TheRedMudder / RonDiasComments


Ancient Data Privacy + Security Guide | The Red Mudder Blog #4

Open utterances-bot opened 5 years ago

utterances-bot commented 5 years ago

Ancient Data Privacy + Security Guide | The Red Mudder Blog

I've read 100s of privacy guides, most provide a false sense of privacy by repeating the same canned solutions. To truly have privacy you have to be private.

http://blog.ronjdias.com/ancient-guide-to-internet-privacy/

TheRedMudder commented 5 years ago

Thanks, I appreciate the feedback very much. Please critique or disagree with what you think is unguided, wrong, or complete baloney, because I'd love to learn from those with more experience. The government is in the threat models. Perhaps the reader is trying to flee their country, appear normal (doesn't want to be killed), and needs to have a (paranoiac) cautious attitude to exploitable risks.


    All hardware must be audited for latest exploits. Disable any backdoors found or switch to hardware alternatives.

Great. How?

It's probably impossible to find by hardware analysis because the idea is to hide it really well. In the older days it was easier to detect; see Detecting A Surveillance State Hardware Implants. However, government cybersecurity agencies stay away from physically visible implants, due to their high risk of detection by people looking for them. Now, hardware backdoors can easily be designed directly into the chips themselves, and it isn't feasible to create maps of the billions of transistor connections in a CPU to analyze. If experts were actively looking for backdoors in hardware, by the time one is found the hardware will already be obsolete. I'm pretty sure governments themselves rely on Common Criteria certificates for their hardware security standards. That being said, it is possible to prevent yourself from using possibly known backdoors like IME by using older processors with me_cleaner. Older hardware that hasn't reached the end of its lifespan has had more time to be vetted by companies like libreboot. They have a recommended list of hardware that doesn't contain any known backdoors. This still doesn't mean there aren't any backdoors, and it would be naive of us to think that.

    Audit hypervisor and if it's untrusted it's game over.

Great. How?

I don't know. It's a big risk if the government is part of your threat model, but I haven't figured out how to solve it. If there is a hypervisor backdoor that allows for Hyperjacking, then dom0 in Qubes isn't secure anymore. Hyperjacking won't allow you to trust that VMs are contained and can't mess with the host.

    If dom0 were ever compromised, it would be Game Over™. (The entire system would effectively be compromised.) ~ Qubes Team

    MacOS has issues like NTP pinging Apple's servers.

What privacy risk do you think there is with NTP? Are you worried Apple will find out how out of sync your clock is?

https://security.stackexchange.com/questions/82765/osx-yosemite-and-security-privacy

    Qubes OS is a pretty good choice, its only flaw is systemd.

Systemd is in virtually every Linux distribution. Can you explain why it's a "flaw"?

I guess I always thought systemd was bad for security because the sysadmin at my job always complains about it and recommends Slackware instead for security. This is what I've found online about why it's a potential security flaw. I'll certainly do more research and am open to removing that statement if it's not a flaw.

    (mostly) people don't inject vulnerabilities deliberately, they occur by accident. As the volume of code increases, the number of defects increases. But it's not just size - the number of bugs increases with the complexity of the code and it increases faster than linearly. So more code is bad news for security.

    The attack surface of systemd is massively larger than initd - the default configuration has multiple interfaces.

    A big annoyance for me is the design philosophy; the intention is that systemd provides a more unified way for distributors to integrate services. But this means removing control over the system from system admins (over and above the impact of replacing a complex but well understood eco-system). It deliberately makes it hard or impossible to achieve things which could be done with initd (note that there are many options for service managers running under initd - djb daemontools, upstart, initng, rund, procd, openrc.... most of which solve the parallelization / dependency problems that limit the sysv rc init system).

    A lot of the logic of the start up of a unix system is implemented in shell scripts. This makes it much easier to not only reverse engineer the operation but also to instrument it and extend the capabilities. Systemd moves more logic into binaries and relies more on a complex and poorly documented configuration.

    The combination of deliberately reducing the level of control by the system administrator and failing to support the system administrator in their task makes it more difficult for them to do their job - which encompasses assuring the security of the system.

    A further consequence of all this complexity in PID 1 means that you should have to reboot your system a lot more frequently. In addition to the impact on availability this also means moving your system through a series of interim states - which can temporarily expose vulnerabilities which are difficult to detect on a homeostatic system. Using daemon-reexec to work around this brings a new set of problems.

    ~ symcbean

You don't want an operating system that makes an unsolicited network request if the government is part of your security model. Apple is one of the better companies, but the assumption is that your computer is where you store all your Top Secrets.

    Files may be sent to it, but can't escape.

Great. How?

While using the high priority VM don't use the "Copy to Other AppVM" functionality, leave the NetVM as N/A and in the Device section of the VM settings make sure no devices are selected.

    [ ] Bloat Files

What is a "bloat file"?

I mean create random files that contain false secrets that aren't really true, so even if your system is compromised they have to figure out which secrets are true. Now that I type this out, I realize that this is horrible security, because from a game theory perspective they have to assume all the worst things they find are true until proven otherwise. I'll update the post to state this.

    60 Character passcode

If you're using an ASCII character set, this would give you nearly 250 bits of entropy, which is well beyond overkill.

Agreed

    Bios password protected, hard-drive encrypted, delete everything on 5 wrong decryption code

Great. How?

It depends on the BIOS, but there is an Administrator password option to lock down the BIOS in the security tab. Qubes encrypts the hard drive by default, but VeraCrypt appears highly recommended. I just found out the option to delete everything on a wrong decryption password was an open request on GitHub and was never implemented because it's assumed the attacker can easily clone the encrypted data. [I UPDATED THE POST TO REFLECT THESE COMMENTS]
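The reply above describes the vault-style AppVM settings by hand (no NetVM, no devices attached). The script below is an added example, not code from the thread or from the Qubes project: it audits a VM for exactly those two properties and reports every deviation. It assumes the real dom0 commands `qvm-prefs VM netvm` (assumed to print the NetVM name, or an empty line when none is set) and `qvm-device CLASS list VM` (assumed to print one "BACKEND:DEVID description used-by" line per device); the output parsing is an assumption, and the sample output embedded below is constructed so the audit logic runs offline.

```python
# Added example (not from the original thread or the Qubes project).
# Checks that a "high priority" AppVM is isolated the way the reply above
# describes: no NetVM, and no PCI/USB/block devices assigned to it.
# Assumptions: `qvm-prefs VM netvm` prints the NetVM name or an empty line,
# and `qvm-device CLASS list VM` prints one line per device whose first
# column is BACKEND:DEVID.  Both are only invoked when running inside dom0.
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List


@dataclass
class VmSnapshot:
    """Settings of one VM, read from dom0 or constructed for a dry run."""
    name: str
    netvm: str = ""                                  # "" means no NetVM (offline)
    pci_devices: List[str] = field(default_factory=list)
    usb_devices: List[str] = field(default_factory=list)
    block_devices: List[str] = field(default_factory=list)


def parse_device_list(text: str) -> List[str]:
    """Return the BACKEND:DEVID column of assumed `qvm-device ... list` output."""
    ids = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ids.append(line.split()[0])
    return ids


def audit_vault(vm: VmSnapshot) -> List[str]:
    """One finding per deviation from an isolated vault; empty list means OK."""
    findings = []
    if vm.netvm.strip():
        findings.append(f"{vm.name}: netvm is '{vm.netvm.strip()}'; expected none")
    classes = (("pci", vm.pci_devices), ("usb", vm.usb_devices), ("block", vm.block_devices))
    for cls, devs in classes:
        for dev in devs:
            findings.append(f"{vm.name}: {cls} device {dev} assigned; a vault should have no devices")
    return findings


def snapshot_from_dom0(name: str) -> VmSnapshot:
    """Read the live settings; only works in Qubes dom0 where qvm-* tools exist."""
    if shutil.which("qvm-prefs") is None or shutil.which("qvm-device") is None:
        raise RuntimeError("qvm-prefs/qvm-device not found; run this in Qubes dom0")

    def run(*argv: str) -> str:
        return subprocess.run(list(argv), capture_output=True, text=True, check=True).stdout

    netvm = run("qvm-prefs", name, "netvm")
    return VmSnapshot(
        name,
        netvm,
        parse_device_list(run("qvm-device", "pci", "list", name)),
        parse_device_list(run("qvm-device", "usb", "list", name)),
        parse_device_list(run("qvm-device", "block", "list", name)),
    )


# Constructed sample, standing in for what `qvm-device pci list vault` might print.
SAMPLE_PCI_LIST = "dom0:00:14.0  USB controller: Intel Corporation  vault\n"


if __name__ == "__main__":
    # A misconfigured vault: NetVM still set and a USB controller passed through.
    leaky = VmSnapshot("vault", "sys-firewall\n", parse_device_list(SAMPLE_PCI_LIST))
    for finding in audit_vault(leaky):
        print("FAIL", finding)
    # A correctly isolated vault produces no findings.
    print("OK" if not audit_vault(VmSnapshot("vault")) else "see findings above")
```

Run it as `python3 vault_audit.py` for the constructed dry run, or call `audit_vault(snapshot_from_dom0("vault"))` from dom0 to check a real VM. The "Copy to Other AppVM" rule in the reply is user behaviour rather than a VM property, so it is not something this check can enforce.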

TheRedMudder commented 5 years ago

Wow, thanks, that was a perfect way of putting it. I agree with everything you said. I'm really glad you pointed out the fingerprinting statistics because I was drastically overestimating the effectiveness of fingerprint identification. That was the premise of never enabling JavaScript in Tor, to avoid JavaScript mouse tracking identification.

If I'm directly connecting to a private, self-hosted VPN server which is connecting to the Tor network, then isn't it trivial for NSA types to deduce that I'm using Tor anyway?

So, what's a good way of connecting to Tor? For an imaginary scenario, a journalist in China. If you connect directly your ISP knows, and those are heavily monitored and link directly to you. Public WiFi may work a couple times, but will make everything a million times slower and is not practical as a long term solution. Is the only real solution to not have the government type agencies know Tor is being used to not use Tor?

TheRedMudder commented 5 years ago

    How do you disable the Intel Management Engine? And what don't you like about systemd?

Good questions. Although Intel ME can't be removed anymore, it can be effectively disabled by only allowing it to be active during the boot process. There is a Python module called me_cleaner on GitHub that allows you to do this, but it's not compatible with all Intel chips. It takes the original firmware and produces modified firmware that will disable it right after the boot process completes. Obtaining the original firmware and flashing the new one is the more complex part. You should buy an SPI programmer and find a tutorial on flashing a chip with that programmer. As for systemd, my response to TerribleHalf says why I wrote it was a flaw in the first place. I have to do more research; I'll cross it out for now to avoid spreading misinformation. Thanks for the questions.

    TL;DR, but good read. Read digdeeper.neocities.org for shorter guides.

TheRedMudder commented 5 years ago

    Do you feel more secure because of Government Cybersecurity Agencies?

Yes, they blatantly spy on their own citizens, but with all the data they harvest they are able to identify terrorist threats. Does this help you live with a greater sense of security, or are they not very effective at preventing terrorist attacks? Are there some statistics on terrorist attack plans the Government Cybersecurity Agencies have caught?

TheRedMudder commented 5 years ago

    They don't release official statistics. But my educated guess would be none. The intelligence gathered by these systems is usually used to figure out what happened AFTER a terrorist attack has already occurred. It is very easy for the information you need to be lost in a sea of irrelevant garbage. Garbage In, Garbage Out.

Thank you for the rational answer, I agree.

TheRedMudder commented 5 years ago

    they blatantly spy on their own citizens, but

Nope, no buts. There's nothing else that needs to be said. No way you can justify this.

    with all the data they are able to harvest so much data to be able to identify terrorist threats

Yeah, except it's all security theatre. TSA, for example, was created to "combat terrorist attacks" yet has almost an 80% failure rate at detecting anything except the size of your nuts, thanks to the invasive groping.

    Is there some statistics on terrorist attack plans the Government Cybersecurity Agencies have caught?

Take a look

FBI agents can’t point to any major terrorism cases they’ve cracked thanks to the key snooping powers in the Patriot Act, the Justice Department’s inspector general said in a report Thursday that could complicate efforts to keep key parts of the law operating.

https://www.washingtontimes.com/news/2015/may/21/fbi-admits-patriot-act-snooping-powers-didnt-crack/

There is too much good stuff to quote from this next article, so read the whole thing. Lots of examples in there. Here are a few sample paragraphs:

    But the track record of the collection programs Edward Snowden revealed provides little evidence that massive surveillance will help us identify future terrorist attacks or mitigate these new risks. American spies’ allegiance to massive surveillance is based on faith, not track record.[...]

    Targeted surveillance of people known to be connected to terrorism is the best way to find terrorists. Indeed, almost every major terrorist attack on Western soil in the past fifteen years was committed by someone already on the government’s radar for one or another reason.[...]

and

        I do not know to what extent metadata was used or if it was used, but I do know this: That terrorists will come after us if they can and the only thing we have to deter this is good intelligence. To understand that a plot is being hatched and to get there before they get to us.

    Feinstein may have revealed more by this statement than she intended. We don’t know what works to identify terrorist plots. But surveillance is one thing we know how to do well. So we are going to do that to stop the terrorists. It’s a little like looking under the lamppost for your keys, because that’s where the light is.

https://www.wired.com/2017/03/mass-spying-isnt-just-intrusive-ineffective/

This makes a lot of sense now that you brought up the TSA comparison.