<p>In this tutorial we're going to take a look at how to manage your online Anonymity.</p>
</br><b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b>
"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
</pre></code>
<p>This tutorial is based on my previous explanation on <ahref="../opsec/index.html">OPSEC</a> make sure that you take it into account before proceeding.</p>
<imgsrc="100.png"class="imgRz">
<p>So, we basically want 3 ways to access websites. The first being while using tor, for complete anonymity, to do that we'll use whonix. The second is to do the same but to masquerade it with a non-KYC VPN which will also be acquired anonymously to be used only in the case of a website blocking tor exit nodes, and the last one is without any protection, for websites you cannot use without KYC.</p>
<imgsrc="101.png"class="imgRz">
<p>As a safety measure for Anonymity, there will be a veracrypt hidden partition in use for plausible deniability.</p>
<imgsrc="102.png"class="imgRz">
<p>To prepare the computer for those tasks, we will rely on opensource software to avoid any tracking, we'll remove logs from linux. </p>
<p>And lastly, we're going to take a look at how to keep track of your accesses to the websites you access anonymously</p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<divid="anon3">
<divclass="container">
<divclass="row">
<divclass="col-lg-8 col-lg-offset-2">
<h2><b>Initial Setup </b></h2>
<p>First let's make sure all logs get erased upon system shutdown as described in my previous tutorial on <ahref="../antiforensics/index.html">host OS hardening</a> (by piping all logs to go to the /tmp/ folder):</p>
<p>We also make sure that the script to remove logs also includes shutting down the VMs and closes the veracrypt volume just like the emergency shutdown script we detailed in <ahref="../physicalsecurity/index.html">the previous tutorial on homeserver physical security</a>:</p>
<p>In the shutdown.sh script we also make sure that the VMs are removed, and that the veracrypt volumes are unmounted, before clearing up the logs.</p>
<p>Next we're going to install libvirt as seen in our previous tutorial on host os hardening<ahref="../antiforensics/index.html">here</a>:</p>
<p>Be aware that the 3 VMs we need to place in a veracrypt container all weigh 100GB each so <b>you need 300Gb for all 3 VMs</b>, so you need at least 2x300Gb to replicate the setup in the decoy partition, <b>so pick a 1.2TB harddrive instead</b>, with some additional space <b>so preferably a 1.8TB</b> one just to be safe, unlike as shown below (a 500gb disk which is not enough!)</p>
<p>So let's now setup the hidden partition there:</p>
<p>Now that's done, let's setup the whonix and workstations templates, we will then copy them in the veracrypt harddrive afterward to edit them. So let's go <ahref="https://www.whonix.org/wiki/KVM#Download_Whonix">here</a> to download whonix for QEMU:</p>
<p>Next we edit the XML files to have the working VMs, for which we will give 2GB of ram for the gateway, and 4GB of ram for the workstation while also specifying the path to their .qcow2 volumes:</p>
error: Requested operation is not valid: domain is not running
error: Failed to destroy domain 'Whonix-Workstation'
error: Requested operation is not valid: domain is not running
Domain 'Whonix-Gateway' has been undefined
Domain 'Whonix-Workstation' has been undefined
Network Whonix-External destroyed
Network Whonix-Internal destroyed
Network Whonix-External has been undefined
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
[+] VMs removed, re-install them ? (ctrl+c to exit)
Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
error: Failed to define network from Whonix_internal_network-17.0.3.0.xml
error: operation failed: network 'Whonix-Internal' already exists with uuid 48298ccf-9352-4b21-b6c4-17ad13ad1d6d
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
</pre></code>
<p>Then launch the VMs from virt-manager:</p>
<imgsrc="2.png"class="imgRz">
<p>let's start with the Gateway:</p>
<imgsrc="3.png"class="imgRz">
<imgsrc="4.png"class="imgRz">
<imgsrc="5.png"class="imgRz">
<imgsrc="6.png"class="imgRz">
<imgsrc="9.png"class="imgRz">
<p>Now that's done you can also finish the initial setup for the workstation:</p>
<imgsrc="7.png"class="imgRz">
<imgsrc="8.png"class="imgRz">
<p>So from here you can use whonix regularly to browse with the tor browser, don't forget to disable javascript and to always keep the browser up to date like so:</p>
<imgsrc="10.png"class="imgRz">
<p>As suggested above, we'll also upgrade the VMs, and to go further we'll install unattended upgrades (note whonix's default system credentials are <b>user:changeme</b>:</p>
<p>Next step is to have the second workstation which will be used as the vpn over tor setup later on so let's copy the .xml and .qcow2 after shutting down the existing workstation:</p>
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
[+] VMs removed, re-install them ? (ctrl+c to exit)
Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
</code></pre>
<p>Now with this if you are forced to give away the password for that harddrive, you can give them this decoy partition, and they'll find the whonix VMs you've copied there.</p>
<p>So now dismount the veracrypt partition, to do that you need to first remove the VMs with the script, and then you need to EXIT the folder, otherwise it'll complain and tell you that the target drive is busy and can't be unmounted: </p>
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
[+] VMs removed, re-install them ? (ctrl+c to exit)
Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
</code></pre>
<p>You need to keep in mind that currently we have not given out any information about ourselves, other than we've used Tor. We won't stop there, and in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN Connection itself through Tor. Cherry on top is that we're going to use a well-used VPN service, so we won't be the only user with that public VPN ip. But what matters is that we do not give any information about us to the VPN provider. If the VPN provider forces you to provide anything personal (if the vpn provider blocks tor connections, or forces you to buy it with something else than monero), then it would not truly be a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing.</p>
<imgsrc="104.png"class="imgRz">
<p>Now that's done we can go find a vpn provider for the workstation2, let's try out the very praised mullvad vpn provider <ahref="https://kycnot.me/service/mullvad">here</a>, Firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), also due to the fact that we won't be the only ones using that service, it means we won't need to change the VPN server when we want to have another identity online. On top of that, mullvad gives us the ability to connect to a random server of theirs, via openvpn via TCP on port 443, which is definitely neat because it mimicks web HTTPS traffic, and isn't blockable by tor exit node hosters (which is definitely a trend, most of them block ports that are suceptible to abuse, 443 https being the least likely of them): </p>
<imgsrc="49.png"class="imgRz">
<imgsrc="50.png"class="imgRz">
<p>now to not loose your accesses , make sure to save credentials in a local keepass database on the VM.</p>
<p>Now let's add time to our account, and of course we will pay with <ahref="https://iv.nowhere.moe/watch?v=YTTac2XjyFY">the only cryptocurrency that's used</a>:</p>
<p>To get some monero you can buy it on localmonero.co, and make sure it arrives on your monero wallet inside the whonix VM, never trust centralised exchanges with your assets, always keep them locally.</p>
<imgsrc="55.png"class="imgRz">
<p>Once it finishes installing, create your monero wallet:</p>
<imgsrc="57.png"class="imgRz">
<p>Then say no to mining and use an onion-based monero daemon, like the one i'm hosting, you can find a full list of other ones <ahref="https://monero.fail/">here</a>:</p>
<imgsrc="58.png"class="imgRz">
<p>Wait for it to finish synchronizing, then get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created: </p>
<imgsrc="59.png"class="imgRz">
<imgsrc="60.png"class="imgRz">
<p>Once you've paid, download the .ovpn file to connect via vpn:</p>
<imgsrc="61.png"class="imgRz">
<p>Then unzip and let's now make sure the vpn goes through tor:</p>
<imgsrc="62.png"class="imgRz">
<imgsrc="63.png"class="imgRz">
<p>To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to mention the entry node which is the gateway 10.152.152.10:</p>
<imgsrc="66.png"class="imgRz">
<p>before we launch it keep in mind this:</p>
<b>DISCLAIMER: While on a VPN, DO NOT use the tor browser, this will make the entire tor browsing visible from the VPN server. In this particular setup you need to use Firefox while the VPN connection is active!!! Make sure that all tor-related applications are shutdown before starting the VPN. I suggest to close everything, and then only have the terminal and firefox open before launching the VPN.</b>
<imgsrc="67.png"class="imgRz">
<p>Then launch the VPN and you can then see that you no longer have a tor exit node IP:</p>
<imgsrc="68.png"class="imgRz">
<imgsrc="69.png"class="imgRz">
<p>Now check your ip from Firefox, not the tor browser:</p>
<imgsrc="70.png"class="imgRz">
<p>You can also check if there are any DNS leaks:</p>
<imgsrc="71.png"class="imgRz">
<p>here we see the test revealed a dns ip leak, but upon checking (in shodan.io) we see that it's a tor exit IP address:</p>
<imgsrc="72.png"class="imgRz">
<p>We can also check if there are any WebRTC leaks:</p>
<imgsrc="73.png"class="imgRz">
<p>and there we see that there are no webRTC leaks either, so it's all good.</p>
<p>To make sure the vpn is started automatically we can make it a systemd service:</p>
<p>Now thanks to that, you can still browse websites anonymously in case if they block tor exit nodes.</p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /white -->
<divid="anon2">
<divclass="container">
<divclass="row">
<divclass="col-lg-8 col-lg-offset-2">
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<divid="anon1">
<divclass="container">
<divclass="row">
<divclass="col-lg-8 col-lg-offset-2">
<h2><b>Anonymity management</b></h2></br></br>
<p>To implement Anonymity Management, simply ask yourselves the following questions:</p>
<p>First question to answer is "Is the activity Sensitive, and will I need to be able to deny it's existence ?" If the answer is no, then we have the following questions:</p>
<imgsrc="105.png"class="imgRz">
<p>If the website requires you to give it your home address like Amazon for example, you can forget trying to be anonymous because you'll anyway need to de-anonymize yourself with your actions, no matter how you accessed the website.</p>
<p>If the website doesn't block tor exit nodes, browse it via the Whonix VMs. But if it does, then use the VPN through Tor setup to circumvent the blockage.</p>
<p>And lastly, for all websites you browsed to anonymously, make sure you log it to have an global view of your online anonymity.</p>
<imgsrc="106.png"class="imgRz">
<p>If your activities are sensitive enough that you need to be able to deny their existence, then we make use of veracrypt's plausible deniability features, and we open the whonix VMs from inside the hidden partition.</p>
<p>And there the same questions apply, but you better remain anonymous while you conduct said sensitive activities.</p>