IPREDator and Internet Privacy HOWTO
IPREDator is a public VPN service that helps you mask your IP address (the unique address assigned to your computer by your service provider, such as Comcast or BT). This allows you to transfer data without the immediate worry of having someone tracing those transfers back to you. Without this masking, your on-line address poses a risk to your safety or freedom if you engage in any of these activities:
- File sharing, which may be misconstrued as "piracy"
- Whistleblowing working with Wikileaks
- You are an Iranian dissident with democratic aspirations
- You visit Australia, are a consenting adult, and want to enjoy adult entertainment on-line without worrying about import/customs rules
Whatever your reasons, IPREDator by itself isn't enough to cover your tracks. Internet surfing leaves plenty of traces of your activities on your hard disk drives: virtual memory swap files, cookies, web browser history, documents, etc. all can be traced back to you if the computer were confiscated or lost. This HOWTO helps you to harden your computer, IPREDator connection, and activities to minimize the ability of a hostile attacker or organization to tie your Internet activities to you.
IPREDator From Your Own System
- Avoid using Windows as your base operating system, if you can; it's known that Microsoft left back doors into the system and their security record is atrocious
- Create a separate user account on your own machine under an innocuous name
- Service accounts could be good for this: sendmail, mysql, mule - anything that looks like a service will do
- Define the account as your girlfriend's name, or your cat's, or your mum's, or whoever
- Under the new account, create a separate disk partition using TrueCrypt
- You must be the only person who knows about the separate partition
- Name the file something innocuous (e.g. bigmovie.mpeg) or use TrueCrypt's hidden operating system features
- Do not name the file anything that would associate it with TrueCrypt
- DO NOT, under any circumstances, use a commercial encryption system like Windows' or OS X's File Vault - you don't know if they have vulnerabilities built in and commercial vendors have been known to leave back doors in; TrueCrypt is peer-reviewed
- Get a copy of VMWare, Virtual Box, Xen, or whatever software you like and create an operating system image in the encrypted partition
- Install an operating system that you like on the virtual image but isn't the same as your host (e.g. if your machine runs OS X, create an Ubuntu Linux image)
- Connect to IPREDator
- Either under the hosting operating system, so that all traffic, whether it comes from the virtual image or any leakage from the host, goes through the VPN; or
- Start IPREDator from within the virtual image
- Related to the previous point: pay for your 90-day IPREDator subscription using a Visa or MasterCard gift card
- Don't do something dumb like paying for it with your regular card
- Visa / MasterCard cards are anonymous and you can buy them at most supermarkets (in the US)
- Don't do something stupid like paying for the gift card with your ATM card
- Surf the net, send, receive, share files, etc. do whatever you need to do from the virtual image
- Do not ever share files between the virtual image's partition and your real system!
- Run some disk-shredding program to zero-out the "erased" space on your disk every time that you finish a session in the virtual machine
- End the session
- Reboot your host system
- Run the disk-shredding program
- When you're done and no longer need this setup
- Erase the virtual machine from your encrypted partition
- Turn TrueCrypt off and remove the encrypted partition from your disk
- Run the disk-shredding program
IPREDator From Someone Else's System
- Get a copy of a live CD operating system like Knoppix and put it on a CD, DVD, or USB thumb drive
- Ensure that your USB drive is read-only after you configure it, just in case
- Start the computer using this external OS
- Connect to IPREDator
- Surf the net, send, receive, etc. do whatever you need to do from this image
- Do not share files between the live CD's run-time and the hard disk drive in the machine where you're running
- Use this from an Internet cafe, someone else's computer, etc. keep it far, far away from your own systems
Odds and Ends
- Create new accounts for blogging, email, googling, bookmarks, etc. from a fictitious identity that you create for this purpose
- Do not recycle any of the same passwords that you'd use for your real life accounts
- Avoid installing ad blocking software on your browser, or anything else that would make your system "stand out" to someone tracking; as long as they track the fictitious account you're fine if it can't be traced back to you
- Never share compromising data between your real and your fictitious identities, whether by email, Dropbox, or any other sharing system
- If you must share data between accounts, use a noisy medium like Twitter instead of contacting yourself over email, etc. This will help lose the shared data/link/etc. in the noise of that medium; hide in plain sight
- Use offshore systems for email, disk sharing, bookmarks, etc. accounts to make it harder for the bad guys to gain access to your data
Conclusion
IPREDator is not enough to fully protect your privacy and personal safety since there are other traceable data besides your IP address that can tie you to specific on-line activity. There are more precautions that you can take, but this is a good basis for peace of mind. It creates more work for you but following these steps minimizes or eliminates the risk of associating your on-line surfing activities with the data on your disk. You may still need to worry about key loggers and other intrusions, but those are subjects for a different article.
Scalable Systems Newsletter
Subscribe to the newsletter and get every issue mailed free - with access to the latest system scalability, high availability, and performance news.