Rate my opsec

Hello, I’m writing this post today to share my actual opsec with Qubes and get new ideas to improve my anonymity/security. My threat model is LE. I’m not doing anything illegal, but I want to exchange information without getting de-anonymized.

I’m looking to get two separate identities on the web, without any link between the two.

My current first identity ( working through Tor ) is:
WhonixWS => WhonixGW => sys-vpn => WhonixGW-2 => sys-net ( public wifi used with a wifi antenna )

The second identity is currently ( working through basic apps such as Telegram, Discord & Snapchat ):
Anbox => WhonixGW-3 => sys-vpn-2 => sys-net ( the same public wifi used with a wifi antenna )

I have different VPN licenses ( Mullvad ), Whonix gateways, etc… and everything else ( names, pictures, emails, etc… ) is different for both identities.

Every single app used outside of Anbox/WhonixWS has its own TemplateVM/AppVM and is isolated from wifi ( Keepass, Veracrypt, etc… ). I’m open to any criticism, and to anything that I could do to get more security/anonymity.

1 Like

impressive-very-nice

For a Snowden/10 rating I’d add I2P and rfc1149 to make traffic correlation harder.
Also buy a TEMPEST safe hoodie.

2 Likes

Some thoughts:

Security

  • minimal templates and disposable appVMs
  • Keepass > KeepassXC + Yubikey
  • Coreboot / Libreboot
  • Yubikey, Nitrokey, Onlykey
  • firewall settings / pi-hole

Anonymity

  • never use one of your listed messengers on any mobile devices (with the same / linked account)
  • updates via .onion
  • Librewolf
  • Lokinet (with exit node)
  • Session
  • pi-hole unbound

Besides all security and anonymity:

  • a good backup and recovery plan
3 Likes

Why did you delete your Dread account? You already leave a lot of traces by asking the same questions on different forums using the same keywords.

3 Likes

First thought -
The obvious challenge is this:
“public WiFi used with a WiFi antenna”.
Any disruption to that WiFi, or power, will allow for correlation.
Get a UPS
Better to use two sys-net with separate access points.

You don’t mention language, date/time, or use time.
Consider all of these.

I’m assuming you have reviewed the risks of using Tor over VPN

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes

I’d add to other suggestions - read about other users and learn from
their errors.
Ross Ulbricht was identified at least in part by exactly this kind of
mistake.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

2 Likes

I’ll look into adding I2P & Lokinet to my chain of security, but I’ll get a very bad connection, I think.

  • Get a UPS
    What do you mean by saying UPS?

  • Better to use two sys-net with separate access points.
    I thought of using two different 4G connections from two phones.

  • I’m assuming you have reviewed the risks of using Tor over VPN
    Well… the only risks I know of are that the VPN can snitch on you and, in certain cases, see your traffic ( like the exit node ) if the website isn’t encrypted with HTTPS. Using a VPN in my case will give me better anonymity, but will increase my risks. That’s why I thought of using Tor before and after the VPN. Also, only using a trusted VPN that does not log anything, and paying with Monero.

Because I’m not using Dread anymore. I’m not doing anything illegal, so I won’t change my keywords. If I was doing anything illegal, I just want to tell you that you’re a snitch.

  • minimal templates and disposable appVMs
    I have VMs just as needed.

  • firewall settings / pi-hole
    I tried to set up a pi-hole but it only works with a static IP. What if instead I use the sys-firewall and only authorize the app IP I’m actually using? If, for example, I’m using Signal on that appVM, I actually only authorize the Signal IP?

  • Lokinet (with exit node)
    Unfortunately I can’t do a sys-lokinet because it only works if you run lokinet in the same appVM as your other apps, so I couldn’t run it with my Anbox ( Discord, Telegram, etc… ) and also in my Whonix, which is already using its own gateway.

Here, you have automated pihole installation:

For lokinet, unman asked for feedback and new tools to add. You will get my vote for lokinet :wink:

PS: Your issue is most probably linked to DNS. See Linux troubleshooting - Oxen Docs

Both are giving me errors.

The first one gives me: Unable to find a match: 3isec-qubes-pihole

And Lokinet still doesn’t work after I added the DNS line and downloaded the latest version of resolvconf.

Uninterruptible power supply.
You need to make sure that your two identities can’t be correlated with
external events - e.g. power outage (accident or deliberate)

1 Like

What have you done?
Have you installed the repository and the tool?

Uninterruptible power supply.
I definitely understand now, so they can do a correlation by shutting down the public wifi tho.

When I run qubes-task it prints the usage etc… so it’s successfully downloaded in my dom0, but when I run qubes-task install pihole, it opens a white window with sys-firewall as the title, and it says: Unable to find a match: 3isec-qubes-pihole

I don’t see this.
What happens if you run sudo qubes-dom0-update from command line in dom0?
Do you see the 3isec Qubes dom0 repository being updated?
Are there any errors?

Got the same error even after updating the BIOS. Can you tell me where I can find the 3isec files in the filesystem? I’m at the start

Because I’m not using Dread anymore

Of course not, you’re still using Dread.

I’m not doing anything illegal

That’s what you want the DGSE to read when they find evidence by correlating your activities on different forums.
We both know that this is not true, and you’re trying to mitigate the risk of being caught by “LE” since you’re trying to sell things on the Dark net. Note that Qubes OS Team is not responsible for any of your activities.

so I won’t change my keywords

There’s no need to be aggressive, I’m just trying to give you some good advice to improve your OpSec.
Like dear @unman said, we have to learn from others’ mistakes before you are yourself in the category of “others”.

If I was doing anything illegal, I just want to tell you that you’re a snitch.

Thank you! I really appreciate it, it means the world to me LMAO.

4 Likes

you unmasked me… :shushing_face: