Hello Patriots and Partisans,
Let’s talk a little about the markers that can identify a computer to an attacker or investigator. We’ll consider the typical perspective of tying Internet activity to a user and computer, as well as that of an investigator who, having gotten his hands on a laptop, is trying to find out who it belongs to.
As I was working on this article, CCC published a talk from the #32c3 by Joanna Rutkowska. You can find it here. If you’re not a techie, you don’t need to watch it, but the primary takeaway is that your computer is vulnerable to many attacks which cannot be effectively mitigated. We’ll discuss those attacks and what you can do to reduce their effectiveness in a future article, but my desire is that you’ll understand that if the machine cannot be trusted, then you should work that much harder at your privacy.
“Personal computers are extensions of our brains… yet they are insecure and untrustworthy.” - Joanna Rutkowska
While this list is fairly thorough, it is not exhaustive. Items listed are in no particular order.
The Serial Number is of course usually on a sticker on the machine, but did you know that it is also stored in the machine’s firmware? For most manufacturers the serial number saved there is very difficult to change. To change the serial number on the motherboard you’ll need a maintenance disc from the manufacturer. You can often find these leaked online.
Here are a couple of examples of how someone with root/administrator access to your system can find your serial number without physical access.
In Windows, there are a few ways to do it. For example, you can open PowerShell and run the Get-WMIObject win32_bios command. On Linux, the dmidecode utility does effectively the same thing (it needs root to read the SMBIOS tables).
So what does that mean to you? Let’s say you use your laptop for partisan things. You’ve behaved well, running a secure OS, and protected your identity. Now, let’s say somehow you’ve lost your laptop; perhaps you loaned it to a friend who was using it to keep a log of the birds he was observing at a particular wildlife refuge. However it’s happened, your laptop is now in evidence and someone really wants to find the owner.
Let’s pretend that everything is perfect from an IT perspective. Their forensics guys can’t get any data off of your hard drive. Then, they extract the serial number and start down the supply chain.
First, they contact the manufacturer, let’s say, Dell. Here’s one way it could go:
Dell looks up the serial number and says, “It was sold directly to Joe Smith on March 14, 2014, was shipped on March 21 to 123 Main Street, Seattle, and delivery was confirmed on March 24. They had one service request for a bad LCD cable on June 26 of the same year. The technician’s note says they had an aggressive dog.” The investigators now go and find Joe to see if he can explain what happened to the laptop after that. Was it still Joe’s? Did he lend it out? Did he sell it? How did he sell it? Does he have the buyer’s information?
If Joe sold the laptop on Craigslist maybe it’s a dead end… unless Joe still has his emails with the buyer, along with the buyer’s email address and phone number. If Joe sold it via eBay, you’ve got all of that information, plus likely a PayPal account and so on. Our investigator now goes to the next person and repeats the process.
Here’s another way it could go:
Dell looks up the serial number and says, “It was sold to Walmart for retail sale and shipped to the distribution center in Grandview, Washington on March 21, 2014.” Our intrepid gumshoe then calls up Walmart and asks them what happened to it. “It was sent on to store number 1234 in Oak Harbor.” “Can you tell me who bought it?” asks the investigator. “Four of them were sold in the three months after we sent your unit to the store. Here are the transaction numbers and the credit cards used in each of them.”
Our investigator now has four names to chase down. Three of them probably still have their computers, leaving us with the original buyer.
If you purchased your computer used from a company, they may have filled in the “Asset Number” field in the BIOS. If they did, and an investigator follows the trail to them, then their accounting department may be able to say who they sold the computer to, or which recycler they sold the computer to.
All networking devices have one or more MAC addresses. Your Ethernet adapter, wireless network adapter and Bluetooth radio each have a MAC address. The MAC address is a unique (with a few minor exceptions) identifier that can be used to identify your computer. Without getting into too much detail, the MAC address is essential to any kind of networking, must be unique on the network you’re connected to, and pretty much anyone on that network can see it.
An investigator armed with your MAC address can go to the chipset manufacturer (for example, Intel), who can say which system builder they sold that adapter (or chip) to; that builder can then tie it to your serial number.
If they know what networks you were connected to, and their administrators log things, they could find out what you accessed based off of your MAC address.
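To tie together the serial-number and asset-tag discussion above and the MAC-address discussion, here is a small Bash audit (an added example, not code from the original post) that reads the same SMBIOS/DMI fields dmidecode reports from Linux’s /sys/class/dmi/id, lists each adapter’s MAC address from /sys/class/net, and flags whether each MAC is a vendor-assigned address or a locally administered one. The sysfs-root argument and the fixture tree it builds are constructed so it runs offline; on a real machine you would call audit /sys.

```bash
#!/usr/bin/env bash
# Added example: report the identifiers the article discusses. Reads the
# SMBIOS/DMI data dmidecode uses, as exposed by Linux under /sys/class/dmi/id,
# plus every interface's MAC under /sys/class/net. The sysfs root argument and
# the fixture tree at the bottom are constructed for an offline demonstration.
set -u

# Read one DMI field (product_serial, chassis_asset_tag, ...) from a sysfs
# root; print "unavailable" when the kernel does not expose it.
dmi_field() {
    local root=$1 name=$2 path value
    path="$root/class/dmi/id/$name"
    [ -r "$path" ] || { echo unavailable; return; }
    value=$(tr -d '\n' < "$path")
    [ -n "$value" ] && echo "$value" || echo unavailable
}

# First three octets: the OUI assigned to the vendor, which is what an
# investigator would take to the chipset manufacturer.
mac_oui() {
    printf '%s\n' "${1:0:8}" | tr 'a-f' 'A-F'
}

# Bit 0x02 of the first octet marks a locally administered (randomized or
# software-set) address; a burned-in vendor address has it clear.
mac_is_local() {
    local first=${1%%:*}
    if (( 0x$first & 0x02 )); then echo yes; else echo no; fi
}

# Walk a sysfs root and print what the machine would reveal about itself.
audit() {
    local root=$1 dev addr
    echo "serial:    $(dmi_field "$root" product_serial)"
    echo "asset tag: $(dmi_field "$root" chassis_asset_tag)"
    for dev in "$root"/class/net/*; do
        [ -r "$dev/address" ] || continue
        addr=$(tr -d '\n' < "$dev/address")
        [ "$addr" = "00:00:00:00:00:00" ] && continue   # loopback has no MAC
        echo "$(basename "$dev"): $addr oui=$(mac_oui "$addr") local=$(mac_is_local "$addr")"
    done
}

# Constructed fixture standing in for a real /sys.
FIXTURE=$(mktemp -d); trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/class/dmi/id" "$FIXTURE/class/net/eth0" "$FIXTURE/class/net/wlan0"
printf 'ABC1234\n' > "$FIXTURE/class/dmi/id/product_serial"        # no asset tag set
printf '00:1b:21:aa:bb:cc\n' > "$FIXTURE/class/net/eth0/address"   # vendor-assigned
printf '02:42:ac:11:00:02\n' > "$FIXTURE/class/net/wlan0/address"  # locally administered
audit "$FIXTURE"
```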
Similar to a MAC address, if your laptop has a cellular modem (even if it’s not enabled), it has an IMEI number, just like your cell phone. In addition to the investigative methods used for tracking down someone by their MAC address, if the device was ever registered with a cellular carrier an investigator might be able to trace you from there, too.
Anything that makes you unique can be used to track you. For example, Tor Browser warns you against maximizing your window:
That covers many of the moderate difficulty ways to track you. There are a number of much easier ways for Windows users in particular to be traced or victimized. There are also some harder methods that are a bit out of scope for our discussion.
Given all of the above, that an investigator with significant resources has numerous ways to trace the provenance of a device, how do we disassociate ourselves from our device, as far as we can? Part of the answer is thoughtfulness and tradecraft.
The target for this series is the laptop you’re using for “serious” work. This isn’t about watching YouTube; this is about securely and privately doing research, communicating with other patriots, and staying under the radar. With that in mind, here are some suggestions for separating yourself from your device:
- Pay for the device in cash.
- Buy from somewhere without cameras (fly-by-night guys found on Craigslist, contacted with a burner email and phone, are great).
- Buy outside of your normal area. Leave your normal phone at home.
- Don’t buy the extended warranty.
- Don’t connect it to your home network.
- Don’t sign in to any of your “real” accounts from it.
Do you have any other suggestions? Hit us up in the comments!
Coming up, we’re going to discuss some common and extreme methods for adding misdirection and obfuscation to our device to confuse any pursuers.
EDUCATE. EMPOWER. RESIST.