Wilders Security Forums  
#1
March 8th, 2012, 05:34 AM
Ineedtopee (Infrequent Poster; Join Date: Mar 2012; Posts: 1)
New to all this, What Privacy Steps Should I Be Taking.

Hi all,
Totally new to all this but wondering if you could give me a run down of all the essentials steps I should be doing to secure my PC from tracking etc.

Thanks.
#2
March 8th, 2012, 09:52 AM
PaulyDefran (Frequent Poster; Join Date: Dec 2011; Posts: 737)
Re: New to all this, What Privacy Steps Should I Be Taking.

1. Operating System: Live CD like TAILS or installed Linux Distro (Ubuntu is fairly painless). If Windows, you are trading convenience for security/anonymity, but I get it, some things only Windows can do. Linux with a Windows VM or Windows with Linux VM is another option.

2. Encryption for data at rest (shut down laptop or desktop...always shut down if possible): dm-crypt/LUKS on an LVM if using Linux, with TrueCrypt Hidden Containers...Truecrypt Hidden OS and Hidden Containers if on Windows. Diskcryptor is another option, but doesn't offer the same options as TrueCrypt...but does have some different options. Linux does not offer plausible deniability at the OS level (but a member here successfully defended against inspection, using Linux), TrueCrypt on Windows does.

3. System Security: Mostly for Windows here, Linux is pretty safe...GUFW and rkhunter with ClamAV maybe. On Windows, see the other forums, that's what Wilders is about. DefenseWall (32 bit only), Comodo, and Online Armor are some you may want to look at.

4. Internet Connection: Open Access Point that is not near your home. If at home, a VPN. Tor Browser Bundle. I2P. Check the other sections.

5. Browsing, Email, Etc...: Try using portable apps from within TrueCrypt Hidden Containers. This goes for Linux as well as Windows, although on Windows I would say it is more important, but realize Windows is messy and it is not a 100% solution to tracks. See #2 above. On Windows, Sandboxie is a great tool. For Firefox, install all the privacy add-ins that you like, like NoScript, Cookie Monster, Better Privacy, Ad Block Plus, Ghostery, Track Me Not, HTTPS Everywhere, etc... Disable geolocation in about:config.

6. Passwords: Long and unique for each site/application. KeePass can do everything, LastPass can do web sites (they have a beta for applications).

7. System Cleanliness: For Windows, Eraser free space wipes as well as on demand data destruction, CCleaner, Bleach Bit, Comodo System utilities, etc...

There are a million other things and I probably got some of these wrong...read, read, read. Good luck.

PD
#3
March 8th, 2012, 01:22 PM
tlu (Very Frequent Poster; Join Date: Sep 2004; Posts: 2,076)
Re: New to all this, What Privacy Steps Should I Be Taking.

While PaulyDefran made some good suggestions (and I've also been running Ubuntu for years) I think it's a bit overkill.

The basic steps are, IMHO:
1. Forbid 3rd party cookies and make session cookies your default here by choosing "Use custom settings for history", deselecting "Accept third-party cookies" and selecting "keep until I close Firefox". (It looks similar, e.g., in Chrome).
2. Forbid flash cookies by using the addon BetterPrivacy (see also here) or choose the appropriate settings in the flash privacy settings panel.
3. Use Adblock Plus (particularly with the EasyPrivacy and/or Fanboy's Tracker List and/or Antisocial subscriptions) and Noscript (or ScriptNo in Chrome).
4. Disable disk caching in your browser to kill Etags once your browser closes. In Firefox go to about:config and set browser.cache.disk.enable to false. Note that I don't know how to do this in other browsers. In my opinion, FF is the best configurable browser when it comes to privacy.
#4
March 8th, 2012, 01:49 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: New to all this, What Privacy Steps Should I Be Taking.

Not sure if you've tried it, but I've found one of the best and easiest cookie managers for Firefox is Cookie Whitelist, With Buttons
https://addons.mozilla.org/en-US/fir...-with-buttons/
#5
March 8th, 2012, 01:55 PM
tlu (Very Frequent Poster; Join Date: Sep 2004; Posts: 2,076)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by ellison64
Not sure if you've tried it, but I've found one of the best and easiest cookie managers for Firefox is Cookie Whitelist, With Buttons
https://addons.mozilla.org/en-US/fir...-with-buttons/

No, I haven't tried it but use Cookie Monster instead which is very good.
#6
March 8th, 2012, 02:10 PM
ellison64 (Very Frequent Poster; Join Date: Oct 2003; Posts: 2,168)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by tlu
No, I haven't tried it but use Cookie Monster instead which is very good.

I agree. I tried it a year or two back, after CookieSafe, which I used to use, had some problems keeping up with Firefox builds. I can't remember why I didn't stick with Cookie Monster at that time, but I found Cookie Whitelist With Buttons and have stayed with that ever since. I'll have to compare them when I have a little time. The OP can't go wrong with either though, methinks.
#7
April 4th, 2012, 11:02 AM
HTTPS (Infrequent Poster; Join Date: Apr 2012; Posts: 12)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by PaulyDefran
There are a million other things and I probably got some of these wrong...read, read, read. Good luck.

PD

Support for PaulyDefran

8. IPsec policy / filtering in Windows 7

http://www.scribd.com/doc/22398177/H...sec-in-Windows

9. http://www.dd-wrt.com/site/index

10. Turn off your router or WLAN if you watch TV or leave the house.

11. Give everything (if possible) a password, even if you think it's unnecessary (your router).

Last edited by HTTPS : April 4th, 2012 at 11:07 AM.
#8
April 4th, 2012, 02:12 PM
TheWindBringeth (Frequent Poster; Join Date: Feb 2012; Posts: 846)
Re: New to all this, What Privacy Steps Should I Be Taking.

N) Get familiar with networking protocols and the various tools that will allow you to check for objectionable traffic. Periodically check to see what is leaking out from your computers and network.

Example: I have one computer which I don't use very much. I fired it up the other day just to download some updates. I started a Wireshark capture before allowing it to connect to the network. Because of the time that elapsed since the last time it was running with a network connection and/or because it was a new month and/or because it was the right day, numerous programs wanted to "do their thing". There was much to review, but I did see something I wasn't previously aware of: one program sending platform, config, and usage information back to the developer. So at least now I know something has been leaking and what it is that I should block going forward.
#9
April 5th, 2012, 03:27 AM
HTTPS (Infrequent Poster; Join Date: Apr 2012; Posts: 12)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by PaulyDefran
6. Passwords: Long and unique for each site/application. KeePass can do everything, LastPass can do web sites (they have a beta for applications).

PD

6a. Test the quality of your password.

http://www.yetanotherpasswordmeter.com/ - adjusted for @syncmaster913n: "... your real password(s) to anyone who might be listening on that website."

- Don't reuse the same complex password for anything else, and change it after 2 years at most.

- Find out which password size is allowed; if the application allows 32 characters, then create a 32-character password and not 6 or 8 or some other minimum like most people do.
__________________
BlackViper : SDelete : HDParm : IPsec : Tor : Paid VPN : TrueCrypt : KeePass : Autoruns : CCleaner : BleachBit : BitDefender 2012

Last edited by HTTPS : April 6th, 2012 at 12:20 PM.
#10
April 5th, 2012, 05:28 AM
syncmaster913n (Regular Poster; Join Date: Mar 2012; Posts: 153)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by HTTPS
6a. Test the quality of your password.

http://www.yetanotherpasswordmeter.com/


Be careful with entering your real password(s) into online websites such as the one above, though. Preferably you should just test against a password that has identical entropy to your own, but one that is composed of different characters than the real thing.

So if your password contains 4 lower case letters, 4 upper case letters, 2 numbers and two special characters, come up with a "draft" password that meets these criteria for the purpose of the test.

So if your password is: x%o-00QvNyKL
Test something like: (/PAHi5cBb7f

This way you avoid potentially disclosing your real password(s) to anyone who might be listening on that website.

Better yet; just learn about password entropy and avoid using these password-meters altogether.
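The "draft password" idea above, as an added example that is not from the thread or any poster: build a throwaway password with the same length and the same character class at every position as the real one, but with every character replaced, so an online meter scores the same shape without ever seeing the real secret. The four character classes and the use of Python's `secrets` module are this example's own choices.

```python
import secrets
import string

# Character classes that describe a password's "shape" (chosen for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def char_class(ch):
    """Return the class name of one character, or None if it fits no class."""
    for name, alphabet in CLASSES.items():
        if ch in alphabet:
            return name
    return None

def shape(password):
    """Class at each position, e.g. 'x%o-00QvNyKL' -> ['lower', 'symbol', 'lower', ...]."""
    return [char_class(ch) for ch in password]

def composition(password):
    """Count per class, e.g. {'lower': 4, 'upper': 4, 'digit': 2, 'symbol': 2}."""
    counts = {name: 0 for name in CLASSES}
    for cls in shape(password):
        if cls is None:
            raise ValueError("unsupported character in password")
        counts[cls] += 1
    return counts

def make_decoy(password, rng=secrets):
    """Build a decoy with the same per-position classes as `password`, where every
    character is replaced by a different random character from its own class.
    The decoy keeps the length and class mix a meter looks at while sharing no
    character with the real password."""
    decoy = []
    for ch in password:
        cls = char_class(ch)
        if cls is None:
            raise ValueError("unsupported character in password")
        pool = CLASSES[cls].replace(ch, "")  # never reuse the real character
        decoy.append(rng.choice(pool))
    return "".join(decoy)

if __name__ == "__main__":
    real = "x%o-00QvNyKL"  # the sample password from the post above
    print(composition(real))
    print(make_decoy(real))  # e.g. a string shaped like (/PAHi5cBb7f
```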
#11
April 5th, 2012, 07:07 AM
popcorn (Frequent Poster; Join Date: Apr 2012; Posts: 237)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by syncmaster913n
Be careful with entering your real password(s) into online websites such as the one above, though. Preferably you should just test against a password that has identical entropy to your own, but one that is composed of different characters than the real thing.

So if your password contains 4 lower case letters, 4 upper case letters, 2 numbers and two special characters, come up with a "draft" password that meets these criteria for the purpose of the test.

So if your password is: x%o-00QvNyKL
Test something like: (/PAHi5cBb7f

This way you avoid potentially disclosing your real password(s) to anyone who might be listening on that website.

Better yet; just learn about password entropy and avoid using these password-meters altogether.

+100
__________________
CIS 6
ExploitShield beta
Virtually Virtual
#12
April 5th, 2012, 09:29 AM
PaulyDefran (Frequent Poster; Join Date: Dec 2011; Posts: 737)
Re: New to all this, What Privacy Steps Should I Be Taking.

You could also run KeePass (install or portable) and it offers an entropy meter.

PD
#13
April 6th, 2012, 12:58 PM
HTTPS (Infrequent Poster; Join Date: Apr 2012; Posts: 12)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by syncmaster913n
So if your password contains 4 lower case letters, 4 upper case letters, 2 numbers and two special characters, come up with a "draft" password that meets these criteria for the purpose of the test.

Better yet; just learn about password entropy and avoid using these password-meters altogether.

Message above changed.

https://en.wikipedia.org/wiki/Information_entropy
http://www.redkestrel.co.uk/Articles...dStrength.html

I don't understand. Which password is now better and why?:

1.) 1111111111111111111111111111111111111111111111111111111111111Aa//

2.) aaaaAAAA11// ("... 4 lower case letters, 4 upper case letters, 2 numbers and two special characters ...")

3.) !q"1§E_
__________________
BlackViper : SDelete : HDParm : IPsec : Tor : Paid VPN : TrueCrypt : KeePass : Autoruns : CCleaner : BleachBit : BitDefender 2012

Last edited by HTTPS : April 6th, 2012 at 01:13 PM.
#14
April 6th, 2012, 01:23 PM
vasa1 (Massive Poster; Join Date: May 2010; Posts: 3,989)
Re: New to all this, What Privacy Steps Should I Be Taking.

OP, Ineedtopee, hasn't returned
__________________
One can't be too rich, too thin, or too secure
#15
April 6th, 2012, 09:02 PM
syncmaster913n (Regular Poster; Join Date: Mar 2012; Posts: 153)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by HTTPS
Message above changed.

https://en.wikipedia.org/wiki/Information_entropy
http://www.redkestrel.co.uk/Articles...dStrength.html

I don't understand. Which password is now better and why?:

1.) 1111111111111111111111111111111111111111111111111111111111111Aa//

2.) aaaaAAAA11// ("... 4 lower case letters, 4 upper case letters, 2 numbers and two special characters ...")

3.) !q"1§E_
The first password does indeed have the highest entropy. However, don't forget that in order for a password to be highly resistant to brute forcing, the password must not only show high entropy, but also a high degree of randomness. A brute force attack is quite likely to start with all combinations such as 1....11....111....1111 (.....) then 2....22.....222.....2222... and a multitude of variations on those.

So basically, cracking a password like this one depends highly on how a certain brute forcing program is configured to check for passwords. Would that password be cracked by a random brute force attack? Probably not. Can it be cracked easily if the attacker wants to and accounts for the possibility that you might have used such a type of password? For sure.

Basically, all three passwords you listed are weak. Add a minimum of 5 random characters to the last password and you're good to go.

BTW, you didn't have to edit your post above, really. I am just expressing my opinion, others may disagree.

Quote:
Originally Posted by vasa1
OP, Ineedtopee, hasn't returned
It's ok, we can still all learn from each other

Quote:
Originally Posted by HTTPS
- Find out which password size is allowed; if the application allows 32 characters, then create a 32-character password and not 6 or 8 or some other minimum like most people do.
This might be overkill in many cases (remember, just an opinion). Obviously it depends on what application you are using and how easy you find it to remember truly random passwords. However, for almost all everyday applications and websites (excluding financial institutions and encrypted data) you won't really need more than 12-16 characters, max. Again, if someone finds it easy to remember long passwords, go with 32!

Last edited by syncmaster913n : April 6th, 2012 at 09:15 PM.
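The entropy-versus-randomness point in the post above, as an added example that is not from the thread or any poster: a textbook estimate that treats every position as an independent draw rewards the 65-character string of ones, while a crude constructed model of the run-based guessing strategy described above (one character choice plus one run length per repeated run) puts it far lower. The effective figure is the cheaper of the two, and the alphabet sizes per class (including 100 for non-ASCII characters such as "§") are this example's assumptions.

```python
import math
import string
from itertools import groupby

# Alphabet size assumed for each character class. "other" covers anything outside
# printable ASCII, such as the "§" in the third candidate; 100 is an assumption.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32, "other": 100}

def char_class(ch):
    """Map one character to the class name used in CLASS_SIZES."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ch in string.punctuation:
        return "symbol"
    return "other"

def naive_bits(password):
    """Textbook entropy: each position is an independent draw from the union of the
    classes present, so bits = len * log2(|alphabet|). This rewards long runs."""
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in {char_class(ch) for ch in password})
    return len(password) * math.log2(alphabet)

def run_pattern_bits(password):
    """Cost for a guesser that enumerates passwords as a sequence of repeated-
    character runs (the 1...1, then 22...2 strategy): each maximal run costs one
    character choice from its class plus a run length from 1..len(password).
    Deliberately crude; a constructed model, not a real cracker's strategy."""
    n = len(password)
    if n == 0:
        return 0.0
    return sum(math.log2(CLASS_SIZES[char_class(ch)]) + math.log2(n)
               for ch, _ in groupby(password))

def strength_bits(password):
    """Effective strength: the guesser uses whichever strategy is cheaper."""
    return min(naive_bits(password), run_pattern_bits(password))

# The three candidates from the thread, copied as posted.
CANDIDATES = {
    "1": "1111111111111111111111111111111111111111111111111111111111111Aa//",
    "2": "aaaaAAAA11//",
    "3": '!q"1§E_',
}

def rank(candidates=CANDIDATES):
    """Labels ordered from strongest to weakest under strength_bits()."""
    return sorted(candidates, key=lambda k: strength_bits(candidates[k]), reverse=True)

if __name__ == "__main__":
    for label, pw in CANDIDATES.items():
        print(label, f"naive={naive_bits(pw):.1f}", f"runs={run_pattern_bits(pw):.1f}",
              f"effective={strength_bits(pw):.1f}")
    print("ranking:", rank())  # ['3', '1', '2']
```

Under the naive estimate the order is 1, 2, 3; under the effective figure the short mixed password 3 comes out ahead of both, and a password with no repeated runs (such as x%o-00QvNyKL from post #10) keeps its full naive value.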
#16
April 6th, 2012, 09:12 PM
Cudni (Global Moderator; Join Date: May 2009; Location: Somethingshire; Posts: 6,944)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by syncmaster913n
Basically, all the three passwords you gave are weak
Despite solid theory, weak against whom? Only against a very technically strong and determined adversary (a kind most likely not to be faced in several lifetimes). For all other purposes, good enough.
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#17
April 6th, 2012, 09:20 PM
syncmaster913n (Regular Poster; Join Date: Mar 2012; Posts: 153)
Re: New to all this, What Privacy Steps Should I Be Taking.

Yes, true. Although when creating a password, it makes sense to me to assume the highest degree of proficiency on the side of an attacker. I'm assuming (from the nature of this forum, and his clear interest in the subject) that this is HTTPS's "approach" to security as well.

But again, you are right.
#18
April 6th, 2012, 09:23 PM
Cudni (Global Moderator; Join Date: May 2009; Location: Somethingshire; Posts: 6,944)
Re: New to all this, What Privacy Steps Should I Be Taking.

Quote:
Originally Posted by syncmaster913n
when creating a password, it makes sense to me to assume the highest degree of proficiency on the side of an attacker.
and that makes you right too
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#19
April 6th, 2012, 09:24 PM
syncmaster913n (Regular Poster; Join Date: Mar 2012; Posts: 153)
Re: New to all this, What Privacy Steps Should I Be Taking.

EDIT: Also, something that might be helpful to anyone who finds it difficult to remember many passwords: you might consider using some sort of permutation on one basic password.

For example, I like to have a different password for every website I visit, but having to remember a completely different password for each account (probably well over 30) would be somewhat annoying, so instead I have one basic password (let's say, for the sake of the example, that it is m@rK-47), which is the base. This base is modified depending on what website the account I am trying to access is located on. Personally, my permutation has to do with certain letters from the domain name, the number of syllables in the domain name, and the number of letters in the domain extension (com, co.uk, eu, etc.)

So you might take that m@rK-47 base and add at the beginning of it the first letter of the domain name in upper case, then at the end of the password add the last letter of the domain name in lower case, then Shift+the digit representing the number of syllables in the domain name, and finally the number of letters in the domain extension.

So for this forum, the password would be: Wm@rK-47y^3

I personally use that only for websites that don't contain any highly sensitive data - other websites get a completely unique password.

DISCLAIMER to would-be attackers: the algorithm described above is not the real one I use, just an example

Last edited by syncmaster913n : April 6th, 2012 at 09:46 PM.
#20
April 9th, 2012, 10:25 AM
HTTPS (Infrequent Poster; Join Date: Apr 2012; Posts: 12)
Re: New to all this, What Privacy Steps Should I Be Taking.

@syncmaster913n

The word entropy is not helpful; it is often used as a summarization of password length and randomness, and sometimes for any part of creating a password.

Some lines in my text above are rather caricatured. Password length alone is completely useless without randomness (you verified my overstatement).

The edit of my post is important because your argument is very plausible: who knows who is in between (you and the online password meter). Great hint.
__________________
BlackViper : SDelete : HDParm : IPsec : Tor : Paid VPN : TrueCrypt : KeePass : Autoruns : CCleaner : BleachBit : BitDefender 2012