2020 五月 15日， 9：58 上午
在面对第3类的威胁时，你学到的一切都会升级到一个全新的偏执狂水平。第 3 类对手在功能上拥有无限的资源来追求顶级目标。
其次，即使您只练习本文介绍的技术，您的操作安全性 （OPSEC） 也必须无可挑剔。也就是说，你可能会失败。
相信没有 - 或零
端到端加密是避免信任的一个示例。例如，VPN 使 ISP 无法窥探您，因此您不必信任它。
他们有巨大的预算。深口袋允许 ART 为专门的机构配备黑客。他们买得起昂贵的玩具，比如用于暴力攻击的超级计算机，或者零日漏洞（在灰色市场上找到）来制作定制漏洞。
有这么多的目标，你，假想的猎物，不太可能是接近APT的榜首。因此，你有一个开口：让它如此繁重的攻击你，以至于它不值得战略回报。你不一定知道临界点是什么， 但如果你确定你被 Apt 追捕， 你必须尝试。
话虽如此，让我们深入探讨对策，并一路上解释它们要对抗的目标。对第 3 类的防御涉及两个注意事项：使用的工具和使用它们所需的 OPSEC。
接下来，您应该要做的是将所有通信路由到 Tor。Tor 是一个网络，旨在通过在将用户流量路由到正确的目的地之前对所有用户流量进行洗牌来使用户匿名。
本质上， 它把一个 VPN 类固醇.VPN 的弱点是，一个中等能力攻击者可以绕过它。VPN 对可以看到客户端连接到 VPN 或 VPN 服务器连接到 Internet 的对手有效，但两者不能同时看到。
ISP 适合此配置文件，因为他们只看到您的设备连接到 VPN。但是，在顶级类别 2 处或上面的敌人可以观察 VPN 两侧的流量。如果他们看到您的设备点击VPN，然后瞬间看到VPN点击一个网站，他们可以把两个和两个放在一起。
Tor 使用三个连续代理，而不是像 VPN 那样通过一个代理进行路由。从逻辑上看，您的流量从设备到 Tor 节点 A，从 Tor 节点 A 到 Tor 节点 B，从 Tor 节点 B 到 Tor 节点 C，最后从 Tor 节点 C 到目的地。
沿着这条路径，您的连接被三步加密：B-C 腿用 C 的密钥加密，A-B 腿加密与 B 的密钥，设备-A 段与 A 的密钥，按此顺序加密。这样，虽然 A 知道你是谁，但不知道你要去哪里。相应地，C 将知道您的连接将位于哪里，但它不会知道是谁提出了请求。
这使得通过 Tor 网络跟踪流量变得困难，使在 VPN 上起作用的关联攻击复杂化。 哦，为了好，Tor 每五分钟切换一次您使用的节点。
Tor 提供 Tor 浏览器，这...允许您通过 Tor 浏览。但是，这仅保护您的 Web 浏览，因此我并不是在谈论此内容。您必须配置您的系统，以路由所有互联网流量通过 Tor。这过于依赖于系统，不能在这里描述，但有关于如何做到这一点的指南。
但是，设置一旦设置好，您的设备通过 Tor 发送或接收所有筛选器。假设您不做任何对自己的事情（OPSEC 的问题，下面讨论），这会使您的流量在功能上匿名。
使用 Tor 并不排除一个民族国家监视你，但它确实迫使它攻击 Tor 本身，而不是要求第三方的记录或嗅探您的连接关闭点击互联网主干。这些源包含您的活动跟踪，但不包括您。
与 Tor 一样，隐藏通信源需要 MAC 地址欺骗。MAC 地址是设备网络接口控制器 （NIC） 的唯一硬件序列号。
您的设备 NIC 将其 MAC 地址捆绑在它发送的每个数据包的元数据中。使用 MAC 欺骗，您的软件将任意 MAC 替换为数据包中的硬件 MAC。没有这一步，一个知道你的 MAC 地址的民族国家不会被 Tor 愚弄。
对抗高口径的对手，你还必须把你的加密交易到PGP。尽管存在学习曲线，但 PGP 密钥仍提供一些功能最强大、功能最全的加密技术。
PGP 密钥的优势在于它们可以在任何地方加密任何内容。无论是电子邮件内容、文本文件、视频和音频，还是发布到 Web 上的文本，PGP 都可以对其进行加密。另一个巧妙的技巧是，它可以对数据进行签名，以肯定地将其归于密钥的创建者。如果使用得当，PGP 将被证明是高度可靠的。虽然它从90年代就已经存在了，但到今天，它仍然不间断。
任何抵御 ART 的希望也意味着切换到开源操作系统 （OS）。实际上，这意味着在桌面设备（即台式机或笔记本电脑）上安装 Linux 或 FreeBSD。安卓不够好 （我稍后再解释） 。开源 OS 不一定比专有的更安全，但由于其源代码可供公众使用，因此可以对其进行审核以发现篡改。
开源的 性 OS 在很多司法管辖区开发，因此您保证在对手的掌握之外找到一个。与域外通信提供商一样，OS 外国开发人员将它们与法律命令隔离。
不幸的是，这仍然是不够的 - 它不是那么简单。想想看：如果计算机磁盘上的整个操作系统被炒了，您的计算机如何知道如何启动？答案是不会的。因此，实际上，即使在全磁盘加密下，OS 的一小部分启动数据也是未加密的。
这让你可以攻击，如果你的对手部署了一个团队闯入你的家，弹出你的硬盘驱动器，用自己的 boot code with ，替换你的启动代码，并弹出它回来。每次后续启动，您的计算机似乎都会正常运行，但会无形中执行对手想要的任何操作。不好
虽然我刚刚触及第 3 类攻击媒介的表面，但所有这些缓解措施都是必要的，而且比例应该表明，这些对手不是玩笑。
OPSEC： 锐化战士， 而不是武器
第一，您不能安装完全开源的软件。在没有专有驱动程序的情况下，在移动设备上安装纯开源 Android 几乎是不可能的，根据法律，蜂窝基带必须包含用于射频合规性的专有固件。
此外，请仔细选择您的网络。显然，你不应该从你的家庭网络连接，但不要把所有希望都寄托在 Tor 上。始终假设您的 IP 已暴露。切也切从不登录到同一网络两次。相反，在不留下模式的情况下，在公共网络中旋转。
在这一点上，我已经说了我的所有。。一个人可能面临第 3 类威胁的原因如此之多和个人，只有您才能确定如何最好地应用此处的工具和技术。
尽管第 3 类目标还有许多需要做的事情，但无论面临什么威胁，阅读此目标的人都应该具备重新评估威胁模型并扩展工具集的能力。
How to Stay Safe on the Internet, Part 4: Fighting the Power
By Jonathan Terrasi May 15, 2020 9:58 AM PT
By this, the fourth and final entry in this series, you should have a grasp of information security basics. Let's take stock of them before continuing down the rabbit hole.
You've examined a variety of attack vectors and ways to close them off. In observing their patterns, you've learned the weak points that are exposed inherently online, and thus require intervention.
You've learned that any software or operator handling your communication controls it. Information security comes down to breaking this hold. To do that, you either excise intermediaries when that is possible, or you encrypt your connections through them when it isn't.
In the process, you also discovered that humans are bad at devising truly random outputs, so you can't assume that passwords your brain thinks up are random enough. Our most glaring weakness is our tendency to trust our instinctual assessments automatically. This normalcy bias also lowers our guard when people request sensitive information.
Category 2 adversaries are nothing to sneeze at, but their resources are finite. If you armor up enough, they will give up, and move onto an easier comparable target.
In confronting the threat of category 3, everything you have learned ratchets up to a whole new level of paranoia. Category 3 adversaries have functionally unlimited resources for pursuing top targets.
Often called "nation-state actors" or "advanced persistent threats" (APTs), they have tax revenue, national sovereignty and the law behind them.
Pontificate With Extreme Prejudice
Before continuing, consider the following.
First, the guidance in this part of our series almost certainly doesn't apply to you. You may find it interesting, and you probably will gain from it. However, statistically, you will never face this level of threat.
If for some reason this guide does apply to you, you are going to need significantly more help than I can provide. At present, I would fail at fending off a nation-state. I don't know anyone who could resist one for more than a month or two, either.
Rather than taking this guide as the authoritative word on defense against nation-states, use it as a jumping off point for further research. I recommend studying the Electronic Frontier Foundation's Surveillance Self-Defense manual next, followed by the Open Source Society University degree track.
There are many more worthy resources you should consult, but these are a modest start. As the volume of information implies, you need a thorough computer science background to stand a chance.
Second, even if you practice only the techniques that this piece presents, your operational security (OPSEC) must be impeccable. That is, you will probably fail.
OPSEC is your discipline in following the security controls prescribed by your threat model. As I noted at the outset of this series, security comes at the cost of convenience, and when you are facing the ultimate threat, the sacrifice of convenience is total.
That's why the best OPSEC practitioners keep their pursuers at bay only for a few years. So, have a contingency plan for when you fail. Only you will know what that looks like.
So who does this installment apply to? National security or international affairs journalists, for one. This goes doubly for those reviewing classified information or sensitive sources. Secrets are invaluable to nation-states, and they will stop at nothing to hunt down those that leak out.
High-profile political dissidents also can find themselves in nation-states' crosshairs. These dissenters advocate policies that governments view as extreme enough to justify silencing by any means.
Finally, military technology researchers should anticipate category 3 attacks. Nation-states compromise engineers developing sources of military or economic advantage all the time, so they can glean a copy of the work and level the playing field.
Trust No Ones - or Zeroes
It's important to understand "trust" in computing. Here, trust is bad. Specifically, trusting something, like hardware or software or the entity that maintains it, means you have to trust it with handling your data. In a trust relationship, you can't defend against whatever you're trusting: You can only hope it doesn't betray you.
Instead, adopt a no-trust posture. Without trust, you don't have to trust some entity that touches your data. You reach this posture by implementing measures ensuring you're not harmed if the entity tries undermining you.
End-to-end encryption is an example of obviating trust. A VPN, for instance, renders an ISP incapable of snooping on you, so you don't have to trust it.
To stave off category 3, the number of entities you trust must be zero.
Your Adversaries Are in the Army Now
Government adversaries are extremely dangerous because they bring a government's resources to bear.
They have enormous budgets. Deep pockets allow APTs to staff dedicated agencies with hackers. They can afford expensive toys, like supercomputers for brute force attacks, or zero-day vulnerabilities (found on the gray market) for crafting custom exploits.
Another advantage nation-states enjoy is the power to grant their agents legal immunity. To paraphrase technologist Chris Soghoian, just as soldiers can kill people without going to prison, government hackers can compromise you with impunity. It's one of the main attractions for hackers who seek gainful employment.
Finally, government actors can employ legal coercion. Simply put, they can order digital service providers to rat you out. Legally supported actions can range from requests for your data to orders compelling service providers to insert backdoors. Snippets of code inside other programs allow root access to anyone who knows how they work, making it trivial to spy on users.
An exhaustive listing of the techniques nation-state actors actually use is impossible. Few feats are impossible for them. The weapons they array against their targets are a matter of what nation-states are willing to do to nail a target.
With so many targets, it's not likely that you, the hypothetical prey, are near the top of an APT's list. Thus, you have an opening: Make it so onerous to attack you that it's not worth the strategic payoff. You can't necessarily know what the tipping point is, but if you are sure you are hounded by an APT, you have to try.
With all of that said, let's dive right into countermeasures, and I'll explain along the way what they aim to counter. Defense against category 3 involves two considerations: the tools to use, and the OPSEC required to use them.
This Is My Computer. There Are Many Like It, but This One's Mine.
The truly ideal approach would be to run your devices through a woodchipper, incinerate the shards in a blast furnace, and throw the remains into the ocean. If that's not an option, read on.
Odds are if you are laboring this ardently to secure your computer, it's because you need it for communication. All communication being mediated by some provider, start by picking one that is committed to protecting user privacy.
A good bet is to choose an email provider, chat server, etc., that is incorporated outside your enemy's jurisdiction. Your adversary government then has to inveigle the provider's government to execute the records request, to which the latter will not always acquiesce.
The next thing you should do is route all your communications through Tor. Tor is a network designed to make users anonymous by shuffling around all user traffic before routing it to the proper destinations.
Essentially, it puts a VPN on steroids. A VPN's weakness is that a moderately competent attacker can get around it. VPNs are effective against adversaries that can see either the client's connection to the VPN, or the VPN server's connection to the Internet, but not both.
ISPs fit this profile, since they only see your device connecting to the VPN. However, foes at or above the top tier category 2 can observe traffic on both sides of VPNs. If they see your device hit the VPN, and then an instant later see the VPN hit a website, they can put two and two together.
Instead of routing via one proxy, as VPNs do, Tor uses three consecutive proxies. Schematically, your traffic travels from your device to Tor node A, from Tor node A to Tor node B, from Tor node B to Tor node C, and finally from Tor node C to your destination.
Along this path, your connection is triply encrypted: the B-C leg is encrypted with C's key, the A-B leg with B's key, and the device-A leg with A's key, in that order. This way, although A knows who you are, it doesn't know where you're going. Correspondingly, C will know where your connection is going, but it won't know who made the request.
This makes it difficult to follow your traffic through the Tor network, complicating the correlation attacks that work on VPNs. Oh, and for good measure, Tor switches the nodes you use every five minutes.
Tor offers the Tor Browser, which… lets you browse via Tor. However, that protects only your Web browsing, so I'm not talking about that. You have to configure your system to route all Internet traffic through Tor. This is too system-dependent to delineate here, but there are guides on how to do this.
Once this is set, though, everything your device sends or receives filters through Tor. Assuming you don't do anything to out yourself (a matter of OPSEC, discussed below), this makes your traffic functionally anonymous.
Using Tor does not preclude a nation-state from spying on you, but it does force it to attack Tor itself instead of demanding records from a third-party or sniffing your connection off taps on the Internet backbone. These sources contain traces of your activity, but are not attributed to you.
Along with Tor, concealing the source of your communications requires MAC address spoofing. A MAC address is a unique hardware serial number for your device's network interface controller (NIC).
Your device NIC bundles its MAC address inside the metadata of every packet it sends. With MAC spoofing, your software substitutes an arbitrary MAC for your hardware MAC in the packet instead. Without this step, a nation-state that knows your MAC address won't be fooled by Tor.
Against high-caliber adversaries, you also have to trade up your encryption to PGP. Despite their learning curve, PGP keys provide some of the most powerful and versatile encryption around.
In a nutshell, PGP keys work in pairs: One can decrypt anything the other encrypts. If you hand out one of the duo to anyone who wants to communicate with you and keep the other for yourself, anyone can encrypt messages that only you can decrypt.
The strength of PGP keys is that they can encrypt anything, anywhere. Whether it's email content, text files, video and audio, or even text posted on the Web, PGP can encrypt it all. Another neat trick is it can sign data to affirmatively attribute it to the key's creator. Properly utilized, PGP will prove highly dependable. Though it has been around since the 90s, to this day it remains unbroken.
Any hope of fending off APTs also means switching to an open source operating system (OS). In practice, this means installing either Linux or FreeBSD on your desktop device (i.e. desktop or laptop). Android isn't good enough (I'll explain later). Open source OSes are not necessarily more secure than proprietary ones, but because their source code is available to the public, it can be audited to discover tampering.
Open source OSes are developed in so many jurisdictions that you are guaranteed to find one outside your adversary's grasp. As with extraterritorial communication providers, OS foreign developers insulate them from legal orders.
Whatever OS you choose, enable full-disk encryption, too. I've said a lot about encrypting communications -- data in transit -- but you also can encrypt data at rest. Without encryption, the data on your hard drive is stored in readable form, meaning anyone who snatches your hard drive can see all your files. Encrypting your hard drive protects not just user files like documents, videos, etc. but your OS's core files as well.
Unfortunately, that's still not enough -- it's not that simple. Think about this: If your computer's entire OS on the disk is scrambled, how would your computer know how to boot? The answer is it wouldn't. That's why, in reality, a small bit of your OS's boot data is unencrypted even under full-disk encryption.
This leaves you open to attack if, say, your adversary deployed a team to break into your home, pop your hard drive out, replace your boot code with its own, and pop it back in. Every subsequent boot, your computer will seem to run normally, but will invisibly execute whatever it is your adversary wants. Not good.
Enter secure boot. Basically, secure boot is a motherboard firmware process that allows a boot only if the signature on the unencrypted boot sector checks out. Most modern computers do this by default, but with the manufacturer's key, meaning you're trusting it. Although it's tricky, you can create your own encryption key, sign your OS's boot sector, and then flash the key to your secure boot register.
There's a snag here, too. If your adversary bugs your hardware itself, nothing you've done so far can help you. For that, there's open hardware. This is currently less mature than open source, but it embodies the same concept: transparent specifications allow the detection of tampering.
The vulnerability that open hardware tackles is not theoretical. It's child's play to re-flash a computer's BIOS (motherboard firmware) with a backdoored lookalike. Nation-state actors also could somehow breach Intel's Management Engine, a tiny, totally opaque OS running underneath your computer's OS. If that doesn't work, your government can just intercept your new computer, or get its hands on your existing computer and insert a bug in it.
Although I've barely scratched the surface of category 3 attack vectors, the fact that all these mitigations are necessary and proportionate should make it clear that these adversaries are no joke.
OPSEC: Sharpening the Warrior, Not the Weapon
OPSEC is the other half of the nation-state threat model. Without unassailable OPSEC, all of your tools are worthless.
First and foremost, ditch your phone. Cellular baseband-equipped devices (collectively "mobile devices") are perfectly optimized to track you. For one thing, your mobile device expresses un-spoofable hardware serial numbers as it reports your location to your carrier in real time.
This puts you one legal order way from having your every move exposed. It doesn't matter how secure your desktop device is if your mobile device is nearby. Then there's always that microphone your adversary can turn on.
So, why not just repeat what you did for your desktop? Well, you can't.
One, you can't install fully open source software on it. It's practically impossible to install purely open source Android on a mobile device without proprietary drivers, and by law cellular basebands must contain proprietary firmware for radio frequency compliance.
Two, mobile devices don't allow you to run secure boot with custom keys.
Three, mobile open hardware is not ready for prime time, so you have to trust the hardware.
Finally, architecturally, the SIM is the master of your mobile device, letting it override literally anything you do. With mobile devices brimming with fatal, unavoidable vulnerabilities, the only winning move in this strange game is to not play.
Additionally, choose your networks carefully. Obviously, you never should connect from your home network, but don't pin all your hopes on Tor either. Always assume that your IP is exposed. Never log onto the same network twice. Instead, rotate through public networks without leaving a pattern.
Since you'll be traveling to use networks, you'll also want to practice basic counterintelligence techniques. Be able to tell if you're being tailed in physical space.
Counterintelligence doesn't stop there, though. You also must know how to figure out if your contacts have been compromised. The easiest way to reach someone is through their associates. In the digital context, this usually isn't being turned à la spy thriller, but having a device compromised to monitor interactions with you.
The remedy here is to ensure either that your contacts forget you or that they practice everything in this guide along with you. Communication is a two-way street. If your associates fail at any of these steps, the outcome is the same as if you failed.
To the extent that you hope to retain a "normal" life, you must bifurcate your "secure" and "normal" lives strictly. Never transfer any file, message, or other digital artifact between devices, accounts or platforms across this divide.
Moreover, don't behave in similar ways in each "life." Patterns like the contents of concurrently open tabs or the order in which you visit sites are enough to identify your unique behavior.
To summarize OPSEC, don't make a move unless you've completely thought it through.
Where the Path Ends, the Wilderness Begins
At this point, I've said about all I can. The reasons one might face category 3 threats are so numerous and personal that only you can determine how best to apply the tools and techniques herein.
Although there is much left for the category 3 targets to do, everyone who reads this should be equipped to reevaluate your threat models and extend your toolset, no matter the threat you face.
Security is a journey, but only some of the trail is blazed. Good luck, and may you have sharp machetes.