If you are going to roam around the dirty end of the playing field you MUST first compartmentalize, and second HARDEN your presence. This takes time, money, and ongoing diligence even after you’ve got a workable solution. Or don’t, but you’re not gonna get a lot of dates wearing a sheep fursuit. That’s not a good look when it’s AI generated, and if you’re extorted into wearing one in hopes an intruder won’t introduce your wife to your girlfriend …
Attention Conservation Notice: The best over the counter anti-anxiety solutions are magnesium, so long as you avoid the low bioavailability oxide form, kava kava, and delta-8 THC if your state allows. I avoid that last one because it always gives me a nasty headache the next day. No conservation here, you can learn this stuff by reading, or by getting sheared down to bare skin out there.
And since I don’t want the goofy screen shot below as the image for this post …
Hazards:
I had fifteen minutes to wait on something earlier and I started poking around in Inoreader. I looked at my starred articles page and there’s a lesson in what’s been marked so I can share it with others.
A zero-click vulnerability means that as long as someone knows your phone number, or some account you use on iOS/macOS, you’re had the minute they decide to target you. No link to click, nothing for you to get wrong.
Zoho ManageEngine can be used to subvert whole companies, akin to SolarWinds: compromise the management software and you inherit everything it manages.
Trickbot/Conti is a Russian operation: malware, ransomware, espionage, etc.
Security researchers are hot targets. Get into one of them and you learn SO MUCH.
Ukraine is the hot zone.
Remediation is a lot harder than prevention (poor Barracuda).
The fake Signal and Telegram apps were clumsy, who falls for this sort of thing?
Infamous Chisel is an APT tool set being employed against Ukraine.
There’s no end to it …
Compartmentalization:
Here’s your to-do list if you want a modicum of safety. This is NOT conditioned on what I said in What Hunts You?; it’s a poor man’s worst case scenario.
Obtain an unlocked phone.
Visible has a $25/mo all you can eat voice/data plan.
Get an old laptop, Linux best, macOS is the middle, Windows dead last.
Once you’ve got some hardware that you will use only for nosing around, do these things. This is NOT for production right off the bat, this is so you start developing a sense of what will and won’t work.
Set up Visible, get hotspot going.
Clean install of the OS on the laptop, from DVD if possible (read-only media you trust, not the disk image that came with the machine).
Do NOT use home/office wifi.
Make Gmail account.
Get Google Voice, associate it with the burner cell number.
Make ProtonMail account.
Get ProtonVPN.
Install Authy on phone, protect accounts with it.
Install Authy desktop on laptop.
Get Inoreader and Talkwalker, set alerts if you’re doing something specific.
Get Signal, Telegram, etc using Google Voice.
Maybe also get Signal & Telegram using burner number?
And you had better be taking notes all along: the date, the IMEI of the phone, the number, the Gmail account, the Google Voice number. If you’re going to work this way, things are going to accumulate, and you’ll lose whole personas over one factoid you didn’t preserve when you trip fraud detection somewhere.
What is the purpose of this set of tasks?
New persona NOT associated with your home/office IP.
Get the basics in place for your new persona.
Lock those accounts up tight.
Get your observation support stuff going.
Get ready to interact with others.
Things have gotten harder over the years. You can’t use a Google Voice or other throwaway VoIP number for a lot of sign-ups; they want a number on an actual carrier. Burner plans are month to month, though TracFone has plans that last three months. Be prepared to be challenged to prove you still possess the burner number somewhere past the ninety day mark, especially if you’re not using it daily. If you VPN up first you won’t be able to get started with some services. If you create an account from the Visible hotspot IP and then VPN up later, you’ll encounter challenges, and by challenges I mean forget about a LinkedIn account: they’ve gotten REALLY touchy about this pattern, which I guess is for the best.
You are just being nosy, but doing that without tripping all the anti-fraud measures is a non-trivial problem, and it evolves more quickly than I do. You MUST drill this stuff before you use it. If you go out assuming things will work for a persona just like they do for you IRL, you will quickly find yourself the unhappy owner of a badly degraded persona that you toss in your sock drawer for future low key use.
What Hunts You?
What are you protected against with a setup like that? This comes back to the What Hunts You? post, which was broader and more high level than I intended when I started. Here’s a quick list of hazards off the top of my head.
Trolls might notice, Google your stuff a lot, try to password guess, etc.
Counter-intel for whatever you’re exploring, quiet, capable pursuers.
If domestic U.S., gotta be ready for frivolous litigation & malicious prosecution.
Get into some international stuff and you’re showing tradecraft; here comes US CI.
Poke the wrong international thing and you get an 0-day subversion, because you showed up at the same time other things did and got mistaken for something you are not. Foreign CI has even more latitude than domestic.
This is like walking in a forest at night, only it’s a biome you’ve never visited before, so all the plants and animals are strange to you, and some are big enough to eat you.
Conclusion:
There are misattribution services out there. You pay a LOT for a single seat, and they take care of renting a VPS in the area you want to explore and hardening the system. Since I evolved in the context of social movements I’ve only had occasional chances to test drive such things, and have never employed one for actual work.
What I describe here is the first layer of the inferno. I have this setup – an iPhone 8 that was less than $200, a well tended ten year old Mac Air a client gave me in lieu of cash, and Visible as a provider is nice if you’re worried about your flaky cable provider.
If you stopped by my hut for a visit, you’d notice an enterprise AP/firewall/switch with an HP Xeon workstation running Proxmox sitting next to it in the den. Those attentive to such details would wonder why there’s a USB ethernet dongle in addition to the workstation’s onboard ethernet, both plugged into switch ports. If you got a look at its twin under my desk you’d see a similar setup – ethernet, second ethernet via dongle, and a smaller version of that same AP/firewall/switch sitting on the floor next to it. The workstations both have low profile WiFi dongles in USB ports, too.
Proxmox is an industrial strength cloud computing environment. The monitor for the machine downstairs walked off with a friend last spring and I don’t miss it, headless is fine. I used to have a remote trio of rackmounts in a high availability cluster, but it was massive overkill for what I do now, so that stuff is turned down awaiting duties that require that much juice. I’ve used VMware products for the last decade and I used to have a Mac that did a tolerable job with virtualization using Parallels. These days I stick to VirtualBox, since it runs on all three desktop operating systems and its few vices are easily avoided.
Today your vulnerable brain conceives a desire to explore some aspect of the virtual world, you sit down with a vulnerable system, and you start looking at all the things. If you’re only a little bit crafty about it, you’re originating from a public IP that is associated with you and your completely oblivious family members. You take that vulnerable machine with you to work and then it’s entangled with your oblivious coworkers. The grabby consumer behavior stuff is going to dox you just as a normal course of business. And may the Flying Spaghetti Monster’s noodly appendage pluck you from harm’s way if any bad actor was expecting you.
No one has sufficient situational awareness to run clean on an ongoing basis. I’ve dealt with this problem every day for over a decade and I know I don’t. The magic phrase here is “fail closed”: you and your minions must originate from an environment that is either running safe or too broken to run at all. Cell phone VPNs are the poster child for why you need this. The price doesn’t cover customer support, so if the VPN is shaky you’re left running bare, and you don’t even get notified. (Android’s per-VPN “Block connections without VPN” setting is the consumer-grade version of this; on a laptop you build it yourself with firewall rules that only let traffic leave through the tunnel.) If you’re going to go beyond the basics I described in the body of this article, you’ll be going with Linux.
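Here is what “fail closed” looks like on a Linux laptop, as an added example rather than anything from the original post or the author’s own setup. The script generates an nftables ruleset whose default policy is drop on every chain; the only packets allowed to leave on the bare uplink are the VPN handshake to one endpoint (plus DHCP so the uplink can get an address), and everything else must exit through the tunnel interface. If the tunnel goes down the box goes dark instead of quietly running bare. The interface names (wlan0 as the uplink, wg0 as a WireGuard tunnel), the endpoint 203.0.113.10:51820, and the function names are assumptions for illustration. Note that the output chain deliberately has no blanket “established,related accept” rule: with one, a flow that was established inside the tunnel would keep matching conntrack after the tunnel died and leak out in plaintext over the uplink.

```shell
#!/bin/sh
# Fail-closed VPN "kill switch" as an nftables ruleset (added example, not the post's code).
# Assumptions: WireGuard tunnel on wg0 with AllowedIPs = 0.0.0.0/0, ::/0 so the default
# route points into the tunnel; physical uplink wlan0; endpoint 203.0.113.10:51820
# (a documentation address, chosen here for illustration).
PHYS_IF="${PHYS_IF:-wlan0}"
VPN_IF="${VPN_IF:-wg0}"
ENDPOINT_IP="${ENDPOINT_IP:-203.0.113.10}"
ENDPOINT_PORT="${ENDPOINT_PORT:-51820}"

# Emit the ruleset text. The "inet" family covers IPv4 and IPv6, so v6 on the bare
# uplink is dropped by the default policy too (a classic VPN leak path closed for free).
build_killswitch_ruleset() {
    phys_if="$1"; vpn_if="$2"; endpoint_ip="$3"; endpoint_port="$4"
    cat <<EOF
flush ruleset
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # DHCP replies so the uplink can obtain an address and the tunnel can bootstrap
        iifname "$phys_if" udp sport 67 udp dport 68 accept
        # Handshake and transport replies from the one VPN endpoint, nothing else on the uplink
        iifname "$phys_if" ip saddr $endpoint_ip udp sport $endpoint_port accept
        # Inside the tunnel, only replies to flows we opened
        iifname "$vpn_if" ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        # The only things allowed to leave on the bare uplink: the VPN handshake and DHCP
        oifname "$phys_if" ip daddr $endpoint_ip udp dport $endpoint_port accept
        oifname "$phys_if" udp sport 68 udp dport 67 accept
        # Everything else must go through the tunnel; if it is down, it goes nowhere
        oifname "$vpn_if" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Review helper: count the accept rules in the output chain for a given interface.
# For a real kill switch the bare uplink must come back as exactly 2 (handshake + DHCP).
count_bare_egress() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /chain output/  { in_out = 1 }
        /chain forward/ { in_out = 0 }
        in_out && index($0, "oifname \"" ifc "\"") && /accept/ { n++ }
        END { print n + 0 }'
}

# Usage: sh killswitch.sh          -> print the ruleset for review
#        sh killswitch.sh --apply  -> load it (needs root and the nft binary)
RULESET=$(build_killswitch_ruleset "$PHYS_IF" "$VPN_IF" "$ENDPOINT_IP" "$ENDPOINT_PORT")
if [ "${1:-}" = "--apply" ]; then
    printf '%s\n' "$RULESET" | nft -f -
else
    printf '%s\n' "$RULESET"
fi
```

Load it before bringing the tunnel up, and make it persistent (for example from /etc/nftables.conf) so a reboot does not come up bare. DNS is covered by the same rule: resolver traffic that is not routed into wg0 is simply dropped, so point the resolver at an address reachable only through the tunnel.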
Remember when I said the internet was like those southwestern Afghan valleys, full of feuding tribes? If you’ve got to watch the ridge lines, draws, and faux potholes (cognitive hazards) you should be doing that from an MRAP (fail closed system) in a column.