Anonymizing yourself: Difference between revisions
Revision as of 02:25, 9 December 2015
The internet is a cruel and horrible place. You might want to drop out of the matrix and join an anonymous network. A broad approach on how to start evading global data surveillance and improving your overall online privacy can be found here, and here.
Anonymous Networks
Tor
Main article: Tor
Let's get something clear: Tor is NOT illegal to use (unless you live in one of those crazy whackjob countries run by a militant dictator). Tor traffic was NOT significantly reduced by the removal of Silk Road, and as far as is known, new compromises for the underlying Tor framework did not come about from the removal of Silk Road. If you are interested, concerned or sceptical, check out this video here and read the FAQ.
Tor sets up a SOCKS proxy to the normal internet, allowing you to send any application’s connection anonymously through the Tor network. Any connections made through Tor will be anonymised but not confidential unless you use end-to-end encryption in the application, like SSL/TLS for web browsing, or an SSH tunnel. Torrenting is discouraged as it uses up too much bandwidth.
I2P
I2P is end-to-end encrypted and separate from the normal internet; this means that connections through I2P are confidential and anonymous. No one can know who you are talking to, or what you are saying to them, because there are no exit nodes. Tor hidden services (.onions) work in a similar way. All internet applications can be forwarded through I2P, including ed2k, Gnutella, and torrents. Torrenting is encouraged on the I2P network, although you cannot connect to non-I2P torrent swarms. Internal services that would be called onions on the Tor network are called eepsites on the I2P network.
Freenet
Freenet is a distributed filesystem, where you can store files ‘in the cloud’ and download them anonymously from the Freenet network. Many of the files are HTML pages which can be viewed as static websites using a browser, and many are standalone files which can be searched and downloaded anonymously. Freenet content is undeletable as there is no way of knowing which node is holding each file.
Please note that it's also full of CP.
Browsers
See privacytools.io.
Safe Practices
- Always use an open-source browser. This ensures it can be freely audited. Google Chrome is not open-source, and while Chromium is, it hasn't been fully audited yet.
- Use a search engine that respects your privacy such as StartPage (encrypted Google searches) or ixquick (ixquick.com; non-Google searches, owned by StartPage) instead of Google. Note that while DuckDuckGo is a better alternative than Google or Bing, it's based in the US and therefore has possible privacy concerns.
Chromium
Using Chromium is generally not recommended because even though you can disable its known tracking features (the RLZ identifier is in Chrome, not Chromium), Chromium's code isn't as audited as Firefox's and Chromium's security addons aren't anywhere up to par with Firefox's yet. If you absolutely refuse to use anything else, follow these instructions:
- If you seriously sync Chromium to your Google account, you're a fucking dumbass. De-sync the two immediately.
- Go to your settings menu, click advanced settings, scroll down to privacy, and turn everything off.
- Go to Content Settings above that and check "Block 3rd party cookies and site data".
- Unless you want to use a script blocker, also turn off JavaScript.
- Now scroll down to "Continue running background apps while Chromium is closed" and disable that as well unless you trust your addons.
Setting Startpage As A Search Engine
What is given to you by Startpage's website won't work, so use this link in the third box when adding it as a search engine: https://startpage.com/do/search?query=%s&cat=web&pl=chrome&language=english Alternatively, you would be better off using a locally hosted page.
Security Extensions
See them here.
Mozilla Firefox
It is recommended that you compile Firefox from scratch, as this allows you to make use of security oriented USE flags such as hardened, and to force it to use more up to date system-wide libraries (e.g. systemsqlite). To ensure maximum security while browsing the internet, always turn off third party cookies. Mozilla describes them as: "For example, cnn.com might have a Facebook like button on their site. That like button will set a cookie that can be read by Facebook. That would be considered a third-party cookie."
Change your search engine. There are ways to get around Google’s insane profiling. See Search engines.
Use freshplayer [GNU/Linux only]. Freshplayer is an NPAPI wrapper for PPAPI Flash that works on Firefox. It is inherently safer and more performant, if you must use Flash.
Security Extensions
There are many extensions available for Firefox to make you less trackable. Read the Firefox article for a comprehensive list of addons.
Fingerprinting
Fingerprinting is the process of using otherwise non-identifying information to identify you. When enough non-identifying information is collected, you will usually be unique amongst others.
Threat | Countermeasure |
| Recommended: Disable and uninstall browser Plugins (note: Plugins are different than Extensions) such as Flash and Java. Alternative: Set the plugin to "Ask to activate". You will still be vulnerable whenever you activate that plugin. |
| Recommended: Disable Javascript. Alternative: Use uMatrix or NoScript to whitelist Javascript on a per-site basis. You will still be vulnerable on those sites. |
| Recommended: Use an extension such as Secret Agent to randomize header information. Alternatively, you can change your HTTP_ACCEPT headers by modifying your about:config/prefs.js file. |
| Disable 3rd Party Cookies and use an extension such as Self-Destructing Cookies to automatically purge cookies. |
| Recommended: Use an anonymous network, a non-logging VPN service, or a non-logging proxy service. Check out our very comprehensive article on VPNs for ways to further foil this mechanism. |
| Recommended: Use an extension such as uMatrix or RequestPolicyContinued to selectively whitelist such requests. |
| Recommended: Turn off sending HTTP referer information. Alternative: Install an extension such as Smart Referer to keep referer information limited to a single domain, or uMatrix to spoof it on a per-hostname basis. |
See also: EFF Panopticlick and evercookie. For a more comprehensive guide on how to foil most fingerprinting mechanisms, see https://github.com/CrisBRM/user.js
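How individually common browser attributes combine into a unique fingerprint, as an added example that is not part of the original article: it measures the identifying information (in bits) of each attribute and how the set of matching visitors shrinks as attributes are combined. The visitor table, attribute names and function names are constructed for illustration.

```python
import math

ATTRS = ("user_agent", "timezone", "fonts", "plugins")

# Constructed sample population (not real measurements): one row per visitor,
# holding the values a site could read from that visitor's browser.
ROWS = [
    ("Firefox/Linux", "UTC+1", "font-set-A", "flash"),
    ("Firefox/Linux", "UTC+1", "font-set-B", "flash"),
    ("Firefox/Linux", "UTC-5", "font-set-A", "none"),
    ("Firefox/Linux", "UTC-5", "font-set-B", "flash"),
    ("Chrome/Windows", "UTC+1", "font-set-A", "flash"),
    ("Chrome/Windows", "UTC+1", "font-set-B", "none"),
    ("Chrome/Windows", "UTC-5", "font-set-A", "flash"),
    ("Chrome/Windows", "UTC-5", "font-set-B", "flash"),
]
VISITORS = [dict(zip(ATTRS, row)) for row in ROWS]


def surprisal_bits(visitors, attr, value):
    """Identifying information in one attribute value: -log2(share of visitors with it)."""
    share = sum(1 for v in visitors if v[attr] == value) / len(visitors)
    return -math.log2(share)


def anonymity_set(visitors, target, attrs):
    """Visitors that look identical to `target` on the given attributes."""
    return [v for v in visitors if all(v[a] == target[a] for a in attrs)]


def narrowing(visitors, target, attrs=ATTRS):
    """Combine attributes one by one; return (attribute, set size, total bits) per step."""
    steps = []
    for i in range(1, len(attrs) + 1):
        size = len(anonymity_set(visitors, target, attrs[:i]))
        steps.append((attrs[i - 1], size, math.log2(len(visitors) / size)))
    return steps


if __name__ == "__main__":
    me = VISITORS[0]
    for attr in ATTRS:
        print(f"{attr:10} alone: {surprisal_bits(VISITORS, attr, me[attr]):.2f} bits")
    for attr, size, bits in narrowing(VISITORS, me):
        print(f"+ {attr:10} -> {size} matching visitor(s), {bits:.2f} bits")
```

In this sample no single attribute is shared by fewer than half of the visitors, yet three of them together leave exactly one match. That is why the countermeasures above aim at making each attribute report the same value as many other users.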
Web cache
Web caches keep local copies of web responses for a set period of time, which decreases the number of servers hit, thereby somewhat reducing your privacy exposure and decreasing page load times.
Squid
Whilst modern browsers have their own cache implementations, they are often outdated, slow, and not very secure. Squid is a modern, high performance web cache and proxy server that supports a plethora of protocols. It can be used in combination with any browser that supports proxies. Best used in conjunction with a DNS caching server like Unbound.
DNS
DNS is what allows your computer to convert a domain name (such as wiki.installgentoo.com) into an IP address to connect to. That process is called resolving.
When your computer attempts to resolve a domain name it queries a DNS server. Usually this will belong to your ISP if you have not configured it manually. Not all DNS servers are created equal—some block queries to certain websites, others hijack queries and redirect them elsewhere, and some log your queries. You should look for a DNS server that is close by (for minimum latency) that doesn't log your IP address. In addition, you may want to use DNSCrypt for added protection, and a caching DNS server for reduced privacy exposure and higher performance.
Warning: Google DNS and OpenDNS log queries. Google "anonymizes" query information after a period of time, but keeps associated ISP information permanently.[1] OpenDNS logs your IP address and may also correlate it with other information that is normally non-personally identifying.[2] Avoid those two services.
DNSCrypt
End-to-end encryption for your DNS requests. This prevents any intermediaries from monitoring your DNS requests. It defaults to OpenDNS. You should change that using one of the additional DNS servers listed on dnscrypt.org. Ideally, it should be used with a caching DNS server like Unbound.
See DNSCrypt for more information.
Unbound
Unbound is a high performance validating, recursive, and caching DNS server with a multitude of privacy oriented features. The simple fact it acts as a DNS cache ensures less frequent connections to your DNS server. On top of that, it is able to enforce DNSSEC and use clever algorithms to harden your DNS queries. See Unbound for more information.
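What a local cache changes about the view of the upstream DNS server, as an added example (not from the original article or the Unbound project): a simplified TTL cache replayed over a constructed query log. The log, the TTL values and the function names are assumptions; the same reasoning applies to the web cache described earlier.

```python
# Constructed client query log: (seconds since start, name, TTL of the answer).
QUERIES = [
    (0,   "wiki.installgentoo.com", 300),
    (10,  "wiki.installgentoo.com", 300),
    (20,  "example.org",            60),
    (70,  "example.org",            60),
    (100, "example.org",            60),
    (200, "wiki.installgentoo.com", 300),
    (310, "wiki.installgentoo.com", 300),
    (320, "example.org",            60),
]


def upstream_view(queries, caching=True):
    """Return the (time, name) lookups that actually reach the upstream server."""
    expires = {}   # name -> time at which the cached answer stops being valid
    seen = []
    for t, name, ttl in queries:
        if caching and expires.get(name, float("-inf")) > t:
            continue  # answered from the local cache; nothing leaves the machine
        seen.append((t, name))
        expires[name] = t + ttl
    return seen


def exposure(queries):
    """Summarise what caching hides from the upstream server and what it does not."""
    direct = upstream_view(queries, caching=False)
    cached = upstream_view(queries, caching=True)
    return {
        "lookups_without_cache": len(direct),
        "lookups_with_cache": len(cached),
        "names_still_visible": sorted({name for _, name in cached}),
        "names_hidden": sorted({n for _, n in direct} - {n for _, n in cached}),
    }


if __name__ == "__main__":
    for key, value in exposure(QUERIES).items():
        print(f"{key}: {value}")
```

The cache cuts the number of lookups the upstream server sees and blurs when and how often you visit a site, but every name you resolve still reaches it at least once, so the choice of upstream server and encryption such as DNSCrypt still matter.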
OpenNIC
The OpenNIC Project is a privacy-minded collection of volunteer-run servers that also allow you to use extra TLDs such as .geek etc. Also features DNSCrypt support.
Operating Systems
Unfortunately, government organizations around the world have a variety of back doors into a variety of operating systems, but one can still attempt to be anonymous through a variety of methods. Free software alternatives to Windows or OS X appear to be more secure than their counterparts, since their code is almost always individually reviewed.
Tails
Tails is an OS specifically designed to preserve your privacy and anonymity. It forwards all your packets through the Tor network and leaves no trace on the computer you are using it on. Your files and emails are also encrypted using top of the line cryptographic tools.
Whonix
Whonix is an OS based on Debian GNU/Linux and Tor which focuses on anonymity, privacy and security. It is designed to be used inside a host OS.
Tools
MAT, or Metadata Anonymisation Toolkit, is a toolbox composed of a GUI application, a CLI application and a library, to anonymize/remove metadata.
Anonymouth: an anti-stylometry tool (stylometry is the scientific study of literary style). An article discussing it: https://archive.is/xNP9r, another article: https://archive.is/vZ2Cw
Privoxy: a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.
Anonymization Tools Taxonomy: A list of anonymization tools. Hasn't been updated since 2004.
Routers
A router that supports free and open source firmware is recommended over one provided by your ISP. ISP routers often come preloaded with software that can compromise your privacy and security. There are many GNU/Linux based firmwares available for common routers:
- OpenWrt: An open source Linux distribution for embedded devices. It is optimized for minimal storage and RAM usage to fit on home routers;
- LibreCMC: The FSF's fork of OpenWrt with all non-free software removed;
- DD-WRT: A firmware focusing on the Linksys WRT54G series routers;
- Tomato: Partially FOSS firmware released in 2008. It is still actively updated by community mods;
- PORTAL: An acronym for Personal Onion Router To Assure Liberty. It forces all internet traffic through the Tor network to limit the possibility of user mistakes.
For more detailed information see: Routers. You can also use a computer as a router.
Android
By their nature cellphones cannot be completely anonymous, but there are some steps that can be taken to at least limit your footprint.
Android Replacements
- Replicant: A project to completely replace all proprietary components of Android;
- Custom ROMs;
- Firefox OS: An alternative operating system by Mozilla that runs on some Android devices.
Alternative Google Apps
- F-Droid: Part of the Replicant project. An app store that only contains Free Open Source Software;
- NOGAPPS Project: Replaces the Play Store, Google Maps API, Network Location API, and others in the future;
- APK Downloader;
- OsmAnd~: Replacement for Google Maps;
- GApps Browser;
- Relevant thread on google app store alternatives.
Removing Ads
- AdAway (Requires root): Hosts file based ad-blocking;
- Adblock Plus;
- Lucky Patcher (Requires root): Patches APKs to remove ads and allows you to disable the ads' activity itself.
Enforcing Permissions
- XPrivacy;
- App Ops: Available since Android 4.3. Removed in 4.4.2, but still retained in custom ROMs. Allows you to tweak individual permissions on a per-app basis;
- Available by default on Android 6 (M).
Browsers
Related Links
- http://browserspy.dk/
- https://www.howsmyssl.com/
- https://www.dnsleaktest.com
- http://www.whatismyreferer.com/
- https://panopticlick.eff.org/
- https://securityinabox.org/en
- https://myshadow.org/
- https://ssd.eff.org/
- https://thetinhat.com/
- http://login2.me/
- http://bugmenot.com/
- https://alternativeto.net/software/bugmenot/
- https://alternativeto.net/software/fake-mail-generator/
OPSEC/Operational Security
All the software in the world won't help you if you ignore the human element. Obvious no-nos:
- Using the same username everywhere;
- Using the same email address everywhere;
- Logging into the same accounts through your real IP and a proxy/VPN/Tor;
- Posting photos or images which can be traced back to you via a reverse image search.
Dread Pirate Roberts was brought down by many of the above points.
More subtle no-nos:
- Forensic Linguistics is the science of figuring out someone's identity by the words, phrases and grammar they use. Recommendation to counter this: Anonymouth;
- Using the same browser with your real IP as with your proxy/VPN/Tor IP (see fingerprinting above);
- Discussing personal preferences, or knowledge of specific locations such as a school, shop or town;
- Being unprepared for a proxy/VPN/Tor to drop out.
Steve Rambam gave an excellent talk at the HOPE hacker conference which summarizes many of the techniques that you/private investigators/LEA can use to determine someone's identity.
To err is human. As clever as you think you are, all it takes is one connection from your real IP address to deanonymize you. One day when you're distracted/tired/stressed/drunk/high/panicked/surprised or when something out of the ordinary is happening, you will mess up. Putting up many automated layers of anonymity/security will help protect you from yourself.