The Final Section… Spoookie.
You might notice that the section header is “Edward Snowden?” with a question mark at the end. I did this because of my uncertainty with my ability to write a section dedicated to people needing his level of security. I’m not experienced enough and can really only comment on what I would were I in a position like his. So please understand that the next “category” here isn’t at all from an experienced standpoint (that I am going to admit in a formal paper lol) and more-so from just someone whom has acquired some in-depth knowledge from reading online and befriending individuals with more security/privacy/anonymity related experience than myself.
Edit (April 27th, 2016): Spoke with one of the founders of IVPN over email today about ideas I had and the potential to introduce some of them into their company. During this email discussion, he made a VERY GOOD point about doing too much as a service provider to gain trust from your intended audience and then further discussed how companies that present themselves as providing strong anonymity can be a killer. This links in with my discussion about not trusting one service, company, product, etc with your life. They can very well do their best and even then that often won’t be enough for everyone’s threat model. Copy pasta:
> I think there is a point at which it seems like you're pushing too hard for their trust which can be interpreted suspiciously. Clearly the ultimate goal is not to have to trust the VPN service but the requirement for trust is dependant to the threat model of the user. IVPN was never designed to provide strong anonymity, especially where the adversary has significant resources e.g. the ability to monitor traffic flow across large portions of the net (even Tor, a far more capable tool for anonymity is vulnerable to such an adversary). The vast majority of VPN users are not aware of the significant effort involved in achieving anonymity and promoting a VPN service as providing strong anonymity is careless and potentially dangerous in my opinion. IVPN was designed for privacy, specifically to counter the threat posed by the increasingly pervasive data retention laws and practices. ISP's are a credible threat due to them relaying all your traffic and they do retain records for various periods, in some cases by law. So when using a VPN, you're effectively trusting them not to perform any of those activities. However, this only requires that you trust them more than you trust your ISP. Given that a VPN's reputation depends on respecting customer privacy, not an unreasonable assumption.
The Issues With FOSS
Once you get down to this level, you almost need to reevaluate everything about your threat model and what you are doing to protect yourself. Even the littlest of things can bring a whirlwind of issues if you are up against the wrong people. Just in the previous section, we are discussing how open source software is a really, really good thing. And now, we need to discuss some issues with it and what you can do to combat these issues and stay safe.
FOSS is great because it allows us to look at the code in its entirety and verify that what we are seeing is doing what we are being made to believe it is doing. But in order for this to be a true statement, we need to understand everything about the published code. I for one do not understand how to code anything apart from a simple website in HTML so I have to rely on the word of others. This word is only as good as the people checking it though. So say we are planning on using ServiceX (just as an example) to communicate securely with someone else but ServiceX is pushing out updates on a pretty timely (monthly) basis. Unless we know how to read, understand, and validate the code ourselves, we need to have another trusted person who is able to do this. Furthermore, that person needs to be doing this when every update is pushed. Then we raise the question on whether one skilled person looking at the code is enough? If this person misses something that has the potential to compromise us, we would be using ServiceX up until the point and time where someone else does notice this fault. Even though that timeframe might only be a matter of days, those are days where everything we do in association with this service is compromised, which by association, compromises us and our entire model of security, privacy, AND anonymity we have worked so hard to build up.
Another issue with Free, Open Source Software is mobile platforms. On most operating systems for desktop computers, we can take the source code from the GitHub (or other code publishing website) and build/compile them ourselves if they have been written to work with our OS. But on mobile operating systems, we can’t do that easily. And even in the cases where we can do it, we still face a huge challenge that doesn’t yet have a magical solve. To download an application onto my iPhone, it needs to be published to the App Store by the company who developed said application. I can’t go to the Open Whisper Systems website and download Signal straight to my phone. So even if we are checking the source code of the service/application (or having someone else do it for us), we still can’t validate that the same application is being sent to the App Store for us to download. If the company was compromised by a body of law enforcement and forced to comply, they could publish a clean update to the GitHub, making slight UI changes to avoid suspicion, but then send a backdoored version of the same application to the App Store for thousands of users to download. This holds true in a sense for Android devices and the Google Play Store as well. The only way around this with the Google Play Store is to submit reproducible builds for the public to see and make use of. Open Whisper Systems has just pushed this out for Signal and it would be really nice to see other services do the same (Hint Hint: ProtonMail, Tutanota, ChatSecure) https://github.com/WhisperSystems/Signal-Android/wiki/Reproducible-Builds. So since we can’t easily verify that the application we are using on our phones isn’t doing malicious things, it should be a fair assumption that ditching mobile devices and using strictly desktop versions of programs, ones we can compile from source and monitor ourselves, is the best route to travel down.
Even after reading all of the above about Open Source Software, there still lays a huge issue that needs to be hurdled before we can be certain that the software we are using is secure. It isn’t fair to assume that 100% of the people reading this section are going to be able to check through the code of an application themselves. Hell, it isn’t even fair to assume that 5% of the people reading this could perform such a daunting task. Take TrueCrypt for example. The code audits performed to make sure it was secure took months, from people light years ahead of me in the field of encryption; some of these people holding master’s degrees in the area with years of experience under their belts (cough, cough @matthewdgreen). So assuming that one individual can do this sort of thing to keep his or herself secure is silly. Code audits on the applications and services we are trusting with our security at this level is crucial. And once this code audit is complete, you then have to consider that the audit won’t be valid for further versions of the application. The second they send out an update and you install it, you have gone back to square one unless someone is viewing the changes and verifying them with every update.
Virtual Private Networks & Tor
The issue once you get to need such a level of security that you find yourself categorized in a paper like this is you are really the only person who knows what you need to keep yourself safe. That presents an issue in itself because you are hopefully reading this paper to gain some knowledge. I however, am not the type of individual to be able to relate very well with you but I can tell you a philosophy a friend told me a few years back that has stuck with me since. “When you are literally fighting for your life online, NEVER put all your trust into one company or service”. To attain maximum security, privacy, and anonymity, one needs to be sure they aren’t putting all their cards down in one area and not focusing on others. An example of this would be just using the Tor network to attain Internet anonymity. This is an “okay” model to follow if we assume the Tor network is as secure as it is made out to be. However, recent events have unfolded that claim otherwise (http://gizmodo.com/judge-confirms-carnegie-mellon-hacked-tor-and-provided-1761191933). Instead, you could purchase 2 very reputable VPN providers like say IVPN and CryptoStorm, and then chain them together in succession before using the Tor Browser Bundle. You would need to be cautious that no IP leaks were happening in the process but say if you connected to the first VPN on your host OS and then ran Debian from a VirtualMachine, you would be able to connect to another VPN provider within the Virtual Machine and attain a very high level of anonymity and security. Not only would this really limit your attack vector, but it would be like making your own little Qubes by compartmentalizing that section and keeping it separate from the rest of your system.
IVPN provided a really great tutorial on using Virtual Machines, VPNs, and Tor together to acquire pretty complete network anonymity. I would highly recommend their “Privacy Guides” section of their website here: https://www.ivpn.net/privacy-guides/
These guides are very well written and provide a second perspective from my own.
Password Management & Storage
In the beginning sections of this paper, I talked a bit about creating strong passwords and how to store them securely. However, if your threat model fits you into this final category, you pretty much need to ignore all of that and redesign your system for password management. I highly recommended LastPass because it is incredibly easy for all kinds of Internet people to use but also very secure from a malicious person trying to steal your information and identity. There are quite a few issues with LastPass when your life depends on security and privacy. The first of those issues being the fact that it isn’t Open Source. Our data is stored inside a vault that is fully encrypted with our password, but we can’t confirm that there are no backdoors because we can’t see the source code for ourselves. Secondly, LastPass stores your passwords in the cloud and I would probably avoid all cloud-based password managers if I fell into this category of people. Lastly, what if they are provided with a subpoena or warrant for our information? Then what?
So to begin, we should probably consider my form of password creation that is available at https://cryptoseb.pw/passwords.png to be too “amateur” for what we need. The created passwords are secure, but they don’t have enough randomness to them to give us a high enough level of security. Instead, I would recommend creating or generating passwords 19-20 characters of length for most of your online accounts, and 40-50 characters for services that are dealing with sensitive information/documents (SpiderOak, VeraCrypt, etc). To create this longer 50 character passwords, one should be using Diceware and adding in symbols & numbers at the beginning/end. An example of a strong random word password could be:
%[<Humming Greek slider for Timothy star@\@182
Something like this uses 5 randomly generated words and the connecting word “for” to make a fairly memorable sentence of them and adds some symbols and numbers to increase the strength. An alternative method I came across when doing some reading was to use the traditional Diceware method but to generate 5 words and put a symbol with 2 spaces in between each word. The result would be something like this:
good * waterfall / Cambodia ; finances [ again
You would be acquiring the password strength offered by the randomness of diceware, but adding to it by throwing in 4 symbols and 2 spaces for each one. But if you are the kind of individual who can remember a 35, 40, or even 50-character random password, all the power to you!
Since we shouldn’t store our passwords in a cloud-based service, we need to look at getting one that provides the same security requirements, but keeps everything in a local format that we can encrypt. Probably the best password management software out there right now in terms of security would be KeePassX. Originally an application just called KeePass was developed (back in early 2000s), but it only worked/works properly on Windows based machines. So because of this KeePassX was created as an open source fork of the program in 2005. It uses either 256-bit AES or 256-bit TwoFish for the encryption of your KeyPass Vault, but because the file is portable, it can be stored on an encrypted SD card very easily. Like LastPass, it requires a master password for encrypting and decrypting the data but also allows a user to add a keyfile for added security (much like how TrueCrypt and VeraCrypt do). Because KeePassX doesn’t need access to any sort of a server with all the password management being done locally, you can firewall/block all connections to and from the program for added assurance. Check it out here: https://www.keepassx.org/
I know, I have already discussed different areas of encryption in varying levels of detail. But I think an aspect that needs to be highlighted even further is a point I made shortly above. “When you are literally fighting for your life online, NEVER put all your trust into one company or service”. This applies to encryption on every level as well. Say you have a folder with 6-7 top-secret files in it and you need to make sure this folder is secure from all forms of compromise. You would want to make sure this folder was stored on a system that was completely encrypted and away from prying eyes. I personally would FDE a USB with VeraCrypt and a 45-50-character password. I would make sure the encryption algorithm was cascading like AES(Serpent). I would then mount the encrypted USB and place say 400 random files (pictures, random .txt files, etc) on the root directory. Then VeraCrypt (or MacOS with encrypted .dmg) would be used to create an encrypted container on the same USB using a different 50-character password and 3 keyfiles selected from the 300 images. The folder container sensitive information would then be stored within the VeraCrypt container on the encrypted USB. To attack this setup, one would first need to break into the USB by attacking VeraCrypt; either by bruteforcing the password (not easily done with length of password), or attacking the encryption itself (which is also not happening due to cascading mode used). To put things bluntly, the FDE on the USB isn’t getting broken into unless they can steal your password. Furthermore, this adversary would also need to then successfully break into the VeraCrypt container being stored on said USB. Another feat that is pretty much impossible due to the 50-character password and added security of using 3 keyfiles from a 400 choice lot. 'apt-get install overkill —fix-missing'
When we take this same sort of thinking and apply it to securely communicating with someone, we should find ourselves looking for a method that would allow us to employ our own encryption over top of the encryption provided by the service we are using to communicate. Ideally, something like XMPP (using OTR and your own server of course) using Tor Messenger to keep things anonymous would be a good and secure method to communicate. On top of this, we could write our messages locally in a .txt document and then encrypt the text with the other person’s PGP key before sending it to them. An adversary would first have to break OTR (Off-The-Record) or attack the client we are using AND crack the PGP encrypted messages. The OTR protocol should make use of perfect forward secrecy to assure that even if you lose your private key, no previous messages can be compromised. No matter what form of communication you use, I would make sure it employs strong PFS, and has an easy way to add a form of encryption on top of it (like PGP). I am with Snowden when he says that Signal is a very secure way to communicate with someone. BUT, one would ideally need a true burner phone that doesn’t link to their identity or they have to give out their personal phone number to the other party. AND they need to be able to verify the source code on the device they are installing it on; a feature that is not yet available for iOS.
Another big issue we run into when we look at communicating securely with someone is how we chose and deploy this “method” of communication. If the FBI, CIA, GCHQ, or another big name organization knows we are using firstname.lastname@example.org over XMPP to initiate our secret communications with someone, they know what to attack. However, if we meet someone in a random TeamSpeak server, private message them the details for an encrypted IRC server employing good SSL and not logging connections, then initiate an OTR chat with the person on that IRC server to exchange XMPP usernames, OTR fingerprints, and PGP key information, we would be seriously decreasing the chance of those government organizations being able to attack us. Since they are unable to actively determine how we are communicating (if we are routing all connections through Tor and VPNs), we have used some obscurity to our advantage.
Where to Communicate
You might never think of physical security coming into play too much if you have a very high level of Internet/Device security. But it is actually a lot more important than one would think. If we are “important” enough to need the security online, we definitely need the security in real life. So the question to ask ourselves is: “where is an acceptable places to communicate securely with another party.” One might think that the comfort of their home would be the best place to do this but I would argue against it. I argue against this because it isn’t difficult for a skilled adversary or Government level body to place physical tools for spying (like cameras or hidden audio recording devices) inside of the places you frequent. They break in when you aren’t there and hide devices meant to capture your every word. If this were to happen, and then you held a very private conversation over Signal with another individual, your entire conversation may be compromised. Jumping onto the other side of the fence, if you are going somewhere very public and not someplace you frequent often to do the communicating, like a coffee shop, you also have a fair amount of physical obstacles to jump. Being careful that people are not recording you in that setting is likely even more difficult and most of these places would have cameras that you need to be avoiding.
So how do we acquire the “perfect place” to communicate with someone else? The best answer I think is: in person. Meeting up with someone in person has the added benefits of not needing a bunch of digital security but it comes with the drawback of ease and usability. It isn’t always easy to just meet someone and have a private conversation with them. You also need to be in complete trust with the person you are meeting. If they turn out to be an adversary under cover, you could have your entire model of security destroyed in seconds. But what if we did the communicating digitally from a location that was removed from our personal life, not very public, and only semi-permanent. An example could be an apartment you are purchasing with cash and a fake name (to keep your identity anonymous). You could take a different route to get here everyday to avoid being followed by anyone, and make use of tools like bug sniffers (http://www.spytechs.com/bug_sweep_equip/) to make sure the space around you is clean from digital recording equipment. Because this location is not common to your real identity, it isn’t easily compromised.
One thing you should be cautious of though when employing methods like this is how our devices can track our every move if we aren’t careful. Having our phone turned on could disclose our every move to someone who is able to track it. Even an installed application with too many permissions could reveal our location. So keeping your mobile devices under a strict watch is good, but turning them off and considering a Faraday Bag to stop all ingoing and outgoing signals from the device (https://www.amazon.ca/Black-Hole-Faraday-Bag-Isolation/dp/B0091WILY0) is even better. Seems like a spookie thing to do but Farday Bags and Cages are very common tools for law enforcement that want to make sure devices stay in the state they were taken in. Nico Sell, the Founder of Wickr, talks about “Tricking Google Maps” and providing disinformation Online (http://www.dailydot.com/technology/online-privacy-tips-from-wickr-ceo-nico-sell/). I’m not the only one promoting these “crazy” ideas and I am sure it isn’t just the two of us either. Geolocation is a killer and many of the services you use, alongside your mobile device, are lovers of it.
Pretty much the only thing left to do is to make sure that our data is not being changed or altered without our prior knowledge or consent. We can do this on our systems by using what is known as File-Change Detection or Integrity Monitoring Systems. They are very common server-side but also important to consider for your personal systems as well. These applications/services for your system work by monitoring certain files or sections of your system for any sort of read or write changes. So if we had a system like this configured on our server and someone were to break into it without our permission, we could be alerted by email if certain files were to be accessed or changed. This would give us a heads up that one of our systems has been compromised.
I am not really an expert in using these types of tools but I have done a bit of reading on them and have found 2 popular ones that you can do your own research into.
+ OSSEC – https://ossec.github.io/
+ Tripwire – https://www.tripwire.com/solutions/file-integrity-and-change-monitoring/
As a side note, I have a friend who has developed a rootkit that is able to bypass OSSEC in its default state on Debian 7. I am unsure on whether this works on a Debian 8 system but can confirm that it is NOT streamlined for any other OS. The reality is that even with File-Change Detection Systems, it is still possible to completely roll your system onto its back if someone is experienced enough. Nonetheless, adding these security measures into your setup isn’t a bad thing and will only work to increase the security you have. For further reading see: https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps and https://www.alienvault.com/solutions/pci-dss-file-integrity-monitoring.
If we were to place security, privacy, and anonymity onto a sliding scale from 1-100, nobody is going to be able to achieve all 100s. It is just not feasible to attain a perfect score of safety. Knowing this, we need to be ready for the “What ifs” and the scenarios when shit hits the fan and we are literally dealing with the repercussions of something serious. I’m not going to comment on what may have gotten you into this position, but I will try and help you get out of it.
For starters, this entire section (like most of what is included in this Edward Snowden? category) is going to be speculation. I would love to give you so much more information and write without restrictions, but my safety has to be included. I’ll leave it at “legal”.
We have to think about what might happen in the worst possible scenario and then REALLY think about what would happen in that scenario. Maybe it includes a swat team and the sentence “You have the right to remain silent…” or maybe it just means getting fired from your job. In any situation, it is important to think ahead and have a plan of action ready for when you need it.
The first step I think is going to be revisiting (AGAIN), how important Full-Disk Encryption is on your devices and being able to turn those devices off in a hurry. A device that is properly encrypted is the strongest when it is off without any keys being left in RAM. This also includes your mobile devices, but thanks to Apple, your iPhone is already secure even if it is powered on; so long as it is locked of course. A few pages above, I talked about DBAN and how I always like to keep a USB formatted with it handy for those “just in case” scenarios. It isn’t going to be a quick wipe by any means, but at least with a fully encrypted drive, you could just pop in the USB, set it to wipe everything, and leave. You wouldn’t have to worry about someone halting the process because your drive was already full disk encrypted to begin with.
Another neat tool that you should check out is “swatD”. I won’t do really any explaining about it and leave all the reading/research up to you but will say this. Imagine what you could do with this program and some cameras in your computer room? See: https://github.com/defuse/swatd and https://thetinhat.com/blog/2015/01/24/get-swatd.html
But what are the consequences of actually going through with a tactic like this and purging all of your data. You would literally lose everything on the devices you wiped! This includes things like your PGP Keys, SSH Keys, and encrypted containers. In knowing this, it might be a good idea to have an external hard drive that is fully encrypted where you can backup a lot of crucial files every month and then store it in a secure place (maybe even off location incase the unthinkable does happen). You could also consider encrypting your sensitive files in say a VeraCrypt container or with your PGP key and then backing up those files to a cloud service. This would give you access to them virtually anywhere as long as you had access to a computer where you could install VeraCrypt. If you chose to encrypt them with your PGP key, it might add some security, but wouldn’t be as easy to decrypt them if needed (taking into account that your private key would have to be backed up somewhere completely different).