/cyb/ - cyberpunk and cybersecurity

There's almost no such thing as absolute anonymity. VPNs, TOR, etc. are all far from perfect. Disinformation can be valuable, but unless it's truly random, e.g., a computer creates your disinformation via script and distributes it, there will be patterns in it (same with "chaotic" behavior).

What is your threat model? Are you trying to hide from three-letter agencies? If so, and you're asking these kinds of questions, you are /already screwed/ if they care. If you're a teenager who's trying to mask activity from parents, significant other, school, or similar, it's not too hard.

VPN can't protect you if your browser gives you away. TOR can't protect you if you're stupid. Nearly nothing can protect you if you have a dedicated and capable attacker.

In our heavily digital modern society, compromised anonymity is not the worst thing. It's far more unusual and suspicious (thereby prompting investigation), for a person to be entirely invisible online. Having multiple personalities online is the most effective way to remain anonymous. If one becomes compromised, just burn it and create another one.

You should probably read up on browser fingerprinting and other ways in which your device leaves a trail of information even if you VPN.

Here is a decent method, if you really want pretty good anonymity.

1) Install Debian as your OS
2) OpenVPN into a trusted VPN (privacytools.io has a good list)
3) Run Tails in a virtual machine
4) Connect to everything via TOR inside Tails that you want to remain anonymous
5) Close virtual machine
6) Kill VPN
7 ) Do your everyday Internetting in Debian and leave regular human being footprints

• use audited cryptography. do not roll your own. do not trust others that do (e.g., telegram).

• harden your OS.
https://wiki.archlinux.org/index.php/Security
https://wiki.centos.org/HowTos/OS_Protection
https://wiki.debian.org/Hardening
https://wiki.gentoo.org/wiki/Hardened_Gentoo
https://docs.fedoraproject.org/en-US/Fedora/17/html/Security_Guide/chap-Security_Guide-Basic_Hardening.html
https://help.ubuntu.com/community/Security

• encrypt your hard drive (full disk encryption, or FDE for short).
standard LVM encryption is the best option and should be available when installing your linux distro.

for a disk that is not part of your operating system, a portable drive for example, dmcrypt/LUKS is the best option but veracrypt is
available on all platforms. keep in mind your installer may or may not encrypt your GRUB and there are several ways of dealing with
that issue which are discussed in the Paranoid #! security guide linked in the introductory resources below. keep in mind disk
encryption means nothing to an experienced attacker with physical access if you have not completely shut down your computer and
wiped the RAM.

• encrypt your emails.
PGP is pretty much all we have, but it is all we need.
https://www.enigmail.net/

your metadata may still be collected. if you care about metadata, use a disposable email account or a trusted provider. suggestions
include protonmail or cock.li.

• encrypt your instant messages.
for better or worse XMPP+OTR is still our best bet.
https://otr.cypherpunks.ca/

i would not depend on anything else. even if the crypto in other apps is theoretically sound, the implementation fails or the
distribution method is inherently flawed. cryptocat is an unpopular, but good option. telegram, tox, and wickr are fucked. do not
even bother. you might as well use skype.

• use a local password manager (no cloud bullsoykaf).
any. it is better than what you are doing now.

• strong passwords. make sure they are long and unique.
https://www.xkcd.com/936/

• do not reuse passwords. seriously.
if you do, consider your password public knowledge.

bypassing a login wall? sure. fuck it. who cares if someone else uses it.
anything you care about? no. absolutely not.

• better yet, use randomly generated passwords. the best password is one you cannot remember.
https://www.grc.com/passwords.htm

• your new search engine is duckduckgo or searx.
https://duckduckgo.com/
https://searx.me/

• your new browser is firefox.
be sure to go into options, then security, and uncheck block malicious content.
https://www.mozilla.org/en-US/firefox/new/

• modify some settings
enter about:config into your url bar and apply the following modifications. do not bitch about there being too many options. that is the
fucking point. you cannot even configure many of these settings in other browsers without modifying its source or building addons.
https://pastebin.com/raw/T8TeepZP

the changes listed above are unambiguous and unopinionated. you can go a much further than this at the expense of comfort and
convenience. consider modifying some of the settings listed on https://github.com/pyllyukko/user.js/blob/master/user.js depending on
the sacrifices you are willing to make for privacy and security.

• now install your addons.
required: ublock origin, https everywhere, noscript, blender
https://addons.mozilla.org/en-US/firefox/

• apply your filters.
required: easylist, easyprivacy.
https://easylist.to/

• and test your results.
https://panopticlick.eff.org/

• do not use chrome. chrome is a closed source browser by a for profit corporation. firefox is an open source browser by a non-profit
organization. use your head.

• do not use chromium either. it may be open source, but it still phones home.

• block malicious sites in your hosts file.
https://github.com/StevenBlack/hosts

• use an anonymous VPN. a paid one. without traffic logs.
do torrent over VPN.

• use TOR.
do not torrent over TOR.
https://www.torproject.org/

• understand the difference between anonymity, privacy, and security.

>>514
I'll add something
• Use a sandbox program like Firejail to use the browser or anything you download from it (pictures, PDFs…).

• If you plan to connect to a public WiFi you should spoof your MAC address. With macchanger and a script you can automatically spoof it with a random but valid address at boot.

• Encrypt your DNS queries with dnscrypt-proxy and use an https://www.opennic.org/ server as resolver.

• If you're using Firefox you should probably set the same User Agent of the Tor Browser so you don't look different from others Tor users. Other add-ons suggested: No Resource URI Leak, Privacy Badger, uMatrix.

• Consider your phone as a Personal Tracking Device. Most smartphones have bad modem isolation and that means that the GSM network you're connected with has access to RAM, microphone, camera, storage ecc., completely bypassing any OS hardening. If you need it anyway flash it with a open-source ROM (like Lineage OS) and use F-Droid to avoid Google data mining.

I realize this is a question about a length of string, but how much do various data mining operations co-mingle? Are Google and the three letter agencies so closely in bed that any sniff one gets the other hears about? Or, as I suspect is more likely, are there enough holes that they don't need to be sharing, they all know what's going on anyway, across each others systems?

What level of separation are we talking for effective compartmentalization? Devices specific to that ID, easy enough, but what about services - is using the same paid vpn account across two lives akin to linking them?

Is it even worth trying to escape the botnet, so far as devices like smartphones cannot be, to my understanding, effectively de-fanged?

>>997
it's quite simple: faceboogle collects all data because they can, and TLAs fetch that data for surveillance because it's there.

>>1002
> faceboogle collects all data because they can
They do it because it's their business model.

There are technical solutions, but the best things you can do for privacy and anonymity is behavior-based. Practice OPSEC. If you're mixing social media, banking, and other identifying activities with the activity you want anonymized, all the privacy tools and open source software in the world won't prevent these from being correlated. It's super simple, no advanced technology needed:

- Avoid "free" (as in beer) services that are known to track users or who have an incentive to track you.
- Keep identifying activities to a minimum. Anything you have to log in to that can be linked to your real identity, should be compartmentalized.
- Use Tor Browser for all non-identifying activities. Frequently use the "new identity" feature or just restart the application.
- Use vanilla Firefox for any identifying activities, preferably on a separate machine.

>>514
what is wrong with tox should i stop using it ???

I've researched my digital footprint and to my horror found that some image I posted on /sci/ several years ago has my name in the filename. So now googling that form of my name plus one of my interests brings up the archived post on warosu.org. fuaarrrrkk

They have this seedy content removal service (notdmca.net) that doesn't even say how much they'll charge you up front. has anyone had to use this before?

What are some good VPN recommendations? At the moment, I've installed quite a few add-ons to Firefox and use TOR but I don't have any VPNs set up on my computer.

>>1387
Unironically Mullvad.

>>1387
Personally I have always liked AirVPN for day-to-day activities. But if you're wanting it for something more serious, CryptoStorm can be really great. If you do it correctly it can be a zero knowledge VPN. Meaning no DNS or usage information, no payment information, not even a username.

>>1389
wot this guy said.

Depending what I'm doing and what the threat model is I either choose CryptoStorm and pick my endpoint based on what jurisdiction I don't want to piss off or I choose Tor. I tend to prefer keeping a healthy amount of 'base line' traffic linked to my real world public IP. Conduct operations with a fixed start and end. Go back to lurking the net like a regular pleb afterwards. The longer an op lasts the bigger chance of fucking up. On a long enough graph everyones survival rate hits zero.

http://zsmith.co/Ubuntu.html

always remember that bubuntu is watching

I think something people should also understand is that there is nothing wrong with having a real life and non anonymous presence. What should be more important to you is creating an online presence which is anonymous. That means it never goes beyond Tor / VPN, and a virtual machine you dedicate to it. When you run like this, you have less of a chance to leak your information, and at this level you'll be mostly working on your speech and patterns. Always make your anonymous presence disposable as well.

>>514
> for better or worse XMPP+OTR is still our best bet.

I'm no security/cryptography expert, just wondering, how bad is it that SHA-1 is used in OTR? Is it something I should worry about?

This post is not entirely serious (in that boring sense people here like), but you don't _need_ to do anything listed in this thread if you simply don't identify with yourself.

>>1490
Honestly, no. A SHA1 collision is basically never going to happen, and the actual encryption itself is secure regardless.

>>1490
OMEMO is best than OTR.
You should use it :)

>>1502

Came here to post this, XMPP and OMEMO is the best thing that we currently have, but then that still doesn't protect you if the underlying system is compromised obviously. You should never take your phone or computer out of your sight.

>>514
re:xmpp+otr
Want to point out that OMEMO uses DRA which improves upon OTR's forward secrecy. It can also support asynchronous communication much more easily and doesn't have the tendency to go stale when RAM is purged. So it is another just-as-good option, if not better. (it's available in conversations btw)

re:search-engines
on duckduckgo. I have heard (but not evaluated) some not so good things about it. Summarized mainly in this article:
https://voat.co/v/technology/408069

would like to add that startpage is another good meta-search engine. You can use the web proxy to view websites that are blocking tor as an added bonus.

re:firefox
Mozilla lists the security related about:configs you discussed more in depth here, think there is a lot of room for opinion here though, especially around referral:
http://kb.mozillazine.org/Category:Security_and_privacy-related_preferences

re:firefox add-ons
might consider getting something like self-destructing cookies to take care of the zombie cookies & something like certificate control to inspect ssl certificates. With all these free ssl cert options anyone can take out certs for a site and some networks (i.e. airports) will spoof certs too.

Disabling webrtc /uninstalling all plugins (silverlight,flash,java)is good practice because of attack surface and storage options.

making web browsers private is near impossible though. This is an old series (2012) but a lot of the tricks used here are still relevant. At the very least all the storage areas are:
https://www.whitehatsec.com/blog/introducing-the-i-know-series/

re:VPNs
In this world of nits and malware injected vps's, 'anonymous vpn' is a very dangerous phrase. There is no such thing as an anonymous vpn. Worse, when you don't spin it up yourself there are very many unknowns, including whether the private key is the same for every user / easily guessable.
i.e. https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

A good VPN for protecting your traffic is one leading to your household or another trusted network which you have set up and can evaluate yourself.

However, when torrenting, no pursuing party is going to have the resources available to track you down if you use a 3rd party torrent that doesn't keep logs and allows alternative payments, so that is a decent use for these 'anonymous' VPN's.

>>1510
Would like to add that DRA does in some ways protect you if the underlying system is compromised

mainly through deniability. Any message in a conversation can technically be generated from both the sending and receiving side with OMEMO. Also through perfect forward secrecy and future secrecy to a lesser extent.

>>1502
OMEMO is certainly awesome. But it must be said that very few clients actually support it.

>run Tails in virtual machine
>duckduckgoy
>xkcd
>software password storage managers
>anonymous VPN
>without traffic logs
>VPN_providername
>change your User Agent to random string every 2 minutes while sitting on one IP and DOM profile, you are untraceable hacker now
>connect to this DNS_providername, i think eh pretty cool guys and are pro free speech and don't keep logs
>nothing to hide in "real life", don't be anonymous, pay your taxes and use faceberg to blend in with normal people, only do "shady things" in Tor
>if you re not as 1337 as me, you are a dumb zombie drone, no personality, no identity kiddo, he-he

what the schmeck is this thread, are you guys serious?

>>1518
a few of these are fair criticisms

others just seem to be you trying to hinder process and drag people down with pessimism.

also

>this whole post is one person

also

>you not contributing

>>1518

An issue that I have with people like you is that they treat everything as though it were all or nothing.

For me security is an ongoing process, you are never 'done' you are never 'secure' for real. It is important to keep leveling up, always realizing that the things you are doing will always have some flaw.

But allow people to be gradual. Literally something like going from google to startpage or ddg is a really good beginner choice. It isn't something that is actually that much more secure, but hey it is something that is making you think about what you are doing with your computer in a real way for once.

Allow people to grow, don't try to make them tackle all security recommendations at once.

>>1534
applauds

its basically impossible to go from being totally new to being even reasonably knowledgeable and adept at anything without some intermediate phase.

thats not just computer privacy, but anything. you'll probably mess up the first danish pastries you make, especially if before that all you know how to make is toast.

but after that, you can try again. you can try other things, get better, and eventually do the things that once seemed totally impossible, without really much effort at all.

we ought to help people learn, not chide people for not already knowing.

>>1534
>>1535
I think in the long term it goes towards not using any computers at all.

For me going this way, next step will probably getting rid of the Browser.

Wow. This thread has been surprisingly… childish. This is why I don't frequent arisuchan.
There's been a lot of dis/mis-information here, so I think it's important that it gets cleared up.

To respond to OP: Anonymity does NOT exist. Anyone who tells you otherwise is either a retard or is trying to jew you out of whatever """"""privacy""""" you have left.
I'll be back later to complain about more, but here's what I have for now:

Paid VPNs are garbage. You're paying for somebody to collect and consolidate your traffic.
>b-but it's in a different country/region/state that doesn't have internet rulez!1!11
Are you serious? Any data that passes through the US gets logged (read: metadata) by the NSA, if not outright captured and saved. Most traffic goes through the US anyways because of the speed of the fiber links. Somebody in Germany trying to talk to France might end up going through the UK (passing through GCHQ's stuff), the US, and then back to france.

Regardless of data paths, there is so much that could go wrong with a VPN provider that anyone who thinks it protects them from anything but the company or school firewall blocking their lolicon is deranged and should not be trusted.

Not to mention all the sattelite facilities outside the US operated by NSA or their buddies.

Firefox is cucked. It calls home every time you open the thing. (Hotspot detection)
Not to mention it's run by a bunch of SJW morons.

Tor is a meme. So many endpoints are run by various cooperating governments that you'd think they came up with the idea of onion routing themselves. Wait….

Goddamn it, this soykaf makes me angry. You cannot run from them. You cannot hide here.

Go off the grid if you don't want to be tracked.

Morons.

Part two of above.
That was what you can't do, here's what you can(or what has worked for me or people I know.)
Use public wifi. No VPNs, no nothing. Blend in to the crowd.
Use common user agent strings, but plugins that turn your browser in to a gatling gun of user agents are snake oil.
Don't do stupid soykaf online.
Use linux, or if you must use win32 apps, win7. Find keys and activators online for free. Pre-cracked images are compromised. Get your isos from microsoft.
Don't do stupid soykaf online.
I like PGP but quantum computers scare me. We have no idea if quantum computers can factorize primes any better than classical computers, but if they do, RSA is fucked.
Make sure you use https wherever you can. HTTPS Everywhere is nice.

Once again, if you're on the run from the Man, go offline.

>>1731
>might end up going through the UK, the US, and then back to france
That's a really fucked up routing optimization. It's called "Double/Triple VPN" and is most likely a placebo substitute for Tor. Most VPN providers don't route you through third parties and give you fastest route possible, because surprise-surprise, if you read their ToS closely, they are for "censorship circumvention", geoshifting, aka watching Netflix in Mozambique, sometimes even for getting better ping in games because again, routing optimization, but surely not not for "illlegal" activities such as IRC (lol), p2p downloads (even seeding Arch isos is not allowed), and the funny thing is, if your country has some sort of censorship, therefore circumventing it surely is illegal, and those VPN providers do cooperate with police and secret services for investigation purposes, if no, they'll be blocked in said countries.
And remember: if they say that they don't keep logs, they surely do.
>Hotspot detection
Captive portal detection, but Mozilla Firefox is free software and you have all freedoms to modify it for your needs.
>Not to mention it's run by a bunch of SJW morons.
Easy, pal. You are either a controlled SJW "opposition" or corporate-statist slave these days, nothing in between.
>>1732
>Use public wifi
And use directional antennas (Try buying one without getting on the list lol)
>No VPNs, no nothing. Blend in to the crowd.
If particular way of circumventing is popular in your region (i.e Tor, it is very popular worldwide), then do use it.
>plugins that turn your browser in to a gatling gun of user agents are snake oil
Good point, I'd better go with virtualization to emulate native browser on OS behavior for particular situations.
>Pre-cracked images are compromised. Get your isos from microsoft.
That's a nice oxymoron if I'd speak condescendingly, but that's a common knowledge. Never use hardware passthrough for VMs, if you need better performance, buy separate hardware.
>Don't do stupid soykaf online.
That's a very broad advise.
>I like PGP but quantum computers scare me. We have no idea if quantum computers can factorize primes any better than classical computers, but if they do, RSA is fucked.
Dude just like, use quantum key distribution, dude.
And there is always a One-Time Pad
>Make sure you use https wherever you can. HTTPS Everywhere is nice.
That's a real pleb statement, did you forget who wrote this extension? You don't trust RSA, but trust (((X.509))), lmao black man, what the fug
>go offline
Depriving yourself from information might turn out to be more dangerous than you think.

>>1733
> It's called "Double/Triple VPN" and is most likely a placebo substitute for Tor.

That data routing isn't a function of the VPN, it's a function of the Internet itself. Sorry if that wasn't clear. BGP routers move packets based on lowest link cost(latency), not geographical proximity.

>Captive portal detection
thanks for clarifying. That's what I meant.

>That's a nice oxymoron if I'd speak condescendingly, but that's a common knowledge.
Compromised in the sense that there isn't a skiddie out there remotely controlling your computer with Netbus or some other RAT that they preinstalled before uploading as a torrent.
As for alleged microsoft backdoors in their operating systems: if you are concerned about that, chances are you won't be downloading a win7 iso :)

>Depriving yourself from information might turn out to be more dangerous than you think.
What's more dangerous, "information withdrawal" (I think this is what you are hinting at) or the full force of the US government bearing down on you and your digital footprint?

>BGP routers move packets based on lowest link cost(latency), not geographical proximity
Aren't these two things usually the same? At least you can do a traceroute and find out what routers your traffic passes through.

>>1739
You can't always traceroute, as more and more people block icmp. more often than not the trace won't complete or will have many *'ed out entries. feelsbadman

>>511
I think the result of anonymity isn't as important as building good habits that protect your anonymity.

Using VPN, Tor, OTR etc. Building good habits as better chances from protecting you then software them self.

Is doing anything to increase your anonymity completely pointless if you live in the states where IPs legally sell all your traffic data? Asking because flat broke so cant afford VPN (for the moment).

>>1796

Are you ready to trade convenience for privacy? Yes, well you can reduce the amount of monitoring a lot.

VPN are really nice for downloading and hiding from the ISP, but it's not necessary.

>>1797
I have already cut out a lot of convenience. I use firefox with cyberpunked.org's recs as well as Umatrix and Privacy settings, but pretty sure Firefox will be as bad as chrome soon enough.

I do still use windows as my main OS because vidya and office :/

Would be interested in what you recommend that makes a VPN unnecessary.

>>1798

Firefox 57 and newer versions are so fast, Alice. Still, I'd never go back to using Chrome again even if Firefox was incredibly slow.

>>1798

I recommend Firefox ESR for Windows. Icecat for Gnu/Linux.

For the VPN it depend on what you intend to use it for.

>>1799
Even the previous version were "fast" compared to Chrome. And even if it wasn't… 1s difference seriously? What's the big deal? And 1s is already a big difference, which didn't always happen.

I don't understand this run about speed, as long as it's not a big difference I won't change my privacy for the GoogleBot.

Firefox 57 is just amazing. And it's not even the end, the Quantum project+Photon isn't done yet. The best part is coming around FF 60 with Stylo and the whole new Servo.

I'd move to Pale Moon before moving to Chrome. It may be slow, but at least it's better for privacy and customizable.

>>1800
Or people could just compile Icecat for windows, its not hard.

Waterfox is better than normal Firefox though, its removed the analytics.

>>1803

When someone is still using Windows I'm assuming their more hobbyist then techie.

Compiling is really intimidating for most people.

>>1802

You should look into Palemoon scandal that happen couple week ago.

>>1803
>>1804
hobbiest pushing towards career techie. I have a number of machines that dont run windows but my windows machine is by far my most used (school and games really, hate coding on windows).

Obviously I could do my own research but im interested in why: a) Icecat is worth compiling on windows, how that helps, and b) maybe a pointer on where to start so i can get over any intimidation.

>>1806

Is Icecat a web browser that you use already? If so does it give you everything out of the box without you having to manipulate the browser? If no then you stick with Firefox ESR

To get over the intimidation of new practices in technologie is to fuck up a bunch in my opinion. Read documentation about compiling for exemple get the necessary tools for you to do it then try. You're going to fuck up but at the same time you're also going to learn a lot.

I'm looking or a secure and lightweight linux distro. Something like void but that I can quickly setup both FDE and secure boot, preferably in the installer. Any ideas?

>>1805
which scandal? not him but I don't remember hearing anything

>>2014

I couple of month ago the devs of Palemoon refuse to permit a certain extension/addon on there web browser.

Ad neaume or something like that, it's extension that actively give false information to google to fuck with their algorithms and to prevent privacy and security issues. A more effective way to combat them in some sort.

The community went badsoykaf crazy because it means that they actively support what google is doing and is not trustworthy.

>>2023
Yeah, Adnauseum, I believe.

https://news.ycombinator.com/item?id=15112524

>>2067

Well couldn't ask for a better link fellow alice backing up my lazy ass i didn't want to search. Thanks.

>>2023
oh this, yeah I remember I thought there was something else more recent

>>2023
>>2067

Your average Adnauseam user :
https://rbt.asia/g/thread/62676695/#62676695

>>2132

Care to show some proof?

>>1733
You don't get on a list just for an antenna you self obsessed nigger glitterboy. Nobody gives a soykaf about your fatass.

>>3413
Not everyone lives in Land of the Free. In some countries ordering an action camera gets you on a list for possession of conceived surveillance equipment.

>>1731
Tor is designed to be resistant to malicious exits; the most pressing design flaw as of now is a tagging attack where colluding guards and exits can determine the circuit because of counter mode's malleability. We can fix this specifically by pivoting from counter mode or forcing the nonce to be a deterministic in some fashion; there is a proposal to do just that.

Beyond that, I very much doubt quantum hard key material will be introduced into the ntor handshake. SIDH could fit in the cell right now but there's significant performance issues. They're likely waiting for funding/the NIST process to finish, as it'd be preferable to use something based on lattices.

>>1732
We do know that a theorized quantum computer can factorize numbers faster than classical computers… https://en.wikipedia.org/wiki/Shor's_algorithm? The question is whether you can actually build a quantum computer with the amount of qubits/error correcting code needed.
( disclaimer: I only sort of know what I'm talking about. )

>>512
>run tails in virtual machine and use for all anonymous things

why not use qubes/whonix?

>>3417
Convenience, complexity, and system resources. Whatever the reason, Tails in a VM is not a great idea.