Laughing Wolf at Blackfive is in an uproar over some computers being seized by the TSA and CID forensics folk. Without discussing the validity of the outrage, he makes an interesting suggestion — that anybody who has a computer seized dump it and get a new one, because Big Brother will likely have loaded child porn on your machine in order to entrap you.
In fact, it is not policy of any of the investigating agencies I know (and I know a few from working with SWGIT, SWGDE, AAFS, and ASCLD-LAB) to go around planting evidence. Please. But it is *not* uncommon to install key-loggers, rootkits, and surveillance software as allowed by law. For the most part, however, they will not seize your computer to do it. They will either install it remotely or get a warrant to break into and enter your house or office unobserved, and install it on site. You will never know. The bottom line is that if these folk have *that* much interest in your computer activities, they will find a way to monitor them.
But that’s not what gets most folk, it seems to me. What gets most folk is that they are sloppy about the hygiene of their machines. Computer anonymity is like a lot of things — you can’t beat someone who has unlimited resources and infinite time and patience. However, you can make it increasingly difficult and discourage folk who have limited resources and limited time. You don’t have to be the low-hanging fruit. As a friend of mine once told me, when you are being chased by a bear, you don’t have to be faster than the bear, you just have to be faster than the guy beside you.
Anonymity is a *good* thing, and we need to remember that. There’s a reason the Federalist Papers were signed with pseudonyms. The world does not have a right to know every detail of your life, and law enforcement *should* have to respect your rights. There should be no stigma attached to desires for privacy, and the best way to remove that stigma is for *everybody* to insist on theirs.
So here’s some simple things I do to try to be just a little faster than the guy running beside me. Note that this is *not* a security tutorial. I am going to assume that you do basic security. I’m not going to talk about firewalls and intrusion detection. These steps will *not* stop intrusion — they assume the installation (or attempt) of forensic surveillance software, not more traditional malware. They are only to minimize exposure assuming you *are* intruded upon or your computer seized. They are not the *only* things you can do — they are just things that I do.
It may sound like a lot, but in fact it’s all pretty easy once you have the scripts written and the procedures in place. None of this interferes with my enjoyment of computing at all.
1) Run Linux or BSD as your operating system.
This is not really a thing about the Microsoft-as-Satan thing. It’s just a matter of cleanliness. Microsoft operating systems are inherently dirty. They store little traces of what you do *everywhere* and it’s almost impossible to clean it all out. Linux is inherently cleaner in that respect. There are fewer logs and hidden caches of data to clean up, and since Linux is completely open source, none of them are really hidden. Sure, Linux does keep logs and various apps do make their own little logs, but you can find them and clean them pretty easily. Note that the new versions of Gnome and KDE both have centralized areas where user preferences are stored — gconf and .kde4/share — that some folk find analogous to the Windows registry. Whether that analogy is valid is a religious debate, but in either case they are both easier to clean.
1A) If you *do* run Linux, don’t use a journaled filesystem. You don’t have a choice in Windows (NTFS is journaled), but in Linux you do. A journaled filesystem keeps a journal on disk of writes that are in progress, so that if the computer crashes in the middle of a write it can replay or discard the incomplete write on the next boot and repair itself automatically. The downside is that the journal is itself data on the disk and can be examined forensically. An investigator can tell which files were recently being written to, and if the filesystem journals file contents as well as metadata (ext3 in data=journal mode does; its default data=ordered mode journals only metadata, which still includes file names, sizes and timestamps), may be able to reconstruct part or all of a recently written file. Journaled systems are great — there’s a reason they are so common. If you don’t have one, every time your computer crashes you have to let the computer do a disk scan and try to repair things. You’ve seen that in older Windows versions when you get that “Your computer did not shut down cleanly. Hit any key within x seconds to abort scandisk…” or whatever it says (I don’t remember all that well). The newer Linux filesystems (ext3, ext4, XFS, ReiserFS) are *also* journaled, but you can still use ones that aren’t, like ext2.
2) Encrypt your wireless at home. If you are running from home, of course it’s better to be wired than wireless, but most folk will find that too inconvenient. And don’t use WEP, which is, oddly, often the default; it can be broken in minutes with freely available tools. Use WPA, or better, WPA2, and give it a long random passphrase: a WPA or WPA2 pre-shared key can be attacked offline from a single captured handshake, so a short dictionary word is not much better than WEP. Change your ESSID and passphrase on a regular basis. Some people have argued that you should not encrypt your wireless, but instead leave it open — which provides plausible deniability in that it’s always possible that someone is borrowing bandwidth. For a while, I tried to have the best of both worlds by having a second wireless router that was open. Thus, my machines were part of the encrypted network, but there was an unencrypted back door that tunneled through my encrypted network. My experience has been that wherever I’ve lived, there’s been little bandwidth use. Your mileage may vary.
3) Periodically re-install your operating system from scratch or use a removable distro.
This is the second reason to run Linux. The idea of installing Windows from scratch is profoundly frightening to a lot of people. Most people who get over the initial idea that installing an operating system is “supposed” to be hard will find that it’s usually a piece of cake with Linux, particularly with hardware that’s been around for awhile and has had time for good driver development. Linux support for hardware is profoundly better than it was a few years ago, though there are still a few problems here and there. And you can bet that if you have a problem, a quick search on the web will find a solution.
But whether you use Windows or Linux, there is no better way to make sure you are rid of a rootkit or malware than to start afresh. More important, it also makes sure that you get rid of all those old files you forgot to delete three months ago. Most Linux users do this as a matter of course simply because they upgrade their OS on a regular basis. I use Mandriva Linux, which comes out with a major upgrade on a 6-month schedule. Thus, at least once every six months, I wipe my drive and install from scratch.
4) Back up frequently, but *only* back up files you want to keep. A lot of people have the habit of making disk images as backups, and backing up all files automatically. Since the idea here is *not* to have old, forgotten files lying about, don’t do that. Make frequent and redundant backups, but only back up stuff you really need.
4A) Don’t do incremental backups. An incremental chain defeats the purpose of step 4, because it preserves every version of every file, including the ones you later deleted on purpose. Instead, back up the full set of files you want to keep into a fresh location every time and compare it against the previous backup, so that the only differences are the ones you expect. In other words, I back up my servers every week, and keep backups from 1, 2, 3, 5, and 10 weeks ago. When I do another backup, I check the files against the ones in the previous backup to make sure only the right files have been changed.
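Here is what steps 4 and 4A look like as a POSIX shell script. This is an added example, not the post’s own script: the one-directory-per-backup layout under a root like /mnt/backup, the ISO-date labels, the source directories in the usage lines, and the retention ranks 0, 1, 2, 3, 5 and 10 (this week and 1, 2, 3, 5 and 10 weeks ago, assuming one run per week) are all assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the post): full, non-incremental weekly backups with a
# comparison against the previous run and pruning to a fixed set of ages.
# The destination layout (one directory per backup, named by ISO date) and the
# retention ranks are assumptions for illustration.
set -eu

# full_backup DEST_ROOT LABEL SRC_DIR...
# Copies each source tree in its entirety into DEST_ROOT/LABEL (no hard links to
# the previous run, no incremental deltas) and prints the new directory's path.
full_backup() {
    dest_root=$1; label=$2; shift 2
    dest="$dest_root/$label"
    mkdir -p "$dest"
    for src in "$@"; do
        cp -Rp -- "$src" "$dest/"    # -p keeps modes and timestamps for later diffing
    done
    printf '%s\n' "$dest"
}

# compare_backups OLD_DIR NEW_DIR
# Lists every file that was added, removed or changed between two full backups,
# so only expected changes should appear. Never fails the script: a non-empty
# list is information for the human, not an error.
compare_backups() {
    diff -rq -- "$1" "$2" || true
}

# prune_backups DEST_ROOT
# With one backup per week, the newest directory is "this week", the next is
# "one week ago", and so on. Keep ranks 0,1,2,3,5,10 and remove the rest.
prune_backups() {
    ls -1 -- "$1" | sort -r | {
        rank=0
        while IFS= read -r name; do
            case $rank in
                0|1|2|3|5|10) ;;                 # keep
                *) rm -rf -- "$1/$name" ;;       # drop
            esac
            rank=$((rank + 1))
        done
    }
}

# Typical weekly run (commented out so the functions can be sourced on their own):
# new=$(full_backup /mnt/backup "$(date +%F)" "$HOME/Documents" "$HOME/.gnupg")
# prev=$(ls -1 /mnt/backup | sort -r | sed -n 2p)
# [ -n "$prev" ] && compare_backups "/mnt/backup/$prev" "$new"
# prune_backups /mnt/backup
```

Because every run is a complete copy, deleting a file from the source and waiting eleven weeks really does remove it from the backups, which is the whole point; with rsync-style `--link-dest` or tape-style incrementals it would live on in the chain. The `diff -rq` step is the check: a changed file you did not touch that week is worth a second look.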
5) Don’t keep your logs. In the past, I ran a circumventor on a network I administered in an attempt to help Chinese dissidents get around the Great Firewall of China. Clearly, it would not be bright to keep extensive logs of those communications. I have a policy of *not* keeping logs once I’ve scanned them for signs of intrusion. I monitor my logs every day, and delete them afterwards. Thus, if my computer is seized, any traffic over a day old will likely not be discovered. In addition, since I have had that policy for years, it cannot convincingly be claimed that I deleted my logs to obscure one particular event.
5A) This includes, by the way, making sure you clean your cache and delete cookies on a frequent basis (e.g. every time you start or shut down the browser). Most browsers have a security setting to do this. Use it.
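A small shell script in the spirit of step 5, “scan the logs for signs of intrusion, then get rid of them”. This is an added example, not the post’s own procedure: the sample auth log is constructed (hostname, addresses and timestamps are made up, in OpenSSH’s syslog line format), and the brute-force threshold is an arbitrary illustration.

```sh
#!/bin/sh
# Added example (not from the post): review a login log for signs of intrusion,
# then discard it. The sample log is constructed for demonstration; its
# "Failed password" / "Accepted" lines follow OpenSSH's syslog format.
set -eu

# make_sample_log FILE  -- writes a constructed auth log for demonstration
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 02:11:07 wolf sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar  3 02:11:09 wolf sshd[4121]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar  3 02:12:01 wolf sshd[4130]: Accepted publickey for wolf from 192.0.2.10 port 40111 ssh2
Mar  3 02:15:44 wolf sshd[4140]: Failed password for root from 198.51.100.7 port 33201 ssh2
Mar  3 02:16:10 wolf sshd[4140]: Connection closed by 198.51.100.7
EOF
}

# failed_logins_by_source LOG  -- "COUNT ADDRESS" per source, most frequent first
failed_logins_by_source() {
    grep -- 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# accepted_logins LOG  -- successful logins as "USER ADDRESS (METHOD)"
accepted_logins() {
    grep -- 'Accepted ' "$1" \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([^ ]*\) .*/\2 \3 (\1)/p'
}

# has_brute_force LOG THRESHOLD  -- true if any one source failed THRESHOLD or more times
has_brute_force() {
    failed_logins_by_source "$1" \
        | awk -v t="$2" '$1 >= t { hit = 1 } END { if (hit) exit 0; exit 1 }'
}

# review_and_discard LOG
# Print the day's summary for a human to read, then delete the file. The point
# is simply not to have yesterday's history around tomorrow. Plain rm is used
# here; on a journaled filesystem the old blocks may linger for a while anyway.
review_and_discard() {
    echo "== failed logins by source =="; failed_logins_by_source "$1"
    echo "== accepted logins ==";         accepted_logins "$1"
    rm -f -- "$1"
}

# Daily run, e.g. from cron after rotation (commented out so this can be sourced):
# make_sample_log /tmp/auth.log.sample        # or point at the real rotated log
# has_brute_force /tmp/auth.log.sample 20 && echo "WARNING: password guessing seen"
# review_and_discard /tmp/auth.log.sample
```

The useful part is the order of operations: the summary is produced and read first, and only then is the log removed, so the check is never skipped because the file is already gone. The same pattern works for web server or proxy logs with a different grep and sed.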
6) Don’t keep emails. For the same reason as above. If you must keep old emails, archive them off your machine.
7) Encrypt your disk. Disk encryption is available on both Windows and Linux. Some federal courts have indicated that a person does *not* have Fifth Amendment protection for an encrypted disk and can be compelled to provide the passphrase, though the question is not settled. However, it will usually mean a delay that gives you time to talk to your lawyer. The recent stories in the news of the TSA wrongly seizing computers are common stories of the victims being intimidated into giving up their computers under threat of harassment, without time to consult their lawyers. If the disks are encrypted, then even if they make an image of the disk, the data will not be trivially available. By the time they get back to you and demand the passphrase, you may be in a better position to know whether you must give it and no longer be in “Oh my God” panic mode. One caveat: disk encryption only protects a machine that is powered off. While it is running, or merely suspended, the key is sitting in memory and the data is readable to whoever picks the machine up, so shut it down completely before a border crossing or anywhere else it might be taken from you.
8) Use an anonymization service. Anonymization services, for the most part, act as middle-men when you surf the internet. Anybody getting logs of your traffic will only see you going to the intermediate site, and anybody looking at the logs of your destination will only see the intermediate site. Some services bounce your traffic between multiple machines, so that the logs on your side and the logs at your destination point to different intermediaries. It’s not perfect — your browser history and cache will still record where you go, the last hop can read your traffic if the destination site is not itself encrypted, and some operators have to provide certain information to their governments. I use JAP, run out of Germany. When I use that service, the sites I go to think I’m in Germany or Switzerland or France or whatever. The other big popular free service is Tor.
The free services suffer a little from latency issues — bouncing from machine to machine can slow things down. There are also a number of commercial services and JAP has a fee-based service that gives much faster transmission times.
In addition, there are a large number of one-hop circumventors around. I run three on various networks for personal use, and many are publicly available. These are more useful for bypassing nannyware than privacy, but they are better than nothing.
Note that, depending on what anonymizer you are using, it will only make tracing things harder, but almost never *impossible.*
9) Run a circumventor on your network. Again, this is a plausible deniability thing. Just as with having an open wireless, if random other people can use your network, then not all traffic on it can be ascribed to you.
10) Spoof your MAC address. Anonymization services, such as those noted in step 8, hide your IP address from the sites you visit and hide the IP address of your final destination from your local network. However, they will *not* hide from someone monitoring your local network the fact that your particular machine is talking to the anonymization service. The reason is that, just as hosts on the internet are identified by IP addresses, each machine on the local network is identified by its MAC (Media Access Control) address, the hardware address of its network card, which the local network uses to tie an IP address to a particular machine. The MAC address is assigned by the card’s manufacturer and stored in the card’s firmware, so by default it uniquely identifies your machine, and it shows up in the association tables and DHCP leases of whatever access point or router you connect through. Someone with access to your local network can identify what your particular machine is doing by looking at this association.
However, you can fake (or “spoof”) your MAC address: the operating system is not obliged to use the one burned into the card. In Linux it is a single command, and the most common tool is macchanger, which can also pick a random address from another manufacturer’s range so your card looks like a different make entirely. Change it before the interface connects, since the address the access point and the DHCP server record is whatever the card had at the moment it associated, and changing it afterwards drops the connection.
For some cards it’s a little more complicated, but not much. In addition, not all cards support it equally well. I have a usb wireless card that I use on my laptop instead of the internal card, both because of range and because it’s easier to spoof. In any case, whatever my MAC address is at the moment will be gone forever the next time I boot up.
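The following shell functions show the mechanics of step 10 without macchanger, using the iproute2 `ip` tool that ships with every modern Linux. This is an added example, not the post’s own script: the interface name wlan0 in the usage lines is an assumption, `set_mac` needs root and will drop any current connection, and the validity check is included so a typed-in address is caught before it is applied.

```sh
#!/bin/sh
# Added example (not from the post): generate and apply a random locally
# administered MAC address with iproute2's "ip", plus a check that an address
# is of that kind. The interface name in the usage line is an assumption;
# set_mac needs root and drops the current connection.
set -eu

# random_laa_mac
# Prints a random unicast, locally administered address: in the first octet,
# bit 0 (multicast) is cleared and bit 1 (locally administered) is set, so it
# can never collide with a manufacturer-assigned address. This is the same kind
# of address "macchanger -r" produces.
random_laa_mac() {
    first=$(od -An -N1 -tu1 /dev/urandom | tr -d ' \n')
    first=$(( (first | 2) & 254 ))
    rest=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n' | sed 's/../&:/g; s/:$//')
    printf '%02x:%s\n' "$first" "$rest"
}

# is_laa_unicast MAC  -- true if MAC is unicast and locally administered
is_laa_unicast() {
    octet=$(( 0x${1%%:*} ))
    [ $(( octet & 3 )) -eq 2 ]
}

# looks_like_mac MAC  -- six colon-separated hex octets
looks_like_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# set_mac IFACE [MAC]
# Applies MAC (or a fresh random one) to IFACE and prints what was set. The
# interface has to be down to change its address, so do this before associating
# and before DHCP: the DHCP lease, the access point's association table and a
# captive portal's payment record are all keyed on whatever address the card
# had at that moment.
set_mac() {
    iface=$1
    mac=${2:-$(random_laa_mac)}
    looks_like_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    ip link set dev "$iface" down
    ip link set dev "$iface" address "$mac"
    ip link set dev "$iface" up
    printf '%s\n' "$mac"
}

# Usage (as root):
#   set_mac wlan0                     # fresh random address for this session
#   set_mac wlan0 02:5e:3a:91:c0:1f   # reuse a chosen address, e.g. for a paid day pass
```

Because the generated address is locally administered, it does not impersonate any real vendor; if you want the card to *look* like some other manufacturer’s product, that is what macchanger’s vendor-list options are for. Save the address `set_mac` prints if you need the same one again later in the day, as in step 13.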
11) Automatically delete files you don’t use. It’s easy to write a script that will delete any personal file not accessed in, say, a month. If you don’t need them on your laptop, don’t keep them. If you need them, they’ll be backed up, after all.
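What such a script looks like in shell, with the dry run you want before letting it loose. This is an added example, not the post’s own script: the directory and the 30-day window in the usage lines are assumptions, and the mount-option check is there because the whole idea rests on access times actually being recorded.

```sh
#!/bin/sh
# Added example (not from the post): find and remove personal files that have
# not been accessed for more than a given number of days, with a dry run first.
# The directory and the 30-day window in the usage lines are assumptions.
set -eu

# stale_files DIR DAYS  -- files under DIR last accessed more than DAYS days ago
stale_files() {
    find "$1" -type f -atime +"$2"
}

# atime_is_tracked DIR
# Linux's default "relatime" still updates the access time once a day, which is
# enough for a monthly sweep, but a filesystem mounted "noatime" never updates
# it and stale_files would eventually report every file. Checks the mount
# options of the filesystem holding DIR (Linux-specific: reads /proc/mounts).
atime_is_tracked() {
    dev=$(df -P -- "$1" | awk 'NR == 2 { print $1 }')
    ! awk -v d="$dev" '$1 == d { print $4 }' /proc/mounts 2>/dev/null | grep -q noatime
}

# purge_stale DIR DAYS [--dry-run]
# With --dry-run only lists what would go. Otherwise overwrites each stale file
# before unlinking it where GNU shred is available (no guarantee on journaled,
# copy-on-write or flash storage, which may keep old copies of the blocks) and
# falls back to plain rm elsewhere.
purge_stale() {
    if [ "${3:-}" = "--dry-run" ]; then
        stale_files "$1" "$2"
    elif command -v shred >/dev/null 2>&1; then
        find "$1" -type f -atime +"$2" -exec shred -u -- {} +
    else
        find "$1" -type f -atype f -atime +"$2" -exec rm -f -- {} + 2>/dev/null \
            || find "$1" -type f -atime +"$2" -exec rm -f -- {} +
    fi
}

# Usage:
#   atime_is_tracked "$HOME/Documents" || echo "warning: noatime, access times are stale"
#   purge_stale "$HOME/Documents" 30 --dry-run   # look first
#   purge_stale "$HOME/Documents" 30             # then really prune
```

Run the dry run from cron for a week before switching to the real thing, and keep step 4’s backups in mind: a file this removes that you actually needed is recoverable from the most recent backup, which is exactly why the post ties 11 back to 4.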
12) Keep your backup drives in a hidden place. Keep your network storage in a non-obvious place — the attic, behind a wall, whatever. It won’t stop a real search, and it won’t stop someone who bothers to do a network scan, but again, it will slow down the average “let’s go into his office and take whatever we happen to see” kind of search. And, again, encrypt them.
13) If you are on the road and in a hotel, use another hotel’s wireless. Most of the time, when I go on the road, my wireless card will pick up networks not only from my hotel, but the five or six nearby hotels or other places with free wireless, particularly if I’m using my external card and attach it to a window. Many of these (though fewer all the time) do not require login or ask if you are actually staying at that hotel. Unless I have to, I never use the wireless from my own hotel. This is getting increasingly difficult, but I have found a place in most cities that I go to frequently that will fit the bill. Note that I’m *not* advocating breaking into wireless networks that put up barriers, even lousy WEP encryption, or who have screens saying that they are not open and only guests should use the service. I do not advocate breaking the law, and I am not a lawyer. I only do this with truly free and open services.
In some cases, particularly Marriott hotels, they charge for wireless and seem to make it hard to get to other nets. Worse, when you pay, they tie it to the MAC address of your laptop. Obviously in those cases, don’t use your “real” MAC address, but keep the spoofed one at least for the day you paid for, and be sure to use a circumventor and/or anonymizer.
14) Spoof your user agent in your browser. When you surf the internet, your browser announces what kind of browser it is (Firefox, IE7, Safari, Konqueror, Opera, whatever) as well as the operating system you are running, often down to the processor architecture. This is done to tell webservers what kind of page to provide — pages built for IE may not work perfectly on Firefox and vice versa. In addition, some web servers will send you to different places depending on your browser — for instance, many newspapers that do the nagging ask-for-free-registration-password thing will not stop a browser that identifies itself as a Googlebot.
Firefox has a plugin that allows you to spoof your identifier. Use it. Here are some instructions for other browsers with respect to Googlebot. I suggest that you don’t use Googlebot all the time. There are some sites that block it or send you to wacky places. For instance, Sitemeter.com always sends googlebot to its home page, regardless of where you try to go, as far as I can tell.