The "Solution"

So in the wake of all the ME/PSP/TrustZone, UEFI/firmware exploits, pozzed OSs, Vault7 CIA stuff, etc, what would be the best realistic alternative or "solution" for the average tech person?

Here's my example (please criticize it and give better solutions)...
""Hardware:""
CPU: AMD FX 8370 (One of the last "modern" powerful CPUs that do not contain PSP. The resulting heat generated by this kind of CPU has to be tolerated anyways since this example needs to be able to support multiple VMs, gaming, etc.)

Motherboard: One of the lower end mobos listed here asrock.com/Feature/3TB/index.asp that do not have UEFI, or at least do not mention it. I read from a thread that the M5A99X Evo 2 may have coreboot running on it, and provided this link coreboot.org/pipermail/coreboot/2012-February/068459.html But from what I read in that, it only mentions he got it halfway working? For a noob tech that's not a very helpful solution. It sure would be nice to see a coreboot fully supported desktop AM3+ mobo, even if just one of the mobos, but I have not seen any such thing so far.

Rest of the hardware is whatever.

""Operating System:""
OpenBSD (or Gentoo if you can configure a non-systemd version of it.)
This way on top of a hopefully secure OS running on non-pozzed hardware, you can run VMs with whatever OS you need for its functions. For example, for gaming, you can start up a virtual machine running Win7 with GPU card passthrough; or for private internet browsing, start up a virtual machine running Tails. This way, you can run whatever you want, on privacy and security friendly hardware and OS. inb4 Arch, Arch is pozzed with systemd.

""P2P Chat Software:""
Tox.chat (I've seen some anons criticize it, but did not give any reason or evidence)

""Browser:""
Firefox or a fork (Palemoon), with all the necessary configurations and addons https:// privacytoolsio.github.io/privacytools.io/
Tor Browser

""VPN:""
One that is not in the Five Eyes, and has strong encryption + no log policies. Was going to link to thatoneprivacysite but it seems it got shut down. :(


Even if it's not truly secure, it's at least a best effort progress compared to the mainstream options, and cuts down on the attack surface area (getting rid of ME/PSP, UEFI, etc). For the old Thinkpads people, old Thinkpad laptops are not realistic (from what I can see) for running multiple VMs, gaming, etc. while at the same time preserving some degree of control over privacy and security.

What do you think? Is it all truly vanity?


Apparently I am terrible at formatting. Sorry anons.

Read Vault 7 >>> CIA Niggers hate old comodo firewall.

Download old comodo firewall.

cis_5.12.256249_x86
cis_5.12.256249_x64

extract the exe with 7zip >>> clean install, your XP/7 is now secure.

Use a router. >>> Put openwrt in it.

Why? stock routers have kernels old as my nanny. CIA Niggers break them if (((needed)))

That's a minimal set. A secured OS that werks AND A ROUTER WITH RECENT KERNEL

L0L
0
L

@ anything VPN related. Really?

Do your own SSH >>> SHELL

I'd like to interject here for a moment with some URLs

tomoyo.osdn.jp/

youtube.com/watch?v=kvmWLRddzaM

Mandatory Access Control (MAC) implementation for Linux.

But then that remote machine might as well be your personal machine since the only traffic coming to and from it would be linked to you. With a VPN, many people use a remote machine and so the traffic coming from it can't in theory be linked to a single machine.

So you go in on a shared VPS with a few other anons and run a Tor exit node.

coreboot AM3+ mobos would be the best solution but I don't see this happening in any time. Also the recent version of the M5A99 is the Evo R2, which might be different again
I wonder if it makes sense to get a non-UEFI board from the same manufacturer you don't trust because of their UEFI. Their legacy BIOS might be pozzed as well.

The easiest solution is to get one of those old chinkpads and flash them with libreboot.
Then install a linux without systemd on it. Disadvantage is just that your hardware is fucking slow.

also FX-8370 is an overclocked FX-8350
Those cpus are overkill for internet browsing and as you will likely have a gaming machine already, the FX-6300 or 4300 would be sufficient for online use.

You're right, this is really all that matters and you can extend this approach as much as your threat model or paranoia demands. Look into Qubes too.

if you are truly a target of the CIA, you need to log off. Your only serious communication options are courier, dead drop, or face to face. airgapped pc. etc.

There will never be a complete and bulletproof solution since exploits will always exist for everything. The thing to do is reduce attack surface and mitigate as many attacks as possible with whatever attack surface you have. Use OSS and OSH whenever possible and of course, install gentoo.

I have seen those Russian made CPUs online but never for sale. Where would I find one? I would rather the FSB spy on me than the NSA.

Absolutely this. In addition, your paranoia should match your threat model.

Basic security from skids and malware? Block ads. Don't download shady shit.

Corporate datamining and dragnet surveillance? VPNs/TOR only. Vetted FOSS. Thinking before you post. Don't leave a trail between accounts. Try to dox yourself from time to time. Be conscious of how you speak and what can be used as a shibboleth to detect your writing.

Trying not to get pwned by the CIA/NSA? It's not a matter of installing this or that on your computer. That encompasses a whole range of security measures that will thoroughly destabilize your life. You will have to live on the lam because any piece of technology will be hacked eventually, and your location calculated. You'll be buying burner phones and laptops constantly, using random open wifi networks as you flee from place to place. Only then are you reasonably safe from the watchful eye of Panopticon.

Everyone is a target of the CIA. But they're not all-powerful, so if you take the right steps they won't be able to pwn your computer. The thing is, most people are addicted to social media, games, smartphones, and other things that will prevent them from taking those steps.

Yes, but for what purpose? Are you part of some resistance movement or terrorist organization? Are you trying to destabilize the system?
Otherwise it's all just larping or some useless illegal shit like selling/buying drugs.
Now don't get me wrong, I torify almost everything on my system but that's just because I feel personally uneasy. I don't really care that much about 100% NSA-proof opsec, not even to the point that I would disable JS or connect only in a VM, which is a bare minimum.

What's special about that version of Comodo Firewall?

The problem with older CPUs is that they don't have SMEP/SMAP (and other ); the only way to get that is with newer ones, or grsecurity has the software implementation of it, which is better than SMEP/SMAP. Sadly grsecurity will be going private & customer only, so you'll be stuck on 4.9 LTS with the current patchset (which is a million times better than the vanilla Linux kernel).

That's not lack of care, that's just being stupid. Javascript has been the main exploit vector in browsers after Flash and Java died. You wouldn't keep Java on either.


Afaik some CIA niggers mentioned that the later versions are easier to own and were frustrated that many targets stayed at the old version because they knew.

What are you, the CIA?

But yeah, I'm not super paranoid either. Random Asus laptop + GNU + Linux + suckless tools + text browser + Tor + common sense.

How do you block UEFI from phoning home / connecting to the internet? Is it like the ME where it can only use the onboard LAN port?
This is really scary

My point is that if you're not trying to actively bring down the system (and I hope somebody does) then you're just larping. What's the point of opsec if you're not actually going to do something worthwhile? What's operational security without an operation? Pointless security.

Non systemD noob OS should be PCLinuxOS, it even ships with Palemoon. It's what I'm putting on my gf's PC after her pre-systemd Ubuntu is unsupported.

It's not pointless. Having stuff running on your computer that you didn't put there is a problem. You become part of the botnet, and your hardware can be used to cause mayhem, or even just listen in on your surroundings at home that are supposed to be private.
And even if none of that happens to me, I still don't want cia niggers fingers up my asshole. They can go fondle their own damn computers.

It's not completely new. PXE has been around for a long time and can boot kernel over the local network, via TFTP.
Maybe you can rip out all your network devices like ethernet, wifi, etc. and just do everything via serial port. Since serial is no longer standard, it's possible UEFI and ME aren't set up to use that. You'll probably have to buy an I/O card. I wouldn't trust anything USB, that's much too complicated.

What about something simpler yet robust. Debian? I suppose Tails uses it because Tails is FBI honeypot or something?

It works fine with Tor, but Tor support in Tox is more of an afterthought (you need a TCP relay), rather than design. The alternatives specifically designed for Tor use (i.e. can exist in complete absence of clearnet nodes) are generally preferred in Tor land.

Only in the form of Tor browser when sandboxed in a VM. What about Chromium for general browsing?

This is a difficult one and people often make mistakes there, especially amerifats who are not allowed to acquire bitcoins anonymously. Yet bitcoin is one of the few ways to pay a non-US company in a US-hostile country (some parts of Eastern Europe, the Balkans and Asia are generally a good choice).

Obvious bait.

Holy shit bro. All it takes is adding "-systemd" to your package.use. It's not rocket surgery.

I had a nice goof, ghaff, and laugh.

I'm thinking of going from Ubuntu to Gentoo. I've been reading the manual/guide and see that the only supported stage is stage 3. Does this mean that the bootstrap is set as SystemD? You guys on here talk about installing Gentoo as "non SystemD version".

tl;dr
Does Gentoo come with SystemD if you don't start at stage 1?

This isn't bait btw, Holla Forums is convincing me to installgentoo

Fuck off Holla Forums. Every time I see one of you faggots breaking links, I intentionally set my referrer to 8ch.net and visit the links just to spite you. But before you call me a cuck, I'll address your post. All of it is shit. Every single word. You clearly don't value security as you actually disregarded Arch Linux because it was "pozzed" by systemd while at the same time going on a tangent about how you can run Windows 7 in a VM for your vidya games.

Your hardware list is incomplete as you are forgetting about hardware firmware. For example, the NSA has the ability to rewrite your hard drive firmware with malware. Your autistic energy would be better suited at preventing sidechannel attacks and leaks as those threats are more realistic than the government boogeyman backdooring your hardware.

As for the software, I recommend you use hardened Gentoo. It gives you complete control over your operating system and you become less dependent on package maintainers as you compile everything yourself.

"P2P chat software": Tox is shit. Case closed. If you insist on the P2P meme then I suggest Ricochet.

"Browser": Tor Browser or Lynx. I cannot fathom why browser debates are still a thing on Holla Forums when these two browsers are the only good ones left.

"VPN": Like this user, , I too lol @ at your example but for a different reason. It doesn't matter what country your VPN is in. Every single country spies on you but since you would rather take advice from Reddit, you are forgetting that there are more than "Five Eyes".

You don't need an old Thinkpad laptop to escape Intel ME. Thanks to the efforts by the Coreboot team, you can use the me_cleaner script and effectively neutralize Intel ME - deny internet access, remove botnet software, etc. github.com/corna/me_cleaner


The Tails devs still don't have grsecurity or PaX. And they also still don't have a persistent Tor state, opening you up to attacks from bad guard nodes. The AppArmor profiles they use are too permissive as well. They also ask that you don't update software because it's risky when it's more risky to NOT update software. We also can't forget about the fact that they for some reason didn't set the Tor Browser homepage to about:tor, making tails.boum.org a perfect venue to track or deliver exploits to Tails users since the Tor Browser defaults to a "Low" security level! The software (htpdate) they use to sync time was fingerprintable for the longest time since no one with a Tor Browser useragent sends PUT requests, and once they realized this they decided to "fix" it by making themselves even more fingerprintable instead of just sending GET requests.


Four sentences. Four sentences and you thought it was necessary to make a TL;DR? But to answer your question, no. Read the handbook again and actually parse the sentences this time.

I can continue to critique the "advice" in this thread but all in all, it's all shit. Every time we have these kinds of threads they're always filled with FUD and shitty advice. I would love to have a nice security thread one day.

WHY
HOW
I CAN NOT SEE ANY WAY IN WHICH IT'S BAD

Well seeing as it's always garbage threads... why don't you start "a nice security thread"? Otherwise all we have is what is here or in the 8ch bunkers.

Part 1 - cryptsetup

part 2 - lvm2

part 3 - the gentooing
>`tar xvjpf `

Then do a normal gentoo install.

But when it comes to making an initramfs, I recommend using better-initramfs from funtoo, just wget/curl/ftp the tarball into opt and follow the instructions

bitbucket.org/piotrkarbowski/better-initramfs.git

Have fun

this is how to install encrypted gentoo for non retards, btw

For my browser I just use Icecat with ublock, umatrix, secret agent spoofer, https everywhere, and Foxyproxy configured to use TOR/I2P when required or at will.

If you want to browse completely in the blank I like to use 'torify surf', surf is a browser made by the guys at suckless.org (just be aware you should make .surf/cookies.txt immutable)

Gentoo does not come with systemd. It comes with OpenRC, which is lovely

also, stage 1&2 aren't for you, they're for devs and people using weird systems and building US Navy databases

Do nothing of that gay ass shit where you pretend to be doing something important like Snowden and you go and buy all THIS FUCKING HACKER STUFF because roleplaying autists told you that the chinese hack daily into your usb camera to watch you masturbate to fucking boku no pico.

You buy another computer, set up a directional antenna and use the best connection available. You'll want to pretend you're basically someone or something else, with a really common name ie "Mohammed Yang" and use baby-tier shit like a VPN doesn't matter which as long as it accepts bitcoins.

You shouldn't submit so easily to a state that has shown itself unworthy of submission. They're not out for your best interests, or to make everyone's life better. They exist only to protect the elites and advance their agenda, nothing more. Everyone else are just useful pawns or collateral damage.
Anyway I couldn't see doing things differently. I started getting into security just to keep my servers from getting pwnd, but now it's to have peace and quiet and not deal with all the malware that plague modern computer systems. Well I grew up on 8-bit micros, where your computer was yours, nobody fucking with it (except maybe your siblings), not even the OS manufacturer ("Windows updates" shit, etc.) This is the normal state of things, and I can't accept subversion to a "new normal" state where everything is infested and broken by design.

You set -systemd as a global USE flag and also add systemd to package.mask for extra protection. Then Gentoo will install OpenRC instead.
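
Added example, not part of any post in this thread: a shell check for the two Portage settings the post above describes (a global `-systemd` USE flag and a mask on systemd). The function names and the sample tree are made up for illustration; `sys-apps/systemd` is the package atom assumed for the mask.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Portage config directory for
# the two settings described above. Function names are hypothetical.

# Print a Portage config entry that may be a single file or a directory,
# with comments stripped.
portage_cat() {
    if [ -d "$1" ]; then
        find "$1" -type f -exec cat {} + | sed 's/#.*//'
    elif [ -f "$1" ]; then
        sed 's/#.*//' "$1"
    fi
}

# Succeeds if any USE="..." assignment in make.conf contains the token
# -systemd. Lines are joined first so multi-line USE values are handled.
has_use_off() {
    portage_cat "$1/make.conf" | tr '\n' ' ' |
        grep -Eq '(^|[[:space:]])USE="([^"]*[[:space:]])?-systemd([[:space:]][^"]*)?"'
}

# Succeeds if package.mask masks sys-apps/systemd (any version or slot).
# sys-apps/systemd-utils is a different package and must not count.
has_mask() {
    portage_cat "$1/package.mask" |
        grep -Eq '^[[:space:]]*[<>=~]*sys-apps/systemd(-[0-9][^[:space:]]*)?(:[^[:space:]]*)?[[:space:]]*$'
}

# Report both checks; exit status 0 only when both settings are present.
audit_no_systemd() {
    rc=0
    if has_use_off "$1"; then echo "ok:   USE contains -systemd"
    else echo "miss: -systemd not in USE ($1/make.conf)"; rc=1; fi
    if has_mask "$1"; then echo "ok:   sys-apps/systemd is masked"
    else echo "miss: sys-apps/systemd not in $1/package.mask"; rc=1; fi
    return $rc
}

# Constructed sample tree so the script runs on any machine; on a Gentoo
# system call: audit_no_systemd /etc/portage
sample=$(mktemp -d)
printf 'CFLAGS="-O2 -pipe"\nUSE="X alsa \\\n     -systemd -pulseaudio"\n' > "$sample/make.conf"
mkdir "$sample/package.mask"
printf '# keep systemd out\nsys-apps/systemd\n' > "$sample/package.mask/systemd"
audit_no_systemd "$sample"
rm -rf "$sample"
```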


Gentoo will install systemd by default.

No, it won't.

Is Qubes pozzed ?

You don't really get people recommending it. Is this because it is compromised in some way or is it because it's a pain in the ass to use?

butttriggered by le Holla Forums boogeyman

Not an argument. Holla Forums isn't a sekrit club. Fuck off.


Qubes works well but I disagree with the developers' decision to provide passwordless sudo. The template VMs aren't hardened either. You could say that Qubes is better at containing breaches rather than preventing them from happening in the first place - which isn't a bad thing in and of itself but a balance must be found.

It installs OpenRC by default. I always add -systemd to USE flags anyway just to make my stand.

Also, does hardened make any difference for a desktop system? After all you aren't going to install something unreliable from a 3rd party anyways are ya? The way I see it is hardened is only important when active attacks are involved. Normal desktops shouldn't have to deal with malicious code (the browser, irc etc. would be run under the least-privilege-principle anyhow).
Am I wrong?

t. bulldozer+gentoo masterrace