Friday, January 13, 2017
Securing Your System
No system is secure.
If you are connected to the internet you are vulnerable. Agents from innocuous cookies to malicious actors are tracking you, mining your identifying information, planting code on your system. But the more you secure yourself the less usable the net becomes. Many pages will stop loading if they can't identify you. If your browser refuses to supply information, websites refuse connections or refuse to reply.
In the information age, being too secure becomes a red flag. If you are too dark, servers see you as a threat. You are the guy in a black hoodie and mask walking into the liquor store. You are hiding your identity, so you must be up to no good. That's how security sees it. So that's how you must see it.
Abstraction, subterfuge, and misdirection are all better than stealth and secrecy. Give them what they want, but not who you are.
The best way to protect your privacy, and your identity, online is to offer servers false or misleading information that is plausible and acceptable. Deflection is better than blocking. It is one of the oldest magician's tricks – give them something to look at and they will not notice what you don't want them to see. Hackers call it spoofing.
For the purpose of operational security we need to do a little work before we venture forth.
This post will help you set up a simple, secure, obfuscated system to obscure your activity online. This isn't 100% secure. Nothing is. Operational security, or the lack thereof, is what is most likely to blow your cover, even on a completely spoofed system. You can have the best security in the world, but if you make your password "p@ssword" you are screwed. If you log into your ISP email or your online banking from your “secure” system, it is no longer anonymous.
You cannot take your mask off and put it back on with the security camera running.
Operational security is the key. Secure your system. Set up a secure (spoofed) online identity and stick with it. Have another system for clear, unspoofed browsing – checking your bank, your mail, and your Facebook – and keep your secure system secure.
We're going to show you how to do that on one system, but it's tricky. Separate computers would be better. Logging in from a different location in a different state would be better. But we trade security for convenience in a constant tight-wire walk.
Keep in mind no system is secure. Nothing you do online is secure. Nothing you put on your system is ever really deleted. You leave a trail wherever you go, whatever you do. We can confuse the trail, but a persistent tracker can uncover the real trail which leads right back to you.
The first step is securing your system. We suggest a dedicated system that will only be used for secure work, but we also realize not everyone can afford multiple systems, so we will create virtual systems on one machine.
The first step is cleaning your system to give us a fresh starting point. As said earlier, nothing is ever completely deleted, so a fresh new system would be best or at least a new hard drive. But we can work with a good refurbished or re-purposed machine. We will clean the drive, as well as it can be cleaned.
First download a live image of Debian Linux from the Debian website and write it to a USB stick. Even if you're already using Linux, start fresh. Follow the instructions on the Debian site. Once you have the stick, you will use it to install Debian on your system. Choose the complete install using the whole drive and encryption.
This will reformat the drive, wiping it clean, overwrite the drive multiple times with random bits, then encrypt the drive. Create a really strong password/passphrase for the encrypted drive. I suggest at least ten characters mixing upper case, lower case, numbers, and special characters.
Once Debian is installed and running you should update and upgrade. Then restart.
Now you have a fresh clean system. Next we want to install VirtualBox. Instructions are on their website. It's free. VirtualBox allows us to run virtual systems that are isolated from our main system. Once VirtualBox is installed you can install Whonix inside VirtualBox.
Whonix is an obfuscation platform based on the Tor network. You will need both the Whonix Gateway and the Whonix Workstation. Once you download the files you can import them into VirtualBox. Both the Gateway and the Workstation are Linux virtual machines and come with both user and root passwords set to “changeme”. Change them!
Start up the Gateway first. Change the passwords to something secure. Update and upgrade. Then start the Workstation and repeat. Once the two are up and running you can click the link on the Workstation's desktop to install the Tor Browser. With everything updated and working, we suggest shutting down – shut down the Workstation first, then the Gateway.
The Gateway should always be started first and closed last.
It's my suggestion that you now right-click on the Workstation and clone it. Check the box to generate a new MAC address and name the new system whatever you like. This will be the one you use as a workstation, keeping the other for future cloning. You can have several virtual systems for different tasks to add to your obfuscation. This allows you to dump an entire virtual system if you think it is compromised and clone a new one.
For better security you can also clone the Gateway, but using a single gateway for all your workstation clones is adequate security in most cases.
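The start order, shutdown order and cloning step above can be scripted with VirtualBox's `VBoxManage` command line. This is an added example, not part of the original post; the VM names are assumptions (use the names your imported appliances have in VirtualBox), and `stop_gateway` is deliberately conservative and refuses while any other VM is still running.

```shell
#!/bin/sh
# Added example, not from the original post. Source this file, then call
# the functions. VM names are assumptions: check `VBoxManage list vms`.
VBOX="${VBOX:-VBoxManage}"
GATEWAY="${GATEWAY:-Whonix-Gateway}"
TEMPLATE="${TEMPLATE:-Whonix-Workstation}"   # pristine copy, kept for cloning

# Succeeds if the named VM is currently running.
is_running() {
    "$VBOX" list runningvms | grep -qF "\"$1\" {"
}

# Print the MAC address of the VM's first network adapter.
mac_of() {
    "$VBOX" showvminfo "$1" --machinereadable |
        sed -n 's/^macaddress1="\(.*\)"$/\1/p'
}

# Clone the template (clonevm assigns new MACs by default), then fail
# closed if the clone's MAC is unreadable or equal to the template's.
clone_workstation() {
    "$VBOX" clonevm "$TEMPLATE" --name "$1" --register || return 1
    new=$(mac_of "$1"); old=$(mac_of "$TEMPLATE")
    if [ -z "$new" ] || [ "$new" = "$old" ]; then
        echo "clone $1: MAC unreadable or same as template" >&2
        return 1
    fi
}

# Gateway first, then the Workstation clone.
start_workstation() {
    is_running "$GATEWAY" || "$VBOX" startvm "$GATEWAY" || return 1
    "$VBOX" startvm "$1"
}

# Ask the Workstation clone to shut down (ACPI power button).
stop_workstation() {
    "$VBOX" controlvm "$1" acpipowerbutton
}

# Gateway last: refuse while any other VM is still running.
stop_gateway() {
    others=$("$VBOX" list runningvms | grep -vF "\"$GATEWAY\" {" || true)
    if [ -n "$others" ]; then
        echo "shut these down first: $others" >&2
        return 1
    fi
    "$VBOX" controlvm "$GATEWAY" acpipowerbutton
}
```

The ACPI shutdown is asynchronous, so `stop_gateway` keeps refusing until the Workstation has actually finished powering off.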
In a future post we will discuss spoofing an online persona for Google, Twitter, Facebook, or whatever social media site you prefer. The cloned-workstation configuration allows us to have one virtual machine for social networks and another for deeper stealth.
Once you use a workstation for connecting to social media, it is tagged to the persona you will create, so we need to keep them separate.
Again, we trade security for convenience. But VirtualBox and cloned workstations allow you to have systems with different levels of security for different purposes, all nicely sectioned off in the sandbox. Multiple systems on a single piece of hardware – and you can burn the systems without the cost of burning the hardware.
Labels: anonymity, linux, obfuscation, online security, opsec, security, stealth, virtualbox, whonix