Hello, if today I’m writing this post, it’s to share my actual opsec with Qubes, and get new ideas to improve my anonymity/security. My threat model is LE, I’m not doing anything illegal, but I want to exchange information without getting de-anonymized.
I’m looking to get two separate identities over the web, without any link between the two.
My current first identity (working through Tor) is:
WhonixWS => WhonixGW => sys-vpn => WhonixGW-2 => sys-net ( public wifi used with a wifi antenna )
The second identity is actually (working through basic apps such as Telegram, Discord & Snapchat):
Anbox => WhonixGW-3 => sys-vpn-2 => sys-net (the same public wifi used with a wifi antenna)
I got different VPN licenses (Mullvad), Whonix gateways, etc… and everything else (names, pictures, emails, etc…) different on both identities.
Every single app used out of Anbox/WhonixWS has its own TemplateVM/AppVM and is isolated from wifi (Keepass, Veracrypt, etc…). I’m open to any criticism, and anything that I could do to enjoy more security/anonymity.
First thought -
The obvious challenge is this:
“public WiFi used with a WiFi antenna”.
Any disruption to that WiFi, or power, will allow for correlation.
Get a UPS
Better to use two sys-net with separate access points.
You don’t mention language, date/time, or use time.
Consider all of these.
I’m assuming you have reviewed the risks of using Tor over VPN
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
I’d add to other suggestions - read about other users and learn from
their errors.
Ross Ulbricht was identified at least in part by exactly this kind of
mistake.
Better to use two sys-net with separate access points.
I thought of using two different 4G from two phones.
I’m assuming you have reviewed the risks of using Tor over VPN
Well… the only risk I know is that the VPN can snitch on you, and in certain cases, see your traffic (like the exit node) if the website isn’t encrypted with HTTPS. Using a VPN in my case will give me better anonymity, but will increase my risks. That’s why I thought of using Tor before and after the VPN. Also, only using a trusted VPN that does not log anything, and paying using Monero.
Because I’m not using Dread anymore. I’m not doing anything illegal, so I won’t change my keywords. If I was doing anything illegal, I just want to tell you that you’re a snitch.
minimal templates and disposable appVMs
I got VMs just as needed.
firewall settings / pi-hole
I tried to set up a pi-hole but it only works with a static IP. What if instead I use the sys-firewall and only authorize the app IP I’m actually using? If for example I’m using Signal on that appVM, I actually only authorize the Signal IP?
Lokinet (with exit node)
Unfortunately I can’t do a sys-lokinet because it only works if you run lokinet in the same appVM as your other apps, so I couldn’t run it with my Anbox (Discord, Telegram, etc…) and also in my Whonix which is already using its own gateway.
Uninterruptible power supply.
You need to make sure that your two identities can’t be correlated with
external events - e.g. power outage (accident or deliberate).
When I’m doing qubes-task it says usage etc… so it’s successfully downloaded in my dom0, but when I’m doing qubes-task install pihole, it opens a white window with sys-firewall as title, and it’s written: Unable to find a match: 3isec-qubes-pihole
I don’t see this.
What happens if you run sudo qubes-dom0-update from command line in dom0?
Do you see the 3isec Qubes dom0 repository being updated?
Are there any errors?
That’s what you want the DGSE to read when they find evidence by correlating your activities on different forums.
We both know that this is not true, and you’re trying to mitigate the risk of being caught by “LE” since you’re trying to sell things on the Dark net. Note that Qubes OS Team is not responsible for any of your activities.
so I won’t change my keywords
There’s no need to be aggressive, I’m just trying to give you some good advice to improve your OpSec.
Like dear @unman said, we have to learn from others’ mistakes before you are yourself in the category of “others”.
If I was doing anything illegal, I just want to tell you that you’re a snitch.
Thank you! I really appreciate it, it means the world to me LMAO.