From dcf265743e55d788b2f9b5e218ddbc2bbcabc9c2 Mon Sep 17 00:00:00 2001 From: Zesc Date: Sat, 24 Aug 2024 16:01:33 +0200 Subject: [PATCH] Fixed typos and broken link --- opsec/anonclearnetservices/index.html | 2 +- opsec/anonpersona/index.html | 8 ++++---- opsec/anonsensitive/index.html | 2 +- opsec/anonuse/index.html | 2 +- opsec/anonymousremoteserver/index.html | 4 ++-- opsec/anonzulucrypt/index.html | 2 +- opsec/closedsource/index.html | 4 ++-- opsec/encryption/index.html | 6 +++--- opsec/endgame/index.html | 2 +- opsec/failover-wan/index.html | 2 +- opsec/finances/index.html | 4 ++-- opsec/governments/index.html | 2 +- opsec/graphene/index.html | 4 ++-- opsec/haveno-arbitrator/index.html | 4 ++-- opsec/haveno-cashbymail/index.html | 4 ++-- opsec/haveno-sepa/index.html | 6 +++--- opsec/hiddenservice/index.html | 2 +- opsec/mail/index.html | 8 ++++---- opsec/mailprivate/index.html | 2 +- opsec/manifesto/index.html | 6 +++--- opsec/matrixnew/index.html | 2 +- opsec/monero2024/index.html | 18 +++++++++--------- opsec/openhardware/index.html | 4 ++-- opsec/opsec/index.html | 12 ++++++------ opsec/opsec4levels/index.html | 2 +- opsec/physicalsecurity/index.html | 2 +- opsec/privacy/index.html | 4 ++-- opsec/sensitiveremotevshome/index.html | 2 +- opsec/serversideencryption/index.html | 4 ++-- opsec/tailsqemuvm/index.html | 16 ++++++++-------- opsec/tor/exit_node/index.html | 4 ++-- opsec/torbrowsing/index.html | 4 ++-- opsec/torthroughvpn/index.html | 6 +++--- opsec/torvsvpns/index.html | 4 ++-- opsec/veracrypt/index.html | 6 +++--- opsec/vpn/index.html | 2 +- opsec/whonix/index.html | 4 ++-- opsec/whonixqemuvms/index.html | 4 ++-- 38 files changed, 88 insertions(+), 88 deletions(-) diff --git a/opsec/anonclearnetservices/index.html b/opsec/anonclearnetservices/index.html index fb04c05..5b39659 100644 --- a/opsec/anonclearnetservices/index.html +++ b/opsec/anonclearnetservices/index.html @@ -96,7 +96,7 @@

And from there, you will be able to port-forward the ports from your local service, to the VPS, while maintaining your Anonymity.

And of course, if your ISP doesn't allow Tor traffic, we can always hide it using a Trusted VPN, like MullvadVPN.

-

Note that such a setup is to be done only when you want to have your server data at home (for exmaple, self-hosting a mail server, while maintaining Anonymity), if this is not a concern, then you should just host the service remotely as seen above.

+

Note that such a setup is to be done only when you want to have your server data at home (for example, self-hosting a mail server, while maintaining Anonymity), if this is not a concern, then you should just host the service remotely as seen above.

diff --git a/opsec/anonpersona/index.html b/opsec/anonpersona/index.html index ef545d5..a9e7b74 100644 --- a/opsec/anonpersona/index.html +++ b/opsec/anonpersona/index.html @@ -77,7 +77,7 @@

Self-Auditing

Let's first assume that you have a public internet presence online, you have a domain name registered to your name, and you host some services online.

-

Let's also assume that you have followed the previous tutorials, meaning you now have whonix VMs in a veracrypt hidden partition that you can deny the existance of (reminder: do NOT use SSDs, use HDDs otherwise devices that use wear-leveling can reveal the existance of a hidden partition).

+

Let's also assume that you have followed the previous tutorials, meaning you now have whonix VMs in a veracrypt hidden partition that you can deny the existence of (reminder: do NOT use SSDs, use HDDs otherwise devices that use wear-leveling can reveal the existence of a hidden partition).

So from now on your publicly you're going to PGP sign a message for everyone to see that you wish to sell the domain and all of it's subdomain services to someone else, and to message you over email/ or a chatrom for the price. The message can look as follows:


 Hi all, planning to stop all of my services soon due to lack of interest / or X Y Z.
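Review bot: the context line directly under the "existence" fix still has three errors: "your publicly you're going to", "all of it's subdomain services" (possessive, should be "its") and "chatrom". The hunk already touches this paragraph block, so suggest correcting that line in the same commit instead of leaving it for a second sweep.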
@@ -86,7 +86,7 @@ Contact me at email@example.com to discuss this offer if you're interested.
 
 
-

Basically here you're going to want someone anonymous to buy your services, officially. Secretely you will simply have moved to an anonymous way of operating.

+

Basically here you're going to want someone anonymous to buy your services, officially. Secretly you will simply have moved to an anonymous way of operating.

Unless if you're hosting something incredible, Most likely noone will answer, but in the meantime you're going to audit your infrastructure on the following points:
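Review bot: the context line after the "Secretly" fix still reads "Unless if you're hosting something incredible, Most likely noone will answer". "noone" should be "no one", and "Unless if" and the capitalised "Most" are worth fixing at the same time, since this hunk is already editing the neighbouring sentence.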


@@ -159,12 +159,12 @@ A: Hey i want to buy your services, i can pay 2 XMR
 you: sure, here's my XMR address:
 A:payment sent, awaiting accesses 
 you: ok payment recieved, here is the domain transfer code for domainexample.com: mkmkkljnnuju, i made sure it was unlocked
-A:  ok i've created the transfer request on nicevps.net, it will get transfered in a few days (can take 2 weeks for example). Please send me the accesses to your public servers.
+A:  ok i've created the transfer request on nicevps.net, it will get transferred in a few days (can take 2 weeks for example). Please send me the accesses to your public servers.
 you: here is SSH root access for server A, B, and C  (typically the 2 dns servers, and the main public server)
 A: ok i changed all of the accesses, please send me the files for the X Y Z services that you host at home. i've created a temporary user you can SSH with to copy the files in /tmp/
 you: ok i just SCP'd (sent via SSH) the files in /tmp/
 A: recieved, thanks.
-you: Please publicly state, and PGP-sign that the domain, and all of it's servers have been bought by you, by mentionning the new name, email and the plan moving forward.
+you: Please publicly state, and PGP-sign that the domain, and all of it's servers have been bought by you, by mentioning the new name, email and the plan moving forward.
 A: Domain has been successfully transfered to nicevps.net, all good thanks.
 A: done, and added to the public page as an announcement, thanks.
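Review bot: the changed line "you: Please publicly state, and PGP-sign ..." still contains "all of it's servers" (should be "its"), so the line will need a second edit. The surrounding context also keeps "recieved" twice ("you: ok payment recieved", "A: recieved, thanks.") and "transfered" in "A: Domain has been successfully transfered", which are the same misspellings this patch corrects in other lines. Suggest fixing them here so the transcript is consistent.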
 
diff --git a/opsec/anonsensitive/index.html b/opsec/anonsensitive/index.html
index 699044f..0e449e1 100644
--- a/opsec/anonsensitive/index.html
+++ b/opsec/anonsensitive/index.html
@@ -79,7 +79,7 @@
 

Since Bob has no other choice but to comply when the adversary forces him to unlock his hard drives, and since he didn’t implement Deniable Encryption, he has to show all the incriminating evidence, and therefore he can no longer deny implications with the sensitive activity.

Bob’s setup, although suitable for Anonymous Use, is not suitable for Sensitive Use due to the lack of Deniable Encryption

-

For instance, if Bob had implemented VeraCrypt’s deniable encryption to store the sensitive data, he could’ve given password A to open the decoy volume for the adversary, and could’ve claimed that there was no hidden volume. The adversary wouldn have no way to prove otherwise.

+

For instance, if Bob had implemented VeraCrypt’s deniable encryption to store the sensitive data, he could’ve given password A to open the decoy volume for the adversary, and could’ve claimed that there was no hidden volume. The adversary would have no way to prove otherwise.

diff --git a/opsec/anonuse/index.html b/opsec/anonuse/index.html index f5daa5e..51efbdf 100644 --- a/opsec/anonuse/index.html +++ b/opsec/anonuse/index.html @@ -71,7 +71,7 @@

Bob is using an open-source browser and a VPN to access a website (in our example youtube), but then he starts thinking that it's enough to start to use that website anonymously, even though they don't allow it. He starts to sign up and mentions a false name and address when creating an account. which infuriates the Youtube employee:

Bob's current setup is suitable for Private use as he is using open source software, and a VPN, But is it suitable for Anonymous use too ?

-

When you think about it, currently He is anonymous, as he hides his real IP from the destination website, and he didnt deanonymize himself through his actions while on the website. The problem is how expensive is it to deanonymize Bob ?

+

When you think about it, currently He is anonymous, as he hides his real IP from the destination website, and he didn't deanonymize himself through his actions while on the website. The problem is how expensive is it to deanonymize Bob ?

To answer that, let's take the example of a Youtube employee being infuriated that Bob dared to lie about his personal information, and the employee decides to call some corrupt police agents (yes they have very close ties to the authorities) to do their bidding in order to scare the VPN provider into revealing the real IP of whoever connected as Charlie Chaplin on youtube.com, around the time where Bob signed up, in order to deanonymize Bob.

The end result is that the VPN provider has to give the data they have to the authorities, (which only works if they keep logs!) and reveal Bob's Identity, and that only cost a few pennies to the adversary (here the youtube employee) to deanonymize Bob.

diff --git a/opsec/anonymousremoteserver/index.html b/opsec/anonymousremoteserver/index.html index 528144c..ce3436f 100644 --- a/opsec/anonymousremoteserver/index.html +++ b/opsec/anonymousremoteserver/index.html @@ -84,7 +84,7 @@ -

Now that the account is created, we can also validate if we can recieve mails:

+

Now that the account is created, we can also validate if we can receive mails:

@@ -185,7 +185,7 @@ root@cockbox:~# apt update -y ; apt upgrade -y ; apt autoremove -y
-

And that's it! We now have access to a remote server, we acquired it anonymously, and are now using it anonymously aswell.

+

And that's it! We now have access to a remote server, we acquired it anonymously, and are now using it anonymously as well.

diff --git a/opsec/anonzulucrypt/index.html b/opsec/anonzulucrypt/index.html index 973cc01..092dd6a 100644 --- a/opsec/anonzulucrypt/index.html +++ b/opsec/anonzulucrypt/index.html @@ -85,7 +85,7 @@ zuluCrypt-gui

Now that zuluCrypt is fully functional, it's time to find a video file to use as your container. In this tutorial we'll be using an mp4 file as our video container, so if you have an mp4 video file you'd like to use then follow the next steps with your own mp4 video file. -If you need an mp4 video file, the following sites are excellent resources for free public domain movies that are ideal containers as they're copywright free:
+If you need an mp4 video file, the following sites are excellent resources for free public domain movies that are ideal containers as they're copyright free:
https://www.publicdomaintorrents.info/index.html
https://archive.org/details/feature_films
https://publicdomainmovie.net/
diff --git a/opsec/closedsource/index.html b/opsec/closedsource/index.html index b160f3a..762a81b 100644 --- a/opsec/closedsource/index.html +++ b/opsec/closedsource/index.html @@ -80,7 +80,7 @@

The catch here is that when you try to reverse-engineer binary files, it's going to be very hard to figure out what the original source code was. This practice is called Reverse Engineering, a niche in cybersecurity, where someone tries to figure out what the original sourcecode was intended to be, with only the binary to work with.

One thing is for sure: you can't arrive at the original sourcecode from just the binary. It's mostly guess work.

-

Most software companies (which can be corporations) out there are greedy, they work hard to produce software, and they hate to have any competition. Hence they want keep their software sourcecode private, to make it as hard as possible to others to arrive at the same level of functionnality. That is exactly why closed source software is used by most people.

+

Most software companies (which can be corporations) out there are greedy, they work hard to produce software, and they hate to have any competition. Hence they want keep their software sourcecode private, to make it as hard as possible to others to arrive at the same level of functionality. That is exactly why closed source software is used by most people.

The most popular example out there is Windows, they would definitely not like their sourcecode to be leaked/reversed like it with Apple's IOS.
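Review bot: the added line fixes "functionality" but still reads "Hence they want keep their software sourcecode private", which is missing "to", and "as hard as possible to others", which should be "for others". Since the line is rewritten anyway, suggest correcting both in this hunk.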

@@ -125,7 +125,7 @@
  • It should not contain any telemetry, or any spyware.

  • It should ONLY do what it was originally meant to do.

  • -

    By that standard, you can already discard software like Windows, Discord, Whatsapp, Instagram, iOS, pre-installed phone host OSes, Word, Excel, etc, as none of them are open source, and you can be damn sure that they are spying on everything you do, willfully or not. (ever since the US government passed the FISA section 702.)

    +

    By that standard, you can already discard software like Windows, Discord, Whatsapp, Instagram, iOS, pre-installed phone host OSes, Word, Excel, etc, as none of them are open source, and you can be damn sure that they are spying on everything you do, wilfully or not. (ever since the US government passed the FISA section 702.)

    YOU CAN NEVER TRUST PEOPLE.

    SO YOU CAN'T TRUST THEIR CLOSED SOURCE SOFTWARE.
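Review bot: "willfully" on the removed line is a standard spelling (American English), so changing it to "wilfully" is a dialect swap, not a typo fix, and does not match the commit subject. The files in this patch already mix both conventions ("favor" in haveno-sepa, "decentralised" in finances), so either drop this hunk or state a site-wide spelling convention and apply it consistently.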

    diff --git a/opsec/encryption/index.html b/opsec/encryption/index.html index 694d946..d167d76 100644 --- a/opsec/encryption/index.html +++ b/opsec/encryption/index.html @@ -120,12 +120,12 @@ The door is closed, the conversation remains between Alice and Bob, their conver

    Why is Plausible Deniability is Vital?



    -

    From a legal standpoint, the only way to be protected against that scenario where you're forced to decrypt your harddrive is to be able to deny the existance of said encrypted volume (Plausible Deniability) . If the encrypted volume does not exist, there is no password to be given for it.

    +

    From a legal standpoint, the only way to be protected against that scenario where you're forced to decrypt your harddrive is to be able to deny the existence of said encrypted volume (Plausible Deniability) . If the encrypted volume does not exist, there is no password to be given for it.

    So here we need a technology that can provide us Plausible Deniability. That is what Veracrypt can do for us.

    -

    In short, Veracrypt allows you to encrypt volumes, just like LUKS encryption does. However it gives you the choice to hide another encrypted volume inside the same volume, that is exactly what you can deny the existance of.

    +

    In short, Veracrypt allows you to encrypt volumes, just like LUKS encryption does. However it gives you the choice to hide another encrypted volume inside the same volume, that is exactly what you can deny the existence of.

    So you can hide some random meaningless data inside the decoy volume, while the real data that needs protection sits inside the hidden volume.

    -

    This means, when Jack forces Bob to open the vercrypt volume, Bob types Password A to open the decoy volume, Then, when asked by Jack, Bob declares that there is no Hidden volume, and Jack has no way to prove the existance the Hidden Volume.

    +

    This means, when Jack forces Bob to open the vercrypt volume, Bob types Password A to open the decoy volume, Then, when asked by Jack, Bob declares that there is no Hidden volume, and Jack has no way to prove the existence the Hidden Volume.

    To see how to implement Plausible Deniability protection with Veracrypt, check out this tutorial.
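Review bot: the last added line still has two errors after the "existence" fix: "open the vercrypt volume" (should be "veracrypt") and "no way to prove the existence the Hidden Volume" (missing "of"). The heading in the context, "Why is Plausible Deniability is Vital?", also carries a doubled "is". Suggest fixing all three in this hunk.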

    diff --git a/opsec/endgame/index.html b/opsec/endgame/index.html index 4f5a1c7..4433c8f 100644 --- a/opsec/endgame/index.html +++ b/opsec/endgame/index.html @@ -63,7 +63,7 @@ Previous Page

    nihilist@mainpc - 2024-04-13

    EndGame V3 Setup

    -

    In this tutorial we're going to setup the EndGameV3 Anti DDOS / Load Balancer / WAF service popularized by Dread, it was originally built to block off the incessant DDOS attacks that onion services were facing. Because of that, EndGame was developped, along with the Proof of Work (POW) Defense released by TorProject for more details you can click here.

    +

    In this tutorial we're going to setup the EndGameV3 Anti DDOS / Load Balancer / WAF service popularized by Dread, it was originally built to block off the incessant DDOS attacks that onion services were facing. Because of that, EndGame was developed, along with the Proof of Work (POW) Defense released by TorProject for more details you can click here.

    
     Endgame should be on a separate server to your backend server. It only proxies content from your backend to the user. You will still need to configure your backend to handle requests from the Endgame Front.
     
    diff --git a/opsec/failover-wan/index.html b/opsec/failover-wan/index.html
    index ede1f4a..f606408 100644
    --- a/opsec/failover-wan/index.html
    +++ b/opsec/failover-wan/index.html
    @@ -96,7 +96,7 @@
     
     

    However that's not enough as when you enable USB tethering the USB device ID changes, so we enable USB tethering like so (ex: in Graphene OS you go to: Settings > Network and Internet > Hotspot & Tethering > Toggle USB Tethering ON) before adding it in the pfsense VM:

    -

    Now that the device is added, enable USB tethering from your phone , then let's make sure that it is proprely configured as a second WAN interface in pfsense:

    +

    Now that the device is added, enable USB tethering from your phone , then let's make sure that it is properly configured as a second WAN interface in pfsense:

    Here you see the pfsense VM detecting the usb device from console, however to make the setup simpler we'll set it up from the pfsense dashboard, from the VM inside the LAN network:

    diff --git a/opsec/finances/index.html b/opsec/finances/index.html index 9fecc8e..9393fd5 100644 --- a/opsec/finances/index.html +++ b/opsec/finances/index.html @@ -123,7 +123,7 @@ Monero: the Privacy Standard for transactions

    Out of that situation emerged privacy coins, with Monero still at the top to this day (also known as the only cryptocurrency that's used) is basically a cryptocurrency just like bitcoin, except that it does everything to obscure every info regarding transactions. Basically, it's a nightmare for financial regulators.

    -

    To make it short, it obscures the amount transacted, the ip addresses, who recieves the transaction and who sends the transaction, To this day not a single monero transaction has been successfully traced. For more details on Monero, check the infodump here.

    +

    To make it short, it obscures the amount transacted, the ip addresses, who receives the transaction and who sends the transaction, To this day not a single monero transaction has been successfully traced. For more details on Monero, check the infodump here.

    Monero's goals differ from what bitcoin has become. It's not to get rich, the goal is to provide transactional privacy, anonymity, and ultimately to be USED as a currency. That is a fundamental difference to the whole bitcoin-fan ecosystem of pump and dump schemes, monero is not meant to be a speculative asset.

    More to the point, given the alarming increase of surveillance worldwide, and incoming regulations forced onto everyone, do you seriously think that people will keep trying to use random coins just to get taxed ? No, eventually only the coins that take privacy and anonymity of it's users as their first priority will remain. Mark my words; hop on the orange boat, and watch every other currency lose value.

    Governments so far have been unable to do anything to stop monero from being transacted. The only thing they can successfully do is to force centralised exchanges to delist it (example: Binance Delists monero), but decentralised currencies don't require centralised exchanges to exist.
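Review bot: the context paragraph two lines below the "receives" fix still has "privacy and anonymity of it's users", where the possessive should be "its". The added line itself keeps "the transaction, To this day", a capital after a comma that reads as a missing full stop. Suggest fixing both while this block is open.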

    @@ -135,7 +135,7 @@

    In short, Cut out the troublesome middle man, and transact with the end user directly. You can also use semi-centralised platforms such as https://localmonero.co that are platforms who incite crypto owners to exchange amongst themselves, a good alternative to use until Decentralised Exchanges (DEXs) are popularized. If you want to check out how to acquire monero on localmonero check out this tutorial. (edit: localmonero is no longer in business as of april 2024, moving to haveno DEX is your current only option for direct FIAT -> XMR transactions)

    -

    The next big Decentralized Exchange that's coming soon is Haveno DEX It will combine Monero and Tor to bring complete decentralisation of your finances. When it will be ready for public use, it will only be a matter of time until everyone shifts to a completely decentralised way of transacting. Check out this tutorial i made to find out how to use it for Fiat -> XMR transcations.

    +

    The next big Decentralized Exchange that's coming soon is Haveno DEX It will combine Monero and Tor to bring complete decentralisation of your finances. When it will be ready for public use, it will only be a matter of time until everyone shifts to a completely decentralised way of transacting. Check out this tutorial i made to find out how to use it for Fiat -> XMR transactions.

    diff --git a/opsec/governments/index.html b/opsec/governments/index.html index 00d23da..d1ea347 100644 --- a/opsec/governments/index.html +++ b/opsec/governments/index.html @@ -129,7 +129,7 @@ Law enforcement is the activity of some members of government who act in an orga

    Of course, the law must not be ignored by anyone, and to make sure that everyone is kept in line, they need to show everyone that the law is effectively enforced onto those that behaved badly, very often they brag about catching criminals to let everyone know that they are the good guys protecting everyone from the bad guys.

    -

    That is the basis of this whole Privacy and Anonymity talk. In short, For the law to be enforceable, they need to know both what happened, and who perpretated the act to be able to apply sanctions on the individual / group of individuals that commited the crime.

    +

    That is the basis of this whole Privacy and Anonymity talk. In short, For the law to be enforceable, they need to know both what happened, and who perpetrated the act to be able to apply sanctions on the individual / group of individuals that committed the crime.

    Modern governments know this very well, and some go to extreme lengths to make sure that every citizen is under surveillance.

    1. USA: Edward Snowden's Revelations

      diff --git a/opsec/graphene/index.html b/opsec/graphene/index.html index 3d73f91..d5558a5 100644 --- a/opsec/graphene/index.html +++ b/opsec/graphene/index.html @@ -63,7 +63,7 @@ Previous Page

      nihilist@mainpc - 2024-07-10

      How to install GrapheneOS on a Pixel Phone

      -

      In this tutorial we're going to setup graphene OS, an open source android operating system for google pixel phones. (Yes google phones, if you don't like it then you'll have to wait for functionnal open hardware alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems given that it's fully open source. and that they refuse to implement google services by default, unlike their competitors like LineageOS.

      +

      In this tutorial we're going to setup graphene OS, an open source android operating system for google pixel phones. (Yes google phones, if you don't like it then you'll have to wait for functional open hardware alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems given that it's fully open source. and that they refuse to implement google services by default, unlike their competitors like LineageOS.

      DISCLAIMER: yes the quality of the photos taken are garbage :)
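Review bot: the added line corrects "functional" but keeps a stray full stop mid-sentence in "given that it's fully open source. and that they refuse to implement google services". Suggest removing the full stop (or capitalising and restructuring the sentence) in the same change.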

      @@ -275,7 +275,7 @@ Finished. Total time: 0.276s
      -

      Setting up package manageers



      +

      Setting up package managers



      Now that's done, we use the private usage profile to install f-droid, in order to install FOSS applications

      diff --git a/opsec/haveno-arbitrator/index.html b/opsec/haveno-arbitrator/index.html index c57e52b..76eeffc 100644 --- a/opsec/haveno-arbitrator/index.html +++ b/opsec/haveno-arbitrator/index.html @@ -136,7 +136,7 @@

      Then click confirm to take the offer to buy Monero:

      -

      Back to Alice's perspective, the trade will intiate and can be viewed when going to the portfolio tab:

      +

      Back to Alice's perspective, the trade will initiate and can be viewed when going to the portfolio tab:

      When opening the trade window, Alice sees that Bob not only does not respect the trade protocol of sending the gift card by mail by just sending the code over chat, but the code is also invalid!

      @@ -152,7 +152,7 @@

      Back to Alice's perspective, Now the ball is in her park, what does she do ?

      -

      Since she never recieved payment, she does not confirm that she recieved it, and waits until the trade expires

      +

      Since she never received payment, she does not confirm that she received it, and waits until the trade expires

      In this case, the trade should not take more than 24 hours, so she waits until the next day, and when it expires, she'll be able to open up a dispute.

      diff --git a/opsec/haveno-cashbymail/index.html b/opsec/haveno-cashbymail/index.html index d25b50a..2a856ed 100644 --- a/opsec/haveno-cashbymail/index.html +++ b/opsec/haveno-cashbymail/index.html @@ -88,7 +88,7 @@

      Initiating the trade

      -

      Here, we're Bob, we create our account on Haveno for Pay by Mail transactions, mentionning our real name, postal address, city and country.

      +

      Here, we're Bob, we create our account on Haveno for Pay by Mail transactions, mentioning our real name, postal address, city and country.

      Then we hit "save new account":

      @@ -203,7 +203,7 @@ This will help you distinguish packages coming from different buyers and avoid c

      Back to Alice's side, we get the following notification:

      -

      There, the delay depends on the postal service. But she recieves the envelope 5 days later, she records herself from the point of retrieving, to the unpacking of the cash inside. and then if all is ok on her side, she confirms that she has recieved payment to release the monero funds to Bob:

      +

      There, the delay depends on the postal service. But she receives the envelope 5 days later, she records herself from the point of retrieving, to the unpacking of the cash inside. and then if all is ok on her side, she confirms that she has received payment to release the monero funds to Bob:

      diff --git a/opsec/haveno-sepa/index.html b/opsec/haveno-sepa/index.html index 718e370..540fe51 100644 --- a/opsec/haveno-sepa/index.html +++ b/opsec/haveno-sepa/index.html @@ -145,13 +145,13 @@ If you get banned from a physical bank, they may put your name on a fraud regist

      Sidenote: Tying back to my explanation on why Decentralised exchanges are going to be very costly to an adversary that wants to deanonymize users, the adversary would have to massively fund offers in monero, and loose their side of the security deposit each time, in an attempt to try and regulate the end user directly, that's way harder than just knocking on a centralised exchange owner's door to ask him to / force him to deanonymize his entire userbase for the adversary. This is where the Haveno DEX multiplies potential adversaries' efforts manyfold compared to centralised exchanges.

      So here Bob can follow this procedure to do the sepa instant transfer; he goes on his banking application to add Alice Liddell as a third-party account using her IBAN (see example IBANs per country in the EU here), and then he sends her the 13 euros as a transaction between private individuals, using the instant transaction feature provided by his Bank.

      -

      Once completed, Bob declares that he has sent payment. and in case if Alice tries to deny that she recieved payment, Bob can take a screenshot to prove that he has sent the payment, from his bank account by clicking on viewing more details on his transaction (checking the receipt). That way, in case if there is a dispute, (meaning if Alice tries to scam Bob), he will be on the right side of arbitration, and the Arbitrator will favor him.

      +

      Once completed, Bob declares that he has sent payment. and in case if Alice tries to deny that she received payment, Bob can take a screenshot to prove that he has sent the payment, from his bank account by clicking on viewing more details on his transaction (checking the receipt). That way, in case if there is a dispute, (meaning if Alice tries to scam Bob), he will be on the right side of arbitration, and the Arbitrator will favor him.

      Back to Alice's side, we see that the trade has been initiated:

      -

      So here Alice checks if she recieved payment on her account from the bank account of Bob (whose name just got revealed as "Bob Marley" with a specific IBAN) As a Buyer (like Bob), don't try to use a fake IBAN and name because the infos you use are going to be required by the XMR seller (Alice) to verify from whom the payment came from. The Arbitrators are likely to favor Alice if you use false banking information.

      +

      So here Alice checks if she received payment on her account from the bank account of Bob (whose name just got revealed as "Bob Marley" with a specific IBAN) As a Buyer (like Bob), don't try to use a fake IBAN and name because the infos you use are going to be required by the XMR seller (Alice) to verify from whom the payment came from. The Arbitrators are likely to favor Alice if you use false banking information.

      -

      Alice just checked her banking application, she recieved payment from Bob Marley, and she clicks "Confirm payment Receipt" to complete the trade.

      +

      Alice just checked her banking application, she received payment from Bob Marley, and she clicks "Confirm payment Receipt" to complete the trade.

      And lastly, Bob gets his Monero without any issue (he needs to wait 20 minutes for the monero to be spendable from his haveno monero wallet):
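Review bot: the Sidenote context line at the top of this hunk still says the adversary would "loose their side of the security deposit", which should be "lose". This is a wrong-word error rather than a style point, and it sits in the same hunk as the three "received" fixes, so suggest correcting it here. The added lines also keep "in case if" twice, which could be tightened to "in case" or "if".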

      diff --git a/opsec/hiddenservice/index.html b/opsec/hiddenservice/index.html index 22d567b..29b5146 100644 --- a/opsec/hiddenservice/index.html +++ b/opsec/hiddenservice/index.html @@ -78,7 +78,7 @@

      One way to host a Hidden Service is remotely. You anonymously rent a VPS to a non-KYC cloud provider (using Tor and Monero), and use it anonymously (using SSH through Tor), to host a Tor Hidden Service.

      The main advantage here is that if anything goes wrong (if you try to run a sensitive service there), you are safe from any repercussions, as the cloud provider can't know that it was you who bought and used the VPS.

      -

      The strategy here is that whatever service you try to run, you run it as far away from your home as possible. So that if one day the location of the hidden service gets found out (as tor traffic sometimess get deanonymized, when the tor circuits go through nodes that all belong to the adversary), your home IP address doesn't get revealed.

      +

      The strategy here is that whatever service you try to run, you run it as far away from your home as possible. So that if one day the location of the hidden service gets found out (as tor traffic sometimes get deanonymized, when the tor circuits go through nodes that all belong to the adversary), your home IP address doesn't get revealed.

      Sidenote: know that if you try to run a sensitive service, you are literally abusing the goodwill of non-KYC cloud providers, that are willing to go the extra mile to provide anonymity for you. So please don't bite the hand that feeds you, don't run sensitive services on VPSes, as the non-KYC cloud resellers are the ones that will have to deal with the consequences afterward.

      The main drawback however, is that you are not in physical control of the server that you are using, therefore if the cloud provider has implemented extensive spying mechanisms, they will immediately find out that it is this VPS that is running said hidden service.

      TLDR: it's safer in case if anything goes wrong, but you don't have physical control over the service.
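
      Review bot: The added line fixes "sometimess" but still reads "tor traffic sometimes get deanonymized", where the singular subject needs "gets". Since the line is already being touched, suggest "as tor traffic sometimes gets deanonymized" so it does not need a second pass.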

      diff --git a/opsec/mail/index.html b/opsec/mail/index.html index 38b7380..bce1449 100644 --- a/opsec/mail/index.html +++ b/opsec/mail/index.html @@ -68,12 +68,12 @@

      So let's add a subdomain to point at our mail server, to do so you need to go to the DNS Zone settings to add a few entries starting with the MX record:

      -

      Here make sure you do not forget the trailing dot (.) at the end of the Target. Next you want to setup that mail subdomain aswell, and to do so you will do +

      Here make sure you do not forget the trailing dot (.) at the end of the Target. Next you want to setup that mail subdomain as well, and to do so you will do add a CNAME record, that is if your mail server is the SAME as your main server (mail.domain.com == domain.com):

      In the other case where your mailserver is NOT the same as the main server (mail.domain.com != domain.com) you will need an A record which is going to tell - Which IP to goto in order to reach that mail server: + Which IP to go to in order to reach that mail server:

      In this case we're going to make it point to our DigitalOcean VPS as usual and once it's done we can simply ssh into it:
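
      Review bot: The added paragraph still reads "to do so you will do add a CNAME record", with a stray "do" left in front of "add". Suggest "to do so you will add a CNAME record"; "setup that mail subdomain" in the same sentence is the verb form and would read better as "set up".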

      @@ -172,7 +172,7 @@ sh emailwiz.sh

      Then hit enter, and wait for the script to install postfix and dovecot. Luke intended this script to be run and to configure postfix and dovecot together. The main feature here is that once you create an user - added to the mail group, it's going make them able to recieve and send mail. + added to the mail group, it's going make them able to receive and send mail.
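
      Review bot: The added line corrects "recieve" but leaves "it's going make them able to receive", which is missing "to", and "an user" just before the changed line. Suggest "it's going to make them able to receive and send mail" and "a user".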

      @@ -206,7 +206,7 @@ passwd someone they are blocking port 25 (SMTP) which, in general indicates that they do not allow any mail hosting on their VPS, so for once i am not going to recommend DO

      -

      TLDR i am incredibly suprised at how difficult it is to setup your own email server. In france, most ISPs simply do not allow port 25 apart from OVH. +

      TLDR i am incredibly surprised at how difficult it is to setup your own email server. In france, most ISPs simply do not allow port 25 apart from OVH. Online, both DigitalOcean and Vultr block port 25 to avoid mail spam which makes me wonder where exactly do you even host your mail server. If anyone knows a particular hosting service that ALLOWS port 25 and other mail-specific ports (993 587 etc) please let me know.

      diff --git a/opsec/mailprivate/index.html b/opsec/mailprivate/index.html index 85d13a1..bb5fbe4 100644 --- a/opsec/mailprivate/index.html +++ b/opsec/mailprivate/index.html @@ -789,7 +789,7 @@ MAC Address: EE:B5:C9:3A:C3:FE (Unknown)

      As you can see, by default you don't have the destination's PGP key, so for this first mail we won't encrypt it and see how it looks like on the receiver's end:

      -

      Now we see that the receiver got the unencrypted message, with our PGP signature as an attachement. The recipient can now save it, and use it to encrypt his messages with us.

      +

      Now we see that the receiver got the unencrypted message, with our PGP signature as an attachment. The recipient can now save it, and use it to encrypt his messages with us.

      
       [ 10.8.0.3/24 ] [ nowhere ] [~]
       → gpg --gen-key
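
      Review bot: The added sentence keeps "our PGP signature as an attachment" and then says the recipient can "use it to encrypt his messages", but a signature cannot be used for encryption; what the recipient saves for that purpose is the sender's public key. The context line above already speaks of "the destination's PGP key", so suggest "with our PGP public key as an attachment" to keep the two consistent.
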
      diff --git a/opsec/manifesto/index.html b/opsec/manifesto/index.html
      index 05585d8..faa4ac8 100644
      --- a/opsec/manifesto/index.html
      +++ b/opsec/manifesto/index.html
      @@ -77,7 +77,7 @@
       

      At first, this blog started out as a hacking writeup blog, to show everyone how i hacked half of HackTheBox back in 2022, it was my way of showing that i understood how systems worked from the adversarial point of view. Then once i learned the pentesting methodology i realized that i was doing the same thing over and over again with different technologies, got bored with it, and decided to move on to Sysadmin topics.

      At that point, i dabbled heavily into the self-hosting community, running a servers at home, running every possible service from home, open source only, remaining the only one in control of my data, etc.

      But something was missing. I realized that Decentralisation and Privacy were not enough when reading the news, i realized that the very same governments that were supposed to be at the head of democracies were starting to turn into dictatorships. When that is the case, you have no choice but to fit into their view of a perfect law abiding citizen because any reason is a good reason to put you behind bars.

      -

      That's why i decided to move on to Anonymity topics specifically, because that is the key to remain in control of your freedom, is to make sure your sensitive actions remain secret, while portraying yourself as the perfect citizen. Wether you see this as right or wrong, it does not matter to me.

      +

      That's why i decided to move on to Anonymity topics specifically, because that is the key to remain in control of your freedom, is to make sure your sensitive actions remain secret, while portraying yourself as the perfect citizen. Whether you see this as right or wrong, it does not matter to me.

      What truly matters here, is exploring how you can use technology to protect your abilities, and enhance them.
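
      Review bot: The context two paragraphs above the change still reads "running a servers at home", which this typo pass leaves behind. Suggest extending the hunk to "running servers at home" (or "running a server at home").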

      @@ -114,8 +114,8 @@ Honorable reasons: -Transcending -

      I am motivated by my will to purify, refine and enhance my abilities using tools and technology, and I want anyone that also shares that same drive, to be able to explore the full scope of what they can do aswell.

      -

      I am also motivated by my will to clear out any misconceptions and help everyone percieve technology for what it truly is, regardless of any morality or any political view. My blog aims to bring to light that any usage of any technology is to be justified with a clear reason, to be described, and showcased in great detail.

      +

      I am motivated by my will to purify, refine and enhance my abilities using tools and technology, and I want anyone that also shares that same drive, to be able to explore the full scope of what they can do as well.

      +

      I am also motivated by my will to clear out any misconceptions and help everyone perceive technology for what it truly is, regardless of any morality or any political view. My blog aims to bring to light that any usage of any technology is to be justified with a clear reason, to be described, and showcased in great detail.

      Yes, anyone that tries to mix politics and ideologies into technology, is merely trying to preserve what they are currently identified with. Such people cannot pretend to have an objective view when talking about anything.

      Transcending limitations is what i consider the most honorable way behind any action. Ultimately, this blog aims to showcase that Technology, when used correctly, can allow one to transcend any limitation. Be it to transcend surveillance, centralisation, deanonymization, lack of security. Any ability that we have as Humans, such as Privacy, Decentralisation, Anonymity, Security, Plausible Deniability can be protected and enhanced by using the correct Technology.

      TLDR: You want to know the most effective technologies that can enhance your life ? It's right there. Just read it up, understand what they are, understand why they are used, understand how they are used, and use them yourself.

      diff --git a/opsec/matrixnew/index.html b/opsec/matrixnew/index.html index 2f5c9ca..4274de1 100644 --- a/opsec/matrixnew/index.html +++ b/opsec/matrixnew/index.html @@ -132,7 +132,7 @@ networks: docker-compose run --rm -e SYNAPSE_SERVER_NAME=m.nowhere.moe -e SYNAPSE_REPORT_STATS=yes synapse generate
      -

      My matrix server will have the "m.nowhere.moe" domain name. The coturn config mentionned here is used for the VOIP support. Now let's generate the initial keys of the matrix server like so:

      +

      My matrix server will have the "m.nowhere.moe" domain name. The coturn config mentioned here is used for the VOIP support. Now let's generate the initial keys of the matrix server like so:

      
       [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
       → ./generateconfig.sh
      diff --git a/opsec/monero2024/index.html b/opsec/monero2024/index.html
      index 1424792..b790b8d 100644
      --- a/opsec/monero2024/index.html
      +++ b/opsec/monero2024/index.html
      @@ -63,7 +63,7 @@
         					Previous Page

      nihilist@mainpc - 2024-04-28

      How to acquire and use Monero

      -

      In this tutorial we're going to take a look at how to setup a monero wallet locally, how to recieve some monero there, and how to send monero to someone else.

      +

      In this tutorial we're going to take a look at how to setup a monero wallet locally, how to receive some monero there, and how to send monero to someone else.

      OPSEC Recommendations:

      1. Hardware : (Personal Computer / Laptop)

      2. @@ -71,7 +71,7 @@
      3. Hypervisor: libvirtd QEMU/KVM

      4. Virtual Machine: Linux or Whonix or Tails

      -

      I recommend using this setup into one of the above mentionned VMs, either for Private use, or Anonymous use, as per the 4 basic OPSEC levels.

      +

      I recommend using this setup into one of the above mentioned VMs, either for Private use, or Anonymous use, as per the 4 basic OPSEC levels.

      @@ -87,7 +87,7 @@

      Wallet Setup



      GUI Wallet Setup

      Now on whonix there can be some issues with syncing to the monero nodes over the CLI monero wallet, due to the slow tor network and connection timeouts, So we'll first cover how to install the GUI monero wallet:

      -

      First let's download the monero GUI wallet from https://getmonero.org: (.onion address: http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion )

      +

      First let's download the monero GUI wallet from https://getmonero.org: (.onion address: http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion )

      Then we unpack it on the desktop and run the appimage:
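
      Review bot: The removed and added paragraphs in this hunk read identically as shown, so the difference must be in markup or whitespace that is not visible here. Because this paragraph points readers to the wallet download on getmonero.org and its .onion mirror, suggest stating in the commit message exactly what changed on this line and confirming that any altered link target still matches the addresses given in the text.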

      
      @@ -140,7 +140,7 @@ LICENSE  extras  monero-gui-wallet-guide.pdf  monero-wallet-gui  monero-wallet-g
       
       
       
      -

      Here we pick a clearnet monero node (if you dont want to, scroll down to know how to setup a .onion monero node)

      +

      Here we pick a clearnet monero node (if you don't want to, scroll down to know how to setup a .onion monero node)

      @@ -152,7 +152,7 @@ LICENSE extras monero-gui-wallet-guide.pdf monero-wallet-gui monero-wallet-g

      Now with this setup we can use .onion monero nodes as follows (pick one you trust from https://monero.fail/ for example my .onion monero node at this URL: http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:18081

      -

      Here again, wait for the monero wallet to finish synchronizing to be able to recieve and send monero:

      +

      Here again, wait for the monero wallet to finish synchronizing to be able to receive and send monero:

      @@ -165,7 +165,7 @@ LICENSE extras monero-gui-wallet-guide.pdf monero-wallet-gui monero-wallet-g -

      Now we want to buy monero for euros, for speed i recommend just buying some using SEPA instant transfer if your bank accepts it. However if you don't mind waiting weeks, the preferred method on localmonero.co is cash-by-mail, as cash can't be traced. But still, it shoudln't matter even if you buy monero with your credit card to a random vendor, your bank will see that you sent money to someone, and if the vendor is malicious they may log that you bought some monero, but still they will be unable to know what you do with your monero. it's like retrieving cash from the bank, the bank knows you bought some cash but they can't know what you do with it.

      +

      Now we want to buy monero for euros, for speed i recommend just buying some using SEPA instant transfer if your bank accepts it. However if you don't mind waiting weeks, the preferred method on localmonero.co is cash-by-mail, as cash can't be traced. But still, it shouldn't matter even if you buy monero with your credit card to a random vendor, your bank will see that you sent money to someone, and if the vendor is malicious they may log that you bought some monero, but still they will be unable to know what you do with your monero. it's like retrieving cash from the bank, the bank knows you bought some cash but they can't know what you do with it.

      So here we want to find a vendor that offers monero for SEPA instant transfers, preferably someone who doesn't do KYC.

      The trade should go like this:

      @@ -174,11 +174,11 @@ LICENSE extras monero-gui-wallet-guide.pdf monero-wallet-gui monero-wallet-g
    2. 1) they send you the IBAN to send the bank transfer to,
    3. 2) you send them the money,
    4. 3) and then you declare that you have paid on monero,
    5. -
    6. 4) and then you wait 30 minutes approximately to recieve the monero.
    7. +
    8. 4) and then you wait 30 minutes approximately to receive the monero.
    9. if trade is completed smoothly, always rate vendors as trustworthy, as this is how localmonero works, always on trust.

      -

      Now that you recieved some monero, you can send them to whoever has a XMR address like i do:

      +

      Now that you received some monero, you can send them to whoever has a XMR address like i do:

      for example if you want to donate a few leftovers moneros like this feel free to do so:

      @@ -264,7 +264,7 @@ Important commands: 2 89uyMGJunXfSC375iEptD2WLCb5uidKJSEuUYL3n5fRMg6ccM7L5prSUi9YGgGFPS5T8Z95BJh93HKykUYWECmNfJhNFb9z localmonero
      -

      in this case, we'll use the 89uyMGJunXfSC375iEptD2WLCb5uidKJSEuUYL3n5fRMg6ccM7L5prSUi9YGgGFPS5T8Z95BJh93HKykUYWECmNfJhNFb9z address for all trades on haveno DEX. DO NOT USE IT ELSEWHERE! just like passwords, you want to have one per service. If you want to recieve monero from another place, create a new address.

      +

      in this case, we'll use the 89uyMGJunXfSC375iEptD2WLCb5uidKJSEuUYL3n5fRMg6ccM7L5prSUi9YGgGFPS5T8Z95BJh93HKykUYWECmNfJhNFb9z address for all trades on haveno DEX. DO NOT USE IT ELSEWHERE! just like passwords, you want to have one per service. If you want to receive monero from another place, create a new address.

      Check out my other tutorials on Decentralised Finances below:

      diff --git a/opsec/openhardware/index.html b/opsec/openhardware/index.html index e79b63f..0af931e 100644 --- a/opsec/openhardware/index.html +++ b/opsec/openhardware/index.html @@ -87,10 +87,10 @@

    The problem is, if you have closed-source hardware (such as an Intel or AMD CPU, or a nvidia graphics card, or a msi motherboard), you can at most have open-source software and protocols all the way down to layer 2, but not further below. That's because you have hardware manufacturers creating products, but they are keeping the method as to how they create them a proprietary secret. Because you can't audit it yourself, you can't tell if there is any spyware baked into it or not.

    -

    Take for example AMD's PSP or Intel's Management Engine, which are both alleged backdoors implemented directly in consummers' CPUs. In the case of Intel's processor chipsets, all CPUs since 2008 are to be considered backdoored by Intel ME, and there's nothing you can do about it, without knowing intel's secret way to disable it.[1][2][3] It is located in the Platform Controller Hub of modern Intel motherboards.

    +

    Take for example AMD's PSP or Intel's Management Engine, which are both alleged backdoors implemented directly in consumers' CPUs. In the case of Intel's processor chipsets, all CPUs since 2008 are to be considered backdoored by Intel ME, and there's nothing you can do about it, without knowing intel's secret way to disable it.[1][2][3] It is located in the Platform Controller Hub of modern Intel motherboards.

    check out this video for a deep dive into Intel's Management Engine from 36c3 chaoswest 2019.

    Regarding non-free firmware, even Debian has been forced to accept this reality in 2022 in their general resolution vote. In short, they now ship non-free firmware by default because 99.999999% of the people out there are running closed-source hardware CPUs, or GPUs, etc.

    -

    TLDR: if you use closed-source hardware, you won't be able to get open source firware for the CPU, GPU or motherboard. You cannot ever be 100% sure that your hardware itself contains a spying mechanism, because you can't check it yourself, be it in your motherboard, CPU, GPU, or network interfaces.

    +

    TLDR: if you use closed-source hardware, you won't be able to get open source firmware for the CPU, GPU or motherboard. You cannot ever be 100% sure that your hardware itself contains a spying mechanism, because you can't check it yourself, be it in your motherboard, CPU, GPU, or network interfaces.
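
    Review bot: The added TLDR line fixes "firware" but keeps "You cannot ever be 100% sure that your hardware itself contains a spying mechanism", which says the opposite of what the paragraph argues. Suggest "You cannot ever be 100% sure that your hardware does not contain a spying mechanism", since the point is that the absence of spyware cannot be verified.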

    diff --git a/opsec/opsec/index.html b/opsec/opsec/index.html index 1bd65f8..ebd8995 100644 --- a/opsec/opsec/index.html +++ b/opsec/opsec/index.html @@ -79,7 +79,7 @@

    Improve your OPSEC using Technology

    -

    The first and foremost step when you wish to protect your OPSEC, is to use the correct technologies that will let you have Privacy (lack of surveillance), and Anonymity (lack of identification). Be sure of one thing; You will never have privacy, nor anonymity until you use the right techonologies.

    +

    The first and foremost step when you wish to protect your OPSEC, is to use the correct technologies that will let you have Privacy (lack of surveillance), and Anonymity (lack of identification). Be sure of one thing; You will never have privacy, nor anonymity until you use the right technologies.

    We're going to cover 6 scenarios into which Bob tries to be anonymous online, as you will see, Bob's level of privacy and anonymity will vary greatly, based on what technologies he uses to access and use his account on nowhere.com



    Scenario 1: Closed source software, and no protection

    @@ -210,8 +210,8 @@

    Situation: Bob has an account on nowhere.com

    1. Bob registered his account via Tor on nowhere.com

    2. -
    3. Bob mentionned his real life name into the information of his account

    4. -
    5. Bob mentionned where he lived on the account information too.

    6. +
    7. Bob mentioned his real life name into the information of his account

    8. +
    9. Bob mentioned where he lived on the account information too.

    Summary: Bob deanonymized himself by his actions, despite using the correct technology. He identified himself (or KYC'd himself) on nowhere.com



    @@ -223,7 +223,7 @@
  • Bob uses a pseudonym into the information of his account

  • Bob mentionned that his pseudonym lived in wonderland.

  • -

    Summary: Bob used the right technology, and then on the website he uses a pseudonym, and mentionned random useless information about his pseudonym. For now his anonymity is preserved.

    +

    Summary: Bob used the right technology, and then on the website he uses a pseudonym, and mentioned random useless information about his pseudonym. For now his anonymity is preserved.



    Scenario 3: When pseudonymity goes wrong
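
    Review bot: The context bullet "Bob mentionned that his pseudonym lived in wonderland." still carries the spelling that this hunk fixes in the Summary line. Suggest changing it to "mentioned" in the same hunk so Scenario 2 is consistent.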

    @@ -232,7 +232,7 @@
  • Bob registered his account via Tor on nowhere.com

  • Bob uses a pseudonym into the information of his account

  • Bob used this account to talk into many conversations over the years, and has built up a big reputation.

  • -
  • Bob is drunk one night, and accidentally mentionned his real life name online.

  • +
  • Bob is drunk one night, and accidentally mentioned his real life name online.

  • Summary: Bob used the right technology, and then on the website he used a pseudonym successfully for a few years, his anonymity was preserved all this time up until he got drunk and accidentally revealed who he was. From there, Bob can no longer be anonymous using that pseudonym.



    @@ -242,7 +242,7 @@
    1. Bob regularly registers accounts via Tor on nowhere.com

    2. Bob enters different random names into the information of his accounts

    3. -
    4. Bob stricly uses those accounts only for specific purposes.

    5. +
    6. Bob strictly uses those accounts only for specific purposes.

    7. Bob talks into many conversations over the years, but using different accounts every week/month.

    8. Bob is never drunk when in front of the keyboard, and he is always careful to reveal nothing about his real life identity.

    diff --git a/opsec/opsec4levels/index.html b/opsec/opsec4levels/index.html index 5a5fe95..0cd7106 100644 --- a/opsec/opsec4levels/index.html +++ b/opsec/opsec4levels/index.html @@ -150,7 +150,7 @@

    Surveillance: Dave has verified that the software he is using, is not surveilling what he's doing

    Centralisation: Dave has moved away from centralised services, and is using their decentralised counterpart from the fediverse

    Onymity: Dave is anonymous online, thanks to it's use of the tor network through Whonix and tor browser

    -

    Deniability: Dave can deny that he has commited any anonymous activity, because the VM he uses is inside a veracrypt hidden volume, that he can deny the existance of.

    +

    Deniability: Dave can deny that he has committed any anonymous activity, because the VM he uses is inside a veracrypt hidden volume, that he can deny the existance of.

    Conclusion: Dave's setup is suitable for Sensitive use, as he managed to implement plausible deniability on top of anonymity technologies into his setup.
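
    Review bot: The added Deniability line fixes "commited" but still ends with "that he can deny the existance of". Suggest "existence" there, and "thanks to his use of the tor network" in place of "thanks to it's use" in the Onymity line above while this block is open.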

    diff --git a/opsec/physicalsecurity/index.html b/opsec/physicalsecurity/index.html index d2d367d..3a70afc 100644 --- a/opsec/physicalsecurity/index.html +++ b/opsec/physicalsecurity/index.html @@ -119,7 +119,7 @@ root@debian:~# apt update -y ; apt upgrade -y ; apt autoremove -y

    So now we have the following graph:

    -

    We now have a server at home, that contains a veracrypt hidden partition (whose existance shouldnt be revealed), that hidden partition contains a VM, which contains a .onion service we want to hide the existance of. So now let's protect it:

    +

    We now have a server at home, that contains a veracrypt hidden partition (whose existance shouldnt be revealed), that hidden partition contains a VM, which contains a .onion service we want to hide the existence of. So now let's protect it:
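
    Review bot: Only the second "existance" on the added line is corrected; "whose existance shouldnt be revealed" earlier in the same sentence is unchanged. Suggest "whose existence shouldn't be revealed" so both occurrences match.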

    diff --git a/opsec/privacy/index.html b/opsec/privacy/index.html index f575f9d..c49e750 100644 --- a/opsec/privacy/index.html +++ b/opsec/privacy/index.html @@ -89,7 +89,7 @@

    The Enemy of Privacy is Surveillance



    -

    Make no mistake, as we discussed previously, governments NEED surveillance to be able to fulfill the first condition to be able to enforce their laws: They need to know what happened. To be able to know what happened, they need surveillance to be implemented wherever they can, and it is definitely easy for them to force large businesses providing large centralised services to act on their behalf.

    +

    Make no mistake, as we discussed previously, governments NEED surveillance to be able to fulfil the first condition to be able to enforce their laws: They need to know what happened. To be able to know what happened, they need surveillance to be implemented wherever they can, and it is definitely easy for them to force large businesses providing large centralised services to act on their behalf.

    Yes, ANY company can act on any government's behalf. Take for example Microsoft spying on everyone through their closed source software Windows 10, or Apple spying on their users through their MacOS closed-source software, The US government is very open about it (see FISA 702).

    In this current world we live in, Surveillance is nearly omnipresent, where there is a business involved, and especially closed-source software, Surveillance is right there.
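
    Review bot: The only change on the added line is "fulfill" to "fulfil", and both are accepted spellings, so this is a regional variant swap rather than a typo fix. Suggest dropping it, or settling on one convention for the file, which already mixes "centralised" with "specialize".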

    @@ -97,7 +97,7 @@
    1. Microsoft (because Bob uses Windows)

    2. Google (because he uses Google and Google Chrome)

    3. -
    4. Bob's ISP (because he doesnt use a VPN nor Tor)

    5. +
    6. Bob's ISP (because he doesn't use a VPN nor Tor)

    If Bob were to do something sketchy using his computer, Law Enforcement would obtain all the information they need to know what Bob did, because he used Windows, Google Chrome, and no VPN/Anonymization network.

    And it does not stop there, even when LE is not involved, politicians can also request and pay to get private user data, at the discretion of those large companies that specialize on infringing upon users' privacy for their own profit (see the cambridge analytica scandal).

    diff --git a/opsec/sensitiveremotevshome/index.html b/opsec/sensitiveremotevshome/index.html index 4992cba..06527c1 100644 --- a/opsec/sensitiveremotevshome/index.html +++ b/opsec/sensitiveremotevshome/index.html @@ -94,7 +94,7 @@ Pros:

    Everyone has an internet connection, and if you live in a country that does not actively sensor the tor network, it can be interesting to host your own physical server which runs your hidden .onion service

    -

    If you have your own physical server at home, it means you have complete control over the physical proximity of the server itself. as i detailed in my tutorial on physical security there are many things you can do to detect if an adversary is breaking into your home to try and find if you host a hidden service (such as movement detection, unauthorized ssh detection, unauthorized USB interaction detection, etc)

    +

    If you have your own physical server at home, it means you have complete control over the physical proximity of the server itself. as i detailed in my tutorial on physical security there are many things you can do to detect if an adversary is breaking into your home to try and find if you host a hidden service (such as movement detection, unauthorized ssh detection, unauthorized USB interaction detection, etc.)

    In short, it's ideal if the technology is perfect and never has any flaws, but you can't ever be sure of that, (for example: Tor had security flaws in the past)
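
    Review bot: The context line above the change reads "does not actively sensor the tor network", where "censor" is meant, and this hunk leaves it as is. Suggest fixing it alongside the "etc." change, together with the lowercase "as i detailed" that starts a sentence on the added line.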



    diff --git a/opsec/serversideencryption/index.html b/opsec/serversideencryption/index.html index 2c36748..0b5f9d6 100644 --- a/opsec/serversideencryption/index.html +++ b/opsec/serversideencryption/index.html @@ -78,7 +78,7 @@

    One way to close the door on Jack, is to use PGP encryption:

    -

    the logic behind using PGP encryption is for Bob and Alice to encrypt their conversation themselves, because they don't trust anyone else. Bob encrypts his message using PGP, and no matter where he sends it (over mail, over discord, over IRC, XMPP, facebook, etc) only Alice will be able to decrypt the message.

    +

    the logic behind using PGP encryption is for Bob and Alice to encrypt their conversation themselves, because they don't trust anyone else. Bob encrypts his message using PGP, and no matter where he sends it (over mail, over discord, over IRC, XMPP, facebook, etc.) only Alice will be able to decrypt the message.

    In short, Bob uses PGP because he doesn't trust the platform on which you wish to talk to Alice.

    @@ -89,7 +89,7 @@
    -

    Serverside Encryption: a Phallacy



    +

    Serverside Encryption: a Fallacy



    When we are talking about Serverside Encryption, Who is Bob, Who is Alice and Who is Jack ?

    In the case of the Incognito Market, an illegal Darknet Market (DNM), the platform admins told it's users to trust their own encryption
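
    Review bot: The context line "the platform admins told it's users to trust their own encryption" uses "it's" where a possessive is needed, and this hunk only touches the heading above it. Suggest including that line and changing it to "told its users".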

    diff --git a/opsec/tailsqemuvm/index.html b/opsec/tailsqemuvm/index.html index b13d6d8..9f13442 100644 --- a/opsec/tailsqemuvm/index.html +++ b/opsec/tailsqemuvm/index.html @@ -89,7 +89,7 @@

    Tails Setup

    First we download Tails OS as a USB image here:

    -

    Then we resize the image size to be able to contain persistant storage (in this case, i'll make it 8Gbs):

    +

    Then we resize the image size to be able to contain persistent storage (in this case, i'll make it 8Gbs):

    
     [ nowhere ] [ /dev/pts/8 ] [nihilist/VAULT/Isos]
     → ls tails-amd64-6.3.img -lash
    @@ -110,7 +110,7 @@
     
     

    (wait a few seconds for it to load)

    -

    Once in there, depending on your use, you can select to have an admin password and a persistant storage if you need it. Otherwise everything you do in the VM will be wiped clean upon shutdown (hence the word amnesic).

    +

    Once in there, depending on your use, you can select to have an admin password and a persistent storage if you need it. Otherwise everything you do in the VM will be wiped clean upon shutdown (hence the word amnesic).

    Then we select connect to tor automatically:

    @@ -126,14 +126,14 @@
    -

    Persistant Storage Setup



    -

    Next, if you want to enable the persistant storage go there:

    +

    Persistent Storage Setup



    +

    Next, if you want to enable the persistent storage go there:

    make sure you enter a strong password that can't be bruteforced easily:

    -

    then hit "create persistant storage" and wait a bit for the operation to complete:

    +

    then hit "create persistent storage" and wait a bit for the operation to complete:

    -

    Then adjust the settings as per your liking, if you want the persistant storage to store more than it does by default:

    +

    Then adjust the settings as per your liking, if you want the persistent storage to store more than it does by default:

    Then if you want to install additional software you can launch a terminal:

    @@ -149,7 +149,7 @@ Get:3 tor+https://cdn-fastly.deb.debian.org/debian-security bookworm-security In [...]
    -

    Then once the software installed, you have the possibility to store it in the persistant storage aswell, so that it can be available when you launch tails again:

    +

    Then once the software installed, you have the possibility to store it in the persistent storage as well, so that it can be available when you launch tails again:

    
    @@ -176,7 +176,7 @@ Nsyh+-..+y+-   yMMMMd   :mMM+   DE: GNOME 43.9
                                                             
     
    -

    And that's it! We managed to run tails OS from a QEMU VM and install some software into the persistant storage.

    +

    And that's it! We managed to run tails OS from a QEMU VM and install some software into the persistent storage.

    diff --git a/opsec/tor/exit_node/index.html b/opsec/tor/exit_node/index.html index 733e000..74db22b 100644 --- a/opsec/tor/exit_node/index.html +++ b/opsec/tor/exit_node/index.html @@ -63,7 +63,7 @@ Previous Page

    nihilist - 29 / 01 / 2024

    TOR Exit Node

    -

    Before we start, make sure you either rent a VPS anonymously (tor+XMR + ssh via tor) click here for the list of anonymity-friendly hosting providers or rent a VPS on a cloud provider that explicitely allows for tor exit nodes to be hosted on their platform.

    +

    Before we start, make sure you either rent a VPS anonymously (tor+XMR + ssh via tor) click here for the list of anonymity-friendly hosting providers or rent a VPS on a cloud provider that explicitly allows for tor exit nodes to be hosted on their platform.

    As a disclaimer, you need to know who allows these tor exit nodes, if you're going to pick a random host provider to host an exit node for you, @@ -117,7 +117,7 @@ root@exit:~# nyx

    inside nyx you can use the left and right arrow to navigate the different pages:

    -

    Above you can see the connections, pressing right again shows how your server is configurated, along with extra details on each setting:

    +

    Above you can see the connections, pressing right again shows how your server is configured, along with extra details on each setting:

    Next we make sure it's an exit like so: (be aware that this is where it gets dangerous if you're not doing this on a non-KYC VPS, or on a cloud provider that doesnt accept tor exit nodes.
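Review bot: the context line right after the corrected sentence opens a parenthesis at "(be aware that ..." that is never closed, and it still reads "doesnt". Both sit one line below the "configured" fix, so close the parenthesis after "tor exit nodes." and change it to "doesn't" in this same hunk.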

    
    diff --git a/opsec/torbrowsing/index.html b/opsec/torbrowsing/index.html
    index 756c925..1f5bd52 100644
    --- a/opsec/torbrowsing/index.html
    +++ b/opsec/torbrowsing/index.html
    @@ -72,7 +72,7 @@
         
  • Virtual Machine: Linux or Whonix or Tails

  • Application: VPN (if your ISP doesn't allow Tor traffic)

  • -

    I recommend using this setup into one of the above mentionned VMs, for Anonymous use, as per the 4 basic OPSEC levels.

    +

    I recommend using this setup into one of the above mentioned VMs, for Anonymous use, as per the 4 basic OPSEC levels.
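Review bot: in the replaced line, "using this setup into one of the above mentioned VMs" has the wrong preposition. It should read "in one of the above-mentioned VMs", with the hyphen added now that the spelling is fixed.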

    @@ -207,7 +207,7 @@ extraction percent done: 100 / 100

    As you can see here, when browsing to the clearnet, your traffic is being encapsulated threefold, meaning that you are entrusting your connection to 3 tor node owners around the globe. And on top of that, they are in 3 different countries.

    -

    Next, when you browse to a website that can be accessed via a .onion link, you might get the above message that shows up. I prefer to not prioritize onions to avoid unecessary page refreshes. Instead i click on the .onion available button if it appears.

    +

    Next, when you browse to a website that can be accessed via a .onion link, you might get the above message that shows up. I prefer to not prioritize onions to avoid unnecessary page refreshes. Instead i click on the .onion available button if it appears.

    Now when you're connected to the .onion hidden service, you can see that your connection goes through more tor nodes, this is the best way to access websites online, you're not leaking any info they don't need to know that way. Plus, since we are on the "safest" setting, we are not loading any javascript that may be used to fingerprint our activity online.
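Review bot: the replaced line still ends with "Instead i click on the .onion available button", with a lowercase "i" and no comma after "Instead". "you might get the above message that shows up" can also be shortened to "you might see the above message" while the line is being edited.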

    diff --git a/opsec/torthroughvpn/index.html b/opsec/torthroughvpn/index.html index b3b051b..50857ad 100644 --- a/opsec/torthroughvpn/index.html +++ b/opsec/torthroughvpn/index.html @@ -64,8 +64,8 @@

    Using Tor Safely: Tor through VPN or VPN through Tor?



    -

    Tor and VPNs comparaison Recap

    -

    As we went over this comparaison in the previous blogpost here i will briefly recap it here:

    +

    Tor and VPNs comparison Recap

    +

    As we went over this comparison in the previous blogpost here i will briefly recap it here:

    VPNS:

    VPNs can provide Privacy from your ISP , but by using one you are getting privacy from someone (most likely your ISP), but the VPN provider can see what you're doing with your internet connection.

    In other words, you're just shifting the privacy problem from your ISP to your VPN provider. You are moving your trust from one centralized entity to another
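Review bot: the second replaced line reads "in the previous blogpost here i will briefly recap it here", which repeats "here", keeps a lowercase "i" and lacks a comma before the main clause. Suggest "As we went over this comparison in the previous blogpost, I will briefly recap it here:". The heading above it mixes cases ("comparison Recap"), so pick one style for the whole heading.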

    @@ -167,7 +167,7 @@ You -> VPN -> Tor -> Destination

    WARNING: in this setup you are trusting your VPN provider to not snitch to your ISP that you are using Tor!

    -

    From your ISP's point of view, using Tor alone definitely stand out from regular traffic, a popular option you can go for is to use a VPN (as this is a much more common occurence), and to use the Tor browser while keeping the VPN connection open.

    +

    From your ISP's point of view, using Tor alone definitely stand out from regular traffic, a popular option you can go for is to use a VPN (as this is a much more common occurrence), and to use the Tor browser while keeping the VPN connection open.

    In the unlikely event that you get deanonymized while using Tor, only your VPN IP would get revealed instead of your home IP address. And if the VPN provider has strict no-log policies and they actually follow through with their promises, it's very unlikely that both your VPN and Tor would be compromised at the same time.

    DISCLAIMER ON VPNs: Keep in mind that if you choose to use a VPN anyway, you must conduct a strict VPN selection, see Privacy Guides' Recommendations on that topic, out of which i recommend Mullvad because they accept Monero without any KYC.
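Review bot: the replaced sentence fixes "occurrence" but keeps "using Tor alone definitely stand out", where the verb should be "stands out". The sentence is also a comma splice, so a full stop after "regular traffic" would make the recommendation that follows easier to read.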

    diff --git a/opsec/torvsvpns/index.html b/opsec/torvsvpns/index.html index 382a6c5..677f54c 100644 --- a/opsec/torvsvpns/index.html +++ b/opsec/torvsvpns/index.html @@ -111,14 +111,14 @@ Until Jack can figure out who that Someone is, that someone is Anonymous.

    We have the following scenario: you don't want your internet service provider to know what you're doing, but you also don't want the end services like google youtube or duckduckgo to know that you are accessing their service. in other words, you want to remain Anonymous while browsing the web, and Tor provides that for you.

    -

    Tor is unique as it is the anonymity network that recieved the most donations, studies and patches, but also due to it's popularity there's alot of nodes ran by anyone (individuals, companies, and potentially also governments), the decentralised aspect is vital there, because by using Tor, you are trusting 3 random entities, in 3 different countries

    +

    Tor is unique as it is the anonymity network that received the most donations, studies and patches, but also due to it's popularity there's alot of nodes ran by anyone (individuals, companies, and potentially also governments), the decentralised aspect is vital there, because by using Tor, you are trusting 3 random entities, in 3 different countries

    It takes all 3 nodes used by your tor circuit (in 3 different legislations if they are in 3 different countries) to actually be malicious and to record connections to be able to successfully deanonymize you. While at the same time, the Tor protocol does not log any connection by default.

    For more details you can see the repartition of tor nodes per country, or per ISP on metrics.torproject.org

    Keep in mind that it is still possible for you to get deanonymized sometimes if you're unlucky to have all 3 nodes ran by the same entity. So it is not perfect, but it is definitely many times more trustworthy than having to trust a centralised entity providing you with a VPN connection.

    As we have discussed previously, sometimes Anonymity is the difference-maker between Life and Death, especially for Journalism in censorship-heavy countries, Tor's main attraction is that De-anonymization attacks are made to be as expensive as possible, even for state-actors.

    Some people argue that Tor can't be trusted, but as we have discussed previously, Governments need to be able to know what happened (lack of Privacy), and once they know what happened, they need to know who did it (lack of Anonymity), in order to enforce their laws. When that is the case, how come is there still so many illegal marketplaces with years of uptime on the Tor network ? One thing is for sure, these marketplaces are very high on international authorities' priority list. If they are still there after all this time, It must be because the Tor network is protecting them from being discovered by the authorities isn't it ?

    -

    Even though i don't recommend to use Tor for any illegal purposes, the fact that these marketplaces have remained in activity for such a long time are a clear testament to the resilliency of the Tor network.

    +

    Even though i don't recommend to use Tor for any illegal purposes, the fact that these marketplaces have remained in activity for such a long time are a clear testament to the resiliency of the Tor network.
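Review bot: the first replaced paragraph in this hunk fixes "received" but leaves "it's popularity" (possessive "its"), "nodes ran by" ("run by") and "alot", which this same patch corrects to "a lot" in opsec/vpn/index.html. In the last replaced line, "the fact that ... are a clear testament" needs "is", and "i" should be capitalised.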

    diff --git a/opsec/veracrypt/index.html b/opsec/veracrypt/index.html index 811fc91..b301133 100644 --- a/opsec/veracrypt/index.html +++ b/opsec/veracrypt/index.html @@ -64,7 +64,7 @@

    Plausible Deniability Setup

    VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. It is based on Truecrypt, This tool will be used for Plausible Deniability.

    -

    But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existance of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, because you need to be able to deny the existance of the encrypted volume. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.

    +

    But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, because you need to be able to deny the existence of the encrypted volume. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.
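Review bot: the replaced paragraph spells the tool "Veracrypt" while the context line two paragraphs above uses "VeraCrypt". Use one casing throughout the page, since this line is already being changed for "existence".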

    @@ -114,7 +114,7 @@ regarding wear leveling:

    Now from there we can create encrypted volumes (either as files or as entire drives). In this case we'll create an encrypted file:

    -

    Here we select that we want a Hidden veracrypt volume aswell (which will be able to deny it's existance).

    +

    Here we select that we want a Hidden veracrypt volume as well (which will be able to deny it's existence).

    Then we want it to be a simple file in my home directory
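Review bot: "which will be able to deny it's existence" in the replaced line should use the possessive "its", and the wording makes the volume the one doing the denying. Something like "whose existence can be denied" states the property the page is describing.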

    @@ -129,7 +129,7 @@ regarding wear leveling:

    Then move your mouse to make sure the randomness of the encryption is best, then let it complete the formatting. If you are creating a large encrypted volume, it will take time to overwrite all the data. DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable by an adversary.

    -

    Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, the existance of this volume must never be revealed to anyone except you.. then we repeat the previous steps:

    +

    Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, the existence of this volume must never be revealed to anyone except you.. then we repeat the previous steps:

    Here we select the size we need for the hidden volume.
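Review bot: the replaced line keeps the stray double period in "anyone except you.. then we repeat the previous steps". Split it into two sentences ("... anyone except you. Then we repeat the previous steps:") so the secrecy requirement stands on its own.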

    diff --git a/opsec/vpn/index.html b/opsec/vpn/index.html index ed9d692..8e47b63 100644 --- a/opsec/vpn/index.html +++ b/opsec/vpn/index.html @@ -89,7 +89,7 @@

    Meaning, that when Bob is browsing the web on google.com; youtube.com or duckduckgo.com, his internet service provider can see that he's connecting there!

    That doesn't sit well with Bob. Bob decides that his ISP shouldn't be aware of what he's doing with his internet usage. Therefore, he wants to use a VPN.

    -

    But thing is, Bob realises that the VPN market is over-saturated, there's alot of choice. He wants to know what's the best VPN out there. After browsing for some time, he found this article from Privacy Guides where they compare popular VPN services according to their standards. From there, Bob decides he's going to try to use Mullvad VPN.

    +

    But thing is, Bob realises that the VPN market is over-saturated, there's a lot of choice. He wants to know what's the best VPN out there. After browsing for some time, he found this article from Privacy Guides where they compare popular VPN services according to their standards. From there, Bob decides he's going to try to use Mullvad VPN.
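Review bot: the replaced line still opens with "But thing is", which is missing the article ("But the thing is"). It is the first words of the line being edited, so fix it together with "a lot".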

    diff --git a/opsec/whonix/index.html b/opsec/whonix/index.html index 5ed95d8..8b68da4 100644 --- a/opsec/whonix/index.html +++ b/opsec/whonix/index.html @@ -200,7 +200,7 @@ Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-16.0.9.0.xml

    Plausible Deniability Setup



    -

    There are times when you might be forced to reveal the contents of a harddrive. To combat this you can go for a "Plausible Deniability Setup" where you have a drive that can be split. In my case i use a harddrive for this purpose, so it is actually possible to completely wipe it's contents if needed unlike on a SSD.

    +

    There are times when you might be forced to reveal the contents of a hard drive. To combat this you can go for a "Plausible Deniability Setup" where you have a drive that can be split. In my case i use a hard drive for this purpose, so it is actually possible to completely wipe it's contents if needed unlike on a SSD.
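Review bot: the replaced line still has "wipe it's contents" (possessive "its"), "a SSD" ("an SSD") and a lowercase "i" in "In my case i use". All three are in the sentence already being changed for "hard drive".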

    @@ -254,7 +254,7 @@ Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-16.0.9.0.xml

    You can go through the above setup we saw in the first part to setup the whonix VMs on both partitions.

    -

    Keep in mind that there may be forensics clues on the Host OS (like command history) that may lead to the VMs so you have to replicate the VMs on both partitions. Such a setup will allow you to completely deny the existance of the whonix VMs B and their real usage. Instead when you are forced to reveal the password of your harddrive you can give the password of the Decoy outer volume with password A. NEVER mention password B anywhere, memorize it yourself. So go through the above process to setup the whonix VMs on both partitions after installing the veracrypt hidden volume (do not select "will mount only on linux" otherwise it will give you an error.) Then we will use 2 scripts to ensure a quick setup and trackscleaning:

    +

    Keep in mind that there may be forensics clues on the Host OS (like command history) that may lead to the VMs so you have to replicate the VMs on both partitions. Such a setup will allow you to completely deny the existence of the whonix VMs B and their real usage. Instead when you are forced to reveal the password of your harddrive you can give the password of the Decoy outer volume with password A. NEVER mention password B anywhere, memorize it yourself. So go through the above process to setup the whonix VMs on both partitions after installing the veracrypt hidden volume (do not select "will mount only on linux" otherwise it will give you an error.) Then we will use 2 scripts to ensure a quick setup and trackscleaning:

    
     [ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
     → cat cleantraces.sh
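Review bot: the replaced paragraph keeps "the password of your harddrive", although the previous hunk in this file changes the same word to "hard drive". Make the spelling consistent here, and separate "trackscleaning" into "track cleaning" at the end of the paragraph.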
    diff --git a/opsec/whonixqemuvms/index.html b/opsec/whonixqemuvms/index.html
    index 43dad7f..ec9883d 100644
    --- a/opsec/whonixqemuvms/index.html
    +++ b/opsec/whonixqemuvms/index.html
    @@ -72,7 +72,7 @@
         
  • Hypervisor: libvirtd QEMU/KVM

  • Application: Host-based VPN (if your ISP doesn't allow Tor traffic)

  • -

    I recommend using this setup into one of the above mentionned VMs, for Anonymous use, as per the 4 basic OPSEC levels.

    +

    I recommend using this setup into one of the above mentioned VMs, for Anonymous use, as per the 4 basic OPSEC levels.

    Sidenote: If your ISP does not allow Tor traffic, make sure that you route the QEMU VMs traffic through a VPN, to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup
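Review bot: the context line after the fix writes "Tor traffic" and "tor traffic" in the same sentence, and "the QEMU VMs traffic" is missing the possessive apostrophe. Since the neighbouring sentence is being corrected, normalise these to "Tor" and "VMs' traffic" as well.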

    @@ -292,7 +292,7 @@ Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml

    And inside the Workstation VM you can browse Tor, and use Keepass just like in the previous tutorial:

    -

    you can also use monero (take note that the default sudo password in whonix is "changeme", so dont forget to change it):

    +

    you can also use monero (take note that the default sudo password in whonix is "changeme", so don't forget to change it):

    
     [workstation user ~]% passwd
     [workstation user ~]% sudo apt install monero -y
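Review bot: the replaced line tucks the default sudo password warning into a parenthetical after the Monero remark, while the commands below run passwd first. Lead with the password change as its own sentence, then mention Monero, and capitalise the sentence start and "Monero"/"Whonix".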