Building an OK, Sorta Secure Computer

by barce on February 5, 2019

In my last blog post, I talked about how a seriously compromised supply chain prevents us from ever building a secure computer. This morning I logged into my Instagram account and found that I had 7 followers even though my account was set to private and 2FA. I’m hoping this is a bug, but even so, it just shows that nothing presents as secure.

Let’s assume – and this is a big assumption – that we can build a secure computer because we now have a secure supply chain. So you buy a CPU, a motherboard, a hard drive, some memory, a power supply, input devices like a mouse and keyboard, something to connect to the Internet with, and a bootable USB stick with the OS of choice on it. I won’t go into the specifics of building a computer from these parts, but suffice it to say, you should be asking, “How will I know the OS is secure?” On some level, this is hard to do. Can you imagine reading all those lines of code? Historically, Red Hat Linux 5.2 was insecure. If you installed it with an FTP server running and exposed to the Internets, you would get hacked in days, if not hours. The hacker would just use a buffer over flow attack. For years, SSL, one of the central encryption layers for web browsing, was compromised.

OK, so you boot up your newly built computer with a “secure” OS like Kali Linux or Parrot. You create an account with a super secure, never used before password, and maybe some biometric protection. Nevermind that these OS’s are complicated to use and not consumer friendly. But you can be sure they won’t expose you to the Internet the way something like Mac OS or iOS will with bluetooth, or some other services with file, music sharing and Active Directory.

Are we secure? Well, right now the OS might be asking to run an update to make your OS really secure. However, in doing so, you give up your IP address, and thus an 80/20 chance of giving up your location. So before even getting to this point, you will want to proxy all your connections, but then again this begs the question: how can you even trust the proxy? Does chaining proxies you can’t trust equal security?

Let’s assume we trust a company like NordVPN or a network like TOR. We’ll also setup and turn on a firewall, too. Great, now we can download software updates. We’re not going to use social media though. That will surely give us away, even when we share an alias account with friends and family. When we browse the web we’ll just be using a browser like Brave with ad blocking with JavaScript turned off because we all know JavaScript is insecure – except for the JavaScript subset, CAJA. When we search, we’ll hope that Duck Duck Go doesn’t give up our privacy. We will use proxies all the time to keep our privacy. Still this will leave some sort of fingerprint. If you go to a website like Am I Unique, you can see if your browsing configuration & habits have set you up to be tracked.

Let’s review what we’ve done:

  1. Built a computer with components from a secure supply chain.
  2. Used a USB stick to install a secure OS. Make sure you’re account is secured by a password and if your computer has it some sort of biometric protection. We won’t connect to the Internet yet. Nevermind we haven’t even discussed vetting the security of the USB stick.
  3. Set up a proxy / tor and firewall.
  4. Update the OS.
  5. Use a secure browser like Brave.
  6. Turn off JavaScript except maybe for CAJA.
  7. Use only Duck Duck Go for searching since they supposedly don’t keep records.
  8. Don’t use social media. Even an alias can betray you.
  9. Check to make sure you’re web fingerprint isn’t unique.

We haven’t even discussed email yet. And your set up isn’t really secure. All I really need is your fingerprint and password. Anyone remember Dark Knight Rises? In my next piece, I’ll discuss secure email. If you’re not using a PGP key to secure your email, it’s not secure. It’s basically yelling in public. We’ll also discuss adding a VM running off of an encrypted key on a USB stick to really secure your computer.

{ 1 comment }

Basic Security is Not Secure

by barce on January 30, 2019

Let’s say I wanted to do basic security. I want to be able to defend myself against cyber attacks on my laptop, network, phone as well as any peripherals I might use that connect to any of the devices I use. I want to communicate securely. I want to be untrackable or have privacy. Basic security for the purposes of this post will consist of 3 things:

  1. Malicious code barriers & Cyber Defense
  2. Secure communications
  3. Privacy

Let’s tackle the first one. I have a computer that I just purchased from a store. A sales person might even suggest buying anti-virus software with a firewall. It’s guaranteed to protect me from everything except a zero day hack. Well what about this “zero day hack.” Anything on my computer that is listening to the Internet, e.g. notifications, Dropbox, Adobe, GoogleTalk. Ok, we turn these off. Are we still secure? What if the hardware is not secure? In light of recent revelations, we can’t even trust the hardware anymore. We are forced to build are own computer with our components we can trust, but this begs the question of finding a trustworthy component. Back in the days of 6502 processors, it could be possible to know all the contents in memory, and to even know the factory that made all the components. With our global economy such an empirical luxury (if it was ever so enjoyed) is no more. We might as well stop here, and think about what it would take to secure the supply chain of computer components. There’s a suggestion for it in the dystopian, Draka series of novels by S.M. Stirling. All computers are Read Only Memory (ROM), and produced under close government / military scrutiny. What we can conclude is that even on a basic level, we are not secure.

In my next piece, I’ll look at secure communications on an ok, sorta secure computer.

{ 1 comment }

A Brief History of Instagram Growth Hacking

by barce October 24, 2018

In Episode 83 of the now defunct Hashtagged Podcast, Jordan Powers interviews Tyson Wheat, who talked about the early days of Instagram. Back then (2011), he says, “You just needed 10 or so likes within 5 minutes to get onto the popular page.”  When I heard this, I realized Instagram was gamed from the beginning. […]

0 comments Read the full article →

Where’d the year go?

by barce November 8, 2017

There hasn’t been much tech-wise that’s interested me. I’ve gotten better as a coder, and finally built my own data app that helped me find and track people that follow and unfollow using bots on Instagram. It’s closed source, but I just might get to sell it to an adtech company. We’ll see. I first […]

0 comments Read the full article →

What happened in the last 12 months?

by barce July 27, 2016

I’ve been spending most of my free time working on my photography. You can see see some of it at Bracket This, and a ton of it on my Instagram account. Right now though, I’m starting to focus on tech again. I’ve been learning Swift to make an iOS app while working with a really […]

0 comments Read the full article →

What is Geonymity?

by barce June 1, 2015

Geonymity is geo-location based anonymity. Sometimes you want to broadcast your info to everyone like at a bar or a party. Sometimes you want to be low key like at a new airport. Apps with geonymity enabled allow you to automatically determine how much of yourself that you share based on your location.

0 comments Read the full article →

Switching to Emacs from Vim

by barce April 23, 2015

I’ve been looking more and more at Clojure and decided to start coding using emacs. Clojure is the language behind many highly performant and concurrent systems. It was used in BankSimple’s early days. It’s also used at Akamai, a CDN, which has to serve hundreds of thousands of requests per second, when content rich media […]

0 comments Read the full article →

Day 34: I didn’t do my laundry for a month

by barce February 26, 2015

And I’m still not doing it. Instead, I’ve gotten into the habit of just hand washing in the morning. I put my cloths into the sink, take a shower, and then dry the clothes and me. 🙂 I don’t have to worry about sucking a huge chunk of my weekend to get clean clothes. I […]

0 comments Read the full article →

Day 13: Minimalist Winter Gear

by barce February 5, 2015

It’s day 13 of my challenge not to do laundry in washing machines and dryers and just hand wash for a month. So far it’s going great. $20 saved which I’ll use for tacos once I finish this post. Let’s talk winter gear. What’s the least you can wear and still stay comfortably warm? I […]

0 comments Read the full article →

Handwashing Clothes for a month: Day 3

by barce January 26, 2015

When I was traveling through Iceland in November, I tried to travel as light as possible. I did this by handwashing my clothes: long johns, shirts, socks and underwear. If I could go 14 days without having to do laundry while traveling, could I go a whole month without doing laundry. This Saturday, I started […]

0 comments Read the full article →