In my last blog post, I talked about how a seriously compromised supply chain prevents us from ever building a secure computer. This morning I logged into my Instagram account and found that I had 7 followers even though my account was set to private and 2FA. I’m hoping this is a bug, but even so, it just shows that nothing presents as secure.
Let’s assume – and this is a big assumption – that we can build a secure computer because we now have a secure supply chain. So you buy a CPU, a motherboard, a hard drive, some memory, a power supply, input devices like a mouse and keyboard, something to connect to the Internet with, and a bootable USB stick with the OS of choice on it. I won’t go into the specifics of building a computer from these parts, but suffice it to say, you should be asking, “How will I know the OS is secure?” On some level, this is hard to do. Can you imagine reading all those lines of code? Historically, Red Hat Linux 5.2 was insecure. If you installed it with an FTP server running and exposed to the Internets, you would get hacked in days, if not hours. The hacker would just use a buffer over flow attack. For years, SSL, one of the central encryption layers for web browsing, was compromised.
OK, so you boot up your newly built computer with a “secure” OS like Kali Linux or Parrot. You create an account with a super secure, never used before password, and maybe some biometric protection. Nevermind that these OS’s are complicated to use and not consumer friendly. But you can be sure they won’t expose you to the Internet the way something like Mac OS or iOS will with bluetooth, or some other services with file, music sharing and Active Directory.
Are we secure? Well, right now the OS might be asking to run an update to make your OS really secure. However, in doing so, you give up your IP address, and thus an 80/20 chance of giving up your location. So before even getting to this point, you will want to proxy all your connections, but then again this begs the question: how can you even trust the proxy? Does chaining proxies you can’t trust equal security?
Let’s review what we’ve done:
- Built a computer with components from a secure supply chain.
- Used a USB stick to install a secure OS. Make sure you’re account is secured by a password and if your computer has it some sort of biometric protection. We won’t connect to the Internet yet. Nevermind we haven’t even discussed vetting the security of the USB stick.
- Set up a proxy / tor and firewall.
- Update the OS.
- Use a secure browser like Brave.
- Use only Duck Duck Go for searching since they supposedly don’t keep records.
- Don’t use social media. Even an alias can betray you.
- Check to make sure you’re web fingerprint isn’t unique.
We haven’t even discussed email yet. And your set up isn’t really secure. All I really need is your fingerprint and password. Anyone remember Dark Knight Rises? In my next piece, I’ll discuss secure email. If you’re not using a PGP key to secure your email, it’s not secure. It’s basically yelling in public. We’ll also discuss adding a VM running off of an encrypted key on a USB stick to really secure your computer.