Category: Privacy

More Bad Gun Safe OPSEC

I have a dumb habit. Every time I enter any store which sells gun safes, I immediately check for personal exposure. I have blogged about this before. Today, I want to take things a step further. While walking through a store this week, I observed the following receipt taped to a large gun safe.

This $1600 gun safe is on layaway. Instead of setting it in the back, the store personnel simply taped a receipt on it displaying the future owner's name and cell number. Let's query the number through a caller ID database.

We now know that "Allen" (from the receipt) likely has a spouse named "Hannah" (the cell phone owner), and I know the county they likely live in. A property search for those names in that county reveals the following.


I now know the likely location where this gun safe will be delivered in the near future. However, that does not get me INSIDE the safe. I tried another tactic. The following was displayed right next to the previous safe.

Once again, I have the name of the owner, but this time the sales associate was kind enough to include both a landline and cell on the ticket. The cell comes back to:

However, the landline returns to a small gun shop in the county (which had recently been burglarized):


I asked an associate if I could see the inside of the safe, as I was considering purchasing an identical unit. My hope was that the combination was present inside. Instead, she walked to the back and returned with all of the paperwork from that safe. As she entered the combination, she made sure to read it aloud for me to copy. If I were a burglar, I would have a new target for a safe-full of guns. Surprisingly, most owners of programmable safes never change the combination.

Please everyone, only purchase a gun safe with cash on the day you will retrieve it. Do not provide any name or loyalty number. If allowed, change the combination before use.

Darter Pro Part 2: Truly Secure Dual-Booting

This is a followup post from my original Darter Pro review.

The concept of dual-booting a computer is not new. Apple devices have had Bootcamp as an option to run both macOS and Windows natively from the same drive. In the late 90's I had Windows 98 and Linux partitions ready to boot at all times. The technology has been available a long time. However, SECURE dual-booting needs to be discussed more.

By default, a MacBook Pro with Bootcamp running Windows offers two isolated operating systems on one drive. You can choose which to load upon a reboot. Each operating system has its own partition on the overall drive and neither is encrypted by default. You could dual-boot a Windows computer to launch Linux from a separate partition just as easily. However, encryption can cause issues.

While it is possible to encrypt two systems within the same drive, it is problematic. We like to have true FULL-DISK encryption which makes the entire drive readable by only one system. There are tweaks which can allow for two PARTITION-ENCRYPTED systems within the same drive, but there will always be minor security sacrifices. This is where the new Darter Pro (and any other laptop with dual NVMe ports) provides a much better solution. You can add a second internal NVMe drive in order to possess two isolated systems, each with true full-disk encryption. The following are the steps I took to possess two secure versions of Pop!_OS on my machine, and encrypted Pop!_OS along with encrypted Windows 11 for a client.

First, I needed a second NVMe drive. I chose the Crucial 1 TB P3 Plus (https://amzn.to/4aC5vfC) for $69. However, I could have also just ordered a second drive from System76 and saved the headache. They would have installed it for me.

Next, I needed to open my new Darter Pro. This always makes me nervous, as I do not want to crack, chip, or break anything. Fortunately, the process was simple. I removed all eleven of the screws on the back cover, and within the grey ledge. The following displays the screws removed.

My first inclination was to remove the interior back-plate, which was wrong. I needed to remove the entire silver housing. I carefully separated the silver casing from the black casing, starting at the front of the laptop. I applied a plastic tool commonly used for cell phone repair to get in the crack, then carefully unsnapped each connector as I worked my way around the case. I could now access the interior, as seen in the following image.


The NVMe drive is seen in the lower-right, and the second NVMe slot can be seen in the upper-right. I removed the existing drive (to make sure I did not overwrite it) and placed the new 1 TB NVMe drive in the second slot. Both drives can be seen in the following image.

I then inserted a Pop!_OS USB installer and installed Pop!_OS to the new drive. I activated full-disk encryption as the default option. After successful installation, I replaced the original drive back in the first slot. I then booted the computer and immediately pressed "Esc" to enter the coreboot BIOS. I selected "One Time Boot" and confirmed that both drives were selectable, as seen in the following image.

I tested booting to each and confirmed that they were unique versions of the OS within the different drives. I then changed the boot order of the drives themselves. I re-entered the BIOS, selected "Change Boot Order", and made the 1 TB the default boot option (in this case the SK hynix) and the 4 TB (Samsung) the secondary. The following displays my changes.

This is the drive (1 TB) which I will use as my personal machine. Whenever I want to boot to the 4 TB for breach work, I can press "Esc" upon boot and select it. My daily driver (1 TB) has a blue background (safe) while the breach data drive (4 TB) has a bright red background to remind me that I should not do anything personal within that drive. This allows me to stop carrying two laptops around while still having secure access to my data. If the laptop is lost, stolen, or seized, I have no concern about my data. Without the unique passwords I have assigned to each drive, which possess true full-disk encryption, the data is protected.

Let's think about this further. Each drive is encrypted and cannot see the other. I can completely trash my breach data drive with every known Linux virus, and know that nothing on it can touch my personal usage drive. While this is typically assumed to be the case with virtual machines as well, there are many known VM escapes which can breach the boundaries. I don't mind this when doing OSINT work in a VM on a dedicated OSINT machine, as there is minimal risk. However, I would never trust a VM to isolate malicious data while the sensitive personal host is running. Since I cannot boot both of these drives at the same time, I have no worries. This is the only real way to have complete isolation of data.
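As an added example (not code from the original post), the following POSIX shell script checks the property the two-drive layout above relies on: the booted OS has nothing but LUKS containers (plus the EFI System Partition) on its own drive, and its /etc/crypttab never unlocks a container on the other drive. It parses `lsblk -P` output; the device names, UUIDs and crypttab lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the "one OS per NVMe
# drive, each with full-disk encryption" layout described above. Input is the
# shape of:  lsblk -P -o NAME,TYPE,FSTYPE,PARTTYPE,UUID,PKNAME
# plus the booted system's /etc/crypttab. All sample data below is constructed.

ESP_GUID=c12a7328-f81f-11d2-ba4b-00a0c93ec93b   # EFI System Partition type GUID

# Constructed sample: nvme0n1 is the daily driver, nvme1n1 the breach-data
# drive, which deliberately carries a plain (unencrypted) swap partition.
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" FSTYPE="" PARTTYPE="" UUID="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" UUID="1111-AAAA" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" UUID="aaaa-1111" PKNAME="nvme0n1"
NAME="cryptdata" TYPE="crypt" FSTYPE="LVM2_member" PARTTYPE="" UUID="bbbb-2222" PKNAME="nvme0n1p2"
NAME="data-root" TYPE="lvm" FSTYPE="ext4" PARTTYPE="" UUID="cccc-3333" PKNAME="cryptdata"
NAME="nvme1n1" TYPE="disk" FSTYPE="" PARTTYPE="" UUID="" PKNAME=""
NAME="nvme1n1p1" TYPE="part" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" UUID="2222-BBBB" PKNAME="nvme1n1"
NAME="nvme1n1p2" TYPE="part" FSTYPE="crypto_LUKS" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" UUID="eeee-5555" PKNAME="nvme1n1"
NAME="nvme1n1p3" TYPE="part" FSTYPE="swap" PARTTYPE="0657fd6d-a4ab-43c4-84e5-0933c84b4f4f" UUID="ffff-6666" PKNAME="nvme1n1"'
SAMPLE_CRYPTTAB='# constructed: the daily driver unlocks only its own container
cryptdata UUID=aaaa-1111 none luks'
SAMPLE_CRYPTTAB_BAD='cryptdata UUID=aaaa-1111 none luks
breach UUID=eeee-5555 none luks'

# Extract KEY="value" from one lsblk -P line; the leading space keeps NAME
# from matching inside PKNAME.
field() { printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"; }

# Print every partition on DISK ($1) that is not a LUKS container, apart from
# the EFI System Partition. A plain swap partition is reported too: it sits
# outside the encryption and can hold whatever was in memory.
plaintext_parts() {
  printf '%s\n' "$2" | while IFS= read -r line; do
    [ "$(field TYPE "$line")" = part ] || continue
    [ "$(field PKNAME "$line")" = "$1" ] || continue
    [ "$(field FSTYPE "$line")" = crypto_LUKS ] && continue
    [ "$(field PARTTYPE "$line")" = "$ESP_GUID" ] && continue
    field NAME "$line"
  done
}

# Print the physical disk behind each crypttab source (UUID= or /dev/ form),
# deduplicated. The booted system should resolve to exactly one disk; a second
# name means this OS unlocks a container on the other drive.
crypttab_disks() {
  printf '%s\n' "$1" | while IFS= read -r entry; do
    case $entry in ''|'#'*) continue ;; esac
    src=$(printf '%s\n' "$entry" | awk '{ print $2 }')
    printf '%s\n' "$2" | while IFS= read -r line; do
      case $src in
        UUID=*) [ "$(field UUID "$line")" = "${src#UUID=}" ] || continue ;;
        /dev/*) [ "$(field NAME "$line")" = "${src#/dev/}" ] || continue ;;
        *) continue ;;
      esac
      field PKNAME "$line"
    done
  done | sort -u
}

# Return 0 when DISK ($1) has no plaintext partitions and crypttab ($3) stays on it.
isolated() {
  [ -z "$(plaintext_parts "$1" "$2")" ] || return 1
  [ "$(crypttab_disks "$3" "$2")" = "$1" ]
}

for d in nvme0n1 nvme1n1; do
  if isolated "$d" "$SAMPLE_LSBLK" "$SAMPLE_CRYPTTAB"; then echo "$d: isolated"
  else echo "$d: review $(plaintext_parts "$d" "$SAMPLE_LSBLK")"; fi
done
```

On a live machine, feed the functions the real output of `lsblk -P -o NAME,TYPE,FSTYPE,PARTTYPE,UUID,PKNAME` and the contents of /etc/crypttab in place of the samples, once from each booted drive.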

I repeated this process for a client who needed Linux as a daily driver, but also Windows as an option. Specific software he needed to use is blocked within virtual machines, and he needed Windows running directly on the host. I installed Windows 11 to the second drive and activated BitLocker for the full-disk encryption. I then made the Linux drive the default for boot order, and he can reboot, press "Esc", and select Windows whenever it is needed. Note that I had to install the Intel update program in order to fetch all of the wireless drivers. Dual booting can help ease the permanent transition from Windows to Linux. You will always know that you are a reboot away from the familiarity of Windows.

In hindsight, I should have just ordered a second drive with the machine. I would not have had to open it at all. Lesson learned, but it is great to have a laptop which I can open to modify the hardware. You can't do that with a Mac. Speaking of hardware ... The Darter Pro is the first dedicated Linux laptop I have owned which passes the one finger test. I am able to open the lid with one finger, and the rest of the body does not move. The laptop stays in place without bumping up off of the flat surface. I know that is very minor, but it has always been a pet peeve of mine. My current MacBook Pro can't even do that.

Digital Guide Updates 2024.06.01

Today, we updated all six of our digital supplement guides. If you purchased any, please check your email for the download link(s). If you would like more information on these guides, please visit https://inteltechniques.com/books.html. The following provides details of each update:

OSINT Techniques-10th Edition:
(Minor): No content updates in order to preserve the 10th edition, but added a brief disclaimer about expired content before Chapters Two and Thirty. This also resets the download clock for all purchases.

Extreme Privacy-4th Edition:
(Minor): No content updates in order to preserve the 4th edition, but added a brief disclaimer about outdated content before Chapters One and Two, and at the end of Chapter Four. This also resets the download clock for all purchases.

OSINT Techniques-Leaks, Breaches, and Logs:
Page 94 (Minor): Added new search hint.
Entire Guide (Minor): Emphasized Pop!_OS over Ubuntu for host machines.

OSINT Techniques-The Ultimate Virtual Machine:
Page 34 (Minor): Added section about macOS to VM VPN interference.
Page 50 (Minor): Added section about Linux to VM VPN interference.
Page 65 (Minor): Added section about Windows to VM VPN interference.
Pages 49-50, 65-66, 79, 84, 222 (Major): Updated several sections for the transition from VMWare Workstation Player to Workstation Pro.

Extreme Privacy-Mobile Devices:
Page 73 (Major): Added new section about recent Twilio Customer Profile demands.
Pages 93-95 (Major): Added new section about Cloaked.

Extreme Privacy-macOS Devices:
Page 28 (Major): Added page to discuss the latest Little Snitch landscape including new versions and features.
Page 79 (Major): Added new section about recent Twilio Customer Profile demands.

Extreme Privacy-Linux Devices:
Pages 13-14 (Major): Updated hardware recommendations based on new Darter Pro.
Pages 15-18 (Major): Added new section for truly secure Linux dual-booting.
Page 73 (Major): Added new section about recent Twilio Customer Profile demands.

Extreme Privacy-VPNs and Firewalls:
Pages 61-62 (Major): Added optional section to configure a second VPN in the firewall.

Choosing A Linux Laptop: The New Darter Pro

I have been due for a new laptop for some time. Mine both work, but they have been beaten up by constant travel and I am due for a performance boost. I am also growing tired of having a machine for personal work and a dedicated OSINT/Breach machine. I have been watching the System76 site for a while and monitoring their new products. I finally executed and now have a single System76 Darter Pro with truly secure, fully encrypted, dual-boot internal drives ready for all of my needs. It feels like the right time to update my preferences for a Linux laptop, and explain how I choose the ideal machine.

First, we need to define the scope of the ideal laptop. If you are a macOS user, then you just find the shiny product you like and customize the specs. If you are a Linux user, you may feel overwhelmed by the options available from many providers. If you are a Windows user, please consider becoming a Linux user.

You could take practically any used Windows (or Intel macOS) computer and reformat the drive with Linux. That is a great way to get a feel for the operating system before committing. If you know you want to switch to Linux, then I recommend purchasing a new laptop designed for Linux. There are a few providers who cater to this, and I hope to eliminate a couple right away. Purism makes an outdated and overpriced Linux laptop, and I would never consider buying anything from them. They are still trying to fulfill orders from five years ago, and refuse to provide a refund if they never ship your product. I am shocked they are still in business. Please avoid them. Framework came out with a very interesting product which has swappable parts, such as Ethernet or USB ports, but I do not recommend them either. I have witnessed numerous devices fail and the components wear out way too quickly. Finally, Tuxedo offers dedicated Linux machines, but they cater mostly to European customers. I have no issues with Tuxedo computers, but I believe we have a much better option.

It should be no surprise to readers that I am a System76 fanboy. I have been recommending their products for many years, and I use them daily. It is not because they are making a physical product which is unavailable anywhere else, because that is not true. System76 uses mostly Clevo machines purchased in bulk which anyone can buy. The reason I choose System76 is their custom open-source firmware and attempts to disable as much of Intel's processor management as possible. These two options cannot be overstated, as well as their customer support.

When you purchase a System76 laptop, they have already eliminated the stock firmware and replaced it with their own customization of open-source coreboot. This removes all of the unknown blobs, connections, and suspicious software which is always running at the root of your machine, regardless of encryption. I see so many people screaming about the importance of full-disk encryption, but most of them are running closed-source firmware outside of that encryption which could be doing malicious things. Therefore, I only consider System76 machines for my personal Linux usage.

This presents the next issue. There is some substantial complexity of choice when buying a System76 laptop. This has gotten better since they eliminated a couple of older models, but today you still must choose from the Lemur Pro, Darter Pro, Pangolin, Adder WS, Oryx Pro, Serval WS and Bonobo WS. This is a very personal choice, but I offer my process of elimination.

First, I do not need dedicated graphics. I am not a gamer and I do not process 4K video all day. I do not mine cryptocurrency and I simply do not want to pay a premium for power I will never use. This eliminates the Adder WS, Oryx Pro, Serval WS and Bonobo WS for me. We are left with the Lemur Pro, Darter Pro, and Pangolin. The Pangolin is out for me because it has an AMD processor, which possesses its own processor management operating system which cannot be disabled. Both the Lemur Pro and Darter Pro have most of Intel's Management Engine (ME) disabled by default, so either works for me.

I insist on both USB-A and USB-C ports, and both machines offer that. I prefer to possess a microSD slot, and both have me covered there too. I also insist on an Ethernet port. I often need to connect directly to a firewall or network without Wi-Fi, and this is essential to have. Only the Darter Pro has every port I need with all of the features I demand. I am writing this post on my new Darter Pro.

I prefer a 14" model since I travel often. I am sure the 16" has a beautiful screen, but the mobility is more vital to me. The machine works great and looks slick. If you are transitioning from any other Windows computer, I think the overall build and feel will be superior to your previous experiences. If you are a macOS user accustomed to the latest MacBook Pro machines, many previous Linux devices may feel "plasticy" or "cheap". This one does not. The new Darter Pro seems to have the most premium build of the lightweight models. I have been testing various Linux laptops for many years, and this one is hands-down the best I have had. Some will say it can never compete with the aesthetics of a MacBook Pro, Air, etc., but I think it comes close. That leads us to the specs.

The new Darter Pro offers the new Intel 4.5 GHz Core Ultra (U) 5 or the Intel 4.8 GHz Core Ultra (U) 7. I went with the 5 at a $129 lower price. It has plenty of speed for my usage. If you know you will need the extra boost, then go with the 7. You cannot change the processor after purchase (but you can modify the RAM and drive). I have yet to max out the processor, so I have no need for the upgrade.

I went with 32 GB of RAM, which I think is overkill for most people. Since I use multiple virtual machines simultaneously, I wanted to be covered. Again, I have yet to come close to maximizing the RAM usage, but 16 GB could have caused me some issues.

I have a 4 TB internal PCIe4 M.2 NVMe drive. That is also overkill for most, but I will be using this for breach data work which can quickly exceed a couple of terabytes. Having this large internal SSD allows me lightning fast queries and imports. Shaving off a few seconds here or there may seem like a small benefit, but it becomes vital when dealing with terabytes of data.

The screen has a matte finish and looks great. I am mostly at my home office connected to an external monitor, so this is not a priority to me anyway. However, I spent a few hours on the unit itself and found no issues with the 14" screen. The brightest setting was actually too bright. The keyboard is great, and better than the previous generations. There is much less of a "hollow" feel which is common in Linux machines. The track-pad is also better than the previous models, and has a nice matte "velvet" feel to it. It is extremely responsive, especially when tapping to click. The embedded Intel graphics are all I need, and allowed me a longer battery life. I never felt the need for a dedicated graphics card.

Battery life is never the same for everyone. Light browsing may provide a long range while heavy processing might reveal minimal life before recharging. Since I am usually plugged in, battery life is not a priority for me. However, I achieved almost 5 hours while thoroughly testing for this review.

One thing I did not expect to make a difference was the placement of the Ethernet port. This model has it on the back of the device instead of the side. I like this feature. It keeps the cable out of my sight and away from my external mouse. HDMI is also on the back. I do not use Bluetooth, but the Wi-Fi 6E performed as expected. Internal transfers approached the speed limitations.

As I recommend for others in my Extreme Privacy: Linux Devices book, I rely on Pop!_OS as my operating system. I no longer use Ubuntu on any machine or VM, and Pop!_OS has spoiled me with their application storefront and overall fluid environment. I am impatiently awaiting their new Cosmic 24.04 release, which is a full rebuild of the OS. Until then, the current stable build works great on this machine.

Overall, the machine just "feels" good. It feels more solid, possibly more "premium", than previous models. The size is perfect for me and the value is appropriate. My machine has a retail price of $1,697.00, but I chose a 4 TB internal drive. The same machine with a 1 TB drive would have been $1,393.00 ($100 less if pre-ordered). That is a great deal for a dedicated Linux machine with open-source firmware and disabled Intel ME. I know of no other device which gives you this. Combine this with a full-disk encrypted Pop!_OS and you have what I believe is the most private and secure system available today. It is both my daily driver and my breach data machine (more on that soon).

Below are some photos I took to provide some insight which may not be obvious in the stock images on the System76 website. This is a comparison to the 14" MacBook Pro.


MacBook Pro (left) and Darter Pro (right)


Darter Pro (left) and MacBook Pro (right)


MacBook Pro (top) and Darter Pro (bottom)


MacBook Pro (top) and Darter Pro (bottom)

MacBook Pro (top) and Darter Pro (bottom)

In the next post, I will explain how I use multiple internal NVMe drives to securely dual-boot full-disk encrypted operating systems within open-source coreboot for true security. This allows me to safely carry one machine for both personal and breach data usage. Readers of my book Extreme Privacy: Linux Devices will also receive this content within their book updates by June 1, 2024.

Disclosures: I was not paid to write this article and I was not asked to write this review. I gave no editorial control for this and the opinions are mine. System76 allowed me temporary access to a demo unit before it was publicly available. I am not a System76 affiliate and I do not receive any payments for orders placed due to this review. I just like the machine.

Census Bureau Considering Cellular Tracking

One of the members of my online training posted some interesting screen captures to our private group, and authorized me to share them here. This person participates in surveys offered by the U.S. Census, and was surprised at the questions being asked. I typically avoid any types of surveys, as they can be an invasion of privacy, but this makes me think differently about future participation. What better way to know what your government is considering than to be asked your opinions about potential changes to procedures? Consider the first question of the survey, knowing that the Census is usually conducted via postal mail and direct physical visits.


This tells me that the Census is considering accessing IRS records to identify occupants of a home. This is not too shocking, and I am somewhat surprised they do not already access IRS data. I am not in favor of this, but this is the least of my worries since I do not file my federal taxes under my home address.


This tells me that the Census is considering accessing Social Security records to identify occupants of a home. This is also not too shocking, and I am equally surprised they do not already access SSA data. I am also not in favor of this, but this is no concern to me or my clients. If you associate your true name to your home address for federal government programs, you should not expect any privacy from Census records.

This one hits closer to home. Most of us are deeply exposed within credit reports, and I would hate to see that become the data populating Census records. However, it gets worse...

The previous questions simply asked for an opinion. This one clearly states that the Census Bureau is PLANNING to use information from PRIVATE companies for Census fulfillment. We have no idea which companies are being considered, but we can be assured that the relationship will be two-way sharing. Not only will a private company populate Census records, but they will also likely receive all available information from the Census to abuse on their own.


We are now being informed that the Census may just forgo the mail or visit options altogether and rely solely on inaccurate and outdated details provided through the previous avenues. However, the following is the true concern.

This confirms that the Census Bureau is considering tracking your cellular telephone location history to identify the members of a household. I am often ridiculed for placing my (anonymous) mobile phone into a Faraday bag before arriving anywhere near my home. Maybe I am not crazy after all.