updated

2024-11-05 22:02:04 +01:00 · 2024-11-05 22:02:04 +01:00 · 4db17584a4
commit 4db17584a4
parent 0325e6034b
10 changed files with 60 additions and 32 deletions
--- a/opsec/graphene/index.html
+++ b/opsec/graphene/index.html
@ -8,7 +8,7 @@
    <meta name="author" content="">
    <link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">

-    <title>How to install GrapheneOS on a Pixel Phone</title>
+    <title>How to have Privacy on your Phone (GrapheneOS)</title>

    <!-- Bootstrap core CSS -->
    <link href="../../assets/css/bootstrap.css" rel="stylesheet">
@ -61,7 +61,7 @@
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
  					<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-07-10</ba></p>
-<h1>How to install GrapheneOS on a Pixel Phone </h1>
+<h1>How to have Privacy on your Phone (GrapheneOS) </h1>
 <img src="1.png" class="imgRz">
 <p>In this tutorial we're going to setup graphene OS, an open source android operating system for google pixel phones. (Yes google phones, if you don't like it then you'll have to wait for functional <a href="../openhardware/index.html">open hardware</a> alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems given that it's fully <a href="https://grapheneos.org/source">open source</a>. and that they refuse to implement google services by default, unlike their competitors like LineageOS.</p>
          
--- a/opsec/haveno-client-f2f/index.html
+++ b/opsec/haveno-client-f2f/index.html
@ -181,10 +181,9 @@ May-29 20:55:27.427 [JavaFX Application Thread] INFO  h.d.c.c.c.PopOver: hide:20
          <h2><b>For Arch Linux Users</b></h2>
 <p>You can either extract the .rpm (which is originally intended for Fedora users) package and run the haveno binary yourself, or use the <a href="https://aur.archlinux.org/packages/haveno-reto">AUR package maintained by duje</a></p>
          <h2><b>For Windows Users </b></h2>
-<p> If you are a windows user (know that it cant be trusted as <a href="../closedsource/index.html">it's not an open source operating system</a>, check out my tutorial here on <a href="../linux/index.html">how to install linux</a> instead), if you're too lazy you can check out darknetreporter's tutorial: </p>
-<iframe class="rumble" width="640" height="360" src="https://rumble.com/embed/v4wro7n/?pub=4" frameborder="0" allowfullscreen></iframe>
+<p> If you are a windows user (know that windows cant be trusted as <a href="../closedsource/index.html">it's not an open source operating system</a>, so <a href="../linux/index.html">install linux</a> instead): </p>
 <!--          <h2><b>For Tails OS Users: Use BrandyJson's Script!</b></h2>-->
-          <h2><b>For Tails OS Users: (as of 6th October 2024)</b></h2>
+          <h2><b>For Tails OS Users: (as of 3rd November 2024)</b></h2>
 <p>If you want to have a TailsOS VM running, check out my latest tutorial on it <a href="../tailsqemuvm/index.html">here</a>.</p>
 <p>Then make sure you have the admin password enabled:</p>
 <img src="100.png" class="imgRz">
--- a/opsec/index.html
+++ b/opsec/index.html
@ -109,9 +109,9 @@
        </ol></br>
 <p>💻 Getting started</p>
 <ol>
-                <li><a href="linux/index.html">✅ How to install Linux from a Windows PC ⭐</a></li>
-                <li><a href="linuxprograms/index.html">✅ How to install and update programs on Linux </a></li>
-                <li><a href="graphene/index.html">✅ How to install GrapheneOS on a Pixel Phone</a></li>
+                <li><a href="linux/index.html">✅ How to have Privacy on your Computer (Linux) ⭐</a></li>
+                <li><a href="graphene/index.html">✅ How to have Privacy on your Phone (GrapheneOS)</a></li>
+                <li><a href="https://git.nowhere.moe/nihilist/blog-contributions/issues/161">❌ How to have Privacy on your Router (Opnsense)</a></li>
 				<li><a href="https://git.nowhere.moe/nihilist/blog-contributions/issues/61">❌ Easy Private Chats - SimpleX</a></li>
 </ol></br>

@ -125,6 +125,7 @@
 <div style="float: right; width: 50%;">
 <p>💻 Privacy means Open Source (FOSS)</p>
 <ol>
+                <li><a href="linuxprograms/index.html">✅ How to install and update programs on Linux </a></li>
                <li><a href="compilation/index.html">✅ How to compile open source software + How to verify software integrity </a></li>
                <li><a href="hypervisorsetup/index.html">✅ How to Virtualize Machines (QEMU/KVM Hypervisor)</a></li>
                <li><a href="vpn/index.html">✅ How to get privacy from your ISP using a VPN</a></li>
@ -286,11 +287,11 @@

        <p>💻 Clientside - Getting Started </p>
        <ol>
+                <li><a href="livemode/index.html">✅ Using the Host-OS in live-mode to enable Sensitive Use</a></li>
                <li><a href="veracrypt/index.html">✅ The main source of Plausible Deniability: Deniable Encryption</a></li>
-                <li><a href="tailsqemuvm/index.html">✅ Tails OS QEMU VM for Temporary Sensitive Use</a></li>
-                <li><a href="livemode/index.html">✅ Using the Host-OS in live-mode to prepare for long-term Sensitive Use</a></li>
                <li><a href="sensitivevm/index.html">🟠 Sensitive use VMs Setup (Whonix VMs in a Veracrypt Hidden Volume)⭐</a></li>
                <li><a href="plausiblydeniabledataprotection/index.html">🟠 Plausibly Deniable Critical Data Backups</a></li>
+                <li><a href="tailsqemuvm/index.html">✅ Tails OS QEMU VM for Temporary Sensitive Use</a></li>
        </ol></br>
 <p>💻 Steganography - Hiding secrets in plain sight</p>
 <ol>
--- a/opsec/linux/index.html
+++ b/opsec/linux/index.html
@ -8,7 +8,7 @@
    <meta name="author" content="">
    <link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">

-    <title>How to install Linux from a Windows PC </title>
+    <title>How to have Privacy on your Computer (Linux) </title>

    <!-- Bootstrap core CSS -->
    <link href="../../assets/css/bootstrap.css" rel="stylesheet">
@ -61,7 +61,7 @@
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
  					<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-06-16</ba></p>
-<h1>How to install Linux from a Windows PC  </h1>
+<h1>How to have Privacy on your Computer (Linux)  </h1>
 <img src="0.png" style="width:250px">
 <p>In this tutorial, we're going to look at the first and foremost thing anyone can do to remove surveillance from their digital lives, by installing a free and open source software (FOSS) host operating system: Linux, in this case we're going to setup the latest Debian.</p>
 <p><h2><u>OPSEC Recommendations:</u></h2></p>
@ -175,7 +175,7 @@
 <img src="29.png" class="imgRz">
 <img src="30.png" class="imgRz">
 <img src="31.png" class="imgRz">
-<p>Here Bob decides that he wants to encrypt his whole harddrive too. That way, if someone were to steal his computer, without knowing his password, they would have no way to access Bob's local data.</p>
+<p>Here Bob decides that he wants to encrypt his whole harddrive too. That way, if someone were to steal his computer, without knowing his password, they would have no way to access Bob's local data. (but be warned that for sensitive use, one shouldn't need to encrypt the system drive at all (<a href="../livemode/index.html">more details</a>).</p>
 <img src="32.png" class="imgRz">
 <img src="33.png" class="imgRz">
 <img src="34.png" class="imgRz">
--- a/opsec/livemode/3.png
+++ b/opsec/livemode/3.png
--- a/opsec/livemode/4.png
+++ b/opsec/livemode/4.png
--- a/opsec/livemode/index.html
+++ b/opsec/livemode/index.html
@ -63,6 +63,15 @@
  					<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-11-03</ba></p>
 <h1>Using the Host-OS in live-mode to prepare for long-term Sensitive Use </h1>
 <img src="../deniability/7.png" class="imgRz">
+<p><h2><u>OPSEC Recommendations:</u></h2></p>
+<ol>
+    <li><p>Hardware : (Personal Computer / Laptop)</p></li>
+    <li><p>System Harddrive: not LUKS encrypted <a href="https://www.kicksecure.com/wiki/Ram-wipe">[1]</a></p></li>
+    <li><p>Non-System Harddrive: 500Gb (will be used to contain our <a href="../veracrypt/index.html">Veracrypt</a> encrypted volumes)</p></li>
+    <li><p>Host OS: <a href="../linux/index.html">Linux</a></p></li>
+    <li><p>Hypervisor: <a href="../hypervisorsetup/index.html">QEMU/KVM</a></p></li>
+</ol>
+
          
 	       </div>
 			</div><!-- /row -->
@ -127,9 +136,9 @@ Fetched 101 kB in 1s (73.7 kB/s)
 Reading package lists... Done

 </code></pre>
-<p>Then we install the grub-live package</p>
+<p>Then we install the grub-live package, and the ram-wipe package <b>(warning, the ram-wipe package may cause your system to fail to boot in case if you encrypted the system drive using LUKS, click <a href="https://www.kicksecure.com/wiki/Ram-wipe">here</a> for more details on this)</b>. Therefore i recommend having the <a href="../linux/index.html">Host OS</a> system drive not encrypted until dracut supports LUKS encryption, but it shouldn't matter though, as the actual VMs that we'll be running will be on a non-system drive, which will be manually kept in <a href="../veracrypt/index.html">deniable encryption</a>.</p>
 <pre><code class="nim">
-root@debian-tests:~# sudo apt-get install grub-live -y
+root@debian-tests:~#  apt install grub-live ram-wipe -y

 </pre></code>

--- a/opsec/sensitivevm/0.png
+++ b/opsec/sensitivevm/0.png
--- a/opsec/sensitivevm/index.html
+++ b/opsec/sensitivevm/index.html
@ -90,6 +90,7 @@
 <p>First, we're going to setup our veracrypt volumes on our 500Gb harddrive:</p>
 <img src="2.png" class="imgRz">
 <img src="3.png" class="imgRz">
+<p>Here we're using a non-system drive, as we want to be able to store our veracrypt hidden volume contents in a persistent manner, accross reboots. (if we were to have the veracrypt volume on the system drive, it would be wiped off upon rebooting since the Host OS is in live mode.)</p>
 <img src="4.png" class="imgRz">
 <img src="5.png" class="imgRz">
 <img src="6.png" class="imgRz">
--- a/opsec/veracrypt/index.html
+++ b/opsec/veracrypt/index.html
@ -65,7 +65,26 @@
 <img src="0.png" style="width:250px">
 <p>VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. It is based on Truecrypt, This tool will be used for Plausible Deniability. </p>
 <p>But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, <b>because you need to be able to deny the existence of the encrypted volume</b>. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.</p>
-          
+
+<b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b>
+<pre><code class="nim">
+source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
+
+regarding wear leveling:
+"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
+
+</pre></code>
+<p><h2><u>OPSEC Recommendations:</u></h2></p>
+<ol>
+    <li><p>Hardware : (Personal Computer / Laptop)</p></li>
+    <li><p>System Harddrive: not LUKS encrypted <a href="https://www.kicksecure.com/wiki/Ram-wipe">[1]</a></p></li>
+    <li><p>Non-System Harddrive: 500Gb (used to contain our Veracrypt encrypted volumes)</p></li>
+    <li><p>Host OS: <a href="../linux/index.html">Linux</a> </p></li>
+    <li><p>Hypervisor: <a href="../hypervisorsetup/index.html">QEMU/KVM</a></p></li>
+    <li><p>Packages: <a href="../linux/livemode.html">grub-live and ram-wipe</a></p></li>
+</ol>
+
+ 
 	       </div>
 			</div><!-- /row -->
 	    </div> <!-- /container -->
@ -76,19 +95,8 @@
 	    <div class="container">
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
-          <h2><b>Initial Setup </b></h2>
-</br>
-<b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b>
-<pre><code class="nim">
-source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
-
-regarding wear leveling:
-"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
-
-</pre></code>
-
-
-<p>Let's install the .deb package for veracrypt: </p>
+          <h2><b>Deniability Context </b></h2>
+<p>Let's install the .deb package for veracrypt (you can install it safely from non-live mode), so that the software is available whenever you want to use it while the host OS is in live mode: </p>
 <img src="1.png" class="imgRz">
 <pre><code class="nim">
 [ mainpc ] [ /dev/pts/1 ] [~/Downloads]
@ -111,12 +119,21 @@ regarding wear leveling:
 → veracrypt

 </code></pre>
+<p>So now that you have veracrypt installed, before you start to use veracrypt, you need to be aware of the lack of deniability you have when using the Host OS in regular mode:</p>
+<img src="../livemode/3.png" class="imgRz">
+<p>By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you manually remove each of those manually, you're never sure of wether or not Host OS saved proof of the existence of the hidden volume onto the system drive. <b>That's why you need to use the Host OS in <a href="../livemode/index.html">live mode</a>, to be able to use veracrypt.</b></p>
+<img src="../livemode/4.png" class="imgRz">
+<p>That way, as you're loading the entire host OS in the RAM due to being in live mode, you are not writing anything on the system drive anymore, <b>but rather only writing all that potential forensic evidence of the veracrypt hidden volume <u>in RAM alone</u>, which can be easily erased with a simple shutdown</b>.</p>
+<p>So now that we have installed veracrypt, let's reboot the Host OS into live mode:</p>
+<img src="../livemode/2.png" class="imgRz">

-<p>Now from there we can create encrypted volumes (either as files or as entire drives). In this case we'll create an encrypted file: </p>
+
+<p><b>And only now once we are in live mode, we can use veracrypt to create drives.</b> But be aware that everything you write into the system drive will be wiped upon shutting down, <b>if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.</b></p>
+<p> So now from there we can create the encrypted volumes (either as files or as entire drives). In this example we'll create an encrypted file: </p>
 <img src="2.png" class="imgRz">
 <p>Here we select that we want a Hidden veracrypt volume as well (which will be able to deny it's existence).</p>
 <img src="3.png" class="imgRz">
-<p>Then we want it to be a simple file in my home directory</p>
+<p>Then we want it to be a simple file in my home directory for testing purposes (so be aware that <u>upon rebooting it will be erased due to being in the system drive</u>). If you want it to not be erased upon rebooting, you'll need to put it in a non-system drive like in <a href="../sensitivevm/index.html">this tutorial.</a></p>
 <img src="4.png" class="imgRz">
 <p>Leave the default settings for the encryption</p>
 <img src="5.png" class="imgRz">
@ -129,7 +146,7 @@ regarding wear leveling:
 <p>Then move your mouse to make sure the randomness of the encryption is best, then let it complete the formatting. If you are creating a large encrypted volume, it will take time to overwrite all the data. <b>DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable by an adversary.</b> </p>
 <img src="9.png" class="imgRz">
 <img src="10.png" class="imgRz">
-<p>Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, <b>the existence of this volume must never be revealed to anyone except you.</b>. then we repeat the previous steps:</p>
+<p>Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, <b>the existence of this volume must never be revealed to anyone, only you should know about it</b>. then we repeat the previous steps:</p>
 <img src="11.png" class="imgRz">
 <img src="12.png" class="imgRz">
 <p>Here we select the size we need for the hidden volume. </p>
@ -158,6 +175,7 @@ regarding wear leveling:
 <img src="21.png" class="imgRz">
 <p>And here you see that the volume mounted is now of the "hidden" type</p>
 <img src="22.png" class="imgRz">
+<p>And that's it! We now have setup a test veracrypt volume with a hidden volume, into which we can store some sensitive files.</p>

 				</div>
 			</div><!-- /row -->