High resistance OpSec guide for activists - check different laptops google “qubes certified computers” not included in post

High‑Resilience OPSEC Guide for Activists

This guide outlines practical operational security (OPSEC) practices for activists focused on reducing attack surfaces, compartmentalisation, and deniability. It assumes a realistic threat model (state surveillance, device seizure, social graph analysis) and prioritises reliable security over exotic tricks.

1. Hardware: Start by Being Boring

Dumb Phones (Primary Phone)

  • Use a dumb phone as your only daily-carry phone.
  • Calls + SMS only, no apps.
  • No location tracking or social graph harvesting.
  • Do not log into activist accounts or pair with laptops.
  • Keep contacts minimal and non-descriptive.
Smartphones are tracking devices with a UI. Treat them as such.

Qubes‑Certified Laptop (Primary Computer)

Use Qubes OS on certified hardware only (see the official Qubes OS documentation).

Qubes OS is a security-focused operating system based on VM isolation. Each VM (or “qube”) can have a separate purpose and network configuration. This allows you to compartmentalise tasks and reduce risk if one VM is compromised.

  • Strong VM isolation
  • Limits blast radius of compromise
  • Designed for hostile environments

Hardware rules: Wi‑Fi and Bluetooth are not required; use Ethernet and avoid webcams.

2. Physical Attack Surface Reduction

  • Disable or remove Wi‑Fi, Bluetooth, camera, microphone
  • Methods in order of preference: hardware kill switches → BIOS/UEFI disable → physical removal → epoxy or tape as last resort

If it has a sensor, assume it can be activated.

3. Networking: Tor & Whonix

Tor Base System

  • All networking flows through Tor.
  • No clearnet browsing from main OS.
  • No exceptions “just this once”.

Whonix Architecture

  • Use Whonix inside Qubes.
  • VM layout: sys-whonix (gateway), anon-whonix (disposable work VM).
  • All browsing in disposable VMs only.

Persistence is memory. Memory is evidence.

Setting Up WebTunnel Bridges in sys-whonix

To bypass network censorship and use Tor in blocked networks:

  1. Open a terminal in sys-whonix.
  2. Edit the Tor configuration:

     sudo nano /etc/tor/torrc

  3. Enable bridges and add the WebTunnel bridge line exactly as you obtained it from the Tor Project (the transport name is "webtunnel", and the line carries the bridge fingerprint and a url= field; FINGERPRINT, the URL and the client path below are placeholders, not real values):

     UseBridges 1
     ClientTransportPlugin webtunnel exec /path/to/webtunnel-client
     Bridge webtunnel 123.45.67.89:443 FINGERPRINT url=https://bridge-host.example/path

     Without "UseBridges 1" Tor ignores the Bridge line and connects directly.

  4. Save and restart Tor:

     sudo systemctl restart tor

  5. Verify your Tor connection through https://check.torproject.org inside a disposable VM.
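A mistyped bridge configuration fails quietly: Tor either ignores the Bridge line or never starts the transport, and you only find out at the check.torproject.org step. The following checker is an added example (not from the original post) that lints the bridge-related lines of a torrc fragment before you restart Tor; the plugin path in the constructed sample is an assumption, and the fingerprint and URL are placeholders.

```python
import re

FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
ADDR_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[0-9.]+):[0-9]{1,5}$")

# Constructed sample torrc fragment: placeholder bridge, assumed client path.
SAMPLE_TORRC = """
UseBridges 1
ClientTransportPlugin webtunnel exec /usr/bin/webtunnel-client   # path is an assumption
Bridge webtunnel 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 url=https://bridge.example/path
"""


def check_bridge_config(torrc_text: str) -> list[str]:
    """Return the problems found in the bridge-related lines (empty list = looks sane)."""
    problems = []
    use_bridges = False
    plugins = set()   # transport names that have a ClientTransportPlugin line
    bridges = []      # token list of every Bridge line
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "UseBridges":
            use_bridges = rest.strip() == "1"
        elif key == "ClientTransportPlugin":
            # syntax: ClientTransportPlugin transport[,transport...] exec <path>
            plugins.update(rest.split()[0].split(","))
        elif key == "Bridge":
            bridges.append(rest.split())
    if not bridges:
        return ["no Bridge line found"]
    if not use_bridges:
        problems.append("UseBridges 1 is missing, so Tor ignores the Bridge lines and connects directly")
    for fields in bridges:
        shown = "Bridge " + " ".join(fields)
        # plain bridge: "addr:port fingerprint"; pluggable transport: "<transport> addr:port fingerprint [k=v ...]"
        if ADDR_RE.match(fields[0]):
            transport, rest = None, fields
        else:
            transport, rest = fields[0], fields[1:]
        if transport and transport not in plugins:
            problems.append(f"transport '{transport}' has no ClientTransportPlugin line ({shown})")
        if not rest or not ADDR_RE.match(rest[0]):
            problems.append(f"missing or malformed address:port ({shown})")
            continue
        if len(rest) < 2 or not FINGERPRINT_RE.match(rest[1]):
            # Tor accepts a Bridge line without a fingerprint, but then cannot authenticate the bridge
            problems.append(f"missing 40-hex-digit fingerprint ({shown})")
        if transport == "webtunnel" and not any(f.startswith("url=") for f in rest[2:]):
            problems.append(f"webtunnel bridge needs a url=https://... field ({shown})")
    return problems
```

Run it against the fragment you are about to save; an empty list means the bridge section is at least structurally complete.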

4. Messaging: Simple, Metadata‑Resistant

  • Use SimpleX Messenger over Tor inside Whonix.
  • One identity per purpose.
  • Never reuse QR codes; rotate identities regularly.
  • Lower metadata leakage than most messengers.

5. Browsing & Research

  • All Tor browsing happens in Disposable Whonix Workstations only.
  • No bookmarks, no saved logins, no downloads kept across sessions.
  • If files must be kept, move them to a cold, isolated VM and strip metadata immediately.

6. VPN Router (Not on the Laptop)

  • VPN at router level only; it protects non-Tor traffic.
  • VPN ≠ anonymity; it never replaces Tor.
  • Infrastructure tool only.

7. Passwords & Secrets

KeePassXC

  • Database stored offline
  • Open only in dedicated VM
  • Strong master password + keyfile

Hidden & Decoy Passwords

  • One “normal” database, one hidden database
  • Plausible deniability if coerced
  • Never autofill across VMs or store passwords in browsers

8. Identity Compartmentalisation

  • One VM = one role, one role = one identity
  • No crossover between identities
  • Examples: Research VM, Messaging VM, Writing VM

If two activities don’t need to know about each other, they shouldn’t.

9. Behavioural OPSEC

  • Never reuse usernames or writing styles
  • Never mention personal details
  • Do not mix activist and personal time patterns
  • Vary activity times and assume everything is logged

10. Threat Model Reality Check

This setup is designed to resist mass surveillance, limit damage from device compromise, provide plausible deniability, and reduce metadata leakage.

It will not protect you if:

  • You talk too much
  • You trust the wrong people
  • You break compartmentalisation once

Final Principle: OPSEC is subtraction, not addition. Remove features. Remove convenience. Remove assumptions.
