This topis is very common and people help each together for this reason I want too give you my experience and knowledge how I am more than few years safe without any compromised account or etc
like first in long term you will need Linux ( there some people who use Tails but I think you need to use Linux on hard disk ) dual boot
reason why in long term you be gathered files,knowledge,sources and etc so for this reason
look don't take me wrong but Tails is primary for Journalist which live without freedom to speech,like use Tails when you must just few times its okay,but in long term, I am not sure ( that's only my opinion )
When you use Virtual machine likes ( Oracle VM ) better is always keep that on QEMU/KVM
Encrypt hard disk again common step but many people don't take it seriously,for example my LUKS password have over 24-32 characters,special symbols,numbers
this password I don't have written somewhere on piece of paper or before used,I have it only at my mind
I recommend you use password for example to easy remember "yourFavoriteSong@669myAnotherfavoriteSong#669" example
there is not important which distro you choice like means Debian ( kali parrrot,linux mint and etc ) or arch
----------------------------------------------------------------------
I don't be talk about VPN you re know at this moment its best Mullvad but still keep on your mind never trust VPN provider
for this reason I used "USB TETHERING" i have rooted phone,custom rom and on setting I "allow client to use VPN"
so for example on phone I running IPVANISH which give me over USB TETHERING internet and on Linux I running Mullvad
without any knowledge or experience and ricing you have connection over two separated vpn providers
you can still use tor-socks,always when I connect to ssh,rdp or everything what could be dangerous for me I use tor-socks here few examples
vpn---->vpn---->tor socks ( for that paranoid guys )
vpn---->tor socks ( use always where could be something compromised )
vpn---> ssh ( personally I don't use or recommend )
Prefer to run application and etc over proxychains than setup it manually on Telegram for example ( there you have some logs what i get when i use proxychains ----> Telegram )
[proxychains] Strict chain ... 127.0.0.1:9050 ... firebaseremoteconfig.googleapis.com:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 149.154.175.53:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 149.154.175.53:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... google.com:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 149.154.175.56:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... mozilla.cloudflare-dns.com:443
[proxychains] Strict chain ... 127.0.0.1:9050 ... firestore.googleapis.com:443
Interesting how Telegram communicate with google dns server or even mozzila cloudflare
----------------------------------------------------------------------
Personally on each site like xss.pro and etc,used different password,you can "pwgen" ( sudo apt install pwgen or sudo pacman -S pwgen )
[backstab@tor-browser]$ pwgen
aico5eRe ohDeex3E aY6TiH7o iole8ohH aepei9Tu le3Up1Ae sa2ahPha tiu8chaR
oov6ooK3 Ejeigh9o theeNgi9 Aithag6u Caequ3ua iun5veTa ai9oKeim mue3Jueb
You can see its generate bunch of password,you cannot remember it that obviously but you can make PGP ( for example with same pass which you use for hard disk LUKS )
and you can keep your password storage secured and nobody else cannot read that without your PGP and password
------------------------------------------------------------------------------------
Shits like never trust anyone,don't say where you live or even your age I think its obviously never specified your real personal info, nobody never have reason to know it
thats all like i said its just basic and definition of opsec in pocket,be safe
------------------------------------------------------------------------------------
Remember you cannot trust to Microsoft which on newest Windows 11 make from this Operating system total spyware,same Windows 10 and etc
you cannot trust to Google and Android phone same like,you cannot trust to iPhone and they security features
everything what is close source is dangerous
for example I have rooted phone,custom rom,without gapps and Google still pinging my device,how that's possible without any google frameworks and etc
always work just on Linux don't work over phone and etc
better is be paranoid and think about everything what could possible to happened than even once get on trap and paid with your time
Hardening Arch Linux
Sandboxes allow you to run a program in an isolated environment that has no, or limited access to the rest of your system. You can use these to secure your applications or run untrusted programs.
I recommend to use bubblewrap to sandbox programs. It is a very powerful sandbox with minimal attack surface.
You should not use Firejail as it has far too large attack surface which has led to Firejail having trivial privilege escalations and sandbox escapes.
Virtual Machines
Virtual Machines (VMs) isolate processes by virtualizing an entirely new system. I recommend to use KVM/QEMU.
You should not use Virtualbox for multiple reasons.
1) They use a non-free toolchain to compile their BIOS which is problematic for some free software projects.
2) They don't fix security bugs. Many bugs are left in because the developers are too lazy to fix them.
3) They rarely tell people about bugs. If they discover a bug they hide it from everyone else which makes it a lot harder for the community to make patches.
4) A lot of important features only come with the extension pack which is proprietary.
KVM is a kernel module that allows the kernel to function like a hypervisor.
QEMU is an emulator that can use KVM.
Virt-manager and GNOME Boxes are both good and easy to use GUIs to manage KVM/QEMU virtual machines.
Transparent Proxy
You can configure your whole system to use Tor by default with a transparent proxy to anonymize all internet traffic.
To do this add this to /etc/tor/torrc:
TransPort 9040
DNSPort 5353
SocksPort 9050
Link to full Hardening ----> https://theprivacyguide1.github.io/linux_hardening_guide
like first in long term you will need Linux ( there some people who use Tails but I think you need to use Linux on hard disk ) dual boot
reason why in long term you be gathered files,knowledge,sources and etc so for this reason
look don't take me wrong but Tails is primary for Journalist which live without freedom to speech,like use Tails when you must just few times its okay,but in long term, I am not sure ( that's only my opinion )
When you use Virtual machine likes ( Oracle VM ) better is always keep that on QEMU/KVM
Encrypt hard disk again common step but many people don't take it seriously,for example my LUKS password have over 24-32 characters,special symbols,numbers
this password I don't have written somewhere on piece of paper or before used,I have it only at my mind
I recommend you use password for example to easy remember "yourFavoriteSong@669myAnotherfavoriteSong#669" example
there is not important which distro you choice like means Debian ( kali parrrot,linux mint and etc ) or arch
----------------------------------------------------------------------
I don't be talk about VPN you re know at this moment its best Mullvad but still keep on your mind never trust VPN provider
for this reason I used "USB TETHERING" i have rooted phone,custom rom and on setting I "allow client to use VPN"
so for example on phone I running IPVANISH which give me over USB TETHERING internet and on Linux I running Mullvad
without any knowledge or experience and ricing you have connection over two separated vpn providers
you can still use tor-socks,always when I connect to ssh,rdp or everything what could be dangerous for me I use tor-socks here few examples
vpn---->vpn---->tor socks ( for that paranoid guys )
vpn---->tor socks ( use always where could be something compromised )
vpn---> ssh ( personally I don't use or recommend )
Prefer to run application and etc over proxychains than setup it manually on Telegram for example ( there you have some logs what i get when i use proxychains ----> Telegram )
[proxychains] Strict chain ... 127.0.0.1:9050 ... firebaseremoteconfig.googleapis.com:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 149.154.175.53:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 149.154.175.53:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... google.com:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 149.154.175.56:443 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... mozilla.cloudflare-dns.com:443
[proxychains] Strict chain ... 127.0.0.1:9050 ... firestore.googleapis.com:443
Interesting how Telegram communicate with google dns server or even mozzila cloudflare
----------------------------------------------------------------------
Personally on each site like xss.pro and etc,used different password,you can "pwgen" ( sudo apt install pwgen or sudo pacman -S pwgen )
[backstab@tor-browser]$ pwgen
aico5eRe ohDeex3E aY6TiH7o iole8ohH aepei9Tu le3Up1Ae sa2ahPha tiu8chaR
oov6ooK3 Ejeigh9o theeNgi9 Aithag6u Caequ3ua iun5veTa ai9oKeim mue3Jueb
You can see its generate bunch of password,you cannot remember it that obviously but you can make PGP ( for example with same pass which you use for hard disk LUKS )
and you can keep your password storage secured and nobody else cannot read that without your PGP and password
------------------------------------------------------------------------------------
Shits like never trust anyone,don't say where you live or even your age I think its obviously never specified your real personal info, nobody never have reason to know it
thats all like i said its just basic and definition of opsec in pocket,be safe
------------------------------------------------------------------------------------
Remember you cannot trust to Microsoft which on newest Windows 11 make from this Operating system total spyware,same Windows 10 and etc
you cannot trust to Google and Android phone same like,you cannot trust to iPhone and they security features
everything what is close source is dangerous
for example I have rooted phone,custom rom,without gapps and Google still pinging my device,how that's possible without any google frameworks and etc
always work just on Linux don't work over phone and etc
better is be paranoid and think about everything what could possible to happened than even once get on trap and paid with your time
Hardening Arch Linux
Sandboxes allow you to run a program in an isolated environment that has no, or limited access to the rest of your system. You can use these to secure your applications or run untrusted programs.
I recommend to use bubblewrap to sandbox programs. It is a very powerful sandbox with minimal attack surface.
You should not use Firejail as it has far too large attack surface which has led to Firejail having trivial privilege escalations and sandbox escapes.
Virtual Machines
Virtual Machines (VMs) isolate processes by virtualizing an entirely new system. I recommend to use KVM/QEMU.
You should not use Virtualbox for multiple reasons.
1) They use a non-free toolchain to compile their BIOS which is problematic for some free software projects.
2) They don't fix security bugs. Many bugs are left in because the developers are too lazy to fix them.
3) They rarely tell people about bugs. If they discover a bug they hide it from everyone else which makes it a lot harder for the community to make patches.
4) A lot of important features only come with the extension pack which is proprietary.
KVM is a kernel module that allows the kernel to function like a hypervisor.
QEMU is an emulator that can use KVM.
Virt-manager and GNOME Boxes are both good and easy to use GUIs to manage KVM/QEMU virtual machines.
Transparent Proxy
You can configure your whole system to use Tor by default with a transparent proxy to anonymize all internet traffic.
To do this add this to /etc/tor/torrc:
TransPort 9040
DNSPort 5353
SocksPort 9050
Link to full Hardening ----> https://theprivacyguide1.github.io/linux_hardening_guide
who knows when this bloatware will decide to rewrite the routes.