Showing revision #09e6d8fa of page basic_security

/f/freeasinfreedom's Guide to Basic Computer Security

  1. Introduction

    1. Never Assume You Are Safe

    2. Know That Anything You Do Might Be Vulnerable

    3. Given Enough Time, Resources and People, Any System Can Be Cracked

  2. Digital Security

    1. General Pointers

    2. Internet Browsing

    3. Smartphones and Tablets

Introduction

Welcome, comrade.

You've taken your first step towards being a digital ghost, immune to the powers of the tyrannical government of your choice, the evil corporation of your choice, and the exploitative bourgeoisie as a whole. The secret to not having your privacy invaded while on-line is this:

  • Stop using the internet

  • Stop using computers

Unfortunately, no system is fully secure, and that should be the first thing you learn here. Almost every program has it's bugs, and no program, service, or system should ever be trusted as perfect.

This is all to remind you to be sceptical of any system's claims. The less they admit their own faults and limitations is probably the less secure they actually are.

Never Assume You Are Safe

Know That Anything You Do Might Be Vulnerable

Given Enough Time, Resources and People, Any System Can Be Cracked

That being said, the rest of this guide will teach you how to minimize the number of possible holes in your system. This could go into more detail about things like how to design threat models, but the intention is to create something that most people can pick up and use.


Digital Security

Digital security here refers to things that matter while actively using a computer.

General Pointers

  • Keep your software as up-to-date as possible. This is critical because vulnerabilities in older versions of software have more time to be discovered and exploited. Many tools used by the NSA and CIA only work for older versions of Linux.

  • Use free software whenever possible. Free software does not mean free as in free beer, but free as in free speech (see the GNU project's definition for more details). Free software generally ensures that the software isn't doing anything you don't want it to do, as you have access to the source code to verify what it's doing. It also means the person or group that maintains the software can't get you in trouble for using it in a way they don't like.

  • Download software only from trusted sources, like your OS's package manager, trusted 3-rd party repositories (like RPMFusion), F-Droid, or the website of the developer. If you don't use a package manager, verify the download using it's PGP key, if the developer provides one. A guide on how to do this on Linux can be found here. If you're using Windows or macOS, you're wasting your time verifying your downloads.

  • If you're not paying for a product, and the program isn't free software, chances are they're making money off of you somehow, usually through tracking and ads. There are some exceptions to this, but do not trust any non-free gratis software to be secure or private.

Internet Browsing

Browser Plugins

Browser plugins are one easiest of the ways you can help secure your internet browsing experience. Generally, you'll want:

  • An Ad Blocker. This not only stops annoying ads, but also blocks a lot of trackers that allow companies to spy on your browsing history. We recommend uBlock Origin, but personal preference can be a factor in choosing.

  • HTTPS Everywhere. This plugin is a collaboration between the tor project and the electronic frontier foundation, two of the biggest names in privacy. This plugin makes sure that any website that supports the encrypted HTTPS standard uses it, making the content on the sites you visit invisible to your ISP and anyone else with access to your network.

  • Decentraleyes. This plugin blocks requests from big ad-serving services like Google and Amazon and replaces it with locally hosted content to ensure that your information is kept where it belongs.

More browser plugins worth using can be found at privacytools.io and the GNU project's list of free plugins.

Browser Choice

Firefox is generally the browser of choice when thinking about privacy concerns. If you are uncomfortable with Mozilla having any user data, turning off their analytics program will guarantee that they don't collect any information on your browsing habits. All of the plugins above work with Firefox and Firefox-like browsers.

Google Chrome is very much a privacy nightmare. Google analytics is very good at collecting information about it's users, and you should generally not trust any Google products. Chromium is better, but still not ideal. For a Google-less browsing experience with a chrome-like UI and features, ungoogled-chromium is a good choice. Alternatively, check out Brave, which uses a lot of code from chrome.

Safari, Internet Explorer, and Microsoft Edge should all be considered entirely insecure. Not only does Edge record usage data, but the fact that these browsers are often used by the people most likely to be compromised means that a large amount of time has been spent finding their vulnerabilities. Avoid these browsers.

DO NOT use any browser that comes with a VPN. These may hide you from an employer, your ISP, or other people on your network, but if you're not paying for it, they're just logging your data to serve you ads better. If you can't afford to pay for a VPN, or don't trust any VPN, use the Tor browser.

Tor Browser

The Tor Browser the simplest way to access the Tor Network, which is a feat of computer science and a massive community undertaking. While the entirety of the network is too complex to explain here, it basically functions by encrypting your internet traffic, sending it to an entrance node, and routing it through several servers, each stripping off one layer of encryption, until it reaches an exit node, where it is sent to the server you actually wanted to contact. This way, no server has access to both the sender or receiver of the information and the actual content that it's sending or receiving. It's generally trusted as the best way to anonymize your network traffic.

You can download it here. Make sure to verify the signature using the guide above in general tips.

Tor is not perfect, however. At the exit node, the last of the Tor encryption is stripped off, so anything unencrypted can be read by the exit node or any servers it passes through before returning to Tor. Making sure that your traffic is encrypted by other means, specifically using websites that support https:// instead of http://, add another layer of protection. A more complete understanding of vulnerabilities can be found here.

VPN's

A VPN, or Virtual Private Network, is basically like an encrypted tunnel between you and the rest of the internet so your ISP, employer, pesky government agency, or any other potential invader can't see what you're doing and the sites you visit can't see who you are. VPN's can range from very cheap to pretty expensive, depending on your needs. A VPN is absolutely recommended whenever possible. If you can't afford or justify a VPN, Tor is a very competent replacement privacy-wise, but will often be significantly slower.

DO NOT use browsers with VPN's built in, for reasons above, in the browser section.

Use this VPN comparison chart to decide on the VPN you use. The ones on privacytools.io can generally be trusted, but don't go out and organize a massive overthrow of a government on one.

Warrant Canaries

Theoretically, a person or organization can't have their equipment searched or tampered with by most governments without a proper warrant. While this idea has gotten thrown out the window occasionally, it still generally applies. However, most of the time, a group cannot say that a warrant has been issued against them. To circumvent this, many websites that are in danger of being exploited by government agencies to tap into user's privacy issue warrant canaries, which merely say that a warrant or gag order has not been issued against them. You can find raddit's warrant canary here. If you're worried about a website being compromised, check for a canary. If it has one, and it's updated regularly, you're probably safe.

Smartphones and Tablets


Source code

Introduction
==========


Welcome,
 comrade.

You've taken your first step towards being a digital ghost, immune to 
the powers of the tyrannical government of your choice, the evil 
corporation of your choice, and the exploitative bourgeoisie as a whole.
 The secret to not having your privacy invaded while on-line is this: 

* Stop using the internet

* Stop using computers

Unfortunately, no system is fully secure, and that should be the first 
thing you learn here. Almost every program has it's bugs, and no 
program, service, or system should ever be trusted as perfect.

This is all to remind you to be sceptical of any system's claims. The 
less they admit their own faults and limitations is probably the less 
secure they actually are. 

## Never Assume You Are Safe

## Know That Anything You Do Might Be Vulnerable

## Given Enough Time, Resources and People, Any System Can Be Cracked

That being said, the rest of this guide will teach you how to minimize 
the number of possible holes in your system. This could go into more 
detail about things like how to design threat models, but the intention 
is to create something that most people can pick up and use. 

************

Digital Security
============

Digital security here refers to things that matter while actively using a
 computer. 

## General Pointers

* Keep your software as up-to-date as possible. This is critical because
 vulnerabilities in older versions of software have more time to be 
discovered and exploited. Many tools used by the NSA and CIA only work 
for older versions of Linux.

* Use free software whenever possible. Free software does not mean free 
as in free  beer, but free as in free speech (see the [GNU project's 
definition](https://www.gnu.org/philosophy/free-sw.html) for more 
details). Free software generally ensures that the software isn't doing 
anything you don't want it to do, as you have access to the source code 
to verify what it's doing. It also means the person or group that 
maintains the software can't get you in trouble for using it in a way 
they don't like.

* Download software only from trusted sources, like your OS's package 
manager, trusted 3-rd party repositories (like RPMFusion), [F-Droid](https://f-droid.org/), or 
the website of the developer. If you don't use a package manager, verify
 the download using it's PGP key, if the developer provides one. A guide
 on how to do this on Linux can be found 
[here](https://www.linuxbabe.com/security/verify-pgp-signature-software-downloads-linux).
 If you're using Windows or macOS, you're wasting your time verifying 
your downloads.

* If you're not paying for a product, and the program isn't free software, chances are they're making money off of you somehow, usually through tracking and ads. There are some exceptions to this, but do not trust any non-free gratis software to be secure or private.

## Internet Browsing

__Browser Plugins__

Browser plugins are one easiest of the ways you can help secure your 
internet browsing experience. Generally, you'll want:

* An Ad Blocker. This not only stops annoying ads, but also blocks a lot
 of trackers that allow companies to spy on your browsing history. We 
recommend [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/), but 
personal preference can be a factor in choosing.

* [HTTPS Everywhere](https://www.eff.org/https-everywhere). This plugin 
is a collaboration between the tor project and the electronic frontier 
foundation, two of the biggest names in privacy. This plugin makes sure 
that any website that supports the encrypted HTTPS standard uses it, 
making the content on the sites you visit invisible to your ISP and 
anyone else with access to your network.

* [Decentraleyes](https://addons.mozilla.org/firefox/addon/decentraleyes/).
 This plugin blocks requests from big ad-serving services like Google 
and Amazon and replaces it with locally hosted content to ensure that 
your information is kept where it belongs.

More browser plugins worth using can be found at 
[privacytools.io](https://www.privacytools.io/#addons) and the GNU 
project's [list of free plugins](https://directory.fsf.org/wiki/IceCat).


__Browser Choice__

Firefox is generally the browser of choice when thinking about privacy concerns. If you are uncomfortable with Mozilla having any user data, turning off their analytics program will guarantee that they don't collect any information on your browsing habits. All of the plugins above work with Firefox and Firefox-like browsers. 

Google Chrome is very much a privacy nightmare. Google analytics is very good at collecting information about it's users, and you should generally not trust any Google products. Chromium is better, but still not ideal. For a Google-less browsing experience with a chrome-like UI and features, [ungoogled-chromium](https://github.com/Eloston/ungoogled-chromium) is a good choice. Alternatively, check out [Brave](https://www.brave.com/index/), which uses a lot of code from chrome.

Safari, Internet Explorer, and Microsoft Edge should all be considered entirely insecure. Not only does Edge record usage data, but the fact that these browsers are often used by the people most likely to be compromised means that a large amount of time has been spent finding their vulnerabilities. Avoid these browsers.

__DO NOT__ use any browser that comes with a VPN. These may hide you from an employer, your ISP, or other people on your network, but if you're not paying for it, they're just logging your data to serve you ads better. If you can't afford to pay for a VPN, or don't trust any VPN, use the Tor browser. 

__Tor Browser__

The Tor Browser the simplest way to access the Tor Network, which is a 
feat of computer science and a massive community undertaking. While the 
entirety of the network is too complex to explain here, it basically 
functions by encrypting your internet traffic, sending it to an entrance
 node, and routing it through several servers, each stripping off one 
layer of encryption, until it reaches an exit node, where it is sent to 
the server you actually wanted to contact. This way, no server has 
access to both the sender or receiver of the information and the actual 
content that it's sending or receiving. It's generally trusted as the 
best way to anonymize your network traffic. 

You can download it 
[here](https://www.torproject.org/projects/torbrowser.html.en). Make 
sure to verify the signature using the guide above in general tips.

Tor is not perfect, however. At the exit node, the last of the Tor 
encryption is stripped off, so anything unencrypted can be read by the 
exit node or any servers it passes through before returning to Tor. 
Making sure that your traffic is encrypted by other means, specifically 
using websites that support https:// instead of http://, add another 
layer of protection. A more complete understanding of vulnerabilities 
can be found 
[here](https://www.torproject.org/docs/faq.html.en#AmITotallyAnonymous).

__VPN's__

A VPN, or Virtual Private Network, is basically like an encrypted tunnel between you and the rest of the internet so your ISP, employer, pesky government agency, or any other potential invader can't see what you're doing and the sites you visit can't see who you are. VPN's can range from very cheap to pretty expensive, depending on your needs. A VPN is absolutely recommended whenever possible. If you can't afford or justify a VPN, Tor is a very competent replacement privacy-wise, but will often be significantly slower. 

__DO NOT__ use browsers with VPN's built in, for reasons above, in the browser section.

Use this [VPN comparison chart](https://thatoneprivacysite.net/vpn-comparison-chart/) to decide on the VPN you use. The ones on [privacytools.io](https://www.privacytools.io/#vpn) can generally be trusted, but don't go out and organize a massive overthrow of a government on one.

__Warrant Canaries__ 

Theoretically, a person or organization can't have their equipment searched or tampered with by most governments without a proper warrant. While this idea has gotten thrown out the window occasionally, it still generally applies. However, most of the time, a group cannot say that a warrant has been issued against them. To circumvent this, many websites that are in danger of being exploited by government agencies to tap into user's privacy issue warrant canaries, which merely say that a warrant or gag order has not been issued against them. You can find raddit's warrant canary [here](https://raddit.me/wiki/warrant_canary). If you're worried about a website being compromised, check for a canary. If it has one, and it's updated regularly, you're probably safe.

## Smartphones and Tablets