Even if you’re not doing anything wrong, you are being watched and recorded. - Edward Snowden
As more and more people are living a digital life inside their computers, discussions about privacy and whether or not we can expect to be protected from intrusions in our private lives are taking over the Internet. Regardless of your thoughts on the subject, if you are just a concerned citizen or the newest whistle-blower, there are some ways you can protect your privacy while browsing the Internet or visiting a new country. This is not an exhaustive list, it’s just a compilation of useful information I gathered.
Use unique SSH keys for each service (sharing a SSH key on your GitHub/Gitlab account, network router and AWS/Azure instance is a very stupid idea); use ssh-keygen -t rsa -b 4096 to generate a 4096 bit RSA SSH key. Never put your private keys on external storage (USB stick, SD card, floppy disk, punch card, whatever) where it can be accessed unencrypted. Learn how to work with a SSH ~/.ssh/config file and prevent servers from fingerprinting you using your public key (you can view the public keys of any user via a GitHub request https://github.com/<USERNAME>.keys, for example https://github.com/sizeofcat.keys).
Always enable two-factor auth on websites that support it and you will receive a SMS message with a code every time you login into the website, adding an extra layer of security. Consider getting a YubiKey.
I advise against using Google for searches since they are tracked, you should be using DuckDuckGo’s Search Engine, and when you actually need to search using Google, use the !g modifier in the address bar (for example, type !g EFF and you will be redirected to Google Search through DuckDuckGo’s website. Likewise you can use !w to search to Wikipedia and many other shortcuts (!git for GitHub search).
Full Disk Encryption
You should be using either Bitlocker (for Windows platforms, warning ahead), FileVault(macOS) or LUKS (Linux platforms) full disk encryption on the hard-drive of your system and any external disks with sensitive information on them. Start by setting an unique pass-phrase of minimum 32 characters for each hard-drive (try making a mental algorithm, for example, start with Dum inter homines sumus, colamus humanitatem (a quote by Seneca that roughly translates as “As long as we are among humans, let us be humane”) then replace each u occurence with |_| (three characters).
Make it more complex by replacing o letter with () (or even )( if you want to be sneaky). That way, the passphrase will become D||m inter h()mines s||m||s, c()lam||s h|_|manitatem. Of course, sky is the limit for upping the complexity of your passphrase (as long as you remember the original version and the replacement algorithm). Keep in mind that nothing can save you from this kind of attack.
A very important thing to remember is that you cannot fully rely on disk encryption, you need to employ additional layers like encrypting your sensitive files. Also, in USA (and UK and probably many other countries) a court might demand you decrypt the hard-drives or hold you in contempt and throw your sorry ass in the jail until you comply.
I recommend using the Mozilla Firefox browser for navigation, not Chrome, and below is the list of Firefox plugins that I recommend for everyone to use.
Some of the functions of the plugins overlap but overall, I found those plugins to offer the best privacy. Each of them needs to be fine-tuned according to the level of anonymity you want to keep.
I use Pidgin/Adium with separate plugins for Telegram, Facebook Chat and Skype. All those plugins will probably need to be compiled (helps immensely if you have a Linux machine) and if you are a programmer, I recommend you to look over the source code on each update, so that you can spot any rogue functions. Always use SSL on every connection, including IRC.
Always sign your e-mail using PGP and encrypt sensitive documentation (and even e-mails) before sending them. Try to stay away from Gmail and Outlook.com.
highly recommend using KeepassX as a password manager, secured using a key file and not a password. Also, you should download the source code, compile it (using a Linux machine) and always look over the source code for rogue functions, you CANNOT afford a vulnerability inside the password manager.
Best password manager is 1Password. Period.
Blocking malicious domains is really easy using Steven Black’s hosts repository (direct link to the actual hosts file, beware it will block most of the social media websites, Twitter, Facebook, etc). Download the file and overwrite the one on your machine (on MacOS/Linux/iOS/Android, the file is /etc/hosts, on Windows it resides in %SystemRoot%\system32\drivers\etc\hosts). Reboot the system or just restart your network component and you’re done, all the requests to the domains/subdomains blacklisted in the file will be blocked.
Never hibernate your laptop, always power it off when it’s unattended; if it must be powered on, suspend and lock it. A powered-on machine can be subjected to a cold-boot attack (this type of attack is harder to be accomplished if the RAM modules are soldered onto the machine’s mainboard, usually more encountered in netbooks). If you are really paranoid, mark the screws on your laptop with wax/nail polish, but once you go that way … it’s hard to come back.
Use a BIOS password and disable boot from anything else than the local hard-disk/SSD, a BIOS password won’t be hard to bypass (removing the battery from the mainboard) but it might prevent a thief from accessing your data since the laptop screws will need to be removed. Every bit helps.
I won’t go as far as suggesting you should pump hot glue inside your laptop’s USB and HDMI ports, but if you plan on visiting North Korea, maybe you should (read more on DMA attacks).
Other things to keep in mind
Make sure you use good passwords. jimmy82 is not a good password. jimmy_helen (provided your name is Jim and your wife’s name is Helen) is a pitiful password. password as a password should get you fired from any job and your citizenship revoked. Be smart about it, how about 1^/y-K73g)T24%#-,$34. (you don’t actually need to remember that, that’s why we have password managers)
If you need private (or even public) git repositories, install gogs on a server you control, it’s a way better alternative than GitLab or GitHub. Everybody knows all hosted git services are like a black hole that keeps drawing in (through our own mistakes) private keys from various projects, though we all deny ever doing that.
Install OpenWRT or ddWRT on your home router (if it does support them), secure it using a SSH private key (if you have a SSH server running on it), keep it updated and close all incoming connections to your local network (or log them, whatever you see fit).
Install a more privacy-oriented operating system: Windows (any version of it) is not really suited because it leaks so much information about the user, has telemetry software installed, is not free, you can’t inspect the source code, there are specific domains that cannot be blocked in the firewall, etc. Use a Linux variant like Debian, Whonix, Tails, even Ubuntu. I don’t have any experience with FreeBSD but I’ve heard good things about it. Basically anything but Windows; if you HAVE TO choose a Windows version, use Windows 7.
DO NOT use cloud solutions (OneDrive, Dropbox, Google Drive, iCloud, even self-hosted OwnCloud) if your files are not encrypted before being sent to the remote servers. Your photos might not need (beware that EXIF data from the photos will leak information, GPS coordonates, camera/phone, etc) but your private documents do need to be encrypted. Use GPG to encrypt them (and decrypt when needed).
Keep your system software and applications updated to the latest changes (on Ubuntu is as easy as running sudo apt update && sudo apt upgrade in a console). On Windows, beware of updates that install telemetry packages (keep Windows Updates to “Check for updates but don’t install them automatically” and search for the name of the update on your favorite search engine before installing it).
If you need to remove sensitive files you should know that the actual file contents isn’t removed from the disk, just the file inodes are unlinked, so forensic software will recover the contents of the file. Install a tool like secure-delete from the Ubuntu repository (sudo apt install secure-delete) and use it to securely remove a file and its contents from your drive.
Always use HTTPS for your websites, you can get free SSL certificates from the Mozilla’s Letsencrypt project.
- Donate to Electronic Frontier Foundation (EFF)
- Surveillance Self-Defense
- Puri.sm Librem
- OpenPGP best practices
- Bruce Schneier on Security
- Be anonymous on the Internet(s)
- Tor Browser
- Securing Debian
- The Hacker News
- Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices
- The paranoid security guide
- Encryption matters
Note Crossed-out sections have been modified in 2017.
License CC BY 4.0