Fundamental Security Guide

This is not an in-depth or detailed tutorial on any specific security measure. Rather, it is a basic rundown of some precautions you should be taking, as well as some things you should be aware of. The main goals with your digital happenings are to: avoid a trace, avoid an intercept, limit evidence, and avoid fedware. Often more than one of these goals can be met by using a single technique or technology.

Avoid Trace

There are two primary ways to avoid having your physical location traced when you conduct business online: proxies (including anonymizers), and WiFi. The main anonymizer is Tor. Although Tor offers fairly strong anonymity, understand that it is not perfect. So far it seems to be adequate for protecting your anonymity against federal police traces. It is not adequate to protect your anonymity from many intelligence agencies, but they are unlikely to care about what you are doing if you are not a terrorist or an official of a foreign government. There are many technical attacks on the Tor network itself which you really can't defend against (this is up to the Tor developers). There are some attacks on Tor anonymity that you can protect yourself from, though, and these are what I will talk about in this guide. You can find information on the more technical attacks at blackopsecurity.net if you are interested, but they are fairly abstract.

One of the first things you need to do is make sure that you don't inadvertently leak your IP while surfing. Attacks that find your true location by going around Tor (rather than breaking it) are called side channel attacks. The most well known side channel attacks involve things such as Java or Flash applets being loaded in your browser and then sending your real IP back to their host machine. Another well known side channel attack involves you opening an office document with a hotlink in it. This goes around Tor if you do not have your office program set to go through it. The best way to defend against side channel attacks is to make sure you are using the Tor Button Firefox extension when you surf the internet. This protects from pretty much all known side channel attacks. You don't want to use FoxyProxy; it does not protect you against any side channel attacks. Also, make sure you do not open any documents with programs that are not set to run through Tor. If you want to be extra careful, you can use a firewall to force all your traffic over Tor. It might be smart to do this in a virtual machine so it does not interrupt your non-sensitive internet surfing. You can ensure your browser is sending traffic through Tor by going to www.check.torproject.org. You can check your Tor setup by going to www.decloak.net and running their side channel vulnerability scanner on yourself. www.deanonymizer.com offers another side channel vulnerability scanner you can use to ensure your Tor setup is optimized.

Another thing to keep in mind when using Tor is that it only keeps you anonymous while you are using it. Also remember that servers you visit, with or without Tor, are going to keep track of the IP address you used for the visit as well as the exact time of the visit. If you find something interesting while not using Tor and then immediately share it on the forum, your anonymity can eventually be compromised. All the attacker has to do is subpoena the server logs from the site you visited and check which IPs visited in a time frame relative to when you posted the link. After doing this multiple times with multiple servers, the attacker can eliminate IP addresses that do not appear across several servers, and they will likely be left with your real IP address. The moral of the story is: always use Tor for anything related to the scene, even if it is only peripherally related. This includes clicking links that people you talk to may give you; if you do it, make sure you are using Tor. For all you know they are giving you a link to a server that cooperates with them in an attempt to get your IP address. You should avoid going to YouTube-style pages that are suggested to you by people in the scene unless you highly trust them.

Another thing to keep in mind with Tor is the fact that, in the grand scheme of things, not very many people use it. Tor is the most popular anonymity network in the world, but chances are not many people in your area use it. In the process of doing business, you will likely end up giving your rough geographic location away to some of the people you work with. If these people are malicious, it is not far-fetched to imagine that they could work with ISPs in your area to determine who is connecting to the Tor network. This probably won't even require a warrant, as wiretap laws usually concern what information is going down a communications channel, not who is part of a communications channel. Since not many people in your area are likely using Tor, and since you give your general area away when you receive products from people, you could be greatly narrowed down in this way.

To combat this, you want to hide the fact that you are using Tor from your ISP. There are a few ways to do this. One is to configure your Tor connection to blend in with normal traffic. You will want to run Tor on port 443, which is the standard port for SSL. SSL traffic is encrypted traffic; if you go to a website that starts with https:// you are using SSL. Encrypted Tor traffic and SSL traffic are essentially impossible to differentiate, so by running Tor on port 443 you will look just the same as a traditional SSL user (of which there are FAR more in your area than there are Tor users) to anyone looking at your traffic. Although running Tor on port 443 disguises your Tor traffic, your ISP can still tell you are using Tor if you are connecting to known Tor entry nodes. Tor entry nodes generally have their IPs listed in publicly available lists, and it is pretty safe to say that if your ISP sees you communicating with a Tor entry node, they know you are using Tor. One defence against this is to use what is called a bridge relay. Bridges are Tor nodes that are not listed in the public Tor directories, so it is harder (although not impossible) for your adversary to get a complete list of them. Disguising Tor traffic as SSL traffic and using bridges as entry guards will make it significantly more difficult for your ISP to determine that you are using Tor.

Another thing you could consider is using an offshore VPN or server as a sort of bridge to the Tor network. Your ISP will be able to see that you are using a VPN or connecting to an offshore server, but they will not be able to determine that you are using Tor (so you will not be detected in any wide sweeps looking for Tor users in your area). The VPN or offshore server will be able to determine that you are using Tor (unless you use a bridge as well), but they are not in as likely a position to cooperate with authorities as your local ISP is. One thing to keep in mind about using offshore servers or VPNs to reach the Tor network is that the people with access to the VPN or server can do timing correlation attacks on you. If the people who own your VPN can also view the hidden service you communicate with, and they can determine that you are sending traffic down the Tor network, then they can see that every time you send traffic into Tor, traffic arrives at the hidden service they are monitoring. You are still vulnerable to this attack from your ISP, however, if your ISP can tell you are using Tor. To learn more about Tor bridges, and find some for yourself, go here: www.torproject.org/bridges

Tor is not the only tool to assist you in untraceable communications. Another method you can take advantage of is WiFi. You can use open WiFi, or you can trivially crack WEP-secured WiFi. There is a decent possibility that you will be able to crack WPA-secured WiFi also, but this is not a sure thing. Using WiFi can offer you very strong anonymity, especially when combined with Tor. There are, however, some things to keep in mind when using WiFi.

First of all, your network card has a semi- to fully unique number associated with it called a MAC address. When you connect to a wireless router, the router can see, and often logs, your MAC address. You can't really be traced with just a MAC address (unless maybe you paid for your network card with a credit card or sent in a rebate for it, and even then it is unlikely), but if you are discovered and your network card is seized, its MAC address can be used as fairly strong evidence that a previously made wireless connection came from you. This is easy to get around: just spoof your MAC address to something different every time you use WiFi, and never use your real MAC address.

Another important thing to keep in mind is that a wireless connection is prone to live traces. Using directional antennas, an adversary in your general area can trace the signal your wireless card gives off back to you (or to within a small radius of you). If you are using WiFi from a static location, this can be used to trace you. For this reason, you get much stronger anonymity if you use dynamic locations and multiple WiFi access points (perhaps war driving, or even using WiFi at locations such as coffee shops). Another thing to keep in mind with WiFi is that if it is not secured, then neither are the communications you send over it (by default). If it was crackable by you, then the communications you send over it are crackable by someone else. This is not a big deal if you are using Tor, though, because Tor traffic is encrypted with strong encryption at the application level. Even if you are using Tor, though, someone in your general area who sniffs your WiFi traffic might be able to determine that the traffic is destined for the Tor network (depending on how you have Tor set up, i.e. are you using bridges or not?). The same person could also find your physical location by doing a live signal trace of your wireless communications. Something else to consider about WiFi is that, depending on your jurisdiction, it may be illegal to use even open WiFi if it is not advertised for use by the public. And it is almost certainly always going to be illegal for you to crack your way into secured WiFi. People are very, very rarely caught for using open or cracked WiFi, but it is something to keep in mind. One more thing I want to say about WiFi is that you should definitely invest in a good antenna and WiFi card; you will be able to pick up a lot more connections than you would with a stock antenna.

Avoid Intercept

In the context of the digital world, an intercept is generally the interception of meaningful communications between two or more parties by a malicious third party. Interception of communications can be damaging both to anonymity and to the goal of minimizing evidence. Being untraceable over your communication channels means very little if a message containing your shipping address is intercepted by an adversary. Also, if your communications can be intercepted, a plethora of evidence can be gathered from them and used against you if you are ever compromised. The primary way to protect your communications from a meaningful intercept is to encrypt them. The encrypted communications can still be intercepted, but the interceptor can not decipher useful information from them without the proper passphrases and keys. The sort of encryption used for communications is called a hybrid system: a system that uses asymmetric encryption to encrypt session keys and symmetric encryption to encrypt data (with the key to decrypting the data being the asymmetrically encrypted session key). I am not going to go into technical details in this guide, but you can learn more about encryption in the security forum. One thing I want to do is mention some common implementations of communication encryption systems, and also talk about some common misconceptions about communications encryption.

The two primary software implementations for encrypted communications are GPG and OTR. GPG is an independent encryption program (it will encrypt anything you put into it and let you send the resulting ciphertext over the channel of your choice), often used for e-mail encryption. OTR is an encryption system designed for instant messaging, with its primary implementation being the Pidgin OTR plugin. OTR and GPG offer different sorts of advantages and disadvantages. In general, OTR is easier to use and offers deniability (which in my opinion makes it a better choice than GPG). The main disadvantage of OTR is that it is tied to instant messaging programs, so it is not really an option for non-real-time communications. GPG tends to be relatively difficult for most people to learn (although anyone who spends half an hour with it should master it), and it has no deniability at all. The primary advantage of GPG is that it can be utilized over all sorts of communication channels, even non-real-time ones such as e-mail or private messaging systems. OTR and GPG both use strong algorithms for the actual encryption of data.

One thing to keep in mind with communications data is that even if an adversary can not immediately decrypt your communications, they can save the ciphertext. Perhaps after many months of storing your ciphertext, the adversary will move in on you and then force you to reveal your decryption keys. In the United Kingdom, failure to provide decryption keys to authorities can get you sent to prison for several years. In the United States it has not yet reached the Supreme Court; there was one case of a pedophile who encrypted his laptop, but he ended up pleading guilty and revealing his passphrase before it made it to the Supreme Court. Two courts had already ruled on his case, with one judge saying he did not have to reveal his decryption key and another saying he did. It is quite possible you will be held in contempt of court for not revealing decryption keys in the USA, but a good lawyer can probably get you off the hook. There was recently a case where yet another pedophile had his computer seized after he allegedly downloaded child porn, only to have his case entirely dismissed when no evidence could be retrieved off his encrypted computer. I am unaware of the laws outside of the USA or UK regarding encryption keys, but I think it is safe to say that no matter where you live, failure to comply with authorities will end up pissing them off.

The reason I talk about being forced to reveal decryption keys is because it shines light on why I support OTR over GPG. With OTR, you do not (without seriously trying to find them) know any of the keys used for the encryption of your messages. There is not a passphrase you can give up to reveal your secret key, like there is with GPG (the entire system works differently; too technical to explain here). Also, the keys used change every message and the old keys are not stored. This essentially re-keys your communications every conversation.
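As an added illustration of the re-keying argument above (example code written for this page, not OTR's or GPG's actual design), the following Python models the two key-handling styles side by side: a long-lived secret from which every message key is derived, versus a chain key that is advanced one-way after every message and then discarded. The asymmetric key exchange of a real hybrid system is left out, the cipher is a hash-based stand-in, and the root key, messages and seizure scenario are all constructed.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256): you can step forward, never back."""
    return hmac.new(key, label, hashlib.sha256).digest()


def stream_xor(msg_key: bytes, data: bytes) -> bytes:
    """Illustrative keystream cipher: XOR data with SHA-256(msg_key || counter) blocks.
    A stand-in for a real symmetric cipher; the example is about key handling, not the cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(msg_key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(msg_key: bytes, plaintext: bytes):
    """Encrypt and authenticate one message under a single message key."""
    ciphertext = stream_xor(msg_key, plaintext)
    tag = hmac.new(msg_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(msg_key: bytes, ciphertext: bytes, tag: bytes):
    """Return the plaintext if msg_key authenticates the ciphertext, else None."""
    expected = hmac.new(msg_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_xor(msg_key, ciphertext)


class LongTermKeyScheme:
    """GPG-like model: every message key derives from one long-lived secret, so whoever
    obtains that secret (e.g. by compelling the passphrase) can read every past message."""

    def __init__(self, long_term_secret: bytes):
        self.secret = long_term_secret

    def message_key(self, index: int) -> bytes:
        return kdf(self.secret, b"message-" + index.to_bytes(4, "big"))

    def encrypt(self, index: int, plaintext: bytes):
        return seal(self.message_key(index), plaintext)


class RatchetScheme:
    """OTR-like model: the chain key is advanced one-way after every message and the old
    chain key is discarded, so the device keeps nothing that opens earlier messages."""

    def __init__(self, root_key: bytes):
        self.chain_key = root_key

    def encrypt(self, plaintext: bytes):
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # the old chain key is gone now
        return seal(msg_key, plaintext)


def decrypt_with_seized_chain_key(chain_key: bytes, ciphertext: bytes, tag: bytes,
                                  max_steps: int = 64):
    """What an adversary holding a seized chain key can do: ratchet forward up to max_steps
    and test whether any derived message key authenticates the ciphertext. Messages sent
    before the seizure never match, because the derivation step cannot be reversed."""
    k = chain_key
    for _ in range(max_steps):
        plaintext = unseal(kdf(k, b"message"), ciphertext, tag)
        if plaintext is not None:
            return plaintext
        k = kdf(k, b"chain")
    return None


def demo() -> dict:
    """Constructed scenario: two messages are sent, the device is seized, then a third is sent."""
    root = bytes(range(32))  # constructed root key; a real system negotiates this per session
    ratchet = RatchetScheme(root)
    before = [ratchet.encrypt(b"first message"), ratchet.encrypt(b"second message")]
    seized_chain_key = ratchet.chain_key  # the only key material left on the device
    after = ratchet.encrypt(b"third message")
    longterm = LongTermKeyScheme(root)
    old_mail = longterm.encrypt(0, b"old mail")
    return {
        "ratchet_past": [decrypt_with_seized_chain_key(seized_chain_key, *c) for c in before],
        "ratchet_future": decrypt_with_seized_chain_key(seized_chain_key, *after),
        "longterm_past": unseal(longterm.message_key(0), *old_mail),
    }


if __name__ == "__main__":
    print(demo())
```

With the ratchet, the seized state opens only the message sent after the seizure; with the long-term key it opens the old message too, which is exactly the stored-ciphertext risk described above.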
Meaning that even if someone is saving ciphertexts, they are not really going to be able to force you to decrypt them at a later date, as you wont have any of the information required to decrypt them at a later date. With GPG, the adversary can force you to give up your passphrase to decrypt your private key, and then they can decrypt all messages that were sent to your private key. A good practice with GPG is to generate a new keypair periodically (This is called re-keying). That way, if an adversary compromises you and forces you to reveal your passphrase for your private key, they can only force you to reveal messages received since your previous rekey. Make sure you securely erase your old private key when you re-key! I would like to take some time now to talk about common myths I hear people perpetuate about strong encryption. The first common myth is that it is easy to break strong encryption with a powerful enough computer. This is not really true. First of all, there are two types of encryption: asymmetric and symmetric. Although symmetric encryption is used to encrypt data, in a communications encryption system the session keys (used to decrypt the symmetric encryption) are encrypted asymmetrically. Neither strong asymmetric encryption nor strong symmetric encryption are at any real risk of being broken with a traditional computer. Someone with a multi-million dollar super computer is not going to be able to break strong encryption anymore than someone with a cheap laptop is. Unfortunately, this is only really true with traditional computers. Powerful quantum computers are very good at breaking asymmetric encryption, although they still are not very capable of breaking symmetric encryption. Although a quantum computer powerful enough to run shors algorithm can break your asymmetric encrypted communications, it is important to put this into context. 
First of all, there is no proof that there is such a quantum computer in existence, and there is a significant amount of doubt if to one could even possibly be created. Second of all, if such a computer does exist, it is certainly in the realms of elite intelligence agencies, with NSA being a likely candidate to have the first (if one is ever made). If the NSA does have such a computer, which seems fairly unlikely, they are going to keep its existence a highly guarded secret. You are not going to find yourself in court with ciphertexts that the NSA encrypted being used against you. They will almost certainly reserve use of such a computer for gathering intelligence on foreign governments and possibly reading the communications of terrorists. They are unlikely to even act solely based off intelligence they gather by such methods. Another common myth about encryption is that it doesn't really help you. This is most often said by complete idiots, but I feel I should discount them now rather than wait for them to make fools of themselves. Let's say you are working with a vendor. Of course, you are going to end up sending communications to this vendor that give away a location where drugs or something similar are being shipped to. Chances are the vendor you are working with works with dozens to hundreds of people or more. If one of those people turn snitch, and give up the vendors E-mail address, you can bet your ass it is going to be monitored by feds. So with out encryption, in this scenario, you are essentially sending your information directly to the feds. Now let's look at it from the perspective of a vendor. You are working with dozens to hundreds or more customers. Chances are that very few of them are feds, but some could be. Do you want the feds to be able to get you with dozens to hundreds or more charges, or do you want to limit them to only crimes you allegedly commited with them? Do you want them to see the addresses of every package you ship? No! 
So use encryption. Limit Evidence If worst comes to worst, you will probably end up getting raided and having your computers seized for forensic analysis. At this point, you fall back to your most basic security systems: those which limit the ability for evidence to be gathered from your computer. Obviously the most important part of limiting digital evidence is to encrypt your entire system, as well as encrypt the files with in it. You will want FDE (Full Drive Encryption) as your primary system encryption precaution. FDE encrypts all data on your hard drive (save a small bootloader) and keeps you nearly fully safe from forensic examination. FDE uses symmetric encryption, so it is safe from quantum computers as well as traditional computers. The weakest component will almost certainly be your passphrase. If you are using Linux, as you absolutely should, then it is likely you can apply FDE with luks-dm when you first install your system. I suggest you use Serpent-256 for your symmetric algorithm, if you do use AES I suggest AES-128 over 256, as (contradictory to what you would think) AES-256 has been proven weaker than 128 due to poor key structure design in the 256 bit version. Both should keep you safe though. If you use Windows, you should use FDE with truecrypt and use the plausible deniability hidden OS feature as well. The hidden OS feature will protect you in case you are forced to give up a password, essentially with this feature you create two operating systems on your hard drive, one that you can use for non sensitive business and one you use for sensitive business. Both have different passwords, and the password you enter during boot determines which OS you boot into. Truecrypt uses a strong steganographic technique to hide the existence of the hidden operating system, so it will be very difficult for a forensic examiner to prove that there is a hidden OS. This way you can reveal your password if you are forced to do so. 
It is extremely important you use this method of FDE if you live in the UK, merely encrypting your hard drive with no hidden OS will get you years in prison when you refuse to decrypt your OS. If you are using Linux, unfortunately you can not get plausible deniability with FDE at this time, at least not with out some serious know how (ie: trust me, you almost for sure can't). So if you use Linux, what you want to do is do standard FDE with luks-DM, and then inside your hard drive create a truecrypt hidden partition. Inside the hidden part of the partition, put a virtual hard drive. Whenever you are handling sensitive business, do so using a virtual machine with the virtual hard drive. This is not as good of plausible deniability as you get using Truecrypt FDE hidden OS, but it is the next best thing and lets you use Linux (which you absolutely should). In addition to FDE, you want to individually encrypt sensitive files inside your hard drive. There are two methods to do this. First of all, you can create truecrypt containers and put your sensitive files inside of them after mounting them as virtual hard drives. If you go the Truecrypt route, always make them with hidden sections for plausible deniability. For temporary notes, it is probably safe to just encrypt them to yourself with GPG, but remember you don't have plausible deniability if you do it this way. Now to talk about some things you should know about with encrypting files to limit evidence. First of all, when encrypted drives or virtual drives are mounted, their keys are stored in RAM. So when you are actually on your FD encrypted computer and are using it, it is not encrypted really. It is only encrypted when you turn it off. Actually, for around five or so minutes after your cut power to your computer off, the encryption keys are still in ram. A sophisticated enough forensics/raiding team will know enough to attempt to flash freeze your ram. 
This is easy, just spray the liquid from an upside down can of compressed air onto the Ram chip. Once the ram has become flash frozen, data on it will stay for long periods of time with out decaying away. So they can take your ram and plug it into a forensics laptop that takes a dump of it, and grabs your encryption keys rendering your encryption useless. You might want to invest some money in a case that is difficult to open, and make sure to cut power super fast if you get raided or a knock at the door. Really, don't keep your computer on when you are not using it and don't keep sensitive containers mounted when you are not using them. Another thing to watch out for is keyloggers. If someone gets your passphrase when you type it in then it is game over. There are many sorts of keyloggers, of varying sophistication. The most basic sorts of keyloggers are software virus-style ones: generally speaking these are not a threat to FDE but they are a threat to encryption after your OS is booted. The primary way to protect yourself from this sort of keylogger is to use Linux. If you for some reason must use Windows, make sure you get a good anti-virus and an anti-keylogger program, but to be honest trying to be secure a Windows machine is going to be extremely difficult, although you should always try. A step above software keyloggers are hardware keyloggers. To be targeted by a hardware keylogger, someone is going to already need to know your location. There are multiple types of hardware keylogger, but primarily the keyboard wire is cut inside your keyboard and a logging device is put in between it and then it is put back together. These key loggers can be found down the length of the wire, and inside the keyboard itself. There are cheaper hardware keyloggers that merely attach to the keyboards connecting piece (ps2/usb), but these are easy to spot unless you are like ten years old. 
To protect yourself against hardware keyloggers I suggest you either superglue your keyboard shut or invest money in one of those fully enclosed in plastic roll up keyboards. Now add some small but noticeable marks to your keyboard, perhaps with ultra violet ink so that it only shows up under a black light. If someone tries to open your keyboard and put a keylogger in it, you will notice as they will need to break it open. If they replace it with an identical model after putting a keylogger in it, you will notice the absence of the marks. Also, check your keyboard wire for any in uniformity in width, and make sure there are no plugin loggers on the connection part. Other sorts of keyloggers are added directly to the motherboard, and these ones are pretty difficult to detect but you might be able to protect against them by putting motion detecting cameras set to send a feed of your computer case to an offshore server. Then if anyone opens and modifies your case, you will be able to see that they did it by checking the video on the server. There are more sophisticated keyloggers and keylogging methods. One type of keylogger especially made for getting into encrypted hard drives is called an Evil Maid Keylogger (or a keylogger used in an evil maid attack). In this attack, someone with access to your computer replaces the unencrypted bootloader on your hard drive with a bootloader that has a software keylogger on it. They need to boot your PC and use a bit editor to put this onto your hard drive, but it can be done. There is a kit used to do this against truecrypt FDE called the stoned bootkit. Essentially, you type your password in, it is recorded by the bootloader and then next time you leave the adversary comes back and gets your password off the hard drive. To defend against this attack you could use motion detecting cameras like for the motherboard hardware keyloggers, or you could put your bootloader on a tamper resistant USB key and always boot from that. 
Alternatively you could always boot from a Truecrypt rescure CD if you are using Truecrypt. There are even more sophisticated methods to record your keystrokes. For example, every time you hit a key it makes it a sound. The sound made is unique to that key, or at least with in a range that can be narrowed down to a single value. An adversary with a laser microphone aimed at a window near your keyboard can record all of these sounds from around a mile away if they have line of sight. Once they record the sounds of you typing, they can cryptanalyze them using frequency charts and other statistical methods, to determine which sounds correlate with which keys. This will allow them to do remote keylogging from great distances. The best way to defend against this attack is to invest in some anti-laser microphone devices and put them on your windows. Failing that you can try to type in a noisy environment (mainly when you enter your passwords). You will at least make it so they have more noise to filter. Another thing to consider is that when you type, your keyboard gives off electromagnetic signals. An adversary with a sophisticated signal receiver can record these signals, even through walls, from around up to 70 feet away. The same sorts of frequency table attacks can be done on the electromagnetic signals as can be done on acoustic signals. You will end up having a very difficult time trying to defend yourself against an adversary who is using this sort of technique to log your keystrokes. Fortunately, such technology is unlikely to be used by feds and tends more towards the realms of signals intelligence agencies. In addition to encrypting your computer and files, you may wish to destroy evidence at some point in time. It is good to wipe your computer clean periodically: between projects and when the heat is up especially. Wiping is too slow to do if you get a knock at the door, in this case you need to fall back to encryption and hope your keys were not compromised. 
Wiping your drive essentially involves filling it up with random 1's and 0's (or solid 1's or 0's), making it difficult to impossible to determine what used to be on it. It is an area of debate, but some have claimed it is possible to retrieve data off a a wiped hard drive by using magnetic imaging / electron microscopes to analyse the current state of bits on the drive and determine what their previous state was. Some say that this may have worked on older hard drives but newer drives have too dense of platters for the same attack to happen. The debate generally focuses on how many passes are adequate to securely wipe a drive: one or more than one. My personal opinion is that one wipe with random data is probably adequate, but I tend to use seven wipes of random data just to be safe. A good program for wiping hard drives is DBAN. You may wish to wipe individual files rather than wipe your entire hard drive. Individual file wipers work generally the same way as hard drive wipers work, they go over a file with random data many times. Understand that merely deleting a file does NOT remove it from your hard drive, it merely removes it from the file systems index allowing for more data is put in its place at a later time. I don't know a whole lot about single file wiping programs, but Heidi Eraser is one I hear suggested a lot for Windows and GPG Shredder works good for Linux. Most (all?) individual file wipers do a half ass job at removing all traces of a file: they might remove the file but they are likely to leave some references to it. Some wiping programs attempt to move as many references as possible also, but in general they do a poor job of this. Another thing you are going to want to do is secure your system from traditional forensics, just in case all else fails. This is not a technical tutorial so I will spare you the details, but check out www.blackopsecurity.net to find indepth tutorials of windows anti-forensic techniques. 
If you are using Linux you have less to worry about, chances are merely by virtue of using Linux you are making it a pain in the ass for most forensic teams ;-). I would like to address two more things in this section which are sort of off topic but in the same general line of thought. First of all, you should look into password managers such as Keepass and KeepassX. These store your passwords encrypted for you, and you can decrypt all of them with a master password. This allows for you to use huge passwords for things such as forums. You should absolutely use these sorts of technologies, and make sure all your passwords you use for forums and such are very very large and random. The second thing I want to say is, don't store E-currency account numbers, PO box addresses, or anything like that on paper. Keep it encrypted in similar password vaults. Avoid Fedware The primary thing you want to be doing is USING LINUX. I have seen quotes from federal forensics examiners / police where they essentially have said that Microsoft doesn't need to leave backdoors for them, it has enough of its own. Securing Windows is like trying to secure a house made of glass with glass supports. It is important for me to point out that if you simply can't bring yourself to use Linux, you should still secure your Windows. Don't throw in the towel on security just because you can't use Linux. But if you are really serious about your security, you will want to use Linux hands down. Unless you are a gamer you should really give Ubuntu a shot. It is almost as easy to use as Windows and can do everything short of games. With WINE emulation you can even play a lot of kick ass 3d fairly cutting edge games (two or so years behind), sometimes even better than they play on a windows box! Using WiFi with Ubuntu is easy these days too, it used to be a pain in the ass but now it is very painless. 
If you are using Windows, you can try to rely on anti-virus and similar software, but it is very up in the air whether they will bother to protect you from fedware (check out greenlantern or CIPAV for two examples of fedware).

Another thing you can do, which I highly suggest, is make use of virtualization. VirtualBox and VMware are the two most popular virtualization packages around today; I like VirtualBox the best. Pretty much you create an entire virtual computer system, OS and all (USE LINUX, even if your host machine is Windows). Virtual machines allow you to take snapshots of their state, and then load them at a later point in time. I suggest that you set up a secured, known-clean virtual machine, take a snapshot of it, and load it from its snapshot every time you use it. That way even if it does get infected by fedware at some point in time, it will simply revert back to its non-infected state the next time you load it. It is very difficult (although not impossible) for an attacker to get to your host machine through a virtual machine, thanks to layers of abstraction. In a general (if not strict) sense, anything that infects your virtual machine will not infect or have the ability to influence your host machine.

One thing that you can do with virtual machines is bridge them to your wireless network interface. This way you can use WiFi for sensitive operations inside your virtual machine, while you use your wired internet on your host machine for things like torrents. This makes it much easier to make use of WiFi for anonymity. Another thing you can do is set up a firewall in your virtual machine that forces all traffic inside of it to go down the Tor network. This offers strong protection against side channel attacks.

Fedware generally infects your system through traditional exploits. Pretty much, the feds are just regular hackers that play for a different team.
So you are going to want to make sure your system is fully updated, with the newest versions of all software and all security patches applied. If you are using Linux, consider getting an intrusion detection system such as Tripwire set up, although be aware that even though an IDS can detect an intrusion, it can also open up vulnerabilities in some cases. Another thing you are going to want to do is get a firewall set up and make sure ALL ports besides the ones you are using are closed. Make sure you are not running any services other than the ones you are actually using; the more services you run, the more at risk of an exploit you are. If you are using Linux, only run stuff as root if you have to (same for Windows and Administrator, I suppose). You may want to look into super hardening your Linux system with a mandatory access control system such as SELinux. SELinux is what you are likely to find running on sensitive NSA or military servers. Setting up SELinux is not trivial and creating policies for it is a bitch, but if it is in your range of abilities to do, I suggest you use it or something similar.

That pretty much sums up the basic security precautions you want to take. Hopefully this was informative, but I imagine it was mostly TL;DR, noobs ;-).
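On the Tripwire suggestion above: what a host intrusion detection system of that kind actually does is record a baseline (hash, permissions, size) of the files you care about and later re-scan to report anything added, removed or altered. The following is an added example of that mechanism, not Tripwire's own code. It baselines a directory tree, then mimics what a compromise looks like to the checker (a replaced binary, a dropped-in extra file, a deleted config file, and a permission change on an otherwise untouched file) and diffs. The tree, file contents and baseline location in demo() are all constructed in temporary directories.

```python
"""Tripwire-style file integrity check: baseline a tree, re-scan, report differences.

Added example for this guide, not Tripwire's own code. Hashes every regular
file under a root and records mode and size, then diffs a later scan against
the stored baseline. The tree in demo() is constructed in a temp dir.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def _sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, dict]:
    """Record hash, permission bits and size for every regular file under root."""
    base = Path(root)
    result: dict[str, dict] = {}
    for path in sorted(base.rglob("*")):
        # Symlinks are skipped rather than followed: a link planted by an intruder
        # could point the scanner at something huge or something it should not read.
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        result[path.relative_to(base).as_posix()] = {
            "sha256": _sha256_of(path),
            "mode": oct(st.st_mode & 0o7777),
            "size": st.st_size,
        }
    return result


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Classify every path as added, removed or changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline: dict[str, dict], path: str) -> None:
    """Write the baseline. Keep this copy off the monitored host or on read-only
    media: an intruder with root can otherwise just re-baseline after tampering."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: str) -> dict[str, dict]:
    return json.loads(Path(path).read_text())


def demo() -> dict[str, list[str]]:
    """Constructed tree: baseline it, then mimic a compromise and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")  # constructed
        (r / "etc" / "sudoers").write_text("# constructed sudoers\n")
        os.chmod(r / "etc" / "sudoers", 0o440)
        (r / "bin" / "ls").write_bytes(b"\x7fELF constructed stub v1")

        baseline_file = str(Path(store) / "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        # What the checker sees after a break-in: replaced binary, new file,
        # deleted config, and a permission change with identical content.
        (r / "bin" / "ls").write_bytes(b"\x7fELF constructed stub v2 (replaced)")
        (r / "bin" / "extra").write_bytes(b"constructed dropped-in binary")
        (r / "etc" / "passwd").unlink()
        os.chmod(r / "etc" / "sudoers", 0o444)

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

This also illustrates the guide's warning that an IDS can itself widen the attack surface: the scanner reads every file under the root, usually as root, so it has to treat the tree as hostile (hence skipping symlinks and hashing in bounded chunks), and its baseline is only worth anything if the intruder cannot rewrite it.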
