Miguel asked me to write up something about using VPNs.  I’ve chosen to make it a bit broader.
The first thing to know about Internet security is that the Internet was not designed to be secure.  It was designed to share information.
If you are a person who is interested in security, you are interested in a number of different moving parts:
  1. Are my documents secure from being copied?
  2. Are my credentials (username/password) secure from being copied?
  3. Are my online actions secure from being tracked?
  4. Are my personal details secure from being revealed by the sites I visit?
As designed, packets (the smallest blocks of data that get transmitted on the net) travel in the open.  Anybody who can intercept a packet can read what is in it.  Thus if you sent an email in the 1990 time frame that said “The Libyans are going to attack the power plant at 1837 on Nov 1st”, anybody monitoring the network could read it.
The internet is built on store and forward.  Each packet moves from one “computer” to the next, and at each hop that computer decides where to forward the packet.  Today we have specialized computers called switches and routers to do this store and forward.
There is NOTHING to keep somebody from programming a router or switch along the path to copy every packet to a collection point.
The point of all of this is that everything sent over the net can be monitored and read.
We, the internet geeks, started to fix this.  The first step was to protect particular types of communications.  So instead of sending our usernames and passwords on postcards (packets), we did some math magic and exchanged tokens that could be copied but were useless to the person who copied them.
We created methods of encrypting documents and email.  But for the most part, it just didn’t work very well.
The biggest problem is that most users don’t have a clue how to manage secure information.  Too often people use a password that is easy to guess, or write it down, or a dozen other things.  They keep copies of secured documents in decrypted form.  All of which is bad.
So we created a new way of communicating called “end to end encryption”.  What this means is that the data is encrypted before it goes on the net (the wire) and can only be decrypted at the remote end; nothing in between can read it.  The protocol we use for this at a user level is called “ssh”.  It was written by some very smart people who understood cryptography, and there have been few security issues with it.
For the rest of the people, we got SSL (today’s version is called TLS).  This is the protocol used by web browsers, by mail clients fetching your email, and by a bunch of other things.  You see it as the lock in your browser window or the “https” in a URL.
So now we have secure communications between us and somebody else on the net.  Good.
But what does this actually give us?  Not enough.  The bad guy or government agent watching your internet traffic might not know exactly what you are viewing, but they will know which websites you are visiting.  The encryption hides the contents of the page, not the address of the server it came from, and both the DNS lookup and the start of the TLS handshake carry the site’s hostname in the clear.  So they can’t see that you are watching that porn video of two guys in rabbit suits doing…, but they do know you were visiting the website the porn is served from.  They don’t know what you said or read on gunfreezone.net, but they do know you are visiting the site.
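As an added example (not part of the original post): the script below builds a minimal TLS ClientHello for a hostname and then parses the Server Name Indication field back out of it the way a passive tap would, with no keys and no decryption. Everything here is constructed: the hostnames, the client addresses in the sample capture, and the ClientHello itself, which carries only the fields the parser needs rather than what a real browser sends.

```python
import struct


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension.

    Constructed sample, not a capture: just enough fields for the parser below,
    with a fixed 'random' and a single cipher suite."""
    host = hostname.encode("ascii")
    server_name = b"\x00" + _u16(len(host)) + host           # name_type 0 = host_name
    sni_list = _u16(len(server_name)) + server_name
    sni_ext = _u16(0x0000) + _u16(len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = _u16(len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version 0x0303 (TLS 1.3 clients still send this here)
        + b"\x11" * 32            # client random (fixed, constructed)
        + b"\x00"                 # session_id length 0
        + _u16(2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"             # one compression method: null
        + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed.

    This is the passive observer's view: only cleartext framing is read."""
    if len(record) < 5 or record[0] != 0x16:                 # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # not a ClientHello
        return None
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        i = 2 + 32                                           # skip version and random
        i += 1 + p[i]                                        # skip session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]          # skip cipher_suites
        i += 1 + p[i]                                        # skip compression_methods
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]     # end of extensions block
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            if etype == 0:                                   # server_name extension
                j = i + 2                                    # skip server_name_list length
                while j + 3 <= i + elen:
                    ntype = p[j]
                    nlen = struct.unpack("!H", p[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0:
                        return p[j:j + nlen].decode("ascii", "replace")
                    j += nlen
            i += elen
    except (IndexError, struct.error):                       # truncated or garbage input
        return None
    return None


def passive_observer(captured):
    """Given (client_ip, first bytes of a TLS flow) pairs as a network tap would
    see them, report who is talking to which hostname without any decryption."""
    seen = []
    for ip, record in captured:
        name = extract_sni(record)
        if name:
            seen.append((ip, name))
    return seen


# Constructed sample capture: the first record of three HTTPS flows on a tap.
CAPTURED = [
    ("10.0.0.7", build_client_hello("gunfreezone.net")),
    ("10.0.0.7", build_client_hello("mail.example.com")),
    ("10.0.0.9", build_client_hello("example.org")),
]

if __name__ == "__main__":
    for ip, name in passive_observer(CAPTURED):
        print(f"{ip} -> {name}")
```

The point is that the very first packet of every HTTPS connection names the site in plaintext. TLS 1.3’s Encrypted Client Hello is meant to close this hole but is not widely deployed, and the DNS query that preceded the connection usually leaks the same name anyway.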
This article talks about what can be done with that “metadata”, who you are talking to:
A VPN is designed to solve the metadata issue.  You fire up your computer and turn on your VPN.  Now all your traffic leaves your computer, your office or house or the local McDonald’s inside an encrypted tunnel to a server somewhere on the net.  The spies watching that first hop see only that you are talking to the VPN server; they don’t know what you said or who you are saying it to.
Once it gets to that server, the traffic is unwrapped, repackaged and sent on to its destination.  The address on the packet is the VPN server’s, not one directly associated with you.  Now they don’t know what sites you are visiting.  Wowsers!
Except you are a stupid git and you log in and check your email while using your VPN.  There is now a log entry at your email service provider saying that at 2021-01-11 17:43:04 your account pulled email from such and such IP address, and that address is the VPN’s exit address.
The bad guys, either legally or by other means, get that log entry.  They now have the IP address you were using through your VPN at that moment and can look for that same address coming into gunfreezone.net around the same time.  They know you visited GFZ.  VPN or not.  (A commercial VPN puts many users behind the same exit address, so a single match narrows the field rather than proving it outright, but a few matching timestamps narrow it plenty.)
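Here is what the correlation in the last two paragraphs looks like as code, added as an example and not part of the original post. The mail provider’s login log and the site’s access log are both constructed samples (the login log is in an invented format, the access log in the common Apache/nginx “combined” layout); the addresses are from the documentation ranges and the account names are made up. The function takes every successful mail login and pulls out site hits from the same address within a time window.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: an email provider's IMAP login log (format invented here).
MAIL_AUTH_LOG = """\
2021-01-11T17:43:04Z imap-login user=john.q.public@example.com ip=198.51.100.77 ok
2021-01-11T17:45:12Z imap-login user=someone.else@example.com ip=203.0.113.8 ok
2021-01-11T17:47:40Z imap-login user=john.q.public@example.com ip=198.51.100.77 failed
"""

# Constructed sample: the web site's access log in Apache/nginx "combined" layout.
SITE_ACCESS_LOG = """\
198.51.100.77 - - [11/Jan/2021:17:40:51 +0000] "GET /2021/01/some-post/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.5 - - [11/Jan/2021:17:41:02 +0000] "GET / HTTP/1.1" 200 9901 "-" "Mozilla/5.0"
198.51.100.77 - - [11/Jan/2021:17:44:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Jan/2021:09:02:11 +0000] "GET / HTTP/1.1" 200 9901 "-" "Mozilla/5.0"
"""

MAIL_RE = re.compile(
    r"^(?P<ts>\S+) imap-login user=(?P<user>\S+) ip=(?P<ip>\S+) (?P<result>ok|failed)$"
)
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_mail_log(text):
    """Return (utc_time, user, ip) for successful logins only."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m and m["result"] == "ok":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["ip"]))
    return events


def parse_access_log(text):
    """Return (utc_time, ip, request_line) for each hit, normalising the zone offset."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            ts = ts.astimezone(timezone.utc).replace(tzinfo=None)
            hits.append((ts, m["ip"], m["req"]))
    return hits


def correlate(mail_events, site_hits, window_minutes=30):
    """Map each account that logged in to the site hits made from the same
    address within window_minutes of that login. A shared VPN exit address
    will pull in other users' hits too; a tighter window or more logins narrow it."""
    window = timedelta(minutes=window_minutes)
    matches = {}
    for login_ts, user, ip in mail_events:
        for hit_ts, hit_ip, req in site_hits:
            if hit_ip == ip and abs(hit_ts - login_ts) <= window:
                matches.setdefault(user, []).append((hit_ts, req))
    return matches


if __name__ == "__main__":
    found = correlate(parse_mail_log(MAIL_AUTH_LOG), parse_access_log(SITE_ACCESS_LOG))
    for user, hits in found.items():
        for ts, req in hits:
            print(f"{user} was at the site: {ts:%Y-%m-%d %H:%M:%S} {req}")
```

With the sample data the account that logged in from the VPN exit at 17:43 is tied to the site visit three minutes earlier and the comment posted a minute later, while the hit from the same address the next morning falls outside the window. Neither log contains a name, a password or a page body; the join is on address and time alone.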
So you decide to go full out and install the Tor browser on your computer and use that instead.  Except the feds can run Tor relays of their own, or watch the links into and out of the Tor network.  What they do is look for traffic patterns, the volume and timing of what goes in from your connection, that match what comes out at the site they are watching.  As soon as they see a match, they can tie that traffic back to your physical location.
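The traffic-correlation attack on Tor as an added, simplified example (not from the original post). Tor packs everything into fixed-size cells, so the observer works with bytes per second over time rather than individual packet sizes. The series below are constructed: three candidate client connections as seen entering the Tor network, and one series as seen arriving at a watched site, delayed by two seconds and slightly changed by protocol overhead. The code slides the destination series against each candidate and scores them with Pearson correlation.

```python
def pearson(x, y):
    """Pearson correlation of two equal-length series; 0.0 when either is flat."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sx = sum((a - mx) ** 2 for a in x) ** 0.5
    sy = sum((b - my) ** 2 for b in y) ** 0.5
    if sx == 0 or sy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (sx * sy)


def best_lag_correlation(client_bins, dest_bins, max_lag=5):
    """Slide the destination series back by 0..max_lag bins to absorb network
    delay and return (best_r, lag_in_bins) for this candidate client."""
    best_r, best_lag = -1.0, 0
    for lag in range(max_lag + 1):
        n = min(len(client_bins), len(dest_bins)) - lag
        if n < 3:
            break
        r = pearson(client_bins[:n], dest_bins[lag:lag + n])
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag


def rank_candidates(candidates, dest_bins, max_lag=5):
    """Score every candidate client flow against the destination flow and
    return [(client, r, lag), ...] with the strongest match first."""
    scored = [(name,) + best_lag_correlation(bins, dest_bins, max_lag)
              for name, bins in candidates.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample: bytes per 1-second bin at two observation points.
# Three client connections entering the Tor network (guard side)...
CLIENT_FLOWS = {
    "10.0.0.7": [0, 120, 3400, 800, 0, 0, 2600, 150, 0, 5100, 0, 0],
    "10.0.0.9": [900] * 12,                     # steady stream, e.g. a long download
    "10.0.0.12": [4000, 0, 0, 3000, 0, 0, 1000, 2000, 0, 0, 500, 0],
}
# ...and what arrives at the watched site: 10.0.0.7's pattern, two seconds
# later and slightly reduced by cell and TLS framing overhead.
DEST_FLOW = [0, 0, 0, 110, 3350, 790, 0, 0, 2590, 140, 0, 5080]

if __name__ == "__main__":
    for client, r, lag in rank_candidates(CLIENT_FLOWS, DEST_FLOW):
        print(f"{client:10s} r={r:+.3f} lag={lag}s")
```

The steady stream scores zero because there is nothing in it to line up, the unrelated bursty client never gets above a weak match, and the real source stands out at a two-second lag. Real deployments have to separate the target from thousands of simultaneous flows and longer, noisier observation windows, which is why it takes time and a view of both ends; the shape of the attack is the same.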
There was a “dark web” sales site called The Silk Road.  Yeah, you could buy *THAT* there.  Yes, that too.  And that other thing as well.  It was a black market selling really black things.
The guy who ran it was really, really careful.  He ran the site over Tor, kept the administration on its own laptop, and worked from public wifi rather than his own.  He was freaking careful.  But back when he was first promoting the site he had posted about it on a public forum, and an account tied to those posts later handed out his personal email address.  An investigator dug up those old posts.  That was all it took.  The feds tracked him from there and arrested him.
Late last year the feds announced the largest cryptocurrency seizure in their history: after multiple years of tracing, they got control of a Bitcoin wallet holding coins that had been taken from Silk Road and moved out over a billion dollars in value.
TL;DR: A VPN is a good thing to use.  But by itself it isn’t going to save you.  It is the stupid things that will get you.  Did you remember to shut down every single thing that connects to the internet while you were using the VPN?  Nope?  Then there is a record, somewhere, of the VPN being used by *you* to do something normal.  And that lets them know you were using that IP address right then.
And even if you do everything right, there is always a chance that somebody you are working with isn’t that careful and they will expose you.  Today they are talking about a hack of Parler over the last few days that exposed 70 Terabytes of data, every single piece of information that Parler had.
Be safe out there, everything you say on the Internet is forever and everything you say can, at some point in time, be tracked back to you.
Thanks for reading,
AWA

By Miguel.GFZ

Semi-retired like Vito Corleone before the heart attack. Consiglieri to J.Kb and AWA. I lived in a Gun Control Paradise: It sucked and got people killed. I do believe that Freedom scares the political elites.

9 thoughts on “Security in the New Normal – AWA”
  1. Thanks for the briefing – much appreciated!

    Sounds like the “best” way to manage things would be to have multiple machines, and become religious about separation-of-use. And this would also suggest not using household routers that connect up to a VPN automatically, for all traffic using said router.

  2. By the way … I’m only halfway through but am REALLY enjoying the linked article on metadata. A bit chilling, in some respects; however, I love the elegance of the basic matrix approach.

    Thanks!

  3. There are no secure electronics.
    Period.
    Sending a letter via USPS is more secure than sending any sort of electronic communication, even if you don’t use a cipher. Why?
    Because the federal government isn’t going through the trouble of opening your mail, scanning it, and sealing it back up before sending it off to you unless you’re already under enough suspicion that you have a team of agents assigned to you.

    But they are able to view every single electronic message in at least the last 15 years. Storage has gotten so cheap, and marketing data is so valuable, that companies keep that data in perpetuity because you never know what algorithm is going to come out next that shows “people who use ‘that’ in a sentence more than 6 times are 1.2x as likely to prefer coke over pepsi” or some shit.

    A happy byproduct of all that is the data becomes subpoenable, and after the first few subpoenas companies generally give up fighting them and give LEO a web portal to just search the info directly.

    Autocorrect, autosuggest, form fills….all that stuff reads every keystroke/button press/mouse click and sends it off to Google or Apple or Microsoft or China.

    The mobile OSes and Windows 10 also look around you for wifi and bluetooth devices and use that for location awareness. They don’t even let you know they’re doing it*. Then they report back the names and mac addresses of those devices, building a database of what devices are physically located where.

    So even if you bought a second laptop for cash in another state and threw linux on it in the parking lot... your phone would know it was there and report back unless you turned off your phone and removed the battery. Newer cars might even pick it up and report back, I don’t know.

    We are living in the Stasi’s wet dream and most of the population welcomed it.

    “Enemy of the State” was a damned documentary. Fight me.

    (TOR, by the way, was developed by the Navy and Darpa, and mostly funded by the federal government. This is not a secret.)

    * my kids got chromebooks from school. All four were turned off during Christmas break. When we finally booted them back up, the three that had been connected to power, but “off”, the entire time had magically received operating system updates. The one not plugged in to the wall was three versions back. They’re now on their own segregated network that turns off when the kids are not using them.

    1. Just a slight tweak to this:
      “Sending a letter via USPS is more secure than sending any sort of electronic communication, even if you don’t use a cipher.”

      Sending a postcard written in plain language is more secure….

      Not only will the postcard take time to identify, read, interpret, but it will be lost among god knows how many other bits of info. Whereas any electronic communication can be examined with no effort whatsoever.

  4. Google/Apple know pretty much where every single WiFi access point is. It is the magic of “meta data”. Most people opt in to the sharing of location data. When your phone connects to a WiFi access point and then logs into Google/Apple so it can continue to get your alerts and all the rest, google gets a message with the location of your phone and the MAC address/SSID of the network the phone is connected to.

    If I were to try to go anonymous, I’d start with an older laptop. I’d make sure the onboard wifi was off. I’d install a PenTest Linux OS with just a Tor web browser. I’d then purchase a USB WiFi adapter.

    The adapter would be kept separate from the laptop until it was time to use the laptop. At that point I’d find an open WiFi that was accessible from outside the building.

    I would walk the final 200 plus feet until I was in range. I would then spend a random amount of time there, read a book, whatever. Then fire off the laptop, do whatever needed to be done. Then shut down the laptop, and sit there and read some more.

    For even better work, I’d script everything and do it all in a small portable device that never left my back pack. Press the button in my pocket and it does whatever it needs to do.

    I’d never use the same WiFi space, so that would require a bit of travel. I’d never fire up the connection unless I could verify that there were multiple people there.

    And NONE of that would make any difference if they were monitoring me.

    The government would be able to see when the traffic came on line in the destination they are monitoring and trace that back to those times when I was out and about.

    All scary stuff.

  5. Many years ago I was part of a group that was working on upgrading the network connections to the campus. Not a university.

    We were getting an OC-12. This was a huge upgrade from the T1 we had been using.

    This is 600Mbits/second, around 70Mbyte per second.

    This was amazing! It was exciting! It was wonderful.

    And my friend chuckled and explained that there was a government entity near us that had multiple OC-192 that was inbound only. They had no outbound network connections.

    This government entity was tasked with collecting ALL data that was transmitted that left CONUS. And they did.

  6. One further point I want to make:

    It doesn’t matter if you never open a facebook account or agree to google’s terms of service or “share your contacts” with other services.

    Your friends and family have done all that for you.

    When your boss, your sister, and your best friend all have the same phone number for “John Q Public” in their phone, and they all clicked through the ToS on whatever new facebook app version got pushed out, they just independently verified to facebook that John Q Public’s phone number is 888-555-6656 when they let facebook scan their contacts “to help you find friends.”

    Oh, and your sister also put johnQDaddy1776@gmail.com as your email address in her contact list, so now they know that, too.

    Lord help you if you ever gave your sister your wifi password, because while she was at your house she opened Instagram, which according to the new ToS, then scanned your entire network for IoT devices such as smart speakers, smart TVs, etc…and also reported back any device names and mac addresses (which are globally unique). Oh, and because she had location enabled, they now know exactly where all those things are, AND they added your wifi access point to their broader map to use for location tracking.

    I swear, the older I get, the more I get Crazy Ted from Montana’s housing situation.
