This post is adapted from a presentation given at BSides Charm.

Abstract

As more data is collected at different layers of our digital lives, an understanding of anonymity becomes a vital skill. While operational security (OPSEC) is important in practice, the technical setup for anonymity is a prerequisite to any operation. Given the range of use cases for anonymity and the many different actors who attempt to dismantle it, this design considers an environment in which everyone is an adversary. This article should serve as a start-to-finish guide to setting up a laptop for anonymous usage. While it covers OPSEC in different sections, it is not meant to be an exhaustive guide on the topic.

Introduction

Many companies are turning toward data collection and remote storage. This removes control from the consumer and exposes their data and activities to third parties. Each layer of usage is a potential point of data insecurity: computer manufacturers, operating systems, applications, network access points, internet service providers, webpages, retailers, governments, and any partners of the controlling organizations with whom data is shared. Given the many points of failure and the possibility that any of these collections of data can be breached by an attacker, it is wise to treat every group as an adversary regardless of whether they are directly targeting you.

OPSEC is critical at every stage of an operation. To ensure anonymity, operations will require significant planning and care during execution. Security researcher the grugq sums it up well:

Strong OPSEC means low efficiency, while high efficiency necessitates weak OPSEC. The strength of the oppositional forces dictate the minimum security requirements of the covert organization. - the grugq (source)

Simply put, you must be willing to jump through hoops in order to preserve your anonymity.

The design covered in this guide is based on a laptop and a Raspberry Pi. It uses the grugq’s PORTALofPi router, which turns the Raspberry Pi into a Tor router: all traffic routed through the Pi is sent through Tor.

Acquiring Materials

The first stage in an operation is securely gathering the required equipment. System attributes will be leaked during normal operation. For example, your network adapter’s MAC address is available to the network access point you are connecting through. If the MAC address is associated with a specific laptop manufacturer, store, or region, that can help narrow down identification. While you can randomize a MAC address, not all system attributes can be changed. Because of this, it is necessary to dissociate any purchase from your concrete identity.

In order to do this you need a currency that is not associated with your identity; most importantly, no credit or debit cards. Cash is an excellent option, as are prepaid gift cards (though you will likely need to purchase these with cash). It is unlikely that there is a major scheme correlating bill serial numbers to debit withdrawals. However, under the everyone-is-an-adversary threat model, it is safer to acquire cash via cashback or other means (working, panhandling, etc.).

Our bill of materials:

Laptop

Raspberry Pi 2

Micro SD Card

WiFi Adapter

Ethernet Cable

Burner Phone

USB Ethernet Adapter (optional)

Second Ethernet Cable (optional)

Bitcoin / Cash Cards

Altogether these items can be purchased for less than $500. It is important to purchase them from a physical retailer so that they are not subject to interdiction by an adversary.

It is possible that sometime in the future the device you purchased will be recovered by an adversary. The serial numbers of the various parts of your device may be tracked to that specific retailer. It would then be possible to recover clues to your identity from the security footage. It can be beneficial to wear clothing that masks your face, for example, sunglasses and a baseball cap. There have been methods researched to defeat automated facial recognition, however, these methods may draw more attention than desired.

Bitcoin is the cryptocurrency of choice right now. It is easy to obtain and accepted by many retailers. There are a few ways to acquire Bitcoin, none of which are fool-proof in protecting anonymity. For example, Bitcoin ATMs have cameras and require a phone number. Mining over Tor provides more security than Bitcoin does by default, but Tor users can be deanonymized with certain attacks and it is likely that you would be mining from an IP address associated with you. Due to this it is crucial to use mixers. There is a possibility that a mixer is controlled by your adversary so using multiple mixers is advised.

The burner phone is another consideration. It should be purchased in the same manner as the rest of the hardware: as anonymously as possible.

Hardware and Software Setup

The laptop will be the main device and should be properly secured. The webcam and microphone should be disconnected. The battery should be removed so it can be powered down easily. Any radios, such as Bluetooth and WiFi, should be removed or disabled.

The operating system choice is up to the user; the OS the user knows best is the one they will be able to operate most securely. With that said, there are some good choices for the host system depending on preference:

Qubes OS isolates different areas of the system using virtualization, and also sandboxes networking code and USB drivers.

Subgraph OS implements application containment, a hardened kernel, and an optional Tor proxy layer.

HardenedBSD is a great choice if you are partial toward BSD; it implements security features that are missing from FreeBSD.

Xubuntu does not contain any hardening features, but it is often chosen because so many applications are built for Ubuntu. Xubuntu is preferred over Ubuntu as the lighter desktop environment may run better on a budget laptop. (Edit: Thanks to Reddit user bestbirdaround for pointing out that stock Ubuntu does offer full disk encryption on install.)

For any operating system the disks should be encrypted. This prevents your adversary from recovering data from your disks when the system is not powered. It was mentioned previously to remove the battery from the laptop; this is so that if your laptop is stolen in a snatch-and-grab operation it will shut down when removed from the power source.

The Raspberry Pi will be used as a Tor router that fails closed. This design utilizes the PORTALofPi build script from security researcher the grugq. There are pending pull requests that add additional security features to the system that should be considered. This script configures an Arch Linux Raspberry Pi installation to act as a router for any computer connected to the Ethernet port. It forwards all traffic through Tor and when it cannot establish a connection through Tor it fails closed. If the laptop is compromised, this router adds an additional layer of protection from the public IP address being leaked.

This setup is significantly more secure if the Raspberry Pi connects to the internet via an Ethernet connection. This is incredibly inconvenient since most publicly available internet is offered through WiFi. In order to establish a connection via WiFi, the laptop needs some access to the Raspberry Pi to select networks and enter passwords. This access is established via SSH, which requires some modifications to the iptables rules on the Raspberry Pi. This SSH connection is what gives attackers the opportunity to leak the public IP address of the system: if an attacker were to compromise the laptop, with access to keylogging or SSH keys, they could then move to the Raspberry Pi, leak the public IP address, circumvent Tor and deanonymize the user. Further research is needed to lock down and isolate the SSH account while still allowing it to select and configure WiFi connections. Consider alternate methods to access the Pi, such as a monitor and keyboard.

The complete setup is the laptop connected to the Raspberry Pi via Ethernet, and the Raspberry Pi connected to the internet either via a USB WiFi adapter or a USB Ethernet adapter.

Burner phones require activation and some block activation via payphone. However, it is possible to activate them online via Tor. A phone is generally required when operating anonymously as many sites require SMS verification. Bitcoin ATMs also require a mobile number.

A Bitcoin wallet should be created to capture the Bitcoins you purchase. The Bitcoin core client syncs the entire blockchain to your computer. Since the computer is operating over Tor this is incredibly slow. Two alternatives are the Electrum client (native) and Blockchain.info (web).

Operating Securely

There are some basic OPSEC principles that should be established. A lot of these points are sourced from the grugq’s talk Opsec, Zoz’s talk Don’t Fuck It Up, and Whonix’s DoNot list.

Never operate from a location associated with you. There are attacks against Tor that can reveal your IP address. If your public IP address is revealed as your home or business then you are immediately identified. By operating from somewhere not associated with you, such an attack will ideally only reveal your general location.

Be conscious of being tracked in public. There are technologies that make it easy to track people in public. Automated license plate recognition (ALPR) systems have been deployed on many police vehicles as well as by private companies. These systems use computer vision to extract the text of license plates. The license plate is associated with the location it is spotted at, effectively tracking any vehicle that is seen. There is also a company, Persistent Surveillance Systems, that monitors large areas using high-powered cameras attached to airplanes. This allows their customers to rewind the movement in an area, tracking vehicles and people back to their source. Given these technologies and their limitations, it is best to travel more than 15 miles from any place associated with you, in a vehicle that cannot be tied to anyone you know. Consider using public transportation, though there are likely cameras monitoring both the vehicles and the stations. Bicycles and mopeds that do not require registration are a great solution, as may be a hired car that you can pay for in cash.

Aerial surveillance can be less effective in groups of tall buildings.

Do not wear your regular uniform. Many people have a limited wardrobe. If what you wear can help narrow you down (e.g., the person in Sometown, USA who wears all black), it is critical to wear different clothing while operating. Also cover any recognizable markings on your body, including tattoos.

Leave your personal cellphone at home. Cellphones connect to many different companies during normal operation, most significantly the cell service provider for coverage and the operating system manufacturer for system analytics and built-in services. Any applications on the phone could also collect data. Each time the phone connects to a cell tower during normal operation, it should be assumed that the connection is logged and that your phone has been associated with that location. There are also IMSI catchers that act as fake cell towers and collect a log of phones in the area. With all these technologies it is very easy for your phone to place you at a location at a specific time. It is best to simply leave the phone behind or disable it by removing the battery. Turning it off while you are operating can lead to a correlation between your phone being down and operations taking place. It should instead be kept in a plausible location that indicates normal use.

Keep the battery removed from the burner phone when it is not in use. Malware has been known to fake the phone’s off state. To make sure that any phone is truly off, the battery should be removed.

Only turn on the burner cellphone at locations that are not associated with you. Given the nature of the burner phone and its strong connections to your anonymous accounts, ensure that it is never turned on in a location associated with your real identity.

Never call anyone associated with you from the burner cellphone. Given the metadata that is collected about who is in contact with whom, calling someone you know can link that phone to a social graph associated with you.

Store your devices securely when they are not in use. The Raspberry Pi is not configured to have an encrypted disk, which means that an adversary who gains physical access to the SD card can modify it arbitrarily. Physical implants could also be installed on the laptop, and the adapters (WiFi or Ethernet) could be replaced with dummy devices designed to call out to your adversary. Because of these physical attacks it is critical to store the devices in a reasonably secure and tamper-evident manner when they are unattended.

Never log into accounts associated with your anonymous identities without Tor. It should be assumed that every site is logging the IPs associated with each account. Even a single login can circumvent the protection that Tor provides, revealing general information about your location and operations.

Never log into your personal accounts at the same time or from the same systems as your anonymous accounts. If both are logged in at the same time, a correlation can develop between the two accounts. It should also be assumed that a system could be compromised; logging into a personal account from a compromised system would directly reveal to an adversary who is operating on the system.

Be conscious of advertisements and cookies that track users between sites. While this tracking does not directly reveal your identity, it can associate operations or remove the separation between multiple identities that are being managed. Take the necessary measures to avoid being tracked online while operating, including regularly clearing cookies, installing adblocking software, and disabling JavaScript where possible.

Dissociate from yourself any cryptocurrency that is linked to your real identity. There are very few ways to acquire a cryptocurrency without revealing pieces of your identity to some entity. Purchasing in person allows the seller to see your face; however unlikely, this person may be an agent of your adversary. Bitcoin ATMs will have a camera and require your burner’s SMS number (which also associates a picture of you with your burner number). Mining can reveal your IP address as it is a rather stationary activity. Connecting to a mining pool via Tor is a good option, but Tor users’ IP addresses can be revealed by an attacker with sufficient resources. Given these constraints, you should always use mixers before spending your coins, and multiple mixers in case the one you use is controlled by your adversary.

Manage multiple plausible identities that would be investigated if your machine becomes compromised. Many people sabotage their own attempts at anonymity by using pieces of their real name as a username, or a username that is associated with them in real life. To avoid this pitfall, work under an assumed identity while operating.

Change out your hardware. Given the possibility of compromise, and the contamination that occurs if any device you use becomes associated with you in real life, it is important to change devices. For example, using a burner cell phone to purchase Bitcoins from an ATM will associate that phone number with your picture. That phone should be considered compromised after such a use and a new phone should be purchased.

Don’t make friends. Getting friendly and sharing details about your life will destroy your anonymity. Do not attempt to make personal connections when operating.

Once you are set up there are additional measures that can be taken to harden your security. Using services that provide end-to-end encryption is good; using PGP achieves the same goal and does not rely on trusting a service provider. If your chosen host OS does not already do so, compartmentalizing programs and data in virtual machines can add a layer of protection against system compromise.

You should also acquire a jumpbox: a server that is purchased anonymously and not associated with you in any way. This server is where you store any information on your operation, so that if your hardware is compromised you do not become tied to the operation. It should be purchased with Bitcoin that has been mixed.

While a smart burner phone may increase the attack surface through which you could be deanonymized, if one is required for use of modern applications it is recommended to use a hardened operating system. One solution to this is CopperheadOS, a hardened version of Android. Unfortunately for this solution, the supported devices are expensive and do not qualify as good burner phones for anyone without an extensive budget.

Additionally, when using Tor you will often run into services like Cloudflare that require verification before accessing a website. This becomes incredibly tedious. Using a VPN that you connect to through Tor will give you a clean IP address. You must be careful not to use the same IP address or VPN provider across multiple identities, as this can lead to a breakdown in their compartmentalization.

Conclusion

Operating securely does require a significant budget, in terms of both time and money. It is not an easy process, and for the average person it will likely be viewed as an unnecessary expense. Anonymity also requires technical knowledge. No solution is completely secure, but to have reasonable levels of confidence in a system one must have the technical understanding of why and how it works and what its weak points are.