For what I hope are obvious reasons, I don't want, and probably will never post my threat model publicly online. However, regardless of that, what I'm sure you will extrapolate from this post is that I live my life, digitally in particular, with a fairly high-level threat model. This is not because I'm some super sophisticated criminal mastermind, but rather, I am at this level because I genuinely love playing around with this stuff. And I just happen to understand the importance of privacy and just how vital it is to a truly healthy society. I would like to extend a thanks to ProgressiveArchitect for the sharing of the knowledge they have done on this subreddit, /privacytoolsio, and the like. We may have never interacted, but nevertheless, your input into this community is truly interesting and extremely informative and educating. I'm sure those of you familiar with PA's setup will be able to draw some parallels with mine and theirs.
I hope you all enjoy reading this write up.
I run Qubes OS on a Lenovo ThinkPad X230 laptop. Specs for it are as follows:
- i7-3520M
- 16GB RAM
- 1TB Samsung 860 Evo SSD
- Qualcomm Atheros AR9285 wireless card

Additionally, I used a Raspberry Pi Model 3B+ and a Pomona SPI clip to replace the stock BIOS firmware with coreboot+me_cleaner. This wasn't done out of any "real" concern for the Intel ME (though of course proprietary black-boxes like it should be avoided at all costs and not trusted), but rather for open source enthusiasm and for increased security and faster boot times than what the stock BIOS firmware allows for. On that note about the ME, I don't believe the conspiracy theories that claim that it is a state-sponsored attack method for surveillance. I believe that Intel had good intentions for improving the lives of IT professionals who need to manage hundreds, if not thousands of remote machines. However, it has proven time and time again to be insecure, and I don't need the remote management and the "features" that it provides on my machines.
In Qubes, I use a combination of AppVMs and StandaloneVMs for a variety of different purposes. All VMs use PVH over HVM, except for the Mirage Unikernel Firewall, which uses PV, and the sys-net and sys-usb StandaloneVMs which have to use HVM because of PCI device passthrough. Right now most of my VMs are AppVMs, but for maintenance and compartmentalization reasons, I am considering moving more towards StandaloneVMs, despite the increase in disk space and bandwidth usage for updates.
General routes from Qubes to the Internet for anonymous browsing, general private browsing, accessing Uni services, and Uni-related anonymous browsing respectively:
1. Qubes->sys-mirage-firewall->sys-vpn-wg->sys-corridor->sys-whonix->whonix-ws-15-dvm to the Internet.
2. Qubes->sys-mirage-firewall->sys-vpn-wg to the Internet.
3. Qubes->sys-mirage-firewall->uni-vpn-wg to the Internet.
4. Qubes->sys-mirage-firewall->uni-vpn-wg->uni-corridor->uni-whonix->uni-anon-research to the Internet.

(Note: the VPN name is substituted in the "vpn" above. I had to remove it to comply with this subreddit's rules. It is easy to identify what VPN it is as it randomly generates a long numeric string and has fantastic support for WireGuard.)
Search Engine: SearX, Startpage, and DuckDuckGo.
Password Manager: KeePassXC.
Notes: Standard Notes.
Messaging: Signal Desktop.
Media Playback: mpv.
Emails: I access my personal email within my personal Qubes domain and my Uni email using my Uni Qubes domains. My emails are downloaded to a local repository using isync, sent using msmtp, and read using neomutt with HTML emails converted to plain text using w3m. Emails are sent in plain text too. All of the attachments in the emails (PDFs mostly) are automatically opened in DisposableVMs.
My personal Posteo email account has incoming encryption set up. This means that I emailed my public GPG key to an address correlated to my actual Posteo email address so that all email that I receive is encrypted with my public key and can only be decrypted using my private key. So even if my emails were intercepted and/or my account broken into, the contents of them are safe since they are encrypted as soon as they hit Posteo's servers.
I have set up a number of Posteo aliases that are completely segregated from the email I used to register my account. One of those is considered my "professional" email for my current job. I have another couple aliases, one dedicated for 33mail and another dedicated for Abine Blur. I make use of 33mail alias addresses for catch-all email addresses for registering for accounts that need to be under a username associated with my name anyways. This is for purposes like putting different compartmentalized, but still related, emails onto my Resume. I use a different alias for each Resume I put out online. That way, when that information gets sold, traded, etc., I can easily trace it back to who sold the information. For example, if I applied for a job online that required me to go through the process of registering an account through a third-party, say 'xyz Inc', the address I would register that account with would be [email protected], or something along those lines. Abine Blur is used much in the same manner but for accounts that don't need to be associated with my real name in any way, say online shopping on Amazon that I do under many aliases, then ship to various addresses that I don't live at, but that I can visit with no problems. I use a different Blur address with each service like with 33mail for the same reasoning shown above.
The passwords for the accounts are encrypted and stored locally in each of the domains, however, my private key is stored in my vault domain, so even if an adversary were to compromise the domains, they wouldn't be able to steal my private key without exploiting the hypervisor. They would only be able to wait for me to authorize the usage of my private key in that domain, and even then, it could only be used to decrypt files. That is a concern that they can use my private key to decrypt messages, but they wouldn't be able to steal the key. With my personal email, the emails would also be encrypted locally anyway so they wouldn't be able to read them. My Uni email, in contrast, uses Outlook unfortunately, so there isn't any option to enable incoming encryption, and even if it was, I'm not sure how private it would be anyways.
For those looking for an in depth list of all my VMs, with explanations for the more obscure ones, I have listed them below. I have got a lot of templates, hence why I am considering moving over to StandaloneVMs, but as of right now:
- fedora-29-minimal: Base for the minimal VMs.
- fedora-29-uni-persist: Template for uni-campus and uni-home AppVMs.
- crypto: A work in progress VM for handling crypto transactions using cleansed Bitcoin and Monero.
- printing: Exactly as it sounds like. It is firewalled to only be able to connect to the network printer on my home network.
- sys-corridor: corridor is a Tor traffic whitelisting gateway that provides network to sys-whonix. It helps to provide an additional failsafe to defend against clearnet attacks.
- sys-mirage-firewall: A version of the Mirage Unikernel to act as an extremely minimal and resource light firewall. It is configured to only allow connections to the individual IP addresses of my VPN's WireGuard servers as well as a select few internal IP addresses on my home network (router, home server, and Pi-Hole).
- uni-corridor: See sys-corridor for description. Provides network to uni-whonix.
- sys-vpn-wg: A system ProxyVM for my VPN.
- sys-net: Network stack isolation VM. Uses fedora minimal now.
- sys-usb: USB stack isolation VM. Uses fedora minimal now.
- uni-vpn-wg: A Uni ProxyVM for my VPN.
- uni-net: A ProxyVM for all Uni-related domains. Based off fedora minimal.
- uni-shared: Acts as an SMB network share for uni-campus and uni-home so that the documents and emails can be accessed easily between them.
- fedora-29-dvm: Default disposable Fedora VM.
- whonix-ws-15-dvm: Default disposable Whonix VM. This is where I do 95% of my online browsing.
- calendar: Exactly as it's named. Has a firewall rule to only allow connections to posteo.de.
- nas-access: Used to access my NAS and to watch content on it.
- pihole-access: Used to access my Pi-Hole through Firefox. Has a firewall rule to only allow connections to its IP address.
- router-access: Used to access my router through Firefox. Has a firewall so it's only able to connect to 192.168.0.1.
- personal: Personal domain. Used to check personal emails, read rss feeds, stream YouTube videos, and internet banking.
- repos: Local copy of my repos. Has a firewall rule to only allow connections to the site hosting my git repo.
- uni-anon-research: Research for Uni.
- uni-campus: Domain for doing Uni work on campus.
- uni-home: Domain for doing Uni work at home.
- uni-whonix: Separate Whonix gateway for Uni research.
- offline-archive-manager: For managing the offline archives that I burn to DVDs.
- personal-archive: Exactly as it's named.
- sys-whonix: Default Whonix gateway ProxyVM.
- vault: For storing GPG keys and other files.
- vault-dvm: DVM with no internet access. The Vault VMs use this as their DisposableVM.
- work-archive: Storing work archive documents (payslips, employment information, etc).
Phone: Motorola Moto G5s running Lineage OS 16.0 Pie, no G-Apps or micro-G, with the following apps:
- AdAway: Open Source hosts file-based ad blocker. (Requires root.)
- AFWall+: Linux iptables front end. (Requires root.)
- Amaze: File manager.
- andOTP: 2FA app. I like it since it can export the entries to an AES encrypted file.
- AntennaPod: Podcast manager.
- AnySoftKeyboard
- Simple Calendar
- Simple Contacts Pro
- DAVx5: CalDav synchronization with my calendar on my Posteo email account.
- F-Droid
- Fennec F-Droid: Web Browser. Has the same Firefox addons like on Qubes minus Vim Vixen. I used the app Privacy Settings to configure the about:config.
- KeePassDX: Password manager.
- KISS launcher
- Magisk Manager
- NewPipe: YouTube app replacement.
- S.Notes: Standard Notes.
- OsmAnd~: Maps and navigation.
- Red Moon: Blue light filter.
- SELinuxModeChanger: Exactly as it sounds. (Requires root.)
- Shelter: Work profile manager.
- Signal: Messaging.
- Vinyl Music Player: Music player.
- WireGuard: VPN protocol frontend. Is configured to use my VPN account. Is set up as an always-on and connected VPN.

As mentioned, I use Shelter to manage my work profile. In it I isolate the following apps:
- Clover: *chan browser.
- Orbot: For routing apps through Tor. Is set up as an always-on and connected VPN.
- RedReader: Reddit client.
- Tor Browser
Over the last several years, I have started using my phone less and less and taking advantage of less of what it has got to offer. I don't check email on my device. I have no real need to browse the Internet on it outside of watching videos using NewPipe, browsing Reddit, and various *chan boards.
On the Smart Phone side of things, I am considering purchasing an older used iPhone SE or 6S for use with MySudo when outside of my home as well as an iPod Touch for use on WiFi only for use inside my home. The iPhone would be kept inside of a faraday bag when I am at home and not using it. It would also be kept in the faraday bag whenever at home to avoid associating that device with my home address. The iPod Touch would be used for MySudo calls instead.
Future outlook and plan for my privacy and security:
To avoid as much deanonymisation of my privacy as possible, I'm only going to specify enough so that anyone reading this can get the gist of my situation in life. I am quite young (age 16 to 25) and I started along this privacy journey when I was even younger. I was never a very heavy social media user, however I did have an online presence if you looked hard enough. My name fortunately is a very common and short name, so that does help to bury information that I was not able to remove further in the vast trenches that is the Internet.
On the digital side of things, I mentioned that I have a dedicated Crypto AppVM for handling crypto currency transactions using Bisq. I have set up a dedicated bank account that I have periodically been transferring money into so that I can trade crypto. Unfortunately, I do not live in the US, so being able to effectively start trades with others is more difficult. I also do not have access to a credit card masking account like privacy.com (that I absolutely would use given the ability). I plan on getting an anonymous VPS to host my own Tor exit node for better speeds and to mitigate the possibility of malicious exit nodes. The country I live in has been a proponent of absolute dragnet surveillance on all activities occurring online and in real life, though the former is far more visible on this subreddit. I will be using crypto with cleaned Bitcoin (as seen with ProgressiveArchitect's setup) for purchasing my VPN service, etc.
With future hardware, to replace my aging laptop, I am very hopeful for Xen, then eventually Qubes OS getting ported to Power9. When that happens I'll be getting a Raptor Computing Blackbird as a desktop. Maybe in the future I'll get a Purism Librem laptop, but for now my corebooted X230 works perfectly for my use cases. On that note, I have successfully built the Heads firmware for the X230 and I was able to get the minimal 4MB image flashed on my laptop. I did revert it back to my coreboot setup after playing around a little with it, and unfortunately I haven't had time since to do a full, complete flash of it.
On the physical/real life side of things, I plan on making use of various Trusts in order to hold assets, say to keep my name from being immediately visible on the title of my car. As of right now I am fortunate enough to have the title of my car under the name of someone who I trust. Unless I am legally required, and where there are immediate and absolute consequences, I use fake names in real life. With Uni, I am enrolled under my real name and address. This is a requirement and it is verified, so there is nothing that I can realistically do about it. As for other services, I plan on setting up a personal mailbox (PMB), etc if possible to use as a real, physical address that is associated with my real name and that is used for things like Government issued ID. In the future when I move again, I plan on renting a place in cash to try and keep my name dissociated with my real address. For those looking for reasoning on why one would want to do that, please read How to be Invisible by J.J. Luna. It's truly the Bible of physical privacy.
At this stage I am just going off on a ramble, so I should cut it short here.
I have just started and I live for this shit.
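The per-recipient alias tracing described in the post above, as an added example that is not part of the original post: it checks each message delivered to an alias against the one service that alias was given to and reports mail from anyone else. The alias addresses, domains and sample messages are constructed, and the From header can be spoofed, so a hit is an indicator rather than proof.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed register: alias handed out -> domains that legitimately hold it.
ALIAS_REGISTER = {
    "xyzinc@alias.example": {"xyz-inc.example"},
    "shop1@alias.example": {"shop-one.example"},
}

# Envelope-style headers come first: To/Cc may not show the real recipient.
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

# Constructed sample messages.
SAMPLE_MAIL = [
    "From: Careers <jobs@mail.xyz-inc.example>\nTo: xyzinc@alias.example\n"
    "Subject: Application received\n\nThanks.\n",
    "From: Deals <promo@bulk-sender.example>\nDelivered-To: xyzinc@alias.example\n"
    "To: Valued Customer <XyzInc@alias.example>\nSubject: Hot offer\n\nBuy now.\n",
    "From: Shop One <orders@shop-one.example>\nTo: shop1@alias.example\n"
    "Subject: Order shipped\n\nOn its way.\n",
]


def recipient_aliases(msg):
    """Return the registered aliases this message was addressed to."""
    found = set()
    for header in RECIPIENT_HEADERS:
        for value in msg.get_all(header, []):
            # Parse each header value separately so one malformed header
            # cannot blank out the addresses found in the others.
            for _, addr in getaddresses([value]):
                found.add(addr.lower())
    return sorted(found & ALIAS_REGISTER.keys())


def sender_domain(msg):
    """Domain part of the From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_expected(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def find_leaks(raw_messages):
    """Return (alias, issued_to, seen_from) for mail from an unexpected sender."""
    leaks = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = sender_domain(msg)
        for alias in recipient_aliases(msg):
            allowed = ALIAS_REGISTER[alias]
            if not is_expected(domain, allowed):
                leaks.append((alias, sorted(allowed), domain))
    return leaks


if __name__ == "__main__":
    for alias, issued_to, seen_from in find_leaks(SAMPLE_MAIL):
        print(f"{alias} was issued to {issued_to} but received mail from {seen_from}")
```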
I'm utterly, utterly baffled. Stumped. Bemused. Befuddled. Bamboozled. I cannot explain this. At all.
I crash on my desktop, often (but not always) while opening Chrome. Crash can be 1m after boot, or 4 hours after boot. Machine blackscreens, stops responding, doesn't send anything to the monitor or respond to scroll lock or capslock.
Fairly standard - but I do NOT crash if there's a game running. Literally can run GW2 for as long as I need to, or warframe, or Titanfall, and it's solid as a rock.
I've arranged an RMA for my GPU as it's the most recent addition to the system (25 Feb 2014) and it was blackscreening on wake (but with a responsive PC/keyboard and the media server was still up), but I'm stumped. I've never seen anything like this.
What causes a rig to blackscreen when browsing or opening explorer, but doesn't have ANY problems when it's running high end games at max rez?
2500k @ 4.5GHz
R9 290 4GB Factory OC
700W Seasonic PSU
1 SSD (OS + Games)
2 HDD (Stuff)
Midrange Gigabyte mobo, nothing special
8GB DDR3 @ 1600MHz
Win 8 64 Bit
EDIT: Memtest results are in. No problems found. Ran for 8 hours, zero errors. http://imgur.com/wDBxVES
Ran MS Defender, no viruses found.
Installed Avast, turned off MS Defender, full scan, no viruses found.
Files Detected: 11
- D:\Media\Downloads\cgminer-3.8.5-windows.7z (PUP.Optional.Cgminer) -> Quarantined and deleted successfully.
- D:\Media\Downloads\DuplicateCleaner_setup (1).exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
- D:\Media\Downloads\DuplicateCleaner_setup.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
- D:\Media\Downloads\FileBot-setup.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
- D:\Media\Downloads\guiminer-scrypt_win32_binaries_v0.03.zip (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
- D:\Media\Downloads\pooler-cpuminer-2.3.2-win64.zip (Riskware.BitcoinMiner) -> Quarantined and deleted successfully.
- D:\Media\Downloads\cgminer-3.8.5-windows\cgminer.exe (PUP.Optional.Cgminer) -> Quarantined and deleted successfully.
- D:\Media\Downloads\cpuminer\minerd.exe (Riskware.BitcoinMiner) -> Quarantined and deleted successfully.
- D:\Media\Downloads\LTC_minerz\poclbm.exe (Trojan.BtcMiner.TS) -> Quarantined and deleted successfully.
- D:\Media\Downloads\LTC_minerz\cgminer\cgminer.exe (PUP.BitCoinMiner) -> Quarantined and deleted successfully.
- D:\Media\Downloads\LTC_minerz\stratumproxy\mining_proxy.exe (PUP.Proxy.BCM) -> Quarantined and deleted successfully.
Wonder if I have (or hopefully had) a malware issue. GW2 is running in the background and it's still not crashed...
Ideas anyone? Am thinking about ordering a new CPU/Mobo and seeing if that fixes it - next on the list (after another crash) is going to be a W8 re-install.
OS re-installed and BIOS updated, still crashes. Definitely hardware. Definitely not RAM, definitely not storage (SSD or HDD). Crashes still independent of load - but most common when clicking on something (Firefox, Chrome or Evernote for example).
So the candidate list as far as I can work out is:
- CPU (moderately likely, though stressing with linpack or OCCT or prime does not cause crashes, and it's happy while playing GW2)
- mobo (happy while gaming, unhappy when asked to execute a crappy little program like Chrome. Weird? gotta be unlikely)
- PSU - Feeling like this is a likely candidate.
- GPU - but doesn't crash when rendering ~100 players at max res in GW2.
Soooooo.... can anyone think of a thing to test next?
Final edit: running on the onboard GPU on mah telly. Flawless, no crashes at all. I think it's the GPU, the 2D processing chip or whatever must've been borked.
Recap: new GPU, no crashes. All is now good!