#51 2013-02-26 11:29:30

xaos52
The Good Doctor
From: Planet of the @s
Registered: 2011-06-24
Posts: 4,602

Re: The paranoid #! Security Guide

Here is one way to do this - for MBR formatted HDD.
From the installed system, create your own GRUB2 rescue disk.
Then zero out the first 446 bytes from your HD MBR:

sudo dd if=/dev/zero of=/dev/sda bs=446 count=1

Your system will not boot from HD, but it will boot from your thumbdrive and show your own custom GRUB menu.

Offline

Be excellent to each other!
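
The dd step from the post above, wrapped with a backup and a verification that the partition table (bytes 446-509) and boot signature survive; this is an added example, not part of the original post. The function names and the constructed disk image are assumptions made for illustration. On a real disk, keep the backup file on the thumbdrive, not on the disk being modified.

```sh
#!/bin/sh
# Added example (not from the thread). MBR sector layout:
#   bytes 0-445    boot code (what the dd command in the post overwrites)
#   bytes 446-509  partition table (4 entries x 16 bytes)
#   bytes 510-511  boot signature 55 aa
BOOT_CODE_LEN=446
SECTOR_LEN=512

# Print bytes [offset, offset+len) of a disk or image as lowercase hex.
mbr_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Back up sector 0, zero only the boot code, then check that the partition
# table and signature are byte-for-byte unchanged.
wipe_boot_code() {
    disk=$1; backup=$2
    if [ "$(mbr_hex "$disk" 510 2)" != "55aa" ]; then
        echo "$disk: no 55aa boot signature, not touching it" >&2; return 1
    fi
    # Type byte of the first partition entry; 0xee marks a GPT protective MBR.
    if [ "$(mbr_hex "$disk" 450 1)" = "ee" ]; then
        echo "$disk: GPT protective MBR, this procedure is for MBR disks" >&2; return 1
    fi
    if [ -e "$backup" ]; then
        echo "$backup exists, refusing to overwrite an earlier backup" >&2; return 1
    fi
    dd if="$disk" of="$backup" bs="$SECTOR_LEN" count=1 2>/dev/null || return 1
    [ "$(wc -c < "$backup")" -eq "$SECTOR_LEN" ] || return 1
    before=$(mbr_hex "$disk" "$BOOT_CODE_LEN" 66)
    # conv=notrunc: without it dd truncates a regular file (disk image) to 446 bytes.
    dd if=/dev/zero of="$disk" bs="$BOOT_CODE_LEN" count=1 conv=notrunc 2>/dev/null || return 1
    after=$(mbr_hex "$disk" "$BOOT_CODE_LEN" 66)
    if [ "$before" != "$after" ]; then
        echo "partition table changed, restore with: restore_mbr $disk $backup" >&2; return 1
    fi
}

# Put the saved sector back (boot code, table and signature).
restore_mbr() {
    dd if="$2" of="$1" bs="$SECTOR_LEN" count=1 conv=notrunc 2>/dev/null
}

# Constructed test image: 1 MiB of zeros, 446 bytes of 0x90 as stand-in boot
# code, one active Linux (type 0x83) partition entry, and the 55 aa signature.
make_sample_disk() {
    img=$1
    dd if=/dev/zero of="$img" bs="$SECTOR_LEN" count=2048 2>/dev/null
    head -c "$BOOT_CODE_LEN" /dev/zero | tr '\0' '\220' | dd of="$img" conv=notrunc 2>/dev/null
    printf '\200' | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\203' | dd of="$img" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Run as "sh script.sh demo" to try it on the constructed image only.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_disk "$tmp/disk.img"
    wipe_boot_code "$tmp/disk.img" "$tmp/mbr.bak"
    echo "boot code: $(mbr_hex "$tmp/disk.img" 0 8)  table: $(mbr_hex "$tmp/disk.img" 446 16)"
    rm -rf "$tmp"
fi
```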

#52 2013-02-26 13:25:24

MrPink
#! CrunchBanger
From: .dk
Registered: 2011-06-28
Posts: 213

Re: The paranoid #! Security Guide

On waldorf/wheezy things seem to be a little different. GRUB doesn't install onto my /boot on dev/sdb/ either. Even with --force enabled. That sucks.

I tried various ways but I couldn't manage to get it installed. I will try further - but maybe someone here can help with that issue.

According to several threads at the debian forum, it is a general problem. The testing installer will not install grub to anything other than the MBR..
I managed to install LILO instead, and successfully boot the system. However, after doing a dist-upgrade dpkg could not update lilo. And since I installed it to the usb drive's mbr, I was unable to replace it with grub. So now I can't boot it.
I think there are two possible solutions for this:
1. Install from stable, and dist-upgrade if you want testing/unstable
2. Install sid, and then install lilo to the /boot partition, not the mbr of the usb-drive, then it should be possible to delete it and install grub to the mbr.
I will try the latter option tomorrow and post results.

Edit: This might be caused because I use a liquorix-kernel. I will try it with 3.2. MrPink: What are the specs on your system?

Vaio VGN-FW31M laptop, 2.4GHz Core2duo cpu, 4GB ram, and a 500GB sata hdd, half of which is a Windows 7 partition, the other half is an unbootable debian sid ... and an 8GB SanDisk Cruzer Contour usb pen drive with a broken bootloader :)

Offline

#53 2013-03-01 20:58:25

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

[4]Encryption

sorcerer's_apprentice wrote:

Obviously having a file lying around somewhere entitled: "secret.tomb" isn't such a good idea, really.

What about naming the tomb file by a more obscure name?

[6]Your Internet-Connection
How do you feel about adding Peer Guardian to the OP?

PeerGuardian wrote:

PeerGuardian is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge blocklists (thousands or millions of IP ranges). Its origin seeds in targeting aggressive IPs while you use P2P.

[9]Firefox/Iceweasel
Adblock Plus seems to have sold out to the advertisers the same way that Ubuntu sold out to Amazon.
I recommend the forks Adblock Edge or Adblock Lite.

[15]Secure Mail-Providers:

sorcerer's_apprentice wrote:

I am decidedly for capitalism, freedom and democracy

And are you decidedly for one's freedom to choose to not be a part of the capitalist rat race?
Most FOSS programs are operated and supported by a loose global collective of coders working as non-profit orgs or for no money whatsoever, sometimes even at a loss. The code is published not as private property but with copyleft licenses in order to keep the results of the work in the commons.

[19]Passwords

sorcerer's_apprentice wrote:

If you have reason to assume that the machine you are using is compromised and has a keylogger installed you should generally only use virtual keyboards to submit critical data.

How does one go about finding out if one is infected with a keylogger?

Last edited by cyberhood (2013-03-01 21:01:00)

Offline

#54 2013-03-02 01:45:19

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

Hey cyberhood,

cyberhood wrote:

[4]Encryption

sorcerer's_apprentice wrote:

Obviously having a file lying around somewhere entitled: "secret.tomb" isn't such a good idea, really.

What about naming the tomb file by a more obscure name?

Well, that is possible. But if your attacker-model includes various agencies, you'd be better off hiding that you even use encryption... So, if you choose to leave this file-extension the chance that they will find out is considerably higher than in the case of moving the file's content to a file with a less suspicious name - as I showed in the guide. But as always: That's something you have to decide yourself.

cyberhood wrote:

[9]Firefox/Iceweasel
Adblock Plus seems to have sold out to the advertisers the same way that Ubuntu sold out to Amazon.
I recommend the forks Adblock Edge or Adblock Lite.

Could you elaborate on that?

cyberhood wrote:

[15]Secure Mail-Providers:

sorcerer's_apprentice wrote:

I am decidedly for capitalism, freedom and democracy

And are you decidedly for one's freedom to choose to not be a part of the capitalist rat race?
Most FOSS programs are operated and supported by a loose global collective of coders working as non-profit orgs or for no money whatsoever, sometimes even at a loss. The code is published not as private property but with copyleft licenses in order to keep the results of the work in the commons.

I don't want this thread to become political. This is a technical manual and I only commented on riseup - because they are making a political statement themselves. So, if you want to discuss politics with me - we should open a thread in OT. But here a short answer: Yes, I am all for it. You can choose whatever you want. If you want to live in a socialist collective. Go for it. I don't consider capitalism a rat race. What I do find completely abominable is corporatism - as it is the absence of freedom. Both of a free market and the free choice to live in a socialist collective.

I know how FOSS projects are operated and supported. Can you imagine how they would be operated if we had socialism? ;)

I am opposed to copyright - as it opposes the freedom of the people to obtain the information they need. But I don't oppose the freedom of an individual to charge for a tangible service, e.g. coming to your company and fixing your networking issues.

You have to differentiate between a$$holes and sensible people. But at the end of the day even the worst capitalistic sociopaths haven't got the bodycount of any socialist regime. And about anarchism: Well, I guess you know what happens. [Ukraine, Spain, Chiapas] If you put your weapons down - the fascists come.

At the moment, I think, the only hope we have is the pirate party movement.

Politics is tricky business. If you want to talk about it - give me a note. I'll kick your ass... :P

cyberhood wrote:

[19]Passwords

sorcerer's_apprentice wrote:

If you have reason to assume that the machine you are using is compromised and has a keylogger installed you should generally only use virtual keyboards to submit critical data.

How does one go about finding out if one is infected with a keylogger?

Well, that is not so easy. There are some linux-keyloggers out there: lkl, uberkey, THC-vlogger, PyKeylogger, logkeys. Generally everything that runs will be listed as a process. You can use:

$ htop

or:

$ ps -aux

A skilled attacker could hide the process or rename it. So if a keylogger is part of your threat-model you would have to take certain precautions. RKhunter, tiger, lynis, chkrootkit can help with that. But that won't be enough against a determined attacker. I will include a section on protection against this in the next update - which I will hopefully come around to doing this weekend.

Offline
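
A check that goes one step beyond the process listing in the post above, as an added example that is not part of the original thread: because a process name can be changed, it lists every process that holds a /dev/input device node open and flags those whose executable is not on an expected list. The paths in EXPECTED_READERS and the function names are assumptions to adapt to your system; a logger running in the kernel or hooking the X server does not open these nodes and will not show up here.

```sh
#!/bin/sh
# Added example (not from the thread). Run as root on a real system;
# an unprivileged user can only read the fd tables of their own processes.

# Executables expected to read input devices (assumed paths, adjust locally).
EXPECTED_READERS=${EXPECTED_READERS:-"/usr/bin/Xorg /usr/lib/xorg/Xorg /lib/systemd/systemd-logind /usr/lib/systemd/systemd-logind"}
TAB=$(printf '\t')

# Print "pid<TAB>comm<TAB>exe<TAB>device" for every open /dev/input/* handle.
# The proc root is a parameter so the check can run on a constructed tree.
input_readers() {
    proc=${1:-/proc}
    for fd in "$proc"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            /dev/input/*) ;;
            *) continue ;;
        esac
        piddir=${fd%/fd/*}
        pid=${piddir##*/}
        # comm is the name shown by ps/htop and can be changed by the process;
        # exe points at the binary that is actually running.
        comm=$(cat "$piddir/comm" 2>/dev/null) || comm='?'
        exe=$(readlink "$piddir/exe" 2>/dev/null) || exe='?'
        printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$exe" "$target"
    done
}

# Keep only readers whose executable path is not on the expected list.
# A replaced binary shows up as "<path> (deleted)" and is flagged as well.
unexpected_input_readers() {
    input_readers "${1:-/proc}" | while IFS="$TAB" read -r pid comm exe dev; do
        case " $EXPECTED_READERS " in
            *" $exe "*) ;;
            *) printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$exe" "$dev" ;;
        esac
    done
}

# Run as "sh script.sh scan" to check the live system.
if [ "${1:-}" = "scan" ]; then
    unexpected_input_readers /proc
fi
```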

#55 2013-03-02 01:46:41

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

xaos52 wrote:

Here is one way to do this - for MBR formatted HDD.
From the installed system, create your own GRUB2 rescue disk.
Then zero out the first 446 bytes from your HD MBR:

sudo dd if=/dev/zero of=/dev/sda bs=446 count=1

Your system will not boot from HD, but it will boot from your thumbdrive and show your own custom GRUB menu.

Thanks for the advice. I haven't tried it out yet. But it's on my list.

Offline

#56 2013-03-02 18:23:46

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

Greetings sorcerer's_apprentice,

sorcerer's_apprentice wrote:
cyberhood wrote:

[4]Encryption

sorcerer's_apprentice wrote:

Obviously having a file lying around somewhere entitled: "secret.tomb" isn't such a good idea, really.

What about naming the tomb file by a more obscure name?

Well, that is possible. But if your attacker-model includes various agencies, you'd be better off hiding that you even use encryption... So, if you choose to leave this file-extension the chance that they will find out is considerably higher than in the case of moving the file's content to a file with a less suspicious name - as I showed in the guide. But as always: That's something you have to decide yourself.

I see. Thanks for the detailed explanation.
---------------------------------------------------------------------------

cyberhood wrote:

[9]Firefox/Iceweasel
Adblock Plus seems to have sold out to the advertisers the same way that Ubuntu sold out to Amazon.
I recommend the forks Adblock Edge or Adblock Lite.

sorcerer's_apprentice wrote:

Could you elaborate on that?

Sure, just read the user reviews after the author released the version with the default allow "acceptable ads" feature... here's just a small sample:

freaking hippy wrote:

No longer blocks all ads. I guess someone paid off the dev. Lets "acceptable" ads come through. I've gone back to using ghostery and blocking ad servers through the hosts file. I've uninstalled this add-on. It was a good run while it lasted.

nicolaos wrote:

I thought I'd install an addon to prevent ads, not one that ensures that the ads the author "likes" will be shown. Add the "error correction" spy, pay-per-click, and this addon took μtorrent's shady way... Only bloat from now on. It's been a good ride as long as you were providing clean code. Unfortunately, the average user lost one of his last, true defenses. Everything for the sake of money. I know it's how it works, but I'm just sad. At the end of the day, who cares about me -meh! Money flowing, is what matters. P.S. I wonder what's next... Silently Babylon installation and one or two toolbars? Might be home page hi-jacking...

whitefort wrote:

This used to be simply the best. Now it's suffering from feature creep, adding totally unwanted extras. This would be bad enough, but since the recent update I've found that it works on far less sites than it used to. Some of my most used sites are now plastered with ads, again. So, with a lot of regret, I'll be uninstalling this and looking elsewhere.

westie wrote:

It seems that the authors of the AdBlock Plus have succumbed to the pressures of the advertisers - I wonder how much they're getting paid to let these people through? One problem I have experienced is that whether I tick the 'Allow some...' tick box or not I still seem to get Google adverts. I'm very disappointed - I expected better from you. You want $5? You can have $5 - remove the adverts and you'll get it.

And from the Adblock Edge fork:

adstomper wrote:

Adblock Edge is a fork of the Adblock Plus version 2.1.2 extension for blocking advertisements on the web. This fork will provide the same features as Adblock Plus 2.X and higher but without "acceptable ads" feature. Adblock Edge was primarily branched off from Adblock Plus 2.1.2 source code package "http://adblockplus.org/downloads/adbloc … source.tgz" created by Wladimir Palant.

And from the Adblock Lite fork:

adstomper wrote:

Adblocklite is a fork of the Adblock Plus version 1.3.10 (classic UI) extension for blocking advertisements on the web. This fork will provide the same features as Adblock Plus 2.X and higher while keeping the old UI but without "acceptable ads" feature.

---------------------------------------------------------------------------

sorcerer's_apprentice wrote:

I don't want this thread to become political. This is a technical manual and I only commented on riseup - because they are making a political statement themselves. So, if you want to discuss politics with me - we should open a thread in OT.

Fair enough. This is a great practical guide, I would hate to derail it and clutter it up with politics. I'll respond to each of your concerns in this part of the post in a PM. But I agree, let's keep this thread non-political.
---------------------------------------------------------------------------

cyberhood wrote:

[19]Passwords

sorcerer's_apprentice wrote:

If you have reason to assume that the machine you are using is compromised and has a keylogger installed you should generally only use virtual keyboards to submit critical data.

How does one go about finding out if one is infected with a keylogger?

sorcerer's_apprentice wrote:

Well, that is not so easy. There are some linux-keyloggers out there: lkl, uberkey, THC-vlogger, PyKeylogger, logkeys. Generally everything that runs will be listed as a process. You can use:

$ htop

or:

$ ps -aux

A skilled attacker could hide the process or rename it. So if a keylogger is part of your threat-model you would have to take certain precautions. RKhunter, tiger, lynis, chkrootkit can help with that. But that won't be enough against a determined attacker. I will include a section on protection against this in the next update - which I will hopefully come around to doing this weekend.

Interesting. Ok yeah that's really useful info. Are there such thing as hardware keyloggers?
Thanks again.

Last edited by cyberhood (2013-03-02 18:30:23)

Offline

#57 2013-03-03 03:19:16

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

Regarding Adblock Plus:

What a shame. I will uninstall it as soon as I finish this reply. I will take it out of the guide as well and replace it with the forks.

Regarding Hardware-Keyloggers:

Yes. There are plenty of them. Check out this article by Irongeek on the subject. [Part 1 | Part 2] You now can even get wifi-supported keyloggers or ones that can be hidden inside the keyboard...

Regarding Politics:

click  wink

Last edited by sorcerer's_apprentice (2013-03-03 03:41:17)

Offline

#58 2013-03-03 23:12:47

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

So, I finally got that update together... There is some really critical information in these updates. Especially concerning TOR and encryption. As for the rest: just check it out. I also adjusted the table of contents. So please use it for navigation. I know that navigation is a pain atm. I will start working on migrating the guide to the wiki sometime soon.

Update:

Hardware Encryption
Attacks against Full-Disk-Encryption
Attacks against TrueCrypt-Containers
Social-Networking Threats
Jondonym-Warning
Important info on TOR/TOR-Warning
Proxies
PDF-Malware-Analysis
Secure File deletion
Keyloggers
Secure VoIP/Jitsi for encrypted-video-calls
replaced Adblock Plus w/ Adblock Edge
added links
added social networks
added about:config settings:
---
keyword.enabled:false
network.dns.disablePrefetch:true
network.dns.disablePrefetchFromHTTPS:true
---
Mentioned install Problems with GRUB to USB
lynis (IDS)
secure and anonymous live-cds
added guide on how to make truecrypt portable
p2p networks, meshnetworks
dd-wrt/openwrt/tomato for better router security
VPN

Last edited by sorcerer's_apprentice (2013-03-03 23:16:06)

Offline

#59 2013-03-04 15:07:21

intoCB
Scatweasel
Registered: 2012-10-25
Posts: 1,906

Re: The paranoid #! Security Guide

Excellent work. Thanks for taking the time to put this together.


FreeBSD installation plan:
1. portsnap fetch extract
2. ?
3. Operating system!

Offline

#60 2013-03-04 15:35:32

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

intoCB wrote:

Excellent work. Thanks for taking the time to put this together.

Thank you.

A man's gotta do...

:D

Offline

#61 2013-03-04 22:28:42

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

On the 2012.03.04 updates:

SSL-Search Engines
Have you checked out the YaCy P2P search engine yet? I think the project originated in Germany. (German YaCy site)

TOR [The Onion Router]

sorcerer's_apprentice wrote:

You don't need TOR for funny cat videos on youtube.

Not only that, but the Tor Project recommends not using Tor on Flash sites:

TorFAQ wrote:

I can't view videos on YouTube and other Flash-based sites. Why?
YouTube and similar sites require third party browser plugins such as Flash. Plugins operate independently from Firefox and can perform activity on your computer that ruins your anonymity. This includes but is not limited to: completely disregarding proxy settings, querying your local IP address, and storing their own cookies. It is possible to use a LiveCD solution such as or The Amnesic Incognito Live System that creates a secure, transparent proxy to protect you from proxy bypass, however issues with local IP address discovery and Flash cookies still remain.
If you are not concerned about being tracked by these sites (and sites that try to unmask you by pretending to be them), and are unconcerned about your local censors potentially noticing you visit them, you can enable plugins by going into the Torbutton Preferences->Security Settings->Dynamic Content tab and unchecking "Disable plugins during Tor usage" box. If you do this without The Amnesic Incognito Live System or appropriate firewall rules, we strongly suggest you at least use NoScript to block plugins. You do not need to use the NoScript per-domain permissions if you check the Apply these restrictions to trusted sites too option under the NoScript Plugins preference tab. In fact, with this setting you can even have NoScript allow Javascript globally, but still block all plugins until you click on their placeholders in a page. We also recommend Better Privacy in this case to help you clear your Flash cookies.
The Tor Browser Bundle does not work with Flash or other plugins by design. If you wish to run these plugins over Tor, you need to install Tor and configure your own instance of Firefox.

But in the end, for all the reasons you brought up in your TOR-Warning and because Tor originated as a US Navy tool, I would be very careful using it.

VPN (Virtual Private Network)
What about setting up one's own VPN?

OTR [Off-the-Record Messaging]
Gibberbot: secure instant messaging

Secure and Encrypted VoIP & mobile telephony: There's a LOT to be said about this subject too.
decentralized mobile networks:
ServalProject
P2PNS - A Secure Distributed Name Service for P2PSIP
hardware:
CompuLab
server IP PBX systems and software:
Asterisk.org PBX VoIP
FreeSWITCH VoIP
GNU SIP Witch P2P VoIP server
Kamailio SIP Server (formerly OpenSER)
openSIPS server
OpenTelecoms.org: Federated VoIP
SIPfoundry
sip5060.net: Public SIP Service
software (apps, OSs, encryption, etc.):
csipsimple: ZRTP capability
GNU ZRTP - GNU Telephony: defunct in 2013?
GuardianProject
Orbot
open-ZRTP: VoIP encryption library LGPL
How to ZRTP on Android
operating systems:
Replicant Project: mobile OS recommended by the Free Software Foundation

Facebook
Way to rip into Facebook sorcerer's_apprentice! I love it!

Firewall IP Blacklists/whitelists for secure P2P:
PeerGuardian/Moblock: PeerGuardian is a privacy oriented firewall application. It blocks connections to and from hosts specified in huge blocklists (thousands or millions of IP ranges). Its origin seeds in targeting aggressive IPs while you use P2P.

Last edited by cyberhood (2013-03-04 23:00:45)

Offline

#62 2013-03-05 02:30:20

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

Hey cyberhood,

you are just incredible... ;) Well, then there's the next update coming up.

No, I didn't yet have the time to check out yacy. That's why I haven't added it. There are a few other things I didn't check out yet - but will. As soon as I had a look at them I will add them.

(cyberhood, it seems as if you understand more about torrent/p2p-stuff than I do. I have not used them very often. Maybe you could write a little piece of text/ a short how-to to add to the guide. Only if you want and have the time to spare. I was thinking particularly about yacy and peerguardian. I mean, I am not the Security-Hitler here. ;) So if anyone wants to add text to the guide - just pass it along. Of course I will review it - but since the guide is public I guess misinformation and errors will be noticed by someone.)

Actually, the next thing I was going to investigate is how to set up your own VPN - and if that helps increase anonymity.

All that other stuff: Heard about some of it - some of it is totally new to me. So give me some time to check it all out.

Thanks a lot!

PS: Yeah, that wiki-page on Facebook is epic. I directly added it.

Last edited by sorcerer's_apprentice (2013-03-05 02:35:18)

Offline

#63 2013-03-05 09:01:54

Resident Bot
#! Die Hard
From: The Netherlands
Registered: 2012-02-17
Posts: 573

Re: The paranoid #! Security Guide

I would NEVER use a bios password again. I set one before going on holiday one year - when I got back tried starting up the computer and I swear it was the right password but it would not accept it - so maybe I had mistyped it when setting it up - don't know. In the end had to dismantle my laptop - do you know how hard they make that on some models!!! There was a switch I had to flick which they put under the keyboard - under a plate. Never again. Nearly broke the thing.


Troll = not a fanatic
slave of #!  and arch

Offline

#64 2013-03-05 14:49:41

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

ChickenPie4Tea wrote:

I would NEVER use a bios password again. I set one before going on holiday one year - when I got back tried starting up the computer and I swear it was the right password but it would not accept it - so maybe I had mistyped it when setting it up - don't know. In the end had to dismantle my laptop - do you know how hard they make that on some models!!! There was a switch I had to flick which they put under the keyboard - under a plate. Never again. Nearly broke the thing.

So what's your advice? "Don't use passwords - you could lose them."

That is the idea behind a password - that only the party that has it can access the data.

Offline

#65 2013-03-05 20:04:35

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

sorcerer's_apprentice wrote:

(cyberhood, it seems as if you understand more about torrent/p2p-stuff than I do. I have not used them very often. Maybe you could write a little piece of text/ a short how-to to add to the guide. Only if you want and have the time to spare. I was thinking particularly about yacy and peerguardian. I mean, I am not the Security-Hitler here. ;) So if anyone wants to add text to the guide - just pass it along. Of course I will review it - but since the guide is public I guess misinformation and errors will be noticed by someone.)

I'll see what I can do if I find some time. The thing is that my torrent/p2p knowledge is unfortunately mostly theoretical. Back in the day when I was a Windows® user I used programs like PeerGuardian and YaCy more frequently. Actually, once I got a hit from the DoD on my PeerGuardian when trying to obtain one particular file. Since I've moved over to GNU-Linux I haven't really explored p2p too much, so I'd be the wrong person to ask to try to put together a guide on getting all this up and running. But the next time I install one of these programs and get it configured I promise to make a how-to guide to contribute to the community.

The user & PeerGuardianLinux (formerly MoBlock) developer jre on UbuntuForums.org is extremely active and helpful with that particular program. So just doing a simple search for "PeerGuardian", "Moblock" or "jre" on the UbuntuForums should turn up lots of information. Here is the best guide on how to install and configure PeerGuardian Linux.

Theoretically speaking, the key to Pretty Good security has to do with decentralization. The idea being that even if you trust Hushmail to handle your email or Startpage to conduct your searches, they still have centralized servers with all the data on their storage media to be either hacked or subpoenaed beyond their control. Having your own server, and using decentralizing programs -like these p2p programs- makes it that much harder for the enemies of freedom to track us and know more about ourselves than even we do. 

YaCy is so exciting because you don't rely on that one single big provider that can easily be compromised for your searches.

The same's true for the new BitTorrent program Tribler:

Wikipedia wrote:

Tribler is based on the BitTorrent protocol and uses an overlay network for content searching, which makes the program operate independent of external websites and renders it immune to limiting external action, for example, government restraint. Due to this overlay network Tribler does not require an external website or indexing service to discover content. ... In 2012 the lead researcher stated “we’re going to take Internet privacy to the next level” by releasing Tribler with a proxy layer. wiki/Tribler

Last edited by cyberhood (2013-03-05 20:08:00)

Offline

#66 2013-03-05 20:22:25

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

Looking a little bit broader than just email and search engine technology we can even decentralize the actual structure of the internet. We saw in Egypt that when the protests started that eventually led to the ousting of Mubarak, Mubarak actually called up the major Internet Service Providers (ISPs) and had them shut down the internet! This new mesh networking technology helped the protesters continue communication and ultimately topple their repressive regime, it will help prevent this kind of shut down in the future, it will help during disasters, and it will help in poor and rural areas:

Sharing the Internet: "Commotion Wireless" Technology Lets Communities Create Free Webs of Access
Guest: Sascha Meinrath, director of the New America Foundation’s Open Technology Institute.

Amy Goodman wrote:

We are broadcasting from Silver Spring, Maryland, at the Freedom to Connect Conference. People have come here from across the country to discuss how to promote Internet freedom and universal connectivity.
About two years ago, news reports described the project of our next guest as a way for overseas dissidents to overcome repressive regimes as they try to censor them by shutting down the Internet. Well, this week the software he helped launch will launch here in the United States. It’s called Commotion Wireless. You can download the program on your cellphone or laptop computer in order to create what’s called a "mesh" network that allows you to share Internet access with other devices on the network. This so-called peer-to-peer communication can also challenge the centralized business model and control of Internet service providers.
To talk more about CommotionWireless.net and its implications for participatory democracy here in the U.S. and around the world, we’re joined by Sascha Meinrath, director of the New America Foundation’s Open Technology Institute. He’s also speaking today here at the Freedom to Connect conference.
Welcome to Democracy Now! So what is it that you are releasing?

Sascha Meinrath wrote:

So what we’re releasing is software that repurposes available hardware—cellphones, laptops, etc.—to allow them to communicate directly with one another. So, in addition to needing cellphone unlocking, we really want these technologies to be liberated in the same way that our personal computers can connect to, say, a network inside your home or office. We want to expand that to encompass an entire community and neighborhood, even an entire city.

read/watch the rest of the interview with Sascha Meinrath & Amy Goodman

Big Brother is WWWatching You - feat. George Orwell [RAP NEWS 15]

Last edited by cyberhood (2013-03-05 21:38:21)

Offline

#67 2013-03-06 18:31:03

vlax
#! Member
From: Alcatraz
Registered: 2012-12-25
Posts: 79
Website

Re: The paranoid #! Security Guide

one more option for "Disposable Mail-Addresses" : http://mailinator.com

Online

#68 2013-03-06 19:21:13

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

vlax wrote:

one more option for "Disposable Mail-Addresses" : http://mailinator.com

Thanks, vlax. Added.

Offline

#69 2013-03-12 19:32:18

Bradi
#! CrunchBanger
From: Poland
Registered: 2013-01-21
Posts: 114

Re: The paranoid #! Security Guide

Today I have been researching RSS feeds. It is an amazing technology for efficient web browsing. But I ran into some privacy concerns.

Most websites nowadays use third-party services for managing their feeds, notably Feedburner, so that they can track the RSS statistics. This is done in two ways: providing individually-generated URLs for every item, and including web bugs in the items. This effectively enables these service providers, beyond simple viewcount tracking, to determine exact reading habits for each IP address. And the privacy policies of services like Mediafed are disturbingly unclear.

Now, how can one defend oneself against this form of tracking? The web bugs are easily dealt with by using an aggregator which does not parse images and/or html. But what about the personalized URLs? Is there a way to access the original, non-processed feed of a given website? Or share the tracked feed with thousands of people much like ixquick works with google?

It seems to me that reading news is more private via a well-configured web-browser than via RSS. Which makes me sad because RSS makes life so much easier. Unless I am misinterpreting something.

Offline

#70 2013-03-14 08:50:33

MrPink
#! CrunchBanger
From: .dk
Registered: 2011-06-28
Posts: 213

Re: The paranoid #! Security Guide

When I apply the fake useragent settings in about:config, these settings get overwritten when I restart the browser. This happens in both Iceweasel and Firefox Nightly.

Edit: Never mind, this is probably because of the Useragent Switcher. Using that to enable OP's fake useragent actually gave a better result in Panopticlick.. only 7.99 bits of information 8)

Last edited by MrPink (2013-03-14 09:28:02)

Offline

#71 2013-03-14 17:21:42

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

Bradi wrote:

Today I have been researching RSS feeds. It is an amazing technology for efficient web browsing. But I ran into some privacy concerns.

Most websites nowadays use third-party services for managing their feeds, notably Feedburner, so that they can track the RSS statistics. This is done in two ways: providing individually-generated URLs for every item, and including web bugs in the items. This effectively enables these service providers, beyond simple viewcount tracking, to determine exact reading habits for each IP address. And the privacy policies of services like Mediafed are disturbingly unclear.

Now, how can one defend oneself against this form of tracking? The web bugs are easily dealt with by using an aggregator which does not parse images and/or html. But what about the personalized URLs? Is there a way to access the original, non-processed feed of a given website? Or share the tracked feed with thousands of people much like ixquick works with google?

It seems to me that reading news is more private via a well-configured web-browser than via RSS. Which makes me sad because RSS makes life so much easier. Unless I am misinterpreting something.

What you could do is to request the feed directly. Just go to the RSS-page of the site/service you want to follow. You can request the RSS-updates via Newsbeuter.

With that you still aren't anonymous but at least wouldn't have to worry about third parties using your subscription data for anything. At least this is what I conclude. If you go and download the feed directly I don't see a 3rd party involved. But I could be wrong. Better check this out again. I wasn't able to find any real info on that.

What you also could do is to use this in conjunction with a VPN or TOR. Then you would have some form of anonymity using RSS.

Apart from that I don't know what else could be done in this matter.

Offline

#72 2013-03-14 17:26:56

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

MrPink wrote:

When I apply the fake useragent settings in about:config, these settings get overwritten when I restart the browser. This happens in both Iceweasel and Firefox Nightly.

Yes.

That's why I wrote in the guide:

sorcerer's_apprentice wrote:

But be careful: If you set your user-agent as shown below - using this addon it will overwrite these settings and will not automatically restore them if you turn off the switcher. So you would have to manually reconfigure about:config again. Which kinda sucks.


MrPink wrote:

Edit: Never mind, this is probably because of the Useragent Switcher. Using that to enable OP's fake useragent actually gave a better result in Panopticlick.. only 7.99 bits of information

Yes, I noticed that I also get better and better results on Panopticlick with these settings. The only explanation is that this particular userstring/header-data is being used more and more. Or that all the nerds that read this guide directly implemented these settings, ran off to Panopticlick and thus produced a highly unrepresentative data-set within Panopticlick's database...

Last edited by sorcerer's_apprentice (2013-03-14 17:27:26)

Offline

#73 2013-03-14 21:14:35

Bradi
#! CrunchBanger
From: Poland
Registered: 2013-01-21
Posts: 114

Re: The paranoid #! Security Guide

sorcerer's_apprentice wrote:

What you could do is to request the feed directly. Just go to the RSS-page of the site/service you want to follow. You can request the RSS-updates via Newsbeuter.

With that you still aren't anonymous but at least wouldn't have to worry about third parties using your subscription data for anything. At least this is what I conclude. If you go and download the feed directly I don't see a 3rd party involved. But I could be wrong. Better check this out again. I wasn't able to find any real info on that.

What you also could do is to use this in conjunction with a VPN or TOR. Then you would have some form of anonymity using RSS.

Apart from that I don't know what else could be done in this matter.

Let me provide an example. I often visit this site, and would like to subscribe to their newsfeed. Upon clicking the subscription button on the main page, I am redirected to a Feedburner feed. The article titles are not linked directly to cyclingnews, but through Feedburner's proxy.

In addition, the site uses Mediafed to add social media buttons to every item description. These include nasty invisible web bugs, with a unique URL (I have checked on different computers - the image URL is different each time).

I cannot find a more direct feed address than this Feedburner/Mediafed-processed one. I do not think that Newsbeuter or any other reader can help with this, but I am still new to all this so I could be wrong.

It appears that Feedburner can be trusted to the same extent as any other Google service. As far as I'm aware they do not gather data specifically for each browser. I am OK with using Feedburner feeds.
This is not the case with Mediafed. As shown by the unique image URLs they do track every browser individually, which I think is against the interests of the consumer (me). This is why I make sure never to download images in feeds from Mediafed, and inspect the source code of any new feed before adding it. I have also refrained from using a feed from another website that I like, because they use Mediafed as their default proxy, generating a unique article URL for every browser.

Hope this clears some things up.

Offline
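The feed inspection described in post #73 (checking a feed's source for proxied article links and invisible tracking images before subscribing) can be scripted. The following is an added example, not part of the original thread; the feed, `example.org`, `tracker.example` and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample feed: example.org is the publisher; tracker.example
# stands in for a third-party feed proxy. All names are hypothetical.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example News</title>
<item><title>Stage 1 report</title>
<link>http://feeds.tracker.example/~r/news/~3/Zx9Q/stage-1</link>
<description>&lt;p&gt;Report&lt;/p&gt;&lt;img src="http://stats.tracker.example/b/u8841.gif" width="1" height="1"/&gt;</description></item>
<item><title>Stage 2 report</title>
<link>http://www.example.org/news/stage-2</link>
<description>&lt;p&gt;Report&lt;/p&gt;&lt;img src="http://www.example.org/img/stage2.jpg" width="640" height="360"/&gt;</description></item>
</channel></rss>"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> in an item description."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def is_first_party(url, site_domain):
    host = (urlparse(url).hostname or "").lower()
    return host == site_domain or host.endswith("." + site_domain)


def audit_feed(xml_text, site_domain):
    """Return (item title, finding) pairs for third-party links and images."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", default="?")
        link = (item.findtext("link") or "").strip()
        if link and not is_first_party(link, site_domain):
            findings.append((title, f"proxied link: {urlparse(link).hostname}"))
        parser = ImgCollector()
        parser.feed(item.findtext("description") or "")
        for img in parser.images:
            src = img.get("src") or ""
            tiny = bool({img.get("width"), img.get("height")} & {"0", "1"})
            if src and not is_first_party(src, site_domain):
                kind = "web bug" if tiny else "third-party image"
                findings.append((title, f"{kind}: {urlparse(src).hostname}"))
    return findings
```

Run `audit_feed` on a feed saved to disk rather than letting a reader fetch it, since rendering the items is what triggers the image requests.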

#74 2013-03-14 22:00:28

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

Secure, anonymous live-CDs:

Pentoo wrote:

Pentoo is a security-focused livecd based on Gentoo
It's basically a gentoo install with lots of customized tools, customized kernel, and much more. Here is a non-exhaustive list of the features currently included:
    Hardened Kernel with aufs patches
    Backported Wifi stack from latest stable kernel release
    Module loading support ala slax
    Changes saving on usb stick
    XFCE4 wm
    Cuda/OPENCL cracking support with development tools
    System updates if you got it finally installed
Put simply, Pentoo is Gentoo with the pentoo overlay. This overlay is available in layman so all you have to do is layman -L and layman -a pentoo.
We have a pentoo/pentoo meta ebuild and multiple pentoo profiles, which will install all the pentoo tools based on USE flags.

about Pentoo

Last edited by cyberhood (2013-03-14 22:01:05)

Offline


#75 2013-03-15 14:07:06

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

cyberhood wrote:

Secure, anonymous live-CDs:

Pentoo wrote:

Pentoo is a security-focused livecd based on Gentoo
It's basically a gentoo install with lots of customized tools, customized kernel, and much more. Here is a non-exhaustive list of the features currently included:
    Hardened Kernel with aufs patches
    Backported Wifi stack from latest stable kernel release
    Module loading support ala slax
    Changes saving on usb stick
    XFCE4 wm
    Cuda/OPENCL cracking support with development tools
    System updates if you got it finally installed
Put simply, Pentoo is Gentoo with the pentoo overlay. This overlay is available in layman so all you have to do is layman -L and layman -a pentoo.
We have a pentoo/pentoo meta ebuild and multiple pentoo profiles, which will install all the pentoo tools based on USE flags.

about Pentoo

Thanks, cyberhood. Added to the guide.

Offline
