learn:how-tos [2019/05/24 16:00] – 127.0.0.1 | learn:how-tos [2019/11/27 22:45] – [Alternatives to common online services and programs] add switching.software tunda

**Brief How-tos** {{ :

This page briefly explains how to use various tools which enhance your privacy, anonymity and overall security. The guides are written in an easy-to-understand, step-by-step manner. The difficulty and time required for most of them give you no reason to //not// secure your communications and blur your digital traces.

FIXME This page has grown and is hard to navigate. Recommended re-arrangement:
  * Move each guide into a separate article, not a headline
  * People attending crypto parties carry different devices with different operating systems. Therefore, do not arrange material under Windows, OSX, iOS, Android etc., but instead under topics, and then explain how to do it for each system. A general, cross-platform introduction to each technology (e.g. what E2EE messaging or FDE is) is usually required, and having a copy of "what is FDE" for each OS creates pointless redundancy.
  * Make this a landing page with a short explanation of each technology and add links to the actual article(s).


====== Security warning ======

Note, however, that security is a process, not a tool. You need at least a basic understanding to assess the degree of security or [[:

The use of security sensitive activity (which is both prohibited and can be persecuted by society and/or government) without deep understanding is **strongly** discouraged.


====== Guides to Crypto Tools ======
  * [[:
  * [[https://
  * [[http://
  * [[https://
  * [[https://

====== Alternatives to common online services and programs ======

  * [[https://
  * [[https://
  * [[https://
  * [[https://

====== Why is mass surveillance a problem? ======

  * [[:

====== Quotes ======

"//

"//All the headlines saying [[https://

----

====== Web Browsing ======

To get an idea of what web browsing actually is, read the chapter **[[http://

  * When you visit a website you give away information about yourself to the site owner, unless precautions are taken.
  * Your browsing on the Internet may be tracked by the sites you visit and by partners of those sites.
  * Visiting a website on the Internet is never a direct connection. Many computers, owned by many different people, are involved. Secure connections ensure that your browsing cannot be read between you and the server.
  * What you search for is of great interest to search providers (mostly for targeted advertising).

Then you can see what you just learned by facing a virtual mirror of yourself on

  * [[http://
  * [[http://
  * [[http://
  * [[https://

===== Browser =====

[[https://

===== Tor Browser =====

Quite possibly the best option you can and will ever have if you want your privacy, freedom and anonymity in your own hands, and not in the hands of trackers, companies (like your ISP), governmental systems and programs, and other potential snoopers, where they don't belong.
  * [[https://
  * Install & [[https://
  * Use it! (instead of your normal browser)
  * Before browsing [[:

  * You should also set the security level to High and lower it only if it has a major effect on your browsing experience. The Security setting can be found under the Tor logo in the navigation bar.

  * [[https://
  * [[https://

===== Browser Plugins =====

==== HTTPS Everywhere ====

  * [[https://

==== Block Advertising and Tracking ====
  * [[https://
  * For Firefox there is also [[https://
  * [[https://
  * [[https://
  * [[https://

==== Scripting ====

Advanced. Only enable JavaScript, and especially plugins like Java and Flash, for sites you //

  * [[https://

==== Identifiable Browser configurations ====

  * The only serious attempt to thwart browser fingerprinting is the [[https://

==== Request Policy ====

Advanced.

  * [[https://

==== Certificate Patrol ====

Your browser quietly trusts many certification authorities and intermediate sub-authorities every time you enter an HTTPS web site. The Firefox add-on [[https://

//FIXME Please review add-ons such as [[https://

===== Web search =====

Another thing you might do often on the web is use Google to search for things. There are plenty of alternatives to Google which all state that they keep minimal or no IP logs, but blind trust isn't as good as using Tor Browser to actively hide your IP. The most popular ones are:

  * [[https://
    * proprietary,
  * [[https://
    * partly proprietary,
  * [[https://
    * open source, self-hostable meta-search engine, [[https://
  * [[https://
    * Anonymized results using Google, Bing, Yahoo!, or DuckDuckGo.
  * [[https://
    * from SuMa e.V., a German non-profit organisation that supports free access to knowledge; provides web search as a Tor hidden service

  * Though if you'

  * In **Chrome**
  * In **Firefox**

===== General Tips =====

  * Regularly run [[https://
  * Check the privacy settings of websites. For example, if you have a Google account you can deactivate the logging of your searches and the personalized advertisements. Log in to your account (Android phones come with Google accounts) and change [[http://
  * Opt out from various tracking advertising firms using [[http://
  * Check the privacy settings of the applications that you use
  * If you use Windows, do a File System Check once in a while by entering "sfc /
  * Disable all plugins in your browser or set them to "Ask to Activate"
  * Don't reuse a password across multiple sites, and don't use the same one you use to encrypt e.g. your hard drive. Also don't google it or anything alike. [[:
  * Use antivirus software and a firewall. Do regular scans & updates
  * Regularly update all of the software you find on this page



====== Insecure software ======
Update your software frequently and uninstall (or at least deactivate) insecure software or software for which vulnerabilities have recently been disclosed and not yet patched.

Uninstall Adobe Flash.

====== Own Website ======

The following is for people running their own website.

  * If your website has Facebook-like buttons, see [[http://
  * Make your website available via HTTPS, or even better, redirect unencrypted connection attempts to the encrypted version. First follow these instructions for [[https://

===== Closing Unused Ports (Linux) =====

**Check open ports.**

From the command line, you can see which ports are open on which interface by typing:

<code>
sudo lsof -i -P | grep LISTEN
</code>

''

''

Services can be removed, disabled, or configured to only listen locally.
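The output of the command above is easy to skim on a small box but not on a busy server. The following script, added here as an example and not part of the original wiki page, parses that output and separates services that only listen on the loopback interface from those reachable from other hosts (bound to ''*'', ''0.0.0.0'' or a real interface address). The sample ''lsof'' lines are constructed for the example; ''audit_live_system()'' runs the page's own command on the current machine.

```python
"""Audit listening sockets from `lsof -i -P | grep LISTEN` output.

Added example, not from the original wiki page.  It parses the text that the
command prints and flags services reachable from other hosts (bound to
0.0.0.0, *, or a non-loopback address) versus services that only listen
locally.  The sample output below is constructed for this example.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass

# Constructed sample, shaped like real `lsof -i -P | grep LISTEN` lines.
SAMPLE_LSOF = """\
sshd      812    root    3u  IPv4  18234      0t0  TCP *:22 (LISTEN)
sshd      812    root    4u  IPv6  18236      0t0  TCP *:22 (LISTEN)
cupsd    1023    root    6u  IPv6  19001      0t0  TCP [::1]:631 (LISTEN)
cupsd    1023    root    7u  IPv4  19002      0t0  TCP 127.0.0.1:631 (LISTEN)
mysqld   1440   mysql   20u  IPv4  22110      0t0  TCP 192.168.1.10:3306 (LISTEN)
redis    1502   redis    6u  IPv4  23007      0t0  TCP 0.0.0.0:6379 (LISTEN)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    address: str   # "*" or an IPv4/IPv6 literal
    port: int

    def is_local_only(self) -> bool:
        """True when the socket can only be reached from this machine."""
        if self.address == "*":
            return False
        return ipaddress.ip_address(self.address).is_loopback


# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME  -- NAME is addr:port (LISTEN)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?:TCP|UDP)\s+(?P<addr>\*|\[[^\]]+\]|[0-9.]+):(?P<port>\d+)\s+\(LISTEN\)"
)


def parse_lsof(text: str) -> list[Listener]:
    """Turn lsof LISTEN lines into Listener records; unparseable lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr").strip("[]")   # IPv6 literals are bracketed
        found.append(Listener(m.group("cmd"), int(m.group("pid")),
                              m.group("user"), addr, int(m.group("port"))))
    return found


def exposed_services(text: str) -> list[tuple[str, int]]:
    """(command, port) pairs that listen on more than the loopback interface."""
    return sorted({(l.command, l.port) for l in parse_lsof(text)
                   if not l.is_local_only()})


def audit_live_system() -> list[tuple[str, int]]:
    """Run the page's command (root needed to see other users' processes) and audit it."""
    out = subprocess.run("lsof -i -P | grep LISTEN", shell=True,
                         capture_output=True, text=True).stdout
    return exposed_services(out)


if __name__ == "__main__":
    for cmd, port in exposed_services(SAMPLE_LSOF):
        print(f"exposed: {cmd} on port {port}")
```

Anything the script reports as exposed is a candidate for the three remedies named above: remove the package, disable the service, or bind it to ''127.0.0.1''/''::1'' in its configuration.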

====== Email ======

===== Which provider? =====

With email, you //

One good email provider is [[https://

For more control over your email, you have to either [[:

  * Ask a geek/nerd friend
  * Pay for the service (instead of paying with your data)
  * Combine the above (actually the very best option)
  * Use email from a non-profit organization (and donate money if you can)
  * See [[https://

===== Crypto! (GPG-Encryption) =====

As you may know, your email travels through the network like a postcard in snail mail: everyone can read it! So, as with snail mail, it makes sense to put your emails in a closed envelope. One possible envelope is called **GPG**. \\ The Pretty Good Privacy software was originally written by Phil Zimmermann, and is now owned by Symantec. The means of encryption defined by that software are also called PGP; these standards are now freely available as OpenPGP, which derived from the original PGP. \\ The GPG software is an independent implementation of the OpenPGP standards, so you can use it to exchange encrypted messages with people using other OpenPGP implementations (and Symantec's PGP).

==== Warning! ====

While email encryption is still mostly secure, the nature of PGP messages has two inherent problems.

  - **Lack of forward secrecy**: PGP uses long-term decryption keys that never change. If at any point in the future your device is stolen, accessed or hacked, all past messages recorded by powerful attackers can be decrypted, even if you have deleted the messages from your own devices.
  - **Lack of deniability**:

These problems have since been solved in modern end-to-end encrypted messaging systems like OTR, Signal, etc. that are also easier to use (see below). Therefore, unless you absolutely have to, it is advised to always use modern messaging applications instead of PGP.
==== Understand ====

For your first time, you should get at least a basic understanding of the concept of asymmetric encryption (often called **public key encryption**). Please watch one of these videos before you begin using it:

  * [[http://
  * [[https://
  * [[https://
  * [[https://
  * [[https://

==== Use a Mailclient with GPG support ====

A mail client is an application for your mail on your computer. It makes mailing even more convenient!

=== 1. Install a mailclient ===

We recommend [[https://

=== 2. Install GnuPG ===

  * **Windows**:
    * [[http://
  * **Mac**:
    * [[https://
    * [[https://
    * [[http://
  * **Linux (e.g. Ubuntu)**:
    * comes with GPG installed by default

=== 3. Plugin Enigmail ===

[[http://
Find the add-on manager in your Thunderbird (upper right side menu) and install Enigmail there. On Linux, install it via your software manager. The package is usually called //

=== 4. Passphrase ===

Now you want to give yourself some time to think about a nice [[:

=== 5. Generate Keypair ===

  * Click //
  * choose //OpenPGP Setup Assistant//
  * Follow the instructions. When not sure, the default value is usually safe.

Afterwards, it will ask you if you want to make a revocation certificate. Do so, and store it on a safe medium (that is either a print-out or a CD you burn it to and then put away in a safe place). \\ If you have already generated a keypair or want to follow instructions like the ones given [[https://

=== 6. Publish Public Key ===

If you now think "//WTF publish my KEY!!11!!!//"

To get a copy of a public key on Linux with GnuPG run the following command:

<code>
gpg --export --armor <your GPG ID>
</code>

This will generate output starting with '-----BEGIN PGP PUBLIC KEY BLOCK-----'

=== 7. Get your recipient'

If your intended recipient doesn'

<code>
gpg --import /
</code>

The key will now be available to be accessed through GnuPG and thus through Enigmail or other programs that utilise GnuPG.

From the command line, you can see your local collection of keys by typing:

<code>
gpg -k
</code>

To find a particular key, type:

<code>
gpg -k <part of name/
</code>

To display or search keys in Thunderbird/

  - Choose “OpenPGP” in the Thunderbird menu
  - Choose “Key management”
  - Type part of a name or email in the search box, or check “Display All Keys by Default”

=== 8. Write your first encrypted email ===

Only encrypt //plain text//

You can use the command line to encrypt a file or a message:

<code>
gpg -ase -r <
</code>

This will produce

To send encrypted mail with Thunderbird/

  * Make sure auto-saving of drafts is disabled (Tools → Options → Composition → General, uncheck Auto Save, or Edit → Preferences → Composition → General, uncheck Auto Save).
  * Compose a message as you normally would.
  * Click on OpenPGP, and check Encrypt Message (and, optionally, Sign Message).
  * Click Send.

Depending on how Thunderbird is set up, it may give you a list of keys to choose from at this point, or it may select keys automatically based on email addresses (This behavior is configurable:

To decrypt a message from the command line, save the encrypted message to a file, and type:

<code>
gpg <
</code>

To decrypt mail with Thunderbird/

  * Click on the message.
  * After a moment, the passphrase entry box should appear; enter your passphrase.

To verify a signature:

If the message was signed, there should be a “Good signature” message (visible in the output of the command-line client, or a green bar above the sender information in Thunderbird). If there is a “signature verification failed” message instead, it could mean that the message was tampered with, or it could just mean that you don't have the sender'

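Steps 5 to 8 above are easiest to understand when you watch the whole exchange happen in one place. The script below is an added example, not part of the original wiki page: it drives the ''gpg'' command line through the same steps (generate a keypair, ''--export --armor'', ''--import'', ''-ase -r'', decrypt and check for a good signature) using two throwaway keyrings in temporary directories. It assumes a GnuPG 2.x binary on PATH; "Alice" and "Bob" are constructed test identities and, because this is a disposable test keyring, their keys have no passphrase, which you would never do for a real key.

```python
"""Exercise the gpg command-line steps from the guide (export, import,
sign+encrypt, decrypt, verify) against throwaway keys in temporary keyrings.

Added example, not part of the original wiki page.  It assumes the `gpg`
binary (GnuPG 2.1 or later, for --pinentry-mode loopback) is on PATH and
uses only documented options.  "Alice" and "Bob" are constructed test
identities without a passphrase; that is acceptable only for a test keyring
that is deleted afterwards.
"""
from __future__ import annotations

import shutil
import subprocess
import tempfile
from pathlib import Path

ALICE = "Alice Test <alice@example.test>"   # constructed identities
BOB = "Bob Test <bob@example.test>"


def gpg_available() -> bool:
    """True when a GnuPG 2.x binary is on PATH (loopback pinentry needs 2.1+)."""
    exe = shutil.which("gpg")
    if exe is None:
        return False
    out = subprocess.run([exe, "--version"], capture_output=True, text=True).stdout
    first = out.splitlines()[:1]
    return bool(first) and first[0].split()[-1].startswith("2.")


def _gpg(home: Path, *args: str, stdin: bytes = b"") -> subprocess.CompletedProcess:
    """Run gpg non-interactively against a private GNUPGHOME."""
    cmd = ["gpg", "--homedir", str(home), "--batch", "--yes",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, check=True)


def make_key(home: Path, user_id: str) -> None:
    """Step 5: generate a keypair (no passphrase; test keyring only)."""
    _gpg(home, "--quick-generate-key", user_id, "default", "default", "0")


def export_public_key(home: Path, user_id: str) -> bytes:
    """Step 6: `gpg --export --armor <id>` -> ASCII-armored public key block."""
    return _gpg(home, "--export", "--armor", user_id).stdout


def import_key(home: Path, armored: bytes) -> None:
    """Step 7: `gpg --import` of a key block received from the other party."""
    _gpg(home, "--import", stdin=armored)


def sign_and_encrypt(home: Path, recipient: str, plaintext: bytes) -> bytes:
    """Step 8: `gpg -ase -r <recipient>` (armor, sign, encrypt) read from stdin."""
    # --trust-model always: a fresh keyring has not certified Bob's key yet,
    # and in batch mode gpg would otherwise refuse to encrypt to it.
    return _gpg(home, "-ase", "-r", recipient, "--trust-model", "always",
                stdin=plaintext).stdout


def decrypt_and_verify(home: Path, ciphertext: bytes) -> tuple[bytes, bool]:
    """Decrypt; also report whether gpg emitted GOODSIG for the sender's key."""
    res = _gpg(home, "--status-fd", "2", "--decrypt", stdin=ciphertext)
    return res.stdout, b"[GNUPG:] GOODSIG" in res.stderr


def _stop_agent(home: Path) -> None:
    """Shut down the per-homedir gpg-agent before the directory is deleted."""
    if shutil.which("gpgconf"):
        subprocess.run(["gpgconf", "--homedir", str(home), "--kill", "gpg-agent"],
                       capture_output=True)


def roundtrip(message: bytes = b"hello from alice\n") -> tuple[bytes, bool, bool]:
    """Alice mails Bob.  Returns (Bob's plaintext, good signature, armor header ok)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        alice, bob = Path(a), Path(b)
        try:
            make_key(alice, ALICE)
            make_key(bob, BOB)
            # Each side publishes its public key and imports the other's (steps 6 and 7).
            alice_pub = export_public_key(alice, "alice@example.test")
            bob_pub = export_public_key(bob, "bob@example.test")
            import_key(alice, bob_pub)
            import_key(bob, alice_pub)
            armored_ok = bob_pub.startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----")
            ciphertext = sign_and_encrypt(alice, "bob@example.test", message)
            plaintext, good_sig = decrypt_and_verify(bob, ciphertext)
            return plaintext, good_sig, armored_ok
        finally:
            _stop_agent(alice)
            _stop_agent(bob)


if __name__ == "__main__":
    if gpg_available():
        pt, sig, hdr = roundtrip()
        print(pt.decode().strip(), "| good signature:", sig, "| armored header:", hdr)
    else:
        print("gpg 2.x not installed")
```

Note what ''GOODSIG'' does and does not tell you: it confirms the message was signed by the key Bob imported, not that this key really belongs to Alice. That is what the key-fingerprint check over a second channel (and the "this key is not certified" warning gpg prints) is about.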
==== GPG with Outlook 2010/2013 ====

GPG also works with Outlook if that's what you're using.

  * Get [[http://
  * Open up Kleopatra and go to File→New Certificate→Create a personal OpenPGP key pair.
  * Fill in a name and your email address. Open up "
  * Enter a [[http://
  * (Optional) make a backup of it somewhere and upload it to a directory service.
  * Now get the [[https://
  * Install it and, if you need to, get the [[http://
  * Start up Outlook and make a new email. In the upper right panel you can encrypt (and also sign) your email.
  * Before you send an encrypted email you need your recipient's public key block. For testing purposes you can create another account (with a trashmail address) which you delete later. Otherwise you find such keys on websites/
  * Once you have the recipient's public key, copy it (from & including "
  * Now make a new email in Outlook and fill in the recipient'
  * Enter whatever text you want to send. And then click "
  * Make sure your recipient has your public key as well.

To decrypt a message you received, double click the email and then choose "

==== More Information ====

Maybe it wasn't that easy for you to do it, or maybe you want to know more. In either case, please have a look at the following links to some guides and more information:

  * [[http://
  * Slides: [[https://
  * There is an excellent visual explanation of [[http://
  * [[https://

**[[:

=== 9. Use TorBirdy ===

You can make your communication extra safe by using TorBirdy, a Thunderbird add-on for the Tor Browser

  * If you don't have Thunderbird, get it for free here: [[http://
  * Then you need to install Tor, so follow this [[:
  * Next, [[https://
  * in Thunderbird,
  * then you need to adjust your proxy to 9150, which you can do at Tools (//
  * install it and restart Thunderbird
  * NOTE: You now always have to open your Tor Browser to use TorBirdy in Thunderbird. Otherwise e-mails fail to be sent.
  * for troubleshooting,

====== GPG-Encryption beyond Email (GPA) ======

If you'd like to use GPG (for an explanation of GPG please see [[:
If you're using Windows simply install //The GNU Privacy Assistant//

  * [[https://

====== Chat ======

===== OTR =====

Off-the-Record (OTR) messaging allows you to have private conversations over instant messaging by providing:

  * **End-to-end encryption**:
  * **Authentication**:
  * **Deniability**:
  * **Forward secrecy**: If you lose control of your private keys, no previous conversation is compromised (assuming control of log files was not lost at the same time).

A variety of chat clients are available which use OTR:

Clients that support the [[https://
  * [[https://
  * [[https://
  * [[https://

Clients with built-in support for OTR

  * ChatSecure ([[https://
  * [[https://
  * [[https://

=== How to use ===
  * [[https://
  * [[https://
  * [[https://

Advanced:

  * [[https://

===== Signal protocol =====

The Signal protocol is a modernized version of the OTR protocol that is designed to work in asynchronous environments such as smartphones. Because smartphone apps open and close so frequently, OTR sessions (which need to be established each time they're used) become inconvenient.

More information
  * [[https://
  * [[https://

Applications that use the Signal protocol or similar (so called [[https://

  * [[https://
  * [[https://
  * [[https://

===== IRC =====

==== IRC over Tor ====

Note that if you don't use the Tor Browser Bundle (but just tor) replace 9150 with **9050**

For the **XChat**

  * Start Tor.
  * In XChat go to Settings→Options→Network Setup and enter the following:

<code>
Hostname: 127.0.0.1
Port: 9150
Type: Socks5
Use Proxy for: both
</code>

  * Save and make sure you don't connect with the nickname you use without Tor.

For the **irssi**

For the **mIRC**

  * Press Alt+O to open the options dialog
  * Go to Connect → Proxy section
  * Under Connection select Both
  * Under Protocol select Socks
  * Under Hostname enter "
  * Under Port enter 9150 & press OK.

There are also Tor-internal IRC servers to which you can only connect once you have set up the above. [[http://

==== IRC with I2P ====

  * Set up I2P [[:
  * Start it, as well as your IRC client (e.g. mIRC or XChat)
  * Connect to a new server: 127.0.0.1 Port 6668
  * Done. There are also more IRC servers than the default one above. To learn how to join them read the bottom of [[http://
  * //

===== Pidgin over Tor =====

  * Go to the Accounts, select your account
  * Select Edit Account
  * Go to the Advanced tab
  * Under Proxy Options select proxy type SOCKS v5
  * Enter 127.0.0.1 for the host and 9150 for the port
  * Leave user/pass blank

See also: [[https://

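The XChat, mIRC and Pidgin settings above (SOCKS5, host 127.0.0.1, port 9150 or 9050) all make the client speak the same small protocol to Tor's local proxy. The script below is an added example, not part of the original wiki page; it builds and parses the SOCKS5 messages as described in RFC 1928. The part worth seeing is that the CONNECT request carries the //hostname// (address type 3), so the name is resolved inside the Tor network instead of by your machine's DNS resolver, which is what "Socks5" with the proxy used for "both" buys you over a plain HTTP proxy. The proxy replies at the bottom are constructed for the example; ''open_via_tor()'' performs the same exchange against a running Tor, so it needs Tor to be up.

```python
"""SOCKS5 handshake as a chat client performs it against Tor's local proxy
(127.0.0.1:9150 for Tor Browser, 9050 for a stand-alone tor daemon).

Added example, not part of the original wiki page.  The byte layout follows
RFC 1928; the proxy replies at the bottom are constructed for this example.
"""
from __future__ import annotations

import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting() -> bytes:
    """Client hello offering only 'no authentication' (Tor's default)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """CONNECT with the hostname embedded, so the proxy resolves it (no local DNS)."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 domain field")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_method_reply(data: bytes) -> None:
    """Validate the server's method selection; raise on refusal or bad version."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 server")
    if data[1] != NO_AUTH:
        raise ValueError("proxy demanded an authentication method we did not offer")


def parse_connect_reply(data: bytes) -> tuple[str, int]:
    """Return the bound (address, port) from a CONNECT reply, or raise with the reason."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 reply")
    status, atyp = data[1], data[3]
    if status != 0x00:
        raise ConnectionError(REPLY_TEXT.get(status, f"unknown status {status:#x}"))
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed SOCKS5 reply")
    return addr, struct.unpack("!H", rest)[0]


def open_via_tor(host: str, port: int, proxy=("127.0.0.1", 9150),
                 timeout: float = 30) -> socket.socket:
    """Live use: run the handshake against a running Tor and hand back the tunnel."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(greeting())
    parse_method_reply(s.recv(2))
    s.sendall(connect_request(host, port))
    parse_connect_reply(s.recv(262))   # max reply size: 4 + 1 + 255 + 2
    return s


# Constructed replies, shaped like those a real SOCKS5 proxy sends.
SAMPLE_METHOD_OK = bytes([0x05, 0x00])
SAMPLE_CONNECT_OK = bytes([0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0])   # Tor answers 0.0.0.0:0
SAMPLE_CONNECT_REFUSED = bytes([0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    req = connect_request("irc.example.com", 6667)   # constructed hostname
    print("CONNECT request:", req.hex())
    print("bound to:", parse_connect_reply(SAMPLE_CONNECT_OK))
```

If a client offers to resolve names locally and send the IP instead (SOCKS4, or "SOCKS5 without remote DNS"), the DNS query still leaves your machine in the clear even though the IRC traffic goes through Tor; that is the configuration mistake the "both"/"Socks5" settings are there to prevent.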
+ | ===== Securing pidgin on GNU/Linux ===== | ||
+ | |||
+ | * For information on how to secure pidgin on GNU/Linux [[https:// | ||
+ | * For information on how to properly install Apparmor: [[https:// | ||
+ | |||
+ | ===== Other ===== | ||
+ | |||
+ | * [[http:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[http:// | ||
+ | * [[https:// | ||
+ | |||
+ | |||
+ | ====== VoIP ====== | ||
+ | The easiest way is to use WebRTC, which is built into every modern browser. Just go to one of the many rendezvous-sites like https:// | ||
+ | |||
+ | Also, all major instant messaging apps for smartphones, | ||
+ | |||
+ | * [[https:// | ||
+ | * [[http:// | ||
+ | * Jitsi may request non-secure information during encrypted chat if you paste a link into it. This can be disabled in "// | ||
+ | * [[https:// | ||
+ | * Get a free SIP account for Jitsi and/or CSipSimple with The Guardian Project’s [[https:// | ||
+ | |||
+ | ====== Darknet ====== | ||
+ | |||
+ | A darknet is an internet or private network, where information and content are shared by darknet participants anonymously. More accurately all of them share being //anonymous overlay networks// | ||
+ | |||
+ | ===== Tor Hidden Services ===== | ||
+ | |||
+ | Tor can also provide anonymity to websites and other servers. Servers configured to receive inbound connections only through Tor are called hidden services. Rather than revealing a server's IP address (and thus its network location), an hidden service is accessed through its .onion address. The Tor network understands these addresses and can route data to and from hidden services, while preserving the anonymity of both parties. | ||
+ | |||
+ | * Follow the [[: | ||
+ | * That's it already. [[http:// | ||
+ | |||
+ | ===== I2P ===== | ||
+ | |||
+ | I2P is a secure, anonymous network resistant to censorship and monitoring and both distributed and dynamic, with no trusted parties. It offers a range of services by default (including an active IRC Chat) and with full support for streaming, anonymous file sharing (BitTorrent), | ||
+ | |||
+ | ==== Step 1 ==== | ||
+ | |||
+ | * **Ubuntu**: | ||
+ | Open a terminal (Ctrl+Alt+T) and issue the following commands: | ||
+ | |||
+ | < | ||
+ | sudo apt-add-repository ppa: | ||
+ | sudo apt-get update | ||
+ | sudo apt-get install i2p | ||
+ | </ | ||
+ | |||
+ | And then '//' | ||
+ | |||
+ | * **Windows**: | ||
+ | Get the latest installer from [[http:// | ||
+ | |||
+ | ==== Step 2 ==== | ||
+ | |||
+ | * The I2P router console should open by this. You can reach it here: [[http:// | ||
+ | * On the left panel you will see bandwidth of 96KBps and 40KBps for the In and Out speeds. Your most likely have an Internet speed far greater than this. Therefore, you should raise the speeds significantly. | ||
+ | * Then go here (also optionally): | ||
+ | * Now you can either always use a second browser/ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | - Get the [[https:// | ||
+ | - When installed click the FoxyProxy logo next to the URL bar. And then change “Select Mode:” to “Use proxies based on their pre-defined patterns and priorities” | ||
+ | - Click “Add a new proxy” and on the “General” tab, make sure “Enabled” is checked. Also give it a name like " | ||
+ | - One the “Proxy Details” tab, select “Manual Proxy Configuration” and enter “localhost” in the “Host or IP Address” field and “4444″ in the port field. | ||
+ | - On the “URL Patterns” tab, click “Add New Pattern”, make sure “Enabled” is checked and “Whitelist” and “Wildcards” are selected. Give it a Pattern Name (ie. " | ||
+ | - Press Ok twice & close. Firefox will now send all .i2p requests through the local proxy. You can now access the //" | ||
+ | |||
+ | * **Alternatively** | ||
+ | < | ||
+ | HTTP-Proxy: 127.0.0.1 | ||
+ | </ | ||
+ | |||
+ | * Click OK. You can also run 2 firefox instances at the same time using [[http:// | ||
+ | * Enter // | ||
+ | |||
+ | < | ||
+ | javascript.enabled | ||
+ | browser.safebrowsing.enabled | ||
+ | browser.safebrowsing.malware.enabled | ||
+ | </ | ||
+ | |||
+ | * Disable all Plugins. Alternatively to setting javascript.enabled to false you can also use [[https:// | ||
+ | |||
+ | ---- | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | * [[: | ||
+ | * [[: | ||
+ | |||
+ | ===== Freenet ===== | ||
+ | |||
+ | Freenet is a peer-to-peer platform for censorship-resistant communication. It is more or less a decentralized distributed data storage. Freenet works by storing small encrypted snippets of content distributed on the computers of its users and connecting only through intermediate computers which pass on requests for content and sending them back without knowing the contents of the full file, similar to how routers on the Internet route packets without knowing anything about files—except with caching, a layer of strong encryption, and without reliance on centralized structures. This allows users to publish anonymously or retrieve various kinds of information. So called "// | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | ===== Retroshare ===== | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | Communication services in RetroShare: | ||
+ | |||
+ | * Private chat with friends | ||
+ | * Private or public chat lobbies, that allow chatting with friends and friends of friends | ||
+ | * Messages to friends | ||
+ | * Forums | ||
+ | * Voice over IP | ||
+ | |||
+ | All you need to do is install the software and generate a PGP/GPG key, which will be used to encrypt and decrypt your network traffic. The hard part is getting at least 5 of your friends to also install the software and [[http:// | ||
+ | |||
+ | FIXME //Please add info for "The degree of anonymity can still be improved by deactivating the DHT and IP/ | ||
+ | |||
+ | ====== Meshnet ====== | ||
+ | |||
+ | **Advanced**. A meshnet is a decentralized peer-to-peer network, with user-controlled physical links (usually wireless). The most popular meshnet refers to the transitional CJDNS Internet overlay network currently known as // | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | ====== File Sharing, Torrenting, Warez ====== | ||
+ | |||
+ | For anonymous downloading the absolute minimum is making use of a [[: | ||
+ | |||
+ | ===== Torrenting with I2P ===== | ||
+ | |||
+ | * Follow [[: | ||
+ | * Watch [[http:// | ||
+ | * And [[http:// | ||
+ | |||
+ | ===== Tribler ===== | ||
+ | |||
+ | Tribler is an open source peer-to-peer decentralized torrent client with various features for watching, streaming & sharing videos online. | ||
+ | |||
+ | //Soon// (!) **[[http:// | ||
+ | |||
+ | ===== Frost with Freenet ===== | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | * Follow [[: | ||
+ | * Download Frost from the link above or via its freesite: // | ||
+ | * Create a directory where you want Frost to reside, and uncompress the zip file in there. | ||
+ | * Start frost.jar (or .bat) (if you are on Windows) or frost.sh (if you are on *nix) and enter a nick. | ||
+ | |||
+ | ===== Retroshare ===== | ||
+ | |||
+ | [[: | ||
+ | [[http:// | ||
+ | |||
+ | ===== Other ===== | ||
+ | |||
+ | ===== Anonymous Upload & Download of Youtube-Videos ===== | ||
+ | |||
+ | Videos from Youtube have unique metadata embedded into them via our friends at Google (on a per download basis). If that same file is seen elsewhere Google can check their logs to see when that file was downloaded and everything your computer sent, such as your IP address, user-agent and other fingerprinting info. | ||
+ | |||
+ | When using **[[https:// | ||
+ | |||
+ | < | ||
+ | --user-agent UA specify a custom user agent | ||
+ | --user-agent " | ||
+ | </ | ||
+ | |||
+ | You can also put these settings into a file "// | ||
+ | |||
+ | Use [[: | ||
+ | |||
+ | If you plan to reupload or share the video and wish for google to not know which of the downloaders is uploading the file do the following from a Linux terminal: | ||
+ | |||
+ | < | ||
+ | $ ffmpeg -i originalvideo.mp4 -acodec copy -vcodec copy newvideo.mp4 | ||
+ | </ | ||
+ | |||
+ | That will strip the video to only the video and audio (removing the metadata). You can verify this by downloading the same video twice and checking the sha256sum's against each other. After you strip the video and audio you can see the two different sha256sum' | ||
+ | |||
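Review bot: the ffmpeg stream-copy command in the "Anonymous Upload & Download of Youtube-Videos" section does not remove the container's metadata as the following paragraph claims; `-acodec copy -vcodec copy` remuxes the streams, but ffmpeg copies the input's global metadata into the output by default (and adds its own encoder tag). To match the statement that the result is "only the video and audio", add `-map_metadata -1` (e.g. `ffmpeg -i originalvideo.mp4 -map_metadata -1 -acodec copy -vcodec copy newvideo.mp4`), and note that per-stream tags are copied separately, so the output should be inspected with `ffprobe` before calling it clean. The sha256sum comparison described afterwards is the right acceptance test and should be stated as one: two independently downloaded copies must hash identically after stripping; differing hashes before stripping prove only that the downloads differ, not what was removed.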
+ | ====== DNS ====== | ||
+ | |||
+ | The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | * Go [[http:// | ||
+ | * Follow the step by step guide. And then repeat the process for IPv6. | ||
+ | * [[http:// | ||
+ | |||
+ | ====== Currency ====== | ||
+ | |||
+ | Bitcoin is a decentralised, anonymous digital currency. | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * To anonymize your bitcoins further you can use the [[http:// | ||
+ | |||
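Review bot: the opening sentence of the "Currency" section calls Bitcoin "anonymous", which the section's own last bullet contradicts by recommending a service "to anonymize your bitcoins further". Bitcoin is pseudonymous: every transaction sits in a public ledger, and addresses can be linked to one another and to real identities through exchanges and network metadata. Suggest "a decentralised, pseudonymous digital currency", plus one sentence saying that the public ledger is exactly why the extra anonymization step exists.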
+ | ====== File Deletion ====== | ||
+ | |||
+ | If you want to delete files on your PC the normal way, they can be easily restored with tools freely available on the Internet (such as Recuva). Because of this you might want to make sure to truly delete files in certain circumstances (ie if you want to sell your PC). | ||
+ | |||
+ | ===== Warning ===== | ||
+ | |||
+ | Right now, there is no secure way to delete files from flash memory. This includes usb sticks, memory cards and solid state hard disks (SSDs). The only responsible way to prevent theft of data on these media is // | ||
+ | |||
+ | ==== Windows ==== | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | * With [[http:// | ||
+ | |||
+ | * With [[https:// | ||
+ | |||
+ | ==== Linux ==== | ||
+ | |||
+ | If you want to erase a hard disk (now, because // | ||
+ | |||
+ | < | ||
+ | dd if=/ | ||
+ | </ | ||
+ | |||
+ | as root/ | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | [[http:// | ||
+ | sfill does a secure overwriting of the unused diskspace on the harddisk. \\ | ||
+ | sswap does a secure overwriting and cleaning of the swap filesystem. (note that sswap was only tested on linux so far. you must unmount your swap first!) \\ | ||
+ | smem does a secure overwriting of unused memory (RAM) To install the tools on ubuntu issue the command: | ||
+ | |||
+ | < | ||
+ | sudo apt-get install secure-delete | ||
+ | </ | ||
+ | |||
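Review bot: the `dd if=/` listing under "Linux" is cut off and names no output device, so as written it cannot be followed; the complete command should spell out the target as the whole device rather than a single partition (partition tables and slack space otherwise survive), and the surrounding text should state plainly that a mistyped `of=` path wipes that device irrecoverably, which is the one check a reader must make before pressing enter. Two smaller points in the same region: the `sswap` line says to "unmount your swap first", and the actual command for that is `swapoff`; and the `smem` sentence runs straight into "To install the tools on ubuntu" with no period or line break. The "Warning" above already covers flash media; a one-line back-reference here would keep readers from running these overwrite tools on an SSD and believing the data is gone.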
+ | ==== Mac ==== | ||
+ | |||
+ | Beginning with Mac OS 10.3, Apple enhanced its security by introducing the [[http:// | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | ====== Photos & Videos ====== | ||
+ | |||
+ | ===== Photo EXIF Data Removal ===== | ||
+ | |||
+ | EXIF (Exchangeable Image File) data is a record of what camera settings were used to take a photograph. This data is recorded into the actual image file. Therefore each photograph has its own unique data. EXIF data stores information like camera model, exposure, and sometimes even GPS-data. While there are many image-hosting services such as imgur.com that strip away the exif data most sites keep it, leaking private information ie for grab to the NSA's XKeyscore program which [[http:// | ||
+ | |||
+ | * **Windows**: | ||
+ | * **Ubuntu**: [[http:// | ||
+ | ===== Other ===== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ====== Virtual Machines & Live Disc/USB ====== | ||
+ | |||
+ | The Amnesic Incognito Live System or **Tails** | ||
+ | |||
+ | * Download [[https:// | ||
+ | * Verify the checksums as described here: [[: | ||
+ | * [[: | ||
+ | |||
+ | If you don't want to create these yourself, you can [[https:// | ||
+ | |||
+ | Alternatives to Tails such as Liberté Linux [[https:// | ||
+ | |||
+ | ===== Virtual Machine ===== | ||
+ | |||
+ | A virtual machine is a software based, fictive computer. Virtual machines may be based on specifications of a hypothetical computer or emulate the computer architecture and functions of a real world computer. | ||
+ | |||
+ | * Download & install [[https:// | ||
+ | * Start Virtual Box click " | ||
+ | * FIXME | ||
+ | * | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ===== Live Disc/USB ===== | ||
+ | |||
+ | A live disc is a complete bootable computer operating system which runs in the computer's memory, rather than loading from the hard disk drive. It allows users to experience and evaluate an operating system without installing it or making any changes to the existing operating system on the computer. Live USBs are closely related to live discs, but sometimes have the ability to persistently save settings and permanently install software packages back onto the USB device. | ||
+ | |||
+ | * Burn the ISO onto a DVD You can use [[http:// | ||
+ | * If you want to have it on a USB stick you first need another stick with tails preinstalled or a DVD, then follow [[https:// | ||
+ | * Make sure the DVD is inserted (or the USB plugged in) then restart your PC | ||
+ | * Tails should boot automatically. Make sure you "press any key" when asked to do so. If it doesn't work you have to [[http:// | ||
+ | |||
+ | If you don't want to create these yourself, you can [[https:// | ||
+ | |||
+ | ====== Operating system ====== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | FIXME //Please add tutorial/s for a new OS or 2nd OS// | ||
+ | |||
+ | If you (keep) using Windows [[http:// | ||
+ | |||
+ | ====== VPN ====== | ||
+ | |||
+ | A Virtual Private Network (VPN), is a private network of computers within a public network (the internet). When you connect to a VPN, the computer acts as if it’s | ||
+ | |||
+ | Make sure that.. | ||
+ | |||
+ | * …you pay for the VPN (don't use free ones, [[https:// | ||
+ | * …you do the above anonymously (ie using [[: | ||
+ | * …the VPN [[https:// | ||
+ | * …the VPN doesn' | ||
+ | * …you can also install your own VPN [[https:// | ||
+ | |||
+ | **Windows**: | ||
+ | |||
+ | * Press the Windows key, type VPN, and click the Set up a virtual private network (VPN) connection option. | ||
+ | * Use the wizard to enter the address and login credentials of the VPN service you want to use. | ||
+ | * You can then connect to and disconnect from VPNs using the network icon in the system tray - the same one where you manage the Wi-Fi networks you’re connected to. | ||
+ | |||
+ | FIXME //Please add how to set up a VPN + [[https:// | ||
+ | |||
+ | |||
+ | ====== Android ====== | ||
+ | =====General===== | ||
+ | * Make sure your device firmware and apps remain updated. | ||
+ | * [[https:// | ||
+ | * Check all the settings and disable things like location tracking etc. | ||
+ | |||
+ | =====Antivirus===== | ||
+ | You should definitely have an anti-virus software running | ||
+ | |||
+ | =====Root===== | ||
+ | Many apps require root-access to your phone. Gaining such isn't //that// hard to do: just google your device name and firmware (both to be found in the settings under "info to device" | ||
+ | |||
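Review bot: the "Root" subsection presents rooting as a routine step ("just google your device name and firmware") without stating what it costs: an unlocked bootloader and a persistent root process weaken the platform's protections (verified boot, the app sandbox's isolation from a privileged process, and the firmware updates the "General" bullets above tell users to keep installing). Suggest saying that root is only worth it for the specific apps listed later that require it, and that the "Superuser" subsection is a mandatory companion so that every root grant is prompted per app rather than given silently.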
+ | ===== Encryption ===== | ||
+ | |||
+ | * [[http:// | ||
+ | * Make sure to also encrypt your SD card | ||
+ | |||
+ | ===== Permissions ===== | ||
+ | |||
+ | FIXME Check & review the following Apps: \\ [[https:// | ||
+ | [[https:// | ||
+ | [[https:// | ||
+ | [[https:// | ||
+ | [[https:// | ||
+ | [[http:// | ||
+ | |||
+ | ===== GPG ===== | ||
+ | |||
+ | * [[https:// | ||
+ | * You can use [[https:// | ||
+ | |||
+ | ===== Firewall ===== | ||
+ | A firewall is an absolute //must//. | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | ===== Superuser ===== | ||
+ | |||
+ | * [[https:// | ||
+ | |||
+ | ===== Web browsing ===== | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * Alternatives: | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | ===== Notes ===== | ||
+ | |||
+ | * [[https:// | ||
+ | |||
+ | ====== iOS ====== | ||
+ | iOS is a proprietary operating system whose source code is not available for auditing by third parties. You should entrust neither your communications nor your data to a closed source device (better use android or any of [[https:// | ||
+ | |||
+ | ===== Calls ===== | ||
+ | |||
+ | * [[https:// | ||
+ | * The app " | ||
+ | * More information: | ||
+ | |||
+ | ===== Web Browsing ===== | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | ===== Chat ===== | ||
+ | |||
+ | * See [[: | ||
+ | |||
+ | ====== Disc Encryption ====== | ||
+ | |||
+ | ===== VeraCrypt ===== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | VeraCrypt can also be used to encrypt USB flash memory sticks or digital camera or mobile phone memory cards. The caveat is that it is almost impossible to guarantee to securely wipe or overwrite the data from these devices due to their [[https:// | ||
+ | |||
+ | ==== Learn and Use ==== | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[http:// | ||
+ | * [[https:// | ||
+ | |||
+ | ===== FileVault ===== | ||
+ | |||
+ | Since version 10.6 of //Mac OS X//, Apple has offered users the ability to encrypt the home directory of their system. And from 10.7 onwards, Full Disk Encryption has been an option (technically referred to as FileVault 2). Enabling FileVault requires the user to have admin privileges on the computer, and will prompt the user to restart. At the next boot, as soon as the user logs in, FileVault will start doing online encryption of the main system drive. Other drives connected to the computer can also be encrypted by selecting them in Finder and choosing “Encrypt” from the File menu. | ||
+ | |||
+ | When enabling FileVault, in addition to admin users being able to unlock the drive at login, a Recovery Key is also generated, with the option of escrowing this key with Apple. If you choose to do that, you'll have to provide various additional security questions/ | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | ==== Learn and Use ==== | ||
+ | |||
+ | * [[https:// | ||
+ | * Additional deployment reading can be found at Apple's [[http:// | ||
+ | |||
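Review bot: the first sentence of the "FileVault" subsection dates home-directory encryption to "version 10.6 of Mac OS X"; the original FileVault (home-directory encryption) shipped with Mac OS X 10.3, while 10.7 is correct for FileVault 2 full-disk encryption as the next sentence says. Suggest changing 10.6 to 10.3. The key-escrow paragraph should also spell out the trade-off it implies: escrowing the Recovery Key with Apple means Apple, or anyone who can answer the security questions it mentions or compel Apple, can unlock the disk, so a reader of a privacy guide should keep the Recovery Key offline themselves rather than escrow it.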
+ | ===== LUKS ===== | ||
+ | |||
+ | LUKS is the // | ||
+ | |||
+ | ==== Learn and Use ==== | ||
+ | |||
+ | A detailed step-by-step how to set up an encrypted LUKS partition with //Gnome Disks Utility//: | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ===== Ubuntu ===== | ||
+ | |||
+ | Ubuntu allows you to encrypt your whole drive as an option when you freshly set it up. | ||
+ | |||
+ | ==== Learn and Use ==== | ||
+ | |||
+ | * [[https:// | ||
+ | * [[http:// | ||
+ | |||
+ | ====== Integrity Checks ====== | ||
+ | |||
+ | In order to check that you're actually using the right program and not a fake or modified/ | ||
+ | |||
+ | **Windows**: | ||
+ | |||
+ | * Download [[http:// | ||
+ | * Extract and open it. | ||
+ | * Now drag and drop the file you want to check into it. We're checking GPG4win as an example here. So download the .exe from [[http:// | ||
+ | * Now go to [[http:// | ||
+ | |||
+ | * Now to also check the PGP signature open up a command prompt by going to start→entering " | ||
+ | * Download the .sig file on the [[http:// | ||
+ | * Import their public key by entering: | ||
+ | |||
+ | < | ||
+ | gpg --recv-keys EC70B1B8 | ||
+ | (You can find the last few numbers on the website) | ||
+ | </ | ||
+ | |||
+ | * // | ||
+ | < | ||
+ | gpg --import tails-signing.key | ||
+ | (the last bit is the filename of the .key file of course) | ||
+ | </ | ||
+ | |||
+ | * Then enter this and check the result: | ||
+ | |||
+ | < | ||
+ | gpg2 --verify gpg4win-2.1.1.exe.sig gpg4win-2.1.1.exe | ||
+ | (first the .sig/.asc key then the corresponding file) | ||
+ | </ | ||
+ | |||
+ | **Linux**: | ||
+ | |||
+ | * sha1sum and md5sum are included in most Unix/Linux based operating systems (including MacOSX) → Go to ' | ||
+ | * Compare with expected values from the site you downloaded from. | ||
+ | |||
+ | FIXME //Please add variations for Linux& | ||
+ | |||
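Review bot: the "Integrity Checks" section verifies downloads with weaker primitives than it should and skips the one check that gives the signature its meaning. `gpg --recv-keys EC70B1B8` fetches by a 32-bit short key ID, and short IDs are cheap to collide, so a keyserver can return an attacker's key that matches; the "last few numbers on the website" should be replaced by the full fingerprint, compared against a second source (the project's signed release notes, a keyring from a previous installation, or a person). The `gpg2 --verify` result must then be judged on two things, a "Good signature" line and a fingerprint equal to that expected value, not merely on the absence of an error; the "not certified with a trusted signature" warning is expected when the key has not been locally signed and is not a failure. Under "Linux", `sha1sum` and `md5sum` are both collision-broken; the section should use `sha256sum` (which the Youtube section already uses), or `shasum -a 256` on macOS. Finally, the commands mix `gpg` and `gpg2`; pick whichever is installed and use it throughout.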
+ | ====== About ====== | ||
+ | |||
+ | Also available as an eepsite on [[: | ||
+ | [[http:// | ||
+ | And as a hidden service on [[: | ||
+ | [[http:// | ||
+ | FIXME //These 2 sites need to be updated to the present state of this tutorial-series.// | ||
+ | |||
+ | ---- | ||
+ | |||
+ | If these tutorials helped you please pass it on - **share this page** | ||
+ |