Portable Privacy (pt.1): Sheep’s Clothing

There have been many articles on how to setup your laptop for a trip through an airport ran by a police state. I love the way US white hats infer that the extra precautions are only necessary when visiting Syria or North Korea, when in reality the US is the most likely to molest your data. Either way, no one goes far enough in my opinion, and so let’s look at an entirely hypothetical scenario where a great revolutionary hero has to pass through some future police state airport. If this assists a black hat passing through a US or Euro airport today, that’s totally unintentional. I swear.
If you are a full-time professional operator, you need to take maximum precautions with a minimum of performance penalty. If you are an intelligence agent for a big government, or a black hat working for the Russian Mob, whatever the exact situation may be, you need tight OpSec. Ideally, you should be able to close your laptop and hand it over to a law enforcement forensics guy at any time without fear. That’s a high bar obviously, but that should be your minimum acceptable level of play if you’re a pro, and that’s what I’d require of any crew I was working with. So let’s see how that might be done.
In the past we’d just run Linux and laugh as the retards in the airport would boot up into the command line and ask what was wrong with the laptop. For additional lulz I’d switch the language files to Spanish. It was funny until they started getting scared of those weird black screens. Then for years it was fairly safe to run a basic Windows OS with a hidden TrueCrypt partition, and then keep the naughty stuff in the encrypted partition. Using “portable appz” from the TrueCrypt partition worked fine. The idea was to use Remote Desktop and/or SSH to control remote Virtual Machines with their images stored in additional encrypted partitions on the remote servers, keeping nothing local. That still works, using VeraCrypt instead of TrueCrypt of course, but it just doesn’t go far enough. Why trust Windows at all? And why trust your host country’s internet between you and your remote server any more than you have to?
Before getting into the details, let’s look at appearances. In the UK they can compel you to give up your passwords, or you will sit in jail until you do. In the US they can’t yet legally force you provide a password on demand. Either way, they can image your drive and crack Windows before your waiting room coffee cools off, so what difference does the law make? And if you are trafficking in illicit data in Snowden or WikiLeaks style, this is the same country that wears out waterboards, so why take any chances? It’s super cool to have your laptop boot up into a Russian command prompt, but these days Homeland Security has zero sense of humor. They have a mandate, and quotas to meet.
The trick now is to look like a lame. When they boot your machine, it should boot to a Window’ s login, and the password should be an easy one that you can give them, like tiffanyl23. Your Window’ s wallpaper should be a family photo. Buy a picture frame and scan in the family pie it comes with. Have some browser history full of lame stuff, and have all the appz your cover story character would need. Make it look the part, but don’t have a single SSH client on Windows. In fact, just use this lame install of Windows to generate lameness content. Although you might add a keylogger just for fun.
Now setup VeraCrypt with full-drive encryption, and choose the fastest encryption for this. This may need to be done before the Windows install depending on your setup. Either way, you want to install Linux (Kali maybe) and pick the option to allow Linux to peacefully coexist with Windows. Once you are all setup your boot loader (GRUB maybe) should pop up on start-up and say “Booting Windows in 5, 4, 3, 2, 1 seconds unless you push whatever for Linux, or something to that effect. It needs to be set to boot the lame version of Windows by default. Then go into your bootloader config in Linux , and setup a new message and modify the countdown. Have it say simply “Starting Windows …” and nothing more. Set it up so if you don’t push CTRL-ALT-X in a 2 second window, it will boot lame Windows. This means you will only have that 2 seconds to get into Linux . That’s the cross you must bear for proper OpSec, so deal with it. It will eventually become automatic in your neurons and be easy.

Now, in your Linux install, there you will create a new hidden VeraCrypt partition with a decent level of encryption. I’d use something of the post-quantum nature myself. This is where you’ll keep the essential data. Setup VeraCrypt to unmount on a short timer when inactivity is detected, and have the whole system shutdown if the lid is closed. That’s important. Don’t skip that step.
Okay, now if your drive gets copied, it’s encrypted. Even if it’s light weight encryption and you use a stored password for boot up, all it’s really meant to do is to keep automated forensic tools from seeing the Linux partition, allowing you time to get the hell out of the airport. If they just see a base install of Windows, chances are they’ll just make a quick copy and send you on your way. But even if they get into the Linux partition, you have encryption inside encryption, which isn’t easy to find with Encase or any of the off­ the-shelf software analyzers used by Homeland today . Keep all your remote access tools in the encrypted partition in Linux, with the really heavy stuff on remote servers. Beyond that you want to know your rights, and have a good lawyer on speed dial, but that’s a path you hope to avoid. Personally, I wouldn’t suggest flying commercial, as the private aviation terminals tend to have far less scrutiny, and usually a wealthier class of business people they prefer not to piss off.
Again, Windows should just have lame stuff, and with just enough usage to look like it’s the real deal. Add a little basic porn if you’re male, it’s expected, but nothing crazy regardless of what you are actually into. Obviously all the models should be clearly adults, and famous if possible, so there’s no questions on that front.
Considering performance, the above is a better solution than most as it allows the OS to use hardware drivers, unlike a Virtual Machine solution or boot-disk solution, both of which would force you to use software drivers. Although it’s totally cool to use remote virtual private servers (VPS) for anything that for-sure doesn’t need to be on your machine. The above scenario just gives you maximum plausible deniability, with the added benefit of actual security just in case.
Ideally you appear to be just a regular business traveler on a business trip, even if your real job is setting up puppet governments, or selling purloined data on the dark web. I don’t judge. The point is that appearances are everything to those that not only specialize in profiling, but have an algorithm telling them how to do their job. Make sure your gear looks the part, and you can spend more time doing your job and less time in holding cells in your underwear.
Additionally, the physical appearance of your gear counts as well. A custom brushed
aluminum laptop cover with a laser engraved Kali dragon looks nice, but it tends to attract more attention than a factory fresh HP. When I first went on the run in 2009 I started with a $450 laptop from Wal-Mart. It was slower than the $4,800 laptop the FBI had taken from me, but not $4,350 slower. So pick fast hardware from a manufacturer that makes a product for performance, and not aesthetics. I realize this will detract from your individuality, and I know it might tarnish your virgin soul to advertise some giant corporation’s logo. I get it. When you go to DefCon by all means take a fancy laptop so it will look good in those FBI photos at your future trial. Alternatively, you can live the life of a professional black hat, spending your time on your yacht instead of dressing up electronics for conventions.
FYI, professional criminals don’t go to conventions where law enforcement arrests professional criminals. Let it go. It’s not the 1990’s anymore. Hacking isn’t “cool”, it’s a felony and it scares the police state right down to their red, white, and blue bones. If the police state thinks you are involved in the scene they’11 invent evidence to rip open your life to find or plant real evidence. It’s what they do. So do what you do, and
do it well, by looking the part doing it.

BTW, I made over a million dollars with that $450 laptop, while using an ironing board as a computer desk. I did that with stolen WiFi from a cheap apartment in Mexico in less than
60 days. If you have the skillz to pay the bills, you do not need to advertise the fact. Everyone wants to be rich and famous. Just being rich is easy, but you can’t be a famous criminal in 2017 unless you are doing it from prison. And trust me on this, prison is the suck. No amount of offshore wealth makes it any better. You really don’t want to be here, (CygonX is in a US Federal Prison. See FAQs for details) . The path of a professional operator is that of stealth and anonymity. There is no other way. So be incognito and look lame doing it, or you aren’t doing it right. Save the glitz for your downtime in Ibitha. And if someone in Ibitha asks what you do for a living, say Hedge Fund Manager.

Leave a Reply

Your email address will not be published. Required fields are marked *