Internet communications and being clandestine

[bae]

I am not sure how to wipe the hd of a non-functional computer, but there must be a way like using a strong magnetic field.

A sledge hammer and a woodchipper.

http://csrc.nist.gov/publications/ni...00-88_rev1.pdf
http://www.nsa.gov/ia/_files/governm...ion_Manual.pdf

When I sold storage devices to various 3-letter US agencies, we never saw any of them back for repair or analysis. Debugging problems was a bit tricky, since we couldn't examine the gear or the problematic data.

[Al Lipscomb]

So you want meaningful security for data you need to move around. Let us say you are doing business overseas and need to transmit some information in a secure manner. Maybe nothing life or death, but lots of money and to some that could become life or death if things go wrong.

Start with a computer you have 100% control of physically. It does not need to be high end as its role is limited. Epoxy the network port and no wifi. USB ports may be a risk so a DVD reader/burner can be installed if you need to.

Install an OS on an encrypted disk (whole disk only) and use a very secure pass phrase to unlock it. If you can do two factor authentication, even better. Install an Open PGP compliant product (PGP, GPG) and go somewhere private. Now generate a brand new private/public key pair and secure the private key with a strong pass phrase that is different from what is locking the hard disk.

The private key will never, ever, ever leave this disk. Ever. Lock everything up when not in use. Your security is no stronger than what is protecting this computer.

Note the public key's fingerprint and, using a secure channel, distribute it to those you wish to communicate with. Have the key signed by trusted third parties if you need to establish trust with others. For most applications you will need to publish the public key somewhere. For some needs a key server is best, for others hide it on a web site.

When you need to send data you need to obtain a verified copy of the recipients public key. This needs to go onto the secure system and is added to the key chain. Create the message and encrypt it using the public key, sign the message as well. The encrypted message can be stored in an ASCII armored file.

There are many ways to transmit this message. You can use your imagination. You can print the results and send them via the postal service to be scanned in for example. Or include it as a "track" on a music CD, or load it onto an iPod. Someone who has the message won't be able to read it unless they have the private key that matches the public key.

There are also techniques for protecting the recipient key to offer further protection. You can use "key splitting" to require multiple people to agree to "open" the message for example.

Remember that if you send an encrypted message you must deal with the original "clear text" message. If you leave a copy of that file laying around you have a weakness. If you don't include yourself as a recipient when encrypting you cannot decrypt the message.

The shelf life of the message will depend on how long it takes before the encryption can be broken. If someone can get a copy of your private key down the road then the protection is gone. Dispose of obsolete keys when they are no longer needed. Do not "chain" keys by sending the new key as an encrypted key protected by the old key.

Don't change keys too often as the strength lies in the ability to exchange trusted keys.

[Country Boy]

Do you know of a bank that allows two folks to share an account yet access that account through different credentials?

Wells Fargo

[hernando_mauro]

The first think to do is to get off Windows and start using Linux (for example Ubuntu), and use FULL harddisk encryption (Ubuntu Alternate installer - configure your system so you have NO swap file).

Whatever you use in the way of encryption should be open source (i.e Truecrypt - best on the market and open source).

Never rely on services like Anonymizer, they will give up your user data when faced with a court order.

Full disk encryption on Linux for your system (running bleachbit every now and then to clean your system), Truecrypt for encrypting folders/files on your Encrypted Linux, TOR browser bundle for secure surfing (using public wifi spots) is a good start.

[bae4]

The first think to do is to get off Windows and start using Linux (for example Ubuntu), and use FULL harddisk encryption (Ubuntu Alternate installer - configure your system so you have NO swap file).

Whatever you use in the way of encryption should be open source (i.e Truecrypt - best on the market and open source).

Never rely on services like Anonymizer, they will give up your user data when faced with a court order.

Full disk encryption on Linux for your system (running bleachbit every now and then to clean your system), Truecrypt for encrypting folders/files on your Encrypted Linux, TOR browser bundle for secure surfing (using public wifi spots) is a good start.

https://tails.boum.org/

Good place to get a LiveCDsystem.

[duey1267]

Tag for future refferance.

[Teckomando]

If you're not a computer guy, and don't have a really, really good one on hand you're likely to fuck up something fierce.

This just about sums it up. I've been doing Security Risk Analysis (I identify and secure IT security risks for companies) for a few years now. It's not as satisfying as LE (I miss LE) but it has it's similarities. One thing I've learned is cyber security is just like physical security. There are entities that are smarter and better than you. Even Uber hackers get caught. Don't let yourself fall into the trap of relying your tech. It's just like buying a gun. If you don't train with it it is useless to you. You'll be overconfident and think you can't be beat. Until you come up against a professional that knows real violence and you're dead. You can and will get caught if you are worth catching. It's all a matter of time and the motivation of the entity hunting you down.

That being said, you can create a secure workspace on a flash drive for anonymous browsing and messaging on a public use computer. To create a secure workspace you need:

• A flash drive.
• An OS. (preferably a flavor of Linux)
• Some encryption (PGP) software.
• A proxy server; You can set up a browser configured proxy (The best proxies to set up are, Anonymous Proxy, Distorting Proxy, or High Anonymity Proxy) Use proxy software such as Tor (my favorite) or you can buy something like Hide-My-IP or GhostSurf. Or simply use a web based proxy (preferably one based in countries that have no reciprocal agreements, conventions, or extradition treaties with the U.S.)
• Or just use a web based IP anonymizer such as ninjacloak.com.

You can set up the same things on a laptop with a WiFi card then use free public WiFi available virtually anywhere. Truck stops, fast food places, public libraries, shopping malls, etc. I can access my local library's WiFi after close parked on the street. College campuses usually have guest logons for visiting students so you can log on without being a student. Pick a location with a lot of people and few cameras. As many posters have already discussed OPSEC is your weak link not your tech. Tradecraft (for lack of a better term) is more important than the tech. Your OPSEC has to be good. There are thousands of professionals that are the special forces of tech. You cannot beat them or outsmart them. Time and movement are your only advantages. Or you can use the good guy technique...Don't do anything that would motivate anyone to come after you.

As a side note: DO NOT USE IP SPOOFING OR "HACKER TOOLS". IP spoofing and a lot of hacking software is illegal (To use not possess) in most jurisdictions.

Apologies if this was incoherent. I typed this while working. 2am without any chemical motivation and the brain gets a little fuzzy while trying to multitask. So, if this doesn't contribute to the conversation just ignore it and have a nice day.

[Teckomando]

Additional question is when computers are brought in for repair are there things that the repair tech might do relative stealing information. Are there certain files that should be removed prior to repair. Or should you just wipe the hard drive and have everything newly loaded prior to bringing it in. I am not sure how to wipe the hd of a non-functional computer, but there must be a way like using a strong magnetic field.

You need a magnet that produces a 20,000 Gauss positive field and a 20,000 Gauss negative field to make the data unrecoverable. DoD grade degaussers are expensive. You can pick up a retrieving magnet with a 150 lb pull from Harbor Freight for around $8 that will work. You would be amazed at what computer forensics techs can recover from what looks like a completely destroyed hard drive. Don't forget to clear your RAM too. For another poor man's degausser use heat. A cutting torch works perfectly. Heat destroys the magnetic field on the plates and they can't get data from slag. There's a company in Fresno that I have used for clients that had hard drive failures and didn't bother with IT industry standards of redundancy. It costs a lot to have them do open plate surgery but they can recover your data if your data is worth hundreds of thousands of $. The gubment can do the same thing.

[Al Lipscomb]

Mine in bold.

The first think to do is to get off Windows and start using Linux (for example Ubuntu), and use FULL harddisk encryption (Ubuntu Alternate installer - configure your system so you have NO swap file).

The operating system has almost nothing to do with the problem at hand. While the cool guy answer is Linux those of us who work on computer security for a living often use other tools. If your FULL disk is encrypted, you don't need to worry about your swap area.

Whatever you use in the way of encryption should be open source (i.e Truecrypt - best on the market and open source).

Truecrypt is far from the best. It can be useful, but most people don't understand its limitations.

Never rely on services like Anonymizer, they will give up your user data when faced with a court order.

Full disk encryption on Linux for your system (running bleachbit every now and then to clean your system), Truecrypt for encrypting folders/files on your Encrypted Linux, TOR browser bundle for secure surfing (using public wifi spots) is a good start.

Putting encrypted files/folders on an encrypted file system is not only a waste of time, but can weaken the protection. TOR is another matter as it is only as secure as the owner of the servers you pass through. Public wifi? Really?

I can go on.

[hernando_mauro]

Al, I am taking note of your points.

Could you elaborate on the limitations of truecrypt, not in too much technical depth but in an understandable way, also, what criteria should we be looking for in file/folder encryption software?