Greetings all.
Today I intend to append a new series to my mini-collection of posts. This series will consist of informative guides for the purpose of depicting certain aspects of the White Hat profession that I believe are of profound importance. Furthermore, I will keep this series simple for everyone to follow, regardless of your tech level. So without further ado, let's get right into it.
In today's guide I will be talking about privacy, the fundamental right of every human, and the controversy around it. I will also be fully divulging the ways in which you could implement security measures in order to strengthen your privacy. Privacy, privacy, privacy. Let us begin.
Prelude
It is evident that, despite the increasing concerns over one's reclusion and freedom of expression, there are entities which seek to restrain people for attempting to fight for those very rights. That, of course, points to the fact that subsequently not everyone is in control of their liberties. Most certainly the internet is a setting, one of its kind, that allows higher forces to more easily impose restrictive laws to obstruct people's entitlements. Today I aim to help everyone with this scenario by advising measures to prevent the disclosure of personal information and to let private data stay private.
(Enough of my verbal diarrhea •_•)
VPN
A VPN is a Virtual Private Network which, when used, routes your entire internet traffic through the provider's server(s) in an encrypted form before reaching its final destination. Sounds safe, doesn't it? Not so fast. When it comes to VPN, it is painstakingly obvious that trusting a company with absolutely all of your data is foolish. Here I outline some points to think about before choosing a provider.
- Privacy Policy
As lengthy as it seems, you should always read the T&C and PP pages before making a deal. If they mention anything there that may seem off-putting or not to your appeal, disregard the choice. This is for your own protection, since that is what you're here for in the first place.
- Warrant Canary
It can also be referred to as a Transparency document. This may be a page, or a notice on the website, stating that there have not been any official requests for user data, and that none have been turned over. If the page goes blank, missing, or something indicates that it isn't functioning, it means user data has been requested and most probably handed over to the authorities. This system is used to avoid the company getting in trouble but, at the same time, letting users know that something is up.
- Own Servers
A big question at hand is whether the VPN provider runs their own servers, their own DNS and their own infrastructure. If they don't then they are owned by a parent company who, if required, will have access to all logs and user data it needs in case there is an issue or an investigation. If they do, that is good news because they are independent and whatever they claim on their website is more likely to be true since they are not affected by any entities (apart from the government of the country they reside in).
- Location
This is probably one of the most important points to outline. Wherever a VPN provider is situated, make sure it does not have any physical ties to any members of the Five Eyes, that being the US, UK, Australia, Canada and New Zealand. By having ties to any of these countries, the VPN company straight away loses its powers to protect you. This is a golden rule that needs no explanation.
- Price
Alright, I think this one is pretty clear. If a VPN is free, don't take it. Remember that for a free service, if you are the customer then you are the product. This is because by offering you a 'free' service the VPN company still needs to make some money. The only way they can do that is by implementing ads and by selling whatever data they can squeeze out of you. They will do this through forms, surveys, and data usage they collect through their VPN app. Thus, you have lost all of your privacy when that's all you came for in the first place. So don't take up free VPNs. If you want extra anonymity, see if the provider allows payment using Bitcoin because that's your golden ticket.
Proxy
A proxy is a server that acts as an intermediary for any protocol-specific requests from one machine to another. There really isn't much up for discussion here. We all know proxies are not the safest, not the most reliable and definitely not the fastest means of connectivity... but they save you when you most need saving. They can make traffic seem totally anonymous and are a quick and easy alternative for when VPNs don't work.
But don't rely on them saving you from the NSA or GCHQ (Britain's equivalent). Whoever is running those proxies are fully aware what you're doing with the service. Even if you're using an SSL-protected proxy, they can still perform a live inspection on the traffic. The one thing you could try is pick proxies from countries where they will not, by any means, give up user data simply because they don't care about threats. Such countries include Russia, China, Romania, and several others that you can dig up on the internet.
Public Hotspots
This isn't something covered in many places, but I believe it is imperative that it needs to be mentioned. When you're out and about, and you're at a coffee shop or something, you will most likely use the free Wi-Fi that is usually available these days. If you ever decide you need protection, you already have one complimentary layer set up for you, just by being in a café. However, this will only work if one of the other measures are implemented (e.g. VPN) and that will strengthen your protection.
Using a public hotspot means that, since you are not at your home network, you will not be seen as a domestic target by attackers. So that means that, if someone decides to monitor your connection, all they will see is a random stranger at Starbucks (an example) and they will not know their target, thus you have just been dismissed. Great news, now how about authorities?
This doesn't really change the situation with the authorities, as their power extends in all directions. An FBI official could literally just walk into Starbucks and ask for all the Wi-Fi logs and he (or she) would be handed them instantly. So your only protection from the government remains a VPN or a proxy, which will deter anyone from looking in the place of origin of the traffic. But is that all there is?
TOR and I2P
These two words you may have heard of. The first one is much more known, but I think the second one is worth including. Sure, they aren't your fastest means of 'proxying' but they are by far your safest bet. What I find miraculous is that people are still getting caught doing terrible things when using these services. I'm not saying this to discourage you from using them, I'm telling you this because it's something to be aware of.
The problem when people get caught over TOR is poor self discipline. If you wish to do something online, and you don't want anybody to know of it, TOR is not enough. You also need to stop bragging you did it, stop bragging under your name! Drawing attention to yourself, using your real name and frivolous acts like these will most certainly cast doom onto you.
Why did I mention TOR though? Oh yes, right, use the TOR browser (connected to the network, of course) and that will send your traffic through 3 relays before reaching your target. What I like the most is that those 3 relays are different for each website you visit. Now that's some auto-proxychains-power safety right there if you ask me.
A similar story goes for I2P, except it doesn't relay your traffic through 3 mediums, but it does encrypt your traffic end to end and it does have base32 addresses (if you use the network) that are incredibly difficult to decrypt, so much as realistically impossible. Either way, these are your alternative methods of achieving total privacy if you seek it.
This may not seem very important but it is. Email is fundamentally flawed, and judging by how we use it and how much we rely on it, it poses a huge risk to our privacy. So what is the solution here. Well, there's one solution and that is to use a privacy oriented service. No silly, not Gmail or Yahoo but something like Startmail, Tutanota, Riseup, or ProtonMail (yes, I know all about the hack). However to use them you'll need to spare a bit of money, it's not free you know (except Riseup, that is absolutely free of charge).
So there you have it, a way to save the day.
Operating System
If you're looking for a private way to browse, a private way to open files, and a private way to do pretty much everything, you need a privacy-oriented OS that will do half of the work for you. You have a few choices here, the more obvious ones notably being Tails, Whonix, and then there's JonDonym.
Tails OS isn't very difficult to get used to. All you need is a USB stick with 2 GB of space and you are set. What's great is that all of your internet traffic is already redirected through TOR and you are able to set up I2P in just the same way.
Whonix works best as a Virtual Machine so I suggest you keep it as such. It isolates programs into workstations so that if you get a virus that tries to mess with you, it will stay in the workstation it arrived, and it will never move.
There is very little to say about JonDonym because it is little known, but I can say that it is a great Tails OS alternative as it functions in a similar fashion. I think it is a great (and a greatly underrated) alternative for Tails and I've enjoyed testing it and using it for privacy purposes. So yes, it is a recommendation, along with the other two.
Behaviour
There are plenty of discussions out there on this topic, but I feel like I have to mention it as it goes well along with everything I've already talked about.
Firstly, I cannot stress enough how important it is that you never talk about yourself if you're seeking privacy and/or anonymity. Practise self discipline, make sure you understand that whatever you type on the internet stays there. So think twice before doing anything that may reveal who you are.
Secondly, it is your responsibility to deal with arising threats. If you feel you are being tracked, followed, monitored, whatever, then immediately stop what you are doing. Take a break for 10-15 minutes, meanwhile cleaning all cookies and cache, then return, maybe even on a new browser. Be thoughtful, improvise, make wise decisions that you think will get you to safety.
Remember one thing on the internet: safety first. This is the motto and it doesn't change. Your safety is more important that whatever it is you are doing. So if you feel threatened, cut loose immediately and stay loose until the appropriate time. You shouldn't hesitate to protect yourself, even for a mere second. In a future tutorial I will demonstrate how to set up a 'trip wire' that securely erases your entire hard drive in case you are physically approached. I'm sure this will prove useful with this privacy Guide.
Links and Downloads
Conclusion
I think I've covered most of what needed covering on this topic. There you have it, ways to keep your privacy intact and your mind open. I hope you've learned from this and that you will use this knowledge wisely. If you feel I've missed something, ask in the comments for me to add it and I will try my best.
This series of Guides will be branching out in all sorts of directions so bear with me, as this is just the beginning. I hope you all enjoyed this one, have a great day, and I have a tutorial coming up pretty soon so stay tuned. As always, leave any suggestions for future guides in the comments.
Here's a PDF version of this article. I hope it will prove handy.
https://www.docdroid.net/Ik5jDba/guide-privacy-matters.pdf.html
or use this link.
Have a great day, peace.
TRT
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
14 Comments
Great intro, very informative. Looking forward to the "trip wire", sounds pretty useful.
Well said, good guide for beginners and what to expect. As stated, even though TOR can be intercepted, you are not making there job easy by using it. They will have to work a hell of a lot harder to work out who is who compared to communicating in the clear.
The reason why they make a big deal out of stating that TOR has been compromised is so people stop using it, hence making their job easier. The only way for TOR to be useless is if every TOR node you go through is owned by the big bad wolves. This is where large number of people using it makes it harder to pin point. This is how JonDo works, it relies on large numbers of connections, which in turn, the more secure you become.
The only other problem is if the big bad wolves put out thousands of servers all over the world and populate it so much that you are guaranteed to go through it, then that could render all privacy to zero.
Therefore, do not rely on these protocols alone in case of such a scenario, or in case said scenario is actually happening.
+1 Kudos from me
What are your thoughts about OpenVPN ??
OpenVPN appears safe from NSA.
Comparison of VPN protocols
I read through the article, it's pretty good in explaining what is going on. It is basically a game of cat and mouse, the more they push, the more encryption becomes wide spread, and also the more people that use it, the more data that needs to be decrypted.
The problem is regardless of encryption, there is usually an easier way to bypass it. Backdoor in your router, weakness in your firewall, bug in your software, the user, etc, etc, the list goes on.
Regards to OpenVPN, the fact that it is open source, is what will keep it safe. The fact that anyone can look through the code means that it can be monitored for tampering. That is why you should be very mindful of where you download your software. Also the way OpenVPN works is you need to create an encryption key, which is basically your key that you need so your computer can connect to the VPN. Without it, you can not connect. I would highly suggest you setup your own VPN server so you can see how it works, then hopefully you will see what the vulnerabilities are.
From doing this I have discovered that there could be some vulnerability that could occur, but no fault from the OpenVPN application, but from user error.
One other possibility, which I am not sure of is, what happens if your created OpenVPN key is intercepted from a 3rd party, can they now discover your encryption key and eaves drop on your connection?
Though what you say about open source projects being safer is true to some degree, there could be issues that can affect its security. The heartbleed bug from OpenSSL remained unnoticed for too long a period and despite being open source, it was not detected. So consider this, what if someone put it there intentionally? Someone who was either malicious or someone from the NSA? We don't know. Could this happen to OpenVPN? It's not impossible.
Actually, yes, its is very possible for someone to put a back door into OpenVPN. Don't get me wrong, being open source does not guarantee a clean program. Same goes for closed source, just as bad.
Its very possible someone could upload a back door version onto the main site if they managed to find a way onto the server. Then anyone who downloaded that OpenVPN client didn't verify it, would now be compromised.
This could go on for a while until someone stumbles across the code change. Yes, very likely what happened with heartbleed could happen the same with OpenVPN.
But there is always other ways, if they can't get you from the software level, then there's the hardware level. The NSA has been rumored to have put backdoors into cisco routers prior to them being delivered to their destination. How true that is I don't know, but I think it is very possible. If they can do things like PRISM, then anything is possible that the imagination can come up with.
Hello everybody, thank you TRT for this great guide but after reading it i still have the same question i got when reading at other privacy oriented articles... how to implement those tools ? I think that enumerating those tools is a great idea for a beginner but oftenly the "perfect setup" is not described. I mean, what should i do to be as close as possible to the perfect setup ?
Should i use a VM on my local machine + use a VPN inside my VM and maybe add another layer using proxychains or TOR/i2p in my VM ?
I really don't know what's the best setup and it seems a bit difficult to understand as a beginner so i would be very happy if you guys tell me what setup you are using on a day to day basis.
Thanks in advance ;)
I don't think anybody is using a perfect setup as there is no need to. If you'd like, I will make a tutorial on a privacy oriented setup in which I can disclose all of the possible measures to be taken IRL if you were to implement the setup yourself.
I will demonstrate with examples and show you how it is done by those who truly seek anonimity. That is, if you really want the tutorial.
TRT
Thanks for the answer ! I know no one is using a perfect setup because it doesn't even exist, nothing is perfect. I was just wondering how to reach a minimum level of privacy and how to setup those different tools properly.
I would be very interested in an article that shows a basic configuration for privacy and how do i make VMs, VPNs, etc.. to interact together.
If you make an article like that, be sure that you'll make at least one guy happy ! :p
Sorry if my english is bad :/
I will try and make a tutorial soon. It'll take a while to plan the setup itself, since I myself will have to perform whatever it is that I will be showing. Stay tuned.
TRT
Nice ;)
Thanks that you provided us with a downloadable PDF ;)
I like to store guides and read them later ;)
I will continue to do this if it benefits the readers.
I'm using OneVPN for my privacy which is good service around vpn provider with best vpn features you may buy vpn at affordable price.
Nowadays digital privacy does matter there are many data sellers and hacker you hack our internet activities. While surfing internet uses Best VPN service which can be encrypted your online activities with secure tunnels. Buy VPN
Share Your Thoughts