Skip to content

cristiancmoises/securityos

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

43 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ” SecurityOS

SecurityOS is a privacy- and security-first web operating system β€” a hardened fork of daedalOS (Next.js + TypeScript). It runs entirely in the browser and is built for students, researchers, and security practitioners who want an anonymous, amnesic, self-contained workspace.

🌐 os.securityops.co


✨ Highlights

  • πŸ§… Tor Browser (anonymity-only) β€” all web access goes through the Tor Browser: a server-side privacy proxy routes every request over Tor (SOCKS5h, so .onion resolves and clear-net hostnames never leak), with tabs and a NoScript-style 3-state JS control (Off / first-party-only / All). There is no clearnet browser. The proxy is SSRF-guarded, fails closed if Tor is misconfigured, pins the SSRF-validated IP, forwards only an allowlist of response headers, and logs nothing. See Tor Browser.
  • πŸ¦€ Memory-safe proxy sidecar β€” the untrusted fetch + HTML-rewriting path is also available as a Rust sidecar (Tor SOCKS5h, DNS-pinned SSRF guard, lol_html streaming rewriter); the OS delegates to it and transparently falls back to the built-in proxy.
  • πŸ”‘ Vaptvupt encryption (WebAssembly) β€” the real Vaptvupt engine compiled to WASM:
    • Password mode: PBKDF2-SHA256 β†’ AES-256-CTR + HMAC-SHA256 (encrypt-then-MAC) β†’ .zupt.
    • Post-quantum public-key mode: ML-KEM-768 + X25519 hybrid β€” generate a keypair, encrypt to a public key, decrypt with the private key.
    • Exposed in the Terminal (vaptvupt/encrypt/decrypt) and the file-manager right-click Encrypt/Decrypt menu.
  • πŸ—‘οΈ Secure delete β€” right-click any file/folder β†’ overwrite with random (3-pass) or zeros, then delete.
  • 🧠 Amnesia β€” containers run read-only with RAM-only tmpfs (no volumes, no logs); the session is overwritten with CSPRNG randomness and wiped on shutdown.
  • πŸ’» Linux VM β€” a 32-bit x86 emulator (v86, WASM) that boots lightweight live ISOs (Alpine, Tiny Core, SliTaz, …) amnesically, routable through Tor.
  • πŸ§… TAILS β€” a launcher with CI-verified (OpenPGP signature + SHA-256) downloads, auto-updated by the tails-iso GitHub/Forgejo action.
  • πŸ’¬ Matrix (end-to-end-encrypted chat) β€” a full Matrix client (matrix-js-sdk + Rust crypto/WASM) where every request is tunneled through the same-origin Tor proxy to matrix.securityops.co. It decrypts E2EE rooms, searches the user directory, browses/joins federated rooms, handles invites, and renders image/file attachments. It pre-warms the Tor circuit on open so the first login is fast (cold Tor otherwise makes the first request take 15–40s). Amnesic β€” keys live in memory only. See Matrix.
  • πŸŽ₯ SecChat β€” first-party end-to-end-encrypted video chat (chat.securityops.co), embedded in-OS.
  • πŸ“» Radio β€” listen to internet radio worldwide (radio-browser API). Exact country filtering (by ISO country code, not a fuzzy name match), genre filter, and only working HTTPS stations β€” offline and non-playable (http-only) ones are filtered out β€” plus favorites and resilient mirror failover.
  • πŸ“ Cloudmacs β€” a full Emacs (Spacemacs) in the browser (Gotty serving a terminal Emacs), with telega (Telegram β€” TDLib built into the image), whatsappel (WhatsApp), org-mode, and eww. Appears in Open with for text/code files.
  • πŸ“Ί SecTube β€” the SecurityOps video frontend, embedded for playback.
  • πŸ“ VaptVupt file share β€” the first-party SecurityOps encrypted file share, embedded in-OS over Tor (its .onion served through the privacy proxy in an opaque-origin sandbox). Upload and download files in the window (uploads up to 256 MiB; downloads stream back in full); a toolbar offers Reload and Open in Tor Browser for script-heavy actions. Real-time/WebSocket features aren't available through the proxy by design.
  • πŸ” CryptPad Β· 🟒 WhatsApp Β· Telegram β€” embedded INSIDE the OS, over Tor. These run through the privacy proxy (fetched server-side over Tor, anti-framing headers stripped, realtime WebSocket tunneled via /api/ws, storage + an amnesic in-memory IndexedDB shim injected), so they load in-OS and even on networks that block them β€” your IP is never exposed. The embeds request the proxy with &app=1 ("embedded-app mode"), which forces the full Node clientShim path so the runtime shim is always present β€” even in the production deployment that delegates ordinary browsing to the memory-safe Rust sidecar (the sidecar injects no shim, which is why the embeds previously loaded blank in prod). They're heavy multi-origin SPAs, so the embed is still best-effort (no Service Workers or persistent storage on an opaque origin); each app's toolbar has a Window button that opens the full official client (run SecurityOS in the Tor Browser to keep that over Tor). Session stays a launcher (no web client; it's onion-routed once installed).
  • ⏺️ Screen Capture β€” screen recording + screenshots via getDisplayMedia (captures everything on screen, incl. cross-origin app iframes): countdown, microphone + system audio, quality/format/codec presets, and a max-duration. A webcam picture-in-picture overlay offers selectable effect themes β€” Matrix (digital rain), Grayscale, Sepia, Neon/Invert, Blur, and a best-effort Background blur.
  • 🧩 Desktop Widgets β€” Rainmeter-style, draggable, toggleable, and persisted: Clock, Weather (searchable city, open-meteo), a JS-heap Memory gauge, RSS News (fetched over Tor), a month-grid Calendar, and a Post-it sticky note. A Clock and the News feed are shown on first run.
  • πŸ”’ Lock screen β€” a frosted overlay with a large clock over the blurred wallpaper, an optional PIN (salted SHA-256), idle auto-lock, and it stays locked across reload; a Lock button lives in the Start menu.
  • πŸ”Š Master volume β€” the taskbar volume now controls all web-OS sound β€” native audio/video plus WebAudio apps like Webamp and the v86 emulator.
  • 🎡 Music + Webamp β€” bundled free/classical music and the Webamp (Winamp-style) player, plus lots of wallpapers (including animated ones).
  • πŸͺŸ Undercover mode β€” a Windows-11-like appearance (folders/wallpaper/theming) for blending in.
  • πŸ›Ÿ Resilience / recovery β€” if corrupted saved data from an old version would otherwise stop the desktop from starting, SecurityOS shows a recovery screen (Try again / Reset) instead of reloading forever.
  • 🧰 Security Tools β€” an offline suite (hashing, encoding, entropy, UUID, …).
  • ⌨️ Expanded terminal β€” UNIX-style commands plus curl/wget over Tor, du, df, tree, stat, and more.
  • πŸ”Ž Start-menu search β€” open the Start menu and start typing to find any app or file and launch it (results dropdown with icons; Enter opens the top hit). Apps are matched by name from the process directory; documents come from the file index.
  • πŸ–ΌοΈ Custom wallpaper β€” set a background from an image URL or a proxied link; adjustable fit. πŸ“‹ Paste any file/image from the clipboard straight onto the Desktop.

πŸ§… Tor Browser

SecurityOS browses the web through one browser β€” the Tor Browser, anonymity first. (There is intentionally no clearnet browser: all web access goes over Tor.)

  • Every request is routed through Tor (SOCKS5h, including DNS) via a server-side privacy proxy, so .onion resolves and your real IP is never revealed. Clear-net sites load over Tor too; hostnames never leak to a local resolver.
  • Tabbed β€” per-tab history; Ctrl/⌘- or middle-click a link to open it in a new tab; οΌ‹ for a blank tab. Tab labels show the page title.
  • NoScript-style 3-state JavaScript control (toolbar): Off β€” Safest, all JS blocked + script-src 'none'; NoScript β€” first-party scripts only, third-party stripped server-side by the LibreJS filter; All β€” every script runs. Off by default.
  • Bookmarks point at the SecurityOps hidden services.
  • The proxy is SSRF-guarded, fails closed if Tor is misconfigured, pins the SSRF-validated IP (no DNS rebinding), forwards only an allowlist of response headers, rewrites links/forms to stay in-app, and logs nothing.

What loads, and what won't. The proxy renders pages server-side in an opaque sandbox, so it's deliberately not a full browser: onions and simple, mostly-static sites render cleanly, but many arbitrary sites won't β€” they block Tor exit IPs (Cloudflare challenges), require JavaScript + login, or break under URL rewriting. That's the inherent ceiling of a privacy proxy, not a bug. For genuinely full, anonymous browsing of arbitrary sites, use the Linux VM via Tor Control.


πŸ’¬ Matrix

SecurityOS ships a full end-to-end-encrypted Matrix client (matrix-js-sdk with the Rust crypto/WASM stack), wired so that every request is tunneled through the same-origin Tor proxy to the matrix.securityops.co homeserver β€” nothing talks to Matrix off-Tor.

  • E2EE β€” decrypts encrypted rooms; keys are kept in memory only (amnesic β€” nothing is written to disk).
  • Federation β€” search the user directory, browse and join federated rooms, and accept/decline invites.
  • Attachments β€” renders image and file attachments.
  • Fast first login β€” the client pre-warms the Tor circuit the moment you open it, so login is quick. (A cold Tor circuit otherwise makes the first request take ~15–40s.)
  • Truthful, recoverable connection state β€” a flaky /sync over Tor no longer pins the UI on "Connecting over Tor…" after a successful login; it shows "Syncing…", gives an honest "couldn't sync after several tries" if the circuit is down, and flips back to "online" on its own once Tor recovers. The login and first-sync phases are time-bounded so a stalled socket can't freeze sign-in.

πŸ†• New apps & how they work

  • WhatsApp Β· Telegram Β· Session (messenger launchers). One click opens the official web client (WhatsApp Web, Telegram Web) in a real top-level browser window, where everything works β€” chats, voice/video calls, native file uploads/downloads, QR login. They are launchers, not embeds, on purpose: WhatsApp/Telegram forbid framing (frame-ancestors / X-Frame-Options) and rely on WebSockets the Tor proxy blocks, and Session has no web client (it's a desktop/mobile app). The window therefore shows a clear "Direct connection β€” NOT routed through Tor" badge; to use them over Tor, run SecurityOS itself in the Tor Browser / Tails (an in-app "Using … over Tor" panel explains how). Session's launcher opens the official download page.
  • VaptVupt (encrypted file share). Embeds the SecurityOps share's .onion over the Tor proxy in an opaque-origin sandbox: upload files (forms are rewritten through the proxy, up to 256 MiB) and download them in full (attachments stream back). A toolbar adds Reload and Open in Tor Browser (for script-heavy actions); a slow-load hint appears on a cold circuit.
  • Radio (improved). Internet radio via radio-browser with exact country selection (ISO code, not a fuzzy name) and only working stations shown (HTTPS-playable + last-seen-online; offline/non-playable removed), resilient mirror failover, genre filter, and favorites. (Streams play direct, not over Tor.)
  • Matrix (fixed). Full E2EE chat tunneled over Tor; this round fixed attachment display, uploads timing out over Tor, a proxy circuit leak, and duplicate actions on retry. A persistent "Connecting over Tor…" indicates Tor or the homeserver is unreachable (start Tor in Tor Control), not an app bug.
  • Start-menu search. Type in the Start menu to find and launch any app or file.

πŸ›‘οΈ Security model

  • Strict CSP without 'unsafe-eval' (WASM uses 'wasm-unsafe-eval'), frame-ancestors 'none', HSTS, COOP, CORP, and a locked-down Permissions-Policy.
  • Tor egress for all proxied browsing; the v86 VM defaults to a local Tor relay.
  • No persistence by design β€” see Amnesia above.
  • Single source of truth for headers: scripts/securityHeaders.js (mirrored to next.config.js, pages/_document.tsx, and the deploy/ reverse-proxy samples).

πŸš€ Deploy

One command (web + Tor, hardened & amnesic) β€” from the repo root:

docker compose up -d
# β†’ open http://localhost:8088

Two containers, no host networking, no manual flags, Tor on by default. docker compose down leaves no residue.

Other options
# Full stack β€” adds the memory-safe Rust proxy sidecar:
docker compose -f deploy/docker-compose.yml up -d --build

# Web image alone (bring your own Tor SOCKS at TOR_PROXY):
docker build -t securityos .
docker run -d -p 8088:3000 -e TOR_PROXY=socks5h://tor:9050 securityos

See CHANGELOG.md for what's new, and docs/ for TOR.md, LIVE-ISO.md, GUIX-SETUP.md, and deploy/SECURITY-HEADERS.md.


🧱 Architecture

Layer What
Frontend Next.js + TypeScript + styled-components (the desktop, apps, virtual filesystem)
Privacy proxy pages/api/proxy.ts β€” server-side Tor fetch, SSRF guard, header allowlist, HTML rewriting
Matrix proxy same-origin Tor tunnel to matrix.securityops.co for the E2EE Matrix client (matrix-js-sdk + Rust crypto/WASM)
Rust sidecar sidecar/ β€” memory-safe equivalent of the proxy fetch/rewrite path
Crypto wasm/vaptvupt/ β†’ public/Program Files/Vaptvupt/vaptvupt.js (the WASM engine)
Emulation v86 (x86 Linux), BoxedWine, js-dos, Ruffle β€” all WebAssembly
Deploy Dockerfile + deploy/ (compose, Tor image, nginx/Caddy, VM bootstrap, TAILS CI)

⚠️ Disclaimer & liability

SecurityOS is built by one person, Cristian Cezar MoisΓ©s, to improve privacy worldwide and help people be safer online β€” and for the author's own use. It is for lawful, authorized use only.

  • Use it ethically and legally. The bundled tools (Tor Browser, Matrix chat, Vaptvupt encryption, network utilities) are for securing your own systems, authorized research/testing with explicit permission, lawful privacy, and CTF/labs.
  • You are solely responsible for what you do with it. The project and its sole maintainer are NOT responsible or liable for any misuse, illegal, unauthorized, or harmful use.
  • No warranty. Provided "as is", without warranty of any kind; to the maximum extent permitted by law the author is not liable for any damages arising from its use. Tor reduces but does not eliminate deanonymization risk.

Full terms: docs/TERMS.md (also on the SecurityOS desktop as terms.md), and LICENSE.

🀝 Contributing & license

SecurityOS is an independent, one-person project β€” built and maintained solely by Cristian Cezar MoisΓ©s (no team, no company). Issues and patches are welcome.

Licensing is per component:

  • SecurityOS (the desktop / OS itself) β€” MIT. It's a fork of daedalOS by Dustin Brett, also MIT, so LICENSE carries both copyrights (Cristian Cezar MoisΓ©s for SecurityOS, Dustin Brett for daedalOS).
  • Vaptvupt (the encryption tool, and its .zupt encrypted-file format / engine) β€” dual-licensed: GNU AGPL-3.0-or-later or a separate Commercial license, at your option. The AGPL's network-use clause (Β§13) means that if you run a modified Vaptvupt as a network service, you must offer its users the corresponding source; a commercial license is the alternative for proprietary or closed-source use. Full terms are in LICENSE-VAPTVUPT.md, with the AGPL text in LICENSES/AGPL-3.0.txt.

Naming: Vaptvupt is the tool; .zupt is only its encrypted-file format / extension β€” never a name for the tool itself.

Upstream and bundled third-party components keep their own licenses β€” see source headers and THIRD-PARTY-NOTICES. For a one-page summary, see LICENSING.md.


πŸ‘¨β€πŸ’» Author

Cristian Cezar MoisΓ©s β€” sole maintainer & developer Β· Information Security

πŸ’Ό LinkedIn Β· πŸ™ GitHub Β· πŸ“¦ Codeberg Β· πŸ“Ί YouTube Β· 🌐 Portfolio

About

SecurityOS is a web-based operating system focused on security, privacy, and education.

Topics

Resources

License

MIT, Unknown licenses found

Licenses found

MIT
LICENSE
Unknown
LICENSE-VAPTVUPT.md

Stars

Watchers

Forks

Packages

 
 
 

Contributors