Neal Rauhauser Pastebin Sept 10th 2013: Why Barret Browning is in Prison and I am Still Free

Why Barret Brown is in prison and I am still free.
By: NRTwitter on Sep 10th, 2013 | syntax: None | size: 8.54 KB | hits: 261 | expires: Never
download | raw | embed | report abuse | print

Securing Your Home Network

There are a lot of tools out there for protecting your communications but most people don't understand the gritty details, so they're basically installing just one tool on their main access device and hoping they get it right. Here are the current precautions taken by a skilled network engineer with legitimate reason to fear unwanted attention.


Route Defense:

Most home networks involve a single firewall device which provides DHCP service to a private network, offering default route to clients, and the system accepts a default route from the upstream service provider. While convenient, any device on the network that gets compromised can give away your location.

A better solution is to construct one's own edge device. I used a single board computer with a private network range for the inside of the house and the machine has just one static route to a single IP address that belongs to a VPN server. Another method to achieving this would be using the MikroTik Linux appliance OS and a Routeboard computer. That is a much simpler, easy to audit environment than a full unix installation for the edge device. Someone ought to do this and publish a configuration example. I think that would be two to four hours work for someone who uses MikroTik on a regular basis.


VPN Provider Defense:

My VPN provider doesn't log. I'm quite sure of this, since I rent a VPS in a privacy friendly jurisdiction where I have installed OpenVPN. My edge device has a single static route to this machine, and once the VPN tunnel comes up it adds a default route using the VPN server as the endpoint. Anything I do appears to originate from a jurisdiction that will not cooperate with civil or criminal subpoenas from the U.S.

That's an extreme solution to an extreme set of problems. I think most people would be fine using the MikroTik edge device to connect to a known good service provider like SwissVPN, PrivateTunnel, etc. You have to be careful with vendors here, you need to pick one that supports OpenVPN on the client side, and not all of them provide configuration assistance for this.

WiFi Defense:

There was a leftover consumer device when I built the edge of the network, which is use to provide WiFi to various non-secure devices around the house. Since it's behind the custom edge device its traffic is afforded the same protection of an enforced remote internet exit. Machines doing anything touchy need to be hard wired to the network - had Jeremy Hammond done this he might still be free today.


Tor Defense:

Most people experience Tor as a bundle they load on their computer. It is more secure if you install Tor on your network edge device and permit it to provide SOCKS5 service to your local network. This way client machines can be configured without any route at all, which dramatically reduces your exposure. Even if you hit something that can manage to compromise the machine you are using, it's of little use to an attacker, as a stay at home machine always configured in this fashion will never be able to reach the outside world without using Tor's anonymization network.

Host Defense:

Most modern laptops have an SD memory slot and will boot from it. SD cards have hardware write protect tabs - you install your operating system of choice, slide the switch, and it is physically impossible for it to be compromised. I have used TAILS Linux, a Tor only hardened distribution, when I've been mobile. Given the home network I have all I need is an OS with client applications that will use SOCKS5 - every web browser and many chat clients have this ability. Ubuntu Linux provides what is needed in an easy to use fashion.

DNS Defense:

For systems that truly need to be secure I deal with DNS by simply turning it off and using /etc/hosts. Every system I use has about a hundred entries pointed to 127.0.0.x/8 - there are a running list of players that might want to geolocate me and I don't even want them finding this month's IP address for the VPS I'm using to terminate my personal VPN.

Backup Defense:

I have a number of encrypted archives that contain various things I am working on, or that I believe I might need in the future. They are not particularly large. I periodically back them up across the wire, usually at least once a week for those that are undergoing any changes. I buy a couple of thumb drives whenever I see them on sale and then backup copies of my data go into padded mailers and off to a couple of different people who stash them for me. If I were ever raided the worst case situation would be a delay of a few days in retrieving content.


Check Your Work:

When constructing a system you have to start with an assessment of what your adversaries might do. I don't worry so much about the NSA, my concerns are the clumsy corporate or federal provocateurs who attempt to implicate me in various crimes they themselves commit, other hackers who feel the need to editorialize by bothering me, and the motley collection of extortion and/or lawfare artists who involve themselves in domestic politics.


This network thwarts the simpleminded pursuer, who believes that an IP address provides a physical location. Having an endpoint I control in a jurisdiction that will simply ignore all civil and almost all criminal inquiries puts a stop to extortion, lawfare, and provocation/fabrication with the intent to incriminate. Hardened hosts ensure that intrusions, if they happen at all, are transient and very, very difficult for an outside attacker to leverage. Outright fabrication is a concern best addressed with good records. Large disks are cheap, less than $200 for a pair of terabyte drives, and a recording of *everything* that happened on your network is an extreme example of self-surveillance, but sometimes this is what is needed.


There's a simple thought exercise in which you need to engage in order to audit your preparation. Take every bit of electronics in your house and turn it off to simulate seizure in a raid. Do you have everything you need already backed up off site in order to completely restore all your information? If Barrett Brown had taken such precautions he likely wouldn't be sitting in a federal prison cell.


This is a game that USAAs play - they grab everything, pile up some huge set of charges, bury the defense counsel in gigabytes of crap, and attempt to intimidate the target into taking a plea deal. Preparing for this sort of thing puts a serious drag on what you can do - figure a 50% increase in work load - but there are many benefits to this level of discipline, above and beyond thwarting malicious, politicized prosecution.


In Conclusion:


I realize not everyone has the sort of background I do - computer science education, nearly thirty years of unix use, extensive voice/video/data carrier network operations experience, with the implicit business continuity and disaster recovery experience. The sort of detective work I have done over the last two and a half years, picking apart the contents of leaks like those from HBGary and Groundswell, is something the Department of Justice and Congress OUGHT to be doing, but they're too busy harassing activists, prosecuting whistleblowers, and fabricating scandals to be bothered with their actual assigned tasks.


America is at a turning point, clumsily backing away from another needless war, and coming to grips with the consequences of the enormous unconstitutional spying effort Edward Snowden has revealed. We are either going to engage in a vigorous housecleaning that will start right after the 2014 midterm, or we're going to implode in the same ugly fashion the Soviet Union did twenty years ago.


Whatever the case, genetics and other factors beyond my control dictate that my time 'on point' has passed. I always thought my SubGenius roots were fairly clear, but perhaps only to those who are old enough to recall the first anarchist hacker outburst in the 1990s. The performance art aspect of what I do, a sort of 21st century transmedia rant, is something the other ministers will understand and build upon. More than any other Progressive activist, Matt Osborne has taken up the lead on many of the political things I did during the 2010 and 2012 election cycles. The revelations from Manning, the Anonymous raid on HBGary, and Snowden's ongoing disclosure mean there are plenty of puzzles to solve, but there is no value in my naming the people and organizations that tend to such work.


Be careful out there, none of the four folks in my Rolodex who are currently serving time in federal prisons deserve to be there, and I don't want to see any more of you joining them.