Refining my setup – Privacy

To continue the security / privacy theme, I discovered some really nice tools on a site called http://privacytools.io and incorporated them into my setup.

I’m now running Firefox full-time and am using LastPass as a password manager so that I can have a unique, strong password on all sites that are password protected.  In addition, I’m using:

  • HTTPS Everywhere (EFF) – Forces sites to use HTTPS everywhere it can so that more of your traffic is encrypted by default
  • Random Agent Spoofer – Allows you to randomize your user-agent and also block other things that the browser passes back
  • Self-destructing cookies – Deletes a site’s cookies when you close the tab or close the browser
  • uBlock Origin – A very impressive ad and tracker blocking tool

In addition, at the recommendation of PrivacyToolsIO, I purchased a VPN subscription from a non-US-based provider who doesn’t retain logs (AirVPN).  It certainly does slow down my network access, but the fact that the OpenVPN client encrypts data before it ever leaves my laptop is very nice.

Finally, for backups, I found an excellent provider called Tarsnap.  The backup client is open source and it encrypts your data with a key that you generate and control before it leaves your machine.  The encrypted, de-duplicated data is stored in the cloud at a very inexpensive price.  My estimate is that my encrypted backups will cost in the neighborhood of $10 per year.

Setting up Arch

Now that I have the OpenBSD install humming along securely on my primary hard drive, it’s time to set up Arch Linux and my Windows VM on the mSATA drive.  I want to make sure that I take the same care with the privacy and security of this setup as well, so I did more research.

It turns out that you can set up an encrypted boot volume and encrypted swap on Arch pretty easily.  The following links pointed the way for me:

After getting the base system up and running, I installed Gnome3 and GDM to make it as similar to my OpenBSD set up as I could.

I then installed Oracle’s VirtualBox software and was able to get Windows 8.1 up and running.  The only hiccup I ran into was that I had to disable 3D acceleration in VirtualBox or the Windows VM would hang on startup.  Sounds like there is a little glitch there that would be nice to get fixed.

At this point I have a system that can easily be dual-booted by choosing the right boot volume from the BIOS at startup time, and both are very similarly configured.

Secure by design…

So I figured that if I really wanted to leverage the capabilities of OpenBSD, I should do my utmost to ensure that what I created was a secure experience.  The first thing that jumped to mind was cryptographic security of the hard drive.  In the event that the possibly mythical (after all, am I really that interesting?) “Bad Guy”(TM) stole my laptop, how can I prevent them from finding the innumerable pictures of cats that clog my browser cache from http://reddit.com/r/aww and embarrassing me with their publication on a national news site?

I started doing some research (a fancy way of saying I fired up my browser and hit Google) and discovered that OpenBSD had me covered already here.  OpenBSD has full disk encryption and setting it up was really simple.  I visited one of my favorite sites (http://bsdnow.tv) and found a tutorial that shows how to set up full disk encryption for each of the BSDs:

http://www.bsdnow.tv/tutorials/fde

The nice thing about OpenBSD is that the swapfile has been encrypted by default for several versions now so there were no special hoops to jump through.

The next thing I wanted to think through was network security.  Fortunately the built-in firewall software (PF) that is provided with OpenBSD is very powerful.   Incredibly powerful.  I might lock my keys in the car and have to walk to work powerful. Again though, the good people of the Internet have provided some really nice tutorials that provide some good starting points here.

One of the things I wanted to do was to see if I could block inbound traffic from countries that should never be connecting to my laptop.  I’ve been running a Debian server for some time on my home network (an old PowerPC G4 Mac Mini that I had no other uses for) where I opened up port 22 on my firewall and redirected it to this machine (which only had a single user with a crazy password on it).  The fun thing (and yes, I recognize that this is an odd hobby) was to look at the country of origin for the approximately 5 login attempts per second that I was registering on this server.  No offense to my friends from these regions, but the bulk were Russian, Chinese, or Korean addresses.

I found an article on Undeadly.org that explained how you can leverage the data at http://ipdeny.com to do this pretty nicely:

http://undeadly.org/cgi?action=article&sid=20140527054301

It should be noted that this might not be the most precise source of data for doing this type of thing, but it gets pretty close.
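As an added example (not from the post or the Undeadly article), the shell helper below merges downloaded ipdeny zone files into a single PF table file and prints the pf.conf fragment that consumes it. The table name `geoblock`, the path `/etc/pf/geoblock.txt` and the one-IPv4-CIDR-per-line zone format are assumptions.

```sh
#!/bin/sh
# Added example: build a PF table file from ipdeny country zone files and
# show the matching pf.conf rules. The table name "geoblock" and the paths
# under /etc/pf are assumptions, not from the original post.
# Assumes each zone file lists one IPv4 CIDR per line (ipdeny's format).

# Merge zone files into one sorted, de-duplicated table file and echo the
# number of entries written. Anything that is not a plain IPv4 CIDR
# (comments, blank lines, CRLF, stray text) is dropped so that a corrupt
# or partial download cannot break the pf ruleset load.
build_geoblock_table() {
    out="$1"; shift
    cat "$@" \
      | tr -d '\r' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
      | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# pf.conf fragment that consumes the table (printed for reference).
# "persist" keeps the table alive even when no rule references it yet;
# "quick" stops rule evaluation for matched packets so nothing later in
# the ruleset can accidentally let them through; "log" feeds pflog so
# blocked hits can be reviewed with tcpdump on pflog0.
geoblock_pf_rules() {
    cat <<'EOF'
table <geoblock> persist file "/etc/pf/geoblock.txt"
block in log quick on egress from <geoblock> to any
EOF
}

# Live reload of just the table, without reloading the whole ruleset.
# Refuses to run on an empty file so a failed download never silently
# clears the block list. Not run here; needs root on a pf-enabled host.
reload_geoblock_table() {
    [ -s /etc/pf/geoblock.txt ] || return 1
    pfctl -t geoblock -T replace -f /etc/pf/geoblock.txt
}

# Usage: geoblock.sh /etc/pf/geoblock.txt ru.zone cn.zone kr.zone
if [ "$#" -ge 2 ]; then
    build_geoblock_table "$@"
fi
```

Run the builder from cron after fetching fresh zone files, then call the reload function only when the reported count is non-zero.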

Finally, once I am connected to the Internet, I want to make sure that my browser(s) of choice (I typically run both Firefox and Chrome so that I can test my web applications with both major rendering engines) are configured to maximize my privacy.  For that, I look to a collection of browser plugins:

  • HTTPS Everywhere (forces the browser to use HTTPS exclusively if the site offers it)
  • Ghostery (blocks trackers)
  • AdBlock Pro

The last one (blocking ads) is a bit personally controversial for me in that I want to support my favorite tech sites by generating impressions for their ads (which generates revenue for them).  However, given recent news that has come out of malware being spread by maliciously crafted ads that exploit flaws in things like Adobe Flash, I felt that I really needed to take this step as well.

The hardware

Since I had chosen the Thinkpad x220 as my platform for this experiment, I needed to think through exactly what my goals were.  Specifically, I wanted to have a platform where I could:

  • Dedicate the entire drive to OpenBSD
  • Still be able to access things in Windows if I had to in a pinch (I promise I wash my hands after using Windows every time)
  • Do software development in both C/C++ (on OpenBSD and ports)
  • Do software development in Java/JavaScript (for work or personal projects)

The system needed to be secure above all else and responsive too.

Given all of this, I decided that I would take advantage of the fact that the x220 supported an mSATA drive.  This means that I can have the primary hard drive dedicated to OpenBSD but use the mSATA drive to boot some other operating system.  I wasn’t really comfortable with the idea of installing Windows straight up on it so instead I opted for a compromise – I would use a Linux distribution as the host OS and run Windows in a virtual machine under it.

So now the question was – which Linux distribution do I use for my host OS?  I ended up choosing Arch over all of the other contenders.  I have a significant amount of personal experience with Debian, but I felt that Arch was closer to the spirit of how you work when you are in OpenBSD.  I knew I was taking on some periodic maintenance (you never want to fall too far behind on Arch because big changes can really sock it to you if you eat them all at once), but I figured a weekly reboot into Arch would be good to have as a regular maintenance regimen.

I spent some time researching whether or not I should use Grub, etc. to handle the booting between Arch and OpenBSD when I finally realized I was over-complicating my life.  Since the two operating systems would be on different physical drives and I would be dedicating the entire drive to each one, I could just use the BIOS boot menu on the x220 to choose which one I wanted to boot up, leaving OpenBSD as the primary that would be booted into by default.