Advice needed on secure laptop setup

Discussion in 'privacy technology' started by SafetyFirst, Feb 27, 2013.

Thread Status:
Not open for further replies.
  1. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Agree...Following all the advice above is pretty far-fetched for most western citizens, and I doubt affordable for the ones who are not.

    Even still, I wonder about the effectiveness anyway, because are there not other "fingerprints" to worry about being tracked against?...

    https://www.eff.org/press/archives/2010/05/13
    https://www.eff.org/issues/online-behavioral-tracking

    Seems to me that one would have more to worry about from these approaches than from MAC. One would have to spoof all kinds of information, from software installed, to browser configurations/addons, to security settings in the OS...any one or a combo of can be a "unique" identifier.

    This might even be strong enough to render multi-layered vpn and proxy services useless, if an organization has a large enough collection of data (world wide) and the processing power to correlate it.

    I suspect that for most of us joes/jills, we are not "interesting" enough to bring that level of resources to bear, so a solid vpn/proxy (off-shore) setup would suffice and we wouldn't have to go the distance with throw away laptops.

    Comments?
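Added example, not part of the original post: a sketch of the point raised above, that no single browser attribute needs to be unique for the combination to be, and that a changing IP address does not hide it. The population, attribute names and visit records are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

ATTRS = ("user_agent", "timezone", "screen", "plugins")

# Constructed sample population of browser fingerprints (not real data).
POPULATION = [
    ("Firefox/19", "UTC-5", "1366x768", "flash,java"),
    ("Firefox/19", "UTC-5", "1366x768", "flash"),
    ("Firefox/19", "UTC-5", "1920x1080", "flash"),
    ("Firefox/19", "UTC+1", "1366x768", "flash,java"),
    ("Chrome/25", "UTC-5", "1366x768", "flash"),
    ("Chrome/25", "UTC+1", "1920x1080", "flash"),
    ("Chrome/25", "UTC-5", "1366x768", "flash,java"),
    ("IE/9", "UTC-5", "1366x768", "flash,java"),
]

def surprisal_bits(population, index, value):
    """Identifying information in one attribute value: -log2(its share)."""
    share = Counter(row[index] for row in population)[value] / len(population)
    return -math.log2(share)

def anonymity_set(population, target, indices):
    """Rows that look identical to target on the chosen attributes."""
    return [r for r in population if all(r[i] == target[i] for i in indices)]

def narrowing(population, target):
    """Anonymity-set size as each further attribute joins the fingerprint."""
    return [len(anonymity_set(population, target, range(n)))
            for n in range(1, len(ATTRS) + 1)]

def link_visits(visits):
    """Group source IPs by fingerprint: the IP changes, the browser does not."""
    seen = defaultdict(set)
    for ip, fingerprint in visits:
        seen[fingerprint].add(ip)
    return {fp: ips for fp, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    target = POPULATION[0]
    for i, name in enumerate(ATTRS):
        print(f"{name:10s} {surprisal_bits(POPULATION, i, target[i]):.2f} bits")
    print("anonymity set sizes:", narrowing(POPULATION, target))
    # Constructed visits: same browser seen from two exit IPs (RFC 5737 ranges).
    visits = [("198.51.100.7", target), ("203.0.113.9", target),
              ("192.0.2.44", POPULATION[5])]
    print("linked across IPs:", link_visits(visits))
```

Each attribute alone is shared by at least half of the sample, yet the four together single out one row; reducing the number of distinguishing attributes, not only the IP address, is what enlarges the anonymity set.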
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Indeed! And "loose lips sink ships" ;)

    That's a great article, thanks for posting it.

    Maybe he was toast as soon as they turned Sabu.

    Still, although I feel bad about being hard on the guy, I must say that he revealed far too much. I may occasionally "reveal" specifics about my life, but they're either generic (albeit at least somewhat true) or total fiction (albeit specific in the sense that I know details).

    And no matter how much I trust one of mirimir's contacts, I never share specifics that are recorded somewhere. I think twice before even sharing specifics that anyone living might know ;)

    I also don't share information about my other pseudonyms, even with others that I've "known" for years. And I'd never ask others about their other pseudonyms. This can lead to amusing situations, where I suspect that I'm in touch with someone as two separate pairs of pseudonyms ;)

    It's much harder to prevent identity confirmation through Internet connection activity. My VPN and Tor client VMs run in whole-disk encrypted machines, along with workstation VMs. I wouldn't want to leave all that up when I'm not near the UPS kill switch. But at least, it's up whenever I'm around, whether I'm using it or not.

    Am I missing an obvious solution there?
     
  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    If I understand those who are looking for the ultimate security, I always found quite suspicious those who are looking for absolute anonymity...
    What is behind the question?
    Building a laptop that leaves no evidence, and at the same time using a network that also leaves no traceable evidence.
    In this case, sorry, but the question does not require an answer.
    Also consider laptop theft solutions embedded in the BIOS (and track every necessary connection, and resist low-level disk wiping), cameras in public spaces, SPI/law enforcement DPI solutions, forum monitoring (crawling/data mining) like this one, hardware keyloggers, Tempest, smart dust, social engineering (a neighbor, a pretty girl), on-the-ground investigations and evidence gathering, and many more.
    If the action is committed once, then yes, it is true, it is possible to build an antiforensic laptop that cannot be exploited for finding evidence of crime (fast flux networks with China-located servers are quite in vogue, even for US security agencies).
    Then the guy can sing the Clash version of the famous song "I fought the law and I won"...
    If the guy is a criminal, and often repeats the action, then it is of course a Russian roulette game...
    And in this case, jail gives time to sing the Dead Kennedys version: "I fought the law and the law won"...
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @kareldjag

    Hey, I don't like criminals any more than you apparently do.

    However, my definition of "criminals" is perhaps broader than yours ;)

    As someone somewhere has recently observed, any technology that's adequate for protecting good will also protect evil.
     
  6. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Not sure if you mean your question, or the original question does not require an answer. Rather sounds like the latter.

    The automatic assumption that anyone who wants this level of security/privacy must be "guilty of something" (i.e. "quite suspicious") is precisely one of the problems with the "nothing to hide" argument. One only need lightly google "nothing to hide" to find refutation of that line of thinking.

    http://consumercal.blogspot.com/2007/07/in-defense-of-surveillance-debunking.html
    http://falkvinge.net/2012/07/19/debunking-the-dangerous-nothing-to-hide-nothing-to-fear/

    It is a surprising question in this forum, given that I think the crowd here recognizes the potential for abuse with all the data collection currently underway, especially as it continues to grow exponentially with vast improvements in data mining.

    Now if someone only "secures" their computer and communications, are they susceptible to other types of monitoring, some of which you point out...of course. But, that is not what they are looking to address here.

    For some people not fortunate enough to live in a western country, the level of security being asked about can have life saving consequences...Or....maybe they ought to just obey the local laws and shush.
     
  7. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Good find! Indeed, I stand corrected on the security issue related to MAC addresses.

    Nonetheless, it appears from that article that even the FBI is not throwing the level of resources to "data mine" to the level I was talking about.

    It seems that human engineering wins the day...using Sabu as a plant to correlate communication, manually piecing together snippets of personal information the suspect "volunteered", etc.

    So, aside from MAC, does anyone have a link to an article or know of other "identifiers" that may be "leaked"?
     
  8. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I would think setting up WireShark, and logging everything a computer sends out after you hit the power button, would reveal any 'nasties'.

    Also, in the Surveillance State, what is 'wrong' is defined in secret, and not disseminated...so much for the "if you aren't doing anything wrong..." argument.

    PD
     
  9. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    lols , tell me bout it xD
     
  10. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Of course I know and understand the "nothing to hide" debate and paradox...
    But if there are laws against encryption in western countries, there is torture by default in repressive ones...so I do not believe in political hacktivism goals behind the initial question...
    This thread turns into a kind of "how to", a little bit funny if we consider that it is impossible to control 100% of the armoring security process...
    Plus some countermeasures (technologies, law etc) that the potential criminal might ignore (an official overview can be seen, for those who can, at the next Milipol law enforcement congress in Paris http://en.milipol.com/ ).
    I remember also a "how to" against the FBI CIPAV http://www.infiltrated.net/cipav.pimp
    And I can add the ones published by Muslim terrorists, by Anonymous members, and I forget some...
    Last year, the blog of a French forensic analyst was hacked because the blogger had revealed too many (according to the hacker) things that might help child predators...
    http://zythom-en.blogspot.fr/
    As there are security consultants who sell zero days on the black market (for mafias, government agencies etc), there are also forensic analysts who give advice to criminals...paradox of some minds only driven by money...
    In this way, as with this topic too, this helps more and more people to download child pornography without needing to worry about being caught...
    And that is why some guys like Eric Justin Toth are difficult to track online
    http://www.csmonitor.com/USA/Latest...nted-Bin-Laden-replaced-by-child-porn-suspect

    http://www.fbi.gov/wanted/topten/eric-justin-toth/view
    Hopefully things have an END...

    PS. Wireshark does not reveal all connections, case of covert channels and encrypted packets.
    For the punk rock song versions, mistake because the law won for the Clash but not for the Dead Kennedys...
    SafetyFirst for some people, but LawFirst of course.
     
  11. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    No problem, it's how we learn :D Yeah, Sabu was a major feather in the cap, but like you said, as 'leet' as some of these guys are considered, they still seem to make rookie mistakes. I also wonder how it would have gone, legally, if he had, say, an AirVPN account, and rotated connections to all the servers...AND ran TBB through those. Never violate rule #1 - Never from home :D But like I said, convenience killed the cat. You'd think those guys would have the router config'd for VPN at least, and in Sabu's case, a software firewall config'd for VPN only outbound...it would have saved him. Maybe they couldn't afford the $80 per year?

    PD
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @kareldjag

    Wilders admins don't allow discussions of ethical and political matters.

    Threads that veer far from technical matters get closed.

    Please don't kill a useful thread.

    Thanks.
     
  13. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    didn't wanna add to this, but you got it right on the money mirimir +1, don't sabotage a useful thread with political feedback and mind in the box opinions, there's other places for that, no need to bring that crap here as well, if it is something that relates to protection of your own privacy as in privacy tech which this forum section is all about no prob, or useful forensic blogs etc which go in the privacy general section, but anyhow most of your post is way out of line kareldjag, good day sir
     