Author Topic: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)  (Read 1182 times)

0 Members and 5 Guests are viewing this topic.

Offline bling bling

  • Commandant
  • ****
  • Posts: 1,621
    • View Profile
The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« on: September 14, 2014, 03:33:49 am »
1. COINTELPRO Techniques for dilution, misdirection and control of a internet forum

COINTELPRO Techniques for dilution, misdirection and control of a internet forum..
 
There are several techniques for the control and manipulation of a internet forum no matter what, or who is on it. We will go over each technique and demonstrate that only a minimal number of operatives can be used to eventually and effectively gain a control of a 'uncontrolled forum.'
 
Technique #1 - 'FORUM SLIDING'
 
If a very sensitive posting of a critical nature has been posted on a forum - it can be quickly removed from public view by 'forum sliding.' In this technique a number of unrelated posts are quietly prepositioned on the forum and allowed to 'age.' Each of these misdirectional forum postings can then be called upon at will to trigger a 'forum slide.' The second requirement is that several fake accounts exist, which can be called upon, to ensure that this technique is not exposed to the public. To trigger a 'forum slide' and 'flush' the critical post out of public view it is simply a matter of logging into each account both real and fake and then 'replying' to prepositined postings with a simple 1 or 2 line comment. This brings the unrelated postings to the top of the forum list, and the critical posting 'slides' down the front page, and quickly out of public view. Although it is difficult or impossible to censor the posting it is now lost in a sea of unrelated and unuseful postings. By this means it becomes effective to keep the readers of the forum reading unrelated and non-issue items.
 
Technique #2 - 'CONSENSUS CRACKING'
 
A second highly effective technique (which you can see in operation all the time at www.abovetopsecret.com) is 'consensus cracking.' To develop a consensus crack, the following technique is used. Under the guise of a fake account a posting is made which looks legitimate and is towards the truth is made - but the critical point is that it has a VERY WEAK PREMISE without substantive proof to back the posting. Once this is done then under alternative fake accounts a very strong position in your favour is slowly introduced over the life of the posting. It is IMPERATIVE that both sides are initially presented, so the uninformed reader cannot determine which side is the truth. As postings and replies are made the stronger 'evidence' or disinformation in your favour is slowly 'seeded in.' Thus the uninformed reader will most like develop the same position as you, and if their position is against you their opposition to your posting will be most likely dropped. However in some cases where the forum members are highly educated and can counter your disinformation with real facts and linked postings, you can then 'abort' the consensus cracking by initiating a 'forum slide.'
 
Technique #3 - 'TOPIC DILUTION'
 
Topic dilution is not only effective in forum sliding it is also very useful in keeping the forum readers on unrelated and non-productive issues. This is a critical and useful technique to cause a 'RESOURCE BURN.' By implementing continual and non-related postings that distract and disrupt (trolling ) the forum readers they are more effectively stopped from anything of any real productivity. If the intensity of gradual dilution is intense enough, the readers will effectively stop researching and simply slip into a 'gossip mode.' In this state they can be more easily misdirected away from facts towards uninformed conjecture and opinion. The less informed they are the more effective and easy it becomes to control the entire group in the direction that you would desire the group to go in. It must be stressed that a proper assessment of the psychological capabilities and levels of education is first determined of the group to determine at what level to 'drive in the wedge.' By being too far off topic too quickly it may trigger censorship by a forum moderator.
 
Technique #4 - 'INFORMATION COLLECTION'
 
Information collection is also a very effective method to determine the psychological level of the forum members, and to gather intelligence that can be used against them. In this technique in a light and positive environment a 'show you mine so me yours' posting is initiated. From the number of replies and the answers that are provided much statistical information can be gathered. An example is to post your 'favourite weapon' and then encourage other members of the forum to showcase what they have. In this matter it can be determined by reverse proration what percentage of the forum community owns a firearm, and or a illegal weapon. This same method can be used by posing as one of the form members and posting your favourite 'technique of operation.' From the replies various methods that the group utilizes can be studied and effective methods developed to stop them from their activities.
 
Technique #5 - 'ANGER TROLLING'
 
Statistically, there is always a percentage of the forum posters who are more inclined to violence. In order to determine who these individuals are, it is a requirement to present a image to the forum to deliberately incite a strong psychological reaction. From this the most violent in the group can be effectively singled out for reverse IP location and possibly local enforcement tracking. To accomplish this only requires posting a link to a video depicting a local police officer massively abusing his power against a very innocent individual. Statistically of the million or so police officers in America there is always one or two being caught abusing there powers and the taping of the activity can be then used for intelligence gathering purposes - without the requirement to 'stage' a fake abuse video. This method is extremely effective, and the more so the more abusive the video can be made to look. Sometimes it is useful to 'lead' the forum by replying to your own posting with your own statement of violent intent, and that you 'do not care what the authorities think!!' inflammation. By doing this and showing no fear it may be more effective in getting the more silent and self-disciplined violent intent members of the forum to slip and post their real intentions. This can be used later in a court of law during prosecution.
 
Technique #6 - 'GAINING FULL CONTROL'
 
It is important to also be harvesting and continually maneuvering for a forum moderator position. Once this position is obtained, the forum can then be effectively and quietly controlled by deleting unfavourable postings - and one can eventually steer the forum into complete failure and lack of interest by the general public. This is the 'ultimate victory' as the forum is no longer participated with by the general public and no longer useful in maintaining their freedoms. Depending on the level of control you can obtain, you can deliberately steer a forum into defeat by censoring postings, deleting memberships, flooding, and or accidentally taking the forum offline. By this method the forum can be quickly killed. However it is not always in the interest to kill a forum as it can be converted into a 'honey pot' gathering center to collect and misdirect newcomers and from this point be completely used for your control for your agenda purposes.
 
CONCLUSION
 
Remember these techniques are only effective if the forum participants DO NOT KNOW ABOUT THEM. Once they are aware of these techniques the operation can completely fail, and the forum can become uncontrolled. At this point other avenues must be considered such as initiating a false legal precidence to simply have the forum shut down and taken offline. This is not desirable as it then leaves the enforcement agencies unable to track the percentage of those in the population who always resist attempts for control against them. Many other techniques can be utilized and developed by the individual and as you develop further techniques of infiltration and control it is imperative to share then with HQ.
______________________________________________________________________________________

Offline bling bling

  • Commandant
  • ****
  • Posts: 1,621
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #1 on: September 14, 2014, 04:13:35 am »
Twenty-Five Rules of Disinformation
 
Note: The first rule and last five (or six, depending on situation) rules are generally not directly within the ability of the traditional disinfo artist to apply. These rules are generally used more directly by those at the leadership, key players, or planning level of the criminal conspiracy or conspiracy to cover up.
 
1. Hear no evil, see no evil, speak no evil. Regardless of what you know, don't discuss it -- especially if you are a public figure, news anchor, etc. If it's not reported, it didn't happen, and you never have to deal with the issues.
 
2. Become incredulous and indignant. Avoid discussing key issues and instead focus on side issues which can be used show the topic as being critical of some otherwise sacrosanct group or theme. This is also known as the 'How dare you!' gambit.
 
3. Create rumor mongers. Avoid discussing issues by describing all charges, regardless of venue or evidence, as mere rumors and wild accusations. Other derogatory terms mutually exclusive of truth may work as well. This method which works especially well with a silent press, because the only way the public can learn of the facts are through such 'arguable rumors'. If you can associate the material with the Internet, use this fact to certify it a 'wild rumor' from a 'bunch of kids on the Internet' which can have no basis in fact.
 
4. Use a straw man. Find or create a seeming element of your opponent's argument which you can easily knock down to make yourself look good and the opponent to look bad. Either make up an issue you may safely imply exists based on your interpretation of the opponent/opponent arguments/situation, or select the weakest aspect of the weakest charges. Amplify their significance and destroy them in a way which appears to debunk all the charges, real and fabricated alike, while actually avoiding discussion of the real issues.
 
5. Sidetrack opponents with name calling and ridicule. This is also known as the primary 'attack the messenger' ploy, though other methods qualify as variants of that approach. Associate opponents with unpopular titles such as 'kooks', 'right-wing', 'liberal', 'left-wing', 'terrorists', 'conspiracy buffs', 'radicals', 'militia', 'racists', 'religious fanatics', 'sexual deviates', and so forth. This makes others shrink from support out of fear of gaining the same label, and you avoid dealing with issues.
 
6. Hit and Run. In any public forum, make a brief attack of your opponent or the opponent position and then scamper off before an answer can be fielded, or simply ignore any answer. This works extremely well in Internet and letters-to-the-editor environments where a steady stream of new identities can be called upon without having to explain criticism, reasoning -- simply make an accusation or other attack, never discussing issues, and never answering any subsequent response, for that would dignify the opponent's viewpoint.
 
7. Question motives. Twist or amplify any fact which could be taken to imply that the opponent operates out of a hidden personal agenda or other bias. This avoids discussing issues and forces the accuser on the defensive.
 
8. Invoke authority. Claim for yourself or associate yourself with authority and present your argument with enough 'jargon' and 'minutia' to illustrate you are 'one who knows', and simply say it isn't so without discussing issues or demonstrating concretely why or citing sources.
 
9. Play Dumb. No matter what evidence or logical argument is offered, avoid discussing issues except with denials they have any credibility, make any sense, provide any proof, contain or make a point, have logic, or support a conclusion. Mix well for maximum effect.
 
10. Associate opponent charges with old news. A derivative of the straw man -- usually, in any large-scale matter of high visibility, someone will make charges early on which can be or were already easily dealt with - a kind of investment for the future should the matter not be so easily contained.) Where it can be foreseen, have your own side raise a straw man issue and have it dealt with early on as part of the initial contingency plans. Subsequent charges, regardless of validity or new ground uncovered, can usually then be associated with the original charge and dismissed as simply being a rehash without need to address current issues -- so much the better where the opponent is or was involved with the original source.
 
11. Establish and rely upon fall-back positions. Using a minor matter or element of the facts, take the 'high road' and 'confess' with candor that some innocent mistake, in hindsight, was made -- but that opponents have seized on the opportunity to blow it all out of proportion and imply greater criminalities which, 'just isn't so.' Others can reinforce this on your behalf, later, and even publicly 'call for an end to the nonsense' because you have already 'done the right thing.' Done properly, this can garner sympathy and respect for 'coming clean' and 'owning up' to your mistakes without addressing more serious issues.
 
12. Enigmas have no solution. Drawing upon the overall umbrella of events surrounding the crime and the multitude of players and events, paint the entire affair as too complex to solve. This causes those otherwise following the matter to begin to lose interest more quickly without having to address the actual issues.
 
13. Alice in Wonderland Logic. Avoid discussion of the issues by reasoning backwards or with an apparent deductive logic which forbears any actual material fact.
 
14. Demand complete solutions. Avoid the issues by requiring opponents to solve the crime at hand completely, a ploy which works best with issues qualifying for rule 10.
 
15. Fit the facts to alternate conclusions. This requires creative thinking unless the crime was planned with contingency conclusions in place.
 
16. Vanish evidence and witnesses. If it does not exist, it is not fact, and you won't have to address the issue.
 
17. Change the subject. Usually in connection with one of the other ploys listed here, find a way to side-track the discussion with abrasive or controversial comments in hopes of turning attention to a new, more manageable topic. This works especially well with companions who can 'argue' with you over the new topic and polarize the discussion arena in order to avoid discussing more key issues.
 
18. Emotionalize, Antagonize, and Goad Opponents. If you can't do anything else, chide and taunt your opponents and draw them into emotional responses which will tend to make them look foolish and overly motivated, and generally render their material somewhat less coherent. Not only will you avoid discussing the issues in the first instance, but even if their emotional response addresses the issue, you can further avoid the issues by then focusing on how 'sensitive they are to criticism.'
 
19. Ignore proof presented, demand impossible proofs. This is perhaps a variant of the 'play dumb' rule. Regardless of what material may be presented by an opponent in public forums, claim the material irrelevant and demand proof that is impossible for the opponent to come by (it may exist, but not be at his disposal, or it may be something which is known to be safely destroyed or withheld, such as a murder weapon.) In order to completely avoid discussing issues, it may be required that you to categorically deny and be critical of media or books as valid sources, deny that witnesses are acceptable, or even deny that statements made by government or other authorities have any meaning or relevance.
 
20. False evidence. Whenever possible, introduce new facts or clues designed and manufactured to conflict with opponent presentations -- as useful tools to neutralize sensitive issues or impede resolution. This works best when the crime was designed with contingencies for the purpose, and the facts cannot be easily separated from the fabrications.
 
21. Call a Grand Jury, Special Prosecutor, or other empowered investigative body. Subvert the (process) to your benefit and effectively neutralize all sensitive issues without open discussion. Once convened, the evidence and testimony are required to be secret when properly handled. For instance, if you own the prosecuting attorney, it can insure a Grand Jury hears no useful evidence and that the evidence is sealed and unavailable to subsequent investigators. Once a favorable verdict is achieved, the matter can be considered officially closed. Usually, this technique is applied to find the guilty innocent, but it can also be used to obtain charges when seeking to frame a victim.
 
22. Manufacture a new truth. Create your own expert(s), group(s), author(s), leader(s) or influence existing ones willing to forge new ground via scientific, investigative, or social research or testimony which concludes favorably. In this way, if you must actually address issues, you can do so authoritatively.
 
23. Create bigger distractions. If the above does not seem to be working to distract from sensitive issues, or to prevent unwanted media coverage of unstoppable events such as trials, create bigger news stories (or treat them as such) to distract the multitudes.
 
24. Silence critics. If the above methods do not prevail, consider removing opponents from circulation by some definitive solution so that the need to address issues is removed entirely. This can be by their death, arrest and detention, blackmail or destruction of their character by release of blackmail information, or merely by destroying them financially, emotionally, or severely damaging their health.
 
25. Vanish. If you are a key holder of secrets or otherwise overly illuminated and you think the heat is getting too hot, to avoid the issues, vacate the kitchen.
______________________________________________________________________________________

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #2 on: September 14, 2014, 04:19:58 am »
The paranoid #! Security Guide

Table of Contents:

Introduction

Basic Considerations

BIOS-Passwords

Encryption
Making TrueCrypt Portable
Hardware Encryption
Attacks on Full-Disk-Encryption
Attacks on encrypted Containers
Debian's encrypted LVM pwned
Solutions
eCryptfs
Encrypting SWAP using eCryptfs
Tomb
Advanced Tomb-Sorcery

Keyloggers
Software Keyloggers
Defense against Software Keyloggers
Hardware Keyloggers
Defense against Hardware Keyloggers

Secure File-Deletion
BleachBit
srm [secure rm]
Other Ways to securely wipe Drives

Your Internet-Connection
ipkungfu
Configuring /etc/sysctl.conf
Modem & Router

Intrusion-Detection, Rootkit-Protection & AntiVirus
Snort
RKHunter
RKHunter-Jedi-Tricks
chkrootkit
Tiger
Lynis
debsums
sha256
ClamAV

DNS-Servers
Using secure and censor-free DNS
DNSCrypt

Firefox/Iceweasel
Firefox-Sandbox: Sandfox
Firefox-Preferences
Plugins
Addons
SSL-Search-Engines
Flash-Settings
about:config
Prevent Browser-Fingerprinting

TOR [The Onion Router]
TOR-Warning

I2P

Freenet

Secure Peer-to-Peer-Networks

Mesh-Networks

Proxies
Proxy-Warning

VPN (Virtual Private Network)

The Web
RSS-Feeds

Secure Mail-Providers

Disposable Mail-Addresses

Secure Instant-Messaging/VoIP
TorChat
OTR [Off-the-Record-Messaging]
Secure and Encrypted VoIP

Social Networking
Facebook
Alternatives to Facebook

Passwords
pwgen
KeePass

Live-CDs and VM-Images that focus on security and anonymity

Further Info/Tools


Introduction


Hi all!

This is my first attempt to contribute something to the community. Basically you can find everything I write here somewhere else on the web or in some book - but exactly that is the problem. You can literally spend weeks digging up all this stuff. And to save you some trouble I thought: "Heck, let's just put this into a little manual."

You're dealing with a somewhat paranoid security setup for debian-based systems like #!.
[This is the end-user and not the |-|4xx0|2-version. We are not getting into virtual-virtual-virtual-machine-double-vpn-ssh-proxy-chain-from-your-internet-cafe-type-stuff.]

In this small guide I simply provide several "recipes" for securing both your box and your internet-connection and web-applications. I won't go into the why of all of this in too much detail as I want to provide a simple how-to that people can follow to make their system more secure without having to read through hundreds of pages of explanations. This information can easily be found elsewhere. If you're interested in a certain topic then just fire up a web-search and give it a read.

This guide is not exhaustive of course. As they say, security is a process - and so this guide can only be a place to start which needs to be adjusted to your personal needs.

If you consider to use this information and you find something to be too overcautious for your particular need - just ignore it and move on. One last thing before we begin: I am not a "security-guru" (far from it) - but more appropriately (as my nick suggests) some dude wrapping his head around things...
Basic considerations

BIOS-Passwords


For the physical security of your data you should always employ encrypted drives. But before we get to that make sure you set strong passwords in BIOS for both starting up and modifying the BIOS-settings. Also make sure to disable boot for any media other than your harddrive.
Encryption


With #! this is easy. In the installation you can simply choose to use an encrypted LVM. (For those of you who missed that part on installation and would still like to use an encrypted partition withouth having to reinstall: use these instructions to get the job done.) For other data, e.g. data you store on transportable media you can use TrueCrypt - which is better than e.g. dmcrypt for portable media since it is portable, too. You can put a folder with TrueCrypt for every OS out there on to the unencrypted part of your drive and thus make sure you can access the files everywhere you go.

This is how it is done:
Making TrueCrypt Portable
   •   
   •   Download yourself some TC copy.
   •   
   •   Extract the tar.gz
   •   
   •   Execute the setup-file
   •   
   •   When prompted choose "Extract .tar Package File"
   •   
   •   go to /tmp
   •   
   •   copy the tar.gz and move it where you want to extract/store it
   •   
   •   extract it
   •   
   •   once it's unpacked go to "usr"->"bin" grab "truecrypt"-binary
   •   
   •   copy it onto your stick
   •   
   •   give it a test-run

There is really not much more in that tarball than the binary. Just execute it and you're ready for some crypto.

I don't recommend using TrueCrypt's hidden container, though. Watch this vid to find out why. If you don't yet know how to use TrueCrypt check out this guide. [TrueCrypt's standard encryption is AES-256. This encryption is really good but there are ways to attack it and you don't know how advanced certain people already got at this. So when prompted during the creation of a TrueCrypt container use: AES-Twofish-Serpent and as hash-algorithm use SHA-512. If you're not using the drive for serious video-editing or such you won't notice a difference in performance. Only the encryption process when creating the drive takes a little longer. But we get an extra scoop of security for that... ]
Hardware Encryption


There are three different types of hardware encrypted devices available, which are generally called: SED (Self Encrypting Devices)

- Flash-Drives (Kingston etc.)
- SSD-Drives (Samsung etc.)
- HD-Drives (WD, Hitachi, Toshiba etc.)

They all use AES encryption. The key is generated within the device's microprocessor and thus no crucial data - neither password nor key are written to the host system. AES is secure - and thus using these devices can give some extra protection.

But before you think that all you need to do is to get yourself one of these devices and you're safe - I have to warn you: You're not.

So let's get to the reasons behind that.
Attacks on Full-Disk-Encryption


Below we will have a look at a debian specific attack using a vulnerability common with encrypted LVMs.

But you need to be aware that all disk-encryption is generally vulnerable - be it software- or hardware-based. I won't go into details how each of them work exactly - but I will try to at least provide you with a short explanation.

For software-based disk-encryption there are these known attacks:

- DMA-Attacks (DMA/HDMI-Ports are used to connect to a running, locked machine to unlock it)

- Cold-Boot-Attacks (Keys are extracted from RAM after a cold reboot)

- Freezing of RAM (RAM is frozen and inserted into the attacker's machine to extratct the key)

- Evil-Maid-Attacks (Different methods to boot up a trojanized OS or some kind of software-keylogger)

For hardware-based disk-encryption there are similar attacks:

- DMA-Attacks (same as with SW-based encryption)

- Replug-Attacks (Drive's data cable is disconnected and connected to attacker's machine via SATA-hotplugging)

- Reboot-Attacks (Drive's data cable is disconnected and connected to attacker's machine after enforced reboot. Then the bios-password is circumvented through the repeated pressing of the F2- and enter-key. After the bios integrated SED-password has been disabled the data-cable is plugged into the attacker's machine. This only works on some machines.)

- Networked-Evil-Maid-Attacks (Attacker steals the actual SED and replaces it with another containing a tojanized OS. On bootup victim enters it's password which is subsequently send to the attacker via network/local attacker hot-spot. Different method: Replacing a laptop with a similar model [at e.g. airport/hotel etc.] and the attacker's phone# printed on the bottom of the machine. Victim boots up enters "wrong" password which is send to the attacker via network. Victim discovers that his laptop has been misplaced, calls attacker who now copies the content and gives the "misplaced" laptop back to the owner.)

A full explanation of all these attacks been be found in this presentation. (Unfortunately it has not yet been translated into English.) An English explanation of an evil-maid-attack against TrueCrypt encrypted drives can be found here
Attacks on encrypted Containers


There are also attacks against encrypted containers. They pretty much work like cold-boot-attacks, without the booting part.
An attacker can dump the container's password if the computer is either running or is in hibernation mode - either having the container open and even when the container has been opened during that session - using temporary and hibernation files.
Debian's encrypted LVM pwned


This type of "full" disk encryption can also be fooled by an attack that could be classified as a custom and extended evil-maid-attack. Don't believe me? Read this!

The problem basically is that although most of the filesystem and your personal data are indeed encrypted - your boot partition and GRUB aren't. And this allows an attacker with physical access to your box to bring you into real trouble.

To avoid this do the following:Micah Lee wrote:


If you don’t want to reinstall your operating system, you can format your USB stick, copy /boot/* to it, and install grub to it. In order to install grub to it, you’ll need to unmount /boot, remount it as your USB device, modify /etc/fstab, comment out the line that mounts /boot, and then run grub-install /dev/sdb (or wherever your USB stick is). You should then be able to boot from your USB stick.

An important thing to remember when doing this is that a lot of Ubuntu updates rewrite your initrd.img, most commonly kernel upgrades. Make sure your USB stick is plugged in and mounted as /boot when doing these updates. It’s also a good idea to make regular backups of the files on this USB stick, and burn them to CDs or keep them on the internet. If you ever lose or break your USB stick, you’ll need these backups to boot your computer.

One computer I tried setting this defense up on couldn’t boot from USB devices. I solved this pretty simply by making a grub boot CD that chainloaded to my USB device. If you google “Making a GRUB bootable CD-ROM,” you’ll find instructions on how to do that. Here’s what the menu.1st file on that CD looks like:

default 0
timeout 2
title Boot from USB (hd1)
root (hd1)
chainloader +1

I can now boot to this CD with my USB stick in, and the CD will then boot from the USB stick, which will then boot the closely watched initrd.img to load Ubuntu. A little annoying maybe, but it works.



(Big thanks to Micah Lee!)

Note: Apparently there is an issue with installing GRUB onto USB with waldorf/wheezy. As soon as I know how to get that fixed I will update this section.
Solutions


You might think that mixing soft- and hardware-based encryption will solve these issues. Well, no. They don't. An attacker can simply chain different methods and so we are back at square one. Of course this makes it harder for an attacker to reach his goals - but he/she will not be stopped by it. So the only method that basically remains is to regard full-disk-encryption as a first layer of protection only.

Please don't assume that the scenarios described above are somewhat unrealistic. In the US there are about 5000 laptops being lost or stolen each week on airports alone. European statistics indicate that about 8% of all business-laptops are at least once either lost or stolen.

A similar risk is there if you leave the room/apartment with your machine locked - but running. So the first protection against these methods is to always power down the machine. Always.

The next thing to remind yourself off is: You cannot rely on full-disk-encryption. So you need to employ further layers of encryption. That means that you will have to encrypt folders containing sensitive files again using other methods such as tomb or TrueCrypt. That way - if an attacker manages to get hold of your password he/she will only have access to rather unimportant files. If you have sensitive or confidential data to protect full-disk encryption is not enough!

When using encrypted containers that contain sensitive data you should shutdown your computer after having used them to clear all temporary data stored on your machine that could be used by an attacker to extract passwords.

If you have to rely on data being encrypted and would be in danger if anyone would find the data you were encrypting you should consider only using a power-supply when using a laptop - as opposed to running on power and battery. That way if let's say, you live in a dictatorship or the mafia is out to get you - and they are coming to your home or wherever you are - all you need to do when you sense that something weird is going on is to pull the cable and hope that they still need at least 30 secs to get to your ram. This can help prevent the above mentioned attacks and thus keep your data safely hidden.
eCryptfs


If for some reason (like performance or not wanting to type in thousands of passwords on boot) you don't want to use an encrypted LVM you can use ecryptfs to encrypt files and folders after installation of the OS.

To find out about all the different features of ecryptfs and how to use them I would like to point you to bodhi.zazen's excellent ecryptfs-tutorial.

But there is one thing that is also important for later steps in this guide and is generally a good idea to do:
Encrypting swap using ecryptfs


Especially when using older machines with less ram than modern computers it can happen quite frequently that your machine will use swap for different tasks when there's not enough ram available to do the job. Apart from the lack of speed this is isn't very nice from a security standpoint: as the swap-partition is not located within your ram but on your harddrive - writing into this partion will leave traces of your activities on the harddrive itself. If your computer happens to use swap during your use of encryption tools it can happen that the passwords to the keys are written to swap and are thus extractable from there - which is something you really want to avoid.

You can do this very easily with the help of ecryptfs.

First you need to install it:
Code: Select all
$ sudo apt-get install ecryptfs-utils cryptsetup



Then we need to actually encrypt our swap using the following command:
Code: Select all
$ sudo ecryptfs-setup-swap



Your swap-partition will be unmounted, encrypted and mounted again.

To make sure that it worked run this command:
Code: Select all
$ sudo blkid | grep swap



The output lists your swap partion and should contain "cryptswap".

To avoid error messages on boot you will need to edit your /etc/fstab to fit your new setup:
Code: Select all
$ sudo geany /etc/fstab



Copy the content of that file into another file and save it. You will want to use it as back-up in case something gets screwed up.

Now make sure to find the entry of the above listed encrypted swap partition. If you found it go ahead and delete the other swap-entry relating to the unencrypted swap-partition. Save and reboot to check that everything is working as it should be.
Tomb


Another great crypto-tool is Tomb provided by the dyne-crew.

Tomb uses LUKS AES/SHA-256 and can thus be consider secure. But Tomb isn't just a possible replacement for tools like TrueCrypt.

It has some really neat and easy to use features:

1) Separation of encrypted file and key
2) Mounting files and folders in predefined places using bind-hooks
3) Hiding keys in picture-files using steganography

The documentation on Tomb I was able to find, frankly, seems to be scattered all over the place.
After I played around with it a bit I also came up with some tricks that I did not see being mentioned in any documentation.

And because I like to have everything in one place I wrote a short manual myself:

Installation:

First you will need to import dyne's keys and add them to your gpg-keylist:
Code: Select all
$ sudo gpg --fetch-keys http://apt.dyne.org/software.pub



Now verify the key-fingerprint.
Code: Select all
$ sudo gpg --fingerprint software@dyne.org | grep fingerprint



The output of the above command should be:
Code: Select all
Key fingerprint = 8E1A A01C F209 587D 57063A36 E314 AFFA 8A7C 92F1



Now, after checking that you have the right key you can trust add it to apt:
Code: Select all
$ sudo gpg --armor --export software@dyne.org > dyne.gpg$ sudo apt-key add dyne.gpg



After you did this you want to add dyne's repos to your sources.list:
Code: Select all
$ sudo geany /etc/apt/sources.list



Add:
Code: Select all
deb http://apt.dyne.org/debian dyne maindeb-src http://apt.dyne.org/debian dyne main



To sync apt:
Code: Select all
$ sudo apt-get update



To install Tomb:
Code: Select all
$ sudo apt-get install tomb



Usage:

If you have your swap activated Tomb will urge you to turn it off or encrypt it. If you encrypt it and leave it on you will need to include --ignore-swap into your tomb-commands. To turn off swap for this session you can run
Code: Select all
$ swapoff -a



To disable it completely you can comment out the swap in /etc/fstab. So it won't be mounted on reboot. (Please be aware that disabling swap on older computers with not much ram isn't such a good idea. Once your ram is being used fully while having no swap-partition mounted processes and programs will crash.)

Tomb will create the crypto-file in the folder you are currently in - so if you want to create a tomb-file in your documents-folder make sure to
Code: Select all
$ cd /home/user/documents



Once you are in the right folder you can create a tomb-file with this command:
Code: Select all
$ tomb -s XX create FILE



XX is used to denote the size of the file in MB. So in order to create a file named "test" with the size of 10MB you would type this:
Code: Select all
$ tomb -s 10 create test



God Bless

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #3 on: September 14, 2014, 04:20:13 am »
20K characters is really fuck all
God Bless

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #4 on: September 14, 2014, 04:21:50 am »

Usage:

If you have your swap activated Tomb will urge you to turn it off or encrypt it. If you encrypt it and leave it on you will need to include --ignore-swap into your tomb-commands. To turn off swap for this session you can run
Code: Select all
$ swapoff -a



To disable it completely you can comment out the swap in /etc/fstab. So it won't be mounted on reboot. (Please be aware that disabling swap on older computers with not much ram isn't such a good idea. Once your ram is being used fully while having no swap-partition mounted processes and programs will crash.)

Tomb will create the crypto-file in the folder you are currently in - so if you want to create a tomb-file in your documents-folder make sure to
Code: Select all
$ cd /home/user/documents



Once you are in the right folder you can create a tomb-file with this command:
Code: Select all
$ tomb -s XX create FILE



XX is used to denote the size of the file in MB. So in order to create a file named "test" with the size of 10MB you would type this:
Code: Select all
$ tomb -s 10 create test



Please note that if you haven't turned off your swap you will need to modify this command as follows:
Code: Select all
$ tomb --ignore-swap -s 10 create test



To unlock and mount that file on /media/test type:
Code: Select all
$ tomb open test.tomb



To unlock and mount to a different location:
Code: Select all
$ tomb open test.tomb /different/location



To close that particular file and lock it:
Code: Select all
$ tomb close /media/test.tomb



To close all tomb-files:
Code: Select all
$ tomb close all



or simply:
Code: Select all
$ tomb slam



After these basic operations we come to the fun part:
Advanced Tomb-Sorcery


Obviously having a file lying around somewhere entitled: "secret.tomb" isn't such a good idea, really.

A better idea is to make it harder for an attacker to even find the encrypted files you are using. To do this we will simply move its content to another file.

Example:
Code: Select all
$ touch true-story.txt true-story.txt.key$ mv secret.tomb true-story.txt$ mv secret.tomb.key true-story.txt.key



Now you have changed the filename of the encrypted file in such a way that it can't easily be detected.

When doing this you have to make sure that the filename syntax tomb uses is conserved:
Code: Select all
filename.suffixfilename.suffix.key



Otherwise you will have trouble opening the file.

After having hidden your file you might also want to move the key to another medium.
Code: Select all
$ mv true-story.txt.key /medium/of/your/choice



Now we have produced quite a bit of obfuscation. Now let's take this even further:

After we have renamed our tomb-file and separated key and file we now want to make sure our key can't be found either.

To do this we will hide it within a jpeg-file.
Code: Select all
$ tomb bury true-story.txt.key invisible-bike.jpg



You will need to enter a steganography-password in the process.

Now rename the original keyfile to something like "true-story.txt.key-backup" and check if everything worked:
Code: Select all
$ tomb exhume true-story.txt.key invisible-bike.jpg



Your key should have reappeared now. After making sure that everything works you can safely bury the key again and delete the residual key that usually stays in the key's original folder.

By default Tomb's encrypted file and key need to be in one folder. If you have separated the two you will have to modify your opening-command:
Code: Select all
$ tomb -k /medium/of/your/choice/true-story.txt.key open true-story.txt



To change the key-files password:
Code: Select all
$ tomb passwd true-story.txt.key



If, let's say, you want to use Tomb to encrypt your icedove mail-folders you can easily do that. Usually it would be a pain in the butt to do this kind of stuff with e.g. truecrypt because you would need to setup a container, move the folder to the container and when using the folder you would have to move back to its original place again.

Tomb does this with ease:

Simply move the folders you want to encrypt into the root of the tomb-file you created.

Example:

You want to encrypt your entire .icedove folder. Then you make a tomb-file for it and move the .icedove folder into that tomb. The next thing you do is create a file named "bind-hooks" and place it in the same dir. This file will contain a simple table like this:
Code: Select all
.icedove .icedove.folder-x .folder-x.folder-y .folder-y.folder-z .folder-z



The fist column denotes the path relative to the tomb's root. The second column represents the path relative to the user's home folder.

So if you simply wanted to encrypt your .icedove folder - which resides in /home/user/ the above notation is fine. If you want the folder to be mounted elsewhere in the your /home you need to adjust the lines accordingly.

One thing you need to do after you moved the original folder into the tomb is to create a dummy-folder into which the original's folders content can be mounted. So you simply go into /home/user and create a folder named ".icedove" and leave it empty.

The next time you open and mount that tomb-file your .icedove folder will be where it should be and will disappear as soon as you close the tomb. Pretty nice, hu?

I advise to test this out before you actually move all your mails and prefs into the tomb. Or simply make a backup. But use some kind of safety-net in order not to screw up your settings.
Keyloggers


Keyloggers can pose a great thread to your general security - but especially the security of your encrypted drives and containers. If someone manages to get a keylogger onto your system he/she will be able to collect all the keystrokes you make on your machine. Some of them even make screenshots.

So what kind of keyloggers are there?
Software Keyloggers


For linux there are several software-keyloggers available. Examples are lkl, uberkey, THC-vlogger, PyKeylogger, logkeys.
Defense against Software Keyloggers


1) Never use your system-passwords outside of your system

Generally everything that is to be installed under linux needs root access or some priveliges provided through /etc/sudoers. But an attacker could have obtained your password if he/she was using a browser-exploitation framework such as beef - which also can be used as a keylogger on the browser level. So if you have been using your sudo or root password anywhere on the internet it might have leaked and could thus be used to install all kinds of evil sh*t on your machine. Keyloggers are also often part of rootkits. So do regular system-checks and use intrusion-detection-systems.

2) Make sure your browser is safe

Often people think of keyloggers only as either a software tool or a piece of hardware equipment installed on their machine. But there is another threat that is actually much more dangerous for linux users: a compromised browser. You will find a lot of info on how to secure your browser further down. So make sure you use it.

Compromising browsers isn't rocket science. And since all the stuff that is actually dangerous in the browser is cross-plattform - you as a linux-user aren't safe from that. No matter what short-sighted linux-enthusiasts might tell you. A java-script exploit will pwn you - if you don't secure your browser. No matter if you are on OSX, Win or debian.

3) Check running processes

If your attacker isn't really skilled or determined he/she might not think about hiding the process of the running keylogger. You can take a look at the output of
Code: Select all
$ ps -auxor$ htopor$ pstree



and inspect the running processes. Of course the attacker could have renamed it. So have a look for suspicious processes you have never heard of before. If in doubt do a search on the process or ask in a security-related forum about it.

Since a lot of keyloggers come as the functionality of a rootkit it would be much more likely that you would have one of these.

4) Do daily scans for rootkits

I will describe tools for doing that further below. RKHunter and chkrootkit should definitely be used. The other IDS-tools described give better results and are much more detailed - but you actually need to know a little about linux-architecture and processes to get a lot out of them. So they're optional.

5) Don't rely on virtual keyboards

The idea to defeat a keylogger by using a virtual keyboard is nice. But is also dangerous. There are some keyloggers out there that will also capture your screen activity. So using a virtual keyboard is pretty useless and will only result in the false feeling of security.
Hardware Keyloggers


There is also an ever growing number of hardware keyloggers. Some of which use wifi. And some of them can be planted inside your keyboard so you wouldn't even notice them if you inspected your hardware from the outside.
Defense against Hardware Keyloggers


1) Inspect your Hardware

This one's obvious.

2) Check which devices are connected to your machine

There is a neat little tool called USBView which you can use to check what kind of usb-devices are connected to your machine. Some - but not all - keyloggers that employ usb will be listed there. It is available through the debian-repos.
Code: Select all
$ sudo apt-get install usbview



Apart from that there's not much you can do about them. If a physical attack is part of your thread-model you might want to think about getting a laptop safe in which you put the machine when not in use or if you're not around. Also, don't leave your laptop unattended at work, in airports, hotels and on conferences.
Secure File-Deletion


Additional to encrypted drives you may also want to securely delete old data or certain files. For those who do not know it: regular "file deletion" does not erase the "deleted" data. It only unlinks the file's inodes thus making it possible to recover that "deleted" data with forensic software.

There are several ways to securely delete files - depending on the filesystem you use. The easiest is:
BleachBit


With this little tool you can not only erase free disc space - but also clean your system from various temporary files you don't need any longer and that would give an intruder unnecessary information about your activities.

To install:
Code: Select all
$ sudo apt-get install bleachbit



to run:
Code: Select all
$ bleachbit



Just select what you need shredding. Remember that certain functions are experimental and may cause problems on your system. But no need to worry: BleachBit is so kind to inform you about that and give you the chance to cancel your selection.

Another great [and much more secure] tool for file deletion is:
srm [secure remove]
Code: Select all
$ sudo apt-get install secure-delete



Usage:
Code: Select all
Syntax: srm [-dflrvz] file1 file2 etc.Options:-dignore the two dot special files "." and "..".-ffast (and insecure mode): no /dev/urandom, no synchronize mode.-llessens the security (use twice for total insecure mode).-rrecursive mode, deletes all subdirectories.-vis verbose mode.-zlast wipe writes zeros instead of random data.


God Bless

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #5 on: September 14, 2014, 04:22:18 am »

Other ways to securely wipe drives


To overrite data with zeros:
Code: Select all
# dd if=/dev/zero of=/dev/sdXor:$ sudo dd if=/dev/zero of=/dev/sdX



To overwrite data with random data (makes it less obvious that data has been erased):
Code: Select all
# dd if=/dev/urandom of=/dev/sdXor:$ sudo dd if=/dev/urandom of=/dev/sdX



Note: shred doesn't work reliably with ext3.
Your Internet-Connection


Generally it is advised to use a wired LAN-connection - as opposed to wireless LAN (WLAN).
For further useful information in regards to wireless security read this. If you must use WLAN please use WPA2 encryption. Everything else can be h4xx0red by a 12-year-old using android-apps such as anti.

Another thing is: Try only to run services on your machine that you really use and have configured properly. If e.g. you don't use SSH - deinstall the respective client to make sure to save yourself some trouble. Please note that IRC also is not considered to be that secure. Use it with caution or simply use a virtual machine for stuff like that.

If you do use SSH please consider using Denyhosts or SSHGuard. (If you want to find out what might happen if you don't use such protection see foozer's post.)

So, let's begin with your firewall. For debian-like systems there are several possible firewall-setups and different guis to do the job. However, I found ipkungfu [an iptables-script] to do the best job while being easy to set up. This is how you set it up:
ipkungfu [basic configuration]


download and install:
Code: Select all
$ sudo apt-get install ipkungfu



configure:
Code: Select all
$ sudo geany /etc/ipkungfu/ipkungfu.conf



uncomment (and adjust):
Code: Select all
# IP Range of your internal network. Use "127.0.0.1"# for a standalone machine. Default is a reasonable# guess.LOCAL_NET="192.168.1.0/255.255.255.0"---# Set this to 0 for a standalone machine, or 1 for# a gateway device to share an Internet connection.# Default is 1.GATEWAY=0---# Temporarily block future connection attempts from an# IP that hits these ports (If module is present)FORBIDDEN_PORTS="135 137 139"---# Drop all ping packets?# Set to 1 for yes, 0 for no. Default is no.BLOCK_PINGS=1---# What to do with 'probably malicious' packets#SUSPECT="REJECT"SUSPECT="DROP"---# What to do with obviously invalid traffic# This is also the action for FORBIDDEN_PORTS#KNOWN_BAD="REJECT"KNOWN_BAD="DROP"---# What to do with port scans#PORT_SCAN="REJECT"PORT_SCAN="DROP"



enable ipkungfu to start with the system:
Code: Select all
$ sudo geany /etc/default/ipkungfu



change: "IPKFSTART = 0" ---> "IPKFSTART=1"

start ipkungfu:
Code: Select all
$ sudo ipkungfu



fire up GRC's Shields Up! and check out the awesomeness.

(special thanks to the ubuntu-community)
Configuring /etc/sysctl.conf


Here you set different ways how to deal with ICMP-packets and other stuff:
Code: Select all
$ sudo geany /etc/sysctl.conf

Code: Select all
# Do not accept ICMP redirects (prevent MITM attacks)net.ipv4.conf.all.accept_redirects=0net.ipv6.conf.all.accept_redirects=0net.ipv4.tcp_syncookies=1#lynis recommendations#net.ipv6.conf.default.accept_redirects=0net.ipv4.tcp_timestamps=0net.ipv4.conf.default.log_martians=1# TCP Hardening - http://www.cromwell-intl.com/security/security-stack-hardening.htmlnet.ipv4.icmp_echo_ignore_broadcasts=1net.ipv4.conf.all.forwarding=0net.ipv4.conf.all.rp_filter=1net.ipv4.tcp_max_syn_backlog=1280kernel.core_uses_pid=1kernel.sysrq=0#ignore all pingnet.ipv4.icmp_echo_ignore_all=1# Do not send ICMP redirects (we are not a router)net.ipv4.conf.all.send_redirects = 0# Do not accept IP source route packets (we are not a router)net.ipv4.conf.all.accept_source_route = 0net.ipv6.conf.all.accept_source_route = 0# Log Martian Packetsnet.ipv4.conf.all.log_martians = 1



After editing do the following to make the changes permanent:
Code: Select all
sudo sysctl -p



(thanks to tradetaxfree for these settings)
Modem & Router


Please don't forget to enable the firewall features of your modem (and router), disable UPnP and change the usernames and admin-passwords. Also try to keep up with the latest security info and updates on your firmware to prevent using equipment such as this. You might also want to consider setting up your own firewall using smoothwall.

Here you can run a short test to see if your router is vulnerable to UPnP-exploits.

The best thing to do is to use after-market-open-source-firmware for your router such as dd-wrt, openwrt or tomato. Using these you can turn your router into an enterprise grade device capable of some real Kungfu. Of course they come with heavy artillery - dd-wrt e.g. uses an IP-tables firewall which you can configure with custom scripts.
Intrusion-Detection, Rootkit-Protection & AntiVirus

snort [basic configuration]


The next thing you might want to do is to take a critical look at who's knocking at your doors.

For this we use snort. The setup is straight forward and simple:
Code: Select all
$ sudo apt-get install snort



run it:
Code: Select all
$ snort -D (to run as deamon)



to check out packages live type:
Code: Select all
$ sudo snort



Snort should automatically start on reboot.

If you want to check out snort's rules take a look at: /etc/snort/rules

To take a look at snorts warnings:
Code: Select all
$ sudo geany /var/log/snort/alert



Snort will historically list all the events it logged.

There you will find nice entries like this...
Code: Select all
[**] [1:2329:6] MS-SQL probe response overflow attempt [**][Classification: Attempted User Privilege Gain] [Priority: 1][Xref => ]http://www.securityfocus.com/bid/9407]



...and will thank the flying teapot that you happen to use #!
RKHunter


The next thing to do is to set up RKHunter - which is short for [R]oot[K]itHunter.

What does it do? You guessed it: It hunts down rootkits.

Installation again is simple:
Code: Select all
$ sudo apt-get install rkhunter



The best is to run rkhunter on a clean installation - just to make sure nothing has been tampered with already.

One very important thing about rkhunter is that you need to give it some feedback: everytime you e.g. make an upgrade to your sytem and some of your binaries change rkhunter will weep and tell you you've been compromised. Why? Because it can only detect suspicious files and file-changes. So, if you go about and e.g. upgrade the coreutils package a lot of change will be happening in /usr/bin - and when you subsequently ask rkhunter to check your system's integrity your log file will be all red with warnings. It will tell you that the file-properties of your binaries changed and you start freaking out. To avoid this simply run the command rkhunter --propupd on a system which you trust to not have been compromised.

In short: directly after commands like apt-get update && apt-get upgrade run:
Code: Select all
$ sudo rkhunter --propupd



This tells rkhunter: 'sall good.

To run rkhunter:
Code: Select all
$ sudo rkhunter -c --sk



You find rkhunter's logfile in /var/log/rkhunter.log. So when you get a warning you can in detail check out what caused it.

To set up a cronjob for RKHunter:
Code: Select all
$ sudo geany /etc/cron.daily/rkhunter.sh



insert and change the mail-address:
Code: Select all
#!/bin/bash/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" your@email-address.com



make the script executable:
Code: Select all
$ sudo chmod +x /etc/cron.daily/rkhunter.sh



update RKHunter:
Code: Select all
$ sudo rkhunter --update



and check if it functions the way it's supposed to do:
Code: Select all
$ sudo rkhunter -c --sk



Of course you can leave out the email-part of the cronjob if you don't want to make the impression on someone shoulder-surfing
your email-client that the only one who's sending you emails is your computer...

Generally, using snort and rkhunter is a good way to become paranoid - if you're not already. So please take the time to investigate the alerts and warnings you get. A lot of them are false positives and the listings of your system settings. Often enough nothing to worry about. But if you want to use them as security tools you will have to invest the time to learn to interpret their logs. Otherwise just skip them.
RKHunter-Jedi-Tricks


If you're in doubt whether you did a rkhunter --propupd after an upgrade and you are getting a warning you can run the following command:
Code: Select all
$ sudo rkhunter --pkgmgr dpkg -c --sk



Now rkhunter will check back with your package-manager to verify that all the binary-changes were caused by legitimate updates/upgrades. If you previously had a warning now you should get zero of them. If you still get a warning you can check which package the file that caused the warning belongs to.

To do this:
Code: Select all
$ dpkg -S /folder/file/in/doubt



Example:
Code: Select all
$ dpkg -S /bin/ls



Output:
Code: Select all
coreutils: /bin/ls



This tells you that the file you were checking (in this case /bin/ls) belongs to the package "coreutils".

Now you can fire up packagesearch.

If you haven't installed it:
Code: Select all
$ sudo apt-get install packagesearch



To run:
Code: Select all
$ sudo packagesearch



In packagesearch you can now enter coreutils in the field "search for pattern". Then you select the package in the box below. Then you go over to the right and select "files". There you will get a list of files belonging to the selected package. What you want to do now is to look for something like:
Code: Select all
/usr/share/doc/coreutils/changelog.Debian.gz



The idea is to get a file belonging to the same package as the file you got the rkhunter-warning for - but that is not located in the binary-folder.

Then you look for that file within the respective folder and check the file-properties. When it was modified at the same time as the binary in doubt was modified you can be quite certain that the change was caused by a legitimate update. I think it is save to say that some script-kiddie trying to break into your system will not be that thorough. Also make sure to use debsums when in doubt. I will get to that a little further down.

Another neat tool with similar functionality is:
chkrootkit


To install:
Code: Select all
$ sudo apt-get install chkrootkit



To run:
Code: Select all
$ sudo chkrootkit



Other nice intrusion detection tools are:
tiger


Tiger is more thorough than rkhunter and chkrootkit and can aid big time in securing your box:
Code: Select all
$ sudo apt-get install tiger



to run it:
Code: Select all
$ sudo tiger



you find tiger's logs in /var/log/tiger/
Lynis


If you feel that all the above IDS-tools aren't enough - I got something for you:

LynisLynis wrote:


Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems



I use it. It is great. If you think you might need it - give it a try. It's available through the debian repos.
Code: Select all
$ sudo apt-get install lynis



To run:
Code: Select all
$ sudo lynis -c



Lynis will explain its findings in the log-file.
debsums


debsums checks the md5-sums of your system-files against the hashes in the respective repos.

Installation:
Code: Select all
$ sudo apt-get install debsums



To run:
Code: Select all
$ sudo debsums -ac



This will list all the files to which the hashes are either missing or have been changed. But please don't freak out if you find something like: /etc/ipkungfu/ipkungfu.conf after you have been following this guide...
sha256


There are some programs that come with sha256 hashes nowadays. For example: I2P

debsums won't help with that. To check these hashes manually:
Code: Select all
$ cd /folder/you/downloaded/file/to/check/to -sha256sum -c file-you-want-to-check



Then compare it to the given hash. Note: This tool is already integrated to debian-systems.
ClamAV


To make sure eveything that gets into your system is clean and safe use ClamA[nti]V[irus].

To install:
Code: Select all
$ sudo apt-get install clamav



To update:
Code: Select all
$ sudo freshclam

God Bless

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #6 on: September 14, 2014, 04:23:48 am »



To inspect e.g. your download folder:
Code: Select all
$ sudo clamscan -ri /home/your-username/downloads



This will ClamAV do a scan recursively, i.e. also scan the content of folders and inform you about possibly infected files.

To inspect your whole system:
Code: Select all
$ sudo clamscan -irv --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/media --exclude=/mnt



This will make ClamAV scan your system recursively in verbose mode (i.e. show you what it is doing atm) whilst excluding folders that shouldn't be messed with or are not of interest and spit out the possibly infected files it finds. To also scan attached portable media you need to modify the command accordingly.

Make sure to test everything you download for possible infections. You never know if servers which are normally trustworthy haven't been compromised. Malicious code can be hidden in every usually employed filetype. (Yes, including .pdf!)

Remember: ClamAV is known for its tight nets. That means that you are likely to get some false positives from time to time. Do a web-search if you're in doubt in regards to its findings.

After you set up your host-based security measures we can now tweak our online security.

Starting with:
DNS-Servers

Using secure and censor-free DNS


To make changes to your DNS-settings:
Code: Select all
$ sudo geany /etc/resolv.conf



change your nameservers to trustworthy DNS-Servers. Otherwise your modem will be used as "DNS-Server" which gets its info from your ISP's DNS.
And nah... We don't trust the ISP...
Here you can find secure and censor-free DNS-servers. The Germans look here.

HTTPS-DNS is generally preferred for obvious reasons.

Your resolv.conf should look something like this:
Code: Select all
nameserver 213.73.91.35#CCC DNS-Servernameserver 85.214.20.141#FoeBud DNS-Server



Use at least two DNS-Servers to prevent connectivity problems when one server happens to be down or experiences other trouble.

To prevent this file to be overwritten on system restart fire up a terminal as root and run:
Code: Select all
$ sudo chattr +i /etc/resolv.conf



This will make the file unchangeble - even for root.

To revoke this for future changes to the .conf run:
Code: Select all
$ sudo chattr -i /etc/resolv.conf



This forces your web-browser to use the DNS-servers you provided instead of the crap your ISP uses.

To test the security of your DNS servers go here.
DNScrypt


What you can also do to secure your DNS-connections is to use DNScrypt.

The thing I don't like about DNScrypt is one of its core functions: to use OpenDNS as your resolver. OpenDNS has gotten quite a bad rep in the last years for various things like aggressive advertising and hijacking google-searches on different setups. I tested it out yesterday and couldn't replicate these issues. But I am certain that some of these "features" of OpenDNS have been actively blocked by my Firefox-setup (which you find below). In particular the addon Request Policy seems to prevent to send you to OpenDNS' search function when you typed in an address it couldn't resolve. The particular issue about that search function is that it apparently is powered by yahoo! and thus yahoo! would log the addresses you are searching for.

Depending on your threat-model, i.e. if you don't do anything uber-secret you don't want anybody to know, you might consider using DNScrypt, as the tool seems to do a good job at encrypting your DNS-traffic. There also seems to be a way to use DNScrypt to tunnel your queries to a DNS-server other than OpenDNS - but I haven't yet checked the functionality of this.

So, if you don't mind that OpenDNS will know every website you visit you might go ahead and configure DNScrypt:

Download the current version.

Then:
Code: Select all
$ sudo bunzip2 -cd dnscrypt-proxy-*.tar.bz2 | tar xvf -$ cd dnscrypt-proxy-*



Compile and install:
Code: Select all
$ sudo ./configure && make -j2$ sudo make install



Adjust -j2 with the number of cpu-cores you want to use for the compilation or have at your disposal.

Go and change your resolv.conf to use localhost:
Code: Select all
$ geany /etc/resolv.conf



Modify to:
Code: Select all
nameserver 127.0.0.1



Run DNScrypt as daemon:
Code: Select all
$ sudo dnscrypt-proxy --daemonize



According to the developer:jedisct1 wrote:


DNSCrypt will chroot() to this user's home directory and drop root privileges for this user's uid as soon as possible.



I have to admit that OpenDNS is really fast. What you could do is this: You could use OpenDNS for your "normal" browsing. When you start browsing for stuff that you consider to be private for whatever reasons change your resolv.conf back to the trustworthy DNS-servers mentioned above - which you conveniently could keep as a backup file in the same folder. Yeah, that isn't slick, I know. If you come up with a better way to do this let me know. (As soon as I checked DNScrypt's function to use the same encryption for different DNS-Servers I will make an update.)

The next thing on our list is:
Firefox/Iceweasel

Firefox-Sandbox: Sandfox


Sandfox is a neat little script provided by IgnorantGuru which runs firefox (and other applications) in a sandboxed environment which prevents firefox's access to crucial filesystem-areas in case it gets compromised.

To install:
Code: Select all
$ sudo -s$ gpg --keyserver keys.gnupg.net --recv-keys 7977070A723C6CCB696C0B0227A5AC5A01937621$ gpg --check-sigs 0x01937621$ bash -c 'gpg --export -a 01937621 | apt-key add -'$ echo "deb http://ignorantguru.github.com/debian/ unstable main" >> /etc/apt/sources.list$ apt-get update$ apt-get install sandfox



(Thanks to tradetaxfree)

To run:
Code: Select all
$ sudo sandfox firefox



Type "/" into firefox address-bar to check out whether it works. Firefox should now only have access to files it really needs to function and not e.g. /root.

To be able to download stuff from the web you need to add a bind in sandfox's default profile:
Code: Select all
$ sudo geany /etc/sandfox/default.profile



add:
Code: Select all
bind=/home/$user/downloads



Check your systems filename-capitalization to make sure you really grant sandfox access to the right folder

In #! you can easily set this configuration as your default: simply go to "settings"->"openbox"->"GUI Menu Editor"->"Openbox"->"Web Browser". Then simply add the command "sandfox firefox". For this to work you need to once run
Code: Select all
$ sudo sandfox firefox



after a system start to create a sandbox. If you happen to find this too much hassle simply go with tradetaxfree's init-script.

After you successfully sandboxed your browser we now continue to make that particular application much more secure than it is by default.

First go to:
Firefox-Preferences


and change these settings:

[Some of these are defaults already - but depending on who was/is using the machine you access the interwebs with and other varying factors you might want to control these settings.]
Code: Select all




"General"->"when Firefox starts"->"Show a blank page""General"->"save files to:"Downloads""Content"->check:"Block pop-up windows""Content"->uncheck:"Enable JavaScript" [optional - NoScript Add-on will block it anyway]"Content"->"Fonts & Colors"->"Advanced"->"Serif":"Liberation Sans""Content"->"Fonts & Colors"->"Advanced"->"Sans-serif":"Liberation Sans""Content"->"Fonts & Colors"->"Advanced"->uncheck:"Allow pages to choose their own fonts""Content"->"Languages"->choose *only*:"en-us" [remove all others, if any]"Applications"->choose:"Always ask" for every application - if not possible:choose:"Preview in Firefox/Nightly""Privacy"->"Tracking"->check:"Tell websites I do not want to be tracked""privacy"->"History"->"Firefox will:"Use custom settings for history""privacy"->"History"->uncheck:"Always use private browsing mode""privacy"->"History"->uncheck:"Remember my browsing and download history""privacy"->"History"->uncheck:"Remember search and form history""privacy"->"History"->uncheck:"Accept cookies from sites""privacy"->"History"->uncheck:"Accept third-party cookies""privacy"->"History"->check:"Clear history when Firefox/Nightly closes""privacy"->"History"->"settings":check all -> except:"Site Preferences"[to enable cookies for certain trusted sites: use:"Exceptions" and paste URL of site and modify settings according to your preference. If you additionally use Cookie-Monster (Add-on) you need to uncheck "Block all cookies" in CM-Options]"privacy"->"location bar"->"When using the location bar, suggest:"->choose:"Nothing""security"->check:"Warn me when sites try to install add-ons""security"->check:"Block reported attack sites""security"->check:"Block reported web forgeries""security"->"Passwords"->uncheck:"Remember passwords for sites""security"->"Passwords"->uncheck:"Use a master password""advanced"->"General"->"System Defaults"->uncheck:"Submit crash reports""advanced"->"General"->"System Defaults"->uncheck:"Submit performance data""advanced"->"Update"->check:"Automatically install updates""advanced"->"Update"->check:"Warn me if this will disable any of my add-ons""advanced"->"Update"->check:"Automatically update Search Engines""advanced"->"Encryption"->"Protocols"->check:"Use SSL 3.0""advanced"->"Encryption"->"Protocols"->check:"Use TLS 1.0""advanced"->"Encryption"->"Certificates"->"When a server requests my personal certificate"->check:"Ask me every time"


Plugins


at the most use:

Java

Flash [Be aware of the latest security holes in flash!

Only allow them to run on trusted sites!
Addons


Empty Cache Button [optional]

Calomel SSL Validation [cool little addon which does exactly what its name says and also has some more tweaks in the settings]

Adblock Edge

[---> Filter Supscriptions: make sure you get some anti-tracking filters up and running! (depending on location & internet use)]

Easylist

EasyPrivacy

fanboy-adblock

Fanboy's Tracking List

Fanboy's Annoyance List

[---]

BetterPrivacy [LSO/Flash-Cookie-Protection]

Cookie Monster [Allows you to Manage your Cookie-Policies. For less baggage use Firefox/Iceweasel "Preferences" -> "Privacy"]

HTTPS-Everywhere [Download via EFF.org] [settings: enable SSL-Observatory but don't allow to transmit ISP-data]

HTTPS Finder

NoScript [go to "settings" and check "also apply on whitelisted sites"]

Perspectives [SSL-Cerfiticate-Control - go to settings: "notary servers" -> check "only contact when websites cause security error"]

RefControl [controls your HTTP-Referers - setting: "block" -> "3rd parties only"]

Request Policy [rejects cross-site requests]

WOT [Web of Trust - user based website ratings that show up in websearches. Caution: Not very accurate. Always double check when in doubt. This addon tends
to get abused by different groups of users who either give malicious sites good ratings - or flag perfectly good sites.]

PwdHash [Nice addon to help your password management. Use "F2" when entering a password into a password field when setting up a new account somewhere to create a MD5-hash using your password and the domain. (When logging in you have to select the password-field and press F2 again to run the hashing.) This way you can use the same password on different sites without having to worry about security implications - because every site gets its own password generated through the hash. The tool is provided by Standford University and can be trusted. No data is actually transmitted to their servers. The hash is generated using your local java-script. If you need to login from a machine that doesn't have pwdhash installed: go to https://www.pwdhash.com/ -> their SSL is very strong.]

FoxyProxy [a convenient Proxy Switcher]

Useragent Switcher [Does exactly that. But be careful: If you set your user-agent as shown below - using this addon it will overwrite these settings and will not automatically restore them if you turn off the switcher. So you would have to manually reconfigure about:config again. Which kinda sucks. But you can get a whole load really cool user agents here. Simply download the .xml and import it to the Useragent Switcher. There are really neat current agents in there: e.g. all kinds of different web browser for all OSs and of course various bots. Google bot comes in handy when you need access to some forum... ]

Web Developer [Has some cool features. If you like inspecting websites just check it out.]

Bloody Vikings [Creates disposable mail-addresses]

Note: You don't need Ghostery. The above mentioned Adblock lists do a much better job protecting you from web-tracking without using the additional resourced Ghostery uses.

Of course there are more addons you could use. But I don't really see the point of them. Most of them either are snake-oil or even dangerous. But please inform me if you happen to come across something really cool which could help improve security which none of the setting provided here can do.

To keep your ISP and possible MITM-attackers from reading what you do on the web always use SSL - as far as it is available. To help with this use:
SSL-Search Engines


To get them go here.

The user "SSL Search Bar" has provided easily installable SSL-searchbar-plugins

You get SSL-plugins for all the alternative search-engines like ixquick, duckduckgo etc. there. Install those you happen to use.

Privatelee also looks promising. But I haven't tried it out extensively.

The next thing to do is to change macromedias flash-settings:
Flash-Settings


Go here.

And fight yourself through their nasty settings-manager. Set everything to "0" or "never allow"/"never ask again" and
delete all stored website-content. Give special attention to the "webcam and mic"-options...

You might as well set the permissions of your .macromedia folder to read only - but that's kind of unnecessary because you want to make sure to edit the options mentioned above - to make sure that you don't allow websites to use your mic or webcam... [I actually take this one step further by disabling them in BIOS and sticking some neatly cut little piece of black cardboard on my webcam. Just because you're paranoid doesn't mean they aren't after you...  ] And if you set the parameters in the settings-manager accordingly nothing will be written to that folder anyway.

Now we come to the fun part. Finetuning Firefox using about:config. If you've never done this before: No reason to freak out. It's really easy.
about:config


[You can simply copy/paste these variables into the search-bar at the top: e.g. "browser.cache.disk.enable" and
then double-click on the entry that shows up to modify the settings.]
Code: Select all



isable browser cache:browser.cache.disk.enable:falsebrowser.cache.disk_cache_ssl:falsebrowser.cache.offline.enable:falsebrowser.cache.memory.enable:falsebrowser.cache.disk.capacity:0browser.cache.disk.smart_size.enabled:falsebrowser.cache.disk.smart_size.first_run:falsebrowser.cache.offline.capacity:0dom.storage.default_quota:0dom.storage.enabled:falsedom.indexedDB.enabled:falsedom.battery.enabled:false---disable history & localizationbrowser.search.suggest.enabled:falsebrowser.sessionstore.resume_from_crash:falsegeo.enabled:false---misc other tweaks:keyword.enabled:falsenetwork.dns.disablePrefetch:true -> very important when using TORnetwork.dns.disablePrefetchFromHTTPS -> very important when using TORdom.disable_window_open_feature.menubar:truedom.disable_window_open_feature.personalbar:truedom.disable_window_open_feature.scrollbars:truedom.disable_window_open_feature.toolbar:truebrowser.identity.ssl_domain_display:1browser.urlbar.autocomplete.enabled:falsebrowser.urlbar.trimURL:falseprivacy.sanitize.sanitizeOnShutdown:truenetwork.http.sendSecureXSiteReferrer:falsenetwork.http.spdy.enabled:false ---> use http instead of google's spdyplugins.click_to_play:true ---> also check each drop-down-menu under "preferences"->"content"security.enable_tls_session_tickets:false ---> disable https-trackingsecurity.ssl.enable_false_start:true ---> disable https-trackingextensions.blocklist.enabled:false ---> disble Mozilla's option to block/disable your addons remotelywebgl.disabled:true ---> disable WebGL (http://security.stackexchange.com/questions/13799/is-webgl-a-security-concern)network.websocket.enabled:false ---> ***Tor Users: This is extremely important as it could blow your cover! See: http://pastebin.com/xajsbiyh***---make your browsing faster:network.http.pipelining:truenetwork.http.pipelining.ssl:truenetwork.http.proxy.pipelining:truenetwork.http.max-persistent-connections-per-proxy:10network.http.max-persistent-connections-per-server:10network.http.max-connections-per-server:15network.http.pipelining.maxrequests:15network.http.redirection-limit:5network.dns.disableIPv6:truenetwork.http.fast-fallback-to-IPv4:falsedom.popup_maximum Mine:10network.prefetch-next:falsebrowser.backspace_action:0browser.sessionstore.max_tabs_undo:5browser.sessionhistory.max_entries:5browser.sessionstore.max_windows_undo:1browser.sessionstore.max_resumed_crashes:0browser.sessionhistory.max_total_viewers:0browser.tabs.animate:0




God Bless

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #7 on: September 14, 2014, 04:26:30 am »
For all Firefox Versions after 17.0 [you should be using current versions and update them regularly anyway - to do this go to "preferences"->"advanced"->"update" select: "automatically install updates" & "warn me if this will disable any of my addons"] [not required for iceweasel]

For the following changes right-click in about:config and select "new"->"string" and enter in this order:
Code: Select all
Variable:Value:general.useragent.overrideMozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0general.appname.overrideNetscapegeneral.appversion.override5.0 (Windows)general.oscpu.overrideWindows NT 6.1general.platform.overrideWin32general.productSub.override20100101general.buildID.override0general.useragent.vendor[enter variable - but leave value blank]general.useragent.vendorSub[enter variable - but leave value blank]intl.accept_languagesen-us,en;q=0.5network.http.accept.defaulttext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8network.http.accept-encodinggzip, deflate



This creates a fake-profile of your browser via the readable HTTP-headers it sends.

Check out if your browser is profilable.

With all the above settings I get 8.1 bits of identifying information at Panopticlick for my browser - which is really good.

Considering:

"In particular, a fingerprint that carries no more than 15-20 bits of identifying information will in almost all cases be sufficient to uniquely identify a particular browser, given its IP address, its subnet, or even just its Autonomous System Number."

Source: EFF's "Browser Uniqueness" [page 3]

Also check your settings on ip-check.info - but don't rely on it. Apparently they are quite busy promoting their JonDonym-Browser and services - which quite frankly I don't think anyone needs. I would rather warn you to use it since according to this defcon-talk JAP/JonDonym has implemented tracking-features which are disabled by default but can be activated anytime. So don't use it.

Now, after having configured your host-based security and your web-browser we can start connecting to the web. But there are different options:
TOR [The Onion Router]


TOR is probably the most famous anonymizing-tool available. You could consider it a safe-web proxy. [Update: I wouldn't say that any longer. See the TOR-Warning below for more info.] Actually, simply put, it functions as a SOCKS-proxy which tunnels your traffic through an encrypted network of relays in which your ip-address can not be traced. When your traffic exits the network through so-called exit-nodes the server you are contacting will only be able to retrieve the ip-address of the exit-node. It's pretty useful - but also has a few drawbacks:

First of all it is slow as f**k. Secondly exit-nodes are often times honey-pots set up by cyber-criminals and intelligence agencies. Why? The traffic inside the TOR-network is encrypted - but in order to communicate with services on the "real" internet this traffic needs to be decrypted. And this happens at the exit-nodes - which are thus able to inspect your packets and read your traffic. Pretty uncool. But: you can somewhat protect yourself against this kind of stuff by only using SSL/https for confidential communications such as webmail, forums etc. Also, make sure that the SSL-certificates you use can be trusted, aren't broken and use secure algorithms. The above mentioned Calomel SSL Validation addon does a good job at this. Even better is the Qualys SSL Server Test.

The third bummer with TOR is that once you start using TOR in an area where it is not used that frequently which will be almost everywhere - your ISP will directly be able to identify you as a TOR user if he happens to use DPI (Deep Packet Inspection) or flags known TOR-relays. This of course isn't what we want. So we have to use a workaround. (For more info on this topic watch this vid: How the Internet sees you [27C3])

This workaround isn't very nice, I admit, but basically the only way possible to use TOR securely.

So, the sucker way to use TOR securely is to use obfuscated bridges. If you don't know what this is please consider reading the TOR project's info on bridges

Basically we are using TOR-relays which are not publicly known and on top of that we use a tool to hide our TOR-traffic and change the packets to look like XMPP-protocol.

Why does this suck? It sucks because this service is actually meant for people in real disaster-zones, like China, Iran and other messed up places. This means, that everytime we connect to TOR using this technique we steal bandwidth from those who really need it. Of course this only applies if you live somewhere in the Western world. But we don't really know what information various agencies and who-knows-who collect and how this info will be used if, say, our democratic foundations crumble. You could view this approach as being proactive in the West whereas it is necessary and reactive in the more unfortunate places around the world.

But, there is of course something we can do about this: first of all only use TOR when you have to. You don't need TOR for funny cat videos on youtube. Also it is good to have some regular traffic coming from your network and not only XMPP - for obvious reasons. So limit your TOR-use for when it is necessary.

The other thing you/we can do is set up our own bridges/relays and contribute to the network. Then we can stream the DuckTales the whole darn day using obfuscated bridges without bad feelings...

How to set up a TOR-connection over obfuscated bridges?

Simple: Go to -> The Tor project's special obfsproxy page and download the appropriate pre-configured Tor-Browser-Bundle.

Extract and run. (Though never as root!)

If you want to use the uber-secure webbrowser we configured above simply go to the TOR-Browsers settings and check the port it uses for proxying. (This will be a different port every time you start the TOR-Bundle.)

Then go into your browser and set up your proxy accordingly. Close the TOR-Browser and have phun! - But don't forget to: check if you're really connected to the network.

To make this process of switching proxies even more easy you can use the FireFox-addon: FoxyProxy. This will come in handy if you use a regular connection, TOR and I2P all through the same browser.

Tipp: While online with TOR using google can be quite impossible due to google blocking TOR-exit-nodes - but with a little help from HideMyAss! we can fix this problem. Simply use the HideMyAss! web interface to browse to google and do your searchin'. You could also use search engines like ixquick, duckduckgo etc. - but if you are up for some serious google hacking - only google will do...  [Apparently there exists an alternative to the previously shut-down scroogle: privatelee which seems to support more sophisticated google search queries. I just tested it briefly after digging it up here. So you need to experiment with it.]

But remember that in case you do something that attracts the attention of some three-letter-organization HideMyAss! will give away the details of your connection. So, only use it in combination with TOR - and: don't do anything that attracts that kind of attention to begin with.

Warning: Using Flash whilst using TOR can reveal your real IP-Address. Bear this in mind! Also, double-check to have network.websocket.enabled set to false in your about:config! -> more info on that one here.

Another general thing about TOR: If you are really concerned about your anonymity you should never use anonymized services along non-anonymized services. (Example: Don't post on "frickkkin'-anon-ops-forum.anon" while browsing to your webmail "JonDoe@everybodyknowsmyname.com")

And BTW: For those who didn't know it - there are also the TOR hidden services...

One note of caution: When dealing with darknets such as TOR's hidden services, I2P and Freenet please be aware that there is some really nasty stuff going on there. In fact in some obscure place on these nets everything you can and can't imagine is taking place. This is basically a side-effect of these infrastructure's intended function: to facilitate an uncensored access to various online-services from consuming to presenting content. The projects maintaining these nets try their best to keep that kind of stuff off of the "official" search engines and indexes - but that basically is all that can be done. When everyone is anonymous - even criminals and you-name-it are.


To avoid that kind of exposure and thus keep your consciousness from being polluted with other people's sickness please be careful when navigating through these nets. Only use search-engines, indexes and trackers maintained by trusted individuals. Also, if you download anything from there make sure to triple check it with ClamAV. Don't open even one PDF-file from there without checking.

To check pdf-files for malicious code you can use wepawet. Or if you are interested in vivisecting the thing have a look at Didier Steven's PDFTools or PeePDF.

Change the file-ownership to a user with restricted access (i.e. not root) and set all the permissions to read only. Even better: only use such files in a virtual machine. The weirdest code thrives on the darknets...  I don't want to scare you away: These nets generally are a really cool place to hang out and when you exercise some common sense you shouldn't get into trouble.

[Another short notice to the Germans: Don't try to hand over stuff you may find there to the authorities, download or even make screenshots of it. This could get you into serious trouble. Sad but true. For more info watch this short vid.]
TOR-Warning


The above mentioned issues unfortunately aren't the only ones. I have come across more and more reasons not to use TOR:

- When using TOR you use about five times your normal bandwidth - which makes you stick out for your ISP - even with obfuscate bridges in use.

- TOR-nodes (!) and TOR-exit-nodes can be and are being used to deploy malicious code and to track and spy on users.

- There are various methods of de-anonymizing TOR-users: from DNS-leaks over browser-info-analysis to traffic-fingerprinting.

I won't explain all these issues in detail but if you are interested in finding out why TOR isn't safe to use (and you should if you actually think that TOR is making you anonymous) I recommend you watch these talks:

Attacking TOR at the Application-Layer
De-TOR-iorate Anonymity
Taking Control over the Tor Network
Dynamic Cryptographic Backdoors to take over the TOR Network
Security and Anonymity vulnerabilities in Tor
Anonymous Internet Communication done Right (I disagree with the speaker on Proxies, though. See info on proxies below.)
Owning Bad Guys and Mafia with Java-Script Botnets

And if you want to see how TOR-Exit-Node sniffing is done live you can have a look at this:
Tor: Exploiting the Weakest Link

To make something clear: I have nothing against the TOR-project. In fact I like it really much. But TOR is simply not yet able to cash in the promises it makes. Maybe in a few years time it will be able to defend against a lot of the issues that have been raised and illustrated. But until then I can't safely recommend using it to anybody. Sorry to disappoint you.
I2P


I2P is a so-called darknet. It functions differently from TOR and is considered to be way more secure. It uses a much better encryption and is generally faster. You can theoretically use it to browse the web - but it is generally not advised and even slower as TOR using it for this purpose. I2P has some cool sites to visit, an anonymous email-service and a built-in anonymous torrent-client.

For I2P to run on your system you need Open-JDK/JRE since I2P is a java-application. To install:

Go to-> The I2P's website download, verify the SHA256 and install:
Code: Select all
$ cd /directory/you/downloaded/the/file/to && java -jar i2pinstall_0.9.4.jar



Don't install as root - and even more important: Never run as root!
Code: Select all
To start: $ cd /yourI2P/folder ./i2prouter startTo stop: $ cd /yourI2P/folder ./i2prouter stop



Once running you will be directed to your Router-Console in FireFox. From there you have various options. You should consider to give I2P more bandwidth than default for a faster and more anonymous browsing experience.

The necessary browser configuration can be found here.

For further info go to the project's website.
Freenet


A darknet I have not yet tested myself, since I only use TOR and I2P is Freenet. I heard that it is not that populated and that it is mainly used for filesharing. A lot of nasty stuff also seems to be going on on Freenet - but this is only what I heard and read about it. The nasty stuff issue of course is also true for TOR's hidden services and I2P. But since I haven't been on it yet I can't say anything about that. Maybe another user who knows Freenet better can add her/his review.

Anyhow...:

You get the required software here.

If you want to find out how to use it - consult their helpsite.
Secure Peer-to-Peer-Networks


GNUnet

RetroShare
Mesh-Networks


If you're asking yourself what mesh-networks are take a look at this short video.

guifi.net

Netsukuku Community

OpenWireless

Commotion

FabFi

Mesh Networks Research Group

Byzantium live Linux distro for mesh networking

(Thanks to cyberhood!)
Proxies


I have not yet written anything about proxy-servers. In short: Don't ever use them.

There is a long and a short explanation. The short one can be summarized as follows:

- Proxy-servers often sent xheaders containing your actual IP-address. The service you are then communication to will receive a header looking like this:
Code: Select all
X-Forwarded-For: client, proxy1, proxy2



This will tell the server you are connecting to that you are connecting to him via a proxy which is fetching data on behalf of... you!

- Proxy servers are infested with malware - which will turn your machine into a zombie within a botnet - snooping out all your critical login data for email, banks and you name it.

- Proxy servers can read - and modify - all your traffic. When skilled enough sometimes even circumventing SSL.

- Proxy servers can track you.

- Most proxy servers are run by either criminals or intelligence agencies.

Seriously. I really recommend watching this (very entertaining) Defcon-talk dealing with this topic. To see how easy e.g. java-script-injections can be done have a look at beef.
VPN (Virtual Private Network)


You probably have read the sections on TOR and proxy-servers (do it now - if you haven't) and now you are asking yourself: "&*%$!, what can I use to browse the web safely and anonymously????"

Well, there is a pretty simple solution. But it will cost you a few nickels. You have to buy a premium-VPN-service with a trustworthy VPN-provider.

If you don't know what a VPN is or how it works - check out this video.

Still not convinced? Then read what lifehacker has to say about it.

Once you've decided that you actually want to use a VPN you need to find a trustworthy provider. Go here to get started with that.

Only use services that offer OpenVPN. Basically all the other protocols aren't that secure. Or at least they can't compare to OpenVPN.

Choose the most trustworthy service you find out there and be paranoid about it.

A trustworthy service doesn't keep logs. If you choose a VPN, read the complete FAQ, their Privacy Policy and the Terms of Service. Check where they're located and check local privacy laws. And: Don't tell people on the internet which service you are using.

You can get yourself a second VPN account with a different provider you access through a VM. That way VPN#1 only knows your IP-address but not the content of your communication and VPN#2 knows the content but not your IP-address.

Don't try to use a free VPN. Remember: If you're not paing for it - you are the product.
The Web


If for some unimaginable reason you want to use the "real" internet  - you now are equipped with a configuration which will hopefully make this a much more secure endeavour. But still: Browsing the internet and downloading stuff is the greatest vulnerability to a linux-machine. So use some common sense.
RSS-Feeds


Please be aware that using RSS-feeds can be used to track you and the information-sources you are using. Often RSS-feeds are managed through 3rd-party providers and not the by the original service you are using.

Web-bugs are commonly used in RSS-tracking. Also your IP-address and other available browser-info will be recorded.

Even when you use a text-based desktop-feedreader such as newsbeuter - which mitigates tracking though web-bugs and redirects - you still leave your IP-address.

To circumvent that you would want to use a VPN or TOR when fetching your RSS-updates.

If you want to learn more about RSS-tracking read this article.
Secure Mail-Providers:


Please consider using a secure email-provider and encourage your friends and contacts to do the same. All your anonymization is worthless when you communicate confidential information in an unencrypted way with someone who is using gmx, gmail or any other crappy provider. (This also applies if you're contemplating setting up your own mail-server.)

If possible, encrypt everything, but especially confidential stuff, using gpg/enigmail.

lavabit.com [SSL, SMTP, POP]
hushmail.com [SSL, SMTP, no POP/IMAP - only in commercial upgrade]
vfemail.net [SSL, SMTP, POP]

I found these to be the best. But I may have missed others in the process.
Hushmail also has the nice feature to encrypt "inhouse"-mails, i.e. mail sent from one hushmail-account to another. So, no need for gpg or other fancy stuff.

The user cyberhood mentioned these mail-providers in the other #! thread on security.

autistici.org [SSL, SMTP, IMAP, POP]

Looks alright. Maybe someone has tested it already?

mailoo.org [SSL, SMTP, IMAP, POP]

Although I generally don't trust services that can not present themselves without typos and grammatical errors - I give them
the benefit of the doubt for they obviously are French.  Well, you know how the French deal with foreign languages... 

countermail.com [SSL, SMTP, IMAP, POP]

See this Review

riseup.org

You need to prove that you are some kind of activist-type to get an account with them. So I didn't bother to check out their security. This is how they present themselves:Riseup wrote:


The Riseup Collective is an autonomous body based in Seattle with collective members world wide. Our purpose is to aid in the creation of a free society, a world with freedom from want and freedom of expression, a world without oppression or hierarchy, where power is shared equally. We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression.



Edit: I changed my mind and will not comment on Riseup. It will have its use for some people and as this is a technical manual I edited out my political criticism to keep it that way.
Disposable Mail-Addresses


Sometimes you need to register for a service and don't want to hand out your real mail-address. Setting up a new one also is a nuisance. That's where disposable mail-addresses come in. There is a firefox-addon named Bloody Vikings that automatically generates them for you. If you rather want to do that manually you can use some of these providers:
God Bless

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #8 on: September 14, 2014, 04:27:25 am »
IM SAVING THE REST FOR THE REAL GANGSTERSSSASASASAS :GUN: :KNIFE: :BOMB: :BLUNT: :STAXOFCASH: :TRUEGSLINKUP:
God Bless

Offline Darkhunter

  • Devotee
  • **
  • Posts: 151
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #9 on: September 14, 2014, 04:49:38 am »
You will never be a mod again.

Offline unbreakable matter

  • Zealot
  • ****
  • !
  • Posts: 1,108
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #10 on: September 14, 2014, 04:53:12 am »
who gives a fuck

you will never be less than 200 lbs again
God Bless

Offline Darkhunter

  • Devotee
  • **
  • Posts: 151
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #11 on: September 14, 2014, 11:10:49 am »
who gives a fuck

you will never be less than 200 lbs again

But I am right now. How's the fused spin from Bubba making you his bitch one too many times that your body couldn't take it?

Offline RisiR

  • Veteran
  • *****
  • Posts: 3,710
  • The Anti-Mod
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #12 on: September 14, 2014, 11:27:31 am »
What kind of weakling would like to way less than 200 lbs?

Is Unstable Matter a girl??!!! Darkhunter, to? What the fuck.....
who's the judge of if its funny and or clever? the mods. period.

Offline Darkhunter

  • Devotee
  • **
  • Posts: 151
    • View Profile
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #13 on: September 14, 2014, 08:20:00 pm »
What kind of weakling would like to way less than 200 lbs?

Is Unstable Matter a girl??!!! Darkhunter, to? What the fuck.....

Shut it you obese nigger

Offline Dfg

  • Devotee
  • **
  • Posts: 103
    • View Profile
    • Totseans
Re: The Gentleman's Guide To Forum Spies (spooks, feds, etc.)
« Reply #14 on: September 14, 2014, 08:31:20 pm »
TC has been nuked ages ago. 1.7 was the last working version, anything above is nuked.

lavabit.com [SSL, SMTP, POP]

Has been closed down.

This thread is full of copypasta and outdated information.



@dfg <-- Twitter