CIA is an overloaded acronym - there’s the traditional use as shorthand for a U.S. intelligence operation, it would be fair to describe me as a groomer for NAFO’s Canine Intelligence Agency, but there’s an infosec specific one, too.

You don’t want unauthorized people to access your data. Or, if you’re a special kind of asshole, like me, you’ll create a scenario where someone thinks they’ve gotten into something, but there’s a thin but usable trail of lies, unique bits of information found nowhere else, canary tokens, and the like.

You don’t want unauthorized people making changes to your data. This includes additions, deletions, and modifications. Those are three different facets of the problem.

You don’t want to lose access to your only copy of your data. You could lose access to a device due to loss, theft, or hardware failure. You could lose access to an account due to an intrusion. It’s common for large companies to face ransomware attacks. All of these things can be disasters, but air gapped backups are a cure for much of this.

Today we’re going to work out how to leave air gapped backups in obscure public locations without creating any hazard in the process.

Scenario:

I am ever mindful of an event in the fall of 2012, wherein a fellow traveler of mine, part of the Anonymous class of 2011 - 2012, was raided by the FBI while livestreaming. His cell phone and laptop were unprotected, so he lost confidentiality and availability immediately. One could also argue that there’s a loss of integrity - having evidence planted is a bit of a stretch, but not having access to exculpatory data is to be expected in such circumstances. Adding insult to injury, rather than turning over his email account to his family, his “girlfriend” at the time instead shopped it to various anti-Anonymous forces, again a major CIA failure.

Constant readers will already know that I have an OIG complaint against the Dallas FBI field office. Not a week goes by that I don’t spend at least some time thinking about how I would handle a raid like that. I’m very public about the fact that I keep detailed records as part of my normal practice, that these records are backed up in several ways, and that I don’t mind that I’m making that information discoverable by legal procedure because it’s publicly known. If the USDOJ is going to volunteer to give me discovery, I have SO MANY QUESTIONS for which I’d like answers.

So we’re going to put some of these devices in magnetic key holders, then place them in obscure locations on the BART network, and if one happens to be found, it’ll be no big deal …

Encryption:

We’re addressing Availability by putting devices at three different locations. That’s in addition to whatever else I may have done to preserve information. I don’t think there’s a problem with my existing arrangements in this area, I’m just looking at my USB-C laptops, all those USB-A storage devices, and trying to do something instructive with them. This weekend the headcount of followers for this Substack crossed the 300 mark and I presume at least a few of you need to add some of what I do to your existing tradecraft.

There are two things you can do encryption wise - either create a bag o’ bits that lives on an otherwise unencrypted file system, or create an impenetrable file system. Neither is better than the other, there are reasons to do both things. The five similar thumb drives with the heavy, hinged key ring loops are all formatted using Ventoy, a tool which makes the device bootable, and then it provides a menu of whatever bootable ISO files are on the device. These have the Tor only liveCD TAILS, the Ubuntu Budgie I use for my desktop, and the Proxmox cloud computing environment I use on servers. And there are non-ISO files, some are Debian packages, but a fewvend with the extension “age”.

The age (say ahh-zhay) encryption package is a very minimalist means of creating an encrypted bag o’ bits. You can make a tarball or zip of a directory tree and then encrypt it with a single command.

age -p -o LorenIpsum.age LorenIpsum.txt

That’s the easy way to do things. VeraCrypt is the diametrical opposite, as you can see from its documentation. It can create an encrypted file that contains a directory structure you can mount and access, or it can make an entire device encrypted. If you’re truly paranoid, there are Plausible Deniability features, wherein you can create a bag o’ bits that has important secrets as one facet, and 241 pictures and videos of an obstreperous tuxedo cat as the other. If you were under duress you could give up the passphrase that leads to the Cattogate files, while your secrets … remain secret.

I encourage those of you who want to start down this path to simply install VeraCrypt and use the graphical interface to explore the system.

Passphrase Considerations:

You will need to apply passphrases to both age and VeraCrypt storage. This is a problem for which a password keeper is wholly inappropriate. You need something that you can remember, but which is computationally forbidding to someone trying to brute force the passphrase.

The string “password” isn’t a very good password. There are dictionaries out there with tens of thousands of passwords that have leaked via intrusion. Storage and computation got cheap enough that people make “rainbow tables” - if someone wanted to be able to reverse a cryptographic hash of a forty character string, they could just create the hashes of all possible forty character strings, then search for the hash in question. This is when a combination of your brain and cryptographic hashes can do wonders. Consider this:

echo -n "password" | openssl dgst -sha256

(stdin)= 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

That eight letter dictionary word just became a 64 hexadecimal string. The computational complexity for brute forcing an eight character string from an English keyboard is 96^8 or 7,213,895,789,838,336 choices. Seven quadrillion seems like a pretty large number, but for a 64 byte SHA256 hash it’s

115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936

I asked ChatGPT about this and the increased size of the space to brute force is enormous.

If you append the SHA256 hash of “password” to password you get this:

“password5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”

What if someone knows you’re in the habit of using a short keyword and a SHA256 hash? Modify the output in a way that’s easy for you to remember, but forbidding for anything other than a quantum computer to crack. You can add a step to this process, say replacing all sixes with sevens in the hash, and you’ve broken the computational connection between the plaintext string and what would appear to be a cryptographic sum.

It isn’t difficult to come up with a combination like this:

• Passphrase you can easily remember.

• Cryptographic hash to apply to passphrase.

• Simple manual modification to resulting hash.

• Combine the passphrase and its modified hash for your volume encryption key.

That eight character password plus its 64 byte hash results in a 72 character string. You have no excuse to not have a ninety character string for a passphrase that is easy for you to reproduce and impossible for someone else to either guess or brute force.

Decoys:

How would you make a decoy file or device that *COULD* be a VeraCrypt container, but it’s actually just noise?

dd if=/dev/random of=decoy.veracrypt bs=1M count=100

Storage is cheap, brute force time is dear. As long as YOU can pick out the one real item from a forest of junk, a folder chock full of files generated in this fashion is a big fat NOPE when it comes to cracking resources.

Conclusion:

Am I really going to create plausible denial VeraCrypt devices full of a mix of cat photos and age encrypted containers, then go out into the BART system looking for places where a magnetic container could cling for decades without being discovered?

You betcha I am.

I agreed to help Chet Uber get Project VIGILANT going 184 months ago, with my very specific motivation being concern about right wing extremism.

My one phone conversation with Scientology’s Dullest Tool was 157 months ago.

The original OIG complaint against the Dallas FBI field office was 140 months ago.

Rauhauser v. McGibney, the frivolous lawsuit against me in Texas filed by James “Pissboy” McGibney is in its 124th month.

The attempt by Special Agent Jayson Chambers & Co. to fabricate a criminal case against me out of whole cloth in Michigan was 119th months ago.

November’s Civil War Referendum is in just 108 days.

But this hearing is just 36 hours away …

Once this last bit of legal process is done, Pissboy will owe me around $480,000, and more importantly there will be a debtor’s exam. I already know the Dallas FBI field office put him up to suing me. We’re going to see when he was on the FBI’s payroll, all the communications he’s had with them, everything will be laid bare. We already know there was a conspiracy against me, thanks to an extraordinary discovery response error by Dan Backer in another frivolous lawsuit clear back in 2012.

McGibney’s behavior has already been adjudicated to have been “malicious and intentional”. Once we demonstrate that the FBI was instrumental in this, the U.S. DOJ is going to owe me MILLIONS.

So yeah, I will spend $50 in equipment and a day roaming around BART in order to make myself an even less palatable target for some hinky FBI “investigation” than I was yesterday.

And if some of you can avoid the sort of trouble I’ve faced by becoming digital porcupines yourselves, that’s just an added bonus.