Unified Approach to Privacy and Security Documentation

22 replies [Last post]
strypey
Offline
Joined: 05/14/2015

I notice that the Trisquel manuals have a section on Privacy and Security:
https://trisquel.info/en/wiki/security

There is a lot of this kind of information about, and in many different places, and it seems to be changing all the time.

I was recently asked to help with an update of another manual on this topic hosted by FlOSSManuals:
https://flossmanuals.net/tech-tools-for-activism/

It was originally put together by the Tech Tools for Activism collective:
https://techtoolsforactivism.org/

I already aggregated some information about privacy and security here:
http://www.coactivate.org/projects/disintermedia/privacy-not-privatization

The activist hosting collective RiseUp.net also has documentation on this topic:
https://help.riseup.net/en/security

There are other groups working in this area too, such as the EFF:
https://www.eff.org/issues/privacy
https://panopticlick.eff.org/

...the LEAP project:
https://leap.se/

...and the Guardian Project:
https://guardianproject.info/

It seems to me it could be valuable to put together an online working group on privacy and security, with members from as many trustworthy groups as possible, to create and maintain one manual of privacy and security advice, with regular updates. This manual could then be mirrored by each group on their own website.

Would anyone be interested in getting involved in such a project, sometime early next year perhaps?

strypey
Offline
Joined: 05/14/2015

BTW Apologies for the rash of postings over the last few days. It's just such a relief to have both my laptops usable again, and I've been trying to get the last few issues worked out, and share a few ideas, before I head away for a week's holiday starting tomorrow. No more flooding from me, I promise! :)

lembas
Offline
Joined: 05/13/2010

No need to apologize my friend, it's all good interesting stuff! Glad to hear your boxes are running again. Enjoy your holiday!

cooloutac
Offline
Joined: 06/27/2015

The forum needs more real people like you and less posers. Don't stay away for too long!

Calinou
Offline
Joined: 03/08/2014

We are launching dedicated security documentation:

:)

GNUser
Offline
Joined: 07/17/2013

Rofl!!!!

So true...

cooloutac
Offline
Joined: 06/27/2015

hardenubuntu.com is full of great info, only thing I would add to that would be grsecurity, which works great with trisquel and libre kernel.

GNUser
Offline
Joined: 07/17/2013

How do you configure Linux-Libre with Grsec? I mean, which settings do you use? Usually I would try that and either lose wifi, sound, or something else. So I am curious as to which settings you use.

GNUser
Offline
Joined: 07/17/2013

Still would like to know about your grsec setup :)
Feel free to email me if you prefer.

cooloutac
Offline
Joined: 06/27/2015

Hello, I use menuconfig and use the automatic settings and choose desktop (not server). I pick security over performance (I don't notice a diff). And if you plan to use kvm or something, select the correct virtualization options (host and kvm). That's pretty much it.

I've never had the problems you experience. Only problems I've ever had are suspend issues when using the older kernel, and real sluggish performance. But that is not really a grsec problem but more a nouveau on the older kernel problem. I would not recommend using the stable patch and would only recommend you use the testing patch. And keep the patch and kernel up to date when new versions come out.

Grsec is very easy to use on trisquel, because you don't have to do anything special to allow the desktop and wm. Only issue will be the memory limits for the browser, and perhaps one or two control panel settings which require python. Or any demanding games you plan to play.

So I simply used the paxctl in the repos, and for example to make sure abrowser works you would do:

paxctl -c /usr/lib/abrowser/abrowser
paxctl -m /usr/lib/abrowser/abrowser

That's it. All I had to do. You will have to do that after every time abrowser updates. If you have problems with any other programs, you can grep the syslog for pax or grsec entries and do the same for the processes you need to use.

I use grsec along with the default trisquel apparmor profiles (which includes abrowser) and a custom profile by ryan farmer for pidgin, and filter outgoing with ufw and don't have any issues. Grsec for me runs better on trisquel than any other distro I've used it on. I would recommend you try it out.

Feel free to send me a message if you have any problems.
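
The syslog check described in the post above, as an added example that is not part of the original post: it lists which executables grsecurity/PaX denied or killed, so you can see which programs are affected before changing any flags with paxctl. The function names, the log message layouts and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise grsecurity/PaX denials per executable from
# syslog-style lines. Message layouts matched here are assumed.

# Constructed sample lines (not captured from a real system).
sample_log() {
cat <<'EOF'
Nov  3 10:01:12 host kernel: [  812.4] grsec: denied RWX mprotect of /usr/lib/abrowser/libxul.so by /usr/lib/abrowser/abrowser[abrowser:2231] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov  3 10:01:12 host kernel: [  812.5] PAX: terminating task: /usr/lib/abrowser/abrowser(abrowser):2231, uid/euid: 1000/1000, PC: 00007f3a1c2d4000, SP: 00007ffd5e0a1b28
Nov  3 10:07:40 host kernel: [ 1200.1] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python:3120] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3001] uid/euid:1000/1000 gid/egid:1000/1000
Nov  3 10:09:02 host kernel: [ 1282.0] usb 1-1: new high-speed USB device number 4 using ehci-pci
EOF
}

# Read log lines on stdin and print "COUNT PATH" for every executable named
# in a grsec RWX denial or a PaX task termination, most frequent first.
pax_denied_binaries() {
    sed -n \
        -e 's|.*grsec: denied RWX [a-z]* of .* by \(/[^[]*\)\[.*|\1|p' \
        -e 's|.*PAX: terminating task: \(/[^(]*\)(.*|\1|p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone run over the constructed sample.
sample_log | pax_denied_binaries
```

On a real system, feed it the kernel log instead of the sample, for example `pax_denied_binaries < /var/log/syslog`.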

cooloutac
Offline
Joined: 06/27/2015

Here is also a good write up on how to harden your ufw firewall. http://ubuntuforums.org/showthread.php?t=1893751

Ignore his advice on Part 1. and instead simply do sudo ufw default deny outgoing. And then allow what you need.

Follow all the rest of his advice.

Since you use tor though you might not want to filter outgoing, unless you want to use fascistfirewall option in the torrc file, or specify multiple sockshttp ports if you want besides 443 and 80, like 9001 9101 9150 9151 for example. (I forget the command.) But you can still use the advice for the sysctl.conf regardless.

But I would recommend filtering outgoing connections for those that can.

GNUser
Offline
Joined: 07/17/2013

Thanks for all the info. Right now I can't try it out, but I will surely let you know how it went when I do :)

Thanks again, and stay safe.

EDIT: Btw, I do use Tor for (almost) all traffic, so only ports that accept out traffic are 80 and 443. In traffic is set to always deny. I think using Tor improves the way I manage my firewall because mostly I only need to open its own ports.

cooloutac
Offline
Joined: 06/27/2015

You can lose anonymity by limiting the outgoing ports it can connect to though.

BTW: somebody other than me has logged into my trisquel account and changed my picture.... I also got an email about how someone initiated a change password...figures.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

That must be the reason for the changes in your account: https://trisquel.info/forum/problems-access-trisquel-site#comment-81256

cooloutac
Offline
Joined: 06/27/2015

hmm possibly, tks for the reply.

I changed all my passwords just to be on the safe side.

GNUser
Offline
Joined: 07/17/2013

Does anyone use LEAP or BitMask?
Those look interesting. Didn't know about those.

I am (as most people know) a Tor user and I have made some simple experimentation with it. If someone needs help with Tor, I could try and help.

At this point I think Tor is the best chance we have, the most user friendly solution, the most advanced software, and the most well supported network. HOWEVER, for situations where you need something Tor won't do (torrents, video calls, etc) I think other solutions are welcome.

I2P for example is worth noting.
What about GNUNET has it ever done any serious work?

Would love to know more about BitMask.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

I have experience with bitmask. If you need help with installing (very simple to tell you the truth), running or simply want info, feel free to contact me.

GNUser
Offline
Joined: 07/17/2013

Basically I want to know what does it do. I mean, I understand it is a VPN software, that uses any service provider that uses the compatible software. RiseUp for example. BUT, what does it do exactly? Does it hide from websites my IP? Does it handle DNS requests probably? Is it a global proxy or can I configure it so that only one application is using this VPN?

I use Tor for most of my stuff, but when I have to use a torrent application or some other program that can't use it, I would like to have a way to encrypt my communications. Up to this point, I never found anything that could be as reliable as Tor (I2p is good on privacy, but bad on flexibility and speed, other solutions are bad on privacy and I don't trust them). RiseUp has been getting a good reputation among privacy conscious people all over the world, so I think using their service would be an option.

If you prefer to talk this over email, feel free to send me one :)

GNUsercn
Offline
Joined: 10/13/2015

Hi, I would like to give a hand to you.

I am based in China, where the censorship floods.

I am going to translate some documentation on privacy and security to Chinese, and before this I need this knowledge :P

Is there anything I could help with, either in translation or in maintaining the Chinese version of the OS?

cheers

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Hi gnusercn. You'd need to ask Ruben either by mail or on IRC (username: quidam). The Chinese language is not supported. Ask quidam. ciao

GNUsercn
Offline
Joined: 10/13/2015

Thanks though!
Thank you

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

You're welcome.. :)

cooloutac
Offline
Joined: 06/27/2015

email name at domain