Secure yourself before you wreck yourself

I’m going to take a little break from #30daysofApple, and instead today’s blog will be about internet privacy. Now that the US federal government has given internet service providers the green light to sell our traffic history, the old paranoid security person in me decided it’s time to do a refresher course on the different options we have to protect our online privacy. I’ll go over a few options, from the very easy to the DIY build-your-own (literal) black box version. Before we dive in, let me start by saying none of the products or services I mention in this post are sponsors. In fact, one of the solutions is so opensource there would be no good way to find a sponsor.
You may be asking yourself: “Ok Ricky, other than being extremely paranoid, why would I want to do that? It seems so humbug.” Even if you aren’t super suspicious of the government, or don’t believe that ISPs are out there to make a quick buck off of you, there are some real world reasons why you need to secure your data. Ever sat at a cafe and used the free public WiFi? I’m not saying be wary of the cafe owner; rather, you never know who is sitting in the cafe with you sniffing (that’s an actual term) the unsecured data as it’s flying thru the air. While most shopping sites and login pages use encryption, and there is a movement to “SSL Everything,” until that day comes you should take every precaution with your data. Oh, and before I move on, if you’re thinking “that’s fine, the place I use has a WiFi password/key”: sorry to burst your bubble, but all that does is stop someone from getting into the WiFi playground. Once they’re inside the gate, they can snoop, sniff, snarf (I think snarf is a word) anything they want to.
I do want to manage your expectations though: adding any sort of overhead to your network transactions will have its penalties. In some cases it’s just a simple slowdown (for example, instead of 30 megabits/second you’ll get 25 megabits/second); in others it’s some strangeness in websites. For example, I don’t know why, but even on commercial VPN services, Google prompts me to verify I am not a bot every few searches. Also, sometimes banking sites glitch because they see you appearing in a location other than your registered home state; e.g. my credit union site freaks out, but with Bank of America, as long as my VPN appears to be in the US, everything is fine. However, as the old saying goes, it’s better than nothing, or a stick in the eye.
The easiest solution

We’ll start with the easiest, but possibly the least secure version (depending on your paranoia level): download and install the Tor Browser from the Tor Project. There are some drawbacks. Right now it doesn’t have all the extensions you might be used to using, and of all the methods, I find it the slowest. Also it only protects web traffic (it’s a browser, so duh), and everything else you do on your computer will be out in the unencrypted open. That means your instant messaging traffic, Twitter (if you use an app), FTP, etc. will be in the clear. Also you’ll be using a browser that was developed via the opensource community, which comes with its own set of paranoia (I love opensource, don’t hate me opensource gods). Below there’s a quick primer video on how Tor networks work; I recommend at least skimming thru it. There may be a test later on. Another option, if you’re a Chrome user, is to install TunnelBear’s browser extension. You’ll still be able to use your favorite browser and it will have an added layer of security. If all that seems too humbug, do yourself a favor and install “HTTPS Everywhere” from the Electronic Frontier Foundation if you run Chrome. It will at the very least make sure you’re using the SSL/encrypted version of the sites you’re visiting (if the site supports SSL).
The medium solution

Next step up in complexity, but still easy to implement, is a ready-to-roll service like TunnelBear, which happens to be my VPN service of choice. It’s as simple as downloading a client and installing it on your computer/phone/tablet, and after you configure accounts, you’re ready to go. The nice thing with TunnelBear is that you can set your exit node, so hypothetically, let’s say you want to watch something on the BBC iPlayer and it’s geolocked to the UK. You could use TunnelBear to make it appear that you are in the UK. If you look at the screenshot, I could easily choose to be in Mexico. Not saying this always works, but when it works, it’s great. Most commercial apps/services support Android, iOS, Windows, and macOS. Now for the drawbacks. For TunnelBear in particular, while they do have a free plan, it’s limited to about a gigabyte per month. That is fine for the occasional VPN session, however power users can easily blow past that data cap. After that it’s about $9/mth for unlimited data, or at the time of this writing, $5/mth if you sign up for a whole year. Now, some security-minded folks take issue with the fact that companies like TunnelBear are for-profit companies, and since they aren’t opensource, the community cannot check the software for bugs and backdoors. I counter that, compared to the next solution, having someone you can email when you have problems is worth the $9/mth.
The “so DIY, Macgyver would be proud” solution (aka hard)

The last and most complicated option is to build your own Tor server and route traffic thru it. I’m using a Raspberry Pi 3 running Raspbian Jessie Lite, and I set the filesystem into read-only mode so I can just pull power without having to worry about doing a proper shutdown. It’s not an easy solution, and right now it only works in places where I have an Ethernet connection for the outbound/WAN link. However, I am trying to roll in a second WiFi connection to allow for more mobile/hotspot-friendly use. Also it requires the use of SSH/command line utilities to switch between router-only and Tor modes (that’s an option I created), or to do any sort of troubleshooting.
The big advantage this solution offers me is that I’m able to use a single connection to provide internet service to all my devices. In a hotel room, for example, where WiFi sucks, I can provide my own in-room WiFi network that uses the single Ethernet plug that’s usually in the room. Another advantage is that everything from the rPi outwards is tunneled thru the Tor network, which means all connections are encrypted (no worrying if some other guest is running a packet sniffer on the hotel WiFi): instant messengers, Netflix, web browsing, even DNS lookups are hidden away. All the while, my devices behind/inside the rPi think they’re on an unencrypted network, so features like AirDrop seamlessly work (some locations block host-to-host communication), all while I am sealed in a network safety bubble of sorts. If you read between the lines, I’m saying I don’t trust the local ISP/provider, but I have no problem with strangers out on the ‘net relaying my anonymized data. Weird huh? For a quick primer on how Tor works, here’s a video from Linus Media Group.
Items you’ll need:
- A Raspberry Pi with two network connections; with the rPi 3 it’s wireless and wired.
- Ability to follow complex instructions.
- Ethernet connection (for now) to an active network.
The Basics
The first step is to configure your Raspberry Pi to be used as an access point, and then configure it for use as a Tor device. I followed these guides on adafruit.com to do that:
- Installing an OS on your raspberry PI: https://learn.adafruit.com/adafruit-raspberry-pi-lesson-1-preparing-and-sd-card-for-your-raspberry-pi
- Setting up a Raspberry Pi as a WiFi access point https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/overview
- Setting up an Onion Pi (tor proxy) https://learn.adafruit.com/onion-pi/install-tor?view=all
That’s pretty much it for the basic part. Remember to change your Raspberry Pi’s default password. If you have the hard drive space (on another computer), I recommend imaging the SD card once you have everything configured. That way, if something gets messed up during normal use, you can just restore from the image. If you stop here, remember you need to shut down your Raspberry Pi properly every time, or else you risk corrupting your filesystem.
For the power user
As I mentioned above, I went a bit beyond the Adafruit instructions. I changed the filesystem to read-only so that I don’t have to worry about doing a “safe” shutdown. For that I followed these basic instructions:
Unfortunately, this only allows the rPi to work as a simple NAT router. As with everything opensource, after that I had to make some additional tweaks to the Raspberry Pi’s configuration. In no particular order, other than this is how I decided to tackle it:
- DHCP server log files and database have to be written to a temp space that is set to read/write (/var/tmp in my case).
- A script to set the rPI into read/write mode.
- Reconfigure the TOR startup scripts to create the necessary directories and files, that the readonly process removes.
- Flush and replace the ipchains/firewall rules to route NAT traffic thru the Tor service (and reverse it when I want to go back to NAT only mode).
- A script to set everything back for readonly mode.
I’m not sure how to turn those 4 things into instructions, so I’ll just attach my current working files and notes to this post.
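The rule swap from the list above (routing NAT traffic thru Tor and back), as an added example rather than the author's attached script. It assumes the interface names, the 192.168.42.1 access point address and Tor's TransPort 9040 / DNSPort 53 from the Adafruit guides, and it uses iptables, the firewall tool on Raspbian Jessie; Tor mode drops anything it cannot redirect, so UDP and other non-TCP traffic fails closed instead of slipping past Tor.

```shell
# Added example, not the author's script. Assumed: wlan0 = access point side,
# eth0 = WAN, AP address 192.168.42.1, torrc with TransPort 9040 and DNSPort 53.
LAN_IF=${LAN_IF:-wlan0}; WAN_IF=${WAN_IF:-eth0}
AP_ADDR=${AP_ADDR:-192.168.42.1}; TRANS_PORT=${TRANS_PORT:-9040}

# Print a full ruleset (iptables-restore format) for mode "tor" or "nat".
gen_rules() {
    case "$1" in
    tor) cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -d $AP_ADDR -j ACCEPT
-A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT
EOF
        ;;
    nat) cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
        ;;
    *) return 1 ;;
    esac
}

# Load the ruleset atomically; iptables-restore flushes the tables it names.
apply_mode() {
    rules=$(gen_rules "$1") || return 2
    printf '%s\n' "$rules" | iptables-restore
    # Tor mode never forwards packets: anything not redirected is dropped.
    if [ "$1" = tor ]; then fwd=0; else fwd=1; fi
    sysctl -qw net.ipv4.ip_forward=$fwd
}

# Apply only when a mode is given (needs root), e.g. `sudo sh mode.sh tor`.
case "${1:-}" in tor|nat) apply_mode "$1" ;; esac
```

The rules are live only until reboot, which suits a read-only root; these are IPv4 rules, so the access point should not hand out IPv6 addresses.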
Here are the drawbacks of this scenario. One, the Raspberry Pi is a full computer, just in a compact form. That means it needs its own power supply, which is fine because it can work off a standard USB charger or a battery bank. That makes it humbug if you’re cofficing, but fine if you’re in a remote office or hotel room. Perhaps the biggest limitation is that right now it only works with Ethernet WAN connections (though I am working on this). Also it requires one to be pretty comfortable with Linux/SSH/command lines. As you can tell, this method is pretty involved, and well overkill for most people. While I like the idea of people walking around with Onion Routers in their backpack, TunnelBear with a subscription is probably the best solution for most people.
Conclusion
So really you have multiple options on how to secure your data, from something as simple as switching to a different browser to something as complicated as building your own Tor access point router. What solution am I using? A combination of TunnelBear and the Tor access point for now. I am paying for my TunnelBear service, but I do like the ability to create my own secure bubble for my devices to use that the Tor solution offers. Also, in this day and age, where wardriving consists of running an app on your mobile device, you really can’t be too careful out there. If you’re still unconvinced, remember: Trust No One. If you don’t want to run a VPN product, at the very least get off the free WiFi and tether yourself to your phone. Because if you can’t trust your ISP, who can you trust? Oh that’s right, they can sell your data now. Think they won’t do it? Verizon did, and only stopped because of public outcry.
P.S. In case you’re wondering, yes you can use these methods to hide your special video viewing time. No one has to know how much you like… clowns.