For those of you looking for a TL;DR (too long; didn’t read), I can give you only this:
> “The only defense against the world is a thorough knowledge of it.” ― John Locke
Just as there is no TL;DR for packing a parachute, I can’t put one here, sorry. There is no shortcut to being safe (secure, private, and anonymous) on the Internet. If anyone tells you there is, throw a stone at them. Please note that those three things are very different: without security there is no privacy, and without privacy there is no anonymity.
There are numerous threats on the Internet. There are gnat-sized annoyances like advertising and tracking cookies, and bigger blood-sucking parasites like ISPs (Internet Service Providers) that rummage through your traffic so they can resell it, monetizing you for a second time. A cynical person might say that a digital remora ecosystem has layered itself on top of the Internet like flies on a carcass, and like the bite of a malaria-carrying mosquito, all of these threats can lead to actual financial and physical harm.
Since the beginning of computer time there has been a constant, ever-increasing background noise of beginner hackers, script kiddies, and outright organized crime. Recently, the rate at which the Internet grows more hostile has accelerated.
I Don’t Mean to Get All Chicken Little Here…
> “If you think this has a happy ending, you haven’t been paying attention.” — Ramsay Bolton
In the past year or so, several “hacking groups” have acquired large chunks of operational cyber tools from private offensive cyber tool companies and even the U.S. cyber warfare armory. Much of this has been dumped onto the Internet for anyone to use. Existing cyber criminals immediately put their newfound tools to use, ransoming entire industries and compromising hundreds of thousands of computers in less than a week. Operating system vendors scrambled to plug these “new” vulnerabilities, vulnerabilities that in reality had existed and been exploited for years.
This is the equivalent of someone breaking into an actual armory and leaving piles of M16s, M249 light machine guns, some M134 Miniguns, mortars, stacks of ammo and operations manuals on every street corner in your town. Piles of arms in front of your banks, hospitals, schools, electrical utilities, places of worship, voting booths. If I had to commute through this environment I think I’d buy a tank and wear kevlar undies. If this is not your red pill/blue pill moment, I think it should be.
Every Network is a Battlefield
> “Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.” ― Sun Tzu, The Art of War
Each time your computer (or phone or tablet or watch) joins a network, you don’t know whether there are any hostile computers already there, waiting for you.
If you walk into a coffee shop your computer will connect to a WiFi access point and then be assigned an IP address by the local network. An IP address is like the address of a house. It is unique in your neighborhood and in the world. Your computer can send a packet to the other side of the planet if you know its address, just like you can send a post card anywhere in the world if you know the mailing address. Your local network, in this coffee shop, is like a cul-de-sac at the end of a road. You can see everyone else in your neighborhood just by looking around. You can reach out and touch them, ring their doorbells, without going far at all. If this were a movie, this is where the scary music would start.
The next time you are in a coffee shop, look at the IP address you have been given. I am in one now and currently have 172.16.0.160. Everything from 172.16.0.2 to 172.16.0.255 is in the local network. There are 19 computers on this cul-de-sac that respond to pings. I bet if I ran nmap (a network scanning app) on this local network I would see some computers sharing part of their hard disks. I bet some of them are vulnerable to these new hacks; I bet some are vulnerable to many old ones too. I have some very good free software loaded on my laptop, software anyone can download and use. These apps would allow me to check for and act on any vulnerabilities I find, but this is not that kind of an article. (Scary music fades away.)
Your computer is also like a house in that it has ports that may be opened or closed. In an old house there is the front door, where people come and go, windows for air and light, a coal chute, a mail slot, a doggy door so pets can get in and out; the list goes on. On your computer, ports can be opened at well-known port numbers and services can be run behind them (file sharing, screen sharing, web services, VPN servers), and ports can show up at random places for new services. If you have an Android phone, some apps will open ports and throw up services without your knowledge or permission. If those services have vulnerabilities, your phone (and everything on it) is not going to be just yours for long. Turning on any network-connected device in a hostile environment is like bleeding in front of a shark.
If you were able to sit in your computer like it was a house, it would be a noisy, scary place. Over the course of a few minutes there would be hundreds of attempts to turn the door knob, open the windows, sneak in through the doggy door, etc. Some of these attempts will come from actual humans sitting at a keyboard, but the vast majority of these probes will be automated and come from computers that have already been compromised by viruses and trojans. One of those might be sitting in your cul-de-sac right now. After all, part of every virus’s job description is to spread to a new host as fast as possible, and if it can see you, it will try.
> “The general who is skilled in defense hides in the most secret recesses of the earth…” ― Sun Tzu, The Art of War
We are going to play defense here. I’m talking 1985 Bears defense. Strong, take-no-prisoners, bounce-the-attackers-off-the-wall-and-watch-them-drown-in-a-moat-of-burning-oil defense. Security is best applied in layers, and this article describes some outer layers that provide security, privacy and anonymity. Care must still be taken because, like any walled city, danger can grow from inside the walls; for instance, you might click on a phishing email link, or you want the Internet to think you are thousands of miles away but you run an app that sends your GPS coordinates to a server, so your true location is revealed. Eternal vigilance is required.
I have two main laptops running macOS and Linux, a phone and a tablet, and I am mobile half the time. I don’t want anyone logging onto my devices, reading my hard disks or snooping on any aspect (metadata or content) of any of my communications with the outside world. This would result in financial hardship for me, my company, and my clients. That is my threat model; you need one. It will be your requirements list for all you do.
My requirements have led me to design what is essentially a mobile cyber fortress: a place all of my devices can get into and work from without suffering the slings and arrows of outrageously bad cyber fortune.
This is How I Roll
> “When dragons attack, the only thing you should seek to stand behind is your own sword.” ― Richelle E. Goodrich
My laptop never talks directly to the Internet. It never logs on to any WiFi network, the WiFi radio is turned off, and I don’t plug it into any foreign Ethernet networks. The laptop’s only network connection is to a Tiny Hardware Firewall. The Tiny Hardware Firewall, in turn, connects to public WiFi access points or plugs into hotel Ethernet ports. The Tiny Hardware Firewall is a small (fits-in-the-palm-of-your-hand small) hardened Linux computer with two Ethernet ports and two WiFi radios. It is configured as a hardened firewall and router with a built-in VPN client, a Tor client, and ad-, virus- and malware-blocking processes. It does not respond to pings, it drops all unsolicited incoming traffic, and it is essentially an invisible citizen on the cul-de-sac.
The benefit of this setup is that I am invisible to my cul-de-sac neighbors. Whatever attack surface my devices have is hidden behind the firewall. If anyone glances around the cul-de-sac they can’t even see that there is a resident at my address. If anyone rings the doorbell at my seemingly unoccupied address there will be no answer. Any traffic that comes out of my computer is encrypted by the Tiny Hardware Firewall before being forwarded.
Even if you owned the network I am on, you couldn’t understand any of the traffic, because it is encrypted. All of the DNS queries, traffic to email servers, web servers and anything else are encrypted and sent to at least one VPN server. If I wish I can connect to Tor after connecting to the VPN, and no one on my local network, including the local ISP, would know I am on the Tor network.
If you spend time outside of the U.S. on networks hostile to VPNs and Tor, then the Black Hole Cloud (BHC) version of the Tiny Hardware Firewall (THF) will be of interest to you. It can proactively hide VPN traffic by wrapping it in stunnel, and it can connect to dedicated private Tor bridges via obfsproxy, which makes identifying Tor traffic very difficult.
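To make the “invisible citizen” behaviour concrete, here is an added example of the kind of nftables ruleset a small Linux router would carry to do what the paragraphs above describe: answer nothing unsolicited on the hostile side (pings included), let the laptop side out only through the VPN tunnel, and let the router itself reach only the VPN endpoint in the clear. This is not the Tiny Hardware Firewall’s own configuration and not code from the author or the product; the interface names (`eth0`, `wlan0`, `tun0`), the VPN endpoint `203.0.113.10:1194` and the shell function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the Tiny Hardware Firewall's own configuration): an
# nftables ruleset for a small Linux router acting as the "invisible citizen"
# on a hostile local network. All names below are assumptions:
#   lan_if     - the port the laptop plugs into (trusted side)
#   wan_if     - the port or radio that joins the coffee-shop network (hostile)
#   vpn_if     - the tunnel interface the VPN client creates
#   vpn_server - the VPN endpoint, given as an IP so no DNS leaves in the clear
#   vpn_port   - the UDP port of that endpoint
set -eu

# Print the ruleset; nothing is applied until apply_ruleset is called.
thf_ruleset() {
  lan_if=$1 wan_if=$2 vpn_if=$3 vpn_server=$4 vpn_port=$5
  cat <<EOF
flush ruleset

table inet thf {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # The laptop side may talk to the router itself (DHCP, DNS, admin page).
    iifname "$lan_if" accept
    # Never answer pings, or any other unsolicited packet, on the hostile side.
    iifname "$wan_if" icmp type echo-request drop
    iifname "$wan_if" icmpv6 type echo-request drop
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Kill switch: the laptop side may only leave through the tunnel, so if
    # the VPN drops, nothing from the laptop leaks onto the local network.
    iifname "$lan_if" oifname "$vpn_if" accept
  }

  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # The router may reach the VPN server in the clear and may ask the
    # access point for an address via DHCP; everything else goes via the tunnel.
    oifname "$wan_if" ip daddr $vpn_server udp dport $vpn_port accept
    oifname "$wan_if" udp dport 67 accept
    oifname "$vpn_if" accept
    oifname "$lan_if" accept
  }
}

table ip thf_nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # Laptop traffic leaves with the tunnel's address, never the LAN's.
    oifname "$vpn_if" masquerade
  }
}
EOF
}

# Load the ruleset atomically with nft (must run as root on the router).
apply_ruleset() {
  thf_ruleset "$@" | nft -f -
}

# Usage: sh thf-firewall.sh apply eth0 wlan0 tun0 203.0.113.10 1194
if [ "${1:-}" = "apply" ]; then
  shift
  apply_ruleset "$@"
fi
```

Two design points are worth noticing. The `forward` chain never mentions the hostile interface at all, so a VPN outage fails closed rather than silently routing the laptop onto the coffee-shop network; and the `output` chain pins the router’s own clear-text traffic to one address and port, which is what keeps DNS and everything else inside the tunnel. IPv6 is deliberately left unused on the hostile side by the default-drop policies.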
> “The world is wrong. It looks like my world, but everything’s different.” ― Sy Feltz
The OPSEC approach to security can provide impact containment by compartmentation. Translated into English, compartmentation is good because it allows you to suffer a small attack and shake it off without suffering a total takedown of your computer. Think Cylon resurrection ship from Battlestar Galactica (2004-2009) and you’ve got it.
When I want to be even more anonymous and hack-proof than usual I follow a multi-step process. It is a little more complicated and involves connecting a virtual machine (VM) to the Tiny Hardware Firewall.
- Plug another Ethernet interface into the laptop and plug the THF into it. This is not my laptop’s main Ethernet interface or its default route.
- Start the THF or BHC and start the VPN and/or Tor.
- Start a virtual machine running an operating system different from the main OS on my laptop.
- This VM’s only Ethernet interface is bridged to the new Ethernet interface that leads to the THF. As this VM “wakes up” it thinks it is wherever the VPN or Tor has terminated in the world. If the VPN server is in Germany, then this VM thinks it is in Germany.
- This VM is a read-only VM. Anything written to it is thrown away when the VM shuts down. If this VM gets infected with a virus, when I shut it down all of the work the virus has done dies with it. When the VM is started again it is a fresh copy of its old self, just like the last time you started it. On my computer I’ve labeled this VM “GroundHogDay”.
This compartmentation idea is not new and borrows heavily from QubesOS and Whonix. It is a simpler, more robust, hardware-based implementation of Whonix with no software to install, configure, or run.
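As an added example of the five steps above (not the author’s own scripts, and not tied to any particular VM product the author uses), the following shell script wires a throwaway VM to the THF-facing adapter the way the list describes: it refuses to proceed if that adapter has become the host’s default route, puts the adapter on its own Linux bridge with no host address, and launches QEMU with `-snapshot` so every write is discarded at shutdown. The adapter name `eth1`, bridge name `br0`, image path and function names are assumptions.

```shell
#!/bin/sh
# Added example (not the author's setup scripts): attach a "GroundHogDay" style
# VM to the second Ethernet adapter that faces the Tiny Hardware Firewall.
# Assumed names: thf_if (e.g. eth1) is the THF-facing adapter, bridge (e.g.
# br0) is a Linux bridge carrying only that adapter and the VM, image is the
# VM's qcow2 disk image.
set -eu

# Step 1 check: the THF-facing adapter must not be the host's default route,
# otherwise the host's own traffic (and its real location) would also go out
# through the tunnel, and the VM would no longer be the only compartment using
# it. Takes the text of `ip route show` so it can be tested on captured output.
thf_if_is_default_route() {
  thf_if=$1 routes=$2
  printf '%s\n' "$routes" | grep -qE "^default .*dev $thf_if( |$)"
}

# Steps 1 and 4: give the adapter to a bridge with no host IP address of its
# own, so only the VM ever speaks on it (must run as root).
build_bridge() {
  thf_if=$1 bridge=$2
  if thf_if_is_default_route "$thf_if" "$(ip route show)"; then
    echo "refusing: $thf_if is the host's default route" >&2
    return 1
  fi
  ip addr flush dev "$thf_if"
  ip link add name "$bridge" type bridge
  ip link set "$thf_if" master "$bridge"
  ip link set "$thf_if" up
  ip link set "$bridge" up
}

# Steps 3 to 5: the VM's only NIC sits on that bridge, and -snapshot makes the
# disk effectively read-only: writes go to a temporary file that QEMU discards
# on shutdown, so an infection dies with the VM. Printed rather than run so the
# command line can be inspected; start_vm executes it.
vm_command() {
  bridge=$1 image=$2
  printf '%s' "qemu-system-x86_64 -enable-kvm -m 2048 -snapshot \
-drive file=$image,format=qcow2,if=virtio \
-netdev bridge,id=net0,br=$bridge \
-device virtio-net-pci,netdev=net0"
}

start_vm() {
  eval "$(vm_command "$1" "$2")"
}

# Usage: sh groundhog.sh bridge eth1 br0   (as root, once)
#        sh groundhog.sh run br0 /vm/groundhog.qcow2
case "${1:-}" in
  bridge) build_bridge "$2" "$3" ;;
  run)    start_vm "$2" "$3" ;;
esac
```

QEMU’s `-netdev bridge` relies on `qemu-bridge-helper`, which only attaches to bridges listed in `/etc/qemu/bridge.conf` (an `allow br0` line, assumed here). The default-route check is the part worth keeping even if you use a different hypervisor: the whole point of the second adapter is that the host never routes through it, so a DHCP lease on the THF side quietly installing a default route is exactly the failure mode to detect before the VM starts.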
> “Amateurs hack systems, professionals hack people.” ― Bruce Schneier
This is part one of several idea dumps I will publish. In the next edition I will dig a little deeper into the THF and BHC and show some interesting use cases. Please note that this is not new or beta, but rather tried and true. I got this idea in 1998 and for the first couple of years used a spare OpenBSD laptop as my mobile firewall. Hardware, as it does, kept shrinking and it eventually became possible to make this easy for everyone. We started the first VPN as a Service company in 2002 (HotSpotVPN) and we have been selling the TinyHardwareFirewall since 2012 and BlackHoleCloud since 2015.
We have not touched on any OS- or browser-specific recommendations because threat models vary so much that it would be premature to do so here. For those who want to read ahead, there will be some links below in the notes.