{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicye7scjuknsl3zruwvp3dq6kbfdgfgnj2ghyev5znjltnt4yekie",
    "uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3miorivurru42"
  },
  "path": "/t/security-posture-that-can-reasonably-withstand-nation-states/36857#post_1",
  "publishedAt": "2026-04-04T16:33:00.000Z",
  "site": "https://discuss.privacyguides.net",
  "textContent": "Evaluating security posture for an EU based person (50 U.S.C. § 1881a protections do not apply to this person). This person might face targeting by nation states. Their most feared adversary in this situation is the NSA, specifically the NSA’s TAO division. Readers might rightfully state that TAO targeting is exceptionally unlikely. Regardless, this person has concluded that it is part of their threat model, so it has to be considered. No additional details can be provided to justify why this might be the case. What can be stated is that the justification is neither criminal nor terrorism related.\n\nThe person in question has access to valuable infrastructure, which makes them a high-value target to gain a foothold and potential persistence. This infrastructure access happens over traditional remote access protocols such as SSH and RDP. Implied but not stated yet: this person is extremely technically capable, so operational discipline is in their nature.\n\nAny access happens through a WireGuard VPN with extensive filtering, allowing access solely from ASNs this person uses. All connections through this VPN need to be separately authorized statefully with 2FA, through hardware tokens where possible. Every 30 minutes, a hard interrupt terminates all connections within the VPN, with the goal of preventing lateral movement and persistence through the endpoint.\n\nThis person currently uses traditional hardware, specifically a latest-generation MacBook. Supply-chain risks are combated by sourcing hardware anonymously and in person with cash payments from different suppliers.\n\nFor endpoint hardening specifically, the following measures were taken:\n\n  * LittleSnitch as firewall, default-deny policy\n  * Built-in firewall configured to deny everything and logging\n  * Apple services are blocked from communicating except OCSP\n  * MDM profile that disables almost all features (AirDrop, Sharing, etc.)\n  * Minimal application surface (Browser, Terminal, RDP client)\n  * Chromium-based browser with V8, WASM and JIT disabled\n  * JavaScript is allowed on a small set of trustable sites\n  * Santa is deployed for binary allowlisting\n\nAt the network level, the following measures were taken:\n\n  * Work-related devices (MacBook) are on their own VLAN\n  * No inter-VLAN routing and extensive packet logging for this VLAN\n  * Separate uplink for this VLAN with CGNAT to the internet\n  * Local DNS resolver (AdGuard Home) with DoT forwarder\n  * eBPF-based packet inspection to detect anomalies\n  * Port 80 TCP/UDP blocked to prevent downgrade attacks\n  * Port 443 UDP blocked to disable QUIC\n  * Internet is restricted to “trusted” target ASNs\n\nThis person has extensive personal infrastructure to leverage. Currently, they use various virtual machines hosted on this infrastructure for tasks that require running untrusted software. They connect to the virtual machines using RDP over the VPN setup (even internally, the VLAN does not give any trust level or authorization).\n\nCurrently, the assumed most likely available attack vector looks like this: TAO targets the ISP with a selector for the person in question. This gives them an IP address to target, albeit not a unique IP address because of CGNAT. With this information, they could compromise or compel a JS-whitelisted site to deliver a zero-day exploit. This would mean V8, WASM and JIT are still disabled with the intent of forcing them to burn an expensive zero-day. A sandbox escape and LPE are required to get anywhere, and a custom implant is likely needed to ride sessions after they have been authenticated. This is also the primary but not sole concern which this setup needs to defend against: session riding/hijacking to infrastructure.\n\nIt is known that browser exploits outside of JavaScript exist, but it is presumed that they are substantially more valuable and complex. Endpoints are not used for random browsing to unknown websites. That much said, the only truly feasible attack vector remaining is still the browser. Remote Browser Isolation by e.g. Cloudflare was explored, but since they are a US company, it is not feasible at this time. Removing the browser entirely from endpoints would make any work practically impossible. Any pointers here are greatly appreciated.\n\nWhat I’m also looking for is advice on where this setup might have cracks or what could be done to make it even more difficult for a nation state to compromise the person in question. A reality check would be appreciated on where this setup currently stands. It is presumed that it goes far beyond what most high-value targets run in practice. Unfortunately, moving to a nuclear bunker with an airgap and without any internet connection is not feasible.\n\nQubesOS is ruled out due to various reasons for which no further details can be provided.\n\nPersonal devices are intentionally not mentioned because they are assumed compromised.\n\nAnonymity and privacy are not a strong concern here.",
  "title": "Security posture that can reasonably withstand nation states"
}