From 7342c5c51d4f4c79f12f28506bc1de185261e875 Mon Sep 17 00:00:00 2001 From: pterocles Date: Sat, 16 Jul 2022 00:02:12 -0400 Subject: [PATCH 1/8] guide: add additional OPSEC notes Loose lips (usually your own) sink ships. Signed-off-by: pterocles --- guide.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/guide.md b/guide.md index ce1cf02..3f54dc1 100644 --- a/guide.md +++ b/guide.md 
@@ -9219,9 +9219,13 @@ Most likely if someone went through your document to read it and re-placed it ca # Some last OPSEC thoughts: -Wait, what is OPSEC? Well, OPSEC means Operations Security[^456]. The basic definition is: "OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture ". +Wait, what is OPSEC? Well, OPSEC means Operations Security[^456]. The basic definition is: "OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture." -OPSEC is often just applying common sense and being cautious about your activities including in the physical world: +The important step here, and probably the easiest one, is a lesson you can take from the movie Fight Club: the first rule is that you **do not** talk about Fight Club. This applies to many aspects of your online operational security or OPSEC. Taking your time to go through this guide will reward you with the tools and knowledge to embrace a fuller, more secure experience on the internet. Rest assured that this guide will reveal things to you that will frustrate your enemy. You will learn how to protect your operating systems and lockdown your critical information and ensure mission success. But the one thing you must adhere to is this rule of thumb - do not talk about operation details. The biggest adversarial threat to you is OSINT (discussed below and throughout the document). The enemy will gather information on you based on what they observe about you and your activities online and in real life. + +Adversaries take many forms. To some, they are actors of a foreign government, while to others they may be simply a rival company's employee looking to find disgruntled workers to target for further pressuring. To most, the general task of OPSEC is that this is your ship - you must not do anything or say anything to sink your own ship. 
Simply expressing your frustration with your boss or your work conditions or your equipment, might be enough to generate not only a behavior profile but also a vector of attack. A disgruntled employee, in this example, is what generally provides enough information to warrant pressuring of that employee for further information and possibly even extortion, blackmail, or worse. Failure to implement basic OPSEC can lead to failure at various points. It can lead to serious injury or even death if your threat model is a determined attacker, foreign actor, and so on. + +You must live by the simple rule that "loose lips sink ships" - but also that they are usually your lips which will do the sinking. OPSEC is often just applying common sense and being cautious about your activities including in the physical world: - **Remember to use passphrases instead of passwords and use a different one for each service ([Appendix A2: Guidelines for passwords and passphrases]).** From 99cb214406fc5ebc6c71e672c5e66c189729b929 Mon Sep 17 00:00:00 2001 From: pterocles Date: Sat, 16 Jul 2022 10:40:40 -0400 Subject: [PATCH 2/8] guide: iOS Onion Browser leaking IP Since 2018, it is known to have a leak in `RTCPeerConnection`. This is something that the developers have said cannot be removed and thus, the functionality of the browser still contains this call, and users should be wary of using iOS until it is fixed. We will monitor the situation but it doesn't appear they can patch. Signed-off-by: pterocles --- guide.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/guide.md b/guide.md index 5f15726..c2da226 100644 --- a/guide.md +++ b/guide.md 
@@ -2085,6 +2085,8 @@ Now, you are really done, and you can now surf the web anonymously from your And ### iOS: +**Disclaimer: Onion Browser, following a 2018 release on iOS, has had IP leaks via WebRTC. It is still the only officially endorsed browser for the Tor network for iOS. Users should exercise caution when using the browser and check for any DNS leaks.** + While the official Tor Browser is not yet available for iOS, there is an alternative called Onion Browser endorsed by the Tor Project[^300]. - Head over to From 965ebb758918a93cf8b074d1bbe7eaa5ddde28b0 Mon Sep 17 00:00:00 2001 From: pterocles Date: Sat, 16 Jul 2022 10:40:40 -0400 Subject: [PATCH 3/8] guide: iOS Onion Browser leaking IP Since 2018, it is known to have a leak in `RTCPeerConnection`. This is something that the developers have said cannot be removed and thus, the functionality of the browser still contains this call, and users should be wary of using iOS until it is fixed. We will monitor the situation but it doesn't appear they can patch. Signed-off-by: pterocles --- guide.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/guide.md b/guide.md index 5f15726..c2da226 100644 --- a/guide.md +++ b/guide.md @@ -2085,6 +2085,8 @@ Now, you are really done, and you can now surf the web anonymously from your And ### iOS: +**Disclaimer: Onion Browser, following a 2018 release on iOS, has had IP leaks via WebRTC. It is still the only officially endorsed browser for the Tor network for iOS. Users should exercise caution when using the browser and check for any DNS leaks.** + While the official Tor Browser is not yet available for iOS, there is an alternative called Onion Browser endorsed by the Tor Project[^300]. - Head over to From b46d33f1b822d21c7e900d432f3ce6ac08e4a6b9 Mon Sep 17 00:00:00 2001 
From: pterocles Date: Sat, 16 Jul 2022 21:12:55 -0400 Subject: [PATCH 4/8] guide: fix missing pointer for Anti Evil Maid Evil-Maid Attack section needed a reference to Anti Evil Maid section, and the pointer was missing. Signed-off-by: pterocles --- guide.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/guide.md b/guide.md index 5f15726..83610d4 100644 --- a/guide.md +++ b/guide.md @@ -2545,7 +2545,7 @@ You can mitigate this attack by doing the following (as recommended earlier): - Set up BIOS/UEFI/Firmware passwords to prevent any unauthorized boot of an unauthorized device. -- Some OSes and Encryption software have anti-EvilMaid protection that can be enabled. This is the case with Windows/Veracrypt and QubeOS (only on Intel CPUs). +- Some OSes and Encryption software have the [Anti Evil Maid (AEM)][Anti Evil Maid (AEM):] protection that can be enabled. This is the case with Windows/Veracrypt and QubeOS (only on Intel CPUs). ##### Cold-Boot Attack: @@ -13492,6 +13492,7 @@ See the [Some last OPSEC thoughts][Some last OPSEC thoughts:] section for some t [Note about Plausible Deniability:]: #note-about-plausible-deniability [Installation:]: #installation-3 [Lid Closure Behavior:]: #lid-closure-behavior + [Anti Evil Maid (AEM):]: #anti-evil-maid-aem [Connect to a Public Wi-Fi:]: #connect-to-a-public-wi-fi [Updating Qubes OS:]: #updating-qubes-os [Updating Whonix from version 15 to version 16:]: #updating-whonix-from-version-15-to-version-16 From d259dd75b36be42f01cb5d1412773a48469b2506 Mon Sep 17 00:00:00 2001 From: pterocles Date: Sat, 16 Jul 2022 23:23:43 -0400 Subject: [PATCH 5/8] guide: note about Correlation vs Attribution of activities A quick note about correlation and attribution. --- guide.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/guide.md b/guide.md index 5f15726..ed9793e 100644 --- a/guide.md +++ b/guide.md 
@@ -190,6 +190,7 @@ Finally note that this guide does mention and even recommends various commercial - [Setup a safe Browser within Qubes OS (optional but recommended):] - [Setup an Android VM:] - [KeePassXC:][3] +- [Quick note: Correlation vs Attribution:] - [Creating your anonymous online identities:] - [Understanding the methods used to prevent anonymity and verify identity:] - [Captchas:] 
@@ -5465,6 +5466,16 @@ In the context of Qubes OS you should store your sensitive information within th You are done and can now skip the rest to go to the "[Creating your anonymous online identities][Creating new identities:]" part. +# Quick note: Correlation vs Attribution + +**Correlation** is a relationship between two or more variables or **[attributes](https://www.digitalshadows.com/blog-and-research/cyber-attacks-the-challenge-of-attribution-and-response/)**. How are attributions determined? During digital forensic and incident response (DFIR), analysts typically look for indicators of compromise (IoCs) following events that call them to act. These indicators usually consist of IP addresses, names, databases; all of which can prescribe a certain behavioral "tag" to an individual or group. This is called attribution. A principal in statistics is that "correlation does not infer causality". What this means is that, while you may leave certain traces on certain areas of a device or network, that only shows presence of action, i.e., not explicitly your presence. It doesn't show who you are, it only resolves that something occurred and *someone* has done *something*. + +Attribution is required to prove fault or guilt, and is the prime reason why people using the Tor network to access the dark web have been compromised: they left traces that were shown to be connected to their real identities. Your IP can be — but is usually not — a large enough indicator to attribute guilt. This is shown in the infamous NotPetya cyber attacks against the U.S., which were later also released upon Ukraine. 
Though the White House never *said* it was Russia's doing, they attributed the attack to Russia's [(GRU)](https://www.reuters.com/article/us-britain-russia-gru-factbox/what-is-russias-gru-military-intelligence-agency-idUSKCN1MF1VK) which is a direct office housing the Russian deniable warfare[^311] cyber divisions, uncommonly referred to as "spy makers" in the intelligence community (IC). + +_What is the point_, you may ask? Well, bluntly speaking, this a perfect example because NotPetya, which is now undoubtedly the work of Russian cyber operations against foreign countries and governments, has still never been formally attributed to Russia, only to a known group within Russia (colloquially dubbed [Cozy Bear](https://wikiless.org/wiki/Cozy_Bear)) which can not be confirmed nor denied given that it is highly compartmentalized within the structure of Russia's military. And it's also in part because of the efforts used to disguise itself as a common Ransomware, and because it routinely used the servers of hacked foreign assets not linked to Russia or to its internal networks. + +It's all to show you the lengths that state actors will go to. You may not be aware of it, but foreign governments use concealment techniques such as the ones discussed in the sections of this guide. They routinely use Tor, VPNs to conceal traffic; they use hacked devices and access to stolen equipment to perform cyber espionage every day and it makes attribution incredibly difficult, if not improbable, from a forensic examiner's point of view. The problem of correlation is trivial, and you can solve it by simply using IP hiding tools such as a VPN and the Tor network, but still be connected to your IRL name and IP through data leaks or other factors. You can not easily be attributed to your activities if you carefully follow and adopt the given techniques and skills discussed below. 
+ # Creating your anonymous online identities: ## Understanding the methods used to prevent anonymity and verify identity: @@ -13500,6 +13511,7 @@ See the [Some last OPSEC thoughts][Some last OPSEC thoughts:] section for some t [Setup a safe Browser within Qubes OS (optional but recommended):]: #setup-a-safe-browser-within-qubes-os-optional-but-recommended [Setup an Android VM:]: #setup-an-android-vm [3]: #keepassxc-1 + [Quick note: Correlation vs Attribution:]: #quick-note-correlation-vs-attribution [Creating your anonymous online identities:]: #creating-your-anonymous-online-identities [Understanding the methods used to prevent anonymity and verify identity:]: #understanding-the-methods-used-to-prevent-anonymity-and-verify-identity [Captchas:]: #captchas From af543faddded904038a95c5b1ff4e0ff5ac0b24e Mon Sep 17 00:00:00 2001 From: pterocles Date: Sat, 16 Jul 2022 23:29:49 -0400 Subject: [PATCH 6/8] guide: add missing ToC item for Anti Evil Maid Add missing pointer --- guide.md | 1 + 1 file changed, 1 insertion(+) diff --git a/guide.md b/guide.md index 83610d4..cc9880a 100644 --- a/guide.md +++ b/guide.md @@ -182,6 +182,7 @@ Finally note that this guide does mention and even recommends various commercial - [Note about Plausible Deniability:] - [Installation:] - [Lid Closure Behavior:] + - [Anti Evil Maid (AEM):] - [Connect to a Public Wi-Fi:] - [Updating Qubes OS:] - [Updating Whonix from version 15 to version 16:] From 3015f36c0f28d58977e96927110013ba2583d83e Mon Sep 17 00:00:00 2001 From: Alex Anderson Date: Sun, 17 Jul 2022 06:57:48 +0000 Subject: [PATCH 7/8] Updated OPSEC notes --- guide.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/guide.md b/guide.md index 3f54dc1..0125487 100644 --- a/guide.md +++ b/guide.md 
@@ -9227,6 +9227,8 @@ Adversaries take many forms. To some, they are actors of a foreign government, w You must live by the simple rule that "loose lips sink ships" - but also that they are usually your lips which will do the sinking. OPSEC is often just applying common sense and being cautious about your activities including in the physical world: +It is recommended that you learn about the common ways people mess up OPSEC [[Archive.org]][[1381]]. Whatever you do, take OPSEC seriously, and [Don't Fuck It Up!](https://www.youtube.com/watch?v=J1q4Ir2J8P8) + - **Remember to use passphrases instead of passwords and use a different one for each service ([Appendix A2: Guidelines for passwords and passphrases]).** - Make sure you are not keeping a copy of this guide anywhere unsafe after. The sole presence of this guide will most likely defeat all your plausible deniability possibilities. @@ -15024,3 +15026,5 @@ You can find some introduction on these on these projects: [1378]: https://web.archive.org/web/https://www.qubes-os.org/doc/anti-evil-maid/ [1379]: https://web.archive.org/web/https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html [1380]: https://web.archive.org/web/https://github.com/QubesOS/qubes-antievilmaid + [1381]: https://web.archive.org/web/20220717064253/https://dan-kir.github.io/2022/05/26/OPSEC-notes.html + [1382]: https://www.youtube.com/watch?v=J1q4Ir2J8P8 From adb2a1e1d12f933942aab97ee72083534ac48512 Mon Sep 17 00:00:00 2001 From: Alex Anderson Date: Sun, 17 Jul 2022 07:01:08 +0000 Subject: [PATCH 8/8] Moved line --- guide.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/guide.md b/guide.md index 0125487..2068256 100644 --- a/guide.md +++ b/guide.md 
@@ -9227,8 +9227,6 @@ Adversaries take many forms. To some, they are actors of a foreign government, w You must live by the simple rule that "loose lips sink ships" - but also that they are usually your lips which will do the sinking. OPSEC is often just applying common sense and being cautious about your activities including in the physical world: -It is recommended that you learn about the common ways people mess up OPSEC [[Archive.org]][[1381]]. Whatever you do, take OPSEC seriously, and [Don't Fuck It Up!](https://www.youtube.com/watch?v=J1q4Ir2J8P8) - - **Remember to use passphrases instead of passwords and use a different one for each service ([Appendix A2: Guidelines for passwords and passphrases]).** - Make sure you are not keeping a copy of this guide anywhere unsafe after. The sole presence of this guide will most likely defeat all your plausible deniability possibilities. @@ -9281,6 +9279,9 @@ It is recommended that you learn about the common ways people mess up OPSEC [[Invidious]][553] + +It is recommended that you learn about the common ways people mess up OPSEC [[Archive.org]][[1381]]. Whatever you do, take OPSEC seriously, and [Don't Fuck It Up!](https://www.youtube.com/watch?v=J1q4Ir2J8P8) + **FINAL OPSEC DISCLAIMER: KEEP YOUR ANONYMOUS IDENTITIES COMPLETELY SANDBOXED FROM YOUR NORMAL ENVIRONMENT AND REAL IDENTITY. DO NOT SHARE ANYTHING BETWEEN THE ANONYMOUS ENVIRONMENTS AND THE REAL IDENTITY ENVIRONMENT. KEEP THEM COMPLETELY COMPARTMENTALIZED ON EVERY LEVEL. MOST OPSEC FAILURES ARE DUE TO USERS ACCIDENTALLY LEAKING INFORMATION RATHER THAN TECHNICAL FAILURES.** # **If you think you got burned:**
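Review bot: Patch 1/8, hunk @@ -9219: several wording slips in the new paragraphs. "lockdown your critical information" should be "lock down" (verb), "do not talk about operation details" should be "operational details", and "the general task of OPSEC is that this is your ship - you must not do anything or say anything to sink your own ship" does not parse; suggest "the general rule of OPSEC is that this is your ship: do not do or say anything that sinks it." The closing "loose lips sink ships" sentence then restates the Fight Club paragraph above it; keep one of the two.

Review bot: Patch 2/8, hunk @@ -2085: the disclaimer describes an IP leak via WebRTC (the commit message names `RTCPeerConnection`) but then tells readers to "check for any DNS leaks"; a DNS leak test will not surface a WebRTC peer-connection leak, so say "check for WebRTC/IP leaks" and name the kind of test to run. "following a 2018 release" is vague, and the claim that the developers say it cannot be removed appears only in the commit message; put it in the text with a `[^NNN]` footnote in the guide's style so the reader can verify it.

Review bot: Patch 3/8 is a byte-for-byte duplicate of 2/8 (same Subject, same Date, same `index 5f15726..c2da226`, same hunk) and should be dropped; `git am` will stop on the second copy. Related: the index lines show 2/8, 4/8 and 5/8 all starting from 5f15726 while 1/8 produced 3f54dc1 and 7/8 starts from 3f54dc1, so the series is not linear as numbered; rebase it into one sequence before it can be applied in order.

Review bot: Patch 4/8, hunk @@ -2545: "have the [Anti Evil Maid (AEM)][Anti Evil Maid (AEM):] protection" reads oddly with the article; "have [Anti Evil Maid (AEM)][Anti Evil Maid (AEM):] protection" is cleaner. Since the line is being rewritten anyway, also correct "QubeOS" to "Qubes OS" (the spelling used in the ToC entries in this same series) and "Veracrypt" to "VeraCrypt". The reference definition added in the @@ -13492 hunk matches the label, so the link will resolve.

Review bot: Patch 5/8, hunk @@ -5465: the NotPetya paragraph contradicts itself. It says the White House "never *said* it was Russia's doing", then that they "attributed the attack to Russia's (GRU)", then that it "has still never been formally attributed to Russia"; one of these has to go, and whichever stays needs a `[^NNN]` footnote like the rest of the guide, as does the claim that the attack hit the U.S. first and Ukraine later. The paragraph also names two different bodies as the attributed party (the GRU link, then the Cozy Bear link) without saying how they relate; a reader cannot tell which attribution the guide is endorsing. Smaller fixes: "A principal in statistics" should be "A principle", "correlation does not infer causality" should be "correlation does not imply causation", and "but still be connected to your IRL name" should be "but you can still be connected". The new heading `# Quick note: Correlation vs Attribution` also lacks the trailing colon that the neighbouring headings and the ToC label `[Quick note: Correlation vs Attribution:]` carry.

Review bot: Patch 6/8 should be squashed into 4/8: both fix the same missing Anti Evil Maid pointer (section link in 4/8, ToC item here) and 6/8 is already based on 4/8's output (`index 83610d4..cc9880a`), so a single commit along the lines of "guide: link Anti Evil Maid section from Evil-Maid mitigations and ToC" gives cleaner history.

Review bot: Patch 7/8, hunk @@ -9227: `[[Archive.org]][[1381]]` doubles the brackets around the reference label, so it will not resolve and "[1381]" renders literally; the guide's convention, visible in the `[[Invidious]][553]` context line of 8/8, is `[[Archive.org]][1381]`. In the same line the YouTube link is written inline while `[1382]` is defined in the @@ -15024 hunk and never used; use `[[YouTube]][1382]` instead of the inline URL so the two hunks agree. The new line is also inserted between "...including in the physical world:" and the bullet list it introduces, detaching the list from its lead sentence; 8/8 moves it, so squash 7/8 and 8/8 into one commit.

Review bot: Patch 8/8, hunk @@ -9281: the move to just before the final OPSEC disclaimer is the right place, but the line still carries the `[[1381]]` double-bracket defect from 7/8 and the inline YouTube URL instead of `[1382]`; fix both in the moved line. The commit message "Moved line" should say which line and why (the list it had split in 7/8).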