Staying Anonymous
Uploaded: 2013-09-09

---

Please note, this was reposted from elsewhere, I take no credit for it.

--

I compiled this short guide on privacy and anonymity/pseudonymity in cyberspace. I'll cover both software and the usage of that software to be anonymous. Most of the software runs natively on Linux, but much of it has Windows/OS X equivalents.

I'll make a note of why I am doing this: it seems everyone these days wants their hands on your data. Large factions, be they governments, advertising companies, political parties, or even just plain old-fashioned mean-spirited fellow internet users. Throughout history, important but initially unpopular poets, politicians (including revolutionaries like the American founding fathers, among others), whistleblowers and others, whose works proved necessary for a just and free society to function, have used anonymity to protect themselves from the knee-jerk reactions of an unjust society. I assert you have the RIGHT to post either anonymously or pseudonymously (a persistent and exclusive persona owned by, but not publicly affiliated with or immediately traceable to, the physical author). The right to freedom of speech is not limited to the opinions of the loudest speaker, or to what is popular opinion at the moment.

Let's start with GNU/Linux. Learn to use GNU/Linux, as the best programs run on GNU/Linux or other free *NIX/UNIX systems. If you don't know how to use UNIX, Linux is the easiest for a newbie.
https://code.google.com/edu/tools101/linux/basics.html - basics of Linux

+--===Table of Contents===--+

Section 1 - Software to Download, Sites to Bookmark
A. Disk Encryption/Secure Storage
B. Password Management
C. Secure Deletion
D. MAC Address scrambling
E. Darknets and Proxies
F. LiveOS's
G. Metadata Scrubbers
H. Media Tools
I. Encryption Frameworks and Enhancers (SSL, GPG and OTR)
J. FireFox Plugins
K. Misc Links

Section 2 - Software Usage
A.
MAC Addresses and Hostnames (scrambling and managing)
B. Security Framework and Utilities
C. Secure Deletion/File Shredding
D. Password and Identity Management
E. Darknets and Proxies
F. Sanitize Picture files (Remove Identifying Marks and Metadata)
G. LiveCD/USB Stick usage
H. Instant Message and IRC
I. Disk Encryption/Secure Storage
J. Password Management
K. GNU Privacy Guard
L. Web Browsing

Section 3 - Operating Theory
A. Life-cycle of Data
B. TOR and proxy usage

Appendix
A. Privacy Network Proxy Settings
B. Privoxy Config for Privacy Networks
C. Online lists of IRC sites
D. Torbrowser/button HTTP user agent
E. Firefox manual config options

-------=============SECTION 1 Software to download, Sites to bookmark:=============-------------

It should be noted that in Linux you should consult your distribution's online repositories before looking to download from the web. In BSD consult your flavour's ports selection.

--

A. Disk Encryption: guarding against theft and coercion, and allowing the proper storage of sensitive material without fear of reprisal.

i. Truecrypt - http://www.truecrypt.org/ - very strong encryption, it has a few minor flaws. Do NOT use it to secure a whole system. Containers cannot be broken though. Cross platform for Windows/Mac/Linux.
ii. LUKS (Linux Unified Key Setup) - https://code.google.com/p/cryptsetup/ - generally included with your Linux operating system; if not, check your distribution's repositories.
iii. eCryptFS - Linux module for encrypted userspace. Used by Debian-based distros (like Ubuntu/Mint) as an option to encrypt the $HOME directory. https://launchpad.net/ecryptfs - see your distro's documentation for more information.

--

B. Password management and generators - create impossible-to-guess, strong passwords and store them securely. Recommended password strength is at least 10 characters, upper and lower case, including numbers. It is not recommended that you use a password generator on a website, or let a website pick a personal password for you.

i.
KeePass2/KeePassX - http://keepass.info/download.html - cross platform password manager, available for Mac/Windows/Linux. Stores passwords in an encrypted file. Nice features like automatically clearing copied passwords from memory after a few seconds, allowing you to copy without viewing passwords, as well as an easy-to-use password generator. Recommended to store the password file on an encrypted disk for maximum effect.
ii. Password Gorilla - similar to KeePass, not compatible. https://github.com/zdia/gorilla/wiki/
iii. pwsafe, apg, makepasswd, pwgen - various Linux-based command line password generators, see your distribution's documentation.
iv. PWgen for Windows - http://pwgen-win.sourceforge.net/
v. Omziff - http://xtort.net/freeware/xtort-software/omziff/ - multi-tool with password generator for Windows.

--

C. Secure Deletion/File Shredding. OK, so you're done with a file, now get rid of it before anyone else can pick through your cyber trash. Some programs:

i. BleachBit - http://bleachbit.sourceforge.net/ - available for Linux and Windows. GUI usage track/cache cleaner that can overwrite files.
ii. scrub - https://code.google.com/p/diskscrub/ - overkill multipass scrubber, works on most UNIX-like operating systems.
iii. srm - http://srm.sourceforge.net/ - secure drop-in replacement for the UNIX-type "rm" command to delete files. Available from many Linux distros.
iv. Omziff - as mentioned earlier, also shreds files.
v. scrub - DoD/NSA certified file shredder for Linux https://code.google.com/p/diskscrub/
vi. nautilus-wipe - plugin for GNOME http://wipetools.tuxfamily.org/nautilus-wipe.html
vii. Secure-Delete - the new standard, includes its own version of srm, along with a memory wiper (somewhat broken). http://www.thc.org/releases.php . Linux.

--

D. MAC (Media Access Control) address scrambling.

i. macchanger - http://www.alobbs.com/macchanger/ - Linux
ii. macchanger-gtk - Linux - see your distro's repository.
iii.
Technitium MAC Address Changer - http://www.technitium.com/tmac/index.html - Windows
iv. MacDaddyX (untested) - http://www.macupdate.com/app/mac/25729/macdaddyx - Mac OS X

--

E. Darknet and Proxying Tools

i. tor - https://www.torproject.org/download/download.html.en - Mac/Linux/Windows, reroutes your data through many routers, encrypted with "onion routing". Recommendation is to install tor + Vidalia (GUI control) and the torbutton Firefox extension (not torbrowser): the Vidalia bundle. torsocks is also recommended to wrap non-tor-aware programs in tor usage.
https://www.torproject.org/projects/torbrowser.html.en - Firefox port that works exclusively with tor
https://code.google.com/p/torsocks/ - command line Linux program that runs a command, rerouting its network calls through TOR
ii. i2p - http://www.i2p2.de/ - experimental anonymous "darknet". Not quite as user friendly as tor.
iii. Freenet - https://freenetproject.org/ - another darknet, with distributed storage.
iv. FoxyProxy - https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ - good old-fashioned proxy switcher for the Firefox web browser

--

F. Privacy-based LiveCD/USB stick - a portable distro that ships most if not all of the tools (all the types, nonetheless) described elsewhere. Not only do they run free operating systems like Linux as a base, they tend to be set up right, and don't leave traces on the machines they use. They are also portable, can be taken anywhere, and need no great skill to use.

i. TAILS - https://tails.boum.org/ - The Amnesic Incognito Live System, Debian based
ii. Liberté Linux - sourceforge.net/projects/liberte/ - live distro based on Gentoo. Improvement over TAILS
iii. NinjaOS - http://sourceforge.net/projects/ninjaos/?source=directory - based on Arch Linux. Fast, with the necessary tools.

--

G. Metadata scrubbers - remove traces of information from images and other files.

i.
pngcrush - http://pmt.sourceforge.net/pngcrush/ - Linux/UNIX and DOS/Windows command line program for viewing and manipulating metadata in .PNG images.
ii. jhead - http://www.sentex.net/~mwandel/jhead/ - Windows/Mac/Linux - reads/writes and scrubs metadata from JPEG images. Command line tool.
iii. Metadata Anonymisation Toolkit (MAT) - https://mat.boum.org/ - scrubs metadata from a wide variety of files, including PNGs, JPEGs, PDFs, MS Office documents, FLACs and more. Easy to use, includes a GUI.

--

H. Other media tools. Everyday tools to help you create media (F/L/O, for Free/Libre/Open).

i. Audacity - http://audacity.sourceforge.net/ - Free/libre/open source audio editing, Linux/Windows/Mac.
ii. PiTiVi - http://www.pitivi.org/ - F/L/O video editor, runs on Linux
iii. OpenShot - http://www.openshotvideo.com/ - yet another F/L/O video editor, runs on Linux
iv. espeak, its derivatives and various front ends - http://espeak.sourceforge.net/ - text to speech framework. Creates a computer generated voice, used in everything from automated telephone systems to the activist collective "Anonymous".
v. GIMP - http://www.gimp.org/ - GNU Image Manipulation Program. F/L/O "Photoshop"-like program, runs on Mac/Linux/Windows.
vi. Windows and Mac OS X have built-in video editing tools which are "good enough".

--

I. Encryption Frameworks and enhancers (GPG and OTR)

i. GPG - Eponymous program that encrypts and verifies emails, files, and more. The most common framework there is, with plugins for many, many programs to use the same identity.
http://www.gnupg.org/ - GPG homepage
https://live.gnome.org/Seahorse - Seahorse is a GNOME front end for GPG
http://utils.kde.org/projects/kgpg/ - similar concept for KDE
http://wald.intevation.org/projects/gpa/ - very lightweight generic GTK front end, GNU Privacy Assistant.
ii. OTR - Off the Record. Encryption and authentication for IRC and instant messaging. Plugins are available for a few clients, with Pidgin being the most prominent.
- http://www.cypherpunks.ca/otr/
iii. SSL/TLS - This is middleware that encrypts connections, used by other software. Most of the time you need not install anything, unless your particular application needs additional software for it to work. Manually installing OpenSSL on Windows is a must; it comes by default on most modern Linux/Unix distributions/flavours.
http://www.openssl.org/
https://www.gnu.org/software/gnutls/
https://www.mozilla.org/projects/security/pki/nss/

--

J. Firefox Plugins

1. HTTPS Everywhere. Forces SSL-optional sites (see above) to use SSL. Available from long-standing and reputable privacy advocates the Electronic Frontier Foundation (EFF - http://eff.org). Download and install at https://www.eff.org/https-everywhere
2. NoScript. Firefox plugin to block and/or give you granular control over Java, JavaScript, Flash, and a whole mess of privacy-invading, attacking, and otherwise potentially malicious content. - http://noscript.net/
3. User Agent Switcher. Spoofs your web browser type. Useful for when sites take sides in the browser wars and try to force you to use a browser you don't want to. - https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
4. FoxyProxy. Adds a button, menu item, and/or context menu to switch between proxies. Configure anonymity proxies, i2p, tor, and switch between them easily. - http://getfoxyproxy.org

--

K. Misc and useful links.

1. Bitcoin - http://bitcoin.org/ - online digital currency, distributed in nature, controlled by no one. NOT really anonymous, but it tries to be. Can be bought and sold for real dollars. Software runs on Linux/Windows/Mac.
2. Proxy lists and indexes, for simple re-routing of data.
http://hidemyass.com/proxy-list/
http://www.freeproxies.org/
https://proxy.org/cgi_proxies.shtml
http://www.socks24.org/
http://www.xroxy.com/proxylist.htm
3. Name and details persona generation:
Serious:
http://www.kleimo.com/random/name.cfm - based off the US census.
http://www.fakenamegenerator.com/gen-random-us-us.php - includes demographic data too.
http://www.behindthename.com/random/ - whole bunch of "backgrounds"
Silly and Stupid:
http://rinkworks.com/namegen/ - fantasy names
http://gangstaname.com/ - has options for "gangsta", pirate, Mexican wrestler, pet, taxi driver, mafiosi, and vampires. Has "troll" written all over it
http://www.artifacting.com/blog/2011/12/02/one-percenter-name-generator/ - the one percenter name generator (#OWS 1%).
http://www.ratbike.org/motorcycho/outlawname.php - "biker 1%'er" name generator
http://rumandmonkey.com/widgets/toys/namegen/ - whole megapack of silly and stupid name generators
4. YaCy - http://www.yacy.net/ - YaCy is a peer-to-peer web search which runs locally on your computer and connects to other computers for a distributed peer-to-peer search engine. Free software.

--------------===============SECTION 2 Software Usage===================-------------------

--

A. MAC Addresses, and Randomization thereof

A MAC address is a layer 2/link layer address for Ethernet, by far the most popular consumer network technology in both wired (LAN) and wireless (WiFi) technologies. The MAC address is a 48-bit value, generally represented as a string of 6 bytes (12 hexadecimal characters, separated by colons, as in FE:DC:BA:98:78:65). This is used for network configuration, and to PHYSICALLY represent the hardware of your network card. If someone gets a real MAC address, and they physically possess the computer or network card that it came from, they can prove that data came from a particular computer. MAC addresses are burned into a network card at the time of manufacture, and a MAC address links a connection to a physical computer.

It has several limitations when used for tracking users. No operating system reads directly from hardware when making network calls; instead it takes the address from software, and some operating systems let users arbitrarily set the value, or "spoof" it, very easily.
The second limitation on tracking MAC addresses is that they are lost every time they go through a router, or hop. Every time data goes through a router, the router substitutes the MAC address field with its own. Meaning, the only people who can see your MAC are the people on your subnet, i.e. at home, the cafe/airport you're in, etc. However, all machines on the LOCAL network can see your MAC, and this can be tied to your physical hardware: if such hardware is obtained for comparison, it will positively identify a computer, or more correctly a network card, as the origin of data.

The computer's name, or "hostname", is sent across the network when obtaining an IP from a router via DHCP. If you did not set your IP address information manually, then this has happened. On wireless connections you can specify a nickname for each wireless card. If none is specified, this should default to the computer hostname.

WHERE TO USE THIS: Of course, when you connect from home via a fiber or cable connection, your cable modem/fiber box has a very long serial number string that acts like a MAC. This is also tied to your account, and is how they know how to turn your internet service on and off. This is also tied to your billing information (name on the account, credit card, street address, etc.), which is tied to your very real life persona. This is also the ONLY link layer address that gets sent; as mentioned earlier, your computer's MAC doesn't get sent out to your ISP, nor does your cable modem's MAC get sent further than your ISP's network (not to any site you visit). There are no advantages to spoofing your MAC at home, and it increases security to use the same MAC and filter out MACs you don't directly authorize (most home routers can do this, another discussion).

Of course, when you are using the internet in public, such as on publicly accessible WiFi, the network can identify you by your laptop's wireless MAC.
If you use the one from hardware, someone who acquires your laptop can conclusively link you to all network activity performed by you. This is where you need to use a scrambled MAC address. There is no real way for anyone to check; most places have the same residential routers you have at home, and you leave no trace of your physical hardware on their network. Data profiling is when the same user uses the same information over and over again, and sets a pattern they can be identified with. Granted you plan on using encryption of higher level data, there should be little for the "near side" to positively identify you with, provided you use a new MAC address every time. The IP address you get will be assigned by their hardware, and the rest above that should be either encrypted or so trivial that it's not viable to use to track or identify you.

TL;DR - Use a real MAC/hostname at home and on trusted networks. Scramble your MAC BEFORE connecting to public/untrusted networks.

How do you scramble a MAC address? (temporary software MAC). There are several ways to do this. The easiest is to use a program as mentioned in =Section I=. However, it can be done manually in various operating systems:

Linux/UNIX/OSX (as root) on the command line:

ifconfig eth0 down
ifconfig eth0 hw ether XY:XX:XX:XX:XX:XX
ifconfig eth0 up

where the Xs are any hexadecimal (0-F) digit, and Y is any EVEN hexadecimal digit. Please note that eth0 is simply the first wired Ethernet card in Linux. Type "ifconfig" for a list of all network adapters, and substitute another interface for "eth0" as appropriate. network-manager-applet also has an option to change your MAC if you are running NetworkManager (Ubuntu, and most easy-to-use distros run this): right click the network icon -> Edit, which should give you an option.
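As an added illustration of the address format rules above (not code from the original guide): the "Y must be EVEN" rule exists because the lowest bit of the first octet is the multicast flag, and the next bit up marks an address as locally administered rather than vendor-assigned. This Python decodes those bits and checks a candidate before you hand it to ifconfig; the sample addresses are constructed and nothing here touches a network interface.

```python
import re
import secrets

# Colon-separated 6-byte form used on this page, e.g. FE:DC:BA:98:78:65.
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?::([0-9A-Fa-f]{2})){5}$")


def parse_mac(mac: str) -> bytes:
    """Parse 'XX:XX:XX:XX:XX:XX' into 6 raw bytes; ValueError on anything else."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a 6-byte colon-separated MAC: {mac!r}")
    return bytes(int(h, 16) for h in mac.split(":"))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def describe_mac(mac: str) -> dict:
    """Decode the two flag bits of the first octet plus the manufacturer prefix.

    Bit 0 (value 1) is the I/G bit: 0 = unicast, 1 = group/multicast. A host
    address must be unicast, which is exactly why 'Y' has to be an even digit.
    Bit 1 (value 2) is the U/L bit: 0 = globally unique (burned-in, vendor OUI),
    1 = locally administered (a value an OS or admin chose).
    """
    raw = parse_mac(mac)
    first = raw[0]
    return {
        "unicast": (first & 0x01) == 0,
        "locally_administered": (first & 0x02) != 0,
        "oui": format_mac(raw[:3]),          # first 3 bytes = manufacturer ID
        "nic_specific": format_mac(raw[3:]),  # last 3 bytes = per-card serial part
    }


def is_valid_software_mac(mac: str) -> bool:
    """True if the string is well formed and unicast (the page's 'Y is even' rule)."""
    try:
        return describe_mac(mac)["unicast"]
    except ValueError:
        return False


def normalize_software_mac(mac: str) -> str:
    """Return mac with the multicast bit cleared and the locally-administered bit set."""
    raw = bytearray(parse_mac(mac))
    raw[0] = (raw[0] & ~0x01) | 0x02
    return format_mac(bytes(raw))


def random_locally_administered_mac() -> str:
    """A random unicast, locally-administered address, as MAC-randomising tools produce."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & ~0x01) | 0x02
    return format_mac(bytes(raw))


if __name__ == "__main__":
    for candidate in ("FE:DC:BA:98:78:65", "FD:00:00:00:00:01", "00:11:22:33:44:55"):
        print(candidate, is_valid_software_mac(candidate), describe_mac(candidate))
    print("random:", random_locally_administered_mac())
```

Note that a randomly generated first three bytes will not match any real vendor prefix, which is the point the NOTE on manufacturer IDs below makes.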
Windows - edit a registry key. Go to Start -> Run, "regedit", then navigate to this key in the registry editor:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}]

Modify the NetworkAddress value to the desired MAC.

NOTE - the first 3 bytes (6 hex digits) are a manufacturer ID, which identifies the company that makes the wireless card. All of these are known, and there is a list of known manufacturers. This is useful if you need to carefully construct a MAC address instead of choosing a random one (some networks actively discriminate against what they perceive to be random and fake addresses, or cards that aren't the type they are using, e.g. a wired address used on wireless).

Now how about hostnames/computer names. In Linux/UNIX/*NIX it's as easy as typing on the command line (please note this does not persist across a reboot, and you generally need to restart your desktop environment or it will not take effect):

# hostname

In Windows, you want to right click My Computer -> Properties, then change the computer name.

--

B. Security Frameworks and utilities - Frameworks are general concepts and code that are built into other products, securing other things you do. While you most likely don't use them directly, you use products that incorporate them. Knowing the basics of what they are and how they work is important. Sometimes they are optional, and you can improve security by manually enabling them, and plan your operations around services that make better use of them. You might not have to install any of these directly. Most are implemented in user software. Understand how you can get the most out of them.

i. SSL/TLS - Secure Sockets Layer, and its replacement Transport Layer Security. Sub-protocols that are used to encrypt many if not most kinds of communications on the internet. Look for SSL/TLS in program options. OpenSSL, GnuTLS, and NSS are various implementation wrappers for middleware.
Used not only to encrypt, but to authenticate websites and users (verify identity). Check settings to make sure programs are using them. These mostly work transparently. In Firefox, a little lock icon, or a green identity bar, should appear on the left side of the "Awesome" URL bar. Clicking on this should show the encryption status. https:// as opposed to http:// means encryption; the "s" stands for "SSL". Often other protocols are suffixed with "s" to indicate added SSL support: ftps, ircs, etc.

ii. GPG - GNU Privacy Guard, the open source successor to PGP when PGP closed its source code. Used to encrypt and authenticate users in email, as well as for other functions. You need to create a private/public key pair, and then maintain it. You give other users your public key, but keep your private key a closely guarded secret. This will allow you not only to verify the contents of files and emails, but to encrypt/decrypt them. It can also be used to positively identify contacts online via encryption. In Linux, gpg is a command line application, but there are many front ends that provide a good GUI. A nice feature of GPG is that all applications share the same keys and data, making keys imported into gpg universal, system wide. Also check your program's support for GPG, and how to enable it. See Section K for instructions on setting up and managing GPG keys.

iii. OTR - Off the Record. Similar concept to GPG, but this is written exclusively for instant message and chat programs. The software generally comes as plugins for various instant message clients. http://www.cypherpunks.ca/otr/

--

C. File Shredding - Some theory.

When you traditionally delete a file, all the operating system does is delete the information it has about the file in the file table (the master list of files and locations of data); the actual data is still there, although it CAN be, but probably won't be, overwritten. Once unlinked, it's often impossible for normal operating system calls to find the data.
HOWEVER, a direct sequential byte-by-byte read can find this data quite easily, and many forensic SOFTWARE tools that run on regular computers exist to do this. Many are free/libre and/or open source. Many are not hard to use. Even non-forensic tools like "strings" and "dd" in UNIX can find this data fairly easily. That said, a single "pass" is enough to make sure that 99.999% of attempts to recover data are unsuccessful. There are some media-specific attacks that can recover data from specific technologies.

HARD DISKS - In a hard disk, the disk can be disassembled, and a sensitive write tool can be used to look for "layers" and access written-over data, for what value the underlying bit had before the current one. There is some dispute over how many "layers down" this will reliably work. Peter Gutmann, a security researcher, has specified a 35-pass method for completely obliterating data. However, this, in modern terms, is widely believed to be excessive. The US National Security Agency and Department of Defense have their own methods (4 and 7 passes respectively). With modern hard disks, however, it's generally assumed a double pass shall be sufficient against all but the most persistent attackers, and offers a better trade-off when time spent is factored in. It is recommended when wiping an entire hard drive that you wipe two passes with all zeros (i.e. from /dev/zero).

FLASH MEDIA, including SSDs - They lack a history like spinning disks, but almost all modern formats do what they call "wear leveling", automatically remapping sectors to wear the drive more evenly. This is done transparently in the firmware, and it's often impossible for the OS to know exactly where on the physical medium the data actually is. New solid state drives generally have a hardware "secure wipe" command that will overwrite backup and remapped sectors. This can be done in Linux with hdparm.
It's also assumed a double pass of fill will get most sectors on the drive, or the entire drive if done sequentially. Follow the guide: https://wiki.archlinux.org/index.php/SSD_Memory_Cell_Clearing

FLOPPY DISKS, including Zip disks, or anything else with a spinning magnetic disk inside: These are obsolete. I recommend copying the data elsewhere, then breaking open the case and cutting the magnetic disk inside with scissors into triangle-shaped pieces, after a zero-overwrite. If you can do many disks this way, throw them all in the same trash bag and shake the bag vigorously (while closed); they should all rub together, making the mess worthless. For the more conventional: the 35-pass Gutmann method should be sufficient if you plan on reusing them. There is little reason to re-use floppy disks.

Darik's Boot And Nuke - http://www.dban.org/ - this is a LiveCD that does one thing: boots up, and automatically overwrites data on all attached hard disks. Store and use with care. Great for either emergencies, or if you really can't sit and watch the computer. It should be noted this is no longer maintained.

IMPORTANT UPDATE: some research has shown that it is still possible to recover data from a single zero fill. It is now recommended on "modern" hard disks that you use two passes (overwrite twice) to securely eliminate data.

There are two types of file scrubbers: ones that target specific files, and ones that look for and clean parts of the operating system. The first category includes programs like BleachBit and various proprietary implementations. They are good for easily cleaning all your usage tracks off your regular operating system on your hard disk all at once. Be sure to read the documentation and check settings to make sure that data is overwritten on the disk (in BleachBit this is NOT enabled by default, check the settings). The second are targeted scrubbers like the various incarnations of srm, scrub, wipe, and shred.
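The "two layers of random" that a file-level scrubber such as srm writes, as an added Python example that is not from this guide or from any of the tools it lists: it overwrites a file in place, syncs each pass to the device, truncates, then unlinks. The demo file it shreds is constructed inside the block.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite the file's existing bytes in place `passes` times with random data.

    Opened r+b so the file keeps its allocation and the same blocks get rewritten
    on an ordinary in-place file system. Copy-on-write file systems and flash
    wear levelling may put each pass somewhere else on the medium, which is the
    SSD caveat above: there, full-disk encryption plus the drive's own secure
    erase is the reliable route. Returns the number of bytes written per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))  # random, not zeros: doesn't look like a wiped file
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before starting the next
    return size


def shred_file(path: str, passes: int = 2) -> bool:
    """srm-style shred: random passes (two by default, the page's advice), truncate, unlink."""
    if os.path.islink(path):
        raise ValueError("refusing to shred through a symlink")
    overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)  # directory entry now points at a zero-length file
    os.remove(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Constructed demo: shred a temp file with known contents and report what happened."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed secret\n" * 500)  # 9500 bytes of recognisable plaintext
    size = overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        plaintext_left = b"constructed secret" in fh.read()  # what "strings" would still find
    removed = shred_file(path)
    return {"size": size, "plaintext_left": plaintext_left, "removed": removed}


if __name__ == "__main__":
    print(demo())
```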
Make sure you consult your documentation on how to use the right type of file shredding.

Real world pro-tips:
i. When you scrub entire disks, write all zeros directly to the block device (like using dd if=/dev/zero, etc.) TWICE, then FORMAT THE DISK, and then create a new file system on the disk (it looks like blank, unused medium).
ii. When scrubbing individual files, just write TWO layers of random (doesn't look like deleted files).

--

D. Password and Identity management - It's important to use randomly generated passwords, generated from a strong random source. In Linux the /dev/random, or even /dev/urandom or /dev/frandom, character devices, and things based off them, should be enough. Windows has random functions. Of course these are called by higher level programs. See above. Now you do need one password which is easy enough to memorize. This you put on Truecrypt containers and password managers. Mix and match these enough that separate password-protected files or objects with similar functions get separate passwords. Now we get to "offline" passwords vs "online" passwords. See below.

TYPES OF PASSWORDS - There are two types of passwords:

i. Online - passwords that protect data stored on networks that are accessible by other machines you cannot control, which can be readily accessed to brute-force your password. This standard applies to any password-protected resource which also doesn't have a layer of physical security to it at all, or where a brute-force tool can be readily applied. This is mainly things like Facebook, email, or most internet- and cloud-connected passwords. These are at the most risk. However, you CAN load your password manager before accessing these resources. Online passwords should be as long and random as possible; they should be stored in encrypted containers, with password managers, to minimize the risk of improper exposure. The KeePass family of password managers are good for the entire life-cycle of your passwords (creation/storage/retrieval/deletion).
They are easy to make, easy to change, easy to remove, and encrypted on the disk.

ii. Offline - offline passwords are anything which an unknown opponent cannot routinely access or brute-force. They can also be further protected by physical security. This is computers without remote access (like your laptop/desktop), encrypted files on your local machines (where you sit at the CONSOLE, not in the general vicinity), etc. These are at lesser risk, and at the same time unable to be brute-forced by traditional methods. Many times, you cannot load your password manager BEFORE loading these resources. Offline passwords need to be mnemonic enough that you can remember them, long enough that they can't be easily brute-forced, and unique and unguessable enough that your friends (and enemies) can't guess them. They can't be about any of your biometrics, your family, pets, nicknames, or anything a good guesser who obtains all your personal information can obtain. They are used to store online passwords. Make sure they are good, and change them often. If someone cracks one of these, chances are you probably know them.

Historical note: The now infamous "HB Gary" cyber security firm was taken down by the activist group "Anonymous" after their leader used the same password and username on a trivial front page as on the rest of the servers (which of course had root access via sudo), which allowed Anonymous access to every last bit of data the company had. If HB Gary had done what I recommended above, Anonymous would have gotten no further than defacing HB Gary's front page. Just remember the weakest point of cyber security is the human being. If you pick a password based on biometrics, pet names, family names, hobbies, or any other such factor, it can and most likely will be guessed.

- ALTER EGOS - Your alter ego, your "alias", if you go the pseudonymous route. User name or full name, it does not matter. Someone is going to go through your interests and pin just about anything you choose on your own to you. Don't try and think too hard.
Have one randomly generated and save yourself the trouble.

MULTIPLE PERSONALITIES - keep files on your alter egos, and don't mix, match or cross-reference one character with another. Someone will pick up on this and link the two. Keep the files in an encrypted partition. See above. Don't post pictures from real life. If you MUST post something from real life, be sure to scrub and sanitize not just the picture, but the metadata, something all cameras and editing programs stamp into picture files.

Historical Note: Hacktivist group "LulzSec" leader "Sabu" failed to get this right, instead posting pictures of his beloved car (with license plate) and other real-world identifiers to social networking sites with the same identity he used for hacktivism. This is how the American FBI was able to catch him. It is uncertain if he scrubbed metadata, but it really wouldn't have mattered.

--

E. Darknets and Proxies - There are two types of "darknets": there are the Anonymous Public Darknets (APD), Freenet, TOR, and I2P, and then there are private virtual networks. To join a private virtual network, you need to be invited, and you will generally be instructed on how to connect and what software you need. General use public darknets use common general use software, available to the public. In general, they run software which connects and maintains connections to the network, and then provides access to your local machine in the form of a local SOCKS or HTTP proxy. You then set proxy settings to have existing applications connect, or in some cases you need/might want purpose-built applications that work on said darknet. This section covers "APD" usage.

Onion routing works as a darknet, allowing you to access .onion addresses on the tor network, but for the most part reroutes your data through a series of progressively encrypted proxies at random to a random "exit" node. Your data appears to come from the exit node.
Vidalia is a graphical controller for tor which lets you easily stop, start and control the tor program (which is command line in nature). There is also a button to use a new identity, which of course creates a new route, finds a new exit node, and gives you a "new IP" to use.

The onion routing principle is that there are several layers of encryption. Each hop decrypts one layer, which contains nothing more than the routing information to the next router (they have no information on previous and future routers), until the last "exit node", which sends to the server you are trying to reach. BE WARNED, there is no encryption from the exit node to the intended destination, and exit nodes have been found that DO sniff your data. Use end-to-end encryption like GPG and SSL/TLS in addition to tor. Also, don't use personally identifiable information over TOR, nor mix and match aliases on the same IP. Use one alias, use Vidalia to get a new IP, then use the other alias.

TOR also doesn't automatically route your data over TOR. It simply makes itself available as a local proxy to applications on your computer. Using privoxy or polipo inline with tor is popular, and can be a good idea to further strip metadata off web connections.

Using TOR on the web you have two options. One, the most convenient method and best for new users, is to simply use the tor project's "tor browser". This is a pre-set-up Firefox ESR, with recommended tools and useful extensions built in. In more advanced mode, you want to try a Firefox extension called "FoxyProxy". See Section I.

edit: Please note that earlier we recommended "Proxy Selector"; we no longer do so, instead we recommend "FoxyProxy".

Torsocks - torsocks is a program that launches other programs, rerouting all data through tor automatically. You can prefix any command with "usewithtor", provided torsocks is installed. Great for making tor-enabled shortcuts on the desktop.
You can copy a menu item in your GUI, rename it to say Program (with tor), and prefix the command it launches with "usewithtor". This works great with IRC.

Vidalia - is a great front-end controller for tor. It's easy to use and unobtrusive. It launches tor and keeps you updated with tor's connection status, lets you view the tor network, and has a convenient button for new identity, which really means "use a new IP address". If you are using tor on a desktop, Vidalia is the way to go.

i2p is newer and primarily a darknet, with .i2p domains. It provides access to i2p-only features like mail, chat and file sharing that are done anonymously over i2p. It's still pretty beta, with no good controller program.

Traditional Proxies. Back when you wanted to troll message boards and evade IP bans you'd simply get a list of free proxies and then set them in your network settings. Then there came plugins and addons for browsers which made this so much easier, with a flip of a button. Very simple, and some of them reveal your real IP. Not elegant, and they don't work all the time. All they do is simply bounce data off the proxy server you add to the configuration, usually unauthenticated and unencrypted.

--
F. Sanitise Picture files (Remove Identifying Marks and Metadata) - Scrub metadata off pictures and other files you post online; there are plenty of tools, many free, to extract it. Be very careful about all movies and pictures posted. Pictures can identify a lot, even by just what's in the picture: everything from color temperature to vehicle plates and almost unobservable details in the background.

jhead is a great command-line tool for this. Simply type "jhead -purejpg " and this works with ? and * wildcards for mass header stripping (say, all the files on your digital camera). pngcrush works with PNGs; type "pngcrush -rem alla -rem text ". It works one file at a time, so you need a batch script to do many files.

GIMP is a good free light photo editing tool.
You can blur and smudge out most unwanted details while barely being noticeable, and you can also turn down the quality of JPEGs just enough to keep anyone from getting any good background information from your pictures. It's also recommended you save this as an online-only version of a picture. The online-only version gets reduced quality, and it's recommended you limit size to 800x600 pixels, no greater. 800x600 is big enough to get the point across and small enough to keep small details from being enlarged to grab identifying information. GIMP can scale pictures quite easily: under Image -> Scale, make the larger number 800 pixels while keeping the aspect ratio.

Workflow on picture-fu. VERY IMPORTANT THESE BE DONE IN ORDER -
1. edit - blur, smudge, otherwise manipulate the photo.
2. scale - scale the image so the larger dimension is 800 pixels.
3. scrub - scrub metadata appropriate for the filetype.

tl;dr: no uploading pictures from the real world that are over 800x600 in resolution. Scrub all metadata off pictures. This goes with the obvious: keep faces, distinguishing clothing, license plates, ALL SERIAL NUMBERS OF ANY KIND and unique things out of the photos. Again, if you want strong anonymity/pseudonymity, it's probably a good idea only to re-paste images readily found elsewhere on the net. It should be noted that technical tools are just that. They do not prevent user error.

--
G. LiveCD/USB stick - leave no trace - Find a good live OS. A good list to start with: https://sourceforge.net/directory/system-administration/osdistro/livecd/os:linux/freshness:recently-updated/ Make sure the live OS you use supports the features you need. Make sure you test it in private (in a VirtualBox if possible), conduct at least a minimal audit, and ask the opinions of other users with similar needs to get a reputable live OS. All the tools mentioned above conveniently fit on a single CD that boots itself, generally with free operating systems, generally Linux.
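Step 3 of the picture workflow above (scrub metadata for the filetype) as an added, self-contained Python batch scrubber; it is not the guide's own tool or jhead/pngcrush. It approximates what "jhead -purejpg" does (drop APPn and COM segments, keep the image data) and what "pngcrush -rem text" does (drop text/EXIF/time chunks), and reports what it removed so you can check the result. The sample files inside are constructed stand-ins, not real photos.

```python
"""Strip metadata from JPEG and PNG files the way jhead -purejpg and
pngcrush -rem text do. Added example, not from the original guide."""
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that carry metadata; IHDR/PLTE/IDAT/IEND and the rest are kept.
PNG_DROP = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME"}


def scrub_jpeg(data: bytes):
    """Walk marker segments up to SOS, dropping APP0-APP15 (EXIF, XMP, ICC, JFIF) and COM."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out, removed, i = bytearray(b"\xff\xd8"), [], 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xDA:              # SOS: entropy-coded data follows; copy the rest verbatim
            out += data[i:]
            return bytes(out), removed
        if marker == 0xD9:              # EOI before any scan: degenerate but well-formed
            out += b"\xff\xd9"
            return bytes(out), removed
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        segment = data[i:i + 2 + length]
        if 0xE0 <= marker <= 0xEF:
            removed.append(f"APP{marker - 0xE0}")
        elif marker == 0xFE:
            removed.append("COM")
        else:
            out += segment              # DQT, SOF, DHT, ... are needed to decode the image
        i += 2 + length
    raise ValueError("truncated JPEG (no SOS/EOI)")


def scrub_png(data: bytes):
    """Walk PNG chunks (length, type, data, CRC) and drop the metadata-bearing ones."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    out, removed, i = bytearray(PNG_SIG), [], 8
    while i + 12 <= len(data):
        length = struct.unpack(">I", data[i:i + 4])[0]
        ctype = data[i + 4:i + 8]
        chunk = data[i:i + 12 + length]
        if ctype in PNG_DROP:
            removed.append(ctype.decode("ascii"))
        else:
            out += chunk
        i += 12 + length
        if ctype == b"IEND":
            break
    return bytes(out), removed


def scrub_file(path):
    """Scrub one file in place based on its extension; returns what was removed."""
    p = Path(path)
    data = p.read_bytes()
    if p.suffix.lower() in (".jpg", ".jpeg"):
        clean, removed = scrub_jpeg(data)
    elif p.suffix.lower() == ".png":
        clean, removed = scrub_png(data)
    else:
        raise ValueError(f"unsupported file type: {p.name}")
    p.write_bytes(clean)
    return removed


def _jpeg_segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed stand-ins: enough structure for the parsers, not viewable images.
SAMPLE_JPEG = (b"\xff\xd8"
               + _jpeg_segment(0xE1, b"Exif\0\0CAMERA-SERIAL-0000")   # what a camera stamps in
               + _jpeg_segment(0xFE, b"edited with constructed-editor")
               + _jpeg_segment(0xDB, b"\0" * 65)                      # quant table, kept
               + _jpeg_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")     # start of scan
               + b"\x12\x34\x56" + b"\xff\xd9")
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"tEXt", b"Author\0constructed-name")
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _png_chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, data, fn in (("jpeg", SAMPLE_JPEG, scrub_jpeg), ("png", SAMPLE_PNG, scrub_png)):
        clean, removed = fn(data)
        print(f"{name}: {len(data)} -> {len(clean)} bytes, removed {removed}")
```

Run it over a directory with something like `for f in Path(".").glob("*.jp*g"): print(f, scrub_file(f))`; do the scrub last, since re-saving from an editor writes new metadata.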
They also don't save data or leave usage tracks unless you copy data to an external disk or non-live partition; everything else is erased when you shut down the computer. They work by booting off a CD or USB stick instead of the hard disk. USB sticks are better. Not only are they faster, they can be dual-partitioned to have a writable data portion that can save your work, encrypted if so desired.

At home - you can work on and view sensitive data with confidence no one is spying on you. You can visit websites without fear of permanent malware infection. It's also a great way for novices to keep a great collection of free and open source tools in one place, easy to use with no setup or installation needed. You do NOT need to know Linux in depth to run a Linux live CD with a very intuitive desktop.

At a wifi point - do research without leaving a trace. You can use a fake MAC address on many to leave no clue to what computer you are actually using, nor leave any trace of downloaded data. Use TOR to further disguise the data and make tracking of the user and hardware that much harder. Get a full suite that disguises both the real IP and MAC address.

At a library/public access computer - not everyone is so keen to put a BIOS password or lock the boot sequence; get around restrictions imposed on software by booting off a live USB stick/CD. Use a mode that scrambles MAC addresses and hostnames to avoid being linked back to a specific machine. Scrambling MACs here is tricky. The network might not be set up to work with random MACs, and at the same time, using the system MAC of a public computer identifies the hardware used (and potentially the location of the computer if you're in a lab or library, and they are slick at recording their own hardware addresses). Worst-case scenario, if a random MAC doesn't work, reboot with the hard disk operating system and walk away (or try again).

tl;dr - scramble MACs when you're on any network you don't control.

--
H.
Instant Message and IRC (Internet Relay Chat) -

1. IRC - Old and trusted protocol of chat rooms. Not a single service but many services with the same protocol. Servers group themselves into networks of interconnected, load-balanced instances which are the same entity, and users communicate with each other. Anyone can run their own server or network, but it is unwise for the novice or those without massive amounts of time on their hands to do so. It's an old protocol and, depending on the server, offers varying degrees of security. By default most are horribly insecure.

Let's start with finding a suitable IRC client. Make sure it supports SSL (OTR too is a good bet).
- mIRC - most popular by far, runs only on Windows - http://www.mirc.com/ Once you download mIRC make sure you have OpenSSL for Windows - http://www.slproweb.com/products/Win32OpenSSL.html When you install OpenSSL for Windows make sure you install the DLL files into the Windows system directory. This is where mIRC looks for them. When you run mIRC type //echo $sslready and it should come back with "yes". http://www.mirc.com/ssl.html - more information.
- xchat - great Linux GUI client, SSL out of the box, also works on Windows and OS X. Has an OTR plugin.
- irssi - command-line IRC client for Linux/UNIX, successor to BitchX, works great through ssh.

NOTE: Running Linux, the operating system keeps a repository of certificate authority root certificates for encryption, so it's possible to authenticate servers with xchat in Linux (like web browsers do with web servers). Note some clients like mIRC do not check root authorities. Linux and xchat do.

When joining a group's IRC, look up SSL-compatible servers and their port numbers on the network's homepage or in the MOTD when you connect.

When setting up your own group and looking for a suitable network, things to take into account:
1. robust infrastructure - many diversely located servers, somewhat underutilized.
2. good services - nickserv, chanserv. Make sure they are present.
Tight integration with the server is a bigger plus.
3. privacy and security - CA-signed SSL certs are a plus (the only known network that has signed certs is Freenode). Other features are hostname cloaking, which hides your IP from other users, and an official .onion host.
4. Network operators have a stated policy or general attitude of free speech and sticking up for users' rights.
5. Some networks offer hostname cloaking. Big big big plus.

You can do basic research on IRC networks with the search engines in Appendix C.

- BASICS of IRC -

First you need a screen name. Your "nickname" or "nick" is what IRC calls screen names. This is how IRC will identify you and how you will show up in chat. It's the main means by which you are identified on IRC. You can change your nickname with the "/nick" command once on IRC (set a default inside your client).

Real Names, emails and USERIDs. This goes back to the classic days of IRC, when IRC was run on multiuser machines and system processes like "identd" would tell the IRC server the system login name of the user. The IRC server adds this to the IP to further create a unique identity. As IRC servers still do this, it is a potential security flaw in the modern world, where many if not most IRC clients run one at a time on graphical or single-user setups. "Real Name" was also taken from your UNIX login information. It's legacy. All of this information shows up when someone does /whois $nickname on you. While usernames were traditionally limited to 8/13 characters, no spaces, no special chars (still no spaces), a "full name" gives you a chance to add a better self-description than the limits of IRC's nick naming. It's also smart to set "username" or "identd" or something similar to the same thing as your nickname. Many UNIX clients default this to your machine login information. Never a good idea. Set it the same as your nickname.
tl;dr - If you still don't get it, set "real name", "ident", "email" and all other personal information to the same as your "nickname".

Now, connect to an IRC network. Your client should have a good list; if not, see above, or Appendix C. You can connect to an IRC server by typing /server or using a connect dialog in a GUI. Now you're connected, let's find people to talk with. Chat rooms are called "Channels" and start with the "#" character. You can use the /join command to join a #channel, i.e. /join #chat. You can list publicly available IRC channels with /list.

On many IRC networks they offer services to protect your nickname and protect channels through optional registration. Services are special "bots" (short for robots) that end with "serv". 'Nickserv' and 'Chanserv' are the two most important to you, but others exist. Registering a nickname with nickserv will prevent anyone else from using it, and may offer other benefits of registration depending on the network. You can register with nickserv by typing:
/msg nickserv register
To log in with nickserv on return visits:
/msg nickserv identify
PROTIP: Some IRC networks have server commands to alias /msg nickserv as /nickserv, or even /identify; these are generally more secure. Read more on IRC: http://www.irchelp.org/irchelp/new2irc.html

2. MSN, Yahoo, AIM, ICQ, jabber, etc..... As they are centralized services they can be a whole mess of fail. However, everyone else in the world uses them. They also don't give out IP addresses. Get a single general-purpose IM client that runs them ALL. Try to avoid the standard clients, as they tend to be slow, buggy and laden with advertisements and flaws. Try Pidgin. http://www.pidgin.im/. It runs on Mac/Windows/Linux. Pidgin also supports OTR, and many many many useful IM-foo plugins to use IM like a champ (gives you far more control than standard IM clients). Oh, and go through the settings of connections and make sure "encryption required" is set on any network you connect to.
This makes it use SSL/TLS. Many IM networks support encryption.

--OTR--
Next, let's learn about OTR (Off The Record). It is a good, easy-to-use encryption plugin for IRC and instant messaging that uses AES encryption and Diffie-Hellman key exchange. While OTR cannot disguise that you're using a particular service, or who you are talking to, it can keep the content of the conversation private. It's important to understand this.

You need to generate a private/public key for every "instance" of yourself: every nick/handle on every network you use. Then you need to authenticate and store keys for all your buddies you wish to securely chat with. Primarily in Pidgin, it's as easy as installing the OTR plugin, then going to the menu Tools -> Plugins. Now find "Off The Record", select it and hit Configure. Select each individual "Key for account" and hit "Generate" until they all have keys.

NOTE: It's important to save and back up the keys, and never change your OTR keys unless you absolutely have to. Guard them, and access to them, with your life. If you lose them, you lose your ability to authenticate yourself to your friends. If they get stolen, someone can impersonate you.

When you see a buddy online, you must authenticate with him, which means swapping fingerprints. Contact him securely via other means and manually verify the fingerprint, then save it. If someone you already swapped keys with asks to swap keys again, contact him via another secure medium (or in real life) and verify the key swap, to make sure it's not an impersonator.

XCHAT - you need to do this manually via /otr commands in xchat; see the user guide http://git.tuxfamily.org/irssiotr/irssiotr.git?p=gitroot/irssiotr/irssiotr.git;a=blob_plain;f=README;hb=HEAD

Backup OTR Keys:
xchat - in $HOME/.xchat2/otr - back this up and restore it for your saved personal keys and saved authentications.
pidgin/libpurple - $HOME/.purple/otr.fingerprints - your saved authentications you've made previously.
$HOME/.purple/otr.private_key - your personal key you use for authentication (keep this safe; if someone else gets this, they can fake your identity). Save and restore to the same locations to maintain a key (this helps prevent man-in-the-middle attacks, and verifies/preserves your identity). It's important to back up these files if you are reformatting your computer, moving to a new computer, or using a live operating system (you need to restore these files every time you start your live OS).

Secure connection to the IRC/IM server (TLS/SSL): this will authenticate the SERVER and encrypt all communications between you and the server. A snooper WILL be able to see your computer is connecting to the server, and not much else (not even who you are talking to). The server itself WILL be able to tell these things (how much do you really trust the server?).

OTR, or other end-to-end encryption, encrypts messages sent from you to the person you are actually talking with. Someone snooping will see what server and protocol you are using, your user name, and who you are talking to, but not what is being said. The server will NOT be able to tell the content of the messages.

Using SSL/TLS to the server AND OTR together (recommended): The server will be able to see you are online, and who you are talking to, with timestamps, but not the content of any messages. The snooper will be able to see what server you are connected to, and that you are, but nothing more.

--
I. Disk Encryption/Secure Storage - Truecrypt can work in three ways:
1. It can encrypt an entire disk (not the one you boot off of).
2. It can create an encrypted CONTAINER in a file which contains a virtual disk.
3. It can encrypt the entire computer (the disk with the operating system).
3 is not recommended because it can be defeated EASILY by the "evil maid" attack, and Truecrypt refuses to work with trusted boot/encryption hardware which would counter this.
It's recommended you use something else like Bitlocker or ecryptfs/LUKS to encrypt the entire disk. Offline encryption is what Truecrypt excels at: making encrypted containers and disks that are mounted only long enough to use sensitive information, then unmounted, where they are safely stored. It's up to you how to store encrypted containers. No single way should be used by everyone, otherwise a pattern emerges.

There are three algorithms with Truecrypt: AES, Twofish and Serpent. AES is a US government standard of Belgian origin for storing data up to TOP SECRET (Twofish and Serpent were finalists in the AES competition). It's also widely used in web servers, ssh and various other internet protocols, as well as internally by Linux, and the big plus is that many modern CPUs have hardware-based AES acceleration to speed up reads and writes by a few powers of ten. Truecrypt can use CPU-based hardware acceleration of AES. Twofish is the successor to Blowfish, the still unbroken 64-bit algorithm from 1993, by Bruce Schneier, author of Blowfish. There is no way to REALLY determine which algorithms will stand the test of time (RC5 was broken less than 5 years after its debut as the world's strongest algorithm), but my money is on Twofish. All three operate in 256-bit mode and can be used in any combination. The more encryption, the slower it gets; the less, the faster, but weaker. Also used by Linux, ssh, ssl, etc.

General recommendation - for large amounts of media, AES is the best bet due to acceleration, unless the need for security is absolute and extreme. Serpent and Twofish are less used and less likely to be broken, as well as marginally more secure. If you are storing extra-sensitive data, text, small images, pick any of the two algorithms; they should all be good. Hashing is the same way; all three algorithms are tried and tested, unless you find out that one of them is bad or gets broken (which happens).
Then there are hidden partitions - you get to choose another password and make an inner container which is invisible to the outer container. The presence of an inner container IMPLIES there is an outer container, but NOT vice versa. Also remember, writing to the inner container can damage the outer container, as they incorrectly report free space to hide from each other. Truecrypt containers just look like random data in a file. Encrypted disks look like unformatted disks. Keep in mind someone technically adept enough can find Truecrypt partitions, and although they were made to have "plausible deniability" of their existence, it seems this was broken. Just remember this when facing an adversary. The plausible deniability of inner "hidden" containers has yet to be broken, however. http://16s.us/TCHunt/index.php

--
J. Password management - A password manager is a nice, easy-to-use way to store passwords locally, storing passwords in an encrypted file with a password key. Store the file on your Truecrypt/LUKS partition for double protection. They let you use very long passwords you can generate and store and then copy and paste as needed, and very easily make new ones too. They also don't show passwords in plaintext while you look at them unless you want to see them, making them great for public places and people looking over your shoulder, and for defeating keyloggers. They also clear passwords out of memory after a short time (under 1 min). You can have as many files as you want, compartmentalizing passwords by sets.

For one-off password generation there are a zillion command-line utilities; just open a terminal, type the command, and copy and paste. You can also use KeePass. KeePass and its variants are recommended by this guide. They greatly reduce the risk posed by local and physical threats of force and surveillance, and they are open source and cross-platform.

--
K.
GPG - GNU Privacy Guard (replacement for PGP). GPG is an encryption and authentication framework. It can be used to encrypt files and emails, and to AUTHENTICATE the same as well. This depends on you creating, storing and maintaining a private key to identify yourself with. You should keep the private key as secret as possible (back up the file on encrypted space).

1. Step one: learn how to handle keys, such as importing and giving the correct amount of trust to public keys, and then generating your own. You should "ultimately trust" your own personal key, and your own personal key alone. gpg works on the command line, but there are some good graphical front ends.
a. Seahorse - GNOME
b. kgpg - KDE
c. GPA (GNU Privacy Assistant) - GTK, minimal dependencies, works great with XFCE and LXDE
d. GPG-shell - GTK.

Once you've found one you can work with, go ahead and create a key. Make sure you remember the passphrase, or better yet, save it securely in a password management keyfile on an encrypted partition. Once you've done that, back up your private key so it doesn't get lost. This is used to verify your identity, so replacing it is a big deal. Store it in encrypted space as well. It's also important no one else gets access to it (they could steal your identity).

When you create a GPG key, you really create a pair of keys: one public and one private. The public key you can give out pretty liberally to identify yourself online. The private key you should give out to no one, ever. No one ever needs your private key for any reason. When you make contact with someone online, or at conventions, you might exchange PUBLIC keys. Some people love doing this in person. Keys have signatures you can verify manually (generally a signature which is a number in hexadecimal). This is important. Don't just click through these. They should never change. If they change there is a problem: either your friend lost his private key, or someone is trying to impersonate him.
If a GPG key changes, or you are setting up this particular connection for the first time, you need to contact your friend via other means to confirm the key. A simple reciting of the public fingerprints of both parties' keys should do (NOTE: this is also true for OTR). If you're using a live OS that doesn't save data, you will have to import this every boot, or even better, back up your entire $HOME/.gnupg directory and restore it every time (make sure to secure the contents of this directory with strong encryption; it contains your private key). It's important to note that you need a new GPG key pair for EVERY identity you have. Again, if it has your private key, take care. Once you make a gpg key, all GPG-aware programs should see this identity and use it. See your program's guide for signing/encrypting data with GPG.

2. Signing/verifying, Encrypting/Decrypting - once you've loaded GPG keys, you can use your master (private) key to sign and encrypt files. To VERIFY or decrypt the files, you need the PUBLIC key of whomever signed/encrypted the file/email/etc.

3. Keyservers - there are some secure keyservers that automatically distribute public keys securely. You are free to use or not use them, depending how secretive you want to be with your keys. Your GUI program should have menus for this, or you can type "man gpg" on the command line for information on command-line commands.

--
H. Web Browsing

OK, so you've probably got the scare speech on how rogue government employees, criminals and/or large corporations (maybe even in conjunction) are going to spy on your web habits or otherwise invade your privacy via the web. In the previous section we discussed several bits of software. Now let's talk about putting them into action to protect your web browsing.

1. Configure web browser. At this point, the best browser for this is Firefox.
Let's start with Firefox config. You want to disable all automatic updates from inside Firefox (make sure you manually check for updates at least once a week). This will give more control back to you, the user.
Menu -> Edit -> Preferences -> Advanced -> Update: uncheck everything.
Menu -> Tools -> Addons -> little gearbox menu -> uncheck "Update addons automatically".

Now some more configuring: Menu -> Edit -> Preferences. From Preferences, select the following.

Preferences -> Security -> make sure "Remember passwords for sites" is unchecked. Firefox can generally be trusted with "Block reported attack sites" and "Block reported web forgeries", but keep in mind if the lists were ever updated in the future by an unsavory party, they could have the inverse of the intended effect. For regular browsing they should be fine. On the other hand, if you're extremely web savvy and paranoid and can spot forgeries and attack sites on your own, you can uncheck these, as they add extra miscellaneous connections. Now click on the "Exceptions..." button next to "Warn me when sites try to install add-ons". The only site should be addons.mozilla.org, and you can even delete that too.

Preferences -> General: "When Firefox starts" should be set to either "Show my home page" or "Show a blank page". If you were also using a proxy or tor and close the window, you don't need the last site to load over clearnet. Make sure your "home page" is something sane. Blank pages, about:blank and about:home aren't bad ideas.

Preferences -> Privacy -> make sure "Tell websites I do not want to be tracked" is enabled.

Preferences -> Privacy -> Now select "Use custom settings for history" from the first drop-down box. The settings in this part are a little tricky, and a matter of user preference depending on your needs and how paranoid you are.
You should always uncheck "Remember search and form history", and you should always have "Accept cookies from sites" enabled, and "Accept third-party cookies" (it will seriously degrade web performance if you don't). Uncheck "Remember browsing and download history", but it's NOT necessary, and you can easily clean up cookies, history, settings, etc. with BleachBit and with the built-in history remover (which works on all of these settings). You can also selectively opt in at will with "privacy mode" during browsing. If you really want, you can check "Always use private browsing mode", but this can be slightly excessive (or not, you decide). You can always select private browsing in normal usage mode if it's something sensitive (while retaining a usage history).

Now type in the URL bar (also in Appendix E):
about:config
and hit enter. This will enter into manual settings config; change the following values:
network.http.keep-alive.timeout 600
network.http.pipelining true
network.http.proxy.pipelining true
network.http.max-persistent-connections-per-proxy 16
network.prefetch-next false
geo.enabled false
For further security, but might break some usability (generally OK to not set these when using NoScript):
network.http.sendRefererHeader 0
network.http.sendSecureXSiteReferrer false

Great. Now some must-have addons and additional programs. If you run Linux, see if your distro has these before downloading them externally. This will make updates far more seamless.

a. Program - BleachBit. Can quickly scrub usage tracks for Firefox and almost all programs on many systems. If you didn't install it already, install it. Really easy to use. Once you install it, run it, then edit the config: Edit -> Preferences -> check "Overwrite files to hide contents".

b. Addon - HTTPS Everywhere. Get it from the EFF's website (Section 1). For normal operations it's a good idea to keep the Observatory turned on. You will be asked on install.
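Going back to the about:config values listed above: an added Python checker (not part of the original guide) that parses the user_pref lines of a profile's prefs.js or user.js and reports which of the listed values are set, set wrong, or never touched (in which case Firefox's built-in default applies). The sample prefs text inside it is constructed, not from a real profile.

```python
"""Audit a Firefox prefs.js/user.js against the about:config values recommended
above. Added example, not from the original guide; sample prefs are constructed."""
import re

# The values the guide asks for, and the optional stricter pair.
RECOMMENDED = {
    "network.http.keep-alive.timeout": 600,
    "network.http.pipelining": True,
    "network.http.proxy.pipelining": True,
    "network.http.max-persistent-connections-per-proxy": 16,
    "network.prefetch-next": False,
    "geo.enabled": False,
}
STRICTER = {
    "network.http.sendRefererHeader": 0,
    "network.http.sendSecureXSiteReferrer": False,
}

# prefs.js stores one call per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(text: str):
    """Firefox prefs are bool, int or string; strings are double-quoted."""
    if text == "true":
        return True
    if text == "false":
        return False
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return int(text)


def parse_prefs(text: str) -> dict:
    """Return {name: value} for every user_pref line; comments and blanks are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit_prefs(text: str, wanted: dict) -> dict:
    """Compare a prefs file against wanted values.
    Returns {name: (status, current)} with status "ok", "mismatch" or "missing".
    "missing" means the profile never set it, so the built-in default applies,
    which may or may not equal the wanted value; set it explicitly to be sure."""
    current = parse_prefs(text)
    report = {}
    for name, want in wanted.items():
        if name not in current:
            report[name] = ("missing", None)
        elif current[name] == want:
            report[name] = ("ok", current[name])
        else:
            report[name] = ("mismatch", current[name])
    return report


# Constructed sample: two values right, one wrong, the rest never set.
SAMPLE_PREFS = """\
# Mozilla User Preferences (constructed sample, not a real profile)
user_pref("network.http.keep-alive.timeout", 600);
user_pref("network.http.pipelining", true);
user_pref("network.prefetch-next", true);
user_pref("geo.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name, (status, cur) in audit_prefs(SAMPLE_PREFS, {**RECOMMENDED, **STRICTER}).items():
        print(f"{status:8} {name} (current: {cur})")
```

Point it at a real profile with `audit_prefs(open(path).read(), RECOMMENDED)` while Firefox is closed, since Firefox rewrites prefs.js on exit.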
If not, click the HTTPS Everywhere button -> SSL Observatory Preferences. Make sure it's turned on for normal use. This also makes a miscellaneous connection to the EFF, so if you don't trust that (super paranoid), turn it off, but be WARNED, checking SSL certs on your own will be hard, if not implausible. Use with care.

c. Addon - NoScript - you can always get it by searching for it in the addons window: Tools -> Addons. https://addons.mozilla.org/en-us/firefox/addon/noscript/ Now if it doesn't show up as a button on the toolbar, go to View -> Toolbars -> Customize and drag the button onto the toolbar (then close the Customize window). Now click on the NoScript button. NoScript -> Options -> Whitelist: delete every website on the list (that doesn't start with about:, blob:, chrome:, resources:, etc.). NoScript -> Options -> Embeddings: if you're running GNU Gnash instead of Adobe Flash you can safely uncheck "Forbid Adobe Flash", otherwise keep it checked. Now hit OK.

d. Addon - Foxy Proxy - again, get it from the addons search. It's named "Foxy Proxy".

e. Addon - User Agent Switcher. Search for it. The one you want is made by "Chris Pederick". View -> Toolbars -> Customize; drag the UA Switcher button to the toolbar. Close, and click UA Switcher -> Edit User Agents -> make sure "Overwrite user agents when importing" is checked, then download a massive list from http://techpatterns.com/forums/about304.html. Click "Import", select the file you downloaded and hit "OK".

f. Program - privoxy. Go download and install privoxy. Edit /etc/privoxy/config. See Appendix B for more information and settings for I2P and TOR. Leave it alone for transparent proxying. It can now be used with TOR and I2P with one proxy setting. Follow the instructions for (TOR with privoxy).

Great, now we have everything installed.

2. Use Firefox Like a Champ.
By now you are going to notice that NoScript has taken a bite out of most of your favorite sites, as it blocks everything by default, gives no quarter nor expects none in return. To view most "live" content, like Flash, Java, JavaScript, etc., you need to tell NoScript to allow the sites you need. You probably don't want to do this permanently, just temporarily. There is an option as such. In fact, the little popup bar on the bottom of your browser will now alert you to what is blocked, and give an option to allow content by site (temporary is an option). You will also see all the sites that are trying to load content. Be very unsurprised when you see the likes of "googleanalytics", "doubleclick", etc. (these are advertiser tracking sites). Most of your websites should now work, sans the large-scale tracking. As for Java and Flash apps, they will only load when you double-click on them, loading only the ones you want. You will see a NoScript icon as a placeholder. Now, very easily, you've gotten a grip on most obnoxious content and most tracking advertisements with NoScript.

HTTPS Everywhere's function is more mundane but just as important. You will notice many sites will be redirected to https now, transparently. This will make a good chunk of the web use the optional crypto by default. Neither of these is foolproof, but they are a great start, and combine with other methods to make you harder to track. They give you far, far more control over your browsing experience, and add a degree of informed consent. Do not allow more sites with NoScript than you need, and be very careful allowing sites on a non-temporary basis (you can always undo it later).

Another thing to keep in mind is some sites you should trust SOME of the time, such as Facebook and Google, two companies that make most of their money collecting information on users. NoScript will let you selectively tell these companies what you allow them to see.
Simply don't allow Google or Facebook to run scripts on websites that don't use Google or Facebook. googleanalytics.com is a big one. Some sites use this as a backend; many just include it. That said, only trust Facebook and Google when you are using them directly. Therefore you only give the companies what you want to give them. I certainly say you won't let out "zero" personal information, but this will greatly reduce the amount available. Great volumes of data are needed to accurately profile you, and this method should eliminate around 80%-90% of the information that tracks you from site to site, decreasing the amount of information that sites have to profile you with. While I do not know for sure, it should make profiling difficult if not impossible.

User Agent Switcher - You should notice the massive amount of user agents here. Update the list from time to time from the site listed above. Internet content providers can change content based on what browser is reported to them, or networks can profile users based on their browser choice. If either of these becomes an issue, you can set your user agent to whatever browser the powers that be "expect" you to use, such as Internet Explorer, as a workaround.

Privacy mode - Firefox has a mode called "privacy mode", where settings, cookies, cache and all persistent data will only be stored for the duration of that privacy mode, or until the web browser quits. Note this only affects local storage; anyone monitoring your network connection will still see the connections. This will prevent anyone who goes through your hard disk from looking at your user history. If you forgot to do this, you can apply it retroactively with Tools -> Clear Recent History, or by hitting CTRL-SHIFT-DEL. But note, this merely deletes things; using BleachBit or another file shredder that overwrites files is far safer if your adversary is technically competent (see secure shredding, section 2).
You can now set up proxy switcher to work with I2P and TOR. If you are going to use tor without torbutton/torbrowser, be sure to spoof your user agent to the same as torbutton/browser. See Appendix D. Now test http://ip-check.info, to see what your browser gives up on you, or what can be gotten on you.

NOTE: This is your set up for everyday browsing, to use facebook, web mail, and above ground official personality usage. Your demographic profile could be used to fingerprint you, link you to alternate pseudonyms used elsewhere, or otherwise make you a target for corporate, government, or other large institutional attack.

3. TOR Usage - If you seem to be using TOR a lot, and are NOT an expert user, try using TORbrowser. TORBrowser is a fork of firefox with most of the above done, meant to use TOR, with a discontinued plugin called "TORButton" that switches TOR use on and off. https://www.torproject.org/projects/torbrowser.html.en

4. Yacy - http://yacy.net. Yacy is a distributed peer to peer search engine; unlike client-server models like google, every peer on the network assists with search, and every peer has a search interface. It's also free software, and a protocol as well as a service, so there are a few different search networks (redundancy reduces the impact of attacks/breakage). It's also Free (as in speech) software. It's a little experimental but the interface is good, and it's very intuitive. Make sure it's running before attempting to use it; it will run in the background as a system service. You can then navigate to http://localhost:8090 in your web browser (bookmark this), to connect to the web interface running on your local machine. You'll see the familiar search bar, and options tabs for further configuration.

-------------------==============Section III Operating Theory==================------------------

Now that you've learned what some tools are, and how they work, let's talk about theory.

-- A.
LIFECYCLE OF SENSITIVE DATA

The lifecycle of data refers to the creation, storage, usage, and destruction of sensitive data, and how to handle data at each stage to prevent leaks.

1. The beginning. There are three ways that new data is obtained. Sometimes a combination of these is true; if so, follow the guidelines for all that apply.

a. Downloaded from the internet or other network - make sure you download or view sensitive data via an encrypted connection, preferably authenticated. If you are downloading from a source that would arouse suspicion by itself, make sure you use an anonymizing proxy, such as TOR, to disguise your origin. You should download directly to an encrypted container if possible. If this is NOT possible, download to a location you can easily scrub later on. See below for sensitive data on unencrypted/unsecured space.

b. Created using programs and tools on the local machine, particularly from other files - create files on a secure/encrypted partition/drive, and never let them touch unsecured space. See below if it happens.

c. Downloaded from a locally connected media capture device such as a cellphone, digital camera or camcorder - you generally connect a USB cable; download them to encrypted/secure space only. Then follow the guide for sensitive data on an unencrypted/unsecured space.

2. Access - is as simple as making sure you have a clean operating system to use, as free of spyware or other malware as you can be comfortable with. Also make sure page files and disk based swap are either encrypted or disabled to avoid leaving residue on the disk. Make sure your operating system doesn't make/use temp files outside the encrypted partition (modern ones shouldn't). Again, don't move sensitive data off encrypted/secure partitions; use them where they are.

3. Uploading. Depending on the nature of the data, it's good sense to use an IP other than your own, be it an internet cafe or routed through tor.
Using a public computer/network, it is imperative you spoof your MAC to avoid the transmission being tied to the hardware you are using. If you directly upload from a home network, your IP can be compared to usage across other sites, and traced back to your ISP and the general vicinity (city or town) you live in. Make sure you use encryption layers like TLS/SSL that go end to end from where you are uploading to your intended recipient. It's not enough that you encrypt the data so it cannot be intercepted; you also disguise the nature of the data so it's not singled out, and hide the source/destination of the data so you don't bring attention to either sender or receiver. See Sections I & II.

3a. Sending encrypted containers. Sometimes you need to send someone a sensitive file across the internet. The best way is to make an encrypted container, either as an archive with password based encryption like zip or 7zip, or a Truecrypt container. Then you need to transmit the password separately through secure lines. Truecrypt containers are preferred because they contain no visible, unencrypted metadata the file can be identified with. Make sure these use unbroken encryption algorithms. See Sections I & II.

4. Deletion - End of life for sensitive data. You have no more use for the data, but it's still sensitive, so you want it irrevocably erased. Do not simply delete, but overwrite byte by byte the entire file. If an entire disk or partition is being decommissioned, the entire drive needs to be overwritten byte by byte. See Sections I & II for secure deletion/scrubbing/shredding.

GUIDE for sensitive data that gets on unencrypted/unsecured space

COPY the data to an encrypted partition. Never move or delete sensitive data FROM an unencrypted partition.
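The copy, verify, then scrub sequence for data that landed on unsecured space, together with the byte-by-byte overwrite from step 4, as an added shell example (this is not code from the original guide). It assumes GNU coreutils (sha256sum, shred); the "secure" destination is a plain directory standing in for a mounted LUKS/Truecrypt/eCryptFS volume, and the input file is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: COPY to secure space, VERIFY the
# copy, and only then scrub the unsecured original byte by byte.
# Assumes GNU coreutils (sha256sum, shred). The secure destination here is a
# plain directory standing in for a mounted encrypted volume.

# Exit 0 only when both files have the same SHA-256, i.e. the copy is verified.
files_match() {
    a="$(sha256sum -- "$1" | cut -d' ' -f1)"
    b="$(sha256sum -- "$2" | cut -d' ' -f1)"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Overwrite every byte of the file (3 random passes, then a zero pass so it
# does not look shredded), then unlink it. This only helps on media that
# rewrite in place: journaling file systems, SSD wear levelling and snapshots
# can keep old copies, which is why the guide says to create sensitive files
# on encrypted space to begin with. A decommissioned disk gets the same
# treatment on its block device (shred -n 3 -z /dev/sdX, sdX being a placeholder).
scrub_file() {
    shred -n 3 -z -u -- "$1"
}

# Full procedure. Returns 1 and leaves the original untouched if the copy
# cannot be made or verified, so a failed copy never destroys the only copy.
move_to_secure_space() {
    src="$1"; secure_dir="$2"
    mkdir -p -- "$secure_dir"
    copy="$secure_dir/$(basename -- "$src")"
    cp -- "$src" "$copy" || return 1
    files_match "$src" "$copy" || return 1
    scrub_file "$src"
}

# Stand-alone demo on a constructed file.
demo() {
    work="$(mktemp -d)"
    printf 'constructed sensitive notes\n' > "$work/unsecured.txt"
    if move_to_secure_space "$work/unsecured.txt" "$work/encrypted_volume"; then
        echo "original scrubbed, verified copy at $work/encrypted_volume/unsecured.txt"
    fi
    rm -rf -- "$work"
}

demo
```

The order matters: the hash comparison guards the destructive step, and shred is only run on the unsecured path, never on the copy inside the encrypted volume.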
First copy to an encrypted/secure location, verify your copy, then securely scrub the data off the unencrypted space, as discussed in Section II.

--Making Iconography and Art for Anonymous/Pseudonymous personas/groups--

Real simple. First set up a relatively private line to the internet (read tor/proxies + ssl/crypto; see data lifecycle). Second, using your favorite search engine, search for the type of image you want, and download it to secure space. Touch it up with gimp/photoshop and combine it with other images. Scrub all metadata off it with a metadata scrubbing tool (see above). Scrub settings and usage tracks if not done from a live cd (in fact live cds are great for this task: no mistakes made).

-- B. TOR, Darknets, and proxy usage explained.

1. Anonymization of "Clearnet". Traditionally, to mask your IP address from websites you'd use a web proxy. This has many drawbacks. TOR works as a proxying network to address many of these concerns. TOR can also function as a "darknet", but we'll get into that later. There are many advantages to TOR. Your data cannot be traced back through the path; it's "onion encrypted", so each router doesn't know the full chain, only peels a layer and re-transmits. It's a pretty good way of hiding your source IP. There are also some potential problems with TOR. It's slow. The last hop on the network (exit node) gets to see your data unencrypted (can snoop your traffic), and there is no encryption from the last hop to the destination (the exit node's network might be more dangerous than yours). Another big limitation is that tor nodes are fingerprinted as being TOR nodes, and many sites won't work. So far using TOR in most civilized nations is 100% without restrictions, BUT it might fingerprint you as an "undesirable". That said, there is no better option for researching sensitive information on "clearnet", or the above ground internet.
You NEED TO USE TOR for researching sensitive information, doing research on topics that are taboo, controversial, or might get you as an individual, or as part of a group, in trouble. You might be further researching additional privacy methods. It's also the best method for contacting sites the mainstream has deemed "unsavory". This is an effective tool to prevent censorship by shame.

You should never use TOR or an anonymizing proxy for accessing websites or internet services that need a real login attached to your real life persona. Not only is TOR worthless in covering your usage tracks in this respect, it exposes your personal information to being intercepted over TOR. This includes sites like online bill paying, banking, a social network site with real information, etc.

Alter-egos, pseudonyms, and screennames. This is a grey area: pseudonyms not linked back to you directly. When you make them you have to decide, is this a TOR/proxy pseudonym or not, and you have to stick with that decision for the rest of the time you use the pseudonym. If you choose "tor/proxy", then either TOR or a good anonymous web proxy must be used each and every time you access resources (such as email, web forums, file lockers, etc.) associated with said character. Anonymity has levels. You must decide how anonymous/pseudonymous you want to be. Be mindful of the "Use New Identity" button in vidalia; if you use this, you will get a new IP. Make sure you don't mix and match identities you want to keep separate by using them at the same time, with the same identity.

.onion versions of regular websites. Always Always Always double check to make sure they are official, and CONFIRM THIS. This would be a great way for someone to do a phishing attack on you. Using a .onion is far safer than using tor as a proxy, because there is end to end encryption, and .onions are authenticated with private/public key encryption. You can be certain you are getting the same server every time.
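One way to turn "CONFIRM THIS" into a habit rather than an eyeball check, as an added example that is not part of the original guide: keep a file of .onion addresses you have already verified as official, and accept only an exact match, reporting near misses separately so a look-alike address stands out. The bookmark file format (one "name address.onion" per line) and the sample addresses are constructed for this example; the length check covers both the 16 character addresses of the guide's era and the later 56 character ones.

```shell
#!/bin/sh
# Added example, not from the original guide: check a .onion hostname against
# a list of addresses you have already confirmed as official.
# Bookmark file format (constructed for this example): "name host.onion" per line.

# Syntactic check: 16 chars (original format) or 56 chars (later v3 format),
# base32 alphabet a-z2-7, followed by ".onion".
is_onion_syntax() {
    printf '%s\n' "$1" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$'
}

# Prints "ok NAME" for an exact match (exit 0), "lookalike NAME" when only the
# first six characters match a confirmed address (exit 1), "unknown" when
# nothing matches (exit 1), or "invalid" for a malformed name (exit 2).
# Only an exact match is ever treated as the site you confirmed.
check_onion() {
    host="$1"; bookmarks="$2"
    if ! is_onion_syntax "$host"; then
        echo "invalid"
        return 2
    fi
    prefix="$(printf '%s' "$host" | cut -c1-6)"
    result="unknown"
    while read -r name known; do
        [ -z "$known" ] && continue
        if [ "$known" = "$host" ]; then
            result="ok $name"
            break
        fi
        # same leading characters but a different body: the classic lure
        case "$known" in
            "$prefix"*) result="lookalike $name" ;;
        esac
    done < "$bookmarks"
    echo "$result"
    case "$result" in
        ok*) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Add an address to the bookmark file only after confirming it through a channel you already trust (the site's clearnet page over https, a signed announcement, or an in-person exchange); the script can only tell you whether the name in front of you is the one you confirmed earlier.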
Just be careful though: an attacker can make a similarly named site. They can also be useful, and are verified with hash sums, and encrypted end to end via tor. It's also impossible to prove from the outside which .onions you are using. This adds far side protection as well as the usual near side security.

IRC - using IRC with TOR can be tricky. You should see if your network has an official .onion, as many networks ban tor exit nodes because of abuse. Make sure you start your IRC client with torsocks instead of trying to fiddle with proxy settings.

2. Darknets - The Web Beneath the Web

Let's take the time to talk about the so called "dark networks", i.e. websites and networks that aren't accessible from the outside of the internet; while transmitted over the internet, the contents, senders, and destinations of data are purposefully obscured to give anonymity. TOR is mentioned earlier. TOR can also function as a darknet in addition to being a proxy network. I2P (Invisible Internet Project) is an example of a network which is primarily a darknet, but can be configured with "exit" nodes. They are generally set up in the same fashion as proxies are, and some use darknet specific software. Both I2P and TOR have in common that it would be exceedingly difficult if not impossible for a user to find the location or identity of either a site visitor or a site via the usual TCP/IP lookup methods. They both use similar means of progressive encryption, which obscures all routing details but what is needed to function. We can call these APDs (Anonymous Public Darknets). The other type of "darknet" is simply a private network, either physical or virtual, but invitation only. They generally use commonly available internet and/or VPN software, and whoever invites you will generally give you instructions on its use. Once you've configured a web browser or other internet software to use your darknet, you need to connect to a site.
This is generally done the same way as on "clearnet", but you will notice darknets generally use net specific fake domain names that will only make sense on that net. I2P uses .i2p domains, and TOR uses .onion.

Culture - There are a lot of things you will find on darknets, specifically APDs. If you are unfamiliar with darknets, you should be very careful. You can still be identified on darknets if you post identifiable information about yourself, or otherwise give out information (credit cards, shipping addresses, pictures) that could be used to identify you. Although you can be certain that all kinds of law enforcement from around the globe are watching most darknet sites, there would be relatively little any of them could do to help you if a dispute does not resolve in your favor. That said, there is little that your fellow darknet users could do against you, if you don't let them. Act like it's the 1990s internet. The term "clearnet" is used for the regular internet when discussing "darknets". Also be warned, there are many goods and services for sale that might seem silly or out of place to the denizens of the "risk averse" clearnet universe. Also, if it sounds ridiculous, it probably is. If it looks illegal, it just might be. If there is a question of legitimacy, there is none. It should be noted that if you are not familiar with a seller on a darknet, do not contract them for a high value service (thousands of dollars) as your first transaction. When purchasing services that are questionable, there are no guarantees. There is illegitimate, unethical, illegal, and most certainly sexual content on darknets. Expect frauds and liars. As policy, this guide recommends no darknet only sites, nor to the best of our knowledge will it recommend anything "questionable".
We just point out that "questionable" material lurks out there, and to take caution:

tl;dr - if you or your dumb little buddies, while on said "darknets", do anything, masturbate, purchase, or otherwise fuck with materials that are: illegal, amoral, unethical, or known by the State of California to cause cancer, get your shit fucked up, shit your pants, warp your mind, or commit a Class 9A felony, or any other bad shit happens to you, because you're a fucking brainless 15 year old fuckhead trying to be edgy, then get caught, because you're not as badass, leet, or as hardcore as you think you are: Don't blame the darknets, don't blame this guide, don't blame the author, or any of the other projects he/she works on, or anyone else but your dumb weeaboo yiffy self. You did it. Not me. You. I told you not to.

===================================APPENDIX====================================

Appendix A. - Privacy Network Web Browser Proxy Settings.

TOR (The onion router) + filtering proxy (polipo/privoxy)
               Host         Port
  http proxy   127.0.0.1    8118
  ssl proxy    127.0.0.1    8118
  ftp proxy    127.0.0.1    8118

TOR (The onion router) - No filtering
               Host         Port
  SOCKS        127.0.0.1    9050    (check SOCKS v5)

I2P (Invisible Internet Project)
               Host         Port
  http proxy   127.0.0.1    4444
  ssl proxy    127.0.0.1    4445

Appendix B. - Privoxy config for using TOR and I2P (add ONE of these to your /etc/privoxy/config)

TOR:
  forward-socks5 / localhost:9050 .

I2P:
  forward / localhost:4444

TOR+I2P:
  forward .i2p localhost:4444
  forward-socks5 / localhost:9050 .

Appendix C. - Lists of IRC Networks

http://searchirc.com/
http://netsplit.de/

Appendix D. - Torbrowser/button HTTP user agent.

Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0

Appendix E.
- Manual FireFox settings (type about:config in the address bar)

network.http.keep-alive.timeout                      600
network.http.pipelining                              true
network.http.proxy.pipelining                        true
network.http.max-persistent-connections-per-proxy    16
network.prefetch-next                                false
network.dns.disablePrefetch                          true
geo.enabled                                          false

Optional:
network.http.sendRefererHeader                       0
network.http.sendSecureXSiteReferrer                 false

Appendix F. - URLs on localhost (127.0.0.1)

http://localhost:8090 - YaCY
http://localhost:7657 - I2P control panel

----------------------------------------------------------------------------------

Epilogue - Just a reminder, this is copypasta.

© 2011-13 Ninja OS. Licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)