Roll Your Own: Secure Online Communications

First Amendment protections should apply to online communications; in the absence of such protections, the technical considerations of ensuring end-to-end security of communications are of paramount interest to us all.
I watched a YouTube video recently about how a drug cartel built their own HAM/WISP network (the video calls it 'cell service', but it really isn't), and it got me thinking about securing online communications from prying eyes. This is particularly relevant given the issues plaguing Parler, and as of this writing Signal is down.

While I disagree with most Conservative-leaning folks about the details of Parler's complicity in (what I believe to be) a seditious, treasonous domestic terror plot, let alone the technical considerations of their deplatforming, I also believe that First Amendment protections should apply to online communications; in the absence of such protections, the technical considerations of ensuring end-to-end security of communications are of paramount interest to us all.

All of this effort is pretty great and all, but they would have gotten a lot farther, faster, just using public packet-switched networks with IPsec VPN tunnels, Tor, SILC, their own CA with a CRL to revoke the certificates of devices that are captured, and finally satellite phones for uplinks to remote stations where traditional telecommunications are not available. As long as the end-user devices on typical cell/3G/4G service are Android phones of a new enough version (Apple has already demonstrated that, even after refusing the FBI's demands for cooperation, their devices are easily compromised by third-party security experts) with a long enough PIN or lock-screen pattern, then by the time anyone got into one, whoever was orchestrating the whole thing could have revoked its certificate and remotely wiped it, as long as MDM was enabled. This would be a great test of Signal lol, but for some reason, if I were some kind of criminal mastermind, I don't think I would trust it!

If the Federales are going to raid you (which obviously they did), the right architecture could guarantee that whoever set it all up wouldn't even be able to retrieve messages once they have been sent, routed and arrived at their endpoint, nor could they be captured in transit, unlike with traditional RF muxes/repeaters/amplifiers. For all the money they were spending on physical infrastructure and kidnapping engineers, they could just have had satellite phones/uplinks, because with IP it's all just endpoints.

Just like when the feds raided one of those Silk Road bros: they compromised the encryption on his laptop and were able to get IP, login and account-creation details from his password manager, but were unable to retrieve the contents of his vault. Just imagine if dudebro hadn't been dumb enough to skip Tor (or at least 'I'm behind seven proxies bro' lol) and had used something like a Kali thumb drive without persistence. Then the feds couldn't even have gotten his LastPass credentials to write a subpoena for login information or ferret out other services he was using. He still would have gotten popped because they had him in possession of the drugs and packaging/manufacturing paraphernalia, but I'm sure it would have made prosecution a lot more difficult.

(Image: Kali Linux from Mr. Robot)

Let's talk specifics!

If you are curious about the whole SILC/CA thing (obviously with IPsec and SSL in addition to SILC's public-key encryption), just look at this handy-dandy suggestion of how to implement such a thing! And if you know how to use a compiler or install an RPM or DEB package, most of the work is already done for you!
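The "own CA with a CRL" piece is the part people usually hand-wave, so here is an added, self-contained illustration written for this page (it is not code from the post, from SILC, or from any MDM product). It stands up an in-memory device CA, enrolls two handsets with client-auth certificates, marks one as captured, publishes a signed CRL, and runs the check a VPN or chat gateway would perform before letting a device in. The names DevicePKI, IssueDeviceCert, PublishCRL and VerifyDevice, the "Example Device CA" subject and the handset-01/handset-02 identifiers are all assumed for the example; in a real deployment the CA key lives offline, device keys never leave the device, and the CRL is fetched by every gateway on a schedule (or replaced by OCSP).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DevicePKI is a constructed, in-memory stand-in for the post's "own CA with a CRL".
// A real deployment keeps caKey offline; it is in memory here only so the example runs stand-alone.
type DevicePKI struct {
	caKey   *ecdsa.PrivateKey
	CACert  *x509.Certificate
	revoked []pkix.RevokedCertificate // serials of captured devices
	crlNum  int64                     // monotonically increasing CRL number
}

// NewDevicePKI creates a self-signed CA allowed to sign both certificates and CRLs.
func NewDevicePKI() (*DevicePKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DevicePKI{caKey: key, CACert: cert}, nil
}

// IssueDeviceCert enrolls one handset: a client-auth certificate with a unique serial.
// The device key is generated here for simplicity; in practice it is generated on the device.
func (p *DevicePKI) IssueDeviceCert(deviceID string, serial int64) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.CACert, &devKey.PublicKey, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records a device as captured; it takes effect once a new CRL is published.
func (p *DevicePKI) Revoke(cert *x509.Certificate) {
	p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

// PublishCRL signs a fresh CRL listing every revoked serial. NextUpdate is short on purpose:
// gateways must refetch, or a captured device stays valid until the cached CRL expires.
func (p *DevicePKI) PublishCRL() (*x509.RevocationList, error) {
	p.crlNum++
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(p.crlNum),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: p.revoked,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// VerifyDevice is the gateway-side check: the CRL must be genuine and current, the certificate
// must chain to our CA for client auth, and its serial must not appear on the CRL.
func VerifyDevice(cert, ca *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (NextUpdate %s): refuse rather than fail open", crl.NextUpdate)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to our CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("device %q (serial %s) revoked at %s",
				cert.Subject.CommonName, cert.SerialNumber, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	pki, err := NewDevicePKI()
	if err != nil {
		panic(err)
	}
	a, _ := pki.IssueDeviceCert("handset-01", 1001) // constructed device IDs and serials
	b, _ := pki.IssueDeviceCert("handset-02", 1002)
	crl, _ := pki.PublishCRL()
	fmt.Println("handset-01 before revocation:", VerifyDevice(a, pki.CACert, crl))
	pki.Revoke(a) // handset-01 reported captured
	crl, _ = pki.PublishCRL()
	fmt.Println("handset-01 after revocation: ", VerifyDevice(a, pki.CACert, crl))
	fmt.Println("handset-02 still enrolled:   ", VerifyDevice(b, pki.CACert, crl))
}
```

Run it with `go run`: the first check returns `<nil>`, the second names the revoked serial, and the untouched handset still passes. The staleness check is the one most real deployments get wrong; a gateway that keeps honouring an expired CRL is exactly the gap a captured device walks through, so the example refuses rather than failing open.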

Throw in a commercially available VPN subscription, route through enough nodes, and you have a pretty secure system for exchanging messages among a substantial number of people. This isn't the same scale as Signal or any social-type system; I just wanted to put it out there that even if what you are doing is downright illegal, if you do it correctly, even law enforcement with all of their resources couldn't beat the technology, even if they probably could get folks to snitch.

I have never, ever done anything like this to conceal the contents of communications across the public internet for less than legal and legitimate purposes in my life. Swear on a stack of... uh... yeah.