STATUS: DRAFT
This weekend I decided I want to venture into “red team” territory and play around with some ideas – far from thinking about committing crimes, but especially for research purposes, since I still entertain this possibility of becoming an Information Security professional.
Thus, I’d like to disclaim that you should not commit crimes. It’s bad, it’s wrong, it’s criminal (obviously) and I’m sharing this information solely for benefit of security researchers that know what they are doing and have a clear and honest purpose.
Do not put other people in danger or steal their money. It doesn’t matter if “they are so dumb”: it’s wrong. Don’t do it!
Do not jeopardize other people’s property. It doesn’t matter if you hate some company: the wrath of man works not the righteousness of God (James 1:20).
In short, please, be excellent to each other.
(Besides, what constitutes a crime in certain countries are things like downloading a Bible or expressing your true opinion about the local government… so take it cum grano salis…)
And people don’t know shit about Information Security. It doesn’t matter what your intentions are: if they feel fooled they will call the police and drag you to court. Newspapers will put “researcher” in quotes when talking about you, pointy-haired CEOs will write articles about how dangerous the unregulated internet can be and government agencies will step in to offer “a solution”, all capitalizing on your case because they are not only stupid but also want more power.
And all that because you guessed a very badly chosen password.
So, at least be prepared. Someone, sometime, is going to misunderstand things…
If you are planning to go unnoticed, be aware that it only takes one mistake to, well, notice you. Do not rush into action before proper planning. Understand your threat models. Do not depend on third parties. Be always in control.
Do not call your Linux machine “linux machine”. Change your Web browser User Agent to “Android”. Make your hostname “cdn2.facebook.com”.
If you’re going to assume some identity and it’s raining outside, you say it’s a beautiful sunny day. But it’s much better if you don’t say anything at all.
Keep it all to yourself. Do not seek fame or glory.
First the news, then (maybe) the court. Be creative. Make yourself look like a poor victim, not a “hacker”. They will abuse the quotes – it goes like ‘“security researcher” says he’s a “victim” in VICIOUS online security breach case’.
It’s waaay better to keep things on separate machines.
Especially the camera and probably the microphone. Put a tape over the camera. Plug a dumb jack into the microphone socket.
Use another machine as a firewall so that nothing you don’t really want will leak onto the open internet (for instance: DNS requests).
Explore the limits of deniability. Use your right to remain silent.
Not only your /home, but the whole system – especially the logs!
Use looooooooooooooooooooooooooooooooooooooong passwords for everything.
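To put a number on “long”, here is an added example (mine, not part of the original post) that compares the entropy of a random character password with that of a random passphrase, and turns that into a rough guessing-time estimate. The word list is a small constructed sample standing in for a real 7776-word diceware list, and the 10^10 guesses per second figure is an assumed offline-cracking rate, not a measured one.

```python
import math
import secrets
import string

# Constructed sample word list; a real diceware list has 7776 entries.
WORDS = [
    "anchor", "basalt", "cobalt", "dahlia", "ember", "fjord", "gravel",
    "harbor", "iodine", "juniper", "kettle", "lantern", "marble", "nectar",
    "orchid", "pebble", "quartz", "rustic", "saddle", "timber", "umber",
    "velvet", "walnut", "yonder", "zephyr",
]
DICEWARE_LIST_SIZE = 7776          # size of a standard diceware list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumed offline GPU rate, not measured


def charset_entropy_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of n_words drawn uniformly from a word list."""
    return n_words * math.log2(list_size)


def expected_crack_years(entropy_bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to guess: on average half the keyspace must be searched."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / 31_557_600  # seconds per Julian year


def generate_password(length, alphabet=PRINTABLE):
    """Random password using the CSPRNG-backed secrets module (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words, words=WORDS):
    """Random passphrase; entropy depends on the list size, not the word length."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def compare(char_length, n_words):
    """Return (bits for a char password, bits for a passphrase) side by side."""
    return charset_entropy_bits(char_length, len(PRINTABLE)), passphrase_entropy_bits(n_words)


if __name__ == "__main__":
    for length in (8, 12, 20, 32):
        bits = charset_entropy_bits(length, len(PRINTABLE))
        print(f"{length:2d} random printable chars: {bits:6.1f} bits, "
              f"~{expected_crack_years(bits):.3g} years at 1e10 guesses/s")
    for n in (4, 6, 8):
        bits = passphrase_entropy_bits(n)
        print(f"{n} diceware words:          {bits:6.1f} bits, "
              f"~{expected_crack_years(bits):.3g} years at 1e10 guesses/s")
    print("sample password:  ", generate_password(20))
    print("sample passphrase:", generate_passphrase(6))
```

The point the numbers make: eight random printable characters (about 52 bits) fall within reach of an offline attack in days at the assumed rate, while six random diceware words (about 78 bits) or 20 random characters (about 131 bits) do not. Length is what buys you bits, and the generator must be a CSPRNG for the entropy maths to hold at all.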
Tor is the bare minimum. Take extra care with dVPNs as they may expose you to the open when disconnected. Do not trust others’ systems; always make sure you’re in control.
Look for “safe” DNS providers but never trust them. Avoid DNS-over-HTTPS, too: new implementations are always born with more surveillance…
Mine is 70% about physical access, so I lock the screen every 60 seconds.
Again, if you think about that as an exercise, you’ll start thinking about how to break into your own system. That’s why it’s so interesting to make this kind of experiment.
Also, take a look at what an Ethical Hacker is.