
Darter Pro Part 2: Truly Secure Dual-Booting

This is a followup post from my original Darter Pro review.

The concept of dual-booting a computer is not new. Apple devices have had Boot Camp as an option to run both macOS and Windows natively from the same drive. In the late '90s I had Windows 98 and Linux partitions ready to boot at all times. The technology has been available a long time. However, SECURE dual-booting needs to be discussed more.

By default, a MacBook Pro with Boot Camp running Windows offers two isolated operating systems on one drive. You can choose which to load upon a reboot. Each operating system has its own partition on the overall drive, and neither is encrypted by default. You could dual-boot a Windows computer to launch Linux from a separate partition just as easily. However, encryption can cause issues.

While it is possible to encrypt two systems within the same drive, it is problematic. We like to have true FULL-DISK encryption, which makes the entire drive readable by only one system. There are tweaks which can allow for two PARTITION-ENCRYPTED systems within the same drive, but there will always be minor security sacrifices. This is where the new Darter Pro (and any other laptop with dual NVMe ports) provides a much better solution. You can add a second internal NVMe drive in order to possess two isolated systems, each with true full-disk encryption. The following are the steps I took to possess two secure versions of Pop!_OS on my machine, and encrypted Pop!_OS along with encrypted Windows 11 for a client.

First, I needed a second NVMe drive. I chose the Crucial 1 TB P3 Plus (https://amzn.to/4aC5vfC) for $69. However, I could have also just ordered a second drive from System76 and saved the headache. They would have installed it for me.

Next, I needed to open my new Darter Pro. This always makes me nervous, as I do not want to crack, chip, or break anything. Fortunately, the process was simple. I removed all eleven of the screws on the back cover, and within the grey ledge. The following displays the screws removed.

My first inclination was to remove the interior back-plate, which was wrong. I needed to remove the entire silver housing. I carefully separated the silver casing from the black casing, starting at the front of the laptop. I applied a plastic tool commonly used for cell phone repair to get in the crack, then carefully unsnapped each connector as I worked my way around the case. I could now access the interior, as seen in the following image.


The NVMe drive is seen in the lower-right, and the second NVMe slot can be seen in the upper-right. I removed the existing drive (to make sure I did not overwrite it) and placed the new 1 TB NVMe drive in the second slot. Both drives can be seen in the following image.

I then inserted a Pop!_OS USB installer and installed Pop!_OS to the new drive. I activated full-disk encryption as the default option. After successful installation, I replaced the original drive back in the first slot. I then booted the computer and immediately pressed "Esc" to enter the coreboot BIOS. I selected "One Time Boot" and confirmed that both drives were selectable, as seen in the following image.

I tested booting to each and confirmed that they were unique versions of the OS within the different drives. I then changed the default boot drive by reordering the drives themselves in the boot order. I re-entered the BIOS, selected "Change Boot Order", and made the 1 TB the default boot option (in this case the SK hynix) and the 4 TB (Samsung) the secondary. The following displays my changes.

This is the drive (1 TB) which I will use as my personal machine. Whenever I want to boot to the 4 TB for breach work, I can press "Esc" upon boot and select it. My daily driver (1 TB) has a blue background (safe) while the breach data drive (4 TB) has a bright red background to remind me that I should not do anything personal within that drive. This allows me to stop carrying two laptops around while still having secure access to my data. If the laptop is lost, stolen, or seized, I have no concern about my data. Without the unique passwords I have assigned to each drive, which possess true full-disk encryption, the data is protected.

Let's think about this further. Each drive is encrypted and cannot see the other. I can completely trash my breach data drive with every known Linux virus, and know that nothing on it can touch my personal usage drive. While this is typically assumed to be the case with virtual machines as well, there are many known VM escapes which can breach the boundaries. I don't mind this when doing OSINT work in a VM on a dedicated OSINT machine, as there is minimal risk. However, I would never trust a VM to isolate malicious data while the sensitive personal host is running. Since I cannot boot both of these drives at the same time, I have no worries. This is the only real way to have complete isolation of data.
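The isolation argument above rests on two facts that can be checked from the running system rather than assumed: every drive carries its own LUKS container with no plaintext data filesystem beside it, and only the drive you booted from has anything unlocked or mounted. The following is an added example (not code from the original post or from System76) that audits the JSON tree produced by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`. The device names, partition layout and the `ALLOWED_PLAINTEXT` set (the EFI System Partition must stay readable by the firmware) are my own assumptions; the two sample trees are constructed to mirror the two-drive layout described above and the mistake it avoids.

```python
# Added example (not part of the original post): audit a two-NVMe dual-boot
# layout. Reads the JSON produced by
#   lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT
# and reports, per physical disk, whether a LUKS container is present, whether
# a plaintext data filesystem sits next to it, and whether anything on that
# disk is currently unlocked or mounted. Sample data below is constructed.
import json
import subprocess

# Filesystems legitimately left unencrypted beside a LUKS container: the EFI
# System Partition is read by the firmware before anything is unlocked.
# (Assumption: adjust if your layout differs.)
ALLOWED_PLAINTEXT = {"vfat"}


def _walk(node, facts):
    """Accumulate facts about one disk from its lsblk subtree (recursive)."""
    fstype = node.get("fstype") or ""
    ntype = node.get("type")
    # util-linux emits "mountpoint" (older) or "mountpoints" (newer); accept both
    mounts = [m for m in [node.get("mountpoint")] + (node.get("mountpoints") or []) if m]
    if ntype == "part":
        if fstype == "crypto_LUKS":
            facts["luks"] += 1
        elif fstype and fstype not in ALLOWED_PLAINTEXT:
            facts["plaintext"].append(node["name"])   # readable without a passphrase
    if ntype == "crypt":
        facts["open_crypt"].append(node["name"])      # container is unlocked right now
    facts["mounted"].extend(mounts)
    for child in node.get("children", []):
        _walk(child, facts)


def audit_layout(lsblk_json):
    """Return {disk_name: facts} for every disk in the lsblk JSON tree."""
    tree = json.loads(lsblk_json)
    report = {}
    for dev in tree["blockdevices"]:
        if dev.get("type") != "disk":
            continue
        facts = {"luks": 0, "plaintext": [], "open_crypt": [], "mounted": []}
        _walk(dev, facts)
        facts["active"] = bool(facts["open_crypt"] or facts["mounted"])
        report[dev["name"]] = facts
    return report


def isolation_ok(report):
    """True when every disk is LUKS-only and exactly one disk is in use."""
    if not report:
        return False
    all_sealed = all(f["luks"] >= 1 and not f["plaintext"] for f in report.values())
    active = [name for name, f in report.items() if f["active"]]
    return all_sealed and len(active) == 1


def audit_live():
    """Run lsblk on this machine and audit the result (Linux only)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return audit_layout(out)


# Constructed sample: the 1 TB drive (nvme0n1) is booted and unlocked, the
# 4 TB drive (nvme1n1) holds its own sealed LUKS container.
SAMPLE_GOOD = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "cryptdata", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                {"name": "data-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}]}]}]},
    {"name": "nvme1n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme1n1p1", "type": "part", "fstype": "vfat", "mountpoint": None},
        {"name": "nvme1n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None}]}]})

# Constructed sample of the situation to avoid: a plain ext4 partition on the
# second drive is readable from whichever system happens to be booted.
SAMPLE_BAD = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "cryptdata", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
    {"name": "nvme1n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme1n1p1", "type": "part", "fstype": "vfat", "mountpoint": None},
        {"name": "nvme1n1p2", "type": "part", "fstype": "ext4", "mountpoint": None}]}]})


if __name__ == "__main__":
    report = audit_live()
    for name, f in report.items():
        print(f"{name}: luks={f['luks']} plaintext={f['plaintext']} active={f['active']}")
    print("isolation OK" if isolation_ok(report) else "CHECK LAYOUT")
```

Run it from each installed system in turn: the booted drive should be the only active one and the other should show `luks=1`, `plaintext=[]`, `active=False`. A plaintext partition or a second active disk means the two systems are not as separate as the boot menu makes them look.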

I repeated this process for a client who needed Linux as a daily driver, but also Windows as an option. Specific software he needed to use is blocked within virtual machines, and he needed Windows running directly on the host. I installed Windows 11 to the second drive and activated BitLocker for the full-disk encryption. I then made the Linux drive the default for boot order, and he can reboot, press "Esc", and select Windows whenever it is needed. Note that I had to install the Intel update program in order to fetch all of the wireless drivers. Dual booting can help ease the permanent transition from Windows to Linux. You will always know that you are a reboot away from the familiarity of Windows.

In hindsight, I should have just ordered a second drive with the machine. I would not have had to open it at all. Lesson learned, but it is great to have a laptop which I can open and modify the hardware. You can't do that with a Mac. Speaking of hardware ... The Darter Pro is the first dedicated Linux laptop I have owned which passes the one finger test. I am able to open the lid with one finger, and the rest of the body does not move. The laptop stays in place without bumping up off of the flat surface. I know that is very minor, but has always been a pet peeve of mine. My current MacBook Pro can't even do that.

Choosing A Linux Laptop: The New Darter Pro

I have been due for a new laptop for some time. Mine both work, but they have been beaten up by constant travel and I am due for a performance boost. I am also growing tired of having a machine for personal work and a dedicated OSINT/Breach machine. I have been watching the System76 site for a while and monitoring their new products. I finally executed and now have a single System76 Darter Pro with truly secure, fully encrypted, dual-boot internal drives ready for all of my needs. It feels like the right time to update my preferences for a Linux laptop, and explain how I choose the ideal machine.

First, we need to define the scope of the ideal laptop. If you are a macOS user, then you just find the shiny product you like and customize the specs. If you are a Linux user, you may feel overwhelmed by the options available from many providers. If you are a Windows user, please consider becoming a Linux user.

You could take practically any used Windows (or Intel macOS) computer and reformat the drive with Linux. That is a great way to get a feel for the operating system before committing. If you know you want to switch to Linux, then I recommend purchasing a new laptop designed for Linux. There are a few providers who cater to this, and I hope to eliminate a couple right away. Purism makes an outdated and overpriced Linux laptop, but I would never consider buying anything from them. They are still trying to fulfill orders from five years ago, and refuse to provide a refund if they never ship your product. I am shocked they are still in business; please avoid them. Framework came out with a very interesting product which has swappable parts, such as Ethernet or USB ports, but I do not recommend them either. I have witnessed numerous devices fail and the components wear out way too quickly. Finally, Tuxedo offers dedicated Linux machines, but they cater mostly to European customers. I have no issues with Tuxedo computers, but I believe we have a much better option.

It should be no surprise to readers that I am a System76 fanboy. I have been recommending their products for many years, and I use them daily. It is not because they are making a physical product which is unavailable anywhere else, because that is not true. System76 uses mostly Clevo machines purchased in bulk which anyone can buy. The reason I choose System76 is their custom open-source firmware and attempts to disable as much of Intel's processor management as possible. These two options cannot be overstated, as well as their customer support.

When you purchase a System76 laptop, they have already eliminated the stock firmware and replaced it with their own customization of open-source coreboot. This removes all of the unknown blobs, connections, and suspicious software which is always running at the root of your machine, regardless of encryption. I see so many people screaming about the importance of full-disk encryption, but most of them are running closed-source firmware outside of that encryption which could be doing malicious things. Therefore, I only consider System76 machines for my personal Linux usage.

This presents the next issue. There is some substantial complexity of choice when buying a System76 laptop. This has gotten better since they eliminated a couple of older models, but today you still must choose from the Lemur Pro, Darter Pro, Pangolin, Adder WS, Oryx Pro, Serval WS and Bonobo WS. This is a very personal choice, but I offer my process of elimination.

First, I do not need dedicated graphics. I am not a gamer and I do not process 4K video all day. I do not mine cryptocurrency and I simply do not want to pay a premium for power I will never use. This eliminates the Adder WS, Oryx Pro, Serval WS and Bonobo WS for me. We are left with the Lemur Pro, Darter Pro, and Pangolin. The Pangolin is out for me because it has an AMD processor, which possesses its own processor management operating system which cannot be disabled. Both the Lemur Pro and Darter Pro have most of Intel's Management Engine (ME) disabled by default, so either works for me.

I insist on both USB-A and USB-C ports, and both machines offer that. I prefer to possess a microSD slot, and both have me covered there too. I also insist on an Ethernet port. I often need to connect directly to a firewall or network without Wi-Fi, and this is essential to have. Only the Darter Pro has every port I need with all of the features I demand. I am writing this post on my new Darter Pro.

I prefer a 14" model since I travel often. I am sure the 16" has a beautiful screen, but the mobility is more vital to me. The machine works great and looks slick. If you are transitioning from any other Windows computer, I think the overall build and feel will be superior to your previous experiences. If you are a macOS user accustomed to the latest MacBook Pro machines, many previous Linux devices may feel "plasticky" or "cheap". This one does not. The new Darter Pro seems to have the most premium build of the lightweight models. I have been testing various Linux laptops for many years, and this one is hands-down the best I have had. Some will say it can never compete with the aesthetics of a MacBook Pro, Air, etc., but I think it comes close. That leads us to the specs.

The new Darter Pro offers the new Intel 4.5 GHz Core Ultra (U) 5 or the Intel 4.8 GHz Core Ultra (U) 7. I went with the 5 at a $129 lower price. It has plenty of speed for my usage. If you know you will need the extra boost, then go with the 7. You cannot change the processor after purchase (but you can modify the RAM and drive). I have yet to max out the processor, so I have no need for the upgrade.

I went with 32 GB of RAM, which I think is overkill for most people. Since I use multiple virtual machines simultaneously, I wanted to be covered. Again, I have yet to come close to maximizing the RAM usage, but 16 GB could have caused me some issues.

I have a 4 TB internal PCIe4 M.2 NVMe drive. That is also overkill for most, but I will be using this for breach data work which can quickly exceed a couple of terabytes. Having this large internal SSD allows me lightning fast queries and imports. Shaving off a few seconds here or there may seem like a small benefit, but it becomes vital when dealing with terabytes of data.

The screen has a matte finish and looks great. I am mostly at my home office connected to an external monitor, so this is not a priority to me anyway. However, I spent a few hours on the unit itself and found no issues with the 14" screen. The brightest setting was actually too bright. The keyboard is great, and better than the previous generations. There is much less of a "hollow" feel which is common in Linux machines. The track-pad is also better than the previous models, and has a nice matte "velvet" feel to it. It is extremely responsive, especially when tapping to click. The embedded Intel graphics are all I need, and allowed me a longer battery life. I never felt the need for a dedicated graphics card.

Battery life is never the same for everyone. Light browsing may provide a long range while heavy processing might reveal minimal life before recharging. Since I am usually plugged in, battery life is not a priority for me. However, I achieved almost 5 hours while thoroughly testing for this review.

One thing I did not expect to make a difference was the placement of the Ethernet port. This model has it on the back of the device instead of the side. I like this feature. It keeps the cable out of my sight and away from my external mouse. HDMI is also on the back. I do not use Bluetooth, but the Wi-Fi 6E performed as expected. Internal transfers approached the speed limitations.

As I recommend for others in my Extreme Privacy: Linux Devices book, I rely on Pop!_OS as my operating system. I no longer use Ubuntu on any machine or VM, and Pop!_OS has spoiled me with their application storefront and overall fluid environment. I am impatiently awaiting their new Cosmic 24.04 release, which is a full rebuild of the OS. Until then, the current stable build works great on this machine.

Overall, the machine just "feels" good. It feels more solid, possibly more "premium", than previous models. The size is perfect for me and the value is appropriate. My machine has a retail price of $1,697.00, but I chose a 4 TB internal drive. The same machine with a 1 TB drive would have been $1,393.00 ($100 less if pre-ordered). That is a great deal for a dedicated Linux machine with open-source firmware and disabled Intel ME. I know of no other device which gives you this. Combine this with a full-disk encrypted Pop!_OS and you have what I believe is the most private and secure system available today. It is both my daily driver and my breach data machine (more on that soon).

Below are some photos I took to provide some insight which may not be obvious in the stock images on the System76 website. This is a comparison to the 14" MacBook Pro.


MacBook Pro (left) and Darter Pro (right)


Darter Pro (left) and MacBook Pro (right)


MacBook Pro (top) and Darter Pro (bottom)


MacBook Pro (top) and Darter Pro (bottom)

MacBook Pro (top) and Darter Pro (bottom)

In the next post, I will explain how I use multiple internal NVMe drives to securely dual-boot full-disk encrypted operating systems within open-source coreboot for true security. This allows me to safely carry one machine for both personal and breach data usage. Readers of my book Extreme Privacy: Linux Devices will also receive this content within their book updates by June 1, 2024.

Disclosures: I was not paid to write this article and I was not asked to write this review. I gave no editorial control for this and the opinions are mine. System76 allowed me temporary access to a demo unit before it was publicly available. I am not a System76 affiliate and I do not receive any payments for orders placed due to this review. I just like the machine.

Cloaked Detailed Review

Several readers of my books have been asking about a newer service called Cloaked. At first glance, I saw they offered some type of email masking and VoIP telephone service, and I delayed a full review toward the end of a long list of pending tasks. I finally got around to taking a deep dive, and there is much more there than I thought. This review will be longer than I anticipated, because I was also able to test their masked payment option. There is a lot to discuss.

First, I was not paid or asked to write this review and there was no editorial control or input from any third party. These are my thoughts. Now, the easy stuff.

On-Boarding: Creating an account was easy, and they accepted a Proton Mail email address. There seemed to be no verification of identity and automated confirmation emails arrived immediately. I was issued a two-week free trial, which appeared to be fully-functioning. That gave me plenty of time to play around without commitment. So far, so good.

Layout: The web layout was very polished and easy to navigate. Everything seemed to function properly. The mobile app layout was also nicely done. I had no complaints, and everything seemed professional.

Email: Nothing too exciting here. It works fine. Create an identity and get an auto-generated email address at a Cloaked domain. You can choose whether you want incoming messages to stay within the Cloaked portal or be forwarded to your registered email address. I chose to leave them within Cloaked. It seemed I could create unlimited Identities, each with their own masked email address and optional usernames and passwords.

VoIP: This is where things got interesting. I had assumed they were offering true two-way unlimited-use VoIP telephone numbers. This was surprising since they claim to offer unlimited numbers for a flat membership fee, and that would be an absolute steal. I soon realized this was not the case. Cloaked does offer unlimited telephone numbers, but there are major restrictions.

1) You can only call numbers which have previously called or texted you first.

2) You can only text numbers which have previously called or texted you first.

3) All voice calls are routed through your own true cellular number (if connected via the app), but masked to display your VoIP number as the caller ID.

4) If you did not connect a cell number to the app, then incoming calls go to voicemail.

That is a lot to digest. Here is how it all works. You are in need of a telephone number to provide some type of service (healthcare, shopping, streaming, etc.). You generate a new "Identity" within Cloaked and ask to have a number generated. That VoIP number is assigned to you and it can be given to the service. If the service calls that number, it will forward to you. If anyone else calls that number, it will forward to you. If you did not associate your true cellular number within the mobile app, the call goes to voicemail and you can listen to the message in your portal (web or app). If you associated your cellular number with the app, the call is received at Cloaked; forwarded to your true cellular number from their servers; presented to your mobile calling app as a random Cloaked number; and the call can be answered. If you choose to call the provider back (mobile app only), the call is routed through Cloaked servers and presented to the original caller as coming from the Cloaked number assigned to your Identity. Got all that?

This is actually not anything new. Online VoIP providers have been offering similar services for years. This is how Cloaked can afford to issue you unlimited numbers for every purpose. If needed, you could have 30 Identities for 30 services, with 30 unique numbers. Again, this presents a serious limitation. You cannot call any receiving number from a Cloaked number until that receiving number calls you. Same for SMS text. If you want to call a restaurant to confirm a reservation, but they have never called you, you cannot do that. Traditional VoIP providers allow this, but you pay a premium fee for every number you possess.

If you receive no calls or text messages into a number issued by Cloaked within 60 days, they reclaim that number and recycle it to another user. This is concerning, but they have an option to "Lock" the number for permanent use. Once you do this, no other incoming calls or messages can be received, but any numbers which have connected to you are locked in. If you give your doctor's office a Cloaked number, they call it and you are now connected to them. If you lock the number, then that office (from the number which has already called you) will forever be forwarded to your account without expiration. However, if they call from a different number, it will not go through. I worry about "collisions" with this method, but I may just need more time to digest it. If I lock a number which has received a call from my doctor, and that number is re-issued to another Cloaked user for all other purposes, and he has the same doctor as me, would I receive the call intended for him? I do not have the answer, but I am working on some tests.
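Because the four restrictions above plus the 60-day reclaim and the "Lock" behaviour interact in ways that are easy to misjudge, here is an added example (my own code, not anything from Cloaked) that models a masked number exactly as the review describes it: outgoing calls and texts only to counterparts that contacted you first, idle numbers reclaimed after 60 days, and a locked number that never expires but accepts nothing from an unknown caller. The class, method names, day count and the sample counterpart names are assumptions used for illustration; the re-issue collision the review leaves open is deliberately not modelled.

```python
# Added example (not from the original review): a model of the masked-number
# rules as described above, for reasoning about what a number can and cannot
# do before relying on it. Nothing here contacts any service.
from datetime import date, timedelta

# Idle period after which an unlocked number is reclaimed (as stated in the review).
RECLAIM_AFTER = timedelta(days=60)


class MaskedNumber:
    """One VoIP number attached to one Identity (names are constructed)."""

    def __init__(self, number, issued):
        self.number = number
        self.last_inbound = issued   # issue date counts as the start of the idle clock
        self.connected = set()       # counterparts that have called or texted this number
        self.locked = False

    def reclaimed(self, when):
        """An unlocked number with no inbound traffic for 60 days is recycled."""
        return not self.locked and when - self.last_inbound > RECLAIM_AFTER

    def inbound(self, caller, when):
        """A call or text arrives from `caller`; returns True if it is delivered."""
        if self.reclaimed(when):
            return False
        if self.locked and caller not in self.connected:
            return False             # locked: only already-connected numbers get through
        self.connected.add(caller)
        self.last_inbound = when
        return True

    def can_reach(self, callee, when):
        """Outgoing call or text is only possible to a number that contacted you first."""
        return not self.reclaimed(when) and callee in self.connected

    def lock(self):
        """Keep the number permanently; freezes the set of accepted counterparts."""
        self.locked = True


def walkthrough():
    """Constructed scenario: a doctor's office calls, the number is locked,
    then the same office calls back from a different line."""
    doctor = MaskedNumber("555-0100", date(2024, 1, 1))
    before = doctor.can_reach("office-main", date(2024, 1, 2))      # False: never called you
    delivered = doctor.inbound("office-main", date(2024, 1, 5))     # True: now connected
    after = doctor.can_reach("office-main", date(2024, 1, 6))       # True: can call back
    doctor.lock()
    other_line = doctor.inbound("office-billing", date(2024, 1, 7)) # False: unknown caller blocked
    years_later = doctor.inbound("office-main", date(2025, 1, 7))   # True: locked numbers never expire
    return before, delivered, after, other_line, years_later


if __name__ == "__main__":
    print(walkthrough())
```

The last two results are the practical caveat: once locked, a number is only useful for counterparts that reached it before the lock, so lock after the service has actually called or texted you, not before.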

Personally, I do not connect my true cellular number to my account. I never use that number for any purpose. Also, if you forward calls and text messages through your true number, even though you are masking that number from anyone on the other end, you are creating a lot of metadata with your cellular provider. All of those calls are now documented by your ISP, but they would all show you were calling Cloaked servers. All of your voice calls use your own cellular minutes on your cellular network. I prefer to simply receive a voicemail which I can listen to through the web or app. I can also send and receive SMS messages directly through web or app once I am connected to another number.

Pricing: During your trial, you will likely receive an offer to upgrade to the full version at a discounted rate ($4x annually). If you plan to upgrade, take this offer. Once my trial was over, I could only renew at the upgrade rate ($5x-$6x annually). Their website lists $96 as the full-price annual rate. I believe anything less than $60 is a great price for the service. On one device, we were allowed to use a Privacy.com card, but on another we were blocked. If you will be using this as a way to connect to services under your true name, I see no reason to hide your identity. I used my AMEX to make the purchase.

Documentation: Cloaked offers plenty of fields to name your identities and provide data such as the company, website, password, notes, etc. I do not use much of this, but it is well done. Below is a screen capture.

Wallet: This was the most interesting part for me. I rely heavily on Privacy.com and want a redundant option for masked payments. I requested to join the Cloaked beta program for masked payments and was accepted. I had to provide my true name, DOB, and SSN for financial verification. This will upset some, but should be no surprise. US laws require financial institutions to verify their customers. I was excited that I was confirmed on the first try. From there, you must connect a source of payment. You can connect a bank account, debit card, or credit card. I chose my business AMEX credit card and it connected through a third-party processor called Stripe. I have no objection to any of that association. There is no such thing as a completely anonymous US financial account. I could then generate new cards and select the available dollar amount and limits (day/week/month/one-time/fixed). Cloaked placed an authorization on my credit card for the amount I approved on the card. This issued me a MasterCard for use online. I tested this by making a payment for my trash service. Everything worked as expected, and very similar to Privacy.com. My AMEX showed a charge from Cloaked, but not the merchant. The merchant saw my alias and Cloaked card number, but not my AMEX. Unlike Privacy.com, I did not have to associate any bank account or provide account credentials for verification. Stripe made the connection to my credit card with minimal details.

Future: I had my office reach out to Cloaked about a few issues we were investigating, and the CEO confirmed they have many new features on the immediate horizon. I will not disclose them here; that is up to them. However, I believe the pricing will fluctuate upward once we start to see major new features. If you have a need for this type of service, I would join at the lowest rate you can get now, and hope to be grandfathered in.

Affiliate: Cloaked offers an affiliate program to refer people to their service. I have not tested this, but supposedly you and I each receive $10-$25 if you use the following link to create your free trial account and then upgrade to a paid plan. This link will lock you into a free two-week unlimited trial with no commitment.

https://try.cloaked.app/vAk1/2hrvbzxoyx

Who is this good for? I think it is a great option if you need many phone numbers and only want to use each for a single purpose. Get them connected, lock them in, and forget about them. It may be an option for people who are unable to use Twilio, Telnyx, VoIP.ms, etc. However, it is not a good fit for people who need a fully-functioning two-way telephone number. If you make many outgoing calls, this is not for you. This is an option to mask mostly INCOMING connections, which has value. I have no idea what the current wait-list is for the beta program for their wallet service. If you can get in, I see even more value there.

How will I use this? I will create one-time VoIP numbers and email aliases through the Cloaked app or web interface. I will receive only voicemails and text through the service with no forwarding whatsoever. I have seen reports from users that creating hundreds of phone numbers will get your account locked, which I respect. I currently possess 40 numbers and everything just works. I will lock in numbers in order to prevent them from disappearing when appropriate. I will continue to test the payment options.

Overall, I like this service for what it is. It is a great incoming communication mask with payment option. I will still maintain my other VoIP solutions for true two-way unlimited usage. I believe we will see continuous changing and evolving from Cloaked. Once new features arise, I will update this review within UNREDACTED Magazine.

UNREDACTED Magazine Issue 006

UNREDACTED Magazine Issue 006 is now available!

https://inteltechniques.com/magazine.html
https://inteltechniques.com/issues/006.pdf

Many thanks to our sponsors:

SLNT: https://slnt.com/
PredictaLab: https://www.predictasearch.com/
Tuta: https://tuta.com/unredacted
Cyber Ways Podcast: https://business.latech.edu/cyberways
Fortify24x7: https://www.fortify24x7.com/
Unchartered: https://www.unchartered.info/
Calabash Investigative Consultants: https://www.calabashicllc.com/
Astropost: https://astropost.io/