This post originally appeared at https://program-think.blogspot.com/2019/01/Security-Guide-for-Political-Activists.html under the title 为啥朝廷总抓不到俺—十年反党活动的安全经验汇总 on January 30, 2019. It has been translated into English by Google Translate.
Security Guide for Political Activists
I haven’t been online for several days, and some readers may think that something happened to me. Do not worry! I was still replying to comments on the 21st, and as of the time of posting this blog post, it is not beyond the 14-day period of normal silence.
Because this post tries to share the whole of my technical experience from ten years of anti-party activity, it involves a lot of scattered material, and organizing it took a little more effort and time.
Readers who are familiar with my blog know that I have smeared the party-state for many years. From the first political blog post to writing this summary, the time span has exceeded 9.5 years, rounding up to the nearest ten years :)
I remember many years ago, someone said to me in the blog comment area (the following is to the effect): “You kid can be thrilled on the Internet because the network supervision department has not noticed you; when the Internet police start to look at you, you can wait to die.”
At that time, many things had not yet happened, and I lacked the material to refute this. Now I can refute it confidently: the relevant departments of the imperial court have had their eye on me for a long time; unfortunately for them, there is nothing they can do about me.
If you want to see the evidence, please read “The Tenth Anniversary of the Opening of the Blog” (the chronicle posted a few days ago). I excerpt a few of the main points:
The above-mentioned signs have already shown that I am a thorn in the eyes of the relevant authorities of the imperial court.
After all this talk, I only want to make one point: my defense measures are basically reliable! In other words, I dare not say that they are perfect (perfection is impossible), but at least there are no obvious loopholes. Otherwise (if there were obvious loopholes), I would either have been pursued across provinces or had my accounts compromised. How else could I have “willfully discredited the court and viciously attacked the party and state leaders” for the past ten years?
After blogging for so many years, I have the feeling that inside the wall many politically minded people lack information-security skills, and therefore cannot use the Internet to fight the party-state.
There are already many pro-democracy websites outside the wall, and many pro-democracy activists have opened social network accounts. But they live outside the wall after all. The democratization of the celestial dynasty cannot rely solely on people overseas; the key is those of us living inside it. So this article is, first of all, meant to help netizens who are interested in engaging in anti-party activities.
Second, it is to help those who defend freedom of speech on the Internet. I once wrote an article, “N Kinds of Technical Forces to Fight against Despotism and Defend Freedom” and talked about this issue.
Of course, all technologies are double-edged swords — they can all be abused. Some guys who do bad things on the Internet will also benefit from this article. Regarding this point, I am also very helpless :(
However, I will not stop the dissemination and popularization of technology because of the possibility of technology being abused.
Over the years of blogging I have written many information-security literacy tutorials (see the list of related posts at the end of this article). Much of what I will talk about today is already covered in those tutorials. So why write this one at all?
Because what I wrote before was each about one specific aspect or one specific piece of software. This post strings all of it together, for the benefit of readers who have only just started with information security.
To keep old readers from saying I am “frying cold rice” (rehashing old material), this article also contains some content I have not talked about before. In addition, the last chapter attaches several real cases as negative examples.
Suppose you want to emulate me — long-term use of the Internet for anti-party activities. The following two principles need to be kept in mind at all times.
The following discussion will focus on these two points.
Regarding the concealment of identity, I add: Even if your body is located outside the wall, it is still necessary to ensure that your identity is concealed!
(The “domestic” mentioned here refers to the area under the jurisdiction of the “great, glorious and correct” Party, including Hong Kong and Macau but excluding Taiwan.)
If you want to conduct sensitive political activities on the Internet, you must keep this principle in mind, because using domestic Internet services for anti-party activities greatly increases your exposure to risk.
Take me as an example. When I first started the blog (early 2009), I also registered a CSDN account and set up a mirror blog on CSDN (for details, see “The Tenth Anniversary of the Opening of the Blog”). As I discredited the party-state more and more brazenly, that CSDN account was used less and less.
Although I accessed CSDN through Tor the whole time (so the CSDN server could not learn my public IP), it could still learn the times of my online activity. Please note: a timeline also constitutes a certain amount of information. For a detailed introduction, see part 9 of the “How to Hide Your Tracks and Avoid Cross-Province Pursuit” series, “9: Social-Engineering Precautions from the Time Perspective.” Besides online-time information, there is also system information.
Many websites now rely heavily on JavaScript (disable JS and the site becomes unusable). So if you use a network service inside the wall, the JS on its website may collect some system information from your local machine.
If time information and system information are not enough to scare you, let me mention one more thing: when you use network services inside the wall, all of your user behavior may be collected and monitored by the relevant departments. What is “user behavior”? If you use a chat service (IM), it is everything you have written and read; if you use an email service, it is all the mail you have sent and received.
Please note: the amount of information contained in “user behavior” is very large. The moment you are careless and involve information related to your true identity, that information may become a clue for tracing your identity later. (If you don’t believe it, see one of the negative cases at the end of this article.)
There is another insidious trick that is easily overlooked: if the Internet police take an interest in your account on a website inside the wall, they can simply go to the company concerned and obtain your account password. They can then control the account directly. For example, once the Internet police control one of your IM accounts, they can chat with the account’s other contacts in your name (insidious, isn’t it?).
I have been asked more than once: Why doesn’t the blog use an independent domain name? To be honest, I have always felt that as long as the blog content is good enough, it doesn’t really matter whether there is an independent domain name or not.
In addition, from an information-security perspective, an independent domain name adds risk. Because domain names are a scarce resource, registering one necessarily involves a purchase (that is, a payment). Whether you pay in cash or in bitcoin, the payment exposes some information related to your identity. (In plain terms: it increases the risk of identity exposure.)
(Note: The server mentioned in this section is in a broad sense, including physical hosting and VPS.)
There are two situations for this question:
Speaking of the dark web, one thing to add: many people are overly superstitious about its capabilities. Let me remind you: the dark web only makes you invisible at the network level. To be completely invisible, you have to take precautions at multiple levels. (The other levels will be discussed in the following chapters.)
Briefly, a few points of reference:
You have to choose a completely different screen name, one that does not resemble any screen name you have used before. While on the subject, let me share my experience with creating screen names. A screen name that is too long is hard to remember (bad from a communication point of view); one that is too short is easily confused with other names (less recognizable). So choose a name that is both easy to remember and distinctive.
For example, when registering an email address you will be asked for your birthday. Don’t write the real one; just make one up. As for mobile phone numbers and ID card numbers, these must certainly not be filled in truthfully. (Note: SMS verification is discussed below; don’t worry.)
Registering the account is the starting point of the sensitive virtual identity. If identity information leaks during registration, it is useless no matter how well you hide afterwards! So you must make sure the entire registration process goes through an anonymity network. Only then can you completely avoid exposing your public IP. In other words, even if the web server records the visitor IP during registration, that IP is not your real public IP.
As the name suggests, an anonymity network is one of the methods that helps you achieve anonymity. Performing operations through an anonymity network (such as posting comments) makes reverse tracing at the network level extremely difficult. Note: many people confuse anonymity networks with the dark web. In fact these are two concepts of different dimensions. The confusion arises because several well-known tools (Tor, I2P) are both dark webs and anonymity networks.
The original purpose of circumvention tools is to break through the GFW, not to anonymize you. If you care a lot about anonymity (for example, if you want to post sensitive political speech), then you must use a dedicated anonymity network.
The two most famous anonymity networks are Tor and I2P. I personally recommend Tor, but if you want to use I2P I have no objection. I have written tutorials on both (see below).
Tor tutorials, from the “How to Overcome the Wall” series: “Literacy: Tor Browser 7.5 — Configuration, Optimization and Principles of the Meek Plug-in” (covers the Tor Browser Bundle, which is foolproof and supports all major desktop systems); “Literacy: Arm — a Front-End Interface for Tor (Replacing the Deceased Vidalia)” (covers “bare” Tor on Linux, with a higher technical threshold); and “Tor: Common Questions and Answers” (a FAQ).
I2P tutorial: “How to Overcome the Wall” series: Simple Literacy I2P Use (this is an introductory I2P tutorial).
Let me say first: since I started blogging relatively early (early 2009), mobile Internet was not yet popular and many accounts did not need to be bound to a phone. That was convenient for a lazy person like me and saved a lot of trouble. Nowadays more and more accounts require phone binding (SMS verification at registration). In that case you must never use your real mobile phone for the binding!!! Many readers will ask: what then? Roughly two tricks are available (as follows):
Trick 1: Virtual numbers. Search the Internet and you should find plenty of free “virtual number services” that can receive verification SMS for you. When using this trick, note one thing: the entire use of the virtual number service must also go through the anonymity network!
Trick 2: Anonymous mobile phone cards. Mobile phone cards today are all under the real-name system, so to find an unregistered card you need to go overseas; Hong Kong reportedly has them. (As for where else they can be bought, readers are welcome to add to this.) Of course you don’t need to make a special trip overseas just for a phone card; buy one on the side when you happen to travel abroad. When using this trick, pay attention to a few points:
Some big-brand laptops have both of these functions. When you get a laptop, turn these two on first.
After enabling them, every cold boot requires two passwords: the power-on password and the hard disk password. Some readers may find this troublesome; let me stress: if you want better security, don’t be afraid of trouble!
Of course, it is hard to say how reliable these two gadgets are, because the implementation of the two passwords differs greatly between laptop brands (manufacturers). But enabling them is better than not.
Also, precisely because the hard disk lock built into the laptop is not necessarily reliable, you need full-disk encryption at the operating-system level (discussed in a later chapter of this article).
Since BIOS options differ greatly between generations and brands of laptops, I only cite a few examples here. Everyone has to draw inferences from them.
For example: on the Intel architecture, the ME (Management Engine) should be disabled; it is a security risk. AMD’s architecture has something similar, the PSP (Platform Security Processor), which should also be disabled. (Note: some BIOSes cannot disable ME or PSP.)
For example: after installing the system, go into the BIOS boot configuration, disable all other boot entries and keep only “boot from hard disk.”
For example: the “Wake on LAN” function is unnecessary and risky.
(There are many more; I won’t list them one by one. Again: draw inferences from these examples.)
If the operating system you use has many security problems, nothing else will help. So the first step is to choose a sufficiently reliable operating system.
To sum up, use Linux or BSD. The follow-up discussion in this article will also start on the basis of these two.
The operating-system precautions just mentioned mainly concern your physical system (the Host OS). Next: you must use virtualization software to build several virtual systems (Guest OS, or VMs) on the Host OS. This approach greatly improves your ability to defend against intrusion; in certain circumstances it also prevents you from exposing your public IP (a negative case at the end of this article illustrates this).
I have just introduced one method of physical isolation. For other approaches, see part 8 of the “How to Prevent Hacker Intrusion” series, “8: Several Methods of Physical Isolation.”
After using the virtualization software, you should put all daily operations in the VM. Operations with common identities are placed in the “normal VM,” and operations with sensitive identities are placed in the “sensitive VM.”
So your Host OS hardly needs any software (apart from the virtualization software and what comes with the system). By simplifying the Host OS to the extreme, its attack surface is also reduced to a minimum. Always remember: the Host OS is very important!!! If the Host OS falls, every Guest OS running on it falls with it.
Disk encryption software is very important. I will discuss it in a separate section.
Encrypt your hard disk. This is an important magic weapon against the police forensic software. Another advantage is that if your laptop is accidentally stolen, the thief will not be able to see the contents of the hard drive.
Since the disk encryption software depends on the specific operating system, I will use Linux as an example below. Students who use BSD, please follow the same pattern.
Note: if you are not familiar with TrueCrypt or VeraCrypt, the many terms and suggestions in this section will puzzle you. Please first read the following tutorials: “TrueCrypt Use Experience” (series) and “Literacy: VeraCrypt — a Cross-Platform TrueCrypt Alternative.” A few days after publishing this article I wrote another post specifically to supplement the details of disk encryption, especially how to deal with the police: “How to Use Disk Encryption Against the Police’s Forensic Software and Torture to Extract a Confession, with a Talk on Data Deletion Techniques.”
If your network skills are not solid enough, it is recommended to read the following long tutorial first: “Systematic Literacy of Computer Network Communication — From Basic Concepts to OSI Models.”
Both Linux and BSD have built-in operating-system-level firewalls (Linux: iptables and nftables; BSD: PF, NPF, IPFW). Develop the habit of turning on the firewall as soon as the system is installed, and configure it according to the principle of least privilege (anything not needed is prohibited). For example, if you are configuring a PC for personal use that needs no remote access, set the firewall to “prohibit external listening ports.” (The same principle applies to the built-in firewall of each Guest OS.)
Mentioned earlier: use virtualization software to strengthen security. Accordingly, you also need to set the “virtual network card mode” for the Guest OS. My suggestions are:
For detailed principle description and configuration tutorial, see the following two articles: “How to hide your traces to avoid cross-provincial hunting, 6: Use a virtual machine to hide public IP (principle introduction)” and “How to hide your traces to avoid cross-provincial hunting, 7: Use virtual machines to hide public IP (configuration diagram).”
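As an added example, not from the original post or its linked tutorials, here are two nftables rulesets in the least-privilege style described above: one for the Host OS (nothing reachable from outside, all outbound allowed) and one for the sensitive Guest OS, which may only talk to the proxy VM. Linux with nftables is assumed; the proxy VM address and port are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumes Linux with nftables.

# Host OS / ordinary PC: no service is reachable from outside
# ("prohibit external listening ports"); outbound traffic stays allowed.
gen_host_ruleset() {
cat <<'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # IPv6 neighbour discovery must be accepted or the interface stops working
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    # nothing else is accepted: any port a program happens to listen on stays unreachable
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Sensitive Guest OS: same inbound policy, but the ONLY outbound connection
# permitted is to the proxy VM, so a compromised program inside the VM cannot
# reach the Internet directly and leak the public IP. IPv6 is left blocked.
# $1 = proxy VM address, $2 = proxy port (e.g. the Tor SOCKS port); placeholders.
gen_sensitive_vm_ruleset() {
  proxy_addr="$1"
  proxy_port="$2"
cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    ip daddr $proxy_addr tcp dport $proxy_port ct state new accept
    # DNS is deliberately not allowed: names must be resolved through the proxy
  }
}
EOF
}

# Syntax-check a ruleset read from stdin with nft and, if it passes, load it (needs root).
apply_ruleset() {
  tmp=$(mktemp) || return 1
  cat >"$tmp"
  nft -c -f "$tmp" && nft -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Run as root, e.g. `gen_sensitive_vm_ruleset 10.0.2.2 9050 | apply_ruleset`, where 10.0.2.2 and 9050 stand for your own proxy VM address and port.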
Why avoid wireless? In a nutshell, compared with physical network cables, wireless networks significantly increase your attack surface. For example, companies or institutions with a higher level of security protection keep their core network on physical wiring and do not use wireless networks such as Wi-Fi.
Even a fairly ordinary home router provides some basic security settings (firewall, MAC address binding, and so on). Use all of them, and, as just said, configure them according to the principle of least privilege. In addition, if you use the physical isolation scheme above, you will have N physical hosts. In that case you need to configure the home router so that these N hosts are invisible to each other.
As said before, Tor and I2P are the two most influential anonymity networks. Since I personally recommend Tor, let’s take Tor as the example. Readers who want to use I2P, please follow the same pattern.
For many years Tor has been unable to connect to the Internet on its own from inside the celestial dynasty, because the GFW treats Tor as a thorn in its side and blocks all Tor relays. So to use Tor inside the wall you must give Tor a front proxy (usually some circumvention software that still works). Later, the Tor Browser officially released by Tor gained a built-in meek plug-in, which helps Tor connect from inside the wall; this meek plug-in can also be regarded (in a sense) as a front proxy. Originally the front proxy was there to break the GFW’s blockade of Tor, but doing so brings several additional benefits, making your network transmission more robust. What do I mean? Let me explain.
Benefit 1: the ISP cannot know that you are using Tor. Whether you go online at home or at the company, your traffic eventually passes through the ISP, so the ISP can in principle monitor it. When you use “Tor over circumvention software,” what the ISP sees when it monitors your traffic is the circumvention software’s traffic. Since that traffic is all encrypted, the ISP cannot decrypt it and cannot tell that you are using Tor. Among global Internet users the proportion of Tor users is still low, and inside the celestial dynasty it is lower still (netizens inside the wall do not pay enough attention to privacy). Because Tor is designed to hide network traces, letting your ISP see that you use Tor is not a good thing. Therefore, even if you are outside the wall and Tor can connect on its own, you should still give Tor an encrypted front proxy.
Benefit 2: double insurance. When you use “Tor over circumvention software,” your real Internet traffic is wrapped in two layers: the inner layer is Tor and the outer layer is the circumvention software. Being wrapped in two layers is a kind of “double insurance.” In other words, anyone who wants to intercept your real traffic at the network level must first break the outer layer (the circumvention software’s encryption) and then the next layer (Tor’s encryption) before seeing your real traffic. Since Tor itself uses strong encryption and the circumvention software’s encryption will not be too weak either, the chance of breaking both layers at once is so small that it can be ignored.
Suppose you let the “real identity” account and the “sensitive identity” account use the same Tor/I2P environment. Then the two accounts may use the same exit node at the same time. If this persists for a long time, the two accounts acquire a certain correlation, which makes people suspect that the same person is behind both. For a more detailed description, see the chapter on “correlation caused by the public network address” in the following post: “How to Hide Your Tracks and Avoid Cross-Province Pursuit, 10: Preventing Social Engineering from the Angle of Identity Isolation.”
Just mentioned: use some circumvention tool as Tor’s front proxy. So where should that circumvention software be placed? My suggestion is to put it in another virtual machine, to further reduce the risk to your network accounts. Why? Because you cannot know whether the circumvention software itself is rogue.
In the following posts I detailed several deployment methods: “Tor Front Deployment and Tor Post Deployment” and “How to Hide Your Tracks and Avoid Cross-Province Pursuit, 8: How to Combine Multiple Proxies and Multiple Virtual Machines.”
For the target readers of this article, if you operate a network account through a browser (the Web way), your Internet software (the browser) is trustworthy while the circumvention tool is not necessarily trustworthy. So you should use “Tor post deployment.”
When it comes to the topic of choosing a browser, in reality it means choosing between Chrome/Chromium or Firefox. As mentioned earlier, the system you use to access the Internet should be Linux or BSD. IE, Edge, etc. — don’t even think about it.
My personal suggestion is Firefox. I know there are many Google fans among my readers, and many Chrome/Chromium fans, who may not understand my preference for Firefox. I recommend these readers read the analysis in the following post: “A Few Reasons for Abandoning Chrome and Switching to Firefox — Random Thoughts on the Chrome 69 Privacy Scandal.”
Regarding the issue of the Firefox version, here are a few key points:
If you don’t know Firefox’s versioning scheme, you may not understand the above. See the following post: “From a Security Standpoint, How to Choose and Switch Firefox Versions?”
First: “plugins” and “extensions” are two different things; that post has a section dedicated to the difference. For browsers that operate important accounts, install no third-party “plugins”; keep third-party “extensions” to a minimum, at most a few security-related ones with a good reputation.
For readers who do not know much about technology, it is recommended to use the Tor Browser package directly. The Tor community builds it on the ESR version of Firefox and hardens it further; it also bundles Tor.
For readers who like to tinker, you can customize Firefox heavily with your own user.js. The main principle is to reduce Firefox’s attack surface as much as possible.
How to customize Firefox in depth? See the following tutorial: “Literacy: Firefox Customization, from ‘user.js’ to ‘omni.ja’.”
(Note: The above tutorial only teaches you how to configure Firefox. “How to perform security hardening on Firefox” is another topic. Considering that this topic is too niche, I haven’t written it yet.)
To achieve this, there is a prerequisite: The website corresponding to the sensitive account must provide all-site HTTPS.
HTTPS is very popular nowadays, and well-known web services basically support all-site HTTPS. Some services are even more considerate: even if you access them over clear-text HTTP, they redirect you to encrypted HTTPS.
Some readers may ask: what if I encounter a network service that does not support HTTPS? My suggestion: if a website still has not implemented “full-site HTTPS” by now (2019), it is bad enough that you don’t need it.
Why emphasize full-site HTTPS? Earlier I mentioned going through the anonymity network throughout, but the nodes in the anonymity network are maintained by volunteers around the world, and malicious nodes (honeypot nodes) among them cannot be ruled out. If your traffic to the website is encrypted HTTPS, even a malicious node cannot see your content (web pages, pictures, videos, etc.), let alone tamper with it.
To illustrate what “dedicated” means, an example. Blog readers know I have a Twitter account used to post blog update notifications. On my computer there is a dedicated VM (Guest OS) used to operate this Twitter account (mentioned earlier when we talked about the “granularity” of virtual machines). The Firefox in this VM visits the Twitter site and absolutely no other website.
Keeping the browser dedicated prevents most web attacks. Even if it is unfortunately compromised (as long as there is no VM escape), the damage is limited to that VM. How to thoroughly guard against VM escape was covered in an earlier chapter of this article.
For technical experts, guarding against “social engineering” is the hardest, because social engineering concerns non-technical matters.
Defense in this area rests not on your skills but on your psychological qualities: whether you are rational enough, careful enough, patient enough, calm enough.
(Note: If you have never heard of the concept of “social engineering” before, you can read the following series of blog posts first: “Literacy Social Engineering.”)
I deliberately put this first, because when social engineering comes up, many people only think of guarding against strangers on the Internet and ignore the people around them.
When you operate a sensitive virtual identity, make sure nobody around you can see. In a public place (including at the company), also watch out for surrounding cameras.
Another example: I sometimes reply to reader comments during working hours, because as an executive of the company I have an office of my own :) But if I am in a meeting or discussing something with others, I absolutely do not open the “programthink”-related VMs (not even the sensitive encrypted disk that stores these VMs).
Since we are on “voyeurism,” let me stress a piece of common sense: when entering important passwords, remember to cover the keyboard (especially in public). For example, a laptop user can (when entering a password) lower the screen to about a 30-degree angle with the keyboard.
When you use a sensitive identity to communicate with others (even in private), never mention your true identity. Even if you trust each other, how do you ensure that both parties’ software environments are trustworthy? How do you ensure that both parties’ physical environments are secure? (I could write many more such rhetorical questions.) By the same reasoning, even when you email me, you should not expose your identity information.
Chat tools (IM) expose a lot of information. Therefore the “programthink” identity has never used IM to communicate with readers, at most email. (For safety I now use email less, and mainly communicate with readers in the blog comment area.)
If you really must use IM, use text only, never audio or video. (Multimedia IM exposes far too much information.)
Another reminder: don’t be too superstitious about “end-to-end encryption.” Some readers naively think that with end-to-end encryption only the two parties know the chat content. Not so! For example, if one party’s PC or phone carries a Trojan, the chat content may leak. That is only one possibility among many.
As mentioned in the previous section, chat tools (IM) expose a lot of information. Let me explain.
First, let me define the category of private communication: non-public one-to-one communication, including at least two-person chats, non-group emails, “private messages” on social networks, and so on.
The danger of private communication is that it makes you relax your vigilance (this is determined at the psychological level).
Compare it with real life: in a group setting you are more cautious and self-disciplined when speaking, whereas in one-on-one private communication your vigilance drops and you are more likely to expose personal information.
The social network accounts used by the sensitive virtual identity must be completely separate from the social network accounts used by your real identity: no intersection at all.
For example: I have a Twitter account with my real identity, but this Twitter account will definitely not follow the Twitter of @programthink.
There is a blind spot that is easily overlooked: passwords.
Different accounts must not have similar passwords. Why? Because you cannot be sure that a website stores passwords properly. If a website’s password storage is substandard, then once its database is hacked (such sloppy websites are more likely to be hacked), users’ original passwords are exposed. Leaving aside simple, foolish passwords, accounts with highly similar passwords may then be linked together, leading to identity exposure.
(Note: the standard way to store passwords is to use a sufficiently strong hashing algorithm combined with a random salt, and store only the hash value. Although it is just one short sentence, unfortunately most programmers do not understand the deeper meaning behind it.)
For how to construct a complex password, please refer to the following tutorial: “How to prevent hacker intrusion, 3: How to construct a secure password.”
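To illustrate the “standard way” from the note above, here is an added example (written for this translation, not code from the original post): a random per-user salt plus a slow password hash, set against the bare one-shot hash that lets two leaked tables be matched row for row. The PBKDF2 parameters and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters (not from the original post): PBKDF2-HMAC-SHA256,
# a 16-byte random salt and 600k iterations.
ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh random salt
    means the same password never produces the same stored record twice."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_hash(password: str) -> str:
    """The substandard way: one bare fast hash, no salt. Equal passwords give
    equal records for every user and every site that stores them this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def records_are_linkable(record_a: str, record_b: str) -> bool:
    """Two stored records can be tied together by comparison alone only when
    they are byte-identical, which salting prevents."""
    return record_a == record_b
```

With salting, even a user who reuses a password at two sites leaves two different records, so a breach at one site cannot be matched against the other’s table by simple comparison; the residual risk is the password itself being cracked, which is why the post still asks for dissimilar passwords.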
Whether you write a blog or use social networks to communicate with others, what you say will inadvertently reveal some personal identity information.
For example, my blog has discussed a great many information-security topics, some of them fairly specialized (only someone inside the field could write them). Readers can therefore guess that I am part of this circle. That is a kind of “personal information.” So unless you say nothing at all, there will always be information of one kind or another. Once you have exposed enough of it, an interested party can gradually narrow the scope based on that information and piece together your complete picture.
So what should you do? Here I would like to borrow the famous line from “A Dream of Red Mansions”: when the false is taken for true, the true becomes false. In other words, you should deliberately expose fake information, and use it to interfere with the other party’s view. The key to false information is “quality” rather than “quantity.” What do I mean? The amount of fake information does not need to be large, but it must be believable. Thanks to the interference of the fake information, when the interested party tries to narrow the search based on what you exposed, you may slip through the net, that is, escape the encirclement :)
Everyone’s words and sentences have their own uniqueness. This uniqueness is like a “fingerprint” at the level of language.
For example: J.K. Rowling once used a pseudonym to publish a mystery novel, The Cuckoo’s Calling. A company analyzed the writing style with specialized software and found that the book’s style was highly consistent with that of Harry Potter, thus exposing the true identity of the author.
Therefore, if both your “virtual identity” and your “real identity” leave enough text on the Internet, others may find the correlation between the two from the writing style. The more text, the more likely it is to be discovered. (Note: according to feedback from enthusiastic readers, there is specialized software that can modify an article’s writing style in batch. I have never used such software; interested students can try it.)
My luck is that this blog is my first blog. Before 2009 I was always a lurker online (never posting). In addition, I do not write long documents at the company. Therefore, in terms of “writing style,” my risk is relatively low.
Considering that many of my readers are programmers, let me also mention the “fingerprint” of source-code style. The principle is similar. A few years ago I drastically remodeled the comment area of the blog and added a lot of customized JS scripts. At that time enthusiastic readers reminded me of this risk, so let me explain it today. As an old programmer, I have written a lot of code at the company, but it was all C/C++, Java and Python (you can guess this from my programming posts). And what I write at the company is back-end (server-side) code, while the transformation of the blog comment area is front-end JS. Because front-end and back-end are so different, and the programming language is different as well, my risk in this area is also very small.

There are too many aspects of social engineering, and I must have missed some. You are welcome to keep adding to them in the blog comment area.
The topic of “mobile phones” is quite special, because mobile phones touch on several of the levels mentioned earlier, so I discuss them in a separate chapter.
Regarding the privacy risks of mobile phones, I have nagged about this many times over the years. Let me do it again today. When you want to use your mobile phone to operate your online accounts, this already implies a premise: the phone must be a smartphone. The security risks of smartphones include at least the following:
Since mobile phones have so many risk points, it follows that:
Freedom Hosting was a platform that provided hosting services on the dark web (it was well known in dark-web circles). After the operator was caught by the FBI, the FBI took over the web server and embedded a malicious script in its pages. The script exploited a vulnerability in Firefox 17.0 ESR, the version of Firefox the Tor Browser was based on at the time. So when a Tor Browser user visited one of the trojaned pages, the script exploited the Firefox 17.0 hole and then bypassed the proxy to send an HTTP request directly to a server controlled by the FBI. Because that direct connection bypassed the proxy, the FBI could learn the real public IP of each affected Tor Browser user simply by inspecting the HTTP requests the server received.
Some students thought I brought up this case because I wanted to talk about patching vulnerabilities. No! Since no browser can guarantee zero vulnerabilities, patching browser vulnerabilities is not a sufficient defense against this kind of threat. A more secure approach is system-level network isolation. If the Tor users above had read my tutorials and knew how to use virtual-machine isolation to hide their public IP, the FBI’s tactic would have failed, because inside the isolated virtual machine the malicious script’s direct connection to the outside world (the HTTP request) would simply fail to be sent. The lesson of this case, then, is that you must eliminate every direct network connection that does not go through a proxy. To do this, put all sensitive Internet activity in a virtual machine and ensure that all of its traffic passes through the “gateway VM” you have set up.
This person was a core member of the famous LulzSec, using the screen name yohoho. As can be seen from his impressive record, he was clearly a technical master, and he had always been cautious: the other members of LulzSec did not know his real identity. Later, a member of LulzSec (screen name Sabu) was arrested by the FBI and turned informant, so the FBI obtained all the chat logs between yohoho and Sabu. While chatting with Sabu, yohoho accidentally mentioned that he had taken part in a protest against the Republican National Convention and been detained by the police. That single piece of information was enough to narrow the field to a small number of people. The police began to suspect Hammond and monitored the network traffic of his home. After many days of observation, they found that the periods in which Tor traffic appeared from his house matched closely the times when yohoho was online. So the FBI applied for a search warrant and broke in.
The first lesson of this case: do not expose true personal information whose information content is too high. The second lesson: put an encrypted front proxy in front of Tor (something I have nagged about for many years). Had Hammond followed this principle, the FBI, monitoring the traffic from his home, could not have determined whether he was using Tor at all (because the Tor traffic would have been wrapped inside the encrypted traffic of the front proxy).
All original articles on this blog are copyrighted by the author. Any reproduction must include this statement, keep the article intact, and indicate, in hyperlink form, the author @programthink (编程随想) and the address of the original article: https://program-think.blogspot.com/2019/01/Security-Guide-for-Political-Activists.html.