Secure or not Secure?
By: White Rabbit
Posted in: Internet Security
Generally speaking, nothing on the Internet is secure. Agencies will try to convince you that certain methods or tools will make you safe, to give you a false sense of security. Meanwhile, they either built the tool, had the designer put a backdoor in, surreptitiously slipped something into the toolchain, or are aware of a weakness.
For instance, the much-touted Tor browser was built by government agencies. Does it provide anonymity or only the illusion of it? Ever notice how a plausible reason why somebody got caught is usually provided? Was their mistake accidentally stumbled upon or provided by parallel construction?
Encryption will hide data from most people but not necessarily certain agencies. Steganography can be very useful if done right but it is not immune to certain types of analysis.
Beware of "honeypots" for whistleblowers. SecureDrop is the best recent example. Whether by design or by a reaction to the threat it represents, the result will be the same. It doesn't matter how noble the intentions or how intelligent the designer(s), any such system will turn into a honeypot.
People connected to it will die, have their reputations ruined, or be compromised in some way. The elites do not like having their secrets exposed. They will focus on the site, defeat the anonymity, persecute the whistleblowers, and make examples out of the developers. Learn from past debacles, change tactics. There is a way forward but it isn't "convenient".
The only methods that work are innovative and custom, relying on "Pig Latin" and human intelligence, not automated tools, though you can incorporate them into your methodology.
If you are working with dangerous files on a computer, keep in mind that everything you do is an open book unless it is disconnected from the Internet, off the electrical grid, and inside a well-grounded Faraday cage. Use a computer from a second-hand store or yard sale, so the origin cannot be traced to you.
Common operating systems store logs, timestamps, and reams of forensic evidence. You cannot escape certain tracks because big brother chips in the hardware will make sure your content is tagged, even if your software is clean. This is done below the level programmers can access, at the machine level, in the circuitry itself.
Think about that for a minute. If your machine is stamping your files and broadcasting your location, does it really matter if you use a VPN or Tor to anonymize the path? When the file reaches the destination, who sent it is still obvious to certain agencies.
Not all packet sniffers are created equal, nor all injection tools. Even raw data isn't exactly raw when transmitted; it is processed with certain protocols at the machine level. For example, how is packet loss detected unless some of the data contains information about the data? What does this leave room for? Do devices and routers have IDs? How does the Treasure Map get drawn?
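The "information about the data" asked about above sits in the packet headers. This added example (not part of the original post) builds sample IPv4/TCP segments and reads back the metadata in front of the payload, then uses the sequence numbers and checksums the way a receiver does to detect loss and corruption. The function names, addresses and ports are constructed for illustration, and sequence-number wraparound is ignored.

```python
import socket
import struct

IP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH"  # fixed 20-byte headers, no options

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src, dst, ip_id, ttl, sport, dport, seq, payload):
    """Construct a sample IPv4/TCP packet (constructed data, not a capture)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(IP_FMT, 0x45, 0, total_len, ip_id, 0x4000, ttl, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload

def describe(packet: bytes) -> dict:
    """Return the header metadata that travels with every segment."""
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _, off, _, _, _, _ = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    segment = packet[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    payload_len = total_len - ihl - (off >> 4) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport,
        "seq": seq, "next_seq": seq + payload_len,
        # A valid header or segment sums to zero when its checksum is included.
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "tcp_checksum_ok": inet_checksum(pseudo + segment) == 0,
    }

def missing_ranges(packets):
    """Receiver-side loss detection: byte ranges never covered by a segment."""
    gaps, expected = [], None
    for info in sorted(map(describe, packets), key=lambda i: i["seq"]):
        if expected is not None and info["seq"] > expected:
            gaps.append((expected, info["seq"]))
        expected = max(expected or 0, info["next_seq"])
    return gaps
```

Every field returned by `describe` is readable by any device on the path, whether or not the payload is encrypted.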
No tracks would be suspicious; leave fake tracks away from you if you know how. The easiest fix is a second-hand yard sale computer obtained far away from your location with no purchase records. Keep it inside your Faraday cage, and courier files to other locations before transmission.
Never let modern technology like a cell phone anywhere near your anonymous computer and don't allow even common things like USB cables into the Faraday cage unless you know where they came from and have checked them for emissions. Run off a battery, charge it elsewhere. No pipes or electrical wires should be in the room. Look up Tempest technology if you don't understand why these protocols are necessary.
Files should be removed from the cage on an easy to conceal and destroy media type like a micro SD card (or better). If it's going on the Internet, don't use a machine or a connection that can be traced back to you in any way.
If it's comms, you have to have a system in place that defeats efforts to map out your contacts. Using a "chatroom" or a "game server", for instance, will give away your whole team. Encryption and dropbox strategies won't help, and message boards are not anonymous. Bit Chat, Signal, and Cryptocat are not protection against top agencies.
Let's assume that Signal is doing everything it should be doing: not storing records, and getting your conversation from point A to point B with unbreakable encryption. None of that matters if the cell phone at point A or point B is compromised such that the data is collected before encryption or after decryption. The app is helpful but the false sense of security can be very dangerous.
For sensitive information, such tools should only be used in combination with other measures. Like using a comm language only you and your recipient understand to reference an encrypted file coming by courier, off the grid altogether.
Never put dangerous files on the Internet unless it is time to publish and the sources are protected. Don't trust law enforcement or government agencies to do the right thing when you do present evidence. The system is corrupt, secret societies are embedded everywhere, many officials are bribed, blackmailed, or compromised in some way.
I can't say more publicly. Take some time to learn our comms and I can flesh out more and more details as you progress. You don't have to take my word for it, here is an excellent video from Bill Binney who had decades of top-level NSA experience. There are more videos with similar info in Thumper's video section.