Becoming Virtually Untraceable — 12.0_Gh0st_Us3r.dll

*Note: This article was originally published by the author on This article is also available in Spanish here.

Credit: The Mind Unleashed

“The only way to deal with an unfree world is to become so absolutely free that your very existence is an act of rebellion.” — Albert Camus

Of course, as the author of this newsletter, I recommend that you start your journey from the very beginning with the first installment. However, you’re welcome to pick up wherever you like. Each installment contains unique information that is carefully bound together by a common theme: Data Privacy for La Résistance! In the 12th edition, we’ll continue our seemingly unending descent down the privacy rabbit hole.

Obligatory Privacy Rant

I don’t know about you, but for me, every day is data privacy day! I don’t need a day or a week of the year to be designated as a data privacy theme day or week to remind me of the importance of data privacy. Please! Our online privacy is virtually nonexistent to begin with, and getting worse incrementally. Every time I turn around there is some new Internet-connected technology that is designed to collect user data, and the product or App has a sketchy privacy policy and Terms of Service to justify the monetization of my [personal] data. This is bullshit and we shouldn’t stand for it as a society. It’s time people all over the world start holding elected officials accountable and demand better privacy protections. It amazes me how many people either are unaware or simply don’t care about Internet privacy. It is not hard to imagine that for many people, data privacy has become the unachievable goal that they’ve given up on. Don’t give up! Use ad blockers, use EFF’s Privacy Badger.

Maciej Cegłowski wrote an exceptional essay on data privacy at the link below that is worth reading. Do not be fooled by Tech companies who say they are pro-privacy rights. Their very existence depends on harvesting data from users of their “free” services.

In an example of how data privacy is beyond our control to a large extent, the government of Bulgaria’s tax revenue database was breached and the personal information of 5 million citizens was posted online for anyone to download. Bulgaria has struggled to protect its critical infrastructure against cyberattacks, one of which took the nation’s Commercial Registry offline in 2018. Governments around the world are notorious for having weak cybersecurity controls in place, whether due to a lack of funding, a lack of expertise, the sheer size of the job, or often a combination thereof.

This could really happen to any group of citizens in any country. In fact, it did happen to U.S. citizens in the April 2015 Office of Personnel Management (OPM) breach and millions of people who applied for U.S. government security clearances had their data compromised including biometric fingerprint data. I was among the victims and I am still mad as hell about this egregious violation of privacy.

Debugging Privacy To Become Untraceable

Image from Mr. Robot Season 3.0_power-saver-mode.h (note that Orwell’s “1984” is spray-painted on wall)

There is a lot that viewers can learn about becoming virtually untraceable simply by studying Rami Malek’s fictional character Elliot Alderson on the USA Network TV series “Mr. Robot” which I’ve referenced with imagery throughout this series for the many parallels it contains. Looking past Elliot’s obvious social anxiety disorder and drug use, which is more common than many people know among hackers, we find an example of a person that is ever-conscious of his surroundings and about leaving tracks.

  • He possesses a healthy amount of paranoia that somebody is always out to get him. This, though it admittedly seems ridiculous, will keep a person safe 99% of the time because the mindset forces you to think about how to be untraceable.
  • He goes to great lengths to hide his vigilante hacker research by using digital steganography to secretly embed his files into .mp3 music albums (See: DeepSound) so if they are discovered, they won’t suspect hidden files are contained therein.
  • His Operational Security (OpSec) is strong, meaning he doesn’t have “loose lips that sink ships” as the saying used to go back in the old times. Don’t freely give out information to people you don’t know or trust.
  • Elliot knows how to remain anonymous online and is skilled in information gathering.
  • He has no social media profiles including Facebook.
  • He uses a piece of tape to cover his laptop webcam to prevent other hackers from spying on him.
  • He is not tied down with owning a lot of material possessions, which, although it has little to do with untraceability, has everything to do with living a portable, digital nomad type of lifestyle where you can pick up and go in a hurry if need be.

There are plenty of other fictional characters that you can also draw inspiration and tips from, such as Jean Reno’s character in “Leon: The Professional,” or Liam Neeson’s character Bryan Mills in the “Taken” series, to name just a couple. This is not to imply that the life of an assassin or former CIA operative is necessary to becoming untraceable, but there are plenty of parallels that should not be ignored. These are people who don’t want to be found, who lurk in the shadows. Of course, some of the tips are complete Hollywood fiction or too impractical for a normal person to use, but there’s also a decent amount of useful tips, privacy, and physical security strategy in these movies that you might notice and later decide to incorporate into your lifestyle depending on how “untraceable” you really want to try to become.

Microsoft added telemetry functionality to a Windows 7 security-only patch in July 2019. First off, Windows 7 is nearly End-of-Life (EOL). It is difficult to fathom why ‘Microsquish’ would sneak this into a security patch at this point in the game. Telemetry in software is defined as…

In the software development world, telemetry can offer insights on which features end users use most, detection of bugs and issues, and offering better visibility into performance without the need to solicit feedback directly from users. — Stackify

Satellites Are Spying On You Constantly

As if you didn’t have enough to be paranoid about, satellite technology is beginning to become cheap enough that companies and government agencies from developed nations all over the planet are deploying observation [spy] satellites into Low-Earth Orbit (LEO) outer space.

“US federal regulations limit images taken by commercial satellites to a resolution of 25 centimeters, or about the length of a man’s shoe. (Military spy satellites can capture images far more granular, although just how much more is classified.)”

Governments can already spy on you whenever they choose to, but now commercial observation satellites are going to saturate the night sky. Some companies that own satellites are selling “HD video clips up to 90 seconds long. And a company called EarthNow says it will offer “continuous real-time” monitoring “with a delay as short as about one second…” This represents a massive threat to individual privacy in real life, forget online privacy. These folks are selling access to technology that will absolutely be abused and now instead of only having to worry about the billions of CCTV and home WiFi-connected surveillance cameras, there are also satellites orbiting above that can spy on you day and night if they wanted to. The worst part of it all is that you are completely powerless to do anything about it.

But So Is Social Media…

If you haven’t watched the Netflix documentary “The Great Hack” (1h54m, 2019), I strongly recommend that you do. It goes into detail on how Cambridge Analytica scraped Facebook user data for millions of Americans and used their data (along with all of their friends) to create a massive profile network to target ad content to sway the 2016 U.S. Presidential Election. This was 2 hours of viewing well-spent. It also goes to show that there is no shortage of people in this world who have no conscience and will feed off their greed for money to do all types of unscrupulous things to innocent victims. You must take action to safeguard your personal information now or risk becoming a victim of your personal data being used against you somehow. You can’t prevent data breaches of companies that collect your data, but you can try to control what types of data are collected about you to make their job much harder.

Why anyone still trusts Facebook at this point is beyond me. Disinformation and using aliases are your allies, folks. Think about your kids also if you have them, not just yourself. Think about how many data points companies like Facebook, Google, and the Cambridge Analyticas of the tech world are amassing on your children. Explain to your kids what is going on behind the scenes and how their post content (likes, photos, videos, messages, preferences) will be quietly collected over time and used to create an advertising profile unique to them. Internet regulation is still the Wild West; Americans have very few privacy rights at this time. That will get somewhat better for Californians with the California Consumer Privacy Act (CCPA), which goes into effect on 1 January 2020 but will not actually be enforced by the State Attorney General until 1 July 2020. When will the sorry excuses for politicians come together and pass meaningful Internet privacy regulation at the Federal level that is similar to the European Union’s (EU) General Data Protection Regulation (GDPR)?

Featured Privacy Tactics, Techniques, & Procedures

The Privacy Forecast is Cloudy

Credit: Someecards

Make no mistake about it. The Cloud is not your friend. Though I have previously written about how using the Cloud has its advantages in terms of data redundancy and accessibility mostly, it certainly has privacy and security implications as well that should not be ignored.

Keep in mind that you, the user, have zero control of the Cloud, which especially means that you should not trust the Cloud. Do you trust some company to protect your most personal files? Why would you? Do you think they care about your data the same way you do beyond that $15-$20 per month that you’re paying to have your data hosted in the Cloud? Doubtful. It could be vulnerable and you wouldn’t even know it. You’d only find out later on after the news of the data breach hit the headlines or once your identity has been stolen and your bank accounts drained. I’ve written about some of the difficulties of engineering security into the Cloud here if you care to learn more about the complexities involved.

Who else has viewing access to your Cloud data or social media content for that matter? Someone else does for sure: the administrators working at Google, Dropbox, Amazon, or Microsoft. Just as MySpace admins abused their “Overlord” tool to spy on users of the social media platform, admins at every C-SP and social media platform have tools to do the same exact thing. Expect it, but take measures to protect your data ahead of time.

You never know when a company that is hosting your data, or on whose platform you’re sharing intimate secrets, might be cooperating with law enforcement or government authorities to share the contents of your personal Cloud storage files or social media content. These are authorities that likely have the means to decrypt the Microsoft BitLocker encryption that you cleverly used to encrypt your files before uploading them to the Cloud-Service Provider (C-SP) storage platform.

“Many companies store redundant file backup systems in the same place where the original data is located” (Ammari, 2015). This is idiotic, don’t be like these companies. Be smarter, diversify your data backup storage portfolio as if it were a long-term investment strategy. How about this:

1) Local Backup. Back up data locally to the Hard Disk Drive (HDD) itself (little-to-no additional work required for this). If you have partitioned drives or more than one drive installed in your computer system, make your primary drive a Solid State Drive (512GB) on which the data is primarily stored, protected with Full Disk Encryption (FDE) using something like Veracrypt, BitLocker (last resort), or dm-crypt/cryptsetup or Linux Unified Key Setup (LUKS) for Linux machines (read the dm-crypt link for instructions on how to set this up). The secondary drive (i.e., your computer’s D:\ or other) can store the automatic backups of your C:\ drive if it is of sufficient disk size (i.e., 2–3 TB) and you properly configure your backup task scheduler to erase old data backups after a certain period of time (e.g., 6 to 12 months or as space is needed).

2) Offsite Backup. Back up monthly to a disconnected external HDD that is preferably located off-premises, but it can also be co-located at your physical residence as long as you also have some type of online backup. It is also smart to store the external HDD securely inside of a Faraday box or bag to protect against High-Altitude Electro-Magnetic Pulse (HEMP), depending on the number of HDDs and other equipment you may have. This way your data is protected from EMP or the dreadful thought of nuclear warfare (assuming you’re not incinerated in the blast).

Tarriss GoDark Faraday Bags ($49.97 at time of publishing) for phones, tablets, HDDs, other electronic devices

3) Online Backup. Data should first be encrypted using Veracrypt or some other encryption application and only then securely uploaded to a reputable Cloud platform over Transport Layer Security (TLS) v.1.3, the data-in-transit protocol, which employs forward secrecy. On the chosen C-SP platform it will be stored as encrypted data-at-rest (DaR). To ensure no one is able to snoop on your data, however, it is double-encrypted: with your own crypto (i.e., Veracrypt, BitLocker, LUKS) in addition to the DaR crypto used by the C-SP.

Importance of Data Redundancy

The golden rule when it comes to data backups to ensure redundancy in case of a catastrophe, be it man-made (e.g., ransomware, wiper, or other malware) or a natural disaster as discussed above, is to back up your data to three different format types or locations. For this reason, I still recommend using the Cloud in terms of data redundancy in case your dwelling and all of your earthly possessions go up in flames or become submerged under 10 feet of water. However, how you encrypt your personal files is very important. I don’t recommend creating your own home-brewed encryption, ever! Instead, use free, open-source software (FOSS) applications such as Veracrypt to encrypt your files. Loyal readers will recall that I briefly covered Veracrypt in Parts 1 and 3 of the Becoming Virtually Untraceable series, explaining that it was the successor to TrueCrypt.
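As an added example (not from the original article), this Python sketch covers two chores implied by the three-step plan and the three-location rule above: pruning local backups past the retention window, and confirming that the local, offsite and online copies of one encrypted container are byte-identical. The folder labels, the `.hc` file names and the idea that the online copy is reachable as a synced folder are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 365  # upper end of the article's 6-to-12-month window


def sha256_file(path, chunk=1 << 20):
    """Hash an encrypted container in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def prune_old_backups(backup_dir, retention_days=RETENTION_DAYS, now=None):
    """Delete backups past the retention window; the newest copy always stays."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    files = sorted((p for p in Path(backup_dir).iterdir() if p.is_file()),
                   key=lambda p: p.stat().st_mtime)
    removed = []
    for path in files[:-1]:  # skip the most recent backup even if it is stale
        if path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path.name)
    return removed


def check_redundancy(name, locations):
    """Return (ok, digests): ok only if every location holds an identical copy."""
    digests = {}
    for label, directory in locations.items():
        candidate = Path(directory) / name
        digests[label] = sha256_file(candidate) if candidate.is_file() else None
    values = set(digests.values())
    return (None not in values and len(values) == 1), digests


def demo():
    """Constructed sample: three temp folders stand in for the three locations."""
    root = Path(tempfile.mkdtemp())
    locations = {k: root / k for k in ("local", "offsite", "online")}
    for directory in locations.values():
        directory.mkdir()
        (directory / "2019-08.hc").write_bytes(b"constructed ciphertext")
    stale = locations["local"] / "2018-01.hc"
    stale.write_bytes(b"old constructed ciphertext")
    two_years_ago = time.time() - 2 * 365 * 86400
    os.utime(stale, (two_years_ago, two_years_ago))
    removed = prune_old_backups(locations["local"])
    ok, _ = check_redundancy("2019-08.hc", locations)
    return removed, ok


if __name__ == "__main__":
    print(demo())
```

Because the hashes are taken over the already-encrypted container, the comparison never needs the plaintext or the passphrase.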

Low-Tech Security: Evasion and Anonymity Tip

“Convince your enemy that he will gain very little by attacking you; this will diminish his enthusiasm.” — Sun Tzu

Threat modeling, as was previously covered in episode 9, is important to understand. In all likelihood, you are extremely unlikely to be the target of government spooks tracking and investigating you, but who knows, right? Maybe you are, in fact, being targeted? Who knows? Perhaps not by the government or law enforcement authorities but by a stalker or jaded ex-lover. In that case, you may want to develop your own personal threat model similar to the example below (No, not joking). If you’re trying to maintain a low profile, then publishing personal information on the Internet is not winning you any points, is it? Instead, adopting an adversarial mindset will help you protect your most valuable assets and information by thinking like an enemy.

Sample Batman Threat Model; credit: Sean Gallagher for Ars Technica

The Electronic Frontier Foundation’s (EFF) 5–question personal threat model:

1. What do I have inside my home that is worth protecting?

-jewelry, electronics, financial documents, passports, cash, sentimental items like photos, data, communications, and other things that could cause problems for you if misused (or were wrongfully acquired)

2. Who do you want to protect it from?

-Adversaries could include: burglars, roommates, or guests

3. How likely is it that you will need to protect it?

-Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?

4. How bad are the consequences if you fail?

-Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?

5. How much trouble are you willing to go through in order to try to prevent those?

-Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?

Privacy is hard work and the default state of privacy on the Internet is none! You have to work at it to achieve some semblance of privacy and keep at it. That being said, hard work pays off, and achieving online privacy is not a sure thing. All of the tips and hacks I’ve presented throughout the series can be defeated given an adversary that is well-resourced and skilled enough. With security and privacy comes inconvenience; this is the trade-off, one which hardcore privacy advocates don’t mind making. Sometimes all it takes is to make yourself a little bit of a harder target to get those who hack and monitor us for a living to move on to an easier target. Until next time, my friends, and remember:

***Trust No One. Verify Everything. Leave No Trace.***

Additional Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21

*Privacy-related articles also published by the author can be found here.

Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU

tech privacy, hacking, dfir, security research, & outdoors enthusiast, you savvy?
