Internet Security Walk-Through Tutorial

[Ufostrahlen]

Thanks Ufostrahlen! Fuck em!

Yeah, it's so funny that people still are on Facebook. I mean why not Google+ (still meh, but I don't think they do crap like biometric face recognition) or Diaspora (privacy yay, functionality beta). I totally understand the need for being connected, but Facebook?!! Some folks deserve to be spied on.

Some additions to the Mail sections:

Add end-to-end encryption to your webmail address with Mailvelope! - OSS GPG plugin for Firefox and Chrome that let's you encrypt your mail within the mail provider's interface. Yes, there are stubborn persons like my sister who dislike mail clients. I don't understand why, but there's a need for this, too.

Yandex.ru - My favorite mail hoster, especially good for Americans. Putin laughs about court orders from the US or other countries. You only need Google translator for the sign up (no mobile phone number required) and a Cyrillic alphabet to copy from (Wikipedia) for the captchas. But then you have a sweet mailbox in Russia with no NSA access. Encrypt with GPG nevertheless, because the Russian intelligence scans mails, too.

And no mention of PRISM Break ? It's THE software directory for open source security software. Granted, most of the software is already mentioned in the walk thru.

 

[NotTwo]

Hey PsilocybeChild, just read your pdf. That is amazingly well researched and thank you so much for sharing

Would be interesting to know if anyone on this site is NOT using at least something like Tor to login.

I'm a little horrified that my ISP logs the fact that I'm browsing with Tor (even though they can't see what I browse) and that instantly puts me into a higher suspicicion group. Percentage of the population using Tor is still quite low so get the message out there - install Tor and use it for at least some of your browsing!

I occasionally use Tor over VPN but this is painfully slow even over a fast fibre optic connection.

 

[doodlekid]

@PsilocybeChild

Thx again for this work. Gives me headstart on these things. But still a question.

DNSCrypt seems not to be working on Linux. I have installed Antergos for now and succesfully installed and enabled DNSCrypt. Set the DNS server to 127.0.0.1 on IPv4. But when I want to browse (without Tor) I can't access any page. I have to remove the DNS server and set it to automatic before I can visit any page again. Tor works fine though.

Any hint how to solve this?

 

[PsilocybeChild]

@doodlekid, that is because DNSCrypt uses european DNSCrypt DNS Servers.

I originally was concerned DNSCrypt was not using OpenDNS dns servers. When I contacted OpenDNS Support about it, they responded:

Hello,

OpenDNS has the largest DNS network in the world, so pointing to us could mean faster resolution and more reliability. In terms of encryption, yes, any provider on that .csv list will provide encryption.

OpenDNS is faster but not recommended, e.g.:
does not support DNS Security Extensions
does not support Namecoin domains
logs your activity

So I left it set to it's default DNS
DNSCrypt does encrypt DNS by default and sets your DNS Servers. Just follow my directions.

Once installed start DNSCrypt Proxy by typing into your terminal:
sudo systemctl enable dnscrypt-proxy.service
then
sudo systemctl start dnscrypt-proxy.service

^^That's all you need to do after install.

Check DNSCrypt status by inputing:
sudo systemctl status dnscrypt-proxy
Upon which it should state active (running)

P.S. Awesome to hear that you installed Antergos. Hope you enjoy it as much as I have! If you have any problems or questions about it message me!


@Ufostrahlen Thank you for your contributions! I recently heard about mailvelope and and keybase. Will look over all of these and add to the tutorial when I have time. Yes, I have read the prism-break site and found some of the mentioned software and services there. I should add a mention of it at least somewhere.

@NotTwo Thank you for the appreciation! Love to hear that people are actually using this and finding it helpful.

Also remember to use a separate email address from your regular email, for things you don't want to be connected with, like darknet markets or whatever.
Thanks all!

 

[doodlekid]

Yeah I did all that. The response was this standard message indicating it's connected and runing blala. But when browsing it won't load any page. I had this as well in Windows, but somehow it just didn't occur after a while and two reinstalls. Maybe it has to do with the DNS server. I use the standard (dnscrypt-eu.nl) which is close by...

Anyway I'll give it another try. It took me a while to get it installed on Antergos. Maybe it would be a good thing to expand the DNScrypt stuff cause it's not easy.

But it's great to be working with Linux. Actually it takes the consumerness out of computer use. Don't know what took me so long.

 

[PsilocybeChild]

Sorry I didn't catch this sooner my friend.

Set the DNS server to 127.0.0.1 on IPv4. But when I want to browse (without Tor) I can't access any page.

This is your problem and has nothing to do with DNSCrypt.

Set Socks Host proxy to 127.0.0.1 and the port to 9150, not DNS!
WiFi>WiFi Settings>Network Proxy>Manual>and edit Socks Host line.

When you're set to 127.0.0.1 for tor but don't have tor open, you will not be able to browse.

Use firefox to add extensions to gnome. go here: jam-Proxy Switcher - GNOME Shell Extensions
When Firefox prompts you just under the address bar make sure to click to make firefox accept "Gnome Shell Integration Plugin" and set it to remember that choice. Install that extension jam-Proxy Switcher.

This gives you a convenient toggle on the topbar.
When you are using Tor set it for manual. When Tor is closed, set it for none.

I reworded this making it a bit easier to understand in the tut.

 

[doodlekid]

Well I saw that both Win7 & Antergos have this issue now. It did work for Win7 and I don't have tor on that OS.

If it proves to be some nasty thing I will come back to this. For now I will try support and see if they can help me find the problem.

I try your solution as well...

But the one thing that troubles with all this, is how can you verify that you're actually using the DNSCrypt service... See, it reports that it's properly installed, connected to the server etc. But, as long you have automatic DNS you're not using it, right? So how can you actually verify that the service is being used by the system when you have set the DNS to 127.0.0.1?

 

[PsilocybeChild]

No, you should be using automatic while using it. It installs or modifies local system files, and as long as it's installed and the service is working, then it's running.

I forget the system files. I think one is /etc/conf.d which will say, for example,

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=53
DNSCRYPT_RESOLVERPORT=443
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver2.dnscrypt.eu
DNSCRYPT_PROVIDER_NAME2=2.dnscrypt-cert.resolver1.dnscrypt.eu
DNSCRYPT_PROVIDER_KEY=3748:5585:E3B9088:FD25:AD36:B037:01F5:520C648:9E9AD52:1457:4955:9F0A:9955
DNSCRYPT_PROVIDER_KEY2=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
DNSCRYPT_RESOLVERIP=77.66.84.233
DNSCRYPT_RESOLVERIP2=176.56.237.171

 

[Ufostrahlen]

Bump. Because this more than relevant:

CISA: the dirty deal between government and corporate giants.

It's the dirty deal that lets much of government from the NSA to local police get your private data from your favorite websites and lets them use it without due process.

[..]

Wait, wasn't there some other bill like that?

Yep, you’re probably thinking of CISPA, which was already resoundingly rejected in Congress three times after overwhelming public outcry. Here's a good comparison of the various bills at play.

https://www.faxbigbrother.com/#faq

The Cybersecurity Information Sharing Act (CISA S. 2588 (113th Congress), S. 754 (114th Congress)) is a proposed law to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes".[1] The law would allow the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies.

[..]

On September 14, 2015, the BSA published a letter of support addressed to Congress, signed by board members Adobe, Apple Inc., Altium, Autodesk, CA Technologies, DataStax, IBM, Microsoft, Minitab, Oracle, Salesforce.com, Siemens, and Symantec.[11] This prompted the digital rights advocacy group Fight for the Future to organize a protest against CISA.[12]

Cybersecurity Information Sharing Act - Wikipedia

en.wikipedia.org

 

[PsilocybeChild]

Thanks for bumping with that. This must be shared.

 

[PsilocybeChild]

Nother update.

v1.9 How to get Bitcoin, Email section rewritten (current email protocols leave much to be desired, link comparing and contrasting providers), Fix Url Links Redirect extension breaks some pages, difference between an unlocked and a rooted phone.

 

[doodlekid]

Thanx for the updates!

Came across this document:

How_to_Exit_the_Matrix

If you don't have TOR, you can add .cab to the .onion extension, but this is not anonymous.

It seems to cover a lot of ground. From what I cam make of it, it's written a few years ago...

 

[PsilocybeChild]

Read it thanks. Also added the mailvelope info and the facebook quote thanks to Ufostrahlen. and a small revision about the possible need to reactivate phone with service to fix issues after a new OS/firmware install.

 

[PsilocybeChild]

updated

 

[PsilocybeChild]

Updated. Feel the need to bump this as I need to retract or add caution to previous statements to avoid causing anyone instability or loss.

I recommended Bitcoin Fog as a BTC tumbler, and it has somewhat of a reputation for selective scamming. There was a page on reddit I can't seem to find now which had compiled posts from users who felt that they were scammed by them. although I have not had issues.

I also want to caution about major version updates in CyanogenMod because you can pretty easily, potentially fuck your phone up good.

v2.1 Cyanogenmod update cautions, esp. major version updates; bitcoin tumblers--replaced Bitcoin Fog recommendation with BitBlender and Grams Helix. BitcoinFog has a reputation for selective scamming; Netflix support for Chromium

 

[Ufostrahlen]

Also, whats the licence of the pdf? Creative commons or public domain?

Do with it whatever yous wish. As for myself, I'm going to sleep! I've been working on that since last night and still haven't slept.

I added the Walk-Through pdf to my signature, so outside Nexus readers can access it, too. :thumb_up:
↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓

 

[KillaNoodles]

---

 

[JDSalinger]

Very nice guys, thank you!!

Will defiantly be passing around, much love.

 

[PsilocybeChild]

Update coming soon but in the mean time:

Signal Desktop
Signal desktop is the new version of TextSecure and Red Phone.
Join the desktop beta!

Signal Desktop

Today we’re making the Signal Desktop beta available. Signal Desktop brings the trusted private messaging experience of Signal to the desktop, with a simplicity that allows you to seamlessly continue conversations back and forth between your mobile device and your desktop computer.

whispersystems.org

Sync encrypted messages and media across platforms (desktop, phone, etc.)


______________________________________________________________________________________________

RandomDNS makes DNS secure. It's based on DNSCrypt but we've added a bunch of new cool features. RandomDNS aims to improve the security, privacy and anonymity of DNSCrypt. It can randomize the server choice at runtime and can rotate it frequently.

Features of RandomDNS
-Randomize the provider at runtime
-se (-E)phemeral keys option
-Securely run DNSCrypt proxy by verifying its hash, copying it in /tmp dir with restricted permissions and launching it as "nobody" user (if reverse proxy is enabled)
-Watch the proxy process and relaunch it if it dies
-Can run multiple instances of DNSCrypt and load balance the traffic (EdgeDNS)
-Have in-memory caching of DNS requests along with Consistent Hashing (EdgeDNS)
-Can filter the server list by protocols, country and much more
-Rotate the server with a defined time (default: 10 minutes)
-Support DNSSEC (EdgeDNS)

https://github.com/pwnsdx/RandomDNS

When I figure this out, I will post how-to info.

 

[Valmar]

Many thanks for this wonderful resource, PsilocybeChild!

A feature request: could you create an index for quick and easy navigating? Thanks in advance!