Hello! We are running our annual fundraising. Please consider making a donation if you value this freely available service or want to support people around the world working towards liberatory social change - https://riseup.net/donate
- The machine ID is altered to a generic identifier to reduce host fingerprinting.
- Randomized MAC address for Network Interface Controllers (NIC)
- The implementation for randomizing the MAC address includes the use of `bwrap` in the [plague-macchanger](https://0xacab.org/optout/plagueOS/src/branch/master/bin/plague-macchanger) service. This alters the MAC upon every boot rather than every new connection. We mimic vendor identifiers in the first bits and randomize the last half. Having a completely random MAC address stands to make your device an anomaly rather than blending.
- This prevents arbitrary mounting of USBs that could be malicious. This is a reduction on physical attack surface. On plagueOS, USBGuard must whitelist USB connections from the privileged `admin` account. The USBGuard implementation is not a perfect mitigation, however it is sufficient to prevent automounting for most threat models. The issue is when the adversary has physical access and could attempt to spoof the identifier of whitelisted devices, allow them to connect said unwelcome USB. The best solution, which is likely to come to fruition soon is deny USBs from the kernel level and allow them access via USBCTL. This is a planned feature.
- This prevents arbitrary mounting of USBs that could be malicious. This is a reduction on physical attack surface. On PlagueOS, you must run `usbctl unprotect` to allow USB connections from the privileged `admin` account. The USBCTL is a strong mitigation, given that it operates at the kernel level. It is sufficient to prevent automounting.
- Encrypted DNS with [DNSCrypt](https://github.com/DNSCrypt/dnscrypt-proxy) by default.
- Ported in `plague-time-sync`
- This is a simple mechanism using curl to set the date variable. This removes the need for syncing to NTP pools and the presence of services such as `ntpd`. The current configuration of Plague executes `plague-time-sync` via `bwrap` sandbox from the runit service `/plague/runit/plague-time-sync` and subsequently terminates the parent process once the date variable has been set. This occurs on a frequency of 6 hours, however the user can execute `plague-time-sync` at any time with the use of `doas` from the privileged `admin` account.
