
AltNSA Privacy Guide

a guest
Jan 28th, 2017
  1.  
  2. Privacy has been under attack for a while now, with police departments using IMSI catchers or STINGRAYs on American citizens and the NSA having massive overreach. Especially now, with the election of Donald Trump and his pro law enforcement “law and order presidency”, I think it is high time for me to write a guide to help you secure yourself from prying eyes, because this administration will more than likely expand surveillance powers.
  3.  
  4. This guide is aimed at everyone. I can go more in depth in future guides on how to implement these tools more effectively, but for now this is a basic enumeration of the tools that exist and basic uses for them. Tools are in basic groups.
  5.  
  6. Section 1. INFOSEC (Information Security)
  7.  
  8. This is a tricky one. People, law enforcement or state actors may try to gain unauthorized access to your information by any number of means. Here are some tools that will limit their ability to access that information.
  9.  
  10. A. VeraCrypt:
  11. VeraCrypt is an open source encryption solution for Windows, Mac OSX and Linux systems. VeraCrypt is unique because it is the first open source encryption software for Windows. It can be used in any number of ways: it can be used to create an encrypted container on your hard drive to store your sensitive files in. It can be used to encrypt a partition on your hard drive (such as a partition that holds a secondary OS). It can also be used to create a hidden OS, meaning that unless you have the VeraCrypt bootloader on a USB stick or DVD the OS should be unfindable. This is particularly useful in cases of seizure of your computer: if the agency/state/person doesn’t know it’s there, they can’t force you to decrypt it. This tool also creates a decoy OS, one that you can use for day to day activities. As long as you do not store any sensitive files on it, your hidden OS should remain totally hidden.
  12.  
  13. VeraCrypt is a particularly useful encryption solution, not only because of its usefulness but also because most of the world uses Windows. It is a powerful tool and one that I would recommend everyone use regardless.
  14.  
  15. It can be found here:
  16. https://veracrypt.codeplex.com/
  17.  
  18. B: Linux Full Disk Encryption (dm-crypt):
  19. Now if you are using Linux I doubt I have to explain this, but you never know, so let’s go. Dm-crypt is the encryption standard that is built into the Linux kernel (as of kernel 2.6 and later). It was designed to not only encrypt your hard drive and data but also to map the drives/partitions. It has had improvements against attacks (such as watermarking) through advanced modes of operation such as XTS, LRW and ESSIV. It can be activated quite easily on most Linux distributions during installation: simply check the box saying your data should be encrypted and provide a passphrase to unlock, continue with your installation normally and you are done.
  20.  
  21. Not downloaded, included in Linux distros.
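
A way to confirm after installation which mounted filesystems actually sit on a dm-crypt mapping. This is an added example, not part of the original guide; the device names and the sample `lsblk -J` output are constructed, and `live_report()` assumes `lsblk` from util-linux is installed.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output:
# an installer-style layout (LUKS partition holding LVM) plus a second plain disk.
SAMPLE = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "children": [
        {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "children": [
            {"name": "sda2_crypt", "type": "crypt", "fstype": "LVM2_member", "children": [
                {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]},
    {"name": "sdb", "type": "disk", "children": [
        {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/mnt/data"}]},
]})


def mounts_by_encryption(lsblk_json):
    """Return (encrypted, plaintext) lists of mountpoints.

    A mountpoint counts as encrypted only if some device above it in the
    lsblk tree has type "crypt", i.e. it is reached through a dm-crypt mapping.
    """
    encrypted, plaintext = [], []

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            (encrypted if under_crypt else plaintext).append(mountpoint)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return encrypted, plaintext


def live_report():
    """Run the same check against this machine's real block devices."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return mounts_by_encryption(out)


if __name__ == "__main__":
    enc, plain = mounts_by_encryption(SAMPLE)
    print("encrypted:", enc)
    print("NOT encrypted:", plain)
```

In the constructed layout the root filesystem and swap are behind the mapping, while `/boot` and the second disk are not, so anything written to those two locations is stored in the clear.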
  22.  
  23. C: Mobile Encryption:
  24. Android and iOS both come with encryption. On iOS it is on by default, and on Android you need to turn it on. On your Android device navigate to settings, look for security and in that menu you should see an option to encrypt your data. Select that (and the SD storage encryption if it’s an option) and proceed with the prompts. Your phone will be encrypted after a wait that can be anywhere from 15-30 minutes to an hour.
  25.  
  26. D: OSX Encryption (FileVault)
  27. FileVault is the OSX standard file encryption. Simply go to the system preferences and under security you should see FileVault. Select your desired encryption options, then follow the on screen prompt and you are set. Make sure you keep encryption keys safe somewhere in case you lose your password.
  28.  
  29. This is where a program called KeepassX comes in. KeepassX is a 100% free, totally open source password manager. And this is free, not in the way you may be used to, with free software being full of ads and/or malware. KeepassX is FOSS (Free Open Source Software), meaning that the people who develop it do it because they are passionate about the project, not for financial gain. Now on to KeepassX itself.
  30.  
  31.  
  32. E: KeepassX
  33. Another very important part of infosec is strong passwords. Enter KeepassX. KeepassX is a password manager, meaning it is used to store passwords to different accounts. The good thing about it is that KeepassX can also generate passwords that are much more secure than any you could ever come up with. It is capable of generating any number of characters you could want: letters both upper and lower, numbers and special characters, and any combination of those. Once you generate the password, hit accept and save the database, it is heavily encrypted (you provide an initial password upon opening KeepassX), and as far as anyone knows KeepassX has not been cracked yet. The good thing is that it not only keeps all your passwords at your fingertips but it has versions for Windows, OSX, Linux, iOS and Android, so you can take your passwords everywhere with you.
  34.  
  35. There are other versions out there (Keepass2, LastPass to name a few) but KeepassX is the one I trust.
  36.  
  37. You can find it here: https://www.keepassx.org/
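
To show why a generated password beats a memorable one, here is a generator with the same kinds of options the paragraph lists, plus an entropy estimate. This is an added example, not KeepassX's own code; the function names and the four class labels are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes matching the options described above (labels are illustrative)
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}
ALL = ("lower", "upper", "digits", "special")


def generate(length=20, classes=ALL):
    """Draw a password from the OS CSPRNG with at least one char per selected class."""
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    pool = "".join(CLASSES[c] for c in classes)
    while True:
        password = "".join(secrets.choice(pool) for _ in range(length))
        # Redraw instead of patching characters in, so no position is biased
        if all(any(ch in CLASSES[c] for ch in password) for c in classes):
            return password


def entropy_bits(length, classes=ALL):
    """Upper bound on entropy in bits: length * log2(size of the character pool)."""
    pool_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(pool_size)


if __name__ == "__main__":
    print(generate())
    print("20 chars, all classes: %.1f bits" % entropy_bits(20))
    print("8 chars, lowercase only: %.1f bits" % entropy_bits(8, ("lower",)))
```

Each extra bit doubles the guessing work, so the gap between a short lowercase password and a 20-character one drawn from all four classes is the reason to let the manager generate and remember them.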
  38.  
  39. The following are not strictly INFOSEC or NETSEC but a combination of the two:
  40.  
  41. F: Qubes
  42. Qubes is a Linux based distro. It is not a traditional distro, given that it runs a series of Virtual Machines (a VM is a computer within a computer). This means that every program you run is sandboxed from the rest of the system, so even if someone manages to compromise a program in one VM it is highly unlikely to break out of its sandbox and spread. This also has the advantage of every VM using virtual hardware to connect to the internet, further increasing your security. It can run Windows, OSX and Linux distros all in virtual machines. There are also different trust levels. It is an excellent choice for privacy and security but lacks the traditional OS feel.
  43.  
  44. G: TAILS
  45. TAILS, or The Amnesic Incognito Live System, is one of the most popular and well known privacy oriented operating systems. The INFOSEC portion will be discussed here and the NETSEC portion in its respective section. TAILS is a Debian Linux based distro built from the ground up for not only privacy but security as well. It is highly recommended that it be booted only from a USB stick or DVD; the reason for this is the way it functions. It is not your traditional OS that is installed on a hard drive in your computer. It is designed to run in your RAM only, off of a USB stick or DVD. The reason for this is that once you turn your computer off the RAM is wiped, leaving no trace behind that you were ever using TAILS. Instead of saving things on the hard drive, TAILS creates what’s known as a persistence on your USB drive, meaning all files generated in TAILS stay on that encrypted USB persistence. This is excellent from an INFOSEC standpoint, as the only times the files are at any risk are when you are actively using TAILS or if the USB stick leaves your possession. There are several types of USB sticks that have hardware encryption on them as well, ensuring that any attacker has that much harder a time trying to break the encryption (which to my knowledge has never been done on the TAILS encryption at least).
  46.  
  47. 2. OPSEC (Operational Security):
  48.  
  49. Here is possibly the most overlooked portion of privacy, Operational Security.
  50.  
  51. This is your online habits. Sharing location, names, activities etc. can all be threats to privacy.
  52. Facebook is a major offender; they collect as much data from you as possible, including location data. Consider locking down your privacy settings or hopping off Facebook altogether. Twitter is another risk, again for location data and collected information. Instagram as well. Obviously posting pictures of your face or identifying features on any social media isn’t the greatest idea from a personal privacy standpoint. The fewer social media accounts you have, the better it is from a privacy standpoint.
  53. A decent replacement that’s distributed and privacy focused is Diaspora:
  54. https://www.diasporafoundation.org/
  55.  
  56. There is another piece you need to be careful of, even in text-only public forums/social media sites/blogs etc. You always need to be careful with usernames: make sure you don’t use something that can be tied back to you (no real names, nicknames etc.). And be careful what you reveal; the more personal info you reveal, the more can be used to build a profile that can lead to your identity being compromised. I would also recommend separate usernames for sites, as there is less of a chance of compromising your identity. I could go on about OPSEC all day but this is just a basic guide.
  57.  
  58. And one last thing: never re-use passwords, anytime, anywhere. Always have a separate password for every site.
  59.  
  60. This will come into play later, but if you are using TAILS, Whonix or a privacy based distro it is a good idea to NEVER use any accounts you use on a regular basis. Have completely separate accounts for Tor/TAILS/Whonix that have absolutely 0 connection with your real life.
  61.  
  62. 3: NETSEC
  63.  
  64. This is the one that everyone has been waiting for. The magical tool that makes you totally private and safe on the internet. Well, I have some bad news: that doesn’t exist. You have to use the tools I mentioned previously to be safe. Think of it as a building: you have to start with a foundation, then you build from there. NETSEC is in my mind the top floor. If any one thing is missing it weakens the entire structure. So without further ado let’s get into it.
  65.  
  66. A: Tor Browser
  67. One of the most popular NETSEC tools is Tor, or the Tor Browser Bundle, one of the main choices of dissidents and journalists who face retribution the world over. It is a security and privacy enhanced browser based on Firefox. All traffic from it is routed through a special network built from the ground up with privacy and anonymity in mind. The network is based off of research from the United States Naval Research Laboratory and was designed to protect network traffic between intelligence agencies. The network traffic is encrypted and sent through a series of nodes, with the location and routing separated, ensuring a high degree of anonymity and privacy. It is not 100% effective but is the best solution we have, as it makes it extremely difficult for anyone to trace it back to you or eavesdrop on the traffic.
  68.  
  69. https://www.torproject.org/projects/torbrowser.html
  70.  
  71. B: I2P (Invisible Internet Project)
  72. I2P is a program that is still in beta. It is similar to Tor in that the traffic is end to end encrypted and anonymous, but the traffic is routed P2P (peer to peer) instead of through traditional servers. I do not know much about it at this time, but as it is still in beta and needing peer review I would hold off on using it.
  73.  
  74. https://geti2p.net/en/
  75.  
  76. C. VPN Service
  77. Another way to secure your traffic is to pay for a VPN (Virtual Private Network). A VPN creates an encrypted private network to tunnel your traffic through. This protects your traffic from prying eyes much better than normal. VPNSecure and Private Internet Access are both good VPN services. Both have mobile apps and OSX/Windows/Linux versions.
  78.  
  79. These are the tools mentioned in the previous section that don’t fully fit into either category:
  80.  
  81. C. TAILS
  82. As mentioned before, TAILS is the choice of dissidents and journalists preserving sources the world over. TAILS routes absolutely all network traffic through Tor. This is good because it secures all your communications. It also spoofs MAC addresses and has the added benefit of usually being more secure against Tor Browser exploits, as many of them are Windows dependent. With the latest release, OnionShare has been added by default, allowing file sharing over the Tor network. TAILS is a very convenient solution, as you can also transport it anywhere because it runs on a USB stick.
  83.  
  84. https://tails.boum.org/
  85.  
  86. D. Qubes
  87. Again, as mentioned before, Qubes is a VM based distro built on top of Fedora Linux. In addition to the sandboxed environment it runs in, it uses virtual network adapters. So if you run Tor in it, Tor not only spoofs MAC addresses but the sandbox has a virtual adapter, and since it’s isolated it is highly doubtful they will be able to glean any real information. In addition to all of the above there is the option to route ALL network traffic through the Tor network.
  88.  
  89. https://www.qubes-os.org/
  90.  
  91. Whonix:
  92. Whonix is very similar to TAILS. There are a few key differences though. Whonix is designed by default to run in a virtual machine, whereas due to TAILS’ inherent design it is highly recommended to never run it in a virtual machine. Like TAILS, Whonix routes all network traffic through Tor, but it runs in a virtual machine. It is similar to the concept of Qubes, except Whonix runs in the virtual machine and can run on any OS that can run VMware.
  93.  
  94. https://www.whonix.org/wiki/Main_Page
  95.  
  96.  
  97. 4. Misc privacy tools
  98.  
  99. There are some tools that don’t quite fit into the other categories. I’ll discuss them a bit here.
  100.  
  101. A: GPG Keys
  102.  
  103. GPG (GNU Privacy Guard) keys are free, open source encryption keys geared specifically toward email. It is a public key system: you have a private key, and a public key is uploaded to several servers so any mail you send out with your key can be authenticated. The mail can also only be decrypted by the specified recipient with a certificate/key as well (provided you send it to them). This is a very secure protocol, but email itself is an outdated and insecure mode of information delivery, and while your message may be encrypted there is still metadata that can be gleaned.
  104.  
  105. B: SSH Key
  106.  
  107. Another way to protect your privacy is with SSH keys. One way is if you have a server you administer and are trying to connect to: an SSH key will allow for a secure connection. One lesser known function is that you can actually encrypt documents or other files with your SSH key.
  108.  
  109. C: Encrypted Email Providers
  110.  
  111. One of the easiest ways to get encrypted email without setting up and generating your own GPG keys is to go to a service like Protonmail, Tutanota or Lavabit. They provide encrypted email as a service. Protonmail and Tutanota are open source but I do not know about Lavabit. What I do know about Lavabit is that Edward Snowden used it and the creator/owner shut down rather than comply with an FBI order to give them access to Snowden’s account.
  112.  
  113. D: Browser Add Ons
  114.  
  115. There are many internet browsers to choose from but Mozilla is king when it comes to privacy (the Tor Browser is after all based on Firefox). There are a few addons that you should consider using to improve your privacy. First off we have Privacy Badger, an addon by the EFF (Electronic Frontier Foundation) that stops third party trackers from tracking you. Next up we have Disconnect, which lets you use your favorite search engines but acts as a proxy to keep them from tracking you (Disconnect does not track you either). uBlock Origin is an ad blocker that hasn’t sold out like Adblock. HTTPS Everywhere forces an HTTPS connection wherever possible (more secure). NoScript is an addon that blocks scripts on any and/or all pages you desire.
  116.  
  117.  
  118. Relevant Links:
  119.  
  120. Electronic Frontier Foundation: https://www.eff.org/
  121. Tutanota: https://tutanota.com/
  122. Protonmail: https://protonmail.com/
  123. Lavabit: https://lavabit.com/?reloaded
  124. VPNSecure: https://www.vpnsecure.me/
  125. Private Internet Access: https://www.privateinternetaccess.com/