are already de-anonymized) through deepfakes172, by crafting false information (pictures, videos, voice recordings173…); it has already been used for such purposes174’175. There are even commercial services for this readily available such as https://www.respeecher.com/ Archive.org and https://www.descript.com/overdub Archive.org.

See this demo: https://www.youtube.com/watch?v=t5yw5cR79VA Invidious

At this time, there are a few steps176 you can use to mitigate (and only mitigate) face recognition when conducting sensitive activities where CCTV might be present:

  • Wear a facemask as they have been proven to defeat some face recognition technologies177 but not all178.
  • Wear a baseball cap or hat to mitigate identification from high angle CCTVs (filming from above) from recording your face. Remember this will not help against front-facing cameras.
  • Wear sunglasses in addition to the facemask and baseball cap to mitigate identification from your eyes' features.
  • Consider wearing special sunglasses (expensive unfortunately) called “Reflectacles” https://www.reflectacles.com/ Archive.org. There was a small study showing their efficiency against IBM and Amazon facial recognition179.

(Note that if you intend to use these where advanced facial recognition systems have been installed, these measures could also flag you as suspicious by themselves and trigger a human check.)

Phishing and Social Engineering:

Phishing180 is a social engineering181 type of attack where an adversary could try to extract information from you by pretending to be or impersonating something/someone else.

A typical case is an adversary using a man-in-the-middle33 attack or a fake e-mail/call to ask for your credentials for a service. This could for example be through e-mail or through impersonating financial services.

Such attacks can also be used to de-anonymize someone by tricking them into downloading malware or revealing personal information over time.

These have been used countless times since the early days of the internet, and the most common one is called the “419 scam” (see https://en.wikipedia.org/wiki/Advance-fee_scam Wikiless Archive.org).

Here is a good video if you want to learn a bit more about phishing types: Black Hat, Ichthyology: Phishing as a Science https://www.youtube.com/watch?v=Z20XNp-luNA Invidious.

Malware, exploits, and viruses:

Malware in your files/documents/e-mails:

Using steganography or other techniques, it is easy to embed malware into common file formats such as Office Documents, Pictures, Videos, PDF documents…

These can be as simple as HTML tracking links or complex targeted malware.

These could be simple pixel-sized images182 hidden in your e-mails that call a remote server to try to get your IP address.

These could also exploit a vulnerability in an outdated format or an outdated reader. Such exploits could then be used to compromise your system.

See these good videos for more explanations on the matter:

You should always use extreme caution. To mitigate these attacks, this guide will later recommend the use of virtualization (See Appendix W: Virtualization) to mitigate leaking any information even in case of opening such a malicious file.

If you want to learn how to try detecting such malware, see Appendix T: Checking files for malware
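As an added example (not code from the guide), here is a small standard-library Python check for the tracking-image case described above: it lists every image in an HTML message that would be fetched from a remote server when the mail is rendered, and flags the ones sized or styled to be invisible. The message it scans is a constructed sample, and the hosts in it are placeholders.

```python
"""Flag <img> tags in an HTML e-mail that would contact a remote server when rendered.
Added example, not the guide's code; SAMPLE_EMAIL below is a constructed message."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _px(value):
    """Parse '1', '1px' or '0.5' into a float; None when absent or not numeric (e.g. '100%')."""
    try:
        return float(value.strip().rstrip("px").strip())
    except (AttributeError, ValueError):
        return None


def _css(style):
    """Turn an inline style string into {property: value}, lower-cased and trimmed."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = val.strip().lower()
    return out


def _is_tiny(attrs, css):
    """1x1 (or smaller) images carry no content; they exist only to trigger a fetch."""
    dims = [attrs.get("width"), attrs.get("height"), css.get("width"), css.get("height")]
    return any(_px(d) is not None and _px(d) <= 1 for d in dims)


def _is_hidden(css):
    """An image the reader is not meant to see has no purpose other than tracking."""
    return (css.get("display") == "none" or css.get("visibility") == "hidden"
            or _px(css.get("opacity")) == 0)


class RemoteImageFinder(HTMLParser):
    """Collect remote images; mark those sized or styled to be invisible as likely trackers."""

    def __init__(self):
        super().__init__()
        self.remote = []      # every remote image reveals your IP address and reading time
        self.trackers = []    # the subset that is deliberately invisible

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return            # cid:/data: images are embedded in the mail and fetch nothing
        self.remote.append(src)
        if _is_tiny(a, _css(a.get("style", ""))) or _is_hidden(_css(a.get("style", ""))):
            self.trackers.append(src)


def scan_email_html(html):
    """Return the remote images, the likely trackers, and the set of hosts that would be contacted."""
    parser = RemoteImageFinder()
    parser.feed(html)
    return {"remote": parser.remote, "trackers": parser.trackers,
            "hosts": sorted({urlparse(u).netloc for u in parser.remote})}


# Constructed sample: a visible logo, a 1x1 open-tracker, a CSS-hidden pixel, an inline photo.
SAMPLE_EMAIL = """<html><body>
<p>Hello, here is this week's newsletter.</p>
<img src="https://cdn.example-news.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-news.test/open?u=a1b2c3d4e5f6" width="1" height="1" alt="">
<img src="https://track.example-news.test/px.gif" style="display:none; width: 1px">
<img src="cid:inline-photo@mail" width="400">
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_email_html(SAMPLE_EMAIL).items():
        print(key, value)
```

Reading mail with remote content blocked (a setting most clients offer) prevents the fetch in the first place; the scan only shows which hosts would have been contacted, the visible logo included.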

Malware and Exploits in your apps and services:

So, you are using Tor Browser or Brave Browser over Tor. You could be using those over a VPN for added security. But you should keep in mind that there are exploits183 (hacks) that could be known by an adversary (but unknown to the App/Browser provider). Such exploits could be used to compromise your system and reveal details to de-anonymize you such as your IP address or other details.

A real use case of this technique was the Freedom Hosting184 case in 2013 where the FBI inserted malware185 using a Firefox browser exploit on a Tor website. This exploit allowed them to reveal details of some users. More recently, there was the notable SolarWinds186 hack that breached several US government institutions by inserting malware into an official software update server.

In some countries, malware is simply mandatory and/or distributed by the state itself. This is the case for instance in China with WeChat187, which can then be used in combination with other data for state surveillance188.

There are countless examples of malicious browser extensions, smartphone apps and various apps that have been infiltrated with malware over the years.

Here are some steps to mitigate this type of attack:

  • You should never have 100% trust in the apps you are using.
  • You should always check that you are using the updated version of such apps before use and ideally validate each download using their signature if available.
  • You should not use such apps directly from a hardware system but instead use a Virtual Machine for compartmentalization.

To reflect these recommendations, this guide will therefore later guide you in the use of Virtualization (See Appendix W: Virtualization) so that even if your Browser/Apps get compromised by a skilled adversary, that adversary will find himself stuck in a sandbox189 without being able to access identifying information, or compromise your system.

Malicious USB devices:

There are readily available commercial and cheap “badUSB”190 devices that can deploy malware, log your typing, geolocate you, listen to you or gain control of your laptop just by being plugged in. Here are some examples that you can already buy yourself.

Such devices can be implanted anywhere (charging cable, mouse, keyboard, USB key …) by an adversary and can be used to track you or compromise your computer or smartphone. The most notable example of such attacks is probably Stuxnet191 in 2005.

While you could inspect a USB key physically, scan it with various utilities, and check the various components to see if they are genuine, you will most likely never be able to discover complex malware embedded in genuine parts of a genuine USB key by a skilled adversary without advanced forensics equipment192.

To mitigate this, you should never trust such devices or plug them into sensitive equipment. If you use a charging device, you should consider the use of a USB data blocking device that will only allow charging but not any data transfer. Such data blocking devices are now readily available in many online shops. You should also consider disabling USB ports completely within the BIOS of your computer unless you need them (if you can).

Malware and backdoors in your Hardware Firmware and Operating System:

This might sound a bit familiar as this was already partially covered previously in the Your CPU section.

Malware and backdoors can be embedded directly into your hardware components. Sometimes those backdoors are implemented by the manufacturer itself such as the IME in the case of Intel CPUs. And in other cases, such backdoors can be implemented by a third party that places itself between orders of new hardware and customer delivery193.

Such malware and backdoors can also be deployed by an adversary using software exploits. Many of those are called rootkits194 within the tech world. Usually, these types of malware are harder to detect and mitigate as they are implemented at a lower level than the userspace195 and often in the firmware196 of the hardware components themselves.

What is firmware? Firmware is a low-level operating system for devices. Each component in your computer probably has firmware including for instance your disk drives. The BIOS197/UEFI198 system of your machine for instance is a type of firmware.

These can allow remote management and are capable of silently and stealthily taking full control of a target system.

As mentioned previously, these are harder for users to detect, but there are nevertheless some limited steps that can be taken to mitigate some of them, by protecting your device from tampering and by using some measures (like re-flashing the BIOS, for example). Unfortunately, if such malware or backdoor is implemented by the manufacturer itself, it becomes extremely difficult to detect and disable.

Your files, documents, pictures, and videos:

Properties and Metadata:

This can be obvious to many but not to all. Most files have metadata attached to them. A good example is pictures, which store EXIF199 information that can contain a lot of data such as GPS coordinates, which camera/phone model took the picture, and precisely when it was taken. While this information might not directly give away who you are, it could tell exactly where you were at a certain moment, which could allow others to use different sources to find you (CCTV or other footage taken at the same place at the same time during a protest, for instance). It is important that you check any file you would put on those platforms for any properties that might contain information leading back to you.

Here is an example of EXIF data that could be on a picture:

[Image: example EXIF data of a picture (illustration from Wikipedia)]

By the way, this also works for videos. Yes, videos too have geo-tagging, and many people are unaware of this. Here is, for instance, a very convenient tool to geo-locate YouTube videos: https://mattw.io/youtube-geofind/location Archive.org

For this reason, you will always have to be very careful when uploading files using your anonymous identities and check the metadata of those files.

Even if you publish a simple text file, you should always double or triple check it for any information leakage before publishing. You will find some guidance about this in the Some additional measures against forensics section at the end of the guide.
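As an added example (not code from the guide), here is a standard-library Python script that does the check the section above asks for: it walks a JPEG's marker segments, decodes the Exif GPS IFD to a latitude/longitude, and strips the metadata segments without touching the compressed image data. The JPEG it builds for the demo is constructed, not a real photograph.

```python
"""Find Exif GPS data in a JPEG and strip its metadata segments (standard library only).
Added example, not the guide's code; the sample JPEG it builds is constructed, not a real photo."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
KEEP_APP = {0xE0, 0xEE}                   # JFIF and Adobe APP14 hold decoding hints, not identity

def split_segments(data):
    """Return ([(marker, payload, raw_bytes)], tail); tail starts at SOS (image data) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos + 1] not in (0xDA, 0xD9):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((data[pos + 1], data[pos + 4:end], data[pos:end]))
        pos = end
    return segments, data[pos:]

def read_ifd(tiff, offset, endian):
    """Parse one TIFF IFD into {tag: value}; decodes ASCII, SHORT/LONG and RATIONAL entries."""
    entries = {}
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                     # values of up to 4 bytes are stored inline
            raw = tiff[e + 8:e + 8 + size]
        else:                             # bigger values are reached through an offset
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        if typ == 2:                      # ASCII, NUL terminated
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 5:                    # RATIONAL: (numerator, denominator) pairs
            v = struct.unpack(endian + "II" * n, raw)
            entries[tag] = [v[j] / v[j + 1] if v[j + 1] else 0.0 for j in range(0, 2 * n, 2)]
        elif typ in (3, 4):               # SHORT / LONG
            v = struct.unpack(endian + ("H" if typ == 3 else "I") * n, raw)
            entries[tag] = v[0] if n == 1 else v
    return entries

def dms_to_decimal(dms, ref, negative_ref):
    """[degrees, minutes, seconds] plus hemisphere letter -> signed decimal degrees."""
    d, m, s = (list(dms) + [0, 0, 0])[:3]
    value = d + m / 60 + s / 3600
    return -value if ref == negative_ref else value

def gps_from_exif(payload):
    """(lat, lon) from an APP1 Exif payload, or None when it carries no GPS IFD."""
    if not payload.startswith(EXIF_HEADER):
        return None
    tiff = payload[len(EXIF_HEADER):]
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, ifd0[TAG_GPS_IFD], endian)
    if TAG_LAT not in gps or TAG_LON not in gps:
        return None
    return (dms_to_decimal(gps[TAG_LAT], gps.get(TAG_LAT_REF, "N"), "S"),
            dms_to_decimal(gps[TAG_LON], gps.get(TAG_LON_REF, "E"), "W"))

def find_gps(data):
    """First GPS fix found in any APP1 segment of the JPEG, or None."""
    fixes = [gps_from_exif(p) for m, p, _ in split_segments(data)[0] if m == 0xE1]
    return next((f for f in fixes if f), None)

def strip_metadata(data):
    """Drop COM and APPn segments (except decoding hints); the compressed image data is untouched."""
    segments, tail = split_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, _payload, raw in segments:
        if marker == 0xFE or (0xE0 <= marker <= 0xEF and marker not in KEEP_APP):
            continue                      # Exif, XMP, ICC profile, comments: all dropped
        out += raw
    return bytes(out + tail)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: JFIF APP0, Exif APP1 with a GPS IFD, a COM, fake scan data."""
    E = ">"                               # big-endian ("MM") TIFF block
    gps_off = 8 + 2 + 12 + 4              # IFD0 holds one entry (the GPS pointer)
    data_off = gps_off + 2 + 4 * 12 + 4   # GPS IFD holds four entries
    tiff = bytearray(b"MM\x00\x2a" + struct.pack(E + "I", 8) + struct.pack(E + "H", 1))
    tiff += struct.pack(E + "HHII", TAG_GPS_IFD, 4, 1, gps_off) + b"\0" * 4 + struct.pack(E + "H", 4)
    tiff += struct.pack(E + "HHI", TAG_LAT_REF, 2, 2) + lat_ref.encode() + b"\0" * 3
    tiff += struct.pack(E + "HHII", TAG_LAT, 5, 3, data_off)
    tiff += struct.pack(E + "HHI", TAG_LON_REF, 2, 2) + lon_ref.encode() + b"\0" * 3
    tiff += struct.pack(E + "HHII", TAG_LON, 5, 3, data_off + 24) + b"\0" * 4
    for num, den in lat_dms + lon_dms:
        tiff += struct.pack(E + "II", num, den)
    seg = lambda marker, payload: bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    tail = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9"   # fake SOS ... EOI
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, EXIF_HEADER + bytes(tiff)) + seg(0xFE, b"constructed sample, taken at home") + tail)
```

On a real file, read the bytes, run find_gps() to see what the picture gives away, and write the output of strip_metadata() to a new file; re-run find_gps() on that output to confirm the position is gone.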

Watermarking:

Pictures/Videos/Audio:

Pictures/Videos often contain visible watermarks indicating who the owner/creator is, but there are also invisible watermarks in various products aiming at identifying the viewer themselves.

So, if you are a whistleblower thinking about leaking some picture/audio/video file, think twice. There is a chance that it contains an invisible watermark that includes information about you as a viewer. Such watermarks can be enabled with a simple switch in apps like Zoom (Video200 or Audio201) or with extensions202 for popular apps such as Adobe Premiere Pro. They can also be inserted by various content management systems.

For a recent example where someone leaking a Zoom meeting recording was caught because it was watermarked: https://theintercept.com/2021/01/18/leak-zoom-meeting/ Archive.org

Such watermarks can be inserted by various products203’204’205’206 using Steganography207 and can resist compression208 and re-encoding209’210.

These watermarks are not easily detectable and could allow identification of the source despite all efforts.

In addition to watermarks, the camera used for filming (and therefore the device used for filming) a video can also be identified using various techniques such as lens identification211 which could lead to de-anonymization.

Be extremely careful when publishing videos/pictures/audio files from known commercial platforms as they might contain such invisible watermarks in addition to details in the images themselves.

Printing Watermarking:

Did you know that your printer is most likely spying on you too, even if it is not connected to any network? This is a well-known fact among many people in the IT community but few outside it.

Yes … Your printers can be used to de-anonymize you as well as explained by the EFF here https://www.eff.org/issues/printers Archive.org

With this (old but still relevant) video explaining how from the EFF as well: https://www.youtube.com/watch?v=izMGMsIZK4U Invidious

Basically, many printers will print an invisible watermark allowing identification of the printer on every printed page. This is called Printer Steganography212. There is no real way to mitigate this except to inform yourself about your printer and make sure it does not print any invisible watermark. This is obviously important if you intend to print anonymously.

Here is an (old but still relevant) list of printers and brands who do not print such tracking dots provided by the EFF https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots Archive.org

Here are also some tips from the Whonix documentation (https://www.whonix.org/wiki/Printing_and_Scanning Archive.org):

Do not ever print in color; watermarks are usually not present without color toners/cartridges213.

Pixelized or Blurred Information:

Did you ever see a document with blurred text? Did you ever make fun of those movies/series where they “enhance” an image to recover seemingly impossible to read information?

Well, there are techniques for recovering information from such documents, videos, and pictures.

Here is, for example, an open-source project you could use yourself for recovering text from some blurred images: https://github.com/beurtschipper/Depix Archive.org

[Image: Depix example]

This is of course an open-source project available for all to use, but you can imagine that such techniques have probably been used before by other adversaries. These could be used to reveal blurred information from published documents that could then be used to de-anonymize you.

There are also tutorials for applying such techniques with photo editing tools such as GIMP: https://medium.com/@somdevsangwan/unblurring-images-for-osint-and-more-part-1-5ee36db6a70b Archive.org followed by https://medium.com/@somdevsangwan/deblurring-images-for-osint-part-2-ba564af8eb5d Archive.org

Finally, you will find plenty of deblurring resources here: https://github.com/subeeshvasu/Awesome-Deblurring Archive.org

Some online services could even help you do this automatically to some extent, like the MyHeritage.com photo enhancer tool:

https://www.myheritage.com/photo-enhancer Archive.org

Here is the result of the above image:

[Image: result of the MyHeritage photo enhancer on the above image]

Of course, this tool is more like “guessing” than really deblurring at this point, but it could be enough to find you using various reverse image search services.

For this reason, it is always extremely important that you correctly redact and curate any document you might want to publish. Blurring is not enough and you should always completely blacken/remove any sensitive data to avoid any attempt at recovering data from any adversary.

Your Crypto currencies transactions:

Contrary to popular belief, Crypto transactions (such as Bitcoin and Ethereum) are not anonymous214. Most crypto currencies can be tracked accurately through various methods215.

Remember what they say on their own pages: https://bitcoin.org/en/you-need-to-know Archive.org and https://bitcoin.org/en/protect-your-privacy Archive.org:

“Bitcoin is not anonymous”

The main issue is not setting up a random crypto wallet to receive some currency behind a VPN/Tor address (at this point, the wallet is anonymous). The issue arises mainly when you want to convert fiat money (Euros, Dollars …) to crypto and then when you want to cash in your crypto. You will have few realistic options but to transfer those to an exchange (such as Coinbase/Kraken/Bitstamp/Binance). Those exchanges have known wallet addresses and will keep detailed logs (due to KYC216 financial regulations) and can then trace those crypto transactions back to you using the financial system217.

There are some crypto currencies designed with privacy/anonymity in mind, like Monero, but even those have some caveats and warnings to consider218’219.

Even if you use Mixers or Tumblers220 (services that specialize in “anonymizing” crypto currencies by “mixing” them), keep in mind this is only obfuscation221 and not actual anonymity222. Not only is it only obfuscation, but it could also put you in trouble, as you might end up exchanging your crypto for “dirty” crypto that was used in various questionable contexts223.

This does not mean you cannot use Bitcoin anonymously at all. You can actually use Bitcoin anonymously as long as you do not convert it to actual currency and use a Bitcoin wallet from a safe anonymous network. Meaning you should avoid KYC/AML regulations by various exchanges and avoid using the Bitcoin network from any known IP address. See Appendix Z: Paying anonymously online with BTC.

Overall, IMHO, the best option for using Crypto with reasonable anonymity and privacy is still Monero and you should ideally not use any other for sensitive transactions unless you are aware of the limitations and risks involved. Please do read this Monero Disclaimer.

Your Cloud backups/sync services:

All companies are advertising their use of end-to-end encryption (E2EE). This is true for almost every messaging app and website (HTTPS). Apple and Google are advertising their use of encryption on their Android devices and their iPhones.

But what about your backups? Those automated iCloud/google drive backups you have?

Well, you should probably know that most of those backups are not fully end-to-end encrypted and will contain some of your information readily available to a third party. You will see their claims that data is encrypted at rest and safe from anyone … except they usually do keep a key to access some of the data themselves. These keys are used for indexing your content, recovering your account, and collecting various analytics.

There are specialized commercial forensics solutions available (Magnet Axiom224, Cellebrite Cloud225) that will help an adversary analyze your cloud data with ease.

Notable Examples:


  • Apple iCloud: https://support.apple.com/en-us/HT202303 Archive.org: “Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices.”
  • Dropbox: https://www.dropbox.com/privacy#terms Archive.org “To provide these and other features, Dropbox accesses, stores, and scans Your Stuff. You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with”.
  • Microsoft OneDrive: https://privacy.microsoft.com/en-us/privacystatement Archive.org : Productivity and communications products, “When you use OneDrive, we collect data about your usage of the service, as well as the content you store, to provide, improve, and protect the services. Examples include indexing the contents of your OneDrive documents so that you can search for them later and using location information to enable you to search for photos based on where the photo was taken”.

You should not trust cloud providers with sensitive data that you have not previously encrypted locally, and you should be wary of their privacy claims. In most cases they can access your data and provide it to a third party if they want to.

The only way to mitigate this is to encrypt your data yourself, on your side, and only then upload it to such services.

Your Browser and Device Fingerprints:

Your Browser and Device Fingerprints226 are a set of properties/capabilities of your System/Browser. These are used on most websites for invisible user tracking but also to adapt the website user experience to the browser. For instance, websites will be able to provide a “mobile experience” if you are using a mobile browser or propose a specific language/geographic version depending on your fingerprint. Most of those techniques work with recent Browsers like Chromium227-based browsers (such as Chrome) or Firefox228 unless you take special measures.

You can find a lot of detailed information and publications about this on these resources:

Most of the time, those fingerprints will unfortunately be unique or nearly unique to your Browser/System. This means that even if you log out from a website and then log back in using a different username, your fingerprint might remain the same if you did not take precautionary measures.

An adversary could then use such fingerprints to track you across multiple services even if you have no account on any of them and are using ad blocking. These fingerprints could in turn be used to de-anonymize you if you keep the same fingerprint between services.

It should also be noted that while some browsers and extensions will offer fingerprint resistance, this resistance in itself can also be used to fingerprint you as explained here https://palant.info/2020/12/10/how-anti-fingerprinting-extensions-tend-to-make-fingerprinting-easier/ Archive.org

This guide will mitigate these issues by obfuscating and randomizing many of those fingerprinting identifiers, by using Virtualization (See Appendix W: Virtualization) and by using fingerprinting-resistant Browsers.

Local Data Leaks and Forensics:

Most of you have probably seen enough Crime dramas on Netflix or TV to know what forensics is. Forensic examiners are technicians (usually working for law enforcement) who perform various analyses of evidence. This could of course include your smartphone or laptop.

While these might be done by an adversary once you already got “burned”, they might also be done randomly during a routine control or a border check. Such unrelated checks might reveal secret information to adversaries that had no prior knowledge of your activities.

Forensics techniques are now very advanced and can reveal a staggering amount of information from your devices even if they are encrypted229. These techniques are widely used by law enforcement all over the world and should be considered.

Here are some recent resources you should read about your smartphone:

I also highly recommend that you read some documents from a forensics examiner perspective such as:

And finally, here is this very instructive, detailed paper on the current state of iOS/Android security from Johns Hopkins University: https://securephones.io/main.html230.

When it comes to your laptop, the forensics techniques are many and widespread. Many of those issues can be mitigated by using full disk encryption, virtualization (See Appendix W: Virtualization), and compartmentalization. This guide will later detail such threats and techniques to mitigate them.

Bad Cryptography:

There is a frequent adage among the infosec community: “Don’t roll your own crypto!”.

And there are reasons231’232’233 for that:

Personally, I would not want people discouraged from studying and innovating in the crypto field because of that adage. So instead, I would recommend that people be cautious with “Roll your own crypto”, because it is not necessarily good crypto.

  • Good cryptography is not easy and usually takes years of research to develop and fine-tune.
  • Good cryptography is transparent and not proprietary/closed-source so it can be reviewed by peers.
  • Good cryptography is developed carefully, slowly, and rarely alone.
  • Good cryptography is usually presented and discussed at conferences, and published in various journals.
  • Good cryptography is extensively peer reviewed before it is released for use into the wild.
  • Using and implementing existing good cryptography correctly is already a challenge.

Yet, this is not stopping some from doing it anyway and publishing various production Apps/Services using their own self-made cryptography or proprietary closed-source methods.

  • You should apply caution when using Apps/Services using closed-source or proprietary encryption methods. All the good crypto standards are public and peer reviewed and there should be no issue disclosing the one you use.
  • You should be wary of Apps/Services using a “modified” or proprietary cryptographic method234.
  • By default, you should not trust any “Roll your own crypto” until it has been audited, peer-reviewed, vetted, and accepted by the cryptography community235’236.
  • There is no such thing as “military grade crypto”237’238’239.

Cryptography is a complex topic and bad cryptography could easily lead to your de-anonymization.

In the context of this guide, I recommend sticking to Apps/Services using well established, published, and peer reviewed methods.

So, what to prefer and what to avoid as of 2021? You will have to look up the technical details of each app yourself and see if they are using “bad crypto” or “good crypto”. Once you have the technical details, you can check this page to see what they are worth: https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html Archive.org

Here are some examples:

  • Hashes:
    • Prefer: SHA256 or SHA512
    • Avoid: SHA-1, MD5, CRC, MD6
  • File/Disk Encryption:
    • Prefer: AES 256 Bits with HMAC-SHA-2 or HMAC-SHA-3 (This is what Veracrypt, Bitlocker, Filevault 2, KeepassXC, and LUKS use)
    • Avoid: Anything else
  • Password Storage:
    • Prefer: argon2, scrypt, bcrypt, SHA-3 or if not possible at least PBKDF2 (only as a last resort)
    • Avoid: naked SHA-2, SHA-1, MD5
  • Browser Security (HTTPS):
    • Prefer: TLS 1.3 (ideally TLS 1.3 with ECH/eSNI support)
    • Avoid: Anything Else

Here are some real cases of issues with bad cryptography:

No logging but logging anyway policies:

Many people have the idea that privacy-oriented services such as VPN or E-Mail providers are safe due to their no logging policies or their encryption schemes. Unfortunately, many of those same people forget that all those providers are legal commercial entities subject to the laws of the countries in which they operate.

Any of those providers can be forced to silently (without your knowledge, using for example a court order with a gag order240 or a national security letter241) log your activity to de-anonymize you. There have been several recent examples of this:

  • 2021, DoubleVPN servers, logs, and account info seized by law enforcement242
  • 2021, The Germany based mail provider Tutanota was forced to monitor specific accounts for 3 months243
  • 2020, The Germany based mail provider Tutanota was forced to implement a backdoor to intercept and save copies of the unencrypted e-mails of one user244 (they did not decrypt the stored e-mail).
  • 2017, PureVPN was forced to disclose information of one user to the FBI245.
  • 2014, EarthVPN user was arrested based on logs provided to the Dutch Police246.
  • 2014, HideMyAss user was de-anonymized and logs were provided to the FBI247.
  • 2013, Secure E-Mail provider Lavabit shut down after fighting a secret gag order248.

Some providers have implemented the use of a Warrant Canary249 that would allow their users to find out if they have been compromised by such orders but this has not been tested yet as far as I know.

Finally, it is now well known that some companies might be sponsored front-ends for some state adversaries (see the Crypto AG story250 and Omnisec story251).

For these reasons, it is important that you do not trust such providers for your privacy despite all their claims. In most cases, you will be the last person to know if any of your account was targeted by such orders and you might never know at all.

To mitigate this, in cases where you want to use a VPN, I will recommend the use of a cash/Monero-paid VPN provider over Tor to prevent the VPN service from knowing any identifiable information about you.

Some Advanced targeted techniques:

[Illustration: from Das Leben der Anderen252, an excellent movie I highly recommend]

There are many advanced techniques that can be used by skilled adversaries253 to bypass your security measures provided they already know where your devices are. Many of those techniques are detailed here https://cyber.bgu.ac.il/advanced-cyber/airgap Archive.org (Air-Gap Research Page, Cyber-Security Research Center, Ben-Gurion University of the Negev, Israel) and include:

Here is also a good video from the same authors to explain those topics: Black Hat, The Air-Gap Jumpers https://www.youtube.com/watch?v=YKRtFgunyj4 Invidious

Realistically, this guide will be of little help against such adversaries, as such malware could be implanted on the devices by a manufacturer, by anyone in the middle, or by anyone with physical access to the air-gapped computer. There are still some ways to mitigate such techniques:

  • Do not conduct sensitive activity while connected to an untrusted/unsecure power line to prevent power line leaks.
  • Do not use your devices in front of a camera that could be compromised.
  • Use your devices in a soundproofed room to prevent sound leaks.
  • Use your devices in a Faraday cage to prevent electromagnetic leaks.
  • Do not discuss sensitive information in a room where the lightbulbs could be observed from outside.
  • Buy your devices from different/unpredictable/offline places (shops) where the probability of them being infected with such malware is lower.
  • Do not let anyone access your air-gapped computers except trusted people.

Some bonus resources:

Notes:

If you still do not think such information can be used by various actors to track you, you can see some statistics for yourself for some platforms; keep in mind that those only account for lawful data requests and will not count things like PRISM, MUSCULAR, SORM or XKEYSCORE explained earlier:

General Preparations:

Personally, in the context of this guide, it is also interesting to have a look at your security model. And in this context, I only have one to recommend:

Zero-Trust Security25 (“Never trust, always verify”).

Here are some various resources about what is Zero-Trust Security:


Picking your route:

Here is a small basic UML diagram showing your options. See the details below.

[Image: UML diagram of the available routes]

Timing limitations:

  • You have very limited time to learn and need a fast-working solution:
    • Your best option is to go for the TAILS route (excluding the persistent plausible deniability section).
  • You have time and more importantly will to learn:
    • Go with any route.

Budget/Material limitations:

  • You only have one laptop available and cannot afford anything else. You use this laptop for either work, family, or your personal stuff (or both):
    • Your best option is to go for the TAILS route.
  • You can afford a spare dedicated unsupervised/unmonitored laptop for your sensitive activities:
    • But it is old, slow and has bad specs (less than 6GB of RAM, less than 250GB disk space, old/slow CPU):
      • You should go for the TAILS route.
    • It is not that old and it has decent specs (at least 6GB of RAM, 250GB of disk space or more, decent CPU):
      • You could go for TAILS, Whonix routes.
    • It is new and it has great specs (more than 8GB of RAM, >250GB of disk space, recent fast CPU):
      • You could go for any route but I would recommend Qubes OS if your threat model allows it.
    • If it is an ARM based M1 Mac:
      • Not possible currently for these reasons:
        • Virtualization of x86 images on ARM M1 Macs is still limited to commercial software (Parallels) which is not supported by Whonix yet.
        • Virtualbox is not available for ARM architecture yet.
        • Whonix is not supported on ARM architecture yet.
        • TAILS is not supported on ARM architecture yet.
        • Qubes OS is not supported on ARM architecture yet.

Your only option on M1 Macs is probably to stick with Tor Browser for now. But I would guess that if you can afford an M1 Mac you should probably get a dedicated x86 laptop for more sensitive activities.

Skills:

  • You have no IT skills at all and the content of this guide looks like an alien language to you:
    • You should go with the TAILS route (excluding the persistent plausible deniability section).
  • You have some IT skills and mostly understand this guide so far:
    • You should go with TAILS (including the persistent plausible deniability section) or Whonix routes.
  • You have moderate to high IT skills and you are already familiar with some of the content of this guide:
    • You could go with anything you like but I would strongly recommend Qubes OS.
  • You are a l33T hacker, “there is no spoon”, “the cake is a lie”, you have been using “doas” for years and “all your base are belong to us”, and you have strong opinions on systemd.
    • This guide is not really meant for you and will not help you with your HardenedBSD on your hardened Libreboot laptop ;-)

Adversaries (threats):

  • If your main concern is forensic examination of your devices:
    • You should go with the TAILS route (with optional persistent plausible deniability).
  • If your main concerns are remote adversaries that might uncover your online identity in various platforms:
    • You could go with the Whonix or Qubes OS routes.
    • You could also go with TAILS (with optional persistent plausible deniability).
  • If you absolutely want system wide plausible deniability255’256 despite the risks257’258:
    • You could go with the TAILS Route including the persistent plausible deniability section.
    • You could go with the Whonix Route (on Windows Host OS only within the scope of this guide).
  • If you are in a hostile environment where Tor/VPN usage alone is impossible/dangerous/suspicious:
    • You could go with the TAILS route (without using Tor).
    • You could go with the Whonix or Qubes OS route (without actually using Whonix).

In all cases, you should read these two pages from the Whonix documentation that will give you in depth insight about your choices:

You might be asking yourself: “How do I know if I’m in a hostile online environment where activities are actively monitored and blocked?”

Steps for all routes:

Always use passphrases instead of passwords and use a different one for each service. Do not make it easy for an adversary to access all your information because you used the same password everywhere260.

You might also consider some memory tricks to build your password as explained on this blog post from Bruce Schneier: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html Archive.org

(Illustration by xkcd.com, licensed under CC BY-NC 2.5)

Get an anonymous Phone number:

Skip this step if you have no intention of creating anonymous accounts on most mainstream platforms but just want anonymous browsing or if the platforms you will use allow registration without a phone number.

Physical Burner Phone and prepaid SIM card:

Get a burner phone:

This is rather easy. Leave your smartphone off or power it off before leaving. Have some cash and go to some random flea market or small shop (ideally one without CCTV inside or outside and while avoiding being photographed/filmed) and just buy the cheapest phone you can find with cash and without providing any personal information. It only needs to be in working order.

Personally, I would recommend getting an old “dumbphone” with a removable battery (old Nokia if your mobile networks still allow those to connect as some countries phased out 1G-2G completely). This is to avoid the automatic sending/gathering of any telemetry/diagnostic data on the phone itself. You should never connect that phone to any Wi-Fi.

It will also be crucial not to power on that burner phone ever (not even without the SIM card) in any geographical location that could lead to you (at your home/work for instance) and never ever at the same location as your other known smartphone (because that one has an IMEI/IMSI that will easily lead to you). This might seem like a big burden but it is not as these phones are only being used during the setup/sign-up process and for verification from time to time.

Online Phone Number (less recommended):

DISCLAIMER: Do not attempt this until you are done setting up a secure environment according to one of the selected routes. This step will require online access and should only be done from an anonymous network. Do not do this from any known/unsecure environment. Skip this until you have finished one of the routes.

There are many commercial services offering numbers to receive SMS messages online but most of those have basically no anonymity/privacy and can be of no help as most Social Media platforms place a limit on how many times a phone number can be used for registration.

There are some forums and subreddits (like r/phoneverification/) where users will offer the service of receiving such SMS messages for you for a small fee (using PayPal or some crypto payment). Unfortunately, these are full of scammers and very risky in terms of anonymity. You should not use those under any circumstance.

To date, I do not know any reputable service that would offer this service and accept cash payments (by post for instance) like some VPN providers. But there are a few services providing online phone numbers that do accept Monero, which could be reasonably anonymous (yet less recommended than the physical way in the previous chapter), that you could consider:

See Appendix N: Warning about smartphones and smart devices

You should test that the phone is in working order before going to the next step. But I will repeat myself and state again that it is important to leave your smartphone at home when going (or turn it off before leaving if you must keep it) and that you test the phone at a random location that cannot be tracked back to you (and again, do not do that in front of a CCTV, avoid cameras, be aware of your surroundings). No need for Wi-Fi at this place either.

When you are certain the phone is in working order, disable Bluetooth then power it off (remove the battery if you can) and go back home and resume your normal activities. Go to the next step.

Get an anonymous pre-paid SIM card:

This is the hardest part of the whole guide. It is a SPOF (Single Point of Failure). The places where you can still buy prepaid SIM cards without ID registration are getting increasingly limited due to various KYC type regulations261.

So here is a list of places where you can still get them now: https://prepaid-data-sim-card.fandom.com/wiki/Registration_Policies_Per_Country Archive.org

Double-check that the mobile operators selling the pre-paid SIM cards will accept the SIM activation and top-up without any ID registration of any kind before going there. Ideally, they should accept SIM activation and top-up from the country you reside in.

Personally, I would recommend GiffGaff in the UK as they are “affordable”, do not require identification for activation and top-up and will even allow you to change your number up to 2 times from their website. One GiffGaff prepaid SIM card will therefore grant you 3 numbers to use for your needs.

Power off the phone after activation/top-up and before going home. Do not ever power it on again unless you are at a place that cannot be used to reveal your identity, and only if your smartphone was powered off before you went to that “not your home” place.

There are some other possibilities listed here https://cryptwerk.com/companies/sms/xmr/ Archive.org. Use at your own risk.

DISCLAIMER: I cannot vouch for any of these providers and therefore I will still recommend doing it yourself physically. In this case you will have to rely on the anonymity of Monero and you should not use any service that requires any kind of identification using your real identity. Please do read this Monero Disclaimer.

Therefore IMHO, it is probably just more convenient, cheaper, and less risky to just get a pre-paid SIM card from one of the physical places that still sell them for cash without requiring ID registration. But at least there is an alternative if you have no other option.

Get a USB key:

Get at least one or two decent-size generic USB keys (at least 16GB but I would recommend 32GB).

Please do not buy or use gimmicky self-encrypting devices such as these: https://syscall.eu/blog/2018/03/12/aigo_part1/ Archive.org

Some might be very efficient262 but many are gimmicky gadgets that offer no real protection263.

Find some safe places with decent public Wi-Fi:

You need to find safe places where you will be able to do your sensitive activities using some publicly accessible Wi-Fi (without any account/ID registration, avoid CCTVs).

This can be anywhere that will not be tied to you directly (your home/work) and where you can use the Wi-Fi for a while without being bothered. But also, a place where you can do this without being “noticed” by anyone.

If you think Starbucks is a good idea, you may reconsider:

  • They probably have CCTVs in all their shops and keep those recordings for an unknown amount of time.
  • You will need to buy a coffee to get the Wi-Fi access code in most. If you pay for this coffee with an electronic method, they will be able to tie your Wi-Fi access to your identity.

Situational awareness is key and you should be constantly aware of your surroundings and avoid touristy places like they were plagued by Ebola. You want to avoid appearing in any picture/video of anyone while someone is taking a selfie, making a TikTok video or posting some travel picture on their Instagram. If you do, remember chances are high that those pictures will end up online (publicly or privately) with full metadata attached to them (time/date/geolocation) and your face. Remember these can and will be indexed by Facebook/Google/Yandex/Apple and probably all three-letter agencies.

While this will not be available yet to your local police officers, it could be in the near future.

You will ideally need a set of 3-5 different places such as this to avoid using the same place twice. Several trips will be required over the weeks for the various steps in this guide.

You could also consider connecting to these places from a safe distance for added security. See Appendix Q: Using long range Antenna to connect to Public Wi-Fis from a safe distance.

The TAILS route:

This part of the guide will help you in setting up TAILS if one of the following is true:

  • You cannot afford a dedicated laptop
  • Your dedicated laptop is just too old and too slow
  • You have very low IT skills
  • You decide to go with TAILS anyway

TAILS264 stands for The Amnesic Incognito Live System. It is a bootable Live Operating System running from a USB key that is designed for leaving no traces and forcing all connections through the Tor network.

You pretty much insert the Tails USB key into your laptop, boot from it and you have a full operating system running with privacy and anonymity in mind. As soon as you shut down the computer, everything will be gone unless you saved it somewhere.

Tails is a very easy way to get going in no time with what you have and without much learning. It has extensive documentation and tutorials.

WARNING: TAILS is not always up-to-date with their bundled software. And not always up-to-date with the Tor Browser updates either. You should always make sure you are using the latest version of Tails and you should use extreme caution when using bundled apps within Tails that might be vulnerable to exploits and reveal your location265.

It does however have some drawbacks:

  • Tails uses Tor and therefore you will be using Tor to access any resource on the internet. This alone will make you suspicious to most platforms where you want to create anonymous accounts (this will be explained in more detail later).
  • Your ISP (whether it is yours or some public Wi-Fi) will also see that you are using Tor and this could make you suspicious in itself.
  • Tails does not include (natively) some of the software you might want to use later which will complicate things quite a bit if you want to run some specific things (Android Emulators for instance).
  • Tails uses Tor Browser which while it is very secure will be detected as well by most platforms and will hinder you in creating anonymous identities on many platforms.
  • Tails will not protect you more from the 5$ wrench11.
  • Tor in itself might not be enough to protect you from an adversary with enough resources as explained earlier.

Important Note: If your laptop is monitored/supervised and some local restrictions are in place, please read Appendix U: How to bypass (some) local restrictions on supervised computers.

You should also read Tails Documentation, Warnings, and limitations, before going further https://tails.boum.org/doc/about/warning/index.en.html Archive.org

Taking all this into account and the fact that their documentation is great, I will just redirect you towards their well-made and well-maintained tutorial:

https://tails.boum.org/install/index.en.html Archive.org , pick your flavor and proceed.

When you are done and have a working Tails on your laptop, go to the Creating your anonymous online identities step much further in this guide.

If you’re having issues accessing Tor due to censorship or other issues, you can try using Tor Bridges by following this TAILS tutorial: https://tails.boum.org/doc/first_steps/welcome_screen/bridge_mode/index.en.html [Archive.org] and find more information about these in the Tor Documentation https://2019.www.torproject.org/docs/bridges Archive.org

If you think using Tor alone is dangerous/suspicious, see Appendix P: Accessing the internet as safely as possible when Tor/VPN is not an option


Persistent Plausible Deniability using Whonix within TAILS:

Consider checking the https://github.com/aforensics/HiddenVM Archive.org project for TAILS.

This project is a clever idea of a one click self-contained VM solution that you could store on an encrypted disk using plausible deniability255 (see The Whonix route: first chapters and also for some explanations about Plausible deniability, as well as the How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives: section at the end of this guide for more understanding).

This would allow the creation of a hybrid system mixing TAILS with the Virtualization options of the Whonix route in this guide.

Note: See Pick your connectivity method in the Whonix Route for more explanations about Stream Isolation

In short:

  • You could run non-persistent TAILS from one USB key (following their recommendations)
  • You could store persistent VMs within a secondary container that could be encrypted normally or using Veracrypt’s plausible deniability feature (these could be Whonix VMs for instance or any other).
  • You do benefit from the added Tor Stream Isolation feature (see Tor over VPN for more info about stream isolation).

In that case as the project outlines it, there should be no traces of any of your activities on your computer and the sensitive work could be done from VMs stored into a Hidden container that should not be easily discoverable by a soft adversary.

This option is particularly interesting for “traveling light” and to mitigate forensics attacks while keeping persistence on your work. You only need 2 USB keys (one with TAILS and one with a Veracrypt container containing persistent Whonix). The first USB key will appear to contain just TAILS and the second USB will appear to contain just random garbage but will have a decoy volume which you can show for plausible deniability.

You might also wonder if this will result in a “Tor over Tor” setup but it will not. The Whonix VMs will be accessing the network directly through clearnet and not through TAILS Onion Routing.

In the future, this could also be supported by the Whonix project themselves as explained here: https://www.whonix.org/wiki/Whonix-Host Archive.org but it is not yet recommended as of now for end-users.

Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture11. As a matter of fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm Archive.org

Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means.

See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis Wikiless Archive.org

CAUTION: Please see Appendix K: Considerations for using external SSD drives and Understanding HDD vs SSD sections if you consider storing such hidden VMs on an external SSD drive:

  • Do not use hidden volumes on SSD drives as this is not supported/recommended by Veracrypt266.
  • Use file containers instead of encrypted volumes.
  • Make sure you do know how to clean data from an external SSD drive properly.

Here is my guide on how to achieve this:

  • Download the latest HiddenVM release from https://github.com/aforensics/HiddenVM/releases Archive.org
  • Download the latest Whonix XFCE release from https://www.whonix.org/wiki/VirtualBox/XFCE Archive.org
  • Prepare a USB Key/Drive with Veracrypt
    • Create a Hidden Volume on the USB Key/Drive (I would recommend at least 16GB for the hidden volume)
    • In the Outer Volume, place some decoy files
    • In the Hidden Volume, place the HiddenVM appimage file
    • In the Hidden Volume, place the Whonix XFCE ova file
  • Boot into TAILS
  • Set up the Keyboard layout as you want.
  • Select Additional Settings and set an administrator (root) password (needed for installing HiddenVM)
  • Start Tails
  • Connect to a safe wi-fi (this is a required step for the rest to work)
  • Go into Utilities and Unlock your Veracrypt (hidden) Volume (do not forget to check the hidden volume checkbox)
  • Launch the HiddenVM appimage
  • When prompted to select a folder, select the Root of the Hidden volume (where the Whonix OVA and HiddenVM app image files are).
  • Let it do its thing (This will basically install Virtualbox within Tails with one click)
  • When it is done, it should automatically start Virtualbox Manager.
  • Import the Whonix OVA files (see Whonix Virtual Machines:)

Note: if during the import you are having issues such as “NS_ERROR_INVALID_ARG (0x80070057)”, this is probably because there is not enough disk space on your Hidden volume for Whonix. Whonix themselves recommend 32GB of free space but that’s probably not necessary and 10GB should be enough for a start. You can try working around this error by renaming the Whonix *.OVA file to *.TAR and decompressing it within TAILS. When you are done with decompression, delete the OVA file and import the other files with the Import wizard. This time it might work.
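The rename-to-.tar trick works because an OVA is a plain tar archive, and the import error is usually a free-space problem. The following added example (not part of the guide, HiddenVM or Whonix; the file paths and the sample archive are constructed placeholders) totals the members of an OVA, compares that against the free space on the target and unpacks only if it fits:

```python
"""Size-check and unpack a Whonix .ova before importing it into VirtualBox.

Added example, not part of the guide, HiddenVM or Whonix. An .ova is a plain
tar archive, so this does the manual "rename to .tar and decompress" step
with a free-space check in front of it. Paths are placeholders.
"""
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def ova_members(ova_path: str) -> dict:
    """{member name: size in bytes} for the files inside the OVA."""
    with tarfile.open(ova_path, "r:*") as tar:
        return {m.name: m.size for m in tar.getmembers() if m.isfile()}


def required_bytes(ova_path: str, slack: float = 0.10) -> int:
    """Unpacked size plus a margin; VirtualBox copies the disks on import."""
    return int(sum(ova_members(ova_path).values()) * (1 + slack))


def fits(ova_path: str, dest_dir: str) -> bool:
    """True if the target directory's filesystem has room for the unpacked OVA."""
    return shutil.disk_usage(dest_dir).free >= required_bytes(ova_path)


def unpack_ova(ova_path: str, dest_dir: str) -> list:
    """Unpack the OVA into dest_dir, refusing if space is short."""
    if not fits(ova_path, dest_dir):
        raise OSError("not enough free space on %s for %s" % (dest_dir, ova_path))
    dest = str(Path(dest_dir).resolve())
    names = []
    with tarfile.open(ova_path, "r:*") as tar:
        for m in tar.getmembers():
            # Only plain files, and only inside dest (no "../" members).
            target = str((Path(dest) / m.name).resolve())
            if not m.isfile() or not target.startswith(dest + os.sep):
                continue
            tar.extract(m, dest)
            names.append(m.name)
    return names


def build_sample_ova(path: str) -> str:
    """Constructed stand-in for Whonix's OVA: an .ovf descriptor and two disks."""
    with tarfile.open(path, "w") as tar:
        for name, size in (("Whonix.ovf", 512), ("Gateway.vmdk", 4096),
                           ("Workstation.vmdk", 8192)):
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(b"\0" * size))
    return path


def demo() -> dict:
    """Run the whole flow on the constructed sample in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        ova = build_sample_ova(str(Path(scratch) / "whonix.ova"))
        dest = str(Path(scratch) / "hidden_volume")   # placeholder target
        Path(dest).mkdir()
        return {"members": ova_members(ova),
                "required": required_bytes(ova),
                "unpacked": unpack_ova(ova, dest)}


if __name__ == "__main__":
    print(demo())
```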

Subsequent Runs:

  • Boot into TAILS
  • Connect to Wi-Fi
  • Unlock your Hidden Volume
  • Launch the HiddenVM App
  • This should automatically open VirtualBox manager and show your previous VMs from the first run

Steps for all other routes:

Get a dedicated laptop for your sensitive activities:

Ideally, you should get a dedicated laptop that will not be tied to you in any easy way (ideally paid with cash anonymously and using the same precautions as previously mentioned for the phone and the SIM card). It is recommended but not mandatory because this guide will help you harden your laptop as much as possible to prevent data leaks through various means. There will be several lines of defense standing between your online identities and yourself that should prevent most adversaries from de-anonymizing you besides state/global actors with considerable resources.

This laptop should ideally be a clean freshly installed Laptop (Running Windows, Linux or MacOS), clean of your normal day to day activities and offline (never connected to the network yet). In the case of a Windows laptop, and if you used it before such a clean install, it should also not be activated (re-installed without a product key). Specifically in the case of MacBooks, it should never have been tied to your identity before in any means. So, buy second-hand with cash from an unknown stranger who does not know your identity.

This is to mitigate some future issues in case of online leaks (including telemetry from your OS or Apps) that could compromise any unique identifiers of the laptop while using it (MAC Address, Bluetooth Address, and Product key …). But also, to avoid being tracked back if you need to dispose of the laptop.

If you used this laptop before for different purposes (like your day-to-day activities), all its hardware identifiers are probably known and registered by Microsoft or Apple. If later any of those identifiers is compromised (by malware, telemetry, exploits, human errors …) they could lead back to you.

The laptop should have at least 250GB of disk space, at least 6GB (ideally 8GB or 16GB) of RAM, and should be able to run a couple of Virtual Machines at the same time. It should have a working battery that lasts a few hours.

This laptop could have an HDD (7200rpm) or an SSD/NVMe drive. Both possibilities have their benefits and issues that will be detailed later.

All future online steps performed with this laptop should ideally be done from a safe network such as a Public Wi-Fi in a safe place (see Find some safe places with decent public Wi-Fi). But several steps will have to be taken offline first.

Some laptop recommendations:

If you can afford it, you might consider getting a Purism Librem laptop (https://puri.sm Archive.org) or System76 laptops (https://system76.com/ Archive.org) while using Coreboot101 (where Intel IME is disabled from factory).

In other cases, I would strongly recommend getting Business grade laptops (meaning not consumer/gaming grade laptops) if you can. For instance, some ThinkPad from Lenovo (my personal favorite). Here are lists of laptops currently supporting Libreboot and others where you can flash Coreboot yourself (that will allow you to disable Intel IME or AMD PSP):

This is because those business laptops usually offer better and more customizable security features (especially in the BIOS/UEFI settings) with longer support than most consumer laptops (Asus, MSI, Gigabyte, Acer…). The interesting features to look for are IMHO:

  • Better custom Secure Boot settings (where you can selectively manage all the keys and not just use the Standard ones)
  • HDD/SSD passwords in addition to just BIOS/UEFI passwords.
  • AMD laptops could be more interesting as some provide the ability to disable AMD PSP (the AMD equivalent of Intel IME) from the BIOS/UEFI settings by default. And, because AFAIK, AMD PSP was audited and contrary to IME was not found to have any “evil” functionalities267. However, if you are going for the Qubes OS Route consider Intel as they do not support AMD with their anti-evil-maid system268.
  • Secure Wipe tools from the BIOS (especially useful for SSD/NVMe drives, see Appendix M: BIOS/UEFI options to wipe disks in various Brands).
  • Better control over the disabling/enabling of select peripherals (USB ports, Wi-Fis, Bluetooth, Camera, Microphone …).
  • Better security features with Virtualization.
  • Native anti-tampering protections.
  • Longer support with BIOS/UEFI updates (and subsequent BIOS/UEFI security updates).
  • Some are supported by Libreboot

Bios/UEFI/Firmware Settings of your laptop:

PC:

These settings can be accessed through the boot menu of your laptop. Here is a good tutorial from HP explaining all the ways to access the BIOS on various computers: https://store.hp.com/us/en/tech-takes/how-to-enter-bios-setup-windows-pcs Archive.org

Usually how to access it is pressing a specific key (F1, F2 or Del) at boot (before your OS).

Once you are in there, you will need to apply a few recommended settings:

  • Disable Bluetooth completely if you can.
  • Disable Biometrics (fingerprint scanners) if you have any and if you can. However, you could add a biometric additional check for booting only (pre-boot) but not for accessing the BIOS/UEFI settings.
  • Disable the Webcam and Microphone if you can.
  • Enable BIOS/UEFI password and use a long passphrase260 instead of a password if you can and make sure this password is required for:
    • Accessing the BIOS/UEFI settings themselves
    • Changing the Boot order
    • Startup/Power-on of the device
  • Enable HDD/SSD password if the feature is available. This feature will add another password on the HDD/SSD itself (not in the BIOS/UEFI firmware) that will prevent this HDD/SSD from being used in a different computer without the password. Note that this feature is also specific to some manufacturers and could require specific software to unlock this disk from a completely different computer.
  • Prevent accessing the boot options (the boot order) without providing the BIOS/UEFI password if you can.
  • Disable USB/HDMI or any other port (Ethernet, Firewire, SD card …) if you can.
  • Disable Intel ME if you can.
  • Disable AMD PSP if you can (AMD’s equivalent to IME, see Your CPU)
  • Disable Secure Boot if you intend to use QubesOS as they do not support it out of the box269. Keep it on if you intend to use Linux/Windows.
  • Check if your laptop BIOS has a secure erase option for your HDD/SSD that could be convenient in case of need.

Only enable those on a “need to use” basis and disable them again after use. This can help mitigate some attacks in case your laptop is seized while locked but still on OR if you had to shut it down rather quickly and someone took possession of it (this topic will be explained later in this guide).

About Secure boot:

So, what is Secure Boot270? In short, it is a UEFI security feature designed to prevent your computer from booting an operating system whose bootloader was not signed by specific keys stored in the UEFI firmware of your laptop.

Basically, when the Operating Systems (or the Bootloader271) supports it, you can store the keys of your bootloader in your UEFI firmware and this will prevent booting up any unauthorized Operating System (such as a live OS USB or anything similar).

Secure Boot settings are protected by the password you set up to access the BIOS/UEFI settings. If you have that password, you can disable Secure Boot and allow unsigned OSes to boot on your system. This can help mitigate some Evil-Maid attacks (explained later in this guide).

In most cases Secure Boot is disabled by default or is enabled but in “setup” mode, which will allow any system to boot. For Secure Boot to work, your Operating System will have to support it, sign its bootloader and push those signing keys to your UEFI firmware. After that you will have to go to your BIOS/UEFI settings, save those keys pushed from your OS and change Secure Boot from setup to user mode (or custom mode in some cases).

After doing that step, only the Operating Systems from which your UEFI firmware can verify the integrity of the bootloader will be able to boot.

Most laptops will have some default keys already stored in the Secure Boot settings, usually those from the manufacturer itself or from some companies such as Microsoft. This means that by default it will always be possible to boot some USB disks even with Secure Boot enabled. These include Windows, Fedora, Ubuntu, Mint, Debian, CentOS, OpenSUSE, TAILS, Clonezilla and many others. Secure Boot is however not supported at all by QubesOS at this point.

In some laptops, you can manage those keys and remove the ones you do not want with a “custom mode” to only authorize your own bootloader that you could sign yourself if you really want to.

So, what is Secure Boot protecting you from? It will protect your laptop from booting unsigned bootloaders (by the OS provider) with for instance injected malware.

What is Secure Boot not protecting you from?

  • Secure Boot is not encrypting your disk and an adversary can still just remove the disk from your laptop and extract data from it using a different machine. Secure Boot is therefore useless without full disk encryption.
  • Secure Boot is not protecting you from a signed bootloader that would be compromised and signed by the manufacturer itself (Microsoft for example in the case of Windows). Most mainstream Linux distributions are signed these days and will boot with Secure Boot enabled.
  • Secure Boot can have flaws and exploits like any other system. If you are running an old laptop that does not benefit from new BIOS/UEFI updates, these can be left unfixed.

Additionally, there are a number of attacks that could be possible against Secure Boot as explained (in depth) in these technical videos:

So, it can be useful as an added measure against some adversaries but not all. Secure Boot in itself is not encrypting your hard drive. It is an added layer but that is it.

I still recommend you keep it on if you can.
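To see which of the cases above applies to a given laptop (disabled, setup mode, or enforcing, and with whose keys), the following added example (not from the guide) reads the SecureBoot and SetupMode variables from Linux’s efivarfs and parses the db allow-list into its enrolled signers. The sample bytes at the bottom are constructed so the parser runs without a UEFI machine; the only real identifiers are the UEFI specification GUIDs and the owner GUID Microsoft uses for its db entries.

```python
"""Report UEFI Secure Boot state and the signers enrolled in 'db' on Linux.

Added example, not part of the guide: reads SecureBoot/SetupMode and parses
the EFI_SIGNATURE_LIST structures of db so you can see whether the firmware
really enforces and whose keys (OEM, Microsoft, your own) it already trusts.
Needs root on most distributions to read efivarfs; otherwise uses the sample.
"""
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# SignatureOwner GUID Microsoft uses for the db entries shipped on most PCs.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")


def efivar_payload(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attributes word."""
    return raw[4:]


def boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """'enforcing', 'setup-mode' (anything boots, keys enrollable) or 'disabled'."""
    enforcing = efivar_payload(secureboot_raw)[:1] == b"\x01"
    setup = efivar_payload(setupmode_raw)[:1] == b"\x01"
    if setup:
        return "setup-mode"
    return "enforcing" if enforcing else "disabled"


def parse_signature_lists(payload: bytes) -> list:
    """Walk the EFI_SIGNATURE_LIST entries concatenated in db/dbx/KEK."""
    entries, off = [], 0
    while off + 28 <= len(payload):
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(payload):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            data = payload[pos + 16:pos + sig_size]
            entries.append({"type": SIG_TYPES.get(sig_type, str(sig_type)),
                            "owner": str(owner), "microsoft": owner == MICROSOFT_OWNER,
                            "size": len(data), "data": data})
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; used here only to build sample data."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    header = struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0]))
    return sig_type.bytes_le + header + body


# Constructed sample db (attributes word 0x27 = NV|BS|RT|TIME_BASED_AUTH):
# two SHA-256 allow-list hashes owned by Microsoft and one 64-byte stand-in
# for an OEM X.509 certificate owned by a made-up OEM GUID.
SAMPLE_OEM_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (b"\x27\x00\x00\x00"
             + build_signature_list(EFI_CERT_SHA256_GUID, MICROSOFT_OWNER,
                                    [b"\xaa" * 32, b"\xbb" * 32])
             + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OEM_OWNER,
                                    [b"\x30\x82" + b"\x00" * 62]))


def report(sb_raw: bytes, sm_raw: bytes, db_raw: bytes) -> None:
    print("Secure Boot:", boot_state(sb_raw, sm_raw))
    for e in parse_signature_lists(efivar_payload(db_raw)):
        who = "Microsoft" if e["microsoft"] else e["owner"]
        print("  %s %d bytes, owner %s" % (e["type"], e["size"], who))


def read_live_vars() -> tuple:
    """Raw SecureBoot, SetupMode and db variables of the running machine."""
    return tuple((EFIVARS / name).read_bytes() for name in (
        "SecureBoot-" + EFI_GLOBAL_VARIABLE,
        "SetupMode-" + EFI_GLOBAL_VARIABLE,
        "db-" + EFI_IMAGE_SECURITY_DATABASE))


if __name__ == "__main__":
    if EFIVARS.is_dir():
        report(*read_live_vars())
    else:  # no efivarfs here: show the parser on the constructed sample
        report(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00", SAMPLE_DB)
```

A machine that reports "setup-mode" or "disabled" boots anything regardless of what db contains; an "enforcing" machine whose db lists only Microsoft-owned entries is in the default state the text describes, where any Microsoft-signed USB stick still boots.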

Mac:

Take a moment to set a firmware password according to the tutorial here: https://support.apple.com/en-au/HT204455 Archive.org

You should also enable firmware password reset protection (available from Catalina) according to the documentation here: https://support.apple.com/en-gb/guide/security/sec28382c9ca/web Archive.org

This feature will mitigate the possibility for some adversaries to use hardware hacks to disable/bypass your firmware password. Note that this will also prevent Apple themselves from accessing the firmware in case of repair.

Physically Tamper protect your laptop:

At some point you will inevitably leave this laptop alone somewhere. You will not sleep with it and take it everywhere every single day. You should make it as hard as possible for anyone to tamper with it without you noticing it. This is mostly useful against some limited adversaries that will not use a 5$ wrench against you11.

It is important to know that it is trivially easy for some specialists to install a key logger in your laptop, or to just make a clone copy of your hard drive that could later allow them to detect the presence of encrypted data in it using forensic techniques (more on that later).

Here is a good cheap method to make your laptop tamper proof using Nail Polish (with glitter) https://mullvad.net/en/help/how-tamper-protect-laptop/ Archive.org 272 (with pictures).

While this is a good cheap method, it could also raise suspicions as it is quite “noticeable” and might just reveal that you “have something to hide”. So, there are more subtle ways of achieving the same result. You could also for instance make a close macro photography of the back screws of your laptop or just use a very small amount of candle wax within one of the screws that could just look like usual dirt. You could then check for tampering by comparing the photographs of the screws with new ones. Their orientation might have changed a bit if your adversary was not careful enough (Tightening them exactly the same way they were before). Or the wax within the bottom of a screw head might have been damaged compared to before.

The same techniques can be used with USB ports, where you could just put a tiny amount of candle wax within the plug that would be damaged by inserting a USB key in it.

In riskier environments, check your laptop for tampering before using it, on a regular basis.

The Whonix route:

Picking your Host OS (the OS installed on your laptop):

This route will make extensive use of Virtual Machines273, which will require a host OS to run the virtualization software. You have 3 recommended choices in this part of the guide:

  • Your Linux distribution of choice (excluding Qubes OS)
  • Windows 10 (preferably Home edition due to the absence of Bitlocker)
  • MacOS (Catalina or higher)

In addition, chances are high that your Mac is or has been tied to an Apple account (at the time of purchase or after signing in) and therefore its unique hardware identifiers could lead back to you in case of a hardware identifier leak.

Linux is also not necessarily the best choice for anonymity depending on your threat model. This is because using Windows will allow us to conveniently use Plausible Deniability255 (aka Deniable Encryption274) easily at the OS level. Windows is also unfortunately at the same time a privacy nightmare275 but is the only (convenient) option for using OS wide plausible deniability. Windows telemetry and telemetry blocking is also widely documented which should mitigate many issues.

So, what is Plausible Deniability? It is the ability for you to cooperate with an adversary requesting access to your device/data without revealing your true secret. All this using Deniable Encryption258.

A soft lawful adversary could ask for your encrypted laptop password. At first you could refuse to give out any password (using your “right to remain silent”, “right not to incriminate yourself”) but some countries are implementing laws276’277 to exempt this from such rights (because terrorists and “think of the children”). In that case you might have to reveal the password or maybe face jail time in contempt of court. This is where plausible deniability will come into play.

You could then reveal a password but that password will only give access to “plausible data” (a decoy OS). The forensics will be well aware that it is possible for you to have hidden data but should not be able to prove this (if you do this right). You will have cooperated and the investigators will have access to something but not what you actually want to hide. Since the burden of proof should lie on their side, they will have no options but to believe you unless they have a proof that you have hidden data.

This feature can be used at the OS level (a plausible OS and a hidden OS) or at the files level where you will have an encrypted file container (similar to a zip file) where different files will be shown depending on the encryption password you use.

This also means you could set up your own advanced “plausible deniability” setup using any Host OS by storing for instance Virtual Machines on a Veracrypt hidden volume container (be careful about traces in the Host OS tho that would need to be cleaned if the host OS is persistent, see Some additional measures against forensics section later). There is a project for achieving this within TAILS (https://github.com/aforensics/HiddenVM Archive.org) which would make your Host OS non persistent and use plausible deniability within TAILS.

In the case of Windows, plausible deniability is also the reason you should ideally have Windows 10 Home (and not Pro). This is because Windows 10 Pro natively offers a full-disk encryption system (Bitlocker278) whereas Windows 10 Home offers no full-disk encryption at all. We will later use a third-party open-source software for encryption that will allow full-disk encryption on Windows 10 Home. This will give you a good (plausible) excuse to use this software, while using this software on Windows 10 Pro would be suspicious.

Note about Linux: So, what about Linux and plausible deniability? Yes, it is kind of possible to achieve plausible deniability with Linux too279. But it is complicated to set up and IMHO requires a skill level high enough that you probably do not need this guide to help you try it.

Unfortunately, encryption is not magic and there are some risks involved:


Threats with encryption: The 5$ Wrench:

Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture11. As a matter of fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm Archive.org

Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means. Avoid, if possible, the use of plausible deniability capable software (such as Veracrypt) if your threat model includes hard adversaries. So, Windows users should in that case install Windows Pro as a Host OS and use Bitlocker instead.

See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis Wikiless Archive.org

Evil-Maid Attack:

Evil Maid Attacks280 are conducted when someone tampers with your laptop while you are away, for instance to clone your hard drive, install malware or a key logger. If they can clone your hard drive, they can compare the image of your hard drive taken while you were away with the hard drive when they seize it from you. If you used the laptop again in between, forensics examiners might be able to prove the existence of the hidden data by looking at the variations between the two images in what should be an empty/unused space. This could lead to strong evidence of the existence of hidden data. If they install a key logger or malware within your laptop (software or hardware), they will be able to simply get the password from you for later use when they seize it. Such attacks can be done at your home, your hotel, a border crossing or anywhere you leave your devices unattended.

You can mitigate this attack by doing the following (as recommended earlier):

  • Have a basic tamper protection (as explained previously) to prevent physical access to the internals of the laptop without your knowledge. This will prevent them from cloning your disks and installing a physical key logger without your knowledge.
  • Disable all the USB ports (as explained previously) within a password protected BIOS/UEFI. Again, they will not be able to turn them on (without physically accessing the motherboard to reset the BIOS) to boot a USB device that could clone your hard drive or install a software-based malware that could act as a key logger.
  • Set-up BIOS/UEFI/Firmware passwords to prevent any unauthorized boot of an unauthorized device.
  • Some OSes and Encryption software have anti-EvilMaid protection that can be enabled. This is the case with Windows/Veracrypt and Qubes OS.

Cold-Boot Attack:

Cold Boot attacks281 are trickier than the Evil Maid Attack but can be part of an Evil Maid attack as it requires an adversary to come into possession of your laptop while you are actively using your device or shortly afterward.

The idea is rather simple, as shown in this video282: an adversary could theoretically quickly boot your device on a special USB key that would copy the content of the RAM (the memory) of the device after you shut it down. If the USB ports are disabled or if they feel like they need more time, they could open it and “cool down” the memory using a spray or other chemicals (liquid nitrogen for instance) preventing the memory from decaying. They would then be able to copy its content for analysis. This memory dump could contain the key to decrypt your device. We will later apply a few principles to mitigate these.

In the case of Plausible Deniability, there have been some forensics studies283 about technically proving the presence of the hidden data with a simple forensic examination (without a Cold Boot/Evil Maid Attack) but these have been contested by other studies284 and by the maintainer of Veracrypt285 so I would not worry too much about those yet.

The same measures used to mitigate Evil Maid attacks should be in place for Cold Boot attacks with some added ones:

  • If your OS or Encryption software allows it, you should consider encrypting the keys within RAM too (this is possible with Windows/Veracrypt and will be explained later)
  • You should limit the use of Sleep stand-by and instead use Shutdown or Hibernate to prevent the encryption keys from staying in RAM when your computer goes to sleep. This is because sleep will maintain power to your memory for resuming your activity faster. Only hibernation and shutdown will actually clear the key from the memory286.



See also https://www.whonix.org/wiki/Cold_Boot_Attack_Defense Archive.org and https://www.whonix.org/wiki/Protection_Against_Physical_Attacks Archive.org

Here are also some interesting tools to consider for Linux users to defend against these:


About Sleep, Hibernation and Shutdown:

If you want the best security, you should shut down your laptop completely every time you leave it unattended or close the lid. This should clear and/or release the RAM and provide mitigations against cold boot attacks. However, this can be a bit inconvenient as you will have to reboot completely, type in a ton of passwords into various apps, and restart various VMs and other apps. So instead, you could also use hibernation (not supported on Qubes OS). Since the whole disk is encrypted, hibernation in itself should not pose a large security risk but will still shut down your laptop and clear the memory while allowing you to conveniently resume your work afterward. What you should never do is use the standard sleep feature, which will keep your computer on and the memory powered. This is an attack vector for the evil-maid and cold-boot attacks discussed earlier. This is because your powered-on memory holds the encryption keys to your disk (encrypted or not) and could then be accessed by a skilled adversary.

This guide will provide guidance later on how to enable hibernation on various host OSes (except Qubes OS) if you do not want to shut down every time.


Local Data Leaks (traces) and forensics examination:

As mentioned briefly earlier, these are data leaks and traces from your operating system and apps when you perform any activity on your computer. These apply more to encrypted file containers (with or without plausible deniability) than to OS wide encryption. Such leaks are less “important” if your whole OS is encrypted (if you are not compelled to reveal the password).

Let us say for example you have a Veracrypt encrypted USB key with plausible deniability enabled. Depending on the password you use when mounting the USB key, it will open a decoy folder or the sensitive folder. Within those folders, you will have decoy documents/data within the decoy folder and sensitive documents/data within the sensitive folder.

In all cases, you will (most likely) open these folders with Windows Explorer, MacOS Finder or any other utility and do whatever you planned to do. Maybe you will edit a document within the sensitive folder. Maybe you will search a document within the folder. Maybe you will delete one or watch a sensitive video using VLC.

Well, all those Apps and your Operating System might keep logs and traces of that usage. This might include the full path of the folder/files/drives, the time those were accessed, temporary caches of those files, the “recent” lists in each app, the file indexing system that could index the drive and even thumbnails that could be generated.

Here are some examples of such leaks:

Windows:

  • Windows ShellBags that are stored within the Windows Registry silently storing various histories of accessed volumes/files/folders287.
  • Windows Indexing keeping traces of the files present in your user folder by default288.
  • Recent lists (aka Jump Lists) in Windows and various apps keeping traces of recently accessed documents289.
  • Many more traces in various logs, please see this convenient interesting poster for more insight: https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download Archive.org

MacOS:

  • Gatekeeper and XProtect keeping track of your download history in a local database and file attributes.
  • Spotlight Indexing
  • Recent lists in various apps keeping traces of recently accessed documents.
  • Temporary folders keeping various traces of App usage and Document usage.
  • MacOS Logs

Linux:

  • Tracker Indexing
  • Bash History
  • USB logs
  • Recent lists in various apps keeping traces of recently accessed documents.
  • Linux Logs

Forensics could284’287 use all those leaks (see Local Data Leaks and Forensics) to prove the existence of hidden data and defeat your attempts at using plausible deniability and to find out about your various sensitive activities.

It will be therefore important to apply various steps to prevent forensics from doing this by preventing and cleaning these leaks/traces and more importantly by using whole disk encryption, virtualization, and compartmentalization.

Forensics cannot extract local data leaks from an OS they cannot access. And you will be able to clean most of those traces by wiping the drive or by securely erasing your virtual machines (which is not as easy as you think on SSD drives).

Some cleaning techniques will nevertheless be covered in the “Cover your Tracks” part of this guide at the very end.

Online Data Leaks:

Whether you are using simple encryption or plausible deniability encryption, and even if you covered your tracks on the computer itself, there is still a risk of online data leaks that could reveal the presence of hidden data.

Telemetry is your enemy. As explained earlier in this guide, the telemetry of Operating Systems but also from Apps can send staggering amounts of private information online.

In the case of Windows, this data could for instance be used to prove the existence of a hidden OS / Volume on a computer and would be readily available at Microsoft. Therefore, it is critically important that you disable and block telemetry with all the means at your disposal. No matter what OS you are using.

Conclusion:

You should never conduct sensitive activities from a non-encrypted system. And even if it is encrypted, you should probably never conduct sensitive activities from the Host OS itself. Instead, you should use a VM to be able to efficiently isolate and compartmentalize your activities and prevent local data leaks.

If you have little to no knowledge of Linux or if you want to use OS wide plausible deniability, I would recommend going for Windows (or back to the TAILS route) for convenience. This guide will help you harden it as much as possible to prevent leaks. This guide will also help you harden MacOS and Linux as much as possible to prevent similar leaks.

If you have no interest in OS wide plausible deniability and want to learn to use Linux, I would strongly recommend going for Linux or the Qubes route if your hardware allows it.

In all cases, the host OS should never be used to conduct sensitive activities directly. The host OS will only be used to connect to a public Wi-Fi Access Point. It will be left unused while you conduct sensitive activities and should ideally not be used for any of your day-to-day activities.

Consider also reading https://www.whonix.org/wiki/Full_Disk_Encryption#Encrypting_Whonix_VMs Archive.org

Linux Host OS:

As mentioned earlier, I do not recommend using your daily laptop for very sensitive activities. Or at least I do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the TAILS route or proceed at your own risk.

I also recommend that you do the initial installation completely offline to avoid any data leak.

You should always remember that despite the reputation, Linux mainstream distributions (Ubuntu for instance) are not necessarily better at security than other systems such as MacOS and Windows. See this reference to understand why https://madaidans-insecurities.github.io/linux.html Archive.org.

Full disk encryption:

There are two possibilities here with Ubuntu:

For other distros, you will have to document yourself but it will likely be similar. Encryption during install is just much easier in the context of this guide.

Reject/Disable any telemetry:

  • During the install, just make sure you do not allow any data collection if prompted.
  • If you are not sure, just make sure you did not enable any telemetry and follow this tutorial if needed https://vitux.com/how-to-force-ubuntu-to-stop-collecting-your-data-from-your-pc/ [Archive.org]
  • Any other distro: You will need to document yourself and find out yourself how to disable telemetry if there is any.

Disable anything unnecessary:

Hibernation:

As explained previously, you should not use the sleep features but shutdown or hibernate your laptop to mitigate some evil-maid and cold-boot attacks. Unfortunately, this feature is disabled by default on many Linux distros including Ubuntu. It is possible to enable it but it might not work as expected. Follow this information at your own risk. If you do not want to do this, you should never use the sleep function and power off instead (and probably set the lid closing behavior to power off instead of sleep).

Follow this tutorial to enable Hibernate: https://help.ubuntu.com/16.04/ubuntu-help/power-hibernate.html Archive.org

After Hibernate is enabled, change the behavior so that your laptop will hibernate when you close the lid by following this tutorial for Ubuntu 20.04 http://ubuntuhandbook.org/index.php/2020/05/lid-close-behavior-ubuntu-20-04/ Archive.org and this tutorial for Ubuntu 18.04 https://tipsonubuntu.com/2018/04/28/change-lid-close-action-ubuntu-18-04-lts/ Archive.org

Unfortunately, this will not clear the key from memory directly when hibernating. To avoid this at the cost of some performance, you might consider encrypting the swap file by following this tutorial: https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap Archive.org

These settings should mitigate cold boot attacks if you can hibernate fast enough.

Hardening Linux:

As a light introduction for new Linux users, consider https://www.youtube.com/watch?v=Sa0KqbpLye4 Invidious

For more in-depth and advanced options, refer to:

Setting up a safe Browser:

See Appendix G: Safe Browser on the Host OS

MacOS Host OS:

Note: At this time, this guide does not support ARM M1 MacBooks (yet), because VirtualBox does not support this architecture yet. It could however be possible if you use commercial tools like VMWare or Parallels but those are not covered in this guide.

As mentioned earlier, I do not recommend using your daily laptop for very sensitive activities. Or at least I do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the TAILS route or proceed at your own risk.

I also recommend that you do the initial installation completely offline to avoid any data leak.

Do not ever sign in with your Apple account using that Mac.

During the install:

  • Stay Offline
  • Disable all data sharing requests when prompted including location services
  • Do not sign-in with Apple
  • Do not enable Siri

Hardening MacOS:

As a light introduction for new MacOS users, consider https://www.youtube.com/watch?v=lFx5icuE6Io Invidious

Now to go more in-depth in securing and hardening your MacOS, I recommend reading this GitHub guide which should cover many of the issues: https://github.com/drduh/macOS-Security-and-Privacy-Guide Archive.org

Here are the basic steps you should take after your offline installation:

Enable Firmware password with “disable-reset-capability” option:

First you should set-up a firmware password following this guide from Apple: https://support.apple.com/en-us/HT204455 Archive.org

Unfortunately, some attacks are still possible and an adversary could disable this password so you should also follow this guide to prevent disabling the firmware password from anyone including Apple: https://support.apple.com/en-gb/guide/security/sec28382c9ca/web Archive.org

Enable Hibernation instead of sleep:

Again, this is to prevent some cold-boot and evil-maid attacks by powering down your RAM and cleaning the encryption key when you close the lid. You should always either hibernate or shutdown. On MacOS, the hibernate feature even has a special option to specifically clear the encryption key from memory when hibernating (while you might have to wait for the memory to decay on other Operating Systems). Once again there are no easy options to do this within the settings so instead, we will have to do this by running a few commands to enable hibernation:

  • Open a Terminal
  • Run: sudo pmset -a destroyfvkeyonstandby 1
    • This command will instruct MacOS to destroy the Filevault key on Standby (sleep)
  • Run: sudo pmset -a hibernatemode 25
    • This command will instruct MacOS to power off the memory during sleep instead of doing a hybrid hibernate that keeps the memory powered on. It will result in slower wakes but will increase battery life.

Now when you close the lid of your MacBook, it should hibernate instead of sleep and mitigate attempts at performing cold-boot attacks.

In addition, you should also set up an automatic sleep (Settings > Energy) so that your MacBook will hibernate automatically if left unattended.
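To verify that the two pmset settings above actually took effect, here is an added example (not from the guide) that parses the key/value lines printed by pmset -g and reports each setting with the command to fix it. The sample outputs are constructed; on a real Mac you would pass the output of pmset -g instead.

```shell
#!/bin/sh
# Added example (not from the guide): check that the hibernation settings
# configured above are in effect, by parsing `pmset -g` style output.
# The samples below are CONSTRUCTED; on a real Mac run:
#   check_hibernate_settings "$(pmset -g)"

# Values the steps above set.
WANT_HIBERNATEMODE=25
WANT_DESTROYFVKEY=1

# Constructed sample: both settings applied.
SAMPLE_OK='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                10'

# Constructed sample: default-like output, hibernatemode 3 and
# no destroyfvkeyonstandby line at all.
SAMPLE_BAD='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 sleep                10'

# pmset_value TEXT KEY -> prints the value of KEY (first match), nothing if absent.
pmset_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_one TEXT KEY WANT -> prints a one-line verdict, returns 0 if KEY == WANT.
check_one() {
    got=$(pmset_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "$2=$got OK"
        return 0
    fi
    # A missing key is reported as such, not as an empty value.
    echo "$2=${got:-missing} (want $3): run 'sudo pmset -a $2 $3'"
    return 1
}

# check_hibernate_settings TEXT -> 0 only if both settings match; reports both.
check_hibernate_settings() {
    rc=0
    check_one "$1" hibernatemode "$WANT_HIBERNATEMODE" || rc=1
    check_one "$1" destroyfvkeyonstandby "$WANT_DESTROYFVKEY" || rc=1
    return $rc
}

# Stand-alone run over the constructed samples.
echo "--- constructed OK sample"
check_hibernate_settings "$SAMPLE_OK"
echo "--- constructed BAD sample"
check_hibernate_settings "$SAMPLE_BAD" || echo "fix needed before relying on hibernation"
```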

Disable unnecessary services:

Disable some unnecessary settings within the settings:

  • Disable Bluetooth
  • Disable the Camera and Microphone
  • Disable Location Services
  • Disable Airdrop
  • Disable Indexing


Prevent Apple OCSP calls:

These are the infamous “unblockable telemetry” calls from MacOS Big Sur disclosed here: https://sneak.berlin/20201112/your-computer-isnt-yours/ Archive.org

You could block OCSP reporting by issuing the following command in Terminal:

  • sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts'

But you should probably document yourself on the actual issue before acting. This page is a good place to start: https://blog.jacopo.io/en/post/apple-ocsp/ Archive.org

Up to you really. I would block it because I do not want any telemetry at all from my OS to the mothership without my specific consent. None.

Enable Full Disk encryption (Filevault):

You should enable full disk encryption on your Mac using Filevault according to this part of the guide: https://github.com/drduh/macOS-Security-and-Privacy-Guide#full-disk-encryption Archive.org

Be careful when enabling. Do not store the recovery key at Apple if prompted (should not be an issue since you should be offline at this stage). You do not want a third party to have your recovery key obviously.

MAC Address Randomization:

Unfortunately, MacOS does not offer a native convenient way of randomizing your MAC Address and so you will have to do this manually. This will be reset at each reboot and you will have to re-do it each time to ensure you do not use your actual MAC Address when connecting to various Wi-Fi networks.

You can do this by issuing the following commands in terminal (without the parentheses):

  • (Turn the Wi-Fi off) networksetup -setairportpower en0 off
  • (Change the MAC Address) sudo ifconfig en0 ether 88:63:11:11:11:11
  • (Turn the Wi-Fi back on) networksetup -setairportpower en0 on
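The commands above set one fixed address. Here is an added example (not from the guide) that generates a fresh locally administered unicast MAC address on each run and applies it with the same three commands; it assumes macOS with the Wi-Fi interface named en0, and only the generator and validator are exercised offline.

```shell
#!/bin/sh
# Added example (not from the guide): random locally administered MAC for en0.
# Assumes macOS (networksetup/ifconfig); interface name en0 is an assumption.

# random_mac -> prints an address like 8a:1f:3c:4d:5e:6f
# In the first octet, bit 1 (locally administered) is set and bit 0
# (multicast) is cleared, so the address is a valid unicast MAC that does
# not impersonate a real vendor OUI.
random_mac() {
    # six random bytes from /dev/urandom as lowercase hex, no separators
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-12)
    # (first | 0x02) & 0xfe : set local bit, clear multicast bit
    first=$(printf '%02x' $(( (0x$first | 0x02) & 0xfe )))
    printf '%s' "$first$rest" | sed -e 's/../&:/g' -e 's/:$//'
}

# is_valid_mac MAC -> 0 if MAC is well formed and locally administered unicast
is_valid_mac() {
    H='[0-9a-f][0-9a-f]'
    case $1 in
        $H:$H:$H:$H:$H:$H) ;;
        *) return 1 ;;
    esac
    first=$(printf '%s' "$1" | cut -c1-2)
    # low two bits of the first octet must be exactly "10" (local, unicast)
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# apply_random_mac [IFACE] -> the three steps from the guide with a fresh address
apply_random_mac() {
    iface=${1:-en0}
    mac=$(random_mac)
    networksetup -setairportpower "$iface" off
    sudo ifconfig "$iface" ether "$mac"
    networksetup -setairportpower "$iface" on
    echo "$iface now uses $mac"
}

# Stand-alone run: only generate and validate (no interface changes).
candidate=$(random_mac)
is_valid_mac "$candidate" && echo "generated $candidate"
```

Call apply_random_mac en0 (or your Wi-Fi interface) before connecting; check with ifconfig en0 that the new address is shown, since the change is lost at the next reboot.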

Setting up a safe Browser:

See Appendix G: Safe Browser on the Host OS

Windows Host OS:

As mentioned earlier, I do not recommend using your daily laptop for very sensitive activities. Or at least I do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the TAILS route or proceed at your own risk.

I also recommend that you do the initial installation completely offline to avoid any data leak.

Installation:

You should follow Appendix A: Windows Installation

As a light introduction, consider watching https://www.youtube.com/watch?v=vNRics7tlqw Invidious

Enable MAC address randomization:

You should randomize your MAC address as explained earlier in this guide:
Go into Settings > Network & Internet > Wi-Fi > Enable Random hardware addresses
Alternatively, you could use this free piece of software: https://technitium.com/tmac/ Archive.org

Setting up a safe Browser:

See Appendix G: Safe Browser on the Host OS

Enable some additional privacy settings on your Host OS:

See Appendix B: Windows Additional Privacy Settings

Windows Host OS encryption:

If you intend to use system-wide plausible deniability:

Veracrypt is the software I will recommend for full disk encryption, file encryption and plausible deniability. It is a fork of the well-known but deprecated and unmaintained TrueCrypt. It can be used for:

  • Full Disk simple encryption (your hard drive is encrypted with one passphrase).
  • Full Disk encryption with plausible deniability (this means that depending on the passphrase entered at boot, you will either boot a decoy OS or a hidden OS).
  • File container simple encryption (it is a large file that you will be able to mount within Veracrypt as if it was an external drive to store encrypted files within).
  • File container with plausible deniability (it is the same large file but depending on the passphrase you use when mounting it, you will either mount a “hidden volume” or the “decoy volume”).

It is to my knowledge the only (convenient and usable by anyone) free, open-source and openly audited292 encryption software that also provides plausible deniability for general use and it works with Windows Home Edition.

Go ahead and download and install Veracrypt from: https://www.veracrypt.fr/en/Downloads.html Archive.org

After installation, please take a moment to review the following options that will help mitigate some attacks:

  • Encrypt the memory with a Veracrypt option293 (settings > performance/driver options > encrypt RAM) at a cost of 5-15% performance. This setting will also disable hibernation (which does not actively clear the key when hibernating) and instead encrypt the memory altogether to mitigate some cold-boot attacks.
  • Enable the Veracrypt option to wipe the keys from memory if a new device is inserted (system > settings > security > clear keys from memory if a new device is inserted). This could help in case your system is seized while still on (but locked).
  • Enable the Veracrypt option to mount volumes as removable volumes (Settings > Preferences > Mount volume as removable media). This will prevent Windows from writing some logs about your mounts in the Event logs294 and prevent some local data leaks.
  • Be careful and have a good situational awareness, if you sense something weird. Shut your laptop down as fast as possible.
  • While newer Veracrypt versions do support Secure Boot, I would recommend disabling it from the BIOS as I prefer Veracrypt’s Anti-Evil Maid system over Secure Boot.

If you do not want to use encrypted memory (because performance might be an issue), you should at least enable hibernation instead of sleep. This will not clear the keys from memory (you are still vulnerable to cold boot attacks) but at least should mitigate them somewhat if your memory has enough time to decay.

More details later in Route A and B: Simple Encryption using Veracrypt (Windows tutorial).

If you do not intend to use system-wide plausible deniability:

For this case, I will recommend the use of BitLocker instead of Veracrypt for the full disk encryption. The reasoning is that BitLocker does not offer a plausible deniability possibility contrary to Veracrypt. A hard adversary has then no incentive in pursuing his “enhanced” interrogation if you reveal the passphrase.

Normally, you should have installed Windows Pro in this case and BitLocker setup is quite straight-forward.

Basically you can follow the instructions here: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838 Archive.org

But here are the steps:

  1. Click the Windows Menu
  2. Type “Bitlocker”
  3. Click “Manage Bitlocker”
  4. Click “Turn On Bitlocker” on your System Drive
  5. Follow the instructions
    1. Do not save your recovery key to a Microsoft Account if prompted.
    2. Only save the recovery key to an external encrypted drive. To bypass this, print the recovery key using the Microsoft Print to PDF printer and save the key within the Documents folder.
    3. Encrypt Entire Drive (do not encrypt the used disk space only).
    4. Use “New Encryption Mode”
    5. Run the BitLocker Check
    6. Reboot
  6. Encryption should now be started in the background (you can check by clicking the Bitlocker icon in the lower right side of the taskbar).

Enable Hibernation (optional):

Again, as explained earlier, you should never use the sleep feature, to mitigate some cold-boot and evil-maid attacks. Instead, you should shut down or hibernate. You should therefore switch your laptop from sleeping to hibernating when closing the lid or when your laptop goes to sleep.

(Note that you cannot enable hibernation if you previously enabled RAM encryption within Veracrypt)

The reason is that Hibernation will actually shutdown your laptop completely and clean the memory. Sleep on the other hand will leave the memory powered on (including your decryption key) and could leave your laptop vulnerable to cold-boot attacks.

By default, Windows 10 might not offer you this possibility so you should enable it by following this Microsoft tutorial: https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/disable-and-re-enable-hibernation Archive.org

  1. Open an administrator command prompt (right click on Command Prompt and “Run as Administrator”)
    1. Run: powercfg.exe /hibernate on
    2. Now run the additional command: powercfg /h /type full
      1. This command will make sure your hibernate mode is full and will fully clean the memory (not securely tho).

After that you should go into your power settings:

  1. Open the Control Panel
  2. Open System & Security
  3. Open Power Options
  4. Open “Choose what the power button does”
  5. Change everything from sleep to hibernate or shutdown
  6. Go back to the Power Options
  7. Select Change Plan Settings
  8. Select Advanced Power Settings
  9. Change all the Sleep Values for each Power Plan to 0 (Never)
  10. Make sure Hybrid Sleep is Off for each Power Plan
  11. Enable Hibernate After the time you would like
  12. Disable all the Wake timers

Deciding which sub-route you will take:

Now you will have to pick your next step between two options:

  1. Route A: Simple encryption of your current OS
    1. Pros:
      1. Does not require you to wipe your laptop
      2. No issue with local data leaks
      3. Works fine with an SSD drive
      4. Works with any OS
      5. Simple
    2. Cons:
      1. You could be compelled by adversary to reveal your password and all your secrets and will have no plausible deniability.
      2. Danger of Online data leaks
  2. Route B: Simple encryption of your current OS with later use of plausible deniability on files themselves:
    1. Pros:
      1. Does not require you to wipe your laptop
      2. Works fine with an SSD drive
      3. Works with any OS
      4. Plausible deniability possible with “soft” adversaries
    2. Cons:
      1. Danger of Online Data leaks
      2. Danger of Local Data leaks (that will lead to more work to clean up those leaks)
  3. Route C: Plausible Deniability Encryption of your Operating system (you will have a “hidden OS” and a “decoy OS” running on the laptop):
    1. Pros:
      1. No issues with local Data leaks
      2. Plausible deniability possible with “soft” adversaries
    2. Cons:
      1. Requires Windows (this feature is not “easily” supported on Linux).
      2. Danger of online Data leaks
      3. Requires full wipe of your laptop
      4. No use with an SSD drive due to requirement of disabling Trim295 Operations296. This will severely degrade the performance/health of your SSD drive over time.

As you can see, Route C only offers two privacy advantages over the others and it will only be of use against a soft lawful adversary. Remember https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis Wikiless Archive.org.

Deciding which route you will take is up to you. Route A is a minimum.

Always be sure to check for new versions of Veracrypt frequently to ensure you benefit from the latest patches. Especially check this before applying large Windows updates that might break the Veracrypt bootloader and send you into a boot loop.

NOTE THAT BY DEFAULT VERACRYPT WILL ALWAYS PROPOSE A SYSTEM PASSWORD IN QWERTY (display the password as a test). This can cause issues if your boot input is using your laptop’s keyboard (AZERTY for example) as you will have set up your password in QWERTY and will input it at boot time in AZERTY. So, make sure you check when doing the test boot what keyboard layout your BIOS is using. You could fail to log in just because of the QWERTY/AZERTY mix-up. If your BIOS boots using AZERTY, you will need to type the password in QWERTY within Veracrypt.

Route A and B: Simple Encryption using Veracrypt (Windows tutorial)

Skip this step if you used BitLocker instead earlier.

You do not have to have an HDD for this method and you do not need to disable Trim on this route. Trim leaks will only be of use to forensics in detecting the presence of a Hidden Volume but will not be of much use otherwise.

This route is rather straightforward and will just encrypt your current Operating System in place without losing any data. Be sure to read all the texts Veracrypt is showing you so you have a full understanding of what is going on.

  1. Launch VeraCrypt
  2. Go into Settings:
    1. Settings > Performance/driver options > Encrypt RAM
    2. System > Settings > Security > Clear keys from memory if a new device is inserted
    3. System > Settings > Windows > Enable Secure Desktop
  3. Select System
  4. Select Encrypt System Partition/Drive
  5. Select Normal (Simple)
  6. Select Single-Boot
  7. Select AES as encryption Algorithm (click the test button if you want to compare the speeds)
  8. Select SHA-512 as hash Algorithm (because why not)
  9. Enter a strong passphrase (longer the better)260
  10. Collect some entropy by randomly moving your cursor around until the bar is full
  11. Click Next at the Generated Keys screen
  12. To rescue disk297 or not rescue disk, well that is up to you. I recommend making one (just in case), just make sure to store it outside your encrypted drive (USB key for instance, or wait and see the end of this guide for guidance on safe backups). This rescue disk will not store your passphrase and you will still need it to use it.
  13. Wipe mode:
    1. If you have no sensitive data yet on this laptop, select None
    2. If you have sensitive data on an SSD, Trim alone should take care of it298, but I would recommend 1 pass (random data) just to be sure.
    3. If you have sensitive data on an HDD, there is no Trim, so I would recommend at least 1 pass.
  14. Test your setup. VeraCrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward.
  15. After your computer has rebooted and the test has passed, VeraCrypt will prompt you to start the encryption process.
  16. Start the encryption and wait for it to complete.
  17. You are done; skip Route B and go to the next steps.

There will be another section on creating encrypted file containers with Plausible Deniability on Windows.

Route B: Plausible Deniability Encryption with a Hidden OS (Windows only)

This is only supported on Windows.

This is only recommended on an HDD drive. This is not recommended on an SSD drive.

Your Hidden OS should not be activated (with a Microsoft product key). Therefore, this route will recommend and guide you through a full clean installation that will wipe everything on your laptop.

Read the Veracrypt Documentation https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html Archive.org (Process of Creation of Hidden Operating System part) and https://www.veracrypt.fr/en/Security%20Requirements%20for%20Hidden%20Volumes.html Archive.org (Security Requirements and Precautions Pertaining to Hidden Volumes).

This is how your system will look after this process is done:

Image22.jpeg

(Illustration from Veracrypt Documentation, https://veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html Archive.org)

As you can see this process requires you to have two partitions on your hard drive from the start.

This process will do the following:

  1. Encrypt your second partition (the outer volume), which will look like an empty, unformatted partition from the decoy OS until it is mounted.
  2. Prompt you with the opportunity to copy some decoy content within the outer volume.
    1. This is where you will copy your decoy Anime/Porn collection from some external hard drive to the outer volume.
  3. Create a hidden volume within the outer volume of that second partition. This is where the hidden OS will reside.
  4. Clone your currently running Windows 10 installation onto the hidden volume.
  5. Wipe your currently running Windows 10.
  6. This means that your current Windows 10 will become the hidden Windows 10 and that you will need to reinstall a fresh decoy Windows 10 OS.

Mandatory if you have an SSD drive and you still want to do this against the recommendation: disable SSD Trim in Windows299 (again, this is NOT recommended at all, as disabling Trim is in itself highly suspicious). Also, as mentioned earlier, disabling Trim will reduce the lifetime of your SSD and will significantly degrade its performance over time (your laptop will become slower and slower over several months of use until it is almost unusable; you will then have to wipe the drive and reinstall everything). But you must do it to prevent data leaks300 that could allow forensics to defeat your plausible deniability301302. The only way around this at the moment is a laptop with a classic HDD instead.

Step 1: Create a Windows 10 install USB key

See Appendix C: Windows Installation Media Creation and go with the USB key route.

Step 2: Boot the USB key and start the Windows 10 install process (Hidden OS)

Step 3: Privacy Settings (Hidden OS)

See Appendix B: Windows Additional Privacy Settings

Step 4: Veracrypt installation and encryption process start (Hidden OS)

Remember to read https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html Archive.org

Do not connect this OS to your known Wi-Fi. You should download the VeraCrypt installer from a different computer and copy the installer here using a USB key.

  1. Install Veracrypt
  2. Start Veracrypt
  3. Go into Settings:
    1. Settings > Performance/driver options > Encrypt RAM (note that this option is not compatible with hibernating your laptop, which means you will have to shut down completely every time)
    2. System > Settings > Security > Clear keys from memory if a new device is inserted
    3. System > Settings > Windows > Enable Secure Desktop
  4. Go into System and select Create Hidden Operating System
  5. Read all the prompts thoroughly
  6. Select Single-Boot if prompted
  7. Create the Outer Volume using AES and SHA-512.
  8. Use all the space available on the second partition for the Outer Volume
  9. Use a strong passphrase260
  10. Select yes to Large Files
  11. Create some entropy by moving the mouse around until the bar is full, and select NTFS (do not select exFAT, as we want this outer volume to look "normal", and NTFS is normal).
  12. Format the Outer Volume
  13. Open Outer Volume:
    1. At this stage, you should copy decoy data onto the outer volume: some files/folders that look sensitive but are not actually sensitive, in case you ever need to reveal the password to this volume. This is a good place for your Anime/Mp3/Movies/Porn collection.
    2. I recommend you do not fill the outer volume too much or too little (about 40% is a good target). Remember you must leave enough space for the Hidden OS (which will be the same size as the first partition you created during installation).
  14. Use a strong passphrase260 for the Hidden Volume (obviously a different one from the one for the Outer Volume).
  15. Now you will create the Hidden Volume, select AES and SHA-512
  16. Fill the entropy bar until the end with random mouse movements
  17. Format the hidden Volume
  18. Proceed with the Cloning
  19. VeraCrypt will now restart and clone the Windows installation you started this process from into the Hidden Volume. This Windows will become your Hidden OS.
  20. When the cloning is complete, Veracrypt will restart within the Hidden System
  21. Veracrypt will inform you that the Hidden System is now installed and then prompt you to wipe the Original OS (the one you installed previously with the USB key).
  22. Use 1-Pass Wipe and proceed.
  23. Your Hidden OS is now installed; proceed to the next step.

Step 5: Reboot and boot the USB key and start the Windows 10 install process again (Decoy OS)

Now that the Hidden OS is fully installed, you will need to install a Decoy OS.

  • Insert the USB key into your laptop
  • See Appendix A: Windows Installation and proceed with installing Windows 10 Home again (do not Install a different version and stick with Home).

Step 6: Privacy settings (Decoy OS)

See Appendix B: Windows Additional Privacy Settings

Step 7: Veracrypt installation and encryption process start (Decoy OS)

Now we will encrypt the Decoy OS:

  1. Install Veracrypt
  2. Launch VeraCrypt
  3. Select System
  4. Select Encrypt System Partition/Drive
  5. Select Normal (Simple)
  6. Select Single-Boot
  7. Select AES as encryption Algorithm (click the test button if you want to compare the speeds)
  8. Select SHA-512 as hash Algorithm (because why not)
  9. Enter a short, weak password (yes, this is serious: do it, it will be explained later).
  10. Collect some entropy by randomly moving your cursor around until the bar is full
  11. Click Next at the Generated Keys screen
  12. Rescue disk or no rescue disk: that is up to you. I recommend making one (just in case); just make sure to store it outside your encrypted drive (a USB key for instance, or wait and see the end of this guide for guidance on safe backups). The rescue disk does not store your passphrase, and you will still need the passphrase to use it.
  13. Wipe mode: Select 1-Pass just to be safe
  14. Pre-test your setup. VeraCrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward.
  15. After your computer has rebooted and the test has passed, VeraCrypt will prompt you to start the encryption process.
  16. Start the encryption and wait for it to complete.
  17. Your Decoy OS is now ready for use.

Step 8: Test your setup (Boot in Both)

Time to test your setup.

  • Reboot and input your Hidden OS passphrase, you should boot within the Hidden OS.
  • Reboot and input your Decoy OS passphrase, you should boot within the Decoy OS.
  • Launch VeraCrypt on the Decoy OS and mount the second partition using the Outer Volume passphrase (mount it as read-only by going into Mount Options and selecting Read-Only). It should mount the second partition read-only and display your decoy data (your Anime/Porn collection). You are mounting it as read-only now because if you were to write data to it, you could overwrite content belonging to your Hidden OS.

Step 9: Changing the decoy data on your Outer Volume safely

Before going to next step, you should learn the way to mount your Outer Volume safely for writing content on it. This is also explained in this official Veracrypt Documentation https://www.veracrypt.fr/en/Protection%20of%20Hidden%20Volumes.html Archive.org

You should do this from a safe trusted place.

Basically, you are going to mount your Outer Volume while also providing the Hidden Volume passphrase within the Mount Options, so that VeraCrypt can protect the Hidden Volume from being overwritten. VeraCrypt will then allow you to write data to the Outer Volume without risking overwriting any data on the Hidden Volume.

This operation does not actually mount the Hidden Volume and should prevent the creation of any forensic evidence that could lead to the discovery of the Hidden OS. However, while you are performing this operation, both passwords are held in your RAM, so you could still be susceptible to a Cold-Boot Attack. To mitigate this, be sure you have enabled the option to encrypt your RAM as well.

  1. Open Veracrypt
  2. Select your Second Partition
  3. Click Mount
  4. Click Mount Options
  5. Check the “Protect the Hidden volume…” Option
  6. Enter the Hidden OS passphrase
  7. Click OK
  8. Enter your Outer Volume passphrase
  9. Click OK
  10. You should now be able to open and write to your Outer volume to change the content (copy/move/delete/edit…)

Step 10: Leave some forensics evidence of your outer Volume (with the decoy Data) within your Decoy OS

We must make the Decoy OS as plausible as possible. We also want your adversary to think you are not that smart.

Therefore, it is important to deliberately leave some forensic evidence of your decoy content within your Decoy OS. This evidence will let forensic examiners see that you mounted your Outer Volume frequently to access its content.

Here are good tips to leave some forensics evidence:

  • Play the content from the Outer Volume from your Decoy OS (using VLC for instance). Be sure to keep a history of those.
  • Edit Documents and work in them.
  • Enable File Indexing again on the Decoy OS and include the Mounted Outer Volume.
  • Unmount it and mount it frequently to watch some Content.
  • Copy some content from your Outer Volume to your Decoy OS and then delete it unsafely (just put it in the Recycle Bin).
  • Have a torrent client installed on the Decoy OS and use it from time to time to download some similar content that you will leave on the Decoy OS.
  • You could have a VPN client installed on the Decoy OS with a known VPN of yours (non-cash paid).

Do not put anything suspicious on the Decoy OS such as:

  • This guide
  • Any links to this guide
  • Any suspicious anonymity software such as Tor Browser

Notes:

Remember that you will need valid excuses for this plausible deniability scenario to work:

Take some time to read again the “Possible Explanations for Existence of Two Veracrypt Partitions on Single Drive” of the Veracrypt documentation here https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html Archive.org

  • You are using VeraCrypt because you are using Windows 10 Home, which does not include BitLocker, but you still wanted privacy.
  • You have two Partitions because you wanted to separate the System and the Data for easy organization and because some Geek friend told you this was better for performance.
  • You have used a weak password for easy convenient booting on the System and a Strong long passphrase on the Outer Volume because you were too lazy to type a strong passphrase at each boot.
  • You encrypted the second Partition with a different password than the System because you do not want anyone in your entourage to see your stuff. And so, you did not want that data available to anyone.

Be careful:

  • You should never mount the Hidden Volume from the Decoy OS (NEVER EVER). Doing so creates forensic evidence of the Hidden Volume within the Decoy OS that could jeopardize your attempt at plausible deniability. If you did this anyway (intentionally or by mistake) from the Decoy OS, there are ways to erase forensic evidence that will be explained later at the end of this guide.
  • Never ever use the Decoy OS from the same network (public Wi-Fi) as the Hidden OS.
  • When you do mount the Outer Volume from the Decoy OS, do not write any data to the Outer Volume, as this could overwrite what looks like empty space but is in fact your Hidden OS. You should always mount it as read-only.
  • If you want to change the Decoy content of the Outer Volume, you should use a Live OS USB Key that will run Veracrypt.
  • Note that you will not use the Hidden OS to perform sensitive activities, this will be done later from a VM within the Hidden OS. The Hidden OS is only meant to protect you from a soft adversary that could gain access to your laptop and compel you to reveal your password.
  • Be careful of any tampering with your laptop. Evil-Maid Attacks can reveal your hidden OS.

Virtualbox on your Host OS:

Pick your connectivity method:

Get an anonymous VPN/Proxy:

Whonix:

Tor over VPN:

Whonix Virtual Machines:

Pick your guest workstation Virtual Machine:

Linux Virtual Machine (Whonix or Linux):

Windows 10 Virtual Machine:

Android Virtual Machine:

MacOS Virtual Machine:

KeepassXC:

VPN client installation (cash/Monero paid):

(Optional) Allowing only the VMs to access the internet while cutting off the Host OS to prevent any leak:

Final step:

The Qubes Route:

Pick your connectivity method:

Get an anonymous VPN/Proxy:

Installation:

Lid Closure Behavior:

Connect to a Public Wi-Fi:

Update Qubes OS:

Hardening Qubes OS:

Setup the VPN ProxyVM:

Setup a safe Browser within Qubes OS (optional but recommended):

Setup an Android VM:

KeePassXC:

Creating your anonymous online identities:

Understanding the methods used to prevent anonymity and verify identity:

Captchas:

Phone verification:

E-Mail verification:

User details checking:

Proof of ID verification:

IP Filters:

Browser and Device Fingerprinting:

Human interaction:

User Moderation:

Behavioral Analysis:

Financial transactions:

Sign-in with some platform:

Live Face recognition and biometrics (again):

Manual reviews:

Getting Online:

Creating new identities:

The Real-Name System:

About paid services:

Overview:

How to share files or chat anonymously:

Redacting Documents/Pictures/Videos/Audio safely:

Communicating sensitive information to various known organizations:

Maintenance tasks:

Backing-up your work securely:

Offline Backups:

Selected Files Backups:

Full Disk/System Backups:

Online Backups:

Files:

Information:

Synchronizing your files between devices Online:

Covering your tracks:

Understanding HDD vs SSD:

Wear-Leveling:

Trim Operations:

Garbage Collection:

Conclusion:

How to securely wipe your whole Laptop/Drives if you want to erase everything:

Linux (all versions including Qubes OS):

Windows:

MacOS:

How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:

Windows:

Linux (non Qubes OS):

Linux (Qubes OS):

MacOS:

Some additional measures against forensics:

Removing Metadata from Files/Documents/Pictures:

TAILS:

Whonix:

MacOS:

Linux (Qubes OS):

Linux (non-Qubes):

Windows:

Removing some traces of your identities on search engines and various platforms:

Google:

Bing:

DuckDuckGo:

Yandex:

Qwant:

Yahoo Search:

Baidu:

Wikipedia:

Archive.today:

Internet Archive:

Some low-tech old-school tricks:

Hidden communications in plain sight:

How to spot if someone has been searching your stuff:

Some last OPSEC thoughts:

If you think you got burned:

If you have some time:

If you have no time:

A small final editorial note:

Donations:

Helping others stay anonymous:

Acknowledgements:

Appendix A: Windows Installation

Installation:

Privacy Settings:

Appendix B: Windows Additional Privacy Settings

Appendix C: Windows Installation Media Creation

Appendix D: Using System Rescue to securely wipe an SSD drive.

Appendix E: Clonezilla

Appendix F: Diskpart

Appendix G: Safe Browser on the Host OS

If you can use Tor:

If you cannot use Tor:

Appendix H: Windows Cleaning Tools

Appendix I: Using ShredOS to securely wipe an HDD drive:

Windows:

Linux:

Appendix J: Manufacturer tools for Wiping HDD and SSD drives:

Tools that provide a boot disk for wiping from boot:

Tools that provide only support from running OS (for external drives).

Appendix K: Considerations for using external SSD drives

Windows:

Trim Support:

ATA/NVMe Operations (Secure Erase/Sanitize):

Linux:

Trim Support:

ATA/NVMe Operations (Secure Erase/Sanitize):

MacOS:

Trim Support:

ATA/NVMe Operations (Secure Erase/Sanitize):

Appendix L: Creating a mat2-web guest VM for removing metadata from files

Appendix M: BIOS/UEFI options to wipe disks in various Brands

Appendix N: Warning about smartphones and smart devices

Appendix O: Get an anonymous VPN/Proxy

Cash/Monero-Paid VPN (preferred):

Self-hosted VPN/Proxy on a Monero/Cash-paid VPS (for skilled users familiar with Linux):

VPN VPS:

Socks Proxy VPS:

Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option

Appendix Q: Using long range Antenna to connect to Public Wi-Fis from a safe distance:

Appendix R: Installing a VPN on your VM or Host OS.

Appendix S: Check your network for surveillance/censorship using OONI

Appendix T: Checking files for malware

Integrity (if available):

Authenticity (if available):

Security (checking for actual malware):

Anti-Virus Software:

Manual Reviews:

Appendix U: How to bypass (some) local restrictions on supervised computers

Portable Apps:

Bootable Live Systems:

Precautions:

Appendix V: What browser to use in your Guest VM/Disposable VM

Appendix W: Virtualization

Appendix X: Using Tor bridges in hostile environments

Appendix Y: Windows AME download and installation

Download:

Installation:

Appendix Z: Paying anonymously online with BTC

Appendix A1: Recommended VPS hosting providers

Monero Disclaimer