A Dreadful Toolkit- Miscellaneous Notes on Computers and Opsec (Chapter 2, Part 2)

TyperTech

Electric Sheep by Other Names- Continued

Computers 102 for the Opsec Student

This is a continuation of Part 1, which started here.

Selecting your Set-Up

There are several different choices you'll have to make before you put your constructed identities into cyberspace. It's convenient to use the three-way split above- user-space applications, OS, and firmware- but in reverse, starting at the very base with firmware/hardware and then making future choices based on previous ones.

Firstly, the hardware and the firmware that come with it are a relatively open-ended pick for desktops and laptops. The only big issue for opsec is making sure you can get the OS you'll choose working with it, so be careful of:

Anything that doesn't have an Intel or AMD processor: these have far fewer OSes even worth considering for opsec
Anything with UEFI secure boot: not a deal-breaker, but check it allows booting with and installing different OSes
MacBooks: Apple designs devices from the ground up as tiny fortresses, with them as the gatekeeper¹³. It's possible to install most OSes on the Intel-based ones, but problems can be common, so it's safer just to avoid them.
Chromebooks: Chromebooks are designed as glorified web browsers. It's easier to accept that than try and bend them to your will.



Phones are sadly not so easy to pick, and in fact better avoided if you can do without. Despite the array of sensors and the baseband modem, which acts as a location beacon, making them a much more serious opsec risk³, cell phones make it even more difficult than traditional computers to protect your privacy and anonymity. Two of the few options worth considering if a cell phone is a necessity are:

Google Pixel: an unlocked bootloader means you can install your own OS, and it's well-established enough that most alternative OSes support it. Depending on the OS you choose, other devices may work equally well.
Librem 5: Purism's Librem 5 was built from scratch with opsec in mind, using a 100% open-source Linux distribution (PureOS)²³. It's still young though and doesn't have the tools, history and funding that Android or the Google Pixel have.



At the operating system level, several established systems exist built specifically for opsec-conscious users, so the best choice is to follow your newfound robot overlord to whichever it will accept. Take your pick from:

TAILS: if you're using a laptop or desktop and in the green zone of the threat level traffic light (see Chapter 1, Part 2), The Amnesic Incognito Live System is an easy but effective way to get started. It's installed on an (empty) USB stick and runs off that, coming with a good selection of software pre-installed and Tor set up for you²⁴ (see Chapter 3). See the link for more detailed documentation, including how to configure persistent storage. After all, TAILS is amnesic- it forgets any changes you made on shutdown by default²⁴!
Qubes OS: A more advanced, but equally more powerful, option for PCs is Qubes OS. It brings a rigorous approach to compartmentalization (see Chapter 1, Part 1) to technology by strictly limiting the flow of information between isolated groups of programs (called "Qubes")²⁵. This makes it more difficult to manage but also dramatically less vulnerable to serious damage if a software flaw is exploited and much more flexible in how it can be used. It is, for example, possible to create a TAILS-like use of Tor (see Chapter 3) by incorporating the Whonix operating system as a Qube²⁶. Detailed documentation is available at the linked website, showcasing the full power of the OS. Qubes does need to be installed on a hard drive or SSD, unlike TAILS; an external hard drive can be used for this if reconfiguring the internal disk is difficult or not an option.
GrapheneOS: For compatible models of Google Pixel, GrapheneOS is a security-hardened, privacy-oriented version of Android. Its work has supported significant improvements in the security of Android as a whole since it began in 2014, yet it continues to lead the way in smartphone opsec by far with its carefully engineered and well-hardened orchestra of software- an orchestra defined just as much by the purpose-built tools it includes as by the Google spyware it doesn't²⁷. Like Qubes, it relies on the user to set things up to their own satisfaction. A good guide can be found here (no relation to the GrapheneOS project), but some users may prefer to use Orbot for Tor with everything instead of a VPN. See Chapter 3 for further discussion. Installation instructions are at the linked OS website.
PureOS: PureOS is an operating system developed from Debian Linux with the goal of being 100% FOSS and bringing security and privacy to the masses. This means there are better choices for high-stakes opsec on PCs (TAILS and Qubes), but the opsec-oriented Librem 5 and its default OS are one of the best options for phones you can find. The OS's close relationship to desktop Linuxes gives unlimited potential for customization to any purpose with just a basic understanding of how the phone-specific utilities fit into the system. With such a novel system, though, it will take ingenuity and understanding from you rather than just a quick search for a "how-to" to practice such powers. PureOS comes installed on the Librem 5, or can be downloaded from the link.



Finally, with user-space applications the sky's the limit. What programs you need depends on what functions you'll need, making a list of recommendations extremely difficult- although for TAILS, the pre-installed software is always a good choice. Instead they're mostly listed under the appropriate categories later in this guide, with two exceptions: good choices for web browsing are Tor Browser (where you're using Tor) and a hardened²⁸ Firefox (when you aren't), while good messaging programs include Pidgin with the Off the Record plugin and Briar. All these programs are open source, and Pidgin and Firefox have large user bases while Briar and Tor Browser both focus strongly on various combinations of privacy and anonymity³¹ ³³.
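
The first two hardware checks from the list under "Selecting your Set-Up" (Intel/AMD processor, UEFI Secure Boot state) can be run from any Linux live session on the candidate machine. This script is an added example, not part of the original post; the function names and output labels are hypothetical, and it assumes the standard Linux paths /proc/cpuinfo and /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: pre-install hardware check, run from a Linux live session.
# Function names and output labels are illustrative, not from the guide.

# GUID of the UEFI global variable namespace, as used in efivarfs file names.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# cpu_vendor [cpuinfo-file] -> prints intel | amd | other
cpu_vendor() {
    file=${1:-/proc/cpuinfo}
    id=$(awk -F': *' '/^vendor_id/ { print $2; exit }' "$file" 2>/dev/null) || id=""
    case $id in
        GenuineIntel) echo intel ;;
        AuthenticAMD) echo amd ;;
        *)            echo other ;;   # e.g. ARM boards expose no vendor_id line
    esac
}

# secure_boot_state [efivars-dir] -> prints no-efivars | enabled | disabled | unknown
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    var="$dir/SecureBoot-$EFI_GLOBAL_GUID"
    # No efivars directory: booted in legacy BIOS mode, or efivarfs is not mounted.
    [ -d "$dir" ] || { echo no-efivars; return; }
    [ -r "$var" ] || { echo unknown; return; }
    # efivarfs prefixes the data with a 4-byte attribute word; byte 5 is the value.
    val=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
    case $val in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# hardware_report [cpuinfo-file] [efivars-dir] -> one summary line plus notes
hardware_report() {
    vendor=$(cpu_vendor "$1")
    sb=$(secure_boot_state "$2")
    echo "cpu=$vendor secure_boot=$sb"
    [ "$vendor" != other ] || echo "note: non-Intel/AMD CPU, check OS support first"
    [ "$sb" != enabled ] || echo "note: Secure Boot on, confirm the firmware lets you boot other OSes"
}

hardware_report "$@"
```

An "enabled" result is not a deal-breaker by itself; it means the firmware setup screen should be checked for an option to boot and install other OSes before committing to the machine.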
 