> > change target. Then a victim that describes a situation outside of this
> > schema most probably will be classified as a paranoid or a troll.
>
> Do you have reason to believe that this evil person has control over your
> hardware deliveries? Do you have some procurement process in place which
> guarantees that this person cannot intercept and compromise such a shipment?
> To what extent would you trust authorities to protect you?
>

Yes, could be; he has a "social engineering" approach to people. He places
people and himself on the same level as machines. Then he searches for
vulnerabilities in persons. He makes extensive use of corruption to take
advantage in his personal war. From this point of view a vpn provider could
also be very vulnerable because, as many people know, vpn providers are not
big rich companies. Also, they often operate in a grey area where users are
hackers, p2p downloaders and so on. Then if someone offers them something like
$5000 to log the traffic of someone, most probably they accept. From this
point of view "security" is a word with a really wide meaning.
And in addition to this he uses the typical techniques of social engineering
to manipulate people. I use the word "he" but it's clear that it is an
organization.
But now we are off topic.
About authorities, it would be my next step when I find proof of what I'm
saying.
Because, as you saw, the first thing they will think is "this guy is paranoid".
Or they'll tell me: "of course! you have to clean cookies and cache on your
edge!"


> Once this is done: what is your attack surface? What are the applications
> facing the big bad internet?

I don't have a server, I just use chrome+unveil, ping, sometimes speedtest-cli.
I think I can exclude all the usb devices as infection media. I don't know if
the dhclient could have some bug... what remains is the vpn decryption with
aes256 and a 4096 key and decrypt https. I also tried without success
wireguard as vpn software with chacha20 as algorithm, which some say is more
robust/fast than aes256gcm.
I think we can exclude decrypting openvpn/wireguard but I'm not skilled enough
to be sure.
What remains is also something installed in some chip with the firmware.
And yes, of course I run openvpn as root.


> Do you have to run public facing services? Is there a way to restrict
> the level of "public"? Do you have to run applications which connect to
> random servers on the internet? Have you thought about running these in a
> virtual machine with snapshotting enabled, which allows you to return to a
> known safe state?

Yes, I thought of trying to use a vm on linux, but you know the linux kernel is
a hole with some code around.
As far as I know the openbsd vmm doesn't support graphics, does it?

