Becoming Virtually Untraceable — 13.0_ⱡnviϨ!blε_B⨊ⲖC⭙ͶiNg.iso

*Note: This article was originally published by the author on September 2, 2019. This article is also available in Spanish here.

Ninja — the definitive embodiment of stealth & untraceability; credit

“A goal is not always meant to be reached, it often serves simply as something to aim at.” ~Bruce Lee

Life is not meant to be overly complicated.

As humans, we often tend to overcomplicate life by introducing complexity.

Try to keep it light and consciously decide to free yourself from mental chains popular culture enslaves people in.

Feel free to check out the entire series by checking the links at the bottom of the article. Each segment is unique but similarly themed with the intention of enabling and promoting Data Privacy irrespective of your personal reasons for desiring to be more private. In this lucky 13th installment (Whew! I never imagined this series would make it this far!), I encourage you to journey with me deeper into the abyss of Internet privacy and learn more practical ways that you can increase your level of anonymity online. Also, on a personal note, I’ll explain why and how I finally ditched Google, the biggest Tech giant threat to privacy currently in existence. If you’re a music lover as I am, then enjoy these catchy tunes from Sleigh Bells’ Infinity Guitars,” Portishead’sThe Rip,” and Massive Attack’s Black Milk.”

Obligatory Privacy Rant

Goodbye Google; credit: Lifehacker.com

Installment 13 of the Becoming Virtually Untraceable series is somewhat of a special edition as it marks my decision to finally take my own advice and quit the Cloud and Google in one fell swoop. This is something I am incredibly proud of myself for doing as it is something that I’ve struggled with for years. It always comes down to convenience or security. Which is more important to the individual in question? It was incredibly simple and easy to do.

Many people think it would be so difficult to cut ties with Google because they’ve always used Google and started using Cloud services for file storage or something along those lines. I feel as though the little amount of data that I do have is better protected by me on my own system, not in the Cloud possibly left unprotected and vulnerable to exploitation. The same goes for my Email, music listening habits, etc. For someone who has written extensively about data privacy and attempting to become virtually untraceable, I was living a lie. It was the old, “Do as I say, not as I do” cliche paradox that so many of us learned from our parents as children and detest. It is high time I started walking the walk instead of just talking the talk. So, I did it.

I unplugged from everything Google and Cloud-related and let me tell you, it feels great! I highly encourage it as daunting a task as it may seem. There really weren’t any downfalls to my doing so or adjustments I had to make. Remember, you’re paying to use their free services with your personal information and usage habits that they sell to marketers, or you’re paying them to use their premium member services and they’re still selling your usage data on top of that. Read the Terms of Service and Privacy statements. We covered this previously…

Apps/Services I was using that I am either no longer using or swapped out for other Apps resulting in some minor financial savings as well. I decided to free myself of all social media accounts except for my Twitter account so that I can still remain cognizant of the InfoSec community happenings, these types of accounts are just OSINT treasure troves of collection sources after all. I have better things to do with my time, there is little value that you get in return for these online activities.

  • Gmail……………………………………………ProtonMail
  • Google Calendar………………………………..Paper Calendar Planner
  • YouTube………………………………….……..Can still use it without a Google account
  • Google Search………………………………….Duck-Duck-Go
  • Google News……………………………………USA Today [actually, I usually read a variety of different news sources]
  • Chrome browser…………………………..……Brave/Firefox (been off Chrome for a while now)
  • Google Play Store (Android)……………….…Side-loaded Apps via PC/USB connection
  • Dropbox (not Google Drive)………………….Regular home CPU file backups using different media formats stored in different locations
  • Evernote………………………………………..Sticky Notes, MS Word, Notepad, Wordpad
  • Peerlyst…………………………………………Deactivated my account
  • LinkedIn…………………………….………….Deactivated my account
Side-loading apps onto an Android device; credit: Lifehacker.com

Now, since I still require a cell phone for family/work reachability purposes when I am out and about and my phone happens to be an Android (because I absolutely detest Apple and its elitist line of overpriced shitty products), one is forced to get a little creative when it comes to installing new Apps onto your mobile device. But it can still be done quite easily by using a technique known as side-loading. Rather than explaining how to do it, just check out the below article if you’re interested.

Also, if you’re seriously considering ditching Google, as I did, you may want to check out these other articles that provide some alternative options for your App needs.

For me, at least, there is comfort in knowing that my files are exactly where I want them to be on my computer at home or on an external HDD, or on another form of media that I am using as a backup medium. Sure, I am giving up the data redundancy that Cloud storage provides, but I can still ensure a level of redundancy myself by using different backup media types (CD/DVD are not vulnerable to EMP attack) or by storing non-volatile memory full-disk encrypted (External HDD) in a fireproof gun safe or in a safety deposit box.

I also don’t like being tracked incessantly by Google with location tracking that I had voluntarily enabled so that my wife would know where to find my phone, at least, if I went missing. If I was running somewhere in the woods and was attacked by a mountain lion, it could be a starting point to begin the search for my remains if it still had battery power and wasn’t destroyed by the elements or an animal, or if it was out of signal range. Are you beginning to understand just how many things have to line up for these things to even work properly now? I can now set the terms and conditions that I want to follow should I choose to use one of Google’s services again in the future. It’s about reclaiming your privacy and identity.

Privacy Accountability

Twitter Bio example; feel free to leave out any true details you like

Recently a follower made a comment on Twitter about the fact that Tweeting was the opposite of “Becoming Untraceable.” I had to laugh when I read it as it was clearly directed toward me, the author of said series. The follower was correct to say so and call me out on my use of Twitter although I’d argue it’s a little different when you’re a writer trying to self-publicize your work and bring attention to your cause and written works. Also, don’t for one second believe everything you read online. Ever heard of misinformation or disinformation? Personally, I think a bit of misinformation or disinformation is a healthy practice. For instance, on your Twitter profile, there are options to list a brief 140-character bio (see above picture), where you live, a website URL, and your birthdate. The info I’ve listed on my Twitter Bio is for the most part entirely true, but that’s only because I don’t feel as though it reveals anything about me that I don’t mind people knowing. Thanks to several data breaches that have affected me over the years, most of my Personally Identifiable Information (PII) is public now anyway.

How your Internet activity is interpreted; credit: Panoptykon Foundation

Open-Source Intelligence (OSINT) Reconnaissance will yield more valuable information, but you still need to question the accuracy of such information. The Latitude/Longitude coordinates listed on my Twitter Bio are those of Los Angeles, California, which you may not be aware is a massive metropolitan or rather a megalopolis. It doesn’t exactly tell you where I am located, but you get the point.

The important takeaway from this is that it’s smart to not overshare personal information because it can be used to locate and track you. You want to make tracking you more difficult, so you should be paying with cash and not using credit/debit cards that leave a trail. You should strive to blend in with the crowds, not stick out like a sore thumb. Why draw attention to yourself unnecessarily? Plastering a bunch of bumper stickers and a unique license plate frame that reads “My Other Computer Is Your Computer” is not only foolish, but it uniquely identifies your vehicle to anyone tracking you or recognizing him.

“Hey! There’s that guy who cut me off in traffic on the freeway yesterday… I’ll get him now!”

Somebody has been watching too many Matrix movies…

Don’t forget about Automatic License Plate Readers (ALPRs) either. I’m not suggesting you do anything illegal, like cover your license plate up with a sign as in the picture below. But if you do be sure to use proper SQL statement syntax: “DROP TABLE table_name;” No, seriously though, drawing undue attention to yourself is not smart. It makes you a target the same way a red sports car sticks out to a highway patrolman.

Chip (In)Security

At the risk of sounding like a conspiracy theorist, which I do not profess to be, it has become abundantly evident that you cannot trust the computer processor chips inside your computers. Period.

Operating Systems (OS) and firmware are riddled with vulnerabilities, so much so, in fact, that it certainly would not surprise anyone if State-level involvement was behind at least some of the recently discovered vulnerabilities, perhaps some type of Advanced Persistent Threat (APT) supply chain attack effort between government agencies and computer electronics manufacturers. It wouldn’t be the first time it’s happened. Whether or not these numerous processor chip design flaws were intentional or not, or whether they were intended to be exploited against foreign adversaries or not, they can be used against anyone in the world who owns a computer with a vulnerable chipset. That is bad news for computer security and data privacy because a compromised chipset at the physical layer is game over and could enable access to the entire OS and application set.

The Confidential Computing Consortium is comprised of companies such as “Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent” (Cimpanu, 2019). Their goal is to develop “technical solutions for isolating user data inside a computer’s memory while it’s being processed, to avoid exposing it to other applications, the operating system, or other cloud server tenants” (Cimpanu, 2019). Think of trusted computing model concepts, only now that are being further isolated and refined to processing in virtual environments that are segmented and protected from other processes and computing elements.

Aside from downloading and installing the firmware patches provided by the chip vendor to protect against threats such as the Intel Spectre and Meltdown flaws, there is little that the average user can do to protect against this threat.

‘“The[re] are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone — allowing hackers to read sensitive information, such as passwords, from memory” (Heath, 2018).

Classification tree of Spectre & Meltdown variants, with demonstrated attacks (red, bold), and negative results (white). credit: Graph Data: Canella et al. Edited image: James Sanders/TechRepublic

This is why knowing your threat model as I’ve mentioned before is essential. Chances are, government agencies are not targeting you. I know we all like to think it could be possible, but unless you’re on the FBI’s Top 10 wanted suspects list or you are an “enemy of the state,” the chances are slim, sorry. If you were being targeted and tracked there is also little you can do to prevent or interfere except try to become untraceable to the greatest extent you can. Better it is to operate as if your communications are being targeted by implementing encryption of data-at-rest (Full Disk Encryption or FDE) and of data-in-transit (End-to-End Encryption or E2E). Soon we will also see encryption of data-in-use, but it heavily taxes the computing processing speed and network so that means it will require newer IT infrastructure to fully implement without degrading network and processing speeds dramatically.

Featured Privacy Tactics, Techniques, & Procedures

The Electronic Frontier Foundation’s “Panopticlick” browser scanner checks for privacy

Check your Internet browser with EFF’s “Panopticlick 3.0” tool to see how well your browser protects you from Web tracking. It will provide you with results that look something like this:

Click the “Show full results for fingerprinting” option to reveal the statistical results of the Panopticlick 3.0 scan of your browser.

You can try different Web browsers such as Tor, Brave, Firefox, or even Google’s Chrome or Microsoft’s Edge and test your fingerprint results. Tweak your browser’s privacy settings for best results (e.g., blocking cookies, block cross-site trackers, use HTTPS-only; block scripts, device recognition, etc.).

Low-Tech Security: Evasion and Anonymity Tip

“Your mind is your best weapon.”

“Manifest plainness, embrace simplicity, reduce selfishness, have few desires.” ~Lao Tzu

Value your personal privacy and right to exist in a greed-filled world that is hell-bent on sucking any and all information that it can from you in any form so that it can be collected, processed, analyzed, and marketed to make profits off of or track you. Many people look at images or reenactments of ninjas and think they are just fiction or that they never really existed. What they may not realize is that the ninja or “shinobi no mono” as they were actually known in medieval Japanese history weren’t just real, but they were also highly respected even amongst Samurai warriors.

Ninjas were akin to elite special forces warriors of their time, not merely as they have been portrayed in Hollywood as assassins dressed all in black with katanas glistening in the moonlight and blow darts and shurikens flying all over the place. While historical inaccuracies of the ninja are shrouded in mystery, it is difficult to argue that ninjas were not on some level masters of stealth and invisibility. Their class placement in Japanese society devolved over history, but they fought alongside the Samurai for a long time as respected special forces elements of Japanese armies.

How is all of this relevant to digital privacy you may wonder? Great question, allow me to explain. Becoming untraceable is as much a state of mind as it is about technology and how we use it. For that reason, I believe it is worth studying the tactics, techniques, and procedures (TTP) of the ninja. The desire to become “untraceable” is like perfection, impossible to attain. However, we might be able to get close by using technology if we work hard at it and if we have the correct frame of mind.

As a martial artist myself from a young age, I started off learning Tae Kwon Do when I was just 9 or 10 years old. My stepdad thought it would build discipline and character in me and I still thank him for doing it to this day because I believe he was right. As a teenager, I later studied Kosho Ryu Kempo Karate under Hanshi Bruce Juchnik in Sacramento, California before enlisting as a young Marine where over time I eventually earned a black belt (1st degree) in the Marine Corps Martial Arts Program (MCMAP). While I don’t practice much anymore, martial arts is still engrained in every fiber of my being.

I find it interesting that there are still estimated to be around 400–500 ninja manuals in Japan. Some of which are allegedly being kept secret. What I remember from my limited exposure to Ninjutsu is that it was not a hand-to-hand combat martial art in the sense that it was structured to break or kill opponents as opposed to other martial art forms that were less lethal. I am no expert at it, but as I recall, Ninjutsu was all about lethal strikes, breaking bones, crippling joint blows, and generally disabling the opponent in the quickest manner possible using hand strikes and kicks to break elbows, knees, whatever it takes. For instance, in Tae Kwon Do you may block an opponent’s round kick by raising a knee and absorbing the blow while hopefully injuring your attacker. However, in Ninjutsu, the opponent’s decision to throw that same round kick might result in a direct strike to the knee joint with sufficient force to break and therefore cripple your opponent for the finishing technique.

Then there was the weapons training which I loved! Shuriken throwing, Bo (long staff), Jo (short staff), sword (Iaido), nunchaku (nunchucks). As students, we were also exposed to other disciplines such as shiatsu (acupressure) and writing Kanji characters as practice for sword movements. Above all else, what I took from my years of martial arts practice beyond the obvious ability to defend myself was that the martial arts teach self-discipline, an invaluable quality as well as many techniques that can be used to evade and increase stealth and it also gives clarity of mind to be able to think clearly without distraction.

Although privacy is not easily achieved, I believe it to be a worthy pursuit for those who value it. You can keep your fame and fortune, I’ll take privacy over it all. My hope is that you have learned something new or that something piqued your interest. If we all stopped caring about privacy then you can rest assured that the authorities would love that and would be very reluctant to relinquish their Orwellian control over their subjects. Until next time my friends and remember:

***Trust No One. Verify Everything. Leave No Trace.***

Additional Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21

*Privacy-related articles also published by the author can be found here.

Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net

tech privacy, hacking, dfir, security research, & outdoors enthusiast, you savvy?

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
꧁𓊈𒆜🆉3🆁🅾🆃🆁🆄🆂🆃𒆜𓊉꧂

꧁𓊈𒆜🆉3🆁🅾🆃🆁🆄🆂🆃𒆜𓊉꧂

tech privacy, hacking, dfir, security research, & outdoors enthusiast, you savvy?

More from Medium

On Cyberwarfare & the Effectiveness of Indicting Foreign Criminal Hackers

Becoming Virtually Untraceable (Eps7.0_S0c1al.D1st0rt!on.bat)

Hardware Hacking & the Importance of Proper Digital Media Sanitization