It seems that every day we have to read about great failures of OpSec. People seem to be overly reliant on TOR or a VPN for security. These are tools, not total solutions. When you use a VPN you are trusting the VPN provider with your IP address and your network activity logs. If that end-point is in the US or any of the 5-Eye countries, then that data is in NSA files merely waiting to be searched by any other government agency. TOR is fine for browsing the internet a little more securely, at least secure from your ISP, and it’s at least computationally more difficult to analyze. But you can’t rely on TOR for anything deemed egregious to the police state, as the NSA is at bare minimum monitoring TOR via exit nodes. There is a better way.
Using Gmail and YouTube is free and easy. It’s great for cat videos and emailing your Mom about cat videos. Good security isn’t free and it’s not easy to set up with a pretty GUI. You’d be wrong to expect good security to be that easy. If it actually was that easy, the police state would quickly kill off the service. Let’s not be naive about what billions of dollars of dark budgets can buy, or how police states operate. They kill every threat to mass surveillance once it reaches a certain percentage of usage. The day Skype went online the NSA and CIA were blind to it. Today any law enforcement officer can log in to a portal and monitor anything on Skype they like. They co-opted Hushmail, and every privacy service that ever grew up to become a problem for them. It’s what they do.
The trick is to manage your own security, and change infrastructure providers, often. That’s the only way to be guaranteed maximum security and privacy against warrantless intrusion into your life. At this point it might also be a good idea to protect yourself from black hats as well, even if you are one yourself. Hey, it’s a war out there, and automated scripts don’t extend any professional courtesy. In my previous article, “An Open Letter to the Dark Web”, I gave an overview of how to use a VPS and SOCKS5 proxy for security. Using Linux, that’s probably fine, but let’s look at a worst-case scenario, which of course involves Windows.
In the book “The Internet Police” (reviewed on this site), law enforcement admitted to using IP capture apps, and that was over a decade ago. It would be of trivial complexity to write an app to capture and traceroute to a known destination. Your Windows box could be infected with such an app, and it could come in from any number of zero day exploits the US government buys from real hackers. Anti-virus is worthless against a zero day, especially at the OS level. The only sure way to guarantee your PC doesn’t give up your IP is to make sure your PC doesn’t know its own IP. Any cheap router fixes that problem with a local (internal) IP address (e.g. 192.168.0.xxx). But a traceroute from your PC would capture your router’s IP. Even if you are running TOR, and/or using a VPN, rogue software on your machine could divulge your router’s external IP address.
Even if you have a remote VPS you use for a personal VPN connection, it’s still possible for a rogue app to harvest environmental data from your OS’s IP stack, package it up, and send it out. This was proven by the Adobe Flash plug-in for Firefox that the NSA leveraged to exploit TOR.
One solution to this problem is to buy an expensive router that allows you to build a VPN tunnel from the router directly to your remote VPN server outside of 5-Eye countries. Alternatively, you can use a Linux box for this purpose, and also use the built-in Netfilter as a firewall. And you might as well run Wireshark too, and push that data to an Intrusion Detection System (IDS). In short, you’d build a single purpose security box, and connect your PC to that instead of the public internet directly. Thankfully, you could do all of this on a Raspberry Pi setup, and use an external USB WiFi adapter. With this setup, your IP would be secure even if your PC is compromised and you’re on public WiFi, assuming your VPS is wiping logs and you’re changing VPS providers often, as discussed in the “Open Letter …” article.
You can have your little security/gateway box generate pretty reports, and even use Webmin or your choice of web-based management GUIs, managing it over HTTP instead of having to run a separate keyboard and video connection to it. You’d set that up on a local IP of course, and add a firewall rule to only allow access from your PC. If you are Linux savvy, then just use SSH to manage the little box.
With this setup, a traceroute would begin with your local IP, and the next hop would be your remote VPS, running your SOCKS5 or VPN service, completely hiding your real public IP address. As a bonus, you can then peruse your packets and see anything weird without bogging down your local machine. For added security, you can set up your gateway box in a read-only configuration, and boot it off a static image. With this setup, any possible exploit would only survive between reboots, and you’d only have logs from one reboot to the next. If needed, you could always copy your Wireshark dumps from the gateway box to your local PC for further analysis. Otherwise, it would be just like a fresh install every boot up.
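One way to express the gateway’s firewall policy described above as a Netfilter (nftables) ruleset, as an added example that is not code from the original article: the PC’s traffic is forwarded only into the tunnel (so a dropped tunnel cuts the PC off rather than leaking the WAN address), the gateway itself may reach the public network only to lease an address and to contact the VPS, and the management ports answer only to the PC. Interface names, the VPS address (203.0.113.10, a documentation address), the PC’s LAN address, and the OpenVPN port 1194/udp are assumptions.

```shell
# Generate an nftables ruleset for the single-purpose gateway box.
# Interface names, addresses and the tunnel port are constructed assumptions.
#   $1 LAN_IF  interface facing your PC           (e.g. eth0)
#   $2 WAN_IF  interface facing hotel/public WiFi  (e.g. wlan0)
#   $3 TUN_IF  VPN tunnel to the remote VPS        (e.g. tun0)
#   $4 VPS_IP  public address of that VPS
#   $5 MGMT_IP the PC's LAN address allowed to manage the gateway
gen_ruleset() {
  LAN_IF=$1 WAN_IF=$2 TUN_IF=$3 VPS_IP=$4 MGMT_IP=$5
  cat <<EOF
flush ruleset
table inet gateway {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    # SSH (22) and Webmin (10000) only from the PC, only via the LAN side
    iifname "$LAN_IF" ip saddr $MGMT_IP tcp dport { 22, 10000 } accept
    # DHCP/DNS service for the PC if the gateway provides it
    iifname "$LAN_IF" udp dport { 53, 67 } accept
    # DHCP offers from the hotel/public network
    iifname "$WAN_IF" udp sport 67 dport 68 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # the PC's traffic may only leave through the tunnel, never the raw WAN
    iifname "$LAN_IF" oifname "$TUN_IF" accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    ct state established,related accept
    # on the raw WAN the gateway may only lease an address and reach the VPS
    oifname "$WAN_IF" udp sport 68 dport 67 accept
    oifname "$WAN_IF" ip daddr $VPS_IP udp dport 1194 accept
    oifname "$TUN_IF" accept
    oifname "$LAN_IF" accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$TUN_IF" masquerade
  }
}
EOF
}
# Usage (constructed values): gen_ruleset eth0 wlan0 tun0 203.0.113.10 192.168.7.2 | nft -f -
```

Load it with `nft -f` on the gateway and verify from the PC that a traceroute shows the gateway, then the VPS, and that nothing reaches the internet while the tunnel is down.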
Using this portable VPN/Firewall gateway setup, and ever-changing remote VPS machines with log shredders running on cron jobs, you can’t really screw it up. You can switch the tunnel from VPN to SOCKS5 to increase the speed a bit at the expense of reducing the encryption. Not a bad idea if you are out of the US at least. You could also use SSH tunneling, or whatever technology you like to connect the gateway box to the VPS. The only downside to this concept is that you have to set up a new VPS every 3 weeks or so, but config scripts make that easy if you can script a little. If you can’t budget $15 a month for a VPS then that’s an economic reality beyond the scope of this article. Otherwise, this is the method I’d suggest for at least a moderate level of privacy and security for an independent operator.
It’s also possible to have 20 covert agents with these magic boxes connecting to the same VPS, with the added benefit of very secure inter-connectivity with LAN-like ease, regardless of geography. So this model scales quite well. I’d recommend this setup for multi-user scenarios, as your messaging can pass back and forth on the VPS, never being exposed to the public internet unencrypted. I’d use Spark or a Jabber variation if I was setting up an Instant Messaging platform on the VPS.
Obviously you might not want to take any little boxes of electronics through airport security unless they looked like something else, or at least very innocuous. They now make cases for Raspberry Pi boards, so you can easily build one to be velcroed to the laptop, with nothing more than a USB connection to the PC, or a short Cat6 ethernet cable, with another going to the Network Interface (USB WiFi, or hotel Cat6, etc.). Ideally you’d use long range WiFi connections in a heavy metro area. Large directional antennas are quite obvious, but only after they exceed the size of a laptop bag, as they work through nylon quite well. If you are running a temporary operation from a hotel or office building with a little privacy, you can mount a directional antenna on a camera tripod via a cheap L Bracket from Home Depot. With a 2-Watt external WiFi device a little elevation goes a very long way. If you frequent the same routers, you might want to add a script to randomize your MAC address on boot-up. Otherwise, since the MAC address is an OSI layer-2 artifact and ARP tables are generally very short-lived, I wouldn’t worry too much about MAC addresses.
Otherwise I just wouldn’t do anything stupid like: 1) Using the same Nick/Handle on the surface web as the dark web. 2) Buying or selling drugs, thus exposing yourself to additional levels of lawless law enforcement. 3) Failing to change VPS at least once a month. 4) Using the same VPS provider too many times. 5) Paying for the VPS with a personal credit card in your own name. 6) Having law enforcement encounters with a tripod, but no camera. This list could go on but it’s really common sense: “Don’t commingle your professional life with your public life”. And if you are a pro, or aspire to become one, think about burning that public life and going full-dark. No social networks, no Gmail, no personal ISP accounts, no LinkedIn, and damn sure no convention appearances. If you’re really serious about it, get out of the police state, and stay out of 5-Eye countries. Getting a new identity outside the US is beyond the scope of this article, but just know that it’s not difficult or expensive. So be good, or be good at it, just be safe doing it.