/tech/ - Tech

Technology.

Privacy general Comrade 05/08/2016 (Sun) 16:12:51 No. 2214
Comrades, we need a thread on privacy. Any decent activist should try ways of staying anonymous on the web and avoid being tracked by governments and corporations.

General tips
===

* Use free software as much as you can.

* Use GNU/Linux and keep it up-to-date, to be sure that you don't have unpatched security exploits

* Don't use Flash Player, use youtube-dl instead for watching streaming videos online

* Do not use Google, use DuckDuckGo or StartPage instead

* Use a password manager like Keepass or for GNU/Linux users keepassx. Create new passwords for every site that you visit and use a strong password as a master password. A tip for easy remembering of your master password is to use a sentence. "i fucking love cookies and tits!" with extra capital characters etc. is easier to remember than some random characters and long enough to prevent brute force attacks of any kind.

* Use the Tor Browser Bundle if you really want to stay anonymous.

Firefox
====

* Go to Preferences -> History and set History to "Never remember history".

* See for additional tweaks: https://github.com/amq/firefox-debloat and https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

Add-ons
-----------

* Use uBlock Origin for preventing tracking etc. Bonus: use hard-mode to manually whitelist external domains on sites. Don't use uBlock but be sure to use uBlock Origin https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-mode

* HTTPS Everywhere

* Decentraleyes: prevents CDN hosting from tracking you (Google for jQuery etc.)

* Self Destructing Cookies: only allow cookies that you choose to allow

OS
==

* Encrypt your hard drive or home partition at least

* If you use GNU/Linux, you can try to restrict systemd or syslog from logging.

* Use a distribution which takes security seriously. Also, be sure that you don't install a lot of things outside the repository. It will cover most of your needs.

Real life tips
===

* Pay with cash if you can



Feel free to provide tips to each other comrades!
>>99
I have never administrated anything before.
Cryptography is a topic I love but getting up to date with cyber security is a mystery to me.
>>101
There is no absolute security, and when someone really wants to get into your server, he will find a way; especially when you're not a pro at defending it.
However, I don't think somebody will make the effort to crack reasonably encrypted content.
>>98
>How safe will it be to have a server in my house for my personal email and webpage?
Install gentoo and run all webserver related services on their own user account so if they get hacked the attacker doesn't have root or other access to anything that would let him easily privilege escalate (e.g. graphics card access).

Currently I'm trying to find a secure non-root alternative to courier-imap :/

>>102
>However, I don't think somebody will make the effort to crack reasonably encrypted content.
Encryption has nothing to do with this.
If you are worried about the content of your emails then you need to PGP encrypt them, but that is unrelated to running your own mail server and unrelated to the mail server's security.
Reminder that all emails that aren't PGP encrypted and travel over the internet are read at the very least by the NSA's AI.
I'm going to buy a new laptop soon. What model should I get if I want privacy? I'm going to install Qubes OS.

What do you guys think of Comodo IceDragon? It's a free Firefox-based browser (so it can have the same add-ons), but it comes with some built-in security features IIRC.

Also, what's a distribution?
>>159
Hardware shouldn't matter for privacy purposes, but the company 'System76' has good linux compatible hardware
>>160
Except for hardware-level botnet features like UEFI and Intel ME.
>>159
A distro is a compilation of software, which comes mostly as a ready-to-use operating system. The Qubes OS you have chosen is such a distro.
Attempting to post via tor
Testing, testing, 1, 2, 3.
>>86
does not work
>>58
>alternative to Gmail
I use ProtonMail and it's pretty good. They have a tiered system though, so if you have a high volume of email, it might be worth paying for the standard tier. Plus iirc they bundle in their premium ProtonVPN service for a paid ProtonMail account
>>236
Throwing up your own copy of postfix and running your own mail server isn't particularly difficult. It does attract a load of pests to your connection, though.
Anyone use RiseUp services? Particularly looking for a new email to switch from Google.
you guys stop necroposting :DDD
>>58
>>236
>>268
I suggest just using email service from countries that don't extradite to [insert your country here] or cooperate with your law. Like, half these "suuuper private email" sites turn out to be honeypots anyway (protonmail is). Better to just use a mainstream Russian or like, Vietnamese email service I'd guess.
>>91
>I want full disk encryption without having to wipe my data.
Just make a backup.
everyone switch to STARTPAGE

https://www.startpage.com/

it's like DuckDuckGo but better and with a name that isn't stupid like 'duckduckgo'

also it has proxy viewing. Very useful to read articles etc. at work, if your work monitors web traffic like mine does.
>>273
>(protonmail is)
Source?
Privacy is mostly not a technical issue, but a social one.

What good does it do when you follow all the expert advice in how to use technology while your family, friends, coworkers, and party colleagues are constantly broadcasting to the world what you say and what you do and where you are? Privacy-protecting software has to be used by the people around you; privacy-protecting habits have to be common among the people around you. Software with the best privacy protection is useless if nobody uses it. Software that is not very competently made from a cryptography expert's point of view, but that has an appealing and easy interface and a good meme propaganda campaign around it, so that the people around you then actually use it (when they didn't use anything protecting them and you before), can do more for your privacy protection in the big picture.

People form habits that follow them for the rest of their lives while they are young. How to design privacy-protecting software that appeals to kids?
>>607
>What good does it do when you follow all the expert advice in how to use technology while your family, friends, coworkers, and party colleagues are constantly broadcasting to the world what you say and what you do and where you are?
That's what compartmentalization is for.
>>608
You mean activities like posting on different topics on different sites under different pseudonyms and not presenting a full picture of your various interests all bundled in one place, but the point is that it isn't really up to you how much of you shows up online.

Here's the kind of story that happens every day: You are a member of a party. Of course, those members elected to important positions aren't anonymous, but there is no public database of all party members and you like it that way. At a small non-public meeting, a fellow party member takes a photo of you. You politely but firmly ask that person to not publish it. The person promises not to do that. A few minutes later the picture is online (but you don't know that immediately, you only get to know it with a delay, as it makes the rounds). The comrade is an old fart who lives off a pension. You still have most working years ahead of you. This information about you is now online forever. Any neonazi or potential employer can enter your name into a search engine and see that you are in a hard-left party.

There needs to be a cultural shift so that the people around you IRL don't fuck up your life.
>>609
It's true, we need a professional and disciplined attitude about security in our organizations. I think that's different from saying we can't have security if our family and co-workers aren't all disciplined.
>>63
This is what I get on https://searx.me after a few searches.

It's a shitty website. https://duckduckgo.com/ is superior to https://searx.me
>>611
>I get rate limit exceeded after a few searches on https://searx.me
Anyone can host a searx instance, even in your basement; the owners of the main instance put rate limiting in place to encourage you to host your own (which increases privacy, so long as a small community uses it) and to avoid having to pay for it.
>>612
I prefer not having to go through the trouble of hosting my own search engine. I want user friendliness, which is exactly what DuckDuckGo gives me. On top of that, DuckDuckGo doesn't censor the results I receive.

Google has censored The Daily Stormer and 8chan, which is disgusting. I hate politically motivated search engines. Search engines should be just what they are: a program that searches the Internet for you for the content you requested.
not sure why this thread is on the last page, but these links definitely need to be somewhere on /tech/ https://invidious.snopyta.org/ https://nitter.snopyta.org/ https://snopyta.org/ but also wanted to ask, what's up with archive.is not having SSL encryption? should this be concerning?
Anyone tried https://qwant.com ? Are they more or less trustworthy than duckduckgo? Results seem comparable. >>2915 >what's up with archive.is not having SSL encryption It supports SSL but doesn't automatically redirect to it https://archive.is/
>>2918 if you’re concerned with privacy just go with searx. snopyta.org has a searx instance.
>>2915 archive.is blocks tor via cloudflare anyway
>>2915 >>2920 >this.snopyta.org >that.snopyta.org not smart to put all your eggs in the same basket. using everything via snopyta instances means they technically have access to an aggregated collection of your browsing activity. and you should never rely just on trust.
The issue I have with youtube-dl is searching things up in the first place. You still have to connect to YouTube's servers in order to get your videos. This is really the only rule I have caved in on. I just browse YouTube directly at this point.
>>2923 You can use Youtube-dl with Tor: youtube-dl --proxy "socks5://127.0.0.1:9050" As for browsing for videos, use invidio.us.
>>2924 I can't log in to my account with invidio.us for some reason; never been able to.
>>2924 If you don't have system Tor running, then you can proxy through Tor Browser, which uses SOCKS port 9150 instead of 9050:

    youtube-dl --proxy "socks5://127.0.0.1:9150"

Of course you can still pipe the output to mpv like before. I have something like this in my shell config:

    # fetch through the local Tor SOCKS proxy, write the stream to stdout, hand it to mpv
    youtube-mpv() {
        /usr/bin/youtube-dl --proxy "socks5://127.0.0.1:9050" "$@" -o - | mpv -
    }

Then you just use it like this:

    youtube-mpv https://invidio.us/watch?v=y5zQTmkY7GI

If Tor is too slow add the -f worst flag.

    youtube-mpv -f worst https://invidio.us/watch?v=y5zQTmkY7GI

>>2925 If all you want is to subscribe or follow someone on social media, then you can use RSS feeds instead of creating an account, which is often blocked over Tor anyway. What you need is an RSS feed reader that supports SOCKS5 proxies for use with Tor. You can replace a lot of your browsing routines this way, which will save you a ton of time, since you'll have everything you're interested in aggregated and automatically updated in a single program.

Keep in mind though that all of the feed reader's connections will use a single Tor "identity". This is similar to opening everything within a single Tor Browser session, without resetting the circuits. So if you subscribe to a bunch of invidio.us channels, all of the connections to invidio.us will come from the same Tor exit relay (while connections to other sites will use different circuits). This is still way better than using an account, but it doesn't allow for total isolation of different "identities" in the OPSEC sense.

Another issue is that your feed reader will probably use its own User-Agent header. If possible change it to whatever the current version of Tor Browser uses. You still won't have control over the rest of the HTTP headers though, which could also be used for fingerprinting. Of course in the end it's safer to just use Tor Browser, copy-paste URLs from some text file, and often reset the browser's session.
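As an added example (my own code, not from the post above or from youtube-dl), here is the same youtube-mpv idea with one defensive change: it probes whichever Tor SOCKS port is actually listening (9050 for system tor, 9150 for Tor Browser) and refuses to run youtube-dl at all if neither is up, so a stopped Tor never silently turns into a direct connection to the video host. The helper names (`pick_tor_port`, `build_ytdl_cmd`, `fetch_via_tor`) are my own; the `--proxy`, `-f worst` and `-o -` flags are the ones the post uses.

```python
import socket
import subprocess
import sys

# Default Tor SOCKS ports: system tor daemon first, then Tor Browser's bundled tor.
TOR_SOCKS_PORTS = (9050, 9150)


def port_open(port, host="127.0.0.1", timeout=0.5):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_tor_port(candidates=TOR_SOCKS_PORTS, host="127.0.0.1", probe=port_open):
    """Return the first candidate port that is listening, or None if none is.

    `probe` is injectable so the selection logic can be exercised without a live Tor.
    """
    for port in candidates:
        if probe(port, host):
            return port
    return None


def build_ytdl_cmd(url, port, worst=False, to_stdout=True, host="127.0.0.1"):
    """Build the youtube-dl argv with the proxy pinned to the chosen SOCKS port."""
    cmd = ["youtube-dl", "--proxy", f"socks5://{host}:{port}"]
    if worst:
        cmd += ["-f", "worst"]  # smaller stream, useful when Tor is slow
    if to_stdout:
        cmd += ["-o", "-"]      # write the stream to stdout so it can be piped to mpv
    cmd.append(url)
    return cmd


def fetch_via_tor(url, worst=False, candidates=TOR_SOCKS_PORTS, probe=port_open):
    """Pipe youtube-dl into mpv, but only if a Tor SOCKS proxy is up (fail closed)."""
    port = pick_tor_port(candidates, probe=probe)
    if port is None:
        raise RuntimeError("no Tor SOCKS proxy listening on %s; refusing to connect directly"
                           % ", ".join(str(p) for p in candidates))
    ytdl = subprocess.Popen(build_ytdl_cmd(url, port, worst=worst), stdout=subprocess.PIPE)
    mpv = subprocess.Popen(["mpv", "-"], stdin=ytdl.stdout)
    ytdl.stdout.close()  # let mpv be the only reader of the pipe
    return mpv.wait()


if __name__ == "__main__":
    # usage: python tor_ytmpv.py [--worst] URL
    sys.exit(fetch_via_tor(sys.argv[-1], worst="--worst" in sys.argv[1:-1]))
```

The fail-closed check is the point: the shell function in the post passes the request straight to youtube-dl, and if Tor isn't running youtube-dl simply errors out on the proxy, which is fine, but a misconfigured wrapper that drops the `--proxy` flag would leak. Probing the port first, and raising instead of falling back, makes the safe behaviour explicit.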
Unless you write your own scripts there's always some compromise, most devs still have barely any idea how mass surveillance works or just don't care.
>>2228 be careful installing random add-ons, as these can be used to fingerprint you. Set up a script if you can to randomly assign your user-agent
>>2228 >>2928 Random user agent spoofing has little use if you don't use a proxy or public networks (then you should also spoof your MAC address). And if you use Tor it will only make you stand out more since Tor Project's design philosophy bets on uniformity rather than randomness.
>>2929 User-Agent is not the only HTTP header that they use to fingerprint you anyway. Each browser has a distinct set of HTTP headers it uses (Accept, Accept-Encoding, Accept-Language, etc.), so if you spoof just your User-Agent header you're just telling the website that you e.g. use Firefox with a user-agent-spoofing add-on. You're only making it worse!
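To make the point in the post above concrete, here is an added example (my own code, not from the thread) of the consistency check a site can run: it derives the browser family from the non-UA headers and compares it with what the User-Agent claims. The header profiles are constructed and simplified for illustration (real values vary by browser version), and the function names are my own.

```python
import hashlib

# Constructed, simplified per-browser header profiles (assumption: illustrative only;
# real Accept/Accept-Language values differ across versions and locales).
KNOWN_PROFILES = {
    "Firefox": {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
    },
    "Chrome": {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.9",
        "Accept-Encoding": "gzip, deflate, br",
    },
}

# Headers a server sees on every request and can feed into a passive fingerprint.
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")


def ua_family(user_agent):
    """Browser family the User-Agent string claims."""
    ua = user_agent or ""
    if "Firefox/" in ua:
        return "Firefox"
    if "Chrome/" in ua and "Edg/" not in ua:
        return "Chrome"
    return "unknown"


def headers_family(headers):
    """Browser family implied by the non-UA headers alone."""
    for family, profile in KNOWN_PROFILES.items():
        if all(headers.get(k) == v for k, v in profile.items()):
            return family
    return "unknown"


def fingerprint(headers):
    """Stable short hash over the observable header set (order-independent)."""
    material = "\n".join(f"{k}: {headers.get(k, '')}" for k in FINGERPRINT_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def inconsistent(headers):
    """True when the UA claims one known browser but the other headers match another."""
    claimed = ua_family(headers.get("User-Agent"))
    implied = headers_family(headers)
    return claimed != "unknown" and implied != "unknown" and claimed != implied


# Constructed sample requests.
GENUINE_FIREFOX = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    **KNOWN_PROFILES["Firefox"],
}
# Same browser, but only the User-Agent swapped to a Chrome string: the rest still says Firefox.
UA_SPOOFED_FIREFOX = {
    **GENUINE_FIREFOX,
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/120.0.0.0 Safari/537.36",
}

if __name__ == "__main__":
    for name, req in (("genuine", GENUINE_FIREFOX), ("ua-spoofed", UA_SPOOFED_FIREFOX)):
        print(name, fingerprint(req), "claims", ua_family(req["User-Agent"]),
              "headers say", headers_family(req), "inconsistent:", inconsistent(req))
```

The spoofed request gets a different fingerprint from the genuine one, so it does not blend into the Firefox population, and `inconsistent()` flags it outright because the Accept headers still match the Firefox profile while the UA claims Chrome. That is the "you're only making it worse" case: the mismatch itself is a rarer and more identifying signal than either browser's real header set.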
>>2218 luks is fast and easy, friend
>>2239 >I'm going to buy a new laptop soon. What model should I get if I want privacy? Something librebooted >Also, what's a distribution? A combination of package manager and package configurations. Ubuntu, Debian, Redhat, Suse, etc.
>>2933 >luks is fast and easy, friend Doesn't work that well with SSDs. Many report 50% drop in performance. There's also the TRIM dilemma: either you TRIM, which leaks some information (space usage, filesystem used), or you don't TRIM and your SSD will have shorter life-span and deteriorating performance. https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html I guess if you don't do full disk encryption and instead only encrypt your /home then it's not such a big issue. >>2218 >Also, duckduckgo has shit results. True. I don't know what happened in the last couple of years but all of these "alternative" search engines have become complete utter shit. You use 5+ very specific keywords, looking for something specific and obscure, and it always spits out the most generic results possible based on only one or two of the terms used. Quoting keywords doesn't have any effect anymore either. It's such a pain trying to find anything, trying to make the search engine finally listen. Most of the time I just give up. I'm seriously considering just using Google, but it blocks Tor with its stupid infinitely-looping AI-training captchas. Bing is also an improvement, but it seems heavily biased towards regional results, so it's not that useful over Tor.
Let's get into some meatspace privacy stuff. Here is a map with camera locations: https://sunders.uber.space/ You can add cameras that you see outside on openstreetmap and they will be added here.
I'm finally starting to take my privacy seriously. I've already been doing a lot of the easier/lazier stuff in this thread for a long time, but I've been stuck in the google ecosystem for like 10+ years(email and youtube mostly). I'm gradually cutting all ties with it. I'm sure the profile they've built will still be able to identify me when I pop up on their radar, but not spoon-feeding them my data directly should be an improvement. Between my VPN usage and general browser security I should have a little more privacy.
>>3528 pretty much the best most people can do. Fact is, if they want your info/data they can and will get it. Doesn't mean you need to make it easy, nor give them all of it.
i like this blog, was fun to read through. The author tends to emphasize how opsec is more than just the software you use https://grugq.github.io/blog/2013/12/01/yardbirds-effective-usenet-tradecraft/
https://n-o-d-e.net/nano_server2.html I'm building one of these next week to finally set up a pihole with, and maybe do some other dumb stuff like keep a little local backup of my CV etc. I'm not sure if that's actually that smart though; none of the info I'd be backing up isn't already public, but I don't know about keeping it on the same box as a DNS server that's probably going to be constantly hammered by ads. Thoughts? OR should I just back up the files I want to keep onto another Micro SD card and tape it to the top of the server? Really interested in the utility of little hobbyist hardware solutions for common privacy issues like corpo tracking, and it will be a fun project even if it's only marginally effective.
>>2214 >Use a password manager like Keepass is it alright if i use bitwarden? i like the easy sync across multiple devices
>>3958 If you're talking about their cloud offering then it's enough to deal with reducing password reuse, but because the database is stored on their server and is encrypted/decrypted via a webpage they control you should not expect any protection whatsoever from anyone with serious resources. If a three letter agency wanted access to your passwords on a self controlled keepass database then they would have to either thoroughly compromise your computer (to the point nothing would help) or get the password via other means; for something like bitwarden they could potentially walk into the office with a subpoena and have them change the web page so it sends your password to the server and decrypts your db for them. Since there is no warrant canary assume this has already occurred.
>>3958 I'm using keepass and tbh I don't see the problem with just transferring the file around, it's like 5kb. I've got into the habit of just copy/pasting it across my different machines when I update it on my main machine; it takes like 2 seconds to copy it to my phone and push it over Warpinator or ssh to my laptop. If I needed to get it remotely for some reason I could just put the encrypted password file in a cloud repo or github or something and up the masterpass complexity/change the pass after downloading the file (I don't foresee ever needing this so I don't have an online backup of it, doesn't seem like the greatest idea even if a 30 character properly configured master password should be virtually uncrackable). I think the slight hassle is worth the extra comfiness of knowing it's not being passed around in a cloud server by some company somewhere, and the passwords don't need to change often, since they're so strong, and they all get changed at once since force change after a certain time is enabled for them.
I really hate that I can't post on fourchins with my vpn. I want to basically fight every right wing post that they shoehorn into any thread.
anyone virtualize whonix on debian: what version of virtualbox do you use?
