Your privacy strategy/todo list for a minimal install

hack and hack
Joined: 04/02/2015

So what's your overall privacy strategy, everyone?
I'm still not writing from my free machine since I want to configure it properly.
Every day I read about some new thing to configure (like the default Trisquel DNS server being Google's).
So I'm trying to prepare a simple but complete todo list.

I've read about the proper use of Tor, and Snowden's software list.
I don't really know why Tails is worth it (besides being fully torified), but if it's good enough for him, it's good enough for me. Properly seems to mean without accessing websites that I access without Tails/Tor, for example (in a nutshell, completely separating private from public web access).

But first, it means that I can forget about using Tor on Icecat, right? Or is it only about the proper way to use it?
I mean, I'd use Tails on a USB key for maybe sensitive medical info, but accessing my bank account through it doesn't seem smart since my bank will know it's me anyway.
I remember that Tor (through Icecat) can prevent displaying images and videos. So for entertainment, or checking the news or normal browsing in general, does that mean I have to settle with a "lower" level of privacy?
I mean, the ideal would be to even ditch Trisquel and strictly use Tails.
But I wonder if using Tails on a non-free machine (with a non-free BIOS) would prevent keylogging for example.
Oh, and the VPN. Should that be used at all times? I'm leaning towards OpenVPN, but I'm still gathering info.

It seems that a smart and practical strategy would be to leave specific sensitive activities to Tor via Tails.
And the rest to Icecat, with or without Tor, and at this point it doesn't seem to make much of a difference.
VPN enabled at all times or not, that's another point I need to clarify. Free or paid VPN is another one (in terms of privacy).

Less important issues:
Since there's no point in using Abrowser for me (it's better for accessibility I think, but I don't need it), I can uninstall it. After all, it's less privacy-friendly than Icecat. Its strong point is accessibility.
What about the weather in Conky without being located?

---

The hard work is to determine what's truly important.
Using the computer offline isn't an issue, especially with disk encryption.
Online,
I gather info and learn (potentially accessing JavaScript-only websites, maybe like khanacademy),
I get entertainment (pictures, videos),
I communicate (maybe my own mail server, but does it have to stay online at all times? Also suggesting end-to-end encryption to all my contacts is too extreme. Also, 2-factor authentication for my mailbox),
I occasionally play (online chess without js would be nice).
I'll use social networks from another machine, and like once a year.

That's pretty much it.

Calinou
Joined: 03/08/2014

> I occasionally play (online chess without js would be nice).

I doubt you want that in 2015 (it's possible, but really inconvenient; it would probably require a page reload at each move).

I'll suggest using Lichess but it uses a non-free JavaScript library (Highcharts) for drawing graphs. Maybe you can block that particular library without losing functionality. Be sure to also block Google Analytics.

hack and hack
Joined: 04/02/2015

/Calinou/ Ah, true. I suppose that playing only through text input (coordinates) and Ajax could be a possibility, but not as user friendly. Though it could help memorize the coordinates. I'd love such a web app. Also I love the Lichess "no registration/ads/plugins required" policy. It could help me improve my (basic) coding skills also.
If you think it's worth trying, I'll gladly oblige. I always wanted to code a game.

lembas
Joined: 05/13/2010

Here's my 2 cents ramble.

> So I'm trying to prepare a simple but complete todo list.

This reminds me of a joke: "I've read your manuscript and it was original and clever. However, the parts that were original were not clever and the parts that were clever were not original!" I.e. you won't succeed in that. Security is a process, and a very complex process at that.

> I've read about the proper use of Tor, and Snowden's software list.
> I don't really know why Tails is worth it (besides being fully torified), but if it's good enough for him, it's good enough for me.

Anonymity is Tails' only professed value. Unfortunately freedom takes a backseat as Tails uses e.g. the vanilla kernel. Also if I was a powerful spy actor I guess the binary blobs in Linux might be quite tempting. Linus really should man up and kick the blobs from the kernel...

One issue with Tor is the web browser extensions, e.g. you're more private browsing with NoScript, yet that will set you apart from the flock using the default Tor Browser without NoScript. Ditto all other security enhancing extensions...

One horror story is Intel vPro/AMT. If the hardware is compromised no software can make it secure.

Yet another of the hard challenges is our own behavior online. We can compromise ourselves in a million different ways online. That combined with an illusion of privacy can lead to nasty results. Paranoia is good but self-censorship should be avoided as far as possible...

I guess one thing we all should do is fire up Wireshark and see and actively keep an eye on exactly what kind of traffic our machines are spewing.

> The hard work is to determine what's truly important.

Indeed. It's a great subject to think about. Look forward to hearing replies from knowledgeable people.
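lembas's suggestion to keep an eye on what the machine is "spewing" can be turned into a routine. The following is an added example, not code from this thread or from Wireshark: a minimal reader for the classic pcap format that Wireshark and tcpdump write (what `tcpdump -w` produces), which counts the destination (address, protocol, port) tuples a capture contains and lists every name sent to port 53, i.e. what your resolver is being asked about. The capture it runs on is constructed inside the block (a desktop at 192.168.1.10 resolving two names and opening two TCP connections); the addresses, names and MAC addresses are made up, except that 8.8.8.8 really is one of Google's public resolvers. Only Ethernet/IPv4 frames are handled; anything else is skipped, and a pcapng file is rejected rather than misread.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap magic, written in the writer's byte order
LINKTYPE_ETHERNET = 1
UDP, TCP = 17, 6


def dns_query(qname, txid=0x1234):
    """Standard A-record query: 12-byte header, labelled name, QTYPE=1, QCLASS=1."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def frame(src_ip, dst_ip, proto, dport, payload=b""):
    """Ethernet/IPv4/(UDP | TCP SYN) frame. Checksums stay zero; nothing here validates them."""
    if proto == UDP:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + l4
    return b"\x00" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800) + ip


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_430_000_000 + i, 0, len(f), len(f)) + f
    return out


def parse_qname(buf, off):
    """Read uncompressed DNS labels starting at buf[off] (queries are never compressed)."""
    labels = []
    while off < len(buf) and buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def summarize_pcap(data):
    """Return (Counter of (dst_ip, 'tcp'|'udp', dport), list of names sent to port 53)."""
    magic, = struct.unpack("<I", data[:4])
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    talkers, dns_names = Counter(), []
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # skip anything that is not IPv4
            continue
        ip = pkt[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        dst, l4 = socket.inet_ntoa(ip[16:20]), ip[ihl:]
        if proto not in (TCP, UDP) or len(l4) < 4:
            continue
        dport = struct.unpack("!H", l4[2:4])[0]
        talkers[(dst, "udp" if proto == UDP else "tcp", dport)] += 1
        if proto == UDP and dport == 53 and len(l4) > 20:
            dns_names.append(parse_qname(l4, 20))       # 8-byte UDP header + 12-byte DNS header
    return talkers, dns_names


# Constructed capture: a desktop at 192.168.1.10 resolving two names through 8.8.8.8
# (a Google public resolver) and then opening one HTTPS and one plain HTTP connection.
SAMPLE_PCAP = build_pcap([
    frame("192.168.1.10", "8.8.8.8", UDP, 53, dns_query("example.com")),
    frame("192.168.1.10", "198.51.100.20", TCP, 443),
    frame("192.168.1.10", "8.8.8.8", UDP, 53, dns_query("tracker.example.org", 0x1235)),
    frame("192.168.1.10", "203.0.113.7", TCP, 80),
])

if __name__ == "__main__":
    talkers, names = summarize_pcap(SAMPLE_PCAP)
    for (ip_addr, proto, port), count in talkers.most_common():
        print(f"{count:4}  {ip_addr:16} {proto}/{port}")
    print("DNS names asked for:", ", ".join(names))
```

Run against a real capture by replacing `SAMPLE_PCAP` with the bytes of a file saved from Wireshark as classic pcap (not the default pcapng). The two things to look for are exactly what the constructed output shows: which resolver gets your DNS questions, and which hosts get connections you did not knowingly start.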

hack and hack
Joined: 04/02/2015

/lembas/ I get the joke (love it also), yet indeed things change and in some cases some rules do not apply, though maybe there are some rough principles/outlines regarding setting up a libre system.
For example,
choosing compatible hardware
choosing a libre OS
checking the license of what one's about to install
etc.

Yes, I've recently read about Tor staying private only if nothing out of the Tor system is used (any external plugin).
Same for AMT/ME, I'm now a happy owner of a Librebooted X200.
Online behavior is something new to me (at least to such extent), I'm going to find out more about that.
Using Wireshark this way is a great idea (and instructive). If it's somewhat practical, I'll try that, thanks.

SuperTramp83

Joined: 10/31/2014

Privacy and anonymity are not the same. If you want privacy having a 100% free OS and a VPN (not trusting external repos, compiling any external application by yourself, setting your browser in a proper manner, not using idiotic nonsense like say facebook) should do it.
If you want anonymity - use tails.

hack and hack
Joined: 04/02/2015

/SuperTramp83/ Never thought about the difference between the two. So privacy would be that I'm known, but my activity or data is unknown. Anonymity would be that I'm not known, and thus my activity/data isn't either.
Anonymity is kinda stupid for accessing my bank account for example.
Ok, so if I understand properly, one would want security as a must, then privacy also for any web related activity.
And anonymity for special cases, like whistleblowing (or mastur... ok, you get the idea).

More seriously, anything in Trisquel works in the realm of security and privacy (excluding the user's behavior).
Which leaves anonymity for Tor, which comes with Icecat, or with the Tor bundle, or via Tails. Most likely, all 3 are OK.

Mangy Dog

Joined: 03/15/2015

[image: SWIM FAST.png]
hack and hack
Joined: 04/02/2015

/Mangy Dog/ I'm not sure I get this one. Icecat (a fox) on Trisquel (the boat) saving a poor lad thinking he's secured his privacy/anonymity with Tor. And Wireshark?

pizzaiolo
Joined: 03/12/2015

I think the point is that you try so hard to protect yourself that in the end you stand out and are more easily caught.

Ruben makes exactly this point in his 2015 Libre Planet presentation on IceCat. Unfortunately privacy/security/anonymity need to be the default for users, en masse, so that we can really be off the radar.

hack and hack
Joined: 04/02/2015

I see. Then what are the possible answers?
Not being anonymous makes one visible (but without much access to its online activity).
Using Tor properly makes one anonymous.

My goal is to keep my online activity to myself, even if it's possible to know that I visit such and such website.
It's ok if it's known, but I want to succeed at that without standing out (a paradox).

What is trying too hard, what is not trying hard enough?
I understand that it depends, but since my online activity is very basic (not about anonymity so much, but privacy), I'm sure there's something that can be done, and some things that I can forget about.

Libreboot,
a libre distro,
good browsing habit, specially when using Tor,
checking/changing the default DNS if it's google's,
no JS or LibreJS,
destroy cookies,
no Flash/Java,
maybe a VPN,

That's some kind of checklist. At least, a starting point.

pizzaiolo
Joined: 03/12/2015

Regardless, your browser is still sending out info that can be tracked (besides cookies); see: https://panopticlick.eff.org/

Ruben's point was that if you did everything right to avoid browser fingerprinting, that's when you'd REALLY stand out from the crowd.

hack and hack
Joined: 04/02/2015

I just watched the talk (very interesting), and fired up Panopticlick from IceCat: There is some data indeed, but I wonder how that can be useful (besides that it defines my machine by this pattern). Though I understand that the point is to leave some trace in order to not stand out. The data is very limited.

If there was a way to spoof this kind of data by throwing random info instead... I wonder how doable it can be though.
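Panopticlick's "bits of identifying information" figure, and Ruben's warning that doing everything right is what makes you stand out, can both be put in numbers. The following is an added example, not Panopticlick's code and not from this thread: a constructed population of 1200 mainstream browsers, spread over a few common values of four attributes so that no mainstream browser is unique, plus one hardened IceCat profile with every plugin disabled. Surprisal is -log2(fraction of browsers sharing a value), which is how Panopticlick turns "one in N browsers" into bits. The attribute names, values and counts are made up for illustration.

```python
import itertools
import math

# Constructed population, not measured data: every combination of these common values
# appears REPEATS times, so each mainstream fingerprint is shared by REPEATS browsers.
USER_AGENTS = ["Firefox/36", "Chrome/41", "Safari/8", "IE/11"]
PLUGIN_SETS = ["Flash,Java", "Flash", "Flash,Java,Silverlight"]
TIMEZONES = ["-300", "0", "60", "120", "480"]
SCREENS = ["1366x768x24", "1920x1080x24"]
REPEATS = 10

# The "did everything right" profile: unusual user agent, no plugins at all.
HARDENED = {"user_agent": "IceCat/31", "plugins": "", "timezone": "0", "screen": "1366x768x24"}


def build_population():
    """1200 mainstream fingerprints plus the single hardened one (1201 browsers)."""
    population = []
    for ua, plugins, tz, screen in itertools.product(USER_AGENTS, PLUGIN_SETS, TIMEZONES, SCREENS):
        fp = {"user_agent": ua, "plugins": plugins, "timezone": tz, "screen": screen}
        population.extend(dict(fp) for _ in range(REPEATS))
    population.append(dict(HARDENED))
    return population


def attribute_bits(population, attribute, value):
    """Surprisal of one attribute value: -log2(P(value)), the per-row figure Panopticlick shows."""
    sharing = sum(1 for fp in population if fp[attribute] == value)
    return math.inf if sharing == 0 else math.log2(len(population) / sharing)


def fingerprint_bits(population, fingerprint):
    """Surprisal of the whole tuple, and the anonymity set: how many browsers match it exactly."""
    sharing = sum(1 for fp in population if all(fp[k] == v for k, v in fingerprint.items()))
    return (math.inf if sharing == 0 else math.log2(len(population) / sharing)), sharing


def report(population, fingerprint):
    """Per-attribute bits, most identifying first, plus the combined figure."""
    per_attr = sorted(((attr, attribute_bits(population, attr, value))
                       for attr, value in fingerprint.items()), key=lambda t: -t[1])
    total, anonymity_set = fingerprint_bits(population, fingerprint)
    return {"attributes": per_attr, "total_bits": total, "anonymity_set": anonymity_set}


if __name__ == "__main__":
    pop = build_population()
    for label, fp in (("mainstream", pop[0]), ("hardened", HARDENED)):
        r = report(pop, fp)
        print(f"{label}: {r['total_bits']:.2f} bits, shared with {r['anonymity_set']} of {len(pop)}")
        for attr, bits in r["attributes"]:
            print(f"   {attr:10} {bits:5.2f} bits")
```

The mainstream profile scores about 6.9 bits and is shared with nine other browsers; the hardened one scores about 10.2 bits, the maximum for this population, and the empty plugin list alone is enough to single it out. Spoofing random values, as hack and hack suggests, does not help unless the random values are ones the crowd actually has: a value nobody else reports is worth exactly as many bits as the real one.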

Mangy Dog

Joined: 03/15/2015

It's a joke, or a bit of <humour???> & the fox is me, Mangy wwawawaw....dog :)

As SuperTramp83 says there is a difference between privacy and achieving anonymity.

http://lifehacker.com/how-can-i-stay-anonymous-with-tor-1498876762

The Tor Project site offers extensive "explanations" on the matter and what vulnerabilities affect it.
https://www.torproject.org/docs/documentation.html.en

https://trisquel.info/en/forum/basic-security-questions
https://trisquel.info/en/forum/torify-my-software-updater-and-synaptic

https://en.wikipedia.org/wiki/Virtual_private_network
https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29
https://en.wikipedia.org/wiki/Anonymous_P2P

hack and hack
Joined: 04/02/2015

Ah ok, I got it ;)

Yeah, it seems that anonymity is only for specific situations. Most likely not worth the effort for the way I use the web. But worth it for true journalism.
In essence, my strategy as a basic user would be to focus on security and privacy.
So, private browsing/anonymity with Tor for special web queries is enough for me, though the "persona" idea from lifehacker's page was enlightening, thanks. At least, more anonymity than without Tor, if I don't screw up.

I'm not sure I really understand the difference between privacy and anonymity though.

And while I understand the basics of VPN, I have a hard time understanding its use. Am I supposed to setup a VPN server on my machine and then use it as a client? Being my own client? Also, provided I can make it work, am I supposed to use it at all times, or only for specific queries requiring anonymity?

Magic Banana

Joined: 07/24/2010

> the default Trisquel DNS server being google's

It was a human error that affected some users of Trisquel 6 and was corrected in Trisquel 6.0.1. You use Trisquel 7, don't you? If so, you need not worry about that.

> But first, it means that I can forget about using Tor on Icecat, right?

I was told on this forum that Icecat's private mode goes through Tor.

> I remember that Tor (through Icecat) can prevent displaying images and videos.

Is it Tor related? I am not sure (but I am no Tor expert). It looks like an independent rule that would block third-party content (i.e., content sent by sites that are not the one you accessed). Third-party content is common. Advertisement, spyware... but also legitimate content.

> But I wonder if using Tails on a non-free machine (with a non-free BIOS) would prevent keylogging for example.

As lembas said:

> Oh, and the VPN. Should that be used at all times?

The basic idea behind a VPN is that of a proxy you talk to in an encrypted way (messages between your computer and the VPN cannot be understood without the private key of the VPN). The site you are contacting believes it is ultimately talking to the VPN, not your computer.

It is not perfect though. A secret agency could deanonymize you. For instance, by listening to what is going in/out of your computer, what is going in/out of the VPN you use and making correlations (on the timestamps and the sizes of the packets). Tor solves that problem with an onion structure that you can see as layers of VPNs: you send messages to a site through, typically, three VPNs (when you send a message, you encrypt it with their three public keys).

That certainly is a simplified vision (@anyone: please explain better and/or correct me). Anyway, my point is: if you use Tor, then there is little point in using an additional VPN... unless you want to hide your use of Tor... but that is quite easily detectable and you would then be regarded as someone using Tor and trying to hide it!

> Free or paid VPN is another one (in terms of privacy).

There is always a risk that the VPN is under the control of whoever wants to spy on you. I guess such VPNs usually are gratis to be more attractive.
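To make the "layers of VPNs" picture in Magic Banana's post concrete, here is an added example (not code from this thread, and not Tor's code): a toy three-hop onion in which the client wraps its message once per relay and each relay peels exactly one layer, learning only who handed it the blob and whom to pass it to. Real Tor negotiates a fresh symmetric key with each relay and uses AES; this stand-in uses pre-shared keys and a SHA-256-based XOR keystream purely for illustration, and the relay names, keys, destination and message are all made up. Running the same code with a single hop is the VPN case: that one hop sees both who you are and where you are going, which is the correlation exposure the post describes.

```python
import hashlib
import os

NONCE_LEN = 16


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key | nonce | block counter).

    Demonstration only; it stands in for the per-hop cipher a real circuit negotiates.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(key, next_hop, inner):
    """Add one layer: encrypt 'next_hop|inner' under this relay's key with a fresh nonce."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, next_hop.encode() + b"|" + inner)


def unwrap(key, blob):
    """Peel one layer; the relay learns only the next hop name and an opaque inner blob."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    next_hop, inner = keystream_xor(key, nonce, body).split(b"|", 1)
    return next_hop.decode(), inner


def build_onion(relay_keys, destination, message):
    """relay_keys is [(name, key), ...] with the entry relay first.

    The exit's layer is applied first (innermost) and the entry's last (outermost).
    """
    hops = [name for name, _ in relay_keys] + [destination]
    blob = message
    for (_, key), next_hop in zip(reversed(relay_keys), reversed(hops[1:])):
        blob = wrap(key, next_hop, blob)
    return blob


def route(client, relay_keys, onion):
    """Simulate the circuit. Returns (destination, plaintext, per-relay observations).

    Each relay records the previous hop and the next hop it learned. Only the last relay
    (the exit, or the VPN in the one-hop case) sees the destination, and it sees the
    plaintext too unless the message is itself encrypted end to end (HTTPS).
    """
    observations = []
    previous, blob = client, onion
    for name, key in relay_keys:
        next_hop, blob = unwrap(key, blob)
        observations.append({"relay": name, "from": previous, "to": next_hop})
        previous = name
    return next_hop, blob, observations


if __name__ == "__main__":
    circuit = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
    onion = build_onion(circuit, "example.org:80", b"GET / HTTP/1.1")
    dest, plaintext, seen = route("client", circuit, onion)
    for o in seen:
        print(f"{o['relay']:6} sees {o['from']} -> {o['to']}")
    print("exit delivers", plaintext, "to", dest)
    vpn = [("vpn", b"key-vpn")]
    _, _, seen = route("client", vpn, build_onion(vpn, "example.org:80", b"GET / HTTP/1.1"))
    print(f"vpn    sees {seen[0]['from']} -> {seen[0]['to']}")
```

The middle relay's observation is "entry -> exit": it never learns the client or the destination, and the entry never learns the destination. That separation is what a single VPN hop cannot offer, and it is also why the exit, not the VPN-style entry, is the place where unencrypted traffic is readable.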

hack and hack
Joined: 04/02/2015

/Magic Banana/ Oh that's good to hear (about the DNS), thanks.

Yes, it blocked some legitimate content, but that's no big deal. It will force me to learn more about Tor.

So Tails is essentially worthless, besides short-term use (which is what it's designed for I think). Interesting.
That article looks fascinating, thanks.

From your point of view, is it better to alternate both, the VPN and Tor, or to just stick with the latter?

Mangy Dog

Joined: 03/15/2015

hack and hack :)

You can configure your browser for privacy (Tor/cookies/private browsing)
or even proxies or your own proxy (anon)

A VPN is just more suitable than Tor in certain situations such as downloading a PDF doc..
CAPTCHAs by CloudFlare are becoming a real nuisance and sometimes tedious if not nerve-racking.
or logging into certain sites like PayPal or whatever, etc.

if you want to use P2P with a VPN you will have to port forward.

I suggest you use both alternately.

To set up your own OpenVPN you need to have a server or a hosted server to connect to
that's a solution but more complicated than using an OpenVPN client & a paid VPN service

With Tor it's recommended to stay HTTPS all the way; to achieve that you have to use the IXQUICK/STARTPAGE proxy

* I would stay away from free VPNs (they are making money somewhere along the line, if not collecting all your logs)

I can recommend you this one
https://airvpn.org/

European Data Retention (2006), long before the NSA leaks by Snowden
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF

hack and hack
Joined: 04/02/2015

/Mangy Dog/ Thanks, I'm learning a lot.
Right now I'm reading the European Data Retention document, it's a long read (*_*).
But from the first few pages, it seems fair enough.

I suppose that to use Tor properly, I better leave it as it is (at least not add plugins and stuff).
As for the VPN, to do it right, this might be my first Bitcoin experience.
I suppose I can keep it on all the time. Or is that a bad idea? You suggest to use both alternatively,
But can I use the VPN all the time, and Tor in specific situations, where I put on my "persona" (i.e. watch my behavior)?
Since Icecat fires up Tor automatically in private mode, that would be for the rare special anonymity situations, is that right?

Special thanks for providing examples (and the links), it helps me understand better which does what, and why :)

lydell

Joined: 04/20/2014

I recognize myself in your situation. I’ll share my experiences below.

> So I'm trying to prepare a simple but complete todo list.

You already have, because you can’t make it complete. Start out with the questions you posted. Pick one that concerns you more and try to fix it. Then move on to the next one. Let it take time. Motivation and available time will come and go. Things on your list might fade away before getting to them, and others might be added during the time. Don’t worry about getting “everything” done “perfectly” at once. Take it step by step. You’ll learn lots along the way—and many things you cannot know before you’ve tried them, no matter how much you read about it. Doing _something_ is better than doing nothing at all.

> I'm still not writing from my free machine since I want to configure it properly.

And you will forever unless you stop worrying.

> Everyday I read about some new thing to configure (like the default Trisquel DNS server being google's).

See what I mean? Stop reading and get started! Then, when you feel that you’ve come a bit along the way you could start reading and looking for new things to do again. Otherwise it will feel overwhelming.

Don’t worry about feeling “I should have done this straight away!” and feel bad about having done something “wrong” for some time. That always happens.

Also, what’s worse? Using a proprietary system, or a free one with Google’s DNS? Do it in steps! One: Move to free system. Two: Move away from Google’s DNS. If it takes a few weeks between step one and step two that’s OK. (Note that as has been said earlier in this thread you do _not_ need to be worried about the whole Google DNS thing since that error has been corrected for a long time now.)

> So what's you're overall privacy strategy, everyone ?

Improving just a little bit is better than not doing it at all. Bit by bit you’ll get closer to your utopia.

> [lots of questions]

Great! That shows that you’re really into it, and you actually know a bit about it too. Continue that way! Try things out! See what you think.

I hope some of the above helps :)

hack and hack
Joined: 04/02/2015

/lydell/ Tremendously, you have no idea.
I'm always after perfection (instead of excellence). The result is I don't want to make mistakes, thus I don't step forward. Just as you described.
Fortunately I'm aware of it, but I definitely needed a reminder, so thank you.

Without mistakes, there's no way to grow. I should get this as a tattoo or something.

SuperTramp83

Joined: 10/31/2014

I wouldn't trust commercial VPNs. And the reason is that it seems logical to me that those who sell VPNs for money and do it only for money are more prone to selling your logs to someone who offers (again money!) money for that info.
All those VPNs that state they have a no log policy are just promising they don't log. It's like duckduckgo promising they don't log your IP and your search info.. You have no possibility to know for sure. But one thing I do know for sure: companies want money, a lot of money. They want all the money they can get and if doing more money means selling you or me or all of us to advertisers, governments or whatsoever, then they'll do just that..
I wouldn't trust a gratis VPN either, unless it was a VPN by some organization that is well known for fighting oppressors and protecting journalists, whistleblowers, activists etc..

hack and hack - do you hang on IRC? If so go to #trisquel on freenode so we can talk about it maybe. My username there is the same as here.
cheers!

hack and hack
Joined: 04/02/2015

yeah, that was my feeling too, this is why I was interested in setting up my own VPN server, though it takes more skill. I stumbled upon a good article which backs up what you wrote, and which explained that using Tor first, then connecting to a VPN made that a moot point.
https://www.bestvpn.com/blog/12273/using-tor-vpn-together/?nabe=6412130213429248:1
Plus it actually recommends airVPN as one of the only 2 VPNs that work with this method.

I don't hang on IRC yet, give me some time to learn about it and set it up, and I'll be more than happy to talk about it :)
---
EDIT: I'm ready!
I'll try to connect tomorrow.

JadedCtrl
Joined: 08/11/2014

I mean, you have to consider what a reputable VPN company has to lose-- if someone finds out that logs are being sold then that company's reputation goes down the toilet, as well as their business.
It's certainly possible that they would sell your logs, but I don't think they'd take such a massive risk. Perhaps I'm too optimistic?

Watchingtheweasels
Joined: 09/05/2013

I've been using ivpn.net, have been pretty satisfied with their service. I would recommend using a VPN that is outside the US in a privacy friendly jurisdiction.

Alij
Joined: 05/08/2012

the best advice: get off the internet.

hack and hack
Joined: 04/02/2015

Believe it or not, a few years ago, I said to a friend that I wanted to stay away from screens as much as possible.
Now I'm studying/working with those damn screens...
But I definitely want to keep web browsing to the minimum. The essential, even. Mainly to get info/knowledge.

Alij
Joined: 05/08/2012

I only visit a couple of news sites, torrent sites and email. And the Trisquel forum for technical support..

;)

hack and hack
Joined: 04/02/2015

Makes sense. I'm gonna lean towards a minimalistic use as well, and that's not even because of privacy issues.
Mostly because it's only a tool, there's more to life overall.

Mangy Dog

Joined: 03/15/2015

Effectively this could have been an IRC discussion :)
http://www.irchelp.org/
https://trisquel.info/en/wiki/connect-trisquel-irc-channel

I agree with JadedCtrl,
some VPN services are dubious, but others have a clear policy; if they were not to respect their commitments they would be liable and lose their business.

That said one can stay HTTPS all the way while using a VPN.

Any Tor exit node can be a honeypot, and there's more chance of being "data collected" by an exit node than by a VPN.

To use Tor with AirVPN you need the Windows client :(
https://airvpn.org/static/pages/tor/airvpn_with_tor.png

Disadvantages:
Poor performance
Fixed Tor circuit for each OpenVPN session
Access to .onion sites only from browsers configured to connect directly to Tor

Dissociate Tor usage & VPN for practical reasons as mentioned above.

But don't get too over concerned by it all!
If you really want privacy throw your PC and Phone away :)
might even save your eyesight...from premature cecity.

tomlukeywood
Joined: 12/05/2014

"might even save your eyesight...from premature cecity."

and the repetitive strain injury :(

hack and hack
Joined: 04/02/2015

Well, is there a way to know if a VPN provider isn't respecting its commitments?
Would HTTPS prevent such abuse?

All this is interesting, and it might take a bit more time for me to get less tracked online.
That's all I ask for, not total anonymity.
Why would I care that it's known that I visit such and such website?
As long as what I do offline remains private, I'm fine. And even if it's not, it's not that important.

Which brings me back to what's truly important.
Essentially, the entertainment and occasional play, I could do without (online, not IRL of course).
News gathering and learning, well I could too, but it would be much slower in some way.
But it's true that my actual online time could be shorter and shorter.
Same for my offline activity actually.

My eyesight is already beyond saving :P
But no need to make it worse.
EDIT
/tomlukeywood/ and I'll try to be kind to my wrists.

SuperTramp83

Joined: 10/31/2014

Stay away from the internet? No!
It's like saying "don't go out and stay in your home because out there there are a lot of dangerous things"
I won't stop using internet and doing whatever I want to do, saying whatever I want to say just because the Big Brother is listening. Protect yourself the best you can and express yourself freely and fuck big brother!

Alij
Joined: 05/08/2012

Of course mate, you know what I meant.

hack and hack
Joined: 04/02/2015

I agree, it's just that in what I personally do online, there's a lot of waste of time that I could use off the computer.

So if I understand, Tor provides full anonymity/invisibility, yet there's the trouble of malicious exit nodes, and it being slower. This doesn't sound reliable.
A VPN has to be trusted, but it's faster. Another VPN downside is that it will reveal that I'm online, and that I use a VPN. But is that even a downside for the average user? Nope.

Now if it's actually possible to use VPN through Tor on GNU/Linux, that would be the best, but slow.

So in the end, Who cares if it's known that I'm online or not? That I use a VPN could be problematic in some countries though, since it could be illegal.

A VPN sounds good. Tor by itself isn't too reliable, and that's only to gain full ninja stealth anonymity (not even revealing whether I'm online or not). More suitable for secret agent level journalism, away from home on disposable hardware, while leaving the phone at home. I'm open to another argumentation, but this makes sense to me. Tor properly used is only for specific situations, or else the average user is using it the wrong way.

Oh, and to connect to websites that know my name (like my bank), I would disconnect both the VPN and Tor.

In a nutshell:
- a VPN most of the time
- no privacy/anonymity tool on for websites where I'm known by name
- No reason to use Tor since it's a pain to use it properly, and the exit nodes are wired. Plus I don't even have one realistic scenario where it could be useful, besides browsing from a dictatorship country.

hack and hack
Joined: 04/02/2015

I'm replying to myself because someone downvoted my comment, yay !
WTF? It was only a rough conclusion of what was said before, no real new info besides comparing Tor and VPN side by side... If with great power comes great responsibility, with or without freedom, idiocy remains.

Anyway, back to the program:
I know that in the IT security field, the weakest link is always the user, it looks like it's the same for privacy/anonymity (not the same, but mostly similar).
Is there some sort of online behavior guidelines besides The Tor specific behavior?

Like how to use md5/GPG etc to verify whatever one downloads for example,
using a router (though it's most likely automatically configured by the ISP box nowadays),
I don't know, something like a driving code.
As I'm writing I realize that this has more to do with security.
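The download-verification habit mentioned in the last post has a small mechanical core, shown here as an added example that is not from this thread or from any distribution's tooling. It parses the SHA256SUMS-style list that projects publish (one "<hex digest>  <filename>" line per file, the format `sha256sum -c` reads), recomputes the digest of the downloaded bytes and compares in constant time. The file contents and the checksum list are constructed inside the block. Two caveats are built in: MD5 and SHA-1 no longer protect against a deliberately substituted file, only against accidental corruption, so such lines are refused unless explicitly allowed; and a checksum list only proves anything if it was fetched over a channel you trust or its GPG signature was checked against the project's key, which needs that key and is not shown here.

```python
import hashlib
import hmac

# Hex digest lengths of the algorithms checksum files use. md5 and sha1 are listed
# only so their lines parse; neither resists a deliberately substituted file any more.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
WEAK = {"md5", "sha1"}


def parse_sums(text):
    """Parse sha256sum-style lines '<hex>  <name>' (or '<hex> *<name>' in binary mode).

    Returns ({name: hex_digest}, [line numbers that did not parse]); a malformed line is
    reported rather than silently dropped, because a dropped line would look like 'missing'.
    """
    sums, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        is_hex = all(c in "0123456789abcdefABCDEF" for c in digest)
        if not name or not is_hex or len(digest) not in DIGEST_LEN.values():
            bad.append(lineno)
            continue
        sums[name] = digest.lower()
    return sums, bad


def verify(data, name, sums, allow_weak=False):
    """Check downloaded bytes against the list: 'ok', 'mismatch', 'missing' or 'weak-algorithm'.

    The algorithm is inferred from the digest length, since the file format does not record it.
    """
    expected = sums.get(name)
    if expected is None:
        return "missing"
    algorithm = next(a for a, n in DIGEST_LEN.items() if n == len(expected))
    if algorithm in WEAK and not allow_weak:
        return "weak-algorithm"
    actual = hashlib.new(algorithm, data).hexdigest()
    # compare_digest runs in constant time; not essential for a local file check, but the
    # habit matters wherever the comparison is reachable by someone else.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed stand-ins for a downloaded image and the checksum list published beside it.
FILES = {
    "pretend-image.iso": b"pretend this is an install image\n",
    "pretend-firmware.rom": b"pretend this is a firmware image\n",
}
SAMPLE_SUMS = "\n".join([
    "# SHA256SUMS (constructed for this example; a real one would be GPG-signed)",
    hashlib.sha256(FILES["pretend-image.iso"]).hexdigest() + "  pretend-image.iso",
    hashlib.md5(FILES["pretend-firmware.rom"]).hexdigest() + " *pretend-firmware.rom",
    "not-a-digest  broken-line",
])

if __name__ == "__main__":
    sums, bad = parse_sums(SAMPLE_SUMS)
    print("unparseable lines:", bad)
    for name, content in FILES.items():
        print(name, verify(content, name, sums))
    print("tampered image:", verify(FILES["pretend-image.iso"] + b"\x00", "pretend-image.iso", sums))
```

For a real download, read the ISO with `open(path, "rb").read()` (or hash it in chunks for large files) and the published list with `open("SHA256SUMS").read()`; the result tells you only that the bytes match the list, so the list itself still has to come from somewhere you trust.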