New to all this, What Privacy Steps Should I Be Taking.

Discussion in 'privacy technology' started by Ineedtopee, Mar 8, 2012.

Thread Status:
Not open for further replies.
  1. Ineedtopee (Registered Member)

    Hi all,
    Totally new to all this but wondering if you could give me a run down of all the essentials steps I should be doing to secure my PC from tracking etc.

    Thanks.
  2. PaulyDefran (Registered Member)

    1. Operating System: Live CD like TAILS or installed Linux Distro (Ubuntu is fairly painless). If Windows, you are trading convenience for security/anonymity, but I get it, some things only Windows can do. Linux with a Windows VM or Windows with Linux VM is another option.

    2. Encryption for data at rest (shut down laptop or desktop...always shut down if possible): dm-crypt/LUKS on an LVM if using Linux, with TrueCrypt Hidden Containers...Truecrypt Hidden OS and Hidden Containers if on Windows. Diskcryptor is another option, but doesn't offer the same options as TrueCrypt...but does have some different options. Linux does not offer plausible deniability at the OS level (but a member here successfully defended against inspection, using Linux), TrueCrypt on Windows does.

    3. System Security: Mostly for Windows here, Linux is pretty safe...GUFW and rkhunter with ClamAV maybe. On Windows, see the other forums, that's what Wilders is about :D Defense Wall (32 bit only) Comodo, and Online Armor are some you may want to look at.

    4. Internet Connection: Open Access Point that is not near your home. If at home, a VPN. Tor Browser Bundle. I2P. Check the other sections.

    5. Browsing, Email, Etc...: Try using portable apps from within TrueCrypt Hidden Containers. This goes for Linux as well as Windows, although on Windows I would say it is more important, but realize Windows is messy and it is not a 100% solution to tracks. See #2 above. On Windows, Sandboxie is a great tool. For Firefox, install all the privacy add-ins that you like, like NoScript, Cookie Monster, Better Privacy, Ad Block Plus, Ghostery, Track Me Not, HTTPS Everywhere, etc... Disable geolocation in about:config.

    6. Passwords: Long and unique for each site/application. KeePass can do everything, LastPass can do web sites (they have a beta for applications).

    7. System Cleanliness: For Windows, Eraser free space wipes as well as on demand data destruction, CCleaner, Bleach Bit, Comodo System utilities, etc...

    There are a million other things and I probably got some of these wrong...read, read, read. Good luck.

    PD
  3. tlu (Registered Member)

    While PaulyDefran made some good suggestions (and I've also been running Ubuntu for years) I think it's a bit overkill. ;)

    The basic steps are, IMHO:
    1. Forbid 3rd party cookies and make session cookies your default here by choosing "Use custom settings for history", deselecting "Accept third-party cookies" and selecting "keep until I close Firefox". (It looks similar, e.g., in Chrome).
    2. Forbid flash cookies by using the addon BetterPrivacy (see also here) or choose the appropriate settings in the flash privacy settings panel.
    3. Use Adblock Plus (particularly with the EasyPrivacy and/or Fanboy's Tracker List and/or Antisocial subscriptions) and NoScript (or ScriptNo in Chrome).
    5. Disable disk caching in your browser to kill Etags once your browser closes. In Firefox go to about:config and set browser.cache.disk.enable to false. Note, that I don't know how to do this in other browsers. In my opinion, FF is the best configurable browser if it comes to privacy.
  4. ellison64 (Registered Member)

  5. tlu (Registered Member)

  6. ellison64 (Registered Member)

    I agree :thumb: I tried it a year or two back, after CookieSafe, which I used to use, had some problems keeping up with Firefox builds. I can't remember why I didn't stick with Cookie Monster at that time, but found Cookie Whitelist With Buttons and have stayed with that ever since. I'll have to compare them when I have a little time. The OP can't go wrong with either though, methinks. :)
  7. HTTPS (Registered Member)

    Last edited: Apr 4, 2012
  8. TheWindBringeth (Registered Member)

    N) Get familiar with networking protocols and the various tools that will allow you to check for objectionable traffic. Periodically check to see what is leaking out from your computers and network.

    Example: I have one computer which I don't use very much. I fired it up the other day just to download some updates. I started a Wireshark capture before allowing it to connect to the network. Because of the time that elapsed since the last time it was running with a network connection and/or because it was a new month and/or because it was the right day, numerous programs wanted to "do their thing". There was much to review, but I did see something I wasn't previously aware of: one program sending platform, config, and usage information back to the developer. So at least now I know something has been leaking and what it is that I should block going forward.
  9. HTTPS (Registered Member)

    6a. Test the quality of your password.

    http://www.yetanotherpasswordmeter.com/ - adjusted for @syncmaster913n: "... your real password(s) to anyone who might be listening on that website."

    - Don't use the same complex password for anything else, and change it after 2 years at most.

    - Find out which password size is allowed; if the application allows 32 characters, then create a 32-character password and not 6 or 8 or another minimum like most people do.
    Last edited: Apr 6, 2012
  10. syncmaster913n (Registered Member)

    Be careful with entering your real password(s) into online websites such as the one above, though. Preferably you should just test against a password that has identical entropy to your own, but one that is composed of different characters than the real thing.

    So if your password contains 4 lower case letters, 4 upper case letters, 2 numbers and two special characters, come up with a "draft" password that meets these criteria for the purpose of the test.

    So if your password is: x%o-00QvNyKL
    Test something like: (/PAHi5cBb7f

    This way you avoid potentially disclosing your real password(s) to anyone who might be listening on that website.

    Better yet; just learn about password entropy and avoid using these password-meters altogether.
  11. popcorn (Registered Member)

    :thumb: +100
  12. PaulyDefran (Registered Member)

    You could also run KeePass (install or portable) and it offers an entropy meter.

    PD
  13. HTTPS (Registered Member)

    Message above changed.

    https://en.wikipedia.org/wiki/Information_entropy
    http://www.redkestrel.co.uk/Articles/RandomPasswordStrength.html

    I don't understand. Which password is now better and why?:

    1.) 1111111111111111111111111111111111111111111111111111111111111Aa//

    2.) aaaaAAAA11// ("... 4 lower case letters, 4 upper case letters, 2 numbers and two special characters ...") :)

    3.) !q"1§E_
    Last edited: Apr 6, 2012
  14. vasa1 (Registered Member)

    OP, Ineedtopee, hasn't returned :(
  15. syncmaster913n (Registered Member)

    The first password does indeed have the highest entropy. However, don't forget that in order for a password to be highly resistant to brute forcing, the password must not only show high entropy, but also a high degree of randomness. A brute force attack is quite likely to start with all combinations such as 1....11....111....1111 (.....) then 2....22.....222.....2222... and a multitude of variations on those.

    So basically, cracking a password like this one depends highly on how a certain brute forcing program is configured to check for passwords. Would that password be cracked by a random brute force attack? Probably not. Can it be cracked easily if the attacker wants to and accounts for the possibility that you might have used such a type of password? For sure.

    Basically, all three passwords you listed are weak :) Add a minimum of 5 random characters to the last password and you're good to go.

    BTW, you didn't have to edit your post above, really :) I am just expressing my opinion, others may disagree.

    It's ok, we can still all learn from each other :D

    This might be overkill in many cases (remember, just an opinion). Obviously it depends on what application you are using and how easy you find it to remember truly random passwords. However, for almost all everyday applications and websites (excluding financial institutions and encrypted data) you won't really need more than 12-16 characters, max. Again, if someone finds it easy to remember long passwords, go with 32!
    Last edited: Apr 6, 2012
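    An added illustration of the point made in the two posts above (this is not code from any poster): a naive meter multiplies length by alphabet size, so the "1111...Aa//" password scores hundreds of bits, while a model that charges a run of identical characters as one choice plus the cost of its length puts it below the short random one. The run-length model and the character-class sizes are my assumptions, chosen to mirror how a cracking rule that tries "1", "11", "111", ... behaves.

```python
import math
from itertools import groupby

# Constructed samples: the three passwords from HTTPS's post above.
CANDIDATES = {
    "all-ones": "1" * 61 + "Aa//",
    "classes-only": "aaaaAAAA11//",
    "short-random": '!q"1§E_',
}


def charset_size(pw: str) -> int:
    """Alphabet size a simple meter assumes: the sum of the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation; non-ASCII symbols are lumped in here
    return size


def naive_bits(pw: str) -> float:
    """What a length-times-alphabet meter reports: every position is a free choice."""
    return len(pw) * math.log2(charset_size(pw))


def pattern_aware_bits(pw: str) -> float:
    """Charge each run of k identical characters as one choice plus log2(k) bits
    for its length, which is roughly what a 'repeat this character' rule costs."""
    alphabet_bits = math.log2(charset_size(pw))
    total = 0.0
    for _, run in groupby(pw):
        k = sum(1 for _ in run)
        total += alphabet_bits + math.log2(k)
    return total


def rank(candidates: dict) -> list:
    """Names ordered strongest to weakest under the pattern-aware model."""
    return sorted(candidates, key=lambda n: pattern_aware_bits(candidates[n]), reverse=True)


if __name__ == "__main__":
    for name, pw in CANDIDATES.items():
        print(f"{name:13s} naive={naive_bits(pw):6.1f}  pattern-aware={pattern_aware_bits(pw):5.1f} bits")
    print("ranking:", rank(CANDIDATES))
```

    The short random password comes out on top only because the other two are repetition; a longer password that keeps its randomness (the "add 5 random characters" advice above) beats all three under both models.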
  16. Cudni (Global Moderator)

    Despite solid theory, weak against whom? Only against a very technically strong and determined adversary (a kind most likely not to be faced in several lifetimes). For all other purposes good enough.
  17. syncmaster913n (Registered Member)

    Yes, true. Although when creating a password, it makes sense to me to assume the highest degree of proficiency on the side of an attacker. I'm assuming (from the nature of this forum, and his clear interest in the subject) that this is also HTTPS's "approach" to security as well.

    But again, you are right.
  18. Cudni (Global Moderator)

    and that makes you right too :)
  19. syncmaster913n (Registered Member)

    :thumb: :)

    EDIT: also, something that might be helpful to anyone who finds it difficult to remember many passwords, you might consider using some sort of permutation on one basic password.

    For example, I like to have a different password for every website I visit, but having to remember a completely different password for each account (probably well over 30) would be somewhat annoying ;) so instead, I have one basic password (let's say for the sake of the example that it is m@rK-47), which is the base. And this base is modified depending on what website the account I am trying to access is located on. Personally my permutation has to do with certain letters from the domain name, the number of syllables in the domain name, and the number of letters in the domain extension (com, co.uk, eu, etc.)

    So you might take that m@rK-47 base and add at the beginning of it the first letter of the domain name in upper case, then at the end of the password goes the last letter of the domain name in lower case, then Shift+the digit representing the number of syllables in the domain name, and finally the number of letters in the domain extension.

    So for this forum, the password would be: Wm@rK-47y^3

    I personally use that only for websites that don't contain any highly sensitive data - other websites get a completely unique password.

    DISCLAIMER to would-be attackers: the algorithm described above is not the real one I use, just an example :D
    Last edited: Apr 6, 2012
  20. HTTPS (Registered Member)

    @syncmaster913n

    The word entropy is not helpful - it is often used as a summary of password length and randomness and sometimes for any part of creating a password.

    Some lines in my text above are more of a caricature. Password length alone is completely useless without randomness (you verified my overstatement). :D

    The edit of my post is important because your argument is very plausible - who knows who is in between (you and the online password meter). Great hint. :thumb: