JBM’s Basic Guide To Online Subterfuge: Phase 3

siege of castle eisenkrieg by joazzz2

Ok so if you followed the first three phases of my guide to subterfuge you should have a few basic things set up and your crypto/web3 activities separated from your home network. Now that your money is safe and secure, let’s set up an environment for you to do battle on the Internet.

First, we need to clean up your current devices and network so we can feel moderately safe setting this up. I am going to assume for this guide that all of your machines have been compromised and your network is being watched by some form of malware right now without your knowledge. So, put your secure crypto environment away and head back to your infected computer on your shady WiFi.

Phase 3.0: Smash And Burn! Scorched Earth People!

scorched earth

Now look, I’m super paranoid … I think that’s apparent by now. So if you are too, go ahead and toss out all your hardware. Computers, routers, switches, smart TVs, media boxes, etc… backup your files, wipe your data and take it straight to the recycler. Especially if you’ve been hacked before.

If you aren’t as paranoid as I am, then at the very least, back up all your important files and format your hard disk and reinstall your choice of operating system from a known good source. If you’re using a tablet or mobile device, backup your files and then use the factory reset procedure. Do the same for your router, Smart TVs, Roku boxes, anything that connects to your network.

I would recommend starting with resetting your router, and updating it first. Then connect each device one by one, updating each all the way before connecting the next one. After they’re fully updated, restore your apps and files from your backups and proceed forward with this guide.

Security Warning: Make sure all your devices are still receiving security updates. Devices reach an “end of life” at a certain point and they’re no longer supported or patched for vulnerabilities. It is important to keep track of your products’ life cycles and update cycles. Just because an older device still works and says “Up to date” doesn’t mean it’s secure; it could mean that is the last supported version for your device. It’s also important to purchase from manufacturers that specify how long a product will receive updates, or when it will reach end of life.

Phase 3.1: Securing your Castle

securing your online castle

You have to think of your home network as a castle with big tall walls and sharpshooters in towers at the corners to keep the bad guys out. The first step in good network security is your router, or gateway. This will prevent intrusions from the outside, and with the right hardware and software it can also help you detect and stop intruders if you become compromised.

Now there are a ton of brands of routers and software and stuff out there, and almost all of them integrate some sort of cloud system and a lot have poor security, don’t get updated, etc., so I’m not going to recommend any of them. What I will recommend is using open source software like OPNsense or pfSense. I personally prefer OPNsense over pfSense. Both of these are free and you can install them on any hardware you like as long as it has 2 network ports.

If you’re looking for a product, or a router-like-shaped piece of hardware, I can’t recommend anyone but Protectli. You can purchase them with either OPNsense or pfSense installed, as well as with Coreboot UEFI for the ultimate in open source protection. I like these products because they include “Intrusion Detection Software” that inspects packets on your network and detects botnets/malware/miners and more, and if configured, it will cut the network access off to the affected device to prevent your data from leaving, or your computer becoming part of a botnet army.

Some consumer devices have this, but most insist on sending your packets to their data centers for inspection, even in cases where the router is sufficiently powerful to do it locally. So… open source routers with open source packet inspection and open source packet signatures are better if you have the means, is all I’m tryna say.

Tip: If you go the Protectli route, configure it with at least 8GB of RAM in order to use the Intrusion Detection services reliably.
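To make the “detect and cut off the affected device” idea concrete, here is an added example (not code from this post, and not Protectli’s, OPNsense’s or pfSense’s own code): it reads alert lines in the eve.json format produced by Suricata, the IDS engine those firewalls use, keeps the serious ones, and works out which LAN host should be isolated. The sample lines, IP addresses and signature names are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample lines in the style of Suricata's eve.json output (the IDS
# engine behind the OPNsense/pfSense intrusion detection feature). The IPs and
# signature names are made up for this example, not real rules or captures.
SAMPLE_EVE_LINES = """\
{"timestamp":"2024-01-01T10:00:01+0000","event_type":"alert","src_ip":"192.168.1.37","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature":"EXAMPLE Cryptominer stratum login","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2024-01-01T10:00:02+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:03+0000","event_type":"alert","src_ip":"198.51.100.99","dest_ip":"192.168.1.37","proto":"TCP","alert":{"signature":"EXAMPLE Botnet command and control beacon","category":"Command and Control","severity":1}}
{"timestamp":"2024-01-01T10:00:04+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.5","proto":"TCP","alert":{"signature":"EXAMPLE Plain HTTP request observed","category":"Not Suspicious Traffic","severity":3}}
this line is corrupt and must be skipped
"""


def devices_to_isolate(eve_lines, lan_cidr="192.168.1.0/24", max_severity=2):
    """Return {lan_ip: [signature, ...]} for LAN hosts involved in serious alerts.

    Suricata severities run 1 (high) to 3 (low); only alerts at or above
    max_severity count. The compromised LAN host may be the source (outbound
    miner or C2 traffic) or the destination (inbound C2), so both ends of the
    flow are checked against the LAN prefix. Non-alert events (flow, dns, ...)
    and unparseable lines are ignored.
    """
    lan = ipaddress.ip_network(lan_cidr)
    hits = defaultdict(list)
    for raw in eve_lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        if alert.get("severity", 3) > max_severity:
            continue
        signature = alert.get("signature", "unknown signature")
        for key in ("src_ip", "dest_ip"):
            try:
                addr = ipaddress.ip_address(event.get(key, ""))
            except ValueError:
                continue
            if addr in lan and signature not in hits[str(addr)]:
                hits[str(addr)].append(signature)
    return dict(hits)


def pf_block_rules(isolated):
    """Render one pf-style block rule per host to isolate. Illustrative only:
    on OPNsense/pfSense you would normally do this with an alias plus a
    firewall rule in the GUI rather than raw pf syntax."""
    return [f"block drop quick from {ip} to any" for ip in sorted(isolated)]


if __name__ == "__main__":
    found = devices_to_isolate(SAMPLE_EVE_LINES)
    for ip, sigs in found.items():
        print(f"isolate {ip}: {', '.join(sigs)}")
    print("\n".join(pf_block_rules(found)))
```

Only the 192.168.1.37 host is flagged: its outbound miner alert and the inbound C2 alert both count, while the severity-3 alert for 192.168.1.20 and the non-alert flow record are ignored.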

Phase 3.1.1: Basic Consumer Router Hardening

Ok, so let’s say you don’t want to buy a whole new router, what can you do? Well, honestly I don’t know what kind of router you have, and don’t start asking me questions about your router. I don’t know anything about it. I will however suggest a few things that a lot of routers have in common. You’ll have to figure out how to adjust these settings for your model. These are just basic security tips and not the end-all-be-all of router security.

  1. Ensure that your firewall is up, and enabled. This is usually on by default but you never know.
  2. If available, disable any cloud services that route your packets to a service for inspection, like ASUS’s aiCloud.
  3. Unless you absolutely need it, disable the web administration panel on the WAN interface. This should also be default, but you never know.
  4. Disable UPnP, Universal Plug and Play. This has been such a security problem it’s jokingly called Universal Pwn and Play. Forward any ports you need to the device requiring it. This is almost always on by default in consumer routers.
  5. Disable WPS, or Wi-Fi Protected Setup. This “PIN” can be cracked in only 11,000 guesses. This is almost always on in consumer routers.
  6. Disable PING on the WAN interface. Most routers allow you to drop PING requests. This can be used to determine whether you’re online and therefore worth the time for a port scan and further investigation.
  7. Make sure your WiFi security level is at least WPA2-AES. WPA3 is better but not all devices support it. WPA2-PSK is insecure and should no longer be used. And WPA … well it should be outlawed. Make your password a long passphrase like ‘ethereum#lovers#wifi#only!’
  8. Set up and use the “Guest Wifi” feature if available. Don’t let anything other than approved devices on your network. When your friends, or the neighbor or the guy that lives in the tent under the bridge asks for your wifi password, you give them the guest network password. Give it a creative name, or maybe a funny one like “Abraham Linksys” so they don’t feel like they’ve been relegated to a lesser WiFi. The guest network is also great for devices that you want to connect to the Internet, like your SmartTV or Roku, but don’t need access to your internal LAN. Guest WiFi networks isolate clients from each other and your network.
  9. Assign all of your personally owned devices a static IP address. Then limit the DHCP range to 10 or 20 IP addresses. If you don’t have a lot of “foreign” devices coming and going on your network then you can disable DHCP altogether and assign each device a static IP address.
  10. Change the default administrator username, password, wifi network name, and wifi password from the defaults. Pfft… duh! obviously John!

Phase 3.1.2: Basic Desktop Computer Hardening

Alright, so as you probably know there are different desktop devices, with different operating systems made by different manufacturers. So with that said, I’m not going to get into detail on how to accomplish these tasks, but I think you can search for solutions. This list is by no means exhaustive or complete. Perhaps a more in-depth guide to hardening is in order in the future. For now, at least make sure these are done.

  1. Skip “online” accounts like Windows loves to try and make you use. Use local accounts.
  2. Choose a strong login password. I think we’ve been over how to create a strong login password previously in this guide and past guides, so I will skip it for now.
  3. Encrypt your hard disk. Every modern operating system has the ability to encrypt your files on disk, use it. In the event your home is burglarized and your computer stolen, your data will be safe. Don’t think that an attacker won’t break into your home to steal your computer if they think they can gain something of value from it. Most operating systems generate a recovery code, so write that down on paper and then type it into your KeePassXC database in the secure crypto environment you set up in Phase 1 of this guide. Double, triple, quadruple check that you copied it correctly. Then, if asked, don’t store the recovery code in the cloud.
  4. Encrypt your backups. No matter what sort of backup solution you use (you do have backups right?) make sure they’re also encrypted. There’s no sense in using disk encryption if your little portable backup hard drive has all the good stuff unencrypted.
  5. Put the firewall up. Even though you have a firewall in your router, each computer on your network should also have a firewall up. If one device on your network is compromised, the firewall running on each machine may help prevent them from being compromised as well. This is very easy to do on Linux, macOS or Windows. Learn how to use the firewall and only open the ports between the machines you need.
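Before writing those per-machine firewall rules it helps to know which services are actually listening and on which interface. The check below is an added example, not code from this post: it parses the Linux /proc/net/tcp socket table (a constructed sample is embedded; on a Linux host it reads the real file) and separates loopback-only listeners from ones other machines on the LAN can reach.

```python
import ipaddress
import socket
import struct

# Constructed sample of Linux's /proc/net/tcp socket table, not taken from a
# real machine. Column 2 is the local address (little-endian hex IPv4 : hex
# port), column 4 is the socket state (0A = LISTEN, 01 = ESTABLISHED). The
# remaining columns are filler because this example does not use them.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 2501A8C0:0016 0A01A8C0:C34E 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1004 1 0000000000000000 100 0 0 10 0
"""


def decode_proc_addr(hex_addr):
    """Turn '0100007F:0277' into ('127.0.0.1', 631)."""
    ip_hex, port_hex = hex_addr.split(":")
    # the kernel prints the IPv4 address as a 32-bit integer in host byte
    # order, so on little-endian machines the octets read "backwards"
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, exposed)] for every socket in LISTEN state.

    exposed is True when the socket is bound to something other than
    loopback (0.0.0.0 or a LAN address): other machines can reach it unless
    the host firewall says otherwise, so these are the ports a firewall rule
    must restrict to the specific peers that need them.
    """
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        ip, port = decode_proc_addr(fields[1])
        found.append((ip, port, not ipaddress.ip_address(ip).is_loopback))
    return found


def exposed_ports(proc_net_tcp_text):
    """Sorted list of listening ports reachable from other hosts."""
    return sorted(p for _ip, p, exposed in listening_sockets(proc_net_tcp_text) if exposed)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # the real table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for ip, port, exposed in listening_sockets(table):
        status = "EXPOSED - needs a firewall rule" if exposed else "local only"
        print(f"{ip}:{port}  {status}")
```

In the sample, port 22 and port 8080 are bound to 0.0.0.0 and need rules restricting them to the machines that should reach them, while the printer service on 127.0.0.1:631 needs none; IPv6 listeners live in /proc/net/tcp6 with 128-bit addresses and are not covered here.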

Phase 3.2: Secure Your Online Experience

Most people do a few things online: they use a web browser, they access email, and they use a handful of apps that are useful to them. What we’re going to do is try to secure the apps and your connections to the wild wild west we call The Internet so that you can function like a normal human in society without worrying too much about all your emails, photos, calendars and documents being leaked all over the Internet or used in some AI’s training models.

Phase 3.2.1: The Holy Hole … Your Web Browser

scary web holes

So one of the main tools we all use to access the Internet is a web browser. Your web browser also goes through your firewall and right to your eyeballs, so it’s a perfect attack vector to get inside your castle. So we need to secure that up best we can. Just remember though, web browser = hole. Most of the time, things that come out of holes are not good. Not always, but in my experience most of the time. Now as you know, there are a lot of different web browsers out there, made by a lot of different companies with a lot of different motivations.

So, as always I’m going to recommend open source software, primarily the Firefox web browser made by the fine folks at Mozilla. If you use another browser, no worries, all these things are more than likely available for other browsers. Whatever you do, don’t use Microsoft Edge, it’s not secure in the slightest. For you to do combat online you need a few extensions for your web browser to keep you safe. You can download extensions here for Firefox or Chrome. If you use another browser you’re on your own. You’re smart though, I know you’ll figure it out.

1. Ad Blocker

Hey… I know sometimes you want ads when you’re shopping, but a lot of the time ads carry viruses and malware. Lizard people love using ad networks like Google Adwords and others to spread their crap across the Internet. So block ads. I personally like uBlock Origin. It’s available for Firefox and all the others. There are a lot of options out there, so find one you’re comfortable with.

2. NoScript

NoScript is an extension that blocks Javascript. Javascript isn’t bad by itself and some websites, like Caches, even rely on it. It’s also a good attack vector, as Javascript is code that is compiled and executed on your computer! Unfortunately disabling it breaks websites that rely on it. Websites like Caches for example. So if you install NoScript it takes some time and effort to whitelist the websites you want to run Javascript and the ones you don’t, but it’s worth it. If you accidentally click a link with a Javascript malware payload, NoScript will stop it. Whew! Dodged a bullet there!

3. Container Tabs

This as far as I know is a Firefox only extension. I have not seen anything similar available for Chrome. Multi-account container tabs contain all your cookies, cache and more inside isolated containers. For example: You could create a container for just your Banking websites, or just for Facebook and all those tracking cookies and cache stay inside that container, organized by color coded tabs in a single browser window, using a single profile. Nice!

This way you can isolate each of your different online activities and make it a little more difficult for data mining companies to track you and your habits through the series of tubes that is The Internet. It also keeps those precious session keys, you know… the ones that keep you logged in and log you in automatically so you don’t have to type your password every damn time you visit a website… yeah you know the ones. Well it keeps them inside segregated containers, which can help reduce the chance of cookie stealing malware getting ahold of them.

Phase 3.2.2: A Password Manager

secure password manager

Hey, this seems familiar huh? We set up a password manager called KeePassXC in Phase 1 of my guide for our secure crypto environment didn’t we? Mmhmm… we sure did. We’re going to do the same thing for your non-secure environment here also. I mean … you’re not saving your passwords in the Browser are you? You wouldn’t save personal information like your name and address and credit card numbers in there too right!? Whew! I didn’t think so, I mean … that’s not even moderately secure let alone reasonably secure!

Since we’re not trying to secure cryptocurrency or anything else of irrevocable value here, I believe it’s safe enough to go with an online/cloud password manager service for your day to day things. Now look, if you have the wherewithal then please set up KeePassXC + Syncthing to keep your password database stored locally, and synced across all your devices using your LAN.

If not, I believe a secure online service affords you a reasonable amount of security for a tradeoff in ease of use. I also believe it offers better security than placing your KeePass database on your cloud storage account for reasons I won’t go into here for the sake of brevity. I can only recommend two services. Both have been tested for security and by the legal system. Both offer a sort of trial/free account, so take them both for a spin and decide for yourself.

3.2.2.1: Bitwarden

bitwarden screenshot

Bitwarden, and even its server software, is completely open source. It’s also inexpensive for an individual plan for all your devices through their hosted service, and they have a nearly flawless track record. I don’t believe their interface and functionality is as nice as my #2 choice below, but being open source would make it my first choice. They have clients for Linux, macOS and Windows as well as browser extensions.

3.2.2.2: 1Password

1password secure password manager

1Password is not open source, but they have been securing people’s passwords for a long time without a single vault breach. I would argue that they may even be more secure than Bitwarden as you also have to provide a 128-bit pass phrase (which you are told to print out during account setup) in addition to your username and password to log a new device in. They also have clients for Linux, macOS, Windows and ChromeOS.

Phase 3.3: Secure Your Data By Actually Paying For It

you are not a product

Alright! We are rocking and rolling now! You got yourself a password manager so you can generate long passwords and save them securely for later retrieval. Great, now that we have that setup, it’s time to secure your email. Why? Because 99% of the time websites use your email address as your username, so if someone has access to your email, they can reset your account passwords or even change account information and delete the emails before you see them and assume full control over the account and by extension any online accounts you signed up with using that email address. So, with all that said, this needs to be as safe as we can get it.

As you know, I am a big fan of Proton Mail. In Phase 0 of the guide you signed up for a free Proton Mail account for your online alias. Now it’s time to do the same for yourself. Head over to Proton Mail and sign up for, and purchase, the “Unlimited” account. Don’t upgrade your alias account, make a new one. Hey, maybe you even created a second alias to use to buy your personal Proton account … just in case their customer database does get hacked. You get up to 15 email addresses with the Proton Unlimited account so you can set one up for your alias, and another one for your real name to give to friends and business partners, and they’ll all come to the same inbox.

Ok, remember … you specifically want the Unlimited account because it also includes some other services that you will have to pay for anyway if you follow the rest of the guide. So don’t be cheap, you’re getting a great bargain and you’re paying for it, so no one is data mining you to pay the bills. It’s also hosted in Switzerland and as such, it is protected by the world’s strictest privacy laws. Basically, unless it can be proven that you broke Swiss law, no one can compel them to turn over anything. Even then … your actual email data is zero-knowledge encrypted and only you hold the key. Meaning, Proton can’t provide anything other than the information you gave them when you signed up. Wink!

Phase 3.3.1: You Need a VPN Homie!

secure tunnel

Alright so you signed up with Proton and got that all setup. You saved your Proton recovery keys somewhere safe, offline and you created a new personal email address. Awesome! Now we need to secure your connection to the Internet from eavesdroppers and hide your real IP address from websites and trackers. To do that, we’ll use a technology called a VPN, or Virtual Private Network. A VPN creates an encrypted tunnel between your computer and the Internet.

All your traffic is routed through the VPN before going out to the Internet so it looks like you’re connecting from the VPN’s IP address instead of your own. Since it creates a secure tunnel, that means other people on your LAN, or at your ISP, or anyone in between you and the Internet can’t see what you’re doing. This will help keep you safe even if another device on your network has been compromised and is sniffing your traffic without your knowledge. So let’s lock that up.

Well … woooja just look at that! The Proton Unlimited account you subscribed to includes ProtonVPN for free! You get secure encrypted email and a VPN for the same price!? What a bargain! Setup is very easy. Just download the client for your operating system from the Proton website, enter your login info and hit connect. If it seems confusing to you, Proton has some great help guides to help you set it up and configure it.

Phase 3.3.2: You Need Secure Offsite Data Storage Homie!

secure cloud storage

You’ll also notice that Proton Drive is included with your Proton Unlimited account. This is similar to Dropbox or OneDrive but your files are encrypted on your device before they’re uploaded to your Proton Drive. The encryption keys are only stored on your device, so even Proton themselves can’t see what is in it, and they can’t decrypt it without your encryption key… which only you have. Unfortunately as of this writing, Proton Drive is not as full featured as Dropbox/OneDrive/Google Drive. As a result, there is no Desktop client, no folder syncing or anything like that. It’s literally just a place to upload files from a web browser to keep them safe.

Update: Recently Proton released a ProtonDrive app for iPhone, and Android. Desktop apps have also been announced. So good news!

That’s ok though, this is perfect for things like storing a backup of your Keepass database, or your family photos or any data you don’t want to worry about losing if your entire state goes up in flames. While I believe Proton Drive to be safe and secure, I wouldn’t store crypto wallet keys or anything else super valuable in there without encrypting it first.

What I’m tryna say is, don’t go dropping an Excel spreadsheet with all your passwords in there thinking it’s safe. It should be, but you can’t be too careful these days. There are some other great end-to-end encrypted cloud storage providers and even some self hosted options like NextCloud, or OwnCloud if you have the ability to self host your cloud. If you need more functionality than ProtonDrive currently provides, and you don’t want to self-host, then I would recommend pCloud. pCloud is Zero Knowledge, end to end encrypted cloud storage, like ProtonDrive, but with more functionality. What’s really cool about pCloud too … they sell LIFETIME subscriptions. Pay one higher price, one time and never pay again. Crazy huh?

Maybe you could even skip the Bitwarden or 1Password account, and sync a KeePassXC database between your devices using pCloud. Hmm… I never tried but … theoretically it should work…

Phase 3.4: Wrapping it up … for now

Well … you’re still here. That’s good because that means you’ve got your devices up to date and cleaned up. You’ve also buttoned up security on your network, desktop and web browser. You’ve ditched your Google or Yahoo email and moved over to Proton Mail or a similar encrypted mail provider that you’re paying real money for. Your Internet connection is now secured by a VPN, and your offsite cloud storage is zero knowledge, end to end encrypted. Huzzah! It looks like you’re ready to do battle on the Internet now! Sit tight, in the next phase of this guide we’re going to go clean up, secure and do our best to hide ourselves on all those old online accounts. Obfuscation! Stay Tuned!
