This post is a follow-up to my previous post about online security, “How to surf safe in today’s digital world?”, which I ended with a personal statement on Internet anonymity and some basic instructions on how to surf the web privately. In this post I will offer some more details on how to maintain your privacy in the intrusive digital world we find ourselves in today.
As I write these lines, thousands of people all over the world are protesting the NSA’s spying in the US and around the world. So I am writing this in support of the Stop Watching Us campaign, and in support of human rights in the offline and online world.
Firstly, I would like to emphasize the following: if you’re a human being, you have the right to privacy, even if you think or believe that you have nothing to hide. The Data Protection Commissioner tells you why this matters. Prof. Gavin Phillipson tells you and the BBC why it matters, and the PrivacyRights organisation tells you why it matters. Please take a few minutes of your time to read the information, inform yourselves, learn a lesson from history and understand the catastrophic consequences of mass digital and personal surveillance. Such unethical and unconstitutional actions as mass/personal surveillance cannot be allowed to continue, so please act! (And if you’re still debating the implications of these actions, please take a look around on eff.org or read this article on why privacy matters, or this one on why you should care, or this one on key takeaways.)
Before I start my tutorial, please review/follow my security post 1, security post 2 and Top 5 Myths of Safe Web Browsing (by Sophos). I can’t stress this enough: if you want digital privacy, you have to make sure you are using a secure Internet-enabled device! If your hardware and software environments are not secure, you will achieve the same level of anonymity online as in the attached photo above. 🙂
Without further ado, here are the high-level hops in any average day of browsing the Internet (in reverse order):
Webpage on webserver -> WAN -> Local network -> Your Internet device -> Your Browser -> YOU.
In summary, if an individual or an organisation wishes to monitor your digital life, they can do it at any of the connection points described in the EFF’s tutorial or by me above. This is how they may achieve it (presented at a high level and in reverse order):
- Through scripts of various kinds running on the webserver(s) hosting the website(s) you access through your browser. These scripts load automatically and identify you as an individual, not just your machine. This technique is called fingerprinting. Read more technical details here.
- The WAN can be monitored at ISP level, at DNS level and/or at the raw hardware level: fibre-optic tapping (which captures ALL digital communications, including telephone and VoIP).
- Your LAN hardware can have varying levels of (poor) security, and that level depends entirely on the hardware and software configuration. Since WiFi networks are the most common these days, here is a list of vulnerabilities.
- Your Internet-enabled devices (desktop or laptop PCs, Macs, tablets of all kinds, mobile phones, smartwatches, etc.) are the absolute weakest link. These devices run the software environment which in turn allows the browser to make queries over the Internet and display the content you want.
- The browser. This is where it all begins and where the cycle ends. Your browser’s security depends on many of the points above, but it also depends on its internal profile configuration. Your browser identifies you.
To achieve a reasonable level of anonymity, a user should at least consider securing the 3 points they have control over. These are:
- The Local Area Network (yes, incl WiFi)
- The Internet device (SW & HW)
- The Internet browser used.
In my previous security post I described the absolute minimum steps I would recommend for hardening a personal LAN and a computer running Windows (weak), OS X (better than Windows) or Linux (highly recommended). I also gave some tips on configuring Firefox and Chromium-based browsers for a better online experience. Now I will take this one step further and present 2 usability scenarios: A. Quick config for day-to-day Internet surfing and B. Quick config for advanced private comms.
Finally, please note this disclaimer: This tutorial is an FYI only. While it can be used in regions of the world affected by the Chilling Effect or by mass surveillance systems like PRISM, it doesn’t present the full details on how to achieve invisibility while connected to the Internet and you, the reader and/or user, take full responsibility for following any advice described in this post and for any consequences that may follow from your actions. My tutorial is FYI only. Regardless of how you choose to use this information, please obey the law in your country, please respect life and guide your actions by ethical standards. Thank you.
A. Quick configuration for D2D surfing
A1. Windows PC & Apple Macs
Windows machines are probably the least secure of all PCs connected to the Internet. The good news is that they are easy to configure for good security. Here’s how, in 3 easy steps:
1. First, back up all your user data to an external drive/cloud/secure media.
2. Format the Windows partition.
3. Install Linux and, if you really need Windows, put it in a virtual machine on Debian. Done. Not joking! 🙂
If the above suggestion is not feasible, then please secure your LAN and your Windows/Mac OS (basic instructions are provided in my other post), and when you’re comfortable that your LAN and your OS pass penetration security tests (e.g. tutorial, NetworkTools, SecurityTools, FW test, AuditmyPC or search4more), move on to:
2. Configure OpenVPN on your computer and test the VPN connection (response time matters more than bandwidth, as long as you have at least 1 Mbps). Connecting to Ireland, Switzerland or the Netherlands would be a good choice to start with.
3. Configure a profile on your software firewall that blocks all Internet traffic not going through the VPN. If the VPN connection drops (it happens), it is essential that your firewall stops you from reaching those secure Internet sources over your normal connection. Depending on the level of threat you may find yourself under in your country, this only needs to happen once to become a serious issue for you in real life.
4. Pair your VPN with a browser that you never use for social media, email or any other service that requires you to log in. JonDoFox is a good choice here.
- By “pairing” I mean: use that browser only after you have started your VPN, activated the firewall VPN profile and are safely connected to the VPN.
- This goes without saying, but I will write it anyway: if you want to maintain your privacy, do not log in to any website or service. From the moment you log in, you have lost your privacy for that session and on the server you connected to, and depending on your VPN service provider, you have lost it on your VPN account too.
5. Configure the DNS on your network card(s) to force the use of your VPN provider’s DNS. For everyday use, use OpenDNS with DNSCrypt, one of the servers from OpenNIC, an OpenDNS server listed by TechAthena here, or a DNS server listed by WikiLeaks under their /wiki/Alternative_DNS link.
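Steps 2 to 5 above fit together into one small script, which I add here as an example (it is not code from the original post or from any VPN provider): a firewall profile that only lets traffic out through the tunnel, pins DNS to the VPN provider’s resolver, and a launcher that refuses to start the private browser until the tunnel actually carries the default route. It assumes a Linux host with nftables, an OpenVPN tunnel on tun0 over the uplink eth0, a VPN endpoint at 203.0.113.10 UDP 1194 and a provider resolver at 10.8.0.1; all of those values are placeholders chosen for the example, as is the browser profile name.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a VPN "kill switch" firewall
# profile (steps 3 and 5) plus a browser launcher that only starts the private
# browser once the tunnel is really up (step 4, "pairing").
# All values below are assumptions chosen for the example:
#   - Linux host, nftables as the software firewall
#   - OpenVPN creates tun0, the physical uplink is eth0
#   - VPN endpoint 203.0.113.10 UDP 1194 (TEST-NET-3 address, constructed)
#   - the provider's resolver is 10.8.0.1 inside the tunnel (constructed)
set -u

VPN_IF="${VPN_IF:-tun0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"

# Print the nftables ruleset for the "VPN only" firewall profile.
# Outbound policy is drop, so when the tunnel disappears nothing silently
# falls back to the normal connection; DNS is pinned to the provider's
# resolver so queries cannot leak to the ISP resolver on the uplink.
gen_killswitch_ruleset() {
  cat <<EOF
table inet vpn_killswitch {
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # DHCP renewals on the uplink must keep working
    oifname "$UPLINK_IF" udp dport 67 accept
    # the only cleartext traffic allowed on the uplink is the tunnel itself
    oifname "$UPLINK_IF" ip daddr $VPN_SERVER $VPN_PROTO dport $VPN_PORT accept
    # DNS may only go to the VPN provider's resolver, and only via the tunnel
    udp dport 53 ip daddr != $VPN_DNS drop
    tcp dport 53 ip daddr != $VPN_DNS drop
    oifname "$VPN_IF" accept
    log prefix "vpn-killswitch drop: " drop
  }
}
EOF
}

# Return 0 only when the default route goes through the tunnel.
# Takes the text of `ip route show` as $1 so it can be checked offline.
# OpenVPN's "redirect-gateway def1" installs 0.0.0.0/1 and 128.0.0.0/1 via
# the tunnel instead of replacing "default", so both shapes are accepted.
vpn_route_ok() {
  local routes="$1"
  if printf '%s\n' "$routes" | grep -Eq "^default .*dev ${VPN_IF}( |\$)"; then
    return 0
  fi
  printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev ${VPN_IF}( |\$)" &&
    printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev ${VPN_IF}( |\$)"
}

# Return 0 when the kill-switch table is loaded (reading nft state needs root).
killswitch_loaded() {
  nft list table inet vpn_killswitch >/dev/null 2>&1
}

# Start the private browser only when both checks pass. The profile name is a
# placeholder; the post suggests JonDoFox, which is a Firefox profile.
launch_private_browser() {
  local browser="${1:-firefox}"
  local profile="${2:-private-vpn}"
  if ! vpn_route_ok "$(ip route show)"; then
    echo "refusing to start: default route is not via $VPN_IF" >&2
    return 1
  fi
  if ! killswitch_loaded; then
    echo "refusing to start: vpn_killswitch table is not loaded" >&2
    return 1
  fi
  "$browser" -P "$profile"
}

case "${1:-}" in
  rules)  gen_killswitch_ruleset ;;               # print the ruleset
  apply)  gen_killswitch_ruleset | nft -f - ;;    # load it (run as root)
  browse) launch_private_browser "${2:-firefox}" "${3:-private-vpn}" ;;
esac
```

Load the rules (`apply`) before starting OpenVPN: the ruleset already permits the handshake to the VPN endpoint, so the tunnel can come up with the kill switch in place. Because everything else on the uplink is dropped, the `remote` line in the OpenVPN config has to be an IP address rather than a hostname, otherwise the client cannot resolve it. Dropped packets are logged with the `vpn-killswitch drop:` prefix, which is the quickest way to see what tried to leave outside the tunnel after a disconnect.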
A2. Mobile devices (phones, tablets etc)
This should be a post of its own, considering the complexity involved in masking your identity while using your phone to surf the Internet. Therefore I am only describing the very high-level steps:
1. Try to use a pre-2003 GSM phone, e.g. a Nokia 3330 (but with a headset! OK, just kidding)
2. Try to use a smartphone with Android, Firefox OS or any other open-source OS.
3. If you choose an Android-powered device, you may want to root it to benefit from its full capabilities and to gain root (admin) rights on the OS. Check out XDA Developers for goodies. Please note that rooting voids the warranty in all cases, there are certain risks involved (including freezing your device), and if you choose to do this you do it on your own responsibility.
4. Configure the secure VPN service (mentioned above) on your device and connect to it.
5. Use secure apps for all comms. The Guardian Project is a good start.
A3. Tools & relevant info
- Search engines: StartPage.com (recommended) and Blippex
- Browsers tests: Panopticlick, SecuStudy, IP-check
- How To Anonymize and Encrypt Your BitTorrent Traffic
- Guardian’s guide to staying secure from surveillance
- Guardian’s guide to “What is Tor? A beginner’s guide to the privacy tool”
- Guardian’s “What the surveillance revelations mean for you“
- About.com’s 5 ways to stealth yourself online
- WikiHow’s How to be Online Anonymously
- Prism-Break.org (be selective)
- PewInternet’s Anonymity report (interesting statistics)
- The State Of IT Security [Infographic]
- Berkeley’s Web Architecture online course
- OpenSecurity Free Online training
- More resources on: The Internet 😀
B. Quick advanced config for private comms on Desktops, laptops, Macs
Same as above, this is a “quick config” description, only meant to give you a high-level view of the model you could use. The actual details are waiting to be found and tested 🙂
- Install VirtualBox or your favorite Virtualization software
- Download Whonix and load it in VirtualBox.
- Or else you may be more comfortable with Linux Mint (if you’re a pro, then BSD is probably for you :p)
- After you have loaded the VM image, regardless of OS, save snapshot 1.
- Get a VPN package from JonDonym, proxy.sh or Privacy.io, or from a Swiss or Irish SP.
- Set up the VPN package in your VM, or else set up Tor in your VM.
- When you’re done and you’re happy everything is ok, just take snapshot 2.
A VPN or Tor on its own will not provide anonymity. Your browser needs to be configured correctly!
- The easiest way to achieve this is by using a pre-configured OS like Whonix or a browser like the Tor Browser or JonDoFox (which can be used outside the VM as well, with Tor/VPN).
- Advanced: if for some reason you need extreme security, use a pre-paid mobile ISP (min. 3G) and put a secure VPS between your VM and the open Internet, e.g. PC-VM-VPN1-VPS-VPN2/Tor-Destination (your VM connects to the VPS through an encrypted VPN1 and then connects to the destination website/service through a 2nd encrypted VPN2 or a Tor account).
- Happy surfing!
- DO NOT login to any personal websites while using anonymous browsers or services.
- Do use a search engine and read more.
- Feel free to search more and read articles on online surveillance, PRISM, Snowden etc.
- Do obey the law!