Show Posts
1
Anonymity and Privacy / short anonymity/privacy guide
« on: January 27, 2016, 04:40:57 am »
First section: Operating system. Windows is proprietary, expensive, and vulnerable to most malware, and if you’re still using it as your primary OS, ESPECIALLY WINDOWS 10 USERS, you haven’t the slightest chance of obtaining any degree of privacy or anonymity, as Microsoft is logging and storing nearly every activity your computer carries out; needless to say, they will not hesitate to notify authorities at the first sign of shady goings-on. Mac is alright, its still proprietary and even more expensive than Microsoft, but they have a decent record of keeping user data safe (they in no uncertain terms told the NSA to fuck off when the shady governmental dragnet complained about their implementation of end to end encryption for iPhones) and file encryption is built into recent versions of Mac OSX. As a rule of thumb, I avoid proprietary programs and operating systems, as their security can not be independently verified by a neutral third party. Personally, I use Linux as my primary operating system. Which distro you should choose depends on what you want to do with your Linux system; everyday computing users would be fine with a base Ubuntu or Debian Gnome install. As an aspiring pentester and security analyst, I run Kali Linux (http://www.kali.org). It handles day-to-day affairs with relative ease, and excels for security purposes of all varieties – protecting your data, or stealing others’ (if you so choose). TAILS (http://tails.boum.org) is fantastic if you’re ultra paranoid (or need to do some extra shady shit) – it is a live operating system, which means every time you boot it up is like a fresh install, and leaves no trace on your actual hardware. No data is saved across boot instances unless you configure persistence (encrypted, of course), it’s loaded with tools to help you protect yourself and your sensitive data, and it routes ALL internet traffic through the Tor network.
Next: your browser. This comes down to personal preference, but I use Iceweasel (the Debian derivative of Firefox). Open source, fast, functional, and highly configurable, Firefox leads to the best user experience without sacrificing privacy and anonymity. One of Firefox’s advantages is its large wealth of add-ons, many of which are immensely helpful in preserving your anonymity and privacy. You can find some suggestions for Firefox add-ons below.
NoScript (https://noscript.net): I assume you’re already using this nearly ubiquitous security enhancing add-on, but I’ll put it on here anyway.
HTTPS Everywhere (https://www.eff.org/https-everywhere): Redirects insecure web traffic to a secure connection if possible.
Ghostery (www.ghostery.com): Allows you to view and block web trackers on pages you visit.
Random Agent Spoofer (https://github.com/dillbyrne/random-agent-spoofer): Leads websites you visit to believe you are using a user agent which you really aren’t; for example, I could be using Firefox on Ubuntu and the page I am visiting would think I’m using Chromium on Mac. This helps muddy the waters for traffic analysis.
Self Destructing Cookies (https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api): While it is possible to completely disable cookies in your browser, many websites can’t function without them. This add-on gets rid of cookies after a set interval, allowing you to freely browse the web but also maintain a reasonable level of security.
SSleuth (https://github.com/sibiantony/ssleuth/): Uses set criteria to rank the security of an SSL connection on a scale of 1 to 10. See how safe you are on your favorite sites.
FoxyProxy (getfoxyproxy.org): Proxies are a tried and true method for obfuscating online activities; you can find lists of open proxies with a simple Google search. The real advantage (and the main reason I use FoxyProxy) is being able to route traffic through Tor or i2p with a simple click, no special browser required.
UBlock Origin (https://github.com/gorhill/uBlock): doesn’t have anything to do with security, but ads are fucking annoying and UBlock doesn’t accept payment to whitelist ads like AdBlock. (fuck AdBlock forever for that)
Next: Email. First off, fuck Gmail, fuck Yahoo, fuck Outlook, fuck any commercial email service really. They’re more than likely logging your metadata (or worse) and selling it to the highest bidder. If you’re concerned in the slightest with privacy and anonymity, a more secure email service is necessary. The A/I collective (http://www.autistici.org/en/index.html) has been around since 2002. They’ve endured a few court battles with law enforcement officials, and they know their shit when it comes to security. They don’t log anything, so even if law enforcement were to win in court (they won’t) there would be nothing to see anyway. You have to request an account, and some effort is required, but if you’re reasonable you should have no problems. They typically respond within a week to your request, so be patient. Also, donate if you can, their network maintenance costs are staggering. Another service worth mentioning is ProtonMail (https://protonmail.com/), I use it as my secondary secure account. In addition, do not register these accounts under your real name. Find yourself a pseudonym or use a fake name. For the extra paranoid among us, there are also anonymous remailer services, which, when used in conjunction with secure email providers, lead to almost complete anonymity, at a price: you can’t receive replies to emails sent with them. I use MixMaster (http://mixmaster.sourceforge.net/) if I find I need to; more often than not the use of MixMaster is not required. Now, on to the topic of email encryption. PGP is the gold standard when it comes to keeping email conversations private. While it is possible to integrate PGP encryption with various desktop email clients, I prefer to use gpg4usb (http://www.gpg4usb.org/). It allows for easy key creation and import, and provides one of the most pleasant and simple ways to encrypt, decrypt, and sign messages or documents (PGP encryption is REALLY EASY to fuck up for those with less technological literacy; get confident using it before you go around sending extra sketchy shit, and even then, err on the side of caution.)
Tor and other anonymizing networks have been garnering lots of media attention as of late; they are demonized as safe havens for drugs, child porn, stolen credit cards, and assorted other nefarious activities. However, these isolated corners of the internet are not the main purpose behind Tor, i2p, freenet, etc. These services exist simply to keep you from being identified as you when you visit a webpage. If you’re using Linux, routing traffic through Tor is easy; install Tor on your system using your distro’s package manager, start the Tor service, then create a new proxy in FoxyProxy or a similar add-on, setting the SOCKS host to listen on 127.0.0.1, port 9050. When you route traffic through Tor in this manner, you can switch between anonymous and regular browsing with ease; you can even configure your proxy add-on to automatically route certain URLs through Tor by default, if you need to remain anonymous while using certain services. If you’re using Windows (sigh) then you can head on over to https://www.torproject.org/ and download the handy Tor browser, which starts the Tor service on your system automatically and is configured to push all traffic through the Tor network. If you need to share files anonymously, check out Onionshare (https://github.com/micahflee/onionshare); I won’t go into details, but do your homework (just google it) and you’ll find Onionshare to be quite awesome.
Lastly, choosing a VPN service that works with your needs. Personally, I use Cryptofree, but a paid service is best if possible; free services have been known to collect data on hackers, file-sharers, etc. and share it with our best pal the Department of Justice. I’ve heard nothing but good things about Private Internet Access, as well as Mullvad or NordVPN. Bottom line is, forking over a couple bucks a month to stay secure is nothing worth stressing about; think of it as an investment in your online safety.
For those who want to create encrypted volumes for secure storage of sensitive data, VeraCrypt (https://veracrypt.codeplex.com/) is my go-to. It’s free, open source, easy to use, and reasonably secure.
and thus concludes the guide. hope it was helpful.
Next: your browser. This comes down to personal preference, but I use Iceweasel (the Debian derivative of Firefox). Open source, fast, functional, and highly configurable, Firefox leads to the best user experience without sacrificing privacy and anonymity. One of Firefox’s advantages is its large wealth of add-ons, many of which are immensely helpful in preserving your anonymity and privacy. You can find some suggestions for Firefox add-ons below.
NoScript (https://noscript.net): I assume you’re already using this nearly ubiquitous security enhancing add-on, but I’ll put it on here anyway.
HTTPS Everywhere (https://www.eff.org/https-everywhere): Redirects insecure web traffic to a secure connection if possible.
Ghostery (www.ghostery.com): Allows you to view and block web trackers on pages you visit.
Random Agent Spoofer (https://github.com/dillbyrne/random-agent-spoofer): Leads websites you visit to believe you are using a user agent which you really aren’t; for example, I could be using Firefox on Ubuntu and the page I am visiting would think I’m using Chromium on Mac. This helps muddy the waters for traffic analysis.
Self Destructing Cookies (https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api): While it is possible to completely disable cookies in your browser, many websites can’t function without them. This add-on gets rid of cookies after a set interval, allowing you to freely browse the web but also maintain a reasonable level of security.
SSleuth (https://github.com/sibiantony/ssleuth/): Uses set criteria to rank the security of an SSL connection on a scale of 1 to 10. See how safe you are on your favorite sites.
FoxyProxy (getfoxyproxy.org): Proxies are a tried and true method for obfuscating online activities; you can find lists of open proxies with a simple Google search. The real advantage (and the main reason I use FoxyProxy) is being able to route traffic through Tor or i2p with a simple click, no special browser required.
UBlock Origin (https://github.com/gorhill/uBlock): doesn’t have anything to do with security, but ads are fucking annoying and UBlock doesn’t accept payment to whitelist ads like AdBlock. (fuck AdBlock forever for that)
Next: Email. First off, fuck Gmail, fuck Yahoo, fuck Outlook, fuck any commercial email service really. They’re more than likely logging your metadata (or worse) and selling it to the highest bidder. If you’re concerned in the slightest with privacy and anonymity, a more secure email service is necessary. The A/I collective (http://www.autistici.org/en/index.html) has been around since 2002. They’ve endured a few court battles with law enforcement officials, and they know their shit when it comes to security. They don’t log anything, so even if law enforcement were to win in court (they won’t) there would be nothing to see anyway. You have to request an account, and some effort is required, but if you’re reasonable you should have no problems. They typically respond within a week to your request, so be patient. Also, donate if you can, their network maintenance costs are staggering. Another service worth mentioning is ProtonMail (https://protonmail.com/), I use it as my secondary secure account. In addition, do not register these accounts under your real name. Find yourself a pseudonym or use a fake name. For the extra paranoid among us, there are also anonymous remailer services, which, when used in conjunction with secure email providers, lead to almost complete anonymity, at a price: you can’t receive replies to emails sent with them. I use MixMaster (http://mixmaster.sourceforge.net/) if I find I need to; more often than not the use of MixMaster is not required. Now, on to the topic of email encryption. PGP is the gold standard when it comes to keeping email conversations private. While it is possible to integrate PGP encryption with various desktop email clients, I prefer to use gpg4usb (http://www.gpg4usb.org/). It allows for easy key creation and import, and provides one of the most pleasant and simple ways to encrypt, decrypt, and sign messages or documents (PGP encryption is REALLY EASY to fuck up for those with less technological literacy; get confident using it before you go around sending extra sketchy shit, and even then, err on the side of caution.)
Tor and other anonymizing networks have been garnering lots of media attention as of late; they are demonized as safe havens for drugs, child porn, stolen credit cards, and assorted other nefarious activities. However, these isolated corners of the internet are not the main purpose behind Tor, i2p, freenet, etc. These services exist simply to keep you from being identified as you when you visit a webpage. If you’re using Linux, routing traffic through Tor is easy; install Tor on your system using your distro’s package manager, start the Tor service, then create a new proxy in FoxyProxy or a similar add-on, setting the SOCKS host to listen on 127.0.0.1, port 9050. When you route traffic through Tor in this manner, you can switch between anonymous and regular browsing with ease; you can even configure your proxy add-on to automatically route certain URLs through Tor by default, if you need to remain anonymous while using certain services. If you’re using Windows (sigh) then you can head on over to https://www.torproject.org/ and download the handy Tor browser, which starts the Tor service on your system automatically and is configured to push all traffic through the Tor network. If you need to share files anonymously, check out Onionshare (https://github.com/micahflee/onionshare); I won’t go into details, but do your homework (just google it) and you’ll find Onionshare to be quite awesome.
Lastly, choosing a VPN service that works with your needs. Personally, I use Cryptofree, but a paid service is best if possible; free services have been known to collect data on hackers, file-sharers, etc. and share it with our best pal the Department of Justice. I’ve heard nothing but good things about Private Internet Access, as well as Mullvad or NordVPN. Bottom line is, forking over a couple bucks a month to stay secure is nothing worth stressing about; think of it as an investment in your online safety.
For those who want to create encrypted volumes for secure storage of sensitive data, VeraCrypt (https://veracrypt.codeplex.com/) is my go-to. It’s free, open source, easy to use, and reasonably secure.
and thus concludes the guide. hope it was helpful.