nihilist@mainpc - 2024-04-26

Internet Usage Segmentation Setup

In this tutorial we're going to cover how to properly segment your internet usage. This is the most common OPSEC practice, and one that you should always use. We're going to base ourselves on the pyramid of internet use that we have seen previously, to replicate each of the 4 OPSEC levels in our current setup.

Sidenote: Help us improve this tutorial by letting us know if there's anything missing or incorrect on this git issue directly!

Different Internet Usage

The most common OPSEC mistake out there is the lack of internet usage segmentation. Most people don't have this reflex when they first discover anonymity and privacy online. The thing is, it is not possible to be fully anonymous for everything that you do online; there will always be some service that is vital to you, which you will need to access with your real world identity (for example, to access your bank account, or some insurance website, etc). However, it is definitely possible to implement proper internet usage segmentation.

In this case we're going to differentiate 4 types of Internet usage:

Internet Uses:

  1. Public use: What you do is public knowledge

  2. Private use: What you do is NOT publicly known

  3. Anonymous use: What you do is meant to be done without revealing your identity

  4. Sensitive use: What you do is meant to remain secret at all cost, only to be known by you

With each different Internet usage, we have different requirements:

Requirements:

  1. Public use: No requirement; you can use closed source software (meaning it's all public), using your IRL identity

  2. Private use: only open source software, and you use a pseudonym instead of your IRL identity

  3. Anonymous use: open source, using a random, meaningless identity (not sensitive)

  4. Sensitive use: open source, using another random, meaningless identity, AND if the adversary seizes the device, they mustn't be able to prove the existence of the Sensitive VM

With this, we have identified the 4 most typical internet use cases and their requirements.

Identity Management



As we said previously, segmentation is required for each internet use. This extends to the identity you use online. For example, you cannot use your real name when trying to use the internet anonymously. So you need a different identity for each use case:

Different Identities:

  1. Public Identity: Linus Torvalds (used on websites that ask for your identity)

  2. Private Identity: Nihilist (used on websites that may KYC, but pseudonym is preferred)

  3. Anonymous Identity: ZacharyJr (used on anonymous websites, non-sensitive use)

  4. Sensitive Identity: Dread Pirate Roberts (used on anonymous websites, sensitive use)

The important thing here is that you must make sure that these identities have nothing in common: it must always remain impossible for an adversary to link those identities together.

Multiple Virtual Machines (VMs)



To help you implement your internet usage segmentation, you can use VMs to make sure the segmentation is present inside the system:

Virtual Machines:

  1. Public use: No requirement; you can use a Windows VM for all closed source software and KYC use

  2. Private use: you can use a Debian VM, with only open source software (ex: SimpleX chat)

  3. Anonymous use: you can use Whonix VMs (it forces every connection to go through Tor)

  4. Sensitive use: you can use Whonix VMs, but they need to be inside a VeraCrypt hidden volume

Sidenote: QubesOS is based on the same segmentation principle: every use must remain isolated (or compartmentalized) into VMs dedicated to specific uses. It also uses Linux and Whonix VMs, while using the Xen hypervisor instead of libvirtd QEMU/KVM, but the concept remains the same.

Internet Usage Segmentation Recap



Now with this setup, one can segment their Internet use with a system implementation (VMs) along with the associated identities for each use case.

For further details on how to dissect your OPSEC, check out this tutorial here. Using the right technologies is only the first half of the work; you also need to have the correct behavior while using them.

Legal Disclaimer

Creative Commons Zero: No Rights Reserved