Difference between revisions of "Security"

From TBP Wiki
Jump to: navigation, search
(Created page with "<strong>Security</strong> Security is a broad term covering everything from stopping your girlfriend from finding your porn folder to stopping the NSA from [http://en.wikiped...")
 
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
<strong>Security</strong>
+
Security is a broad term covering everything from stopping your girlfriend from finding your porn folder to stopping the NSA from [[Wikipedia:Stuxnet |breaking into your nuclear power plant]].
  
Security is a broad term covering everything from stopping your girlfriend from finding your porn folder to stopping the NSA from [http://en.wikipedia.org/wiki/Stuxnet breaking into your nuclear power plant].
+
In our post-Snowden world, it is easy to fall into [https://www.eff.org/deeplinks/2014/10/they-fight-surveillance-and-you-can-too security nihilism] (i.e. "'they' know everything so why bother?") or to think [http://www.thoughtcrime.org/blog/we-should-all-have-something-to-hide/ you] [http://www.digitizd.com/2014/09/06/why-care-about-online-privacy-if-youve-got-nothing-to-hide/ have] [http://www.techrepublic.com/blog/it-security/why-nothing-to-hide-misrepresents-online-privacy/ nothing] [https://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/ to] [http://www.wired.com/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/ hide].
 
 
In our post-Snowden world, it is easy to fall into [https://www.eff.org/deeplinks/2014/10/they-fight-surveillance-and-you-can-too security nihilism] (i.e. "'they' know everything so why bother?") or to think [https://moxie.org/blog/we-should-all-have-something-to-hide/ you] [https://www.digitizd.com/2014/09/06/why-care-about-online-privacy-if-youve-got-nothing-to-hide/ have] [https://www.techrepublic.com/blog/it-security/why-nothing-to-hide-misrepresents-online-privacy/ nothing] [https://www.chronicle.com/article/Why-Privacy-Matters-Even-if/127461/ to] [https://www.wired.com/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/ hide].
 
  
 
The worst thing you can have is a false sense of security.
 
The worst thing you can have is a false sense of security.
Line 9: Line 7:
 
This page cannot possibly define every attack and mitigation strategy available. Instead it aims to provide a decent overview of basic security principles and techniques.
 
This page cannot possibly define every attack and mitigation strategy available. Instead it aims to provide a decent overview of basic security principles and techniques.
  
=Define your adversary=
+
==Define your adversary==
  
 
Who/What do you want to have security from? Who/What is a threat to you? Who/What do you want to keep things private from?
 
Who/What do you want to have security from? Who/What is a threat to you? Who/What do you want to keep things private from?
  
* Your mother?
+
*You mother?
* Thieves?
+
*Thieves?
* Hackers, Viruses, Malware and Phishing?
+
*Hackers, Viruses, Malware and Phishing?
* Advertisers/Marketing companies who build profiles on you to sell you garbage?
+
*Advertisers/Marketing companies who build profiles on you to sell you garbage?
* Rivals and rival businesses?
+
*Rivals and rival businesses?
* Government policies you don't agree with and wish to legally avoid?
+
*Government policies you don't agree with and wish to legally avoid?
* Foreign government policies you don't agree with?
+
*Foreign government policies you don't agree with?
* Copyright trolls?
+
*Copyright trolls?
* Local Law Enforcement Agencies (LEA)?
+
*Local Law Enforcement Agencies (LEA)?
* National Law Enforcement Agencies?
+
*National Law Enforcement Agencies?
  
 
or perhaps you wish to:
 
or perhaps you wish to:
  
* Publish anonymously?
+
*Publish anonymously?
* Keep journalistic sources safe?
+
*Keep journalistic sources safe?
* Participate in whistleblowing?
+
*Participate in whistleblowing?
  
 
or are you under attack from:
 
or are you under attack from:
  
* Psycho ex-partners/family members?
+
*Psycho ex-partners/family members?
* Internet trolls/doxxers?
+
*Internet trolls/doxxers?
  
 
or maybe you just want to:
 
or maybe you just want to:
  
* Be as secure as possible as a fun experiment?
+
*Be as secure as possible as a fun experiment?
  
Knowing your "enemy" is important. Thinking in terms of NSA technology is depressing, but narrowing your threat down to advertising trackers makes the battle seem much more practical and winnable.  
+
Knowing your "enemy" is important. Thinking in terms of NSA technology is depressing, but narrowing your threat down to advertising trackers makes the battle seem much more practical and winnable.
  
=Threat analysis=
+
==Threat analysis==
For any adversary, there are a few key factors you must consider if you want to create an effective defense.  
+
For any adversary, there are a few key factors you must consider if you want to create an effective defense.
  
* Competence - Just because it's possible to defeat your security, doesn't mean your adversary can. Not everyone knows how to do everything.
+
*Competence - Just because it's possible to defeat your security, doesn't mean your adversary can. Not everyone knows how to do everything.
 +
**Resources - Knowing how to do something and being able to do it are two different things. For instance, the adversary may know a quantum algorithm to quickly crack your encrypted file, but if they don't actually have access to a quantum computer, that won't do them much good (although they can archive the file indefinitely until QCs become commonplace).
 +
*Motivation - Does the attacker want to attack you? The attackers that have the most competence and resources often want to get something worthwhile for their trouble. They prefer high value targets like banks, government sites, corporate networks, eCommerce credit card databases, and huge swathes of very insecure computers that can be used as botnets. You don't really need to have perfect security to avoid getting attacked, you just need to have more security than is worth defeating to get what you have (or appear to have).
 +
*Physical access - It is a maxim of security that if the adversary has physical access to your computer, you've lost. Physical access doesn't just mean stealing the computer and putting it in a secret vault, it can be as simple as being able to come into your house and plant some kind of concealed device on the computer while you're out buying groceries.
  
* Resources - Knowing how to do something and being able to do it are two different things. For instance, the adversary may know a quantum algorithm to quickly crack your encrypted file, but if they don't actually have access to a quantum computer, that won't do them much good (although they can archive the file indefinitely until QCs become commonplace).
+
Typically, the most dangerous hackers have high competence but not physical access. The ones that have physical access rarely are competent. The ones that have both resources and competence have better things to do than hack you. At most you will be hit by their automated software that looks for common, typical weaknesses (really bad [[Passwords | passwords]] like "qwerty" or "rosebud", running vulnerable software that is years behind on security updates) in millions of machines. This is why security through obscurity will work on them - they can easily defeat your system, but it's not worth it for them since there's not enough people like you out there to justify the effort of writing a hack.
  
* Motivation - Does the attacker want to attack you? The attackers that have the most competence and resources often want to get something worthwhile for their trouble. They prefer high value targets like banks, government sites, corporate networks, eCommerce credit card databases, and huge swathes of very insecure computers that can be used as botnets. You don't really need to have perfect security to avoid getting attacked, you just need to have more security than is worth defeating to get what you have (or appear to have).
+
So, at both ends of the spectrum you have a balance: Each class of adversary always has one or more severe disadvantage. You can exploit this to create strong defense. The one exception is government intelligence agencies like NSA. These have both physical access, are highly competent, and have immense resources. The only thing standing between you and them is motivation. In other words, the moment NSA has a reason to suspect you, you're done. Best you can do is don't do things they don't like.
* Physical access - It is a maxim of security that if the adversary has physical access to your computer, you've lost. Physical access doesn't just mean stealing the computer and putting it in a secret vault, it can be as simple as being able to come into your house and plant some kind of concealed device on the computer while you're out buying groceries.
 
 
 
Typically, the most dangerous hackers have high competence but not physical access. The ones that have physical access rarely are competent. The ones that have both resources and competence have better things to do than hack you. At most you will be hit by their automated software that looks for common, typical weaknesses (really bad passwords like "qwerty" or "rosebud", running vulnerable software that is years behind on security updates) in millions of machines. This is why security through obscurity will work on them - they can easily defeat your system, but it's not worth it for them since there's not enough people like you out there to justify the effort of writing a hack.
 
 
 
So, at both ends of the spectrum you have a balance: Each class of adversary always has one or more severe disadvantage. You can exploit this to create strong defense. The one exception is government intelligence agencies like NSA. These have both physical access, are highly competent, and have immense resources. The only thing standing between you and them is motivation. In other words, the moment NSA has a reason to suspect you, you're done. Best you can do is don't do things they don't like.  
 
 
 
=Practices by kind of adversary=
 
<strong>Against your mother</strong>
 
  
 +
==Practices by kind of adversary==
 +
===Against your mother===
 
Your mother can:
 
Your mother can:
  
* Physically access your computer.
+
*Physically access your computer.
* Physically access your computer when you're not there.
+
*Physically access your computer when you're not there.
* Spy over your shoulder.
+
*Spy over your shoulder.
  
 
These can be serious security implications, however your mother is unlikely to either:
 
These can be serious security implications, however your mother is unlikely to either:
  
* Have the technical knowledge to perform an attack.
+
*Have the technical knowledge to perform an attack.
* Have the motivation to perform an attack.
+
*Have the motivation to perform an attack.
  
 
Her motivation:
 
Her motivation:
  
* None, actually. All your mother is likely to do is walk past when you're masturbating, or perform a Windows Search for her cat photos and accidentally turn up your hentai.
+
*None, actually. All your mother is likely to do is walk past when you're masturbating, or perform a Windows Search for her cat photos and accidentally turn up your hentai.
  
 
In response, you can:
 
In response, you can:
  
* Lock the door to your room.
+
*Lock the door to your room.
* Zip/rar/7z your porn with a password.
+
*Zip/rar/7z your porn with a password.
* Encrypt your home directory.
+
*Encrypt your home directory.
* Put a password on your bios and deny her booting your computer.
+
*Put a password on your bios and deny her booting your computer.
 
 
<strong>Against thieves</strong>
 
  
 +
===Against thieves===
 
Thieves can:
 
Thieves can:
  
* Physically steal your computer and deny you access to your data.
+
*Physically steal your computer and deny you access to your data.
* Remove the storage drive from your computer and recover data.
+
*Remove the storage drive from your computer and recover data.
* Recruit a nerd friend to do something with your hardware.
+
*Recruit a nerd friend to do something with your hardware.
* Sell your storage drive to someone who might be actually interested in its content.
+
*Sell your storage drive to someone who might be actually interested in its content.
  
 
Their motivation:
 
Their motivation:
  
* Making money as fast as possible from selling off your stuff. If they can get your data they will sell it, but if they can't they will settle for the cash value of your hardware.
+
*Making money as fast as possible from selling off your stuff. If they can get your data they will sell it, but if they can't they will settle for the cash value of your hardware.
  
 
They are interested in:
 
They are interested in:
  
* First and foremost, your hardware.
+
*First and foremost, your hardware.
* In second term, whatever personal data they can find inside. They will usually give up if they can't access it.
+
*In second term, whatever personal data they can find inside. They will usually give up if they can't access it.
  
 
In response you can:
 
In response you can:
  
* Encrypt your home directory.
+
*Encrypt your home directory.
* Use full disk encryption.
+
*Use full disk encryption.
* Backup your data and physically hide it.
+
*Backup your data and physically hide it.
  
<strong>Against hackers, viruses, malware and phishing</strong>
+
===Against hackers, viruses, malware and phishing===
  
 
Assuming hackers here are your run of the mill script kiddies and not nation states, hackers can:
 
Assuming hackers here are your run of the mill script kiddies and not nation states, hackers can:
  
* Use Remote Exploits to access your computer (hacking your computer).
+
*Use Remote Exploits to access your computer (hacking your computer).
* Trick you into running exploits on your computer (viruses, malware).
+
*Trick you into running exploits on your computer (viruses, malware).
* Trick you into disclosing the credentials to your computer or web services (phishing).
+
*Trick you into disclosing the credentials to your computer or web services (phishing).
* Manipulate company employees into handing over your login details or control of your account (social engineering)
+
*Manipulate company employees into handing over your login details or control of your account (social engineering)
* Guess the credentials to your computer or web services (cracking).
+
*Guess the credentials to your computer or web services (cracking).
* Break into web services and determine your credentials (hacking web services).
+
*Break into web services and determine your credentials (hacking web services).
  
 
While hackers will always know about security problems before everyone else, they are less likely to use their brand new exploits against random people. High value targets (whether they be financial (paypal?), political (fbi website?) or lulzy (the fappening)) are much more likely to be their focus. Unknown exploits are valuable: They are obtained by hard work or paying for them on the black market. But the moment you use them, everyone will find out and patch the hole. So the hacker wants to make it count, he doesn't want to blow his one shot on something worthless.
 
While hackers will always know about security problems before everyone else, they are less likely to use their brand new exploits against random people. High value targets (whether they be financial (paypal?), political (fbi website?) or lulzy (the fappening)) are much more likely to be their focus. Unknown exploits are valuable: They are obtained by hard work or paying for them on the black market. But the moment you use them, everyone will find out and patch the hole. So the hacker wants to make it count, he doesn't want to blow his one shot on something worthless.
Line 119: Line 113:
 
Day to day attacks will be from relatively unskilled hackers (script kiddies) and deployed against ip address on the internet.
 
Day to day attacks will be from relatively unskilled hackers (script kiddies) and deployed against ip address on the internet.
  
Occasionally a large internet service will lose it's password database to hackers e.g. twitch.tv. Sooner or later one of these headline hacks will affect you.
+
Occasionally a large internet service will lose it's password database to hackers e.g. [http://www.bbc.co.uk/news/technology-32034102 twitch.tv]. Sooner or later one of these headline hacks will affect you.
  
 
In response you can:
 
In response you can:
  
* Keep your operating system and software up to date to cut down on remote exploits.
+
*Keep your operating system and software up to date to cut down on remote exploits.
* Use anti-virus and anti-malware scanning software.
+
*Use anti-virus and anti-malware scanning software.
* Be wary about running unknown software or logging into untrusted sites (common sense 2016).
+
*Be wary about running unknown software or logging into untrusted sites (common sense 2016).
* Run a restrictive firewall to allow only certain applications access to the network.
+
*Run a restrictive firewall to allow only certain applications access to the network.
* Use a password manager to generate random, secure passwords for your local computer accounts and web services.
+
*Use a password manager to generate random, secure passwords for your local computer accounts and web services.
* Use a different password on each site. Knowing one password shouldn't make it easier to guess the others.
+
**Use a different password on each site. Knowing one password shouldn't make it easier to guess the others.
* Give fake personal info where possible, so that info from one hacked account can't be used to break into other accounts by messing with the "Forgot Password" feature or calling and manipulating support/customer service.
+
**Give fake personal info where possible, so that info from one hacked account can't be used to break into other accounts by messing with the "Forgot Password" feature or calling and manipulating support/customer service.
* Only use trusted web services, and give them as little sensitive data as possible.
+
*Only use trusted web services, and give them as little sensitive data as possible.
* If you shop online, try to delete Credit Cards when you're done using them, don't keep them saved in the account.
+
**If you shop online, try to delete Credit Cards when you're done using them, don't keep them saved in the account.
* Use Two Factor Authentication (2FA) for higher value web services (banking, email).
+
*Use Two Factor Authentication (2FA) for higher value web services (banking, email).
  
<strong>Against a jealous girlfriend</strong>
+
===Against a jealous girlfriend===
  
 
Let's supposed that through sheer dumb luck, you managed to get a girlfriend. Unfortunately, she was a jealous bitch from the beginning, but due to >tfwnogf you ended up accepting her anyway. Now you're stuck with a girl who wants to control your entire life. What do you do?
 
Let's supposed that through sheer dumb luck, you managed to get a girlfriend. Unfortunately, she was a jealous bitch from the beginning, but due to >tfwnogf you ended up accepting her anyway. Now you're stuck with a girl who wants to control your entire life. What do you do?
Line 140: Line 134:
 
Your girlfriend can:
 
Your girlfriend can:
  
* Physically access your computer and phone.
+
*Physically access your computer and phone.
* Spy over your shoulder.
+
*Spy over your shoulder.
* Possibly physically access your computer when you're not there.
+
*Possibly physically access your computer when you're not there.
* Recruit nerd friends, i.e. hackers, viruses, malware and phishing, to help her break into your devices if you put up any resistance.
+
*Recruit nerd friends, i.e. hackers, viruses, malware and phishing, to help her break into your devices if you put up any resistance.
  
 
Her motivation:
 
Her motivation:
  
* Get any shred of positive evidence that you're cucking her. For security purposes, assume that a jealous girlfriend is emotionally attached to the idea that you're going to cuck her. No amount of evidence against will ever convince her of the opposite, and a single, dubious figment of evidence in favor will confirm her suspicions. Her determination will be extreme: they say hell hath no fury but that of a woman scorned, so be prepared for a fight that at best will only end when either side decides to break up, at worst with injury or material damage for either side, or if you live in an SJW place, with a false rape accusation.
+
*Get any shred of positive evidence that you're cucking her. For security purposes, assume that a jealous girlfriend is emotionally attached to the idea that you're going to cuck her. No amount of evidence against will ever convince her of the opposite, and a single, dubious figment of evidence in favor will confirm her suspicions. Her determination will be extreme: they say hell hath no fury but that of a woman scorned, so be prepared for a fight that at best will only end when either side decides to break up, at worst with injury or material damage for either side, or if you live in an SJW place, with a false rape accusation.
  
 
She is interested in:
 
She is interested in:
  
* Your location ("why were you on this part of town where this bitch lives?").
+
*Your location ("why were you on this part of town where this bitch lives?").
* Your communication metadata ("who is that skank you talk to all the time?").
+
*Your communication metadata ("who is that skank you talk to all the time?").
* Your personal media ("who is this bitch in the picture?").
+
*Your personal media ("who is this bitch in the picture?").
* Your login credentials (there is no better place to find all that than your social media accounts).
+
*Your login credentials (there is no better place to find all that than your social media accounts).
  
 
In response, you can:
 
In response, you can:
  
* Do everything you would do against your mom, against thieves and against virii, hackers and malware.
+
*Do everything you would do against your mom, against thieves and against virii, hackers and malware.
* Never share your passwords. This is going to be the hardest one. Women are natural savants when it comes to emotions and know every single emotional manipulation trick under the sun, and a jealous girlfriend will have no qualms on abusing them if that's what it takes to make you cough up your password. Do not fall for any blackmail, badmouthing, refusal of sexual consent, melodrama, fake tears or blaming. Password sharing is not a proof of love or a ritual of intimacy, it is a dangerous practice that negates every single countermeasure you take against information breaches. Be especially wary if this is your first girlfriend: chances are she perfectly knows you have the relationship experience of a high school kid (even if you consistently negate it, girls are experts at reading your true emotions), meaning that you will fall squarely for every single one of her tricks and charms.
+
*Never share your passwords. This is going to be the hardest one. Women are natural savants when it comes to emotions and know every single emotional manipulation trick under the sun, and a jealous girlfriend will have no qualms on abusing them if that's what it takes to make you cough up your password. Do not fall for any blackmail, badmouthing, refusal of sexual consent, melodrama, fake tears or blaming. Password sharing is ''not'' a proof of love or a ritual of intimacy, it is a dangerous practice that negates every single countermeasure you take against information breaches. Be especially wary if this is your first girlfriend: chances are she perfectly knows you have the relationship experience of a high school kid (even if you consistently negate it, girls are experts at reading your true emotions), meaning that you will fall squarely for every single one of her tricks and charms.
* * Alternatively, create a decoy account and share the password to that. Before sharing, protest that you hardly use your account anyway, and that you're embarrassed about how you don't have any friends. This will make it more credible.
+
**Alternatively, create a decoy account and share the password to that. Before sharing, protest that you hardly use your account anyway, and that you're embarrassed about how you don't have any friends. This will make it more credible.
* Keep your phone with you at all times, with a password lock, encrypted and with instant screen lock. Consider enabling the fingerprint reader if securing your phone outweighs giving the botnet your fingerprint.
+
*Keep your phone with you at all times, with a password lock, encrypted and with instant screen lock. Consider enabling the fingerprint reader if securing your phone outweighs giving the botnet your fingerprint.
* * The phone is the weakest link:
+
**The phone is the weakest link:
* * * A truly strong password makes using the phone very inconvenient, since you have to unlock many times a day and typing on a phone is hard.
+
***A truly strong password makes using the phone very inconvenient, since you have to unlock many times a day and typing on a phone is hard.
* * * Of all your device, the one you will most commonly have to unlock in full view of others is your phone.
+
***Of all your device, the one you will most commonly have to unlock in full view of others is your phone.
* * * The way keyboards are implemented on phones (current character shown unmasked) makes shoulder surfing very easy.
+
***The way keyboards are implemented on phones (current character shown unmasked) makes shoulder surfing very easy.
* * * All the convenient options like PIN or pattern are laughably insecure.
+
***All the convenient options like PIN or pattern are laughably insecure.
* * * She can touch your finger to the scanner while you're asleep.
+
***She can touch your finger to the scanner while you're asleep.
* * * Face/eye recognition can be defeated with a photo.
+
***Face/eye recognition can be defeated with a photo.
* * * Phones are easy to break into by connecting to a computer.
+
***Phones are easy to break into by connecting to a computer.
* * It is very hard to keep your phone secure. Either have a secret secondary phone, or do not keep anything valuable on the phone.
+
**It is very hard to keep your phone secure. Either have a secret secondary phone, or do not keep anything valuable on the phone.
* * When deleting something, make sure you immediately overwrite your phone's writable storage with random data; on Android phones this is done with cat /dev/urandom > /sdcard/dsfargeg.fgsfds and then rm /sdcard/dsfargeg.fgsfds on Terminal Emulator.
+
**When deleting something, make sure you immediately overwrite your phone's writable storage with random data; on Android phones this is done with ''cat /dev/urandom > /sdcard/dsfargeg.fgsfds'' and then ''rm /sdcard/dsfargeg.fgsfds'' on Terminal Emulator.
* * Do a factory reset once in a while; depending on the magnitude of her jealousy, it could be anything from once every other month to every single week.
+
**Do a factory reset once in a while; depending on the magnitude of her jealousy, it could be anything from once every other month to every single week.
* Enable two-factor authentication as a safeguard against password sharing. This way, even if you share your password, she will require the login code that has been sent to your sealed, locked, encrypted phone that can only be unlocked with your own finger.
+
*Enable two-factor authentication as a safeguard against password sharing. This way, even if you share your password, she will require the login code that has been sent to your sealed, locked, encrypted phone that can only be unlocked with your own finger.
* Be especially wary of spear phishing. Do not click on any weird link sent by your closest friends, or if you feel compelled to do so, open it from a tightly secured operating system (a fresh VM) where you have never logged in to your social networks.
+
*Be especially wary of spear phishing. Do not click on any weird link sent by your closest friends, or if you feel compelled to do so, open it from a tightly secured operating system (a fresh VM) where you have never logged in to your social networks.
* Keep your GPS off at all times, or use a custom ROM that restricts apps' access to your location.
+
*Keep your GPS off at all times, or use a custom ROM that restricts apps' access to your location.
* Keep your lawyer on standby and call them the very moment she involves law enforcement into the mix (e.g. threatening with a rape accusation).
+
*Keep your lawyer on standby and call them the very moment she involves law enforcement into the mix (e.g. threatening with a rape accusation).
* Bail out of the relationship the very moment she starts inflicting physical violence on your or your possessions. >tfwnogf is better than >tfw my gf hits me.
+
*Bail out of the relationship the very moment she starts inflicting physical violence on your or your possessions. >tfwnogf is better than >tfw my gf hits me.
 
 
<strong>Advertisers/Marketing companies</strong>
 
  
 +
===Advertisers/Marketing companies===
 
Advertisers can:
 
Advertisers can:
  
* Collect information when you login to them.
+
*Collect information when you login to them.
* Track you across different websites you visit without logging into them.
+
*Track you across different websites you visit without logging into them.
* Track you via GPS on your phone.
+
*Track you via GPS on your phone.
* Track you online via WiFi on your phone.
+
*Track you online via WiFi on your phone.
* Track you offline via WiFi on your phone.
+
*Track you offline via WiFi on your phone.
* Track you offline via credit/debit cards.
+
*Track you offline via credit/debit cards.
* Track you offline via reward/membership cards.
+
*Track you offline via reward/membership cards.
  
Some of the security (or privacy) threats with advertisers are opt-in (i.e. you accepted it) and generally advertiser tracking isn't going to mess up your day. Problems arise when advertisers sell your information on to third parties (who in turn sell it to other third parties), go broke and auction off your data, get hacked or are victims of mass surveillance.
+
Some of the security (or privacy) threats with advertisers are opt-in (i.e. you accepted it) and generally advertiser tracking isn't going to mess up your day. Problems arise when advertisers sell your information on to third parties (who in turn sell it to other third parties), go broke and [http://arstechnica.com/tech-policy/2015/03/despite-privacy-policy-radioshack-customer-data-up-for-sale-in-auction/ auction off] your data, get hacked or are victims of mass surveillance.
  
 
It's worth noting that their revenue models would be colossally damaged if everyone ran adblocking software.
 
It's worth noting that their revenue models would be colossally damaged if everyone ran adblocking software.
Line 197: Line 190:
 
In response you can:
 
In response you can:
  
* Not create social media accounts, or create accounts with false information (although you'll still have the same friends, so are still opting in big time).
+
*Not create social media accounts, or create accounts with false information (although you'll still have the same friends, so are still opting in big time).
* Disable third party cookies in your browsers.
+
*Disable third party cookies in your browsers.
* Turn off GPS on your phone, or use a custom rom to limit which apps have access to your GPS.
+
*Turn off GPS on your phone, or use a custom rom to limit which apps have access to your GPS.
* Turn off WiFi on your phone, or use a custom rom to limit which apps have access to WiFi.
+
*Turn off WiFi on your phone, or use a custom rom to limit which apps have access to WiFi.
* Turn off WiFi when you're out and about, especially in [http://www.yro.slashdot.org/story/13/01/22/2216224/have-a-wi-fi-enabled-phone-stores-are-tracking-you malls]/[http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/19/how-stores-use-your-phones-wifi-to-track-your-shopping-habits shopping centres].
+
*Turn off WiFi when you're out and about, especially in [http://www.yro.slashdot.org/story/13/01/22/2216224/have-a-wi-fi-enabled-phone-stores-are-tracking-you malls]/[http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/19/how-stores-use-your-phones-wifi-to-track-your-shopping-habits shopping centres].
* Use cash.
+
*Use cash.
* * Debit cards tell your bank what you're buying and who from and where, and they [http://money.cnn.com/2011/07/06/pf/banks_sell_shopping_data/index.htm sell] [http://www.theguardian.com/business/2013/jun/24/barclays-bank-sell-customer-data that].
+
**Debit cards tell your bank what you're buying and who from and where, and they [http://money.cnn.com/2011/07/06/pf/banks_sell_shopping_data/index.htm sell] [http://www.theguardian.com/business/2013/jun/24/barclays-bank-sell-customer-data that].
* * Credit cards tell VISA/Mastercard/etc what you're buying and who from and where.
+
**Credit cards tell VISA/Mastercard/etc what you're buying and who from and where.
* Don't use reward cards. Most people [https://www.youtube.com/watch?v=f2Kji24833Y never use the "rewards"] and your privacy is worth more.
+
*Don't use reward cards. Most people [https://www.youtube.com/watch?v=f2Kji24833Y never use the "rewards"] and your privacy is worth more.
 
 
<strong>But I've already given them everything!</strong>
 
  
 +
====But I've already given them everything!====
 
So you've already given Facebook your phone number and address and date of birth? They already know your schools and job and hobbies? Why close the gate when the horse has bolted?
 
So you've already given Facebook your phone number and address and date of birth? They already know your schools and job and hobbies? Why close the gate when the horse has bolted?
  
* You'll change jobs.
+
*You'll change jobs.
* You'll move house.
+
*You'll move house.
* Your interests will change.
+
*Your interests will change.
* Your friends will change.
+
*Your friends will change.
* You'll get married/divorced/have children.
+
*You'll get married/divorced/have children.
* You could even change your name or get married and change your surname.
+
*You could even change your name or get married and change your surname.
  
Sure, the data they have today will still be valid in a week. But in six months? A year? Five years? The sooner you cut off advertisers from up to date information, the sooner it'll be out of date. Their databases will say you still like Linkin Park and Jackass unless you tell them otherwise. They'll also miss out on your patterns over time, not knowing the path of your history and making their future predictions inaccurate.  
+
Sure, the data they have today will still be valid in a week. But in six months? A year? Five years? The sooner you cut off advertisers from up to date information, the sooner it'll be out of date. Their databases will say you still like Linkin Park and Jackass unless you tell them otherwise. They'll also miss out on your patterns over time, not knowing the path of your history and making their future predictions inaccurate.
  
<strong>Cellphone service providers</strong>
+
===Cellphone service providers===
  
 
Your cell phone service provider can:
 
Your cell phone service provider can:
  
* See what cell tower you are connected to whenever your phone is on.
+
*See what cell tower you are connected to whenever your phone is on.
* See when your phone is switched off or out of coverage (they can't tell which).
+
*See when your phone is switched off or out of coverage (they can't tell which).
* See who you call and text, when and where, and for how long.
+
*See who you call and text, when and where, and for how long.
* See who calls and texts you, when where you are, and for how long.
+
*See who calls and texts you, when where you are, and for how long.
* See your data usage metadata and perhaps "full take" data.
+
*See your data usage metadata and perhaps "full take" data.
* Sell you a phone preloaded with their applications, which have all kinds of permissions granted.
+
*Sell you a phone preloaded with their applications, which have all kinds of permissions granted.
  
 
Cell phones are a big problem when trying to avoid location tracking. Without the cell tower your phone is only a phone when you have WiFi access, or not at all.
 
Cell phones are a big problem when trying to avoid location tracking. Without the cell tower your phone is only a phone when you have WiFi access, or not at all.
Line 235: Line 227:
 
In response you can:
 
In response you can:
  
* Use OTR in any instant messaging conversations. Install Pidgin and the [https://otr.cypherpunks.ca/ OTR plugin] for PC, and Xabber or ChatSecure for Android.
+
*Use OTR in any instant messaging conversations. Install Pidgin and the [https://otr.cypherpunks.ca/ OTR plugin] for PC, and Xabber or ChatSecure for Android.
* Use VoIP and data messaging instead of traditional calls and texts. Encrypted VoIP and messaging exists.
+
*Use VoIP and data messaging instead of traditional calls and texts. Encrypted VoIP and messaging exists.
* Convince your contacts to use VoIP and data messaging.
+
*Convince your contacts to use VoIP and data messaging.
* Install a firewall to restrict which apps have access to the data connection, or turn your data connection off completely.
+
*Install a firewall to restrict which apps have access to the data connection, or turn your data connection off completely.
* Uninstall preloaded apps, flash a custom ROM or buy a standalone phone unlocked from any provider.
+
*Uninstall preloaded apps, flash a custom ROM or buy a standalone phone unlocked from any provider.
* Leave your phone at home when you're going out.
+
*Leave your phone at home when you're going out.
* Keep airplane mode turned on when you don't use your phone (you can have it automatically turn on whenever the screen is off).
+
*Keep airplane mode turned on when you don't use your phone (you can have it automatically turn on whenever the screen is off).
 
 
<strong>Internet service providers</strong>
 
  
 +
===Internet service providers===
 
While your ISP is able to collect your metadata and block access to websites, these are generally because of Government Policy. Some ISPs will offer a "family friendly" site blocking option which you can turn off. Remember that while ISPs can most certainly be nefarious, usually it's the laws that compel them to give up your data to security agencies that can do you in, as the ISPs really can't do anything about it, but comply.
 
While your ISP is able to collect your metadata and block access to websites, these are generally because of Government Policy. Some ISPs will offer a "family friendly" site blocking option which you can turn off. Remember that while ISPs can most certainly be nefarious, usually it's the laws that compel them to give up your data to security agencies that can do you in, as the ISPs really can't do anything about it, but comply.
  
 
Your home or business ISP can:
 
Your home or business ISP can:
  
* Provide you with an email service which they control (e.g. you@yourISP.com).
+
*Provide you with an email service which they control (e.g. you@yourISP.com).
* Force you to use a modem which they retain root access to, which may also contain [http://www.scmagazineuk.com/over-700000-home-routers-threaten-enterprise-security/article/405279/ serious bugs].
+
*Force you to use a modem which they retain root access to, which may also contain [http://www.scmagazineuk.com/over-700000-home-routers-threaten-enterprise-security/article/405279/ serious bugs].
* Send you a modem that is configured by default to use their DNS, allowing easy logging of your traffic.
+
*Send you a modem that is configured by default to use their DNS, allowing easy logging of your traffic.
 +
 
 +
In response you can:
 +
 
 +
*Use an alternative email service and/or use [[PGP]].
 +
*Use OTR in any instant messaging conversations. Install Pidgin and the [https://otr.cypherpunks.ca/ OTR plugin] for PC, and Xabber or ChatSecure for Android.
 +
*Bridge your ISP modem to a router which you control (or just ditch your ISP modem for one you bought personally, if possible). $50 will buy you an [[OpenWRT]] compatible router.
 +
 
 +
===Government policies you can legally avoid===
 +
Governments policies may enable:
 +
 
 +
*Collection of metadata or "full take" internet data.
 +
*Forcing ISPs to block websites or internet services.
 +
 
 +
In response you can (if legal):
 +
 
 +
*Use HTTPS versions of websites wherever possible. There is a [https://www.eff.org/https-everywhere browser plugin] for this.
 +
*Use a Virtual Private Network (VPN)
 +
**These can be paid or free services. Don't trust free services to anything other than light trolling.
 +
**These can be based in a variety of countries and be bound by that country's laws, even though they have exits in multiple countries.
 +
**Some take your privacy [https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/ more seriously than others]. Ultimately it's down to you trusting their word, but [https://ssd.eff.org/en/module/choosing-vpn-thats-right-you do your homework and make an informed choice].
 +
*Use an anonymity network such as [[Tor]] (free, trustworthy).
 +
*Use a proxy for web browsing (free, perhaps trustworthy, perhaps not).
 +
*Use encrypted messaging when communicating with others.
 +
 
 +
See [https://ssd.eff.org/ Surveillance Self Defense] and [[Anonymising Yourself]] for more.
 +
 
 +
===Foreign government policies===
 +
Avoiding government surveillance/hacking from countries you're not legally bound to is essentially the same as avoiding your own government's policies (above) without the requirement to follow their laws.
 +
 
 +
===Copyright trolls===
 +
Copyright Trolls are companies which exist purely to litigate against perceived copyright infringements, often using loopholes in copyright law and borderline standover/intimidation tactics to force their target into taking a plea deal.
 +
 
 +
They have different tactics for organisations than they do for individuals. For individuals they can:
 +
 
 +
*Monitor/scrape torrent tracker information.
 +
*Monitor usenet posts.
 +
*Monitor irc chat and honeypot dcc.
 +
 
 +
Everything they access is publicly available. They have no more power than you do to monitor the internet. Some sites like http://mypiracy.net/ will show you what information you expose. If you don't see anything, it doesn't mean the trolls won't, but if you do, they can definitely see you.
 +
 
 +
In response you can:
 +
 
 +
*Use a VPN.
 +
*Use Tor, but not for torrenting as it only slows down the network for you and everyone else since your IP gets leaked anyway.
 +
 
 +
===Local Law Enforcement Agencies (LEA)===
 +
We're not talking about breaking the law here. If you want to be a criminal, you can fuck off.
 +
 
 +
We're talking about attending a protest or running a Tor Exit Node or participating in any other legal activity (or even being targeted by mistake) where your equipment may be monitored or seized.
 +
 
 +
Obviously laws are different in different countries and within different parts of the same country, but often local LEA can:
 +
 
 +
*Seize your devices and keep them for extended periods.
 +
*Request or [[Wikipedia:Key_disclosure_law |demand]] your passwords.
 +
*Detain you.
 +
*Request your metadata of "full take" data from your internet and cell phone service providers.
 +
*Request your metadata or "full take" data from higher law enforcement.
 +
*Question your friends/family/roommates/landlord/whoever.
  
 
In response you can:
 
In response you can:
  
* Use an alternative email service and/or use [https://wiki.installgentoo.com/index.php/PGP PGP].
+
*Be polite.
* Use OTR in any instant messaging conversations. Install Pidgin and the [https://otr.cypherpunks.ca/ OTR plugin] for PC, and Xabber or ChatSecure for Android.
+
*Speak to a lawyer for advice.
* Bridge your ISP modem to a router which you control (or just ditch your ISP modem for one you bought personally, if possible). $50 will buy you an [https://wiki.installgentoo.com/index.php/OpenWRT OpenWRT] compatible router.
+
*Know your rights.
 +
*Prepare yourself for attending a protest in the [https://ssd.eff.org/en/module/attending-protests-united-states US] or [https://ssd.eff.org/en/module/attending-protests-international elsewhere].
 +
 
 +
===National Law Enforcement Agencies===
 +
====Passive surveillance====
 +
Passive surveillance, or dragnet surveillance, is where all internet data is scooped up without a particular target in mind. The NSA tapping into undersea cables and spying on Google's data center links are some examples of this.
 +
 
 +
In response you can:
 +
 
 +
*Use end to end encryption wherever possible (e.g. email, web browsing, file transfer).
 +
*Use an anonymizing network such as Tor.
 +
 
 +
====Targeted attacks====
 +
Hopefully you're never targeted/attacked by this level of LEA/Intelligence agency, but depending on your country, they may be able to:
 +
 
 +
*Do everything local LEA can do.
 +
*Sniff your network traffic, be it home WiFi or [[Wikipedia:Stingray_Phone_Tracker |cell network]].
 +
*Attack your systems, perhaps with 0days (publicly unknown and unpatched vulnerabilities).
 +
*Intercept your online tech purchases and bug them.
 +
*Attack the systems of people you trust.
 +
*Pay off people you trust.
 +
*Detain you when entering/leaving their country.
 +
*Threaten you with [[Wikipedia:Aaron_Swartz#Arrest_and_prosecution |lengthy prison sentences]].
 +
*Stop you from revealing the attacks and stop others revealing to you that you're under attack.
 +
*Use the extensive information about you recorded in government databases to guess your passwords.
 +
*Secretly bug your house or install a keylogger on your computer.
 +
*Remotely view what's on your monitor from an adjacent room by [http://www.erikyyy.de/tempest/ analyzing its EM field].
 +
 
 +
And in extreme cases/countries:
 +
 
 +
*Do whatever they want to you.
 +
 
 +
In response you can:
 +
 
 +
*Kid yourself.
 +
*Use all of the above tactics combined.
 +
*Buy your tech equipment anonymously in a bricks-and-mortar store using cash.
 +
*Stay off the radar in the first place.
 +
*Go completely off the grid, including internet. Minimize use of technology.
 +
 
 +
==Practices by tool==
 +
The first thing to look for in any security tool is, what is the password/data recovery method? If you lose your password, what are the ways in which it can be recovered?
 +
 
 +
A real security tool will clearly say: If you lose your password, the data is gone and there is no way to get it back. If you can "recover the password", a hacker can too. More importantly, if they can restore your access, that means they are able to give themselves access, which means all their employees, any government person who asks, and any criminal that infiltrates them (by social engineering or hacking) can now also get access to your account/data without even needing to get past the password!
 +
 
 +
Beware especially systems that:
 +
 
 +
*Email passwords (email can get hacked, their database of passwords can get exfiltrated and dictionary attacked or brute forced)
 +
*Email password reset link (your email can get hacked)
 +
*Have a secret question (very easy to guess just by searching online social media info)
 +
*Allow recovery by booting from different OS/LiveCD (e.g. Windows user account password)
 +
 
 +
===Password manager===
 +
Don't use a cloud service. Even if encrypted, the database will be shuffled back and forth all over the internet constantly, and every time it's moving around, someone is saving a copy for later. If one day a vulnerability is discovered in encryption, what then?
 +
 
 +
Enable both password and key file. Cracking the password is too easy with only password (unless you use a +6-word diceware). Gaining access is as easy as stealing your key if no password.
 +
 
 +
==Practices by domain==
 +
===Phone===
 +
Phones are very insecure. Your phone is on you 24/7, and it is constantly being tracked by your cell provider because they always know which tower it's connected to. Your only options are:
 +
 
 +
*Don't carry a phone, or carry it in a Faraday cage, or keep it in airplane mode - basically all things that defeat the point of having a mobile phone
 +
*Accept that a lot of information on you is being gathered and make your peace with it
 +
 
 +
There is no real way to defeat cell tracking.
 +
 
 +
====Android====
 +
 
 +
*Ideally, you should not use GApps and opt for F-droid instead
 +
*Use [https://f-droid.org/repository/browse/?fdid=com.shadcat.secdroid SecDroid]
 +
**Disables binaries that can be used as an attack vector like: SSH, SSHD, NC, Telnet and Ping
 +
**Disallows installing apps via CLI/ADB, unless it is explicitly allowed
 +
**Secures the TCP Stack using Systctl
 +
*If you are on Marshmallow, using XPrivacy, or are using a custom ROM (that, plus Xposed with Xprivacy are your best bet) with built in permissions manager, make sure to fine-tune the permissions on a per-app basis to ensure minimal data leak;
 +
*Use XPrivacy <sup>(requires Xposed)</sup> if you can, since it not only allows you to manage permissions on a per-app basis, it also lets you feed an application with fake data to keep it running
 +
*Manage your firewall with [https://f-droid.org/repository/browse/?fdid=dev.ukanth.ufirewall AFWall+], an iptables front-end with VPN support
 +
*Use [https://guardianproject.info/wiki/Ostel CSSimple and OStel] as a replacement to the built-in calling apps
 +
*Use [[DNSCrypt]] to encrypt DNS queries between the name server and yourself, to mitigate MITM attacks
 +
*Patch your hosts file with [https://f-droid.org/repository/browse/?fdid=org.adaway AdAway] to avoid some unneeded third-party exposure, thereby reducing your online fingerprint
 +
 
 +
{{Tip|The newer the phone model, the newer the Linux kernel that comes with it and thus, (potentially) fewer security exploits.}}
 +
 
 +
==Laptop==
 +
Light, portable, easy to recognize, good resale value - laptops are very high on a thief's list. That and the fact that you carry it everywhere means there's a high risk it will get stolen.
 +
 
 +
*Always use full disk encryption. Losing a computer with a scrambled hard drive that cannot be opened is better than losing a computer and all your personal information.
 +
*Set a password to your BIOS to deny boot access and write down the password somewhere safe, resetting it in case you forget it is not easy at all unlike with desktops.
 +
*If you have a home computer, don't save on your laptop anything you believe you won't need on the go.
 +
*Get a Kensington lock cable, even if it's fairly weak and easy to cut with the proper tools it will still discourage some nearby Tyrones. There are locks who use other ports too such as the VGA one.
 +
*Keep your backpack with you at all times.
 +
**Develop the reflex of opening your trunk to get your computer every time you leave your car. Even if you're just getting a pack of smokes at the 7-Eleven; thieves are literally that fast.
 +
**Supermarkets will usually allow you to enter the premises with your backpack as long as you let the security staff know.
 +
**Be particularly careful about software security on your laptop if you connect to a public Wi-Fi. You never know who's using and who runs your Starbucks' network. Always connect to a VPN as soon as you connect to public Wi-Fi (this will prevent sniffing and MITM attacks) and make sure all your software is up to date.
 +
*Do not leave your laptop unattended anywhere—even for a second.
 +
**If you are in a coffee shop and you get called for your shitty coffee, do not just leave the laptop there; a thief will just grab it and run away, and now you are an idiot standing there with a coffee.
 +
**Do not leave your laptop sitting in a computer lab; Tyrone will take it.
 +
**Do not trust other people to look after your stuff while you take a shit; people are stupid and you should never trust them with anything.
 +
**There are team tactics thieves will use, such as distracting you over something stupid while thief #2 sneaks in and takes your stuff. Or thief #1 will steal something lesser off your table, you chase them while thief #2 casually takes your bag and laptop while you are distracted.
 +
 
 +
Most of the software-related practices are recommended for desktops too.
 +
 
 +
==Desktop==
 +
Since desktops are commonly easy to open and fuck with their hardware, the cheapest way to keep one safe is to thoroughly lock your door, use encryption and set a password to your BIOS, hoping that the burglar doesn't know shit about computers or simply isn't interested at all in the contents of your PC.
 +
 +
If you're willing to spend money you can also:
 +
 
 +
*Get a Kensington chassis lock or an adhesive desktop locking kit, which basically keeps your tower, monitor and other stuff from being stolen with a steel cable that links them all together. It can be cut with some effort though
 +
*Buy a custom locked enclosure to completely deny access to the whole tower, keep in mind though that "customized" = "expensive as hell"
 +
*Get an adhesive self-contained alarm, it requires a physical key to be armed/disarmed and it's linked to a cable that, if removed, sets off the alarm which sounds for hours, costs around 100 bucks
 +
*Learn Arduino and make a homebuilt alarm with cameras and motion sensors
 +
*Get a door like [https://www.youtube.com/watch?v=ET9SNXpeORY this one]for your office
 +
 
 +
==Server==
 +
 
 +
Having your own server secured in a data centre can be useful, but authorities can then raid the data centre and seize it, or bug it, or passively collect data through the data centre without you knowing.
 +
 
 +
==CryptoLockers==
 +
CryptoLockers are a reasonably new type of malware which encrypt files on your computer and demand a ransom (often bitcoin) to decrypt them. The ransom is usually fairly "reasonable" (sub $100) and a timer to destruction is included.
 +
 
 +
To render cryptolockers useless, see [[Backups]].
 +
 
 +
==Social Media/Web of communication==
 +
Keeping away from unwanted connections on social media is basically impossible. Changing your name or profile picture and/or changing accounts doesn't work because you will end up connecting to the same friends and familiarity with your new identity.
 +
 
 +
The block button is your best friend. Failing that, give up on social media. You won't convince all your friends to lock down their accounts so that you can't be found.
 +
 
 +
If you can't give up social media so easily, because, like most of us, you're addicted, then you can at least take steps to mitigate your addiction and reduce your social media usage.
 +
 
 +
*Find alternative sites to browse, or find another hobby like reading, or IRC for that social fix you crave.
 +
*If you can, unfollow (note, this doesn't necessarily mean unfriend or disconnect, unless you want to do that) all of your friends so that you don't get updates in whatever "news feed" the social media provider gives you. Without that "news feed", you'll find yourself needing to go back there less and less, instead using it only for messaging people.
 +
*Replace your social media's web instant messenger with a custom client you can use, like Pidgin, Jitsi etc (see [[Recommended software]]). A lot of this software will allow you to connect directly to the social media's IM system, whether through an <s>XMPP proxy (like Facebook)</s> [https://developers.facebook.com/docs/chat deprecated] or a software plugin (like Skype), so you don't have to log in to their website.
 +
*Use a [[freedom|free]] alternative to mainstream social media, such as [[GNU Social]] for twitter, [[GNU FM]] for last.fm, and [[MediaGoblin]] for YouTube.
 +
 
 +
==External links==
 +
General resources:
 +
 
 +
*http://reddit.com/r/netsec
 +
*http://seclists.org/fulldisclosure/
 +
*https://packetstormsecurity.com/files/
 +
*https://www.exploit-db.com/
 +
*http://radare.today/
 +
*https://www.reviewsed.com/malwarebytes-vs-avast/
 +
*https://hex-rays.com/products/ida/index.shtml
 +
*http://phrack.org/
 +
*https://www.alchemistowl.org/pocorgtfo/
 +
*https://www.vpnranks.com/torrent-vpn/
 +
*https://codup.co/wordpress-security-guide/
 +
*https://www.bestvpnprovider.com/bypass-isp-throttling/
 +
*https://www.techlectual.com/mcafee-vs-avast/
 +
*https://www.knowtechmag.com/paid-antivirus-vs-free-antivirus/
 +
 
 +
Cool "shit" :
 +
 
 +
*https://github.com/taviso/dbusmap
 +
*http://lcamtuf.coredump.cx/afl/
 +
*https://github.com/stealth/troubleshooter
 +
*https://grsecurity.net/
 +
*https://www.qubes-os.org/
 +
 
 +
==See also==
 +
 
 +
*[https://wiki.tbpindustries.com/index.php?title=Anonymizing_yourself Anonymizing Yourself ]
 +
*[[Encryption]]
 +
 
 +
[[Category:HowTo]]
 +
[[Category:Security]]
 +
[[Category:Recommendations]]

Latest revision as of 16:16, 11 May 2023

Security is a broad term covering everything from stopping your girlfriend from finding your porn folder to stopping the NSA from breaking into your nuclear power plant.

In our post-Snowden world, it is easy to fall into security nihilism (i.e. "'they' know everything so why bother?") or to think you have nothing to hide.

The worst thing you can have is a false sense of security.

This page cannot possibly define every attack and mitigation strategy available. Instead it aims to provide a decent overview of basic security principles and techniques.

Define your adversary

Who/What do you want to have security from? Who/What is a threat to you? Who/What do you want to keep things private from?

  • You mother?
  • Thieves?
  • Hackers, Viruses, Malware and Phishing?
  • Advertisers/Marketing companies who build profiles on you to sell you garbage?
  • Rivals and rival businesses?
  • Government policies you don't agree with and wish to legally avoid?
  • Foreign government policies you don't agree with?
  • Copyright trolls?
  • Local Law Enforcement Agencies (LEA)?
  • National Law Enforcement Agencies?

or perhaps you wish to:

  • Publish anonymously?
  • Keep journalistic sources safe?
  • Participate in whistleblowing?

or are you under attack from:

  • Psycho ex-partners/family members?
  • Internet trolls/doxxers?

or maybe you just want to:

  • Be as secure as possible as a fun experiment?

Knowing your "enemy" is important. Thinking in terms of NSA technology is depressing, but narrowing your threat down to advertising trackers makes the battle seem much more practical and winnable.

Threat analysis

For any adversary, there are a few key factors you must consider if you want to create an effective defense.

  • Competence - Just because it's possible to defeat your security, doesn't mean your adversary can. Not everyone knows how to do everything.
    • Resources - Knowing how to do something and being able to do it are two different things. For instance, the adversary may know a quantum algorithm to quickly crack your encrypted file, but if they don't actually have access to a quantum computer, that won't do them much good (although they can archive the file indefinitely until QCs become commonplace).
  • Motivation - Does the attacker want to attack you? The attackers that have the most competence and resources often want to get something worthwhile for their trouble. They prefer high value targets like banks, government sites, corporate networks, eCommerce credit card databases, and huge swathes of very insecure computers that can be used as botnets. You don't really need to have perfect security to avoid getting attacked, you just need to have more security than is worth defeating to get what you have (or appear to have).
  • Physical access - It is a maxim of security that if the adversary has physical access to your computer, you've lost. Physical access doesn't just mean stealing the computer and putting it in a secret vault, it can be as simple as being able to come into your house and plant some kind of concealed device on the computer while you're out buying groceries.

Typically, the most dangerous hackers have high competence but not physical access. The ones that have physical access rarely are competent. The ones that have both resources and competence have better things to do than hack you. At most you will be hit by their automated software that looks for common, typical weaknesses (really bad passwords like "qwerty" or "rosebud", running vulnerable software that is years behind on security updates) in millions of machines. This is why security through obscurity will work on them - they can easily defeat your system, but it's not worth it for them since there's not enough people like you out there to justify the effort of writing a hack.

So, at both ends of the spectrum you have a balance: Each class of adversary always has one or more severe disadvantage. You can exploit this to create strong defense. The one exception is government intelligence agencies like NSA. These have both physical access, are highly competent, and have immense resources. The only thing standing between you and them is motivation. In other words, the moment NSA has a reason to suspect you, you're done. Best you can do is don't do things they don't like.

Practices by kind of adversary

Against your mother

Your mother can:

  • Physically access your computer.
  • Physically access your computer when you're not there.
  • Spy over your shoulder.

These can be serious security implications, however your mother is unlikely to either:

  • Have the technical knowledge to perform an attack.
  • Have the motivation to perform an attack.

Her motivation:

  • None, actually. All your mother is likely to do is walk past when you're masturbating, or perform a Windows Search for her cat photos and accidentally turn up your hentai.

In response, you can:

  • Lock the door to your room.
  • Zip/rar/7z your porn with a password.
  • Encrypt your home directory.
  • Put a password on your bios and deny her booting your computer.

Against thieves

Thieves can:

  • Physically steal your computer and deny you access to your data.
  • Remove the storage drive from your computer and recover data.
  • Recruit a nerd friend to do something with your hardware.
  • Sell your storage drive to someone who might be actually interested in its content.

Their motivation:

  • Making money as fast as possible from selling off your stuff. If they can get your data they will sell it, but if they can't they will settle for the cash value of your hardware.

They are interested in:

  • First and foremost, your hardware.
  • In second term, whatever personal data they can find inside. They will usually give up if they can't access it.

In response you can:

  • Encrypt your home directory.
  • Use full disk encryption.
  • Backup your data and physically hide it.

Against hackers, viruses, malware and phishing

Assuming hackers here are your run of the mill script kiddies and not nation states, hackers can:

  • Use Remote Exploits to access your computer (hacking your computer).
  • Trick you into running exploits on your computer (viruses, malware).
  • Trick you into disclosing the credentials to your computer or web services (phishing).
  • Manipulate company employees into handing over your login details or control of your account (social engineering)
  • Guess the credentials to your computer or web services (cracking).
  • Break into web services and determine your credentials (hacking web services).

While hackers will always know about security problems before everyone else, they are less likely to use their brand new exploits against random people. High value targets (whether they be financial (paypal?), political (fbi website?) or lulzy (the fappening)) are much more likely to be their focus. Unknown exploits are valuable: They are obtained by hard work or paying for them on the black market. But the moment you use them, everyone will find out and patch the hole. So the hacker wants to make it count, he doesn't want to blow his one shot on something worthless.

Day to day attacks will be from relatively unskilled hackers (script kiddies) and deployed against ip address on the internet.

Occasionally a large internet service will lose it's password database to hackers e.g. twitch.tv. Sooner or later one of these headline hacks will affect you.

In response you can:

  • Keep your operating system and software up to date to cut down on remote exploits.
  • Use anti-virus and anti-malware scanning software.
  • Be wary about running unknown software or logging into untrusted sites (common sense 2016).
  • Run a restrictive firewall to allow only certain applications access to the network.
  • Use a password manager to generate random, secure passwords for your local computer accounts and web services.
    • Use a different password on each site. Knowing one password shouldn't make it easier to guess the others.
    • Give fake personal info where possible, so that info from one hacked account can't be used to break into other accounts by messing with the "Forgot Password" feature or calling and manipulating support/customer service.
  • Only use trusted web services, and give them as little sensitive data as possible.
    • If you shop online, try to delete Credit Cards when you're done using them, don't keep them saved in the account.
  • Use Two Factor Authentication (2FA) for higher value web services (banking, email).

Against a jealous girlfriend

Let's supposed that through sheer dumb luck, you managed to get a girlfriend. Unfortunately, she was a jealous bitch from the beginning, but due to >tfwnogf you ended up accepting her anyway. Now you're stuck with a girl who wants to control your entire life. What do you do?

Your girlfriend can:

  • Physically access your computer and phone.
  • Spy over your shoulder.
  • Possibly physically access your computer when you're not there.
  • Recruit nerd friends, i.e. hackers, viruses, malware and phishing, to help her break into your devices if you put up any resistance.

Her motivation:

  • Get any shred of positive evidence that you're cucking her. For security purposes, assume that a jealous girlfriend is emotionally attached to the idea that you're going to cuck her. No amount of evidence against will ever convince her of the opposite, and a single, dubious figment of evidence in favor will confirm her suspicions. Her determination will be extreme: they say hell hath no fury but that of a woman scorned, so be prepared for a fight that at best will only end when either side decides to break up, at worst with injury or material damage for either side, or if you live in an SJW place, with a false rape accusation.

She is interested in:

  • Your location ("why were you on this part of town where this bitch lives?").
  • Your communication metadata ("who is that skank you talk to all the time?").
  • Your personal media ("who is this bitch in the picture?").
  • Your login credentials (there is no better place to find all that than your social media accounts).

In response, you can:

  • Do everything you would do against your mom, against thieves and against virii, hackers and malware.
  • Never share your passwords. This is going to be the hardest one. Women are natural savants when it comes to emotions and know every single emotional manipulation trick under the sun, and a jealous girlfriend will have no qualms on abusing them if that's what it takes to make you cough up your password. Do not fall for any blackmail, badmouthing, refusal of sexual consent, melodrama, fake tears or blaming. Password sharing is not a proof of love or a ritual of intimacy, it is a dangerous practice that negates every single countermeasure you take against information breaches. Be especially wary if this is your first girlfriend: chances are she perfectly knows you have the relationship experience of a high school kid (even if you consistently negate it, girls are experts at reading your true emotions), meaning that you will fall squarely for every single one of her tricks and charms.
    • Alternatively, create a decoy account and share the password to that. Before sharing, protest that you hardly use your account anyway, and that you're embarrassed about how you don't have any friends. This will make it more credible.
  • Keep your phone with you at all times, with a password lock, encrypted and with instant screen lock. Consider enabling the fingerprint reader if securing your phone outweighs giving the botnet your fingerprint.
    • The phone is the weakest link:
      • A truly strong password makes using the phone very inconvenient, since you have to unlock many times a day and typing on a phone is hard.
      • Of all your device, the one you will most commonly have to unlock in full view of others is your phone.
      • The way keyboards are implemented on phones (current character shown unmasked) makes shoulder surfing very easy.
      • All the convenient options like PIN or pattern are laughably insecure.
      • She can touch your finger to the scanner while you're asleep.
      • Face/eye recognition can be defeated with a photo.
      • Phones are easy to break into by connecting to a computer.
    • It is very hard to keep your phone secure. Either have a secret secondary phone, or do not keep anything valuable on the phone.
    • When deleting something, make sure you immediately overwrite your phone's writable storage with random data; on Android phones this is done with cat /dev/urandom > /sdcard/dsfargeg.fgsfds and then rm /sdcard/dsfargeg.fgsfds on Terminal Emulator.
    • Do a factory reset once in a while; depending on the magnitude of her jealousy, it could be anything from once every other month to every single week.
  • Enable two-factor authentication as a safeguard against password sharing. This way, even if you share your password, she will require the login code that has been sent to your sealed, locked, encrypted phone that can only be unlocked with your own finger.
  • Be especially wary of spear phishing. Do not click on any weird link sent by your closest friends, or if you feel compelled to do so, open it from a tightly secured operating system (a fresh VM) where you have never logged in to your social networks.
  • Keep your GPS off at all times, or use a custom ROM that restricts apps' access to your location.
  • Keep your lawyer on standby and call them the very moment she involves law enforcement into the mix (e.g. threatening with a rape accusation).
  • Bail out of the relationship the very moment she starts inflicting physical violence on your or your possessions. >tfwnogf is better than >tfw my gf hits me.

Advertisers/Marketing companies

Advertisers can:

  • Collect information when you login to them.
  • Track you across different websites you visit without logging into them.
  • Track you via GPS on your phone.
  • Track you online via WiFi on your phone.
  • Track you offline via WiFi on your phone.
  • Track you offline via credit/debit cards.
  • Track you offline via reward/membership cards.

Some of the security (or privacy) threats with advertisers are opt-in (i.e. you accepted it) and generally advertiser tracking isn't going to mess up your day. Problems arise when advertisers sell your information on to third parties (who in turn sell it to other third parties), go broke and auction off your data, get hacked or are victims of mass surveillance.

It's worth noting that their revenue models would be colossally damaged if everyone ran adblocking software.

In response you can:

  • Not create social media accounts, or create accounts with false information (although you'll still have the same friends, so are still opting in big time).
  • Disable third party cookies in your browsers.
  • Turn off GPS on your phone, or use a custom rom to limit which apps have access to your GPS.
  • Turn off WiFi on your phone, or use a custom rom to limit which apps have access to WiFi.
  • Turn off WiFi when you're out and about, especially in malls/shopping centres.
  • Use cash.
    • Debit cards tell your bank what you're buying and who from and where, and they sell that.
    • Credit cards tell VISA/Mastercard/etc what you're buying and who from and where.
  • Don't use reward cards. Most people never use the "rewards" and your privacy is worth more.

But I've already given them everything!

So you've already given Facebook your phone number and address and date of birth? They already know your schools and job and hobbies? Why close the gate when the horse has bolted?

  • You'll change jobs.
  • You'll move house.
  • Your interests will change.
  • Your friends will change.
  • You'll get married/divorced/have children.
  • You could even change your name or get married and change your surname.

Sure, the data they have today will still be valid in a week. But in six months? A year? Five years? The sooner you cut off advertisers from up to date information, the sooner it'll be out of date. Their databases will say you still like Linkin Park and Jackass unless you tell them otherwise. They'll also miss out on your patterns over time, not knowing the path of your history and making their future predictions inaccurate.

Cellphone service providers

Your cell phone service provider can:

  • See what cell tower you are connected to whenever your phone is on.
  • See when your phone is switched off or out of coverage (they can't tell which).
  • See who you call and text, when and where, and for how long.
  • See who calls and texts you, when where you are, and for how long.
  • See your data usage metadata and perhaps "full take" data.
  • Sell you a phone preloaded with their applications, which have all kinds of permissions granted.

Cell phones are a big problem when trying to avoid location tracking. Without the cell tower your phone is only a phone when you have WiFi access, or not at all.

In response you can:

  • Use OTR in any instant messaging conversations. Install Pidgin and the OTR plugin for PC, and Xabber or ChatSecure for Android.
  • Use VoIP and data messaging instead of traditional calls and texts. Encrypted VoIP and messaging exists.
  • Convince your contacts to use VoIP and data messaging.
  • Install a firewall to restrict which apps have access to the data connection, or turn your data connection off completely.
  • Uninstall preloaded apps, flash a custom ROM or buy a standalone phone unlocked from any provider.
  • Leave your phone at home when you're going out.
  • Keep airplane mode turned on when you don't use your phone (you can have it automatically turn on whenever the screen is off).

Internet service providers

While your ISP is able to collect your metadata and block access to websites, these are generally because of Government Policy. Some ISPs will offer a "family friendly" site blocking option which you can turn off. Remember that while ISPs can most certainly be nefarious, usually it's the laws that compel them to give up your data to security agencies that can do you in, as the ISPs really can't do anything about it, but comply.

Your home or business ISP can:

  • Provide you with an email service which they control (e.g. you@yourISP.com).
  • Force you to use a modem which they retain root access to, which may also contain serious bugs.
  • Send you a modem that is configured by default to use their DNS, allowing easy logging of your traffic.

In response you can:

  • Use an alternative email service and/or use PGP.
  • Use OTR in any instant messaging conversations. Install Pidgin and the OTR plugin for PC, and Xabber or ChatSecure for Android.
  • Bridge your ISP modem to a router which you control (or just ditch your ISP modem for one you bought personally, if possible). $50 will buy you an OpenWRT compatible router.

Government policies you can legally avoid

Governments policies may enable:

  • Collection of metadata or "full take" internet data.
  • Forcing ISPs to block websites or internet services.

In response you can (if legal):

  • Use HTTPS versions of websites wherever possible. There is a browser plugin for this.
  • Use a Virtual Private Network (VPN)
    • These can be paid or free services. Don't trust free services to anything other than light trolling.
    • These can be based in a variety of countries and be bound by that country's laws, even though they have exits in multiple countries.
    • Some take your privacy more seriously than others. Ultimately it's down to you trusting their word, but do your homework and make an informed choice.
  • Use an anonymity network such as Tor (free, trustworthy).
  • Use a proxy for web browsing (free, perhaps trustworthy, perhaps not).
  • Use encrypted messaging when communicating with others.

See Surveillance Self Defense and Anonymising Yourself for more.

Foreign government policies

Avoiding government surveillance/hacking from countries you're not legally bound to is essentially the same as avoiding your own government's policies (above) without the requirement to follow their laws.

Copyright trolls

Copyright Trolls are companies which exist purely to litigate against perceived copyright infringements, often using loopholes in copyright law and borderline standover/intimidation tactics to force their target into taking a plea deal.

They have different tactics for organisations than they do for individuals. For individuals they can:

  • Monitor/scrape torrent tracker information.
  • Monitor usenet posts.
  • Monitor irc chat and honeypot dcc.

Everything they access is publicly available. They have no more power than you do to monitor the internet. Some sites like http://mypiracy.net/ will show you what information you expose. If you don't see anything, it doesn't mean the trolls won't, but if you do, they can definitely see you.

In response you can:

  • Use a VPN.
  • Use Tor, but not for torrenting as it only slows down the network for you and everyone else since your IP gets leaked anyway.

Local Law Enforcement Agencies (LEA)

We're not talking about breaking the law here. If you want to be a criminal, you can fuck off.

We're talking about attending a protest or running a Tor Exit Node or participating in any other legal activity (or even being targeted by mistake) where your equipment may be monitored or seized.

Obviously laws are different in different countries and within different parts of the same country, but often local LEA can:

  • Seize your devices and keep them for extended periods.
  • Request or demand your passwords.
  • Detain you.
  • Request your metadata of "full take" data from your internet and cell phone service providers.
  • Request your metadata or "full take" data from higher law enforcement.
  • Question your friends/family/roommates/landlord/whoever.

In response you can:

  • Be polite.
  • Speak to a lawyer for advice.
  • Know your rights.
  • Prepare yourself for attending a protest in the US or elsewhere.

National Law Enforcement Agencies

Passive surveillance

Passive surveillance, or dragnet surveillance, is where all internet data is scooped up without a particular target in mind. The NSA tapping into undersea cables and spying on Google's data center links are some examples of this.

In response you can:

  • Use end to end encryption wherever possible (e.g. email, web browsing, file transfer).
  • Use an anonymizing network such as Tor.

Targeted attacks

Hopefully you're never targeted/attacked by this level of LEA/Intelligence agency, but depending on your country, they may be able to:

  • Do everything local LEA can do.
  • Sniff your network traffic, be it home WiFi or cell network.
  • Attack your systems, perhaps with 0days (publicly unknown and unpatched vulnerabilities).
  • Intercept your online tech purchases and bug them.
  • Attack the systems of people you trust.
  • Pay off people you trust.
  • Detain you when entering/leaving their country.
  • Threaten you with lengthy prison sentences.
  • Stop you from revealing the attacks and stop others revealing to you that you're under attack.
  • Use the extensive information about you recorded in government databases to guess your passwords.
  • Secretly bug your house or install a keylogger on your computer.
  • Remotely view what's on your monitor from an adjacent room by analyzing its EM field.

And in extreme cases/countries:

  • Do whatever they want to you.

In response you can:

  • Kid yourself.
  • Use all of the above tactics combined.
  • Buy your tech equipment anonymously in a bricks-and-mortar store using cash.
  • Stay off the radar in the first place.
  • Go completely off the grid, including internet. Minimize use of technology.

Practices by tool

The first thing to look for in any security tool is, what is the password/data recovery method? If you lose your password, what are the ways in which it can be recovered?

A real security tool will clearly say: If you lose your password, the data is gone and there is no way to get it back. If you can "recover the password", a hacker can too. More importantly, if they can restore your access, that means they are able to give themselves access, which means all their employees, any government person who asks, and any criminal that infiltrates them (by social engineering or hacking) can now also get access to your account/data without even needing to get past the password!

Beware especially systems that:

  • Email passwords (email can get hacked, their database of passwords can get exfiltrated and dictionary attacked or brute forced)
  • Email password reset link (your email can get hacked)
  • Have a secret question (very easy to guess just by searching online social media info)
  • Allow recovery by booting from different OS/LiveCD (e.g. Windows user account password)

Password manager

Don't use a cloud service. Even if encrypted, the database will be shuffled back and forth all over the internet constantly, and every time it's moving around, someone is saving a copy for later. If one day a vulnerability is discovered in encryption, what then?

Enable both password and key file. Cracking the password is too easy with only password (unless you use a +6-word diceware). Gaining access is as easy as stealing your key if no password.

Practices by domain

Phone

Phones are very insecure. Your phone is on you 24/7, and it is constantly being tracked by your cell provider because they always know which tower it's connected to. Your only options are:

  • Don't carry a phone, or carry it in a Faraday cage, or keep it in airplane mode - basically all things that defeat the point of having a mobile phone
  • Accept that a lot of information on you is being gathered and make your peace with it

There is no real way to defeat cell tracking.

Android

  • Ideally, you should not use GApps and opt for F-droid instead
  • Use SecDroid
    • Disables binaries that can be used as an attack vector like: SSH, SSHD, NC, Telnet and Ping
    • Disallows installing apps via CLI/ADB, unless it is explicitly allowed
    • Secures the TCP Stack using Systctl
  • If you are on Marshmallow, using XPrivacy, or are using a custom ROM (that, plus Xposed with Xprivacy are your best bet) with built in permissions manager, make sure to fine-tune the permissions on a per-app basis to ensure minimal data leak;
  • Use XPrivacy (requires Xposed) if you can, since it not only allows you to manage permissions on a per-app basis, it also lets you feed an application with fake data to keep it running
  • Manage your firewall with AFWall+, an iptables front-end with VPN support
  • Use CSSimple and OStel as a replacement to the built-in calling apps
  • Use DNSCrypt to encrypt DNS queries between the name server and yourself, to mitigate MITM attacks
  • Patch your hosts file with AdAway to avoid some unneeded third-party exposure, thereby reducing your online fingerprint

Template:Tip

Laptop

Light, portable, easy to recognize, good resale value - laptops are very high on a thief's list. That and the fact that you carry it everywhere means there's a high risk it will get stolen.

  • Always use full disk encryption. Losing a computer with a scrambled hard drive that cannot be opened is better than losing a computer and all your personal information.
  • Set a password to your BIOS to deny boot access and write down the password somewhere safe, resetting it in case you forget it is not easy at all unlike with desktops.
  • If you have a home computer, don't save on your laptop anything you believe you won't need on the go.
  • Get a Kensington lock cable, even if it's fairly weak and easy to cut with the proper tools it will still discourage some nearby Tyrones. There are locks who use other ports too such as the VGA one.
  • Keep your backpack with you at all times.
    • Develop the reflex of opening your trunk to get your computer every time you leave your car. Even if you're just getting a pack of smokes at the 7-Eleven; thieves are literally that fast.
    • Supermarkets will usually allow you to enter the premises with your backpack as long as you let the security staff know.
    • Be particularly careful about software security on your laptop if you connect to a public Wi-Fi. You never know who's using and who runs your Starbucks' network. Always connect to a VPN as soon as you connect to public Wi-Fi (this will prevent sniffing and MITM attacks) and make sure all your software is up to date.
  • Do not leave your laptop unattended anywhere—even for a second.
    • If you are in a coffee shop and you get called for your shitty coffee, do not just leave the laptop there; a thief will just grab it and run away, and now you are an idiot standing there with a coffee.
    • Do not leave your laptop sitting in a computer lab; Tyrone will take it.
    • Do not trust other people to look after your stuff while you take a shit; people are stupid and you should never trust them with anything.
    • There are team tactics thieves will use, such as distracting you over something stupid while thief #2 sneaks in and takes your stuff. Or thief #1 will steal something lesser off your table, you chase them while thief #2 casually takes your bag and laptop while you are distracted.

Most of the software-related practices are recommended for desktops too.

Desktop

Since desktops are commonly easy to open and fuck with their hardware, the cheapest way to keep one safe is to thoroughly lock your door, use encryption and set a password to your BIOS, hoping that the burglar doesn't know shit about computers or simply isn't interested at all in the contents of your PC.

If you're willing to spend money you can also:

  • Get a Kensington chassis lock or an adhesive desktop locking kit, which basically keeps your tower, monitor and other stuff from being stolen with a steel cable that links them all together. It can be cut with some effort though
  • Buy a custom locked enclosure to completely deny access to the whole tower, keep in mind though that "customized" = "expensive as hell"
  • Get an adhesive self-contained alarm, it requires a physical key to be armed/disarmed and it's linked to a cable that, if removed, sets off the alarm which sounds for hours, costs around 100 bucks
  • Learn Arduino and make a homebuilt alarm with cameras and motion sensors
  • Get a door like this onefor your office

Server

Having your own server secured in a data centre can be useful, but authorities can then raid the data centre and seize it, or bug it, or passively collect data through the data centre without you knowing.

CryptoLockers

CryptoLockers are a reasonably new type of malware which encrypt files on your computer and demand a ransom (often bitcoin) to decrypt them. The ransom is usually fairly "reasonable" (sub $100) and a timer to destruction is included.

To render cryptolockers useless, see Backups.

Social Media/Web of communication

Keeping away from unwanted connections on social media is basically impossible. Changing your name or profile picture and/or changing accounts doesn't work because you will end up connecting to the same friends and familiarity with your new identity.

The block button is your best friend. Failing that, give up on social media. You won't convince all your friends to lock down their accounts so that you can't be found.

If you can't give up social media so easily, because, like most of us, you're addicted, then you can at least take steps to mitigate your addiction and reduce your social media usage.

  • Find alternative sites to browse, or find another hobby like reading, or IRC for that social fix you crave.
  • If you can, unfollow (note, this doesn't necessarily mean unfriend or disconnect, unless you want to do that) all of your friends so that you don't get updates in whatever "news feed" the social media provider gives you. Without that "news feed", you'll find yourself needing to go back there less and less, instead using it only for messaging people.
  • Replace your social media's web instant messenger with a custom client you can use, like Pidgin, Jitsi etc (see Recommended software). A lot of this software will allow you to connect directly to the social media's IM system, whether through an XMPP proxy (like Facebook) deprecated or a software plugin (like Skype), so you don't have to log in to their website.
  • Use a free alternative to mainstream social media, such as GNU Social for twitter, GNU FM for last.fm, and MediaGoblin for YouTube.

External links

General resources:

Cool "shit" :

See also