This page briefly explains how to use various tools which enhance your privacy, anonymity and overall security. The guides are written in an easy to understand, step-by-step manner. The difficulty & time required for most of them don't provide any reason to not secure your communications and blurring your digital traces.
Note however, that security is a process, not a tool. You need at least basic understanding to assess the degree of security or anonymity a tool can give you. That said, treat it like a game. The worst thing which can happen if you use these tools for your everyday business is that you are just as unsecure, unencrypted or in the open as you would be anyway.
Usage for security sensitive activity (prohibited and persecuted by society and/or government) without deeper understanding is however strongly discouraged.
To get an idea of what web browsing actually is, read the chapter Understanding Browsing of the CryptoParty Handbook. In brief:
Then you can see what you just learned by facing a virtual mirror to yourself on
Firefox is an open source web browser that respects your privacy. If you're not using it already you should do from now on. It's available for Windows, Mac & Linux.
See third-party sites tracking you and be able to stop them
Your browser trusts many certification authorities and intermediate sub-authorities quietly, every time you enter an HTTPS web site. The Firefox AddOn Certificate Patrol reveals when certificates are updated, so you can ensure it was a legitimate change.
Another thing you might do often on the web is use Google to search things. There are plenty of alternatives to Google who all state that they keep minimal or no IP logs. Most popular ones are:
The following is for people running their own website.
Check open ports.
From the command line, you can see your open ports by typing:
su netstat -anltp | grep "LISTEN"
Must should be none, i.e no reply.
Remove services, which open ports.
su apt-get remove dovecot-core openbsd-inetd bind9 samba cups apache2 postgres* apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin apt-get autoremove
Check open ports again.
su netstat -anltp | grep "LISTEN"
With email, you always have to trust the operator. So, no matter what, try to use real end-to-end encryption like OpenPGP.
Check https://prism-break.org/en/subcategories/web-services-email-accounts/ or http://prxbx.com/email/ for recommendations
For more control over your email, you have to either run your own mail server or have a good personal trust relationship with the provider.
There are some ways to get a new email account with a bit more privacy:
As you may know, your email goes through the data traffic like a postcard in snailmail: Everyone can read it! So, like snailmail, it would make sense to put your emails in a closed envelope. One possible envelope is called GPG.
The Pretty Good Privacy software was originally written by Phil Zimmermann, and is now owned by Symantec. The means of encryption defined by that software are also called PGP - these standarts are now freely available as OpenPGP which derived from the original PGP.
The GPG software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (and Symantec's PGP).
For your first time, you should get a basic understanding at least of the concept of asymmetric encryption (often called public key encryption). Please watch one of those videos before you begin using it:
A Mailclient is an application for your mail on your computer. It makes mailing even more convenient!
We recommend Thunderbird, but there are plenty of good ones out there! (see https://prism-break.org/en/subcategories/windows-email-clients/ or for Linux] for a list).
Enigmail is a plugin for Thunderbird that brings thunderbird and GnuPG together.
Find the add-on manager in your Thunderbird (upper right side menu) and install enigmail there. On Linux, install it via your software manager. The package is usually called enigmail.
Now you want to give yourself some time to think about a nice passphrase and making sure you remember it.
Afterwards, it will ask you if you want to make a revocation certificate. Do so, and store it on a safe medium (that is either a print-out or a CD you burn it to and then put away in a safe place).
If you have already generated a keypair or want to follow instructions like the ones given by Alex Cabal, you should run the Setup Assistant anyway and then choose the already generated keypair at the appropriate step of the wizard. For a more detailed description of the mechanism of public-key encryption, please refer to The GNU Privacy Handbook.
If you now think “WTF publish my KEY!!11!!!” please watch the above videos again :P
Link it on your website/message it your friend and/or get it up a keyserver such as this one
To get a copy of a public key on Linux with GNUPG run the following command:
gpg --export --armor <your GPG ID>
this will generate output starting with '—–BEGIN PGP PUBLIC KEY BLOCK—–' and ending with '—–END PGP PUBLIC KEY BLOCK—–'. '–armor' makes the key read- and printable.
If your intended recipient doesn't already use PGP get him to work through this tutorial first. Then get his public key which you can find on a keyserver/website if he doesn't message you it directly. On Linux using GNUPG, your intended recipient should follow the process in step 6 and output it to a file, once you've received this file use the command:
gpg --import /path/to/file.key
The key will now be available to be accessed through GNUPG and thus through Enigmail or other programs that utilise GNUPG.
From the command line, you can see your local collection of keys by typing:
To find a particular key, type:
gpg -k <part of name/email/key ID>
To display or search keys in Thunderbird/Enigmail:
Only encrypt plain text and note that subject lines are not encrypted.
You can use the command line to encrypt a file or a message:
gpg -ase -r <recipient's key ID> -r <your key ID> <input file name>
This will produce a file (ending in .asc) that you can attach or paste into an email.
To send encrypted mail with Thunderbird/Enigmail:
Depending on how Thunderbird is set up, it may give you a list of keys to choose from at this point, or it may select keys automatically based on email addresses (This behavior is configurable: OpenPGP → Preferences → Key Selection.). If you see the list of keys, make sure the recipient's key and your key are checked, and click OK.
To decrypt a message from the command line, save the encrypted message to a file, and type:
gpg <encrypted file name>
To decrypt mail with Thunderbird/Enigmail:
To verify a signature:
If the message was signed, there should be a “Good signature” message (visible in the output of the command-line client, or a green bar above the sender information in Thunderbird). If there is a “signature verification failed” message instead, it could mean that the message was tampered with, or it could just mean that you don't have the sender's public key.
GPG also works with Outlook if that's what you're using.
To decrypt a message you received double click the email and then coose “decrypt” in the right upper corner and enter your password.
Maybe it wasn't that easy for you to do it, or maybe you want to know more. In either case, please have a look at the following links to some guides and more information:
You can make your communication extra safe by using Tor Birdy, a Thunderbird add-on for the Tor Browser
Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
A variety of chat clients are available which use OTR:
Note that if you don't use the Tor Browser Bundle (but just tor) replace 9150 with 9050
For the XChat IRC Client (or Hexchat):
Hostname: 127.0.0.1 Port: 9150 Type: Socks5 Use Proxy for: both
For the irssi IRC Client go here: https://www.cryptoparty.in/documentation/irssi_plus_tor
For the mIRC Client:
There are also tor-internal IRC servers to which you can only connect once you set up the above. You can find most of them here
A darknet is a Internet or private network, where information and content are shared by darknet participants anonymously. More accurately all of them share being anonymous overlay networks.
Tor can also provide anonymity to websites and other servers. Servers configured to receive inbound connections only through Tor are called hidden services. Rather than revealing a server's IP address (and thus its network location), a hidden service is accessed through its onion address. The Tor network understands these addresses and can route data to and from hidden services, while preserving the anonymity of both parties.
I2P is a secure, anonymous network resistant to censorship and monitoring and both distributed and dynamic, with no trusted parties. It offers a range of services by default (including an active IRC Chat) and with full support for streaming, anonymous file sharing (BitTorrent), webserving, mail and more. See the comparison between Tor and I2P
Open a terminal (Ctrl+Alt+T) and issue the following commands:
sudo apt-add-repository ppa:i2p-maintainers/i2p sudo apt-get update sudo apt-get install i2p
And then ''i2prouter start'' to launch I2P.
HTTP-Proxy: 127.0.0.1 Port: 4444
Freenet is a peer-to-peer platform for censorship-resistant communication. It is more or less a decentralized distributed data storage. Freenet works by storing small encrypted snippets of content distributed on the computers of its users and connecting only through intermediate computers which pass on requests for content and sending them back without knowing the contents of the full file, similar to how routers on the Internet route packets without knowing anything about files—except with caching, a layer of strong encryption, and without reliance on centralized structures. This allows users to publish anonymously or retrieve various kinds of information. So called “freesites” allow you to browse such content. Other types of usage include chat, email & microblogging.
RetroShare is free software for encrypted, serverless email, Instant messaging, BBS and filesharing based on a friend-to-friend network built on GPG. Unlike most P2P networks where your computer will connect to the network and share information with a huge number of unknown peers, RetroShare will only connect to other peers that you have explicitly allowed into your network, and all communications are private.
Communication services in RetroShare:
All you need to do is install the software and generate a PGP/GPG key, which will be used to encrypt and decrypt your network traffic. The hard part is getting at least 5 of your friends to also install the software and to share their public keys with you. Once that is done, you have your very own DarkNet.
Please add info for “The degree of anonymity can still be improved by deactivating the DHT and IP/certificate exchange services”
Advanced. A meshnet is a decentralized peer-to-peer network, with user-controlled physical links (usually wireless). The most popular meshnet refers to the transitional CJDNS Internet overlay network currently known as Hyperboria.
For anonymous downloading the absolute minimum is making use of a VPN. Other options are described further below.
Tribler is an open source peer-to-peer decentralized torrent client with various features for watching, streaming & sharing videos online.
Soon(!) Tribler will also feature anonymous downloading by including support for a subset of the Tor onion routing protocol (independent from the existing Tor network).
Frost is a Freenet client that provides newsgroup-like messaging, private encrypted messages, file upload/download functionality and a file sharing system.
RetroShare allows you to share files securely with your friends. It also allows downloads from friends of friends using anonymous tunnels, if the uploader allows it. More information on this can be found here:
Videos from Youtube have unique metadata embedded into them via our friends at Google (on a per download basis). If that same file is seen elsewhere Google can check their logs to see when that file was downloaded and everything your computer sent, such as your IP address, user-agent and other fingerprinting info.
--user-agent UA specify a custom user agent --user-agent "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
You can also put these settings into a file “~/.config/youtube-dl.conf” to use as default. Just remember to update it when the Tor Bowser Bundle updates their user agent.
If you plan to reupload or share the video and wish for google to not know which of the downloaders is uploading the file do the following from a Linux terminal:
$ ffmpeg -i originalvideo.mp4 -acodec copy -vcodec copy newvideo.mp4
That will strip the video to only the video and audio (removing the metadata). You can verify this by downloading the same video twice and checking the sha256sum's against each other. After you strip the video and audio you can see the two different sha256sum's have become the same.
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. An oft-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 22.214.171.124 (IPv4) and 2001:500:88:200::10 (IPv6)….which you probably can't remember as good as a name such as “example.com”. Here is a video explaining DNS
OpenNIC is an alternative DNS root which lists itself as an alternative to ICANN and its registries. By using it your connection to the Internet can't get censored by your DNS server. It also allows you to use DNS servers which don't run logs improving your anonymity.
Bitcoin is a decentralised, anonymous digital currency.
If you want to delete files on your PC the normal way, they can be easily restored with tools freely available on the Internet (such as Recuva). Because of this you might want to make sure to truly delete files in certain circumstances (ie if you want to sell your PC).
Right now, there is no secure way to delete files from flash memory. This includes usb sticks, memory cards and solid state hard disks (SSDs). The only responsible way to prevent theft of data on these media is full disk encryption.
If you want to erase a hard disk (now, because everything is overwritten, this works with flash memory, too), you can simply do so by finding out the file representation of the disk, e.g. /dev/sdx and then executing
dd if=/dev/urandom of=/dev/sdx
as root/superuser. This command is irrevocable, so please double-check before executing it! \\To find a list of current 'block devices' you can use the 'lsblk' program, this will provide a list of the current available block devices by their name. Please note that if you want to properly purge the data you want to overwrite the root device, ie /dev/sda rather than /dev/sda1. as /dev/sda1 is a partition within the block device.
BleachBit provides a means of clearing common caches and other meta information left behind by applications and also includes a 'Free disk space' option, which will attempt to obscure the contents of free disk space by overwriting available disk space with random data (it creates a file, and lets it grow till it consumes all free space) and a 'Memory' option which will do the same for RAM and Swap.
THC Secure Delete provides a set of tools for surely erasing files, swap and memory.
srm does secure deletion of files.
sfill does a secure overwriting of the unused diskspace on the harddisk.
sswap does a secure overwriting and cleaning of the swap filesystem. (note that sswap was only tested on linux so far. you must unmount your swap first!)
smem does a secure overwriting of unused memory (RAM) To install the tools on ubuntu issue the command:
sudo apt-get install secure-delete
Beginning with Mac OS 10.3, Apple enhanced its security by introducing the Secure Empty Trash feature, which follows the U.S. DoD pattern of overwriting data seven times.
Permanent Eraser provides an even stronger level of security by implementing the Gutmann Method. This utility overwrites your data thirty-five times, scrambles the original file name, and truncates the file size to nothing before Permanent Eraser finally unlinks it from the system. Once your data has been erased, it can no longer be read through traditional means.
EXIF (Exchangeable Image File) data is a record of what camera settings were used to take a photograph. This data is recorded into the actual image file. Therefore each photograph has its own unique data. EXIF data stores information like camera model, exposure, and sometimes even GPS-data. While there are many image-hosting services such as imgur.com that strip away the exif data most sites keep it, leaking private information ie for grab to the NSA's XKeyscore program which is planned to mine for the exif data of all pictures getting uploaded.
ObscuraCam is a secure camera app for android phones that can obscure (ie for face blurring), encrypt or destroy pixels within an image.
The Amnesic Incognito Live System or Tails is a Debian-based Linux distribution aimed at preserving privacy and anonymity. All its outgoing connections are forced to go through Tor, and direct (non-anonymous) connections are blocked. The OS is designed to be booted as a live CD or USB, and leaves no trace on the machine unless explicitly told to do so.
Alternatives to Tails such as Liberté Linux can be found here. The following tutorials also pretty much apply to them as well.
A virtual machine is a software based, fictive computer. Virtual machines may be based on specifications of a hypothetical computer or emulate the computer architecture and functions of a real world computer.
A live disc is a complete bootable computer operating system which runs in the computer's memory, rather than loading from the hard disk drive. It allows users to experience and evaluate an operating system without installing it or making any changes to the existing operating system on the computer. Live USBs are closely related to live discs, but sometimes have the ability to persistently save settings and permanently install software packages back onto the USB device.
Please add tutorial/s for a new OS or 2nd OS
If you (keep) using Windows xp-AntiSpy lets you disable some built-in update and authentication ‘features’ in Windows 2000/XP/Vista/7 that are calling home.
A Virtual Private Network (VPN), is a private network of computers within a public network (the internet). When you connect to a VPN, the computer acts as if it’s on the same local network as the VPN. All your network traffic is sent over a secure connection to the VPN. Unlike a Proxy, a VPN service provider encrypts all of your traffic, replacing your ISP and routing ALL traffic through the VPN server, including all programs and applications while being faster as each client gets dedicated resources (a single proxy often has thousands of users).
Make sure that..
Please add how to set up a VPN + recommendations + improve description above
For many of the below Apps you need to have root-access to your phone. Gaining such isn't hard to do: just google your device name and firmware (both to be found in the settings under “info to device”) + “root tutorial” as it's different for each device and firmware-version. ). Root is required for many apps to work. Such as firewalls that allow you to restrict which of your apps are allowed to establish a connection to the internet.
iOS is a proprietary operating system whose source code is not available for auditing by third parties. You should entrust neither your communications nor your data to a closed source device (better use android or any of these alternatives).
TrueCrypt is an on-the-fly disk encryption system. The software is freely available, runs on multiple operating systems, and is very easy to learn how to use. TrueCrypt also plays nicely with dual-boot systems (such as Windows and Linux). TrueCrypt options include either full disk encryption or the creation of cryptographic container files, which mount as additional drive volumes.
TrueCrypt can also be used to encrypt USB flash memory sticks or digital camera or mobile phone memory cards. The caveat is that it is almost impossible to guarantee to securely wipe or overwrite the data from these devices due to their wear leveling algorithms. Therefore you should use a fresh USB device to re-encrypt the data with a new secret key. TrueCrypt also includes a few options which theoretically provide plausible deniability to the user.
Since version 10.6 of Mac OS X, Apple has offered users the ability to encrypt the home directory of their system. And from 10.7 onwards, Full Disk Encryption has been an option (technically referred to as FileVault 2). Enabling FileVault requires the user to have admin privileges on the computer, and will prompt the user to restart. At the next boot, as soon as the user logs in, FileVault will start doing online encryption of the main system drive. Other drives connected to the computer can also be encrypted by selecting them in Finder and choosing “Encrypt” from the File menu.
When enabling FileVault, in addition to admin users being able to unlock the drive at login, a Recovery Key is also generated, with the option of escrowing this key with Apple. If you choose to do that, you'll have to provide various additional security questions/answers along with your Apple ID. Given the ease of use of FileVault, it should be almost the first thing you should enable on setting up a new Mac. Unfortunately, it doesn't currently work on RAID drives.
FileVault 2 requires OS X Lion or Mountain Lion and Recovery HD installed on your startup drive, which the OS X Lion installer will attempt to create at installation.
LUKS is the Linux system for encrypted disks. It can be selected as an install option on most distributions. (Available in Ubuntu as of version 12.10).
LUKS can be set up using the program 'cryptsetup', to create, open and close a LUKS partition. In the following examples I will be using the device '/dev/sdxN' as a generic name, where x in the drive letter and N is the partition number. You will want to use your own device name (IE, /dev/sda1). To format a partition to a LUKS partition, type the command:
cryptsetup luksFormat /dev/sdxN
Next, it will ask you to confirm, as this will *wipe any data on the partition*, then, you will be prompted to enter and confirm the password to access the drive.
Once you have a LUKS partition, to make the drive accessible for formating or mounting, use the command, type the command:
cryptsetup luksOpen /dev/sdxN volume-name
You will be asked for the password to decrypt the device, then it will be available like a normal drive or parition located at '/dev/mapper/volume-name'. From here, you can interact with it as you would any other drive or partition. If you are finished using the device, you can remove it by typing the command:
cryptsetup luksClose volume-name
The advantage of this method is that dm-crypt, the system that cryptsetup interacts with, it part of the Linux kernel and no further software is required however you will likely not be able to access LUKS formatted partitions or drives from a Microsoft or Apple device.
If you're unsure about choosing a cipher or concerned about performance the latest version of cryptsetup has a benchmark command that will CPUs data throughput for the available ciphers, for maximum security of cipher it is recommended that you choose the XTS mode with a 512 bit key (with XTS the 512 bit key is equivalent in terms of keyspace to a 256 bit CBC mode), to see how the ciphers perform on your CPU type the following into the terminal
Note: The above section is written assuming that the user is running the latest version of cryptsetup, for older versions the command structure differs slightly.
Ubuntu allows you to encrypt your whole drive as an option when you freshly set it up.
In order to check that you're actually using the right program and not a fake or modified/backdoor'ed one it's recommended to do integrity checks (for things such as the Tor Browser Bundle at least). A 'hash' is a unique number generated using a published algorithm on a particular file. For example, if I have file1.txt, which has no text in it, and I run it through a hashing algorithm, I will get mathematical_value_1. If I then add text to the file, it has now changed and if I hash it again I will get a different result, mathematical_value_2.
gpg --recv-keys EC70B1B8 (You can find the last few numbers on the website)
gpg --import tails-signing.key (the last bit is the filename of the .key file of course)
gpg2 --verify gpg4win-2.1.1.exe.sig gpg4win-2.1.1.exe (first the .sig/.asc key then the corresponding file)
Please add variations for Linux&Mac and add tutorials for http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html
Also available as an eepsite on I2P:
And as a hidden service on Tor:
These 2 sites need to be updated to the present state of this tutorial-series.
If these tutorials helped you please pass it on - share this page (or its contents)!