- The rescue of a drowning man is the drowning man’s own job.
Nineteen Eighty-Four (1984) George Orwell - a dystopian novel
- (russia) О применении закона «о праве на забвение» - yandex blog
- Your ill-wishers
- Your goals
- Really hardened security (paranoic)
- Normal security
- Tools / Applications
- hackers (viruses, worms, spyware, adware, cryptolockers, …)
- your business competitors
government (yours and foreign)
5- 9- 14- eyes: Australia, Canada, New Zealand, UK, US (FVEY) + Denmark, France, Netherlands, Norway + Germany, Belgium, Italy, Spain, Sweden (SIGINT Seniors Europe (SSEUR) )
- Save your information safe
- Save your information’s metadata safe
- Communicate with other people safely
- Anonymity (staying in shadows) (not only between you and action/phrase, but also between you and your interlocutor)
Really hardened security (paranoic)
This options must be done if you are paranoic, or have some real secrets to be hidden (e.g. from your business competitors).
- Use only applications to which you trust (linux OS and applications for linux are prefered).
- Be carefull with information and files you work with. Memorize everything you can (names, dates, …)
Need real security? => hardware problems
Use separate computer without wireless/cable connections at all ( + usb-drives must be used carefully) (so called air gap).
soft option: virtual machines (virtualbox, qemu/kvm, vmware)
The hardware is the base level of security and Kamphuis recommended finding a pre-2009 IBM Thinkpad X60 or X61 as they are
“the only laptop modern enough to have modern software systems but old enough to be able replace the low level software”, - Arjen Kamphuis
- disable swap (memory is written on hard-drive (non-volatile memory))
Use old cellphones without internet access.
Regularly change sim-cards (for yourself and your business partner). Cellphone companies records your calls, however your competitors will not know, which telephone number call’s records they have to buy. (Cellphone companies (just like social networks) can easily sell data to anyone (competitors, governments, ex-girlfriends))
Remove batteries from unsafe
- Forgot the words: “cloud”, “thin-client”.
It is hard to crack you, but if someone influential will have such a goal, he will probably succeed (using 0-days and unexpected backdoors).
However, the securer the system, the harder it is to hack => less wishful parties. Everybody is limited with economic realities.
- Choose OS and applications carefully. (backdoors / selling data) Be suspicious to large vendor’s software.
Use encryption (encryption for your connections, encryption for your hard-drives / etc.).
Sпоwdеп: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Commercial encryption systems are suspicious, widely spread encryption are less suspicious (it is hard to change standard and not to loose compatibility)
- Secure messengers
- Encrypt hard-drives
- Use OpenVPN (against untrusted networks, e.g. free-wifi, your internet-provider)
- Use OpenPGP for e-mails.
Problem: information about sender/receiver, timestamps, … remain unencrypted.
Anonymity: - it is hard to reach real anonymity, because exists a lot of various fingerprinting technics
- Tor-based products
- adequate care of information you insert into computer (browser)
- browser’s incognito tabs
- Use virtual machines (virtualbox, qemu/kvm, vmware) for checking suspicious files and web-surfing
- Do not hybernate or sleep your computer, only shutdown your computer. It is much easily to hack started computer, rather than switched off.
- Clean up your OS (by special apps, like BleachBit, CCleaner), clean your DNS cache (for notebook, restart your router) (DNS leaktest). No garanties there is nothing left undeleted.
Say NO to:
- slack, campfire, skype, google hangouts, …
- dropbox, google drive, microsoft onedrive, …
Forgot the words: “cloud”, “thin-client”.
- domain names of countries with stringent security laws:
Tools / Applications
- GnuPG, PGP - OpenPGP standard implementation (RFC4880) for using asymmetric cryptography to sign and encrypt data
Tor project - anonymizer (vidalia – qt gui for tor)
Problem: exit-nodes can be hosted by governments in an effort of capturing traffic and deanonimize people, however community regularly close such nodes in the name of anonymity.
Tor is still the main anonymization mechanism nowadays.
- I2P (is it endeed anonymous ?)
Search engine: duckduckgo
- Free proxy lists - they WILL spy on you
- Free proxy lists
- Tor browser
- Others: Dooble, Comodo Dragon, SRWare Iron, cliqz, …
- adblock plus
- HTTPS everywhere - contains huge list of web-site urls and enforces for them https connections instead of http
- torbrowser button (Chrome only) (is it still supported ?) - not really effective, because there is a lot of methods to fingerprint you
- Searchlinkfix (Firefox only) - preventing the search engines (google, yandex) from recording your clicks
- NoScript (firefox only) - disable scripts (JS, flash, …)
- ScriptSafe (Chrome only) - disable scripts (JS, flash, …)
- Ghostery - detects and blocks tracking technologies to speed up page loads, eliminate clutter, and protect your data
- Privacy Badger - blocks spying ads and invisible trackers
extensions for encrypting your e-mail (in google/yandex):
e-mails is never fully encrypted: sender, receiver, timestamps, …
- No profit of starting-up your own e-mail server, because the other party will still have gmail/yandex, … use encryption.
Mozilla Thunderbird plugins for using PGP:
- gmail/yandex alternatives with better security: Hushmail (government still has access), protonmail.com (everything stored at Switzerland, claims to be opensource) (security ?), Kolab Now (everything stored at Switzerland), riseup.net (security ?)
- guerrilla mail
bugmenot - publicly known accounts for various services
- Others: fake-mail generator, 10 minute mail, temp mail, …
Mobile security (secure messaging)
Runa Sandvik: “If I were in a situation where I needed anonymity, mobile is not a platform I’d rely on”
- Change sim-cards regularly, clean up memory of your cellphone
- Use cellphones, not smartphones (with 3g/4g, Wifi, GPS, NFC, …) or use blackphone (expensive option)
- Telegram messenger (for secure messanging and secure? calls)
- Signal messenger (for messanging and secure calls)
- Matrix messanger (still in beta?)
- Orbot - free proxy app that empowers other apps to use the internet through tor (rooted device required)
- onion-browser - iOS browser working though tor
- Others: SMSSecure, Threema, WhatsApp, Facebook messanger (encryption is not enabled by default), Google Allo (encryption is not enabled by default) - ???
OTR - Off-the-Record (OTR) Messaging: encryption, authentication, deniability, perfect forward secrecy.
- Pidgin (windows) - supports OTR and tor
- Adium (MacOS) - supports OTR and tor
- TorMessenger - (still in beta?) - supports OTR and tor
Silent Circle - project targeted at securing mobile communications
- You can buy “blackphone 2” smartphone with Silent OS - smartphone built from the ground up to be private by design
- You can buy software for calls, file transfer, …
- Enterprise Mobile Security Management can be used for managing users, groups, regions, …
- BitLocker (windows) (is it endeed secure ?) (BitLocker uses TMP (Trusted Platform Module) to store keys)
- FileVault (MacOS only)
TrueCrypt - development ended at 2014, unfixed security issues will remain unfixed ! (however last review of truecrypt did not discover any issues)
- AES-XTS encryption for TrueCrypt should be okay
- eCryptfs - POSIX-compatible filesystem with multilevel encryption
- Password Safe - (specialists says it is indeed secure password storage) (Schneier approves) - based on twofish - one of the five Advanced Encryption Standard (AES) finalists
Some good, but undocumented command-line options
- KeePassXC - (is it endeed as secure as it is told to be?)
- KeePass - (is it endeed as secure as it is told to be?)
- pass - for Linux
- DashLane - (do not know if it is secure)
- Others: LastPass, 1Password, dashlane
Tor, I2P, VPN into any truly independent country
Micah Lee: “Tor is awesome and can make you anonymous. But if your endpoint gets compromised, your anonymity is compromised too”
Anonymity tests (fingerprinting checks)
additional fingerprint technics: Web SQL database (google, opera, safari, android browser) (not part of W3C standard)
Tails - a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
- use the Internet anonymously and circumvent censorship;
- leave no trace on the computer;
- use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
- whonix - specifically designed OS for advanced security and privacy
- Qubes - a reasonably secure operating system (Sпоwdеп approves)
VPNs / Proxy-es
2017’s best vpn services (vpnmentor.com)
Needed more invastigation about trustworthy of this services:
ipv6 into ipv4 tunneling (e.g. teredo (this is based on microsoft servers it is not encrypted/secure))
- buy hosting at amazon web services and run your own OpenVPN
- hide my ass, vyprvpn, ExpressVPN, NordVPN, Avira phantom VPN, privateinternetaccess
(mainly targeted at anonymity, rather at encryption)
- mega (is it indeed secure ?)
- spideroak (is it indeed secure ?) - encrypted group chat, file sharing and backup
- onionshare (official web-site) (is it indeed secure ?) - open source tool that lets you securely and anonymously share a file of any size
- securedrop - file-upload for getting messages from anonymous sources from hidden Tor Hidden Service
You walk on the brink, if you are here.