Even if you're not doing anything wrong, you are being watched and recorded. — Edward Snowden

As more and more people are living a digital life inside their computers, discussions about privacy and whether or not we can expect to be protected from intrusions in our  private lives are taking over the Internet. Regardless of your thoughts  on the subject, if you are just a concerned citizen or the newest  whistle-blower, there are some ways you can protect your privacy while  browsing the Internet or visiting a new country. This is not an  exhaustive list, it's just a compilation of useful information I  gathered.


Use unique SSH keys for each service  (sharing a SSH key on your GitHub/Gitlab account, network router and  AWS/Azure instance is a very stupid idea); use ssh-keygen -t rsa -b 4096  to generate a 4096 bit RSA SSH key. Never put your private keys on  external storage (USB stick, SD card, floppy disk, punch card, whatever) where it can be accessed unencrypted. Learn how to work with a SSH ~/.ssh/config file and prevent servers from fingerprinting you using your public key (you can view the public keys of any user via a GitHub request https://github.com/<USERNAME>.keys, for examplehttps://github.com/voxspace.keys).

Always enable two-factor auth on websites that support it and you will receive a SMS message with a code every time you login  into the website, adding an extra layer of security. Consider getting a YubiKey.

Use a strong PIN for your phone, NEVER use fingerprints as passwords, they can be bypassed or you can be compelled by a judge to unlock the phone.

Search Engine

I advise against using Google for searches since they are tracked, you should be usingDuckDuckGo's Search Engine,  and when you actually need to search using Google, use the!g modifier  in the address bar (for example, type !g EFF and you will be redirected  to Google Search through DuckDuckGo's website. Likewise you can use !w  to search intoWikipedia and many other shortcuts (!git for GitHub search).

Full Disk Encryption

You should be using either Bitlocker (for Windows platforms, warning ahead) or LUKS(Linux  platforms) full disk encryption on the hard-drive of your system and  any external disks with sensitive information on them. Start by setting  an unique pass-phrase of minimum 32 characters for each hard-drive (try  making a mental algorithm, for example, start with Dum inter homines  sumus, colamus humanitatem (a quote by Seneca that roughly translates as  "As long as we are among humans, let us be humane") then replace each u  occurence with |_| (three characters).

Make it more complex by  replacing o letter with () (or even )( if you want to be sneaky). That  way, the passphrase will become D|_|m inter h()mines s|_|m|_|s,  c()lam|_|s h|_|manitatem. Of course, sky is the limit for upping the  complexity of your passphrase (as long as you remember the original  version and the replacement algorithm). Keep in mind that nothing can  save you from this kind of attack.

A  very important thing to remember is that you cannot fully rely on disk  encryption, you need to employ additional layers like encrypting your  sensitive files. Also, in USA (and UK and probably many other countries)  a court might demand you decrypt the hard-drives or hold you in contempt and throw your sorry ass in the jail until you comply.

Browser Plugins

I recommend using the Mozilla Firefox browser for navigation, not Chrome, and below is the list of Firefox plugins that I recommend for everyone to use.

For example, Random Agent Spoofer should be configured as below and rotate a desktop browser profile every 5 minutes.

Random Agent Spoofer settings

Your worst browser enemies are Java applets, Flash objects, Silverlight, WebRTC, WebGL,  basically any malicious Javascript code, so you should have all  Javascript forbidden and whitelist your domains and the ones that you  are absolutely sure they pose no threat.

Some of the functions of  the plugins overlap but overall, I found those plugins to offer the best  privacy. Each of them needs to be fine-tuned according to the level of  anonymity you want to keep.Chat/communication

I use the Pidgin messenger with separate plugins for Telegram, Facebook Chatand Skype.  All those plugins will probably need to be compiled (helps immensely if  you have a Linux machine) and if you are a programmer, I recommend you  to look over the source code on each update, so that you can spot any  rogue functions. Always use SSL on every connection, including IRC.

Always sign your e-mail using PGP and encrypt sensitive documentation (and even e-mails) before sending them. Try to stay away from Gmail and Outlook.com.Password manager

I highly recommend using KeepassX as a password manager, secured using a key file and not a password. Also, you should download the source code,  compile it (using a Linux machine) and always look over the source code  for rogue functions, you CANNOT afford a vulnerability inside the  password manager.Malicious domains

Blocking malicious domains is really easy using Steven Black's repository(direct link to the actual hosts file, beware it will block most of the social media  websites, Twitter, Facebook, etc). Download the file and overwrite the  one on your machine (on MacOS/Linux/iOS/Android, the file is /etc/hosts,  on Windows it resides in%SystemRoot%\system32\drivers\etc\hosts).  Reboot the system or just restart your network component and you're  done, all the requests to the domains/subdomains blacklisted in the file  will be blocked.Hardware

Never hibernate your laptop, always  power it off when it's unattended; if it must be powered on, suspend and  lock it. A powered-on machine can be subjected to a cold-boot attack (this type of attack is harder to be accomplished if the RAM modules  are soldered onto the machine's mainboard, usually more encountered in netbooks). If you are really paranoid, mark the screws on your laptop  with wax/nail polish, but once you go that way … it's hard to come back.

Use  a BIOS password and disable boot from anything else than the local  hard-disk/SSD, a BIOS password won't be hard to bypass (removing the  battery from the mainboard) but it might prevent a thief from accessing  your data since the laptop screws will need to be removed. Every bit  helps.

I won't go as far as suggesting you should pump hot glue  inside your laptop's USB and HDMI ports, but if you plan on visiting  North Korea, maybe you should (read more on DMA attacks).Other things to keep in mind

  • Make sure you use good passwords.  jimmy82 is not a good password. jimmy_helen(provided your name is Jim  and your wife's name is Helen) is a pitiful password.password as a  password should get you fired from any job and your citizenship revoked.  Be smart about it, how about 1^/y-K73g)T24%#-,$34. (you don't actually  need to remember that, that's why we have password managers)
  • If you need private (or even public) git repositories, install gogs on a server you control, it's a way better alternative than GitLab or  GitHub. Everybody knows all hosted git services are like a black hole  that keeps drawing in (through our own mistakes) private keys from  various projects, though we all deny ever doing that.
  • Install OpenWRT or ddWRT on your home router (if it does support them), secure it using a SSH  private key (if you have a SSH server running on it), keep it updated  and close all incoming connections to your local network (or log them,  whatever you see fit).
  • Install a more privacy-oriented operating  system: Windows (any version of it) is not really suited because it  leaks so much information about the user, has telemetry software installed, is not free, you can't inspect the source code, there are  specific domains that cannot be blocked in the firewall, etc. Use a  Linux variant like Debian,Whonix, Tails, even Ubuntu.  I don't have any experience with FreeBSD but I've heard good things  about it. Basically anything but Windows; if you HAVE TO choose a  Windows version, use Windows 7.
  • Keep in mind that you can use a Tizen or Android phone as a home development server, with Apache/nginx, MySQL/MariaDB/PostgreSQL, PHP, git and many other useful tools.
  • DO  NOT use cloud solutions (OneDrive, Dropbox, Google Drive, iCloud, even  self-hosted OwnCloud) if your files are not encrypted before being sent  to the remote servers. Your photos might not need (beware that EXIF data  from the photos will leak information, GPS coordonates, camera/phone, etc) but your private documents do need to be encrypted. Use GPG to encrypt them (and decrypt when needed).
  • Keep  your system software and applications updated to the latest changes (on  Ubuntu is as easy as running sudo apt update && sudo apt  upgrade in a console). On Windows, beware of updates that install  telemetry packages (keep Windows Updates to "Check for updates but don't  install them automatically" and search for the name of the update on  your favorite search engine before installing it).
  • If you need  to remove sensitive files you should know that the actual file contents  isn't removed from the disk, just the file inodes are unlinked, so  forensic software will recover the contents of the file. Install a tool  like secure-delete from the Ubuntu repository (sudo apt install  secure-delete) and use it to securely remove a file and its contents  from your drive.
  • Tor (The Onion Router) is not a 100% full-proof solution, there have been some attacksagainst it lately. Also, it might mark you as a possible target.
  • Always use HTTPS for your websites, you can get free SSL certificates from the Mozilla'sLetsencrypt project.Useful links
  • Donate to Electronic Frontier Foundation (EFF)
  • Surveillance Self-Defense
  • Puri.sm Librem
  • OpenPGP best practices
  • Bruce Schneier on Security
  • Be anonymous on the Internet(s)
  • Tor Browser
  • Securing Debian
  • The Hacker News
  • Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices
  • The paranoid security guide
  • Encryption matters

Later edit: Hacker News discussionRelated Articles

Share this post