Just Because You're Paranoid...



No one is paranoid enough. There is a lot of freedom in knowing they are after you. If you know they are watching, then you have no trouble deciding how to behave. If you know that someone just caught your mistake, you do not have to wonder if you should implement your response policy. If you know your enemy has enormous resources, then there is no guessing about how much trouble you have to go to.

The biggest threat to the security of anyone's data is that someone will simply walk in and take the media it is sitting on. Now they have the data and you've lost the use of it. It doesn't matter if they are allowed to or not. If they want it, they take it. I have no illusions about staging a standoff against a group of armed men. If it gets to the point where they think they have reason to storm my compound, then I don't need my data any longer. It is far, far more important that no one else have it.

I use encryption. The drives in the cage are protected with a hardware encryption IDE controller that takes a USB dongle holding the key to allow it to function. It is protected by a memorized passphrase. The operating system is configured to use EFS and will not boot without the memorized passphrase for EFS. Once booted, all the user data is stored on a PGPDisk, which uses a key stored on another USB key, protected by a memorized passphrase. There is a significant danger that data will be lost due to accidental failure. Any attempt at data recovery would be hopeless, but I can't afford for backups to exist.

You should use encryption, but you should not trust it. No, I don't have any reason to suspect that the current encryption isn't just as strong as you think it is. Yes, there are implementation errors, side-channel attacks, and so on, but if you layer several protection mechanisms, the encryption won't be breakable. There is always a possibility that someone can break it. After all, we're talking about government agencies that will send their own soldiers to die rather than give any hint that they can break a cipher.

But that's not the biggest risk. You never protect against more than the easiest attack. Why would I worry about the NSA, when some punk with a gun and a keyboard logger could steal my USB keys and put a bullet in my head? If you can backdoor my hardware, what does the encryption matter?

The only solution to data theft is destruction. If someone besides me enters the cage, the data must be destroyed. This isn't as easy as it sounds. I'm not talking about secure disk wiping. Do you know how long it takes to wipe even a few gigabytes of data? The host has to be operating for that to occur anyway. Even under ideal circumstances, there would be a boot on my face, and the drive would be pulled from the case in 20 seconds.

The data and media must be physically destroyed, and it must be done in a hurry by a process that can't be interrupted. Given that I must also keep this mechanism from setting off any red flags, the ideal substance for my situation is thermite. Thermite is extremely simple to manufacture and can be made in a variety of types to suit one's purpose. Anyone who passed high school chemistry could safely manufacture a large quantity from ingredients that are not suspicious by themselves.

I use it in powdered form, in a Rubbermaid container that sits on top of the hard drive inside the case of the desktop machine in the cage. Atop the powder is a magnesium strip with an electrical igniter attached. The well-insulated wire from the igniter connects to an alarm device and battery pack. Wires run from the alarm out of the back of the PC to a keypad mounted to the desk. Another bundle of wires from the alarm runs to a pair of contacts on the door. Yet another set goes to a motion sensor.

When armed at level one, if the door opens, the thermite goes off if the correct code isn't entered in 5 seconds. If the wires are disconnected, the thermite goes off. When armed at level two, if the motion sensor detects movement 30 seconds after being armed, the thermite goes off. There's no danger of it going off accidentally. Even inside the hottest PC, you'd need about another 1800 degrees Fahrenheit to start the reaction, which is what the magnesium is for.

When the thermite goes off, it needs to burn through a thin plastic container bottom, a thin aluminum hard drive shell, and three aluminum drive platters. Since part of the reactant is aluminum, it should have no difficulty doing this. I estimate it will take less than 30 seconds to melt the drive. If I'm lucky, if I'm in the room when it has to be set off, I will make it out. Once I'm inside, the alarm is re-armed to level one in case the door is kicked in.

This defense must remain secret. Any kind of burglar alarm, trap, or detection mechanism should always remain secret. If your enemy knows about the defense, there is always a way to bypass it. This is true for software mechanisms as well, such as IDSs.

The two desktops in the unsecured area are standard desktop usage computers, running XP and Linux. I occasionally need software that runs on one platform or the other. They are kept up-to-date with patches, and are behind a standard low-end hardware firewall, but they aren't unusual. The XP box has PGP for mail usage and PGPDisk. The Linux box uses the SELinux patches and has GPG and a RAM disk set up. The boxes are shut down when not in use and they have had a token hardening performed. It is assumed they will be compromised at some point.

The basement has a standard audible alarm. There is a hidden camera attached to a time-lapse analog VCR. The camera is embedded in the wall outside of either computer room and faces the unsecured area. Unfortunately, some form of communication is necessary to my operation and an undetected keystroke logger on the unsecured PCs would be fatal to the operation.

I could encrypt all Internet communications (and will make every effort to do so), but I could still be compromised by traffic analysis. To combat this, I will employ a number of variations on onion routing, encrypted meshes, and will generate misdirection traffic.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
EAN: N/A
Year: 2004
Pages: 105
