Question about my idea for an anonymous setup

Hi all - I’m a software dev by trade, advanced-beginner hacker.

I spent a lot of time today reading through the Anonymity category here and tested out a few setups today. Bear in mind, what I’m about to ask could very well be absolutely stupid, no doubt, but I feel like this community could give pretty good insight into why this would be a bad or useless setup implementation:

Host Machine

  • Ubuntu or Deb installed on the physical hard drive
  • LVM Encrypted Hard Drive option during installation
  • LVM encrypted root and home directory after installation
  • Connection: VPN (vpn provider #1)
  • VirtualBox installed

Virtual Machine

  • Tails or Whonix linux distro installed on encrypted VirtualBox VDI Disk
  • LVM Encrypt root and home directory after installation
  • Connection: TOR → VPN (vpn provider #2)
  • VirtualBox installed

Virtual Machine #2

  • Linux distro of choice running live via the ISO saved on the previous virtual machine or even on a USB
  • Connection: TOR

My thinking was that the host will be running VPN#1, okay now your ISP might not flag you for TOR usage. And assuming you choose a theoretically ‘secure’ company, then VPN#1 wouldn’t care or have logs on tor usage.

So then with the first virtual machine, you’re connected through TOR. And on top of that, let’s say I’d connect to a VPN#2 (another ‘credible’ company). My thought was that since there are many people that run TOR → VPN, surely other people on that IP from VPN#2 were connected to TOR as well, making the web that traces back to you so much more intricate.

Finally - Virtual machine #2. Well since its host machine is technically virtual machine #1, then that means machine #2 certainly couldn’t have access to any of your main host machine’s physical hardware IDs. And to put the cherry on top, say I connect to TOR yet again.

Again, I’m willing to get roasted on this if it means I learn a little more, lol.

Thanks in advance!

1 Like

I’d say your idea has a few holes from the start; the system, how did you acquire it? For it to be truly private and anonymous, you would have had to pay for it cash only, and in a more extreme case, you’d have to avoid security cameras and/or traceable transportation (you would probably have to do the 2-or-more cab technique, or the usual public transport).

Now, the flavor of Linux distro is irrelevant (though ideally fewer vulnerabilities and more stability is better, I personally avoid Ubuntu like the plague), and I’d say it is a pretty hardened setup with the disk encryption, but the moment you connect to the internet it has to be outside of your home network, even if you connect to a VPN. As for the Tails or Whonix, I’d reckon having it on a bootable USB is more anonymous and secure since you’re not relying on third party software to virtualize it (and possibly open some windows into de-anonymizing it and/or making your host machine vulnerable [see VMware, for example]). For the physical hardware IDs, I’d say you can just spoof them before doing anything else. The whole advantage of Linux is it’s granular, so you can probably change everything.

There is a weird discussion about VPN to TOR, or TOR to VPN, and to be honest I would not pay too much attention to the VPN side. As I said, to be truly anonymous you do not even want to be on your home network, and as such, the ISP of the public WiFi you connect to probably has ideally too much traffic a day to notice you, and even if they did, they can only see you connected to TOR, not the traffic that runs through it.

This avoiding of your home network avoids having your ISP come into play, so it removes the need for VM #2, and since you’re booting Tails or Whonix from a USB, the need for VMs is removed. Now, for the second part I’d just say to keep a separate identity for that machine only, and do not let any of the traffic or activity be even remotely linked to your own personal life. The more degrees of separation (username, full fake name, country, backstory, etc), the better.

Not roasting you lol, but the dependency on 3rd party software is something to look up, since some also require machine hardware IDs and/or logins and license activation.

2 Likes

Anonymity is harder to achieve and you must change your behavior while using operating systems, and even after that it is not simply plug-and-play. There are still many more things to consider than just using Tor and having a separate VM. You should never put all your eggs into one basket. Keep in mind ‘You only got to fuck up once’

1 Like

Nice, you should create a new topic about anonymity.

1 Like

Haha, I don’t know what I’d post about though. I try to live a relatively anonymous life, but it is incompatible with being social most of the time, so it is a delicate balance.

2 Likes

you guys rock, good work

1 Like