You are currently viewing all posts tagged with privacy.

Using Network Trust

Work continues on Spark, my Arch Linux provisioning system. As the project has progressed, it has created some useful tools that I’ve spun off into their own projects. One of those is nmtrust.

The idea is simple. As laptop users, we frequently connect our machines to a variety of networks. Some of those networks we trust, others we don’t. I trust my home and work networks because I administer both of them. I don’t trust networks at cafes, hotels or airports, but sometimes I still want to use them. There are certain services I want to run when connected to trusted networks: mail syncing, file syncing, online backups, instant messaging and the like. I don’t want to run these on untrusted networks, either out of concern over the potential leak of private information or simply to keep my network footprint small.

The solution is equally simple. I use NetworkManager to manage networks. NetworkManager creates a profile for every network connection. Every profile is assigned a UUID. I can decide which networks I want to trust, lookup their UUID with nmcli conn, and put those strings into a file somewhere. I keep them in /usr/local/etc/trusted_networks.

nmtrust is a small shell script which gets the UUIDs of all the active connections from NetworkManager and compares them to those in the trusted network file. It returns a different exit code depending on what it finds: 0 if all connections are trusted, 3 if one or more connections are untrusted, and 4 if there are no active connections.

This makes it extremely easy to write a script that executes nmtrust and takes certain action based on the exit code. For example, you may have a network backup script netbackup.sh that is executed every hour by cron. However, you only want the script to run when you are connected to a network that you trust.

1
2
3
4
5
6
7
8
9
#!/bin/sh

# Execute nmtrust
nmtrust

# Execute backups if the current connection(s) are trusted.
if [ $? -eq 0 ]; then
    netbackup.sh
fi

On machines running systemd, most of the things that you want to start and stop based on the network are probably described by units. ttoggle is another small shell script which uses nmtrust to start and stop these units. The units that should only be run on trusted networks are placed into another file. I keep them in /usr/local/etc/trusted_units. ttoggle executes nmtrust and starts or stops everything in the trusted unit file based on the result.

For example, I have a timer mailsync.timer that periodically sends and receives my mail. I only want to run this on trusted networks, so I place it in the trusted unit file. If ttoggle is executed when I’m connected to a trusted network, it will start the timer. If it is run when I’m on an untrusted network or offline, it will stop the timer, ensuring my machine makes no connection to my IMAP or SMTP servers.

These scripts are easy to use, but they really should be automated so that nobody has to think about them. Fortunately, NetworkManager provides a dispatcher framework that we can hook into. When installed, the dispatcher will execute ttoggle whenever a connection is activated or deactivated.

The result of all of this is that trusted units are automatically started whenever all active network connections are trusted. Any other time, the trusted units are stopped. I can connect to shady public wifi without worrying about network services that may compromise my privacy running in the background. I can connect to my normal networks without needing to remember to start mail syncing, backups, etc.

All of this is baked in to Spark, but it’s really just two short shell scripts and a NetworkManager dispatcher. It provides a flexible framework to help preserve privacy that is fairly easy to use. If you use NetworkManager, try it out.

A Personal Micro-Cut Shredder

I purchased the AmazonBasics 8-Sheet Micro-Cut Shredder a few months ago. For the price I think it’s a good buy. The CD shredding is a bit of a joke (use scissors), but it handles paper and cards admirably, cutting them into 4mm x 12mm pieces that will foil the casual antagonist. The 8-sheet capacity, compact size, and low cost make it a good choice for personal document filing. Tis the season.

Micro-Cut Shredder

Financial Defense Through Proxies

Brian Krebs’ recent experience highlights PayPal’s insecurity. The convenience and ease of use of PayPal give them a wide customer base, but their inherent untrustworthiness has long been reason for concern. For as long as I’ve used the service, I’ve been concerned about external attacks, like what Krebs experienced, as well as the internal threat – PayPal themselves have a history of freezing and diverting their users’ funds. Both of these concerns can be addressed via a proxy bank.

In 2008 I opened an online checking account with a new bank, completely separate from the financial institutions I normally use. The account has no “overdraft protection” or any line of credit. As with my PayPal account, I keep no money in the checking account. This checking account is the only account I associate with PayPal. When I want to make a purchase via PayPal, I transfer the needed funds from my primary financial institution to the checking account at the proxy bank. Since banks still subscribe to the archaic notion of “business days”, this transfer can sometime take up to week, but more frequently completes within 2-3 days.

The brief wait period is acceptable to me (it certainly reduces the ability to impulse buy) and gives me a level of security that otherwise cannot be achieved with PayPal. If someone breaks into my PayPal account, there’s nothing for them to steal. Even PayPal themselves have limited ability to steal funds. If an attacker is lucky, they may gain access to the account when I’m transferring funds in preparation for a purchase. My PayPal transactions are typically low-value, so at most this lucky attacker will acquire $100 or so. That’s an acceptable risk for the convenience of PayPal.

In the past I used this multilayer approach for all online purchases. A debit card from a proxy checking account at a different bank with no access to my primary accounts was the only thing I would use to make online purchases. When the account was compromised, the wait period for a new card wasn’t the inconvenience it normally is, since it had no impact on my day-to-day spending with my primary accounts. I think this type of security is required for shopping online, but responsible use of a credit card can offer acceptable protection for non-PayPal transactions without the hassle of a proxy account.

Jailing the Browser

The web browser is one of our computers’ primary means of interaction with the unwashed mashes. Combined with the unfortunately large attack surface of modern browsers, this makes a sandbox which does not depend on the browser itself an attractive idea.

Firejail is a simple, lightweight sandbox that uses linux namespaces to prevent programs from accessing things they do not need.

Firejail ships with default profiles for Firefox and Chromium. These profiles drop capabilities, filter syscalls, and prevent access to common directories like /sbin, ~/.gnupg and ~/.ssh. This is a good start, but I see little reason to give the browser access to much of anything in my home directory.

The --private flag instructs Firejail to mount a new user home directory in a temporary filesystem. The directory is empty and all changes are discarded when the sandbox is closed – think of it as a more effective private browsing or incognito mode that also resets your browser to factory defaults.

$ firejail --private firefox

A more useful option for normal browsing is to specify a directory that Firejail should use as the user home. This allows you to keep a consistent browser profile and downloads directory, but still prevents the browser from accessing anything else in the normal user home.

$ mkdir ~/firefox
$ mv ~/.mozilla ~/firefox/
$ firejail --private=firefox firefox

This is the method I default to for my browsing. I’ve created my own Firejail profile for Firefox at ~/.config/firejail/firefix.profile which implements this.

include /etc/firejail/disable-mgmt.inc
caps.drop all
seccomp
netfilter
noroot

# Use ~/firefox as user home
private firefox

The only inconvenience I’ve discovered with this is that linking my Vimperator configuration files into the directory from my dotfiles repository creates a dangling link from the perspective of anything running within the jail. Since it cannot access my real home directory, it cannot see the link target in the ~/.dotfiles directory. I have to copy the configuration files into ~/firefox and then manually keep them in sync. I modify these files infrequently enough that for me this is worth the trade-off.

The temporary filesystem provided by --private is still useful when accessing websites that are especially sensitive (such as a financial institution) or especially shady. In my normal browser profiles, I have a number of extensions installed that block ads, disable scripts, etc. If these extensions completely break a website, and I don’t want to take the time to figure out which of the dozens of things I’m blocking are required for the website to function, I’ll just spin up a sandboxed browser with the --private flag, comfortable in the knowledge that whatever dirty scripts the site is running are limited in their ability to harm me.

I perform something like 90% of my web browsing in Firefox, but use Chromium for various tasks throughout the day. Both run in Firejail sandboxes, helping to keep me safe when surfing the information superhighway. Other programs, like torrent applications and PDF readers, also make good candidates for running within Firejail.

I wrote an article about anonymous debit cards on ITS Tactical.

I have previously mentioned prepaid debit cards. On ITS I discuss using prepaid debit cards for anonymous, cash-like digital transactions a bit more in-depth.

Simon provides anonymous debit cards.

Their prepaid Visa and American Express gift cards can be purchased with cash at any Simon mall. No identification is required. To use the card with online merchants, you will likely need to register the card with an address so that it can pass AVS checks. This can be done through Tor with fake information.

Anonymous Debit Card

Leave My Keys Alone

Judge rules defendant can’t be forced to divulge PGP passphrase

A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase. U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination. Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with the Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop."