OPSEC SETUP
by 4NG3L - Thursday November 2, 2023 at 10:38 AM
#1
Just wanted to throw a quick question in here about people's setups, both physically and digitally.

I want to know how you guys secure your physical hardware, such as the laptops used, removing webcams, looking into removing built-in GPS hardware, physical switches cutting off power to your machines, external storage, hardware authentication devices, routers, internet connections, SSD or HDD, etc. etc. etc.

Security on your machine, for example: what operating systems do you guys run, how do you secure your machines through advanced settings, potential use of isolation and sandboxing, routing your laptop through TOR, and once again etc. etc. etc.

Finally, I'm interested in hearing about how many hops you guys go through to conduct your "activities", how you go about connecting to these hops (TOR, VPN, proxies, RDPs), potential software you guys use when going about this, and once again etc. etc. etc.

I recommend not stating your step-by-step setup for LE reasons, but it would be good to hear in order to harden other people's security.
#2
Have you heard of Truecrypt? It was/is one of the best tools. It was discontinued for "unfixed security issues" and if you go to their site they are pushing people to Bitlocker or Veracrypt. Do some research and believe what you want but if you can get your hands on a copy it truly is one of the best tools for opsec. Also you can find tons of guides for using TailsOS in conjunction with VPN and TOR. Worth reading up on it if you aren't familiar.
#3
(11-02-2023, 05:40 PM)s1ic3r Wrote: Have you heard of Truecrypt? It was/is one of the best tools. It was discontinued for "unfixed security issues" and if you go to their site they are pushing people to Bitlocker or Veracrypt. Do some research and believe what you want but if you can get your hands on a copy it truly is one of the best tools for opsec. Also you can find tons of guides for using TailsOS in conjunction with VPN and TOR. Worth reading up on it if you aren't familiar.

It was rumored that the TrueCrypt dev received a gag order from the NSA of unknown contents, either to scare him (by saying terrorists were using his software / wanting him to help break it) or to make him aware of a bug in the code. The dev wrote cryptic messages back in the day on their site that hinted towards this, and he shut the project down for reasons of "lack of time to fix security vulns in the software". However, the TrueCrypt site is not online anymore; this was like 10 years ago and the site has been offline for most of that time. You can see snapshots of the old site on the wiki, but it has been excluded from the Internet Archive for reason "at site owner's request" < That tells you something. The website you're talking about is just a section on sourceforge . net that explains TrueCrypt is outdated and you shouldn't use it because it hasn't been updated or maintained in 10 years. VeraCrypt is an updated TrueCrypt that a group of devs updated and now maintain to this day.

@s1ic3r Please tell me you are not using a 10-year-old version of TrueCrypt when the dev already hinted at the fact that it likely had security vulns he became aware of that would allow someone to break its encryption? The whole reason VeraCrypt was created by community members was to bring back TrueCrypt functionality in a project that's regularly updated and maintained; it even has the old TrueCrypt UI. VeraCrypt is better in every way, including offering stronger encryption algos. Even if you think it's some conspiracy because "TrueCrypt was too strong to be allowed", that's irrelevant now because in those 10 years there have been changes in a lot of the encryption algos themselves due to security reasons that TrueCrypt won't have because it's outdated. Info = https://en.wikipedia.org/wiki/TrueCrypt

Ultimately, because a company claimed the E4M model that TrueCrypt was built on had been stolen from them and was wrongly open-sourced by an ex-employee under a false license, the guy got sued and the TrueCrypt devs paused development for a while, then came back again, so likely the reason they ended the project had something to do with the lawsuit of the guy that released the E4M code, which was still going on in 2016. A 2015 audit also stated TrueCrypt had no significant vulns at that time. But you should still use the newer VeraCrypt that is maintained today.
#4
It would be silly and time-consuming to answer all these issues here by talking about my op$ec setup personally, so I'll keep it simple and leave it at that. I won't write about all the basic settings like changing the MAC.

For important activities you can follow the path of a BSD setup installed on a laptop bought with cash, with libreboot support. Why BSD? BSD has a lot of confidentiality built into it, but you will also find a lot of configuration in the installation, including hardening. Apart from that, if you are going to use a different distro, btrfs encryption with LUKS is a must and an SSD should not be used. The hardware components that come with the laptop, such as the Wi-Fi card, microphone, webcam etc., should be unplugged. HDD encryption and BIOS user and admin encryption should also be enabled in the BIOS settings. Regardless of the distro you are using (BSD, Debian, Arch), the apt key should be activated and PAM auth should be activated. So far, I have touched on simple hardware issues.

Software-wise, you should disable network protocols that are not used on your Linux machine, close kernel documents, and disable PID processes completely.

ICMP timestamps, NTP clients, TCP Initial Sequence Numbers (ISNs) and TCP timestamps should be completely disabled to prevent correlation attacks.

Sysctl is a tool that can improve kernel security by changing certain kernel settings, so don't forget to configure sysctl as well.

You can use services like AppArmor and auditd for sandboxing. You will find all the details by searching; you need to create extra virtual machines with chroot, kvm/qemu, VirtualBox and create different algorithms.

Chapter 2: Network. You should prepare an op$ec roadmap with solutions like OpenWRT, external network adapters, DNS configurations, DPI, TOR, SSH, RDP, SOCKS5 and tunneling. You should adjust all your settings accordingly. I won't go into these in detail here. Don't use a VPN unless you have your own VPN service.

All of your personally important activities should be done over hacked Wi-Fis, and you should stay away from cafe alternatives such as Starbucks that provide so-called free guest networks. You can create a remote machine with a Raspberry Pi or Orange Pi. Do not have a smart cell phone in the location of your laptop; all of these will expose metadata.

After making sure that you have completed all the necessary settings on your host machine, you should delete your gateway IP settings before connecting to your virtual machines, so that an IP will be assigned to the virtual machine by your host machine and your host machine will not be able to access the internet.

You should have the best level of "NETWORK" knowledge to tunnel your virtual machines to each other with TOR and offshore SOCKS5 proxy services. All this takes some time, research and process.

The rules I have written so far will take you one step further; how much further you go depends on the research power in your hands. That's all I will mention in general; you can apply these for your simple work. I know there are some things I have not written here. Warning Note> Stay away from honeypot pre-shipped systems like Whonix, Tails, etc.; set everything up yourself. Manual, Manual, Manual.
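As an added example (not from this thread or any poster in it), here is a small Python audit of a `sysctl -a` dump against a hardening baseline of the kind the post above gestures at. The sysctl keys are real Linux ones; the baseline values follow common hardening guidance and the sample dump is constructed for this illustration. Note that ICMP timestamp replies are not a sysctl on Linux and are filtered with the packet filter instead, so they are out of scope here.

```python
"""Audit a `sysctl -a` style dump against a small kernel-hardening baseline.

Added example, not code from the thread. BASELINE keys are real Linux
sysctls; the values are common hardening recommendations, and SAMPLE_DUMP
is a constructed dump of a stock-looking workstation with a few weak settings.
"""
from typing import Dict, List, Tuple

# Baseline: sysctl key -> required value (adjust to your own threat model).
BASELINE: Dict[str, str] = {
    "net.ipv4.tcp_timestamps": "0",      # TCP timestamps leak uptime, aid host correlation
    "net.ipv4.ip_forward": "0",          # a workstation should not route packets
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",  # strict reverse-path filtering
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "kernel.kptr_restrict": "2",         # hide kernel pointers from all users
    "kernel.dmesg_restrict": "1",        # dmesg only with CAP_SYSLOG
    "kernel.randomize_va_space": "2",    # full ASLR
    "fs.protected_symlinks": "1",
    "fs.protected_hardlinks": "1",
}


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse `key = value` lines into a dict, skipping blanks and comments."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit(text: str, baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (key, expected, actual) for each baseline key that deviates.

    A key absent from the dump is reported with actual='<unset>' so that a
    missing hardening knob is never silently treated as compliant.
    """
    current = parse_sysctl(text)
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key, "<unset>")
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


def render_sysctl_conf(findings: List[Tuple[str, str, str]]) -> str:
    """Emit /etc/sysctl.d/ lines that would correct the reported deviations."""
    return "\n".join(f"{key} = {expected}" for key, expected, _ in findings)


# Constructed sample dump (not a real host).
SAMPLE_DUMP = """
# constructed sample
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
fs.protected_symlinks = 1
"""

if __name__ == "__main__":
    for key, expected, actual in audit(SAMPLE_DUMP):
        print(f"{key}: expected {expected}, got {actual}")
    print(render_sysctl_conf(audit(SAMPLE_DUMP)))
```

On a live host, feed it `sysctl -a 2>/dev/null` and drop the rendered lines into a file under `/etc/sysctl.d/`.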
#5
(11-02-2023, 06:23 PM)CorpTax Wrote:

VeraCrypt's a great tool, however what are your opinions on the hidden volume for the purposes of plausible deniability, and what are your opinions on the concept of plausible deniability? I think it's worth noting at the end of this message for any "ghost readers" that hidden volumes run into problems when performing this on SSDs.

I did not know about the situation with TrueCrypt and LE though, cool info from you.
#6
first rule of opsec - don't be stupid

sharing your opsec setup is, unfortunately, stupid
#7
(11-03-2023, 10:39 AM)4NG3L Wrote:

There have been mentions of issues with hidden volumes since the original TrueCrypt first introduced them, where researchers looked at various ways to prove it was a hidden volume, but I don't remember anyone ever coming up with a way to actually prove if a volume had a hidden layer or not. (I never really researched it much either, if someone did.) Idk about the issues with SSDs; I'll have to look into that, but I'd say go ahead and use them anyway, it doesn't hurt the underlying volume's security to use hidden volumes.

This thread will probably have problems with people willing to share many details about their methods, just because it's better for them to not discuss it publicly. I merely jumped in because I saw someone claiming TrueCrypt was still a good option if you could find it, so I had to post the problems in using a 10-year-old tool instead of the newer updated version.
#8
(11-02-2023, 06:23 PM)CorpTax Wrote:

Just to be clear, I am not saying I do use it. It is on each of us as the end user to do your own research and believe what you want. Regardless, it's an interesting story to read into. Don't forget your tin foil hat! lol
#9
(11-03-2023, 09:04 PM)CorpTax Wrote:
The developers go over it in these sections:
- https://www.veracrypt.fr/en/Trim%20Operation.html
- https://www.veracrypt.fr/en/Wear-Leveling.html

I was curious as to whether anyone had done a deep dive into this and what they concluded.
#10
hard encryption for everything
anonymous services like TOR
use a public wifi from far away
don't be stupid and don't get greedy