Please help me :)

Discussion in 'privacy general' started by mirimir, May 10, 2018.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'm researching a project on how best to advise people about privacy, security, and associated OPSEC. I'd like to get a sense of the most common concerns and questions. And what sorts of advice are most useful, and what sorts are less so.

    So anyway, if you recall good examples, please post links in this thread, or PM me.
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Are you talking about creating awareness or advice for people that are already concerned about privacy?
     
  3. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,559
    Location:
    USA still the best. But barely.
    Need to know your audience before giving my input.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Advice. For people who hit the IVPN website, but don't really know what they want. What IVPN has is a VPN service, but that doesn't stop them from asking :)
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    RL is asking the right questions here.

    Teaching people to value their privacy and security when they've already forfeited it to maintain a gadgetry addiction is almost mission impossible. For those who are interested it is still a very difficult task as the landscape is always changing. I think there's a real need to have a good cross section of material - of course it must be suitable for those just starting out. If it's too complex they'll just run in the other direction.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, and I am just so totally out of touch.

    I could dig through Wilders history. Maybe /r/privacy etc.

    But I figured that I might as well ask :) And not just about good answers. Please call me out about useless advice :)
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    This is just for people who are aware enough to think about using VPN services. But aren't sure whether that's enough. Or are confused about what else would be useful.
     
  8. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,559
    Location:
    USA still the best. But barely.
    I'd ask if they use FB, twit & the like. And what amount of effort & learning they will contribute. That'll eliminate 99%.
     
  10. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I think "FB, twit & the like" would easily take up that 99% before even considering adding in effort etc.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    For most users, the key point is compartmentalizing "FB, twit & the like" from whatever it is that you want a VPN to keep private. Some do use VPNs etc to "abuse" social media in one way or another, but they don't need my advice :)
     
  12. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    If you want iVPN to be THE must-have privacy application for Windows, tell them to develop a fully fledged application-based outbound packet-filtering firewall built into their VPN client, with individual application-based IP rules and access alerts for the user and plugin ad and tracker domain block lists. That would enable the user to block phone-home applications, data mining, all kinds of privacy-invasive stuff like system telemetry that uses the VPN, and then the user could hardware firewall any leaks that try to bypass the VPN interface to block access to the regular internet.
    Their devs should be able to do that because I believe the VPN client will already be stripping IP routing info from the packet headers and replacing it, so examining packet routing info should be right up their street.
    There is all manner of things that could prevent, such as hidden system applications that could send info about applications that are using the VPN and delivering a hardware ID such as MAC address to a third party that would break the VPN anonymity.
    Seriously, that would make security and privacy conscious Windows users drool.
     
    Last edited: May 11, 2018
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That is an interesting idea, and I'll pass it along :) The Windows app does have a tight firewall.

    But now I'm focusing on advice for users. So I'd say to compartmentalize, by using IVPN in a dedicated VM, with nothing on it about meatspace stuff. And to use Linux to minimize telemetry.
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I'd say the biggest threat to anonymity is device hardware IDs, OS and application serial numbers.
    So assume your OS and other privacy-breaking applications will try to send those IDs regardless.
    Therefore ideally use a device that you personally have never used to access the internet, so nothing on the machine can be already linked to you.
    Install Qubes, use VPN in VM and never use it for anything but anonymity, because if any device hardware ID or application serial number leaks over your VPN it will link all the identities used on that machine.
    As long as they are all anonymous identities that won't compromise the actual user. One of the things I don't know what to do about is ARP, which is level 2 networking and deals with sharing a device MAC address with routers and WIFI access points.
     
    Last edited: May 11, 2018
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @RockLobster -- Solid advice :) But Qubes is overkill for many, I suspect. Or at least, it's too hard. Using VPNs in VMs is not that hard. And it's better than nothing. If you really care, it's also good to use a host machine that's not linked to you through prior use.
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes, and use a Linux distro in the VM that supports MAC address spoofing and hope that is enough to prevent the real one leaking, and disable WIFI completely. Take it out.
    Yes, many would think Qubes is overkill but I think if you are looking for anonymity in the surveillance state, nothing is overkill.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    MAC addresses in VMs are already totally made up. And you can get a new random one in the VBox GUI. But not when the VM is running.

    Yes, no WiFi. In particular, no VMs bridged to WiFi adapters:
    https://www.virtualbox.org/manual/ch06.html
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I've been reflecting on a couple of reported cases recently where University students have been suspended after what they thought were private group chats (Whatsapp and FB Group Chat), were made public. Leaving aside the reprehensible nature of the chats and the technology involved, this highlights, for these purposes, the fact that with electronic communications, very little is really private, and there is nothing really to prevent your correspondents from outing you.

    http://www.bbc.co.uk/news/uk-england-devon-43473517

    http://www.bbc.co.uk/news/uk-england-coventry-warwickshire-44052070

    This is really saying how vital OPSEC is. If you want to be private, you must not be known to your correspondents in an attributable manner, because they can and may use your electronic statements against you. There is a strong case for being able to issue a strong denial that it was you. But in most social situations, this is simply not possible. Therefore don't do it electronically - in meat space.

    In fact, there is a good argument for saying very little electronically that is attributable, because it is recorded indefinitely (or you have to assume that is the case), it can be easily misinterpreted or taken out of context, there is no room for irony/sarcasm, and the Zeitgeist is such that there is no absolute freedom of speech, even in what you imagined was unbuttoned private chat. With hate speech laws, you can be prosecuted, lose jobs etc.

    It's a funny old world where you are electronically only able to say what you think with complete strangers!

    On a technology control front, I'm intending to investigate Firejail's ability to set IP and MAC addresses in the jail's network namespace. Also, randomising machine id. Since these can potentially be randomised on the invocation command line, it offers a potential solution to create multiple isolated containers with different "machines" in a lightweight way. If anyone has experience of this, I'd be grateful to hear about it.

    I'd also note that more recent versions of pfSense do have an id (as a handle for subscriptions); this isn't sinister and can be removed.

    Finally, I think reassuring users - who have already been able to set up and manage a Windows box and apps - that running a Vbox Linux virtual machine is dead easy, is an important and responsible thing to do. There are many benefits of doing so from a security point of view, regardless of anything else.
     
    Last edited: May 11, 2018
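Added example, not part of deBoetie's post or of the Firejail project: a shell sketch of per-invocation randomisation using Firejail's `--net`, `--mac`, `--ip` and `--machine-id` options. The bridge name `br0`, the `10.10.20.0/24` subnet and the helper function names are assumptions for illustration; the bridge must already exist on the host.

```shell
#!/bin/sh
# Build a Firejail command line whose network namespace gets a fresh
# MAC address, IP address and /etc/machine-id on every invocation.

# random_mac: print a random MAC that is locally administered and unicast,
# so it cannot collide with a vendor-assigned (OUI) address.
random_mac() {
    # Six random bytes as two-digit hex words.
    set -- $(od -An -N6 -tx1 /dev/urandom)
    # First octet: set bit 1 (locally administered), clear bit 0 (unicast).
    first=$(( (0x$1 | 0x02) & 0xfe ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# random_ip PREFIX: print PREFIX.N with N in 3..252, leaving the low
# addresses free for the bridge/gateway. PREFIX is the first three
# octets of an assumed /24 subnet.
random_ip() {
    n=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
    echo "$1.$(( n % 250 + 3 ))"
}

# jail_cmd BRIDGE PREFIX PROGRAM...: print the Firejail invocation.
# --mac and --ip apply to the interface created by the preceding --net;
# --machine-id gives the sandbox a newly generated machine id.
jail_cmd() {
    bridge=$1
    prefix=$2
    shift 2
    echo "firejail --net=$bridge --mac=$(random_mac) --ip=$(random_ip "$prefix") --machine-id $*"
}

# Print (not run) one invocation; each call yields different identifiers.
jail_cmd br0 10.10.20 firefox
```

Two sandboxes started this way on the same bridge can still draw the same random IP, so a real setup would check for a collision before launching.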
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All of what is being said here is great for Wilders users but useless for John Q public. Most people won't have a clue what a virtual machine is, and less so about Linux. And if you're dealing with Facebook users, walk away.
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,955
    I'm afraid you are absolutely correct. I would just tell them to back up their important files as often as possible, use a security suite and keep their programs up to date. Even this elementary stuff is probably much more than average Joe is prepared to do on a regular basis.
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I don't agree completely, because what you need is the seed, the techie, to set things up. Most families/groups have such a person. And I've been successful in inflicting practical VM setups on friends and workplaces, in part because they are actually MORE maintainable than individual environments. Replacing a VM is a file copy. And, for example, it's the only way of delivering some sweet Firejail browser profiles with Multi-account container stuff built in, so that they get higher protection without even being aware of it.

    The users find it no particular issue to start a VM icon and then a browser - their main concerns are performance. I think it works because it's a superset environment that weans them away gracefully from a particular OS.

    I think you might also be surprised at how widespread the desire is to - say - set up and use a VPN. Once you've done that, extension to actually doing it "properly" is a never-ending skills development process.
     
  22. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I don't agree either, Mirimir is talking about writing for iVPN, anyone who is visiting iVPN is probably savvy enough to be looking for a VPN provider which means they are at least learning about private internet connectivity so the type of information discussed here would be food for thought, for that kind of person.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's the hope. But @Peter2150 does have a point. I'm sure that many make it to IVPN's website from links. Without exactly having a clue what VPNs do -- and don't do -- for them. Or just what they want done :) So we gotta do a threat assessment, but without mentioning the term.
     
  24. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    It seems to me the threat assessment is fairly consistent across the main VPN providers. They are selling to those "peeved" by the Snowden revelations, and the subsequent dismal flood of bad privacy news. The other "big" issue is that of content restriction, and hoping to get round that.

    That responding to this threat goes way beyond a single control like a VPN perhaps doesn't matter - once you enter the water, you start to find more and more information about what else you have to do.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That makes sense. And I'll ask IVPN about it.
    True. And that's the issue here. They ask IVPN support about what else to do. So someone (or something) needs to walk them through a threat assessment.
     