The paranoid #! Security Guide

May 11th, 2017
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. work not my own. credit goes to sorcerer's_apprentice
  6. Table of Contents:
  8. Introduction
  10. Basic Considerations
  12. BIOS-Passwords
  14. Encryption
  15. Making TrueCrypt Portable
  16. Hardware Encryption
  17. Attacks on Full-Disk-Encryption
  18. Attacks on encrypted Containers
  19. Debian's encrypted LVM pwned
  20. Solutions
  21. eCryptfs
  22. Encrypting SWAP using eCryptfs
  23. Tomb
  24. Advanced Tomb-Sorcery
  26. Keyloggers
  27. Software Keyloggers
  28. Defense against Software Keyloggers
  29. Hardware Keyloggers
  30. Defense against Hardware Keyloggers
  32. Secure File-Deletion
  33. BleachBit
  34. srm [secure rm]
  35. Other Ways to securely wipe Drives
  37. Your Internet-Connection
  38. ipkungfu
  39. Configuring /etc/sysctl.conf
  40. Modem & Router
  42. Intrusion-Detection, Rootkit-Protection & AntiVirus
  43. Snort
  44. RKHunter
  45. RKHunter-Jedi-Tricks
  46. chkrootkit
  47. Tiger
  48. Lynis
  49. debsums
  50. sha256
  51. ClamAV
  53. DNS-Servers
  54. Using secure and censor-free DNS
  55. DNSCrypt
  57. Firefox/Iceweasel
  58. Firefox-Sandbox: Sandfox
  59. Firefox-Preferences
  60. Plugins
  61. Addons
  62. SSL-Search-Engines
  63. Flash-Settings
  64. about:config
  65. Prevent Browser-Fingerprinting
  67. TOR [The Onion Router]
  68. TOR-Warning
  70. I2P
  72. Freenet
  74. Secure Peer-to-Peer-Networks
  76. Mesh-Networks
  78. Proxies
  79. Proxy-Warning
  81. VPN (Virtual Private Network)
  83. The Web
  84. RSS-Feeds
  86. Secure Mail-Providers
  88. Disposable Mail-Addresses
  90. Secure Instant-Messaging/VoIP
  91. TorChat
  92. OTR [Off-the-Record-Messaging]
  93. Secure and Encrypted VoIP
  95. Social Networking
  96. Facebook
  97. Alternatives to Facebook
  99. Passwords
  100. pwgen
  101. KeePass
  103. Live-CDs and VM-Images that focus on security and anonymity
  105. Further Info/Tools
  108. Introduction
  110. Hi all!
  112. This is my first attempt to contribute something to the community. Basically you can find everything I write here somewhere else on the
  113. web or in some book - but exactly that is the problem. You can literally spend weeks digging up all this stuff. And to save you some
  114. trouble I thought: "Heck, let's just put this into a little manual."
  116. You're dealing with a somewhat paranoid security setup for debian-based systems like #!.
  117. [This is the end-user and not the |-|4xx0|2-version. We are not getting into
  118. virtual-virtual-virtual-machine-double-vpn-ssh-proxy-chain-from-your-internet-cafe-type-stuff.]
  120. In this small guide I simply provide several "recipes" for securing both your box and your internet-connection and web-applications. I
  121. won't go into the why of all of this in too much detail as I want to provide a simple how-to that people can follow to make their system
  122. more secure without having to read through hundreds of pages of explanations. This information can easily be found elsewhere. If you're
  123. interested in a certain topic then just fire up a web-search and give it a read.
  125. This guide is not exhaustive of course. As they say, security is a process - and so this guide can only be a place to start which needs to
  126. be adjusted to your personal needs.
  128. If you consider to use this information and you find something to be too overcautious for your particular need - just ignore it and move
  129. on. One last thing before we begin: I am not a "security-guru" (far from it) - but more appropriately (as my nick suggests) some dude
  130. wrapping his head around things...
  131. Basic considerations
  132. BIOS-Passwords
  134. For the physical security of your data you should always employ encrypted drives. But before we get to that make sure you set strong
  135. passwords in BIOS for both starting up and modifying the BIOS-settings. Also make sure to disable boot for any media other than your
  136. harddrive.
  140. Encryption
  142. With #! this is easy. In the installation you can simply choose to use an encrypted LVM. (For those of you who missed that part on
  143. installation and would still like to use an encrypted partition withouth having to reinstall: use these instructions to get the job done.)
  144. For other data, e.g. data you store on transportable media you can use TrueCrypt - which is better than e.g. dmcrypt for portable media
  145. since it is portable, too. You can put a folder with TrueCrypt for every OS out there on to the unencrypted part of your drive and thus
  146. make sure you can access the files everywhere you go.
  148. This is how it is done:
  149. Making TrueCrypt Portable
  151. Download yourself some TC copy.
  153. Extract the tar.gz
  155. Execute the setup-file
  157. When prompted choose "Extract .tar Package File"
  159. go to /tmp
  161. copy the tar.gz and move it where you want to extract/store it
  163. extract it
  165. once it's unpacked go to "usr"->"bin" grab "truecrypt"-binary
  167. copy it onto your stick
  169. give it a test-run
  171. There is really not much more in that tarball than the binary. Just execute it and you're ready for some crypto.
  173. I don't recommend using TrueCrypt's hidden container, though. Watch this vid to find out why. If you don't yet know how to use TrueCrypt
  174. check out this guide. [TrueCrypt's standard encryption is AES-256. This encryption is really good but there are ways to attack it and you
  175. don't know how advanced certain people already got at this. So when prompted during the creation of a TrueCrypt container use:
  176. AES-Twofish-Serpent and as hash-algorithm use SHA-512. If you're not using the drive for serious video-editing or such you won't notice a
  177. difference in performance. Only the encryption process when creating the drive takes a little longer. But we get an extra scoop of
  178. security for that... wink]
  179. Hardware Encryption
  181. There are three different types of hardware encrypted devices available, which are generally called: SED (Self Encrypting Devices)
  183. - Flash-Drives (Kingston etc.)
  184. - SSD-Drives (Samsung etc.)
  185. - HD-Drives (WD, Hitachi, Toshiba etc.)
  187. They all use AES encryption. The key is generated within the device's microprocessor and thus no crucial data - neither password nor key
  188. are written to the host system. AES is secure - and thus using these devices can give some extra protection.
  190. But before you think that all you need to do is to get yourself one of these devices and you're safe - I have to warn you: You're not.
  192. So let's get to the reasons behind that.
  193. Attacks on Full-Disk-Encryption
  195. Below we will have a look at a debian specific attack using a vulnerability common with encrypted LVMs.
  197. But you need to be aware that all disk-encryption is generally vulnerable - be it software- or hardware-based. I won't go into details how
  198. each of them work exactly - but I will try to at least provide you with a short explanation.
  200. For software-based disk-encryption there are these known attacks:
  202. - DMA-Attacks (DMA/HDMI-Ports are used to connect to a running, locked machine to unlock it)
  204. - Cold-Boot-Attacks (Keys are extracted from RAM after a cold reboot)
  206. - Freezing of RAM (RAM is frozen and inserted into the attacker's machine to extratct the key)
  208. - Evil-Maid-Attacks (Different methods to boot up a trojanized OS or some kind of software-keylogger)
  210. For hardware-based disk-encryption there are similar attacks:
  212. - DMA-Attacks (same as with SW-based encryption)
  214. - Replug-Attacks (Drive's data cable is disconnected and connected to attacker's machine via SATA-hotplugging)
  216. - Reboot-Attacks (Drive's data cable is disconnected and connected to attacker's machine after enforced reboot. Then the bios-password is
  217. circumvented through the repeated pressing of the F2- and enter-key. After the bios integrated SED-password has been disabled the
  218. data-cable is plugged into the attacker's machine. This only works on some machines.)
  220. - Networked-Evil-Maid-Attacks (Attacker steals the actual SED and replaces it with another containing a tojanized OS. On bootup victim
  221. enters it's password which is subsequently send to the attacker via network/local attacker hot-spot. Different method: Replacing a laptop
  222. with a similar model [at e.g. airport/hotel etc.] and the attacker's phone# printed on the bottom of the machine. Victim boots up enters
  223. "wrong" password which is send to the attacker via network. Victim discovers that his laptop has been misplaced, calls attacker who now
  224. copies the content and gives the "misplaced" laptop back to the owner.)
  226. A full explanation of all these attacks been be found in this presentation. (Unfortunately it has not yet been translated into English.)
  227. An English explanation of an evil-maid-attack against TrueCrypt encrypted drives can be found here
  228. Attacks on encrypted Containers
  230. There are also attacks against encrypted containers. They pretty much work like cold-boot-attacks, without the booting part.
  231. An attacker can dump the container's password if the computer is either running or is in hibernation mode - either having the container
  232. open and even when the container has been opened during that session - using temporary and hibernation files.
  233. Debian's encrypted LVM pwned
  235. This type of "full" disk encryption can also be fooled by an attack that could be classified as a custom and extended evil-maid-attack.
  236. Don't believe me? Read this!
  238. The problem basically is that although most of the filesystem and your personal data are indeed encrypted - your boot partition and GRUB
  239. aren't. And this allows an attacker with physical access to your box to bring you into real trouble.
  241. To avoid this do the following:
  242. Micah Lee wrote:
  244. If you don’t want to reinstall your operating system, you can format your USB stick, copy /boot/* to it, and install grub to it. In
  245. order to install grub to it, you’ll need to unmount /boot, remount it as your USB device, modify /etc/fstab, comment out the line that
  246. mounts /boot, and then run grub-install /dev/sdb (or wherever your USB stick is). You should then be able to boot from your USB stick.
  248. An important thing to remember when doing this is that a lot of Ubuntu updates rewrite your initrd.img, most commonly kernel upgrades.
  249. Make sure your USB stick is plugged in and mounted as /boot when doing these updates. It’s also a good idea to make regular backups of the
  250. files on this USB stick, and burn them to CDs or keep them on the internet. If you ever lose or break your USB stick, you’ll need these
  251. backups to boot your computer.
  253. One computer I tried setting this defense up on couldn’t boot from USB devices. I solved this pretty simply by making a grub boot CD
  254. that chainloaded to my USB device. If you google “Making a GRUB bootable CD-ROM,” you’ll find instructions on how to do that. Here’s what
  255. the menu.1st file on that CD looks like:
  257. default 0
  258. timeout 2
  259. title Boot from USB (hd1)
  260. root (hd1)
  261. chainloader +1
  263. I can now boot to this CD with my USB stick in, and the CD will then boot from the USB stick, which will then boot the closely watched
  264. initrd.img to load Ubuntu. A little annoying maybe, but it works.
  266. (Big thanks to Micah Lee!)
  268. Note: Apparently there is an issue with installing GRUB onto USB with waldorf/wheezy. As soon as I know how to get that fixed I will
  269. update this section.
  270. Solutions
  272. You might think that mixing soft- and hardware-based encryption will solve these issues. Well, no. They don't. An attacker can simply
  273. chain different methods and so we are back at square one. Of course this makes it harder for an attacker to reach his goals - but he/she
  274. will not be stopped by it. So the only method that basically remains is to regard full-disk-encryption as a first layer of protection
  275. only.
  277. Please don't assume that the scenarios described above are somewhat unrealistic. In the US there are about 5000 laptops being lost or
  278. stolen each week on airports alone. European statistics indicate that about 8% of all business-laptops are at least once either lost or
  279. stolen.
  281. A similar risk is there if you leave the room/apartment with your machine locked - but running. So the first protection against these
  282. methods is to always power down the machine. Always.
  284. The next thing to remind yourself off is: You cannot rely on full-disk-encryption. So you need to employ further layers of encryption.
  285. That means that you will have to encrypt folders containing sensitive files again using other methods such as tomb or TrueCrypt. That way
  286. - if an attacker manages to get hold of your password he/she will only have access to rather unimportant files. If you have sensitive or
  287. confidential data to protect full-disk encryption is not enough!
  289. When using encrypted containers that contain sensitive data you should shutdown your computer after having used them to clear all
  290. temporary data stored on your machine that could be used by an attacker to extract passwords.
  292. If you have to rely on data being encrypted and would be in danger if anyone would find the data you were encrypting you should consider
  293. only using a power-supply when using a laptop - as opposed to running on power and battery. That way if let's say, you live in a
  294. dictatorship or the mafia is out to get you - and they are coming to your home or wherever you are - all you need to do when you sense
  295. that something weird is going on is to pull the cable and hope that they still need at least 30 secs to get to your ram. This can help
  296. prevent the above mentioned attacks and thus keep your data safely hidden.
  297. eCryptfs
  299. If for some reason (like performance or not wanting to type in thousands of passwords on boot) you don't want to use an encrypted LVM you
  300. can use ecryptfs to encrypt files and folders after installation of the OS.
  302. To find out about all the different features of ecryptfs and how to use them I would like to point you to bodhi.zazen's excellent
  303. ecryptfs-tutorial.
  305. But there is one thing that is also important for later steps in this guide and is generally a good idea to do:
  306. Encrypting swap using ecryptfs
  308. Especially when using older machines with less ram than modern computers it can happen quite frequently that your machine will use swap
  309. for different tasks when there's not enough ram available to do the job. Apart from the lack of speed this is isn't very nice from a
  310. security standpoint: as the swap-partition is not located within your ram but on your harddrive - writing into this partion will leave
  311. traces of your activities on the harddrive itself. If your computer happens to use swap during your use of encryption tools it can happen
  312. that the passwords to the keys are written to swap and are thus extractable from there - which is something you really want to avoid.
  314. You can do this very easily with the help of ecryptfs.
  316. First you need to install it:
  318. $ sudo apt-get install ecryptfs-utils cryptsetup
  320. Then we need to actually encrypt our swap using the following command:
  322. $ sudo ecryptfs-setup-swap
  324. Your swap-partition will be unmounted, encrypted and mounted again.
  326. To make sure that it worked run this command:
  328. $ sudo blkid | grep swap
  330. The output lists your swap partion and should contain "cryptswap".
  332. To avoid error messages on boot you will need to edit your /etc/fstab to fit your new setup:
  334. $ sudo geany /etc/fstab
  336. Copy the content of that file into another file and save it. You will want to use it as back-up in case something gets screwed up.
  338. Now make sure to find the entry of the above listed encrypted swap partition. If you found it go ahead and delete the other swap-entry
  339. relating to the unencrypted swap-partition. Save and reboot to check that everything is working as it should be.
  340. Tomb
  342. Another great crypto-tool is Tomb provided by the dyne-crew.
  344. Tomb uses LUKS AES/SHA-256 and can thus be consider secure. But Tomb isn't just a possible replacement for tools like TrueCrypt.
  346. It has some really neat and easy to use features:
  348. 1) Separation of encrypted file and key
  349. 2) Mounting files and folders in predefined places using bind-hooks
  350. 3) Hiding keys in picture-files using steganography
  352. The documentation on Tomb I was able to find, frankly, seems to be scattered all over the place.
  353. After I played around with it a bit I also came up with some tricks that I did not see being mentioned in any documentation.
  355. And because I like to have everything in one place I wrote a short manual myself:
  357. Installation:
  359. First you will need to import dyne's keys and add them to your gpg-keylist:
  361. $ sudo gpg --fetch-keys
  363. Now verify the key-fingerprint.
  365. $ sudo gpg --fingerprint | grep fingerprint
  367. The output of the above command should be:
  369. Key fingerprint = 8E1A A01C F209 587D 5706 3A36 E314 AFFA 8A7C 92F1
  371. Now, after checking that you have the right key you can trust add it to apt:
  373. $ sudo gpg --armor --export > dyne.gpg
  374. $ sudo apt-key add dyne.gpg
  376. After you did this you want to add dyne's repos to your sources.list:
  378. $ sudo geany /etc/apt/sources.list
  380. Add:
  382. deb dyne main
  383. deb-src dyne main
  385. To sync apt:
  387. $ sudo apt-get update
  389. To install Tomb:
  391. $ sudo apt-get install tomb
  393. Usage:
  395. If you have your swap activated Tomb will urge you to turn it off or encrypt it. If you encrypt it and leave it on you will need to
  396. include --ignore-swap into your tomb-commands. To turn off swap for this session you can run
  398. $ swapoff -a
  400. To disable it completely you can comment out the swap in /etc/fstab. So it won't be mounted on reboot. (Please be aware that disabling
  401. swap on older computers with not much ram isn't such a good idea. Once your ram is being used fully while having no swap-partition mounted
  402. processes and programs will crash.)
  404. Tomb will create the crypto-file in the folder you are currently in - so if you want to create a tomb-file in your documents-folder make
  405. sure to
  407. $ cd /home/user/documents
  409. Once you are in the right folder you can create a tomb-file with this command:
  411. $ tomb -s XX create FILE
  413. XX is used to denote the size of the file in MB. So in order to create a file named "test" with the size of 10MB you would type this:
  415. $ tomb -s 10 create test
  417. Please note that if you haven't turned off your swap you will need to modify this command as follows:
  419. $ tomb --ignore-swap -s 10 create test
  421. To unlock and mount that file on /media/test type:
  423. $ tomb open test.tomb
  425. To unlock and mount to a different location:
  427. $ tomb open test.tomb /different/location
  429. To close that particular file and lock it:
  431. $ tomb close /media/test.tomb
  433. To close all tomb-files:
  435. $ tomb close all
  437. or simply:
  439. $ tomb slam
  441. After these basic operations we come to the fun part:
  442. Advanced Tomb-Sorcery
  444. Obviously having a file lying around somewhere entitled: "secret.tomb" isn't such a good idea, really.
  446. A better idea is to make it harder for an attacker to even find the encrypted files you are using. To do this we will simply move its
  447. content to another file.
  449. Example:
  451. $ touch true-story.txt true-story.txt.key
  452. $ mv secret.tomb true-story.txt
  453. $ mv secret.tomb.key true-story.txt.key
  455. Now you have changed the filename of the encrypted file in such a way that it can't easily be detected.
  457. When doing this you have to make sure that the filename syntax tomb uses is conserved:
  459. filename.suffix
  460. filename.suffix.key
  462. Otherwise you will have trouble opening the file.
  464. After having hidden your file you might also want to move the key to another medium.
  466. $ mv true-story.txt.key /medium/of/your/choice
  468. Now we have produced quite a bit of obfuscation. Now let's take this even further:
  470. After we have renamed our tomb-file and separated key and file we now want to make sure our key can't be found either.
  472. To do this we will hide it within a jpeg-file.
  474. $ tomb bury true-story.txt.key invisible-bike.jpg
  476. You will need to enter a steganography-password in the process.
  478. Now rename the original keyfile to something like "true-story.txt.key-backup" and check if everything worked:
  480. $ tomb exhume true-story.txt.key invisible-bike.jpg
  482. Your key should have reappeared now. After making sure that everything works you can safely bury the key again and delete the residual key
  483. that usually stays in the key's original folder.
  485. By default Tomb's encrypted file and key need to be in one folder. If you have separated the two you will have to modify your opening-
  486. command:
  488. $ tomb -k /medium/of/your/choice/true-story.txt.key open true-story.txt
  490. To change the key-files password:
  492. $ tomb passwd true-story.txt.key
  494. If, let's say, you want to use Tomb to encrypt your icedove mail-folders you can easily do that. Usually it would be a pain in the butt to
  495. do this kind of stuff with e.g. truecrypt because you would need to setup a container, move the folder to the container and when using the
  496. folder you would have to move back to its original place again.
  498. Tomb does this with ease:
  500. Simply move the folders you want to encrypt into the root of the tomb-file you created.
  502. Example:
  504. You want to encrypt your entire .icedove folder. Then you make a tomb-file for it and move the .icedove folder into that tomb. The next
  505. thing you do is create a file named "bind-hooks" and place it in the same dir. This file will contain a simple table like this:
  507. .icedove .icedove
  508. .folder-x .folder-x
  509. .folder-y .folder-y
  510. .folder-z .folder-z
  512. The fist column denotes the path relative to the tomb's root. The second column represents the path relative to the user's home folder.
  514. So if you simply wanted to encrypt your .icedove folder - which resides in /home/user/ the above notation is fine. If you want the folder
  515. to be mounted elsewhere in the your /home you need to adjust the lines accordingly.
  517. One thing you need to do after you moved the original folder into the tomb is to create a dummy-folder into which the original's folders
  518. content can be mounted. So you simply go into /home/user and create a folder named ".icedove" and leave it empty.
  520. The next time you open and mount that tomb-file your .icedove folder will be where it should be and will disappear as soon as you close
  521. the tomb. Pretty nice, hu?
  523. I advise to test this out before you actually move all your mails and prefs into the tomb. Or simply make a backup. But use some kind of
  524. safety-net in order not to screw up your settings.
  528. Keyloggers
  530. Keyloggers can pose a great thread to your general security - but especially the security of your encrypted drives and containers. If
  531. someone manages to get a keylogger onto your system he/she will be able to collect all the keystrokes you make on your machine. Some of
  532. them even make screenshots.
  534. So what kind of keyloggers are there?
  535. Software Keyloggers
  537. For linux there are several software-keyloggers available. Examples are lkl, uberkey, THC-vlogger, PyKeylogger, logkeys.
  538. Defense against Software Keyloggers
  540. 1) Never use your system-passwords outside of your system
  542. Generally everything that is to be installed under linux needs root access or some priveliges provided through /etc/sudoers. But an
  543. attacker could have obtained your password if he/she was using a browser-exploitation framework such as beef - which also can be used as a
  544. keylogger on the browser level. So if you have been using your sudo or root password anywhere on the internet it might have leaked and
  545. could thus be used to install all kinds of evil sh*t on your machine. Keyloggers are also often part of rootkits. So do regular system-
  546. checks and use intrusion-detection-systems.
  548. 2) Make sure your browser is safe
  550. Often people think of keyloggers only as either a software tool or a piece of hardware equipment installed on their machine. But there is
  551. another threat that is actually much more dangerous for linux users: a compromised browser. You will find a lot of info on how to secure
  552. your browser further down. So make sure you use it.
  554. Compromising browsers isn't rocket science. And since all the stuff that is actually dangerous in the browser is cross-plattform - you as
  555. a linux-user aren't safe from that. No matter what short-sighted linux-enthusiasts might tell you. A java-script exploit will pwn you - if
  556. you don't secure your browser. No matter if you are on OSX, Win or debian.
  558. 3) Check running processes
  560. If your attacker isn't really skilled or determined he/she might not think about hiding the process of the running keylogger. You can take
  561. a look at the output of
  563. $ ps -aux
  565. or
  567. $ htop
  569. or
  571. $ pstree
  573. and inspect the running processes. Of course the attacker could have renamed it. So have a look for suspicious processes you have never
  574. heard of before. If in doubt do a search on the process or ask in a security-related forum about it.
  576. Since a lot of keyloggers come as the functionality of a rootkit it would be much more likely that you would have one of these.
  578. 4) Do daily scans for rootkits
  580. I will describe tools for doing that further below. RKHunter and chkrootkit should definitely be used. The other IDS-tools described give
  581. better results and are much more detailed - but you actually need to know a little about linux-architecture and processes to get a lot out
  582. of them. So they're optional.
  584. 5) Don't rely on virtual keyboards
  586. The idea to defeat a keylogger by using a virtual keyboard is nice. But is also dangerous. There are some keyloggers out there that will
  587. also capture your screen activity. So using a virtual keyboard is pretty useless and will only result in the false feeling of security.
  588. Hardware Keyloggers
  590. There is also an ever growing number of hardware keyloggers. Some of which use wifi. And some of them can be planted inside your keyboard
  591. so you wouldn't even notice them if you inspected your hardware from the outside.
  592. Defense against Hardware Keyloggers
  594. 1) Inspect your Hardware
  596. This one's obvious.
  598. 2) Check which devices are connected to your machine
  600. There is a neat little tool called USBView which you can use to check what kind of usb-devices are connected to your machine. Some - but
  601. not all - keyloggers that employ usb will be listed there. It is available through the debian-repos.
  603. $ sudo apt-get install usbview
  605. Apart from that there's not much you can do about them. If a physical attack is part of your thread-model you might want to think about
  606. getting a laptop safe in which you put the machine when not in use or if you're not around. Also, don't leave your laptop unattended at
  607. work, in airports, hotels and on conferences.
  611. Secure File-Deletion
  613. Additional to encrypted drives you may also want to securely delete old data or certain files. For those who do not know it: regular "file
  614. deletion" does not erase the "deleted" data. It only unlinks the file's inodes thus making it possible to recover that "deleted" data with
  615. forensic software.
  617. There are several ways to securely delete files - depending on the filesystem you use. The easiest is:
  618. BleachBit
  620. With this little tool you can not only erase free disc space - but also clean your system from various temporary files you don't need any
  621. longer and that would give an intruder unnecessary information about your activities.
  623. To install:
  625. $ sudo apt-get install bleachbit
  627. to run:
  629. $ bleachbit
  631. Just select what you need shredding. Remember that certain functions are experimental and may cause problems on your system. But no need
  632. to worry: BleachBit is so kind to inform you about that and give you the chance to cancel your selection.
  634. Another great [and much more secure] tool for file deletion is:
  635. srm [secure remove]
  637. $ sudo apt-get install secure-delete
  639. Usage:
  641. Syntax: srm [-dflrvz] file1 file2 etc.
  643. Options:
  644. -d ignore the two dot special files "." and "..".
  645. -f fast (and insecure mode): no /dev/urandom, no synchronize mode.
  646. -l lessens the security (use twice for total insecure mode).
  647. -r recursive mode, deletes all subdirectories.
  648. -v is verbose mode.
  649. -z last wipe writes zeros instead of random data.
  651. Other ways to securely wipe drives
  653. To overrite data with zeros:
  655. # dd if=/dev/zero of=/dev/sdX
  657. or:
  659. $ sudo dd if=/dev/zero of=/dev/sdX
  661. To overwrite data with random data (makes it less obvious that data has been erased):
  663. # dd if=/dev/urandom of=/dev/sdX
  665. or:
  667. $ sudo dd if=/dev/urandom of=/dev/sdX
  669. Note: shred doesn't work reliably with ext3.
  670. Your Internet-Connection
  672. Generally it is advised to use a wired LAN-connection - as opposed to wireless LAN (WLAN).
  673. For further useful information in regards to wireless security read this. If you must use WLAN please use WPA2 encryption. Everything else
  674. can be h4xx0red by a 12-year-old using android-apps such as anti.
  676. Another thing is: Try only to run services on your machine that you really use and have configured properly. If e.g. you don't use SSH -
  677. deinstall the respective client to make sure to save yourself some trouble. Please note that IRC also is not considered to be that secure.
  678. Use it with caution or simply use a virtual machine for stuff like that.
  680. If you do use SSH please consider using Denyhosts or SSHGuard. (If you want to find out what might happen if you don't use such protection
  681. see foozer's post.)
  683. So, let's begin with your firewall. For debian-like systems there are several possible firewall-setups and different guis to do the job.
  684. However, I found ipkungfu [an iptables-script] to do the best job while being easy to set up. This is how you set it up:
  685. ipkungfu [basic configuration]
  687. download and install:
  689. $ sudo apt-get install ipkungfu
  691. configure:
  693. $ sudo geany /etc/ipkungfu/ipkungfu.conf
  695. uncomment (and adjust):
  697. # IP Range of your internal network. Use ""
  698. # for a standalone machine. Default is a reasonable
  699. # guess.
  700. LOCAL_NET=""
  702. ---
  704. # Set this to 0 for a standalone machine, or 1 for
  705. # a gateway device to share an Internet connection.
  706. # Default is 1.
  707. GATEWAY=0
  709. ---
  711. # Temporarily block future connection attempts from an
  712. # IP that hits these ports (If module is present)
  713. FORBIDDEN_PORTS="135 137 139"
  715. ---
  717. # Drop all ping packets?
  718. # Set to 1 for yes, 0 for no. Default is no.
  719. BLOCK_PINGS=1
  721. ---
  723. # What to do with 'probably malicious' packets
  727. ---
  729. # What to do with obviously invalid traffic
  730. # This is also the action for FORBIDDEN_PORTS
  734. ---
  736. # What to do with port scans
  740. enable ipkungfu to start with the system:
  742. $ sudo geany /etc/default/ipkungfu
  744. change: "IPKFSTART = 0" ---> "IPKFSTART=1"
  746. start ipkungfu:
  748. $ sudo ipkungfu
  750. fire up GRC's Shields Up! and check out the awesomeness.
  752. (special thanks to the ubuntu-community)
  753. Configuring /etc/sysctl.conf
  755. Here you set different ways how to deal with ICMP-packets and other stuff:
  757. $ sudo geany /etc/sysctl.conf
  759. # Do not accept ICMP redirects (prevent MITM attacks)
  760. net.ipv4.conf.all.accept_redirects=0
  761. net.ipv6.conf.all.accept_redirects=0
  762. net.ipv4.tcp_syncookies=1
  763. #lynis recommendations
  764. #net.ipv6.conf.default.accept_redirects=0
  765. net.ipv4.tcp_timestamps=0
  766. net.ipv4.conf.default.log_martians=1
  767. # TCP Hardening - [url][/url]
  768. net.ipv4.icmp_echo_ignore_broadcasts=1
  769. net.ipv4.conf.all.forwarding=0
  770. net.ipv4.conf.all.rp_filter=1
  771. net.ipv4.tcp_max_syn_backlog=1280
  772. kernel.core_uses_pid=1
  773. kernel.sysrq=0
  774. #ignore all ping
  775. net.ipv4.icmp_echo_ignore_all=1
  776. # Do not send ICMP redirects (we are not a router)
  777. net.ipv4.conf.all.send_redirects = 0
  778. # Do not accept IP source route packets (we are not a router)
  779. net.ipv4.conf.all.accept_source_route = 0
  780. net.ipv6.conf.all.accept_source_route = 0
  781. # Log Martian Packets
  782. net.ipv4.conf.all.log_martians = 1
  784. After editing do the following to make the changes permanent:
  786. sudo sysctl -p
  788. (thanks to tradetaxfree for these settings)
  789. Modem & Router
  791. Please don't forget to enable the firewall features of your modem (and router), disable UPnP and change the usernames and admin-passwords.
  792. Also try to keep up with the latest security info and updates on your firmware to prevent using equipment such as this. You might also
  793. want to consider setting up your own firewall using smoothwall.
  795. Here you can run a short test to see if your router is vulnerable to UPnP-exploits.
  797. The best thing to do is to use after-market-open-source-firmware for your router such as dd-wrt, openwrt or tomato. Using these you can
  798. turn your router into an enterprise grade device capable of some real Kungfu. Of course they come with heavy artillery - dd-wrt e.g. uses
  799. an IP-tables firewall which you can configure with custom scripts.
  803. Intrusion-Detection, Rootkit-Protection & AntiVirus
  804. snort [basic configuration]
  806. The next thing you might want to do is to take a critical look at who's knocking at your doors.
  808. For this we use snort. The setup is straight forward and simple:
  810. $ sudo apt-get install snort
  812. run it:
  814. $ snort -D (to run as deamon)
  816. to check out packages live type:
  818. $ sudo snort
  820. Snort should automatically start on reboot.
  822. If you want to check out snort's rules take a look at: /etc/snort/rules
  824. To take a look at snorts warnings:
  826. $ sudo geany /var/log/snort/alert
  828. Snort will historically list all the events it logged.
  830. There you will find nice entries like this...
  832. [**] [1:2329:6] MS-SQL probe response overflow attempt [**]
  833. [Classification: Attempted User Privilege Gain] [Priority: 1]
  834. [Xref => [url]][/url]
  836. ...and will thank the flying teapot that you happen to use #! wink
  837. RKHunter
  839. The next thing to do is to set up RKHunter - which is short for [R]oot[K]itHunter.
  841. What does it do? You guessed it: It hunts down rootkits.
  843. Installation again is simple:
  845. $ sudo apt-get install rkhunter
  847. The best is to run rkhunter on a clean installation - just to make sure nothing has been tampered with already.
  849. One very important thing about rkhunter is that you need to give it some feedback: everytime you e.g. make an upgrade to your sytem and
  850. some of your binaries change rkhunter will weep and tell you you've been compromised. Why? Because it can only detect suspicious files and
  851. file-changes. So, if you go about and e.g. upgrade the coreutils package a lot of change will be happening in /usr/bin - and when you
  852. subsequently ask rkhunter to check your system's integrity your log file will be all red with warnings. It will tell you that the
  853. file-properties of your binaries changed and you start freaking out. To avoid this simply run the command rkhunter --propupd on a system
  854. which you trust to not have been compromised.
  856. In short: directly after commands like apt-get update && apt-get upgrade run:
  858. $ sudo rkhunter --propupd
  860. This tells rkhunter: 'sall good. wink
  862. To run rkhunter:
  864. $ sudo rkhunter -c --sk
  866. You find rkhunter's logfile in /var/log/rkhunter.log. So when you get a warning you can in detail check out what caused it.
  868. To set up a cronjob for RKHunter:
  870. $ sudo geany /etc/cron.daily/
  872. insert and change the mail-address:
  874. #!/bin/bash
  875. /usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details"
  877. make the script executable:
  879. $ sudo chmod +x /etc/cron.daily/
  881. update RKHunter:
  883. $ sudo rkhunter --update
  885. and check if it functions the way it's supposed to do:
  887. $ sudo rkhunter -c --sk
  889. Of course you can leave out the email-part of the cronjob if you don't want to make the impression on someone shoulder-surfing
  890. your email-client that the only one who's sending you emails is your computer... wink
  892. Generally, using snort and rkhunter is a good way to become paranoid - if you're not already. So please take the time to investigate the
  893. alerts and warnings you get. A lot of them are false positives and the listings of your system settings. Often enough nothing to worry
  894. about. But if you want to use them as security tools you will have to invest the time to learn to interpret their logs. Otherwise just
  895. skip them.
  896. RKHunter-Jedi-Tricks
  898. If you're in doubt whether you did a rkhunter --propupd after an upgrade and you are getting a warning you can run the following command:
  900. $ sudo rkhunter --pkgmgr dpkg -c --sk
  902. Now rkhunter will check back with your package-manager to verify that all the binary-changes were caused by legitimate updates/upgrades.
  903. If you previously had a warning now you should get zero of them. If you still get a warning you can check which package the file that
  904. caused the warning belongs to.
  906. To do this:
  908. $ dpkg -S /folder/file/in/doubt
  910. Example:
  912. $ dpkg -S /bin/ls
  914. Output:
  916. coreutils: /bin/ls
  918. This tells you that the file you were checking (in this case /bin/ls) belongs to the package "coreutils".
  920. Now you can fire up packagesearch.
  922. If you haven't installed it:
  924. $ sudo apt-get install packagesearch
  926. To run:
  928. $ sudo packagesearch
  930. In packagesearch you can now enter coreutils in the field "search for pattern". Then you select the package in the box below. Then you go
  931. over to the right and select "files". There you will get a list of files belonging to the selected package. What you want to do now is to
  932. look for something like:
  934. /usr/share/doc/coreutils/changelog.Debian.gz
  936. The idea is to get a file belonging to the same package as the file you got the rkhunter-warning for - but that is not located in the
  937. binary-folder.
  939. Then you look for that file within the respective folder and check the file-properties. When it was modified at the same time as the
  940. binary in doubt was modified you can be quite certain that the change was caused by a legitimate update. I think it is save to say that
  941. some script-kiddie trying to break into your system will not be that thorough. Also make sure to use debsums when in doubt. I will get to
  942. that a little further down.
  944. Another neat tool with similar functionality is:
  945. chkrootkit
  947. To install:
  949. $ sudo apt-get install chkrootkit
  951. To run:
  953. $ sudo chkrootkit
  955. Other nice intrusion detection tools are:
  956. tiger
  958. Tiger is more thorough than rkhunter and chkrootkit and can aid big time in securing your box:
  960. $ sudo apt-get install tiger
  962. to run it:
  964. $ sudo tiger
  966. you find tiger's logs in /var/log/tiger/
  967. Lynis
  969. If you feel that all the above IDS-tools aren't enough - I got something for you:
  971. Lynis
  972. Lynis wrote:
  974. Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside
  975. security related information it will also scan for general system information, installed packages and configuration mistakes.
  977. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based
  978. systems
  980. I use it. It is great. If you think you might need it - give it a try. It's available through the debian repos.
  982. $ sudo apt-get install lynis
  984. To run:
  986. $ sudo lynis -c
  988. Lynis will explain its findings in the log-file.
  989. debsums
  991. debsums checks the md5-sums of your system-files against the hashes in the respective repos.
  993. Installation:
  995. $ sudo apt-get install debsums
  997. To run:
  999. $ sudo debsums -ac
  1001. This will list all the files to which the hashes are either missing or have been changed. But please don't freak out if you find something
  1002. like: /etc/ipkungfu/ipkungfu.conf after you have been following this guide... wink
  1003. sha256
  1005. There are some programs that come with sha256 hashes nowadays. For example: I2P
  1007. debsums won't help with that. To check these hashes manually:
  1009. $ cd /folder/you/downloaded/file/to/check/to -sha256sum -c file-you-want-to-check
  1011. Then compare it to the given hash. Note: This tool is already integrated to debian-systems.
  1012. ClamAV
  1014. To make sure eveything that gets into your system is clean and safe use ClamA[nti]V[irus].
  1016. To install:
  1018. $ sudo apt-get install clamav
  1020. To update:
  1022. $ sudo freshclam
  1024. To inspect e.g. your download folder:
  1026. $ sudo clamscan -ri /home/your-username/downloads
  1028. This will ClamAV do a scan recursively, i.e. also scan the content of folders and inform you about possibly infected files.
  1030. To inspect your whole system:
  1032. $ sudo clamscan -irv --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/media --exclude=/mnt
  1034. This will make ClamAV scan your system recursively in verbose mode (i.e. show you what it is doing atm) whilst excluding folders that
  1035. shouldn't be messed with or are not of interest and spit out the possibly infected files it finds. To also scan attached portable media
  1036. you need to modify the command accordingly.
  1038. Make sure to test everything you download for possible infections. You never know if servers which are normally trustworthy haven't been
  1039. compromised. Malicious code can be hidden in every usually employed filetype. (Yes, including .pdf!)
  1041. Remember: ClamAV is known for its tight nets. That means that you are likely to get some false positives from time to time. Do a
  1042. web-search if you're in doubt in regards to its findings.
  1044. After you set up your host-based security measures we can now tweak our online security.
  1046. Starting with:
  1050. DNS-Servers
  1051. Using secure and censor-free DNS
  1053. To make changes to your DNS-settings:
  1055. $ sudo geany /etc/resolv.conf
  1057. change your nameservers to trustworthy DNS-Servers. Otherwise your modem will be used as "DNS-Server" which gets its info from your ISP's
  1058. DNS.
  1059. And nah... We don't trust the ISP... wink
  1060. Here you can find secure and censor-free DNS-servers. The Germans look here.
  1062. HTTPS-DNS is generally preferred for obvious reasons.
  1064. Your resolv.conf should look something like this:
  1066. nameserver
  1067. #CCC DNS-Server
  1068. nameserver
  1069. #FoeBud DNS-Server
  1071. Use at least two DNS-Servers to prevent connectivity problems when one server happens to be down or experiences other trouble.
  1073. To prevent this file to be overwritten on system restart fire up a terminal as root and run:
  1075. $ sudo chattr +i /etc/resolv.conf
  1077. This will make the file unchangeble - even for root.
  1079. To revoke this for future changes to the .conf run:
  1081. $ sudo chattr -i /etc/resolv.conf
  1083. This forces your web-browser to use the DNS-servers you provided instead of the crap your ISP uses.
  1085. To test the security of your DNS servers go here.
  1086. DNScrypt
  1088. What you can also do to secure your DNS-connections is to use DNScrypt.
  1090. The thing I don't like about DNScrypt is one of its core functions: to use OpenDNS as your resolver. OpenDNS has gotten quite a bad rep in
  1091. the last years for various things like aggressive advertising and hijacking google-searches on different setups. I tested it out yesterday
  1092. and couldn't replicate these issues. But I am certain that some of these "features" of OpenDNS have been actively blocked by my
  1093. Firefox-setup (which you find below). In particular the addon Request Policy seems to prevent to send you to OpenDNS' search function when
  1094. you typed in an address it couldn't resolve. The particular issue about that search function is that it apparently is powered by yahoo!
  1095. and thus yahoo! would log the addresses you are searching for.
  1097. Depending on your threat-model, i.e. if you don't do anything uber-secret you don't want anybody to know, you might consider using
  1098. DNScrypt, as the tool seems to do a good job at encrypting your DNS-traffic. There also seems to be a way to use DNScrypt to tunnel your
  1099. queries to a DNS-server other than OpenDNS - but I haven't yet checked the functionality of this.
  1101. So, if you don't mind that OpenDNS will know every website you visit you might go ahead and configure DNScrypt:
  1103. Download the current version.
  1105. Then:
  1107. $ sudo bunzip2 -cd dnscrypt-proxy-*.tar.bz2 | tar xvf -
  1108. $ cd dnscrypt-proxy-*
  1110. Compile and install:
  1112. $ sudo ./configure && make -j2
  1113. $ sudo make install
  1115. Adjust -j2 with the number of cpu-cores you want to use for the compilation or have at your disposal.
  1117. Go and change your resolv.conf to use localhost:
  1119. $ geany /etc/resolv.conf
  1121. Modify to:
  1123. nameserver
  1125. Run DNScrypt as daemon:
  1127. $ sudo dnscrypt-proxy --daemonize
  1129. According to the developer:
  1130. jedisct1 wrote:
  1132. DNSCrypt will chroot() to this user's home directory and drop root privileges for this user's uid as soon as possible.
  1134. I have to admit that OpenDNS is really fast. What you could do is this: You could use OpenDNS for your "normal" browsing. When you start
  1135. browsing for stuff that you consider to be private for whatever reasons change your resolv.conf back to the trustworthy DNS-servers
  1136. mentioned above - which you conveniently could keep as a backup file in the same folder. Yeah, that isn't slick, I know. If you come up
  1137. with a better way to do this let me know. (As soon as I checked DNScrypt's function to use the same encryption for different DNS-Servers I
  1138. will make an update.)
  1140. The next thing on our list is:
  1144. Firefox/Iceweasel
  1145. Firefox-Sandbox: Sandfox
  1147. Sandfox is a neat little script provided by IgnorantGuru which runs firefox (and other applications) in a sandboxed environment which
  1148. prevents firefox's access to crucial filesystem-areas in case it gets compromised.
  1150. To install:
  1152. $ sudo -s
  1153. $ gpg --keyserver --recv-keys 7977070A723C6CCB696C0B0227A5AC5A01937621
  1154. $ gpg --check-sigs 0x01937621
  1155. $ bash -c 'gpg --export -a 01937621 | apt-key add -'
  1156. $ echo "deb [url][/url] unstable main" >> /etc/apt/sources.list
  1157. $ apt-get update
  1158. $ apt-get install sandfox
  1160. (Thanks to tradetaxfree)
  1162. To run:
  1164. $ sudo sandfox firefox
  1166. Type "/" into firefox address-bar to check out whether it works. Firefox should now only have access to files it really needs to function
  1167. and not e.g. /root.
  1169. To be able to download stuff from the web you need to add a bind in sandfox's default profile:
  1171. $ sudo geany /etc/sandfox/default.profile
  1173. add:
  1175. bind=/home/$user/downloads
  1177. Check your systems filename-capitalization to make sure you really grant sandfox access to the right folder
  1179. In #! you can easily set this configuration as your default: simply go to "settings"->"openbox"->"GUI Menu Editor"->"Openbox"->"Web
  1180. Browser". Then simply add the command "sandfox firefox". For this to work you need to once run
  1182. $ sudo sandfox firefox
  1184. after a system start to create a sandbox. If you happen to find this too much hassle simply go with tradetaxfree's init-script.
  1186. After you successfully sandboxed your browser we now continue to make that particular application much more secure than it is by default.
  1188. First go to:
  1189. Firefox-Preferences
  1191. and change these settings:
  1193. [Some of these are defaults already - but depending on who was/is using the machine you access the interwebs with and other varying
  1194. factors you might want to control these settings.]
  1196. "General"->"when Firefox starts"->"Show a blank page"
  1197. "General"->"save files to:"Downloads"
  1198. "Content"->check:"Block pop-up windows"
  1199. "Content"->uncheck:"Enable JavaScript" [optional - NoScript Add-on will block it anyway]
  1200. "Content"->"Fonts & Colors"->"Advanced"->"Serif":"Liberation Sans"
  1201. "Content"->"Fonts & Colors"->"Advanced"->"Sans-serif":"Liberation Sans"
  1202. "Content"->"Fonts & Colors"->"Advanced"->uncheck:"Allow pages to choose their own fonts"
  1203. "Content"->"Languages"->choose *only*:"en-us" [remove all others, if any]
  1204. "Applications"->choose:"Always ask" for every application - if not possible:choose:"Preview in Firefox/Nightly"
  1205. "Privacy"->"Tracking"->check:"Tell websites I do not want to be tracked"
  1206. "privacy"->"History"->"Firefox will:"Use custom settings for history"
  1207. "privacy"->"History"->uncheck:"Always use private browsing mode"
  1208. "privacy"->"History"->uncheck:"Remember my browsing and download history"
  1209. "privacy"->"History"->uncheck:"Remember search and form history"
  1210. "privacy"->"History"->uncheck:"Accept cookies from sites"
  1211. "privacy"->"History"->uncheck:"Accept third-party cookies"
  1212. "privacy"->"History"->check:"Clear history when Firefox/Nightly closes"
  1213. "privacy"->"History"->"settings":check all -> except:"Site Preferences"
  1214. [to enable cookies for certain trusted sites: use:"Exceptions" and paste URL of site and modify settings according to your preference. If
  1215. you additionally use Cookie-Monster (Add-on) you need to uncheck "Block all cookies" in CM-Options]
  1216. "privacy"->"location bar"->"When using the location bar, suggest:"->choose:"Nothing"
  1217. "security"->check:"Warn me when sites try to install add-ons"
  1218. "security"->check:"Block reported attack sites"
  1219. "security"->check:"Block reported web forgeries"
  1220. "security"->"Passwords"->uncheck:"Remember passwords for sites"
  1221. "security"->"Passwords"->uncheck:"Use a master password"
  1222. "advanced"->"General"->"System Defaults"->uncheck:"Submit crash reports"
  1223. "advanced"->"General"->"System Defaults"->uncheck:"Submit performance data"
  1224. "advanced"->"Update"->check:"Automatically install updates"
  1225. "advanced"->"Update"->check:"Warn me if this will disable any of my add-ons"
  1226. "advanced"->"Update"->check:"Automatically update Search Engines"
  1227. "advanced"->"Encryption"->"Protocols"->check:"Use SSL 3.0"
  1228. "advanced"->"Encryption"->"Protocols"->check:"Use TLS 1.0"
  1229. "advanced"->"Encryption"->"Certificates"->"When a server requests my personal certificate"->check:"Ask me every time"
  1231. Plugins
  1233. at the most use:
  1235. Java
  1237. Flash [Be aware of the latest security holes in flash!
  1239. Only allow them to run on trusted sites!
  1240. Addons
  1242. Empty Cache Button [optional]
  1244. Calomel SSL Validation [cool little addon which does exactly what its name says and also has some more tweaks in the settings]
  1246. Adblock Edge
  1248. [---> Filter Supscriptions: make sure you get some anti-tracking filters up and running! (depending on location & internet use)]
  1250. Easylist
  1252. EasyPrivacy
  1254. fanboy-adblock
  1256. Fanboy's Tracking List
  1258. Fanboy's Annoyance List
  1260. [---]
  1262. BetterPrivacy [LSO/Flash-Cookie-Protection]
  1264. Cookie Monster [Allows you to Manage your Cookie-Policies. For less baggage use Firefox/Iceweasel "Preferences" -> "Privacy"]
  1266. HTTPS-Everywhere [Download via] [settings: enable SSL-Observatory but don't allow to transmit ISP-data]
  1268. HTTPS Finder
  1270. NoScript [go to "settings" and check "also apply on whitelisted sites"]
  1272. Perspectives [SSL-Cerfiticate-Control - go to settings: "notary servers" -> check "only contact when websites cause security error"]
  1274. RefControl [controls your HTTP-Referers - setting: "block" -> "3rd parties only"]
  1276. Request Policy [rejects cross-site requests]
  1278. WOT [Web of Trust - user based website ratings that show up in websearches. Caution: Not very accurate. Always double check when in doubt.
  1279. This addon tends to get abused by different groups of users who either give malicious sites good ratings - or flag perfectly good sites.]
  1281. PwdHash [Nice addon to help your password management. Use "F2" when entering a password into a password field when setting up a new
  1282. account somewhere to create a MD5-hash using your password and the domain. (When logging in you have to select the password-field and
  1283. press F2 again to run the hashing.) This way you can use the same password on different sites without having to worry about security
  1284. implications - because every site gets its own password generated through the hash. The tool is provided by Standford University and can
  1285. be trusted. No data is actually transmitted to their servers. The hash is generated using your local java-script. If you need to login
  1286. from a machine that doesn't have pwdhash installed: go to -> their SSL is very strong.]
  1288. FoxyProxy [a convenient Proxy Switcher]
  1290. Useragent Switcher [Does exactly that. But be careful: If you set your user-agent as shown below - using this addon it will overwrite
  1291. these settings and will not automatically restore them if you turn off the switcher. So you would have to manually reconfigure
  1292. about:config again. Which kinda sucks. But you can get a whole load really cool user agents here. Simply download the .xml and import it
  1293. to the Useragent Switcher. There are really neat current agents in there: e.g. all kinds of different web browser for all OSs and of
  1294. course various bots. Google bot comes in handy when you need access to some forum... wink]
  1296. Web Developer [Has some cool features. If you like inspecting websites just check it out.]
  1298. Bloody Vikings [Creates disposable mail-addresses]
  1300. Note: You don't need Ghostery. The above mentioned Adblock lists do a much better job protecting you from web-tracking without using the
  1301. additional resourced Ghostery uses.
  1303. Of course there are more addons you could use. But I don't really see the point of them. Most of them either are snake-oil or even
  1304. dangerous. But please inform me if you happen to come across something really cool which could help improve security which none of the
  1305. setting provided here can do.
  1307. To keep your ISP and possible MITM-attackers from reading what you do on the web always use SSL - as far as it is available. To help with
  1308. this use:
  1309. SSL-Search Engines
  1311. To get them go here.
  1313. The user "SSL Search Bar" has provided easily installable SSL-searchbar-plugins
  1315. You get SSL-plugins for all the alternative search-engines like ixquick, duckduckgo etc. there. Install those you happen to use.
  1317. Privatelee also looks promising. But I haven't tried it out extensively.
  1319. The next thing to do is to change macromedias flash-settings:
  1320. Flash-Settings
  1322. Go here.
  1324. And fight yourself through their nasty settings-manager. Set everything to "0" or "never allow"/"never ask again" and
  1325. delete all stored website-content. Give special attention to the "webcam and mic"-options... wink
  1327. You might as well set the permissions of your .macromedia folder to read only - but that's kind of unnecessary because you want to make
  1328. sure to edit the options mentioned above - to make sure that you don't allow websites to use your mic or webcam... [I actually take this
  1329. one step further by disabling them in BIOS and sticking some neatly cut little piece of black cardboard on my webcam. Just because you're
  1330. paranoid doesn't mean they aren't after you... big_smile ] And if you set the parameters in the settings-manager accordingly nothing will
  1331. be written to that folder anyway.
  1333. Now we come to the fun part. Finetuning Firefox using about:config. If you've never done this before: No reason to freak out. It's really
  1334. easy.
  1335. about:config
  1337. [You can simply copy/paste these variables into the search-bar at the top: e.g. "browser.cache.disk.enable" and
  1338. then double-click on the entry that shows up to modify the settings.]
  1340. ---disable browser cache:
  1341. browser.cache.disk.enable:false
  1342. browser.cache.disk_cache_ssl:false
  1343. browser.cache.offline.enable:false
  1344. browser.cache.memory.enable:false
  1345. browser.cache.disk.capacity:0
  1346. browser.cache.disk.smart_size.enabled:false
  1347. browser.cache.disk.smart_size.first_run:false
  1348. browser.cache.offline.capacity:0
  1351. dom.indexedDB.enabled:false
  1352. dom.battery.enabled:false
  1353. ---disable history & localization
  1355. browser.sessionstore.resume_from_crash:false
  1356. geo.enabled:false
  1357. ---misc other tweaks:
  1358. keyword.enabled:false
  1359. network.dns.disablePrefetch:true -> very important when using TOR
  1360. network.dns.disablePrefetchFromHTTPS -> very important when using TOR
  1361. dom.disable_window_open_feature.menubar:true
  1362. dom.disable_window_open_feature.personalbar:true
  1363. dom.disable_window_open_feature.scrollbars:true
  1364. dom.disable_window_open_feature.toolbar:true
  1365. browser.identity.ssl_domain_display:1
  1366. browser.urlbar.autocomplete.enabled:false
  1367. browser.urlbar.trimURL:false
  1368. privacy.sanitize.sanitizeOnShutdown:true
  1369. network.http.sendSecureXSiteReferrer:false
  1370. network.http.spdy.enabled:false ---> use http instead of google's spdy
  1371. plugins.click_to_play:true ---> also check each drop-down-menu under "preferences"->"content"
  1372. security.enable_tls_session_tickets:false ---> disable https-tracking
  1373. security.ssl.enable_false_start:true ---> disable https-tracking
  1374. extensions.blocklist.enabled:false ---> disble Mozilla's option to block/disable your addons remotely
  1375. webgl.disabled:true ---> disable WebGL ([url][/url])
  1376. network.websocket.enabled:false ---> ***Tor Users: This is extremely important as it could blow your cover! See:
  1377. [url]***[/url]
  1378. ---make your browsing faster:
  1379. network.http.pipelining:true
  1380. network.http.pipelining.ssl:true
  1381. network.http.proxy.pipelining:true
  1382. network.http.max-persistent-connections-per-proxy:10
  1383. network.http.max-persistent-connections-per-server:10
  1384. network.http.max-connections-per-server:15
  1385. network.http.pipelining.maxrequests:15
  1386. network.http.redirection-limit:5
  1387. network.dns.disableIPv6:true
  1389. dom.popup_maximum Mine:10
  1390. network.prefetch-next:false
  1391. browser.backspace_action:0
  1392. browser.sessionstore.max_tabs_undo:5
  1393. browser.sessionhistory.max_entries:5
  1394. browser.sessionstore.max_windows_undo:1
  1395. browser.sessionstore.max_resumed_crashes:0
  1396. browser.sessionhistory.max_total_viewers:0
  1397. browser.tabs.animate:0
  1399. [thanks to machinebacon for these last entries.
  1400. Prevent Browser Fingerprinting [still in about:config]
  1403. For all Firefox Versions after 17.0 [you should be using current versions and update them regularly anyway - to do this go to
  1404. "preferences"->"advanced"->"update" select: "automatically install updates" & "warn me if this will disable any of my addons"] [not
  1405. required for iceweasel]
  1407. For the following changes right-click in about:config and select "new"->"string" and enter in this order:
  1409. Variable: Value:
  1411. general.useragent.override Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
  1412. general.appname.override Netscape
  1413. general.appversion.override 5.0 (Windows)
  1414. general.oscpu.override Windows NT 6.1
  1415. general.platform.override Win32
  1416. general.productSub.override 20100101
  1417. general.buildID.override 0
  1418. general.useragent.vendor [enter variable - but leave value blank]
  1419. general.useragent.vendorSub [enter variable - but leave value blank]
  1420. intl.accept_languages en-us,en;q=0.5
  1421. network.http.accept.default text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  1422. network.http.accept-encoding gzip, deflate
  1424. This creates a fake-profile of your browser via the readable HTTP-headers it sends.
  1426. Check out if your browser is profilable.
  1428. With all the above settings I get 8.1 bits of identifying information at Panopticlick for my browser - which is really good.
  1430. Considering:
  1432. "In particular, a fingerprint that carries no more than 15-20 bits of identifying information will in almost all cases be sufficient to
  1433. uniquely identify a particular browser, given its IP address, its subnet, or even just its Autonomous System Number."
  1435. Source: EFF's "Browser Uniqueness" [page 3]
  1437. Also check your settings on - but don't rely on it. Apparently they are quite busy promoting their JonDonym-Browser and
  1438. services - which quite frankly I don't think anyone needs. I would rather warn you to use it since according to this defcon-talk
  1439. JAP/JonDonym has implemented tracking-features which are disabled by default but can be activated anytime. So don't use it.
  1441. Now, after having configured your host-based security and your web-browser we can start connecting to the web. But there are different
  1442. options:
  1446. TOR [The Onion Router]
  1448. TOR is probably the most famous anonymizing-tool available. You could consider it a safe-web proxy. [Update: I wouldn't say that any
  1449. longer. See the TOR-Warning below for more info.] Actually, simply put, it functions as a SOCKS-proxy which tunnels your traffic through
  1450. an encrypted network of relays in which your ip-address can not be traced. When your traffic exits the network through so-called
  1451. exit-nodes the server you are contacting will only be able to retrieve the ip-address of the exit-node. It's pretty useful - but also has
  1452. a few drawbacks:
  1454. First of all it is slow as f**k. Secondly exit-nodes are often times honey-pots set up by cyber-criminals and intelligence agencies. Why?
  1455. The traffic inside the TOR-network is encrypted - but in order to communicate with services on the "real" internet this traffic needs to
  1456. be decrypted. And this happens at the exit-nodes - which are thus able to inspect your packets and read your traffic. Pretty uncool. But:
  1457. you can somewhat protect yourself against this kind of stuff by only using SSL/https for confidential communications such as webmail,
  1458. forums etc. Also, make sure that the SSL-certificates you use can be trusted, aren't broken and use secure algorithms. The above mentioned
  1459. Calomel SSL Validation addon does a good job at this. Even better is the Qualys SSL Server Test.
  1461. The third bummer with TOR is that once you start using TOR in an area where it is not used that frequently which will be almost everywhere
  1462. - your ISP will directly be able to identify you as a TOR user if he happens to use DPI (Deep Packet Inspection) or flags known
  1463. TOR-relays. This of course isn't what we want. So we have to use a workaround. (For more info on this topic watch this vid: How the
  1464. Internet sees you [27C3])
  1466. This workaround isn't very nice, I admit, but basically the only way possible to use TOR securely.
  1468. So, the sucker way to use TOR securely is to use obfuscated bridges. If you don't know what this is please consider reading the TOR
  1469. project's info on bridges
  1471. Basically we are using TOR-relays which are not publicly known and on top of that we use a tool to hide our TOR-traffic and change the
  1472. packets to look like XMPP-protocol.
  1474. Why does this suck? It sucks because this service is actually meant for people in real disaster-zones, like China, Iran and other messed
  1475. up places. This means, that everytime we connect to TOR using this technique we steal bandwidth from those who really need it. Of course
  1476. this only applies if you live somewhere in the Western world. But we don't really know what information various agencies and who-knows-who
  1477. collect and how this info will be used if, say, our democratic foundations crumble. You could view this approach as being proactive in the
  1478. West whereas it is necessary and reactive in the more unfortunate places around the world.
  1480. But, there is of course something we can do about this: first of all only use TOR when you have to. You don't need TOR for funny cat
  1481. videos on youtube. Also it is good to have some regular traffic coming from your network and not only XMPP - for obvious reasons. So limit
  1482. your TOR-use for when it is necessary.
  1484. The other thing you/we can do is set up our own bridges/relays and contribute to the network. Then we can stream the DuckTales the whole
  1485. darn day using obfuscated bridges without bad feelings... wink
  1487. How to set up a TOR-connection over obfuscated bridges?
  1489. Simple: Go to -> The Tor project's special obfsproxy page and download the appropriate pre-configured Tor-Browser-Bundle. wink
  1491. Extract and run. (Though never as root!)
  1493. If you want to use the uber-secure webbrowser we configured above simply go to the TOR-Browsers settings and check the port it uses for
  1494. proxying. (This will be a different port every time you start the TOR-Bundle.)
  1496. Then go into your browser and set up your proxy accordingly. Close the TOR-Browser and have phun! - But don't forget to: check if you're
  1497. really connected to the network.
  1499. To make this process of switching proxies even more easy you can use the FireFox-addon: FoxyProxy. This will come in handy if you use a
  1500. regular connection, TOR and I2P all through the same browser.
  1502. Tipp: While online with TOR using google can be quite impossible due to google blocking TOR-exit-nodes - but with a little help from
  1503. HideMyAss! we can fix this problem. Simply use the HideMyAss! web interface to browse to google and do your searchin'. You could also use
  1504. search engines like ixquick, duckduckgo etc. - but if you are up for some serious google hacking - only google will do... wink [Apparently
  1505. there exists an alternative to the previously shut-down scroogle: privatelee which seems to support more sophisticated google search
  1506. queries. I just tested it briefly after digging it up here. So you need to experiment with it.]
  1508. But remember that in case you do something that attracts the attention of some three-letter-organization HideMyAss! will give away the
  1509. details of your connection. So, only use it in combination with TOR - and: don't do anything that attracts that kind of attention to begin
  1510. with.
  1512. Warning: Using Flash whilst using TOR can reveal your real IP-Address. Bear this in mind! Also, double-check to have
  1513. network.websocket.enabled set to false in your about:config! -> more info on that one here.
  1515. Another general thing about TOR: If you are really concerned about your anonymity you should never use anonymized services along
  1516. non-anonymized services. (Example: Don't post on "frickkkin'-anon-ops-forum.anon" while browsing to your webmail
  1517. "")
  1519. And BTW: For those who didn't know it - there are also the TOR hidden services...
  1521. One note of caution: When dealing with darknets such as TOR's hidden services, I2P and Freenet please be aware that there is some really
  1522. nasty stuff going on there. In fact in some obscure place on these nets everything you can and can't imagine is taking place. This is
  1523. basically a side-effect of these infrastructure's intended function: to facilitate an uncensored access to various online-services from
  1524. consuming to presenting content. The projects maintaining these nets try their best to keep that kind of stuff off of the "official"
  1525. search engines and indexes - but that basically is all that can be done. When everyone is anonymous - even criminals and you-name-it are.
  1527. What has been seen...
  1529. To avoid that kind of exposure and thus keep your consciousness from being polluted with other people's sickness please be careful when
  1530. navigating through these nets. Only use search-engines, indexes and trackers maintained by trusted individuals. Also, if you download
  1531. anything from there make sure to triple check it with ClamAV. Don't open even one PDF-file from there without checking.
  1533. To check pdf-files for malicious code you can use wepawet. Or if you are interested in vivisecting the thing have a look at Didier
  1534. Steven's PDFTools or PeePDF.
  1536. Change the file-ownership to a user with restricted access (i.e. not root) and set all the permissions to read only. Even better: only use
  1537. such files in a virtual machine. The weirdest code thrives on the darknets... wink I don't want to scare you away: These nets generally
  1538. are a really cool place to hang out and when you exercise some common sense you shouldn't get into trouble.
  1540. [Another short notice to the Germans: Don't try to hand over stuff you may find there to the authorities, download or even make
  1541. screenshots of it. This could get you into serious trouble. Sad but true. For more info watch this short vid.]
  1542. TOR-Warning
  1544. The above mentioned issues unfortunately aren't the only ones. I have come across more and more reasons not to use TOR:
  1546. - When using TOR you use about five times your normal bandwidth - which makes you stick out for your ISP - even with obfuscate bridges in
  1547. use.
  1549. - TOR-nodes (!) and TOR-exit-nodes can be and are being used to deploy malicious code and to track and spy on users.
  1551. - There are various methods of de-anonymizing TOR-users: from DNS-leaks over browser-info-analysis to traffic-fingerprinting.
  1553. I won't explain all these issues in detail but if you are interested in finding out why TOR isn't safe to use (and you should if you
  1554. actually think that TOR is making you anonymous) I recommend you watch these talks:
  1556. Attacking TOR at the Application-Layer
  1557. De-TOR-iorate Anonymity
  1558. Taking Control over the Tor Network
  1559. Dynamic Cryptographic Backdoors to take over the TOR Network
  1560. Security and Anonymity vulnerabilities in Tor
  1561. Anonymous Internet Communication done Right (I disagree with the speaker on Proxies, though. See info on proxies below.)
  1562. Owning Bad Guys and Mafia with Java-Script Botnets
  1564. And if you want to see how TOR-Exit-Node sniffing is done live you can have a look at this:
  1565. Tor: Exploiting the Weakest Link
  1567. To make something clear: I have nothing against the TOR-project. In fact I like it really much. But TOR is simply not yet able to cash in
  1568. the promises it makes. Maybe in a few years time it will be able to defend against a lot of the issues that have been raised and
  1569. illustrated. But until then I can't safely recommend using it to anybody. Sorry to disappoint you.
  1570. I2P
  1572. I2P is a so-called darknet. It functions differently from TOR and is considered to be way more secure. It uses a much better encryption
  1573. and is generally faster. You can theoretically use it to browse the web - but it is generally not advised and even slower as TOR using it
  1574. for this purpose. I2P has some cool sites to visit, an anonymous email-service and a built-in anonymous torrent-client. wink
  1576. For I2P to run on your system you need Open-JDK/JRE since I2P is a java-application. To install:
  1578. Go to-> The I2P's website download, verify the SHA256 and install:
  1580. $ cd /directory/you/downloaded/the/file/to && java -jar i2pinstall_0.9.4.jar
  1582. Don't install as root - and even more important: Never run as root!
  1584. To start: $ cd /yourI2P/folder ./i2prouter start
  1585. To stop: $ cd /yourI2P/folder ./i2prouter stop
  1587. Once running you will be directed to your Router-Console in FireFox. From there you have various options. You should consider to give I2P
  1588. more bandwidth than default for a faster and more anonymous browsing experience.
  1590. The necessary browser configuration can be found here.
  1592. For further info go to the project's website.
  1593. Freenet
  1595. A darknet I have not yet tested myself, since I only use TOR and I2P is Freenet. I heard that it is not that populated and that it is
  1596. mainly used for filesharing. A lot of nasty stuff also seems to be going on on Freenet - but this is only what I heard and read about it.
  1597. The nasty stuff issue of course is also true for TOR's hidden services and I2P. But since I haven't been on it yet I can't say anything
  1598. about that. Maybe another user who knows Freenet better can add her/his review.
  1600. Anyhow...:
  1602. You get the required software here.
  1604. If you want to find out how to use it - consult their helpsite.
  1605. Secure Peer-to-Peer-Networks
  1607. GNUnet
  1609. RetroShare
  1610. Mesh-Networks
  1612. If you're asking yourself what mesh-networks are take a look at this short video.
  1616. Netsukuku Community
  1618. OpenWireless
  1620. Commotion
  1622. FabFi
  1624. Mesh Networks Research Group
  1626. Byzantium live Linux distro for mesh networking
  1628. (Thanks to cyberhood!)
  1629. Proxies
  1631. I have not yet written anything about proxy-servers. In short: Don't ever use them.
  1633. There is a long and a short explanation. The short one can be summarized as follows:
  1635. - Proxy-servers often sent xheaders containing your actual IP-address. The service you are then communication to will receive a header
  1636. looking like this:
  1638. X-Forwarded-For: client, proxy1, proxy2
  1640. This will tell the server you are connecting to that you are connecting to him via a proxy which is fetching data on behalf of... you!
  1642. - Proxy servers are infested with malware - which will turn your machine into a zombie within a botnet - snooping out all your critical
  1643. login data for email, banks and you name it.
  1645. - Proxy servers can read - and modify - all your traffic. When skilled enough sometimes even circumventing SSL.
  1647. - Proxy servers can track you.
  1649. - Most proxy servers are run by either criminals or intelligence agencies.
  1651. Seriously. I really recommend watching this (very entertaining) Defcon-talk dealing with this topic. To see how easy e.g.
  1652. java-script-injections can be done have a look at beef.
  1653. VPN (Virtual Private Network)
  1655. You probably have read the sections on TOR and proxy-servers (do it now - if you haven't) and now you are asking yourself: "&*%$!, what
  1656. can I use to browse the web safely and anonymously????"
  1658. Well, there is a pretty simple solution. But it will cost you a few nickels. You have to buy a premium-VPN-service with a trustworthy
  1659. VPN-provider.
  1661. If you don't know what a VPN is or how it works - check out this video.
  1663. Still not convinced? Then read what lifehacker has to say about it.
  1665. Once you've decided that you actually want to use a VPN you need to find a trustworthy provider. Go here to get started with that.
  1667. Only use services that offer OpenVPN. Basically all the other protocols aren't that secure. Or at least they can't compare to OpenVPN.
  1669. Choose the most trustworthy service you find out there and be paranoid about it.
  1671. A trustworthy service doesn't keep logs. If you choose a VPN, read the complete FAQ, their Privacy Policy and the Terms of Service. Check
  1672. where they're located and check local privacy laws. And: Don't tell people on the internet which service you are using.
  1674. You can get yourself a second VPN account with a different provider you access through a VM. That way VPN#1 only knows your IP-address but
  1675. not the content of your communication and VPN#2 knows the content but not your IP-address.
  1677. Don't try to use a free VPN. Remember: If you're not paing for it - you are the product.
  1678. The Web
  1680. If for some unimaginable reason you want to use the "real" internet wink - you now are equipped with a configuration which will hopefully
  1681. make this a much more secure endeavour. But still: Browsing the internet and downloading stuff is the greatest vulnerability to a linux-
  1682. machine. So use some common sense. wink
  1683. RSS-Feeds
  1685. Please be aware that using RSS-feeds can be used to track you and the information-sources you are using. Often RSS-feeds are managed
  1686. through 3rd-party providers and not the by the original service you are using.
  1688. Web-bugs are commonly used in RSS-tracking. Also your IP-address and other available browser-info will be recorded.
  1690. Even when you use a text-based desktop-feedreader such as newsbeuter - which mitigates tracking though web-bugs and redirects - you still
  1691. leave your IP-address.
  1693. To circumvent that you would want to use a VPN or TOR when fetching your RSS-updates.
  1695. If you want to learn more about RSS-tracking read this article.
  1696. Secure Mail-Providers:
  1698. Please consider using a secure email-provider and encourage your friends and contacts to do the same. All your anonymization is worthless
  1699. when you communicate confidential information in an unencrypted way with someone who is using gmx, gmail or any other crappy provider.
  1700. (This also applies if you're contemplating setting up your own mail-server.)
  1702. If possible, encrypt everything, but especially confidential stuff, using gpg/enigmail.
  1704. [SSL, SMTP, POP]
  1705. [SSL, SMTP, no POP/IMAP - only in commercial upgrade]
  1706. [SSL, SMTP, POP]
  1708. I found these to be the best. But I may have missed others in the process.
  1709. Hushmail also has the nice feature to encrypt "inhouse"-mails, i.e. mail sent from one hushmail-account to another. So, no need for gpg or
  1710. other fancy stuff. wink
  1712. The user cyberhood mentioned these mail-providers in the other #! thread on security.
  1714. [SSL, SMTP, IMAP, POP]
  1716. Looks alright. Maybe someone has tested it already?
  1718. [SSL, SMTP, IMAP, POP]
  1720. Although I generally don't trust services that can not present themselves without typos and grammatical errors - I give them
  1721. the benefit of the doubt for they obviously are French. roll Well, you know how the French deal with foreign languages... tongue
  1723. [SSL, SMTP, IMAP, POP]
  1725. See this Review
  1729. You need to prove that you are some kind of activist-type to get an account with them. So I didn't bother to check out their security.
  1730. This is how they present themselves:
  1731. Riseup wrote:
  1733. The Riseup Collective is an autonomous body based in Seattle with collective members world wide. Our purpose is to aid in the creation
  1734. of a free society, a world with freedom from want and freedom of expression, a world without oppression or hierarchy, where power is
  1735. shared equally. We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other
  1736. forms of oppression.
  1738. Edit: I changed my mind and will not comment on Riseup. It will have its use for some people and as this is a technical manual I edited
  1739. out my political criticism to keep it that way.
  1740. Disposable Mail-Addresses
  1742. Sometimes you need to register for a service and don't want to hand out your real mail-address. Setting up a new one also is a nuisance.
  1743. That's where disposable mail-addresses come in. There is a firefox-addon named Bloody Vikings that automatically generates them for you.
  1744. If you rather want to do that manually you can use some of these providers:
  1746. anonbox
  1747. anonymouse/anonemail
  1748. trash-mail
  1749. 10 Minute Mail
  1750. dispostable
  1751. SilentSender
  1752. Mailinator
  1754. It happens that websites don't allow you to register with certain disposable mail-addresses. In that case you need to test out different
  1755. ones. I have not yet encountered a site where I could not use one of the many one-time-address out there...
  1756. Secure Instant-Messaging/VoIP
  1758. Using Skype is not advised from a security standpoint. Although Skype communication is encrypted there are a few ways to attack it. Also,
  1759. you probably don't want to trust Skype to keep all your data safe, do you?
  1761. Instead you can use:
  1762. TorChat
  1764. To install:
  1766. $ sudo apt-get install torchat
  1768. TorChat is generally considered to be really safe - employing end-to-end encryption via the TOR network. It is both anonymous and
  1769. encrypted.
  1771. Obviously you need TOR for it to function properly.
  1773. Here you find instructions on how to use it.
  1774. OTR [Off-the-Record Messaging]
  1776. OTR is also very secure. Afaik it is encrypted though not anonymous.
  1778. Clients with native OTR support:
  1780. Jitsi
  1781. Climm
  1783. Clients with OTR support through Plugins:
  1785. Pidgin
  1786. Kopete
  1788. XMPP generally supports OTR.
  1790. Here you find a tutorial on how to use OTR with Pidgin.
  1791. Secure and Encrypted VoIP
  1793. As mentioned before - using Skype is not advised. There is a much better solution:
  1795. Jitsi
  1797. Jitsi is a chat/VoIP-client that can be used with different services, most importantly with XMPP. Jitsi doesn't just offer chat, chat with
  1798. OTR, VoIP-calls over XMPP, VoIP-video-calls via XMPP - but also the ZRTP-protocol, which was developed by the developer of PGP, Phil
  1799. Zimmerman.
  1801. ZRTP allows you to make fully end-to-end encrypted video-calls. Ain't that sweet? wink
  1803. If you want to know how that technology works, check out these talks by Phil Zimmerman at Defcon. [Defcon 15 | Defcon 16]
  1805. Setting up Jitsi is pretty straightforward.
  1807. Here is a very nice video-tutorial on how get started with Jitsi.
  1811. Social Networking
  1812. Facebook
  1814. Although I actually don't think I need to add this here - I suspect other people coming to this forum from google might need to consider
  1815. this: Don't use Facebook!
  1817. Apart from security issues, malware and viruses Facebook itself collects every bit of data you hand out: to store it, to sell it, to give
  1818. it to the authorities. And if that's still not enough for you to cut that crap you might want to watch this video.
  1820. And no: Not using your real name on Facebook isn't helping you anything. Who are your friends on Facebook? Do you always use an
  1821. IP-anonymization-service to login to Facebook? From where do you login to Facebook? Do you accept cookies? LSO-cookies? Do you use SSL to
  1822. connect to Facebook? To whom are you writing messages on Facebook? What do you write there? Which favorite [movies | books | bands |
  1823. places | brands]-lists did you provide to Facebook which only need to be synced with google-, youtube-, and amazon-searches to match your
  1824. profile? Don't you think such a massive entity as Facebook is able to connect the dots? You might want to check out this vid to find out
  1825. how much Facebook actually does know about you. Still not convinced? [Those who understand German might want to hear what the head of the
  1826. German Police Union (GDP), Bernhard Witthaut, says about Facebook on National TV...]
  1828. For all of you who still need more proof regarding the dangers of Facebook and mainstream social media in general - there is a defcon-
  1829. presentation which I urge you to watch. Seriously. Watch it.
  1831. Well, and then there's of course Wikipedia's collection of criticism of Facebook. I mean, come on.
  1832. Alternatives to Facebook
  1834. Friendica is an alternative to Facebook recommended by the Free Software Foundation
  1836. Lorea seems a bit esoteric to me. Honestly, I haven't wrapped my head around it yet. Check out their description:
  1837. Lorea wrote:
  1839. Lorea is a project to create secure social cybernetic systems, in which a network of humans will become simultaneously represented on
  1840. a virtual shared world.
  1842. Its aim is to create a distributed and federated nodal organization of entities with no geophysical territory, interlacing their
  1843. multiple relationships through binary codes and languages.
  1845. Diaspora - but there are some doubts - or I'd better say: questions regarding diasporas security.
  1847. But it is certainly a better choice than Facebook.
  1849. One last thing:
  1853. Passwords
  1855. Always make sure to use good passwords.
  1857. To generate secure passwords you can use:
  1858. pwgen
  1860. Installation:
  1862. $ sudo apt-get install pwgen
  1864. Usage:
  1866. pwgen [ OPTIONS ] [ pw_length ] [ num_pw ]
  1868. Options supported by pwgen:
  1869. -c or --capitalize
  1870. Include at least one capital letter in the password
  1871. -A or --no-capitalize
  1872. Don't include capital letters in the password
  1873. -n or --numerals
  1874. Include at least one number in the password
  1875. -0 or --no-numerals
  1876. Don't include numbers in the password
  1877. -y or --symbols
  1878. Include at least one special symbol in the password
  1879. -s or --secure
  1880. Generate completely random passwords
  1881. -B or --ambiguous
  1882. Don't include ambiguous characters in the password
  1883. -h or --help
  1884. Print a help message
  1885. -H or --sha1=path/to/file[#seed]
  1886. Use sha1 hash of given file as a (not so) random generator
  1887. -C
  1888. Print the generated passwords in columns
  1889. -1
  1890. Don't print the generated passwords in columns
  1891. -v or --no-vowels
  1892. Do not use any vowels so as to avoid accidental nasty words
  1894. Example:
  1896. $ pwgen 24 -y
  1898. Pwgen will now give you a list of password with 24 digits using at least one special character.
  1900. To test the strength of your passwords I recommend using Passfault. But: Since Passfaults' symmetric cypher is rather weak I advise not to
  1901. use your real password. It is better to substitute each character by another similar one. So you can test the strength of the password without
  1902. transmitting it in an insecure way over the internet.
  1904. If you have reason to assume that the machine you are using is compromised and has a keylogger installed you should generally only use
  1905. virtual keyboards to submit critical data. They are built in to every OS afaik.
  1907. Another thing you can do is use:
  1908. KeePass
  1910. KeePass stores all kinds of password in an AES/Twofish encrypted database and is thus highly secure and a convenient way to manage your
  1911. passwords.
  1913. To install:
  1915. $ sudo apt-get install keepass2
  1917. A guide on how to use it can be found here.
  1918. Live-CDs and VM-Images that focus on security and anonymity
  1920. Tails Linux The classic. Debian-based.
  1922. Liberté Linux Similar to Tails. Gentoo-based.
  1924. Privatix Live-System Debian-based.
  1926. Tinhat Gentoo-based.
  1928. Pentoo Gentoo-based. Hardened kernel.
  1930. Janus VM - forces all network traffic through TOR
  1934. Further Info/Tools:
  1936. TOR
  1937. I2P
  1938. Securing Debian Manual
  1939. Electronic Frontier Foundation
  1940. EFF's Surveillance Self-Defense Guide
  1941. Schneier on Security
  1942. Irongeek
  1943. SpywareWarrior
  1944. SecurityFocus
  1945. Wilders Security Forums
  1947. CCC [en]
  1948. Eli the Computer Guy on Security
  1949. Digital Anti-Repression Workshop
  1950. The Hacker News
  1951. Anonymous on the Internets!
  1952. #! Privacy and Security Thread [Attention: There are some dubious addons listed! See my post there for further info.]
  1953. EFF's Panopticlick
  1954. GRC
  1955. Rapid7 UPnP Vulnerability Scan
  1956. HideMyAss! Web interface
  1957. Browserspy
  1959. IP Lookup
  1960. BrowserLeaks
  1961. Whoer
  1962. evercookie
  1963. Sophos Virus DB
  1964. f-secure Virus DB
  1965. Offensive Security Exploit DB
  1966. Passfault
  1967. PwdHash
  1968. Qualys SSL Server Test
  1969. MyShadow
  1970. Security-in-a-Box
  1971. Calyx Institute
  1972. CryptoParty
  1973. Self-D0xing
  1974. Wepawet
  1975. German only:
  1977. awxcnx
  1978. anondat
  1979. SemperVideo
  1980. SemperVideo [youtube]
  1981. Fefes Blog
  1982. heise
  1983. golem
  1984. CCC [de]
  1985. FoeBud
  1986. German Privacy Foundation
  1987. Postscript:
  1989. If you find any error in this guide please don't hesitate to reply with an explanation. Also, if you have anything to add please also use
  1990. the reply function. Since this is my first "real" post on the #! forums I don't know how long the edit-function is available for regular
  1991. posts. Should it be usable indefinitely I will edit this original post to include all the additional information you will provide. This
  1992. way we keep all the required info in one place. Thanks!
  1994. ...and keep sorcering!
  1996. [Edit: Apparently I can edit the hell out of this post. wink So I will be constantly updating this guide in the future. I already
  1997. scrambled together all the info I found noteworthy from the #! Privacy and Security Thread. So you should in theory find everything you
  1998. need from there in this manual, too. But you know how personal opinions differ. So please raise your hand if you find I missed something.
  2000. I will also work on migrating this guide into the #!-wiki in the future.]
  2002. additional resources available at []
Add Comment
Please, Sign In to add comment