Learning self-defense

lep
Offline
Joined: 07/31/2014

Hi guys,

Recently I've become really aware of all the risks to privacy (thus, to freedom) one is exposed to in today's digital world. Immediately I thought, there should be a way I can defend myself against these kinds of things? And then I found out about ethical hacking for security assessment.

So how can I start learning ethical hacking skills?

or

What sources of information can I go to, to start teaching myself? Do you know of any good website that I can rely upon?

All in all, how can I begin to learn digital kung-fu? Although I know that I won't ever be a Bruce Lee...

onpon4
Offline
Joined: 05/30/2012

You don't need to be a hacker to defend yourself from surveillance. You just need to change some of your practices.

For protecting your anonymity when browsing the Web, the best tool is Tor, and the easiest way to get that working properly is to use the Tor Browser Bundle. To use Tor with software other than Web browsers (such as an email client or a feed reader), you will want Tails. If you use Tor correctly, no one will be able to find out who you are.

To prevent parties other than intended recipients from listening in on what you're saying, you want to use end-to-end encryption. This one requires cooperation with whoever you're communicating with, but it's not difficult. What type of encryption you use depends on the communication, but for encrypting emails, the best tool is GnuPG. See:

https://emailselfdefense.fsf.org

GnuPG is also what you would likely use to encrypt files before entrusting them to someone else's server, e.g. as a backup.

lembas
Offline
Joined: 05/13/2010

Hey lep! I think that's a very worthy goal. Here are a few new nuggets to think about:

On browser hygiene
https://en.wikipedia.org/wiki/Evercookie
https://en.wikipedia.org/wiki/Device_fingerprint

On hardware backdoors
https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html#Brossard

RedViper
Offline
Joined: 08/29/2014

There is Tails. It's a live distro used by Edward Snowden. I installed it on a USB key; you can bring it with you and use it on every computer you want (if it has the USB option on boot).

The system comes with Tor by default so it is well anonymized.

You only have to be careful with the accounts that you open and with the information you share on them.

https://tails.boum.org/

jxself
Offline
Joined: 09/13/2010

TAILS is a non-free distro. Binary blobs, for example, which seems odd given the nature of the distro. Please don't recommend non-free distros here.

muhammed
Offline
Joined: 04/13/2013

proprietary software in a security-oriented distribution ... how bizarre

bitbit
Offline
Joined: 10/29/2012

That was my reaction at first glance, but if there are no proprietary drivers, very few people are able to use it.

quantumgravity
Offline
Joined: 04/22/2013

The goal was to create a trustworthy, privacy-respecting GNU/Linux distribution.
Without proprietary blobs, few people would have been able to use it, no doubt about that.
With proprietary blobs, _no one_ is able to use it, since privacy is completely terminated.

I can't believe that they made this decision; really, that's the stupidest thing I've heard of in a long time. What were they thinking?
Like "our goal is to make the first delicious non-alcoholic beer. But not so many people will drink it if it's without alcohol, so let's take the whiskey bottle and add some - yay! We're so smart!"

That's almost criminal. They're pretending to offer a privacy respecting system and people rely on it.

bitbit
Offline
Joined: 10/29/2012

Snowden used Tails and talked about Tails.

quantumgravity
Offline
Joined: 04/22/2013

So what?
Sure a lot of people talk about it and use it.

Don't get me wrong, I really respect what he did for society. It was a great contribution!
But I've seen several interviews with him, and did he mention free software even once?
No, he didn't. He talked about all kind of things and presented himself as some kind of guru, but the most important point was left out.
He had the chance of conveying the message "Anti NSA = Pro Free Software", a conclusion almost nobody in the digital world has made so far.
The whole world was listening to him, but he wasted this opportunity, and this is why people still don't know about free software and instead talk about shit like proprietary encryption software or stuff like that.
Why would I care what this guy says about tails?

bitbit
Offline
Joined: 10/29/2012

If you don't care, a lot of people care about what he has to say about security...

The facts are there: he didn't use Trisquel nor Windows... he might not be an advocate of free software.

bitbit
Offline
Joined: 10/29/2012

quantumgravity, thinking about it, you're right: without free software I don't think there could be security, and Snowden missed a great opportunity like you said. My first glance was the good one.

GNUser
Offline
Joined: 07/17/2013

I think we should give Snowden a break here... Just as we understand when a guy has to use non-free software at work to keep his job (no matter the "work at a factory" speech), we could argue that "Snowden had to use a distro not endorsed by the FSF to save his life". I mean, sure he could have talked more about free software and such, but for a guy in his position... it was really a simple choice: if he had used a non-specialized distro (unlike TAILS, which is built for a single purpose) he would have gotten caught. As such, I understand his choice. As for free software... He worked for the NSA, he knows that being "free software" doesn't mean that it's safe or private. They infiltrate a lot of free software projects, so he probably knows how deep the shit goes.
On another note, I think he mentioned free software in a speech I heard from him the other day... The fact that he is so cautious about it probably has to do with the fact that he knows what the NSA did to many free software projects.
Trisquel couldn't be a right choice for a whistleblower because it is built around different purposes. He needed to stay alive, he used TAILS, if he had used Debian or Trisquel he probably would be dead, I don't see anything wrong with his choice. And anyway, many people from Tor Project (Jacob and Roger for example) always mention that "free software for freedom" is the way to go. So bringing people to TAILS and Tor actually brings free software to the table. Hopefully.

salparadise
Offline
Joined: 09/08/2013
GNUser
Offline
Joined: 07/17/2013

I'm sorry, but I believe that must not be correct. According to https://tails.boum.org/doc/about/license/index.en.html
all their software is free software, and IIRC they even got rid of TrueCrypt some time ago (because of the issues with it).
Also, since this is based on Debian main distro, I believe there would be no blobs (since Debian removes those from the kernel). I might be wrong in this one, maybe TAILS puts them back in, but I don't see any indication of that anywhere (please provide a source if you can).
With all this in mind, I would consider TAILS a free distro (at least as free as Debian itself, which is another debate) and the BEST tool to use in terms of OpSec. Actually, it is a good example to follow if you want to learn self-defense. For example, some of the software they use (MAT, KeePassX, etc.) is available in the repositories and you should use it! :)

I am right now in the process of trying to convert Debian (native Debian, not any rebranded distro) into a more secure and privacy-oriented system. I have decided that using Tor is not enough, so I started by taking a look at TAILS and Whonix to get some ideas. I have also started to work with grsecurity and AppArmor for improved security. The mempo project is also a good place to get some ideas. All in all, there are many little things you can and should do to improve your security online, without having to become a cracker (you have to be a hacker however to do this kind of thing, which means you have to think creatively and try to come up with new fun ways of doing things). There are also some good talks from GNU Hackers Meetings, Defcon and HOPE that you could watch to learn the basics. I could provide some links if you want :)

andrew
Offline
Joined: 04/19/2012

gnuser wrote:
> I'm sorry, but I believe that must not be correct. According to
> https://tails.boum.org/doc/about/license/index.en.html all their
> software is free software, and IIRC they even got rid of TrueCrypt
> some time ago (because of the issues with it). Also, since this is
> based on Debian main distro, I believe there would be no blobs (since
> Debian removes those from the kernel). I might be wrong in this one,
> maybe TAILS puts them back in, but I don't see any indication of that
> anywhere (please provide a source if you can).

I asked on their IRC a while back and was told that proprietary firmware
is shipped by default so that Tails will work on more hardware.

I don't have any link to share though, sorry!

Andrew.

jxself
Offline
Joined: 09/13/2010

Precisely - Too many apply the logic that 'It is a variant of the Debian GNU/Linux distro so it *must* be equally free.' This is not a good place to start from and results in people reaching the wrong conclusion.

libredrs
Offline
Joined: 01/29/2012

Read the response to comment 7:
https://tails.boum.org/forum/GNU_Award_for_Projects_of_Social_Benefit/

Interesting that TAILS won an FSF award despite the fact that it includes proprietary firmware - i.e., it's not free.

blancorasa riseup
Offline
Joined: 07/03/2014

On Sat, 2014-08-30 at 03:35 +0200, name at domain wrote:
> read the response to comment 7:
> https://tails.boum.org/forum/GNU_Award_for_Projects_of_Social_Benefit/
>
> Interesting that TAILS won an FSF award despite the fact that it includes
> proprietary firmware - i.e., it's not free.

Correct me if I'm wrong but the link goes to a forum where someone asks
if TAILS is Free Software and whether it can apply as a candidate for
Award for Projects of Social Benefit by the FSF.

Do you have the link where TAILS won the award?

libredrs
Offline
Joined: 01/29/2012

My mistake (did not read it carefully). You are correct.

I used tails for a while until I stumbled upon that exchange. Since it's not free, it's NFG.

GNUser
Offline
Joined: 07/17/2013

Sorry for a dumb question, but what does "NFG" mean?

libredrs
Offline
Joined: 01/29/2012

No eFfin' Good

:)

lembas
Offline
Joined: 05/13/2010

No it didn't win. And in fact the forum thread says that "Tails does ship with proprietary firmwares."

GNUser
Offline
Joined: 07/17/2013

I remember reading in the FSF webpage that between Linux distros and BSD distros there is a difference in the way they use the word "blob". Could it be the case here, as in, they don't use proprietary drivers per se, but use some kind of firmware (I mean as in accessing some closed software already present in the hardware which would normally be replaced with the use of free alternative in the OS itself)?
I am just asking because I find it weird that they use closed-source software, although it could be the case that the source is available under a non-free license (which, while making it non-free software, would still result in the software not being dangerous, as the source could be verified).
I am however ready to admit defeat if it is proven that they use non-free closed source software in the distro itself :)

Legimet
Offline
Joined: 12/10/2013

They include non-free firmware. Firmware is run on the peripheral itself, unlike a driver. Most firmware, with a few exceptions, has no source available and is non-free.

davidnotcoulthard

The BSD community's (I guess) view is that since the firmware blobs run on the devices (rather than "the computer itself") it doesn't matter.

The FSF's is that since it's present on editable storage media (e.g. the HDD), it matters.

GNUser
Offline
Joined: 07/17/2013

Ok, so, TAILS doesn't ship non-free/closed-source drivers, but it has non-free/closed-source firmware, is that correct?
From a "freedom perspective" that's bad, but from a security one, is that dangerous, as in, can firmware affect the user's privacy somehow? I would say that a keyboard's firmware could be dangerous (maybe logging your keystrokes and sending them somewhere over the internet) but is it true for any firmware? Or is it simply a matter of freedom, not so much of security?
Thanks for the explanation.

Legimet
Offline
Joined: 12/10/2013

A keyboard doesn't have firmware loaded by a Linux driver. If it has any, it's probably stored on the device itself. Firmware loaded by the Linux kernel is mostly for wifi and graphics (radeon) but also for some ethernet cards.

Since Tails uses the Debian kernel, all the blobs are external ones (not embedded in driver source code) and you can easily remove them (or replace with free ones). Of course, this won't make it FSF-endorsable, but it's still easy to remove the nonfree stuff if you want to use it. (The Debian kernel also "suggests" installing these blobs in the logs, which is another reason why the FSF won't endorse it)

jxself
Offline
Joined: 09/13/2010

You should go read up on BadUSB to find some answers to those very questions. :)

A USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. What might those commands be and how might they affect your privacy? Just let your imagination go for a walk...

All the more reason that all software - everywhere and in all forms - should be free.

Kromaz
Offline
Joined: 06/07/2014

Thanks for sharing this info on BadUSB jxself. Is there a site you'd recommend to learn more about this BadUSB?

andrew
Offline
Joined: 04/19/2012

gnuser wrote:
> I would say that a keyboard's firmware could be dangerous (maybe
> logging your keystrokes and sending it somewhere over the internet)
> but is it true for any firmware? Or is a matter simply of freedom,
> not so much of security?

Also, Intel's proprietary Wi-Fi firmware stops a user from being able to
change their MAC address:

http://www.intel.com/support/wireless/wlan/sb/CS-031081.htm

> The Media Access Control (MAC) address is hard-coded on Intel
> wireless adapters and cannot be changed.
>
> Some third-party software applications can "spoof" a MAC address to a
> different address, but for security reasons, Intel does not support
> this practice.
>
> Beginning with 12.x wireless driver package, the possibility of
> "spoofing" the MAC address was blocked to prevent this practice.

Andrew.

andrew
Offline
Joined: 04/19/2012

> Also, Intel's proprietary Wi-Fi firmware stops a user from being able
> to change their MAC address

Er, maybe driver actually, I'm not too sure. The GNU/Linux drivers for
Intel Wi-Fi cards are apparently free but the firmware is not:

https://wiki.debian.org/iwlwifi

The quote from Intel that it is the "driver package" that blocks
changing of MAC address is possibly ambiguous.

Andrew.

GNUser
Offline
Joined: 07/17/2013

These are unknown waters for me. One question: if a device (keyboard or wifi card or webcam) has software (firmware) written inside of it to be able to work, but that firmware doesn't talk to the OS (only the driver makes the connection between computer and device, OS and device), then should we be ok using it without thinking about "freedom issues"? I am asking because I don't get the "free firmware" issue; since firmware runs inside the device, it cannot be changed to install a free alternative, correct?

GNUser
Offline
Joined: 07/17/2013

Well, I think we scared Lep away :P Maybe we diverted from the original thread subject.

I think one good place for you to start would be reading the documentation on BackTrack Linux. I am not suggesting you use the distro (which is probably non-free) but just read the documentation; they have a lot of tutorials and such that might be useful. Also, many of the programs they use are free (search for them in the repos) so you can use them in Trisquel. I believe they have now moved to a new project called Kali Linux, so check them both. They also have a forum that might be useful for you to ask questions and read others' questions.

lep
Offline
Joined: 07/31/2014

Hi guys. I'm back...

I've read all your posts and at first I was really surprised, especially after reading...

http://www.cryptogon.com/?p=624

from salparadise and viewing the links that lembas provided.

As for the TAILS conversation, it is not very clear to me whether it is safe to use because of the presence of non-prop. software. But the thing is, I've tried it and it can be cumbersome for productive work.

Thanks to GNUser for the tips. If you have any interesting link you could provide, I would like to check it out!

Any other ideas on how to learn self-defense?
or
Any further interesting ideas to discuss here?

GustavoCM
Offline
Joined: 11/20/2012

> Any other ideas on how to learn self-defense?

Hm...

• EFF website: https://www.eff.org/ , especially https://www.eff.org/issues/privacy and EFF's Surveillance Self-Defense project: https://ssd.eff.org/

The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.

• DuckDuckGo's instructions at http://fixtracking.com/ (beware of some non-100%-FaiF recommended software)

How to stop getting tracked in your browser.

GNUser
Offline
Joined: 07/17/2013

You know, Google is not your friend... but DuckDuckGo and Startpage are!

http://www.kali.org/
http://www.backtrack-linux.org/

Read the documentation and you will find most software is actually in the repos. You can install it in Trisquel and use it. Same goes for TAILS: you don't need to install the distro (even if I maintain that it's good at doing what it does); you can simply install stuff like secure-delete and seahorse, etc. You can already take some steps towards security.

lembas
Offline
Joined: 05/13/2010

Let's not link non-free stuff, mmk?

GNUser
Offline
Joined: 07/17/2013

As you can read in one comment I made above, I was only suggesting to read the documentation, in order to use the FREE SOFTWARE that is used in those distros. Most of it you can get in the repos. I also said NOT to use the distros because they are non-free. So, it's not like I am linking to non-free. I am linking to DOCUMENTATION, asked for by another user, to use FREE SOFTWARE to enhance PRIVACY and SECURITY, again using FREE SOFTWARE.

People link to Ubuntu pages a lot of the time, and that is a non-issue. Why should this be any different? And yes, I gave my opinion (just that) that TAILS is the best option for remaining anonymous online. I admit it is not as free as I thought (the firmware issue) but I am mentioning the anonymity level it achieves. Nothing more :)

Hope I helped :)

Magic Banana
Offline
Joined: 07/24/2010

You should then have linked to http://www.kali.org/official-documentation/

alimiracle
Offline
Joined: 01/18/2014

Btw, we CAN rebuild a Tails image:
https://tails.boum.org/contribute/build/

lep
Offline
Joined: 07/31/2014

Hi guys,

Regarding self-defense, I've just found out about SELinux.

Can anyone explain to me what it is about,
how it works, and
how it helps to enforce security on a GNU/Linux system?

What are the main pros & cons?
Is it worth configuring my GNU/Linux with SELinux?

Furthermore, has anyone tried it before?

I know many of the answers to the above questions can be found in the documentation, but it is somewhat technical for me to grasp a good understanding.

Thank you guys!

lep

leny2010
Offline
Joined: 09/15/2011

Trisquel uses AppArmor which is an easier to configure alternative to
SELinux. E.g. last time I looked in Toutatis the supplied Samba and
CUPS are running under AppArmor profiles to help protect against
zero day attacks. I suggest you learn this instead (Search the web).

salparadise
Offline
Joined: 09/08/2013

SELinux was developed by the NSA and as such attracts some suspicion. However, it was open sourced and released under the GPL in the year 2000.
It can be a major PITA.
For example, if you're going to install a parallel distro/OS then disable SELinux first or the next time you try to boot it will want to run long-winded checks. Disabling it is as easy as changing 'enabled' to 'disabled' in the appropriate conf file.

lembas
Offline
Joined: 05/13/2010

Wikipedia is your friend here. Read about SELinux, MAC (mandatory access control), DAC (discretionary access control), AppArmor and other implementations.

Basically it's a system to try and limit the capabilities of users and programs to the smallest subset they need.

These things get very complex very fast. However that's not to say impossible, if you don't mind doing a lot of reading you can do it.

And whether it is worth it is another thing. :) Of course in the industry and other places where highest security is required these systems are (supposedly) used.
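What lembas describes (limiting a program to the smallest subset of what it needs) and what leny2010 mentions (Samba and CUPS running under AppArmor profiles in Trisquel) looks like this in practice. The profile below is an added example, not from this thread and not one of the profiles Trisquel or Debian ship; the daemon path /usr/local/bin/example-daemon and its config, log and state directories are hypothetical.

```apparmor
# Added example AppArmor profile for a hypothetical daemon (not shipped by
# Trisquel or Debian). With AppArmor, anything not listed is denied once
# the profile is in enforce mode, so every line is a deliberate grant.
#include <tunables/global>

/usr/local/bin/example-daemon {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The daemon's own executable, mapped read-only
  /usr/local/bin/example-daemon mr,

  # The single Linux capability it needs: binding a port below 1024
  capability net_bind_service,

  # TCP sockets only; no raw or packet sockets
  network inet stream,
  network inet6 stream,

  # Read its own configuration and nothing else under /etc
  /etc/example-daemon/ r,
  /etc/example-daemon/** r,

  # Append-only logging: a compromised process cannot rewrite its own log
  /var/log/example-daemon/ r,
  /var/log/example-daemon/*.log a,

  # State directory, restricted to files the daemon's own user owns
  owner /var/lib/example-daemon/ r,
  owner /var/lib/example-daemon/** rw,

  # Explicit, audited denials. 'deny' takes precedence over any allow rule
  # pulled in by the abstractions above, and 'audit' makes every blocked
  # attempt show up in the kernel log, which is what you want to alert on.
  audit deny /home/** rwkl,
  audit deny /root/** rwkl,
  audit deny /etc/shadow r,
  audit deny /etc/ssh/** rw,
}
```

Install it as /etc/apparmor.d/usr.local.bin.example-daemon and load it with apparmor_parser -r; aa-complain lets you log violations instead of blocking them while you are still discovering what the program really needs.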

salparadise
Offline
Joined: 09/08/2013

http://danwalsh.livejournal.com/71122.html

Interesting blog about how SELinux, if enforced, would protect data from being read and files written to as a result of the current BASH exploit.

islander
Offline
Joined: 05/27/2013

Become acquainted with The Jargon
http://www.catb.org/jargon/html/

Embrace The Hacker's Code
http://muq.org/~cynbe/hackers-code.html

Delve into the solutions...
Network Forensics Evasion: How to Exit the Matrix
http://billstclair.com/matrix/index.html

Live Free & Do Good Things!