A new year and a new you.

nixops
19 min read, Jan 5, 2021

2020 was a hell of a year for most people. Privacy eroded faster under the pandemic, but there is a silver lining. In the new year we should all strive for better privacy and for access to anonymity. Privacy is not anonymity, and vice versa. Along with protecting ourselves with proper operational security and a solid defense, we also need a solid offense. Every Monday I will cover privacy, hacking, digital defense and offense, and other security-related topics. This article rehashes earlier ones, but those foundations are where a good start begins.

Start 2021 off right by treating everything as top secret. That means revisiting some previous topics.

Adversaries

In today’s world our privacy is constantly under attack, whether from government agencies or corporations. There are two explanations for why this occurs: monetization and surveillance. Monetization is how all of these “free” services and “platforms” operate. Running servers, or renting them from a cloud provider, costs money, and that cost is ultimately paid by the users of the “free” service. From a business perspective this approach is so common that most startups in the web service market rely on it: social media, email, video services and the like. The user agrees to the terms of service without understanding what they agreed to. Governments use wiretapping, legal or not, to surveil citizens and build profiles on them. This also applies to users of anonymity networks: correlation data can show that some user of the service was active at a given time. That does not by itself fully identify the user, only that a user was on that network at that time. Further information can then be obtained to complete the identification.

Correlation data is often forgotten, and it has led to individuals being caught; Ross Ulbricht, Sabu and plenty of others are examples. In some cases they turn informant, as Sabu did against AntiSec. The AntiSec case is interesting in its own right, because the FBI has been reported to have been feeding Sabu zero-day vulnerabilities to use in AntiSec operations. Ultimately it also led to the beginning of the Occupy Wall Street movement, with Sabu and others pushing for it via Twitter. This is par for the course, as the FBI has often been part of counter-operations against citizens in one way or another over the years. Many are not privy to the FBI’s involvement with AntiSec, so I am including a video on it here. The video also covers Weev; if you are not familiar with him, you should get familiar with him.

Monetization and correlation data come to a head when you are planning an operation: what you purchase, and how you pay for it, is a red flag when investigators go poking around. We often overlook this in the convenient world of online shopping; we definitely should not be ordering devices for an operation online. Remember that silver lining of the pandemic? It is now socially acceptable to be fully covered up in public, and we should all use that to our advantage. Whether you are planning an operation or not, a few key things belong in your toolkit. Nothing in your toolkit is of any value, though, unless you know how to deploy and use it properly. This applies in the digital and the physical world alike. A table saw is great; not knowing how to use it leaves it occupying space and collecting dust. Learn to use your tools.

We must understand our adversaries in order to threat model around them.

Fresh Start

Since it is the beginning of a new year and we are all on a fresh reset, let’s start by obtaining a few things that will come in handy over the coming months. Where we have the opportunity to buy them fairly anonymously, with cash, we should. First on the list, whether we are running an operation or not, is a couple of devices for purposes that will come up in these articles over the year. The items are as follows:

  1. Throwaway laptop, preferably x86 (Intel/AMD). Budget $300+
  2. Burner phone. Budget $150+
  3. Raspberry Pi. Budget $100
  4. A cheap old x86 desktop from Craigslist. Budget $100
  5. Prepaid debit card. Budget $100+
  6. USB thumb drive. Budget $20-$40

One may ask why we need all of these things; the point of this year is to start fresh. So let’s look at each item in depth and at what purpose it may serve going forward, for digital defense or offense depending on your needs. As noted in another article, you should not withdraw the cash at the location where you intend to make the purchase. Follow privacy best practices when obtaining it.

The throwaway laptop, which you may see me call a “woodchipper laptop”, is great for a few purposes. In a defensive model it can become our air-gapped ghost device, holding PGP-encrypted copies of our keys, files and other sensitive data. On the offensive side it can become our main weapon for taking offensive action, or for developing and testing such actions. Depending on your needs this device, or devices, may become far more important than that. Purchase it with cash, in a store, while being “Covid safe”. You will then have a fairly anonymous device with which to begin the new year of discovery or defense, or a backup device for important things.

The burner phone is important for running an operation and for having an alternate number not associated with your own mobile subscriber number. Never use it near your other phone: the carrier’s location records will show both handsets in the same place at the same time, and that metadata can be used against you. Make sure the burner is off, with the battery removed, when not in use. Never connect it to your home network or turn it on at home. Doing so would compromise your operational security, as pointed out in other articles.

The Raspberry Pi will be used for various penetration-testing and project builds. A Pi costs around $35-$50 depending on spec and version; I listed $100 because you will probably want a case and some accessories. Again, I highly recommend buying these from your local electronics store with cash. You can also use multiple SD cards with one Pi for different tasks: you may need an Ubuntu test box, another *nix box and a retro arcade box. With a Pi and a couple of cheap SD cards you can have all three; set up each card once and swap them as needed. These devices are a wonderful addition to your toolkit.

A small SoC board, the Raspberry Pi can be an invaluable resource for our testing.

A cheap older x86 desktop can provide a server-like environment for research and for accurately testing vulnerabilities. While the Pi gives us many options, most servers do not run on ARM processors. That can make our research inaccurate and prove very problematic when working with CVEs and specific versions of services on a given platform. Since recon tells us the target’s operating system and versions, this host gives us a playground on our own network for very accurate testing, without disclosing to the target that we are exploring or testing for vulnerabilities.

The USB drive is very clutch. Many have asked me in DMs on Twitter, Tox and Signal how to do cold storage properly, and I answer the same way I keep my own backups safe: PGP-encrypted backups on multiple USB drives. Hardware wallets are sold by companies that hold your data, and the Ledger customer-data leak taught us just how many people bought the product and handed over their details. That matters because the leaked data is being used to extort people. Do not become a victim; remember that a hardware wallet is a glorified USB drive with a screen. Have multiple drives, use them, and verify your backups often. A backup is only good if it can be restored.
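The “verify your backups” step is the one people skip. Below is an added example, not the author’s own tooling, of the routine I would keep next to the drives: copy the gpg-encrypted archive to every drive, read each copy back, keep a SHA-256 manifest, and later report per drive whether the copy is intact, corrupt or gone. The encryption and restore-test helpers shell out to gpg (assumed to be on PATH with the recipient key imported); everything else is standard library, so demo() runs offline against a constructed stand-in file and three fake mount points.

```python
"""Replicate a PGP-encrypted backup to several USB drives and verify every copy.

Added example; this is not the author's own tooling. The encryption step shells out to
gpg (assumed on PATH, with the recipient key in the keyring); replication and
verification use only the standard library, so demo() runs offline with a
constructed stand-in file in place of real gpg output.
"""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path


def encrypt_with_gpg(plaintext: Path, ciphertext: Path, recipient: str) -> None:
    """Encrypt plaintext to a PGP key ID (assumption: gpg installed, key imported)."""
    subprocess.run(
        ["gpg", "--batch", "--yes", "--recipient", recipient,
         "--output", str(ciphertext), "--encrypt", str(plaintext)],
        check=True,
    )


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def replicate(ciphertext: Path, mounts: list) -> dict:
    """Copy the encrypted file to every mount point, reading each copy back before
    trusting it. Returns a manifest {filename: sha256} to keep with the drives."""
    expected = sha256_file(ciphertext)
    for mount in mounts:
        dest = Path(mount) / ciphertext.name
        shutil.copy2(ciphertext, dest)
        if sha256_file(dest) != expected:
            raise IOError(f"read-back mismatch on {mount}")
    return {ciphertext.name: expected}


def verify(mounts: list, manifest: dict) -> dict:
    """Check every copy against the manifest: 'ok', 'corrupt' or 'missing' per drive."""
    status = {}
    for mount in mounts:
        for name, expected in manifest.items():
            copy = Path(mount) / name
            if not copy.exists():
                status[str(mount)] = "missing"
            elif sha256_file(copy) != expected:
                status[str(mount)] = "corrupt"
            else:
                status[str(mount)] = "ok"
    return status


def restore_test(copy: Path) -> bool:
    """A backup is only good if it restores: ask gpg to decrypt to /dev/null.
    gpg exits non-zero if the file is damaged or the key is unavailable (assumes gpg)."""
    result = subprocess.run(
        ["gpg", "--batch", "--yes", "--output", "/dev/null", "--decrypt", str(copy)],
        capture_output=True,
    )
    return result.returncode == 0


def demo() -> dict:
    """Offline walk-through with three fake drives; returns the verify() results
    before and after one copy is corrupted and another goes missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ciphertext = root / "keys.tar.gpg"
        # Constructed stand-in for real gpg output; the checks do not care what is inside.
        ciphertext.write_bytes(b"constructed stand-in for real gpg output\n" * 64)
        mounts = [root / "usb0", root / "usb1", root / "usb2"]
        for mount in mounts:
            mount.mkdir()
        manifest = replicate(ciphertext, mounts)
        clean = verify(mounts, manifest)
        (mounts[1] / ciphertext.name).write_bytes(b"bit rot")   # silent corruption
        (mounts[2] / ciphertext.name).unlink()                    # lost or dead drive
        damaged = verify(mounts, manifest)
        short = lambda res: {Path(k).name: v for k, v in res.items()}
        return {"clean": short(clean), "damaged": short(damaged)}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the drives (or in your head as a short fingerprint) and run verify() on a schedule; a checksum match proves the bytes survived, and restore_test() proves you still hold a key that can open them, which is the part an extortionist’s leaked customer list cannot take from you.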

Lastly, the prepaid debit card can be used to pay for the burner phone service. In some regions, especially in the United States, you can obtain refillable cards without KYC. In areas where you cannot obtain a refillable one, you can and should obtain multiple cards, so that you have them on hand for the burner cost or for other digital-only purchases you may need. DO NOT USE THE PREPAID CARDS IN AN OPERATION AND HAVE THINGS SHIPPED TO YOUR HOME.

Mail and shipping are often overlooked, but they are the easiest targets for surveillance.

Setting Up

Now that we have our shiny new laptop and other devices, we should spend some time setting them up: install Linux, install Raspberry Pi OS (Raspbian), install Tails on a USB drive, set up our PGP keys, and begin the wonderful world of a clean start online, which the next article will cover. A clean start requires some threat modeling of your actions going forward. Writing style, common word usage, stylistic remarks and imagery can and will be used to determine the origin of a new persona if you choose to be on social media. If you choose not to be on any social media service, be just as cautious when posting on forums, newsgroups or chat services. Treat all information as if it were being read by a law enforcement agency, regardless of your activities. That attitude will keep you from accidentally blowing the cover of your fresh start.
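To make the writing-style point concrete, here is an added example (not code from the article) of the crudest form of the analysis an investigator would run against a new persona: profile a text by how often it uses a fixed list of function words and verbal tics, then compare profiles with cosine similarity. The three samples are constructed for the demo; the marker list is an assumption, and real stylometry uses hundreds of features, but the mechanism is the same.

```python
"""Crude stylometric comparison: can a new persona's text be linked to known writing?

Added example, not part of the original article. It profiles a text by the relative
frequency of a fixed list of function words and verbal tics, then compares profiles
with cosine similarity. The three samples below are constructed for the demo.
"""
import math
import re
from collections import Counter

# Feature words (assumed list): common function words plus habits that differ between writers.
MARKERS = [
    "the", "is", "and", "it", "of", "however", "rather", "quite", "indeed", "whilst",
    "basically", "actually", "pretty", "like", "gonna",
]

# Constructed samples. KNOWN_AUTHOR and NEW_PERSONA are written in one voice,
# UNRELATED in another.
KNOWN_AUTHOR = (
    "However, the device is rather old and quite slow. Indeed, it works, whilst the "
    "other one does not. However, I would rather not rely on it, and it is quite fine."
)
NEW_PERSONA = (
    "The laptop is quite cheap, however it is rather useful. Indeed the setup is "
    "simple, whilst the phone is quite another matter. I would rather keep it."
)
UNRELATED = (
    "Basically the device is actually pretty old and pretty slow. Like, it works, but "
    "I'm gonna get a new one. Actually I'm basically done with it."
)


def tokens(text: str) -> list:
    """Lower-case word tokens; apostrophes stay inside contractions."""
    return re.findall(r"[a-z']+", text.lower())


def profile(text: str) -> list:
    """Relative frequency of each marker word (per token), so sample length drops out."""
    words = tokens(text)
    counts = Counter(words)
    n = max(len(words), 1)
    return [counts[w] / n for w in MARKERS]


def cosine(u: list, v: list) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return 0.0 if nu == 0 or nv == 0 else dot / (nu * nv)


def similarity(text_a: str, text_b: str) -> float:
    """1.0 means identical marker habits, 0.0 means nothing in common."""
    return cosine(profile(text_a), profile(text_b))


def rank_candidates(unknown: str, candidates: dict) -> list:
    """Order known writers by how closely their habits match the unknown text."""
    scored = [(similarity(unknown, text), name) for name, text in candidates.items()]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    known = {"known_author": KNOWN_AUTHOR, "unrelated": UNRELATED}
    for score, name in rank_candidates(NEW_PERSONA, known):
        print(f"{name:14s} {score:.3f}")
```

The persona ranks closest to the writer it actually is, even though the two texts share no topic, because the habits that leak are the small words you never think about. Translation-style rewriting of drafts and keeping persona output short both shrink this signal; carefully choosing topics does not.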

We need to understand why we have these devices. We now have a common baseline of devices that are not on our home network and have no definitive data path correlating them to an owner. That lets us decide how we handle the future of our fresh start. Empowering yourself to choose your operational security practices is very liberating, and it is the starting point for threat modeling your operations, whether offensive or defensive. Review your operational security frequently. You can choose to connect these devices to your home network, but understand the risks and take steps to prevent identification that they were ever there; I have covered previously how to change your MAC address on *nix systems.
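As an added example (not the author’s earlier MAC-address article), the following generates a random address that a router will accept and that carries no vendor OUI, checks that property, and emits the iproute2 commands to apply it on Linux. Applying it needs root and the `ip` tool, both assumed; the interface name is a placeholder.

```python
"""Generate a random locally administered MAC address and the commands to apply it.

Added example, not the author's earlier article. Only the generation and the sanity
checks run here; applying the address needs root and the iproute2 `ip` tool on Linux
(assumed), and the interface name is a placeholder.
"""
import os


def random_laa_mac() -> str:
    """Six random bytes with the first octet's U/L bit set (locally administered)
    and its I/G bit cleared (unicast), so it is valid and carries no vendor OUI."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    """True for a unicast, locally administered address (first octet ends in 2, 6, a or e)."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not first & 0x01


def apply_commands(iface: str, mac: str) -> list:
    """The iproute2 sequence to change an interface's address (link must be down)."""
    if not is_locally_administered(mac):
        raise ValueError(f"{mac} is not a unicast locally administered address")
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
    ]


if __name__ == "__main__":
    mac = random_laa_mac()
    print("\n".join(apply_commands("wlan0", mac)))   # wlan0 is a placeholder name
```

Change the address before the interface associates for the first time, not after; the burned-in address is still readable locally (ethtool -P), but it never crosses the air if the link never came up with it. NetworkManager can do the same per connection with wifi.cloned-mac-address=random. The MAC is only one identifier: the hostname sent in DHCP and the probe requests for saved SSIDs identify the device just as well, so clear both on a fresh device.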

I would caution you against signing in to any of your existing accounts from the new devices; do not even add contacts, or call anyone who has your other number, from the burner phone. Those contacts can be correlated to show that you may be the owner of the burner’s number. Remember, everyone is watching, and treat all of your actions that way. What would you look for when analyzing someone else who is trying to be anonymous? When in doubt about whether to do something, take a moment and ask whether you would use that action to correlate information about someone. This will help you understand your own threat model, and also how to threat model devices and targets in the future.

Many ask why not use virtualization. My response is that virtualization is a great tool, but it introduces several problems for our testing. For one, you want to avoid testing a vulnerability locally in a way that does not match what happens in the real world. It can also, depending on the operating system you choose, weaken the host’s security by requiring SELinux exclusions and open firewall ports. Remember, without a solid defense our offense is pure trash. Avoid virtualization when possible, as it can also give inaccurate results in research and testing. Use the cheap rig we scooped off of Craigslist or something we bought with cash. Systems obtained this way may well end up destroyed, and we should treat them that way. Keep a couple of spare hard drives around so that when you finish some testing you can re-image or destroy them as your needs dictate.

Another common mistake developers make is logging in to GitHub from these devices. Do not do this. If you plan to be anonymous, keep in mind that GitHub will hand over information about your origin if and when it is requested. All companies will: your little monthly subscription fee is not going to justify an epic court battle over your data. The same applies to every other online service, VPNs included. A business is just that, a business. They cooperate with legal inquiries from governments all the time to avoid losing their ability to operate in that nation. Businesses may care about their customers, but few if any will go to bat for a user against a law enforcement request. Keep that in mind as you work through your operational security.

Another lapse most people overlook is what happens when operational security is compromised, and what steps to take when it is. I cannot stress enough that you must decide in advance what you will do if your operational security is compromised. For example, what happens when a device inevitably connects to a network alongside your others? The first step is to destroy the device. Yes, it gets expensive, but which is more important, your privacy and safety or money? You need to ask yourself these questions. In future write-ups I will go over other responses, such as burning pseudonyms and how to handle that properly. Another major issue is that people reuse similar handles or, even worse, only use a VPN or Tor when doing operations. Using Tor only for an operation is very dangerous: use it for everything, whenever possible, so that whoever collects metadata sees Tor traffic from you all the time and can never correlate the timing of your operation with your origin. This is critical; if you fail to use the tools properly, you might as well not use them at all.

Starting fresh requires revisiting the foundational points, and we should revisit them often.

VPNs and Myths

Privacy is being free from monitoring or observation. In the current environment of the internet and technology that is next to impossible. Not impossible, but there are trade-offs in who gets to monitor our activity. VPNs are a prime example. They shield our traffic from our ISP, but they let the VPN provider see it instead, and an attacker who compromises the VPN server can record every user’s traffic. Many providers advertise that they do not log, and that may be true, but a no-logs policy is a statement about retention, not an exemption from legal process: a provider that receives a National Security Letter or a court order is legally obligated to respond and to provide whatever it can.

One may ask how an attacker could compromise the VPN server, and my response is that, like all services, they can and will be compromised in due time. It is only a matter of whether the attacker, in some cases a nation-state or other government, finds it worth the effort. This poses serious privacy concerns as we break down what is happening in the modern marketing frenzy over VPNs. You probably see many influencers, on YouTube and elsewhere, pushing VPNs in their content. This is not to say VPNs are bad, just a harsh reality many overlook. Remember that a server runs software as a service, and that software is written and configured by people. People make mistakes.

Tor, just like a VPN, can be compromised, depending on who operates the relays you happen to use. The Tor Project does a wonderful job, with many volunteers testing and verifying relays every day to identify bad actors and have them removed from the network. It is a daunting task, but they are always working on it. That does not mean every bad relay is caught, and a bad relay poses serious risks to all types of Tor users. Unlike VPN providers, relay operators are mostly individuals, and in some cases companies. What a relay can see depends on its position in the circuit: your guard sees your IP address but not your destination, and your exit sees the destination and any traffic you did not encrypt end to end, but not your IP. Operators may or may not log what they see. Try to support those that do not log; in some jurisdictions, however, operators log requests passing through their relay to avoid legal trouble. I will cover this in the future, as many have asked about this very topic.

Another problem with most VPN providers is that they require a subscription paid by credit card, and most VPN users pay with their ordinary bank cards, which carry their real name and address. Avoid this; use the prepaid card(s) mentioned earlier for this kind of transaction. When possible, pay with bitcoin at providers that accept it. There are many options here and I only wanted to highlight some of the more interesting problems with VPNs. There are several types of VPN and each has its own set of problems, along with operating system configuration considerations. My full deep dive on VPNs is coming; I am still collecting data to properly demonstrate the differences between VPNs and their attack vectors.

A non-KYC way to obtain cryptocurrency is mining; if you can afford to do so, and can do it privately, you should.

Cryptocurrency

Cryptocurrency, whether Bitcoin, Monero or whatever you and the other party decide to transact in, can be a powerful addition to your privacy toolbelt. Improper usage, however, is no better than not using it at all. An example is buying coins from a KYC exchange and paying for goods or services with them directly. At that point you might as well have used your credit card or PayPal, because there is a direct link from you to the purchase. This lapse in OpSec is easily fixed with tools such as Samourai’s Whirlpool, or by using a privacy-by-design currency like Monero. There are several ways to obtain bitcoin or other cryptocurrencies without KYC, and I highly suggest you spend some time looking into them. As the noose tightens on KYC enforcement, it is better to know how to use these methods properly than not.

Keep in mind that Monero being private by design does not make it immune to correlation attacks or user error. A prime example is running other services on the same machine as your Monero node: that can tell surveillance systems who you are and when you transact. Monero obscures the sender and hides the receiver and amount on chain, but transaction timestamps in the blockchain combined with timestamps in network logs can still disclose a great deal about a user. This applies to every cryptocurrency, private by design or not; when possible, use a mixing service. Deterministic links between logs and transactions can and will be used against you, however insignificant they may seem.
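The timing correlation described here, and the reason the earlier advice to route everything through Tor rather than only the operation works, are easier to see with numbers. The following is an added example, not from the article: an adversary holds a day of connection logs (from an ISP, VPN or guard relay; the log source and the users are constructed) and the public first-seen times of a watched wallet’s transactions. Scoring each user by how many transactions fall inside their sessions is not enough, because an always-on user covers everything; dividing by the fraction of the day the user was online gives a lift score that singles out the user who only connects to transact and gives no signal for the user whose connection never drops.

```python
"""Timing correlation of transaction timestamps against connection logs.

Added example, not from the original article. Adversary model: someone who sees when
transactions first hit the network (public) and also holds connection logs from an
ISP, VPN or guard relay. All sessions and timestamps below are constructed.
"""
from typing import Dict, List, Tuple

Session = Tuple[int, int]   # (start, end) in epoch seconds within the window, half-open

# Constructed one-day observation window.
WINDOW = (0, 86_400)

# Constructed per-user session logs (assumption: the log source sees every
# connection the user makes during the window).
SESSIONS: Dict[str, List[Session]] = {
    "alice": [(3_600, 7_200), (50_000, 53_600)],   # connects only when she transacts
    "bob":   [(0, 86_400)],                         # always connected, e.g. Tor for everything
    "carol": [(20_000, 40_000)],                    # online, but at unrelated times
}

# Constructed first-seen times of the watched wallet's four transactions.
TX_TIMES = [4_000, 6_500, 51_000, 53_000]


def online_fraction(sessions: List[Session], window: Session = WINDOW) -> float:
    """Share of the window during which the user had an open connection."""
    lo, hi = window
    total = sum(max(0, min(end, hi) - max(start, lo)) for start, end in sessions)
    return total / (hi - lo)


def coverage(sessions: List[Session], tx_times: List[int]) -> float:
    """Share of transactions that fall inside one of the user's sessions."""
    hits = sum(any(start <= t < end for start, end in sessions) for t in tx_times)
    return hits / len(tx_times)


def lift(sessions: List[Session], tx_times: List[int], window: Session = WINDOW) -> float:
    """coverage / online_fraction: 1.0 means the overlap is what chance predicts
    for someone online that much, so the logs carry no information about them."""
    frac = online_fraction(sessions, window)
    return 0.0 if frac == 0 else coverage(sessions, tx_times) / frac


def rank_suspects(logs: Dict[str, List[Session]], tx_times: List[int],
                  window: Session = WINDOW) -> List[Tuple[float, str]]:
    """Users ordered from most to least suspicious by lift."""
    return sorted(((lift(s, tx_times, window), user) for user, s in logs.items()), reverse=True)


if __name__ == "__main__":
    for score, user in rank_suspects(SESSIONS, TX_TIMES):
        print(f"{user:6s} coverage={coverage(SESSIONS[user], TX_TIMES):.2f} lift={score:5.2f}")
```

Alice covers all four transactions while being online for two hours out of twenty-four, a lift of 12; Bob also covers all four but his lift is exactly 1, indistinguishable from anyone else who never disconnects. That is the whole argument for keeping the node, and your Tor usage, running all the time rather than only when you need it.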

Another huge OpSec lapse with cryptocurrency is posting wallet addresses. Whether on Twitter, Facebook (WTAF?), LinkedIn or wherever else, understand that this ties your account on that service to the wallet. An example was node services like Infura, which at one time asked you to post your wallet address to social media before granting a freemium account. Whether or not the address was actually under your control, it lets investigators and others question you about matters involving that address. This goes back to the problems with social media services and their hefty demands for phone numbers and much more from users. Any data you give them can and will be used against you. Do not underestimate the power of a simple email request to gain access to your data; always assume the worst and plan for it.

Giveaways with cryptocurrency can also raise serious issues with taxes and for investigative purposes. At the moment many dismiss this as paranoia, but paranoia does not mean they are not watching and building data profiles on exactly this. Tokens in a wallet may have value to you, or they may have value to an attacker who now has an easier way to track your other transactions. Transparency is the default, and many forget that, unless you mix, every address a wallet generates comes from the same seed, and those addresses get tied together on chain the moment you spend from several of them in one transaction. Once upon a time wallets generated independent random keys, but that changed years ago in favour of seed-derived (deterministic) wallets, to stop key-generation mistakes locking up people’s stashes. Those links between sender and receiver can be used in a case or fed into investigators’ profiling tools. Please do not say you have nothing to hide; everyone does. You shit with the door closed.

Bitcoin can empower you, but it can also be the nail in the coffin. Use it properly.

Commitment

The hardest part of operational security is your commitment, which at times includes providing disinformation and sticking to it. That means being dishonest, and you can see first hand how important it is with someone like Satoshi. You may find that somewhat taboo about anonymity, but the alternative can be quite dangerous for the person trying to remain anonymous, or pseudonymous in Satoshi’s case, and for their loved ones. There is a price to pay for good operational security, whether monetary or in being dishonest with others to prevent disclosure. Evaluate your commitment often; it will be your downfall if you start to waver on hard lines you once drew. Ask yourself, too, whether you are willing to serve time and lose your freedom for what you are doing.

It is very important that you also understand your commitment when an operation could compromise others. The one time you call someone from the other number, or connect through your home ISP, or happen to be seen by someone who can place you at a location, could very well compromise everyone. Most people are not mentally, physically or emotionally prepared for interrogation or for the real threat of losing their freedom. This is a major problem for group operations: one person gets compromised and becomes a liability to everyone, and the others will not know, because the compromised person will most likely have turned informant. A single compromise can endanger the rest whether intentional or not, which is why collective operations are so hard to do correctly. This has been proven time and time again: members of Anonymous, AntiSec, LulzSec and others were all infiltrated by informants who turned on the rest. Agent Steal in the ’80s, and even former members of LoD and MoD, had informants in their circles. When in doubt, remember that most people are not willing to sacrifice their freedom for yours. If someone else is compromised they will most definitely flip, so plan accordingly and keep disclosures to a minimum, with some disinformation where appropriate. Disinformation also works for leak detection in an organization: if a detail you gave only one person comes back to you in someone else’s inquiries, you have found the leak. Remember, YOU are responsible for YOUR actions.

Whether you are hacking, running a DNM, or simply running a blog that speaks out against a nation-state, your operational security requires commitment, some situations more than others, and the choices you make from start to finish are critical to the safety and execution of the operation. If you require others to assist with certain activities, limit the scope of what they know. It stops them taking you down with them if they make a bad move, though ultimately everyone is responsible for the operation: one bad mistake and everything can go up. When an operation goes quiet people often speculate about an exit scam; it can also be a stop to fix a leak, or a leaker, depending on the situation. Running a DNM or any other group-led operation is stressful, and there will be times when you are tested, with many others involved. Keeping your resolve and your commitment to operational security will carry you through the hard times. Always remember, though, that trust is dangerous even with those you are committed to working with, and always proceed with caution, especially with operations that may be questionable in your jurisdiction.

Anonymity can require us to do things we normally would not; staying anonymous may require us to wear a mask.

Rehash and Conclusion

While I have covered some of this in previous articles, I will always need to reiterate the message of understanding how to start without links to your information. It cannot be stressed enough: start correctly, because operational security lapses from the get-go can compromise your anonymity and privacy from the start. If you feel that it is too much work, then decide what the right path is for you. What I need and want from my online privacy and anonymity may differ greatly from what you need. Along with deciding what level of anonymity and privacy you want, you need a plan for the eventual breakdowns in that plan. When operating in a group you need checks for leaks, informant behavioural checks and other methods to ensure there has been no compromise. In future writing I will provide a baseline checklist for operating in groups that you can adapt to your own needs.

The next article will be about setting up your machine properly. That means setting up Linux, and not Kali Linux: using Kali on a network that is not your own advertises that you are a script kiddie about to try something questionable. Kali is a Debian-based distribution, so 99% of its tools work on other Linux distributions, and it is wiser to use one that is unassuming. I will cover installing Debian, Fedora and Tails, along with best practices for setting up the host firewall, SELinux configuration and the like. We will also explore communication tools and which ones protect our privacy. As in other articles, some of this material may seem repetitive, and it is, because it is important. These foundational pieces cannot be stressed enough; their importance outweighs all the bells and whistles a service may offer. When building something you need a strong foundation, and without it the structure will crumble when the pressure of the elements is applied. This applies greatly to OpSec, which is tested constantly in our day-to-day.

I want to thank JACE for proofreading as always, along with the many of you who reach out over secure channels to ask about topics and ideas. I appreciate you, and in 2021 the write-ups are going to empower more and more people to take control of their operational security, defensively and offensively. You can contact me on the following platforms:

Signal:(867–675–1041)

Tox: D7D264EA7541C4324625A8360267C3C54F9C1AF564D4266FE45F2BCB68924E21CB2A75746D51

Twitter

The foundation of your operational security matters more the longer your operation runs; do not take shortcuts.


nixops

General purpose hacker and deadhead. Sometimes I do things…