
Privacy online: most of us are doing it wrong! {tutorial}


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Privacy online: most of us are doing it wrong! {tutorial}

Postby Lignus » Sat Nov 02, 2013 5:34 am

Mods: This post is very much a cross-domain of how-tos, attack vectors, and behavioral OPSEC. Where it really belongs, I do not know. Feel free to move it to a more appropriate sub-forum.

    {minor formatting edits made, title updated, tweet posted, & thread set to 'global' status across the entire cryptostorm.org forum ~admin}


Preface:

Ask yourself a question: how much do you really know about keeping your identity safe online? I'm smart enough to admit that I do not have the expertise to make definitive judgments about best practices, which is why I am doing this write-up. I *want* holes poked in my ideas; there may be attack vectors that I have not considered. My professional background is not in security, at least not in the sense that would be assumed by this type of post. Now on to the meat of the subject: what are some risk factors that I do not see being discussed that I view as essential considerations?

Being secure is going to cost you time and money, but not necessarily a lot of either. The most important thing to remember is that even with a "perfect" system, you are your own worst enemy. Your identity is only as safe as you keep it. It is only as safe as it is separate from your online persona. If you use your personal Gmail over TOR, you are exposing a link between your real identity and your online persona.

Any activities that are going to be performed that could result in a visit by "Law Enforcement" gangs should be separate from EVERYTHING else you do. It should not be understated that you should never, at any time, use closed source software (Windows/MacOS) while undertaking any activities frowned upon in your jurisdiction if you value your freedom. This includes running Windows as the host operating system and Backtrack/Tails/etc. in a virtual machine; don't do it.


Risks when using Windows:

    1. Windows Update - How easy would it be for Microsoft, a known collaborator with the NSA, to collect:

      a. MAC address (for all interfaces)
      b. CPU serial number
      c. motherboard/laptop serial number
      d. make and model of your device
      e. a copy of the ARP table
      f. the list of saved SSIDs and MACs (does it save MACs?) from the network manager
      g. Computer Name
      h. the local broadcasting SSIDs with MAC addresses

    For all we know, Microsoft already does some or all of this. None of this data specifically tells anyone who you are (unless you make the hostname your real name, like any Mac OS machine will do by default), but it does a lot to tell them where you are. Item "h" is the most damning. If your local WiFi access points' MAC addresses are known, your location is likely known, unless you are in a very isolated location with all new access points that have NEVER been active in any more densely populated areas.

    Given the previous statement, it would be prudent for you to physically REMOVE your wireless network card before even considering starting anything. It is an inconvenience, but also a big security risk. There are ways to still have wireless connectivity without this security hole.

To demonstrate my point about the danger of WiFi, I searched for a video of someone using airodump on youtube. There are numerous tutorials and almost all of them will show the screen with bssids of all the local access points.

Video: http://www.youtube.com/watch?v=GLO9HGDwOY0&t=129

Parameters passed to google (note the information in the string matches access points from the video):


https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&wifi=mac:C4-10-8A-36-80-A8|ssid:CL|ss:-19&wifi=mac:C4-10-8A-36-B8-D8|ssid:CL|ss:-30


The parameters google will return are a lat&long with accuracy confidence. I am not sure if it is meters or feet, but it really doesn't matter for this. Punch those into google maps and:


https://maps.google.com/maps?q=29.4080785,+-98.4975053


Search nearby for *, this will give a dot for the building that is being pointed to, notice the business name Cevallos Lofts matches nicely with the SSIDs of CL.

This is just one example. Search for "BSSID PWR Beacons #Data, #/s" on google and what you will find is numerous people posting the equivalent of GPS coordinates to their homes.


Consider the FOXACID attack by the NSA. What if it had executed and recorded the results of the command “netsh wlan show all” which does not trigger UAC? Go ahead, run it on your own Windows Vista or newer Windows machine. You will observe your own MAC address, your card make and model, and the details for all the local WiFi networks. Everything needed to identify where you were and which computer was yours.


Risks when using Windows:

    2. Your antivirus software. Do you trust your antivirus vendor to not collect any of that same data when they update your definitions? In many cases, Microsoft is your antivirus vendor. Symantec is widely used in government computer networks, how hard would the NSA have to push for them to collect this type of information?

    3. Any other piece of software on your computer. You have a lot of leak vectors from many entities with unknown affiliations and loyalties. The more software you run, the more vectors there are.


These same risks apply equally to Apple or any other major software vendor.

What is the solution t
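
To see how little text is needed, here is an added example that is not part of the original post: it parses an airodump-ng CSV dump (a constructed sample, not a real capture; the first two access points reuse the BSSIDs, ESSIDs and signal levels from the browserlocation URL above, the third is invented) and assembles the same `wifi=mac:<bssid>|ssid:<ssid>|ss:<dBm>` parameters, without sending anything. It also includes the scrubber a practitioner wants before pasting any such dump anywhere: a regex that finds and redacts every MAC address.

```python
"""Build the Wi-Fi geolocation query quoted above from an airodump-ng CSV dump.

Added example; not code from the original post, and it sends nothing. It shows
how a pasted airodump screen turns into a location query, and how to scrub
the MACs out of such a dump before posting it. The CSV below is constructed
for the example (same BSSIDs/ESSIDs as the post's query string).
"""
import csv
import io
import re
from typing import Dict, List

# Constructed sample in airodump-ng's CSV layout (access-point table first,
# then a blank line, then the station table). Not a real capture.
SAMPLE_AIRODUMP_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
C4:10:8A:36:80:A8, 2013-11-01 20:15:02, 2013-11-01 20:16:40,  6,  54, WPA2, CCMP, PSK, -19,  40,  0,   0.  0.  0.  0,  2, CL,
C4:10:8A:36:B8:D8, 2013-11-01 20:15:03, 2013-11-01 20:16:41, 11,  54, WPA2, CCMP, PSK, -30,  37,  0,   0.  0.  0.  0,  2, CL,
00:11:22:33:44:55, 2013-11-01 20:15:05, 2013-11-01 20:16:39,  1,  54, OPN ,     ,    , -71,   9,  0,   0.  0.  0.  0,  0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Six hex pairs separated by ':' or '-', bounded so dates/times do not match.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def parse_airodump_csv(text: str) -> List[Dict[str, object]]:
    """Return bssid/essid/power for each row of the access-point table.

    airodump-ng writes two tables separated by a blank line; only the first
    (access points) is wanted, the station table is ignored.
    """
    ap_table = text.strip().split("\n\n")[0]
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = next(reader)
    col = {name.strip(): i for i, name in enumerate(header)}
    aps: List[Dict[str, object]] = []
    for row in reader:
        if len(row) < len(header) - 1:  # stray or blank line
            continue
        aps.append({
            "bssid": row[col["BSSID"]].strip(),
            "essid": row[col["ESSID"]].strip(),   # empty for hidden networks
            "power": int(row[col["Power"]].strip()),
        })
    return aps


def wifi_param(ap: Dict[str, object]) -> str:
    """One `wifi=` value in the form used by the URL quoted in the post."""
    mac = str(ap["bssid"]).upper().replace(":", "-")
    parts = [f"mac:{mac}"]
    if ap["essid"]:
        parts.append(f"ssid:{ap['essid']}")
    parts.append(f"ss:{ap['power']}")          # signal strength in dBm
    return "|".join(parts)


def build_geolocation_query(aps: List[Dict[str, object]], browser: str = "firefox",
                            max_aps: int = 10) -> str:
    """Query string only; nothing is sent. Strongest signals first, since a
    geolocation service weights the nearest access points most heavily."""
    ranked = sorted(aps, key=lambda a: int(a["power"]), reverse=True)[:max_aps]
    params = [f"browser={browser}", "sensor=true"]
    params += [f"wifi={wifi_param(a)}" for a in ranked]
    return "&".join(params)


def find_macs(text: str) -> List[str]:
    """Every MAC address in a blob of text (terminal paste, log, config)."""
    return MAC_RE.findall(text)


def redact_macs(text: str) -> str:
    """Scrub before posting: replaces each MAC with a non-hex placeholder."""
    return MAC_RE.sub("XX:XX:XX:XX:XX:XX", text)


if __name__ == "__main__":
    aps = parse_airodump_csv(SAMPLE_AIRODUMP_CSV)
    print(build_geolocation_query(aps))
    print(redact_macs(SAMPLE_AIRODUMP_CSV))
```

The geolocation query is built from three fields per access point, which is why a screenshot of a tutorial is enough; `redact_macs` is the minimum to run over any console output before it leaves the machine.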


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Lignus » Sat Nov 02, 2013 11:47 am

My original post seems to have suffered truncation during editing, fortunately I have a copy of all except the closing paragraph. Unfortunately, that was probably the best part of the whole post.

To continue my previous post, with edits:

What is the solution to this? Linux is really your only option, and I do not mean Ubuntu. You should be using distros that don't update things automatically. You should have to initiate and approve updates. This means none of the popular distros are an option. Pure Debian may be an option. You should prefer a distro that is specifically built for security. I don't even pretend to be an expert other than to say that Tails and BackTrack may be options to explore.

(Note: The following is speculation about creating a more secure environment. It is not a complete guide.)

So how would I go about creating a secure environment? Layers and accident proofing are one way:

    1. Buy a brand new laptop, with cash, at Walmart/Target/etc. You'll be able to get something decent and usable for under $500.

    2. When you get home, do not even turn it on. Remove, destroy, and throw the wireless card in the trash, disconnect the webcam+mic (they will likely be together on the same ribbon cable), disable secure boot, and install your linux distro.
      Why disable the webcam? You are not going to be broadcasting video, so why even have the hardware available for exploitation.
      Why disable the mic? Another source that can compromise you if your machine gets "pwned".

    3. OpenWRT router running OpenVPN 2.3.2 (included in the trunk as of July 2013).

      a. Remove dnsmasq and dhclient. This means no DHCP; you are going to have to statically assign everything. (Have not looked at the particulars, could be in busybox requiring a source rebuild, dhclient removal may not be possible because of OpenVPN needing it)
      b. When assigning IP addresses, do not add a default gateway or add an incorrect one. Instead, manually add the route to get to the IP address of your OpenVPN server.
      c. Add iptables firewall rules to block all outgoing traffic not directed at the port and IP of the OpenVPN server. (Will this work? Certain other protocols may be required to be allowed to pass, someone that knows more should chime in)
      d. (If possible) Add a startup script to change the WAN (wifi or ethernet, depends on the scenario and router) MAC address to a semi-random value (Keep within the same manufacturer to not arouse suspicion).
      This means that the router you are behind prevents you from accomplishing leaks of any kind because the only route to the internet is when the OpenVPN tunnel is active. The router has no DNS server, it is not doing DNS relay, and it does not know what to do with the traffic so it rejects it.

    4. Repeat step 3 for a second (or nth) layer of protection; prefer the router closest to the real internet to be connected to a VPN provider in a country that is very uncooperative with your local costumed thugs.

    5. If you are using TOR for everything (good!), you should be running TAILS at this point.

Recap of Network Layers

TOR --> Router2/VPN2 (say, CS.is) --> Router1/VPN1 (say, Vietnam or some other unfriendly country) --> ISP. All layers must be peeled back to find you.

So, to identify you:
    1. Compromise TOR (if you were using TAILS, this would be unlikely) and determine that your IP points to VPN2 (CS.is)

    2. Your traffic coming out of CS.is is bundled with hundreds or thousands of users and CS.is has no way of identifying who you are because you buy tokens over TOR from a broker with freshly tumbled bitcoins. So your identity is never on a (large) suspect list. They manage to tap CS.is without them committing seppuku and track you down to VPN1.

    3. Your traffic coming out of VPN1(same setup as CS.is) is bundled with hundreds or thousands of users and VPN1 has no way of identifying who you are because you buy tokens over TOR from a broker with freshly tumbled bitcoins. So your identity is never on a (large) suspect list. This assumes the second provider can be coerced into assisting. If they can, and they somehow figure out how to separate you from the noise, you are then completely screwed.

Cheap Router Setups
    The TP-Link WR703n is a tiny wifi router with a USB port that will allow extra storage assuming that OpenVPN cannot be squeezed into the 4MB flash. - $26 on Amazon
      Same router, pre-modded with 64MB RAM and 16MB flash available for $44 shipped. Search for SLBoat on ebay.
    • Advantage: Cheap, Small, USB powered, perfect replacement for a WiFi card if using only one OpenVPN.
    • Disadvantage: WiFi is still a small risk
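
The "will this work?" question in step 3c is best answered by writing the rules down and testing them against the packets that usually leak. The following is an added example, not code from the original post, OpenWRT or OpenVPN: the rule list is kept as data so the same list can be rendered in `iptables-restore` syntax for the router and evaluated offline against sample packets (a DNS query to a public resolver around the tunnel, the OpenVPN handshake itself, LAN traffic inside the tunnel). Interface names eth0/br-lan/tun0, the server address 203.0.113.10 and port 1194/udp are assumptions; replace them with your own.

```python
"""Egress-only-through-the-tunnel firewall for the OpenWRT router sketched above.

Added example, not code from the original post, OpenWRT or OpenVPN. Rules are
modelled as data so one list can be (a) rendered in iptables-restore syntax
and (b) evaluated against sample packets without a router. Interface names
(eth0/br-lan/tun0), server 203.0.113.10 and 1194/udp are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    chain: str                      # OUTPUT = router's own traffic, FORWARD = LAN clients
    action: str                     # ACCEPT or DROP
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False       # -m conntrack --ctstate ESTABLISHED,RELATED


@dataclass(frozen=True)
class Packet:
    chain: str
    out_iface: str
    proto: str
    dst: str
    dport: int
    established: bool = False


def killswitch_rules(wan_if: str = "eth0", tun_if: str = "tun0",
                     vpn_ip: str = "203.0.113.10", vpn_port: int = 1194,
                     vpn_proto: str = "udp") -> List[Rule]:
    """First-match list; anything unmatched falls to the chain's DROP policy.

    With no resolver on the router (dnsmasq removed, as the post suggests),
    OpenVPN's `remote` has to be the server's IP literal, which is exactly the
    one destination whitelisted on the WAN interface here.
    """
    return [
        Rule("OUTPUT", "ACCEPT", out_iface="lo"),
        Rule("OUTPUT", "ACCEPT", established=True),          # replies within the VPN session
        Rule("OUTPUT", "ACCEPT", out_iface=wan_if, proto=vpn_proto,
             dst=vpn_ip, dport=vpn_port),                    # the ONLY permitted WAN egress
        Rule("OUTPUT", "ACCEPT", out_iface=tun_if),          # router's own traffic, inside the tunnel
        Rule("FORWARD", "ACCEPT", established=True),
        Rule("FORWARD", "ACCEPT", out_iface=tun_if),         # LAN clients, inside the tunnel only
        # Deliberately no FORWARD rule for wan_if: tunnel down means clients get nothing.
    ]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.chain != pkt.chain:
        return False
    if rule.established and not pkt.established:
        return False
    if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Verdict for one packet under iptables first-match semantics."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return policy


def render_rule(r: Rule) -> str:
    parts = [f"-A {r.chain}"]
    if r.out_iface: parts.append(f"-o {r.out_iface}")
    if r.proto: parts.append(f"-p {r.proto}")
    if r.dst: parts.append(f"-d {r.dst}")
    if r.dport is not None: parts.append(f"--dport {r.dport}")
    if r.established: parts.append("-m conntrack --ctstate ESTABLISHED,RELATED")
    parts.append(f"-j {r.action}")
    return " ".join(parts)


def render_iptables_restore(rules: List[Rule], lan_if: str = "br-lan",
                            tun_if: str = "tun0") -> str:
    """Complete ruleset for `iptables-restore`; default DROP on every chain,
    management reachable only from the LAN side, LAN clients NATed into the tunnel."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             f"-A INPUT -i {lan_if} -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    lines += [render_rule(r) for r in rules]
    lines += ["COMMIT", "*nat", ":POSTROUTING ACCEPT [0:0]",
              f"-A POSTROUTING -o {tun_if} -j MASQUERADE", "COMMIT"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_iptables_restore(killswitch_rules()))
```

Run the evaluator with your own addresses before loading the ruleset: a packet to 8.8.8.8:53 out of eth0 must come back DROP in both OUTPUT and FORWARD, and the only ACCEPT on eth0 must be the VPN server on its exact port and protocol. The ESTABLISHED,RELATED rules are what make the tunnel's own replies work without opening anything else, which is the usual answer to "certain other protocols may be required".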


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Lignus » Sat Nov 02, 2013 1:25 pm

(Rewrite from memory about identity separation and operational security, with additions)

Behavioral OpSec is the one thing that even the most cautious get wrong from time to time. The thing to remember is that you get exactly zero free passes when it comes to violating your own OpSec.

Identity Separation is the Key
To avoid profiling and minimize risk, segregate everything you can.

The following (examples, I know the SilkRoad is dead) should use completely separate virtual machines and identities:
  • SilkRoad: Purchasing items that would cause embarrassment / harassment
  • SilkRoad: Selling items that would cause embarrassment / harassment
  • SilkRoad: Purchasing identification documents (Do not purchase such documents for the "lolz", if I was the FBI I would be selling such documents just to have a list with photographs of people I should be watching. Look for a seller with a long history and only purchase documents if you have no alternative.)
  • Socializing on the "deepweb". In general, don't do it if you can avoid it. For the love of god, do not brag about actions you have taken in the past. If you really need someone to talk to, a good therapist is probably the best money you will ever spend.
  • Any other kind of illicit activity

That was just a quick list of identities that should be separate and never come into contact with each other. These identities should, under no circumstance, share the same:
  • Email Address, or provider if possible
  • Nickname/Handle or variation of any other.
  • Passwords
  • Bitcoin wallets

If you cannot devise a method for deriving passwords based on the names you have chosen, at least use an encrypted password vault with a strong and UNIQUE password. This is probably your best option. Your password vault does not belong on your iPhone or Android phone. I don't care what kind of security you think you have. That is just another, unnecessary, attack vector. Your wallet should be encrypted with a unique password on top of the base TrueCrypt encryption that is necessary to launch the Linux OS hosting VMs with your separate identities. To pull this off, you need to remember a grand total of two passwords that are unique. Perhaps you should consider using mnemonic phrases?

Workflow to launch your identity for "socializing" on the deepweb:
  1. Turn on laptop
  2. Enter password for the truecrypt container with your VMs, not the diversion container with nothing but activity you would be proud to show your grandma.
  3. Launch your password vault, enter the unique password protecting it, and grab the key labeled Babymuck. That is the random name you got as the seventh hit on this page and therefore the VM label and how you know which password goes to it.
  4. Launch the VM, enter the password, clear the clipboard.
  5. Inside this VM is where you keep any identity notes/passwords/usernames/wallet.dat password, inside another password vault.
  6. Launch your stuff and do not leave the machine unattended. In fact, since you should be doing very little in the way of things that could result in data loss, remove the battery from the laptop. Clearing that RAM (and all your information in memory) is just a power loss away.

Identity generation:
Do not pick your own nickname. Get a nickname generator, get a name generator, and just pick a random one (Say, name 23 on the third generation of the page, no matter how stupid the name sounds). Your nickname should say nothing about you and make no sense. OK, maybe your selling profile needs a little selection finesse, but no other identity should.

Let us pick a name from here. OK, today I want to make a new social identity, so I'm going to be a Pokemon. I select a Pokemon name, and decide that whatever name 12 is, that will be my name: My new social identity is Beefemon. That is my handle, don't argue, just go with it. I need a name to go along with it, so I click the two name generator and my new name is Leona Averesch. I guess I will be a woman from now on. You should be starting to get the picture.
(Bonus points if you manage to pick a name that returns thousands of hits on google.)

Do not, under any circumstances, connect to any service that connects you to your real identities. This means that you cannot use an email service that requires SMS verification. Leona/Beefemon only exists within the VM; your favorite websites do NOT.


Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

Deepest apology :-/

Postby Pattern_Juggled » Sun Nov 03, 2013 1:36 pm

Lignus wrote:My original post seems to have suffered truncation during editing, fortunately I have a copy of all except the closing paragraph. Unfortunately, that was probably the best part of the whole post.


I was the admin who did the formatting edits, and I offer you my sincere apologies. Despite auditing logfiles manually once I saw this note from you, I cannot provide even a theory as to how I managed to screw this up. Indeed, as with any copyediting task, care in ensuring no loss of underlying data is top priority.

And yet, somehow, I screwed this up.

I've done my best to recover the original from cached versions - server-side and client-side - but we deprecate caching in general terms and as a result there's not as much there as might otherwise be the case. Additional efforts to see if google might have cached/crawled the original post prior to my screw-up failed, along with a peek into the Wayback Machine.

My sincere regrets. To lose the words of someone else is unacceptable, particularly when doing "minor edits" not even requested by the author. I'm not sure what else to say, except that I will redouble my caution in the future to ensure this does not repeat itself. Looking back nearly two decades during which I've done various sysadmin/admin/moderator duties, I can't ever recall a mistake I've made that was this inexcusable, and this dumb.

If there's anything else I can do to make this right, for you, please let me know.

Respectfully,

    ~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f


Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

edit permissions

Postby Pattern_Juggled » Sun Nov 03, 2013 1:47 pm

L -

I've gone ahead and updated your forum permissions mask to allow you to edit your posts in this thread. That way, if you'd like to concatenate your posts into one combined post you can do so without my sloppy fingers being a threat vector to successful completion :-? You can also pull text up into your original post in the thread - the one I unintentionally mangled - if you'd like that to be the authoritative version, as well as editing your post titles and so on.

The new permissions mask has been successfully tested; the "edit" button will show at the bottom of your posts, and does not have a time limit / expiry. If there's any issues with it, please let me know and I will resolve it at once.

Again, my apologies...


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Lignus » Sun Nov 03, 2013 3:06 pm

PJ, not even concerned in the least. My original post was sloppy and the formatting needed fixing. If you notice, I followed your stylistic lead in formatting the rest of the posts. To add to that, the third post you see there was originally a paragraph with maybe ten sentences. As you can now clearly see, I expanded upon it greatly.

In all actuality, I lost five minutes of typing to your error. I happened to have a copy of the post before I added the closing paragraph, the one that turned into a full page when I did the rewrite.

As to consolidation. I am not even sure that consolidation is even preferable, since the subject seems to divide well into three general types of information. Besides, it is a lot easier for someone to digest it when it is broken up like this. They think they are close to the end, then I surprise them with another couple pages. :)

Edit: On the other hand, a one month token would be much appreciated. You would get a test of the OpenWRT setup I mentioned (only one layer) as well as TunnelBlick on Mac OS 10.9. :)


Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Pattern_Juggled » Sun Nov 03, 2013 5:32 pm

Lignus wrote:Edit: On the other hand, a one month token would be much appreciated. You would get a test of the OpenWRT setup I mentioned (only one layer) as well as TunnelBlick on Mac OS 10.9. :)


Done.


Guest

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Guest » Wed Nov 06, 2013 7:37 am

First off, after the possible backdoors in TrueCrypt with a bad PRNG, crypto use, or password left in memory, is it at all plausible for HDD encryption by GPG/PGP? As there may be no way now, but could there be?

Also, whether network bridges stand up to any type of security, you could utilize ADHD Linux, which helps by disrupting attacker recon, monitoring the network, running active honeypots, etc., either in between the modem and router or after the router.

And I see bitmessage being very useful for email as well as the project for namecoin to actually be used as a DNS.


    {edit: fixed typo in "memory" ~admin}


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Lignus » Thu Nov 07, 2013 3:47 am

Guest wrote:First off, after the possible backdoors in TrueCrypt with a bad PRNG, crypto use, or password left in memory, is it at all plausible for HDD encryption by GPG/PGP? As there may be no way now, but could there be?

Also, whether network bridges stand up to any type of security, you could utilize ADHD Linux, which helps by disrupting attacker recon, monitoring the network, running active honeypots, etc., either in between the modem and router or after the router.

And I see bitmessage being very useful for email as well as the project for namecoin to actually be used as a DNS.
    {edit: fixed typo in "memory" ~admin}


There is still hope. TrueCrypt is getting audited. There is a Linux kernel security patch that will encrypt the contents of RAM while storing the key in a CPU debug register. This will prevent DMA attacks on a live machine. It does not completely prevent a ColdBoot attack, but it makes it a nightmare to even attempt one. There are ways of securing a router so that it becomes completely unresponsive(block all traffic destined for the router itself, but forward packets all day long) but still routes your traffic. I am not sure if there are attacks against a Linux router secured in such a fashion. As to LAN attacks, if they have made it that far, you're screwed anyways. They are unlikely to attempt monitoring your LAN before entering your home and seizing equipment.

Your greatest vulnerability, assuming you employ good hardware and software practices, is your password. It needs to be strong and secure. I am far from an expert here, but passphrases instead of passwords seem like a more secure route, but only if you don't use a phrase that makes sense.

You can use a passphrase that only takes seconds to enter, probably less than your 12-16 character "strong" password. With your traditional password, your speed is slowed by substituting numbers and symbols and hitting shift a lot. With a passphrase, you simply type four to six words and you are in. A 32 WPM typist would have the password typed in just 8-12 seconds. How long does it take you to type in "P4s$vv0rd!"? That is what I thought. Then you also have to remember it. Think about how much easier it would be to remember and type "clear tied moment trade". The best part is, you can vary the length and complexity to whatever level you want.
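
The arithmetic behind that comparison, as an added example that is not part of the original post: entropy per word is log2 of the list size, so four words from a 7776-word Diceware list give about 51.7 bits and seven words are needed for 80 bits. The 16-word list in the code is a constructed stand-in (4 bits per word) so the example runs offline; the 65.7-bit figure it computes for a 10-character password applies only to characters chosen uniformly at random, and a mangled dictionary word like "P4s$vv0rd!" is nowhere near that. The caveat in the post holds: the words have to come from a CSPRNG, not from you, or the formula credits entropy the phrase does not have.

```python
"""Passphrase strength arithmetic behind the comparison above.

Added example, not code from the original post. The 16-word list is a
constructed stand-in (4 bits per word); a real list such as the 7776-word
Diceware list gives log2(7776) = 12.9 bits per word. Words must be chosen by
a CSPRNG: a phrase composed because it "makes sense" has far less entropy
than the formula credits.
"""
import math
import secrets
from typing import List

SAMPLE_WORDLIST: List[str] = [  # constructed toy list; use a real, large list in practice
    "clear", "tied", "moment", "trade", "river", "lamp", "quiet", "orbit",
    "maple", "stone", "cargo", "velvet", "hinge", "plural", "frost", "oxide",
]


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly, with replacement, from the list."""
    return n_words * math.log2(wordlist_size)


def words_for_bits(target_bits: float, wordlist_size: int) -> int:
    """Fewest words needed to reach target_bits with a list of this size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def charset_password_bits(length: int, charset_size: int = 95) -> float:
    """Entropy of `length` characters drawn uniformly from a charset
    (95 = printable ASCII). Valid only for truly random strings; a mangled
    dictionary word is far weaker than this number suggests."""
    return length * math.log2(charset_size)


def typing_seconds(n_words: int, words_per_minute: float) -> float:
    """Time to type the passphrase at a given typing speed."""
    return n_words / words_per_minute * 60


def generate_passphrase(n_words: int, wordlist: List[str]) -> str:
    """Diceware-style passphrase. secrets.choice is a CSPRNG; random.choice is not."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} Diceware words: {entropy_bits(n, 7776):.1f} bits, "
              f"~{typing_seconds(n, 32):.1f} s at 32 WPM")
    print(f"10 uniformly random printable chars: {charset_password_bits(10):.1f} bits")
    print("Diceware words needed for 80 bits:", words_for_bits(80, 7776))
    print(f"toy-list sample ({entropy_bits(4, len(SAMPLE_WORDLIST)):.0f} bits only):",
          generate_passphrase(4, SAMPLE_WORDLIST))
```

Vary `n_words` against `words_for_bits` for the target you actually need; the typing-time function is there because length is cheap with words and expensive with symbols, which is the post's point.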


acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby acid1c » Sun Nov 10, 2013 11:07 pm

what's your thoughts on VPN > tor > tor?
Bitmessage me with Questions, Help, or ChitChat :) - BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT
" Those who do not move, do not notice their chains." -Rosa Luxemburg


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Lignus » Tue Nov 12, 2013 6:19 pm

acid1c wrote:what's your thoughts on VPN > tor > tor?


TOR + TOR serves little purpose. Compromising your identity over one layer of TOR means they can easily traverse the second layer. To add to this, neither you nor the destination end of your TOR session know how many hops to get to the center of the onion. You could be as little as two hops or as many as ten hops (wild speculation, I have not read the TOR docs).

There are three ways to compromise TOR, listed in descending order of likelihood:
  1. You, revealing identifying information, or what you have revealed in aggregate could be used to identify you. (This is why you keep separate identities and never, ever, boast about things that could result in a visit). Another possibility is that you do not practice good OpSec and connect to things you shouldn't on an open line.
  2. Environment compromise: Identifying information was revealed as a result of system compromise, malware, 0-day (FOXACID), etc. This is why no WiFi and everything runs in a VM environment that looks like millions of other VMs.
  3. Network Compromise: Someone manages to compromise the network that you are relying on for security. This means that TOR has been defeated, along with all the other layers of security. It is unlikely that there will be a convergence of TOR and the VPN connections being compromised at the same time.

It all comes down to this: If you practice good OpSec you are unlikely to be identified. If you do not, you're fucked.

As an additional note, do not do any extensive writing under a name which you do not wish to be associated with your true identity. Punctuation, grammar, verb-subject usage, meter, spelling, capitalization, vocabulary, and slang are all things which can allow someone to compare samples and identify if they are from the same author. I have written more than enough under this identity to be linked with identities that can easily be traced back to me. Fortunately, this identity was created specifically for interacting on this forum and thus it will not have any negative repercussions to have it linked back to me.


acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby acid1c » Tue Nov 12, 2013 10:27 pm

good to know. tor through tor was just a thought and I figured I would ask because while at first I think it has its pros, it has cons too, that I may not see sometimes.

On a related matter, I've seen many state to use Tor and then VPN through tor. Now you are unable to use .onion addresses unless using .onion.to, and all traffic through tor is encrypted. what's your take on that?


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Lignus » Thu Nov 14, 2013 1:25 pm

acid1c wrote:good to know. tor through tor was just a thought and I figured I would ask because while I at first think its has its pros, it has cons to, that I may not see sometimes.

On a related matter, I've seen many state to use Tor and then VPN through tor. Now you are unable to use .onion addresses unless using .onion.to, and all traffic through tor is encrypted. what's your take on that?


I'm not saying to not do layered TOR, I am just saying that the benefit factor is low to non-existent and the cost factor (latency, bandwidth) is high.

As to the question of VPN over TOR, that presents some interesting difficulties. I'm not even sure if a UDP VPN would function. TCP, yes, but you are probably looking at a large number of retransmissions.

While I am familiar with the existence of onion.to, I am not sure that it is usable for anything more than passive browsing. I am not sure if it allows session preservation that would enable signing into a forum. Either way, any password you type into it should be assumed to be compromised immediately.


anon
Posts: 5
Joined: Thu Oct 10, 2013 8:53 pm

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby anon » Thu Dec 12, 2013 6:12 am

Nice opsec tips, I also encourage everyone to see this video: https://www.youtube.com/watch?v=9XaYdCdwiWU. Opinions?

>Anarchism means voluntary co-operation instead of forced participation. It means harmony and order in place of interference and disorder.<


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: Privacy online: most of us are doing it wrong! {tutorial

Postby Lignus » Fri Dec 13, 2013 7:29 am

Great video and great points in his talk. We do have one point of disagreement (VPN/TOR layering order), but I think that he would be more likely to agree with me given the changes in VPN models now available (sort of; what CS is doing needs to spread to more countries).

I spent most of the afternoon reading his analysis of OPSEC incidents that have occurred over the past year and he makes some great points.

He makes the point over and over again to never trust anyone. Excellent point, but you can use this to even greater advantage. Your alter persona should have a background, you should be taking notes on the things your alter persona says that are normally identifying. He mentions one of the lulzsec guys got caught in part because he revealed he had been in a county jail for two weeks on a drug charge and was currently on probation. If you have never been in jail or on probation, this would be an excellent statement to make about your alternate persona. Consistent and believable misdirection, but not too much, works in your favor.


marzametal
Posts: 520
Joined: Mon Aug 05, 2013 11:39 am

Re: Privacy online: most of us are doing it wrong! {tutorial}

Postby marzametal » Tue Nov 04, 2014 6:52 am

Lignus wrote:Consider the FOXACID attack by the NSA. What if it had executed and recorded the results of the command “netsh wlan show all” which does not trigger UAC? Go ahead, run it on your own Windows Vista or newer Windows machine. You will observe your own MAC address, your card make and model, and the details for all the local WiFi networks. Everything needed to identify where you were and which computer was yours.

This is rendered null and void if the Windows User has tweaked their Windows Services... more specifically setting these to "manual" or "disabled (not sure about this one)"
1) WLAN AutoConfig Service (for the above example)... and to extend a bit further;
2) Wired AutoConfig Service



