I need something trusted and secure. I need to make “onion layers security” with the most secure and hard to hack/crack software.

How to protect yourself from the government on the internet?

I’m from Russia and I need to post a few documents and articles on the internet, but I need to be 100% sure they won’t find me.

Please use simple English, basic tech terms and be as detailed as possible, or direct me via links to articles with information. But real good tips will be appreciated.

I just bought a new hard drive and I am going to install a new OS and other programs on it:

  1. Which OS? Windows 10, Linux, Qubes, Whonix etc, or use Whonix inside of Qubes? Which is the most secure? If Linux, which version? How best to configure it?

  2. Do I then need to install a virtual machine on it? If so, which one?

  3. Which third party programs do I need on it? VPN?

  4. What browser to use? If Tor - What’s the best configuration for Tor browser? As I know just using Tor browser is not enough they still can find you. And should I use Chinese servers?

  5. Do I need an Antivirus? Antispyware? Which one?

I guess that should be enough?

  • You could use Qubes connected exclusively through TOR. No need for #2, #3 and #4 at that point. Qubes would provide you with the TOR browser. Good luck finding Antivirus/Antispyware for Qubes. So yeah, Qubes. Also, we don't do product recommendations here, as it's off-topic. :( This will likely be locked, but I decided to respond to you anyway. – Mark Buffalo Nov 27 '17 at 02:47
  • Use Tails. Tails doesn't let you forward any internet traffic which doesn't pass through Tor circuit. To hide yourself from your ISP that you are using Tor, use **Tor Pluggable Transport** like **meek**. – defalt Nov 27 '17 at 04:43
  • Tails works like this: if you are compromised through tails, you are owned. If you are compromised through Qubes, just the VM is compromised. You would have to escape that VM, which is destructible. – Mark Buffalo Nov 27 '17 at 04:50
  • If you are a person of interest, the government has seen this post. I expect asking this question is illegal in Russia (as with most countries - asking how to break laws is often frowned upon). – Tim Nov 27 '17 at 05:55
  • @MarkBuffalo As I explained in my post, a Qubes already provides even the browser with root access, so for all intents and purposes, it is already "owned", and it relies on Xen to protect it. With Tails, everything runs unprivileged, and an exploit is needed to bypass the firewall. This is where Whonix can come in. As long as it is used with hardware rather than a VM, it exposes an extremely small attack surface. I think there's actually a way to do that with Qubes as well (Tails/Qubes?), which eliminates the NOPASSWD sudo issue and as such does not rely exclusively on Xen for protection. – forest Nov 27 '17 at 07:07
    @user77680 while I appreciate your frustrations with your country, bashing of anyone here is not allowed. I removed both that one comment as well as the political comments by others. Unfortunately, we could write entire books on how to do what you want. Many books *have* been written. And that makes this question too broad. – schroeder Nov 27 '17 at 11:13

If your adversary is a nation state actor, and you need to ask this question on StackExchange, then you're doing it wrong. You cannot be "100% safe" from a determined, powerful adversary. While it's fallacious to say "if they want you, they'll get you", it is true that you cannot be 100% safe from any powerful adversary. They will always have 0days that you are not aware of, and will be tapping infrastructure you are not aware of.

1 Which OS? Windows 10, Linux, Qubes, Whonix etc, or use Whonix inside of Qubes? Which is the most secure? If Linux, which version? How best to configure it?

That depends on your threat model. Qubes is great for mitigating hardware-type attacks (such as a compromised NIC), but it uses the quite vulnerable Xen and has other nasty configuration issues, such as running with NOPASSWD sudo (which allows anyone to get root without a password). Whonix is good for a very specific threat model (IP disclosure), but when run in a VM rather than on physical hardware, you negate much of the benefit. The Russian government absolutely has VM escape 0days.

2 Do I then need to install a virtual machine on it? Which one?

Different VMs have different strengths and weaknesses. They can all be compromised with enough resources. QEMU for example runs in userspace, which allows it to be sandboxed via a command line option. The virtualization is done in the kernel by KVM, which is pretty secure. However QEMU is also buggy (as are all VMs), so unless it is being sandboxed and is using a chroot, it can be an issue.

3 Then which third-party programs do I need on it?

Not sure what you mean. It depends on your threat model. Use whatever well-regarded programs give you the features you require. Tails has many programs which are sandboxed for security, and which provide you with a decent amount of productivity software (audio editors, text editors, spreadsheet programs, collaboration programs, etc).

You do not want to use things like VPNs. Even if you trust the VPN provider, the technology was not designed for anonymity. In fact, the "private" in VPN is referring to IANA-reserved private addresses, not the right to privacy. They are designed to allow connecting two virtual network interfaces together, especially to get on a corporate network. They have been abused by companies that want your money by advertising the fact that their name has "private" in it, and that they do hide your IP against any naive adversary.

4 What browser to use? If TOR, what's the best configuration for TOR browser? As I know, just using TOR browser is not enough; they still can find you. And use a China server?

It's Tor, not TOR. And the best configuration is simply setting the security slider to high. This will disable JavaScript and certain other risky features. In contrast with what the other answer says, Tor was neither created by the government nor given away by them. The concept of onion routing was created by the Navy. Tor itself was created by Roger Dingledine. The computer mouse was created by DARPA, but that does not mean that your little Lenovo mouse is from the government!

While Tor itself is quite effective (so don't change its configuration!), Tor Browser is based on Firefox, which is not a perfect browser. However, it is the only browser that provides fingerprinting defense. There are 0days that governments and government contractors have that can compromise the browser, and if the browser is compromised, it can bypass Tor by connecting directly to a government-controlled server. There is no way to avoid this with complete certainty.

5 Do I need antivirus? Antispyware? Which one?

This is actually harmful. AV is fine for low-level threats that are already known in the wild, but advanced malware can take advantage of an AV, compromising it to elevate privileges. AV software runs with high privileges, parsing any attacker-controlled data you throw at it. This is a recipe for disaster.

I guess that should be enough?

Nope. If you're not using a hardened kernel with heavy monitoring and extensive syscall filters, you aren't even close to good enough. Protecting against a nation state adversary who is determined to attack you and is willing to spend plenty of resources on you requires expertise, many years of expertise. It would take me months and hundreds of pages worth of answers to even provide you with the basics. This is why threat modeling is so important. It allows you to determine who your adversary is, what their capabilities are, what their resources are, and what assets they are after. This makes it easier to protect yourself.

Thanks a lot for saving my ass.

Honestly, the Russian government will not be spending a lot of money to get you. You can raise the bar a good bit by using things like Whonix (on real hardware), Tails, or Qubes, but none of that is perfect.

You need to define a threat model. To expand a bit on your implied threat model regarding "posting some documents on the internet", that makes it a lot easier. For example, you won't have to worry too much about exploits, unless you tell everyone where you are posting the documents to or stay a long time, giving them the chance to attack you. When posting documents, the threat model involves avoiding retroactive tracking, with the assets not being your computer resources or anything like that, but simply your identity. Your adversary will only be able to target you after you post documents, not before, so you do not need to worry about them lying in wait with a 0day exploit to use against you. Using Tails is perfect for this, as it is not only amnesic and as such resists forensic attacks, but it is designed to be fool-proof for anonymity, making it extremely difficult to shoot yourself in the foot. Keep those documents on an encrypted flash drive, use Tails to upload them (e.g. to Wikileaks), then get rid of the flash drive and move on with your life.
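The answer above refers to QEMU being sandboxed "via a command line option" and to "extensive syscall filters" as part of a hardened setup; on Linux both rest on seccomp-bpf. The following C program is an added illustration of that mechanism (not code from the question, any answer, or QEMU itself): it installs a syscall allowlist in a forked child and shows that one syscall outside the list ends the child with SIGSYS. Function names are mine, and it assumes Linux on x86_64 or aarch64.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: x86_64 otherwise */
#endif

/* Allowlist: only write, exit_group and exit pass; the ABI is checked first
 * because syscall numbers differ per ABI. SECCOMP_RET_KILL is enough for a
 * single-threaded child (newer headers also offer SECCOMP_RET_KILL_PROCESS). */
static int install_allowlist(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { sizeof filter / sizeof filter[0], filter };
    /* no_new_privs is what lets an unprivileged process install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run fn in a forked child under the allowlist. Returns 1 if the child was
 * killed by SIGSYS (a blocked syscall), 0 if it exited cleanly, -1 on error. */
static int run_sandboxed(void (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_allowlist() != 0) _exit(2);
        fn();
        _exit(0); /* exit_group: on the allowlist */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

static void only_writes(void) { ssize_t n = write(1, "hello\n", 6); (void)n; }
static void calls_getuid(void) { getuid(); } /* not on the allowlist */

int main(void) { return (run_sandboxed(only_writes) == 0 && run_sandboxed(calls_getuid) == 1) ? 0 : 1; }
```

A real sandbox such as QEMU's needs a far longer allowlist, but the failure mode is the same: any syscall that was not anticipated terminates the process instead of being served.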

  • `NOPASSWD sudo`: Have you used Qubes? https://www.qubes-os.org/doc/vm-sudo/ Also, citation for "quite vulnerable Xen"? – Mark Buffalo Nov 27 '17 at 04:53
  • I've read that. It's very poorly thought out and assumes that Xen is invulnerable. That page is often scoffed at by those who promote defense in depth. In reality, many Xen vulnerabilities were _only_ exploitable because that is how Qubes operates, due to the vulnerabilities requiring ring 0 (via root) in the guest. – forest Nov 27 '17 at 04:54
  • As for Xen being vulnerable, just look at oss-sec, XSA embargos, and even Joanna's own rants in frustration about Xen devs not applying proactive mitigations (she helped fix a bit of it, though). You can also look at the impact of the latest XSAs. Chances are, a good portion of them require ring 0 (and thus are exploitable on Qubes, but not most other systems). Now I am not dissing Qubes, despite what you may assume. It is not ideal for some threat models involving software threats. It is great for mitigating hardware exploitation, better than many other OSes which only use DMAR for isolation. – forest Nov 27 '17 at 04:57
  • I get it, yeah. But it would be very helpful if you linked to references for what you're talking about in your post. – Mark Buffalo Nov 27 '17 at 05:00
  • +1 although, to be pedantic, Firefox is not the "only" browser that provides fingerprinting defenses. There's at least one other I know of, [Brave](https://brave.com/), that provides fingerprinting defense and is available on all popular desktop and mobile OSes. There are alternatives out there for those willing to look. – phyrfox Nov 27 '17 at 07:12
  • Brave has less than 10% of the fingerprinting defenses provided by Tor Browser. It pretty much only changes some settings, but it does not mitigate audiocontext fingerprinting, font fingerprinting, css @media element fingerprinting, javascript.now() precision fingerprinting, canvas fingerprinting (maybe), WebGL fingerprinting (maybe), timezone fingerprinting, thread concurrency fingerprinting, battery API fingerprinting (maybe), plugin fingerprinting, DPI resolution fingerprinting, header case/order fingerprinting, and many more. It is not a well-regarded browser in this context. – forest Nov 27 '17 at 07:15
  • Guest, The fact that they changed the original meaning doesn't make it fine in my book. @phyrfox, failfox is the browser with the worst security ever and it keeps at it constantly. Worst choice by far for something like this. And no, your assumption about the fingerprinting is incorrect. – Overmind Nov 27 '17 at 09:07
  • You have to specify threat model. It is true that Firefox is less secure than Chromium, but Chromium has many proxy bypass bugs and is trivial to fingerprint. Tor Browser, being based on a less secure browser, has to use noscript and the "security slider" to be of any use. The security/anonymity trade-off is one we could discuss for hours, but these comments are not the right place. – forest Nov 27 '17 at 11:25
  • Thanks Guest. Last thing, do you think it's a good idea, and is it possible, to install Whonix and Qubes on a USB (flash drive) with Tails on it? This way I should be fine? – user77680 Nov 28 '17 at 05:19
  • And what can you tell me about "vir2us", and where can I get real knowledge of this "using a hardened kernel with heavy monitoring and extensive syscall filters"? I will use it within Whonix and Qubes. – user77680 Nov 28 '17 at 05:30
  • Guest, have you tried gentoo hardened and lived off the grid? – user77680 Nov 28 '17 at 05:33
  • @user77680 (I am guest, just finally registered now) Hardened Gentoo is actually what I am using now. I do not "live off the grid" in the common sense, but I do try to minimize unnecessary information I give out. There is no one place you can get knowledge of things like that. It takes time and a lot of effort. My point was not so much that that is a realistic goal, more trying to emphasize how difficult it is to improve security beyond the basics if your adversary is well-resourced. And what is "vir2us"? The company? – forest Nov 28 '17 at 12:01
  • Yes, "vir2us" company which make money, and will sell my info to anyone probably :) https://www.vr2sinternational.com/about-us I will not bother them then.... Thanks a lot! – user77680 Nov 28 '17 at 17:10
  • Baal-zebub, if I connect through the tunnel to my friend's friend's work LAN, is it possible to trace my physical location (address)? The only address they will be able to find is the one that the ISP has on file for that particular IP, thus my friend's friend's address, and it will be impossible for them to find my location, right? – user77680 Nov 29 '17 at 05:56
  • @user77680 That sounds like a new question, not really something that can be answered to your satisfaction in a comment. – forest Nov 29 '17 at 22:02

Edward Snowden used an OS called Tails and the Tor network. As a user you must have the knowledge to keep you apart. Your existing machine obviously has footprints but you can buy a new machine. You want to share docs to a site - make sure that site will not track you.

If you have to ask this rather unspecific question, the answer is: Not at all.

The good thing: You know that you don't know enough. This is a lot better than just thinking installing tor-browser will make you invisible.

The bad thing: There is no single "make my computer secure" recipe. If your threat model is actually powerful government agencies which want to uncover your identity, any advice here will be dangerous for you, because it will fall short in some aspects.

Even when your tech would be 100% secure, you still need the right way to act to avoid being uncovered. There were already people being profiled by being offline during TV shows. That's the level a sophisticated attacker works on and it is very hard for anybody to think of all possible implications of his actions.

As advice: Find someone who has known security stuff for a longer time and ask for help. This will help more than some howto which forgets to mention some important point. Of course reading a lot of security stuff will help a lot, but you need to get the knowledge, not a step-by-step guide, to be able to reduce your fingerprint and information leaks.

  • I'm interested in reading your sources for people being profiled due to the times they were offline. It's not that I doubt it, but rather I'd like to read more about it. – forest Nov 27 '17 at 11:33
  • I don't find the reference just now, I think it was one of the early successes of criminal profiling (online). Maybe someone else can help? – allo Nov 27 '17 at 15:53

At first you need hardware you can trust. This is impossible for the consumer, because you can hardly buy any open hardware computer. Nearly all components of your computer and your network devices can include backdoors.

For a start you can read about intel backdoors (and here) or search for cisco backdoors or secret operations in CPUs (see sandsifter docs).

In the case of software it is very clear that you can not trust any software which hides the source code.

Let's assume you read all code and compile it yourself. You will have a high security standard, but exploits (some are listed as CVEs) can still be used against you.

This is just the publicly known threat, which you can read about in every specialized magazine. If you are paranoid, do not use the internet, perhaps not even a computer at all.

Jonas Stein
  • Not using the internet or computer reduces him to having to publish his documents physically, which is far more dangerous for this threat model. You may be able to use a program that reduces your online fingerprint, but it is not so easy to avoid leaving physical traces. – forest Nov 27 '17 at 11:29
  • @guest A reduced fingerprint can help a little against the data collection by advertisers, but is useless in this case. – Jonas Stein Mar 17 '19 at 18:09

Frankly, there is no real way to hide from the government. Do you really believe the government created TOR then turned it over to criminals to do what they want? Most likely not. They monitor it.

If you are concerned about anonymity from attackers, check out Kevin Mitnick's book The Art of Invisibility.

  • Tor was not created by the US government. The concept of onion routing was created by the navy, but Tor was created by Roger Dingledine, who is not a government employee. Please do not spread FUD when you don't even know the origin of the software you speak of. – forest Nov 27 '17 at 06:53
  • If you think NSA will gladly hand over their secret Tor backdoor to the Russians, you haven't followed the political climate for the last 70 years. Or maybe you just didn't read the question. – pipe Nov 27 '17 at 08:58
  • Again, Tor was not made by the US government. They certainly have secret _0days_ for the browser, but 0days and backdoors are different, since one is intentional and the other is discovered. – forest Nov 27 '17 at 09:17
  • @guest Dingledine developed TOR under contract with the USNRL. While not making him an employee (something that the poster never claimed) it still means TOR appears to have been 'created' by the US Navy, does it not? – schroeder Nov 27 '17 at 11:07
  • Tor (not TOR) at that time was far different. Being paid to implement something created by the Navy does not make it something created by the Navy. For example, the navy has no patent or copyright on Tor, which they would had it been developed in-house. At that level though, it becomes an issue of semantics, I suppose. – forest Nov 27 '17 at 11:22