The Edward Snowden guide to practical privacy

Thanks to The Register; here’s The Edward Snowden guide to practical privacy


If you’re just an average user concerned about your privacy

  • Use Tor when browsing. You don’t have to use Tor all the time (it does slow things down considerably and some sites will also block Tor traffic). But if you are looking at or for something that you feel is sensitive, then either set up your browser to work with Tor or use the Tor browser.
  • Use an ad-blocker. Says Snowden: “As long as service providers are serving ads with active content that require the use of Javascript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser – you should be actively trying to block these.”
  • Use a password manager. It doesn’t matter how many surveys and reports come out that tell people to use different passwords and complex passwords, a huge percentage of us maintain borderline idiotic approaches. The simple answer is: get a password manager. It will protect you.
  • Use two-factor authentication. Many services such as Gmail, Twitter, Dropbox, Hotmail, and Facebook offer this now for no charge. So even if your password does get exposed, you still have a backup such as a text message to your phone to secure your information.
  • Use apps that protect your information. Snowden suggests the smartphone app Signal, which encrypts both your phone calls and texts. It’s free and easy to use. Although of course, following a high-profile argument with the FBI, it would appear that Apple’s messaging service is also pretty secure (although Snowden would probably have doubts).
  • Use the HTTPS Everywhere browser plug-in. This comes from the Electronic Frontier Foundation (EFF) and will try to force all browser communication to be encrypted.
  • Encrypt your hard drive. This is comparatively easy these days but you have to be careful to do two things: one, have a longish phrase to make it worthwhile; and two, make damn sure you remember that phrase. There will be a slowdown in performance but nothing too bad if you have a modern machine.
  • Be smart with your security questions. Stop using your mother’s maiden name for everything. Likewise your first school. The key is to mix things up as much as possible so if someone does get into one of your accounts, they can’t use the same information to get in everywhere else.

After reading this I installed Whisper Systems Signal on my Android devices, and encouraged my friends and family to do the same.

Signal allows you to send encrypted texts and phone calls, all free of charge, combining the original apps TextSecure and RedPhone.

At Open Whisper Systems, we want everyone to have access to advanced secure communication tools that are as easy and reliable to use as making a normal phone call or sending a normal text message.

Over the past year, we’ve been working to bring the privacy software we’ve developed for Android to the iPhone, and today we’re releasing Signal – free, worldwide, encrypted voice calls for iPhone, and fully compatible with RedPhone for Android.

This free app is a no-brainer for anyone who values their privacy, available on Android and iOS.

yubikey-neo + KeePassX + KeePassDroid + OwnCloud

yubikey-neo + KeePassX + KeePassDroid + OwnCloud portable secure password vault

Searching through F-Droid for yubico I came across a link to KeePassDroid; I’d come across a password safe solution on the yubico site using KeePass, but shied away as it mentioned the premium version… I don’t mind paying for shit, although if I can solve the issue with free open source alternatives I’ll spend hours trying 🙂

So the solution that I’ve pulled together:

  1. created a KeePassX database on my Ubuntu machine with all login email details
  2. set password up in 2 steps
    1. self entered password
    2. password stored on yubikey-neo
  3. set up key
  4. saved key and KeePassX database to OwnCloud
  5. from Android, downloaded key and database and opened them with KeePassDroid
  6. password acquired on demand via NFC from yubikey-neo

Sorted, a free solution… excluding purchasing of yubikey-neo and host fee of website that allows for OwnCloud space.

Guess free alternatives could be Google Drive or MEGA for online file storage, and a simpler one-step password 🙂

Quite happy with how it works, let’s hope I don’t lose the yubikey-neo in the near future 🙂

Reset the Net

This was a fantastic campaign that began yesterday (a year after the Snowden NSA leaks), from Fight for the Future, to encourage the users of the web to step up their security.

A coincidence that I set up a unique IP, and HTTPS with a self-signed cert, for this site yesterday 🙂

Block mass government surveillance and take back privacy! Share this so we can reset the net everywhere.


Firefox security plugins

Here’s a list of Firefox (you are using Firefox, aren’t you?) plugins that were shared on Reddit to help keep your browsing more secure and anonymous.

I already used a few of them, but in this day and age you can’t be too careful 😉

  • Adblock (with the privacy easylist added)
    • Annoyed by adverts? Troubled by tracking? Bothered by banners? Install Adblock Plus now to regain control of the internet and change the way that you view the web.
  • BetterPrivacy
    • Remove or manage a new and uncommon kind of cookies, better known as LSOs. The BetterPrivacy safeguard offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others…
  • Blender
    • Blend in the crowd by faking to be the most common Firefox browser version, operating system and other stuff.
  • DoNotTrackMe
    • Protects your privacy by blocking online tracking. DNTMe blocks ads and cookies with tracking, prevents data collection, and keeps your private browsing what it should be – private. Stop web tracking of your browsing activity now.
  • HTTPS Finder
    • Automatically detects and enforces HTTPS connections when available. It also provides one-click creation and in-browser editing for HTTPS Everywhere rules.
  • HTTPS-Everywhere
    • HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. Encrypt the web: Install HTTPS Everywhere today.
  • NoScript
    • The best security you can get in a web browser!
      Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
  • Redirect Cleaner
    • Cleans Redirects from Links
  • RefControl
    • Control what gets sent as the HTTP Referer on a per-site basis.
  • Self-Destructing Cookies
    • Cookies when you need them, not when others need them to track you – gets rid of a site’s cookies and LocalStorage as soon as you close its tabs. Protects against trackers and zombie-cookies. Trustworthy services can be whitelisted.

And finally, forget searching with Google and make the change to StartPage.

Be careful out there people 🙂

Edit: A comprehensive list of security solutions is here: Prism-Break

Build a VPN-Tor proxy on Amazon cloud servers with Lahana

OK, I’m intrigued. Here’s the idea: User >> Lahana VPN >> Tor >> Website, thanks to Hacker 10.

Lahana is a set of scripts that can quickly create a VPN on Amazon EC2 cloud servers using Linux instances and tunnel everything through the Tor proxy network.

And here’s a Lahana link.

Off to play, will put together a guide if I can get this to work

Links

r/netsec


TechCrunch: MIT Students Show How To 3D Print Your Own Non-Duplicatable Keys For Easy Breaking And Entering

TechCrunch: MIT Students Show How To 3D Print Your Own Non-Duplicatable Keys For Easy Breaking And Entering.

This is both interesting and scary.

The key (with lock) has long been considered the first and last line of defence in keeping your precious things private… or keeping thieving villainous scum out of your house.

This application of technology could be a game changer. I wonder what alternatives to the traditional lock and key are currently available?

grab the greasemonkey

I can’t believe it took me so long to find GreaseMonkey, from Greasepot:

Greasemonkey is a user script manager. It is an extension for the Firefox web browser.

So what does it do?
It adds user created functionality to the web sites you use.

Very easy to use:

The 1st script I tried deleted all of my 6 months of posts on Reddit.
Brilliant; keep the karma, remove the history.

But my favourite script so far is this one, SSL Certificates Pro, which opens many popular websites automatically with https.

Any others you’ve tried and would like to share?

Edit: I’ve just found https-everywhere, another Firefox plugin which uses https at every opportunity.
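
A minimal user script of the kind described above, one that opens listed sites over https. This is an added example, not SSL Certificates Pro and not code from this post; the host list and the function names `isListed` and `upgradeToHttps` are constructed for illustration.

```javascript
// ==UserScript==
// @name     Upgrade listed sites to HTTPS (added example)
// @match    http://*/*
// @match    https://*/*
// @run-at   document-start
// @grant    none
// ==/UserScript==

// Constructed allowlist: hosts assumed to serve the same content over HTTPS.
const HTTPS_HOSTS = ['example.com', 'example.org'];

// True when host is an allowlisted name or a subdomain of one. The leading
// dot stops "notexample.com" from matching "example.com".
function isListed(host, list) {
  const h = host.toLowerCase();
  return list.some((name) => h === name || h.endsWith('.' + name));
}

// Return the https:// form of href, or null when no upgrade applies.
function upgradeToHttps(href, list = HTTPS_HOSTS) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return null; // relative or malformed URL
  }
  if (url.protocol !== 'http:' || !isListed(url.hostname, list)) return null;
  // An explicit non-default port is a different service; leave it alone.
  if (url.port !== '') return null;
  url.protocol = 'https:';
  return url.href;
}

// Browser-only part (skipped outside a page). The plain-HTTP request for the
// current page has already been sent by the time a user script runs, so this
// protects what follows: the reload and every rewritten link.
if (typeof window !== 'undefined') {
  const target = upgradeToHttps(window.location.href);
  if (target) {
    window.location.replace(target);
  } else {
    document.addEventListener('DOMContentLoaded', () => {
      for (const a of document.querySelectorAll('a[href^="http:"]')) {
        const fixed = upgradeToHttps(a.href);
        if (fixed) a.href = fixed;
      }
    });
  }
}
```

Because a user script only runs once the page has started loading, the first request to a listed site still leaves in clear text. An extension such as HTTPS Everywhere rewrites the request inside the browser before it is sent, so it covers that first request as well.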