How to Be Safe on the Internet, Part 4: Fighting Power

By this, the fourth and final entry in this series, you should understand the basics of information security. Let's review them before continuing down the rabbit hole.

You researched a variety of attack vectors and methods to shut them down. In observing their patterns, you learned the weak points that are naturally exposed online and therefore require intervention.

You have learned that any software or operator that manages your communication can control it. Information security aims to break this grip. To do this, you cut out intermediaries when that is possible and encrypt your connection when it is not.

In the process, you have also learned that humans are really bad at generating randomness, so you can't expect your brain to come up with random passwords. The tendency to trust our own instincts is our most serious weakness. This common bias also lowers our guard when people request sensitive information.

Category 2 opponents are nothing to sneeze at, but their resources are limited. If you armor yourself enough, they will give up and move on to a comparatively easier target.

In the face of the Category 3 threat, everything you have learned is taken to a whole new level of insanity. Category 3 opponents have unlimited resources to pursue their top targets.

Often called "nation-state actors" or "advanced persistent threats" (APTs), they have tax revenues, national sovereignty, and the law behind them.

Validation with severe bias

Before proceeding, consider the following.

First of all, the guidance in this part of our series is definitely not applicable to you. You may find it interesting and you will probably benefit from it. However, statistically, you will never run this level of risk.

If for some reason this guide applies to you, you need a lot more help than I can provide. Right now, I would fail to hold off a nation-state. I don't know anyone who could resist for more than one or two months.

Instead of treating this guide as the official word on defense against nation-states, use it as a jumping-off point for further research. I recommend studying the Electronic Frontier Foundation's Surveillance Self-Defense guide, followed by the Open Source Society University degree track.

There are many more qualified sources from which you should seek advice, but this is a modest start. As all of this suggests, you need a comprehensive computer science background to stand a chance.

Second, even if you only practice the methods this part provides, your operational security (OPSEC) must be impeccable. That is, you will probably fail.

OPSEC is your discipline in following the security controls dictated by your threat model. As I said at the beginning of this series, security comes at the expense of convenience, and when you face the ultimate risk, the sacrifice of convenience is total.

This is why even the best OPSEC practitioners keep their pursuers at bay for only a few years. Therefore, make a contingency plan in case you fail. Only you know what it looks like.

So to whom does this installment apply? National security or international affairs journalists, for one. This goes double for those who review classified information or sensitive sources. Secrets are invaluable to nation-states, and they will stop at nothing to hunt down those who let them out of the box.

High-level political dissidents also find themselves in the crosshairs of nation-states. They advocate dissenting policies that governments feel justified in silencing by any means.

Finally, military technology researchers must expect Category 3 attacks. Nation-states can compromise engineers who develop sources of military or economic advantage, so they can copy their work and level the playing field.

Not owned - or zero
It is important to understand "trust" in computing. Here, trust is bad. In particular, when you rely on hardware or software, or on the entity that manages it, you have to trust it with the handling of your data. In a trust relationship, you cannot defend against what you trust: you can only hope that it will not betray you.

Instead, adopt a posture of distrust. Without trust, you don't have to rely on any entity that touches your data. You achieve this posture by taking measures to ensure that you are not harmed even if that entity tries to undermine you.

End-to-end encryption is an example of reducing trust. A VPN, for example, prevents your ISP from snooping on you, so you don't have to trust it.

To shut out Category 3 opponents, the number of companies you trust must be zero.

Your mentors are now in the military

Government opponents are very dangerous because they wield government resources.

They have a huge budget. Deep pockets allow APTs to staff dedicated agencies with hackers. They can afford expensive toys such as supercomputers for brute-force attacks or zero-day vulnerabilities (found on the gray market) for custom attacks.

Another advantage is that nation-states have the power to grant legal immunity to their agents. To paraphrase technologist Chris Soghoian, just as soldiers can kill people without going to jail, government hackers can compromise you with impunity. This is one of the main attractions for hackers who seek lucrative employment.

Finally, government agents can exercise legal compulsion. Simply put, they can order digital service providers to rat you out. Legally backed orders force service providers to comply with requests for your data. Snippets of code in other programs can allow root access for anyone who knows how they work, and they are too small for users to keep track of.

A complete list of nation-state actors is impossible. Some tricks are impossible for them. What are the weapons against their goal and what are they willing to do to target the nation-states.

With so many targets, you, the hypothetical prey, may not top the list. Therefore, you have an opening: make attacking you so costly that it is not worth the strategic reward. You won't necessarily know where the tipping point is, but if you are sure you are being hunted, you should try.

With all that said, let's get into the countermeasures, and I'll explain what they aim to do. There are two aspects of protection against Category 3: the tools to be used and the OPSEC required to use them.

My computer has a lot like it, but it's mine.
The truly ideal approach is to run your equipment through a wood chipper, burn the shards in a blast furnace, and throw the remains into the sea. If that's not an option, read on.

Odds are that if you are working this hard to secure your computer, it's because you need to communicate. All communication should be mediated by a provider that is committed to protecting user privacy.

Choosing email providers, chat servers, etc. that are based outside your government's jurisdiction is a good bet. Your rival government then has to go through the provider's government to execute a records request, and the latter does not always cooperate.

The next thing you need to do is to route all your communications through Tor. Tor is a network designed to anonymize all users' traffic before passing it on to the appropriate destination.

Essentially, it is a VPN on steroids. The weakness of a VPN is that a moderately capable attacker can get around it. VPNs are effective against adversaries that can observe either a client's connection to the VPN or the VPN server's connection to the Internet, but not both.

ISPs fit this profile because they only see your device's connection to the VPN. However, top-tier Category 2 adversaries and above can observe traffic on both sides of the VPN. If they see your device connecting to a VPN, and then immediately see the VPN connecting to a website, they can put two and two together.

Instead of routing through a single proxy as a VPN does, Tor uses three proxies in a row. By design, your traffic travels from your device to Tor Node A, Tor Node A to Tor Node B, Tor Node B to Tor Node C, and finally Tor Node C to your destination.

This way, your connection is encrypted three times: with Node C's key for the B-C leg, with Node B's key for the A-B leg, and with Node A's key for the device-A leg. That way, even though Node A knows who you are, it doesn't know where you're going. Conversely, Node C knows where your connection is going but does not know who made the request.

This makes it difficult to track your traffic across the Tor network, complicating the correlation attacks that work against a VPN. Oh, and for good measure, Tor changes the nodes you use every five minutes.
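The three-hop layering described above, as an added example (not code from the original article or from the Tor Project): a toy Python model that records what each relay can observe. The SHA-256 keystream is a stand-in for Tor's real cryptography, and the node names, the `client` label and the `example.org` destination are constructed.

```python
import hashlib, json, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); a stand-in, not Tor's cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    # One layer: the next hop's name plus the still-encrypted inner blob.
    cell = json.dumps({"next": next_hop, "data": inner.hex()}).encode()
    return keystream_xor(key, cell)

def peel(key: bytes, blob: bytes):
    cell = json.loads(keystream_xor(key, blob))
    return cell["next"], bytes.fromhex(cell["data"])

def build_onion(keys, route, destination, request: bytes) -> bytes:
    # The client wraps innermost-first: C's layer, then B's, then A's.
    hops = route[1:] + [destination]
    blob = request
    for node, nxt in reversed(list(zip(route, hops))):
        blob = wrap(keys[node], nxt, blob)
    return blob

def relay(keys, route, client, onion):
    # Each node strips its own layer and learns only its two neighbours.
    seen, prev, blob = {}, client, onion
    for node in route:
        nxt, blob = peel(keys[node], blob)
        seen[node] = {"from": prev, "to": nxt}
        prev = node
    return seen, blob

def demo():
    route = ["A", "B", "C"]                      # constructed node names
    keys = {n: os.urandom(32) for n in route}    # one session key per node
    onion = build_onion(keys, route, "example.org", b"GET /")
    return relay(keys, route, "client", onion)

if __name__ == "__main__":
    seen, delivered = demo()
    for node, view in seen.items():
        print(node, view)
    print("delivered:", delivered)
```

Node A's view contains the client but not the destination, and Node C's view contains the destination but not the client, which is the property the paragraph relies on.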

The Tor Project offers the Tor Browser, which allows you to browse through Tor. However, it only protects your web browsing, so that is not what I'm talking about. You must configure your system to route all Internet traffic through Tor. How to do so depends a lot on the system, but there are guides on how to do this.

Once this is set, everything your device sends or receives is filtered through Tor. If you do nothing to expose yourself (see the OPSEC discussion below), this will make your traffic anonymous.

No nation-state is affected by Going on you using Tor, but it forces Tor to seek records from a third party or to close their connection to the Internet backbone. These sources contain traces of your activity but are not responsible for you.

Along with Tor, MAC address spoofing is required to hide the source of your communication. The MAC address is a unique hardware serial number for your device's Network Interface Controller (NIC).

Your device's NIC includes its MAC address in the metadata of the packets it sends. With MAC spoofing, your software substitutes an arbitrary MAC address of your choosing for the hardware one in your packets. Without this step, your MAC address will not be hidden from a nation-state foe.

Against high-caliber opponents, you have to upgrade your encryption to PGP. Despite their learning curve, PGP keys offer highly powerful and versatile encryption.

OPSEC: Sharpening the Warrior, not the weapon

OPSEC is the second part of the nation-state threat model. All your equipment is useless without OPSEC.

First, get rid of your phone. Devices with cellular basebands (collectively "mobile devices") are fully optimized to track you. For one thing, your mobile device broadcasts an unspoofed hardware number as it reports your location to your carrier in real time.

It takes only a legal order to disclose your every move. It doesn't matter how secure your desktop device is if your mobile device is nearby. There is also the fact that its microphone can be turned on covertly.

So, why not repeat what you did for your desktop? Well, you can't.

One, you cannot install fully open-source software on it. It is practically impossible to install fully open-source Android on a mobile device without proprietary drivers, and by law the cellular baseband must run proprietary firmware for radio frequency compliance.

Two, mobile devices do not allow you to run a secure boot with custom keys.

Three, mobile open hardware is not ready for prime time, so you have to trust the hardware.

Finally, architecturally, the SIM is the master of your mobile device, and there is literally nothing you can do to prevent that. With mobile devices having fatal, unavoidable weaknesses, the only winning move in this strange game is not to play.

Additionally, choose your network carefully. Obviously, you should never connect from your home network, but don't put all your hopes on Tor. Always assume that your IP is exposed. Don't log in twice on the same network. Instead, rotate through public networks without leaving a pattern.

As you travel to use the network, you also want to learn basic modeling techniques. You will be able to tell if you are going to a physical location.

The vigilance does not stop there, however. You also need to know whether your contacts are compromised. Going through their associates is an easy way to reach someone. In the digital context, this usually does not mean turning them, à la spy thriller, but compromising their tools to monitor your interactions.

The remedy here is either to give up your contacts or to have them practice everything in this guide along with you. Communication is a two-way street. If your partner fails at these steps, the result is the same as if you had failed.

To the extent that you expect to live a "normal" life, you must partition your "safe" and "normal" lives. Do not transfer any file, message, or other digital artifact between devices, accounts, or platforms across this partition.

Also, don't behave the same in every "life". Patterns, such as the tabs you have open at the same time or the order in which you visit sites, are sufficient to identify your unique behavior.

To summarize OPSEC, do not make a move until you have fully thought it through.

Where the path ends, the wilderness begins
At this point, that is all I can say. The causes of a Category 3 threat are many and personal, so only you can decide how to use the tools and techniques.

While there is much more to Category 3 threats, anyone reading this should be prepared to reevaluate their threat model and expand their toolset, no matter what threat they face.
