Advice needed on secure laptop setup

I've got a new laptop with Win7 x64. I would like to use it as a dedicated privacy/anonymity/security computer, i.e. never use it from my home IP (public WiFi only), surf only through Tor/VPN etc. I need some advice on how to set it up.

ATM, it has the 100MB system reserved partition, C partition and recovery partition. What I think to do first is to image these partitions and save the image backups on an external HDD in case something goes wrong (is it possible to restore an imaged recovery partition?).

Then I would attempt to merge the 100MB partition with C partition in order to get one system/boot partition which I would later encrypt and set up FDE with TC hidden OS. In this scenario, what would be with the recovery partition - get rid of it or leave it? How would you partition my 750 GB HDD regarding my plan?

Is it safe to update Windows from a public WiFi hotspot? Should I change MAC address before going online for the first time or only after updating Windows? Can you recommend a good MAC changer? Can it be set up to change MAC address before booting the PC and before it's caught by the hotspot's access point?

If I use a freeware version of Sandboxie, is it fully functional like paid version (I do own a paid SBIE on my desktop computer, but I wouldn't like to have personally identifiable software on my privacy box).

Can I use a light system virtualizer if I have FDE in place?

I'd like to use Whonix or some live CD distro but I am not familiar with Linux - any tutorials you could point me to?

What other security software should I install? In what sequence?

Please suggest anything you consider important to setup a top secret, ultra-anonymous, James Bond-like secure laptop .

Thank you

 

You should get a lot of answers.

For *me*, I would first use a bootable partition tool (I like MiniTool Partition Wizard) http://www.partitionwizard.com/partition-wizard-bootable-cd.html and get rid of everything on the disk..then create 2 partitions, the second, 5% larger for the hidden OS. This will get rid of Windows trying to create a 100MB system partition, and it's easier than trying to merge it, IMO. Just remember that the hidden OS will be the same size as the decoy. You can't have an original 30GB install, and then clone it to the hidden partition which is 250GB, and expect to see a 250GB hidden OS...it will be 30GB. So I'd just split the disk in two + 5%.

*Note: you can go nuts here with dealing with *possible* previous sensitive data that has been on the disk. Starting with a brand new disk would be best, but you could also wipe with BCWipe Total Wipe Out, or others... Maybe getting the DCO and HPA areas as well. (I've never tried to re-use a disk after a DCO/HPA wipe...don't know if they still 'work'...so do your due diligence).

Then I'd install Windows on C:, install TC, and run the hidden OS setup. MAKE THE RESCUE ISO!!!!!!! and put it on another device and also maybe burn it. Then I'd create a bootable USB/SD device for the rescue iso and test that you can boot into the hidden OS with it.

Make one like this:

After TC wipes C: reinstall Windows again. Here is where my preference differs: I don't install TC on the decoy, and I don't encrypt it. Since it's a fresh Windows install, it overwrote the TC bootloader and boots right into the decoy Windows. To get into the hidden OS, boot from the bootable USB/SD device you made, with the rescue.iso on it.

I like using a 32 character password (overkill, but I can remember it, so...) that I know, and another 32 that are completely random, On a Yubikey set to static mode on slot 1.

While not *technically* 2FA, brute forcing 32 completely random characters from the YK will be tough...so you 'kind of need it' to boot....not technically, but practically. And since you can not possibly memorize them (you don't want to), if you can "lose" the YK, you can't be compelled to reveal that part.

For backup, you can image the decoy like normal. For the hidden OS, you can do a (large) sector by sector image, or image compressed with software to a local hidden TC volume on an external drive. I *think* you can image like normal to a network location...but you'd obviously want any back up encrypted somehow. The bottom line is that from within the Hidden OS, you can't write to anything that isn't also a hidden volume (again I think you can write to a network location - but can't say for sure right now). If you use a bootable backup solution, you should be able to write it anywhere...but encrypt it somehow - built in, or in a TC volume, etc... And it will be BIG because the bootable solution will only see random data.

MAC Address: Yes, spoof it everywhere for the hidden OS. Don't spoof it for the decoy (my opinion). MadMACs from iron geek is the best I've used. It will also spoof the machine name, and runs at boot.

The collective can address your other questions, and also correct anything I've written that isn't correct.

PD

 

If you're going to those extremes -- public WiFi, Tor/VPN, Truecrypt FDE with hidden OS -- I don't think that it's prudent to use the copy of Windows that came with your new computer. If there's a money trail, it's prudent to assume that Microsoft can identify you, no matter how you're connecting to the Internet (and no matter how you've encrypted the disk).

Also, as we've seen on a few recent threads, Windows logs all sorts of things in ways that we don't necessarily know. No matter how you sandbox and virtualize, the host OS can potentially log anything. It's running everything, right?

Anyway, I recommend using Linux as the host OS. If you're new to Linux, you'll probably be happiest with Xubuntu or (if you like Unity) Ubuntu. Debian lovers may sneer, but you gotta start somewhere

However, there's a downside: there's no easy way to hide LUKS encryption headers. You can use dm-crypt, but that's far less user-friendly and convenient. As far as I know, there's nothing as "hidden" in Linux land as Truecrypt in Windows. But, on the other other hand, given that I see lots of "help with Truecrypt" posts on Wilders, LUKS may be more reliable, or less easily broken

Do you live in a place where disclosure of encryption keys is legally (or practically) required? If you do, you may want to change gears, and go for a setup that saves nothing locally, just in secure online places that nobody can link to you.

You can run Tails, Whonix and Linux LiveCDs as VirtualBox VMs. You could also run your Windows (assuming that you have installation media) as a VM. That way, it's isolated from your host OS and other VMs. But you'll lose some features, such as simple device connectivity and high-end gaming capability.

 

Already some great advice by mirimir, follow it!

I'll just add if you really want to be private , rip[ out your hard drive and only boot LIVE CD/DVD/USB. No hard drive? No worries! No information to save!

 

Thanks

That's one extreme, for sure.

If you live in a repressive area, travel a lot, hang out with criminal hackers or whatever, it's probably the way to go. But then you'll need secure places online to store your stuff. And you'll need to remember how to set up VPNs, Tor etc to get to your stuff without revealing its location to the Internet gateway that you're using. And you'll need to do all that every time you boot. That would be a lot of work!

 

Yeah that's why I don't do it. But if you want security, you must fling your hard drive of the nearest bridge. No persistent threats because there is nothing to save it to.

I have seen LIVECD's get compramised mind you, so always be on the lookout for that. And MiTM attacks, those pretty trigger machines the government buys are pretty worthless though IMHO.

 

There's an approach that I've heard about, and played with a little. You start with a stock installation of some Linux version that will be available unchanged for as long as you'll need it. Immediately after installing it, you image the disk to a DVD. Then you update, install whatever you need, configure VMs, VPNs, Tor etc, add whatever documents you need, etc. And then you create a difference image, and save to a disposable flash drive. It'll be relatively small.

Put the difference image in a Truecrypt container, apply some binary-to-text conversion, and anonymously save it on some mainstream filesharing site. You can split the file into pieces, and save them separately in multiple places, to be sure.

Now you wipe the disk, and remove it from your laptop. Burn it if you like And destroy the DVD and flash drive.

Whenever you need your stuff, use Tails to download your difference image file(s), and do whatever it takes to recover the difference image. Save it to a disposable flash drive.

Then you repeat the Linux installation to a RAM disk, and save the base image again to a DVD. Apply the difference image, and you're ready to go.

When you're done, you create a new difference image vs the base install, and store it online as described above. Then shut down and destroy the flash drive and DVD.

I wonder if that would actually work.

 

sounds more like a headache to me , lols

 

Yeah, me too

 

Can you elaborate on this in more details, please?

 

Microsoft, fairly enough, wants to prevent piracy. It wants to know that your copy of Windows is genuine, and it wants to know how many times it's been installed.

If you disclosed your identity in buying the computer, there's an association (albeit perhaps latent) between you and the copy of Windows on that computer. Some may say that Microsoft would never use that information to deanonymize you. But the fact of that association remains.

If you paid cash for it in a store where they don't know you, and it's never been online from your true IP, and you've never provided any information to anyone that links you to that computer or copy of Windows, you can discount all that I've said about this

 

Are you saying that Microsoft keeps tracks of each particular computer with Windows OS all way to the location of sale?

I would assume that computer builder (and not M$) installs OS purchased in bulk from Microsoft, but I may be wrong.

 

No, I'm not claiming that.

That's probably so.

But the store's data system links you with the computer's serial number. And the computer builder's data system links the computer's serial number with the Windows serial number, and also with their Windows volume license agreement. When you activate and update Windows, Microsoft knows your Windows serial number and your IP address.

So, while Microsoft may not track every copy of Windows, the correlation can be made by combining data from the store, the computer builder and Microsoft. That's what I meant by "latent".

 

yeah never buy a laptop with an os , by both seperate as mirimir has stated

 

And pay cash, in a store far from where you live, but not across a monitored border

 

or buy it online over ..wait lemme flex some of my creative muscles , lols , ok here goes ,been a while since ive done this , just setup a anonymous one time use mail locker, just set one up every time you make an anonymous required online order , go and order that nice shiny laptop with cash on mail delivery , yes all you do is deposit the amount the laptop plus shipping costs to the mail office to the according anonymous locker , mail gets paid and you receive your nice laptop , no need to make it so difficult , with the store videocaming you buying a laptop and them having the serial number plus barcode etc in the register , with the above method all theyd have is nothing, except you picking up and paying for a random package as a million others do , lols

 

dont really see what this would actually increase in terms of security / anonymity , sure its important to make sure when using a vpn vm setup that the mac address of your pfsense vm and decoy os pfsense vm macs are the same , can be done without any spoofing , but the rest , i honestly aint sure whats the use

 

You go to a coffee shop and connect. Without spoofing, your burned in MAC is in their connection log. You become "interesting". You can now be sniffed from afar (like I think Sabu was) and tracked, either through the air, or by grabbing all router logs of places you visit. A spoofed MAC can not connect you to being at a certain place, at a certain time. If they "seize" you and look at your burned in MAC, it won't match what's in the routers. Doing it only for the Hidden OS, they can't even tell that your spoofing, unless they somehow get into it. Even then, the numbers are generated randomly - suspicion doesn't equal proof. Even the Machine Name list is generic and random. You can make your own list too...mine is every male and female common first name on the planet. "We see Jim in your list" ... "So? How many computers named "Jim" in this country?" LOL.

PD

 

ok now you have me interested, could you elaborate on how to setup MadMACs for my hidden os , since im a total noob when it comes to that program , i already downloaded it, a nice quick mini tut would be nice, and what machine namelist would be recommended and where would i get it , and i recon for home use its recommended as well ?

 

On the road ATM, so it may be a while. There is a brand new version out, but the older version I use had a walk-though setup. You basically just pick the adapter you want spoofed and set it at boot. Then go into the folder (which IIRC, you place anywhere and just click the .exe inside to set it up) and change dic.txt to contain any machine name list you want. I pulled a list off the internet for first names. If you go into Computer>Properties you can see if it's working...it will list current, and next computer name after reboot. You can spoof anything, but I just use it for the Hidden OS. And obviously check your router for the MAC spoofing verification.

PD

 

yeah i downloaded the latest one youve linked too aka 2.0, btw ill check it out and see how far i get and ill be checking back on what you have to add , thanks in advance

update> ok , lols , i just found out that i totally forgot that i set my router to only allow certain mac addresses to connect to it , of course with the mac randomizing now , i cant connect to the internet , had to restart , to get my old mac back , so what do you suggest for me to just disable mac address whitelisting , ive done this to make access more secure

 

So if you are using the Windows product key that comes with the computer, the one on the label stuck to the bottom and paid for the computer with a credit card Microsoft can connect my OS's ID to my bank account ?
What other data leaks to Microsoft are they, can they be correlated with this ?

 

I'm not saying that they routinely do that. But I am arguing that they (or someone with their data) could do that. So the prudent assumption is that it's being done.

I don't want to speculate

 

The only way to be truly anonymous is to utilize the above advice in any manner you wish... then throw that laptop off a bridge into a river afterward. Buy a new one for each time you want to use it. Or vaporize it with a laser beam, or shoot it into space (but NASA may recover it then).

Sounds absurd I know, but it's really the only sure-fire way. Just like in the movies where the bad guys toss their prepaid cell phones after using them 1 time...

And if you're gonna spoof a MAC make sure it's not the MAC addy of a device you'd used in the past from a known residence/your mailing address, that can also be connected to you.

 

Or someone else's. You could use locally administered addresses, mentioned in https://en.wikipedia.org/wiki/MAC_address and elsewhere, but that doesn't actually prevent a collision. Some new devices with MAC addresses are just a few bucks so you could actually buy some if you wanted, new or used.