CarderPlanet
Greetings. Lecture topic: “Security and configuration of a virtual machine.” The lecture includes three sections: handling information, setting up a virtual machine, and financial transactions from the point of view of online privacy.
First section: the basics of information hygiene.
1. Behavioral features.
• first of all, you must not talk about your type of activity or personal circumstances (location, family composition, education, etc.) regardless of the level of trust in your interlocutor - this includes not involving friends or relatives from real life in the work, or otherwise mixing online activities with offline ones. Finding something is much easier if you know where to look, so “my tongue is my enemy”;
• the separation must also be technical: a personal system with personal data and programs cannot be used for “gray” activities, otherwise the risk of information leakage increases. Moreover, it is also possible to isolate data at the hardware level - using separate devices, but if all recommendations are followed, this is not absolutely necessary and virtual machines can be considered a sufficient substitute;
• devices and operating systems should not be in plaintext 24/7 - powered on, decrypted and logged in to compromising sites. If an outsider can physically gain access to sensitive information at any unexpected moment, the whole point of hiding it in the first place is lost;
• it is reasonable not to conduct activities in the location where you live, especially in the “post-Soviet” space. Finding a resident within immediate physical and administrative reach requires less effort, which is confirmed by observation again and again. This means that using material, stores and services of this kind is undesirable from the point of view of common sense, and the “code of honor” has nothing to do with it;
• the use of personal data in any transactions (financial, transport, etc.) is unacceptable. In-person receipt of parcels, details, telephone numbers, emails, nicknames and social networks are replaced by intermediaries, dummies (drops) and third-party information. Many services readily accommodate requests for disclosure of information, so the less data there is to search for, the better.
2. Technical recommendations.
• encryption. Conventionally, this is placing data in a safe, the password to which only the owner knows. Virtual machines, files, etc. must be in an encrypted area, and the area can be located, for example, on a physical medium that can be easily removed if necessary (flash drive, external hard drive, SSD or a separate device), hidden on the main system or on a dedicated server (VPS);
• the VeraCrypt program is used for encryption. The built-in tools of Windows or macOS are not recommended because of their predominantly closed source code, vulnerabilities and general security concerns. The main types of encrypted area, in various combinations, are: container, double-bottom (hidden) container, entire drive and operating system.
The container is a “safe” that must be decrypted with a password to be opened. A container with a double bottom is a safe with two compartments: entering different passwords opens different parts, in case there are no options left and at least something has to be shown. You can also encrypt the entire drive, and a hidden operating system is, in effect, a double-bottom container on the scale of the whole system.
Approximate minimum requirements for the size and type of drive for comfortable work: from 64GB of storage, a USB 3.0+ connection and, if possible, an SSD instead of a conventional hard drive. Step-by-step setup guides are available on the forum and in the program's help; in addition, the functionality is intuitive;
• if you have a choice, use open-source software wherever possible. Information leaks, vulnerabilities undetected by the community, backdoors (intentionally introduced vulnerabilities) or absurd license agreements are just a few of the possible problems with closed-source programs. Open source, of course, is not a panacea either, but in terms of reliability it is incomparably better.
In particular, it is appropriate to abandon antivirus programs - programs that actually scan and transmit operating system data to third-party servers. Instead, it is better to open suspicious links and unverified files inside an isolated virtual machine, and keep critical information in a closed form, for example, in a separate container or in open-source password managers like KeePass;
• passwords, in turn, must be unique for each service. Reusing the same password can result in the loss of several accesses at once, since if one service's database is leaked, the information from it can be tried on others. It is also useful to enable two-factor authentication (2FA) on your accounts - additional one-time passwords, for example in the OTP or Authy apps, or in the form of a backup email;
• Since physical SIMs are easy to track, any registrations that require mobile activation are best done through virtual phone numbers. The necessary services can quickly be found by searching for “SMS activator”, and the forum also has services for receiving messages to real numbers in different countries. Accounts created in this way will be protected from loss by two-factor authentication;
• there are two main messengers for communication: Jabber and Telegram. Other popular services tend to have a track record of leaks or vulnerabilities. Correspondence and clients should be stored in a protected area; for Telegram - set a 2FA password, and in the case of Jabber, firstly, use trusted servers, and secondly, enable OTR encryption (in the client PSI+ is available in plugins, for Pidgin it is downloaded separately);
• It makes sense to periodically create encrypted backup copies of key information for storage outside the working operating system in case of loss of access or technical problems. However, it is not recommended to use cloud data storages - it is not known exactly who can have access to them and to what extent, and in general this is an additional attack vector.
The summary of the first section can be formulated as follows: frivolity and half-measures in matters of information security have negative consequences. Following simple operating principles is not as troublesome as getting into trouble due to naivety or losing your finances by losing access to your accounts.
Second section: setting up a virtual machine.
The virtualization programs are VMware and VirtualBox, where the latter also works on Linux, and the solution for Mac is Parallels Desktop. The internal settings are the same regardless of the system, and the choice of program does not really matter. For the VM to work, virtualization must be enabled in the BIOS (usually it is by default) - the way to check differs between devices, so it is worth using a search engine.
1. Programs required for operation.
• VPN. An encrypted connection between the user and the server through which the network is accessed in order to hide Internet traffic (actions) and change the user’s IP address. A commercial VPN service should not have: logging (saving history), experience of data disclosure, as well as obvious disgrace in the license agreement regarding privacy.
To insure against leakage of the real IP address in the event of an unintentional disconnection from the server, most VPN clients have an emergency traffic-blocking function called “Kill Switch” or something similar. If there is no such function, you can configure it yourself: for example, in VPN programs like OVPN, or in the built-in system firewall by prohibiting network access for everything except the desired client. VPN is not only commercial - it is also possible to set up a dedicated server (or several) for the connection yourself. However, the instructions would require a whole lecture, and there are plenty of them on the Internet, so they will not be covered here. To avoid conflicts with other IP accesses, the VPN must be connected on the main system (or on the one located before the actual working one).
• general-purpose browsers such as Chrome, Edge, Firefox, Safari, their portable versions, as well as the privacy-oriented Tor Browser. The latter is needed exclusively for surfing, and transactions cannot be made from it - forums and various services often have mirrors in the .onion zone (“in Tor”), which must be visited through Tor;
• sites determine the user's IP address, so during operation the VPN server address is replaced with another one (for example, matching the location of the material's owner) using third-party IP accesses - mainly socks (proxies) or SSH (tunnels). They have the following format: IP:port + login:password (login and password are not always present). To connect, use the Proxifier program for socks and Bitvise or PuTTY for SSH, respectively.
In Proxifier, enable the “Resolve hostnames through proxy” checkbox under “Name Resolution”; the socks itself is added in the “Proxy Servers” tab. When using Proxifier in conjunction with Bitvise or PuTTY for SSH, a rule is added under “Rules” for the desired client's executable, with the first or second item selected under “Action”; the socks in this case should be 127.0.0.1:8081/8080 without a password.
Then the data from the socks or SSH is simply entered into the corresponding fields for IP, port, login (username) and password in the programs. If problems arise with the network, there are enough manuals available, but in general there is no need to go into more detail.
Both IP accesses perform the function of IP address substitution, so connecting both at once is not required. The practical difference is roughly this: on average, finding clean socks for the desired location is easier, but SSH may stay working longer or have unusual characteristics such as a rare Internet provider. In other words, use whatever good ones you can find.
To use IP accesses of all types (socks, SSH, VPN, etc.), it is not necessary to understand the detailed structure of their protocols or the technical features of their operation, just as you do not need to understand programming to navigate an operating system at a sufficient level. Correct setup without leaks is far more important, so at the beginning of training there is no point in focusing on minor things and getting confused by them;
• antidetect - a special browser that replaces device characteristics and system fingerprints in order to mask the session, significantly automating the process. Socks and SSH can also be connected in the browser itself. However, despite the disguise, for security reasons it is worth storing the antidetect on a virtual system and in an encrypted area. Use as desired, there will be a lecture on this topic;
• a convenient text editor for keeping records that meets the requirements described above: open-source, no cloud storage and no bad reputation. Theoretically, a standard notepad will suffice, of course, but you can find good alternatives on the Internet using the query “open source text editor.”
As a result, the minimum acceptable configuration looks like this: main system > VPN > encrypted area > virtual system > socks/SSH > Internet. The chain is variable and can be supplemented in every possible way by introducing new links. For example, the last two points can be replaced with remote desktops (VPS, RDP...) or supplemented with a VPN series and antidetect - in general, the options are limited only by the imagination.
2. Parameters. Risks when conducting transactions in stores and services are assessed by “anti-fraud systems” based on a variety of internal rules, filters and lists. Naturally, the desire to bypass the “barrier” of anti-fraud systems and successfully conduct a transaction requires understanding their inner workings and developing the skill of camouflage. For convenience, the parameters can be divided into two categories: IP address and digital fingerprints.
A. IP address parameters include:
• black lists. Databases of suspicious IP addresses seen in DDoS attacks, spam and other dubious activity. They are compiled by specialized services and subsequently used by businesses such as payment systems and banks to check their visitors. Logically, ordering from a particularly dirty IP address will most likely fail: on any Tor exit or public VPN there is no clean spot left;
• DNS is the domain name system, a kind of add-on to the IP address, and it does not have to coincide with it completely. It cannot be called a decisive factor, but physical proximity or visible similarity to the main IP address is without a doubt a plus. Naturally, your personal DNS must not leak.
IP accesses (socks/SSH) may not have their own DNS, in which case the address will come from the previous link in the chain of IP access connections, for example the VPN. You can adjust it like this: select a suitable VPN server and enter a publicly available DNS address into the network adapter settings in the “Network and Sharing Center” or into the router settings;
• WebRTC technology: https://shorturl.at/epsFG. Optimally, the IP address displayed in the WebRTC column should be identical to the main one; however, depending on the browser and settings, there may be a leak all the way to the real one. If a discrepancy is observed during the check, the address can be replaced, for example through antidetect, or WebRTC can be disabled according to the instructions at the link;
• Internet provider and host name (ISP, hostname). You may come across telltale names (“proxy”, “hidden”, “VPN”, etc.) from which the fact that traffic is being hidden becomes obvious - which, in fact, is one of the calling cards of a typical scammer.
In addition, there are services that provide corporate or private allocation of virtual servers for remote access. As with the ISP, an IP address belonging to such a service or to specific server systems contradicts the pattern of the average buyer. It is useful to keep statistics on the names and titles encountered;
• round-trip ping - the approximate time it takes for the visitor's traffic to reach the server. If characteristic values are detected (usually at least 40ms), the IP address is recognized as a tunnel (SSH), which, from the point of view of anti-fraud systems, can be one of the indicators of a potentially fraudulent operation.
Unfortunately, without administrative control over the IP access (having a login and password simply does not provide it), the delay cannot be eliminated, and the following options remain: changing the IP access (socks/SSH) or changing the link leading up to it in the connection chain, for example the VPN server. However, this does not always work, and you should not give in to paranoia without real experiments against a specific anti-fraud system;
• open ports: 80, 81, 1080, 8080, etc. In theory they indicate the use of proxy tools (socks), but at the same time they are a double-edged sword. Firstly, a significant number of such accesses are simply router web admin panels. Secondly, contrary to the claims of “anonymity check” sites, plenty of clean traffic originates from IP addresses of the above types.
Many properties of an IP address are not “good” or “bad” in and of themselves. VPNs, proxies, servers and similar tools can easily be associated with a business, university, telecom operator and other legitimate activities. Moreover, traffic from groups of users can additionally enter the network through one gateway, for example, to apply a firewall or improve performance.
In conclusion, since aggressive suppression of anything suspicious would also make ordinary users suffer, perfection in every respect is not necessary. In addition, there is a whole wagonload of other rules for assessing risk. Here are just a couple of consequences of this fact: transactions from the same IP address using different payment methods are possible, and “dirty” IP addresses can still be effective. The method for calculating the likelihood that a proxy is in use is called “proxyScore”; “riskScore”, as the name suggests, is a risk assessment of a transaction in general or of an IP address in particular. They are expressed in the range 0-100; accordingly, the higher the value, the worse. Mostly, checking services are integrated into material stores, and private providers can be found on the forum and online.
B. Digital fingerprints is the collective name for unique information “imprints” taken from various browser settings and the user's operating system. Many fingerprints are actively used by websites and anti-fraud systems both for analyzing transactions and for simple surveillance, because they allow the user to be recognized despite a changed IP address, cleared cookies and, with a strong system, some changed settings.
From a privacy perspective, this is a set of methods by which one user is distinguished from others - just as with actual fingerprints - and this is also the reason the work environment must be isolated: there is a big difference between assigning an identifier to a random visitor to collect statistics and to a potential “buyer”. A typical data collection and analysis scenario often includes:
• user-agent. Together with the IP address, this is the first information a site receives about the user: browser version, language, device type and operating system. Firstly, the language properties must be consistent with the disguise: if the IP address is in an English-speaking location, so must be the system and browser. Secondly, in the context of statistical analysis, the choice of browser, device and system is equally important.
For example, obviously suspicious proxies or tunnels mostly run on Linux, which in turn colors the attitude towards that system itself; on average there are fewer fraudulent transactions from mobile phones, which makes them more trustworthy; Tor is a privacy browser that nevertheless could not be more suspicious; and operating systems have a popularity ranking.
In other words, the greater the share of bona fide traffic a given platform has worldwide, the easier it is to blend into the crowd and resemble the average buyer. Although statistics are collected in real time and depend on the individual service, in general the suitable options are: operating systems Windows, macOS, iOS, Android; browsers Chrome, Edge, Safari, Firefox;
• screen resolution, window size, scaling. Extremely rare combinations of these values single out and uniquely identify the user, and values that contradict the user-agent information because of antidetect or emulators (virtual machines of mobile devices) may raise suspicion: loosely speaking, a phone does not have a desktop screen resolution;
• like the language, the time settings and the operating system's time zone must match the location of the IP address. At the same time, you need to pay attention in another context: when working steadily from one location against one anti-fraud system, a constant deviation can lead to identification - for example, if a number of clients (actually the same person) all show a difference of exactly 3 minutes between the system clock and exact local time;
• operating system fonts. Enumerating fonts using the JavaScript programming language is a popular technique for making users unique. Operating systems have their default fonts, and the overall list is extended by installing programs that bring their own: various Office editions, Adobe PDF, and so on;
• passive OS fingerprint. It is formed from the operating-system-specific parameters of data transfer over the network: packet size, time-to-live of traffic packets, and others. A contradiction between the fingerprints of the IP address and the user-agent (for example, traffic passes through a Linux proxy via the IP access while a Windows desktop is in use) amounts to a flaw in the user's portrait. You can fix it by standard means: change the IP access, share Wi-Fi from a device with the required configuration, for example through an emulator, or simply accept the drawback - when working against a lenient anti-fraud system and with a good overall impression of the client, this point is not key;
• extensions & plugins installed in the browser. Good anti-fraud systems detect them by requesting certain ids in the browser and recording changes in how the page is displayed. A trivial ad blocker is unlikely to radically affect the situation (although it will make the user more unique), but tools for falsifying the user-agent and fingerprints can play a cruel joke;
• HTML5 Canvas (“canvas fingerprint”) and WebGL. Hidden rendering of visual elements using GPU resources with effects applied to them: text for Canvas and a 3D object for WebGL. After processing, the data is converted into a hash and added to the overall fingerprint to identify the user.
Fonts, GPU driver versions, color depth, filtering, lighting and shadows, textures and so on - the hardware and software features of the device are used to produce a personalized result, where each of these fragments is a variable, so the existence of distinctive features is quite understandable;
• audio fingerprint (AudioContext Fingerprint). Playback and evaluation of low-frequency audio signals, like Canvas and WebGL, takes place covertly, taking into account the characteristics of the user's system and hardware. The content includes: bitrate, decibel value, number of input and output channels, output latency, sampling rate, operation execution time and more, depending on the anti-fraud system. The values can be adjusted by changing the system or device, or by modifying the parameters with antidetect, the “Virtual Audio Cable” program or its analogues. Far from the most common fingerprint;
• cookie - a small fragment stored in the operating system containing authorization data and user settings for a specific site. Using old cookies with a new disguise is the same as entering the same contact information or payment method on two different accounts within the same store: unambiguous identification. Therefore, when changing sessions, you need to get rid of them.
Let's summarize the second section. Cleverly protecting yourself from the collection of a number of fingerprints by disabling JavaScript in the browser, through which they are retrieved, is not an option. In that case many sites will stop working normally, and there can be no talk of strict conformity to the pattern of a respectable buyer.
This is precisely why camouflage is needed - to change the components of the fingerprints and thus achieve credibility and diversity of profiles, and also to avoid identification. The principle is as follows: for example, changing the device affects the user-agent, extensions or plugins affect the browser, and the choice of fonts affects the entire system.
However, it is important not to upset the delicate balance, because particularly rare settings lead to uniqueness. Ironically, even disabling tracking in the browser settings (doNotTrack) or disabling cookies are in themselves options that distinguish the user. Add atypical fonts or extensions to that, and in the long run we have the opposite of the desired effect: a recognizable fingerprint.
On the other hand, anti-fraud systems are a tool for predicting risk, but the main task of any store is to generate and maximize profit consistently. Stores are able to tune the algorithms so that their anti-fraud systems do not react to every little thing, catching honest customers in the crossfire.
For whatever reason, be it a low-risk assortment or profit maximization, stores set their own combinations of rules and their own acceptable threshold for anomalies in fingerprints. Thus, individual checks may be absent and errors may be ignored, for example AudioContext or certain blacklists; and conversely, somewhere they will press on all fronts. So the point is rather a certain critical mass of parameters. In addition, it is worth noting how dynamic the value judgments of anti-fraud systems are. Blacklists, providers, IP address locations and other parameters can, firstly, change on their own as data is refreshed or updated, and secondly, be perceived differently by anti-fraud systems depending on current statistics, information from suppliers' databases, the “weather”... that is why collecting information is so important.
Examples of sites for checking IP address characteristics and operating system fingerprints (so-called anonymity verification services):
• whoer.net;
• browserleaks.com;
• 2ip.ru/privacy/;
• ip-score.com;
• maxmind.com;
• f.vision.
Repeatedly checking the proxyScore, riskScore and black list indicators sometimes provokes contamination of the IP address; do not overdo it.
Third section: financial turnover.
The main tool for making transactions is cryptocurrencies. The most suitable options, tested by time and the community: Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Monero (XMR). The use of supposedly more technically advanced or investment-friendly cryptocurrencies, as well as USDT and other “stablecoins” is at your own discretion.
The advantage of cryptocurrencies over other financial instruments is confidentiality - there is no need to back transactions with the personal data of the sender and recipient. However, cryptocurrencies cannot be called “anonymous”, because transactions are available in the clear, which makes it possible to track the movement of funds. Consequently, they do not give carte blanche in matters of financial transactions.
You can cover your tracks like this: changing receiving and sending addresses (supported by many wallets), passing funds through various exchangers and cryptocurrencies, cash transactions and the use of “mixers” - services for anonymizing transactions by splitting clients' funds into small parts and then mixing them together. The choice of exchangers and mixers is up to you, based on reviews and reputation.
There are two types of cryptocurrency wallets: hot and cold. Hot wallets need constant access to the Internet - exchanges, online wallets and exchangers. In this case the coins are held by the service, and the client only gets access to them. Cold wallets, in turn, are hosted locally, for example in the operating system or on a separate device, and in the absence of information leaks only the owner has access to them.
Despite the disadvantages of hot wallets, they are convenient for frequent use, while the point of cold wallets is reliable storage and the absence of intermediaries. Examples of wallets: “Bitcoin Core” (a cold official wallet, but it takes up a lot of space), “Blockchain” (hot, no verification required to make transactions), “Electrum” (conditionally cold, but unlike Bitcoin Core it does not download the entire blockchain).
As with cryptocurrencies, the use of alternative wallets (Ledger, Trezor, etc.) or full-fledged exchanges that require verification of personal data is at your own risk. Vulnerabilities or backdoors are occasionally discovered in many private services, and exchanges even tend to go bankrupt and block accounts. In addition, when working with cryptocurrencies you need to take into account the volatility of exchange rates.
For fiat currencies (USD, EUR, RUB, etc.) and transactions through official exchanges, wallets or exchangers, an incognito behavior model applies. The history of customer actions is saved, so personal IP addresses, personal data and device fingerprints must not be involved in the process of suspicious financial transactions. Instead, you can use:
• virtual machines, SMS activators, VPN;
• many services work with cash. Suitable for both withdrawal and deposit of funds;
• use of terminals to replenish pre-registered confidential wallets;
• accounts of dummies (drops). There are risks - blocking and theft - so it is better not to hold funds in them but to change accounts periodically. Verification services and sales of accounts and cards are available on the forum.
The first section, the basics of information hygiene.
Behavioral features.
• first of all, you cannot talk about your type of activity and personal circumstances (location, family composition, education, etc.) regardless of the level of trust in your interlocutor - including, do not involve friends or relatives from real life in the work or otherwise communicate online -activities with offline activity. Finding something is much easier if you know where to look, so “my tongue is my enemy”;
• the separation must also be technical: a personal system with personal data and programs cannot be used for “gray” activities, otherwise the risk of information leakage increases. Moreover, it is also possible to isolate data at the hardware level - using separate devices, but if all recommendations are followed, this is not absolutely necessary and virtual machines can be considered a sufficient substitute;
• devices and operating systems should not be in plaintext 24/7 - turned on, decrypted and authorized on inconvenient sites. If an outsider can physically gain access to sensitive information at any unexpected moment, the whole point of hiding it in the first place is lost;
• it is reasonable not to conduct activities in the location where you are located, especially in the “post-Soviet” space. Finding a resident within immediate physical and administrative reach requires less effort, which is once again confirmed by observations. This means that the use of this kind of material, stores and services is undesirable from the point of view of common sense and the “code of honor” has nothing to do with it;
• the use of personal data in any transactions (financial, transport, etc.) is unacceptable. In-person receipt of parcels, details, telephone numbers, emails, nicknames and social networks are replaced by intermediaries, dummies (droppers) and third-party information. Many services freely accommodate requests for disclosure of information, therefore, the less data to search, the better.
2. Technical recommendations.
• encryption. Conventionally, this is placing data in a safe, the password to which only the owner knows. Virtual machines, files, etc. must be in an encrypted area, and the area can be located, for example, on a physical medium that can be easily removed if necessary (flash drive, external hard drive, SSD or a separate device), hidden on the main system or on a dedicated server (VPS);
• the VeraCrypt program is used for encryption. Built-in tools from Windows or macOS are not recommended due to predominantly closed source code, vulnerabilities, and general security concerns. The main types of encrypted area, in different combinations, are as follows: container, double-bottom container, entire drive and operating system.
A container is a "safe" that must be decrypted with a password to be opened. A double-bottom container is a safe with two compartments: entering different passwords opens different parts, for the case when there are no options left and at least something needs to be shown. The entire drive can be encrypted, and a hidden operating system is, in fact, a double-bottom container at the scale of the entire system.
Approximate minimum requirements for the size and type of drive for comfortable work: at least 64 GB, a USB 3.0+ connection and, if possible, an SSD instead of a conventional hard drive. Step-by-step setup guides are available on the forum and in the program's help; besides, the functionality is intuitive;
• if you have a choice, you should use open-source software wherever possible. Information leaks, vulnerabilities undetected by the community, backdoors (intentionally introduced vulnerabilities) or absurd licensing agreements are just a few of the possible problems with closed-source programs. Open source, of course, is not a panacea either, but in terms of reliability it is incomparably better.
In particular, it is appropriate to abandon antivirus programs, which in practice scan the operating system and transmit data about it to third-party servers. Instead, it is better to open suspicious links and unverified files inside an isolated virtual machine, and to keep critical information in encrypted form, for example in a separate container or in an open-source password manager such as KeePass;
• passwords, in turn, must be unique for each service. Using identical passwords may result in the loss of several accounts at once, since if one service's database is leaked, the information from it can be tried on others. It is also useful to enable two-factor authentication (2FA) on your accounts: additional one-time passwords, for example in OTP apps such as Authy, or in the form of a backup email;
• since physical SIM cards are easy to track, any registrations that require mobile activation are best done through virtual phone numbers. The necessary services can quickly be found by searching for "SMS activator", and the forum also has services for receiving messages on real numbers in different countries. Accounts created this way are protected from loss by two-factor authentication;
• there are two main messengers for communication: Jabber and Telegram. Other popular services tend to have a track record of leaks or vulnerabilities. Correspondence and clients should be stored in the protected area; for Telegram, set a 2FA password, and in the case of Jabber, firstly use trusted servers and secondly enable OTR encryption (in the PSI+ client it is available among the plugins; for Pidgin it is downloaded separately);
• it makes sense to periodically create encrypted backup copies of key information for storage outside the working operating system, in case of loss of access or technical problems. However, cloud storage is not recommended: it is not known exactly who has access to it and to what extent, and in general it is an additional attack vector.
The summary of the first section can be formulated as follows: frivolity and half-measures in matters of information security have negative consequences. Following simple operating principles is not as troublesome as getting into trouble due to naivety or losing your finances by losing access to your accounts.
Second section, setting up a virtual machine.
Virtualization programs are VMware and VirtualBox, where the latter also works on Linux, and the solution for macOS is Parallels Desktop. The internal settings are the same regardless of the system, and the choice of program does not really matter. For the VM to work, virtualization must be enabled in the BIOS (usually it is by default); the way to check this differs between devices, so it is worth searching for instructions for your model.
1. Programs required for operation.
• VPN. An encrypted connection between the user and a server through which the network is accessed, in order to hide Internet traffic (actions) and change the user's IP address. A commercial VPN service should not have: logging (saving history), a history of data disclosure, or obviously unfavourable privacy terms in its license agreement.
To insure against a leak of the real IP address in the event of an unintentional disconnection from the server, most VPN clients have an emergency traffic-blocking function called "KillSwitch" or something similar. If there is no such function, it can be configured manually: for example, in VPN programs like OVPN, or in the built-in system firewall by prohibiting network access for all connections except the desired client. A VPN is not only commercial: it is also possible to set up a dedicated server (or several) for connecting on your own. However, the instructions would take a whole lecture, and there are plenty of them on the Internet, so this will not be covered. To avoid conflicts with other IP accesses, the VPN must be connected on the main system (or on the one located before the actual working one);
• general-purpose browsers such as Chrome, Edge, Firefox, Safari and their portable versions, as well as the privacy-oriented Tor Browser. The latter is needed exclusively for surfing, and transactions cannot be made from it; forums and various services often have mirrors in the .onion zone ("in Tor"), which must be visited through Tor;
• sites determine the user's IP address, so during work the VPN server's address is replaced with another one (for example, one matching the location of the owner of the material) using third-party IP accesses, mainly socks (proxies) or SSH (tunnels). They have the following format: IP
In Proxifier, the "Resolve hostnames through proxy" checkbox is enabled under "Name Resolutions", and the socks proxy itself is added in the "Proxy Servers" tab. When using Proxifier together with Bitvise or PuTTY for SSH, a rule is added under "Rules" for the shortcut of the desired client, where the first or second item is selected under "Action"; the socks in this case should be 127.0.0.1:8081/8080 without a password.
Then the data from the socks or SSH is simply entered into the corresponding fields for IP, port, login (username) and password in the programs. If problems arise, there are enough manuals online, but in general there is no need to go into more detail.
Both IP accesses perform the function of IP address spoofing, so a simultaneous connection is not required. The practical difference is roughly this: on average, finding clean socks for the desired location is easier, but SSH may stay working longer or have unusual characteristics such as a rare Internet provider. In other words, whatever good can be found is used.
To use IP accesses of all types (socks, SSH, VPN, etc.), it is not necessary to understand the detailed structure of their protocols or the technical features of their operation, just as you do not need to understand programming in order to use an operating system at a sufficient level. Correct setup without leaks is much more important, so at the beginning of training there is no point in focusing on minor details and getting confused by them;
• antidetect: a special browser that replaces device characteristics and system fingerprints in order to mask the session, automating the process to a large extent. Socks and SSH can also be connected in the browser itself. However, despite the disguise, for security reasons the antidetect should be stored on the virtual system and in the encrypted area. Use it as desired; there will be a separate lecture on this topic;
• a convenient text editor for keeping records that meets the requirements described above: open-source, no cloud storage and no bad reputation. Theoretically, a standard notepad will suffice, of course, but you can find good alternatives on the Internet using the query “open source text editor.”
As a result, the minimum acceptable configuration looks like this: main system > VPN > encrypted area > virtual system > socks/SSH > Internet. The chain is variable and can be supplemented in every possible way by introducing new links. For example, the last two points can be replaced with remote desktops (VPS, RDP...) or supplemented with a VPN series and antidetect - in general, the options are limited only by the imagination.
2. Parameters. Risks when conducting transactions in stores and services are assessed by “anti-fraud systems” based on a variety of internal rules, filters and lists. Naturally, the desire to bypass the “barrier” of anti-fraud systems and successfully conduct a transaction requires understanding the inner workings and developing the skill of camouflage. For convenience, the parameters can be divided into two categories: IP address and digital fingerprints.
A. IP address parameters include:
• black lists. Databases of suspicious IP addresses seen in DDoS attacks, spam and other dubious activity. They are compiled by specialized services and subsequently used by businesses such as payment systems and banks to check their visitors. Logically, ordering from a particularly dirty IP address will most likely fail: any Tor exit or public VPN already has no room left for more stamps;
• DNS, the domain name system, is a kind of add-on to the IP address and does not have to coincide with it completely. It cannot be called a decisive factor, but physical proximity or visible similarity to the main IP address is without doubt a plus. Naturally, the personal DNS must not leak.
IP accesses (socks/SSH) may not have their own DNS, in which case the address will come from the previous link in the chain of IP access connections, for example the VPN. It can be adjusted like this: select a suitable VPN server, and enter a public DNS server address into the network adapter settings in the "Network and Sharing Center" or into the router settings;
• WebRTC technology: https://shorturl.at/epsFG. Ideally, the IP address shown in the WebRTC column should be identical to the main one; however, depending on the browser and settings, the real address may leak. If a discrepancy is observed during the check, the address can be replaced, for example through the antidetect, or WebRTC can be disabled following the instructions at the link;
• Internet provider and host name (ISP, hostname). You may come across telltale names ("proxy", "hidden", "VPN", etc.) from which the fact of hiding traffic becomes obvious, which, in fact, is one of the calling cards of a typical scammer.
In addition, there are services that provide corporate or private allocation of virtual servers for remote access. As with the ISP, an IP address belonging to such a service or to server systems in general contradicts the pattern of the average buyer. It is useful to keep statistics of the names and labels encountered;
• two-way ping - the approximate time it takes for the visitor's traffic to reach the server. If characteristic values are detected (usually 40 ms or more), the IP address is recognized as a tunnel (SSH), which, from the point of view of anti-fraud systems, can be one of the indicators of a potentially fraudulent operation.
Unfortunately, without administrative control over the IP access (having a login and password alone does not give it), the delay cannot be eliminated, and the following options remain: changing the IP access (socks/SSH) or changing the link preceding it in the connection chain, for example the VPN server. However, it does not always work, and you should not give in to paranoia without real experiments with a specific anti-fraud system;
• open ports: 80, 81, 1080, 8080, etc. In theory they indicate the use of proxy tools (socks), but at the same time they are a double-edged sword. Firstly, a significant number of such accesses are simply the web admin panels of routers. Secondly, contrary to the claims of "anonymity verification" sites, a lot of clean traffic comes from IP addresses of the above types.
Many properties of an IP address are not “good” or “bad” in and of themselves. VPNs, proxies, servers and similar tools can easily be associated with a business, university, telecom operator and other legitimate activities. Moreover, traffic from groups of users can additionally enter the network through one gateway, for example, to apply a firewall or improve performance.
In conclusion, since aggressive suppression of anything suspicious would also make ordinary users suffer, perfection in all respects is not necessary. Besides, there is a whole cartload of other rules for assessing risk. Here are just a couple of consequences of this fact: transactions from the same IP address with different payment methods are possible, and "dirty" IP addresses can be effective. The method for estimating the likelihood that a proxy is in use is called "proxyScore"; "riskScore", as the name suggests, is a risk assessment of a transaction in general or an IP address in particular. Both are expressed in the range 0-100, where the higher the value, the worse. Mostly, verification services are integrated into material stores, and private providers can be found on the forum and online.
B. Digital fingerprints are the collective name for unique information "imprints" taken from different browser settings and the user's operating system. Many fingerprints are actively used by websites and anti-fraud systems both for analyzing transactions and for simple surveillance, because they allow the user to be recognized despite a change of IP address, cleared cookies and, with a strong system, even some changed settings.
From a privacy perspective, it is a set of methods by which a user is identified from others. As, in fact, with fingerprints - and this is also the reason for the need to isolate the work environment: there is a big difference between assigning an identifier to a random observer to collect statistics and a potential “buyer”. Often the data collection and analysis scenario includes:
• user-agent. Together with the IP address, this is the first information a site receives about the user: browser version, language, device type and operating system. Firstly, the language properties must be consistent with the disguise: if the IP address is from an English-speaking country, so are the system and browser. Secondly, in the context of statistical analysis, the choice of browser, device and system is equally important.
For example, obviously suspicious proxies or tunnels mostly run on Linux, which in turn affects the attitude towards that system itself; on average there are fewer fraudulent transactions from mobile phones, which means they are more trusted; Tor is a privacy browser which nevertheless simply could not be more suspicious; and operating systems have a popularity rating.
In other words, the greater the share of bona fide traffic a certain platform has in the world, the easier it is to blend into the crowd and resemble the average buyer. Although statistics are collected in real time and depend on the individual service, in general suitable options are: operating systems Windows, macOS, iOS, Android; browsers Chrome, Edge, Safari, Firefox;
• screen resolution, window size, scaling. Extremely rare combinations of values highlight the user and make them unique, and combinations that contradict the user-agent information due to the use of an antidetect or emulators (virtual machines of mobile devices) may raise suspicion: roughly speaking, a phone does not have a desktop screen resolution;
• like the language, the time settings and the operating system's time zone must match the location of the IP address. At the same time, attention is needed in another context: with stable work from one location against one anti-fraud system, a constant deviation can lead to identification, for example if a number of clients (actually the same one) all show a difference between the system time and the exact local time of exactly 3 minutes;
• operating system fonts. Enumerating installed fonts via JavaScript is a popular technique for making users unique. Operating systems have fonts by default, and the general list grows as programs with their own fonts are installed: various kinds of Office, Adobe PDF, and so on;
• passive OS fingerprint. It is formed from the operating-system-specific parameters of network packets: size, time-to-live of packets, and others. A contradiction between the fingerprints of the IP address and the user-agent (for example, traffic passes through a Linux proxy used as the IP access while a Windows desktop is in use) equals a flaw in the user's portrait. It can be fixed by standard means: change the IP access, share Wi-Fi from a device with the required configuration, for example through an emulator, or ignore the drawback; when working with a lenient anti-fraud system and with a good overall impression of the client, this point is not key;
• extensions and plugins installed in the browser. Good anti-fraud systems detect them by requesting certain element IDs in the browser and recording changes in how the page is displayed. A trivial ad blocker is unlikely to change the situation radically (although it will uniquely identify the user), but tools for falsifying the user-agent and fingerprints can play a cruel joke;
• HTML5 Canvas ("canvas fingerprint") and WebGL. Hidden rendering of visual elements using GPU resources with effects applied to them: text for Canvas and a 3D object for WebGL. After processing, the data is converted into a hash and added to the overall fingerprint to identify the user.
Fonts, GPU driver versions, color depth, filtering, lighting and shadows, textures and so on: to produce a personalized result, the hardware and software features of the device are used, where each of these is a variable, and as a result the existence of distinguishing features is quite understandable;
• audio fingerprint (AudioContext Fingerprint). The playback and evaluation of low-frequency audio signals, like Canvas and WebGL, proceeds covertly and takes into account the characteristics of the user's system and hardware. The content includes: bitrate, decibel value, number of input and output channels, output latency, sampling rate, operation execution time, and more, depending on the anti-fraud system. The values can be adjusted by changing the system or device, modifying parameters with an antidetect, or with the "Virtual Audio Cable" program or analogues. Far from the most common fingerprint;
• cookies - small fragments stored in the operating system with authorization data and user settings for a specific site. Using old cookies with a new disguise is the same as entering the same contact details or payment methods on two different accounts within the same store: unambiguous identification. Therefore, when changing sessions, you need to get rid of them.
Let's summarize the second section. Cleverly protecting yourself from the collection of a number of fingerprints by disabling JavaScript in the browser, with which they are retrieved, is not an option. In that case many sites will stop working normally, and there is no longer any question of strict conformity to the pattern of a respectable buyer.
This is precisely why camouflage is needed - to change the components of fingerprints and thus achieve credibility and diversity of profiles, and also avoid identification. The principle is as follows: for example, changing the device will affect the user-agent, extensions or plugins will affect the browser, and the choice of fonts will affect the entire system.
However, it is important not to upset the delicate balance, because particularly rare settings lead to uniqueness. Ironically, even enabling the tracking opt-out in the browser settings (doNotTrack) or disabling cookies are themselves choices that distinguish the user. Add atypical fonts or extensions to that, and in the long term we have the opposite of the desired effect: a recognizable fingerprint.
On the other hand, anti-fraud systems are a tool for predicting risk, but the main task of any store is to consistently generate and maximize profit. Stores are able to tune the algorithms so that their anti-fraud systems do not react to every trifle, subjecting honest customers to the heavy hand.
For whatever reason, be it a low-risk assortment or profit maximization, stores set their own combinations of rules and their own acceptable threshold for anomalies in fingerprints. Thus, individual checks may be missing and errors may not be taken into account, for example AudioContext or some blacklists; and, on the contrary, somewhere they will press on all fronts. So the point is rather a certain critical mass of parameters. In addition, it is worth noting the dynamism of anti-fraud systems' value judgments. Blacklists, providers, IP address locations and other parameters, firstly, can change on their own as data is updated, and secondly, are perceived differently by anti-fraud systems depending on current statistics, information from database suppliers, the "weather"... that is why it is so important to collect information.
Examples of sites for checking IP address characteristics and operating system fingerprints (so-called anonymity verification services):
• whoer.net;
• browserleaks.com;
• 2ip.ru/privacy/;
• ip-score.com;
• maxmind.com;
• f.vision.
Repeated checking of the proxyScore, riskScore and blacklist indicators sometimes provokes contamination of the IP address; you should not overdo it.
Third section, financial turnover.
The main tool for making transactions is cryptocurrencies. The most suitable options, tested by time and the community: Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Monero (XMR). The use of supposedly more technically advanced or investment-friendly cryptocurrencies, as well as USDT and other “stablecoins” is at your own discretion.
The advantage of cryptocurrencies over other financial instruments is confidentiality - there is no need to support transactions with personal data of the sender and recipient. However, cryptocurrencies cannot be called “anonymous” due to the availability of transactions in clear text, which makes it possible to track the movement of funds. Consequently, they do not give carte blanche in the matter of financial transactions.
You can cover your tracks like this: changing receiving and sending addresses (supported by many wallets), passing funds through various exchangers and cryptocurrencies, cash transactions and the use of "mixers", services for anonymizing transactions by splitting client funds into small parts and then mixing them together. The choice of exchangers and mixers is up to you, based on reviews and reputation.
There are two types of cryptocurrency wallets: hot and cold. Hot wallets need constant Internet access: exchanges, online wallets and exchangers. In this case the coins are held by the service, and the client only gets access to them. Cold wallets, in turn, are hosted locally, for example in the operating system or on a separate device, and in the absence of information leaks only the owner has access to them.
Despite the disadvantages of hot wallets, they are convenient for frequent use, while the point of cold wallets is reliable storage and the absence of intermediaries. Examples of wallets: "Bitcoin Core" (the official cold wallet, but it takes up a lot of disk space), "Blockchain" (hot; verification is not required to make transactions), "Electrum" (conditionally cold, but unlike Bitcoin Core it does not download the entire blockchain).
As with cryptocurrencies, the use of alternative wallets (Ledger, Trezor, etc.) or full-fledged exchanges that require verification of personal data is at your own peril and risk. In many private services, vulnerabilities or backdoors are sometimes discovered, and exchanges even tend to go bankrupt and block accounts. In addition, when working with cryptocurrencies, you need to take into account the instability of rates.
For fiat currencies (USD, EUR, RUB, etc.) and transactions from official exchanges, wallets or exchangers, an incognito behavior model is applied. The history of customer actions is saved, so personal IP addresses, personal data and device fingerprints should not be involved in the process of suspicious financial transactions. Instead you can use:
• virtual machines, SMS activators, VPN;
• many services work with cash. Suitable for both withdrawal and deposit of funds;
• use of terminals to replenish pre-registered confidential wallets;
• accounts of dummies (drops). There are risks, blocking and theft, so it is better not to hold funds in them but to change accounts periodically. Verification services and sales of accounts and cards are available on the forum.