Over the years you’ve seen me recommending compartments … over and over and over. Here are some of the notions I’ve put forth during that time.
Get a separate cell phone/laptop if you’re going to play in dangerous places.
Corner each investigation environment in its own virtual machine.
Use a fail-closed VPN to relocate your lurking.
Every burner phone can make a new Google Voice number.
Keep your high value private stuff on a dedicated device AT HOME.
Create a separate debit card unconnected to the real you for lurking.
Yesterday in Hexnode Praxis I suggested there would be a new Raspberry Pi5 on the fourth port of my Steetek KVM, but after sleeping on it I’m going a somewhat different direction.
Attention Conservation Notice:
Hardcore hands-on technical admin within, enter at your own risk. If you’re not the tool pusher on your rig, maybe just skim this one?
Lift & Separate:
I am going to do Hexnode for more than just myself and the little pack of ferals I run with, so there’s a need to get any work up out of the scrum of my desktop. I am daily in the mode of professional paranoia and I think the combination of hardening and situational awareness has been working, but given how hot 2025 promises to be, going a bit further is NOT crossing the line into pathological paranoia.
Rather than spending $76 for yet another tiny electronic device, I decided to just rearrange things a bit. The Pi5 with radio and antennas is elsewhere, and the bare Pi5 is now on my desk. The device on top is an ACS smart card reader. This can handle the CAC cards used by the U.S. military.
This equipment has been lurking in my spare parts box for the last five years. It never would behave for what I wanted it to do back then. The ACS reader below is a compact pocket unit and it’s sitting on a stack of generic cards.
The desktop reader can be made to work in my mixed environment, but for mobile duties I really need a USB-C device, and a USB-C female to Lightning male cable for my phone. I am due for a new phone, now that I’ve got a 5G hotspot plan, so that means a $200 iPhone 12. If I want to free myself of Lightning that means a $600 iPhone 15. I’ll take the $14 adapter cable instead.
Problem Statement:
What is it that we’re trying to accomplish here?
We want to be able to log into Hexnode both at home and on the go, using two-factor authentication, with a system that is highly resistant to both hands-on and virtual attacks.
What are the specific threat vectors for the stationary side?
Pi5 lost/stolen/seized.
Smart card lost/stolen/seized.
Device intrusion.
Operator under legal duress.
Operator under illegal duress.
The Pi5 is vulnerable to burglary, search warrants, intrusion, and wildfire. The smart card faces similar hazards, even though it would be in my pocket when I leave the house. Legal duress means subpoenas, search warrants, or perhaps an attempt to compel me to use it under supervision to get at a client. Illegal duress means some flavor of kidnapping.
So that is a lot to digest. The solution has to work with multiple smart cards, figure one for wallet, one for home, one for a bolt hole well away from home. The combination of passwords and encryption must be such that legal process can be thwarted via 4th Amendment protection claims. My laptop and phone both support facial recognition and other biometric options, which remain unconfigured. You can successfully argue against giving up passwords, but from what I’ve seen biometric auth is zero protection against courts, they’ll just order you to smile, or hold out your finger.
The illegal duress angle is tough. You need two ways to employ the card, they both have to look legit, but one method triggers a silent alert to others that there is trouble. I guess I could rig something up on the Pi5 to automatically send an email after a short amount of time, but then I’d have to remember to turn it off during each use. And no matter how slick you think you are, sooner or later you always slip on something like that. I don’t have a good answer here …
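The "two ways to use it, both look legit, one quietly alerts" requirement is the classic duress-code pattern, and it avoids the remember-to-turn-it-off problem because nothing fires unless the duress code itself is used. What follows is an added sketch, not code from this post or from Hexnode. It assumes a host-side passphrase layer that sits beside the smart card (a CAC verifies its PIN on the card itself, so a duress code cannot live there), constructed passphrases, and an alert callback standing in for whatever out-of-band channel would actually carry the message.

```python
"""Duress-code verification (added example, not from the original post).

Two host-side passphrases unlock the same session: the normal one and a
duress one. Both return an identical "granted" result to the caller, so
nothing on screen differs; the duress path additionally hands a message
to a caller-supplied alert callback. This layer is assumed to sit next to
the smart card, not inside it: the card checks its own PIN on-card.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable

PBKDF2_ROUNDS = 100_000  # slow enough to blunt offline guessing of either code


def _derive(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a fixed-length verifier."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Enrollment:
    """What gets stored on the host: one salt and two verifiers."""
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes


def enroll(normal: str, duress: str) -> Enrollment:
    """Record both codes. They must differ or the duress path is unreachable."""
    if normal == duress:
        raise ValueError("duress passphrase must differ from the normal one")
    salt = os.urandom(16)
    return Enrollment(salt, _derive(normal, salt), _derive(duress, salt))


@dataclass(frozen=True)
class Decision:
    """Returned to the login UI. Deliberately carries no duress flag, so the
    screen (and anyone watching it) sees the same object either way."""
    granted: bool


def verify(enr: Enrollment, attempt: str,
           alert: Callable[[str], None], clock=time.time) -> Decision:
    """Check an attempt against both codes and decide whether to unlock.

    Both comparisons run unconditionally and in constant time, so the
    duration of the call does not reveal which verifier matched.
    """
    candidate = _derive(attempt, enr.salt)
    is_normal = hmac.compare_digest(candidate, enr.normal_hash)
    is_duress = hmac.compare_digest(candidate, enr.duress_hash)
    if is_duress:
        # The alert leaves through a channel the login screen never shows.
        alert(f"duress code used at unix time {int(clock())}")
    return Decision(granted=is_normal or is_duress)


if __name__ == "__main__":
    # Constructed demo codes; a real deployment would prompt for both at enrollment.
    enrolled = enroll("correct horse", "battery staple")
    outbox = []  # stand-in for email/SMS/whatever carries the silent alert
    for attempt in ("correct horse", "battery staple", "wrong guess"):
        d = verify(enrolled, attempt, outbox.append)
        print(f"{attempt!r}: granted={d.granted}")
    print(f"alerts queued: {len(outbox)}")
```

The important design choice is what `verify` does not return: the UI gets a `Decision` with only `granted`, and the alert goes out through the callback. Whatever that callback does in practice (mail, a message to a trusted friend, a flag on a remote server) must happen somewhere the person standing over your shoulder cannot see, which is the part no code snippet can supply.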
Conclusion:
One foot in light, the other in shadow, this has been my lot in life since before politics. Normally one would do things like this and never make a peep about it. However, since I am both trying to educate the next generation, as well as round up some additional clients, I overshare.
That line of thinking could go a lot of directions, but there’s one thing that’s certain - you can’t leave something like this where some rando could get their hands on it.