https://wiki.yesmap.net/wiki/api.php?action=feedcontributions&feedformat=atom&user=Time+Has+PassedNewgonWiki - User contributions [en]2026-05-30T18:03:04ZUser contributionsMediaWiki 1.45.3https://wiki.yesmap.net/wiki/index.php?title=Colin_Nugent&diff=24226Colin Nugent2024-02-14T16:33:00Z<p>Time Has Passed: </p>
<hr />
<div>[[File:Nugent.png|thumb|Colin Nugent]]<br />
__NOTOC__'''Colin Nugent''' (aka Harry Holland and Emu Nugent) is a first-wave Australian MAP Activist and former leader of the [[Australian Paedophile Support Group]] in the early 1980s.<br />
<br />
==Legal action in 2014==<br />
<br />
In 2014, Nugent had three copies of the 1980s MAP magazine ''Rockspider'' confiscated by police. He unsucessfully argued in court that they were historical documents, a view backed up by Australian academics [[Steven Angelides]] and [[Terry Leahy]] among others. The magazines, thought to be the last of their kind, were destroyed.<ref>[https://perthvoiceinteractive.com/2014/05/08/child-porn-social-history-court-told/ Nugent loses child sex mag appeal - Perth Voice]</ref><ref>[https://www.outinperth.com/man-appeals-child-porn-charge/ Man Appeals Child Porn Charge - OUTinPerth]</ref><ref>[https://perthvoiceinteractive.com/2014/05/08/child-porn-social-history-court-told/ Child porn ‘social history’ court told - Perth Voice]</ref><br />
<br />
==References==<br />
<br />
[[Category:Official Encyclopedia]]<br />
[[Category:Gay]]<br />
[[Category:People]]<br />
[[Category:People: Australian]]<br />
[[Category:People: Sympathetic Activists]]<br />
[[Category:Law/Crime]]<br />
[[Category:Law/Crime: Australian]]<br />
[[Category:People: Adult or Minor sexually attracted to or involved with the other]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=23910Guide To Computer Security (2022)2023-11-23T15:27:56Z<p>Time Has Passed: /* Chat */ Ricochet</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. This guide represents an updated version, and is up-to-date as of 2023.<br />
<br />
While simple, [[Guide_To_Computer_Security_(2022)#Perspective|behavioral considerations]] are enough to keep most MAPs safe online if they are not engaged in illicit activity, this guide is an essential read for non-offending MAPs who are concerned about, yet not familiar with advanced computer security.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular desktop operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution (popularly called 'distro') is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu, as well as distros based on it, such as Mint and Elementary OS, are a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
<br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
Encrypted containers holding hidden volumes should never be copied; any changes to one of the containers can be used to prove the existence of a hidden volume.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===SSD Issues===<br />
<br />
Wiping techniques that are effective on traditional hard drives may be ineffective on SSDs. People with highly sensitive data should not trust the aforementioned programs to securely erase their SSD. For activists in difficult locations, a traditional hard drive is probably a better choice.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
Avoiding malicious software on your computer is crucial. These days, most operating systems come with effective firewall and anti-virus solutions. However, there are also more complex and configurable third-party options.<br />
<br />
Users of hidden containers should not allow firewall and anti-virus programs to keep logs, as logs may reveal the existence of a hidden container.<br />
<br />
These programs should also have their reporting features disabled; sensitive information such as MAP-related data and websites accessed could be reported.<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
* [https://www.ricochetrefresh.net/ Ricochet] is an open-source chat app that routes all communication through Tor. It is secure, but has limited functionality.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
Activists should also be careful about participating in online MAP communities while intoxicated. One simple mistake may lead to identification.<br />
<br />
Furthermore, unsafe offline activities may lead to search warrants that allow authorities to analyze computer equipment. Any MAP-related material found (including legal photographs or videos of children) can be used to support allegations.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=23909Guide To Computer Security (2022)2023-11-23T15:24:59Z<p>Time Has Passed: /* Network Security */ E-mail service no longer available</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. This guide represents an updated version, and is up-to-date as of 2023.<br />
<br />
While simple, [[Guide_To_Computer_Security_(2022)#Perspective|behavioral considerations]] are enough to keep most MAPs safe online if they are not engaged in illicit activity, this guide is an essential read for non-offending MAPs who are concerned about, yet not familiar with advanced computer security.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular desktop operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution (popularly called 'distro') is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu, as well as distros based on it, such as Mint and Elementary OS, are a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
<br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
Encrypted containers holding hidden volumes should never be copied; any changes to one of the containers can be used to prove the existence of a hidden volume.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===SSD Issues===<br />
<br />
Wiping techniques that are effective on traditional hard drives may be ineffective on SSDs. People with highly sensitive data should not trust the aforementioned programs to securely erase their SSD. For activists in difficult locations, a traditional hard drive is probably a better choice.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
Avoiding malicious software on your computer is crucial. These days, most operating systems come with effective firewall and anti-virus solutions. However, there are also more complex and configurable third-party options.<br />
<br />
Users of hidden containers should not allow firewall and anti-virus programs to keep logs, as logs may reveal the existence of a hidden container.<br />
<br />
These programs should also have their reporting features disabled; sensitive information such as MAP-related data and websites accessed could be reported.<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
Activists should also be careful about participating in online MAP communities while intoxicated. One simple mistake may lead to identification.<br />
<br />
Furthermore, unsafe offline activities may lead to search warrants that allow authorities to analyze computer equipment. Any MAP-related material found (including legal photographs or videos of children) can be used to support allegations.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22576Guide To Computer Security (2022)2023-08-06T06:18:36Z<p>Time Has Passed: </p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. This guide represents an updated version, and is an essential read for MAPs who are not familiar with computer security.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
Encrypted containers holding hidden volumes should never be copied; any changes to one of the containers can be used to prove the existence of a hidden volume.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===SSD Issues===<br />
<br />
Wiping techniques that are effective on traditional hard drives may be ineffective on SSDs. People with highly sensitive data should not trust the aforementioned programs to securely erase their SSD. For activists in difficult locations, a traditional hard drive is probably a better choice.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
Avoiding malicious software on your computer is crucial. These days, most operating systems come with effective firewall and anti-virus solutions. However, there are also more complex and configurable third-party options.<br />
<br />
Users of hidden containers should not allow firewall and anti-virus programs to keep logs, as logs may reveal the existence of a hidden container.<br />
<br />
These programs should also have their reporting features disabled; sensitive information such as MAP-related data and websites accessed could be reported.<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
* [http://dnmxjaitaiafwmss2lx7tbs5bv66l7vjdmb5mtb3yqpxqhk3it5zivad.onion/ DNMX] is a darknet e-mail service that does not require JavaScript. E-mails are not encrypted.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
Activists should also be careful about participating in online MAP communities while intoxicated. One simple mistake may lead to identification.<br />
<br />
Furthermore, unsafe offline activities may lead to search warrants that allow authorities to analyze computer equipment. Any MAP-related material found (including legal photographs or videos of children) can be used to support allegations.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22575Guide To Computer Security (2022)2023-08-06T06:11:47Z<p>Time Has Passed: /* Perspective */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
Encrypted containers holding hidden volumes should never be copied; any changes to one of the containers can be used to prove the existence of a hidden volume.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===SSD Issues===<br />
<br />
Wiping techniques that are effective on traditional hard drives may be ineffective on SSDs. People with highly sensitive data should not trust the aforementioned programs to securely erase their SSD. For activists in difficult locations, a traditional hard drive is probably a better choice.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
Avoiding malicious software on your computer is crucial. These days, most operating systems come with effective firewall and anti-virus solutions. However, there are also more complex and configurable third-party options.<br />
<br />
Users of hidden containers should not allow firewall and anti-virus programs to keep logs, as logs may reveal the existence of a hidden container.<br />
<br />
These programs should also have their reporting features disabled; sensitive information such as MAP-related data and websites accessed could be reported.<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
* [http://dnmxjaitaiafwmss2lx7tbs5bv66l7vjdmb5mtb3yqpxqhk3it5zivad.onion/ DNMX] is a darknet e-mail service that does not require JavaScript. E-mails are not encrypted.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
Activists should also be careful about participating in online MAP communities while intoxicated. One simple mistake may lead to identification.<br />
<br />
Furthermore, unsafe offline activities may lead to search warrants that allow authorities to analyze computer equipment. Any MAP-related material found (including legal photographs or videos of children) can be used to support allegations.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22574Guide To Computer Security (2022)2023-08-06T06:04:54Z<p>Time Has Passed: /* SSD Issues */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
Encrypted containers holding hidden volumes should never be copied; any changes to one of the containers can be used to prove the existence of a hidden volume.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===SSD Issues===<br />
<br />
Wiping techniques that are effective on traditional hard drives may be ineffective on SSDs. People with highly sensitive data should not trust the aforementioned programs to securely erase their SSD. For activists in difficult locations, a traditional hard drive is probably a better choice.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
Avoiding malicious software on your computer is crucial. These days, most operating systems come with effective firewall and anti-virus solutions. However, there are also more complex and configurable third-party options.<br />
<br />
Users of hidden containers should not allow firewall and anti-virus programs to keep logs, as logs may reveal the existence of a hidden container.<br />
<br />
These programs should also have their reporting features disabled; sensitive information such as MAP-related data and websites accessed could be reported.<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
* [http://dnmxjaitaiafwmss2lx7tbs5bv66l7vjdmb5mtb3yqpxqhk3it5zivad.onion/ DNMX] is a darknet e-mail service that does not require JavaScript. E-mails are not encrypted.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22573Guide To Computer Security (2022)2023-08-06T05:51:36Z<p>Time Has Passed: /* Data Protection */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
Encrypted containers holding hidden volumes should never be copied; any changes to one of the containers can be used to prove the existence of a hidden volume.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===SSD Issues===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
Avoiding malicious software on your computer is crucial. These days, most operating systems come with effective firewall and anti-virus solutions. However, there are also more complex and configurable third-party options.<br />
<br />
Users of hidden containers should not allow firewall and anti-virus programs to keep logs, as logs may reveal the existence of a hidden container.<br />
<br />
These programs should also have their reporting features disabled; sensitive information such as MAP-related data and websites accessed could be reported.<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
* [http://dnmxjaitaiafwmss2lx7tbs5bv66l7vjdmb5mtb3yqpxqhk3it5zivad.onion/ DNMX] is a darknet e-mail service that does not require JavaScript. E-mails are not encrypted.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22572Guide To Computer Security (2022)2023-08-06T05:37:22Z<p>Time Has Passed: /* Volume Encryption */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
Encrypted containers holding hidden volumes should never be copied; any changes to one of the containers can be used to prove the existence of a hidden volume.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
* [http://dnmxjaitaiafwmss2lx7tbs5bv66l7vjdmb5mtb3yqpxqhk3it5zivad.onion/ DNMX] is a darknet e-mail service that does not require JavaScript. E-mails are not encrypted.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22571Guide To Computer Security (2022)2023-08-06T05:32:13Z<p>Time Has Passed: /* Encryption */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
Regardless of the program used, it is important to use a secure password. Long passwords are essential, and it is preferable to use a password containing character strings that are not words found in a dictionary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
* [http://dnmxjaitaiafwmss2lx7tbs5bv66l7vjdmb5mtb3yqpxqhk3it5zivad.onion/ DNMX] is a darknet e-mail service that does not require JavaScript. E-mails are not encrypted.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22570Guide To Computer Security (2022)2023-08-06T05:21:28Z<p>Time Has Passed: /* Providers */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
* [http://dnmxjaitaiafwmss2lx7tbs5bv66l7vjdmb5mtb3yqpxqhk3it5zivad.onion/ DNMX] is a darknet e-mail service that does not require JavaScript. E-mails are not encrypted.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22569Guide To Computer Security (2022)2023-08-06T05:18:40Z<p>Time Has Passed: /* Perspective */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
Possibly the biggest threat to your privacy and security is the information you post about yourself online. Activists should avoid posting information on MAP sites that could be linked to information they posted on non-MAP sites. People posting on MAP sites should take care in not disclosing excessive information about their personal lives, as this could be compiled over time and linked to their real identity.<br />
<br />
A significant number of 'outings' in the late 2000s occurred due to [[Perverted Justice]] vigilantes searching Google and social media for correlations between pseudonymous posts on MAP websites and easily traceable posts on non-MAP websites. One of the biggest mistakes was using the same e-mail address for MAP-related and unrelated activities.<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=22568Guide To Computer Security (2022)2023-08-06T04:55:43Z<p>Time Has Passed: /* Cryptocurrency */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although convenient and coming pre-installed on many devices, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
[[Guide_To_Computer_Security_(2022)#Windows_7|Windows 7]] is no longer supported by Microsoft and its continued usage is recommended against. Nonetheless some tips relevant to it remain available [[Guide_To_Computer_Security_(2022)#Windows_7|below]].<br />
<br />
Windows 11 continues its predecessor's model of pervasive data collection which is only expected to expand, as such it is highly discouraged as well (no data stored on a Windows computer should be considered secure).<br />
<br />
In any case, installing a free/open source operating system such as [[Guide_To_Computer_Security_(2022)#Linux|Linux]] is recommended instead.<br />
<br />
===Linux===<br />
Linux-based operating systems are strongly recommended over proprietary operating systems like Windows due to the latter's inherent privacy and security issues.<br><br />
Installing a Linux distribution is easy. All that is needed is an .iso file downloaded from the distribution's official website, flashing it to a USB drive with a tool such as [https://rufus.ie/en/ Rufus] or burning to a CD/DVD.<br><br />
Booting a computer from this USB or DVD drive will begin the installation.<br />
*'''Ubuntu'''<br />
:[https://ubuntu.com/desktop Ubuntu] is the most popular and one of the most user-friendly Linux distributions. If you're looking for a place to start while switching away from Windows, Ubuntu is a decent choice.<br />
*'''Fedora'''<br />
:[https://getfedora.org/ Fedora] is another very popular Linux distribution, and in user friendliness equals Ubuntu. It also uses the most up to date releases of software and drivers, making it a good choice for newer hardware. Which also means less of a chance to run into problems at the installation step.<br />
<br />
====Tips====<br />
Virtually every popular Linux distribution will offer you to enable full disk encryption ([[Guide_To_Computer_Security_(2022)#LUKS|LUKS]]) during the installation process. It is highly recommended to enable this option (see [[Guide_To_Computer_Security_(2022)#Linux_installation|screenshots]]).<br />
<br />
====Installation examples====<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu1.png|Ubuntu<br />
File:fedora1.png|Fedora<br />
File:Pop_os1.png|POP OS<br />
</gallery><br />
===Live CDs===<br />
Live operating systems require no installation except a USB or DVD drive they are flashed/burned onto and then booted from.<br />
*'''Tails OS'''<br />
:[https://tails.boum.org/ Tails] is a live operating system configured to be fully amnesic (leave no trace on the computer it is booted from) and use the Tor anonymity network.<br />
*Many Linux distributions can be run in live mode as an alternative to installation.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====LUKS=====<br />
LUKS is [[Guide_To_Computer_Security_(2022)#Linux|Linux]] inbuilt encryption utility. An option to encrypt the entire disk is offered while installing Linux. Afterwards it can be easily used to encrypt external devices through a graphical interface offered by the distribution's desktop environment.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists [https://web.archive.org/web/20221007143346/https://proprivacy.com/privacy-service/guides/veracrypt-hidden-volumes is the ability to create hidden volumes]. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
In most cases, files deleted through conventional methods are '''still recoverable''', even after trash is emptied. Several tools exist to securely erase either specific files, entire partitions, or wipe free space on a disk to get rid of any remnants of files that were not erased securely.<br />
<br />
====Windows-specific====<br />
[https://eraser.heidi.ie/ Eraser] can be used to erase select files, external drives, or wipe free space on the currently used drive.<br />
<br />
====All operating systems====<br />
[https://www.bleachbit.org/ Bleachbit] is an example of software which can be used for this purpose on Linux, version for Windows is also available. In addition, the software includes features useful for general data cleanup.<br />
<br />
====Other (entire disk)====<br />
[https://dban.org/ DBAN] (Darik's Boot and Nuke), is used for wiping entire drives. It must be booted from an external drive.<br>'''Warning: All data''' will be erased, including the operating system. If there are files you want to keep, you must back them up on another drive and unplug it from the computer before using DBAN.<br />
An operating system must be reinstalled on the computer afterwards.<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, [https://www.torproject.org/ Tor] forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means (such as HTTPS), although the source of the data is unknown. In the modern age, almost all sites use HTTPS and as such, this is no longer much of a concern (see below).<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Tor Browser, which is automatically configured to connect via the Tor network.<br />
<br />
Tor Browser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any unencrypted data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. Tor Browser, since recent versions, forces a HTTPS connection for all compatible services by default and warns a user when plain HTTP connection is attempted.<br />
<br />
===E-mail===<br />
====Providers====<br />
* [https://tutanota.com/ Tutanota] is a privacy-respecting e-mail provider that offers both a free and paid model. There is a two-day waiting period on newly registered accounts before they can be used.<br />
* [https://proton.me/ ProtonMail], while having faced some skepticism, should still be considered a better alternative to most mainstream e-mail providers.<br />
<br />
====Clients====<br />
Email clients can be used for using an email account outside of a browser. Depending on user practices, this can have a number of security advantages (such as OpenPGP). However, if it is desired to stay anonymous while accessing email (such as through Tor), the email client must be properly configured to connect through the desired proxy before using any accounts.<br />
<br />
* [https://www.thunderbird.net/ Thunderbird] is a full-featured, free and open source email client.<br />
::Tor configuration should be possible through '''General''' > '''Connection''' > '''Settings''' > '''Manual proxy configuration''': '''SOCKS Host''': <code>127.0.0.1</code> '''Port''': <code>9050</code>. [https://addons.thunderbird.net/en-US/thunderbird/addon/torbirdy/ TorBirdy] may be of use. Tor Browser, or a Tor client must be running for connectivity to work. Users are advised to test their configuration works properly.<br />
::'''OpenPGP''' (end-to-end encryption) can be configured in '''Account Settings''' > '''End-To-End Encryption''' > '''Add Key''' after logging into an account. You have to share the public portion with your contacts (Thunderbird can automatically attach it to emails), and you have to import your contact's public keys to encrypt emails to them.<br />
<br />
===Chat===<br />
General recommendations for chat and instant messaging software is avoiding proprietary solutions and anything lacking end-to-end encryption. A work-in-progress list of open source messaging software with end-to-end encryption capability is offered below:<br />
* [https://element.io/get-started Element] is a modern chat application powered by the Matrix protocol. It supports end-to-end encryption and general features expected from a modern chat client.<br />
* '''XMPP''' is an instant messaging protocol that can be used through a number of chat applications (clients) designed to be compatible with it; the client used is a matter of user choice. One example of a cross-platform desktop client is [https://gajim.org/ Gajim]. An example of a mobile client is [https://conversations.im/ Conversations].<br />
::Modern '''XMPP''' clients, including these two examples, generally have support for end-to-encryption (OMEMO). This encryption can be toggled on in private messages and private group chats.<br />
::An '''XMPP''' user selects a particular server to register on, acquiring an address such as user@example.org. Much like e-mail these addresses resemble, users registered on different servers can still communicate and chat with each other; it is not necessary for them to use the same server.<br />
::'''XMPP''' clients usually have a selection built in and support registration directly through the client.<br />
<br />
==Operational Security==<br />
<br />
===Search engines / Googling===<br />
It is recommended to use a privacy-respecting search engine instead of Google.<br />
*[https://www.startpage.com/ Startpage] offers results from Google without Google's tracking mechanisms. This also means the results are not personalized.<br />
*[https://duckduckgo.com/ DuckDuckGo] is a popular search engine that claims to respect privacy of its users.<br />
<br />
===Fingerprinting===<br />
====Metadata====<br />
<Gallery heights=200px widths=200px><br />
File:Metadata GPS.png|GPS coordinates saved in the metadata of an image taken on an iPhone.<br />
</gallery><br />
Metadata, or EXIF data, is information that is stored along with most saved files, including photos. Some of the information that can be stored in metadata includes '''GPS coordinates for where the photo was taken (automatically like this on iPhones)''', author information of a document, and information about the camera or device that was used to take a photo. Whenever you upload a file somewhere, '''always check''' that the metadata contains no information that could be used to identify or fingerprint you.<br />
*[https://exiftool.org Exiftool] offers the ability to not only view metadata, but also strip/remove it from an image or document. <br />
**Commands:<br />
***Read metadata: exiftool your_file.jpg<br />
***Delete metadata: exiftool -All= your_file.jpg<br />
<br />
===Social Engineering===<br />
====Infiltration====<br />
Federal agents, or other adversaries often infiltrate movements to sabotage or acquire information of a group's plans. [https://www.rooshv.com/how-the-fbi-infiltrates-movements-and-what-you-can-do-to-stop-them This site] contains information about how to spot infiltrators.<br />
<br />
==Phone Security==<br />
Securing mobile phones offers additional factors to take into account over PC security, such as the phone's GPS location capability, connection to cellular networks, unique phone number, and video and audio recording capabilities which can all be used to identify and track its user if the phone is compromised, including through untrusted software running on the phone.<br />
<br />
These reasons are why utmost care should be taken to secure the phone and make sure it only runs trusted and secure software if it is to be used for any sensitive activities at all.<br />
<br />
===Custom ROMs===<br />
Most phones come with the Android operating system. Because manufacturers tend to pre-install many apps and make other modifications which can threaten the user's privacy and security, using the stock Android ROM that came with the phone is very non-ideal.<br />
<br />
Before doing anything else, it is ''strongly recommended'' to replace the stock Android ROM with a custom Android ROM such as [https://www.lineageos.org/ LineageOS]. This is essentially reinstalling the phone's operating system. Therefore, as with most reinstallations, any data desired to be kept by the user must be backed up elsewhere, because all data on the phone will be lost.<br />
<br />
Guides for installation of custom ROMs are available on the specific project's website, as well as a list of phones which are compatible with the ROM. If you are buying a new phone, make sure your phone is on this list prior to purchasing it. LineageOS has the broadest compatibility. Alternative ROMs exist as well but not all are compatible with every phone.<br />
<br />
====List of custom ROMs====<br />
* [https://www.lineageos.org/ LineageOS]<br />
<br />
===Apps===<br />
For a trusted application base, your apps should come from a trusted source, such as the [https://f-droid.org/ F-Droid] store. Do not install or use the proprietary Google Play store, as ubiquitous on most Android devices as it is. Prefer open source apps from F-Droid instead. If you really need an app only available on Google Play, consider alternative stores like [https://f-droid.org/en/packages/com.aurora.store/ Aurora Store].<br />
<br />
==Cryptocurrency==<br />
Cryptocurrencies (cryptos) offer activists a valuable tool for financial privacy and freedom. In countries with oppressive governments or strict controls on financial transactions, activists can use cryptos to securely send and receive funds without fear of being tracked or censored. Cryptos also provide an alternative to traditional financial systems, allowing activists to bypass bank restrictions or sanctions. Additionally, the decentralized nature of cryptos gives activists a level of autonomy and control over their own funds, enabling them to support causes and organizations without fear of interference. Cryptos may increase and decrease considerably in value, as measured in fiat currencies such as the US Dollar. Privacy-related, and more illiquid cryptos tend to be more stable in their value over time as compared to Bitcoin, which is much less secure, easily traceable by authorities, and forms the basis for numerous scams.<br />
<br />
*[https://www.getmonero.org Monero (XMR)] is a decentralized, open-source cryptocurrency that focuses on privacy and anonymity. It allows users to securely send and receive funds without revealing their identity. Unlike Bitcoin, which publicly displays all transactions on a transparent ledger, Monero uses advanced cryptographic techniques to make transactions untraceable and unlinkable.<br />
<br />
==Perspective==<br />
<br />
==Useful Links==<br />
<br />
===Safety Guides by and for MAPs===<br />
<br />
*[https://blsafety.net/?safety/online BLSafety] - Predominantly behavioral guide. Somewhat outdated.<br />
*[https://blog.mapcommunity.org/omc/security-privacy OMC]<br />
*[http://fuckthefeds.pro/ Fuckthefeds] (may be offline, consider viewing via [https://web.archive.org/web/20230000000000*/http://fuckthefeds.pro/ Web Archive])<br />
*[https://www.mapresources.info/guides/safety MAPResources] - <span style="color: Red;">'''Please note, this is a Google site, and may be used to track you if you are logged in to your Google account. Consider using Tor Browser or Web Archive to view this site.'''</span><br />
<br />
==Screenshots==<br />
===Linux installation===<br />
During the installation step that asks you about the disk to use for your operating system, tick the checkbox to '''Encrypt your data''' (under '''Advanced Features''' in the Ubuntu example).<br><br />
<br><br />
'''Ubuntu'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:ubuntu4.png<br />
File:ubuntu5.png<br />
File:ubuntu6.png<br />
File:ubuntu8.png<br />
File:ubuntu9.png<br />
File:ubuntu10.png<br />
</gallery><br />
<br />
'''Fedora'''<br><br />
<br />
<Gallery heights=200px widths=200px><br />
File:Fedora3.png<br />
File:Fedora4.png<br />
File:Fedora5.png<br />
File:Fedora7.png<br />
</gallery><br />
<br />
[[Category:Advice]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=10298Guide To Computer Security (2022)2021-12-18T06:30:10Z<p>Time Has Passed: /* Tor */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists is the ability to create hidden volumes. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, Tor forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means, although the source of the data is unknown.<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Torbrowser, which is automatically configured to connect via the Tor network.<br />
<br />
Torbrowser has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. The 'HTTPS Everywhere' extension forces a HTTPS connection for all compatible services.<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=10297Guide To Computer Security (2022)2021-12-18T06:28:53Z<p>Time Has Passed: /* Using Tor safely */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists is the ability to create hidden volumes. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, Tor forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means, although the source of the data is unknown.<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Torbrowser, which is automatically configured to connect via the Tor network.<br />
<br />
=====Security Levels=====<br />
<br />
Tor has three pre-configured security levels.<br />
<br />
* 'Safest' disables any functionality that could be used to identify you. However, a lot of website features will no longer work. Social media, webmail and many other services will be unusable.<br />
<br />
* 'Safer' disables some features that could be used to identify you, but not all. JavaScript is enabled on HTTPS sites. Social media, webmail and many other services will will usable, but there is a small risk of being identified via malicious scripts.<br />
<br />
* 'Standard' does not disable any potentially dangerous functionality. There is a higher risk of being identified or attacked.<br />
<br />
=====Encryption=====<br />
<br />
The final connection in the Tor circuit (between the exit node and the destination) is not encrypted by the Tor client. Therefore, any data sent will be visible by the operator of the exit node. Any sensitive information should be encrypted by other means. A simple HTTPS connection is one solution. The 'HTTPS Everywhere' extension forces a HTTPS connection for all compatible services.<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Talk:Minor_Attracted_Person_(archive_research)&diff=10170Talk:Minor Attracted Person (archive research)2021-12-14T15:07:19Z<p>Time Has Passed: Created page with "The 2001 screenshot shows TPKA Jason suggesting the phrase. Not TPKA Ghost Writer. Were they the same person, or is the article wrong? ~~~~"</p>
<hr />
<div>The 2001 screenshot shows TPKA Jason suggesting the phrase. Not TPKA Ghost Writer. Were they the same person, or is the article wrong? [[User:Time Has Passed|Time Has Passed]] ([[User talk:Time Has Passed|talk]]) 15:07, 14 December 2021 (UTC)</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=10070Guide To Computer Security (2022)2021-12-12T03:37:05Z<p>Time Has Passed: /* Network Security */ Updating bit by bit...</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists is the ability to create hidden volumes. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
Unlike web-based proxies and VPNs, Tor forwards data via an entry node and two more random nodes operated by volunteers. Data sent by the client is encrypted up to the exit node. Upon leaving the exit node, data is visible if not encrypted by other means, although the source of the data is unknown.<br />
<br />
There are weaknesses within the Tor design, but it is the safest option for anonymous communication online. People who do not make themselves a major global target are unlikely to be identified due to any of the inherent weaknesses. User error is the biggest risk.<br />
<br />
=====Using Tor safely=====<br />
<br />
In 2022, Tor is most often used with Torbrowser, which is automatically configured to connect via the Tor network.<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=10046Guide To Computer Security (2022)2021-12-11T14:15:11Z<p>Time Has Passed: /* Volume Encryption */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists is the ability to create hidden volumes. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are extremely difficult to detect. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume containing the data that you really wish to keep private.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
=====Using Tor safely=====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=10045Guide To Computer Security (2022)2021-12-11T14:04:42Z<p>Time Has Passed: /* Proxies */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists is the ability to create hidden volumes. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are undetectable. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
Proxies are used to hide your true IP address from another server or client. Many proxies are insecure and not suitable for use by MAP activists. Use of a malicious or unfriendly proxy server can be more dangerous than a direct connection.<br />
<br />
====Web-based proxy servers====<br />
<br />
Web-based proxies are of very limited utility for the MAP activist community. They provide a minimal level of obfuscation suitable only for circumventing bans and geographic restrictions, and many will already be blocked from popular websites. The service operator has the ability to monitor users and may well comply with authorities wrongly targeting MAPs.<br />
<br />
====VPNs====<br />
<br />
Similar to web-based proxies, VPNs place users at risk of monitoring by the service provider and anyone to whom they choose to provide access. They have the same practical purpose as web-based proxies for the MAP community.<br />
<br />
====Tor====<br />
<br />
=====Using Tor safely=====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=10042Guide To Computer Security (2022)2021-12-11T12:56:45Z<p>Time Has Passed: /* Volume Encryption */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists is the ability to create hidden volumes. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are undetectable. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume.<br />
<br />
VeraCrypt has a feature allowing users to run an operating system from within a hidden container, reducing the risk of data leakage from improper operating system configuration.<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Talk:Guide_To_Computer_Security_(2022)&diff=10041Talk:Guide To Computer Security (2022)2021-12-11T12:53:52Z<p>Time Has Passed: Created page with "Somebody should make a guide for mobile device security. It will not be me. I just avoid doing anything BL-related on my phone because I'm not aware of a way to make it accept..."</p>
<hr />
<div>Somebody should make a guide for mobile device security. It will not be me. I just avoid doing anything BL-related on my phone because I'm not aware of a way to make it acceptably secure. [[User:Time Has Passed|Time Has Passed]] ([[User talk:Time Has Passed|talk]]) 12:53, 11 December 2021 (UTC)</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=10034Guide To Computer Security (2022)2021-12-11T08:10:56Z<p>Time Has Passed: /* Encryption */ Will add links later</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon Support Team]] after consultation with the [[Newgon]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
Encrypting files renders the data within them unintelligible. While Microsoft, hard drive manufacturers and other companies offer free encryption tools, these cannot be trusted in the event of a highly motivated adversary.<br />
<br />
====Recommended Programs====<br />
<br />
The following programs can probably be trusted to protect against the vast majority of adversaries, assuming that their settings are configured correctly and the operating system has been appropriately secured.<br />
<br />
=====VeraCrypt=====<br />
<br />
VeraCrypt is a fork of TrueCrypt, a program whose development is alleged by many to have been shut down by the US government. VeraCrypt is widely considered to provide the highest level of security of any free program. Donations to the project would always be welcome.<br />
<br />
=====BestCrypt=====<br />
<br />
BestCrypt is a paid encryption product with similar functionality to VeraCrypt. It can be purchased along with highly effective data erasure software. Although expensive, it is a long established and very well trusted product.<br />
<br />
====Encryption Options====<br />
<br />
There are two main methods of encryption that are still relevant in 2022.<br />
<br />
=====Whole Disk Encryption=====<br />
<br />
Encrypting the entire disk renders all contents unreadable unless a password is provided. If you do not require plausible deniability and you do not care about giving the appearance of compliance, you can simply encrypt the entire disk and refuse to provide the password.<br />
<br />
=====Volume Encryption=====<br />
<br />
Volume encryption creates a file on your disk that functions as a virtual drive. These virtual drives have the same functionality as a physical drive. Using volume encryption allows you to encrypt only a portion of your disk, instead of encrypting the whole drive.<br />
<br />
A major benefit of volume encryption for activists is the ability to create hidden volumes. Hidden volumes are created within the free space of a standard volume. Due to the way they're created, they are undetectable. This provides excellent plausible deniability; you can hand over a key to the main volume and still nobody can prove that there is a second hidden volume.<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9878Guide To Computer Security (2022)2021-12-08T14:47:11Z<p>Time Has Passed: /* Operating Systems */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended. <br />
<br />
There are a number of settings that should be changed in order to improve user privacy.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_to_Computer_Security_(Archive)&diff=9875Guide to Computer Security (Archive)2021-12-08T14:36:00Z<p>Time Has Passed: This would be better preserved as an archive. I've rolled back my recent edits.</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>'''Guide to Computer Security''', now available as an out-of-date archive, was produced by the [[Newgon.com Support Team]] after a consultation with the [[Newgon.com]] forum community. It explains how you can protect data stored on your hard drive and stay anonymous on the internet. The guide should be read by anyone who has a special interest in avoiding the scrutiny of [[Vigilantism|cyber-vigilantes]] and corrupt law enforcement officers. It should ''not'', however be seen as a vital first step to participation in [[Newgon.com]] or any similar websites.<br />
<br />
The 2008 guide (currently identical to the wiki version) can be downloaded as a PDF here: [[Media:Guide_to_Computer_Security.pdf|Guide to Computer Security]]<br />
<br />
==Protecting data stored on your hard drive==<br />
<br />
===Locking down Windows===<br />
Windows at its default settings is an insecure operating system. Having been designed for mass<br />
consumer/commercial usage, it tries to be all things to all people. Consequently, it has a tendency to run unnecessary services, store/hide private information in numerous, often hidden, locations, and exposes your PC to unnecessary security risks.<br />
<br />
====Disable unneeded services====<br />
Many of the services in Windows are unnecessary, and some are security risks (e.g. the 'Remote Registry' service, which permits third party network access to the computer's system settings). There are numerous online guides giving advice as to which services you can safely disable. [http://www.prestwood.com/aspsuite/kb/document_view.asp?qid=100274]<br />
<br />
====System Restore points==== <br />
By default, Windows saves a backup of your system settings at regular intervals (and therefore may store information that is ideally kept sensitive) in case you need to roll-back the system to an earlier point in time. Most computer problems can be fixed via other methods however, and if you don't use/need System Restore you can disable it (via Control Panel / System / System Properties / System Restore tab).<br />
<br />
====Hibernation====<br />
If you don't use hibernation, ensure that this is disabled, since otherwise it will intermittently save anything that you are currently working on to your hard drive in plain text form – even encrypted documents – which could later be retrieved. (Control Panel / Power Options / Hibernate tab / uncheck 'Enable Hibernation').<br />
<br />
====Pagefile/Swapfile====<br />
By default, Windows creates a file on your hard drive (pagefile.sys) which it uses as additional computer memory, and it shifts running processes to this file on the hard drive when necessary. Many modern PCs have sufficient RAM (e.g. over 1 GB) not to need this file. You can disable it via Control Panel / System / Advanced tab / select 'Settings' button under the 'Performance' heading / Advanced tab / Virtual Memory / Change / select 'No Paging File' / click 'Set' / click 'Ok'.<br />
<br />
'''NOTE''': Disabling the pagefile is contentious, and the debate around this is unresolved [http://www.codinghorror.com/blog/archives/000422.html] Provided you have a reasonably fast CPU and a decent amount of RAM, you should not encounter any problems. If you do need the paging file for some reason, or your RAM capacity is not sufficient to do without it, you should at least ensure that it is securely wiped when the computer powers off (see Section 1.3.1., below). In addition, the pagefile can be encrypted using a dedicated encryption product, such [http://www.jetico.com BestCrypt].<br />
<br />
====Windows Security Center====<br />
The built-in Security Center and Windows Firewall are highly ineffective. Disable them via the Control Panel, and use a third party Firewall instead (see Section 1.2, below).<br />
<br />
====Windows Privacy Tools====<br />
<br />
In addition to the above steps, you can utilize easy-to-use, one-off, privacy tools to tighten up Windows settings. e.g. [http://privazer.com/ Privazer]<br />
<br />
====Alternative Software====<br />
<br />
Avoid using Microsoft software (e.g. Office, Outlook Express, Internet Explorer, Windows Media Player) so far as possible. Since they are designed to collaborate with one another, most of them leak personal information all over the place. Use open-source alternatives so far as possible (which typically also have the added benefit of being much less resource-hungry). For example, consider using:<br />
*[http://www.openoffice.org Open Office suite] instead of MS Office (Word, Excel, etc). Particularly important for office software is to remember to disable 'auto-save' in the program options – since if you are working on an encrypted file the document may be saved to your drive as plain text during an auto-save.<br />
*[https://www.mozilla.org/thunderbird Thunderbird] or [http://sylpheed.sraoss.jp/en/ Sylpheed] instead of Windows Live Mail<br />
*[https://mozilla.org/firefox Firefox] or [http://www.opera.com Opera] instead of Internet Explorer<br />
*[http://www.videolan.org VLC Media Player] or [http://sourceforge.net/projects/guliverkli/ Media Player Classic] instead of Windows Media Player<br />
*[http://www.foxitsoftware.com/Secure_PDF_Reader/ Foxit PDF Reader] instead of Adobe Acrobat Reader.<br />
<br />
===Avoiding Malware===<br />
<br />
The commonly talked about threats to computer data surround the execution of malevolent code on your PC, in the form of viruses, trojans, spyware, etc. Discussion of this topic usually revolves around damage to your data or identity theft by cyber-criminals for financial gain; but it is also crucial to ensure that you are protected from malware that could benefit other adversaries. One obvious aspect is keylogging software: you can come up with the most complex passwords to protect your data, but if there is a keylogger on your PC capturing each keystroke you enter, the password might become worthless. Equally insidious is the use of 'copware' – malware planted on your PC via LEA pecifically<br />
targeting you [http://www.infiltrated.net/cipav.pimp]. Such software frequently arrives on the target's PC via email attachments. Standard email advice applies, e.g:<br />
<br />
*Disable HTML in your emails – in most webmail and desktop email clients there is an option to do this in the settings (eg. in Thunderbird: 'View' menu / uncheck 'Display attachments inline' and check 'View message body as...plain text')<br />
*Use Anti-Virus software that scans emails as well as files<br />
*Don't open attachments from unknown sources<br />
<br />
In addition, further advice includes:<br />
<br />
*Check regularly for the presence of hardware keyloggers (a small device fitted to your PC designed to record keystrokes as an alternative to software keyloggers). The device will appear inconspicuous, and could, for example, resemble a traditional USB-type plug. Also consider applying a drop of paint (or, e.g. correction fluid) to the screws in the back of keyboards, making it easier to see if the hardware has been tampered with.<br />
*When encrypting data, and where given the option to do so, use 'keyfiles' in addition to passwords. This is an available option with some encryption programs, which enables you to specify a file(s) on your hard-drive (perhaps a photo, for example) that must be entered in addition to a password. This will help protect against keyloggers (though not against malware that also captures mouse-movements).<br />
*If practicable, you could also use an on screen keyboard (OSK) to enter passwords (thereby using the mouse rather than the keyboard).<br />
*Zero-emission pads: Surveillance teams can remotely scan the electromagnetic emissions from your computer monitor, e.g. as you type a passphrase (google TEMPEST for technical details). You can use a replacement text editor that enables you to view and/or edit text in a special font and screen that allegedly 'diffuses the emissions from your computer monitor efficiently enough to defeat TEMPEST surveillance equipment', such as this one [http://geocities.com/phosphor2013/zep.zip]<br />
*So far as security software is concerned, you should have one Firewall, one Anti-Virus (AV) program, and one Anti-Spyware (AS) program, all providing 'real-time' protection. For completeness, you could also install a second AV and/or AS program and/or dedicated anti-trojan software (such as [http://www.misec.net/ TrojanHunter]) – not to operate in 'real-time' (since a software conflict is possible) but just to perform regular scanning of your PC.<br />
:Firewalls, AV and AS vary considerably in effectiveness (as well as in the amount of your PC's resources that they use). Check PC magazines for test results, or check online sources for the most effective protection. Good sources of information are sites such as [http://www.wilderssecurity.com Wilders Security Forums].<br />
<br />
:It is sometimes rumored – though to what extent this is likely is debatable – that major AV/AS companies may turn a 'blind-eye' to copware. Here is one advantage of using standalone products, e.g. separate AV, AS and Firewall software each from a different company, rather than the easier option of relying on a single security suite such as Norton or McAfee. In addition, some software is notorious for 'phoning home' regularly – Zone Alarm, for instance, frequently (more so than necessary) contacts its company's servers without notifying the user. It may therefore be desirable to turn off 'automatic updating', and manually update software at (say) daily intervals; and for persistent software (e.g. Zone Alarm) you can prevent it from contacting its servers by making simple changes to the Windows 'hosts' file [http://labnol.blogspot.com/2006/02/prevent-zonealarm-from-phoning-home.html].<br />
*In counteracting malware, you should also keep an eye on which programs are running on your PC, and whether any software has set itself to startup when you boot Windows. Both can be checked via Windows' built-in tools:<br />
**to view running processes, open Task Manager by right-clicking on the taskbar and selecting the 'processes' tab. You can identify any processes you do not recognize online, by looking them up at sites such as [http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx].<br />
**to check which programs are set to start when you boot Windows, go to Start / Run... then enter “msconfig” in the box (without the quote marks). In the window that appears, the last tab marked 'Startup' lists these items. Many of these are inserted by software, and are unnecessary. To check whether it needs to run at startup, identify the program at the following site: [http://www.sysinfo.org/startuplist.php] and uncheck any that are not needed. (Note, this has the added advantage of substantially reducing the PC's boot time).<br />
:As an alternative to these built-in Windows tools, you could use a freeware program to keep a closer eye on running processes and startup items, such as [http://processhacker.sourceforge.net/ Process Hacker] or [http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Process Explorer]<br />
*Keep up-to-date all your software that uses network connections, such as your browser, anti-virus software, and all security products.<br />
<br />
===Cleaning / Erasing===<br />
Windows stores a vast amount of information about your activities, which should be cleaned up on a regular basis.Note that such traces, along with any files that you chose to get rid of, should be securely erased rather than just deleted. This distinction between 'deleting' and 'erasing/wiping' is a crucial one. Deleting data in the standard way merely makes the data invisible to Windows – it remains on the hard disk until it is overwritten by other data. Instead of deleting, data should be securely 'erased' or 'wiped' (i.e. it is overwritten a number of times with random data so that it becomes unrecoverable).<br />
<br />
====Erasing files====<br />
There are numerous tools available for securely erasing files. One simple, freeware, tool is [https://sourceforge.net/projects/eraser/ (Heidi) Eraser]. This has various features, one of which is to insert itself into your context menu, such that when you right-click a file, you just select 'Erase', and it will wipe the file according to the number of 'passes' that you specify. Another useful feature is 'Erase Secure Move': usually when you move files from one place to another, behind-the-scenes Windows actually copies the file to the new location, then deletes the existing file – which suffers from the above-mentioned issue of the deleted file being recoverable. With the Erase Secure Move option, after the file is copied to the new location, the existing file will be wiped, rather than just deleted.<br />
<br />
'''NOTE''': Eraser can also be set to erase the Windows 'pagefile' on shutdown/restart (see 'Locking down Windows', Section 1.1, above).<br />
<br />
====Erasing disk space====<br />
Files that are deleted automatically by Windows (e.g. temporary files which it has created), or files that have been deleted by the standard method without having been wiped as above, will be simply be hidden in 'free disk space' until overwritten. To ensure that these have been removed, regularly wipe the 'free disk space' on your hard drive – again, Eraser (above) is good for this purpose.<br />
<br />
====Cleaning traces====<br />
Most software stores information about your usage – e.g. Internet browsers keep a record of details such as your browsing history, downloads, and cookies; PDF readers store a history of the last few files you've read; Office products keep a record of recently opened documents and perhaps unusual words used therein; media players store details of recently played files; Windows itself stores temporary files, prefetch data, memory dumps, and so on. A simple way to erase all such tracks in one go is to use dedicated 'cleaning' software. For example, [http://www.piriform.com/ccleaner] is a decent freeware program which will erase these tracks for you. In the settings options, you can select the number of times such traces should be 'wiped', rather than simply deleted.<br />
<br />
'''NOTE (1'''): All decent erasing/wiping/shredding software will allow you to specify the number of times that the data will be overwritten – typically, you can choose to overwrite data once, three times, seven times or thirty-five times, depending on the sensitivity of the data. There is some debate as to whether modern hard drives require as many passes to irrevocably destroy data – Googling this issue will produce much discussion. To be on the safe side, a minimum of three 'passes' is suggested. Naturally, the more 'passes' over the data you select, the longer it will take. Be aware that, say, shredding the entire free disk space on a hard drive (which may be hundreds of gigabytes) will take a significant amount of time.<br />
<br />
'''NOTE (2)''': If wiping data on flash memory (e.g. USB sticks), wiping individual files is insufficient to make them irrecoverable, due to the way such memory writes data. See the special section on USB drives (Section 1.5, below).<br />
<br />
===Encryption===<br />
Broadly-speaking, “computer forensics” involves inspection of the computer hard drive for evidence as part of a legal investigation. In the event that your PC is seized, investigators or other adversaries will search it for the 'activity traces' referred to in the previous section, as well as stored files and documents, and other evidence of how the PC has been used (e.g. checking the Windows Registry for evidence of which USB drives have been used – since details of such devices, including their serial numbers, are stored there). The goal of encryption is to make data unintelligible, so that, even if your data is seized, it cannot be read.<br />
<br />
A brief note on the medium which you may be using: first, there is the hard drive. Typically, Windows will be installed onto partition C of the hard drive (and unless you have created other partitions, this may make up the entire physical drive). Data may also be stored on external, USB hard drives; on flash memory drives (USB sticks / pen drives); on floppy disks, CDs and DVDs. It is important that, on whichever medium you store sensitive data, that data are encrypted.<br />
<br />
====Individual files====<br />
There are numerous tools available to encrypt data, offering various different options. Some software will simply encrypt individual files – they will still be visible on the hard disk, but a password will be required to open them. Other software offers a greater range of options, such as creating a 'vault' on your hard drive of a specific size, into which you can place sensitive files without having to encrypt each file individually.<br />
<br />
[http://truecrypt.ch TrueCrypt] is highly recommended for your encryption needs. It enables both the creation of encrypted files, as well as the ability to encrypt an entire hard drive partition, or an entire device (e.g. a USB stick). It also allows for the creation of 'hidden volumes' – a partition/device can be encrypted, then within this encrypted container a second, encrypted contained is created. This is primarily so that if you are forced to decrypt the 'outer'<br />
volume, on which you might store a few sensitive-looking, but unimportant files, it will not be evident (and cannot be proved) that there is a second, hidden volume. (NB. For various security reasons, encrypting partitions or devices is preferable to encrypting individual files – the<br />
TrueCrypt manual explains these in detail.)<br />
<br />
The advantage of the open-source TrueCrypt over most other encryption software is the 'plausible deniability' aspect. It is impossible to prove that a partition or device encrypted with TrueCrypt is in fact encrypted. Upon forensic analysis, the partition or device appears to simply be filled with random data – as though there is nothing on the partition or device. This is crucial in authoritarian regimes, e.g. the United Kingdom, which has enacted a criminal offense (punishable by up to 2 years, or 10 years in terrorism cases) of 'failing to decrypt' (or provide the password to<br />
enable decryption) when demanded by the authorities. Obviously for such a law to be used against you, it would have to be established that you had some encrypted material in the first place. With a TrueCrypt-encrypted device or partition, this should be impossible to prove.<br />
<br />
'''NOTE''': If you are working with individual encrypted files (rather than storing files in a container or partition) and are using USB flash drives, see Section 1.5 on USB drives below.<br />
<br />
====System Drive / Full Disk / Whole Disk Encryption====<br />
The disadvantage of only encrypting individual files or external devices is that computer forensics can still reveal much about your computer usage from the system partition (the drive on which Windows is installed) and – importantly – sensitive details such as your browsing history, bookmarks, emails, and email contacts addresses, may be accessible. Details of your contacts is one of the first things an adversary will check for, which they will use to 'broaden' their investigation, perhaps by targeting those contacts. There is therefore an obligation to protect not only yourself, but also those with whom you correspond.<br />
<br />
Computer forensics is essentially rendered ineffective by encrypting your entire system drive (typically the C: drive in Windows). This is the ideal position: if the adversary cannot access your hard drive to begin with, you have gone along way to defending your data. The latest versions of TrueCrypt (versions 5.0 and upwards) have an option for encryption of the system drive (or the entire hard drive, if it has more than one partition). It is very simple to use, and will ensure that no one can access your hard drive without first entering the correct password prior to the computer booting (and also makes it more difficult for adversaries to plant data on your hard drive). A detailed reading of the TrueCrypt manual is essential in order to encrypt the system drive effectively.<br />
<br />
One consideration for those in countries in which failure to disclose a password is a criminal offense (just the UK at present, though this will undoubtedly be extended to other countries), is that where your entire hard drive (or just the system drive) is completely encrypted, you lose an element of plausible deniability. TrueCrypt system encryption, for example, stores its 'boot loader' (the information necessary for the computer to boot) on the first cylinder of the hard disk – which will obviously be visible to a forensics team. It is possible to remove the boot loader and instead boot from a CD which has the TC boot loader installed, though obviously this is more inconvenient.<br />
<br />
In any event, whether or not the boot loader is present, it remains the case that it cannot be proved that the hard drive itself is encrypted – the remainder of the drive will still appear as random data. So from this point of view, you are still protected from 'failure to disclose password' laws. Nonetheless, having to explain away an internal hard drive with a TC boot loader, and “nothing else” on it, will be tedious (depending on how convincing you can be that you had “coincidentally, just recently wiped the hard drive”). Therefore it may be felt preferable to use other tactics to increase plausibility.<br />
<br />
One such tactic is to install Windows to an external hard drive, or to a USB stick, and encrypt it with TrueCrypt. You can then keep your 'dummy' Windows installation with no compromising data on the PC's internal hard drive, and boot to the external hard drive or USB stick to use your 'real' Windows. Technically, Windows does not want to be installed to external devices – but it can be achieved. There are numerous guides available on the web; and the project also has a useful forum for resolving issues. For installing Windows to an external device to work, it is necessary that your PC's BIOS is capable of booting to external devices – most recent computers (built in the last few years) can do this, but if you have an older PC, check its ability to do so by doing a web search on its model.<br />
<br />
If utilizing this method, your 'computer' effectively lives on your external device, while you maintain a dummy system on the internal drive. This has the added advantage of portability – your Windows installation can be kept in a secure place when not in use, etc. Again, the TrueCrypt boot loader will reside on the first cylinder of the external device – but it is certainly more plausible to have an external device with “nothing on it” than an internal drive (particularly if you take the extra step of removing the TrueCrypt boot loader and booting the device from a CD).<br />
<br />
'''NOTE''': While the latest version of TrueCrypt (6.0 and upwards) now enables the creation of a hidden, encrypted system drive – by utilizing a 'dummy' system partition, with the real system partition hidden – at the time of writing it is not ideal: to ensure complete plausible deniability it has very stringent requirements, e.g. the real system partition should not be used to access the Internet (which partly defeats the object), files cannot be copied from the real partition to other<br />
media, the dummy partition must be accessed regularly to make it appear plausible, etc. It may be felt that until a more substantive hidden operating system is available, this latest feature should be used circumspectly.<br />
<br />
===Security Note on USB Drives and Wear-Leveling===<br />
When writing data to a USB flash drive, a PC uses a 'logical address' on the drive. However, this logical address is distinct from the flash drive's 'physical block address' – since most USB flash drives use a 'wear leveling' technique. Wear leveling – i.e. shifting data around the physical blocks of the flash drive – prevents the same physical block being used over and over (in order to preserve the life of the USB drive).<br />
<br />
Consequently, any time updated or new data are written to the flash drive, such data will be written to a new physical block, regardless of the address of the old block, and any old/amended data is just deleted (not wiped).<br />
<br />
This raises a number of security issues, e.g:–<br />
<br />
#Securely wiping' (e.g. with Eraser) an individual file on a flash drive is potentially ineffective, since the random data that is used to overwrite could be written to a different physical block; the existing data will simply be deleted, rather than wiped.<br />
#Encrypting individual files could potentially suffer similar problems – e.g. when decrypting a file, amending it, then re-encrypting it.<br />
<br />
These issues can be resolved by either securely wiping the entire flash drive (not just wiping individual files) or by encrypting the entire flash drive (rather than encrypting individual files on it) – since then it makes no difference to which physical block the new data is being written.<br />
<br />
Ideally the latter approach should be used for all USB flash drives on which sensitive data is placed – encrypt or wipe the entire USB drive – as necessary. For any existing USB flash drives on which this approach has not been taken, it would be advisable to format and wipe the USB drive completely, then start using it afresh with this 'entire USB drive' approach.<br />
<br />
===Other Methods===<br />
There are of course many, many alternatives to the security suggestions outlined above, such as using any or all of the following:<br />
<br />
====Live CDs====<br />
Live CDs are an excellent alternative to encrypting the entire system drive. Essentially, an entire operating system (usually Linux-based) is on the CD, and whenever you want to boot to your OS, you simply boot the CD rather than booting to your hard disk. Should you not want to encrypt your hard drive, you could use the OS on there for all non-sensitive tasks, and use the Live CD for Internet access / other sensitive tasks.<br />
<br />
Running an operating system from a Live CD means that the PC's hard drive does not get used at all – and is therefore not subject to problems of leaving behind 'traces' to be recovered by forensics. There are some limitations with Live CDs e.g. a limited range of software can be run from them, and since the CD is read-only (as the point is not to save any data, which could be recovered!) any data you do want to save while working within the CD, or settings you want to keep, should be saved to an (encrypted) USB drive. Its simplicity ensures that this remains an attractive alternative, and it is worth keeping an eye on developments in this area. For some examples of Live CDs, see [http://susestudio.com/ Suse Studio] on how to create your own custom live bootable CD or see http://www.privacylover.com/anonymous-live-cd-list/ for a list of pre-built, mostly Linux-based alternatives.<br />
<br />
An excellent example of a pre-built option is the [https://tails.boum.org Tails Live CD] – this an operating system on a CD which is pre-configured to use the Tor network for all Internet access – including emails and web browsing.<br />
<br />
====Portable Applications====<br />
If installing an entire operating system to an external drive/USB stick, or using a Live CD, are not desired options, another alternative is to use 'portable applications' – standalone versions of existing software that can be run from a USB stick and do not save files or settings to your hard drive in the way that regular applications do. The idea is simply to prevent data being saved to your hard drive – the application files and data (including settings such as bookmarks, emails, etc), will be stored entirely on the USB device (which could be encrypted using a program such as TrueCrypt). See, for example, http://portableapps.com/ for an entire portable suite of software (including commonly-used programs such as Firefox, Thunderbird, Open Office, etc.).<br />
<br />
The use of portable applications may prove a practical and easy method of protecting your most sensitive data without going to the lengths of full disk encryption. One drawback is that there will still be traces of the USB drive having been used on that PC, and any monitoring software (firewalls, AV, etc.) is likely to have a record of an application on the USB drive (eg Firefox) having been run, which you might be called upon to explain. Nevertheless, this is an inconvenience more than anything, and so long as the USB stick itself is encrypted, the data will be safe. To increase the protection, this method could be combined with the following option.<br />
<br />
====System Drive Emulation software====<br />
Such software effectively prevents data being written to your hard drive by creating a clone of the system partition (typically drive C: in Windows – which includes system files, page file, registry files, application data and program files, etc.) as it looks when it is booted, in the computer's RAM. Once the system is shut down/restarted, this clone will be restored, thereby returning your system drive to the position it was before any data was written. An example of such software is the freeware program [http://www.toolwiz.com/products/toolwiz-time-freeze/ Toolwiz Time Freeze]. Simple to use, it is 'switched on' when necessary, and from that moment nothing that takes place (programs installed, software used, etc.) is permanently recorded; all normal computer operations appear to take place, but in fact these changes only take place for the duration of the session – upon restarting the PC there is no evidence that any such activity has occurred.<br />
<br />
With reference to the previous item – Portable Applications – an advantage of using combining drive emulation software with running portable apps from a USB drive would be that, once the PC was shut down/restarted, there would be no evidence of the applications on the USB stick (eg Firefox) ever having been run (and further, no evidence that the USB stick was ever plugged into that computer).<br />
<br />
====Virtual Machines====<br />
Another alternative to running a separate installation of Windows on an encrypted device is to employ a virtual machine. Such software (e.g. VirtualBox, at www.virtualbox.org) enables you to create a virtual operating system on your existing computer. In this way, you could run a dummy copy of Windows (or any other OS) on the main hard drive, then boot to a virtual copy of Windows which could reside in an encrypted file or partition on the hard drive. One drawback of this technique (other than the additional system resources / RAM consumption it requires) is that it is not guaranteed that traces of the virtual systems may not still appear in the 'real' system, since the two systems share some resources (and frequently, a network connection).<br />
<br />
==Protecting data while in transit over networks (Internet, Email, etc)==<br />
Whenever data is on the move – whether in the form of sending/receiving email, surfing the web, chat, downloading via P2P, viewing streaming media files, etc – it is at risk of interception. Data is transferred via different protocols (e.g. 'http' for web traffic, 'pop3' or 'smtp' for email, 'ftp' for some file uploads/downloads, etc). All the 'standard' forms of protocol (including those just mentioned) are sent over networks in plain text format – meaning that the data is visible to anyone who intercepts the traffic (your ISP, crackers, LEA, etc). The goal is therefore to utilize methods of secure communication so far as possible, irrespective of the data that is being transferred.<br />
<br />
===Email===<br />
Most commercial email addresses (including any email addresses supplied by your ISP) typically use insecure protocols. This will be apparent by checking the ports they use to communicate. If you use a desktop email client (eg. Outlook, Outlook Express, Eudora, Thunderbird) you will find this information under the 'Settings' option. If your email communicates via standard ports (usually port 110 for POP3 (i.e. incoming email) and port 25 for SMTP (i.e. outgoing email), it is being transmitted unencrypted – and therefore potentially visible to everyone.<br />
<br />
There are various techniques that can be employed to enhance the security of your emails:<br />
<br />
*Check your email provider's website to see if they offer an encrypted option (i.e. sending and receiving email via SSL (secure socket layer)). Usually this will simply be a matter of changing the port used in your email client's account settings – e.g. changing the ports to ports 995 (SSL POP) and 465 (SSL SMTP).<br />
*Avoid using email addresses provided by an ISP, and instead use dedicated email providers, such as Fastmail,Hushmail, SafeMail, and so on. Examples of such providers can be found in Section 3 below, or at [http://epic.org/privacy/tools.html EPIC's website]. Specialized email providers enhance your security by limiting the amount of information transferred to the recipient in the hidden email 'header' – which in the case of standard email providers (ISPs, Hotmail, etc) provide the recipient with far too much information, such as the IP address of your computer, the operating system that you use, and even which email client you used to send the email).<br />
*Use a dedicated form of email encryption, such as PGP. This utilizes public key encryption – the drawback being that the people with whom you communicate must also use public key encryption. Encourage others that you correspond with to do this. See 2.1.1. for more information.<br />
*Anonymous Remailers can be used to conceal from the recipient the origin of the email (see Section 2.3 for further details).<br />
<br />
====PGP====<br />
In 'public key' cryptography, two different keys are used: one key is secret and the other is made public. Anybody sending you an email simply encrypts their message to you using your public key. The public key is obviously not secret – in fact it may be spread widely so that anybody can find it if they wish to send you encrypted email (you can upload the key to a public key server to do this; though you may prefer just to give your public key to specific correspondents). The only way to decrypt an incoming message is with your secret key. The process works in reverse when sending email: you encrypt an email using the recipient's public key, which only they can decrypt using their<br />
private key.<br />
<br />
The original, and most well-known, program of this type is PGP, invented by Phil Zimmerman. There is now an OpenPGP standard, with which all software using public key cryptography should comply. Consequently, other programs are becoming popular, such as the open-source [http://gnupg.org/ GNU Privacy Guard (GnuPG)], which is OpenPGP compliant and compatible with other Open PGP tools (including PGP itself).<br />
<br />
After downloading the software, you simply use it to create a pair of keys – one public and one secret key. The public key can then be given to your correspondents which they will use to encrypt messages to you, which you can then decrypt using your private key. There are some programs which make the process of encrypting/decrypting easier via the use of 'add-ons'. Some email clients (e.g. Thunderbird) have add-ons (e.g. [http://www.enigmail.net/ Enigmail], which takes care of the encryption/decryption process on your behalf; the Firefox browser also has an add-on (see [http://www.mailvelope.com/ MailVelope) which enables you to easily encrypt text for pasting into a website, for example.<br />
<br />
===Web-Surfing===<br />
Whenever you request a web page via your Internet browser, in very basic terms what is happening is this: your browser sends the request for data to the server hosting that website, which then replies, and transfers the data to your computer, which is then recreated in your browser. Consequently, any request you make (whether by clicking on a link, or manually entering the site address) is transferred over the Internet via standard protocols (see introduction to this section, above) – typically for the Internet this will be http.<br />
<br />
Accordingly, this request for a particular web page is sent over the networks in plain text and so will be visible to anyone who is monitoring your activity (e.g. your ISP or other adversaries), and also reveals to the site you are visiting information about who you are (your computer's unique IP address) and information about your computer (which browser you use, what language/location settings you use, what the current time is on your PC, etc). In addition, in order to find that site, your browser needs to translate the address of the web page (e.g. (“amazon.com”) into its numeric equivalent – which it does by consulting a domain name (DNS) server. In a standard home Internet connection, the DNS server will be owned by your ISP – so the ISP has a second method of recording which sites you visit. Note that you can change your DNS server to one not owned by your ISP: see [http://www.opendns.com/ OpenDNS] for the relevant address to use.<br />
<br />
The upshot of the above is clear: both the site you visit, and your ISP (and anyone intercepting), knows the unique IP address assigned to your computer, and what data you are viewing. To avoid this, various options are available to 'anonymize' and/or encrypt your web surfing:<br />
<br />
====Free proxies====<br />
<br />
This is the weakest level of 'anonymity' – these are sites (e.g. http://www.kproxy.com/) which enable you to access another site, hiding your computer IP address, e.g. your request is sent to the 'end' site using the proxy IP as an intermediary. In that a case, the site you ultimately visit believes the request for data emanated from the proxy site and not from your computer. This does not protect you against surveillance by your ISP, and the data transferred is typically unencrypted and therefore visible to anyone else monitoring your connections, the proxy administrator can also log everything you do and turn over those logs if pressured to do so.<br />
<br />
====Commercial software====<br />
These are companies (e.g. Anonymizer, see Section 3 for an extensive list) which provide software which effectively bypasses surveillance from your ISP by creating an encrypted 'tunnel' between your computer and that company's server. In practice, this means that before making the data transfer from your PC (in the form of, say, a request for a web page), the software will encrypt this request, and then direct it to be forwarded from your ISP's servers to the proxy company's server. When it reaches the latter, the request will be decrypted and forwarded on to the relevant website. When that website returns the data, the reverse will take place. The effect of this is that:<br />
<br />
#your ISP cannot see which websites you are accessing – all it can see is that you are communicating with the company's server, not which websites you visit thereafter. (So if you were surfing the web for (say) 3 hours, from your ISP's point of view, they could see that traffic was passing back and forwards to your PC, but you would only appear to be receiving traffic from one address (the proxy company's server), and the contents of that traffic would be encrypted)<br />
#the website you are visiting cannot see who you are – since as far as they know, they are receiving the request for data from the proxy company's server, and simply return it to that server.<br />
<br />
The weak link in this chain will be apparent. While you are protected from your ISP, and from the websites you visit, the commercial proxy company knows who you are and (potentially, if they keep logs, what you are doing). The significance of this will vary according to the circumstance. If the sites you are visiting are merely sensitive (rather than illegal in your jurisdiction), the fact that the commercial proxy knows what you are doing is of little importance (particularly if – as recommended – you chose one in a different jurisdiction to your home country). You may, for example, simply not want your ISP to know that you visit boychat.org. The commercial proxy would be adequate for such uses.<br />
<br />
Check the terms and conditions of the commercial proxy company – in particular, whether they keep logs of your activity (for example, some log everything; some do not log origin and destination, but only record the quantity of data passing through, etc). Also, check which forms of data they will support – some commercial proxies will only encrypt Internet traffic (the http protocol), others (genuine 'VPNs') will encrypt all forms of protocol (whether it is Internet, email, file-sharing, etc). For additional security, look for a commercial proxy that offers anonymous payment methods and, ideally, is outside the US/EU.<br />
<br />
In summary: the advantage of using a commercial proxy is that it gives you a level of protection from monitoring by your ISP, and from the sites you visit, and generally you suffer little or no loss of speed in browsing. A potential disadvantage is that the commercial proxy knows who you are. For this reason, when accessing more sensitive sites, you may wish to employ other methods, such as Tor.<br />
<br />
====Tor====<br />
The basic idea of [http://www.torproject.org/ Tor] is to protect your privacy by disguising the route of data to and from your PC, as well as encrypting the traffic.<br />
<br />
Broadly-speaking, the Tor software will create a chain of at least 3 proxies, through which your data will pass – each interim stage in this chain only knows who sent the data to it (the previous proxy) and who it should forward data to (the next proxy in the chain).<br />
<br />
Effectively, this means that if you want to visit, say, Site A, Tor will encrypt this request, and pass it to the first link in the chain (Proxy 1), with encrypted instructions on where to send it thereafter. Proxy 1 will forward the encrypted request to Proxy 2, Proxy 2 will forward it to Proxy 3, etc. Thus, Proxy 1 only knows Proxy 2, Proxy 2 only knows Proxy 1 and Proxy 3, Proxy 3 only knows Proxy 2. The final link in this chain (known as the 'exit node') transfers the request to your ultimate destination (Site A). The process is then repeated in reverse. From the point of view of the user, this process happens invisibly – once the software is up and running, you merely use your browser as normal.<br />
<br />
(It should be noted at this point that once the data leaves the final link in the chain, it is no longer encrypted – at least until data is returned from your final destination to the first link in the return journey. This is only really significant if you are providing identifying information, e.g. entering a password into a webmail server – since then it is apparent that the request has come from you).<br />
<br />
The obvious advantage of this procedure is that there is no commercial proxy in the middle. No single point in the chain knows both you and your ultimate destination. This is arguably the most secure form of anonymizing web traffic. <br />
<br />
Some disadvantages are:<br />
<br />
#There is an initial learning curve with Tor – nevertheless, there is extensive documentation on the Tor website to assist with this, and once you have set it up and used it a few times, it becomes second nature.<br />
#As part of this learning curve, it is crucial that you configure your browser correctly, and a second piece of software – e.g. Privoxy – should be used to filter data such as your computer's DNS requests (see above) over the Tor network. Again: this is not as complicated as it sounds in abstract, and is made easier for Windows users by the GUI package (Vidalia) which includes all the necessary software (including Privoxy, and a quick-configuration button for Firefox users).<br />
#It should also be pointed out that when using Tor, your browsing will be slowed considerably – which is to an extent inevitable given the number of different servers the traffic passes through, each of which may have different bandwidth allotments. Tor will therefore be unsuitable for downloading large files (and possibly streaming data, such as Youtube or other streaming media). Its primary use will be for visiting particularly sensitive websites.<br />
#Related to the previous point, at the present time Tor only encrypts limited forms of protocol – primarily http traffic – which effectively limits its use to visiting web sites.<br />
#There have been a number of stories about breaching Tor's anonymity. Such instances tend to be a consequence of user implementation, rather than any flaw in Tor itself. More specifically, when using Tor, ensure that Javascript is disabled in your browser (since it is due to malicious scripts that Tor can be compromised. This can be done manually (in Firefox, go to Tools / Options / Content / uncheck 'enable Javascript'), or through the use of an Add-on such as [https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript], which automatically blocks scripts unless you permit them on a sire-by-site basis.<br />
<br />
It will be clear from the above consideration of Email and Web Surfing that there is no 'perfect' solution to online anonymity. Experts would say that 'true' anonymity is impossible. As long as you are transferring data from one computer to another over a network, there will be attempts made to intercept or track that data content and movement. Nonetheless, utilizing a combination of the above methods, depending on the circumstances and the sensitivity of your activities, offers significant protection against surveillance.<br />
<br />
'''NOTE''': Regardless of whether an anonymous connection is used, your browser should be as secure as possible, since there are numerous browser vulnerabilities that can expose your PC to malware. Javascript, Flash, Shockwave objects – all of these can compromise your anonymity. Firefox is highly recommended as a more secure browser than Internet Explorer, and can be further customized with Add-ons to increase security. NoScript, referred to above, is particularly desirable. Other security-related Add-ons are referred to in the Links section, below.<br />
<br />
===Other Network Usage (Chat, Anonymous Remailers, File-Sharing)===<br />
Similar anonymity considerations apply to any form of network activity, including Chat, P2P/File-Sharing, Usenet, etc. Typically, all such traffic is carried unencrypted over public networks, and is therefore capable of surveillance by the ISP and interception from other adversaries. Wherever possible, utilize security and anonymity tools to protect the privacy of such data.<br />
<br />
*For chat/IM, [https://otr.cypherpunks.ca OTR (Off The Record)] is an excellent plugin. Even if your contacts' private keys are determined, your private conversations are not compromised.<br />
*For posting messages on Usenet, consider using an anonymous remailer, which forwards messages without revealing where they originally came from. Anonymous remailers utilize the same 'onion router' principle behind Tor: they remove personal data from the message, encrypt it, and pass it through a chain of 'post offices' until the last remailer in the chain forwards the message to the recipient. As with Tor, the idea is to make the message untraceable to the sender.<br />
:The main issue with remailers is whether/how a recipient can reply to the message, given that its source is untraceable. Different types of remailers handle this differently. 'Pseudonymous remailers' are the most basic: they are typically unencrypted, and merely apply a pseudonym to the sender and forward the message to the recipient, who can then reply via the remailer. 'Cypherpunk remailers' typically encrypt the message and pass it through numerous hops on the chain to the recipient; generally the recipient cannot reply to such messages. 'Mixmaster' and 'Mixminion' remailers offer more advanced features, and seek to address issues such as the capacity for the recipient to reply to a message that has come from an 'untraceable' source. These generally require dedicated software.<br />
:One example of such software is OmniMix: http://www.danner-net.de/om.htm, which is designed for Windows, and can be used to send email and Usenet postings through the Mixmaster anonymous remailer network. OmniMix is straightforward to install, and can also be run from a removable device such as a USB stick.<br />
*When downloading from file-sharing networks (e.g. Limewire, Shareaza, etc.), it is important to know that not only is the traffic unencrypted (and therefore visible to, e.g. your ISP), your IP address is made available to anyone you are sharing with – and there is every possibility that the latter could be LEA or other adversary. A new breed of 'anonymous' networks are continually being developed, which generally seek to utilize the onion routing principle – traffic is encrypted and the origin/destination of the requested file are proxied. For examples of these, see:<br />
**[http://freenetproject.org/ Freenet]<br />
**[http://www.gnunet.org/ GNU Net]<br />
<br />
For a more detailed comparison of the different programs available, see http://www.zeropaid.com/software/file-sharing/ and http://www.anonymous-p2p.org/programs.html<br />
<br />
==Useful Links==<br />
'''NOTE''':Inclusion of links should not be taken to imply endorsement of particular software<br />
<br />
===Cleaning traces, erasing and general encryption software===<br />
<br />
*[http://www.piriform.com/ccleaner CCleaner] - Shreds/wipes sensitive traces of Internet activity<br />
*[http://sourceforge.net/projects/eraser/ Heidi Eraser] - Secure erasing software for individual files and free disk space<br />
*[http://www.dban.org/ Darik's Boot and Nuke (DBAN)] - Boot disk that does a government-standard wipe of hard drives<br />
*[http://www.truecrypt.ch TrueCrypt] - Open source encryption software<br />
*[http://diskcryptor.net/] - Full disk encryption software<br />
*[http://www.jetico.com BestCrypt] - Commercial encryption software<br />
<br />
===Email providers, remailers, and email encryption===<br />
<br />
*[https://protonmail.ch ProtonMail] - Free email provider in Switzerland<br />
*[http://www.unseen.is Unseen.is]- Email provider with encryption in Iceland<br />
*[https://addons.mozilla.org/en-US/thunderbird/addon/torbirdy/ TorBirdy] - Thunderbird addon to send email using tor<br />
*[http://www.anonymousspeech.com Anonymous Speech] - Email provider with PGP encryption<br />
*[http://www.cotse.net Cotse] - Email, SSH tunnel and VPN provider<br />
*[https://emailselfdefense.fsf.org The PGP Faq] - email self-defence guide<br />
*[http://www.gnupg.org GnuPG] - Linux/Windows email encryption<br />
*[http://www.goanywheremft.com/products/openpgp OpenPGP Desktop] - OpenPGP Go Anywhere<br />
*[http://www.enigmail.net/ Enigmail]- Plugin for Thunderbird Email client to manage encryption<br />
*[http://quicksilvermail.net QuickSilver] - email remailer client<br />
*[http://www.danner-net.de/om.htm OmniMix] - anonymous remailer<br />
*[https://otr.cypherpunks.ca OTR (Off The Record)]- a plugin for encyrypting chat/IM<br />
<br />
===Anonymity online===<br />
<br />
*[http://www.torproject.org/ Tor proxy] - Anonymous Internet browsing with hidden sites<br />
*[https://geti2p.net/ I2P Network] – Anonymity, similar to Tor<br />
*[http://cyberghostvpn.com/ CyberGhost VPN] - Commercial VPN with free option<br />
*[http://www.securitykiss.com/ Security Kiss] – Commercial VPN with free option<br />
*[http://anonymous-proxy-servers.net/ JonDoNym] - Commercial VPN<br />
*[https://www.perfect-privacy.com/ Perfect Privacy] – Commercial VPN<br />
*[http://www.opendns.com/ OpenDNS] - set your DNS addresses using OpenDNS, instead of using your ISP's DNSs.<br />
*[http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/ TorrentFreak] - List of VPN services with strong privacy<br />
<br />
<br />
'''NOTE''': When purchasing commercial products, ensure you check the providers' terms & conditions, particularly regarding their jurisdiction, privacy, reporting and logging policies. Do some research on the different companies' products, e.g. by searching their name at Wilders Security Forums. Use alternative methods of payment wherever possible, such as using prepaid web money/debit cards that you don't need ID to buy.<br />
<br />
===Firefox add-ons===<br />
<br />
*[https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript]- Many browser security holes are related to Javascript. Block scripts entirely, until permitted on a site-by-site basis.<br />
*[https://addons.mozilla.org/en-US/firefox/addon/flashblock/ FlashBlock] - Blocks flash content until you permit it<br />
*[https://addons.mozilla.org/en-US/firefox/addon/refcontrol/ Refcontrol] - Blocks or fakes your referrer ID<br />
*[https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy] - Easy proxy management<br />
*[https://addons.mozilla.org/en-US/firefox/addon/anonymox/ AnonymoX] - Change computer IP proxy addon<br />
*[https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ BetterPrivacy] - It removes hard to erase Flash cookies<br />
<br />
===Miscellaneous privacy/security software===<br />
<br />
*[http://keepass.info/ KeePass] - Open-source password manager<br />
*[http://www.nirsoft.net/utils/cports.html CurrPorts] - See your open ports<br />
*[http://www.nirsoft.net/utils/cprocess.html CurrProcess] - See info about processes running in your computer<br />
*[http://windirstat.info/ WinDirStat] - disk usage statistics viewer and cleanup tool<br />
*[http://www.7-zip.org/ 7-zip] - compression & encryption tool<br />
*[http://www.sandboxie.com Sandboxie] – run your browser inside a 'sandbox' to prevent malware from gaining access to your system<br />
<br />
*Pre-paid web money: see http://www.bitcoin.org and [http://www.paysafecard.com PaySafeCard](EU)<br />
<br />
===Sources for technical advice/support===<br />
<br />
*[http://www.wilderssecurity.com Wilders Security Forums]- Information related to security, privacy and anonymity<br />
*[https://en.boywiki.org/wiki/Category:Technology BoyWiki Technology] - Boylover Wiki Technology section<br />
*An old BoyChat post with useful advice on how not to accidentally out yourself: https://www.boychat.org/messages/1107524.htm<br />
<br />
<u>'''FINAL NOTE'''</u>: If you follow the procdures outlined in this guide, you will be a long way to protecting yourself -- but please remember that there is no such thing as 100% computer security. Stay safe.<br />
<br />
'''<u>Disclaimer</u>: All material provided in this guide is intended as introductory guidance only, and should not be used as an alternative to undertaking your own research. No representation is made as to the current accuracy of the information and links provided.'''<br />
<br />
[[Category:Advice]]<br />
[[Category:Archival]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_to_Computer_Security_(Archive)&diff=9874Guide to Computer Security (Archive)2021-12-08T14:34:15Z<p>Time Has Passed: Reverted edits by Time Has Passed (talk) to last revision by The Admins</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>'''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after a consultation with the [[Newgon.com]] forum community. It explains how you can protect data stored on your hard drive and stay anonymous on the internet. The guide should be read by anyone who has a special interest in avoiding the scrutiny of [[Vigilantism|cyber-vigilantes]] and corrupt law enforcement officers. It should ''not'', however be seen as a vital first step to participation in [[Newgon.com]] or any similar websites.<br />
<br />
The 2008 guide (currently identical to the wiki version) can be downloaded as a PDF here: [[Media:Guide_to_Computer_Security.pdf|Guide to Computer Security]]<br />
<br />
==Protecting data stored on your hard drive==<br />
<br />
===Locking down Windows===<br />
Windows at its default settings is an insecure operating system. Having been designed for mass<br />
consumer/commercial usage, it tries to be all things to all people. Consequently, it has a tendency to run unnecessary services, store/hide private information in numerous, often hidden, locations, and exposes your PC to unnecessary security risks.<br />
<br />
====Disable unneeded services====<br />
Many of the services in Windows are unnecessary, and some are security risks (e.g. the 'Remote Registry' service, which permits third party network access to the computer's system settings). There are numerous online guides giving advice as to which services you can safely disable. [http://www.prestwood.com/aspsuite/kb/document_view.asp?qid=100274]<br />
<br />
====System Restore points==== <br />
By default, Windows saves a backup of your system settings at regular intervals (and therefore may store information that is ideally kept sensitive) in case you need to roll-back the system to an earlier point in time. Most computer problems can be fixed via other methods however, and if you don't use/need System Restore you can disable it (via Control Panel / System / System Properties / System Restore tab).<br />
<br />
====Hibernation====<br />
If you don't use hibernation, ensure that this is disabled, since otherwise it will intermittently save anything that you are currently working on to your hard drive in plain text form – even encrypted documents – which could later be retrieved. (Control Panel / Power Options / Hibernate tab / uncheck 'Enable Hibernation').<br />
<br />
====Pagefile/Swapfile====<br />
By default, Windows creates a file on your hard drive (pagefile.sys) which it uses as additional computer memory, and it shifts running processes to this file on the hard drive when necessary. Many modern PCs have sufficient RAM (e.g. over 1 GB) not to need this file. You can disable it via Control Panel / System / Advanced tab / select 'Settings' button under the 'Performance' heading / Advanced tab / Virtual Memory / Change / select 'No Paging File' / click 'Set' / click 'Ok'.<br />
<br />
'''NOTE''': Disabling the pagefile is contentious, and the debate around this is unresolved [http://www.codinghorror.com/blog/archives/000422.html] Provided you have a reasonably fast CPU and a decent amount of RAM, you should not encounter any problems. If you do need the paging file for some reason, or your RAM capacity is not sufficient to do without it, you should at least ensure that it is securely wiped when the computer powers off (see Section 1.3.1., below). In addition, the pagefile can be encrypted using a dedicated encryption product, such [http://www.jetico.com BestCrypt].<br />
<br />
====Windows Security Center====<br />
The built-in Security Center and Windows Firewall are highly ineffective. Disable them via the Control Panel, and use a third party Firewall instead (see Section 1.2, below).<br />
<br />
====Windows Privacy Tools====<br />
<br />
In addition to the above steps, you can utilize easy-to-use, one-off, privacy tools to tighten up Windows settings. e.g. [http://privazer.com/ Privazer]<br />
<br />
====Alternative Software====<br />
<br />
Avoid using Microsoft software (e.g. Office, Outlook Express, Internet Explorer, Windows Media Player) so far as possible. Since they are designed to collaborate with one another, most of them leak personal information all over the place. Use open-source alternatives so far as possible (which typically also have the added benefit of being much less resource-hungry). For example, consider using:<br />
*[http://www.openoffice.org Open Office suite] instead of MS Office (Word, Excel, etc). Particularly important for office software is to remember to disable 'auto-save' in the program options – since if you are working on an encrypted file the document may be saved to your drive as plain text during an auto-save.<br />
*[https://www.mozilla.org/thunderbird Thunderbird] or [http://sylpheed.sraoss.jp/en/ Sylpheed] instead of Windows Live Mail<br />
*[https://mozilla.org/firefox Firefox] or [http://www.opera.com Opera] instead of Internet Explorer<br />
*[http://www.videolan.org VLC Media Player] or [http://sourceforge.net/projects/guliverkli/ Media Player Classic] instead of Windows Media Player<br />
*[http://www.foxitsoftware.com/Secure_PDF_Reader/ Foxit PDF Reader] instead of Adobe Acrobat Reader.<br />
<br />
===Avoiding Malware===<br />
<br />
The commonly talked about threats to computer data surround the execution of malevolent code on your PC, in the form of viruses, trojans, spyware, etc. Discussion of this topic usually revolves around damage to your data or identity theft by cyber-criminals for financial gain; but it is also crucial to ensure that you are protected from malware that could benefit other adversaries. One obvious aspect is keylogging software: you can come up with the most complex passwords to protect your data, but if there is a keylogger on your PC capturing each keystroke you enter, the password might become worthless. Equally insidious is the use of 'copware' – malware planted on your PC via LEA pecifically<br />
targeting you [http://www.infiltrated.net/cipav.pimp]. Such software frequently arrives on the target's PC via email attachments. Standard email advice applies, e.g:<br />
<br />
*Disable HTML in your emails – in most webmail and desktop email clients there is an option to do this in the settings (eg. in Thunderbird: 'View' menu / uncheck 'Display attachments inline' and check 'View message body as...plain text')<br />
*Use Anti-Virus software that scans emails as well as files<br />
*Don't open attachments from unknown sources<br />
<br />
In addition, further advice includes:<br />
<br />
*Check regularly for the presence of hardware keyloggers (a small device fitted to your PC designed to record keystrokes as an alternative to software keyloggers). The device will appear inconspicuous, and could, for example, resemble a traditional USB-type plug. Also consider applying a drop of paint (or, e.g. correction fluid) to the screws in the back of keyboards, making it easier to see if the hardware has been tampered with.<br />
*When encrypting data, and where given the option to do so, use 'keyfiles' in addition to passwords. This is an available option with some encryption programs, which enables you to specify a file(s) on your hard-drive (perhaps a photo, for example) that must be entered in addition to a password. This will help protect against keyloggers (though not against malware that also captures mouse-movements).<br />
*If practicable, you could also use an on screen keyboard (OSK) to enter passwords (thereby using the mouse rather than the keyboard).<br />
*Zero-emission pads: Surveillance teams can remotely scan the electromagnetic emissions from your computer monitor, e.g. as you type a passphrase (google TEMPEST for technical details). You can use a replacement text editor that enables you to view and/or edit text in a special font and screen that allegedly 'diffuses the emissions from your computer monitor efficiently enough to defeat TEMPEST surveillance equipment', such as this one [http://geocities.com/phosphor2013/zep.zip]<br />
*So far as security software is concerned, you should have one Firewall, one Anti-Virus (AV) program, and one Anti-Spyware (AS) program, all providing 'real-time' protection. For completeness, you could also install a second AV and/or AS program and/or dedicated anti-trojan software (such as [http://www.misec.net/ TrojanHunter]) – not to operate in 'real-time' (since a software conflict is possible) but just to perform regular scanning of your PC.<br />
:Firewalls, AV and AS vary considerably in effectiveness (as well as in the amount of your PC's resources that they use). Check PC magazines for test results, or check online sources for the most effective protection. Good sources of information are sites such as [http://www.wilderssecurity.com Wilders Security Forums].<br />
<br />
:It is sometimes rumored – though to what extent this is likely is debatable – that major AV/AS companies may turn a 'blind-eye' to copware. Here is one advantage of using standalone products, e.g. separate AV, AS and Firewall software each from a different company, rather than the easier option of relying on a single security suite such as Norton or McAfee. In addition, some software is notorious for 'phoning home' regularly – Zone Alarm, for instance, frequently (more so than necessary) contacts its company's servers without notifying the user. It may therefore be desirable to turn off 'automatic updating', and manually update software at (say) daily intervals; and for persistent software (e.g. Zone Alarm) you can prevent it from contacting its servers by making simple changes to the Windows 'hosts' file [http://labnol.blogspot.com/2006/02/prevent-zonealarm-from-phoning-home.html].<br />
*In counteracting malware, you should also keep an eye on which programs are running on your PC, and whether any software has set itself to startup when you boot Windows. Both can be checked via Windows' built-in tools:<br />
**to view running processes, open Task Manager by right-clicking on the taskbar and selecting the 'processes' tab. You can identify any processes you do not recognize online, by looking them up at sites such as [http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx].<br />
**to check which programs are set to start when you boot Windows, go to Start / Run... then enter “msconfig” in the box (without the quote marks). In the window that appears, the last tab marked 'Startup' lists these items. Many of these are inserted by software, and are unnecessary. To check whether it needs to run at startup, identify the program at the following site: [http://www.sysinfo.org/startuplist.php] and uncheck any that are not needed. (Note, this has the added advantage of substantially reducing the PC's boot time).<br />
:As an alternative to these built-in Windows tools, you could use a freeware program to keep a closer eye on running processes and startup items, such as [http://processhacker.sourceforge.net/ Process Hacker] or [http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Process Explorer]<br />
*Keep up-to-date all your software that uses network connections, such as your browser, anti-virus software, and all security products.<br />
<br />
===Cleaning / Erasing===<br />
Windows stores a vast amount of information about your activities, which should be cleaned up on a regular basis.Note that such traces, along with any files that you chose to get rid of, should be securely erased rather than just deleted. This distinction between 'deleting' and 'erasing/wiping' is a crucial one. Deleting data in the standard way merely makes the data invisible to Windows – it remains on the hard disk until it is overwritten by other data. Instead of deleting, data should be securely 'erased' or 'wiped' (i.e. it is overwritten a number of times with random data so that it becomes unrecoverable).<br />
<br />
====Erasing files====<br />
There are numerous tools available for securely erasing files. One simple, freeware, tool is [https://sourceforge.net/projects/eraser/ (Heidi) Eraser]. This has various features, one of which is to insert itself into your context menu, such that when you right-click a file, you just select 'Erase', and it will wipe the file according to the number of 'passes' that you specify. Another useful feature is 'Erase Secure Move': usually when you move files from one place to another, behind-the-scenes Windows actually copies the file to the new location, then deletes the existing file – which suffers from the above-mentioned issue of the deleted file being recoverable. With the Erase Secure Move option, after the file is copied to the new location, the existing file will be wiped, rather than just deleted.<br />
<br />
'''NOTE''': Eraser can also be set to erase the Windows 'pagefile' on shutdown/restart (see 'Locking down Windows', Section 1.1, above).<br />
<br />
====Erasing disk space====<br />
Files that are deleted automatically by Windows (e.g. temporary files which it has created), or files that have been deleted by the standard method without having been wiped as above, will be simply be hidden in 'free disk space' until overwritten. To ensure that these have been removed, regularly wipe the 'free disk space' on your hard drive – again, Eraser (above) is good for this purpose.<br />
<br />
====Cleaning traces====<br />
Most software stores information about your usage – e.g. Internet browsers keep a record of details such as your browsing history, downloads, and cookies; PDF readers store a history of the last few files you've read; Office products keep a record of recently opened documents and perhaps unusual words used therein; media players store details of recently played files; Windows itself stores temporary files, prefetch data, memory dumps, and so on. A simple way to erase all such tracks in one go is to use dedicated 'cleaning' software. For example, [http://www.piriform.com/ccleaner] is a decent freeware program which will erase these tracks for you. In the settings options, you can select the number of times such traces should be 'wiped', rather than simply deleted.<br />
<br />
'''NOTE (1'''): All decent erasing/wiping/shredding software will allow you to specify the number of times that the data will be overwritten – typically, you can choose to overwrite data once, three times, seven times or thirty-five times, depending on the sensitivity of the data. There is some debate as to whether modern hard drives require as many passes to irrevocably destroy data – Googling this issue will produce much discussion. To be on the safe side, a minimum of three 'passes' is suggested. Naturally, the more 'passes' over the data you select, the longer it will take. Be aware that, say, shredding the entire free disk space on a hard drive (which may be hundreds of gigabytes) will take a significant amount of time.<br />
<br />
'''NOTE (2)''': If wiping data on flash memory (e.g. USB sticks), wiping individual files is insufficient to make them irrecoverable, due to the way such memory writes data. See the special section on USB drives (Section 1.5, below).<br />
<br />
===Encryption===<br />
Broadly-speaking, “computer forensics” involves inspection of the computer hard drive for evidence as part of a legal investigation. In the event that your PC is seized, investigators or other adversaries will search it for the 'activity traces' referred to in the previous section, as well as stored files and documents, and other evidence of how the PC has been used (e.g. checking the Windows Registry for evidence of which USB drives have been used – since details of such devices, including their serial numbers, are stored there). The goal of encryption is to make data unintelligible, so that, even if your data is seized, it cannot be read.<br />
<br />
A brief note on the medium which you may be using: first, there is the hard drive. Typically, Windows will be installed onto partition C of the hard drive (and unless you have created other partitions, this may make up the entire physical drive). Data may also be stored on external, USB hard drives; on flash memory drives (USB sticks / pen drives); on floppy disks, CDs and DVDs. It is important that, on whichever medium you store sensitive data, that data are encrypted.<br />
<br />
====Individual files====<br />
There are numerous tools available to encrypt data, offering various different options. Some software will simply encrypt individual files – they will still be visible on the hard disk, but a password will be required to open them. Other software offers a greater range of options, such as creating a 'vault' on your hard drive of a specific size, into which you can place sensitive files without having to encrypt each file individually.<br />
<br />
[http://truecrypt.ch TrueCrypt] is highly recommended for your encryption needs. It enables both the creation of encrypted files, as well as the ability to encrypt an entire hard drive partition, or an entire device (e.g. a USB stick). It also allows for the creation of 'hidden volumes' – a partition/device can be encrypted, then within this encrypted container a second, encrypted contained is created. This is primarily so that if you are forced to decrypt the 'outer'<br />
volume, on which you might store a few sensitive-looking, but unimportant files, it will not be evident (and cannot be proved) that there is a second, hidden volume. (NB. For various security reasons, encrypting partitions or devices is preferable to encrypting individual files – the<br />
TrueCrypt manual explains these in detail.)<br />
<br />
The advantage of the open-source TrueCrypt over most other encryption software is the 'plausible deniability' aspect. It is impossible to prove that a partition or device encrypted with TrueCrypt is in fact encrypted. Upon forensic analysis, the partition or device appears to simply be filled with random data – as though there is nothing on the partition or device. This is crucial in authoritarian regimes, e.g. the United Kingdom, which has enacted a criminal offense (punishable by up to 2 years, or 10 years in terrorism cases) of 'failing to decrypt' (or provide the password to<br />
enable decryption) when demanded by the authorities. Obviously for such a law to be used against you, it would have to be established that you had some encrypted material in the first place. With a TrueCrypt-encrypted device or partition, this should be impossible to prove.<br />
<br />
'''NOTE''': If you are working with individual encrypted files (rather than storing files in a container or partition) and are using USB flash drives, see Section 1.5 on USB drives below.<br />
<br />
====System Drive / Full Disk / Whole Disk Encryption====<br />
The disadvantage of only encrypting individual files or external devices is that computer forensics can still reveal much about your computer usage from the system partition (the drive on which Windows is installed) and – importantly – sensitive details such as your browsing history, bookmarks, emails, and email contacts addresses, may be accessible. Details of your contacts is one of the first things an adversary will check for, which they will use to 'broaden' their investigation, perhaps by targeting those contacts. There is therefore an obligation to protect not only yourself, but also those with whom you correspond.<br />
<br />
Computer forensics is essentially rendered ineffective by encrypting your entire system drive (typically the C: drive in Windows). This is the ideal position: if the adversary cannot access your hard drive to begin with, you have gone along way to defending your data. The latest versions of TrueCrypt (versions 5.0 and upwards) have an option for encryption of the system drive (or the entire hard drive, if it has more than one partition). It is very simple to use, and will ensure that no one can access your hard drive without first entering the correct password prior to the computer booting (and also makes it more difficult for adversaries to plant data on your hard drive). A detailed reading of the TrueCrypt manual is essential in order to encrypt the system drive effectively.<br />
<br />
One consideration for those in countries in which failure to disclose a password is a criminal offense (just the UK at present, though this will undoubtedly be extended to other countries), is that where your entire hard drive (or just the system drive) is completely encrypted, you lose an element of plausible deniability. TrueCrypt system encryption, for example, stores its 'boot loader' (the information necessary for the computer to boot) on the first cylinder of the hard disk – which will obviously be visible to a forensics team. It is possible to remove the boot loader and instead boot from a CD which has the TC boot loader installed, though obviously this is more inconvenient.<br />
<br />
In any event, whether or not the boot loader is present, it remains the case that it cannot be proved that the hard drive itself is encrypted – the remainder of the drive will still appear as random data. So from this point of view, you are still protected from 'failure to disclose password' laws. Nonetheless, having to explain away an internal hard drive with a TC boot loader, and “nothing else” on it, will be tedious (depending on how convincing you can be that you had “coincidentally, just recently wiped the hard drive”). Therefore it may be felt preferable to use other tactics to increase plausibility.<br />
<br />
One such tactic is to install Windows to an external hard drive, or to a USB stick, and encrypt it with TrueCrypt. You can then keep your 'dummy' Windows installation with no compromising data on the PC's internal hard drive, and boot to the external hard drive or USB stick to use your 'real' Windows. Technically, Windows does not want to be installed to external devices – but it can be achieved. There are numerous guides available on the web; and the project also has a useful forum for resolving issues. For installing Windows to an external device to work, it is necessary that your PC's BIOS is capable of booting to external devices – most recent computers (built in the last few years) can do this, but if you have an older PC, check its ability to do so by doing a web search on its model.<br />
<br />
If utilizing this method, your 'computer' effectively lives on your external device, while you maintain a dummy system on the internal drive. This has the added advantage of portability – your Windows installation can be kept in a secure place when not in use, etc. Again, the TrueCrypt boot loader will reside on the first cylinder of the external device – but it is certainly more plausible to have an external device with “nothing on it” than an internal drive (particularly if you take the extra step of removing the TrueCrypt boot loader and booting the device from a CD).<br />
<br />
'''NOTE''': While the latest version of TrueCrypt (6.0 and upwards) now enables the creation of a hidden, encrypted system drive – by utilizing a 'dummy' system partition, with the real system partition hidden – at the time of writing it is not ideal: to ensure complete plausible deniability it has very stringent requirements, e.g. the real system partition should not be used to access the Internet (which partly defeats the object), files cannot be copied from the real partition to other<br />
media, the dummy partition must be accessed regularly to make it appear plausible, etc. It may be felt that until a more substantive hidden operating system is available, this latest feature should be used circumspectly.<br />
<br />
===Security Note on USB Drives and Wear-Leveling===<br />
When writing data to a USB flash drive, a PC uses a 'logical address' on the drive. However, this logical address is distinct from the flash drive's 'physical block address' – since most USB flash drives use a 'wear leveling' technique. Wear leveling – i.e. shifting data around the physical blocks of the flash drive – prevents the same physical block being used over and over (in order to preserve the life of the USB drive).<br />
<br />
Consequently, any time updated or new data are written to the flash drive, such data will be written to a new physical block, regardless of the address of the old block, and any old/amended data is just deleted (not wiped).<br />
<br />
This raises a number of security issues, e.g:–<br />
<br />
#Securely wiping' (e.g. with Eraser) an individual file on a flash drive is potentially ineffective, since the random data that is used to overwrite could be written to a different physical block; the existing data will simply be deleted, rather than wiped.<br />
#Encrypting individual files could potentially suffer similar problems – e.g. when decrypting a file, amending it, then re-encrypting it.<br />
<br />
These issues can be resolved by either securely wiping the entire flash drive (not just wiping individual files) or by encrypting the entire flash drive (rather than encrypting individual files on it) – since then it makes no difference to which physical block the new data is being written.<br />
<br />
Ideally the latter approach should be used for all USB flash drives on which sensitive data is placed – encrypt or wipe the entire USB drive – as necessary. For any existing USB flash drives on which this approach has not been taken, it would be advisable to format and wipe the USB drive completely, then start using it afresh with this 'entire USB drive' approach.<br />
<br />
===Other Methods===<br />
There are of course many, many alternatives to the security suggestions outlined above, such as using any or all of the following:<br />
<br />
====Live CDs====<br />
Live CDs are an excellent alternative to encrypting the entire system drive. Essentially, an entire operating system (usually Linux-based) is on the CD, and whenever you want to boot to your OS, you simply boot the CD rather than booting to your hard disk. Should you not want to encrypt your hard drive, you could use the OS on there for all non-sensitive tasks, and use the Live CD for Internet access / other sensitive tasks.<br />
<br />
Running an operating system from a Live CD means that the PC's hard drive does not get used at all – and is therefore not subject to problems of leaving behind 'traces' to be recovered by forensics. There are some limitations with Live CDs e.g. a limited range of software can be run from them, and since the CD is read-only (as the point is not to save any data, which could be recovered!) any data you do want to save while working within the CD, or settings you want to keep, should be saved to an (encrypted) USB drive. Its simplicity ensures that this remains an attractive alternative, and it is worth keeping an eye on developments in this area. For some examples of Live CDs, see [http://susestudio.com/ Suse Studio] on how to create your own custom live bootable CD or see http://www.privacylover.com/anonymous-live-cd-list/ for a list of pre-built, mostly Linux-based alternatives.<br />
<br />
An excellent example of a pre-built option is the [https://tails.boum.org Tails Live CD] – this an operating system on a CD which is pre-configured to use the Tor network for all Internet access – including emails and web browsing.<br />
<br />
====Portable Applications====<br />
If installing an entire operating system to an external drive/USB stick, or using a Live CD, are not desired options, another alternative is to use 'portable applications' – standalone versions of existing software that can be run from a USB stick and do not save files or settings to your hard drive in the way that regular applications do. The idea is simply to prevent data being saved to your hard drive – the application files and data (including settings such as bookmarks, emails, etc), will be stored entirely on the USB device (which could be encrypted using a program such as TrueCrypt). See, for example, http://portableapps.com/ for an entire portable suite of software (including commonly-used programs such as Firefox, Thunderbird, Open Office, etc.).<br />
<br />
The use of portable applications may prove a practical and easy method of protecting your most sensitive data without going to the lengths of full disk encryption. One drawback is that there will still be traces of the USB drive having been used on that PC, and any monitoring software (firewalls, AV, etc.) is likely to have a record of an application on the USB drive (eg Firefox) having been run, which you might be called upon to explain. Nevertheless, this is an inconvenience more than anything, and so long as the USB stick itself is encrypted, the data will be safe. To increase the protection, this method could be combined with the following option.<br />
<br />
====System Drive Emulation software====<br />
Such software effectively prevents data being written to your hard drive by creating a clone of the system partition (typically drive C: in Windows – which includes system files, page file, registry files, application data and program files, etc.) as it looks when it is booted, in the computer's RAM. Once the system is shut down/restarted, this clone will be restored, thereby returning your system drive to the position it was before any data was written. An example of such software is the freeware program [http://www.toolwiz.com/products/toolwiz-time-freeze/ Toolwiz Time Freeze]. Simple to use, it is 'switched on' when necessary, and from that moment nothing that takes place (programs installed, software used, etc.) is permanently recorded; all normal computer operations appear to take place, but in fact these changes only take place for the duration of the session – upon restarting the PC there is no evidence that any such activity has occurred.<br />
<br />
With reference to the previous item – Portable Applications – an advantage of using combining drive emulation software with running portable apps from a USB drive would be that, once the PC was shut down/restarted, there would be no evidence of the applications on the USB stick (eg Firefox) ever having been run (and further, no evidence that the USB stick was ever plugged into that computer).<br />
<br />
====Virtual Machines====<br />
Another alternative to running a separate installation of Windows on an encrypted device is to employ a virtual machine. Such software (e.g. VirtualBox, at www.virtualbox.org) enables you to create a virtual operating system on your existing computer. In this way, you could run a dummy copy of Windows (or any other OS) on the main hard drive, then boot to a virtual copy of Windows which could reside in an encrypted file or partition on the hard drive. One drawback of this technique (other than the additional system resources / RAM consumption it requires) is that it is not guaranteed that traces of the virtual systems may not still appear in the 'real' system, since the two systems share some resources (and frequently, a network connection).<br />
<br />
==Protecting data while in transit over networks (Internet, Email, etc)==<br />
Whenever data is on the move – whether in the form of sending/receiving email, surfing the web, chat, downloading via P2P, viewing streaming media files, etc – it is at risk of interception. Data is transferred via different protocols (e.g. 'http' for web traffic, 'pop3' or 'smtp' for email, 'ftp' for some file uploads/downloads, etc). All the 'standard' forms of protocol (including those just mentioned) are sent over networks in plain text format – meaning that the data is visible to anyone who intercepts the traffic (your ISP, crackers, LEA, etc). The goal is therefore to utilize methods of secure communication so far as possible, irrespective of the data that is being transferred.<br />
<br />
===Email===<br />
Most commercial email addresses (including any email addresses supplied by your ISP) typically use insecure protocols. This will be apparent by checking the ports they use to communicate. If you use a desktop email client (eg. Outlook, Outlook Express, Eudora, Thunderbird) you will find this information under the 'Settings' option. If your email communicates via standard ports (usually port 110 for POP3 (i.e. incoming email) and port 25 for SMTP (i.e. outgoing email), it is being transmitted unencrypted – and therefore potentially visible to everyone.<br />
<br />
There are various techniques that can be employed to enhance the security of your emails:<br />
<br />
*Check your email provider's website to see if they offer an encrypted option (i.e. sending and receiving email via SSL (secure socket layer)). Usually this will simply be a matter of changing the port used in your email client's account settings – e.g. changing the ports to ports 995 (SSL POP) and 465 (SSL SMTP).<br />
*Avoid using email addresses provided by an ISP, and instead use dedicated email providers, such as Fastmail,Hushmail, SafeMail, and so on. Examples of such providers can be found in Section 3 below, or at [http://epic.org/privacy/tools.html EPIC's website]. Specialized email providers enhance your security by limiting the amount of information transferred to the recipient in the hidden email 'header' – which in the case of standard email providers (ISPs, Hotmail, etc) provide the recipient with far too much information, such as the IP address of your computer, the operating system that you use, and even which email client you used to send the email).<br />
*Use a dedicated form of email encryption, such as PGP. This utilizes public key encryption – the drawback being that the people with whom you communicate must also use public key encryption. Encourage others that you correspond with to do this. See 2.1.1. for more information.<br />
*Anonymous Remailers can be used to conceal from the recipient the origin of the email (see Section 2.3 for further details).<br />
<br />
====PGP====<br />
In 'public key' cryptography, two different keys are used: one key is secret and the other is made public. Anybody sending you an email simply encrypts their message to you using your public key. The public key is obviously not secret – in fact it may be spread widely so that anybody can find it if they wish to send you encrypted email (you can upload the key to a public key server to do this; though you may prefer just to give your public key to specific correspondents). The only way to decrypt an incoming message is with your secret key. The process works in reverse when sending email: you encrypt an email using the recipient's public key, which only they can decrypt using their<br />
private key.<br />
<br />
The original, and most well-known, program of this type is PGP, invented by Phil Zimmerman. There is now an OpenPGP standard, with which all software using public key cryptography should comply. Consequently, other programs are becoming popular, such as the open-source [http://gnupg.org/ GNU Privacy Guard (GnuPG)], which is OpenPGP compliant and compatible with other Open PGP tools (including PGP itself).<br />
<br />
After downloading the software, you simply use it to create a pair of keys – one public and one secret key. The public key can then be given to your correspondents which they will use to encrypt messages to you, which you can then decrypt using your private key. There are some programs which make the process of encrypting/decrypting easier via the use of 'add-ons'. Some email clients (e.g. Thunderbird) have add-ons (e.g. [http://www.enigmail.net/ Enigmail], which takes care of the encryption/decryption process on your behalf; the Firefox browser also has an add-on (see [http://www.mailvelope.com/ MailVelope) which enables you to easily encrypt text for pasting into a website, for example.<br />
<br />
===Web-Surfing===<br />
Whenever you request a web page via your Internet browser, in very basic terms what is happening is this: your browser sends the request for data to the server hosting that website, which then replies, and transfers the data to your computer, which is then recreated in your browser. Consequently, any request you make (whether by clicking on a link, or manually entering the site address) is transferred over the Internet via standard protocols (see introduction to this section, above) – typically for the Internet this will be http.<br />
<br />
Accordingly, this request for a particular web page is sent over the networks in plain text and so will be visible to anyone who is monitoring your activity (e.g. your ISP or other adversaries), and also reveals to the site you are visiting information about who you are (your computer's unique IP address) and information about your computer (which browser you use, what language/location settings you use, what the current time is on your PC, etc). In addition, in order to find that site, your browser needs to translate the address of the web page (e.g. (“amazon.com”) into its numeric equivalent – which it does by consulting a domain name (DNS) server. In a standard home Internet connection, the DNS server will be owned by your ISP – so the ISP has a second method of recording which sites you visit. Note that you can change your DNS server to one not owned by your ISP: see [http://www.opendns.com/ OpenDNS] for the relevant address to use.<br />
<br />
The upshot of the above is clear: both the site you visit, and your ISP (and anyone intercepting), knows the unique IP address assigned to your computer, and what data you are viewing. To avoid this, various options are available to 'anonymize' and/or encrypt your web surfing:<br />
<br />
====Free proxies====<br />
<br />
This is the weakest level of 'anonymity' – these are sites (e.g. http://www.kproxy.com/) which enable you to access another site, hiding your computer IP address, e.g. your request is sent to the 'end' site using the proxy IP as an intermediary. In that a case, the site you ultimately visit believes the request for data emanated from the proxy site and not from your computer. This does not protect you against surveillance by your ISP, and the data transferred is typically unencrypted and therefore visible to anyone else monitoring your connections, the proxy administrator can also log everything you do and turn over those logs if pressured to do so.<br />
<br />
====Commercial software====<br />
These are companies (e.g. Anonymizer, see Section 3 for an extensive list) which provide software which effectively bypasses surveillance from your ISP by creating an encrypted 'tunnel' between your computer and that company's server. In practice, this means that before making the data transfer from your PC (in the form of, say, a request for a web page), the software will encrypt this request, and then direct it to be forwarded from your ISP's servers to the proxy company's server. When it reaches the latter, the request will be decrypted and forwarded on to the relevant website. When that website returns the data, the reverse will take place. The effect of this is that:<br />
<br />
#your ISP cannot see which websites you are accessing – all it can see is that you are communicating with the company's server, not which websites you visit thereafter. (So if you were surfing the web for (say) 3 hours, from your ISP's point of view, they could see that traffic was passing back and forwards to your PC, but you would only appear to be receiving traffic from one address (the proxy company's server), and the contents of that traffic would be encrypted)<br />
#the website you are visiting cannot see who you are – since as far as they know, they are receiving the request for data from the proxy company's server, and simply return it to that server.<br />
<br />
The weak link in this chain will be apparent. While you are protected from your ISP, and from the websites you visit, the commercial proxy company knows who you are and (potentially, if they keep logs, what you are doing). The significance of this will vary according to the circumstance. If the sites you are visiting are merely sensitive (rather than illegal in your jurisdiction), the fact that the commercial proxy knows what you are doing is of little importance (particularly if – as recommended – you chose one in a different jurisdiction to your home country). You may, for example, simply not want your ISP to know that you visit boychat.org. The commercial proxy would be adequate for such uses.<br />
<br />
Check the terms and conditions of the commercial proxy company – in particular, whether they keep logs of your activity (for example, some log everything; some do not log origin and destination, but only record the quantity of data passing through, etc). Also, check which forms of data they will support – some commercial proxies will only encrypt Internet traffic (the http protocol), others (genuine 'VPNs') will encrypt all forms of protocol (whether it is Internet, email, file-sharing, etc). For additional security, look for a commercial proxy that offers anonymous payment methods and, ideally, is outside the US/EU.<br />
<br />
In summary: the advantage of using a commercial proxy is that it gives you a level of protection from monitoring by your ISP, and from the sites you visit, and generally you suffer little or no loss of speed in browsing. A potential disadvantage is that the commercial proxy knows who you are. For this reason, when accessing more sensitive sites, you may wish to employ other methods, such as Tor.<br />
<br />
====Tor====<br />
The basic idea of [http://www.torproject.org/ Tor] is to protect your privacy by disguising the route of data to and from your PC, as well as encrypting the traffic.<br />
<br />
Broadly-speaking, the Tor software will create a chain of at least 3 proxies, through which your data will pass – each interim stage in this chain only knows who sent the data to it (the previous proxy) and who it should forward data to (the next proxy in the chain).<br />
<br />
Effectively, this means that if you want to visit, say, Site A, Tor will encrypt this request, and pass it to the first link in the chain (Proxy 1), with encrypted instructions on where to send it thereafter. Proxy 1 will forward the encrypted request to Proxy 2, Proxy 2 will forward it to Proxy 3, etc. Thus, Proxy 1 only knows Proxy 2, Proxy 2 only knows Proxy 1 and Proxy 3, Proxy 3 only knows Proxy 2. The final link in this chain (known as the 'exit node') transfers the request to your ultimate destination (Site A). The process is then repeated in reverse. From the point of view of the user, this process happens invisibly – once the software is up and running, you merely use your browser as normal.<br />
<br />
(It should be noted at this point that once the data leaves the final link in the chain, it is no longer encrypted – at least until data is returned from your final destination to the first link in the return journey. This is only really significant if you are providing identifying information, e.g. entering a password into a webmail server – since then it is apparent that the request has come from you).<br />
<br />
The obvious advantage of this procedure is that there is no commercial proxy in the middle. No single point in the chain knows both you and your ultimate destination. This is arguably the most secure form of anonymizing web traffic. <br />
<br />
Some disadvantages are:<br />
<br />
#There is an initial learning curve with Tor – nevertheless, there is extensive documentation on the Tor website to assist with this, and once you have set it up and used it a few times, it becomes second nature.<br />
#As part of this learning curve, it is crucial that you configure your browser correctly, and a second piece of software – e.g. Privoxy – should be used to filter data such as your computer's DNS requests (see above) over the Tor network. Again: this is not as complicated as it sounds in abstract, and is made easier for Windows users by the GUI package (Vidalia) which includes all the necessary software (including Privoxy, and a quick-configuration button for Firefox users).<br />
#It should also be pointed out that when using Tor, your browsing will be slowed considerably – which is to an extent inevitable given the number of different servers the traffic passes through, each of which may have different bandwidth allotments. Tor will therefore be unsuitable for downloading large files (and possibly streaming data, such as Youtube or other streaming media). Its primary use will be for visiting particularly sensitive websites.<br />
#Related to the previous point, at the present time Tor only encrypts limited forms of protocol – primarily http traffic – which effectively limits its use to visiting web sites.<br />
#There have been a number of stories about breaching Tor's anonymity. Such instances tend to be a consequence of user implementation, rather than any flaw in Tor itself. More specifically, when using Tor, ensure that Javascript is disabled in your browser (since it is due to malicious scripts that Tor can be compromised. This can be done manually (in Firefox, go to Tools / Options / Content / uncheck 'enable Javascript'), or through the use of an Add-on such as [https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript], which automatically blocks scripts unless you permit them on a sire-by-site basis.<br />
<br />
It will be clear from the above consideration of Email and Web Surfing that there is no 'perfect' solution to online anonymity. Experts would say that 'true' anonymity is impossible. As long as you are transferring data from one computer to another over a network, there will be attempts made to intercept or track that data content and movement. Nonetheless, utilizing a combination of the above methods, depending on the circumstances and the sensitivity of your activities, offers significant protection against surveillance.<br />
<br />
'''NOTE''': Regardless of whether an anonymous connection is used, your browser should be as secure as possible, since there are numerous browser vulnerabilities that can expose your PC to malware. Javascript, Flash, Shockwave objects – all of these can compromise your anonymity. Firefox is highly recommended as a more secure browser than Internet Explorer, and can be further customized with Add-ons to increase security. NoScript, referred to above, is particularly desirable. Other security-related Add-ons are referred to in the Links section, below.<br />
<br />
===Other Network Usage (Chat, Anonymous Remailers, File-Sharing)===<br />
Similar anonymity considerations apply to any form of network activity, including Chat, P2P/File-Sharing, Usenet, etc. Typically, all such traffic is carried unencrypted over public networks, and is therefore capable of surveillance by the ISP and interception from other adversaries. Wherever possible, utilize security and anonymity tools to protect the privacy of such data.<br />
<br />
*For chat/IM, [https://otr.cypherpunks.ca OTR (Off The Record)] is an excellent plugin. Even if your contacts' private keys are determined, your private conversations are not compromised.<br />
*For posting messages on Usenet, consider using an anonymous remailer, which forwards messages without revealing where they originally came from. Anonymous remailers utilize the same 'onion router' principle behind Tor: they remove personal data from the message, encrypt it, and pass it through a chain of 'post offices' until the last remailer in the chain forwards the message to the recipient. As with Tor, the idea is to make the message untraceable to the sender.<br />
:The main issue with remailers is whether/how a recipient can reply to the message, given that its source is untraceable. Different types of remailers handle this differently. 'Pseudonymous remailers' are the most basic: they are typically unencrypted, and merely apply a pseudonym to the sender and forward the message to the recipient, who can then reply via the remailer. 'Cypherpunk remailers' typically encrypt the message and pass it through numerous hops on the chain to the recipient; generally the recipient cannot reply to such messages. 'Mixmaster' and 'Mixminion' remailers offer more advanced features, and seek to address issues such as the capacity for the recipient to reply to a message that has come from an 'untraceable' source. These generally require dedicated software.<br />
:One example of such software is OmniMix: http://www.danner-net.de/om.htm, which is designed for Windows, and can be used to send email and Usenet postings through the Mixmaster anonymous remailer network. OmniMix is straightforward to install, and can also be run from a removable device such as a USB stick.<br />
*When downloading from file-sharing networks (e.g. Limewire, Shareaza, etc.), it is important to know that not only is the traffic unencrypted (and therefore visible to, e.g. your ISP), your IP address is made available to anyone you are sharing with – and there is every possibility that the latter could be LEA or other adversary. A new breed of 'anonymous' networks are continually being developed, which generally seek to utilize the onion routing principle – traffic is encrypted and the origin/destination of the requested file are proxied. For examples of these, see:<br />
**[http://freenetproject.org/ Freenet]<br />
**[http://www.gnunet.org/ GNU Net]<br />
<br />
For a more detailed comparison of the different programs available, see http://www.zeropaid.com/software/file-sharing/ and http://www.anonymous-p2p.org/programs.html<br />
<br />
==Useful Links==<br />
'''NOTE''':Inclusion of links should not be taken to imply endorsement of particular software<br />
<br />
===Cleaning traces, erasing and general encryption software===<br />
<br />
*[http://www.piriform.com/ccleaner CCleaner] - Shreds/wipes sensitive traces of Internet activity<br />
*[http://sourceforge.net/projects/eraser/ Heidi Eraser] - Secure erasing software for individual files and free disk space<br />
*[http://www.dban.org/ Darik's Boot and Nuke (DBAN)] - Boot disk that does a government-standard wipe of hard drives<br />
*[http://www.truecrypt.ch TrueCrypt] - Open source encryption software<br />
*[http://diskcryptor.net/] - Full disk encryption software<br />
*[http://www.jetico.com BestCrypt] - Commercial encryption software<br />
<br />
===Email providers, remailers, and email encryption===<br />
<br />
*[https://protonmail.ch ProtonMail] - Free email provider in Switzerland<br />
*[http://www.unseen.is Unseen.is]- Email provider with encryption in Iceland<br />
*[https://addons.mozilla.org/en-US/thunderbird/addon/torbirdy/ TorBirdy] - Thunderbird addon to send email using tor<br />
*[http://www.anonymousspeech.com Anonymous Speech] - Email provider with PGP encryption<br />
*[http://www.cotse.net Cotse] - Email, SSH tunnel and VPN provider<br />
*[https://emailselfdefense.fsf.org The PGP Faq] - email self-defence guide<br />
*[http://www.gnupg.org GnuPG] - Linux/Windows email encryption<br />
*[http://www.goanywheremft.com/products/openpgp OpenPGP Desktop] - OpenPGP Go Anywhere<br />
*[http://www.enigmail.net/ Enigmail]- Plugin for Thunderbird Email client to manage encryption<br />
*[http://quicksilvermail.net QuickSilver] - email remailer client<br />
*[http://www.danner-net.de/om.htm OmniMix] - anonymous remailer<br />
*[https://otr.cypherpunks.ca OTR (Off The Record)]- a plugin for encyrypting chat/IM<br />
<br />
===Anonymity online===<br />
<br />
*[http://www.torproject.org/ Tor proxy] - Anonymous Internet browsing with hidden sites<br />
*[https://geti2p.net/ I2P Network] – Anonymity, similar to Tor<br />
*[http://cyberghostvpn.com/ CyberGhost VPN] - Commercial VPN with free option<br />
*[http://www.securitykiss.com/ Security Kiss] – Commercial VPN with free option<br />
*[http://anonymous-proxy-servers.net/ JonDoNym] - Commercial VPN<br />
*[https://www.perfect-privacy.com/ Perfect Privacy] – Commercial VPN<br />
*[http://www.opendns.com/ OpenDNS] - set your DNS addresses using OpenDNS, instead of using your ISP's DNSs.<br />
*[http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/ TorrentFreak] - List of VPN services with strong privacy<br />
<br />
<br />
'''NOTE''': When purchasing commercial products, ensure you check the providers' terms & conditions, particularly regarding their jurisdiction, privacy, reporting and logging policies. Do some research on the different companies' products, e.g. by searching their name at Wilders Security Forums. Use alternative methods of payment wherever possible, such as using prepaid web money/debit cards that you don't need ID to buy.<br />
<br />
===Firefox add-ons===<br />
<br />
*[https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript]- Many browser security holes are related to Javascript. Block scripts entirely, until permitted on a site-by-site basis.<br />
*[https://addons.mozilla.org/en-US/firefox/addon/flashblock/ FlashBlock] - Blocks flash content until you permit it<br />
*[https://addons.mozilla.org/en-US/firefox/addon/refcontrol/ Refcontrol] - Blocks or fakes your referrer ID<br />
*[https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy] - Easy proxy management<br />
*[https://addons.mozilla.org/en-US/firefox/addon/anonymox/ AnonymoX] - Change computer IP proxy addon<br />
*[https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ BetterPrivacy] - It removes hard to erase Flash cookies<br />
<br />
===Miscellaneous privacy/security software===<br />
<br />
*[http://keepass.info/ KeePass] - Open-source password manager<br />
*[http://www.nirsoft.net/utils/cports.html CurrPorts] - See your open ports<br />
*[http://www.nirsoft.net/utils/cprocess.html CurrProcess] - See info about processes running in your computer<br />
*[http://windirstat.info/ WinDirStat] - disk usage statistics viewer and cleanup tool<br />
*[http://www.7-zip.org/ 7-zip] - compression & encryption tool<br />
*[http://www.sandboxie.com Sandboxie] – run your browser inside a 'sandbox' to prevent malware from gaining access to your system<br />
<br />
*Pre-paid web money: see http://www.bitcoin.org and [http://www.paysafecard.com PaySafeCard](EU)<br />
<br />
===Sources for technical advice/support===<br />
<br />
*[http://www.wilderssecurity.com Wilders Security Forums]- Information related to security, privacy and anonymity<br />
*[https://en.boywiki.org/wiki/Category:Technology BoyWiki Technology] - Boylover Wiki Technology section<br />
*An old BoyChat post with useful advice on how not to accidentally out yourself: https://www.boychat.org/messages/1107524.htm<br />
<br />
<u>'''FINAL NOTE'''</u>: If you follow the procdures outlined in this guide, you will be a long way to protecting yourself -- but please remember that there is no such thing as 100% computer security. Stay safe.<br />
<br />
'''<u>Disclaimer</u>: All material provided in this guide is intended as introductory guidance only, and should not be used as an alternative to undertaking your own research. No representation is made as to the current accuracy of the information and links provided.'''<br />
<br />
[[Category:Advice]]<br />
[[Category:Archival]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9873Guide To Computer Security (2022)2021-12-08T14:19:16Z<p>Time Has Passed: /* Hibernation */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended.<br />
<br />
====Securing Windows 7====<br />
<br />
There are a number of areas that require attention in order to make Windows 7 reasonably secure.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
The hibernation feature of Windows 7 stores data from your current session to your hard drive and puts your computer in a very low power state. This has similar security implications to the swap file.<br />
<br />
To disable hibernation: Start -> Type 'run' -> Type 'cmd' -> type 'powercfg -h off'.<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9872Guide To Computer Security (2022)2021-12-08T14:00:22Z<p>Time Has Passed: /* Swap File */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended.<br />
<br />
====Securing Windows 7====<br />
<br />
There are a number of areas that require attention in order to make Windows 7 reasonably secure.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
Windows 7 uses a swap file in which it temporarily stores data from RAM on the disk in order to conserve RAM usage. This is unnecessary for most modern computers, and it is a security issue because almost any data could theoretically be written to the disk, including encryption keys.<br />
<br />
To disable, System -> Advanced System Settings -> under performance, click 'Settings' -> Advanced tab -> under Virtual Memory, click 'Change' -> set 'No paging file' for all drives.<br />
<br />
=====Hibernation=====<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9870Guide To Computer Security (2022)2021-12-08T13:42:57Z<p>Time Has Passed: /* System Restore */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended.<br />
<br />
====Securing Windows 7====<br />
<br />
There are a number of areas that require attention in order to make Windows 7 reasonably secure.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
Windows 7 is normally configured to automatically backup system files and personal documents. This can be disabled via Control Panel -> System -> System Protection. Make sure it is turned off for all disks.<br />
<br />
=====Swap File=====<br />
<br />
=====Hibernation=====<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9869Guide To Computer Security (2022)2021-12-08T13:20:13Z<p>Time Has Passed: /* Indexing Service */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended.<br />
<br />
====Securing Windows 7====<br />
<br />
There are a number of areas that require attention in order to make Windows 7 reasonably secure.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed files and some of their contents will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
=====Swap File=====<br />
<br />
=====Hibernation=====<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Talk:Guide_to_Computer_Security&diff=9868Talk:Guide to Computer Security2021-12-08T13:18:40Z<p>Time Has Passed: Time Has Passed moved page Talk:Guide to Computer Security to Talk:Guide to Computer Security (Archive): Archive version</p>
<hr />
<div>#REDIRECT [[Talk:Guide to Computer Security (Archive)]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Talk:Guide_to_Computer_Security_(Archive)&diff=9867Talk:Guide to Computer Security (Archive)2021-12-08T13:18:40Z<p>Time Has Passed: Time Has Passed moved page Talk:Guide to Computer Security to Talk:Guide to Computer Security (Archive): Archive version</p>
<hr />
<div>==Wikitext?==<br />
<br />
Would it not be better to have a wikitext version of this document? What with the constantly changing nature of this technology? [[User:The Admins|The Admins]] 20:59, 8 June 2009 (UTC)<br />
<br />
:Sounds good to me... I'll do it if nobody has any objections [[User:Innormal|Innormal]]<br />
<br />
::I'm sure that there are no objections to having II documents. The laptop I have at the moment has no software for reading PDF files. [[User:The Admins|The Admins]] 23:10, 8 June 2009 (UTC)<br />
<br />
==Archival==<br />
<br />
If we restart this, please remove the archival category. --[[User:The Admins|The Admins]] ([[User talk:The Admins|talk]]) 04:01, 26 September 2021 (CEST)</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_to_Computer_Security&diff=9866Guide to Computer Security2021-12-08T13:18:39Z<p>Time Has Passed: Time Has Passed moved page Guide to Computer Security to Guide to Computer Security (Archive): Archive version</p>
<hr />
<div>#REDIRECT [[Guide to Computer Security (Archive)]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_to_Computer_Security_(Archive)&diff=9865Guide to Computer Security (Archive)2021-12-08T13:18:39Z<p>Time Has Passed: Time Has Passed moved page Guide to Computer Security to Guide to Computer Security (Archive): Archive version</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>'''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. However, parts of it may be out of date. It is currently in the process of being updated.<br />
<br />
The 2008 guide can be downloaded as a PDF here: [[Media:Guide_to_Computer_Security.pdf|Guide to Computer Security]]<br />
<br />
==Protecting data stored on your hard drive==<br />
<br />
===Locking down Windows===<br />
Windows at its default settings is an insecure operating system. Having been designed for mass<br />
consumer/commercial usage, it tries to be all things to all people. Consequently, it has a tendency to run unnecessary services, store/hide private information in numerous, often hidden, locations, and exposes your PC to unnecessary security risks.<br />
<br />
====Disable unneeded services====<br />
Many of the services in Windows are unnecessary, and some are security risks (e.g. the 'Remote Registry' service, which permits third party network access to the computer's system settings). There are numerous online guides giving advice as to which services you can safely disable. [http://www.prestwood.com/aspsuite/kb/document_view.asp?qid=100274]<br />
<br />
====System Restore points==== <br />
By default, Windows saves a backup of your system settings at regular intervals (and therefore may store information that is ideally kept sensitive) in case you need to roll-back the system to an earlier point in time. Most computer problems can be fixed via other methods however, and if you don't use/need System Restore you can disable it (via Control Panel / System / System Properties / System Restore tab).<br />
<br />
====Hibernation====<br />
If you don't use hibernation, ensure that this is disabled, since otherwise it will intermittently save anything that you are currently working on to your hard drive in plain text form – even encrypted documents – which could later be retrieved. (Control Panel / Power Options / Hibernate tab / uncheck 'Enable Hibernation').<br />
<br />
====Pagefile/Swapfile====<br />
By default, Windows creates a file on your hard drive (pagefile.sys) which it uses as additional computer memory, and it shifts running processes to this file on the hard drive when necessary. Many modern PCs have sufficient RAM (e.g. over 1 GB) not to need this file. You can disable it via Control Panel / System / Advanced tab / select 'Settings' button under the 'Performance' heading / Advanced tab / Virtual Memory / Change / select 'No Paging File' / click 'Set' / click 'Ok'.<br />
<br />
'''NOTE''': Disabling the pagefile is contentious, and the debate around this is unresolved [http://www.codinghorror.com/blog/archives/000422.html] Provided you have a reasonably fast CPU and a decent amount of RAM, you should not encounter any problems. If you do need the paging file for some reason, or your RAM capacity is not sufficient to do without it, you should at least ensure that it is securely wiped when the computer powers off (see Section 1.3.1., below). In addition, the pagefile can be encrypted using a dedicated encryption product, such [http://www.jetico.com BestCrypt].<br />
<br />
====Windows Security Center====<br />
The built-in Security Center and Windows Firewall are highly ineffective. Disable them via the Control Panel, and use a third party Firewall instead (see Section 1.2, below).<br />
<br />
====Windows Privacy Tools====<br />
<br />
In addition to the above steps, you can utilize easy-to-use, one-off, privacy tools to tighten up Windows settings. e.g. [http://privazer.com/ Privazer]<br />
<br />
====Alternative Software====<br />
<br />
Avoid using Microsoft software (e.g. Office, Outlook Express, Internet Explorer, Windows Media Player) so far as possible. Since they are designed to collaborate with one another, most of them leak personal information all over the place. Use open-source alternatives so far as possible (which typically also have the added benefit of being much less resource-hungry). For example, consider using:<br />
*[http://www.openoffice.org Open Office suite] instead of MS Office (Word, Excel, etc). Particularly important for office software is to remember to disable 'auto-save' in the program options – since if you are working on an encrypted file the document may be saved to your drive as plain text during an auto-save.<br />
*[https://www.mozilla.org/thunderbird Thunderbird] or [http://sylpheed.sraoss.jp/en/ Sylpheed] instead of Windows Live Mail<br />
*[https://mozilla.org/firefox Firefox] or [http://www.opera.com Opera] instead of Internet Explorer<br />
*[http://www.videolan.org VLC Media Player] or [http://sourceforge.net/projects/guliverkli/ Media Player Classic] instead of Windows Media Player<br />
*[http://www.foxitsoftware.com/Secure_PDF_Reader/ Foxit PDF Reader] instead of Adobe Acrobat Reader.<br />
<br />
===Avoiding Malware===<br />
<br />
The commonly talked about threats to computer data surround the execution of malevolent code on your PC, in the form of viruses, trojans, spyware, etc. Discussion of this topic usually revolves around damage to your data or identity theft by cyber-criminals for financial gain; but it is also crucial to ensure that you are protected from malware that could benefit other adversaries. One obvious aspect is keylogging software: you can come up with the most complex passwords to protect your data, but if there is a keylogger on your PC capturing each keystroke you enter, the password might become worthless. Equally insidious is the use of 'copware' – malware planted on your PC via LEA pecifically<br />
targeting you [http://www.infiltrated.net/cipav.pimp]. Such software frequently arrives on the target's PC via email attachments. Standard email advice applies, e.g:<br />
<br />
*Disable HTML in your emails – in most webmail and desktop email clients there is an option to do this in the settings (eg. in Thunderbird: 'View' menu / uncheck 'Display attachments inline' and check 'View message body as...plain text')<br />
*Use Anti-Virus software that scans emails as well as files<br />
*Don't open attachments from unknown sources<br />
<br />
In addition, further advice includes:<br />
<br />
*Check regularly for the presence of hardware keyloggers (a small device fitted to your PC designed to record keystrokes as an alternative to software keyloggers). The device will appear inconspicuous, and could, for example, resemble a traditional USB-type plug. Also consider applying a drop of paint (or, e.g. correction fluid) to the screws in the back of keyboards, making it easier to see if the hardware has been tampered with.<br />
*When encrypting data, and where given the option to do so, use 'keyfiles' in addition to passwords. This is an available option with some encryption programs, which enables you to specify a file(s) on your hard-drive (perhaps a photo, for example) that must be entered in addition to a password. This will help protect against keyloggers (though not against malware that also captures mouse-movements).<br />
*If practicable, you could also use an on screen keyboard (OSK) to enter passwords (thereby using the mouse rather than the keyboard).<br />
*Zero-emission pads: Surveillance teams can remotely scan the electromagnetic emissions from your computer monitor, e.g. as you type a passphrase (google TEMPEST for technical details). You can use a replacement text editor that enables you to view and/or edit text in a special font and screen that allegedly 'diffuses the emissions from your computer monitor efficiently enough to defeat TEMPEST surveillance equipment', such as this one [http://geocities.com/phosphor2013/zep.zip]<br />
*So far as security software is concerned, you should have one Firewall, one Anti-Virus (AV) program, and one Anti-Spyware (AS) program, all providing 'real-time' protection. For completeness, you could also install a second AV and/or AS program and/or dedicated anti-trojan software (such as [http://www.misec.net/ TrojanHunter]) – not to operate in 'real-time' (since a software conflict is possible) but just to perform regular scanning of your PC.<br />
:Firewalls, AV and AS vary considerably in effectiveness (as well as in the amount of your PC's resources that they use). Check PC magazines for test results, or check online sources for the most effective protection. Good sources of information are sites such as [http://www.wilderssecurity.com Wilders Security Forums].<br />
<br />
:It is sometimes rumored – though to what extent this is likely is debatable – that major AV/AS companies may turn a 'blind-eye' to copware. Here is one advantage of using standalone products, e.g. separate AV, AS and Firewall software each from a different company, rather than the easier option of relying on a single security suite such as Norton or McAfee. In addition, some software is notorious for 'phoning home' regularly – Zone Alarm, for instance, frequently (more so than necessary) contacts its company's servers without notifying the user. It may therefore be desirable to turn off 'automatic updating', and manually update software at (say) daily intervals; and for persistent software (e.g. Zone Alarm) you can prevent it from contacting its servers by making simple changes to the Windows 'hosts' file [http://labnol.blogspot.com/2006/02/prevent-zonealarm-from-phoning-home.html].<br />
*In counteracting malware, you should also keep an eye on which programs are running on your PC, and whether any software has set itself to startup when you boot Windows. Both can be checked via Windows' built-in tools:<br />
**to view running processes, open Task Manager by right-clicking on the taskbar and selecting the 'processes' tab. You can identify any processes you do not recognize online, by looking them up at sites such as [http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx].<br />
**to check which programs are set to start when you boot Windows, go to Start / Run... then enter “msconfig” in the box (without the quote marks). In the window that appears, the last tab marked 'Startup' lists these items. Many of these are inserted by software, and are unnecessary. To check whether it needs to run at startup, identify the program at the following site: [http://www.sysinfo.org/startuplist.php] and uncheck any that are not needed. (Note, this has the added advantage of substantially reducing the PC's boot time).<br />
:As an alternative to these built-in Windows tools, you could use a freeware program to keep a closer eye on running processes and startup items, such as [http://processhacker.sourceforge.net/ Process Hacker] or [http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Process Explorer]<br />
*Keep up-to-date all your software that uses network connections, such as your browser, anti-virus software, and all security products.<br />
<br />
===Cleaning / Erasing===<br />
Windows stores a vast amount of information about your activities, which should be cleaned up on a regular basis.Note that such traces, along with any files that you chose to get rid of, should be securely erased rather than just deleted. This distinction between 'deleting' and 'erasing/wiping' is a crucial one. Deleting data in the standard way merely makes the data invisible to Windows – it remains on the hard disk until it is overwritten by other data. Instead of deleting, data should be securely 'erased' or 'wiped' (i.e. it is overwritten a number of times with random data so that it becomes unrecoverable).<br />
<br />
====Erasing files====<br />
There are numerous tools available for securely erasing files. One simple, freeware, tool is [https://sourceforge.net/projects/eraser/ (Heidi) Eraser]. This has various features, one of which is to insert itself into your context menu, such that when you right-click a file, you just select 'Erase', and it will wipe the file according to the number of 'passes' that you specify. Another useful feature is 'Erase Secure Move': usually when you move files from one place to another, behind-the-scenes Windows actually copies the file to the new location, then deletes the existing file – which suffers from the above-mentioned issue of the deleted file being recoverable. With the Erase Secure Move option, after the file is copied to the new location, the existing file will be wiped, rather than just deleted.<br />
<br />
'''NOTE''': Eraser can also be set to erase the Windows 'pagefile' on shutdown/restart (see 'Locking down Windows', Section 1.1, above).<br />
<br />
====Erasing disk space====<br />
Files that are deleted automatically by Windows (e.g. temporary files which it has created), or files that have been deleted by the standard method without having been wiped as above, will be simply be hidden in 'free disk space' until overwritten. To ensure that these have been removed, regularly wipe the 'free disk space' on your hard drive – again, Eraser (above) is good for this purpose.<br />
<br />
====Cleaning traces====<br />
Most software stores information about your usage – e.g. Internet browsers keep a record of details such as your browsing history, downloads, and cookies; PDF readers store a history of the last few files you've read; Office products keep a record of recently opened documents and perhaps unusual words used therein; media players store details of recently played files; Windows itself stores temporary files, prefetch data, memory dumps, and so on. A simple way to erase all such tracks in one go is to use dedicated 'cleaning' software. For example, [http://www.piriform.com/ccleaner] is a decent freeware program which will erase these tracks for you. In the settings options, you can select the number of times such traces should be 'wiped', rather than simply deleted.<br />
<br />
'''NOTE (1'''): All decent erasing/wiping/shredding software will allow you to specify the number of times that the data will be overwritten – typically, you can choose to overwrite data once, three times, seven times or thirty-five times, depending on the sensitivity of the data. There is some debate as to whether modern hard drives require as many passes to irrevocably destroy data – Googling this issue will produce much discussion. To be on the safe side, a minimum of three 'passes' is suggested. Naturally, the more 'passes' over the data you select, the longer it will take. Be aware that, say, shredding the entire free disk space on a hard drive (which may be hundreds of gigabytes) will take a significant amount of time.<br />
<br />
'''NOTE (2)''': If wiping data on flash memory (e.g. USB sticks), wiping individual files is insufficient to make them irrecoverable, due to the way such memory writes data. See the special section on USB drives (Section 1.5, below).<br />
<br />
===Encryption===<br />
Broadly-speaking, “computer forensics” involves inspection of the computer hard drive for evidence as part of a legal investigation. In the event that your PC is seized, investigators or other adversaries will search it for the 'activity traces' referred to in the previous section, as well as stored files and documents, and other evidence of how the PC has been used (e.g. checking the Windows Registry for evidence of which USB drives have been used – since details of such devices, including their serial numbers, are stored there). The goal of encryption is to make data unintelligible, so that, even if your data is seized, it cannot be read.<br />
<br />
A brief note on the medium which you may be using: first, there is the hard drive. Typically, Windows will be installed onto partition C of the hard drive (and unless you have created other partitions, this may make up the entire physical drive). Data may also be stored on external, USB hard drives; on flash memory drives (USB sticks / pen drives); on floppy disks, CDs and DVDs. It is important that, on whichever medium you store sensitive data, that data are encrypted.<br />
<br />
====Individual files====<br />
There are numerous tools available to encrypt data, offering various different options. Some software will simply encrypt individual files – they will still be visible on the hard disk, but a password will be required to open them. Other software offers a greater range of options, such as creating a 'vault' on your hard drive of a specific size, into which you can place sensitive files without having to encrypt each file individually.<br />
<br />
[http://truecrypt.ch TrueCrypt] is highly recommended for your encryption needs. It enables both the creation of encrypted files, as well as the ability to encrypt an entire hard drive partition, or an entire device (e.g. a USB stick). It also allows for the creation of 'hidden volumes' – a partition/device can be encrypted, then within this encrypted container a second, encrypted contained is created. This is primarily so that if you are forced to decrypt the 'outer'<br />
volume, on which you might store a few sensitive-looking, but unimportant files, it will not be evident (and cannot be proved) that there is a second, hidden volume. (NB. For various security reasons, encrypting partitions or devices is preferable to encrypting individual files – the<br />
TrueCrypt manual explains these in detail.)<br />
<br />
The advantage of the open-source TrueCrypt over most other encryption software is the 'plausible deniability' aspect. It is impossible to prove that a partition or device encrypted with TrueCrypt is in fact encrypted. Upon forensic analysis, the partition or device appears to simply be filled with random data – as though there is nothing on the partition or device. This is crucial in authoritarian regimes, e.g. the United Kingdom, which has enacted a criminal offense (punishable by up to 2 years, or 10 years in terrorism cases) of 'failing to decrypt' (or provide the password to<br />
enable decryption) when demanded by the authorities. Obviously for such a law to be used against you, it would have to be established that you had some encrypted material in the first place. With a TrueCrypt-encrypted device or partition, this should be impossible to prove.<br />
<br />
'''NOTE''': If you are working with individual encrypted files (rather than storing files in a container or partition) and are using USB flash drives, see Section 1.5 on USB drives below.<br />
<br />
====System Drive / Full Disk / Whole Disk Encryption====<br />
The disadvantage of only encrypting individual files or external devices is that computer forensics can still reveal much about your computer usage from the system partition (the drive on which Windows is installed) and – importantly – sensitive details such as your browsing history, bookmarks, emails, and email contacts addresses, may be accessible. Details of your contacts is one of the first things an adversary will check for, which they will use to 'broaden' their investigation, perhaps by targeting those contacts. There is therefore an obligation to protect not only yourself, but also those with whom you correspond.<br />
<br />
Computer forensics is essentially rendered ineffective by encrypting your entire system drive (typically the C: drive in Windows). This is the ideal position: if the adversary cannot access your hard drive to begin with, you have gone along way to defending your data. The latest versions of TrueCrypt (versions 5.0 and upwards) have an option for encryption of the system drive (or the entire hard drive, if it has more than one partition). It is very simple to use, and will ensure that no one can access your hard drive without first entering the correct password prior to the computer booting (and also makes it more difficult for adversaries to plant data on your hard drive). A detailed reading of the TrueCrypt manual is essential in order to encrypt the system drive effectively.<br />
<br />
One consideration for those in countries in which failure to disclose a password is a criminal offense (just the UK at present, though this will undoubtedly be extended to other countries), is that where your entire hard drive (or just the system drive) is completely encrypted, you lose an element of plausible deniability. TrueCrypt system encryption, for example, stores its 'boot loader' (the information necessary for the computer to boot) on the first cylinder of the hard disk – which will obviously be visible to a forensics team. It is possible to remove the boot loader and instead boot from a CD which has the TC boot loader installed, though obviously this is more inconvenient.<br />
<br />
In any event, whether or not the boot loader is present, it remains the case that it cannot be proved that the hard drive itself is encrypted – the remainder of the drive will still appear as random data. So from this point of view, you are still protected from 'failure to disclose password' laws. Nonetheless, having to explain away an internal hard drive with a TC boot loader, and “nothing else” on it, will be tedious (depending on how convincing you can be that you had “coincidentally, just recently wiped the hard drive”). Therefore it may be felt preferable to use other tactics to increase plausibility.<br />
<br />
One such tactic is to install Windows to an external hard drive, or to a USB stick, and encrypt it with TrueCrypt. You can then keep your 'dummy' Windows installation with no compromising data on the PC's internal hard drive, and boot to the external hard drive or USB stick to use your 'real' Windows. Technically, Windows does not want to be installed to external devices – but it can be achieved. There are numerous guides available on the web; and the project also has a useful forum for resolving issues. For installing Windows to an external device to work, it is necessary that your PC's BIOS is capable of booting to external devices – most recent computers (built in the last few years) can do this, but if you have an older PC, check its ability to do so by doing a web search on its model.<br />
<br />
If utilizing this method, your 'computer' effectively lives on your external device, while you maintain a dummy system on the internal drive. This has the added advantage of portability – your Windows installation can be kept in a secure place when not in use, etc. Again, the TrueCrypt boot loader will reside on the first cylinder of the external device – but it is certainly more plausible to have an external device with “nothing on it” than an internal drive (particularly if you take the extra step of removing the TrueCrypt boot loader and booting the device from a CD).<br />
<br />
'''NOTE''': While the latest version of TrueCrypt (6.0 and upwards) now enables the creation of a hidden, encrypted system drive – by utilizing a 'dummy' system partition, with the real system partition hidden – at the time of writing it is not ideal: to ensure complete plausible deniability it has very stringent requirements, e.g. the real system partition should not be used to access the Internet (which partly defeats the object), files cannot be copied from the real partition to other<br />
media, the dummy partition must be accessed regularly to make it appear plausible, etc. It may be felt that until a more substantive hidden operating system is available, this latest feature should be used circumspectly.<br />
<br />
===Security Note on USB Drives and Wear-Leveling===<br />
When writing data to a USB flash drive, a PC uses a 'logical address' on the drive. However, this logical address is distinct from the flash drive's 'physical block address' – since most USB flash drives use a 'wear leveling' technique. Wear leveling – i.e. shifting data around the physical blocks of the flash drive – prevents the same physical block being used over and over (in order to preserve the life of the USB drive).<br />
<br />
Consequently, any time updated or new data are written to the flash drive, such data will be written to a new physical block, regardless of the address of the old block, and any old/amended data is just deleted (not wiped).<br />
<br />
This raises a number of security issues, e.g:–<br />
<br />
#Securely wiping' (e.g. with Eraser) an individual file on a flash drive is potentially ineffective, since the random data that is used to overwrite could be written to a different physical block; the existing data will simply be deleted, rather than wiped.<br />
#Encrypting individual files could potentially suffer similar problems – e.g. when decrypting a file, amending it, then re-encrypting it.<br />
<br />
These issues can be resolved by either securely wiping the entire flash drive (not just wiping individual files) or by encrypting the entire flash drive (rather than encrypting individual files on it) – since then it makes no difference to which physical block the new data is being written.<br />
<br />
Ideally the latter approach should be used for all USB flash drives on which sensitive data is placed – encrypt or wipe the entire USB drive – as necessary. For any existing USB flash drives on which this approach has not been taken, it would be advisable to format and wipe the USB drive completely, then start using it afresh with this 'entire USB drive' approach.<br />
<br />
===Other Methods===<br />
There are of course many, many alternatives to the security suggestions outlined above, such as using any or all of the following:<br />
<br />
====Live CDs====<br />
Live CDs are an excellent alternative to encrypting the entire system drive. Essentially, an entire operating system (usually Linux-based) is on the CD, and whenever you want to boot to your OS, you simply boot the CD rather than booting to your hard disk. Should you not want to encrypt your hard drive, you could use the OS on there for all non-sensitive tasks, and use the Live CD for Internet access / other sensitive tasks.<br />
<br />
Running an operating system from a Live CD means that the PC's hard drive does not get used at all – and is therefore not subject to problems of leaving behind 'traces' to be recovered by forensics. There are some limitations with Live CDs e.g. a limited range of software can be run from them, and since the CD is read-only (as the point is not to save any data, which could be recovered!) any data you do want to save while working within the CD, or settings you want to keep, should be saved to an (encrypted) USB drive. Its simplicity ensures that this remains an attractive alternative, and it is worth keeping an eye on developments in this area. For some examples of Live CDs, see [http://susestudio.com/ Suse Studio] on how to create your own custom live bootable CD or see http://www.privacylover.com/anonymous-live-cd-list/ for a list of pre-built, mostly Linux-based alternatives.<br />
<br />
An excellent example of a pre-built option is the [https://tails.boum.org Tails Live CD] – this an operating system on a CD which is pre-configured to use the Tor network for all Internet access – including emails and web browsing.<br />
<br />
====Portable Applications====<br />
If installing an entire operating system to an external drive/USB stick, or using a Live CD, are not desired options, another alternative is to use 'portable applications' – standalone versions of existing software that can be run from a USB stick and do not save files or settings to your hard drive in the way that regular applications do. The idea is simply to prevent data being saved to your hard drive – the application files and data (including settings such as bookmarks, emails, etc), will be stored entirely on the USB device (which could be encrypted using a program such as TrueCrypt). See, for example, http://portableapps.com/ for an entire portable suite of software (including commonly-used programs such as Firefox, Thunderbird, Open Office, etc.).<br />
<br />
The use of portable applications may prove a practical and easy method of protecting your most sensitive data without going to the lengths of full disk encryption. One drawback is that there will still be traces of the USB drive having been used on that PC, and any monitoring software (firewalls, AV, etc.) is likely to have a record of an application on the USB drive (eg Firefox) having been run, which you might be called upon to explain. Nevertheless, this is an inconvenience more than anything, and so long as the USB stick itself is encrypted, the data will be safe. To increase the protection, this method could be combined with the following option.<br />
<br />
====System Drive Emulation software====<br />
Such software effectively prevents data being written to your hard drive by creating a clone of the system partition (typically drive C: in Windows – which includes system files, page file, registry files, application data and program files, etc.) as it looks when it is booted, in the computer's RAM. Once the system is shut down/restarted, this clone will be restored, thereby returning your system drive to the position it was before any data was written. An example of such software is the freeware program [http://www.toolwiz.com/products/toolwiz-time-freeze/ Toolwiz Time Freeze]. Simple to use, it is 'switched on' when necessary, and from that moment nothing that takes place (programs installed, software used, etc.) is permanently recorded; all normal computer operations appear to take place, but in fact these changes only take place for the duration of the session – upon restarting the PC there is no evidence that any such activity has occurred.<br />
<br />
With reference to the previous item – Portable Applications – an advantage of using combining drive emulation software with running portable apps from a USB drive would be that, once the PC was shut down/restarted, there would be no evidence of the applications on the USB stick (eg Firefox) ever having been run (and further, no evidence that the USB stick was ever plugged into that computer).<br />
<br />
====Virtual Machines====<br />
Another alternative to running a separate installation of Windows on an encrypted device is to employ a virtual machine. Such software (e.g. VirtualBox, at www.virtualbox.org) enables you to create a virtual operating system on your existing computer. In this way, you could run a dummy copy of Windows (or any other OS) on the main hard drive, then boot to a virtual copy of Windows which could reside in an encrypted file or partition on the hard drive. One drawback of this technique (other than the additional system resources / RAM consumption it requires) is that it is not guaranteed that traces of the virtual systems may not still appear in the 'real' system, since the two systems share some resources (and frequently, a network connection).<br />
<br />
==Protecting data while in transit over networks (Internet, Email, etc)==<br />
Whenever data is on the move – whether in the form of sending/receiving email, surfing the web, chat, downloading via P2P, viewing streaming media files, etc – it is at risk of interception. Data is transferred via different protocols (e.g. 'http' for web traffic, 'pop3' or 'smtp' for email, 'ftp' for some file uploads/downloads, etc). All the 'standard' forms of protocol (including those just mentioned) are sent over networks in plain text format – meaning that the data is visible to anyone who intercepts the traffic (your ISP, crackers, LEA, etc). The goal is therefore to utilize methods of secure communication so far as possible, irrespective of the data that is being transferred.<br />
<br />
===Email===<br />
Most commercial email addresses (including any email addresses supplied by your ISP) typically use insecure protocols. This will be apparent by checking the ports they use to communicate. If you use a desktop email client (eg. Outlook, Outlook Express, Eudora, Thunderbird) you will find this information under the 'Settings' option. If your email communicates via standard ports (usually port 110 for POP3 (i.e. incoming email) and port 25 for SMTP (i.e. outgoing email), it is being transmitted unencrypted – and therefore potentially visible to everyone.<br />
<br />
There are various techniques that can be employed to enhance the security of your emails:<br />
<br />
*Check your email provider's website to see if they offer an encrypted option (i.e. sending and receiving email via SSL (secure socket layer)). Usually this will simply be a matter of changing the port used in your email client's account settings – e.g. changing the ports to ports 995 (SSL POP) and 465 (SSL SMTP).<br />
*Avoid using email addresses provided by an ISP, and instead use dedicated email providers, such as Fastmail,Hushmail, SafeMail, and so on. Examples of such providers can be found in Section 3 below, or at [http://epic.org/privacy/tools.html EPIC's website]. Specialized email providers enhance your security by limiting the amount of information transferred to the recipient in the hidden email 'header' – which in the case of standard email providers (ISPs, Hotmail, etc) provide the recipient with far too much information, such as the IP address of your computer, the operating system that you use, and even which email client you used to send the email).<br />
*Use a dedicated form of email encryption, such as PGP. This utilizes public key encryption – the drawback being that the people with whom you communicate must also use public key encryption. Encourage others that you correspond with to do this. See 2.1.1. for more information.<br />
*Anonymous Remailers can be used to conceal from the recipient the origin of the email (see Section 2.3 for further details).<br />
<br />
====PGP====<br />
In 'public key' cryptography, two different keys are used: one key is secret and the other is made public. Anybody sending you an email simply encrypts their message to you using your public key. The public key is obviously not secret – in fact it may be spread widely so that anybody can find it if they wish to send you encrypted email (you can upload the key to a public key server to do this; though you may prefer just to give your public key to specific correspondents). The only way to decrypt an incoming message is with your secret key. The process works in reverse when sending email: you encrypt an email using the recipient's public key, which only they can decrypt using their<br />
private key.<br />
<br />
The original, and most well-known, program of this type is PGP, invented by Phil Zimmerman. There is now an OpenPGP standard, with which all software using public key cryptography should comply. Consequently, other programs are becoming popular, such as the open-source [http://gnupg.org/ GNU Privacy Guard (GnuPG)], which is OpenPGP compliant and compatible with other Open PGP tools (including PGP itself).<br />
<br />
After downloading the software, you simply use it to create a pair of keys – one public and one secret key. The public key can then be given to your correspondents which they will use to encrypt messages to you, which you can then decrypt using your private key. There are some programs which make the process of encrypting/decrypting easier via the use of 'add-ons'. Some email clients (e.g. Thunderbird) have add-ons (e.g. [http://www.enigmail.net/ Enigmail], which takes care of the encryption/decryption process on your behalf; the Firefox browser also has an add-on (see [http://www.mailvelope.com/ MailVelope) which enables you to easily encrypt text for pasting into a website, for example.<br />
<br />
===Web-Surfing===<br />
Whenever you request a web page via your Internet browser, in very basic terms what is happening is this: your browser sends the request for data to the server hosting that website, which then replies, and transfers the data to your computer, which is then recreated in your browser. Consequently, any request you make (whether by clicking on a link, or manually entering the site address) is transferred over the Internet via standard protocols (see introduction to this section, above) – typically for the Internet this will be http.<br />
<br />
Accordingly, this request for a particular web page is sent over the networks in plain text and so will be visible to anyone who is monitoring your activity (e.g. your ISP or other adversaries), and also reveals to the site you are visiting information about who you are (your computer's unique IP address) and information about your computer (which browser you use, what language/location settings you use, what the current time is on your PC, etc). In addition, in order to find that site, your browser needs to translate the address of the web page (e.g. (“amazon.com”) into its numeric equivalent – which it does by consulting a domain name (DNS) server. In a standard home Internet connection, the DNS server will be owned by your ISP – so the ISP has a second method of recording which sites you visit. Note that you can change your DNS server to one not owned by your ISP: see [http://www.opendns.com/ OpenDNS] for the relevant address to use.<br />
<br />
The upshot of the above is clear: both the site you visit, and your ISP (and anyone intercepting), knows the unique IP address assigned to your computer, and what data you are viewing. To avoid this, various options are available to 'anonymize' and/or encrypt your web surfing:<br />
<br />
====Free proxies====<br />
<br />
This is the weakest level of 'anonymity' – these are sites (e.g. http://www.kproxy.com/) which enable you to access another site, hiding your computer IP address, e.g. your request is sent to the 'end' site using the proxy IP as an intermediary. In that a case, the site you ultimately visit believes the request for data emanated from the proxy site and not from your computer. This does not protect you against surveillance by your ISP, and the data transferred is typically unencrypted and therefore visible to anyone else monitoring your connections, the proxy administrator can also log everything you do and turn over those logs if pressured to do so.<br />
<br />
====Commercial software====<br />
These are companies (e.g. Anonymizer, see Section 3 for an extensive list) which provide software which effectively bypasses surveillance from your ISP by creating an encrypted 'tunnel' between your computer and that company's server. In practice, this means that before making the data transfer from your PC (in the form of, say, a request for a web page), the software will encrypt this request, and then direct it to be forwarded from your ISP's servers to the proxy company's server. When it reaches the latter, the request will be decrypted and forwarded on to the relevant website. When that website returns the data, the reverse will take place. The effect of this is that:<br />
<br />
#your ISP cannot see which websites you are accessing – all it can see is that you are communicating with the company's server, not which websites you visit thereafter. (So if you were surfing the web for (say) 3 hours, from your ISP's point of view, they could see that traffic was passing back and forwards to your PC, but you would only appear to be receiving traffic from one address (the proxy company's server), and the contents of that traffic would be encrypted)<br />
#the website you are visiting cannot see who you are – since as far as they know, they are receiving the request for data from the proxy company's server, and simply return it to that server.<br />
<br />
The weak link in this chain will be apparent. While you are protected from your ISP, and from the websites you visit, the commercial proxy company knows who you are and (potentially, if they keep logs, what you are doing). The significance of this will vary according to the circumstance. If the sites you are visiting are merely sensitive (rather than illegal in your jurisdiction), the fact that the commercial proxy knows what you are doing is of little importance (particularly if – as recommended – you chose one in a different jurisdiction to your home country). You may, for example, simply not want your ISP to know that you visit boychat.org. The commercial proxy would be adequate for such uses.<br />
<br />
Check the terms and conditions of the commercial proxy company – in particular, whether they keep logs of your activity (for example, some log everything; some do not log origin and destination, but only record the quantity of data passing through, etc). Also, check which forms of data they will support – some commercial proxies will only encrypt Internet traffic (the http protocol), others (genuine 'VPNs') will encrypt all forms of protocol (whether it is Internet, email, file-sharing, etc). For additional security, look for a commercial proxy that offers anonymous payment methods and, ideally, is outside the US/EU.<br />
<br />
In summary: the advantage of using a commercial proxy is that it gives you a level of protection from monitoring by your ISP, and from the sites you visit, and generally you suffer little or no loss of speed in browsing. A potential disadvantage is that the commercial proxy knows who you are. For this reason, when accessing more sensitive sites, you may wish to employ other methods, such as Tor.<br />
<br />
====Tor====<br />
The basic idea of [http://www.torproject.org/ Tor] is to protect your privacy by disguising the route of data to and from your PC, as well as encrypting the traffic.<br />
<br />
Broadly-speaking, the Tor software will create a chain of at least 3 proxies, through which your data will pass – each interim stage in this chain only knows who sent the data to it (the previous proxy) and who it should forward data to (the next proxy in the chain).<br />
<br />
Effectively, this means that if you want to visit, say, Site A, Tor will encrypt this request, and pass it to the first link in the chain (Proxy 1), with encrypted instructions on where to send it thereafter. Proxy 1 will forward the encrypted request to Proxy 2, Proxy 2 will forward it to Proxy 3, etc. Thus, Proxy 1 only knows Proxy 2, Proxy 2 only knows Proxy 1 and Proxy 3, Proxy 3 only knows Proxy 2. The final link in this chain (known as the 'exit node') transfers the request to your ultimate destination (Site A). The process is then repeated in reverse. From the point of view of the user, this process happens invisibly – once the software is up and running, you merely use your browser as normal.<br />
<br />
(It should be noted at this point that once the data leaves the final link in the chain, it is no longer encrypted by Tor – at least until data is returned from your final destination to the first link in the return journey. This is only really significant if you are providing identifying information, e.g. entering a password into a webmail server via an unencrypted form – since then it is apparent that the request has come from you).<br />
<br />
The obvious advantage of this procedure is that there is no commercial proxy in the middle. No single point in the chain knows both you and your ultimate destination. This is arguably the most secure form of anonymizing web traffic. <br />
<br />
Some disadvantages are:<br />
<br />
#There is an initial learning curve with Tor – nevertheless, there is extensive documentation on the Tor website to assist with this, and once you have set it up and used it a few times, it becomes second nature.<br />
#As part of this learning curve, it is crucial that you configure your browser correctly. Enabling 'Security Level: Safest' in the browser is recommended.<br />
#It should also be pointed out that when using Tor, your browsing will be notably slower – which is to an extent inevitable given the number of different servers the traffic passes through, each of which may have different bandwidth allotments and be based in different countries. Tor will therefore be unsuitable for downloading large files (and possibly streaming data, such as Youtube or other streaming media). Its primary use will be for visiting particularly sensitive websites.<br />
#Related to the previous point, at the present time Tor only encrypts limited forms of protocol – primarily http traffic – which effectively limits its use to visiting web sites.<br />
#There have been a number of stories about breaching Tor's anonymity. Such instances tend to be a consequence of user implementation, rather than any flaw in Tor itself. More specifically, when using Tor, ensure that Javascript is disabled in your browser (since it is due to malicious scripts that Tor can be compromised. This can be done manually (in Firefox, go to Tools / Options / Content / uncheck 'enable Javascript'), or through the use of an Add-on such as [https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript], which automatically blocks scripts unless you permit them on a sire-by-site basis.<br />
<br />
It will be clear from the above consideration of Email and Web Surfing that there is no 'perfect' solution to online anonymity. Experts would say that 'true' anonymity is impossible. As long as you are transferring data from one computer to another over a network, there will be attempts made to intercept or track that data content and movement. Nonetheless, utilizing a combination of the above methods, depending on the circumstances and the sensitivity of your activities, offers significant protection against surveillance.<br />
<br />
'''NOTE''': Regardless of whether an anonymous connection is used, your browser should be as secure as possible, since there are numerous browser vulnerabilities that can expose your PC to malware. Javascript, Flash, Shockwave objects – all of these can compromise your anonymity. Firefox is highly recommended as a more secure browser than Internet Explorer, and can be further customized with Add-ons to increase security. NoScript, referred to above, is particularly desirable. Other security-related Add-ons are referred to in the Links section, below.<br />
<br />
===Other Network Usage (Chat, Anonymous Remailers, File-Sharing)===<br />
Similar anonymity considerations apply to any form of network activity, including Chat, P2P/File-Sharing, Usenet, etc. Typically, all such traffic is carried unencrypted over public networks, and is therefore capable of surveillance by the ISP and interception from other adversaries. Wherever possible, utilize security and anonymity tools to protect the privacy of such data.<br />
<br />
*For chat/IM, [https://otr.cypherpunks.ca OTR (Off The Record)] is an excellent plugin. Even if your contacts' private keys are determined, your private conversations are not compromised.<br />
*For posting messages on Usenet, consider using an anonymous remailer, which forwards messages without revealing where they originally came from. Anonymous remailers utilize the same 'onion router' principle behind Tor: they remove personal data from the message, encrypt it, and pass it through a chain of 'post offices' until the last remailer in the chain forwards the message to the recipient. As with Tor, the idea is to make the message untraceable to the sender.<br />
:The main issue with remailers is whether/how a recipient can reply to the message, given that its source is untraceable. Different types of remailers handle this differently. 'Pseudonymous remailers' are the most basic: they are typically unencrypted, and merely apply a pseudonym to the sender and forward the message to the recipient, who can then reply via the remailer. 'Cypherpunk remailers' typically encrypt the message and pass it through numerous hops on the chain to the recipient; generally the recipient cannot reply to such messages. 'Mixmaster' and 'Mixminion' remailers offer more advanced features, and seek to address issues such as the capacity for the recipient to reply to a message that has come from an 'untraceable' source. These generally require dedicated software.<br />
:One example of such software is OmniMix: http://www.danner-net.de/om.htm, which is designed for Windows, and can be used to send email and Usenet postings through the Mixmaster anonymous remailer network. OmniMix is straightforward to install, and can also be run from a removable device such as a USB stick.<br />
*When downloading from file-sharing networks (e.g. Limewire, Shareaza, etc.), it is important to know that not only is the traffic unencrypted (and therefore visible to, e.g. your ISP), your IP address is made available to anyone you are sharing with – and there is every possibility that the latter could be LEA or other adversary. A new breed of 'anonymous' networks are continually being developed, which generally seek to utilize the onion routing principle – traffic is encrypted and the origin/destination of the requested file are proxied. For examples of these, see:<br />
**[http://freenetproject.org/ Freenet]<br />
**[http://www.gnunet.org/ GNU Net]<br />
<br />
For a more detailed comparison of the different programs available, see http://www.zeropaid.com/software/file-sharing/ and http://www.anonymous-p2p.org/programs.html<br />
<br />
==Useful Links==<br />
'''NOTE''':Inclusion of links should not be taken to imply endorsement of particular software<br />
<br />
===Cleaning traces, erasing and general encryption software===<br />
<br />
*[http://www.piriform.com/ccleaner CCleaner] - Shreds/wipes sensitive traces of Internet activity<br />
*[http://sourceforge.net/projects/eraser/ Heidi Eraser] - Secure erasing software for individual files and free disk space<br />
*[http://www.dban.org/ Darik's Boot and Nuke (DBAN)] - Boot disk that does a government-standard wipe of hard drives<br />
*[http://www.truecrypt.ch TrueCrypt] - Open source encryption software<br />
*[http://diskcryptor.net/] - Full disk encryption software<br />
*[http://www.jetico.com BestCrypt] - Commercial encryption software<br />
<br />
===Email providers, remailers, and email encryption===<br />
<br />
*[https://protonmail.ch ProtonMail] - Free email provider in Switzerland<br />
*[http://www.unseen.is Unseen.is]- Email provider with encryption in Iceland<br />
*[https://addons.mozilla.org/en-US/thunderbird/addon/torbirdy/ TorBirdy] - Thunderbird addon to send email using tor<br />
*[http://www.anonymousspeech.com Anonymous Speech] - Email provider with PGP encryption<br />
*[http://www.cotse.net Cotse] - Email, SSH tunnel and VPN provider<br />
*[https://emailselfdefense.fsf.org The PGP Faq] - email self-defence guide<br />
*[http://www.gnupg.org GnuPG] - Linux/Windows email encryption<br />
*[http://www.goanywheremft.com/products/openpgp OpenPGP Desktop] - OpenPGP Go Anywhere<br />
*[http://www.enigmail.net/ Enigmail]- Plugin for Thunderbird Email client to manage encryption<br />
*[http://quicksilvermail.net QuickSilver] - email remailer client<br />
*[http://www.danner-net.de/om.htm OmniMix] - anonymous remailer<br />
*[https://otr.cypherpunks.ca OTR (Off The Record)]- a plugin for encyrypting chat/IM<br />
<br />
===Anonymity online===<br />
<br />
*[http://www.torproject.org/ Tor proxy] - Anonymous Internet browsing with hidden sites<br />
*[https://geti2p.net/ I2P Network] – Anonymity, similar to Tor<br />
*[http://cyberghostvpn.com/ CyberGhost VPN] - Commercial VPN with free option<br />
*[http://www.securitykiss.com/ Security Kiss] – Commercial VPN with free option<br />
*[http://anonymous-proxy-servers.net/ JonDoNym] - Commercial VPN<br />
*[https://www.perfect-privacy.com/ Perfect Privacy] – Commercial VPN<br />
*[http://www.opendns.com/ OpenDNS] - set your DNS addresses using OpenDNS, instead of using your ISP's DNSs.<br />
*[http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/ TorrentFreak] - List of VPN services with strong privacy<br />
<br />
<br />
'''NOTE''': When purchasing commercial products, ensure you check the providers' terms & conditions, particularly regarding their jurisdiction, privacy, reporting and logging policies. Do some research on the different companies' products, e.g. by searching their name at Wilders Security Forums. Use alternative methods of payment wherever possible, such as using prepaid web money/debit cards that you don't need ID to buy.<br />
<br />
===Firefox add-ons===<br />
<br />
*[https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript]- Many browser security holes are related to Javascript. Block scripts entirely, until permitted on a site-by-site basis.<br />
*[https://addons.mozilla.org/en-US/firefox/addon/flashblock/ FlashBlock] - Blocks flash content until you permit it<br />
*[https://addons.mozilla.org/en-US/firefox/addon/refcontrol/ Refcontrol] - Blocks or fakes your referrer ID<br />
*[https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy] - Easy proxy management<br />
*[https://addons.mozilla.org/en-US/firefox/addon/anonymox/ AnonymoX] - Change computer IP proxy addon<br />
*[https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ BetterPrivacy] - It removes hard to erase Flash cookies<br />
<br />
===Miscellaneous privacy/security software===<br />
<br />
*[http://keepass.info/ KeePass] - Open-source password manager<br />
*[http://www.nirsoft.net/utils/cports.html CurrPorts] - See your open ports<br />
*[http://www.nirsoft.net/utils/cprocess.html CurrProcess] - See info about processes running in your computer<br />
*[http://windirstat.info/ WinDirStat] - disk usage statistics viewer and cleanup tool<br />
*[http://www.7-zip.org/ 7-zip] - compression & encryption tool<br />
*[http://www.sandboxie.com Sandboxie] – run your browser inside a 'sandbox' to prevent malware from gaining access to your system<br />
<br />
*Pre-paid web money: see http://www.bitcoin.org and [http://www.paysafecard.com PaySafeCard](EU)<br />
<br />
===Sources for technical advice/support===<br />
<br />
*[http://www.wilderssecurity.com Wilders Security Forums]- Information related to security, privacy and anonymity<br />
*[https://en.boywiki.org/wiki/Category:Technology BoyWiki Technology] - Boylover Wiki Technology section<br />
*An old BoyChat post with useful advice on how not to accidentally out yourself: https://www.boychat.org/messages/1107524.htm<br />
<br />
<u>'''FINAL NOTE'''</u>: If you follow the procdures outlined in this guide, you will be a long way to protecting yourself -- but please remember that there is no such thing as 100% computer security. Stay safe.<br />
<br />
'''<u>Disclaimer</u>: All material provided in this guide is intended as introductory guidance only, and should not be used as an alternative to undertaking your own research. No representation is made as to the current accuracy of the information and links provided.'''<br />
<br />
[[Category:Advice]]<br />
[[Category:Archival]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9864Guide To Computer Security (2022)2021-12-08T13:17:07Z<p>Time Has Passed: /* Recent Items */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended.<br />
<br />
====Securing Windows 7====<br />
<br />
There are a number of areas that require attention in order to make Windows 7 reasonably secure.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
By default, Windows 7 stores a list of recently opened items. To disable this, right click on Start, select 'Properties', select the 'Start Menu' tab, then uncheck 'Store and display recently opened programs in the Start menu' and 'Store and display recently opened items in the Start menu and the taskbar'.<br />
<br />
=====System Restore=====<br />
<br />
=====Swap File=====<br />
<br />
=====Hibernation=====<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9819Guide To Computer Security (2022)2021-12-06T14:48:38Z<p>Time Has Passed: Should include this category - Bitcoin is not anonymous</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended.<br />
<br />
====Securing Windows 7====<br />
<br />
There are a number of areas that require attention in order to make Windows 7 reasonably secure.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
=====System Restore=====<br />
<br />
=====Swap File=====<br />
<br />
=====Hibernation=====<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Cryptocurrency==<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9818Guide To Computer Security (2022)2021-12-06T13:41:39Z<p>Time Has Passed: /* Windows 7 */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances. Usage of the Internet Explorer browser is not recommended.<br />
<br />
====Securing Windows 7====<br />
<br />
There are a number of areas that require attention in order to make Windows 7 reasonably secure.<br />
<br />
=====Indexing Service=====<br />
<br />
The indexing service provides a book-like index of all files stored on any drive for which it is enabled. It enables faster searches of drives and folders. However, names of all indexed will be stored in plain-text on the drive on which Windows is installed, even if those files are encrypted.<br />
<br />
To turn off the indexing service:<br />
<br />
Control Panel -> Programs -> Turn Windows features on or off. Deselect 'Indexing Service'.<br />
<br />
=====Recent Items=====<br />
<br />
=====System Restore=====<br />
<br />
=====Swap File=====<br />
<br />
=====Hibernation=====<br />
<br />
=====Thumbnail cache=====<br />
<br />
Windows 7 stores thumbnails in a central cache on the drive on which Windows is installed. Thumbnails of encrypted images will also be stored in this central cache when the folder in which the images are located is accessed.<br />
<br />
Built-in methods and [https://www.sevenforums.com/tutorials/10794-thumbnail-cache-enable-disable.html software]for disabling the cache exist, but there are reports of these solutions not working perfectly. People living in particularly oppressive regimes should consider wiping their thumbnail cache regularly.<br />
<br />
=====Telemetry=====<br />
<br />
Windows 7 sends data about your computer usage to Microsoft. The relevant 'features', designed for Windows 10, were introduced to Windows 7 via Windows Updates.<br />
<br />
The following updates should be uninstalled if present:<br />
<br />
*KB3068708<br />
*KB3022345<br />
*KB3075249<br />
*KB3080149<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=User_talk:Time_Has_Passed&diff=9817User talk:Time Has Passed2021-12-06T12:16:13Z<p>Time Has Passed: </p>
<hr />
<div>==May interest you==<br />
<br />
[[Prohibited images of children]] - funnily, it is uncategorized. Might be worth a look, as if it is up to date, we could just categorize it and add to the encyclopedia. --[[User:The Admins|The Admins]] ([[User talk:The Admins|talk]]) 16:34, 5 December 2021 (UTC)<br />
<br />
:According to the CPS website, the law seems not to have been changed. The UK government has probably been too busy chasing people who are 'not the right colour'. [[User:Time Has Passed|Time Has Passed]] ([[User talk:Time Has Passed|talk]]) 12:16, 6 December 2021 (UTC)</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9792Guide To Computer Security (2022)2021-12-05T13:52:04Z<p>Time Has Passed: </p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. This page represents an updated version currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances.<br />
<br />
There are a number of concerns that may be of interest to the MAP community.<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9791Guide To Computer Security (2022)2021-12-05T13:51:15Z<p>Time Has Passed: /* Operating Systems */ I will work on this article bit by bit</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. An updated version is currently under development.<br />
<br />
==Operating Systems==<br />
<br />
===Windows 10===<br />
<br />
As of December 2021, Windows 10 is the world's most popular operating system. Although extremely convenient, it is widely considered to be a very poor choice for data security and privacy.<br />
<br />
Multiple guides exist online describing how to reduce the risk posed by using Windows 10. However, it is inherently insecure and best avoided for anyone who is concerned about the leakage of sensitive information.<br />
<br />
===Windows 7===<br />
<br />
Windows 7 is no longer supported by Microsoft; as such, known security issues are unlikely to be patched barring exceptional circumstances.<br />
<br />
There are a number of concerns that may be of interest to the MAP community.<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9790Guide To Computer Security (2022)2021-12-05T13:26:00Z<p>Time Has Passed: ordering</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. An updated version is currently under development.<br />
<br />
==Operating Systems==<br />
<br />
As of December 2021, Windows 10 is the most popular operating system. It is widely considered to be a very poor choice for data security and privacy. Other options include...<br />
<br />
===Windows 10===<br />
<br />
====Securing Windows 10====<br />
<br />
===Windows 7===<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Perspective==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9789Guide To Computer Security (2022)2021-12-05T13:25:10Z<p>Time Has Passed: /* Data Protection */</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. An updated version is currently under development.<br />
<br />
==Operating Systems==<br />
<br />
As of December 2021, Windows 10 is the most popular operating system. It is widely considered to be a very poor choice for data security and privacy. Other options include...<br />
<br />
===Windows 10===<br />
<br />
====Securing Windows 10====<br />
<br />
===Windows 7===<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
===SSD Issues===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Useful Links==<br />
<br />
==Perspective==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9788Guide To Computer Security (2022)2021-12-05T13:23:40Z<p>Time Has Passed: </p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. An updated version is currently under development.<br />
<br />
==Operating Systems==<br />
<br />
As of December 2021, Windows 10 is the most popular operating system. It is widely considered to be a very poor choice for data security and privacy. Other options include...<br />
<br />
===Windows 10===<br />
<br />
====Securing Windows 10====<br />
<br />
===Windows 7===<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Useful Links==<br />
<br />
==Perspective==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9787Guide To Computer Security (2022)2021-12-05T13:22:49Z<p>Time Has Passed: /* Googling and Fingerprinting */ Better</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. An updated version is currently under development.<br />
<br />
==Operating Systems==<br />
<br />
As of December 2021, Windows 10 is the most popular operating system. It is widely considered to be a very poor choice for data security and privacy. Other options include...<br />
<br />
===Windows 10===<br />
<br />
====Securing Windows 10====<br />
<br />
===Windows 7===<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Operational Security==<br />
<br />
===Googling===<br />
<br />
===Fingerprinting===<br />
<br />
===Social Engineering===<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9786Guide To Computer Security (2022)2021-12-05T13:14:06Z<p>Time Has Passed: Added category</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. An updated version is currently under development.<br />
<br />
==Operating Systems==<br />
<br />
As of December 2021, Windows 10 is the most popular operating system. It is widely considered to be a very poor choice for data security and privacy. Other options include...<br />
<br />
===Windows 10===<br />
<br />
====Securing Windows 10====<br />
<br />
===Windows 7===<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Googling and Fingerprinting==<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9785Guide To Computer Security (2022)2021-12-05T11:43:48Z<p>Time Has Passed: Template</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>The original '''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. An updated version is currently under development.<br />
<br />
==Operating Systems==<br />
<br />
As of December 2021, Windows 10 is the most popular operating system. It is widely considered to be a very poor choice for data security and privacy. Other options include...<br />
<br />
===Windows 10===<br />
<br />
====Securing Windows 10====<br />
<br />
===Windows 7===<br />
<br />
====Securing Windows 7====<br />
<br />
===Linux===<br />
<br />
===Live CDs===<br />
<br />
==Data Protection==<br />
<br />
===Encryption===<br />
<br />
===Secure Erasure===<br />
<br />
===Firewalls and Anti-Virus Protection===<br />
<br />
==Network Security==<br />
<br />
===Proxies===<br />
<br />
====Tor====<br />
<br />
====VPNs====<br />
<br />
====Web-based proxy servers====<br />
<br />
===E-mail===<br />
<br />
===Chat===<br />
<br />
==Useful Links==</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_To_Computer_Security_(2022)&diff=9784Guide To Computer Security (2022)2021-12-05T11:26:03Z<p>Time Has Passed: Created page with "Placeholder"</p>
<hr />
<div>Placeholder</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_to_Computer_Security_(Archive)&diff=9783Guide to Computer Security (Archive)2021-12-05T11:22:22Z<p>Time Has Passed: This is horribly out of date. I will update it in parts. There are some things I need to clarify too. A review by someone with professional computer science qualifications or experience is needed.</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>'''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after consultation with the [[Newgon.com]] forum community in 2008. It explained how you could protect data stored on your hard drive and stay anonymous on the internet. The guide may be of interest to people who wish to protect their anonymity and data from adversaries. However, parts of it may be out of date. It is currently in the process of being updated.<br />
<br />
The 2008 guide can be downloaded as a PDF here: [[Media:Guide_to_Computer_Security.pdf|Guide to Computer Security]]<br />
<br />
==Protecting data stored on your hard drive==<br />
<br />
===Locking down Windows===<br />
Windows at its default settings is an insecure operating system. Having been designed for mass<br />
consumer/commercial usage, it tries to be all things to all people. Consequently, it has a tendency to run unnecessary services, store/hide private information in numerous, often hidden, locations, and exposes your PC to unnecessary security risks.<br />
<br />
====Disable unneeded services====<br />
Many of the services in Windows are unnecessary, and some are security risks (e.g. the 'Remote Registry' service, which permits third party network access to the computer's system settings). There are numerous online guides giving advice as to which services you can safely disable. [http://www.prestwood.com/aspsuite/kb/document_view.asp?qid=100274]<br />
<br />
====System Restore points==== <br />
By default, Windows saves a backup of your system settings at regular intervals (and therefore may store information that is ideally kept sensitive) in case you need to roll-back the system to an earlier point in time. Most computer problems can be fixed via other methods however, and if you don't use/need System Restore you can disable it (via Control Panel / System / System Properties / System Restore tab).<br />
<br />
====Hibernation====<br />
If you don't use hibernation, ensure that this is disabled, since otherwise it will intermittently save anything that you are currently working on to your hard drive in plain text form – even encrypted documents – which could later be retrieved. (Control Panel / Power Options / Hibernate tab / uncheck 'Enable Hibernation').<br />
<br />
====Pagefile/Swapfile====<br />
By default, Windows creates a file on your hard drive (pagefile.sys) which it uses as additional computer memory, and it shifts running processes to this file on the hard drive when necessary. Many modern PCs have sufficient RAM (e.g. over 1 GB) not to need this file. You can disable it via Control Panel / System / Advanced tab / select 'Settings' button under the 'Performance' heading / Advanced tab / Virtual Memory / Change / select 'No Paging File' / click 'Set' / click 'Ok'.<br />
<br />
'''NOTE''': Disabling the pagefile is contentious, and the debate around this is unresolved [http://www.codinghorror.com/blog/archives/000422.html] Provided you have a reasonably fast CPU and a decent amount of RAM, you should not encounter any problems. If you do need the paging file for some reason, or your RAM capacity is not sufficient to do without it, you should at least ensure that it is securely wiped when the computer powers off (see Section 1.3.1., below). In addition, the pagefile can be encrypted using a dedicated encryption product, such [http://www.jetico.com BestCrypt].<br />
<br />
====Windows Security Center====<br />
The built-in Security Center and Windows Firewall are highly ineffective. Disable them via the Control Panel, and use a third party Firewall instead (see Section 1.2, below).<br />
<br />
====Windows Privacy Tools====<br />
<br />
In addition to the above steps, you can utilize easy-to-use, one-off, privacy tools to tighten up Windows settings. e.g. [http://privazer.com/ Privazer]<br />
<br />
====Alternative Software====<br />
<br />
Avoid using Microsoft software (e.g. Office, Outlook Express, Internet Explorer, Windows Media Player) so far as possible. Since they are designed to collaborate with one another, most of them leak personal information all over the place. Use open-source alternatives so far as possible (which typically also have the added benefit of being much less resource-hungry). For example, consider using:<br />
*[http://www.openoffice.org Open Office suite] instead of MS Office (Word, Excel, etc). Particularly important for office software is to remember to disable 'auto-save' in the program options – since if you are working on an encrypted file the document may be saved to your drive as plain text during an auto-save.<br />
*[https://www.mozilla.org/thunderbird Thunderbird] or [http://sylpheed.sraoss.jp/en/ Sylpheed] instead of Windows Live Mail<br />
*[https://mozilla.org/firefox Firefox] or [http://www.opera.com Opera] instead of Internet Explorer<br />
*[http://www.videolan.org VLC Media Player] or [http://sourceforge.net/projects/guliverkli/ Media Player Classic] instead of Windows Media Player<br />
*[http://www.foxitsoftware.com/Secure_PDF_Reader/ Foxit PDF Reader] instead of Adobe Acrobat Reader.<br />
<br />
===Avoiding Malware===<br />
<br />
The commonly talked about threats to computer data surround the execution of malevolent code on your PC, in the form of viruses, trojans, spyware, etc. Discussion of this topic usually revolves around damage to your data or identity theft by cyber-criminals for financial gain; but it is also crucial to ensure that you are protected from malware that could benefit other adversaries. One obvious aspect is keylogging software: you can come up with the most complex passwords to protect your data, but if there is a keylogger on your PC capturing each keystroke you enter, the password might become worthless. Equally insidious is the use of 'copware' – malware planted on your PC via LEA pecifically<br />
targeting you [http://www.infiltrated.net/cipav.pimp]. Such software frequently arrives on the target's PC via email attachments. Standard email advice applies, e.g:<br />
<br />
*Disable HTML in your emails – in most webmail and desktop email clients there is an option to do this in the settings (eg. in Thunderbird: 'View' menu / uncheck 'Display attachments inline' and check 'View message body as...plain text')<br />
*Use Anti-Virus software that scans emails as well as files<br />
*Don't open attachments from unknown sources<br />
<br />
In addition, further advice includes:<br />
<br />
*Check regularly for the presence of hardware keyloggers (a small device fitted to your PC designed to record keystrokes as an alternative to software keyloggers). The device will appear inconspicuous, and could, for example, resemble a traditional USB-type plug. Also consider applying a drop of paint (or, e.g. correction fluid) to the screws in the back of keyboards, making it easier to see if the hardware has been tampered with.<br />
*When encrypting data, and where given the option to do so, use 'keyfiles' in addition to passwords. This is an available option with some encryption programs, which enables you to specify a file(s) on your hard-drive (perhaps a photo, for example) that must be entered in addition to a password. This will help protect against keyloggers (though not against malware that also captures mouse-movements).<br />
*If practicable, you could also use an on screen keyboard (OSK) to enter passwords (thereby using the mouse rather than the keyboard).<br />
*Zero-emission pads: Surveillance teams can remotely scan the electromagnetic emissions from your computer monitor, e.g. as you type a passphrase (google TEMPEST for technical details). You can use a replacement text editor that enables you to view and/or edit text in a special font and screen that allegedly 'diffuses the emissions from your computer monitor efficiently enough to defeat TEMPEST surveillance equipment', such as this one [http://geocities.com/phosphor2013/zep.zip]<br />
*So far as security software is concerned, you should have one Firewall, one Anti-Virus (AV) program, and one Anti-Spyware (AS) program, all providing 'real-time' protection. For completeness, you could also install a second AV and/or AS program and/or dedicated anti-trojan software (such as [http://www.misec.net/ TrojanHunter]) – not to operate in 'real-time' (since a software conflict is possible) but just to perform regular scanning of your PC.<br />
:Firewalls, AV and AS vary considerably in effectiveness (as well as in the amount of your PC's resources that they use). Check PC magazines for test results, or check online sources for the most effective protection. Good sources of information are sites such as [http://www.wilderssecurity.com Wilders Security Forums].<br />
<br />
:It is sometimes rumored – though to what extent this is likely is debatable – that major AV/AS companies may turn a 'blind-eye' to copware. Here is one advantage of using standalone products, e.g. separate AV, AS and Firewall software each from a different company, rather than the easier option of relying on a single security suite such as Norton or McAfee. In addition, some software is notorious for 'phoning home' regularly – Zone Alarm, for instance, frequently (more so than necessary) contacts its company's servers without notifying the user. It may therefore be desirable to turn off 'automatic updating', and manually update software at (say) daily intervals; and for persistent software (e.g. Zone Alarm) you can prevent it from contacting its servers by making simple changes to the Windows 'hosts' file [http://labnol.blogspot.com/2006/02/prevent-zonealarm-from-phoning-home.html].<br />
*In counteracting malware, you should also keep an eye on which programs are running on your PC, and whether any software has set itself to startup when you boot Windows. Both can be checked via Windows' built-in tools:<br />
**to view running processes, open Task Manager by right-clicking on the taskbar and selecting the 'processes' tab. You can identify any processes you do not recognize online, by looking them up at sites such as [http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx].<br />
**to check which programs are set to start when you boot Windows, go to Start / Run... then enter “msconfig” in the box (without the quote marks). In the window that appears, the last tab marked 'Startup' lists these items. Many of these are inserted by software, and are unnecessary. To check whether it needs to run at startup, identify the program at the following site: [http://www.sysinfo.org/startuplist.php] and uncheck any that are not needed. (Note, this has the added advantage of substantially reducing the PC's boot time).<br />
:As an alternative to these built-in Windows tools, you could use a freeware program to keep a closer eye on running processes and startup items, such as [http://processhacker.sourceforge.net/ Process Hacker] or [http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Process Explorer]<br />
*Keep up-to-date all your software that uses network connections, such as your browser, anti-virus software, and all security products.<br />
<br />
===Cleaning / Erasing===<br />
Windows stores a vast amount of information about your activities, which should be cleaned up on a regular basis.Note that such traces, along with any files that you chose to get rid of, should be securely erased rather than just deleted. This distinction between 'deleting' and 'erasing/wiping' is a crucial one. Deleting data in the standard way merely makes the data invisible to Windows – it remains on the hard disk until it is overwritten by other data. Instead of deleting, data should be securely 'erased' or 'wiped' (i.e. it is overwritten a number of times with random data so that it becomes unrecoverable).<br />
<br />
====Erasing files====<br />
There are numerous tools available for securely erasing files. One simple, freeware, tool is [https://sourceforge.net/projects/eraser/ (Heidi) Eraser]. This has various features, one of which is to insert itself into your context menu, such that when you right-click a file, you just select 'Erase', and it will wipe the file according to the number of 'passes' that you specify. Another useful feature is 'Erase Secure Move': usually when you move files from one place to another, behind-the-scenes Windows actually copies the file to the new location, then deletes the existing file – which suffers from the above-mentioned issue of the deleted file being recoverable. With the Erase Secure Move option, after the file is copied to the new location, the existing file will be wiped, rather than just deleted.<br />
<br />
'''NOTE''': Eraser can also be set to erase the Windows 'pagefile' on shutdown/restart (see 'Locking down Windows', Section 1.1, above).<br />
<br />
====Erasing disk space====<br />
Files that are deleted automatically by Windows (e.g. temporary files which it has created), or files that have been deleted by the standard method without having been wiped as above, will be simply be hidden in 'free disk space' until overwritten. To ensure that these have been removed, regularly wipe the 'free disk space' on your hard drive – again, Eraser (above) is good for this purpose.<br />
<br />
====Cleaning traces====<br />
Most software stores information about your usage – e.g. Internet browsers keep a record of details such as your browsing history, downloads, and cookies; PDF readers store a history of the last few files you've read; Office products keep a record of recently opened documents and perhaps unusual words used therein; media players store details of recently played files; Windows itself stores temporary files, prefetch data, memory dumps, and so on. A simple way to erase all such tracks in one go is to use dedicated 'cleaning' software. For example, [http://www.piriform.com/ccleaner] is a decent freeware program which will erase these tracks for you. In the settings options, you can select the number of times such traces should be 'wiped', rather than simply deleted.<br />
<br />
'''NOTE (1'''): All decent erasing/wiping/shredding software will allow you to specify the number of times that the data will be overwritten – typically, you can choose to overwrite data once, three times, seven times or thirty-five times, depending on the sensitivity of the data. There is some debate as to whether modern hard drives require as many passes to irrevocably destroy data – Googling this issue will produce much discussion. To be on the safe side, a minimum of three 'passes' is suggested. Naturally, the more 'passes' over the data you select, the longer it will take. Be aware that, say, shredding the entire free disk space on a hard drive (which may be hundreds of gigabytes) will take a significant amount of time.<br />
<br />
'''NOTE (2)''': If wiping data on flash memory (e.g. USB sticks), wiping individual files is insufficient to make them irrecoverable, due to the way such memory writes data. See the special section on USB drives (Section 1.5, below).<br />
<br />
===Encryption===<br />
Broadly-speaking, “computer forensics” involves inspection of the computer hard drive for evidence as part of a legal investigation. In the event that your PC is seized, investigators or other adversaries will search it for the 'activity traces' referred to in the previous section, as well as stored files and documents, and other evidence of how the PC has been used (e.g. checking the Windows Registry for evidence of which USB drives have been used – since details of such devices, including their serial numbers, are stored there). The goal of encryption is to make data unintelligible, so that, even if your data is seized, it cannot be read.<br />
<br />
A brief note on the medium which you may be using: first, there is the hard drive. Typically, Windows will be installed onto partition C of the hard drive (and unless you have created other partitions, this may make up the entire physical drive). Data may also be stored on external, USB hard drives; on flash memory drives (USB sticks / pen drives); on floppy disks, CDs and DVDs. It is important that, on whichever medium you store sensitive data, that data are encrypted.<br />
<br />
====Individual files====<br />
There are numerous tools available to encrypt data, offering various different options. Some software will simply encrypt individual files – they will still be visible on the hard disk, but a password will be required to open them. Other software offers a greater range of options, such as creating a 'vault' on your hard drive of a specific size, into which you can place sensitive files without having to encrypt each file individually.<br />
<br />
[http://truecrypt.ch TrueCrypt] is highly recommended for your encryption needs. It enables both the creation of encrypted files, as well as the ability to encrypt an entire hard drive partition, or an entire device (e.g. a USB stick). It also allows for the creation of 'hidden volumes' – a partition/device can be encrypted, then within this encrypted container a second, encrypted contained is created. This is primarily so that if you are forced to decrypt the 'outer'<br />
volume, on which you might store a few sensitive-looking, but unimportant files, it will not be evident (and cannot be proved) that there is a second, hidden volume. (NB. For various security reasons, encrypting partitions or devices is preferable to encrypting individual files – the<br />
TrueCrypt manual explains these in detail.)<br />
<br />
The advantage of the open-source TrueCrypt over most other encryption software is the 'plausible deniability' aspect. It is impossible to prove that a partition or device encrypted with TrueCrypt is in fact encrypted. Upon forensic analysis, the partition or device appears to simply be filled with random data – as though there is nothing on the partition or device. This is crucial in authoritarian regimes, e.g. the United Kingdom, which has enacted a criminal offense (punishable by up to 2 years, or 10 years in terrorism cases) of 'failing to decrypt' (or provide the password to<br />
enable decryption) when demanded by the authorities. Obviously for such a law to be used against you, it would have to be established that you had some encrypted material in the first place. With a TrueCrypt-encrypted device or partition, this should be impossible to prove.<br />
<br />
'''NOTE''': If you are working with individual encrypted files (rather than storing files in a container or partition) and are using USB flash drives, see Section 1.5 on USB drives below.<br />
<br />
====System Drive / Full Disk / Whole Disk Encryption====<br />
The disadvantage of only encrypting individual files or external devices is that computer forensics can still reveal much about your computer usage from the system partition (the drive on which Windows is installed) and – importantly – sensitive details such as your browsing history, bookmarks, emails, and email contacts addresses, may be accessible. Details of your contacts is one of the first things an adversary will check for, which they will use to 'broaden' their investigation, perhaps by targeting those contacts. There is therefore an obligation to protect not only yourself, but also those with whom you correspond.<br />
<br />
Computer forensics is essentially rendered ineffective by encrypting your entire system drive (typically the C: drive in Windows). This is the ideal position: if the adversary cannot access your hard drive to begin with, you have gone along way to defending your data. The latest versions of TrueCrypt (versions 5.0 and upwards) have an option for encryption of the system drive (or the entire hard drive, if it has more than one partition). It is very simple to use, and will ensure that no one can access your hard drive without first entering the correct password prior to the computer booting (and also makes it more difficult for adversaries to plant data on your hard drive). A detailed reading of the TrueCrypt manual is essential in order to encrypt the system drive effectively.<br />
<br />
One consideration for those in countries in which failure to disclose a password is a criminal offense (just the UK at present, though this will undoubtedly be extended to other countries), is that where your entire hard drive (or just the system drive) is completely encrypted, you lose an element of plausible deniability. TrueCrypt system encryption, for example, stores its 'boot loader' (the information necessary for the computer to boot) on the first cylinder of the hard disk – which will obviously be visible to a forensics team. It is possible to remove the boot loader and instead boot from a CD which has the TC boot loader installed, though obviously this is more inconvenient.<br />
<br />
In any event, whether or not the boot loader is present, it remains the case that it cannot be proved that the hard drive itself is encrypted – the remainder of the drive will still appear as random data. So from this point of view, you are still protected from 'failure to disclose password' laws. Nonetheless, having to explain away an internal hard drive with a TC boot loader, and “nothing else” on it, will be tedious (depending on how convincing you can be that you had “coincidentally, just recently wiped the hard drive”). Therefore it may be felt preferable to use other tactics to increase plausibility.<br />
<br />
One such tactic is to install Windows to an external hard drive, or to a USB stick, and encrypt it with TrueCrypt. You can then keep your 'dummy' Windows installation with no compromising data on the PC's internal hard drive, and boot to the external hard drive or USB stick to use your 'real' Windows. Technically, Windows does not want to be installed to external devices – but it can be achieved. There are numerous guides available on the web; and the project also has a useful forum for resolving issues. For installing Windows to an external device to work, it is necessary that your PC's BIOS is capable of booting to external devices – most recent computers (built in the last few years) can do this, but if you have an older PC, check its ability to do so by doing a web search on its model.<br />
<br />
If utilizing this method, your 'computer' effectively lives on your external device, while you maintain a dummy system on the internal drive. This has the added advantage of portability – your Windows installation can be kept in a secure place when not in use, etc. Again, the TrueCrypt boot loader will reside on the first cylinder of the external device – but it is certainly more plausible to have an external device with “nothing on it” than an internal drive (particularly if you take the extra step of removing the TrueCrypt boot loader and booting the device from a CD).<br />
<br />
'''NOTE''': While the latest version of TrueCrypt (6.0 and upwards) now enables the creation of a hidden, encrypted system drive – by utilizing a 'dummy' system partition, with the real system partition hidden – at the time of writing it is not ideal: to ensure complete plausible deniability it has very stringent requirements, e.g. the real system partition should not be used to access the Internet (which partly defeats the object), files cannot be copied from the real partition to other<br />
media, the dummy partition must be accessed regularly to make it appear plausible, etc. It may be felt that until a more substantive hidden operating system is available, this latest feature should be used circumspectly.<br />
<br />
===Security Note on USB Drives and Wear-Leveling===<br />
When writing data to a USB flash drive, a PC uses a 'logical address' on the drive. However, this logical address is distinct from the flash drive's 'physical block address' – since most USB flash drives use a 'wear leveling' technique. Wear leveling – i.e. shifting data around the physical blocks of the flash drive – prevents the same physical block being used over and over (in order to preserve the life of the USB drive).<br />
<br />
Consequently, any time updated or new data are written to the flash drive, such data will be written to a new physical block, regardless of the address of the old block, and any old/amended data is just deleted (not wiped).<br />
<br />
This raises a number of security issues, e.g:–<br />
<br />
#Securely wiping' (e.g. with Eraser) an individual file on a flash drive is potentially ineffective, since the random data that is used to overwrite could be written to a different physical block; the existing data will simply be deleted, rather than wiped.<br />
#Encrypting individual files could potentially suffer similar problems – e.g. when decrypting a file, amending it, then re-encrypting it.<br />
<br />
These issues can be resolved by either securely wiping the entire flash drive (not just wiping individual files) or by encrypting the entire flash drive (rather than encrypting individual files on it) – since then it makes no difference to which physical block the new data is being written.<br />
<br />
Ideally the latter approach should be used for all USB flash drives on which sensitive data is placed – encrypt or wipe the entire USB drive – as necessary. For any existing USB flash drives on which this approach has not been taken, it would be advisable to format and wipe the USB drive completely, then start using it afresh with this 'entire USB drive' approach.<br />
<br />
===Other Methods===<br />
There are of course many, many alternatives to the security suggestions outlined above, such as using any or all of the following:<br />
<br />
====Live CDs====<br />
Live CDs are an excellent alternative to encrypting the entire system drive. Essentially, an entire operating system (usually Linux-based) is on the CD, and whenever you want to boot to your OS, you simply boot the CD rather than booting to your hard disk. Should you not want to encrypt your hard drive, you could use the OS on there for all non-sensitive tasks, and use the Live CD for Internet access / other sensitive tasks.<br />
<br />
Running an operating system from a Live CD means that the PC's hard drive does not get used at all – and is therefore not subject to problems of leaving behind 'traces' to be recovered by forensics. There are some limitations with Live CDs e.g. a limited range of software can be run from them, and since the CD is read-only (as the point is not to save any data, which could be recovered!) any data you do want to save while working within the CD, or settings you want to keep, should be saved to an (encrypted) USB drive. Its simplicity ensures that this remains an attractive alternative, and it is worth keeping an eye on developments in this area. For some examples of Live CDs, see [http://susestudio.com/ Suse Studio] on how to create your own custom live bootable CD or see http://www.privacylover.com/anonymous-live-cd-list/ for a list of pre-built, mostly Linux-based alternatives.<br />
<br />
An excellent example of a pre-built option is the [https://tails.boum.org Tails Live CD] – this an operating system on a CD which is pre-configured to use the Tor network for all Internet access – including emails and web browsing.<br />
<br />
====Portable Applications====<br />
If installing an entire operating system to an external drive/USB stick, or using a Live CD, are not desired options, another alternative is to use 'portable applications' – standalone versions of existing software that can be run from a USB stick and do not save files or settings to your hard drive in the way that regular applications do. The idea is simply to prevent data being saved to your hard drive – the application files and data (including settings such as bookmarks, emails, etc), will be stored entirely on the USB device (which could be encrypted using a program such as TrueCrypt). See, for example, http://portableapps.com/ for an entire portable suite of software (including commonly-used programs such as Firefox, Thunderbird, Open Office, etc.).<br />
<br />
The use of portable applications may prove a practical and easy method of protecting your most sensitive data without going to the lengths of full disk encryption. One drawback is that there will still be traces of the USB drive having been used on that PC, and any monitoring software (firewalls, AV, etc.) is likely to have a record of an application on the USB drive (eg Firefox) having been run, which you might be called upon to explain. Nevertheless, this is an inconvenience more than anything, and so long as the USB stick itself is encrypted, the data will be safe. To increase the protection, this method could be combined with the following option.<br />
<br />
====System Drive Emulation software====<br />
Such software effectively prevents data being written to your hard drive by creating a clone of the system partition (typically drive C: in Windows – which includes system files, page file, registry files, application data and program files, etc.) as it looks when it is booted, in the computer's RAM. Once the system is shut down/restarted, this clone will be restored, thereby returning your system drive to the position it was before any data was written. An example of such software is the freeware program [http://www.toolwiz.com/products/toolwiz-time-freeze/ Toolwiz Time Freeze]. Simple to use, it is 'switched on' when necessary, and from that moment nothing that takes place (programs installed, software used, etc.) is permanently recorded; all normal computer operations appear to take place, but in fact these changes only take place for the duration of the session – upon restarting the PC there is no evidence that any such activity has occurred.<br />
<br />
With reference to the previous item – Portable Applications – an advantage of using combining drive emulation software with running portable apps from a USB drive would be that, once the PC was shut down/restarted, there would be no evidence of the applications on the USB stick (eg Firefox) ever having been run (and further, no evidence that the USB stick was ever plugged into that computer).<br />
<br />
====Virtual Machines====<br />
Another alternative to running a separate installation of Windows on an encrypted device is to employ a virtual machine. Such software (e.g. VirtualBox, at www.virtualbox.org) enables you to create a virtual operating system on your existing computer. In this way, you could run a dummy copy of Windows (or any other OS) on the main hard drive, then boot to a virtual copy of Windows which could reside in an encrypted file or partition on the hard drive. One drawback of this technique (other than the additional system resources / RAM consumption it requires) is that it is not guaranteed that traces of the virtual systems may not still appear in the 'real' system, since the two systems share some resources (and frequently, a network connection).<br />
<br />
==Protecting data while in transit over networks (Internet, Email, etc)==<br />
Whenever data is on the move – whether in the form of sending/receiving email, surfing the web, chat, downloading via P2P, viewing streaming media files, etc – it is at risk of interception. Data is transferred via different protocols (e.g. 'http' for web traffic, 'pop3' or 'smtp' for email, 'ftp' for some file uploads/downloads, etc). All the 'standard' forms of protocol (including those just mentioned) are sent over networks in plain text format – meaning that the data is visible to anyone who intercepts the traffic (your ISP, crackers, LEA, etc). The goal is therefore to utilize methods of secure communication so far as possible, irrespective of the data that is being transferred.<br />
<br />
===Email===<br />
Most commercial email addresses (including any email addresses supplied by your ISP) typically use insecure protocols. This will be apparent by checking the ports they use to communicate. If you use a desktop email client (eg. Outlook, Outlook Express, Eudora, Thunderbird) you will find this information under the 'Settings' option. If your email communicates via standard ports (usually port 110 for POP3 (i.e. incoming email) and port 25 for SMTP (i.e. outgoing email), it is being transmitted unencrypted – and therefore potentially visible to everyone.<br />
<br />
There are various techniques that can be employed to enhance the security of your emails:<br />
<br />
*Check your email provider's website to see if they offer an encrypted option (i.e. sending and receiving email via SSL (secure socket layer)). Usually this will simply be a matter of changing the port used in your email client's account settings – e.g. changing the ports to ports 995 (SSL POP) and 465 (SSL SMTP).<br />
*Avoid using email addresses provided by an ISP, and instead use dedicated email providers, such as Fastmail,Hushmail, SafeMail, and so on. Examples of such providers can be found in Section 3 below, or at [http://epic.org/privacy/tools.html EPIC's website]. Specialized email providers enhance your security by limiting the amount of information transferred to the recipient in the hidden email 'header' – which in the case of standard email providers (ISPs, Hotmail, etc) provide the recipient with far too much information, such as the IP address of your computer, the operating system that you use, and even which email client you used to send the email).<br />
*Use a dedicated form of email encryption, such as PGP. This utilizes public key encryption – the drawback being that the people with whom you communicate must also use public key encryption. Encourage others that you correspond with to do this. See 2.1.1. for more information.<br />
*Anonymous Remailers can be used to conceal from the recipient the origin of the email (see Section 2.3 for further details).<br />
<br />
====PGP====<br />
In 'public key' cryptography, two different keys are used: one key is secret and the other is made public. Anybody sending you an email simply encrypts their message to you using your public key. The public key is obviously not secret – in fact it may be spread widely so that anybody can find it if they wish to send you encrypted email (you can upload the key to a public key server to do this; though you may prefer just to give your public key to specific correspondents). The only way to decrypt an incoming message is with your secret key. The process works in reverse when sending email: you encrypt an email using the recipient's public key, which only they can decrypt using their<br />
private key.<br />
<br />
The original, and most well-known, program of this type is PGP, invented by Phil Zimmerman. There is now an OpenPGP standard, with which all software using public key cryptography should comply. Consequently, other programs are becoming popular, such as the open-source [http://gnupg.org/ GNU Privacy Guard (GnuPG)], which is OpenPGP compliant and compatible with other Open PGP tools (including PGP itself).<br />
<br />
After downloading the software, you simply use it to create a pair of keys – one public and one secret key. The public key can then be given to your correspondents which they will use to encrypt messages to you, which you can then decrypt using your private key. There are some programs which make the process of encrypting/decrypting easier via the use of 'add-ons'. Some email clients (e.g. Thunderbird) have add-ons (e.g. [http://www.enigmail.net/ Enigmail], which takes care of the encryption/decryption process on your behalf; the Firefox browser also has an add-on (see [http://www.mailvelope.com/ MailVelope) which enables you to easily encrypt text for pasting into a website, for example.<br />
<br />
===Web-Surfing===<br />
Whenever you request a web page via your Internet browser, in very basic terms what is happening is this: your browser sends the request for data to the server hosting that website, which then replies, and transfers the data to your computer, which is then recreated in your browser. Consequently, any request you make (whether by clicking on a link, or manually entering the site address) is transferred over the Internet via standard protocols (see introduction to this section, above) – typically for the Internet this will be http.<br />
<br />
Accordingly, this request for a particular web page is sent over the networks in plain text and so will be visible to anyone who is monitoring your activity (e.g. your ISP or other adversaries), and also reveals to the site you are visiting information about who you are (your computer's unique IP address) and information about your computer (which browser you use, what language/location settings you use, what the current time is on your PC, etc). In addition, in order to find that site, your browser needs to translate the address of the web page (e.g. (“amazon.com”) into its numeric equivalent – which it does by consulting a domain name (DNS) server. In a standard home Internet connection, the DNS server will be owned by your ISP – so the ISP has a second method of recording which sites you visit. Note that you can change your DNS server to one not owned by your ISP: see [http://www.opendns.com/ OpenDNS] for the relevant address to use.<br />
<br />
The upshot of the above is clear: both the site you visit, and your ISP (and anyone intercepting), knows the unique IP address assigned to your computer, and what data you are viewing. To avoid this, various options are available to 'anonymize' and/or encrypt your web surfing:<br />
<br />
====Free proxies====<br />
<br />
This is the weakest level of 'anonymity' – these are sites (e.g. http://www.kproxy.com/) which enable you to access another site, hiding your computer IP address, e.g. your request is sent to the 'end' site using the proxy IP as an intermediary. In that a case, the site you ultimately visit believes the request for data emanated from the proxy site and not from your computer. This does not protect you against surveillance by your ISP, and the data transferred is typically unencrypted and therefore visible to anyone else monitoring your connections, the proxy administrator can also log everything you do and turn over those logs if pressured to do so.<br />
<br />
====Commercial software====<br />
These are companies (e.g. Anonymizer, see Section 3 for an extensive list) which provide software which effectively bypasses surveillance from your ISP by creating an encrypted 'tunnel' between your computer and that company's server. In practice, this means that before making the data transfer from your PC (in the form of, say, a request for a web page), the software will encrypt this request, and then direct it to be forwarded from your ISP's servers to the proxy company's server. When it reaches the latter, the request will be decrypted and forwarded on to the relevant website. When that website returns the data, the reverse will take place. The effect of this is that:<br />
<br />
#your ISP cannot see which websites you are accessing – all it can see is that you are communicating with the company's server, not which websites you visit thereafter. (So if you were surfing the web for (say) 3 hours, from your ISP's point of view, they could see that traffic was passing back and forwards to your PC, but you would only appear to be receiving traffic from one address (the proxy company's server), and the contents of that traffic would be encrypted)<br />
#the website you are visiting cannot see who you are – since as far as they know, they are receiving the request for data from the proxy company's server, and simply return it to that server.<br />
<br />
The weak link in this chain will be apparent. While you are protected from your ISP, and from the websites you visit, the commercial proxy company knows who you are and (potentially, if they keep logs, what you are doing). The significance of this will vary according to the circumstance. If the sites you are visiting are merely sensitive (rather than illegal in your jurisdiction), the fact that the commercial proxy knows what you are doing is of little importance (particularly if – as recommended – you chose one in a different jurisdiction to your home country). You may, for example, simply not want your ISP to know that you visit boychat.org. The commercial proxy would be adequate for such uses.<br />
<br />
Check the terms and conditions of the commercial proxy company – in particular, whether they keep logs of your activity (for example, some log everything; some do not log origin and destination, but only record the quantity of data passing through, etc). Also, check which forms of data they will support – some commercial proxies will only encrypt Internet traffic (the http protocol), others (genuine 'VPNs') will encrypt all forms of protocol (whether it is Internet, email, file-sharing, etc). For additional security, look for a commercial proxy that offers anonymous payment methods and, ideally, is outside the US/EU.<br />
<br />
In summary: the advantage of using a commercial proxy is that it gives you a level of protection from monitoring by your ISP, and from the sites you visit, and generally you suffer little or no loss of speed in browsing. A potential disadvantage is that the commercial proxy knows who you are. For this reason, when accessing more sensitive sites, you may wish to employ other methods, such as Tor.<br />
<br />
====Tor====<br />
The basic idea of [http://www.torproject.org/ Tor] is to protect your privacy by disguising the route of data to and from your PC, as well as encrypting the traffic.<br />
<br />
Broadly-speaking, the Tor software will create a chain of at least 3 proxies, through which your data will pass – each interim stage in this chain only knows who sent the data to it (the previous proxy) and who it should forward data to (the next proxy in the chain).<br />
<br />
Effectively, this means that if you want to visit, say, Site A, Tor will encrypt this request, and pass it to the first link in the chain (Proxy 1), with encrypted instructions on where to send it thereafter. Proxy 1 will forward the encrypted request to Proxy 2, Proxy 2 will forward it to Proxy 3, etc. Thus, Proxy 1 only knows Proxy 2, Proxy 2 only knows Proxy 1 and Proxy 3, Proxy 3 only knows Proxy 2. The final link in this chain (known as the 'exit node') transfers the request to your ultimate destination (Site A). The process is then repeated in reverse. From the point of view of the user, this process happens invisibly – once the software is up and running, you merely use your browser as normal.<br />
<br />
(It should be noted at this point that once the data leaves the final link in the chain, it is no longer encrypted by Tor – at least until data is returned from your final destination to the first link in the return journey. This is only really significant if you are providing identifying information, e.g. entering a password into a webmail server via an unencrypted form – since then it is apparent that the request has come from you).<br />
<br />
The obvious advantage of this procedure is that there is no commercial proxy in the middle. No single point in the chain knows both you and your ultimate destination. This is arguably the most secure form of anonymizing web traffic. <br />
<br />
Some disadvantages are:<br />
<br />
#There is an initial learning curve with Tor – nevertheless, there is extensive documentation on the Tor website to assist with this, and once you have set it up and used it a few times, it becomes second nature.<br />
#As part of this learning curve, it is crucial that you configure your browser correctly. Enabling 'Security Level: Safest' in the browser is recommended.<br />
#It should also be pointed out that when using Tor, your browsing will be notably slower – which is to an extent inevitable given the number of different servers the traffic passes through, each of which may have different bandwidth allotments and be based in different countries. Tor will therefore be unsuitable for downloading large files (and possibly streaming data, such as Youtube or other streaming media). Its primary use will be for visiting particularly sensitive websites.<br />
#Related to the previous point, at the present time Tor only encrypts limited forms of protocol – primarily http traffic – which effectively limits its use to visiting web sites.<br />
#There have been a number of stories about breaching Tor's anonymity. Such instances tend to be a consequence of user implementation, rather than any flaw in Tor itself. More specifically, when using Tor, ensure that Javascript is disabled in your browser (since it is due to malicious scripts that Tor can be compromised. This can be done manually (in Firefox, go to Tools / Options / Content / uncheck 'enable Javascript'), or through the use of an Add-on such as [https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript], which automatically blocks scripts unless you permit them on a sire-by-site basis.<br />
<br />
It will be clear from the above consideration of Email and Web Surfing that there is no 'perfect' solution to online anonymity. Experts would say that 'true' anonymity is impossible. As long as you are transferring data from one computer to another over a network, there will be attempts made to intercept or track that data content and movement. Nonetheless, utilizing a combination of the above methods, depending on the circumstances and the sensitivity of your activities, offers significant protection against surveillance.<br />
<br />
'''NOTE''': Regardless of whether an anonymous connection is used, your browser should be as secure as possible, since there are numerous browser vulnerabilities that can expose your PC to malware. Javascript, Flash, Shockwave objects – all of these can compromise your anonymity. Firefox is highly recommended as a more secure browser than Internet Explorer, and can be further customized with Add-ons to increase security. NoScript, referred to above, is particularly desirable. Other security-related Add-ons are referred to in the Links section, below.<br />
<br />
===Other Network Usage (Chat, Anonymous Remailers, File-Sharing)===<br />
Similar anonymity considerations apply to any form of network activity, including Chat, P2P/File-Sharing, Usenet, etc. Typically, all such traffic is carried unencrypted over public networks, and is therefore capable of surveillance by the ISP and interception from other adversaries. Wherever possible, utilize security and anonymity tools to protect the privacy of such data.<br />
<br />
*For chat/IM, [https://otr.cypherpunks.ca OTR (Off The Record)] is an excellent plugin. Even if your contacts' private keys are determined, your private conversations are not compromised.<br />
*For posting messages on Usenet, consider using an anonymous remailer, which forwards messages without revealing where they originally came from. Anonymous remailers utilize the same 'onion router' principle behind Tor: they remove personal data from the message, encrypt it, and pass it through a chain of 'post offices' until the last remailer in the chain forwards the message to the recipient. As with Tor, the idea is to make the message untraceable to the sender.<br />
:The main issue with remailers is whether/how a recipient can reply to the message, given that its source is untraceable. Different types of remailers handle this differently. 'Pseudonymous remailers' are the most basic: they are typically unencrypted, and merely apply a pseudonym to the sender and forward the message to the recipient, who can then reply via the remailer. 'Cypherpunk remailers' typically encrypt the message and pass it through numerous hops on the chain to the recipient; generally the recipient cannot reply to such messages. 'Mixmaster' and 'Mixminion' remailers offer more advanced features, and seek to address issues such as the capacity for the recipient to reply to a message that has come from an 'untraceable' source. These generally require dedicated software.<br />
:One example of such software is OmniMix: http://www.danner-net.de/om.htm, which is designed for Windows, and can be used to send email and Usenet postings through the Mixmaster anonymous remailer network. OmniMix is straightforward to install, and can also be run from a removable device such as a USB stick.<br />
*When downloading from file-sharing networks (e.g. Limewire, Shareaza, etc.), it is important to know that not only is the traffic unencrypted (and therefore visible to, e.g. your ISP), your IP address is made available to anyone you are sharing with – and there is every possibility that the latter could be LEA or other adversary. A new breed of 'anonymous' networks are continually being developed, which generally seek to utilize the onion routing principle – traffic is encrypted and the origin/destination of the requested file are proxied. For examples of these, see:<br />
**[http://freenetproject.org/ Freenet]<br />
**[http://www.gnunet.org/ GNU Net]<br />
<br />
For a more detailed comparison of the different programs available, see http://www.zeropaid.com/software/file-sharing/ and http://www.anonymous-p2p.org/programs.html<br />
<br />
==Useful Links==<br />
'''NOTE''':Inclusion of links should not be taken to imply endorsement of particular software<br />
<br />
===Cleaning traces, erasing and general encryption software===<br />
<br />
*[http://www.piriform.com/ccleaner CCleaner] - Shreds/wipes sensitive traces of Internet activity<br />
*[http://sourceforge.net/projects/eraser/ Heidi Eraser] - Secure erasing software for individual files and free disk space<br />
*[http://www.dban.org/ Darik's Boot and Nuke (DBAN)] - Boot disk that does a government-standard wipe of hard drives<br />
*[http://www.truecrypt.ch TrueCrypt] - Open source encryption software<br />
*[http://diskcryptor.net/] - Full disk encryption software<br />
*[http://www.jetico.com BestCrypt] - Commercial encryption software<br />
<br />
===Email providers, remailers, and email encryption===<br />
<br />
*[https://protonmail.ch ProtonMail] - Free email provider in Switzerland<br />
*[http://www.unseen.is Unseen.is]- Email provider with encryption in Iceland<br />
*[https://addons.mozilla.org/en-US/thunderbird/addon/torbirdy/ TorBirdy] - Thunderbird addon to send email using tor<br />
*[http://www.anonymousspeech.com Anonymous Speech] - Email provider with PGP encryption<br />
*[http://www.cotse.net Cotse] - Email, SSH tunnel and VPN provider<br />
*[https://emailselfdefense.fsf.org The PGP Faq] - email self-defence guide<br />
*[http://www.gnupg.org GnuPG] - Linux/Windows email encryption<br />
*[http://www.goanywheremft.com/products/openpgp OpenPGP Desktop] - OpenPGP Go Anywhere<br />
*[http://www.enigmail.net/ Enigmail]- Plugin for Thunderbird Email client to manage encryption<br />
*[http://quicksilvermail.net QuickSilver] - email remailer client<br />
*[http://www.danner-net.de/om.htm OmniMix] - anonymous remailer<br />
*[https://otr.cypherpunks.ca OTR (Off The Record)]- a plugin for encyrypting chat/IM<br />
<br />
===Anonymity online===<br />
<br />
*[http://www.torproject.org/ Tor proxy] - Anonymous Internet browsing with hidden sites<br />
*[https://geti2p.net/ I2P Network] – Anonymity, similar to Tor<br />
*[http://cyberghostvpn.com/ CyberGhost VPN] - Commercial VPN with free option<br />
*[http://www.securitykiss.com/ Security Kiss] – Commercial VPN with free option<br />
*[http://anonymous-proxy-servers.net/ JonDoNym] - Commercial VPN<br />
*[https://www.perfect-privacy.com/ Perfect Privacy] – Commercial VPN<br />
*[http://www.opendns.com/ OpenDNS] - set your DNS addresses using OpenDNS, instead of using your ISP's DNSs.<br />
*[http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/ TorrentFreak] - List of VPN services with strong privacy<br />
<br />
<br />
'''NOTE''': When purchasing commercial products, ensure you check the providers' terms & conditions, particularly regarding their jurisdiction, privacy, reporting and logging policies. Do some research on the different companies' products, e.g. by searching their name at Wilders Security Forums. Use alternative methods of payment wherever possible, such as using prepaid web money/debit cards that you don't need ID to buy.<br />
<br />
===Firefox add-ons===<br />
<br />
*[https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript]- Many browser security holes are related to Javascript. Block scripts entirely, until permitted on a site-by-site basis.<br />
*[https://addons.mozilla.org/en-US/firefox/addon/flashblock/ FlashBlock] - Blocks flash content until you permit it<br />
*[https://addons.mozilla.org/en-US/firefox/addon/refcontrol/ Refcontrol] - Blocks or fakes your referrer ID<br />
*[https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy] - Easy proxy management<br />
*[https://addons.mozilla.org/en-US/firefox/addon/anonymox/ AnonymoX] - Change computer IP proxy addon<br />
*[https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ BetterPrivacy] - It removes hard to erase Flash cookies<br />
<br />
===Miscellaneous privacy/security software===<br />
<br />
*[http://keepass.info/ KeePass] - Open-source password manager<br />
*[http://www.nirsoft.net/utils/cports.html CurrPorts] - See your open ports<br />
*[http://www.nirsoft.net/utils/cprocess.html CurrProcess] - See info about processes running in your computer<br />
*[http://windirstat.info/ WinDirStat] - disk usage statistics viewer and cleanup tool<br />
*[http://www.7-zip.org/ 7-zip] - compression & encryption tool<br />
*[http://www.sandboxie.com Sandboxie] – run your browser inside a 'sandbox' to prevent malware from gaining access to your system<br />
<br />
*Pre-paid web money: see http://www.bitcoin.org and [http://www.paysafecard.com PaySafeCard](EU)<br />
<br />
===Sources for technical advice/support===<br />
<br />
*[http://www.wilderssecurity.com Wilders Security Forums]- Information related to security, privacy and anonymity<br />
*[https://en.boywiki.org/wiki/Category:Technology BoyWiki Technology] - Boylover Wiki Technology section<br />
*An old BoyChat post with useful advice on how not to accidentally out yourself: https://www.boychat.org/messages/1107524.htm<br />
<br />
<u>'''FINAL NOTE'''</u>: If you follow the procdures outlined in this guide, you will be a long way to protecting yourself -- but please remember that there is no such thing as 100% computer security. Stay safe.<br />
<br />
'''<u>Disclaimer</u>: All material provided in this guide is intended as introductory guidance only, and should not be used as an alternative to undertaking your own research. No representation is made as to the current accuracy of the information and links provided.'''<br />
<br />
[[Category:Advice]]<br />
[[Category:Archival]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Guide_to_Computer_Security_(Archive)&diff=9766Guide to Computer Security (Archive)2021-12-05T02:43:15Z<p>Time Has Passed: /* Tor */ Mostly removed outdated information</p>
<hr />
<div><div style="margin-left: 25px; float: right;">__TOC__</div>'''Guide to Computer Security''' was produced by the [[Newgon.com Support Team]] after a consultation with the [[Newgon.com]] forum community. It explains how you can protect data stored on your hard drive and stay anonymous on the internet. The guide should be read by anyone who has a special interest in avoiding the scrutiny of [[Vigilantism|cyber-vigilantes]] and corrupt law enforcement officers. It should ''not'', however be seen as a vital first step to participation in [[Newgon.com]] or any similar websites.<br />
<br />
The 2008 guide (currently identical to the wiki version) can be downloaded as a PDF here: [[Media:Guide_to_Computer_Security.pdf|Guide to Computer Security]]<br />
<br />
==Protecting data stored on your hard drive==<br />
<br />
===Locking down Windows===<br />
Windows at its default settings is an insecure operating system. Having been designed for mass<br />
consumer/commercial usage, it tries to be all things to all people. Consequently, it has a tendency to run unnecessary services, store/hide private information in numerous, often hidden, locations, and exposes your PC to unnecessary security risks.<br />
<br />
====Disable unneeded services====<br />
Many of the services in Windows are unnecessary, and some are security risks (e.g. the 'Remote Registry' service, which permits third party network access to the computer's system settings). There are numerous online guides giving advice as to which services you can safely disable. [http://www.prestwood.com/aspsuite/kb/document_view.asp?qid=100274]<br />
<br />
====System Restore points==== <br />
By default, Windows saves a backup of your system settings at regular intervals (and therefore may store information that is ideally kept sensitive) in case you need to roll-back the system to an earlier point in time. Most computer problems can be fixed via other methods however, and if you don't use/need System Restore you can disable it (via Control Panel / System / System Properties / System Restore tab).<br />
<br />
====Hibernation====<br />
If you don't use hibernation, ensure that this is disabled, since otherwise it will intermittently save anything that you are currently working on to your hard drive in plain text form – even encrypted documents – which could later be retrieved. (Control Panel / Power Options / Hibernate tab / uncheck 'Enable Hibernation').<br />
<br />
====Pagefile/Swapfile====<br />
By default, Windows creates a file on your hard drive (pagefile.sys) which it uses as additional computer memory, and it shifts running processes to this file on the hard drive when necessary. Many modern PCs have sufficient RAM (e.g. over 1 GB) not to need this file. You can disable it via Control Panel / System / Advanced tab / select 'Settings' button under the 'Performance' heading / Advanced tab / Virtual Memory / Change / select 'No Paging File' / click 'Set' / click 'Ok'.<br />
<br />
'''NOTE''': Disabling the pagefile is contentious, and the debate around this is unresolved [http://www.codinghorror.com/blog/archives/000422.html] Provided you have a reasonably fast CPU and a decent amount of RAM, you should not encounter any problems. If you do need the paging file for some reason, or your RAM capacity is not sufficient to do without it, you should at least ensure that it is securely wiped when the computer powers off (see Section 1.3.1., below). In addition, the pagefile can be encrypted using a dedicated encryption product, such [http://www.jetico.com BestCrypt].<br />
<br />
====Windows Security Center====<br />
The built-in Security Center and Windows Firewall are highly ineffective. Disable them via the Control Panel, and use a third party Firewall instead (see Section 1.2, below).<br />
<br />
====Windows Privacy Tools====<br />
<br />
In addition to the above steps, you can utilize easy-to-use, one-off, privacy tools to tighten up Windows settings. e.g. [http://privazer.com/ Privazer]<br />
<br />
====Alternative Software====<br />
<br />
Avoid using Microsoft software (e.g. Office, Outlook Express, Internet Explorer, Windows Media Player) so far as possible. Since they are designed to collaborate with one another, most of them leak personal information all over the place. Use open-source alternatives so far as possible (which typically also have the added benefit of being much less resource-hungry). For example, consider using:<br />
*[http://www.openoffice.org Open Office suite] instead of MS Office (Word, Excel, etc). Particularly important for office software is to remember to disable 'auto-save' in the program options – since if you are working on an encrypted file the document may be saved to your drive as plain text during an auto-save.<br />
*[https://www.mozilla.org/thunderbird Thunderbird] or [http://sylpheed.sraoss.jp/en/ Sylpheed] instead of Windows Live Mail<br />
*[https://mozilla.org/firefox Firefox] or [http://www.opera.com Opera] instead of Internet Explorer<br />
*[http://www.videolan.org VLC Media Player] or [http://sourceforge.net/projects/guliverkli/ Media Player Classic] instead of Windows Media Player<br />
*[http://www.foxitsoftware.com/Secure_PDF_Reader/ Foxit PDF Reader] instead of Adobe Acrobat Reader.<br />
<br />
===Avoiding Malware===<br />
<br />
The commonly talked about threats to computer data surround the execution of malevolent code on your PC, in the form of viruses, trojans, spyware, etc. Discussion of this topic usually revolves around damage to your data or identity theft by cyber-criminals for financial gain; but it is also crucial to ensure that you are protected from malware that could benefit other adversaries. One obvious aspect is keylogging software: you can come up with the most complex passwords to protect your data, but if there is a keylogger on your PC capturing each keystroke you enter, the password might become worthless. Equally insidious is the use of 'copware' – malware planted on your PC via LEA pecifically<br />
targeting you [http://www.infiltrated.net/cipav.pimp]. Such software frequently arrives on the target's PC via email attachments. Standard email advice applies, e.g:<br />
<br />
*Disable HTML in your emails – in most webmail and desktop email clients there is an option to do this in the settings (eg. in Thunderbird: 'View' menu / uncheck 'Display attachments inline' and check 'View message body as...plain text')<br />
*Use Anti-Virus software that scans emails as well as files<br />
*Don't open attachments from unknown sources<br />
<br />
In addition, further advice includes:<br />
<br />
*Check regularly for the presence of hardware keyloggers (a small device fitted to your PC designed to record keystrokes as an alternative to software keyloggers). The device will appear inconspicuous, and could, for example, resemble a traditional USB-type plug. Also consider applying a drop of paint (or, e.g. correction fluid) to the screws in the back of keyboards, making it easier to see if the hardware has been tampered with.<br />
*When encrypting data, and where given the option to do so, use 'keyfiles' in addition to passwords. This is an available option with some encryption programs, which enables you to specify a file(s) on your hard-drive (perhaps a photo, for example) that must be entered in addition to a password. This will help protect against keyloggers (though not against malware that also captures mouse-movements).<br />
*If practicable, you could also use an on screen keyboard (OSK) to enter passwords (thereby using the mouse rather than the keyboard).<br />
*Zero-emission pads: Surveillance teams can remotely scan the electromagnetic emissions from your computer monitor, e.g. as you type a passphrase (google TEMPEST for technical details). You can use a replacement text editor that enables you to view and/or edit text in a special font and screen that allegedly 'diffuses the emissions from your computer monitor efficiently enough to defeat TEMPEST surveillance equipment', such as this one [http://geocities.com/phosphor2013/zep.zip]<br />
*So far as security software is concerned, you should have one Firewall, one Anti-Virus (AV) program, and one Anti-Spyware (AS) program, all providing 'real-time' protection. For completeness, you could also install a second AV and/or AS program and/or dedicated anti-trojan software (such as [http://www.misec.net/ TrojanHunter]) – not to operate in 'real-time' (since a software conflict is possible) but just to perform regular scanning of your PC.<br />
:Firewalls, AV and AS vary considerably in effectiveness (as well as in the amount of your PC's resources that they use). Check PC magazines for test results, or check online sources for the most effective protection. Good sources of information are sites such as [http://www.wilderssecurity.com Wilders Security Forums].<br />
<br />
:It is sometimes rumored – though to what extent this is likely is debatable – that major AV/AS companies may turn a 'blind-eye' to copware. Here is one advantage of using standalone products, e.g. separate AV, AS and Firewall software each from a different company, rather than the easier option of relying on a single security suite such as Norton or McAfee. In addition, some software is notorious for 'phoning home' regularly – Zone Alarm, for instance, frequently (more so than necessary) contacts its company's servers without notifying the user. It may therefore be desirable to turn off 'automatic updating', and manually update software at (say) daily intervals; and for persistent software (e.g. Zone Alarm) you can prevent it from contacting its servers by making simple changes to the Windows 'hosts' file [http://labnol.blogspot.com/2006/02/prevent-zonealarm-from-phoning-home.html].<br />
*In counteracting malware, you should also keep an eye on which programs are running on your PC, and whether any software has set itself to startup when you boot Windows. Both can be checked via Windows' built-in tools:<br />
**to view running processes, open Task Manager by right-clicking on the taskbar and selecting the 'processes' tab. You can identify any processes you do not recognize online, by looking them up at sites such as [http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx].<br />
**to check which programs are set to start when you boot Windows, go to Start / Run... then enter “msconfig” in the box (without the quote marks). In the window that appears, the last tab marked 'Startup' lists these items. Many of these are inserted by software, and are unnecessary. To check whether it needs to run at startup, identify the program at the following site: [http://www.sysinfo.org/startuplist.php] and uncheck any that are not needed. (Note, this has the added advantage of substantially reducing the PC's boot time).<br />
:As an alternative to these built-in Windows tools, you could use a freeware program to keep a closer eye on running processes and startup items, such as [http://processhacker.sourceforge.net/ Process Hacker] or [http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Process Explorer]<br />
*Keep up-to-date all your software that uses network connections, such as your browser, anti-virus software, and all security products.<br />
<br />
===Cleaning / Erasing===<br />
Windows stores a vast amount of information about your activities, which should be cleaned up on a regular basis.Note that such traces, along with any files that you chose to get rid of, should be securely erased rather than just deleted. This distinction between 'deleting' and 'erasing/wiping' is a crucial one. Deleting data in the standard way merely makes the data invisible to Windows – it remains on the hard disk until it is overwritten by other data. Instead of deleting, data should be securely 'erased' or 'wiped' (i.e. it is overwritten a number of times with random data so that it becomes unrecoverable).<br />
<br />
====Erasing files====<br />
There are numerous tools available for securely erasing files. One simple, freeware, tool is [https://sourceforge.net/projects/eraser/ (Heidi) Eraser]. This has various features, one of which is to insert itself into your context menu, such that when you right-click a file, you just select 'Erase', and it will wipe the file according to the number of 'passes' that you specify. Another useful feature is 'Erase Secure Move': usually when you move files from one place to another, behind-the-scenes Windows actually copies the file to the new location, then deletes the existing file – which suffers from the above-mentioned issue of the deleted file being recoverable. With the Erase Secure Move option, after the file is copied to the new location, the existing file will be wiped, rather than just deleted.<br />
<br />
'''NOTE''': Eraser can also be set to erase the Windows 'pagefile' on shutdown/restart (see 'Locking down Windows', Section 1.1, above).<br />
<br />
====Erasing disk space====<br />
Files that are deleted automatically by Windows (e.g. temporary files which it has created), or files that have been deleted by the standard method without having been wiped as above, will be simply be hidden in 'free disk space' until overwritten. To ensure that these have been removed, regularly wipe the 'free disk space' on your hard drive – again, Eraser (above) is good for this purpose.<br />
<br />
====Cleaning traces====<br />
Most software stores information about your usage – e.g. Internet browsers keep a record of details such as your browsing history, downloads, and cookies; PDF readers store a history of the last few files you've read; Office products keep a record of recently opened documents and perhaps unusual words used therein; media players store details of recently played files; Windows itself stores temporary files, prefetch data, memory dumps, and so on. A simple way to erase all such tracks in one go is to use dedicated 'cleaning' software. For example, [http://www.piriform.com/ccleaner] is a decent freeware program which will erase these tracks for you. In the settings options, you can select the number of times such traces should be 'wiped', rather than simply deleted.<br />
<br />
'''NOTE (1'''): All decent erasing/wiping/shredding software will allow you to specify the number of times that the data will be overwritten – typically, you can choose to overwrite data once, three times, seven times or thirty-five times, depending on the sensitivity of the data. There is some debate as to whether modern hard drives require as many passes to irrevocably destroy data – Googling this issue will produce much discussion. To be on the safe side, a minimum of three 'passes' is suggested. Naturally, the more 'passes' over the data you select, the longer it will take. Be aware that, say, shredding the entire free disk space on a hard drive (which may be hundreds of gigabytes) will take a significant amount of time.<br />
<br />
'''NOTE (2)''': If wiping data on flash memory (e.g. USB sticks), wiping individual files is insufficient to make them irrecoverable, due to the way such memory writes data. See the special section on USB drives (Section 1.5, below).<br />
<br />
===Encryption===<br />
Broadly-speaking, “computer forensics” involves inspection of the computer hard drive for evidence as part of a legal investigation. In the event that your PC is seized, investigators or other adversaries will search it for the 'activity traces' referred to in the previous section, as well as stored files and documents, and other evidence of how the PC has been used (e.g. checking the Windows Registry for evidence of which USB drives have been used – since details of such devices, including their serial numbers, are stored there). The goal of encryption is to make data unintelligible, so that, even if your data is seized, it cannot be read.<br />
<br />
A brief note on the medium which you may be using: first, there is the hard drive. Typically, Windows will be installed onto partition C of the hard drive (and unless you have created other partitions, this may make up the entire physical drive). Data may also be stored on external, USB hard drives; on flash memory drives (USB sticks / pen drives); on floppy disks, CDs and DVDs. It is important that, on whichever medium you store sensitive data, that data are encrypted.<br />
<br />
====Individual files====<br />
There are numerous tools available to encrypt data, offering various different options. Some software will simply encrypt individual files – they will still be visible on the hard disk, but a password will be required to open them. Other software offers a greater range of options, such as creating a 'vault' on your hard drive of a specific size, into which you can place sensitive files without having to encrypt each file individually.<br />
<br />
[http://truecrypt.ch TrueCrypt] is highly recommended for your encryption needs. It enables both the creation of encrypted files, as well as the ability to encrypt an entire hard drive partition, or an entire device (e.g. a USB stick). It also allows for the creation of 'hidden volumes' – a partition/device can be encrypted, then within this encrypted container a second, encrypted contained is created. This is primarily so that if you are forced to decrypt the 'outer'<br />
volume, on which you might store a few sensitive-looking, but unimportant files, it will not be evident (and cannot be proved) that there is a second, hidden volume. (NB. For various security reasons, encrypting partitions or devices is preferable to encrypting individual files – the<br />
TrueCrypt manual explains these in detail.)<br />
<br />
The advantage of the open-source TrueCrypt over most other encryption software is the 'plausible deniability' aspect. It is impossible to prove that a partition or device encrypted with TrueCrypt is in fact encrypted. Upon forensic analysis, the partition or device appears to simply be filled with random data – as though there is nothing on the partition or device. This is crucial in authoritarian regimes, e.g. the United Kingdom, which has enacted a criminal offense (punishable by up to 2 years, or 10 years in terrorism cases) of 'failing to decrypt' (or provide the password to<br />
enable decryption) when demanded by the authorities. Obviously for such a law to be used against you, it would have to be established that you had some encrypted material in the first place. With a TrueCrypt-encrypted device or partition, this should be impossible to prove.<br />
<br />
'''NOTE''': If you are working with individual encrypted files (rather than storing files in a container or partition) and are using USB flash drives, see Section 1.5 on USB drives below.<br />
<br />
====System Drive / Full Disk / Whole Disk Encryption====<br />
The disadvantage of only encrypting individual files or external devices is that computer forensics can still reveal much about your computer usage from the system partition (the drive on which Windows is installed) and – importantly – sensitive details such as your browsing history, bookmarks, emails, and email contacts addresses, may be accessible. Details of your contacts is one of the first things an adversary will check for, which they will use to 'broaden' their investigation, perhaps by targeting those contacts. There is therefore an obligation to protect not only yourself, but also those with whom you correspond.<br />
<br />
Computer forensics is essentially rendered ineffective by encrypting your entire system drive (typically the C: drive in Windows). This is the ideal position: if the adversary cannot access your hard drive to begin with, you have gone along way to defending your data. The latest versions of TrueCrypt (versions 5.0 and upwards) have an option for encryption of the system drive (or the entire hard drive, if it has more than one partition). It is very simple to use, and will ensure that no one can access your hard drive without first entering the correct password prior to the computer booting (and also makes it more difficult for adversaries to plant data on your hard drive). A detailed reading of the TrueCrypt manual is essential in order to encrypt the system drive effectively.<br />
<br />
One consideration for those in countries in which failure to disclose a password is a criminal offense (just the UK at present, though this will undoubtedly be extended to other countries), is that where your entire hard drive (or just the system drive) is completely encrypted, you lose an element of plausible deniability. TrueCrypt system encryption, for example, stores its 'boot loader' (the information necessary for the computer to boot) on the first cylinder of the hard disk – which will obviously be visible to a forensics team. It is possible to remove the boot loader and instead boot from a CD which has the TC boot loader installed, though obviously this is more inconvenient.<br />
<br />
In any event, whether or not the boot loader is present, it remains the case that it cannot be proved that the hard drive itself is encrypted – the remainder of the drive will still appear as random data. So from this point of view, you are still protected from 'failure to disclose password' laws. Nonetheless, having to explain away an internal hard drive with a TC boot loader, and “nothing else” on it, will be tedious (depending on how convincing you can be that you had “coincidentally, just recently wiped the hard drive”). Therefore it may be felt preferable to use other tactics to increase plausibility.<br />
<br />
One such tactic is to install Windows to an external hard drive, or to a USB stick, and encrypt it with TrueCrypt. You can then keep your 'dummy' Windows installation with no compromising data on the PC's internal hard drive, and boot to the external hard drive or USB stick to use your 'real' Windows. Technically, Windows does not want to be installed to external devices – but it can be achieved. There are numerous guides available on the web; and the project also has a useful forum for resolving issues. For installing Windows to an external device to work, it is necessary that your PC's BIOS is capable of booting to external devices – most recent computers (built in the last few years) can do this, but if you have an older PC, check its ability to do so by doing a web search on its model.<br />
<br />
If utilizing this method, your 'computer' effectively lives on your external device, while you maintain a dummy system on the internal drive. This has the added advantage of portability – your Windows installation can be kept in a secure place when not in use, etc. Again, the TrueCrypt boot loader will reside on the first cylinder of the external device – but it is certainly more plausible to have an external device with “nothing on it” than an internal drive (particularly if you take the extra step of removing the TrueCrypt boot loader and booting the device from a CD).<br />
<br />
'''NOTE''': While the latest version of TrueCrypt (6.0 and upwards) now enables the creation of a hidden, encrypted system drive – by utilizing a 'dummy' system partition, with the real system partition hidden – at the time of writing it is not ideal: to ensure complete plausible deniability it has very stringent requirements, e.g. the real system partition should not be used to access the Internet (which partly defeats the object), files cannot be copied from the real partition to other<br />
media, the dummy partition must be accessed regularly to make it appear plausible, etc. It may be felt that until a more substantive hidden operating system is available, this latest feature should be used circumspectly.<br />
<br />
===Security Note on USB Drives and Wear-Leveling===<br />
When writing data to a USB flash drive, a PC uses a 'logical address' on the drive. However, this logical address is distinct from the flash drive's 'physical block address' – since most USB flash drives use a 'wear leveling' technique. Wear leveling – i.e. shifting data around the physical blocks of the flash drive – prevents the same physical block being used over and over (in order to preserve the life of the USB drive).<br />
<br />
Consequently, any time updated or new data are written to the flash drive, such data will be written to a new physical block, regardless of the address of the old block, and any old/amended data is just deleted (not wiped).<br />
<br />
This raises a number of security issues, e.g:–<br />
<br />
#Securely wiping' (e.g. with Eraser) an individual file on a flash drive is potentially ineffective, since the random data that is used to overwrite could be written to a different physical block; the existing data will simply be deleted, rather than wiped.<br />
#Encrypting individual files could potentially suffer similar problems – e.g. when decrypting a file, amending it, then re-encrypting it.<br />
<br />
These issues can be resolved by either securely wiping the entire flash drive (not just wiping individual files) or by encrypting the entire flash drive (rather than encrypting individual files on it) – since then it makes no difference to which physical block the new data is being written.<br />
<br />
Ideally the latter approach should be used for all USB flash drives on which sensitive data is placed – encrypt or wipe the entire USB drive – as necessary. For any existing USB flash drives on which this approach has not been taken, it would be advisable to format and wipe the USB drive completely, then start using it afresh with this 'entire USB drive' approach.<br />
<br />
===Other Methods===<br />
There are of course many, many alternatives to the security suggestions outlined above, such as using any or all of the following:<br />
<br />
====Live CDs====<br />
Live CDs are an excellent alternative to encrypting the entire system drive. Essentially, an entire operating system (usually Linux-based) is on the CD, and whenever you want to boot to your OS, you simply boot the CD rather than booting to your hard disk. Should you not want to encrypt your hard drive, you could use the OS on there for all non-sensitive tasks, and use the Live CD for Internet access / other sensitive tasks.<br />
<br />
Running an operating system from a Live CD means that the PC's hard drive does not get used at all – and is therefore not subject to problems of leaving behind 'traces' to be recovered by forensics. There are some limitations with Live CDs e.g. a limited range of software can be run from them, and since the CD is read-only (as the point is not to save any data, which could be recovered!) any data you do want to save while working within the CD, or settings you want to keep, should be saved to an (encrypted) USB drive. Its simplicity ensures that this remains an attractive alternative, and it is worth keeping an eye on developments in this area. For some examples of Live CDs, see [http://susestudio.com/ Suse Studio] on how to create your own custom live bootable CD or see http://www.privacylover.com/anonymous-live-cd-list/ for a list of pre-built, mostly Linux-based alternatives.<br />
<br />
An excellent example of a pre-built option is the [https://tails.boum.org Tails Live CD] – this an operating system on a CD which is pre-configured to use the Tor network for all Internet access – including emails and web browsing.<br />
<br />
====Portable Applications====<br />
If installing an entire operating system to an external drive/USB stick, or using a Live CD, are not desired options, another alternative is to use 'portable applications' – standalone versions of existing software that can be run from a USB stick and do not save files or settings to your hard drive in the way that regular applications do. The idea is simply to prevent data being saved to your hard drive – the application files and data (including settings such as bookmarks, emails, etc), will be stored entirely on the USB device (which could be encrypted using a program such as TrueCrypt). See, for example, http://portableapps.com/ for an entire portable suite of software (including commonly-used programs such as Firefox, Thunderbird, Open Office, etc.).<br />
<br />
The use of portable applications may prove a practical and easy method of protecting your most sensitive data without going to the lengths of full disk encryption. One drawback is that there will still be traces of the USB drive having been used on that PC, and any monitoring software (firewalls, AV, etc.) is likely to have a record of an application on the USB drive (eg Firefox) having been run, which you might be called upon to explain. Nevertheless, this is an inconvenience more than anything, and so long as the USB stick itself is encrypted, the data will be safe. To increase the protection, this method could be combined with the following option.<br />
<br />
====System Drive Emulation software====<br />
Such software effectively prevents data being written to your hard drive by creating a clone of the system partition (typically drive C: in Windows – which includes system files, page file, registry files, application data and program files, etc.) as it looks when it is booted, in the computer's RAM. Once the system is shut down/restarted, this clone will be restored, thereby returning your system drive to the position it was before any data was written. An example of such software is the freeware program [http://www.toolwiz.com/products/toolwiz-time-freeze/ Toolwiz Time Freeze]. Simple to use, it is 'switched on' when necessary, and from that moment nothing that takes place (programs installed, software used, etc.) is permanently recorded; all normal computer operations appear to take place, but in fact these changes only take place for the duration of the session – upon restarting the PC there is no evidence that any such activity has occurred.<br />
<br />
With reference to the previous item – Portable Applications – an advantage of using combining drive emulation software with running portable apps from a USB drive would be that, once the PC was shut down/restarted, there would be no evidence of the applications on the USB stick (eg Firefox) ever having been run (and further, no evidence that the USB stick was ever plugged into that computer).<br />
<br />
====Virtual Machines====<br />
Another alternative to running a separate installation of Windows on an encrypted device is to employ a virtual machine. Such software (e.g. VirtualBox, at www.virtualbox.org) enables you to create a virtual operating system on your existing computer. In this way, you could run a dummy copy of Windows (or any other OS) on the main hard drive, then boot to a virtual copy of Windows which could reside in an encrypted file or partition on the hard drive. One drawback of this technique (other than the additional system resources / RAM consumption it requires) is that it is not guaranteed that traces of the virtual systems may not still appear in the 'real' system, since the two systems share some resources (and frequently, a network connection).<br />
<br />
==Protecting data while in transit over networks (Internet, Email, etc)==<br />
Whenever data is on the move – whether in the form of sending/receiving email, surfing the web, chat, downloading via P2P, viewing streaming media files, etc – it is at risk of interception. Data is transferred via different protocols (e.g. 'http' for web traffic, 'pop3' or 'smtp' for email, 'ftp' for some file uploads/downloads, etc). All the 'standard' forms of protocol (including those just mentioned) are sent over networks in plain text format – meaning that the data is visible to anyone who intercepts the traffic (your ISP, crackers, LEA, etc). The goal is therefore to utilize methods of secure communication so far as possible, irrespective of the data that is being transferred.<br />
<br />
===Email===<br />
Most commercial email addresses (including any email addresses supplied by your ISP) typically use insecure protocols. This will be apparent by checking the ports they use to communicate. If you use a desktop email client (eg. Outlook, Outlook Express, Eudora, Thunderbird) you will find this information under the 'Settings' option. If your email communicates via standard ports (usually port 110 for POP3 (i.e. incoming email) and port 25 for SMTP (i.e. outgoing email), it is being transmitted unencrypted – and therefore potentially visible to everyone.<br />
<br />
There are various techniques that can be employed to enhance the security of your emails:<br />
<br />
*Check your email provider's website to see if they offer an encrypted option (i.e. sending and receiving email via SSL (secure socket layer)). Usually this will simply be a matter of changing the port used in your email client's account settings – e.g. changing the ports to ports 995 (SSL POP) and 465 (SSL SMTP).<br />
*Avoid using email addresses provided by an ISP, and instead use dedicated email providers, such as Fastmail,Hushmail, SafeMail, and so on. Examples of such providers can be found in Section 3 below, or at [http://epic.org/privacy/tools.html EPIC's website]. Specialized email providers enhance your security by limiting the amount of information transferred to the recipient in the hidden email 'header' – which in the case of standard email providers (ISPs, Hotmail, etc) provide the recipient with far too much information, such as the IP address of your computer, the operating system that you use, and even which email client you used to send the email).<br />
*Use a dedicated form of email encryption, such as PGP. This utilizes public key encryption – the drawback being that the people with whom you communicate must also use public key encryption. Encourage others that you correspond with to do this. See 2.1.1. for more information.<br />
*Anonymous Remailers can be used to conceal from the recipient the origin of the email (see Section 2.3 for further details).<br />
<br />
====PGP====<br />
In 'public key' cryptography, two different keys are used: one key is secret and the other is made public. Anybody sending you an email simply encrypts their message to you using your public key. The public key is obviously not secret – in fact it may be spread widely so that anybody can find it if they wish to send you encrypted email (you can upload the key to a public key server to do this; though you may prefer just to give your public key to specific correspondents). The only way to decrypt an incoming message is with your secret key. The process works in reverse when sending email: you encrypt an email using the recipient's public key, which only they can decrypt using their<br />
private key.<br />
<br />
The original, and most well-known, program of this type is PGP, invented by Phil Zimmerman. There is now an OpenPGP standard, with which all software using public key cryptography should comply. Consequently, other programs are becoming popular, such as the open-source [http://gnupg.org/ GNU Privacy Guard (GnuPG)], which is OpenPGP compliant and compatible with other Open PGP tools (including PGP itself).<br />
<br />
After downloading the software, you simply use it to create a pair of keys – one public and one secret key. The public key can then be given to your correspondents which they will use to encrypt messages to you, which you can then decrypt using your private key. There are some programs which make the process of encrypting/decrypting easier via the use of 'add-ons'. Some email clients (e.g. Thunderbird) have add-ons (e.g. [http://www.enigmail.net/ Enigmail], which takes care of the encryption/decryption process on your behalf; the Firefox browser also has an add-on (see [http://www.mailvelope.com/ MailVelope) which enables you to easily encrypt text for pasting into a website, for example.<br />
<br />
===Web-Surfing===<br />
Whenever you request a web page via your Internet browser, in very basic terms what is happening is this: your browser sends the request for data to the server hosting that website, which then replies, and transfers the data to your computer, which is then recreated in your browser. Consequently, any request you make (whether by clicking on a link, or manually entering the site address) is transferred over the Internet via standard protocols (see introduction to this section, above) – typically for the Internet this will be http.<br />
<br />
Accordingly, this request for a particular web page is sent over the networks in plain text and so will be visible to anyone who is monitoring your activity (e.g. your ISP or other adversaries), and also reveals to the site you are visiting information about who you are (your computer's unique IP address) and information about your computer (which browser you use, what language/location settings you use, what the current time is on your PC, etc). In addition, in order to find that site, your browser needs to translate the address of the web page (e.g. (“amazon.com”) into its numeric equivalent – which it does by consulting a domain name (DNS) server. In a standard home Internet connection, the DNS server will be owned by your ISP – so the ISP has a second method of recording which sites you visit. Note that you can change your DNS server to one not owned by your ISP: see [http://www.opendns.com/ OpenDNS] for the relevant address to use.<br />
<br />
The upshot of the above is clear: both the site you visit, and your ISP (and anyone intercepting), knows the unique IP address assigned to your computer, and what data you are viewing. To avoid this, various options are available to 'anonymize' and/or encrypt your web surfing:<br />
<br />
====Free proxies====<br />
<br />
This is the weakest level of 'anonymity' – these are sites (e.g. http://www.kproxy.com/) which enable you to access another site, hiding your computer IP address, e.g. your request is sent to the 'end' site using the proxy IP as an intermediary. In that a case, the site you ultimately visit believes the request for data emanated from the proxy site and not from your computer. This does not protect you against surveillance by your ISP, and the data transferred is typically unencrypted and therefore visible to anyone else monitoring your connections, the proxy administrator can also log everything you do and turn over those logs if pressured to do so.<br />
<br />
====Commercial software====<br />
These are companies (e.g. Anonymizer, see Section 3 for an extensive list) which provide software which effectively bypasses surveillance from your ISP by creating an encrypted 'tunnel' between your computer and that company's server. In practice, this means that before making the data transfer from your PC (in the form of, say, a request for a web page), the software will encrypt this request, and then direct it to be forwarded from your ISP's servers to the proxy company's server. When it reaches the latter, the request will be decrypted and forwarded on to the relevant website. When that website returns the data, the reverse will take place. The effect of this is that:<br />
<br />
#your ISP cannot see which websites you are accessing – all it can see is that you are communicating with the company's server, not which websites you visit thereafter. (So if you were surfing the web for (say) 3 hours, from your ISP's point of view, they could see that traffic was passing back and forwards to your PC, but you would only appear to be receiving traffic from one address (the proxy company's server), and the contents of that traffic would be encrypted)<br />
#the website you are visiting cannot see who you are – since as far as they know, they are receiving the request for data from the proxy company's server, and simply return it to that server.<br />
<br />
The weak link in this chain will be apparent. While you are protected from your ISP, and from the websites you visit, the commercial proxy company knows who you are and (potentially, if they keep logs, what you are doing). The significance of this will vary according to the circumstance. If the sites you are visiting are merely sensitive (rather than illegal in your jurisdiction), the fact that the commercial proxy knows what you are doing is of little importance (particularly if – as recommended – you chose one in a different jurisdiction to your home country). You may, for example, simply not want your ISP to know that you visit boychat.org. The commercial proxy would be adequate for such uses.<br />
<br />
Check the terms and conditions of the commercial proxy company – in particular, whether they keep logs of your activity (for example, some log everything; some do not log origin and destination, but only record the quantity of data passing through, etc). Also, check which forms of data they will support – some commercial proxies will only encrypt Internet traffic (the http protocol), others (genuine 'VPNs') will encrypt all forms of protocol (whether it is Internet, email, file-sharing, etc). For additional security, look for a commercial proxy that offers anonymous payment methods and, ideally, is outside the US/EU.<br />
<br />
In summary: the advantage of using a commercial proxy is that it gives you a level of protection from monitoring by your ISP, and from the sites you visit, and generally you suffer little or no loss of speed in browsing. A potential disadvantage is that the commercial proxy knows who you are. For this reason, when accessing more sensitive sites, you may wish to employ other methods, such as Tor.<br />
<br />
====Tor====<br />
The basic idea of [http://www.torproject.org/ Tor] is to protect your privacy by disguising the route of data to and from your PC, as well as encrypting the traffic.<br />
<br />
Broadly-speaking, the Tor software will create a chain of at least 3 proxies, through which your data will pass – each interim stage in this chain only knows who sent the data to it (the previous proxy) and who it should forward data to (the next proxy in the chain).<br />
<br />
Effectively, this means that if you want to visit, say, Site A, Tor will encrypt this request, and pass it to the first link in the chain (Proxy 1), with encrypted instructions on where to send it thereafter. Proxy 1 will forward the encrypted request to Proxy 2, Proxy 2 will forward it to Proxy 3, etc. Thus, Proxy 1 only knows Proxy 2, Proxy 2 only knows Proxy 1 and Proxy 3, Proxy 3 only knows Proxy 2. The final link in this chain (known as the 'exit node') transfers the request to your ultimate destination (Site A). The process is then repeated in reverse. From the point of view of the user, this process happens invisibly – once the software is up and running, you merely use your browser as normal.<br />
<br />
(It should be noted at this point that once the data leaves the final link in the chain, it is no longer encrypted by Tor – at least until data is returned from your final destination to the first link in the return journey. This is only really significant if you are providing identifying information, e.g. entering a password into a webmail server via an unencrypted form – since then it is apparent that the request has come from you).<br />
<br />
The obvious advantage of this procedure is that there is no commercial proxy in the middle. No single point in the chain knows both you and your ultimate destination. This is arguably the most secure form of anonymizing web traffic. <br />
<br />
Some disadvantages are:<br />
<br />
#There is an initial learning curve with Tor – nevertheless, there is extensive documentation on the Tor website to assist with this, and once you have set it up and used it a few times, it becomes second nature.<br />
#As part of this learning curve, it is crucial that you configure your browser correctly. Enabling 'Security Level: Safest' in the browser is recommended.<br />
#It should also be pointed out that when using Tor, your browsing will be notably slower – which is to an extent inevitable given the number of different servers the traffic passes through, each of which may have different bandwidth allotments and be based in different countries. Tor will therefore be unsuitable for downloading large files (and possibly streaming data, such as Youtube or other streaming media). Its primary use will be for visiting particularly sensitive websites.<br />
#Related to the previous point, at the present time Tor only encrypts limited forms of protocol – primarily http traffic – which effectively limits its use to visiting web sites.<br />
#There have been a number of stories about breaching Tor's anonymity. Such instances tend to be a consequence of user implementation, rather than any flaw in Tor itself. More specifically, when using Tor, ensure that Javascript is disabled in your browser (since it is due to malicious scripts that Tor can be compromised. This can be done manually (in Firefox, go to Tools / Options / Content / uncheck 'enable Javascript'), or through the use of an Add-on such as [https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript], which automatically blocks scripts unless you permit them on a sire-by-site basis.<br />
<br />
It will be clear from the above consideration of Email and Web Surfing that there is no 'perfect' solution to online anonymity. Experts would say that 'true' anonymity is impossible. As long as you are transferring data from one computer to another over a network, there will be attempts made to intercept or track that data content and movement. Nonetheless, utilizing a combination of the above methods, depending on the circumstances and the sensitivity of your activities, offers significant protection against surveillance.<br />
<br />
'''NOTE''': Regardless of whether an anonymous connection is used, your browser should be as secure as possible, since there are numerous browser vulnerabilities that can expose your PC to malware. Javascript, Flash, Shockwave objects – all of these can compromise your anonymity. Firefox is highly recommended as a more secure browser than Internet Explorer, and can be further customized with Add-ons to increase security. NoScript, referred to above, is particularly desirable. Other security-related Add-ons are referred to in the Links section, below.<br />
<br />
===Other Network Usage (Chat, Anonymous Remailers, File-Sharing)===<br />
Similar anonymity considerations apply to any form of network activity, including Chat, P2P/File-Sharing, Usenet, etc. Typically, all such traffic is carried unencrypted over public networks, and is therefore capable of surveillance by the ISP and interception from other adversaries. Wherever possible, utilize security and anonymity tools to protect the privacy of such data.<br />
<br />
*For chat/IM, [https://otr.cypherpunks.ca OTR (Off The Record)] is an excellent plugin. Even if your contacts' private keys are determined, your private conversations are not compromised.<br />
*For posting messages on Usenet, consider using an anonymous remailer, which forwards messages without revealing where they originally came from. Anonymous remailers utilize the same 'onion router' principle behind Tor: they remove personal data from the message, encrypt it, and pass it through a chain of 'post offices' until the last remailer in the chain forwards the message to the recipient. As with Tor, the idea is to make the message untraceable to the sender.<br />
:The main issue with remailers is whether/how a recipient can reply to the message, given that its source is untraceable. Different types of remailers handle this differently. 'Pseudonymous remailers' are the most basic: they are typically unencrypted, and merely apply a pseudonym to the sender and forward the message to the recipient, who can then reply via the remailer. 'Cypherpunk remailers' typically encrypt the message and pass it through numerous hops on the chain to the recipient; generally the recipient cannot reply to such messages. 'Mixmaster' and 'Mixminion' remailers offer more advanced features, and seek to address issues such as the capacity for the recipient to reply to a message that has come from an 'untraceable' source. These generally require dedicated software.<br />
:One example of such software is OmniMix: http://www.danner-net.de/om.htm, which is designed for Windows, and can be used to send email and Usenet postings through the Mixmaster anonymous remailer network. OmniMix is straightforward to install, and can also be run from a removable device such as a USB stick.<br />
*When downloading from file-sharing networks (e.g. Limewire, Shareaza, etc.), it is important to know that not only is the traffic unencrypted (and therefore visible to, e.g. your ISP), your IP address is made available to anyone you are sharing with – and there is every possibility that the latter could be LEA or other adversary. A new breed of 'anonymous' networks are continually being developed, which generally seek to utilize the onion routing principle – traffic is encrypted and the origin/destination of the requested file are proxied. For examples of these, see:<br />
**[http://freenetproject.org/ Freenet]<br />
**[http://www.gnunet.org/ GNU Net]<br />
<br />
For a more detailed comparison of the different programs available, see http://www.zeropaid.com/software/file-sharing/ and http://www.anonymous-p2p.org/programs.html<br />
<br />
==Useful Links==<br />
'''NOTE''':Inclusion of links should not be taken to imply endorsement of particular software<br />
<br />
===Cleaning traces, erasing and general encryption software===<br />
<br />
*[http://www.piriform.com/ccleaner CCleaner] - Shreds/wipes sensitive traces of Internet activity<br />
*[http://sourceforge.net/projects/eraser/ Heidi Eraser] - Secure erasing software for individual files and free disk space<br />
*[http://www.dban.org/ Darik's Boot and Nuke (DBAN)] - Boot disk that does a government-standard wipe of hard drives<br />
*[http://www.truecrypt.ch TrueCrypt] - Open source encryption software<br />
*[http://diskcryptor.net/] - Full disk encryption software<br />
*[http://www.jetico.com BestCrypt] - Commercial encryption software<br />
<br />
===Email providers, remailers, and email encryption===<br />
<br />
*[https://protonmail.ch ProtonMail] - Free email provider in Switzerland<br />
*[http://www.unseen.is Unseen.is]- Email provider with encryption in Iceland<br />
*[https://addons.mozilla.org/en-US/thunderbird/addon/torbirdy/ TorBirdy] - Thunderbird addon to send email using tor<br />
*[http://www.anonymousspeech.com Anonymous Speech] - Email provider with PGP encryption<br />
*[http://www.cotse.net Cotse] - Email, SSH tunnel and VPN provider<br />
*[https://emailselfdefense.fsf.org The PGP Faq] - email self-defence guide<br />
*[http://www.gnupg.org GnuPG] - Linux/Windows email encryption<br />
*[http://www.goanywheremft.com/products/openpgp OpenPGP Desktop] - OpenPGP Go Anywhere<br />
*[http://www.enigmail.net/ Enigmail]- Plugin for Thunderbird Email client to manage encryption<br />
*[http://quicksilvermail.net QuickSilver] - email remailer client<br />
*[http://www.danner-net.de/om.htm OmniMix] - anonymous remailer<br />
*[https://otr.cypherpunks.ca OTR (Off The Record)]- a plugin for encyrypting chat/IM<br />
<br />
===Anonymity online===<br />
<br />
*[http://www.torproject.org/ Tor proxy] - Anonymous Internet browsing with hidden sites<br />
*[https://geti2p.net/ I2P Network] – Anonymity, similar to Tor<br />
*[http://cyberghostvpn.com/ CyberGhost VPN] - Commercial VPN with free option<br />
*[http://www.securitykiss.com/ Security Kiss] – Commercial VPN with free option<br />
*[http://anonymous-proxy-servers.net/ JonDoNym] - Commercial VPN<br />
*[https://www.perfect-privacy.com/ Perfect Privacy] – Commercial VPN<br />
*[http://www.opendns.com/ OpenDNS] - set your DNS addresses using OpenDNS, instead of using your ISP's DNSs.<br />
*[http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/ TorrentFreak] - List of VPN services with strong privacy<br />
<br />
<br />
'''NOTE''': When purchasing commercial products, ensure you check the providers' terms & conditions, particularly regarding their jurisdiction, privacy, reporting and logging policies. Do some research on the different companies' products, e.g. by searching their name at Wilders Security Forums. Use alternative methods of payment wherever possible, such as using prepaid web money/debit cards that you don't need ID to buy.<br />
<br />
===Firefox add-ons===<br />
<br />
*[https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript]- Many browser security holes are related to Javascript. Block scripts entirely, until permitted on a site-by-site basis.<br />
*[https://addons.mozilla.org/en-US/firefox/addon/flashblock/ FlashBlock] - Blocks flash content until you permit it<br />
*[https://addons.mozilla.org/en-US/firefox/addon/refcontrol/ Refcontrol] - Blocks or fakes your referrer ID<br />
*[https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ FoxyProxy] - Easy proxy management<br />
*[https://addons.mozilla.org/en-US/firefox/addon/anonymox/ AnonymoX] - Change computer IP proxy addon<br />
*[https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ BetterPrivacy] - It removes hard to erase Flash cookies<br />
<br />
===Miscellaneous privacy/security software===<br />
<br />
*[http://keepass.info/ KeePass] - Open-source password manager<br />
*[http://www.nirsoft.net/utils/cports.html CurrPorts] - See your open ports<br />
*[http://www.nirsoft.net/utils/cprocess.html CurrProcess] - See info about processes running in your computer<br />
*[http://windirstat.info/ WinDirStat] - disk usage statistics viewer and cleanup tool<br />
*[http://www.7-zip.org/ 7-zip] - compression & encryption tool<br />
*[http://www.sandboxie.com Sandboxie] – run your browser inside a 'sandbox' to prevent malware from gaining access to your system<br />
<br />
*Pre-paid web money: see http://www.bitcoin.org and [http://www.paysafecard.com PaySafeCard](EU)<br />
<br />
===Sources for technical advice/support===<br />
<br />
*[http://www.wilderssecurity.com Wilders Security Forums]- Information related to security, privacy and anonymity<br />
*[https://en.boywiki.org/wiki/Category:Technology BoyWiki Technology] - Boylover Wiki Technology section<br />
*An old BoyChat post with useful advice on how not to accidentally out yourself: https://www.boychat.org/messages/1107524.htm<br />
<br />
<u>'''FINAL NOTE'''</u>: If you follow the procdures outlined in this guide, you will be a long way to protecting yourself -- but please remember that there is no such thing as 100% computer security. Stay safe.<br />
<br />
'''<u>Disclaimer</u>: All material provided in this guide is intended as introductory guidance only, and should not be used as an alternative to undertaking your own research. No representation is made as to the current accuracy of the information and links provided.'''<br />
<br />
[[Category:Advice]]<br />
[[Category:Archival]]</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Talk:Anti-contact&diff=9765Talk:Anti-contact2021-12-05T02:05:39Z<p>Time Has Passed: </p>
<hr />
<div>Regarding:<br />
<br />
*'''Consequentialist anti-c (c-anti-c).''' In this instance, celibacy is called for in the present climate. Further, such an individual might maintain that:<br />
**They are not presently interested in [[age of consent]] reform. Supporters of very limited reforms sometimes also self-describe as anti-contact.<br />
**They oppose age of consent reform."<br />
<br />
Would consequentialist anti-contact MAPs really argue the latter two positions? If the argument is that adult-child sexual activity is harmful due to society's reactions to it, surely reforming age of consent laws and battling the stigma would be a positive? --[[User:Time Has Passed|Time Has Passed]] ([[User talk:Time Has Passed|talk]]) 03:29, 2 December 2021 (UTC)<br />
<br />
:I presonally prefer anti reform vs pro choice/pro reform, but I think we have to reflect and develop on the present terminology. "Pro-contact" seems to have evolved into a way for NOMAPs to take out a loan on the public image of other MAPs. I know 15 years ago, it was used in a naive way, but that seems to have been weaponized.<br />
<br />
:I will modify it slightly, see if it works. --[[User:The Admins|The Admins]] ([[User talk:The Admins|talk]]) 19:12, 2 December 2021 (UTC)<br />
<br />
::I also like the 'pro-reform' term, but I'm not sure about 'anti-reform'. We need something that emphasises the point that these people are not engaging in sexual activity with children. I also doubt that the NOMAP people would accept 'anti-reform', for this very reason. [[User:Time Has Passed|Time Has Passed]] ([[User talk:Time Has Passed|talk]]) 02:05, 5 December 2021 (UTC)</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=User:Time_Has_Passed&diff=9752User:Time Has Passed2021-12-02T13:29:15Z<p>Time Has Passed: Created page with "Some 2nd wave guy. I've forgotten how to use MediaWikia since the wikiwars!"</p>
<hr />
<div>Some 2nd wave guy. I've forgotten how to use MediaWikia since the wikiwars!</div>Time Has Passedhttps://wiki.yesmap.net/wiki/index.php?title=Nelson_Maatman&diff=9751Nelson Maatman2021-12-02T13:28:14Z<p>Time Has Passed: /* 2021 Prosecution */ Ref</p>
<hr />
<div>__NOTOC__<br />
[[File:Maatman.jpg|thumb|Nelson Maatman]]<br />
'''Nelson Maatman''' is a young, second-wave [[Minor Attracted Person|MAP]] activist from the Netherlands, and chair of the [[PNVD]]. <br />
<br />
He is currently under investigation for supposed links with the banned political organization, [[Vereniging MARTIJN]], which ceased operation before he became active as a campaigner. He has been known to have left the country at some point, and this has been characterized as "fleeing" the country.<br />
<br />
Maatman has become infamous after seeking to make an appearance at Amsterdam’s annual Pride march in the summer of 2019. He devised a social experiment whereby he attempted to [[Historical examples of LGBT-MAP unity|bring back the tradition]] of advocating for children’s and paedophiles’ rights at Pride events. He was barred, and has since appealed to human rights organizations. He has also taken part in an infamous television interview, in which he made provocative statements about sexual relationships between adults and minors.<ref>[https://www.youtube.com/watch?v=pBC5X8l4uOU YouTube (Dutch)] and [https://www.freespeechtube.org/v/16bl English Translation]</ref> He was soon-after arrested under statutes on illegal images, but no evidence has thusfar been indicated.<br />
<br />
==2021 Prosecution==<br />
<br />
In March 2021, [[Marthijn Uittenbogaard]] announced that he, Maatman, [[Norbert de Jonge]] and [[Ad van den Berg]] were being prosecuted for allegedly participating in a criminal organisation. The evidence offered by the prosecution is spurious, alleging that Twitter comments and the maintenance of an academic website constitute the continuation of an organisation deemed 'criminal' under a highly controversial Dutch law.<ref>https://marthijn.nl/p/218</ref><br />
<br />
==External Links==<br />
<br />
*[https://heretictoc.com/2020/05/24/hanging-in-there-in-hengelo-hotspot/ Tom O'Carroll] - With some information in English - source used in this article.<br />
<br />
==References==<br />
<br />
[[Category:Official Encyclopedia]][[Category:People]][[Category:People: Sympathetic Activists]][[Category:People: Dutch]][[Category:People: Adult or Minor sexually attracted to or involved with the other]]</div>Time Has Passed