joe di castro has moved to

joe di castro

Even though I haven't decided yet whether I'm going to erase this account, I have de facto migrated it to @joedicastro

You can follow me there if you want!

Now I'm on @joedicastro too. I hope I don't go mad with all this federated stuff :)

It makes more sense to me that the local timeline of that instance matches my interests.

With the VPN use came another surprise: with my home ISP (Movistar) I couldn't get more than 32 Mbps, and that was very good performance compared to other clients.

Now I get this consistently, all the time:

And that's exactly the speed I'm paying for.

If I previously took security/privacy seriously, now it's my first priority everywhere.

And I also learned a lot about networking, and against all odds I'm starting to like it more than ever... In all my work as a sysadmin I never really liked networking, it was a pure necessity (well, I liked that SDN course), but now I want to know more and more. I suppose that, out of all that exhausting and annoying experience, that is the only truly good thing I got for sure.

It took me almost six months to find out how (the who and the why is another complete and creepy story).

In the process I searched for everything (taps/keyloggers/backdoors) and tried everything... it's exhausting to know that you are being sniffed and not know how...

By the way, this guy was smart enough to use a very clever way to do it, but not smart enough to use a better connection/endpoint on his end. It was introducing severe lag in my connection; I had a fiber connection performing like a DSL one.

Wrong, the worst was to find that all the measures (except for the VPN) I had taken to find the leak and harden my network would never have helped me to find/avoid that guy's sniffing.

I was only able to find what was happening because I knew that it was happening (that's another creepy story) and because I had exhausted all the other possibilities.

Finally I was able to find that this guy was using the service maintenance port of my fiber optic GPON/OTN to spy on me. And I was able to stop it too.

The worst was to find that the guy wasn't using that firewall hole to watch me, so I suppose that more than one person was sharing my cats, series and porn :)

Now I only trust pf as firewall/router.

3 options:

- Best/hardest one: OpenBSD/pf. This is the one I trust as edge router.

- Nice/easiest one: OPNsense uses HardenedBSD/pf. Security is the way to go. It still runs PHP as root. But you can trust it; I use this as my secondary/VPN router.

- Used to be the nice one: pfSense. They don't care too much about the security of the router itself and are going to ditch pf/FreeBSD in v3.0 in favor of their own solution suited to performance/corporate networks.

One of the things I learned is to avoid Linux/iptables as a router/firewall if you can. I was bitten by iptables rules and had a hole in my router. And I can assure you that finding the hole by reading the rules was anything but obvious. All seemed fine and secure, the port was explicitly closed, right? No.

My fancy Mikrotik router ended up as an overkill wireless AP as a result.

I never liked networking, and as a sysadmin and not a network guy I always avoided learning too much about networks, but necessity is the mother of invention I suppose, and I had a hard time learning all I could to find out how that guy was sniffing all my traffic... but finally I did it.

In the process I learned a few things... (to be continued)

And I can assure you that you're going to find all kinds of "interesting" blocked outgoing connections if you use the "deny by default" principle on your firewall or if you analyse all of your outgoing traffic.

And if you do this on a wireless router, you're going to learn a ton of interesting things about Android OS and apps.

Either way, due to the nature of HTTPS, you can only be sure of certain connections if you combine sniffing packets with analyzing which apps use which sockets on your PC.

And the best way to ensure that your endpoint/router is not compromised is to tap the device yourself and analyse all the traffic. At least at first; then rely on an IDS (Suricata, Bro, ...).

Also, there is only one truly safe way to configure your firewall: "deny by default". This includes outgoing traffic: open only those ports that you need. This has proven to me to be very reliable and safe, and requires fewer rules than blocking specific ports.

"The book of PF" is a very good reference.

And of course, if someone is willing to tap your network, the only secure way to establish a VPN connection is on the endpoint/router that you can be sure is under your entire control and secure.

So forget about configuring your VPN connection on your ISP's router; you can't be sure that it isn't monitored in some way. If someone successfully puts a tap/sniffer/backdoor/keylogger on the endpoint where you establish the VPN connection, you are fucked!

More about HTTPS leaks,

And the hard part of a VPN is to stop all the leaks (avoid any WAN packets that are not the VPN ones themselves, and the initial DNS queries to find the VPN server) and set up a proper kill-switch that works almost always.

You can do this the hard way: OpenBSD, pf, IPsec and your own hosted VPN server (remember to use an IP for outgoing traffic different from the one used to connect to the server). You can use an SSH tunnel instead.

Easy way: OPNsense, OpenVPN and a reliable VPN service (e.g. Mullvad).
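As an added example of the "deny by default" ruleset described above and of the VPN kill-switch (stopping every WAN packet that is not the tunnel itself), here is an OpenBSD pf.conf for an edge router that pushes a LAN through an OpenVPN tunnel. It is not the author's ruleset. Interface names (em0 WAN, em1 LAN, tun0 tunnel), the VPN endpoint 198.51.100.10:1194 (a documentation address, replace with your own), the in-tunnel resolver 10.8.0.1 and a local unbound forwarder on the router are all assumptions for the example.

```pf
# Added example, not the author's configuration.
# Assumed: em0 = WAN, em1 = LAN, tun0 = OpenVPN tunnel interface,
# 198.51.100.10 = VPN server (documentation address, replace it),
# 10.8.0.1 = resolver reachable only inside the tunnel,
# unbound running on the router and forwarding to $vpn_dns.
ext_if     = "em0"
int_if     = "em1"
vpn_if     = "tun0"
vpn_server = "198.51.100.10"
vpn_port   = "1194"
vpn_dns    = "10.8.0.1"
lan_net    = $int_if:network

set skip on lo
set block-policy drop

# Floating states (the default) would let a packet that created a state
# coming in on $int_if pass straight out on $ext_if without ever hitting
# the "pass out" rules below, silently defeating the kill-switch.
# Bind states to the interface they were created on instead.
set state-policy if-bound

# NAT LAN traffic onto the tunnel address only; nothing is NATed onto the WAN.
match out on $vpn_if from $lan_net to any nat-to ($vpn_if)

# Deny by default in both directions and log every drop. Blocked outgoing
# connections can be watched with: tcpdump -n -e -ttt -i pflog0
block log all

antispoof quick for { $ext_if $int_if }

# Kill-switch: the only thing the router may send on the WAN is the tunnel
# itself (plus DHCP for its own WAN lease). Because $vpn_server is an IP,
# OpenVPN needs no DNS lookup to connect, so no resolver is reachable on the WAN.
pass out quick on $ext_if inet proto udp from ($ext_if) to $vpn_server port $vpn_port
pass out quick on $ext_if inet proto udp from ($ext_if) port 68 to any port 67

# LAN -> router: DNS to the local forwarder, SSH, DHCP. Clients cannot
# reach any other resolver because nothing else on port 53 is passed.
pass in on $int_if inet proto { tcp udp } from $lan_net to ($int_if) port 53
pass in on $int_if inet proto tcp  from $lan_net to ($int_if) port 22
pass in on $int_if inet proto udp  from $lan_net port 68 to any port 67

# LAN -> Internet: only the ports actually needed, and only via the tunnel.
# If tun0 is down the default route points at em0, where only the rule
# for $vpn_server matches, so the traffic is dropped and logged.
pass in  on $int_if inet proto tcp from $lan_net to any port { 80 443 }
pass out on $vpn_if inet proto tcp from any to any port { 80 443 } modulate state

# Router -> resolver inside the tunnel only (unbound forwards here).
pass out on $vpn_if inet proto { tcp udp } from ($vpn_if) to $vpn_dns port 53

# ICMP needed for path MTU discovery through the tunnel.
pass out on $vpn_if inet proto icmp icmp-type { echoreq unreach }
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. Two things are easy to get wrong: without `set state-policy if-bound` the egress rules on the WAN are never consulted for forwarded traffic, and any `pass out on $ext_if` broader than the single VPN rule reopens the leak the kill-switch is meant to close. On OPNsense the same policy is expressed in the GUI (NAT outbound on the OpenVPN interface, floating deny rules on WAN), but the ordering and the state-binding caveat are identical since it is still pf underneath.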

You think that if you use HTTPS everywhere and harden your DNS lookups then you have perfect privacy? Think twice... NO.

Plain DNS leaks all your domains.

DNSSEC doesn't hide your domain queries.

DNSCrypt does, but then you have HTTPS leaking all the domains that you are connecting to (in the ClientHello packet, before the encrypted channel is up).

I learned this the hard way.

You need a well-configured and reliable VPN (without DNS and WebRTC leaks) to have at least a reasonable level of privacy.

Looking at those A series ThinkPads with a new perspective... perhaps the most secure option nowadays? Who knows... all this speculation about CPU bugs is very disheartening. :(

Starting the new year watching some 34c3 talks; one of the most interesting is the one from the Cyber-ITL org:

How risky is the software you use?

Another interesting tool if you're planning to run a connection.