Update: 3/20/2018, Avoid Qubes and trust Tails Live. Burn it on an air gap and verify twice if lives depend on it. Use dd to rip the image back off the disk. Check it.
Update: 10/08/2017, Qubes 4.0 is buggy but secure for now. Package managers (apt-get, dnf) are total Swiss cheese. Tor, VPNs etc. are being broken in near real time; unsure if it’s hacking, protocol bugs or timing attacks. Man-in-the-middle attacks are really unstoppable on a known connection; the whole Linux ecosystem is vulnerable. Subgraph is workable if you update programs individually. Tor first, click new identity, install some more a few at a time. You can also use another connection and make a backup copy. Tails Live is solid as usual, but the browsers are all able to be hooked. Hidden and mobile for anything serious. Hard-wired cameras that have been bought new from a local store and epoxy glued WILL stop covert entry. Glue the seams, the screws and all the ports, including the Ethernet and the mouse. Use USB plugs so if it’s needed you can get back into it if something happens. Take pictures of the unit at a measured distance and use some custom-made glitter glue so you can know if it’s been tampered with.
Domestic extremist is code for terrorist. Anarchists, militia and sovereign citizens have been classified as such, along with many other groups having nothing to do with terrorism. Hackers are considered soldiers and feared more than physical threats by governments worldwide. Anonymous was accused of plotting to bring down the power grid, an attempt to scare governments into action against them. Occupy Wall Street had snipers trained on them several times despite being peaceful. Everyone remembers the MIAC report citing Ron Paul supporters as threats. Even privacy advocates that just talk about encryption or anonymity tools are extremists now. “Political language is designed to make lies sound truthful and murder respectable, and to give an appearance of solidity to pure wind.” - Orwell. These tactics are used to enable the roll-out of counter-terrorism tactics on anyone they’ve labeled. Whether you’re protesting in the street, protesting taxes or the state itself, you’re now an extremist threat.
COINTELPRO tactics are not new, but the FBI using the NSA’s capabilities without warrants against domestic persons for anything federal agencies want is new. It’s not just that they’re spying on people they dislike; hacking has become commonplace in their investigations. How long before the FBI is allowed to use the same MITM injection techniques and advanced malware as the NSA uses? They’ll create modern-day witch hunts against certain political targets that, if convicted, would advance their agenda in the media.
Challenges to the status quo of bureaucratic dictatorship, executive overreach or systemic corruption can lead to you being treated as a terrorist. This is the new reality. There is little middle ground between enemy of the state and globalist minion. This is the Bush era’s “If you’re not with us you’re with the terrorists” mentality. The surveillance state has decided that the fourth amendment is no longer relevant, that the rule of law is for us to follow not them. The select few that oversee the massive secret government rubber stamp everything and encourage the most invasive underhanded tactics. The end justifies the means in the age of terror.
They’re currently seeking to shift the Overton window on backdoors, but hacking is next. Specifically they want to be allowed to present evidence in court from their hacking exploits but not be forced to reveal the methods or the code involved. If this is allowed to pass you will be accepting a secret police that can at will hack into your computer, view anything they want and, if they want, frame you. You would have no ability to have experts challenge evidence, because without the methods being exposed there’s nothing to challenge. The court would be forced to trust the FBI or other federal agency. Parallel construction already works in a similar fashion, where one agency hands another inadmissible or secretly gathered evidence and forces agents to lie on the stand about how they became aware of certain facts.
Government shouldn’t be trusted with godlike omniscience or Hollywood hacker-style exploits; no one should. To hack someone is more of an intimate search than rifling through their car or home. Most people keep every detail of their life on their devices: their pictures, videos, contacts etc. This type of search is not trivial, and it’s not necessary in any way for people who are just politically active or peaceful foes of the government. This is NOT how open, free societies are supposed to run. Warrants are an essential check on government to prevent arbitrary searches. If a legal search turns up evidence, prosecute or move on. Only they don’t move on; you stay on the list until you become uninteresting or die. I know from personal experience.
The only way to prove government hacking today is to have a lot of money and very smart experts. Even then the best, like Kaspersky, can only get a few lines of illegible code out of the samples they analyze; this makes attribution a loose patchwork of connections. This is a government that makes F-22s; if you’re thinking a guy like me can “prove” that I got hacked by government you’re dreaming. Hacked in general, that’s not too hard to prove. The method they use to get it on a computer is the smoking gun of government intrusion. Most people have no clue that they’re hacked; they’re oblivious. For this reason they’re brazen: they really can’t get caught even if you’re able to grab a sample or capture every packet. It’s totally deniable on every level.
What’s stopping them from using this on everyone? Laws? Congress? Dianne Feinstein? Never going to happen; they’re cheerleaders if anything. Even if you had real proof it would go nowhere; government won’t prosecute or stop itself. No one in the power structure cares as long as it doesn’t end up in the news. It’s actually much more likely, given their history and what’s come out with Snowden, that they’re hacking absolutely anyone of interest, or as many as their budget can handle. A 60 billion dollar budget, mind you. Hacking is the new wiretap.
They already “collect it all” but that isn’t enough. End-to-end encryption along with anonymity tools like Tor introduce blind spots for them. To a power-crazed predator this is completely unacceptable. They have a complete disregard for your privacy; it’s a word without meaning to them. Any communication they can’t read is a threat. Absolute control of what they increasingly see as a prison population (no crypto for inmates!) is their endgame. We’re not being treated like US citizens; the methods and ideology being used today are more in tune with an occupation than law-and-order governance.
I’m going to give you some of what I’ve learned about mitigating state-level threats, but if you don’t have some minimal experience with Linux, networking and computers in general this will be very difficult. I’m assuming you’ve read a few books on computer security / hacking, because without that you could have the best setup and fail due to simple misconfigurations, let alone having an advanced adversary try to pick you apart. If you don’t have these prerequisites you can however use a live Tails or Subgraph DVD and still have great security.
UPDATE: It’s best to use Tails or Subgraph OS for secure messaging like chat or email. Qubes OS does not have exploit prevention and Tor does not prevent hacking. Use grsecurity in the VM and use an air gap for PGP.
Your starting point to the internet matters because of timing attacks / metadata. Public Wi-Fi, anonymously bought 3G/4G dongles (used at locations not associated with you) or connections not belonging to you significantly decrease the chances of correlation in real time or at a later date. Tor is not magical; it’s just three hops, and governments own many of the nodes. Governments also share data with each other to identify Tor users.
What you read in the news about how they figure people out is mostly BS. They already know, then put together something they can use in court and for media headlines. What’s a good bust without a good sleuth story demonstrating the competence and sophistication of the arresting agency? There’s a huge difference between the government knowing you’re part of a movement or group and proving it in court. Most of the time they can’t use the evidence: 1. because it’s illegally obtained and 2. they would have to expose how they obtained it. They don’t expose methods to the public even when it comes to very large and important cases.
You don’t necessarily need to use Tor or Tails, but a clean operating system and clean hardware are essential. Qubes OS provides both on a fresh install and this is why I highly recommend it. I understand that most people will still use their home connection and that’s fine, but just keep in the back of your head that if you use the same alias for months on end, assume they know it’s you (even with Tor).
Dive into PGP face first and spend serious time learning how to use it. Do this with every app you’re using for security / anonymity. Good apps include, but are not limited to: Signal, Jitsi, Pidgin w/ OTR, Coy, Ricochet and maybe even
UPDATE: Metadata is just as important as content in many situations. Using remailers with delays like nymservers and I2P-Bote will make it near impossible in the short term to figure out who’s talking to whom. Be aware that PGP leaks metadata; use one key pair per contact per screen name you use. Use the biggest key size possible.
Nothing is secure that’s connected to the internet. It’s only air-gapped computers with high levels of physical security that I might call secure. Even air gaps are now being attacked via their RF emissions (TEMPEST). Use USB sticks with write-locked firmware to ferry data. USB sticks can be made secure but they don’t come from the local store like that. Security in layers is best. Always use a physical, not virtual, backstop. A backstop is something that ensures that if someone does breach your host PC the real IP is not exposed, nor the rest of your network. A Raspberry Pi running Tor can be used, or a TP-Link running WGRT or Portal can as well. An old PC is my favorite; pfSense is solid and can run Tor. It comes with OpenVPN; just add one or more Ethernet cards to it and you have a nice backstop. Make sure to use your knowledge of computer security to harden the backstop. Change the defaults etc. Don’t log into your backstop from the host PC; use a live DVD, because if your host PC is infected the backstop won’t be compromised. Do some research and find a guide that you like to use. Don’t use Tor over Tor, as it’s not good for many reasons including drawing attention. If you’re using Tor in the host PC use a VPN for the backstop. For extra credit set up a layer 2 stealth IDS with Security Onion between you and the backstop.
Update 10/08/2017: Write-blocked USB firmware: https://www.apricorn.com/flash-keys If your unlock code won’t work to unlock the device, consider it compromised.
You need a dedicated machine for anonymous net usage and one air-gapped for PGP and encrypted storage. A YubiKey and a read-only OS might be good here, like an updated version of Ubuntu Privacy Remix. Plugging any hardware into a secure machine is a threat, such as a cell phone or other hardware; just use another normal-use machine. Qubes OS does mitigate hardware malware. It’s possible very advanced adversaries like the NSA can get through the Xen hypervisor that provides virtualization to Qubes OS. They have a huge budget and recruit a whole lot of naive geniuses to develop exploits. NSA hackers are very good at using everything to their advantage; they will hack your hardware and use it against you. They can infect Ethernet cards, GPUs / video cards and likely even have CPU exploits which would blast through anything you use if dropped. Don’t use the same PC you use for work and your real identity for anonymous usage. A different hard drive or partition for each OS won’t work if they’re looking at you. GPU hacking is real and jelly malware is here for you to look at. A keylogger can be run from a video card or other hardware.
UPDATE: Destroy the Wi-Fi on your air gap; the button is useless. Secure the air gap in a safe if possible. Encryption on any device that connects to the internet will not be secure.
Update 10/07/2017: In the BIOS disable the Wi-Fi if you can, and “secure” is a relative term on an internet-connected machine. Do your best.
I know this sounds more like a secure drop guide for journalists or hacktivists, but if there’s a state adversary that has you in its sights, or rather you’re on its auto-hacking list, this type of security is what it takes to keep them out. Now most of us are not doing anything illegal on our computers, but we do want to keep the government out.
We have to sign in to things to talk with our friends, to post social media. As things get worse, being able to have secure channels of communication over the internet is key. Deny them the intel they need to divide and conquer your group. Deny them the intel on how to set up you or your friends. COINTELPRO 101: they target groups, create infighting, discredit the cause and run the whole group into the ground or in the direction of their choosing. That’s only possible if they have enough information about you and those around you. We only have enough money for so many PCs. Virtualizing is the answer, but not on any OS: one that’s made for security and isolation. Isolate your social media on one Whonix VM and your secure comms on another. Use different Whonix gateways for each task as well as screen names, and rotate them regularly.
Install Qubes OS on new hardware for best possible security. On the first boot it asks if you want the system to update through Tor; uncheck that. Don’t update Qubes, it likely won’t help security and it’s too risky. Check the storage / USB virtualization; it’s a great feature. If there’s ever a security flaw in Xen, wait until it’s patched and reload everything with the latest image. If you don’t uncheck the Tor-routed system updating you end up with persistent Tor guards that are unique across connections; you can change this in Qubes manager. In the Fedora template edit /etc/hosts and add 0.0.0.0 fedoraproject.org as well as 0.0.0.0 ntp.org. Be quiet on the line; don’t give up any info you don’t need to. Qubes is still rare.
UPDATE: Make certain that the IOMMU is turned ON / ACTIVE. Open a terminal in dom0 and type qubes-hcl-report to verify it’s working. Enable VT-d / AMD-V virtualization in your BIOS if it’s not ACTIVE. If you can’t get it to work I would suggest using Tails or Subgraph instead. This is extremely important; don’t use Qubes without it. https://www.qubes-os.org/hcl/ Also look into coreboot; it’s not necessary but would add to your security. https://www.coreboot.org/
The NSA is king of MITM attacks, and YES, even on Tor, after enough data is transferred they can get you. As fast as 50 MB or 5 min when they know your location, from what I’ve observed (USA). It all depends on how bad they want you: priority levels. Tor works, but if they know you and your location then the game’s up very fast. I’ve seen many attacks come through package managers updating or installing. Never assume organizations’ crypto keys aren’t compromised. Open up arm from the Whonix Gateway, flip over to the torrc and change the max circuit dirtiness (MaxCircuitDirtiness) to 1-2 min or something, and reset it before and after each install or update. Remember these are the guys hacking the randomness of Intel CPUs’ encryption; call me paranoid if it makes you feel more secure. It’s very important that you do not update the fedora23 template or install anything in it. Make a clone of the original if you want to do something with it. Same with the other templates: make a clone if you want to do more than edit a file or something. The fedora template is the heart of your system: your firewall, your sys-usb and networking box. It’s a total system compromise if anything gets in.
UPDATE: Don’t update the VMs at all if you’re getting attacked by a sophisticated nation state. Just the browser in Whonix will be sufficient. Installing anything should be done quickly with multiple Tor resets during the process. TOR HAS BEEN BROKEN by NSA; it will not protect you from MITM. If you’re doing everything right this is how they’re going to attack you for persistence.
Don’t use the VMs that come with the standard install on the VPN or home line if you can help it. All traffic should go through Tor. (Please donate.) You can use Debian as a VPN gateway; use resolvconf to stop DNS leaks, and check it with dnsleaktest.org after each change. If you’re not in a high-threat group then using a VPN is cool, but sophisticated adversaries can see VPNs’ exit traffic easily, just saying…
Do a packet capture with your backstop and see what your Qubes is doing (tcpdump -i eth0 -s 65535 -w file, for viewing in Wireshark). When you change connections this gets important. When you reset the VPN or chain them, check it periodically. Mind the Whonix gateway VM’s persistent guards as well; they’re unique enough to ID you. Remember to think from the other side’s point of view. Just imagine you can see the whole internet and you won’t be doing half bad.
Your final setup should be Home-ISP > Backstop-VPN > Qubes-Whonix-Tor > freedom!
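One way to act on that backstop capture, as an added example that is not part of the original post: it parses the classic pcap file that tcpdump -w writes (standard library only) and lists every IPv4 destination other than the VPN endpoint, which on the backstop’s ISP-facing interface is what a DNS or clearnet leak out of Qubes looks like. The VPN address 203.0.113.10 and the three-packet capture are constructed for the demo.

```python
"""Flag traffic in a backstop capture that is not going to the VPN endpoint."""
import ipaddress
import struct

VPN_SERVER = "203.0.113.10"  # assumed placeholder for the backstop's VPN endpoint
TCP, UDP = 6, 17


def parse_pcap(data: bytes):
    """Yield (timestamp, frame) for each record of a classic pcap file (what tcpdump -w writes)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # microsecond pcap, little-endian writer
        endian = "<"
    elif magic == 0xD4C3B2A1:    # same format from a big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    pos = 24                     # skip the 24-byte global header
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def ipv4_flow(frame: bytes):
    """Return (proto, src, dst, dport) for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None              # ARP, IPv6 etc. are ignored by this check
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    dport = None
    if proto in (TCP, UDP) and len(frame) >= l4 + 4:
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return proto, src, dst, dport


def find_leaks(pcap: bytes, allowed=frozenset({VPN_SERVER})):
    """List (dst, dport, proto) for every packet not headed to an allowed endpoint."""
    leaks = []
    for _ts, frame in parse_pcap(pcap):
        flow = ipv4_flow(frame)
        if flow is None:
            continue
        proto, _src, dst, dport = flow
        # multicast and limited broadcast (DHCP, mDNS) are link-local noise, not leaks
        if dst in allowed or ipaddress.IPv4Address(dst).is_multicast or dst == "255.255.255.255":
            continue
        leaks.append((dst, dport, proto))
    return leaks


def build_frame(src: str, dst: str, proto: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums are zero, which the parser ignores."""
    if proto == UDP:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def build_pcap(frames, ts: int = 1500000000) -> bytes:
    """Wrap frames in a little-endian classic pcap file (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


# Constructed three-packet capture standing in for what the backstop would record.
SAMPLE_CAPTURE = build_pcap([
    build_frame("192.0.2.50", VPN_SERVER, UDP, 1194),           # OpenVPN to the endpoint: expected
    build_frame("192.0.2.50", "8.8.8.8", UDP, 53, b"\x12\x34"), # DNS outside the tunnel: leak
    build_frame("192.0.2.50", "198.51.100.7", TCP, 443),       # clearnet TLS outside the tunnel: leak
])
```

On a real capture call find_leaks(open("file", "rb").read()) with your own VPN endpoint in allowed; an empty list means nothing left the backstop outside the tunnel.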
You can add more VPNs before or after Tor depending on what you like. It’s recommended by many (the Grugq), whether you’re up to something or not, to have Tor first in the line on your backstop. Each time you make a new Whonix gateway you get new guards (first-hop connection). For everyday use I usually use three Whonix gateways, one for each task: Twitter, music, searches etc. Be mindful of constant streams; separate them from other tasks.
Make them work for a living! Whonix is likely the most targeted VM; it’s best to build your own custom VM. Make sure the browser fingerprint is identical to Whonix and TBB but custom it up hardcore otherwise. Patching the kernel with GR isn’t that hard; just find one or two guides and smash something together. GR does not work in Qubes to my knowledge.
UPDATE: grsecurity does work in Qubes now. Compile the hardened kernel with Xen virtualization enabled in the config options. In Qubes there’s no exploit prevention beyond isolation and hardware virtualization. Think of Qubes as just a layer that protects the hardware and other VMs. Building a grsec-hardened VM you can clone will give you a very high-security setup. It’s worth the time and it’s exactly what you need to protect yourself from a smash-and-grab hack stealing chat / video crypto keys, unencrypted emails etc., as can happen in Whonix or the other stock VMs. If you’re good at hardening an OS go this route, or wait until Subgraph OS has a Qubes-compatible build.
Read the qubes-os.org documents for help getting things running the way you want. Don’t assume it’s a magic bullet or anything else. Use the offline vault VM for everything that doesn’t need internet to work (file transfers to USB sticks). Dedicate a Whonix workstation as an offline VM. It’s a good choice as it has a lot of apps that come with it. Don’t contaminate VMs; dedicate them to the task.
When using normal operating systems like Ubuntu, even if hardened with something like grsecurity, the problem is that once they get through the browser or package installer (which from what I’ve experienced is a very simple task for them) it’s game over. They escalate privileges and drop stealth code that you can’t find with any tools. Then your hardware gets hit, and when an APT gets in hardware any new normal OS is going to be more easily compromised or tracked. With Qubes they can still get through the browser, but infecting the whole system is not as easy. When you’re done for the day and close the VM there’s a good chance that whatever they dropped on you is gone. It’s a good practice, depending on your threat model, to delete VMs after 30 days or so and make new ones. It’s a 5 min job or less depending on how long it takes to transfer files. Live Linux DVDs are great for this exact reason: it’s always clean when you boot it. E.g. Subgraph, Tails, Pentoo (Tor not enabled by default), Qubes live (no Tor).
If you do get hacked I have some recommendations: If they make it obvious it might be a test; you may want to play dumb and let them think they see everything. You’re just a stupid script kiddie or some retarded protester. If you’re some low-level person they don’t mind your shenanigans. If you’re not low-level then you know what the next move is… Acting paranoid is a huge red flag for them. I’m naturally paranoid and I seem to be irresistible to them, so act cool, unbothered by it. Don’t threaten their malware; they go nuts over that shit!
Copperhead OS is for Nexus cell phones. I’m using it right now and it appears to be secure even though the Qualcomm Snapdragon chip inside currently has a root vuln in it. Having a hardened open-source cell phone OS is key in this climate. Encryption is on the chopping block right now and one of the only ways to ensure your device stays encrypted properly is to do it yourself. If and when Signal is able to be used on Copperhead it will be the hands-down best phone OS in the world. The VPN client needs some work but you can use Orbot and Orweb (Tor) browser right now. It’s worth looking into. Never trust the security of proprietary system-on-a-chip devices you don’t control (every cell phone has one). It’s probably better to blend in with your phone than try to secure it with something like Copperhead.
UPDATE: https://blog.torproject.org/blog/mission-improbable-hardening-android-security-and-privacy The scripts do use SuperUser so it will get rooted if you let it. Verified boot is not worth the rooted phone imo. Supports Google Nexus 5X, 6P.
Signal on Copperhead “For now, if you do not wish to use a Google account with Google Play, it is possible to download the Signal apks from one of the apk mirror sites (such as APK4fun, apkdot.com, or apkplz.com). To ensure that you have the official Signal apk, perform the following:
Download the apk.
Unzip the apk with unzip org.thoughtcrime.securesms.apk
Verify that the signing key is the official key with keytool -printcert -file META-INF/CERT.RSA
You should see a line with SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Make sure that fingerprint matches (the space was added for formatting).
Verify that the contents of that APK are properly signed by that cert with: jarsigner -verify org.thoughtcrime.securesms.apk. You should see jar verified printed out.
Then, you can install the Signal APK via adb with adb install org.thoughtcrime.securesms.apk. You can verify you’re up to date with the version in the app store with ApkTrack.”
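To automate the fingerprint step in the quoted procedure, here is an added example (mine, not from the post or from the Signal project): it opens the APK as a zip, pulls the signing certificate out of the v1 signature block META-INF/CERT.RSA (a PKCS#7 SignedData blob) and computes the same SHA256 fingerprint that keytool -printcert prints, using only the Python standard library. The sample APK and certificate it is tested against are constructed in memory; a real APK still needs jarsigner -verify afterwards to confirm the contents match the signature.

```python
"""Fingerprint the signing certificate inside an APK the way `keytool -printcert` does."""
import hashlib
import io
import zipfile

# Fingerprint quoted in the post; the space in it stands for a colon.
EXPECTED_SHA256 = "29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26"


def der_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos] -> (tag, value_start, value_end); single-byte tags only."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end, tlv_start) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend


def extract_signer_certificate(pkcs7: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData block:
    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo, certificates [0] IMPLICIT, ... }"""
    tag, vs, ve = der_tlv(pkcs7, 0)
    content = next((c for c in der_children(pkcs7, vs, ve) if c[0] == 0xA0), None)
    if tag != 0x30 or content is None:
        raise ValueError("not a PKCS#7 ContentInfo")
    sd_tag, sd_vs, sd_ve, _ = next(der_children(pkcs7, content[1], content[2]))
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    for tag, vs, ve, _ in der_children(pkcs7, sd_vs, sd_ve):
        if tag == 0xA0:                    # certificates: each child is a Certificate SEQUENCE
            for ctag, _cvs, cve, cstart in der_children(pkcs7, vs, ve):
                if ctag == 0x30:
                    return pkcs7[cstart:cve]
    raise ValueError("no certificate in signature block")


def sha256_fingerprint(cert_der: bytes) -> str:
    """Colon-separated upper-case SHA-256 over the DER certificate, keytool style."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def apk_signer_fingerprint(apk_bytes: bytes) -> str:
    """Open the APK (a zip), find META-INF/*.RSA|.DSA|.EC and fingerprint its certificate."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = [n for n in zf.namelist() if n.startswith("META-INF/")
                  and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if len(blocks) != 1:
            raise ValueError(f"expected one v1 signature block, found {blocks}")
        return sha256_fingerprint(extract_signer_certificate(zf.read(blocks[0])))


def fingerprint_matches(actual: str, expected: str = EXPECTED_SHA256) -> bool:
    """Compare fingerprints ignoring case, colons and the formatting space in the post."""
    def norm(s): return "".join(ch for ch in s.upper() if ch in "0123456789ABCDEF")
    return norm(actual) == norm(expected)


def der_encode(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (bodies under 256 bytes) used only to build the constructed sample."""
    n = len(body)
    return bytes([tag, n]) + body if n < 0x80 else bytes([tag, 0x81, n]) + body


FAKE_CERT = der_encode(0x30, der_encode(0x02, b"\x07") + der_encode(0x04, b"x" * 150))  # constructed, not real X.509


def build_fake_apk(cert: bytes) -> bytes:
    """Constructed APK whose META-INF/CERT.RSA wraps `cert` in a minimal SignedData."""
    signed_data = der_encode(0x30, der_encode(0x02, b"\x01")                  # version
                             + der_encode(0x31, b"")                           # digestAlgorithms
                             + der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
                             + der_encode(0xA0, cert)                          # certificates [0]
                             + der_encode(0x31, b""))                          # signerInfos
    content_info = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")
                              + der_encode(0xA0, signed_data))                 # id-signedData, [0] content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()
```

For the downloaded file, fingerprint_matches(apk_signer_fingerprint(open("org.thoughtcrime.securesms.apk", "rb").read())) must be True before you go on to jarsigner and adb install.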
A little on cell phones and you. We all know about cell tracking and intercepts, but what about voice recognition? License plate readers, traffic cams, street cams with face recognition? Microphones in street lamps? Lots of things are connected today; don’t forget them when ghosting about with a prepaid cell and an anon 4G. It’s all a question of how many resources they want to put into finding / tracking you. Soon enough this stuff will become more automated and able to track and correlate in real time. Are you the leader of a protest or just some guy with a sign? Best not to talk unencrypted if you don’t want voice recognition to tag your new IMSI and IMEI. Be sure to turn those devices off before you get home. Pull the battery instead of doing a proper shutdown so it won’t be able to send a final ping to the tower. Older cells are better burners.
UPDATE: If you’re getting surveilled by 5eyes or a wealthy nation state your iPhone or Android CAN be compromised; don’t trust it. They can grab Signal’s ephemeral keys and decrypt future calls and texts they intercept, for instance (delete after reading). Better to use a secure laptop. Cells are essentially Swiss cheese to the NSA; if it’s them, they ARE in your phone. They’re made this way on purpose. Copperhead OS is the best way to go to ensure end-to-end crypto works on a phone.
The best way not to get hacked is for them not to know it’s you, aka being anonymous. Don’t sign into anything, don’t look like you and make sure to look like everyone else. Be the grey man of the internet; don’t even use a screen name if you don’t have to, and change it monthly. The FOXACID servers are on automatic and if you’re on the list you get hacked as soon as it sees you. Security through anonymity can’t be emphasized enough. If you want to make a name for yourself then prepare to be found and famous in a jail cell, even if you think you’re not doing anything illegal. Most of their hacking isn’t really about laws; it’s about collecting intelligence, control and sometimes intimidation.
Depending on priority level your electronics might get replaced with ones that are modified by Tailored Access Operations. Think about everything that has a data connection like a cable coaxial line or has power connected like adapters. If it has both data and power, think: where did it come from, can I trust this? It will likely look identical to every other one like it except maybe on the inside. They want you to think it’s crazy to even consider the notion; ask yourself why. Try not to get any electronics through the mail.
Physical security is important. A good book on it is Low Tech Hacking: Street Smarts for Security Professionals. If someone can get to your computer or phone you’re screwed. Unless you’ve really done your homework and know the boot process inside and out, it’s not safe to leave it unattended or unsecured. For travel use nail polish with glitter in it over screws and access points. Take a few pictures from a known distance and compare if in doubt. Don’t think they won’t slip into your home and mess with your stuff, plant bugs or other things in your house. If you’re going to use cameras build the DVR yourself, as store-bought ones are full of security flaws and unencrypted. Use a LUKS-encrypted Linux with ZoneMinder or a VeraCrypt-encrypted Windows instead. Lock down the USB ports with glue and disable them in the OS. Some people like to put shutdown / dismount scripts triggered by a USB plug-in event instead, to prevent a cold boot attack. If it’s connected to the network make sure it’s hardened and firewalled. You’d feel really dumb if someone used your security system against you.
UPDATE 10/07/2017: https://www.youtube.com/watch?v=4YYvBLAF4T8 Physical security needs to be as good as your digital. Single-sided deadbolts for the night and electronic locks with the key lock cylinders glued for the day. Rotate the codes regularly. Keys are easy to photograph and reproduce. High-security deadbolt plus electronic door knob = winning. Use epoxy; it’s very important, the key is the backdoor to the electronic lock.
If you’re feeling adventurous, building a Z-Wave security system isn’t too hard; Domoticz is the way to go. Do all the scripting in Blockly, it’s easy. I’ve found that certified means nothing; do a lot of research on the devices and the Z-Wave stick before buying it. Compatibility is a serious issue with Z-Wave. Aeon Labs stuff is good, and if it’s 100% Gen5 encrypted then no one can get your home ID. These systems log your movements; make sure to encrypt this as well.
UPDATE: No wireless at all, not even disabled but intact on the board. An all hard-wired alarm system is the only way to go. No remote administration, no Ethernet connection.
Update 10/07/2017: You can use an all hard-wired modern alarm system. Get the newest gear with cellular backup. Just make sure the rest of the physical security is solid. MAKE THEM BREAK IN!
I wrote this guide due to the extreme measures the government is taking against the people of the United States. Giving raw data to any federal agency with as much oversight as the NSA (which is none) is completely unacceptable. Remember the Burr-Feinstein anti-crypto bill is the work of two individuals “overseeing” the NSA. Terrorism today in reality is a small issue; we should be more afraid of falling down the stairs or getting in a car accident. ISIS was created by the massive incompetence and intentional malfeasance of multiple administrations’ Middle East decisions. The justification for this massive dragnet surveillance is absurd; few people are killed each year out of 320 million total Americans. It’s not even a stat that can be comprehended, it’s so small. 9/11 was bullshit; just leave it out of the numbers or count it as state-sponsored terror. What’s more is that the NSA’s scope has expanded well beyond agents of a foreign power or terrorism. It’s now for anything the DEA, DHS, ATF, SS or FBI requests. Those agencies selectively enforce laws on their political enemies, people like me. If I’m going to be a target I will at least fight back by sharing my knowledge. If we let this continue it’s not long before the local beat cop is watching you watch YouTube while listening to you talk to your friend in the next city over because he’s bored.
You are not allowed under the constitution to view my internet traffic or my emails, nor listen to my phone calls, just because some lawyer in the bowels of the NSA said it was ok. Even collecting it is a search, because your computers view the metadata, scan the content and add it to searchable databases. Governments hacking into people’s property inside their home without a warrant is so far out of bounds it’s crazy I even have to say it. No, not even just “fingerprinting” the machine is ok. That’s code you’re running on my CPU that I did not authorize. The level of mental gymnastics feds must do to justify this garbage is insane. Hacking is the attack on civil liberties the American people are not seeing or hearing about. It’s not isolated or done with just cause.
This piece is based on research. I do not have a source or classified material, nor have I ever signed an NDA. My observations are from firsthand experience being targeted by a very advanced adversary, very likely the NSA. I haven’t sensationalized this at all; I wrote what I believe to be true and asked questions for the reader to consider. Based on your view of the world you will draw your own conclusions on whether or not my understanding is correct. If it’s not quite as Orwellian as I’ve described, it will be the second revolutionary conditions fully present themselves or someone like Hillary Clinton wins the Presidency.
UPDATE: “No matter how paranoid or conspiracy-minded you are, what the government is actually doing is worse than you imagine.”
The Internet is key to humanity’s future; without it we become North Korea. If we embrace a free and open Internet rather than suppress it, an enlightened society can fix the world’s problems and go to the stars. Don’t let them build their technocracy unopposed.
This work is protected by the First Amendment to the Constitution of the United States of America.