Even if you’re not doing anything wrong, you are being watched and recorded. – Edward Snowden
As more and more people are living a digital life inside their computers, discussions about privacy and whether or not we can expect to be protected from intrusions into our private lives are taking over the Internet. Regardless of your thoughts on the subject, whether you are just a concerned citizen or the newest whistle-blower, there are some ways you can protect your privacy while browsing the Internet or visiting a new country. This is not an exhaustive list; it’s just a compilation of useful information I gathered.
In the light of this article hitting no. 1 on Hacker News (Hey guys, love you, thank you for not killing my host!), I feel like some clarifications are in order. I do not suggest a normal Internet-browsing user should check all the items in the list below and call it a day; I just gave a list of ideas that can help you improve and keep your Internet privacy. Nobody should encrypt all disks and USB sticks AND remove all features from the browser AND use nail polish on the screws of the laptop AND pump glue inside the USB and HDMI ports AND inspect all the code from the programs you use; it’s impossible and, to be honest, it’s borderline insane. The idea is that you select which items of this list make sense to you and work on those.
For example, someone might travel a lot, so it makes sense to secure your browser if you’re using WiFi spots you don’t have control over (hotels, cafes and so on), maybe encrypt your hard disk if you carry sensitive information on it, or encrypt your communication if you’re going to China, or Cuba, or Russia, whatever. Someone else could be a reporter traveling to remote countries where freedom of speech might be a rare and valuable asset, in which case he might want to check more of the items from the list (and pump hot glue inside the laptop ports). But I’m sure you got the idea. Also, not everybody is a C/C++ programmer able to inspect KeePassX’s code (for example), but I bet you have a friend or coworker who can audit the code (if you trust him, of course) for 10 bucks, or a pizza and a beer. The monthly changes in KeePassX (when there are changes; the application is rock solid) are probably about 10 lines of code, totally worth the price.
Now I’ll leave you to read the rest of the article. Have fun, and please contact me if you have any suggestions or ideas on how to improve it. I’m reading all comments, e-mails and HN comments, so there will probably be a part 2 of this article.
Use unique SSH keys for each service (sharing an SSH key between your GitHub/GitLab account, network router and AWS/Azure instance is a very stupid idea); use ssh-keygen -t rsa -b 4096 to generate a 4096-bit RSA SSH key. Never put your private keys on external storage (USB stick, SD card, floppy disk, punch card, whatever) where they can be accessed unencrypted. Learn how to work with the SSH ~/.ssh/config file and prevent servers from fingerprinting you using your public key (you can view the public keys of any user via a GitHub request, https://github.com/<USERNAME>.keys, for example).
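The fingerprinting point above comes from how the ssh client behaves: unless a Host block says IdentitiesOnly yes, it offers every key loaded in the agent (and, with no IdentityFile, the default ~/.ssh/id_* keys) to whichever server you connect to, so each server learns which other public keys you hold. The following is an added example, not code from the article: it parses a small ssh_config-style text (the host aliases, hostnames and key paths are constructed for the demonstration) and reports blocks that would leak keys, plus any key file reused between services.

```python
"""Added example: audit a per-service ~/.ssh/config for key leakage.

Host names, key paths and the sample config are constructed; nothing here
is taken from the article beyond the IdentitiesOnly/IdentityFile idea.
"""

# Constructed sample config: three services, one of them missing IdentitiesOnly.
SAMPLE_CONFIG = """\
Host github
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_github
    IdentitiesOnly yes

Host router
    HostName 192.0.2.1
    User admin
    IdentityFile ~/.ssh/id_router

Host aws-web
    HostName ec2.example.invalid
    User ubuntu
    IdentityFile ~/.ssh/id_aws
    IdentitiesOnly yes
"""

NO_IDENTITY_FILE = "no IdentityFile: the default ~/.ssh/id_* keys and every agent key will be offered"
AGENT_KEYS_TOO = "IdentitiesOnly is not 'yes': agent keys will be offered alongside the named key"


def parse_ssh_config(text):
    """Return {host_alias: {keyword_lowercase: [values]}} for each Host block.

    Handles the plain 'Keyword value' form only; Match blocks and Include
    directives are ignored, which is enough for a personal config audit.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            current = value
            blocks[current] = {}
        elif current is not None:
            blocks[current].setdefault(keyword, []).append(value)
    return blocks


def audit_ssh_config(text):
    """List (host, problem) pairs for blocks that would offer unrelated keys."""
    findings = []
    for host, opts in parse_ssh_config(text).items():
        if "identityfile" not in opts:
            findings.append((host, NO_IDENTITY_FILE))
        elif [v.lower() for v in opts.get("identitiesonly", [])] != ["yes"]:
            findings.append((host, AGENT_KEYS_TOO))
    return findings


def keys_shared_between_hosts(text):
    """Return {key_path: [hosts]} for IdentityFile paths used by more than one Host."""
    seen = {}
    for host, opts in parse_ssh_config(text).items():
        for path in opts.get("identityfile", []):
            seen.setdefault(path, []).append(host)
    return {path: hosts for path, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, problem in audit_ssh_config(SAMPLE_CONFIG):
        print(f"{host}: {problem}")
    print("shared keys:", keys_shared_between_hosts(SAMPLE_CONFIG))
```

Run it against your own ~/.ssh/config by reading the file into parse_ssh_config; the router block in the sample is the one to fix, by adding IdentitiesOnly yes under it.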
Always enable two-factor auth on websites that support it; you will receive an SMS message with a code every time you log in to the website, adding an extra layer of security. Consider getting a YubiKey.
I advise against using Google for searches since they are tracked; you should be using DuckDuckGo’s search engine, and when you actually need to search using Google, use the !g modifier in the address bar (for example, type !g EFF and you will be redirected to Google Search through DuckDuckGo’s website). Likewise you can use !w to search Wikipedia, and there are many other shortcuts (!git for GitHub search).
Full Disk Encryption
You should be using either BitLocker (for Windows platforms, warning ahead) or LUKS (Linux platforms) full disk encryption on the hard drive of your system and on any external disks with sensitive information on them. Start by setting a unique passphrase of at least 32 characters for each hard drive (try making a mental algorithm; for example, start with Dum inter homines sumus, colamus humanitatem (a quote by Seneca that roughly translates as “As long as we are among humans, let us be humane”), then replace each u occurrence with |_| (three characters). Make it more complex by replacing the letter o with () (or even )( if you want to be sneaky). That way, the passphrase will become D|_|m inter h()mines s|_|m|_|s, c()lam|_|s h|_|manitatem. Of course, the sky is the limit for upping the complexity of your passphrase (as long as you remember the original version and the replacement algorithm). Keep in mind that nothing can save you from this kind of attack.
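The substitution scheme above is easy to get subtly wrong when rules are applied one after another (a later rule can rewrite characters that an earlier rule just inserted). The snippet below is an added illustration, not part of the article: it applies a rule table in a single pass with str.translate, checks the 32-character minimum the article asks for, and shows that the transform is reversible as long as you still remember the original quote and the rules.

```python
"""Added example: the article's passphrase substitution, applied in one pass."""

# Rules from the article: every u becomes |_| and every o becomes ().
RULES = {"u": "|_|", "o": "()"}
MIN_LENGTH = 32  # minimum passphrase length recommended in the article

QUOTE = "Dum inter homines sumus, colamus humanitatem"


def transform(text, rules=RULES):
    """Apply all rules in a single pass.

    str.maketrans builds a character-to-string table, so a replacement
    produced by one rule is never re-processed by another rule.
    """
    return text.translate(str.maketrans(rules))


def untransform(text, rules=RULES):
    """Recover the quote: undo the longest replacements first so that a
    short replacement never matches inside a longer one."""
    for src, dst in sorted(rules.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(dst, src)
    return text


def check_length(passphrase, minimum=MIN_LENGTH):
    """True when the passphrase meets the minimum length."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    secret = transform(QUOTE)
    print(secret, len(secret), check_length(secret))
    print(untransform(secret) == QUOTE)
```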
A very important thing to remember is that you cannot fully rely on disk encryption; you need to employ additional layers like encrypting your sensitive files. Also, in the USA (and the UK and probably many other countries) a court might demand you decrypt the hard drives, or hold you in contempt and throw your sorry ass in jail until you comply.
I recommend using the Mozilla Firefox browser for navigation, not Chrome, and below is the list of Firefox plugins that I recommend everyone use.
For example, Random Agent Spoofer should be configured as below, rotating a desktop browser profile every 5 minutes.
Some of the functions of the plugins overlap, but overall I found these plugins to offer the best privacy. Each of them needs to be fine-tuned according to the level of anonymity you want to keep.
I use the Pidgin messenger with separate plugins for Telegram, Facebook Chat and Skype. All those plugins will probably need to be compiled (it helps immensely if you have a Linux machine), and if you are a programmer, I recommend you look over the source code on each update so that you can spot any rogue functions. Always use SSL on every connection, including IRC.
Always sign your e-mail using PGP and encrypt sensitive documents (and even e-mails) before sending them. Try to stay away from Gmail and Outlook.com.
I highly recommend using KeePassX as a password manager, secured using a key file and not a password. Also, you should download the source code, compile it (using a Linux machine) and always look over the source code for rogue functions; you CANNOT afford a vulnerability inside the password manager.
Blocking malicious domains is really easy using Steven Black’s repository (direct link to the actual hosts file; beware, it will block most of the social media websites, Twitter, Facebook, etc). Download the file and overwrite the one on your machine (on macOS/Linux/iOS/Android the file is /etc/hosts; on Windows it resides in %SystemRoot%\system32\drivers\etc\hosts). Reboot the system or just restart your network component and you’re done: all requests to the domains/subdomains blacklisted in the file will be blocked.
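Two things worth knowing before overwriting the hosts file: any local entries you added yourself are lost unless you merge rather than replace, and the hosts file has no wildcards, so a subdomain is blocked only if it is listed verbatim. The following added example (not from the article or from Steven Black’s repository; the file contents and domain names are constructed) merges a hosts-format blocklist into an existing file without dropping local entries and looks names up the way the resolver does.

```python
"""Added example: merge a hosts-format blocklist and test name lookups.

EXISTING_HOSTS and BLOCKLIST are constructed stand-ins for /etc/hosts and a
downloaded blocklist; the .invalid names are placeholders.
"""

EXISTING_HOSTS = """\
127.0.0.1 localhost
::1 localhost
192.0.2.10 nas.home.lan   # a local entry worth preserving
"""

BLOCKLIST = """\
# ads and trackers (placeholder names)
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid
0.0.0.0 www.tracker.example.invalid
"""


def parse_hosts(text):
    """Return [(address, [names...])], ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if names:
            entries.append((addr, [n.lower() for n in names]))
    return entries


def merge_hosts(existing_text, blocklist_text, sink="0.0.0.0"):
    """Keep every existing line verbatim, then append blocklist names not
    already present, all pointed at the sink address."""
    known = {n for _, names in parse_hosts(existing_text) for n in names}
    extra = []
    for _, names in parse_hosts(blocklist_text):
        for name in names:
            if name not in known:
                known.add(name)
                extra.append(f"{sink} {name}")
    return (existing_text.rstrip("\n") + "\n\n# --- blocklist ---\n"
            + "\n".join(extra) + "\n")


def blocked_names(hosts_text, sinks=("0.0.0.0",)):
    """Set of names mapped to a sink (unroutable) address."""
    return {n for addr, names in parse_hosts(hosts_text) for n in names
            if addr in sinks}


def is_blocked(hostname, blocked):
    """Exact match only: the hosts file has no wildcard or suffix matching,
    so 'sub.ads.example.invalid' is not covered by 'ads.example.invalid'."""
    return hostname.lower().rstrip(".") in blocked


if __name__ == "__main__":
    merged = merge_hosts(EXISTING_HOSTS, BLOCKLIST)
    blocked = blocked_names(merged)
    for name in ("ads.example.invalid", "sub.ads.example.invalid", "nas.home.lan"):
        print(name, "blocked" if is_blocked(name, blocked) else "resolves")
```

To apply this to a real system you would write the merged text back to /etc/hosts (or the Windows path above) with administrator rights; the merge is idempotent, so re-running it with a newer blocklist only appends names that are new.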
Never hibernate your laptop; always power it off when it’s unattended, and if it must stay powered on, suspend and lock it. A powered-on machine can be subjected to a cold-boot attack (this type of attack is harder to accomplish if the RAM modules are soldered onto the machine’s mainboard, which is more common in netbooks). If you are really paranoid, mark the screws on your laptop with wax/nail polish, but once you go that way … it’s hard to come back.
Use a BIOS password and disable booting from anything other than the local hard disk/SSD. A BIOS password won’t be hard to bypass (removing the battery from the mainboard), but it might prevent a thief from accessing your data, since the laptop screws will need to be removed. Every bit helps.
I won’t go as far as suggesting you should pump hot glue inside your laptop’s USB and HDMI ports, but if you plan on visiting North Korea, maybe you should (read more on DMA attacks).
Other things to keep in mind
- Make sure you use good passwords. jimmy82 is not a good password. jimmy_helen (provided your name is Jim and your wife’s name is Helen) is a pitiful password. password as a password should get you fired from any job and your citizenship revoked. Be smart about it; how about 1^/y-K73g)T24%#-,$34. (you don’t actually need to remember that, that’s why we have password managers).
- If you need private (or even public) git repositories, install Gogs on a server you control; it’s a way better alternative than GitLab or GitHub. Everybody knows all hosted git services are like a black hole that keeps drawing in (through our own mistakes) private keys from various projects, though we all deny ever doing that.
- Install OpenWRT or DD-WRT on your home router (if it supports them), secure it using an SSH private key (if you have an SSH server running on it), keep it updated and close all incoming connections to your local network (or log them, whatever you see fit).
- Install a more privacy-oriented operating system: Windows (any version of it) is not really suited because it leaks so much information about the user, has telemetry software installed, is not free, you can’t inspect the source code, there are specific domains that cannot be blocked in the firewall, etc. Use a Linux variant like Debian, Whonix, Tails, even Ubuntu. I don’t have any experience with FreeBSD but I’ve heard good things about it. Basically anything but Windows; if you HAVE TO choose a Windows version, use Windows 7.
- Keep in mind that you can use a Tizen or Android phone as a home development server, with Apache/nginx, MySQL/MariaDB/PostgreSQL, PHP, git and many other useful tools.
- DO NOT use cloud solutions (OneDrive, Dropbox, Google Drive, iCloud, even self-hosted OwnCloud) if your files are not encrypted before being sent to the remote servers. Your photos might not need it (but beware that the EXIF data in the photos will leak information: GPS coordinates, camera/phone model, etc), but your private documents do need to be encrypted. Use GPG to encrypt them (and decrypt them when needed).
- Keep your system software and applications updated to the latest changes (on Ubuntu it is as easy as running sudo apt update && sudo apt upgrade in a console). On Windows, beware of updates that install telemetry packages (keep Windows Update on “Check for updates but don’t install them automatically” and search for the name of the update on your favorite search engine before installing it).
- If you need to remove sensitive files, you should know that the actual file contents aren’t removed from the disk; only the file’s inode is unlinked, so forensic software will recover the contents of the file. Install a tool like secure-delete from the Ubuntu repository (sudo apt install secure-delete) and use it to securely remove a file and its contents from your drive.
- Tor (The Onion Router) is not a 100% foolproof solution; there have been some attacks against it lately. Also, it might mark you as a possible target.
- Always use HTTPS for your websites; you can get free SSL certificates from Mozilla’s Let’s Encrypt project.
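On the password item above: a naive strength meter scores jimmy_helen higher than jimmy82 simply because it is longer, which is exactly why it is a pitiful password. The added example below (not from the article) puts a charset-based entropy estimate beside a small dictionary check, so that name-based passwords are flagged regardless of length, and generates a random password with the secrets module for a password manager to store. The word list is constructed for the demonstration.

```python
"""Added example: naive entropy estimate vs. dictionary check, plus a generator.

COMMON_WORDS is a constructed toy list; a real checker would use a large
breached-password list.
"""
import math
import secrets
import string

COMMON_WORDS = {"password", "jimmy", "helen", "jim", "letmein", "qwerty"}


def charset_size(pw):
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def naive_bits(pw):
    """log2(charset ** length): what a simple strength meter reports.
    Overstates strength for anything built from words or names."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def dictionary_hits(pw):
    """Words from the list found inside the password (case-insensitive)."""
    low = pw.lower()
    return sorted(w for w in COMMON_WORDS if w in low)


def verdict(pw, min_bits=80):
    """'weak' when built from known words, or below the bit threshold."""
    if dictionary_hits(pw):
        return "weak"
    return "ok" if naive_bits(pw) >= min_bits else "weak"


def generate_password(length=24):
    """Random password from letters, digits and punctuation, using the
    cryptographically secure secrets module rather than random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("jimmy82", "jimmy_helen", "password", "1^/y-K73g)T24%#-,$34."):
        print(f"{pw!r}: {naive_bits(pw):.1f} bits, hits={dictionary_hits(pw)}, {verdict(pw)}")
    print("generated:", generate_password())
```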
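On the cloud-storage item: EXIF metadata (including GPS coordinates and the camera model) lives in an APP1 marker segment near the start of a JPEG, so it can be removed by walking the segments and dropping that one, with no need to re-encode the image. The following added example is not code from the article and uses only the standard library; the sample JPEG is a constructed minimal byte string with a placeholder EXIF payload, not a real photograph.

```python
"""Added example: strip the EXIF (APP1) segment from a JPEG by segment walking.

SAMPLE_JPEG is constructed: SOI, a placeholder Exif APP1 segment, a JFIF
APP0 segment, a fake SOS header, a few scan bytes and EOI.
"""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
EXIF_MAGIC = b"Exif\x00\x00"


def _segment(marker, payload):
    """Encode a marker segment: FF, marker, 2-byte big-endian length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


EXIF_PAYLOAD = EXIF_MAGIC + b"<placeholder TIFF block: GPS-LAT 51.5 GPS-LON -0.1>"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP1, EXIF_PAYLOAD)
    + _segment(APP0, b"JFIF\x00\x01\x01")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"   # scan data; FF00 is a stuffed byte, not a marker
    + b"\xff\xd9"
)


def parse_segments(data):
    """Return ([(marker, payload), ...], tail_offset).

    Walks the header segments; stops at SOS (scan data follows, which has no
    length field) or EOI and returns the offset of that marker as tail_offset.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return segments, pos
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("truncated JPEG")


def has_exif(data):
    return any(m == APP1 and p.startswith(EXIF_MAGIC) for m, p in parse_segments(data)[0])


def strip_exif(data):
    """Copy every header segment except Exif APP1, then the scan data verbatim."""
    segments, tail = parse_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if marker == APP1 and payload.startswith(EXIF_MAGIC):
            continue
        out += _segment(marker, payload)
    out += data[tail:]
    return bytes(out)


if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(cleaned), "bytes; exif left:", has_exif(cleaned))
```

Note that XMP and IPTC metadata sit in other APP segments and embedded thumbnails live inside the EXIF block itself; extend the marker filter if those matter for your photos.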
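On the secure-deletion item: what tools like srm from secure-delete do is overwrite the file's blocks before unlinking the name. The added example below (not the secure-delete code, and not from the article) shows that overwrite-then-unlink step in Python together with the caveats a practitioner needs: on SSDs the controller remaps blocks, and on journaling or copy-on-write file systems (and anywhere snapshots or backups exist) the old data may survive elsewhere, so full-disk encryption remains the real answer for drives that leave your control.

```python
"""Added example: overwrite a file in place, rename it, then unlink it.

Caveats (not solved by any overwrite tool): SSD wear levelling, copy-on-write
file systems (btrfs, ZFS), journaling, snapshots and backups can all keep the
old blocks; this only reliably scrubs the current extent on a plain disk.
"""
import os
import tempfile

CHUNK = 1 << 16


def make_sample(content):
    """Create a temp file holding `content` and return its path (test helper)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def overwrite_file(path, passes=2):
    """Overwrite the file's current size with random bytes, fsync after each pass.
    Returns the number of bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the device before the next one
    return size


def shred(path, passes=2):
    """Overwrite, rename to a random name (so the directory no longer carries
    the original file name), then unlink. Returns True when the file is gone."""
    if os.path.islink(path):
        raise ValueError("refusing to follow a symlink")
    overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    new_name = os.path.join(directory, os.urandom(8).hex())
    os.rename(path, new_name)
    os.unlink(new_name)
    return not os.path.exists(path) and not os.path.exists(new_name)


def demo():
    """Create a file of constructed secret contents, shred it, report success."""
    path = make_sample(b"constructed secret contents\n" * 1000)
    return shred(path)


if __name__ == "__main__":
    print("shredded:", demo())
```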