Last Updated: 8/23/23

Introduction

Hello all, I go by “snotknot” online. I am a security enthusiast who always wanted to write one of these threads. Before we get started, it’s important to know that although I am passionate about what I will be teaching in these threads, that doesn’t mean you should blindly trust everything I say. You definitely need to do your own research too and you should use this thread more as a template and not a “go-to” resource. It’s easy to know what’s fact and what’s lies when you become more experienced at the craft, but as a beginner it can be tricky and you’re likely to be deceived. This thread of course won’t be bullet proof and there may be some things that I get wrong.

Upon reading these threads, you will obtain a greater understanding of the techniques that the best at their craft use to remain anonymous on the internet, enhance their privacy, as well as their security. AKA: The title is a bit misleading, it’s not just a security thread as you’ll quickly come to realize.

I cannot stress this enough - These threads do not cover “everything”. Teaching EVERY detail of EVERY aspect of these various crafts would be way too time consuming and overall not efficient as there are way too many situational variables that differ from person to person. On top of that: You, the reader, will not remember everything taught regardless. You are better off instead trying to learn these various topics via trial and error and it will all come naturally with time.

Reading only does so much, you also need to have some hands on experience to balance it out. You can spend 5 years reading books on how to drive as well as the laws, etc., but you will never actually learn driving if you don’t get behind the wheel. Make sense?

Throughout this thread in particular, you will realize that I often reference hackers for my examples to help demonstrate points. I do that not because I condone hacking, but rather because hackers are big targets for Law Enforcement. This makes them relatively good examples to use when it comes to the topic of anonymity, which is a topic we will be covering on quite a bit throughout these threads.

It is expected that you are not a novice user, but instead someone who is heavily interested in learning the topics of anonymity, privacy, and security. If you’re an average Joe, you probably wouldn’t have stumbled upon this thread. These threads are designed for people who want to obtain the appropriate knowledge to min-max their anonymity, privacy, and security, or simply people who are interested in said topics and just want to read. If you either don’t care about these topics, or don’t plan on implementing the mentioned techniques into your setup, this thread isn’t for you

Lastly, don’t expect this thread to be proofread by an English professor. There will be some grammatical errors here and there, and there will certainly be lots of comma splicing and run-on sentences.

Let’s get started.

If you plan on Min-maxing your privacy, security, or anonymity and plan on being an advanced user, then please take the time read the thread linked below. You should also learn the mentioned prerequisites listed in the next section (assuming you don’t already meet the criteria).

You will realize that I will touch on and teach topics that were already covered in the Jolly Rogers thread. This is due to the fact that I already wrote those portions of my thread before including Jolly Roger’s thread as a resource. I recommend reading them as I may introduce a few new things.

Jolly Roger’s Security Thread (2014)

Link (clearnet): https://afga.neocities.org/cyber/1B-JOLLY-ROGER.PDF

Mirror (clearnet): https://www.lopp.net/pdf/Jolly_Rogers_Security_thread_for_Beginners.pdf

Prerequisites

“Why do I need these prerequisites?”

Answer: As already mentioned, these threads are not for novice users. Therefore, the solution isn’t “Slap on a VPN, Install firefox, uBlock Origin, and a password manager”.

Maximizing your security (for example) as much as you can is a lot easier if you know how computers work and how they network with other computers. Knowing how information systems work; how data is stored, secured, retrieved, etc. helps drastically when making decisions on the actions you will take. This is just one example. We can go on for eons. Understanding is key if you want to expand past the point of a basic user. Another example would be understanding how browser tracking works. This will make you realize that the solution above with VPNs, firefox, ublock and a password manager isn’t enough to counter browser tracking. You’re going to need, for example, a hardened firefox user.js file (and NOT: Brave, or any other bs like that). Even this won’t be 100% perfect as we still want a CONVENIENT TO USE browser that doesn’t break websites when we visit them, meaning we won’t be able to counter everything. If we want the “best” privacy and security, we might as well just use Tor at that point. However, nobody wants to daily drive Tor. So what do we do? We make compromises.

I gave examples for security and privacy, what about anonymity? I’ll give a real life example that actually happened with a Harvard student.

Let’s say you’re a novice user trying to be anonymous while committing a crime. You skip the fundamentals, therefore you make the mistake of connecting to Tor, without a bridge, ON YOUR COLLEGES WI-FI NETWORK, to make a bomb threat. Not a good idea. You don’t have to be a genius or know any of the fundamentals to know why this is a bad idea. The obvious takeaway is to simply not make bomb threats, but most people (tech savvy or not) are smart enough to know that you shouldn’t do something illegal on your schools network. Although that is true, the biggest takeaway is that he didn’t use a bridge (or even put in the effort to use a different network other than his schools ffs).

If the student knew the fundamentals, he’d know better.

He would know that:

  • tor relay IPs are public knowledge and that Tor doesn’t hide the fact that you’re using Tor
  • from a basic OpSec perspective, he shouldn’t be connected to a WiFi network that is tied to his identity in any way regardless if he used a bridge or not
  • he should be implementing anti forensic methods; keeping everything off disk using encrypted external media (i.e, USBs), tails (or something similar)
  • his encrypted external media should have evidence (if any) in Hidden volumes that utilize nested encryption, with each cipher having minimum 256-bit keys
  • his Tails persistence volume (if any)(as well as all volumes) should have a password that is intentionally overkill
  • Javascript disabled on Tor (This is mainly for people who are connecting to .onion sites, but it can be good advice for the clearnet too as he probably was using the clearnet)

If he had all of these methods in place at the time of his threat, he would not have gotten caught. He also admitted to the police that it was him, which didn’t help either.

Police checked who was using Tor on the school network at the time of the threat, he was the only student using Tor. Even with the poor methods he used, it is still VERY likely that he wouldn’t have been sent to jail if he didn’t admit to police that it was him. He could have argued (IN COURT, not to the police) that he just happened to be using Tor for other unrelated legitimate purposes around the same time the threat occured. The police didn’t know for sure it was him, they only confronted him because it was convenient how he just “happened” to be using Tor at the time of the threat, which lead police to question him. He assumed he was already busted and that it was over, so he gave up and admitted to his crime. In reality, they had no evidence; only a leed. He himself gave police the final piece to the puzzle with his confession that turned a leed into a solved case.

This is why it’s a bad idea to be a novice average Joe if you’re wanting to do anything illegal or advanced. He’s using these tools (his computer, the internet, Tor) without knowing how they work. His lack of knowledge put him in jail. Or in this case, his lack of knowledge is what put him in a situation where his stupidity got him in jail. He wouldn’t have confessed to the police who knocked on his door if he didn’t give them the information required to knock on his door :)

The chances of you too facing negative consequences will be greater if you follow in his footsteps and run before you can walk.

Regardless if what you’re doing is illegal or legal, you will be deceived with the degree of privacy/anonymity/security that you have; thinking it’s good, when in reality it’s probably not so good.

The prereqs:

  • Basic computer science fundamentals
  • Networking Fundamentals (IP addresses, subnetting, OSI Model, Routing, Switching)
  • Virtual Machine knowledge and experience, if you will be using VMs

  • Linux fundamentals

    Don’t overthink it. They’re not that advanced/technical. Notice the keyword “fundamentals”. You don’t have to get your PHD in computer science, networking, or linux.

Don’t meet the prerequisites?

If you currently do not meet the bar when it comes to the listed prerequisites, this section will provide you with some material to help jump start your journey.

Computer Science

100+ Computer Science Concepts Explained: https://www.youtube.com/watch?v=-uleG_Vecis

(x86)

I am going to key in here and write this section AS WELL as linking you outside sources to prevent you from making a popular mistake.

It is important to know that x86 is a CPU architecture. This is also known as an ISA, or “Instruction Set Architecture”. x86 is a “CISC”, or “Complex Instruction Set Computer” architecture. What this means is that it is a powerful CPU architecture used by more power demanding computers such as Desktops & laptops. x86 is the ISA used by most computers in the world including the one you’re using right now, most likely.

The 2nd most popular CPU architecture (ISA) is ARM. ARM is a “RISC”, or “Reduced Instruction Set Computer” architecture. As the name implies, it is a reduced CPU architecture for smaller, less demanding computers such as smartphones or embedded devices. Newer Apple computers are starting to use ARM, with Apple’s new M1 & M2 chips.

ISA’s are essentially a way for software to communicate with the CPU. How is the CPU going to execute code if the software isn’t designed for the CPU architecture? This is why software that run on Windows won’t run on your phone or vice versa, unless if they’re ported to a different platform.

The mistake that people make while learning about ISA’s are that they try to learn EVERY detail about x86, ARM, or both. This is a HUGE mistake. ISA’s are very complex and you do not need to know all of the various details, unless if you’re trying to create an operating system from scratch using that architecture or whatever. This is similar to trying to learn EVERYTHING about cryptography. You’re not a cryptographer. If you try to learn everything about everything then you’re going to burn yourself out. It is NOT possible. There is not one single human on the planet who knows “everything” about IT, or even any of its subsets: cryptography, cybersecurity, etc. You just have people who are really good at certain aspects of IT than others. Lower your expectations and don’t be so harsh. Study smarter, not harder.

Not that I cleared that up, I will leave you with this: What you need to focus on is the fact that x86 exists, ARM also exists, know the differences between the two (one is CISC, the other is RISC), and then learn how an x86 CPU executes code. That’s all a CPU is, right? It just executes instructions.

This will require you to learn how RAM works as well. Temporary data is stored in RAM, right? RAM is volatile. Nonvolatile (permanent) storage would be your HDD/SSD.

Your RAM (Memory) will have what’s called a “stack”, also referred to as a memory stack. This stack will contain values, which are logical memory addresses that are made up of hexadecimal values. The memory addresses indicate where in the logical memory space the data is located. Let’s say the integer “4” is stored in memory. Well, then 0x4 could be stored at the memory address: 0x0012FF90.

“0x0012FF90” is just an example. Don’t think too deep into it.

0x4 is “4” in hex, “0x” just indicates that the value is a hex value. Not all hex values have to begin with “0x”, it’s just a universal indicator of a hex value.

The numbering system we use in the real world is decimal notation. This is base10, correct? The characters in base10 are: 1234567890.

Hex is base16, and the characters are 12345689ABCDEF. It’s just 1-9, then A-F.

CPUs execute machine code, and the type of machine code they execute is binary (base2). When humans read the code of a compiled binary, they read what’s called “Op codes”, AKA “Operation Codes” which will be written in Hex instead of Binary. OpCodes are another form of machine code, and is the variant that humans read. This is because it’s a more convenient way for humans to read the compiled binary. We don’t wanna sit here and read binary all day, right?

Next, you need to learn how the CPU interacts with these memory addresses, which contain instructions to execute on the CPU.

This is where the x86 CPU pointers come into play. I will now redirect you to a source that will teach the rest of the basics of x86 pointers as well as a basic assembly rundown.

Hopefully this helps.

Malware analysis - part 1: My intro to x86 assembly (Credit: cocomelonc): https://cocomelonc.github.io/tutorial/2021/10/03/malware-analysis-1.html

Intro to x86 Assembly Language (Credit: Davy Wybiral): https://www.youtube.com/playlist?list=PLmxT2pVYo5LB5EzTPZGfFN0c2GDiSXgQe

VMs

Virtualization Explained (Credit: PowerCert Animated Videos): https://www.youtube.com/watch?v=UBVVq-xz5i0

Link to VirtualBox, one of the many publicly available hypervisors: https://www.virtualbox.org/wiki/Downloads

How to create a Win10 VM using VirtualBox (Credit: TopNotch Programmer): https://www.youtube.com/watch?v=sBzL_zoYt6o

Linux

Wikipedia: https://en.wikipedia.org/wiki/Linux

Linux in 100 Seconds (Credit: Fireship): https://www.youtube.com/watch?v=rrB13utjYV4

Below is a video showing you how to virtualize Ubuntu, the most popular Linux distribution, using VirtualBox.

How to install Ubuntu 22.10 LTS in VirtualBox 2023 (Credit: TopNotch Programmer): https://www.youtube.com/watch?v=hYaCCpvjsEY

Below is a video that will introduce you to the terminal & basic commands to run.

Introduction to Linux and Basic Linux Commands for Beginners (Credit: sakitech): https://www.youtube.com/watch?v=IVquJh3DXUA

Networking

These videos posted by Network Direction are what helped me personally learn networking. I took in depth notes on Google Docs and studied them. I advise you doing the same.

Network Fundamentals (Credit: Network Direction): https://www.youtube.com/watch?v=cNwEVYkx2Kk

Here is another similar playlist made by someone else. I have not watched these personally, however they appear to be high quality and the instructor seems to be good.

Networking Fundamentals (Credit: Practical Networking) https://www.youtube.com/playlist?list=PLIFyRwBY_4bRLmKfP1KnZA6rZbRHtxmXi

Real world example of TCP using Wireshark (Credit: Chris Greer) https://www.youtube.com/watch?v=HCHFX5O1IaQ

tips for successfully reading this thread

  • Don’t skip ahead/skim through the thread, read in order
  • Don’t skip the prerequisites (you’re just making it harder; you wouldn’t skip to advanced math before learning basic math, right?)
  • if there is something you do not understand, use Google to fill in any voids

Reality check

Unfortunately, the world that we live in today does not value privacy. They have fucking smart fridges now collecting your data as well as the other 50 IoT devices that you probably have in your house. Everything is becoming “modern” and integrating technology for no reason. Some useful, most are pointless and a reason to steal and sell your data. People these days are so stupid that companies are like “we have this useful product that can make your life easier but it spies on you and collects your data!” and people eat that shit up and only see the pros and don’t give a fuck about the privacy cons because the lack of privacy is so normalized in today’s world. Companies are slowly shoving the mindset of “privacy doesn’t matter” into the minds of our generation to “normalize” it for their own gain. The problem with security minded individuals aren’t that these devices exist, but rather their lack of configuration to better suit your privacy and needs. How do you really know your amazon Alexa isn’t just a microphone in your living room for the feds or hackers to leverage? Any modern day phone is sealed shut and are a pain in the ass to open without using Bob the Builder’s tool kit and avoiding the warranty, so how do you know your phone is really off when you power it off? The lack of reassurance from proprietary closed source software and hardware is what makes them scary and questionable by many across the globe. You’re essentially just trusting the manufacturing company without any reason to be secure.

If you’re interested, Edward Snowden covers more on this topic on his podcast with Joe Rogan. You can check it out here.

Privacy vs. Anonymity

I know it may be confusing at times to understand the differences between privacy and anonymity, so I created this newly added section to help people better understand the differences. It’s not as complicated as it may seem.

With privacy, we’re essentially controlling who has and doesn’t have access to our data. For example, let’s say we want to detach ourselves from central tech companies. We can do this by running the Linux operating system, using the Firefox web browser, as well as the DuckDuckGo search engine. By doing all of this, we’re successfully detached from all of the major tech companies that are known for collecting and selling off your data to the highest bidder.

How, you may ask? Let’s break it down.

Pros of using Linux:

  • Not using a Microsoft product (Microsoft of course being the company we are trying to avoid)
  • Not using windows = less malware will be designed to run on our system (vast majority of malware is written for Windows, with the second being MacOS)
  • Linux is open source, which guarantees full control over your system
  • The only thing windows is better for is photo/video editing, and gaming. Linux is better or just as good as Windows for everything else

Pros of using Firefox:

  • Alternative to Chrome, which is developed and maintained by Google, which is one of the evil tech companies we’re trying to avoid from spying on us
  • Firefox uses its own engine which is way more secure than Chrome or Chromium variants (Brave, Opera, etc.)
  • Data is stored locally, as apposed to Chrome where it’s stored over the internet to Google servers
  • Less of a resource hog than Chrome

Pros of using DuckDuckGo:

  • Alternative to Google, which again, is one of the companies we’re trying to avoid
  • Allegedly doesn’t collect your personal information, therefore you likely won’t be involved in Data breaches (at least from DuckDuckGo)
  • Allegedly doesn’t log your IP address and blocks tracking cookies

This gives us more power over who has our data as it guarantees other big companies (Microsoft, and Google) aren’t actively spying on us and collecting our data. With the setup above, it rules Google and Microsoft out of the picture. If we don’t use any social media, then Twitter, Facebook, etc. won’t have our data either. This allows us to pick and choose exactly what companies do and don’t have our data. The companies who have our data is determined by which companies we register accounts for and actively use. Privacy also gives us the option to decide who has access to our data, and for how long. For example, I despise Google, but I can’t live without YouTube. This means that Google can still collect my data whenever I’m on YouTube. That’s fine. I’m willing to trade off some data collection for access to YouTube. Allowing Google to collect my data for the hour I’m on YouTube every day is better than allowing Google to always spy on me by constantly using their various products such as YouTube, and their search engine Google 24/7. Less data is being collected on me, for a shorter time frame. The second I disconnect from Youtube, I’m completely disconnected from all major tech companies as YouTube is the only social media that I “actually” use. In contrast, compare this to if I used every social media out there while running Windows and Google Chrome. This would mean Microsoft, Google, Twitter, Reddit, Facebook, and Tiktok at the minumum would all be actively collecting my data 24/7.

The Dark Web, The Deep Web, The Clearnet, and the differences

If you ask the average Joe what the dark web is, they likely will have no idea what you’re talking about. Many have “heard” of the dark web but never knew it actually existed. Well, contrary to their belief, the dark web is very much a thing.

Many also get the dark web and the deep web mixed up with eachother, and many believe they are the same thing. The dark web is different from the deep web.

In terms of the clearnet, or the “clear web”, most people know what that is.

Darkweb

The darkweb is a subset of the deepweb where darknets live. The silk road, Tor, that’s all the darkweb. You may hear people call the darkweb the deepweb. They’re not wrong. The darkweb can be called the deepweb, but the deepweb can’t be called the darkweb.

(Wikipedia)

The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user’s location.

The “specific software” they’re referring to is Tor, which is configured in a way to allow access to darknet websites and is required to access the dark web. The darknets are the actual webservers hosting the darknet websites and are often referred to as “hidden services”, or “onion servers”.

Tor (The Onion Router) is a web browser based on Firefox that allows access to the dark web. It was given the name, “The Onion Router” because it offers “layers” (like an onion) of protection to anyone using it on the internet. This is also why any darknet webserver has the “.onion” extension at the end of the URL.. hence why they’re called onion servers.

Most of this should be a refresher from the Jolly Rogers security thread (linked in the Introduction section).

Enough boring lore, what is the dark web and why is it used? All types of content (even those that are illegal) can be hosted on the dark web. There’s no restrictions. There are no “guidelines” you have to follow while using the dark web. It’s just an anarchy version of the internet. The only exceptions are forums and other types of sites on the darkweb that have their own unique admin specific rules, but those rules are only unique to that darknet. For example, many morally pruden darknet admins will prohibit any form of doxxing, child exploitation material, or any other form of illegal content. They do this mainly so that their servers won’t be targetted by Law enforcement, but many of the admins do it for their own moral reasons as well.

Dread is a great example. Dread is essentially a free-speech version of reddit that is hosted on a darknet. It’s also way better than reddit if you’re looking for security related topics and other nerdy computer stuff.

I want to take a minute to explain the Silk Road, which was an anonymous darknet marketplace used to sell drugs and other services. In fact, the Jolly Rogers security thread that you read was written by a silk road user. The Silk Road doesn’t exist today as the owner of it was arrested and the site was shutdown. However, there are still many other marketplaces today that are trying to mimic the success of the Silk Road. Everyone on the dark web knows the origin of the Silk Road as it’s a staple in the Dark web world. I’ll link a documentary down below, I highly recommend watching it as there are many OPSEC mistakes to learn from that Ross (the owner) made that lead to not only his arrest, but many others as well as the ultimate shutdown of the Silk Road.

Documentary: https://www.youtube.com/watch?v=GpMP6Nh3FvU

OpSec lessons: https://www.youtube.com/watch?v=HBTYVVUBAGs&t

Deep Web

The deep web is essentially any part of the clearnet (or clear web) that cannot be indexed by a search engine. For example, if you log into your Google account and go into your settings, that settings page lives in the deep web. You obviously can’t just find the URL to your Google account’s settings on the Google search engine, that doesnt make any sense. Even if you send that URL to someone, they’re going to have to authenticate with your credentials before they can even access your settings page. There’s a lot of underlying backend services and webservers that are responsible for powering a variety of other frontend services and webservers. That’s a big part of the deepweb.

Clearnet

The clearnet, also known as the “clear web” or “surface web”, are the normal parts of the internet that you’re used to. Google, YouTube, that’s all the clearnet. If you don’t need Tor to access it, it’s mostly safe to say it’s the clearnet.

Black Web

The “black web” doesn’t exist. When people say “black web”, what they really mean is the dark web. If you don’t believe me, just google “black web” and google will be like “wtf are you talking about? you mean the dark web?”

OPSEC

Operational Security (OPSEC) as a whole is a pretty broad term initially used in the Military just like a lot of IT terminology. It’s all the same concept but in security it’s essentially the small details or things you do that may be used to identify you. An example is you posting personal information on social media, that’s bad OPSEC. This doesn’t mean you can’t post personal information on the internet, but rather you should keep your personal life and public life separate.

There’s typically three “lives” that you will have to live: personal life, online life, and anonymous life.

Personal life: Your personal life is reserved for immediate friends and family. This is where you post personally identifiable information.

Online life: Your online life is reserved for your online activities. If you want privacy between your personal life and online life, then you obviously need to make sure that you don’t cross reference personal information into your online life and vice versa. For example, you as the reader know my online life because you’re reading my blog which is tied to my online life. With a bit of effort, anyone can identify who I am personally as this isn’t my anonymous life, therefore I don’t really take steps to prevent people from identifying me.

Anonymous life: Self explanatory. Your anonymous life is reserved for the side of you where you want to remain anonymous online. If you perform any illegal actiities, this is probably where it resides. At least it should be. If you legally and nonchalantly browse the dark web, you also should prioritize anonymity under every circumstance.

For your anonymous life, don’t brag to anyone about the things you’re doing online that could potentially be illegal. Don’t tell anything to anyone. Keep to yourself, even if what you’re doing is legal. It doesn’t matter. Legal or illegal, your goal is to not be unmasked. You make that at a lot easier if you nonstop talk about everything you do while giving details about unique attributes of your life on the same persona attached to your illegal activities. The key is segmentation.

OPSEC Reality Check

This section will shine light towards the reality of how scary the internet can be even when you make the smallest things public. You then will think twice before posting something online. This section won’t even cover .1% of the methods used to track people.

I encourage you to do some research on OSINT, short for Open Source Intelligence. What is it? How is it performed? Watch documentaries of some osint investigations. You will find out how scary the internet can at times be, and what methods people use to track people online.

There is a game called Geoguessr. A lot of the players of this game also participate in OSINT investigations. The most notable example I can think of is rainbolt, where fans will send him pictures of dead family members, asking rainbolt to geolocate the image. They want to find out where the picture was taken so that they can visit that location and relive the memories or recreate the picture.

Another example (a more OG example) is GeoWizard. He has a series on his channel where he geolocates fan submitted pictures, more are vacation photos. He pinpoints the exact location with JUST the image. He doesn’t try to track them down on social media to get clues on where they potentially went on vacation, none of that. He only uses clues in the pictures.

The lack of OPSEC is something that even the most experienced security experts struggle with from time to time. Nobody is perfect which is why I created this section because there’s a lot of things that we may do that don’t seem like such a bad idea but in reality can actually be used to identify us. The following examples are designed to be a reality check of how scary even the smallest details you make public can haunt you later in life. I was reading an OPSEC related post on a security form a while back ago (edit: it just so happens to be that that thread was the Jolly Rogers thread linked above haha. I get a few things off as I was writing purely off memory, but it’s still useful knowledge.). The OPSEC post author mentioned something along the lines of a fellow user on the form who mentioned in one of his posts that he was watching an old show on Netflix the night prior and even mentioned the movie by name. The author of the OPSEC post then went on to explain why this is a bad idea. Can you answer why this is a bad idea without reading ahead? Congratulations if you can. Now let’s talk about why this isn’t a good idea. First of all, nobody cares about what you did last night. Let’s start there. You’re over sharing in your post, this is what is called “information disclosure”. This is an example of you disclosing way more information than necessary to the public. You might as well include at the bottom of your post your full name, SSN, and where you spent your evening today. Many believe this is perfectly fine because they believe it doesn’t matter what they say online if they’re anonymous regardless. Their mindset is, “I can say anything I want because nobody can prove that message came from me or that user account is ran by me!”. This is you being cocky and assuming you can’t get be unmasked. Shut up, you’re supposed to be a ghost on the internet. That’s like hacking into a server and then uploading a bunch of ASCII dicks and messages saying “your security is trash”. You’re literally just telling them that you’re there and making your presence known.

Summary: Don’t overshare, or share anything about your personal life.

This makes the job of police, or someone trying to identify you easier because now they know you watched a specific old movie last night. They have the movie, and date. If they’re the police, all they have to do is subpoena Netflix for the list of people or accounts that watched that particular movie on that particular date. You’re helping them narrow down their subjects. It’s an old ass movie in this case so that makes it even easier. If they have a previously recorded first/last name, country, or state that they collected from a previous OPSEC mistake of yours, then they now have a name tied to an account, an IP address to compare and cross reference connections with, or a country to cross reference where the connection was made. Notice how that list is getting smaller and smaller? Eventually they will find you. Don’t even make your continent public. Anything can be used by the feds, it’s a cat and mouse game if you’re trying to do anything illegal.

Last story I promise. I’ll make this one up. Let’s say you’re on a security thread tied to an account where you try to remain anonymous. You create a post and within that post, you mention that you went to Walmart and bought a bunch of apples. Can this be used to identify you? If you believe doing this is a bad idea, then you’re in the minority of people who are correct. However, if you’re someone who thinks there is nothing wrong with this because “who the fuck is going to check the security footage at every Walmart in the world to find a guy buying apples?” then you’re an example of someone who is bad at OPSEC. Remember how I mentioned to not get cocky earlier? This is you not only assuming that this won’t happen, but you’re also assuming that it’d be that hard for police to do. You’re assuming that the police have no prior data about you. For all you know they could have your full name, address, etc. but the only reason you’re not in jail is because they need proof that you own that account and made that post. They now have that proof because they have Walmart’s security footage of you purchasing a “bunch” of apples which lines up with your post. Might not be the most rock solid evidence in the world but it’s one extra thing they have on you and it’s definitely something that will help convince a judge. Even if they don’t know who you are, now they do because your face is on camera, the credit card you used to buy your groceries can ID you, they have footage of your car so they know what car you drive, and they have your license plate on camera. See how scary that is? If they know who you are then it wasn’t even hard for them to narrow down what Walmart’s to get the camera footage from because they know where you live due to them knowing who you are, so they just went to the closest few Walmart’s. It’s not like you live in California but drove to New York City to buy apples, no they obviously know to check the closest stores.

Never assume you’re not on the radar of police. For all you know they could have no idea who you are or they could be driving to your house with a search warrant as you’re reading this. You have no way of knowing for sure so don’t assume and be cocky, it’s not like the police are going to send you a text message on your phone saying “hey btw we’re watching you!”. Never get comfortable in your tracks thinking you’re safe and always be one step ahead, by being paranoid and constantly checking your security to make sure it’s the best it can be. Even when you think you have a pretty good setup and believe there’s nothing you can do to improve, you still need to ask the occasional question of “am I sure there is nothing else I can do to improve my setup?”.

LEO & Snitch

I covered on this in my OPSEC sections, but I decided to make this its own section because of how important it is. LEO (Law Enforcement Officers) can and will interrogate your snitch friends. This is one of the main reasons as to why you should not involve your friends in any illegal activities you are participating in. I will reiterate this again: I don’t support or condone illegal activities.

If I have any true crime readers, you know the power of interrogations. There are plenty of interrogation videos publicly available on the internet such as YouTube for you to watch. If you’re dumb enough to talk during an interrogation in the first place, only then do you have to worry about the tactics that detectives will use.

You’re not legally obligated to talk throughout interrogations. Use the 5th ammendment to your advantage.

Quick summary:

  1. Keep to yourself
  2. Work alone
  3. Nobody will go to jail for you

Forensics

Computer forensics is something you need to really buckle down and study. Being aware of how computers function and the methods that police or someone trying to identify you will use on you to help identify or arrest you is crucial. Same goes for if someone gains unauthorized physical access to your computer or one of your drives. Police who work in forensics have one job: to find evidence on your computer to preserve for court to get you arrested. Your job is to obviously make their job harder so that doesn’t happen to you. If there’s no evidence on your computer, then what are they going to show up to court with? The answer is nothing… for the most part. It’s obviously trickier than that, fortunately though not by much. Assuming they don’t have evidence that you freely gave them by OPSEC mistakes online, then all that falls into consideration is what’s on your computer and any other devices.

Search warrant:

A search warrant is a court order that a magistrate or judge issues to authorize law enforcement officers to conduct a search of a person, location, or vehicle for evidence of a crime and to confiscate any evidence they find.

Search warrants are going to be what you need to look out for. The judge who signs the search warrant specifies what items are to be searched for and ceased. The judge very likely will specify any electronics such as but aren’t limited to:

  • computer(s)
  • any storage devices (HDD’s, SSD’s, USB’s, SD Card’s, etc.)

Essentially anything with an electronic chip in it will likely be on that list. If you didn’t take steps to prevent evidence from being stored or wiped on your devices, then you probably are going to be caught and arrested.

FYI: Anyone can use these methods, not just police.

I’ll go over a couple of methods that police may use when they find files that may be potential evidence. They have to verify that it’s valid evidence and ties to your activities, correct? One method they may use is by checking the MAC times of your files. MAC stands for “Modified, Accessed, Created”. As you probably have guessed, these are the times a particular file on your computer was last modified, accessed, and when it was created. On Windows, if you right click on a file and go to “Properties”, you can see the MAC times. These times will be used to help create a timeline of your activities or may be proof that you last used something at a particular time.

Windows also has the capability of showing what programs on your computer were last ran, at what times, for how long, by what user, etc. There’s a lot of methods that can be used on all operating systems, but Windows in particular makes these methods very easy to do. These are just a couple examples of methods that police will likely use. This is why keeping everything off disk is crucial so that there’s no files that can act as evidence that ties to your activities. Instead, all evidence should be maintained on some sort of external media (USB, SD Card, etc.) so that you can easily nuke these drives to permanently remove any evidence that was previously stored on them. You can nuke an SSD that has your Windows (or whatever OS you use) installed on it too if you’re being an idiot and storing everything directly to your computer’s main storage, but doing so would nuke your main OS install as well as any other data. It’ll also take ages since you’re trying to nuke a drive with a large capacity.

You hopefully know that files you delete on your computer aren’t actually “deleted”. When you delete a file, your operating system will mark the bytes containing the deleted file as space that can be overwrote for other data. Only when the bytes are successfully overwrote is when the file is truly deleted.

Deleted files that haven’t been overwrote can be recovered not only by police, but anyone who downloads a file recovery tool which are easy to find online. Run one of these programs against a random flash drive you own, you’ll probably find files you forgot you ever made. This means if you sell an old Hard Drive to someone, they could potentially access some of your data even if you format it.

Formatting will rarely “overwrite” the old data. Formatting will typically remove the old partition table containing the old file system from the drive and then build a new partition table with the new file system. Formatting doesn’t overwite the data, it only deletes the file systems journal which contains the pointers to the data (information & location of files on the drive).

You having to frequently nuke drives with evidence on them is another reason why you need to store them on small capacity external media, because it’s more convenient to nuke a 32gb USB Flash Drive than a 500gb SSD.

Also, if you create a file that you know will be considered as evidence, don’t name the file any keywords that could hint your intentions. Let’s say you’re buying drugs on some sketchy ass marketplace (It’s an example. Don’t do drugs kids). Don’t name your file “top 10 drugs from (nameOfMarketplace)”. If you’ve ever used a file recovery application before, you may have realized that maybe files were recovered but they don’t contain any contents. You can only see the name of the file, meaning you know it existed at one point.

If you don’t know how nuking a drive works, the program will overwrite the segments on the drive containing the data with other random data to overwrite it with fake data. However, it’s not always perfect and some segments may be missed. This is why you should run multiple passes when nuking a drive to ensure everything has been overwrote. One segment containing the metadata (name of file, etc) maybe was missed by the nuke, but the segments containing the actual contents of the file were successfully overwrote. Now you’re left with metadata of a file but you don’t have the contents. That’s why you may often see files with little to no file size.

Do you see how this is bad if you name a file something that could help police? If they run a file recovery tool on your drive, they could find metadata of a file that existed at some point in time, even though they don’t have the contents. They have the name which alone may be evidence you participated in activities. In this hypothetical example, they are now aware that you know that particular marketplace exists due to you naming it by name in your file name, and they also know you likely visited that marketplace at some point due to you having a list of their best products. If you’re interrogated and claim that you weren’t aware the marketplace exists, but then police find this file, it will be evidence that counters your claim of “not knowing it exists”.

Having a BIOS password is also a pretty smart idea. This will obviously require an administrator password to access the BIOS on your computer. This all will also help if anything gets stolen, not much they can do. If they’re not tech savvy they’ll probably just throw it away or try to sell it. Their only other option will be to hard wipe it. Either way your data won’t be in their hands. Same thing goes for any flash drives or other external media that may be lost or stolen.

Tails

I love tails, it’s great. If you want to try it out, you can install the ISO from their site and virtualize it with KVM, Virtual Box, or whatever hypervisor of choice. Only run Tails in a VM if you’re testing out the features to see if you like it (some features also don’t work virtualized or are pointless). Don’t unironically virtualize Tails if you’re genuinely wanting privacy. I’ll discuss a couple reasons not to, but for a full list you can visit:

https://tails.boum.org/doc/advanced_topics/virtualization/index.en.html

Tails is one of the best tools that you can utilize if you’re wanting to remain anonymous online. Even for general security needs, depending on your situation. Tails is considered an “amnesiac” operating system because it’s an anti-forensics operating system that runs portable on external media such as a flash drive. It’s a live boot OS that comes prepackaged with many security driven features by default such as automatically spoofing your MAC address with every boot, routing your traffic over the Tor network, and much more. Tails does so much more than that and if you want a full comprehensive list then you should check their website. They go into all of the details. I only use tails if I want to be anonymous, I don’t daily drive Tails as my main OS or use it to log into my personal online accounts. That’s stupid. You either go all out and remain fully anonymous with Tails or you use a normal setup such as Windows, MacOS or Linux. There’s no in between in most cases.

Most people use tails if they want to be a ghost and leave zero trace of their activity as if nothing ever happened. You can do that if you know how to properly utilize Tails and its features. The reason why tails is deployed as a live boot is to keep as much off your actual computer’s hard drive as possible. When you run a virtual machine, that virtual machine leaves traces on your host machine. How do you think that VM runs? It’s running locally on your computer as you hopefully know. Leaving traces of evidence on your computer obviously isn’t the best idea so you need to prevent that. Tails does that for you since it’s a portable plug and play OS. You’re just using your computer as the “control station” to control Tails.

Also, do not download anything to disk on Tails. Many people believe that since they’re booting off a Tails USB, that any files they download will be stored to the USB. This is not true, the file will be temporarily stored to your computers hard drive. If you download something, specify the download location to your persistent volume (google “tails persistent volume tutorial”, if you don’t know what it os. it’s very easy to setup) or another safe option such as another USB. Just remember that if the file is potential evidence, whatever drive it’s on will need to be wiped afterwards. Wiping a file instead of an entire drive is also a valuable option in some situations but it’s just overall easier and also more secure to wipe an entire drive. I won’t show you how to use Tails. I promise it’s not hard… it really isn’t. Do 5 minutes of googling and watch a YouTube video or two and I you’ll get it in no time. Tails also isn’t the only “security driven OS” out there. There’s many, but Tails, QubesOS, and Whonix are the most popular.

Tails by default routes all network traffic through the Tor network. Yes, all of it. Any applications you use, if you ping something in your terminal, it all will go through Tor. The reason this is great is because typically on a normal computer running the Tor browser, only the Tor browser will be routing its traffic over Tor. What about other applications running in the background on your computer? Those won’t be going over Tor. This means you have other background services snitching on you because their traffic is being sent over your real IP address or your VPN or whatever. You’re not very anonymous if you’re doing a bunch of illegal acticities while your personal OneDrive account on your host machine is downloading a file off the internet or is updating, are you? If you gain enough attention to get the feds at your home then your computer will probably have enough evidence for you to be charged.

Operating Systems

Many people overthink what OS they want to use. It obviously comes down to preference, what you need, and what you’re capable of using.

A good rule of thumb is to avoid Windows at all costs if you are doing anything illegal/sketchy online and must remain anonymous. Windows is known to have backdoors and overall is proven to be a telemetry spyware garbage OS that sends everything imaginable to Microsoft servers. For example, Microsoft stores a copy of your Bitlocker key without your knowledge.

It honestly doesn’t really matter as long as you know the risks that come with your OS of choice. For example, both MacOS and Windows are closed source proprietary operating systems. This means the source code isn’t public so you don’t actually know what’s going in the background on your computer. There’s no way to verify. You also need to be aware of the amount of bloated stuff Microsoft jams into their shitty operating system that runs over the network. So again, think about that when you’re doing anything fishy, questionable or illegal. Same goes for MacOS and linux in terms of applications running in the background although barely as much on linux. Also, both Windows and MacOS are terrible options from a security perspective. I won’t go too deep into detail but just know that of the three, Linux is the least targeted for hackers because most people run the other two. From a privacy perspective, Linux is your best option all the way. Linux is also open source and you have full control over your computer unlike MacOS or Windows.

You hopefully are able to tell that this is only relevant if you’re simply trying to increase your privacy/security online and not necessarily be relevant for being “anonymous”. If that’s your goal then the security driven operating systems below are for you.

Security/Anonymity Driven Operating Systems

This section will cover Tails, Whonix, and QubesOS.

You obviously don’t “have” to use these OS’s to be anonymous on the internet, however it is recommended as they are designed for that exact purpose and take care of many factors for you. Can you take an ubuntu machine and configure it to be anonymous online? Of course you can, but it’s more convenient to simply boot into a Tails USB, or a Whonix VM.

Whonix is another security driven OS similar to Tails, but instead of being designed to run in a live boot environment off external media, Whonix is designed to run in a virtual machine. If you want to leverage a security driven OS but don’t want to power down your computer to boot into a live boot USB then Whonix can be useful. Whonix allows you to switch in between your host OS and your Whonix VM simultaneously. Whonix obviously runs on a hypervisor on top of your host OS using Virtualbox, KVM, or whichever hypervisor. Depending on your needs Whonix may be useful but Tails is an anti-forensics amnesiac OS and most importantly, it runs off external media and doesn’t store anything to your actual computer. Due to Whonix running in a VM, the files to that VM will be stored to your actual computer.

Yes, you can store the VM files to encrypted external media and boot off it that way to keep it off disk, but you still oppose the risk of your host OS performing activities automatically in the background either locally or over the internet that can ruin your OPSEC and unmask you without you knowing. Are there ways to counter this? Of course, remember how I said earlier to have an open mind and use what works for you? You can obviously create your own unique workarounds and modify your setup to make it bend to your needs. You just need to make sure that you’re not taking shortcuts that can ruin your OPSEC and only use these workarounds if they’re efficient and convenient. If having access to your host OS is a must, then you can create a workaround by disabling the NIC on your host OS by “ifconfig down”’ing it or whatever method works best to ensure nothing on your host can call out to the internet. There are ways to make it work and if putting in the effort to make these workarounds and exceptions in able to use Whonix sounds valuable to you, then go ahead and do it. For me however, it just sounds easier and more efficient to power off my computer, plug in my Tails USB, and boot directly into it. I never really find myself needing access to my host OS because all of the files I ever end up needing are either on my Tails persistent volume, or other encrypted external media. If you’re going to use Whonix, I recommend using it for KVM if you’re on linux.

Now let’s talk about QubesOS. QubesOS is a security driven OS that uses virtualization and compartmentalization to harden your security using permission restricted “qubes” or contained virtualized environments that are separate from every other aspect of your computer. Unlike Tails or Whonix, QubesOS is designed to be installed bare-metal to your system and runs as its own hypervisor. QubesOS is a type-1 VM that uses XEN to function with bare-metal speeds. Ready for some homework? Take 30-45 minutes of your time and go to QubesOS’s website and read their documentation on how QubesOS works and why it’s great. They also have a FAQ section that answers a lot of interesting questions. Their website does a really great job at explaining in great detail how QubesOS works, holding your hand along the way and making it really easy to follow along and understand.

QubesOS Intro Link (clearnet):

https://www.qubes-os.org/intro/

QubesOS FAQ Link (clearnet): https://www.qubes-os.org/faq/

After reading through the material above, you can start to see how valuable QubesOS is. It really is one of the best options out there if you’re looking to turn a spare workstation you have into a dedicated “privacy friendly” computer. That’s the only way I personally would use QubesOS. The concept of QubesOS is great and it does offer a lot of value at its current state, but daily driving it or replacing it as your main OS is a really bad idea as it can be non user-friendly at times and arise a lot of issues from time to time. If you’re a beginner to Linux or unix environments or IT in general, do not try QubesOS. It is very advanced and will put a ton of stress on a typical user. Don’t let that discourage you though, QubesOS truly is a masterpiece but to utilize the most out of it you need to know how virtualization and compartmentalization works. You need to understand the basics of QubesOS, and how it uses isolation to keep your data safe. All of this can be answered on their site. It took me an hour, if that, of reading their site and watching reviews on YouTube to understand how QubesOS works on a basic level. If you have a dedicated drive or computer to store it on, it’s great, but if Windows for example is the only OS on your computer, then don’t expect to replace it with QubesOS and have a fun time. QubesOS is great, but not as your “one OS for everything daily driver” type of great. It’s great for when you want privacy, but other than that you want to boot back into your Linux distro of choice, Windows, MacOS, etc.

QubesOS is very resource heavy as you’d probably expect due to the amount of virtualization it uses. If you have anything below 16gb of RAM and at least a quad core CPU, don’t even try it. It’s definitely doable with less than 16gb but you’ll likely run out pretty quickly after having a few qubes open. I’ve also heard they’re pretty strict on hardware requirements. If you really want to get fancy, you can use Qubes-Whonix. Yes, it’s exactly what you’re imagining. It’s whonix built into QubesOS. Instead of your host OS being Windows, Fedora, Arch, etc. while using Whonix, it’s QubesOS.

All of these different security based operating systems are great and have their pros and cons. If you’re trying to be a ghost on the internet, Tails is your best bet. If you’re just looking for a security friendly VM to fire up, whonix is great. If you want an OS that is shockingly good at privacy, use QubesOS. That doesn’t mean however, that you can’t use whonix or QubesOS to be fully anonymous, tails is just better suited for that directly out of the box in my opinion without configuration. Again, these setups can be modified.

Cryptography

We as end users of a computer have the privilege of leveraging encryption. Can you imagine how hectic the internet, software, applications, etc. would all be if it weren’t for encryption? Encryption is also what you’re mostly going to be using to increase your privacy, anonymity, freedom, and security. A very large portion of activities that we do on our computers benefit from encryption and we often don’t even realize it, we just take it for granted. That’s exactly how it should be.

It’s recommended to take time to learn how encryption works and why it’s viable. You should know what a cipher is as well as cipher-text. What are a few ciphers out there? You should study how a basic cipher works at a basic level, an example could be a substitutional cipher such as Rot13. You don’t necessarily need to explain with great detail how these different types of ciphers work, but understand what they are and the basics of them. You should at least know how a substitutional cipher works though, they’re very simple and a great introduction to learning encryption basics. I won’t go into private and public keys because the Jolly Rogers security thread covered more on that. The very, and I mean the absolute VERY vast majority of people don’t know everything about encryption and how each cipher works in great detail. That’s too much nor is it really relevant or viable information worth studying in most cases. What is worth studying however, is the basics of how encryption works. You should also know the difference between encryption, encoding, hashing, and hash salting. They are all different.

With encryption, you take the data you’re trying to encrypt (plaintext), and you use the encryption algorithm (cipher) to encrypt the data and scramble it into a form (ciphertext) that is only readable by the private key, also known as the “decryption key”.

The goal with encryption is that the data in which is being encrypted is meant to be securely stored temporarily, rather in a system or during transit, and is designed to be decrypted at some point in time. Does that make sense? The data that is encrypted is eventually going to be decrypted.

With hashing, there’s no “unhashing” or reversing it back to plaintext with a key like you do with encryption. Once you hash data, there’s no reversing it. You can attempt to crack the hash value (the output result of hashed data), but that often takes a lot of computing power and is typically only successful if it’s a weak string that was hashed such as a weak password. With hashing, you use a hash function (similar to an encryption algorithm (cipher)), and then the hash function will scramble the plaintext data into a fixed-bit string value referred to as the hash value, or “checksum”.

An example of someone running the “Get-FileHash” command in a Powershell instance to get the MDF checksum of an .exe file:

File hashes are essentially the “fingerprints” of digital files. If even one byte of the file is modified, the file will be assigned a completely different hash value.

That’s the difference between encryption and hashing, that encryption is designed to temporarily secure data and then decrypt it when appropriate, whereas hashing is designed to permanently secure data without ever “dehashing” or “reversing the hash” back to plaintext.

Encryption is typically used during online communications. For example, let’s say you’re messaging someone on your phone using an encrypted messaging app such as Facebook Messenger or Snapchat. When you send someone a message, the contents of your message (plaintext) are encrypted during transit to the receiver. Once it arrives at the receiver, the private encryption key (the key required to reverse the ciphertext back to plaintext) then decrypts the data and shows it in plain text to the person you’re messaging. Hashing is typically used to securely store user data to a database. For example, let’s say you’re creating a Google account. Google hashes your data (some of it), they don’t store it in plaintext on their servers. This includes your password. If Google suffers a data breach, your password won’t be leaked because your password is hashed. This means the hash value equivalent of your password is stored in Google’s servers, not your actual password. Are you following along? The hacker won’t have access to all of the user passwords stored on the server he compromised, but rather the password hashes. He can’t get your actual password unless if he manages to crack your password hash, but considering Google has a pretty good password policy, that very likely won’t happen. This means that even Google doesn’t know your password because even they can’t decrypt it. Why? Because it’s HASHED, not encrypted. They do have access to whatever data they encrypt however, since they own the private encryption keys to decrypt them. This should be obvious. You’re using their servers.

So, to put this all together for it to make sense, I’ll hit you with this final example. Let’s say you make a Snapchat account and you message your friends. What does Snapchat have access to and what do they not have access to? Let’s start with what they don’t have access to. Snapchat does not have access to your password because your password is hashed before they store it on their servers. This goes for whatever other data they hash, but your password is definitely at least hashed (or so they claim). What they do have access to is your messages because they’re encrypted. They’re obviously encrypted, correct? That’s the only logical answer because it’d be impossible for them to be hashed due to your messages having to be unscrambled back into its original form for it to readable for the recipient, correct?? RIGHT?? Hopefully that makes sense.

Here’s your homework. Try to decode this (you won’t have the knowledge on how to decode this from reading this thread, but if you do your own research you can figure it out. Hint: It uses a substitutional cipher):

Pbatenghyngvbaf vs lbh jrer noyr gb qrpbqr guvf. Ubj qvq lbh qb vg? Qvq lbh cerqvpg vg jnf ebg13 be fbzr bgure sbez bs n fhofgvghgvba pvcure whfg ol ybbxvat ng vg? Qvq lbh hfr n pvcure qrgrpgbe fhpu nf gur bar sebz qpbqr? Ertneqyrff, tbbq wbo.

~ fabgxabg

The message above is actually “encrypted”, to be technical, but the type of cipher (substitution) is extremely old (literally, we’re talking hundreds of years) to the point that it’s considered encoding by many because the key is not kept secret and doesn’t follow kerckhoff’s principle.

Kerckhoffs’s principle:

a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Encoding is just encryption’s little brother, because encoding is designed to scramble data into a bunch of random characters but it’s also designed to be easily decoded or unscrambled back to its original form. With encryption on the other hand, it’s not designed to be easily unscrambled. It’s designed to be securely encrypted and only decrypted by the private key which its methods are complex and unknown (follows kerckhoff’s principle). Hundreds of years ago that was a viable way of encrypting messages, but it’s so outdated now that the key is well known and is pretty much now as useful as encoding. If you want to get REALLY fucking technical and nerdy, it’s considered encrypting because it’s still considered cryptography, even speaking a different language can be considered cryptography. Other people who have the key to decrypt what you’re saying (if they speak the same language) can understand your message. Cryptography obviously isn’t just limited to computers and has existed for centuries. Did you know that languages were actually created for that very reason? People wanted to communicate but they only wanted to be understood by their allies. Hence why different languages were created because knowledge is power, and they wanted to keep that knowledge a secret and out of the hands of their adversaries while talking or writing.

The current encryption standards that are mainly used today are AES and RSA. Both of these follow the “standards” of modern-day cryptography and follow kerckhoff’s principle. AES (Advanced Encryption Standard), was created when an alternative for DES (Data Encrpytion Standard) was required.

We utilitze AES daily as most websites are running over HTTPS, which utilize SSL/TLS. Both of these use AES. Cryptography advances with technology and time. AES will be useless years from now (maybe in 10 years, maybe in a hundred) when we have quantum computing and further advanced crpytography.

I saved hash salting for last because it’s boring as fuck. Hash salting is when random bytes of data are appended either into the hash value or at the end of the hash value. This makes cracking the hash harder as the threat actor will also have to work around the salted bits of the hash. Depending on the methods used for salting, the threat actor may have to determine the algorith used for the salting procedure to find out how it works and how to work around it. If bits are simply appended at the end, you usually can just remove the bits if you know which bits are the salted bits and not part of the hash.

Encrypting Drives, Files & VMs

Encrypting your drives is an easy thing that we all can do that brings a lot of value. There’s pretty much no reason not to; it’s fast, easy, and brings many benefits. The main reason is to keep your data safe. If your computer gets lost, stolen, or ceased by police, they will be met with an encrypted file system that requires a passphrase to decrypt it and allow access to it. If you lose your computer, then at least whoever finds it will be out of luck getting hands on your data and will be forced to sell it or wipe it. Same for if your computer is stolen. If police cease your computer, then they may have the capabilities to force you to give up the passphrase. I don’t know much about those laws so you may have to do some googling if you care. The point is however, that if it ever gets to that point then it shouldn’t matter regardless because you should have kept anything incriminating off disk and instead on encrypted external media that you wiped afterwards, correct?

Other benefits that come from utilizing encryption on all your drives is if you install malware, it won’t spread to other partitions or drives since the malware can’t read or write to said partition/drive due to it being encrypted. However, if the drive is decrypted and mounted to your malware infested file system, the encryption will obviously be useless.

It’s a good idea to encrypt everything you can, within reason. It’s not convenient to encrypt literally every file and folder on your file system, but if you have a folder that contains sensitive documents in it, it won’t hurt to encrypt it real quick. Even a password protected zip file will work. Full disk encryption of your OS drive is a good start, but once you boot into your OS drive and enter the passphrase to decrypt it, the encryption benefits will disappear until the computer is shut down and encrypted once again. After all, this doesn’t really matter, right? The only reason we’re even encrypting our OS drive/partition in the first place is to prevent the data from being accessible by someone who steals our computer. This means that if your only layer of encryption is your OS drive and then you download malware that compromises your decrypted OS drive and file system, there won’t be any additional layers of encryption that will prevent the attacker from obtaining sensitive data. Any files/folders will be there for them to potentially obtain. If the important files/folders are encrypted, the damage of the compromise will be way less severe as they’ll only be able to access low hanging fruit that isn’t encrypted. Again, you don’t have to necessarily encrypt every file and folder, but rather the files and folders that contain extremely sensitive information that you wouldn’t want anyone obtaining if they were to theoritically compromise your system in the future. Is there a folder on your system including tax documents? May want to encrypt that with a relatively strong password.

Another good idea is to encrypt any virtual machines you may end up using. When you create a virtual machine, the hypervisor will store files belonging to the virtual machine on your system. These files are what make up the VM. If these files are hypothetically stolen by malware, the threat actor will have a copy of your VM and will be able to boot into your VM and access its contents. Granted, they’ll need to access the windows/mac/linux/etc. user password to log in, but what if they crack it because you used a weak password such as “123”? What if you enabled auto login without a password? If it’s hypothetically a VM that you used for finance related activities and they happen to obtain access to it, they will be able to use that VM from the last state you left it in.

This should also be obvious but I’ll mention it anyway: It’s obviously a good idea from an OpSec perspective to encrypt any VMs you end up using for illegal activities. That encrypted VM should also be stored on encrypted external media such as a flash drive or SD card.

A good rule is to not download stupid shit. If you google “free gta 5 cheats download” and download them, then you’re likely going to install a form of malware including spyware or at the very least bloatware.

IOT Devices

Internet Of Things (IOT) devices are as explained from Google:

“pieces of hardware, such as sensors, actuators, gadgets, appliances, or machines, that are programmed for certain applications and can transmit data over the internet or other networks”.

This essentially means your typical smart device (i.e., smart fridges, smart watches), fitness trackers, smart security systems, and so on. In my opening section “Reality Check”, I threw a lot of shade towards IOT devices. The example that I used was the Amazon Alexa and I pretty much said it’s a corporate spying device that listens to everything you say. Avoiding IOT devices whenever possible is a really great idea not only for your privacy, but your wallet. There definitely are certain IOT devices that offer genuine advantages or convenience, but you need to be aware of the privacy concerns that come with owning them. This definitely isn’t me trying to say that you should never use these devices under any circumstances. Avoiding anything from Google, Facebook, or Amazon is a great starting place. These three companies are all very well known for their tendencies to heavily collect and sell your data. I know most people don’t care if Amazon knows or collects data based on their shopping habits. Who cares, right? The real privacy invasion is the risk of these devices being used to secretly spy on you. This is way more common from a device manufactured by one of these big name companies due to their high amounts of funding to make this happen. Since these devices are made by giant companies, they know people will buy their shit no matter what the product is. This makes their products even more open for these types of risks, and a bigger target for Law Enforcement to make a deal with these companies to create their own backdoor. Devices owned by these big companies are primarily all closed source proprietary garbage, and again, you’re blindly putting all of your trust into these devices. Bigger companies farm more traffic therefore making user data a valuable selling point for them to profit on, so you bet your ass 50% of the code that run these devices are going to be instructions to collect your data.

Buying products from big name companies may be questionable, but what about buying an IOT device from some cheap Chinese company? These devices will probably lack privacy, security, and efficiency due to them being cheap. At least with big name companies you know you’re going to get a product that is relatively secured with strong encryption and the alike. Knock off brand IOT devices are a big thing you want to avoid as their security flaws oppose a severe threat to your network. Hackers often target low hanging fruit to compromise whatever they can so that they can leverage or spread access across a network. These IOT devices are just another node on your network, so if they lack security then you’re putting your entire network at risk just because you bought some shitty $10 WiFi enabled smart light bulb. Do not add devices to your network that are littered with security flaws, that’s very basic security knowledge. That’s like going out of your way to purposely download an application to your computer that is vulnerable to exploits.

Part II

Part II can be found here.