By this, the fourth and final entry in this series, you should have a grasp of information security basics. Let’s take stock of them before continuing down the rabbit hole.
How to Stay Safe on the Internet, Part 1
How to Stay Safe on the Internet, Part 2: Take Canaries Into the Data Mine
How to Stay Safe on the Internet, Part 3: Drive the Black Hatters Mad
You’ve examined a variety of attack vectors and ways to close them off. In observing their patterns, you’ve learned the weak points that are exposed inherently online, and thus require intervention.
You’ve learned that any software or operator handling your communication controls it. Information security comes down to breaking this hold. To do that, you either excise intermediaries when that is possible, or you encrypt your connections through them when it isn’t.
In the process, you also discovered that humans are bad at devising truly random outputs, so you can’t assume that passwords your brain thinks up are random enough. Our most glaring weakness is our tendency to trust our instinctual assessments automatically. This normalcy bias also lowers our guard when people request sensitive information.
Category 2 adversaries are nothing to sneeze at, but their resources are finite. If you armor up enough, they will give up, and move onto an easier comparable target.
In confronting the threat of category 3, everything you have learned ratchets up to a whole new level of paranoia. Category 3 adversaries have functionally unlimited resources for pursuing top targets.
Often called “nation-state actors” or “advanced persistent threats” (APTs), they have tax revenue, national sovereignty and the law behind them.
Pontificate With Extreme Prejudice
Before continuing, consider the following.
First, the guidance in this part of our series almost certainly doesn’t apply to you. You may find it interesting, and you probably will gain from it. However, statistically, you will never face this level of threat.
If for some reason this guide does apply to you, you are going to need significantly more help than I can provide. At present, I would fail at fending off a nation-state. I don’t know anyone who could resist one for more than a month or two, either.
Rather than taking this guide as the authoritative word on defense against nation-states, use it as a jumping off point for further research. I recommend studying the Electronic Frontier Foundation’s Surveillance Self-Defense manual next, followed by the Open Source Society University degree track.
There are many more worthy resources you should consult, but these are a modest start. As the volume of information implies, you need a thorough computer science background to stand a chance.
Second, even if you practice only the techniques that this piece presents, your operational security (OPSEC) must be impeccable. That is, you will probably fail.
OPSEC is your discipline in following the security controls prescribed by your threat model. As I noted at the outset of this series, security comes at the cost of convenience, and when you are facing the ultimate threat, the sacrifice of convenience is total.
That’s why the best OPSEC practitioners keep their pursuers at bay only for a few years. So, have a contingency plan for when you fail. Only you will know what that looks like.
So who does this installment apply to? National security or international affairs journalists, for one. This goes doubly for those reviewing classified information or sensitive sources. Secrets are invaluable to nation-states, and they will stop at nothing to hunt down those that leak out.
High-profile political dissidents also can find themselves in nation-states’ crosshairs. These dissenters advocate policies that governments view as extreme enough to justify silencing by any means.
Finally, military technology researchers should anticipate category 3 attacks. Nation-states compromise engineers developing sources of military or economic advantage all the time, so they can glean a copy of the work and level the playing field.
Trust No Ones – or Zeroes
It’s important to understand “trust” in computing. Here, trust is bad. Specifically, trusting something, like hardware or software or the entity that maintains it, means you have to trust it with handling your data. In a trust relationship, you can’t defend against whatever you’re trusting: You can only hope it doesn’t betray you.
Instead, adopt a no-trust posture. Without trust, you don’t have to trust some entity that touches your data. You reach this posture by implementing measures ensuring you’re not harmed if the entity tries undermining you.
End-to-end encryption is an example of obviating trust. A VPN, for instance, renders an ISP incapable of snooping on you, so you don’t have to trust it.
To stave off category 3, the number of entities you trust must be zero.
Your Adversaries Are in the Army Now
Government adversaries are extremely dangerous because they bring a government’s resources to bear.
They have enormous budgets. Deep pockets allow APTs to staff dedicated agencies with hackers. They can afford expensive toys, like supercomputers for brute force attacks, or zero-day vulnerabilities (found on the gray market) for crafting custom exploits.
Another advantage nation-states enjoy is the power to grant their agents legal immunity. To paraphrase technologist Chris Soghoian, just as soldiers can kill people without going to prison, government hackers can compromise you with impunity. It’s one of the main attractions for hackers who seek gainful employment.
Finally, government actors can employ legal coercion. Simply put, they can order digital service providers to rat you out. Legally supported actions can range from requests for your data to orders compelling service providers to insert backdoors. Snippets of code inside other programs allow root access to anyone who knows how they work, making it trivial to spy on users.
An exhaustive listing of the techniques nation-state actors actually use is impossible. Few feats are impossible for them. The weapons they array against their targets are a matter of what nation-states are willing to do to nail a target.
With so many targets, it’s not likely that you, the hypothetical prey, are near the top of an APT’s list. Thus, you have an opening: Make it so onerous to attack you that it’s not worth the strategic payoff. You can’t necessarily know what the tipping point is, but if you are sure you are hounded by an APT, you have to try.
With all of that said, let’s dive right into countermeasures, and I’ll explain along the way what they aim to counter. Defense against category 3 involves two considerations: the tools to use, and the OPSEC required to use them.
This Is My Computer. There Are Many Like It, but This One’s Mine.
The truly ideal approach would be to run your devices through a woodchipper, incinerate the shards in a blast furnace, and throw the remains into the ocean. If that’s not an option, read on.
Odds are if you are laboring this ardently to secure your computer, it’s because you need it for communication. All communication being mediated by some provider, start by picking one that is committed to protecting user privacy.
A good bet is to choose an email provider, chat server, etc., that is incorporated outside your enemy’s jurisdiction. Your adversary government then has to inveigle the provider’s government to execute the records request, to which the latter will not always acquiesce.
The next thing you should do is route all your communications through Tor. Tor is a network designed to make users anonymous by shuffling around all user traffic before routing it to the proper destinations.
Essentially, it puts a VPN on steroids. A VPN’s weakness is that a moderately competent attacker can get around it. VPNs are effective against adversaries that can see either the client’s connection to the VPN, or the VPN server’s connection to the Internet, but not both.
ISPs fit this profile, since they only see your device connecting to the VPN. However, foes at or above the top tier category 2 can observe traffic on both sides of VPNs. If they see your device hit the VPN, and then an instant later see the VPN hit a website, they can put two and two together.
Instead of routing via one proxy, as VPNs do, Tor uses three consecutive proxies. Schematically, your traffic travels from your device to Tor node A, from Tor node A to Tor node B, from Tor node B to Tor node C, and finally from Tor node C to your destination.
Along this path, your connection is triply encrypted: the B-C leg is encrypted with C’s key, the A-B leg with B’s key, and the device-A leg with A’s key, in that order. This way, although A knows who you are, it doesn’t know where you’re going. Correspondingly, C will know where your connection is going, but it won’t know who made the request.
This makes it difficult to follow your traffic through the Tor network, complicating the correlation attacks that work on VPNs. Oh, and for good measure, Tor switches the nodes you use every five minutes.
Tor offers the Tor Browser, which lets you browse via Tor. However, that protects only your Web browsing, so I’m not talking about that. You have to configure your system to route all Internet traffic through Tor. This is too system-dependent to delineate here, but there are guides on how to do this.
Once this is set, though, everything your device sends or receives filters through Tor. Assuming you don’t do anything to out yourself (a matter of OPSEC, discussed below), this makes your traffic functionally anonymous.
Using Tor does not preclude a nation-state from spying on you, but it does force it to attack Tor itself instead of demanding records from a third-party or sniffing your connection off taps on the Internet backbone. These sources contain traces of your activity, but are not attributed to you.
Along with Tor, concealing the source of your communications requires MAC address spoofing. A MAC address is a unique hardware serial number for your device’s network interface controller (NIC).
Your device NIC bundles its MAC address inside the metadata of every packet it sends. With MAC spoofing, your software substitutes an arbitrary MAC for your hardware MAC in the packet instead. Without this step, a nation-state that knows your MAC address won’t be fooled by Tor.
Against high-caliber adversaries, you also have to trade up your encryption to PGP. Despite their learning curve, PGP keys provide some of the most powerful and versatile encryption around.
In a nutshell, PGP keys work in pairs: One can decrypt anything the other encrypts. If you hand out one of the duo to anyone who wants to communicate with you and keep the other for yourself, anyone can encrypt messages that only you can decrypt.
The strength of PGP keys is that they can encrypt anything, anywhere. Whether it’s email content, text files, video and audio, or even text posted on the Web, PGP can encrypt it all. Another neat trick is it can sign data to affirmatively attribute it to the key’s creator. Properly utilized, PGP will prove highly dependable. Though it has been around since the 90s, to this day it remains unbroken.
Any hope of fending off APTs also means switching to an open source operating system (OS). In practice, this means installing either Linux or FreeBSD on your desktop device (i.e. desktop or laptop). Android isn’t good enough (I’ll explain later). Open source OSes are not necessarily more secure than proprietary ones, but because their source code is available to the public, it can be audited to discover tampering.
Open source OSes are developed in so many jurisdictions that you are guaranteed to find one outside your adversary’s grasp. As with extraterritorial communication providers, OS foreign developers insulate them from legal orders.
Whatever OS you choose, enable full-disk encryption, too. I’ve said a lot about encrypting communications — data in transit — but you also can encrypt data at rest. Without encryption, the data on your hard drive is stored in readable form, meaning anyone who snatches your hard drive can see all your files. Encrypting your hard drive protects not just user files like documents, videos, etc. but your OS’s core files as well.
Unfortunately, that’s still not enough — it’s not that simple. Think about this: If your computer’s entire OS on the disk is scrambled, how would your computer know how to boot? The answer is it wouldn’t. That’s why, in reality, a small bit of your OS’s boot data is unencrypted even under full-disk encryption.
This leaves you open to attack if, say, your adversary deployed a team to break into your home, pop your hard drive out, replace your boot code with its own, and pop it back in. Every subsequent boot, your computer will seem to run normally, but will invisibly execute whatever it is your adversary wants. Not good.
Enter secure boot. Basically, secure boot is a motherboard firmware process that allows a boot only if the signature on the unencrypted boot sector checks out. Most modern computers do this by default, but with the manufacturer’s key, meaning you’re trusting it. Although it’s tricky, you can create your own encryption key, sign your OS’s boot sector, and then flash the key to your secure boot register.
There’s a snag here, too. If your adversary bugs your hardware itself, nothing you’ve done so far can help you. For that, there’s open hardware. This is currently less mature than open source, but it embodies the same concept: transparent specifications allow the detection of tampering.
The vulnerability that open hardware tackles is not theoretical. It’s child’s play to re-flash a computer’s BIOS (motherboard firmware) with a backdoored lookalike. Nation-state actors also could somehow breach Intel’s Management Engine, a tiny, totally opaque OS running underneath your computer’s OS. If that doesn’t work, your government can just intercept your new computer, or get its hands on your existing computer and insert a bug in it.
Although I’ve barely scratched the surface of category 3 attack vectors, the fact that all these mitigations are necessary and proportionate should make it clear that these adversaries are no joke.
OPSEC: Sharpening the Warrior, Not the Weapon
OPSEC is the other half of the nation-state threat model. Without unassailable OPSEC, all of your tools are worthless.
First and foremost, ditch your phone. Cellular baseband-equipped devices (collectively “mobile devices”) are perfectly optimized to track you. For one thing, your mobile device expresses un-spoofable hardware serial numbers as it reports your location to your carrier in real time.
This puts you one legal order way from having your every move exposed. It doesn’t matter how secure your desktop device is if your mobile device is nearby. Then there’s always that microphone your adversary can turn on.
So, why not just repeat what you did for your desktop? Well, you can’t.
One, you can’t install fully open source software on it. It’s practically impossible to install purely open source Android on a mobile device without proprietary drivers, and by law cellular basebands must contain proprietary firmware for radio frequency compliance.
Two, mobile devices don’t allow you to run secure boot with custom keys.
Three, mobile open hardware is not ready for prime time, so you have to trust the hardware.
Finally, architecturally, the SIM is the master of your mobile device, letting it override literally anything you do. With mobile devices brimming with fatal, unavoidable vulnerabilities, the only winning move in this strange game is to not play.
Additionally, choose your networks carefully. Obviously, you never should connect from your home network, but don’t pin all your hopes on Tor either. Always assume that your IP is exposed. Never log onto the same network twice. Instead, rotate through public networks without leaving a pattern.
Since you’ll be traveling to use networks, you’ll also want to practice basic counterintelligence techniques. Be able to tell if you’re being tailed in physical space.
Counterintelligence doesn’t stop there, though. You also must know how to figure out if your contacts have been compromised. The easiest way to reach someone is through their associates. In the digital context, this usually isn’t being turned la spy thriller, but having a device compromised to monitor interactions with you.
The remedy here is to ensure either that your contacts forget you or that they practice everything in this guide along with you. Communication is a two-way street. If your associates fail at any of these steps, the outcome is the same as if you failed.
To the extent that you hope to retain a “normal” life, you must bifurcate your “secure” and “normal” lives strictly. Never transfer any file, message, or other digital artifact between devices, accounts or platforms across this divide.
Moreover, don’t behave in similar ways in each “life.” Patterns like the contents of concurrently open tabs or the order in which you visit sites are enough to identify your unique behavior.
To summarize OPSEC, don’t make a move unless you’ve completely thought it through.
Where the Path Ends, the Wilderness Begins
At this point, I’ve said about all I can. The reasons one might face category 3 threats are so numerous and personal that only you can determine how best to apply the tools and techniques herein.
Although there is much left for the category 3 targets to do, everyone who reads this should be equipped to reevaluate your threat models and extend your toolset, no matter the threat you face.
Security is a journey, but only some of the trail is blazed. Good luck, and may you have sharp machetes.