Learning self-defense
Hi guys,
Recently I've been really aware of all the risks to privacy (and thus to freedom) one is exposed to in today's digital world. Immediately I thought, there should be a way I can defend myself against these kinds of things? And then I found out about ethical hacking for security assessment.
So how can I start learning ethical hacking skills?
or
What sources of information can I go to, to start teaching myself? Do you know of any good website that I can rely upon?
All in all, how can I begin to learn digital kung-fu? Although I know that I won't ever be a Bruce Lee...
You don't need to be a hacker to defend yourself from surveillance. You just need to change some of your practices.
For protecting your anonymity when browsing the Web, the best tool is Tor, and the easiest way to get that working properly is to use the Tor Browser Bundle. To use Tor with software other than Web browsers (such as an email client or a feed reader), you will want Tails. If you use Tor correctly, no one will be able to find out who you are.
To prevent parties other than intended recipients from listening in on what you're saying, you want to use end-to-end encryption. This one requires cooperation with whoever you're communicating with, but it's not difficult. What type of encryption you use depends on the communication, but for encrypting emails, the best tool is GnuPG. See:
https://emailselfdefense.fsf.org
GnuPG is also what you would likely use to encrypt files before entrusting them to someone else's server e.g. as a backup.
Hey lep! I think that's a very worthy goal. Here are a few nuggets to think about.
On browser hygiene
https://en.wikipedia.org/wiki/Evercookie
https://en.wikipedia.org/wiki/Device_fingerprint
On hardware backdoors
https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html#Brossard
There is Tails. It's a live distro used by Edward Snowden. I installed it on a USB key; you can bring it with you and use it on every computer you want (if it has the USB option on boot).
The system comes with Tor by default so it is well anonymized.
You must only be careful with the accounts that you open and with the information you share on them.
TAILS is a non-free distro. Binary blobs, for example, which seems odd given the nature of the distro. Please don't recommend non-free distros here.
proprietary software in a security-oriented distribution ... how bizarre
That was my reaction at first glance, but if there are no proprietary drivers, very few people are able to use it.
The goal was to create a trustworthy, privacy respecting gnu-linux distribution.
Without proprietary blobs, few people would have been able to use it, no doubt about that.
With proprietary blobs, _no one_ is able to use it, since privacy is completely terminated.
I can't believe that they made this decision; really, that's the stupidest thing I heard of for a long time. What were they thinking?
Like "our goal is to make the first delicious non-alcoholic beer. But not so many people will drink it if it's without alcohol, so let's take the whiskey bottle and add some - yay! We're so smart!"
That's almost criminal. They're pretending to offer a privacy respecting system and people rely on it.
Snowden used Tails and talks about Tails.
So what?
Sure a lot of people talk about it and use it.
Don't get me wrong, I really respect what he did for society. It was a great contribution!
But I've seen several interviews with him, and did he mention free software even once?
No, he didn't. He talked about all kind of things and presented himself as some kind of guru, but the most important point was left out.
He had the chance of conveying the message "Anti NSA = Pro Free Software", a conclusion almost nobody in the digital world has made so far.
The whole world was listening to him, but he wasted this opportunity, and this is why people still don't know about free software and instead talk about shit like proprietary encryption software or stuff like that.
Why would I care what this guy says about tails?
If you don't care, a lot of people care about what he has to say about security....
The facts are there: he didn't use Trisquel nor Windows... he might not be an advocate of free software.
quantumgraviry, thinking about it, you're right: without free software I don't think there could be security, and Snowden missed a great opportunity like you said. My first glance was the good one.
I think we should give Snowden a break here... Just as we understand when a guy has to use non-free software at work to keep his job (no matter the "work at a factory" speech), we could argue that "Snowden had to use a distro not endorsed by the FSF to save his life". I mean, sure he could have talked more about free software and such, but for a guy in his position... it was really a simple choice: if he had used a non-specialized distro (unlike TAILS, which is built for a single purpose) he would have gotten caught. As such, I understand his choice. As for free software... He worked for the NSA, he knows that being "free software" doesn't mean that it's safe or private. They infiltrate a lot of free software projects, so he probably knows how deep the shit goes.
On another note, I think he mentioned free software on a speech I heard of him the other day... The fact that he is so cautious about it probably deals with the fact that he knows what the NSA did to many free software projects.
Trisquel couldn't be a right choice for a whistleblower because it is built around different purposes. He needed to stay alive, he used TAILS, if he had used Debian or Trisquel he probably would be dead, I don't see anything wrong with his choice. And anyway, many people from Tor Project (Jacob and Roger for example) always mention that "free software for freedom" is the way to go. So bringing people to TAILS and Tor actually brings free software to the table. Hopefully.
I'm sorry, but I believe that must not be correct. According to https://tails.boum.org/doc/about/license/index.en.html
all their software is free software, and IIRC they even got rid of TrueCrypt some time ago (because of the issues with it).
Also, since this is based on Debian main distro, I believe there would be no blobs (since Debian removes those from the kernel). I might be wrong in this one, maybe TAILS puts them back in, but I don't see any indication of that anywhere (please provide a source if you can).
With all this in mind, I would consider TAILS a free distro (at least as free as Debian itself, which is another debate) and the BEST tool to use in terms of OpSec. Actually, it is a good example to follow if you want to learn self-defense. For example, some of the software they use (MAT, KeePassX, etc.) is available in the repositories and you should use it! :)
I am right now in the process of trying to convert Debian (native Debian, not any rebranded distro) into a more secure and privacy-oriented system. I have decided that using Tor is not enough, so I started by taking a look at TAILS and Whonix to get some ideas. I have also started to work with grsecurity and AppArmor for improved security. The mempo project is also a good place to get some ideas. All in all, there are many little things you can and should do to improve your security online, without having to become a cracker (you have to be a hacker however to do this kind of thing, which means you have to think creatively and try to come up with new fun ways of doing things). There are also some good talks from GNU hackers meetings, Defcon and HOPE talks, that you could watch to learn the basics. I could provide some links if you want :)
gnuser wrote:
> I'm sorry, but I believe that must not be correct. According to
> https://tails.boum.org/doc/about/license/index.en.html all their
> software is free software, and IIRC they even got rid of TrueCrypt
> some time ago (because of the issues with it). Also, since this is
> based on Debian main distro, I believe there would be no blobs (since
> Debian removes those from the kernel). I might be wrong in this one,
> maybe TAILS puts them back in, but I don't see any indication of that
> anywhere (please provide a source if you can).
I asked on their IRC a while back and was told that proprietary firmware
is shipped by default so that Tails will work on more hardware.
I don't have any link to share though, sorry!
Andrew.
Precisely - Too many apply the logic that 'It is a variant of the Debian GNU/Linux distro so it *must* be equally free.' This is not a good place to start from and results in people reaching the wrong conclusion.
Read the response to comment 7:
https://tails.boum.org/forum/GNU_Award_for_Projects_of_Social_Benefit/
Interesting that TAILS won an FSF award despite the fact that it includes proprietary firmware - i.e., it's not free.
On Sat, 2014-08-30 at 03:35 +0200, name at domain wrote:
> read the response to comment 7:
> https://tails.boum.org/forum/GNU_Award_for_Projects_of_Social_Benefit/
>
> Interesting that TAILS won an FSF award despite the fact that it includes
> proprietary firmware - i.e., it's not free.
Correct me if I'm wrong but the link goes to a forum where someone asks
if TAILS is Free Software and whether it can apply as a candidate for
Award for Projects of Social Benefit by the FSF.
Do you have the link where TAILS won the award?
My mistake (did not read it carefully). You are correct.
I used tails for a while until I stumbled upon that exchange. Since it's not free, it's NFG.
No it didn't win. And in fact the forum thread says that "Tails does ship with proprietary firmwares."
I remember reading in the FSF webpage that between Linux distros and BSD distros there is a difference in the way they use the word "blob". Could it be the case here, as in, they don't use proprietary drivers per se, but use some kind of firmware (I mean as in accessing some closed software already present in the hardware which would normally be replaced with the use of free alternative in the OS itself)?
I am just asking because I find it weird that they use closed-source software, although it could be the case that the source is available under a non-free license (which, while making it non-free software, would still result in the software not being dangerous, as the source could be verified).
I am however ready to admit defeat if it is proven that they use non-free closed source software in the distro itself :)
They include non-free firmware. Firmware is run on the peripheral itself, unlike a driver. Most firmware, except a few, has no source available and is non-free.
The BSD community's (I guess) view is that since the firmware blobs run on the devices (rather than "the computer itself") it doesn't matter.
The FSF's is that since it's present on editable storage media (e.g. the HDD), it matters.
Ok, so, TAILS doesn't ship non-free/closed-source drivers, but it has non-free/closed-source firmware, is that correct?
From a "freedom perspective" that's bad, but from a security one, is that dangerous, as in, can firmware affect the user's privacy somehow? I would say that a keyboard's firmware could be dangerous (maybe logging your keystrokes and sending them somewhere over the internet) but is it true for any firmware? Or is it simply a matter of freedom, not so much of security?
Thanks for the explanation.
A keyboard doesn't have firmware loaded by a Linux driver. If it has any, it's probably stored on the device itself. Firmware loaded by the Linux kernel is mostly for wifi and graphics (radeon) but also for some ethernet cards.
Since Tails uses the Debian kernel, all the blobs are external ones (not embedded in driver source code) and you can easily remove them (or replace with free ones). Of course, this won't make it FSF-endorsable, but it's still easy to remove the nonfree stuff if you want to use it. (The Debian kernel also "suggests" installing these blobs in the logs, which is another reason why the FSF won't endorse it)
You should go read up on BadUSB to find some answers to those very questions. :)
A USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. What might those commands be and how might they affect your privacy? Just let your imagination go for a walk...
All the more reason that all software - everywhere and in all forms - should be free.
Thanks for sharing this info on BadUSB jxself. Is there a site you'd recommend to learn more about this BadUSB?
gnuser wrote:
> I would say that a keyboard's firmware could be dangerous (maybe
> logging your keystrokes and sending it somewhere over the internet)
> but is it true for any firmware? Or is a matter simply of freedom,
> not so much of security?
Also, Intel's proprietary Wi-Fi firmware stops a user from being able to
change their MAC address:
http://www.intel.com/support/wireless/wlan/sb/CS-031081.htm
> The Media Access Control (MAC) address is hard-coded on Intel
> wireless adapters and cannot be changed.
>
> Some third-party software applications can "spoof" a MAC address to a
> different address, but for security reasons, Intel does not support
> this practice.
>
> Beginning with 12.x wireless driver package, the possibility of
> "spoofing" the MAC address was blocked to prevent this practice.
Andrew.
> Also, Intel's proprietary Wi-Fi firmware stops a user from being able
> to change their MAC address
Er, maybe driver actually, I'm not too sure. The GNU/Linux drivers for
Intel Wi-Fi cards are apparently free but the firmware is not:
https://wiki.debian.org/iwlwifi
The quote from Intel that it is the "driver package" that blocks
changing of MAC address is possibly ambiguous.
Andrew.
These are unknown waters for me. One question: if a device (keyboard or wifi card or webcam) has software (firmware) written inside of it to be able to work, but that firmware doesn't talk to the OS (only the driver makes the connection between computer and device, OS and device), then we should be ok using it without thinking about "freedom issues"? I am asking as I don't get the "free firmware" issue; since firmware runs inside the device it cannot be changed to install a free alternative, correct?
Well, I think we scared Lep away :P Maybe we diverted from the original thread subject.
I think one good place for you to start would be reading the documentation on BackTrack Linux. I am not suggesting you use the distro (which is probably non-free) but just read the documentation; they have a lot of tutorials and such that might be useful. Also, many of the programs they use are free (search for them in the repos) so you can use them in Trisquel. I believe they have now moved to a new project called Kali Linux, so check them both. They also have a forum that might be useful for you to ask questions and read others' questions.
Hi guys. I'm back...
I've read all your posts and at first I was really surprised, especially after reading...
http://www.cryptogon.com/?p=624
from salparadise and viewing the links that lembas provided.
As for the TAILS conversation, it is not very clear to me whether it is safe to use because of the presence of non-prop. software. But the thing is, I've tried it and it can be cumbersome for productive work.
Thanks to GNUser for the tips. If you have any interesting link you could provide, I would like to check it out!
Any other ideas on how to learn self-defense?
or
Any further interesting ideas to discuss here?
Any other ideas on how to learn self-defense?
Hm...
• EFF website: https://www.eff.org/ , especially https://www.eff.org/issues/privacy and EFF's Surveillance Self-Defense project: https://ssd.eff.org/
The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.
• DuckDuckGo's instructions at http://fixtracking.com/ (beware some non-100%-FaiF recommended software)
How to stop getting tracked in your browser.
You know, Google is not your friend... but DuckDuckGo and Startpage are!
http://www.kali.org/
http://www.backtrack-linux.org/
Read the documentation and you will find most software is actually in the repos. You can install it in Trisquel and use it. Same goes for TAILS: you don't need to install the distro (even if I maintain that it's good at doing what it does); you can simply install stuff like secure-delete and seahorse, etc. You can already take some steps towards security.
Let's not link non-free stuff, mmk?
As you can read in one comment I made above, I was only suggesting to read the documentation, in order to use the FREE SOFTWARE that is used in those distros. Most of it you can get in the repos. I also said NOT to use the distros because they are non-free. So, it's not like I am linking to non-free. I am linking to DOCUMENTATION, asked for by another user, to use FREE SOFTWARE to enhance PRIVACY and SECURITY, again using FREE SOFTWARE.
People link to ubuntu pages a lot of time, and that is a non issue. Why should this be any different? And yes, I gave my opinion (just that) that TAILS is the best option at remaining anonymous online. I admit it is not as free as I thought (the firmware issue) but I am mentioning the anonymity level it achieves. Nothing more :)
Hope I helped :)
You should then have linked to http://www.kali.org/official-documentation/
BTW, we CAN:
Rebuilding a Tails image
https://tails.boum.org/contribute/build/
Hi guys,
Regarding self-defense, I've just found out about SELinux.
Can anyone explain to me what it is about?
How does it work? And
how does it help to enforce security on a GNU/Linux system?
What are the main pros & cons?
Is it worth configuring my GNU/Linux with SELinux?
Furthermore, has anyone tried it before?
I know many of the answers to the above questions can be found in the documentation, but it is somewhat technical for me to grasp a good understanding.
Thank you guys!
lep
Trisquel uses AppArmor, which is an easier-to-configure alternative to
SELinux. E.g. last time I looked in Toutatis the supplied Samba and
CUPS are running under AppArmor profiles to help protect against
zero-day attacks. I suggest you learn this instead (search the web).
SELinux was developed by the NSA and as such attracts some suspicion. However, it was open sourced and released under the GPL in the year 2000.
It can be a major PITA.
For example, if you're going to install a parallel distro/OS then disable SELinux first or the next time you try to boot it will want to run long-winded checks. Disabling it is as easy as changing 'enabled' to 'disabled' in the appropriate conf file.
Wikipedia is your friend here. Read about SELinux, MAC (mandatory access control), DAC (discretionary access control), AppArmor and other implementations.
Basically it's a system to try and limit the capabilities of users and programs to the smallest subset they need.
These things get very complex very fast. However that's not to say impossible, if you don't mind doing a lot of reading you can do it.
And whether it is worth it is another thing. :) Of course in the industry and other places where highest security is required these systems are (supposedly) used.
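As an added illustration of "limiting a program to the smallest subset it needs" (this is not a profile from any poster or project in this thread), here is an AppArmor profile for a hypothetical feed reader at /usr/local/bin/feedreader; the program path and its config/cache directories are assumptions:

```apparmor
# Added example: AppArmor profile for a hypothetical /usr/local/bin/feedreader.
# Install as /etc/apparmor.d/usr.local.bin.feedreader and load it with
#   sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.feedreader
#include <tunables/global>

/usr/local/bin/feedreader {
  # Shared libraries, locale data and DNS resolution
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Outbound TCP only (fetching feeds): no UDP, no raw sockets
  network inet stream,
  network inet6 stream,

  # The program binary itself: read and memory-map
  /usr/local/bin/feedreader mr,

  # CA bundle for TLS verification, read-only
  /etc/ssl/certs/ r,
  /etc/ssl/certs/** r,

  # Its own config and cache, and only files owned by the invoking user
  owner @{HOME}/.config/feedreader/ rw,
  owner @{HOME}/.config/feedreader/** rw,
  owner @{HOME}/.cache/feedreader/ rw,
  owner @{HOME}/.cache/feedreader/** rw,

  # Anything not listed above is already denied. These explicit rules
  # document intent, stay enforced even in complain mode, and log every
  # attempt: a compromised feed reader must not reach key material.
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,
}
```

Put the profile in complain mode first (`sudo aa-complain /usr/local/bin/feedreader`), use the program normally and look for `apparmor="ALLOWED"` entries in the kernel log to see what enforcement would have blocked, then switch to `aa-enforce` once the profile covers legitimate use.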
http://danwalsh.livejournal.com/71122.html
Interesting blog about how SELinux, if enforced, would protect data from being read and files written to as a result of the current BASH exploit.
Become acquainted with The Jargon
http://www.catb.org/jargon/html/
Embrace The Hacker's Code
http://muq.org/~cynbe/hackers-code.html
Delve into the solutions...
Network Forensics Evasion: How to Exit the Matrix
http://billstclair.com/matrix/index.html
Live Free & Do Good Things!