The thread on browser addons for privacy inspired me to write a tutorial for internet security and privacy. And I just noticed this whole security section of the forum. Writing this consumed me for the past week and it turned into a mini eBook. (You need more than Browser extensions for real security!) I am not an expert but have started taking a strong interest in the subject for the past couple years. I'd like to share the info with users of drug education/harm reduction communities as well as alternative medicine communities who might want to incorporate these protocols. FYI, it is quite long.



Edit:
v1.1 Updated with some small revisions and a 'EXIF Data: "Geolocation"' Section.
v1.2 Small revisions, added a disclaimer, SSH tunneling, Public WiFi dangers, rewrote open-source router firmware section to include OpenWRT and LibreCMC.
v1.3 Small revisions and blocking webcam.
v1.4 Encrypting plaintext/passwords with a compressed archive (tar or zip).
v1.5 Added details on KeePassX for password storage and encryption. New software highlight: Demonsaw for anoymous p2p filesharing. Added details to downsides of VeraCrypt and why I recommend other ways for password encryption.
v1.6 Added Which phone apps to give permanent root access and KeePass encrypted passwords on phone.
v1.7 Added browser extensions for Chromium, Firefox and Firefox mobile. Extensions to block flash from automatically loading and playing on pages unless you click to play. This blocks flash exploits and ads. An extension to remove URL link referrer/redirect and takes you direct to destination. Remove the middle man and tracking. (e.g. Facebook tracks in that way). An extension to block Web RTC leakage. This is a bad vulnerability. Sites can use Web RTC to unmask your local IP behind anonymizing software like a VPN, SSH Tunnel, and Proxy! Removed Blur extension (unnecessary and closed source). Enhanced extension download URL links section.
v1.7.5 Setting TextSecure as default SMS messenger.
v1.7.6 Minor revision
v1.7.7 Saving KeePass password database in an encrypted zip on a personal USB drive.
v1.8 Bitcoin, Perfect Forward Secrecy (PFS), Wickr preferred to Telegram
v1.9 How to get Bitcoin, Email section rewritten (current email protocols leave much to be desired, link comparing and contrasting providers), Fix Url Links Redirect extension breaks some pages, difference between an unlocked and rooted phone.
v1.9.5 Ublock can simply be set on Firefox and Chromium to stop WebRTC leakage, How to block third-party cookies in Firefox, Cyanogen Mod's system profile triggers allow you to set your lock screen to go on when you leave the house and your car and to unlock when you get n your car or get home.
v1.9.6 mailvelope, added info to delete FB, & possible need to reactivate phone with service after new firmware/OS install.
v1.9.7 Note on opting out of Google sync: In CyanogenMod you can export and save your contacts list to storage, making it unnecessary to use Google for it.
v2.0 DNSCrypt instructions for Windows & Ubuntu, video tutorial for darknet markets, increase the cryptographic strength of your PGP key, encrypt your backup hard drive, Ephemeral Messaging, Choosing a Bitcoin wallet, Bitcoin Mixing, Tips.
v2.1 Cyanogenmod update cautions, esp. major version updates; bitcoin tumblers--replaced Bitcoin Fog recommendation with BitBlender and Grams Helix. BitcoinFog has a reputation for selective scamming; Netflix support for Chromium. Updates since 2.0 highlighted yellow.
v2.1.8 Added browser extensions and their links, Clyph encrypted web chat, Opera-dev now has free, built-in VPN, TextSecure and Redphone are now Signal, Signal desktop, Signal and Whatsapp info, minor improvements.
v2.1.9 Manjaro stable v. branch runs a couple of weeks behind arch repos which allows more testing leading to better system stability. Recommended: ProtonMail and Tutanoa.
Typo edits.
v2.2 Many minor edits and improvements.
v2.2.6 Bitcoin ATMs, $40 open-source Think Penguin Routers with optional VPN service built-in, Clearing Google account history and ceasing logging.
v3.0 Entire re-write. Copperhead OS, Monero cryptocurrency, privnote self-destructing messages, temporary phone inbox, temporary email, Unsee self-destructing image upload service, Wire messenger
v3.1 Added front and back cover.

In the last version I recommended a chromium extension called Random (Hide) User-Agent.


The extension loads older versions of chrome as a profile, making Chrome tell me:

Quote:

We've detected you're using an older version of Chrome.Update to stay secure

I'm not sure if this extension is actually reverting my browser to an older less secure version? Probably not but, I've changed the recommended extension to a different one that let's you choose the user-agent profile.

There's also the issue with this type of extension, the possibility that some websites may tell you your browser is too old to view it's contents, if an old browser profile is loaded.

Someone also commented:

Quote:

Many Websites also make use of JQuery Browser and OS identification. So that they can override the User-Agent String to determine your data.
Example: http://stoimen.com/jquery.client.plugin/

So which extension is adequate or most proper for it's purpose, for now I'm not sure.
But the one I recommended may cause browser vulnerabilities if it makes chrome revert to an older version; It probably just makes it appear that way, I emailed the developer about the possible issue.

I saw that only 3 people downloaded the last version, so I'm not even gonna bump the thread for it, as I'm not sure it's even a real vulnerability.

Bitcoin: bc1qawjux6k2307zqnufxkxp3k390t499cqgs3khey

PayNyms: +dawnsun74c

Monero: 4Ax1ZCas6G8em1Yp7u9Z1v8E48hJUVABWVNN3AG8AdZ8hdUaoAfPrFPLU9KADeaTdnAJxCdigs6nzeB3KibuAVCNBbbSdDD

If you'd like to support the expanding and updating of this effort.

Awesome resource, thanks for taking the initiative to put this together.

Quite comprehensive, recommended!

Idea: Ask the Trav to upload it directly on the Nexus, so even guests can read the pdf. Also, whats the licence of the pdf? Creative commons or public domain?

I really do appreciate this. I have only a little knowledge on the subject, and nothing is as dangerous as 'a little' knowledge.

I only quickly browsed the resource, and it is in a helpful, well-structured format.

Kudos!

Updated file in the first post. Just minor changes, mostly typos.

Do with it whatever yous wish. As for myself, I'm going to sleep! I've been working on that since last night and still haven't slept.

By coincidence I just installed Linux Mint on my machine tonight and then started browsing the Nexus on my much faster and responsive PC. It was interesting to read your comments on Linux in the ebook and even after using it for only an hour I can agree that it feels "sleek, streamlined, aesthetically beautiful, stable, fast, intuitive and
a more pleasurable experience [...] than Windows". Can't wait to read the rest of the ebook and i'm never going back to Windows.

Really nice guide.

This is awesome awesome work - you are a champion!

I had to laugh a bit. The first thing you wrote in a nutshell is that Microsoft Windows is the first obstacle to safe internet. True, as I was installing a Windows version yesterday and noticed that after so long there has never been a Windows version that would install without at least some problems. This one crashed multiple times on the security updates.

So on top of failure to install, a leaky OS. I have to go over to Linxu. It's just that I don't care that much for I am not so into computers anymore. Maybe that's because of Windows actually. But it's so true, first step is to get rid of Microsoft. So thank you very much for this!

You should include sanitation of exif data in images into your manual.

Nothing better than someone going through all these techniques to obtain anonymity through obscurity, than to encode their location information into a picture with a smartphone and upload it through the same connection.

Great point. There's some stuff I was thinking about adding but that was not one of them. Do Android phones do this? It's probably something I should look into more, and how and when that data is embedded with pictures. The guide talks about keeping gps location off (I think?) and routing over a VPN or Tor. Even with GPS on, my VPN screws up apps from determining my location. (You can see the yelp screen shot) If you are doing that, your location won't be determined while taking pictures. But it's definitely something to be aware of.

@Pihuechenyi Just in time! I used Mint for a while. Love hearing of people switching!
The only thing that I couldn't figure out on linux for some time was compiling tar packages. If your software center doesn't have a program you want but you can download it for linux on the developers website, but it's a .tar file, you have to run some commands. I suggest copy and pasting these into a text document.
________________________________________________________
Install a tar.gz
example: name.tar.gz

cd to file location (example: cd Desktop or cd Downloads)
tar -xvzf 1.tar.gz
cd to extracted folder
example: cd name
makepkg -s
sudo pacman -U *.pkg.tar.xz
__________________________________________________________
Install a tar.xz
example: name.tar.xz

cd to file location
tar -xvJf name.tar.xz
___________________________________________________________
^^ about the hardest thing I ever had to learn for linux.
The tor package from their website is a .tar.xv The commands will extract a folder containing the application icon.

@doodlekid. Maybe it's windows. For me, linux makes the experience of using the computer so much more pleasurable and resparked my passion for computers. My friend was calling me the Linux Jehovah's Witness, because I couldn't stop talking about how much better it was to windows and mac.

Thanks to everyone who commented!

Very nice! Thank you!

I am by no means an expert on the matter... But there's some things that I think need to be touched on.

Page 6: Needs to clarify that while the security risks are lower they are not non-existant (shellshock, heartbleed). I specifically have a problem with the statement "...not a threat, and anti-virus is not necessary". Linux is a different ballgame than the virus makers are used to, it's an ever-changing landscape of patches and updates that they need to navigate. The simple fact that this stuff is open source does not give it any intrinsic hardiness against attacks. specifically: How long did the heartbleed bug exist in the wild before discovery? My point is that a document like this should be careful to qualify the statements that it makes. My server has a client VM that runs multiple services for many windows clients, it runs anti-virus, and it catches the occasional threat. While I have absolutely no realistic fear of that server being infected with any malicious code, I do need to protect the clients. Mail servers for one absolutely need AV (I wonder if the press has asked Clinton about this)

Page 8: You mention PGP signing of software packages from repositories, but you don't caution against adding unknown or untrusted repositories. I can set up a repo on my server, package up a script and call it 'ncc-1.2' set the descriptor as "An intuitive client side app for easily connecting to the DMT-Nexus Chat with intuitive chat controls". But all it really is turns out to be a shell script that runs 'yes | rm -rf /' (No one do this pwetty pwease). It's a signed package by the repository owner (me) that says I say it's what it is. But as it turns out I'm a liar and there's absolutely nothing from canonical preventing me from doing this to you. This attack is easy to perform with social engineering. All I'd have to do is put a post up here or any forum and I guarantee I'd get at least a couple nibbles until Trav or another techie came along to ban me.

Page 37: Passwords. You should touch on two factor authentication. If your service supports it, and your authetication key is secure, USE IT.

/tired

And if you want me to nitpick, the formatting really grinds my gears, but I can get past that.

Good effort!

hey. i just woke up to let my dog out and am tired as well. I do appreciate any comments and criticisms as I'm learning as well. I'm sorry the formatting irks you. I spent hours trying to make it look nice and enjoyable to read. I did mention two-factor authentication in the article under passwords, and to use it when it is available. There was one such case where I saw tho option available but chose not to use it, because it was something like opening a phone app or something that I use too often to do that. Imagine having to do that every time you wanted to unlock your phone. I forget what it was specifically. Linux is more secure than windows and that is not my preference or opinion.

We can go over your comments about "page 6" and "page 8" here or through pm, and then perhaps I can add more on the subjects. I am not an expert either but am just trying to help others, because I wish I had a source like this when I started wanting to harden my security. Thanks for the comments, keep em comin.

I have two questions, though it might be a bit dumb ass.

Installed DNScrypt on a windows system and am wondering, do I need to run dnscrypt-proxy --install every time I run the system? Or is it just once, and every time I start the computer now it will run the service automatically? I do not know how to check for this. The installation was succesful though...

Ps is it possible to install linux through a bootable usb stick? If the only option is through burning a image I have to wait until end of the month to buy DVD's.

hey kid,

I'm not sure how it works on windows. For linux after I install I run
sudo systemctl enable dnscrypt-proxy.service
then
sudo systemctl start dnscrypt-proxy.service


And I never have to do anything again. You shouldn't have to run an "install" command again, or even a command after each reboot. So you'd just want to verify that it's working at this point.
Only after i see and run an update for it do I input those commands again to start it up again. <---I need to mention that in the tutorial


I run sudo systemctl status dnscrypt-proxy
and it tells me that it's running. even after a reboot it will still be running. You need to find the windows equivalent to this command.


Also, yes you can install from a usb. First you burn the image to the pen drive so that you can boot from it. then you install it to your hard drive from there. Here are two difeerent softwares that do it.
https://unetbootin.github.io/
http://www.pendrivelinux...installer-easy-as-1-2-3/

Edit:
v1.1 Updated with some small revisions and a 'EXIF Data: "Geolocation"' Section.
v1.2 Small revisions, added a disclaimer, SSH tunneling, Public WiFi dangers, rewrote open-source router firmware section to include OpenWRT and LibreCMC.
v1.3 Small revisions and blocking webcam.
v1.4 Encrypting plaintext/passwords with a compressed archive (tar or zip).
v1.5 Added details on KeePassX for password storage and encryption. New software highlight: Demonsaw for anoymous p2p filesharing. Added details to downsides of VeraCrypt and why I don't recommend other ways for password encryption.
v1.6 Added Which phone apps to give permanent root access, KeePass encrypted passwords on phone, and CyanogenMod's account service frees you from Google.
v1.7 Added browser extensions for Chromium, Firefox and Firefox mobile. Extensions to block flash from automatically loading and playing on pages unless you click to play. This blocks flash exploits and ads. An extension to remove URL link referrer/redirect and takes you direct to destination. Remove the middle man and tracking. (e.g. Facebook tracks in that way). An extension to block Web RTC leakage. This is a bad vulnerability. Sites can use Web RTC to unmask your local IP behind anonymizing software like a VPN, SSH Tunnel, and Proxy! Removed Blur extension (unnecessary and closed source). Enhanced extension download URL links section.
v1.7.5 Setting TextSecure as default SMS messenger.

Everything new since v1.0 is highlighted yellow.

Sorry to bump thread, but a warning to anyone behind NATs, VPNs, and proxies. The Web RTC leak vulnerability de-anonymizes you. If you use them, patch your browsers with the proper browser extension.

Bumping this is good.

You could add under Social Media / Delete Your Facebook

Thanks Ufostrahlen! Fuck em!

https://youtu.be/_juA1-O58Dc