JBM’s Basic Guide To Online Subterfuge | Phase 2

You’re still here? Nice. If you just stumbled in here off the wild web and you’re wonderin’ what in tarnation is going on around these parts, then go back and read Phase 0 and Phase 1 of this guide first. You’ll need all that stuff for this next part.

Phase 2: Lock it up and Back it up

Ok, great … got all that stuff from the previous phases ready to go huh? Then let’s move on, shall we old chap? Mmm…indeed we shall my good man.

2.1: You Are The Worst Security Flaw

Seriously … people are so easy to exploit. Even people who exploit people themselves, or people who are trained to notice when they are being exploited are susceptible. I really think that fact, that basic knowledge about humans is why Ethereum is so important. It takes the human element out of so many things that the human element shouldn’t be in. Anyway … like I was saying. You are the weakest link, always. Just look at you, 90% water, just a bunch of atoms stuck together only because they choose to be stuck together right now … pppaaathhhetic!

So, I’m going to say this once, and only once: don’t do anything except crypto stuff from your secure crypto environment. That means no twitter, no email, no random browsing, no youtubes, no discord, no onlyfans, none of that stuff. You go to your CEX, DEX or whatever to buy, trade, sell, transfer to and from your cold storage only. If you need NFTs for online identification (like here at caches) or you’re chasing the latest NFT pumpscam, or you need to buy something with crypto, you use a totally separate hot wallet on your dirty PC on your shady ass wifi network. Got it?

Also you don’t ever send stuff between your cold storage and your hot wallet either. Don’t connect them on chain. Send money from Cold Wallet -> CEX/Mixer -> Hot Wallet. Or even better, just buy the crypto you need at the time and deposit it in your hot wallet to make your purchase. Understand? Cool. I knew you guys were smart. In the next section we’re going to set up your infrastructure for protecting your crypto from a zombie uprising in your local area… but first, we need some tools.

2.2: Like … You Need A Password For Your Passwords

Ok, so inevitably with crypto related activities you’re going to have logins, passwords, MFAs, recovery codes and all sorts of things that you need to keep safe, secure … but readily available. You need an encrypted, password protected vault for all of those things. For that, I recommend an app called KeePass. Beware of scam apps by the same name. KeePass is free, open source software and as a result there are several forks out there including, but not limited to: KeePass, KeePass2, KeePassX and KeePassXC. Man … and I thought Bitcoin had a lot of forks. Bazinga!

The important thing to know on all these forks is they all adhere to the KeePass database standard, as decided and coded by the original KeePass development team, which oddly develops the KeePass2 fork. Sooo…what I’m tryna say is, a database created in one works in all of them the same. Most of the forks are just platform forks or GUI toolkit forks … the meaty bits of the code are the same underneath. So it’s your choice really, but I personally recommend KeePassXC. Why? Because it’s cross platform, updated often, and since UI matters, the KeePassXC UI is the nicest IMO. There are other more nerdy reasons too, but I won’t bore you. Go ahead, connect your secure Kali environment to your hotspot and install KeePassXC on Kali. Don’t forget to disconnect your wifi when you don’t need the Internet. Mostly to save your data cap, but also because the less time we’re connected to the Internet, the less chance we have of our crypto box somehow getting infected.

Once you’ve got it installed it’s probably best to read over the KeePassXC Getting Started guide to learn the ins and outs of how it works. Here’s the tl;dr for you though. You can create encrypted “databases” and can store everything from usernames/passwords, your Proton Mail account recovery codes, even file attachments like Photos, PDFs, DOCs, XLS, etc… you can get pretty creative here. So inside of there will go your crypto related usernames/passwords/account recovery codes and more. KeePassXC can also be used to generate secure, easy to remember passwords and provide one time passcodes for Multi-factor Authentication (MFA) and/or 2 Factor Authentication (2FA). I do not recommend keeping your passwords and your MFA codes on the same device, but if you must for convenience’s sake then put your MFA/2FA/OTP codes in a separate KeePass database, with a different password than the one with your username/logins. Make sense? I believe having your password and 2FA code on the same device is better than not using 2FA at all, but that’s not exactly good layering now is it? Mmhmm … no, it’s not.

KeePass is great and you could even burn the KDBX database file onto one of your gold DVDs that we mentioned earlier for safe storage on-site somewhere too. You could even toss it inside a VeraCrypt container for an extra layer of security if you wanted. Now I know what you’re thinking, John … why don’t I just keep my seed words in KeePassXC?

Well there are several reasons, but the biggest one is encryption and accessibility. VeraCrypt containers can use 3 different layers of security with single, or multiple passwords. That means if for some reason AES encryption is broken, there are still the Twofish and then Serpent algorithms to break before getting to your crypto. Not an easy feat. VeraCrypt also has additional anti-brute force measures and some other really cool spy level features. KeePass does not offer this functionality, meaning that if the encryption algorithm securing your KDBX file is broken, your info is exposed. So use VeraCrypt to secure your life savings, and KeePass to store account info and things you need quick and convenient access to, but that still need to be reasonably secure. Ya pickin’ up what I’m puttin down?

2.3: John, What If My Whole City Disappears?

Ok, so you’ve got your VeraCrypt container we created in Phase 1 and it’s burned on your DVDs but you’re still worried that an earthquake will come swallow up your whole town while you’re on vacation in the tropics. Sure, you won’t have to go to work after vacation, but more importantly your gold DVDs will have been swallowed up by the earth … even the one you buried in your garden. Damn! What now?! My whole life savings just down the literal drain man! Ahhhhhh!

First, calm down … we’re not going to let that happen. We need to keep an offsite backup of your VeraCrypt container though. So … we’re going to explore a few different options here. It’s up to you to choose the right one for you. If you are trying to protect 1000s of ETH, I wouldn’t trust ANY cloud storage provider … even with a VeraCrypt container. That container would never go online. If that’s you, what are you doing here? I’m kidding, you should go with my first option. In other cases, my 2 online backup solutions are probably sufficiently secure.

2.31: Offsite Media/Tape Vaults

Where do governments, militaries, world banks and any other organizations store their most treasured data backups? In a vault. Maybe even an underground vault. If you are protecting a serious amount of ETH you will want to skip all other options for storing your golden DVD and go straight to this. I can’t tell you what it costs, as it varies, but I can tell you that it won’t be that expensive for a single DVD. It’s really not that expensive for a whole box of DVDs honestly. There are several companies that provide this service but I can only recommend two.

First, a company called Iron Mountain. They have been storing valuables, media and archives for over 70 years. Their rates are reasonable and at any point they will destroy your media on request…. like Scorched earth! Nothing left! destroyed. You can also visit your media, in person, on site in a secure room and facility if you’d like. So you know … serious security. This would be my first choice.

My next choice is AccessCorp. They’ve been in business for a long time and offer varying levels of vaultiness. You can choose a basic PRISM certified above ground vault in a secure facility, or they also offer an underground vault option if you would like your golden DVD stored inside of a limestone mountain fortress. They offer basically all the same services that Iron Mountain does, including destruction services. I would compare these two if you are serious about secure offsite vault storage.

2.32 Clouds made from Blockchains

GASP! THE CLOUD!? Yes, but not just any “the cloud.” How about an end-to-end encrypted, zero-knowledge, sharded, web3 tracked, distributed, peer-to-peer powered cloud? In 2020 a Spanish company, Internxt, started up. Internxt (INXT) has a pretty damn sweet blockchain integrated cloud storage thing going on called Internxt Drive. Now you can read their post on how they secure your data with all the technical tidbits, but basically they encrypt all your files, strip any filenames and metadata from the transfer, don’t log the transfer, then they shard or fragment all your encrypted data and spread it out over a peer to peer network. Only your encryption key, which never leaves your device can recombine and decrypt the files… Whoah! All of this is tracked on the blockchain for verification, and everything is fully open source!

So if you’re looking for a reasonably secure cloud provider, I think this is about as reasonably secure as you can get… and hey it’s FREE for a 10GB account. That’s more than enough for storing our VeraCrypt container. If you want to upgrade to more space, they even offer an astonishing 90% discount if you hold and pay with their INXT token. Might be worth looking into. So head over to the INXT website and get signed up … MJ. Once you’re signed up for your free account there we need to install the Linux client to make it easy to upload and download files.

2.32.1: Install The Client In Kali

First, head over to the Internxt drive github repo and find the link for the latest release. The Linux download ends in .deb. As of this writing the filename is internxt-drive_1.9.3_amd64.deb. You can click to download it. In Kali you can use Thunar, the GUI file manager to navigate to where you downloaded it and double click to install it. Or if you want to be a real hacker, you can do it from the Terminal. Assuming you downloaded the deb package in your Downloads folder you would run this command

sudo apt install ./Downloads/internxt-drive_1.9.3_amd64.deb

That should download any dependencies, ask if they’re ok to install (say yes), and install the Internxt drive software. Now you should see an icon somewhere in the XFCE app launcher menu. Launch that and log in using the credentials you set up earlier. Now you can drag your VeraCrypt container and your KDBX file into your secure cloud storage for backup.

Exploit Warning: I have not personally audited the Internxt code for security flaws, backdoors or information leaks. I honestly don't have the skill, and most likely you don't either. So... you know ... there's your risk here.

2.33: Buckets, Not Clouds

Ok, so how about creating your own personal cloud instead of subscribing to a service? I mean, it’s way harder but waaayy f’ing nerdier, am I right!? So I’m going to throw this one in there for the nerds that want to explore. How do you get your own personal cloud? Sure you could install NextCloud or something on a VPN, but too big of a surface area, too many moving parts for just storing a simple file. What we’re going to do isn’t really a cloud, but it’s internet accessible storage called buckets. Also known as S3 Object storage, or S3 Buckets.

This technology was pioneered by Amazon and used on their AWS service, but S3 is a sort of protocol standard now, so you can purchase this service from any hosting provider. I personally like Linode, for a number of reasons, but mostly because they make it easy to set up and it’s relatively inexpensive. S3 compatible object storage at Linode costs $5/month, and includes 250GB of storage and 1 TB of outbound data transfer. You will never use all of that for our purposes here.

If you use anything above that, it’s an additional $0.02 per GB per month for either. They’re even offering a $100 promo credit for signing up right now… what is that? Like … 20 months of free VIP bucket service at Club Linode? Whoah! Nice score big shot! 👊🏻

Exploit Warning: Data transfer between you and S3 Buckets is encrypted and your bucket can only be accessed remotely with your Access Key, however Linode employees will still be able to see the contents of your bucket by default.

2.33.1: Kicking The Bucket

Linode has a great guide on how to encrypt your buckets as well, but I won’t get into that right now. Our VeraCrypt volume and our KDBX database are both already encrypted, so we’re reasonably secure, but if you have the time and the skill I would recommend following that guide and setting it up. After you’ve signed up at Linode, Michael 😉, don’t forget to set up your MFA/2FA on your account. Then, click the blue Create button at the top, a menu will drop down, select Bucket. In the right window pane, click Create Bucket, give it a name, but you know … nothing too obvious like “my life savings in crypto” or “keys for ethereum wallets” … maybe just something random like “bucket32469” or whatever, and select a region FAAAR from you. For example, if you’re in the United States, select Germany or Singapore. If you are in the EU, select somewhere in the US or Singapore. We cool? Yeah … we cool.

Ok, now you’ve got your new shiny Bucket created. At the top click the Access Keys tab and create a new access key. Name it whatever you like, be creatively mundane like above. Now you have some credentials created for your bucket. You can use those to up/download files to your own personal cloud storage. Remember, Linode employees can most likely see what’s in this bucket if they wanted to, unless you set up the encryption above. Keep that in mind, anything that goes in this bucket needs to be encrypted BEFORE you upload it there.

Exploit Warning: Don’t store the password for your VeraCrypt “seed word container” in ANY KeePass database kept anywhere online. That password has to be kept TOTALLY offline, totally not in digital format anywhere. KeePass is very safe, but if for some reason the encryption is broken or there is an exploit in the version you used to create your KeePass database … game over man! So … no cold storage crypto seed words in there. For hot wallets containing assets you can “afford to lose” or the password to your Metamask plugin, KeePassXC is likely more secure than you are.

2.33.2: How Do I Get In The Damn Bucket?

Now, you’re only ever going to access this Linode account and this bucket from your BurnTop. You don’t ever want to interact with this thing on your disease ridden home network, and definitely not that sicker’n’hell thing you call a personal computer. So we need to connect our Kali encrypted system up to our S3 bucket. There are a million ways to do this, but I personally like to use an app called s3fs-fuse. This allows you to mount an S3 bucket as a normal disk drive on your desktop. That way you can access and interact with it using your regular point-n-click, drag-and-drop file manager instead of typing cryptic commands into a dark window like a caveman. So go ahead and install it using the Terminal in Kali, like a caveman, by typing this command

sudo apt update && sudo apt install s3fs -y

Enter your password, some stuff will fly by really fast and s3fs-fuse should be installed! Ok, remember that Access key you created for your bucket earlier? You still have that window open don’t you? Good. In your Terminal application you’ll run the following command. Of course replace ACCESS_KEY and SECRET_KEY with the actual access key and secret key from Linode. They should be separated by a colon.

echo "ACCESS_KEY:SECRET_KEY" | sudo tee /etc/passwd-s3fs && sudo chmod 600 /etc/passwd-s3fs

Next, we’ll create a folder to mount the bucket to on your local system

sudo mkdir /mnt/bucket32469

Finally, we’ll use s3fs-fuse and mount your newly created bucket in the folder you created

sudo s3fs {bucketname} {/mountpoint/dir/} -o passwd_file=/etc/passwd-s3fs -o allow_other -o url=https://{private-network-endpoint}

We’re going to replace {bucketname} with the name of our bucket, for example bucket32469, and we’re going to replace {/mountpoint/dir/} with the folder we created above, /mnt/bucket32469/ and the {private-network-endpoint} url will vary depending on what location your bucket is in. Here’s a good guide on how to find the endpoint URL for your bucket on Linode. So, if my example bucket was in Germany, my command would look like this:

sudo s3fs bucket32469 /mnt/bucket32469/ -o passwd_file=/etc/passwd-s3fs -o allow_other -o url=https://eu-central-1.linodeobjects.com

What do the rest of those things do you ask? Well the passwd_file option tells s3fs where the access key for the bucket is, the url option points it at the endpoint for your bucket’s location, and the allow_other option allows users other than the root user to access the mounted bucket, which means every user account on the machine. Easy, right? Right, so if everything worked according to plan you should be able to open up your GUI file manager app, Thunar on Kali XFCE, and browse to /mnt/bucket32469/ and see all the files in your bucket.

If you don’t have any files in there yet, go ahead and create a test.txt file and put it in there. Now look inside your bucket in your online Linode.com account. Did the text file show up? Yep? Sweet. Now you can go ahead and drag your VeraCrypt container and your KDBX KeePass database inside your bucket. For good security measure, when you’re done interacting with your bucket, unmount it from the system with the following terminal command

sudo fusermount -u /mnt/bucket32469/

Alright! Now you have your whole setup stored securely and safely in a completely different part of the world! Go ahead and log out of your Linode account too. We don’t want any session keys saved… just in case. When you’re satisfied, you can delete your VeraCrypt container from your Kali system disk, and empty the trash. Obviously don’t delete your KDBX file, you’ll use that for logging into your crypto accounts. Ok, I know what you’re thinking … why go through all the trouble to put it on a golden DVD?

Because Linode or whoever you choose could go bankrupt tomorrow, or the datacenter or server your files are on could burst into flames. They could delete your account and your files with no recourse or at the behest of someone with wealth or clout. Cloud service providers aren’t responsible for data loss basically. So this is just a backup solution in case a Volcano erupts in your home town while you’re on vacation and covers everything in liquid hot magma … including your gold DVD collection.

You don’t want to forget to pay your Linode bill though, so if you’re confident in your credit worthiness, go ahead and put it on automatic payment in your Linode account settings.
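Before you delete the local VeraCrypt container as described above, it is worth proving that the copy in the bucket is byte-for-byte identical. The script below is an added example, not part of the original guide: it copies a file into the mounted bucket, compares SHA-256 digests, and records the digest in a local manifest so a later restore can be checked. The manifest path is a hypothetical choice, and file names are assumed to contain no spaces.

```shell
#!/bin/bash
# Added example, not the guide's own code. Copies a file into the mounted
# bucket and proves the copy matches before you delete the original.
# MANIFEST is a hypothetical local file that remembers each digest.
MANIFEST="${MANIFEST:-$HOME/bucket-manifest.sha256}"

# Print only the hex SHA-256 digest of a file (empty output on failure).
sha256_of() {
    sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1
}

# usage: backup_verified SRC DESTDIR
# Returns 0 only when the copy in DESTDIR hashes the same as SRC.
backup_verified() {
    src=$1
    destdir=${2%/}
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    [ -d "$destdir" ] || { echo "not mounted or missing: $destdir" >&2; return 2; }
    name=$(basename -- "$src")
    want=$(sha256_of "$src")
    [ -n "$want" ] || { echo "could not hash $src" >&2; return 2; }
    cp -- "$src" "$destdir/$name" || { echo "copy failed" >&2; return 1; }
    sync
    got=$(sha256_of "$destdir/$name")
    if [ "$want" != "$got" ]; then
        echo "MISMATCH: keep $src, the copy in $destdir is bad" >&2
        return 1
    fi
    # Remember the digest locally so a future restore can be verified.
    printf '%s  %s\n' "$want" "$name" >> "$MANIFEST"
    echo "verified $name $want"
}

# usage: restore_check FILE
# Compares FILE against the newest manifest entry with the same name.
restore_check() {
    name=$(basename -- "$1")
    want=$(awk -v n="$name" '$2 == n { d = $1 } END { print d }' "$MANIFEST" 2>/dev/null)
    [ -n "$want" ] || { echo "no manifest entry for $name" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$want" ]
}

# Command-line use: ./script backup /path/to/container /mnt/bucket32469/
if [ "${1:-}" = "backup" ] && [ $# -eq 3 ]; then
    backup_verified "$2" "$3"
fi
```

For a stricter check, unmount and remount the bucket, then run restore_check on the copy in the bucket before deleting anything.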

2.33.3: Let’s Make This A Bit Easier

Let’s turn those mount and unmount commands above into some simple scripts so we don’t have to type that big long command every damn time. Keep in mind these scripts have no error checking or logic. Open a new Terminal window. We’re going to create two files containing the commands we used successfully above, so first let’s start with the one that mounts our bucket. In your terminal type the following command

echo -e '#!/bin/bash\nsudo s3fs bucket32469 /mnt/bucket32469/ -o passwd_file=/etc/passwd-s3fs -o allow_other -o url=https://eu-central-1.linodeobjects.com\nexit 0;' > ~/bucket

So now we have created a script to mount your bucket as a drive. Let’s make one to unmount it too. In your terminal type the following command

echo -e '#!/bin/bash\nsudo fusermount -u /mnt/bucket32469/\nexit 0;' > ~/unbucket

And finally let’s set the proper permissions on the scripts so only your user can see or execute them

chmod 700 ~/bucket ~/unbucket

Great! Now when we want to connect up our bucket all we have to do is open a terminal window and type ~/bucket then enter your Kali password. When we’re done, we can use that same terminal window to type ~/unbucket to unmount it.
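The two scripts above have no error checking, so here is one script that does both jobs with the checks added. This is an added example, not the guide's own code: it reuses the guide's sample bucket name, mount point and endpoint, and the function names are made up for illustration. It refuses to mount if the key file is open to other users or still holds the ACCESS_KEY:SECRET_KEY placeholder, and it confirms the mount actually answers before reporting success.

```shell
#!/bin/bash
# Added example, not the guide's own script. BUCKET, MNT and URL are the
# guide's sample values; CREDS is the key file created earlier.
BUCKET="bucket32469"
MNT="/mnt/bucket32469"
URL="https://eu-central-1.linodeobjects.com"
CREDS="${CREDS:-/etc/passwd-s3fs}"

# Succeeds only if the key file exists, is closed to group/other, and
# (when this user is allowed to read it) holds real ACCESS:SECRET content.
creds_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is open to group/other; run: sudo chmod 600 $f" >&2
        return 1
    fi
    if [ -r "$f" ]; then
        if grep -qF 'ACCESS_KEY:SECRET_KEY' "$f"; then
            echo "$f still holds the placeholder, not your keys" >&2
            return 1
        fi
        grep -Eq '^[^:[:space:]]+:[^[:space:]]+$' "$f" ||
            { echo "$f is not in ACCESS:SECRET form" >&2; return 1; }
    fi
    return 0
}

# True if something is mounted on the directory (trailing slash ignored).
is_mounted() {
    grep -qsF " ${1%/} " /proc/mounts
}

bucket_mount() {
    creds_ok "$CREDS" || return 1
    [ -d "$MNT" ] || { echo "mount point $MNT does not exist" >&2; return 1; }
    if is_mounted "$MNT"; then echo "already mounted on $MNT"; return 0; fi
    sudo s3fs "$BUCKET" "$MNT" -o passwd_file="$CREDS" -o allow_other -o url="$URL" ||
        { echo "s3fs refused to start" >&2; return 1; }
    # Do not trust the exit status alone: confirm the mount answers a listing.
    if is_mounted "$MNT" && ls "$MNT" >/dev/null 2>&1; then
        echo "mounted $BUCKET on $MNT"
    else
        echo "mount is not usable; check the keys and the endpoint URL" >&2
        return 1
    fi
}

bucket_unmount() {
    if ! is_mounted "$MNT"; then echo "nothing mounted on $MNT"; return 0; fi
    sudo fusermount -u "$MNT" ||
        { echo "unmount failed; is a file manager still in $MNT?" >&2; return 1; }
    echo "unmounted $MNT"
}

case "${1:-}" in
    mount)   bucket_mount ;;
    unmount) bucket_unmount ;;
esac
```

Saved as one file with chmod 700, it is run with the argument mount or unmount; with no argument it does nothing.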

2.4: Locked Up, Backed Up

Clean and easy, just how we like it. Nice, we’re looking good bros … we now have a reasonably secure crypto environment, reasonably secure password storage, reasonably secure and resilient cold storage, and reasonably secure on- and offsite backup solutions. Now … we gotta clean up that mess you made with your real identity and clean up that personal computer and back alley of filth you call a home network. Stay tuned!

P.S. If you have questions or need help join me over at the Surviving the Internet (OpSec) Group. It’s a private group but after signing up you can request to join. I heard the organizer of the group over there is pretty cool and will let just about anybody in.
