Brief How-tos

This page briefly explains how to use various tools which enhance your privacy, anonymity and overall security. The guides are written in an easy to understand, step-by-step manner. The difficulty and time required for most of them don't provide any reason to not secure your communications and blurring your digital traces.

FIXME This page has grown and is hard to navigate in. Recommended re-arrangement:

  • Move each guide under separate article, not headline
  • People attending crypto parties carry different devices with different operating systems. Therefore, do not arrange stuff under Windows, OSX, iOS, Android etc, but instead under topics, and then explain how to do that for each system. This is because general, cross-platform introduction to each technology (e.g. what is E2EE messaging or FDE) is usually required, and having a copy of what is is FDE for each OS creates pointless redundancy.
  • Make this a landing page with short explanation of each tech and add link to actual article(s).

Why is mass surveillance a problem?

Quotes

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
~Edward Snowden (on NSA surveillance)

All the headlines saying #NSA breaks encryption are wrong; correct phrase is NSA works with vendors to sabotage security technology.”
~Cory Doctorow (on NSA Backdoors & 'cracking' encryption)


Security warning

Note, however, that security is a process, not a tool. You need at least basic understanding to assess the degree of security or anonymity a tool can give you. That said, treat it like a game. The worst thing which can happen, if you use these tools for your everyday business, is that you are just as insecure, unencrypted or in the open as you would be anyway.

All security sensitive activity (which is both prohibited, and prosecutable by the society and/or the government) without deep understanding is strongly discouraged.

Guides to Crypto Tools

Alternatives to common online services and programs

Web Browsing

To get an idea of what web browsing actually is, read the chapter Understanding Browsing of the CryptoParty Handbook. In brief:

  • When you visit a website you give away information about yourself to the site owner, unless precautions are taken.
  • What you search for is of great interest to search providers (mostly for targeted advertising).
  • Your browsing on the Internet may be tracked by the sites you visit and partners of those sites.
  • Visiting a website on the Internet is never a direct connection. Many computers, owned by many different people are involved.
  • Encrypted connections (HTTPS a.k.a TLS) ensure that your browsing can not be read in between you and the server.
  • TLS is important, but since the server belongs to an untrusted third party, your primary protection when browsing the web and publishing to web is anonymity.

See what companies know about you by facing a virtual mirror to yourself on

Tor Browser

Tor Browser is

  • Anonymous and secure by default. For more information, see this and this article
  • The best option out there
  • Based on the Mozilla Firefox, an open source web browser that respects your privacy
  • Designed to protect you against surveillance done by companies and governments

Setup

Before browsing

  1. Watch the "Using Tor" from CryptoParty Boston.

Adjust the Tor Browser security settings

  1. Before accessing .onion sites (i.e. Onion Services), make sure to click on the in the upper left of the browser and choose “Forbid Scripts Globally”. This prevents JavaScript from leaking potentially personally identifiable information - disable for individual sites if needed.
  2. set the security setting level to Safest and lower it only if it has major effect on your browsing experience. The Security setting can be found under the Tor logo in navigation bar.

WARNING! Do not install any browser add-ons to Tor Browser. The anonymity Tor provides is based on the fact all users look identical. If you install an add-on that makes your browser fingerprint unique, it means you will stand out from the crowd, and you can be tracked.

Firefox Browser

For browsing that can't be done anonymously (i.e. browsing that requires you to log in – think banking, shopping, social media), switch to Mozilla Firefox. It's as good as Chrome, fast and the most extendible browser with most add-ons. It's available for Windows, Mac, and Linux. Firefox supports many useful security privacy enhancing plugins discussed next.

Ad block plugins

  • uBlock Origin has become the de-facto ad-block plugin for Firefox.

Security plugins

  • HTTPS Everywhere has a big list of websites that support encrypted connections, and whenever you connect to them silently switches to the encrypted variant. That little “s” in the URL is what it is about.

Privacy plugins to block tracking

  • Disconnect.me is a free and open source add-on that blocks tracking elements based on block lists.
  • Privacy Badger does a similar job, but based on heuristics rather than block lists.
  • Disable WebRTC prevents IP-address from leaking via WebRTC connections (note: may break some sites).

Advanced plugins

WARNING! Only enable JavaScript, and especially plugins like Java, and Flash for sites you trust.

Certificate plugins

Your browser trusts many certification authorities and intermediate sub-authorities quietly, every time you enter an HTTPS web site. The Firefox add-on Certificate Patrol reveals when certificates are updated, so you can ensure it was a legitimate change.

FIXME Please review add-ons such as

Another thing you might do often on the web is use Google to search things. There are plenty of alternatives to Google who all state that they keep minimal or no IP logs, but blind trust is never a good option. A much better choice is to always use the Tor Browser to actively hide your IP. Even better, some search engines provide a Tor Onion Service (.onion site) that makes tracking the users even harder. Most popular ones are:

    • proprietary, hosted in the USA/Netherlands, and provides you with anonymized Google search results (including images)

How to change default search engine

General Tips

  • Regularly run CCleaner (Windows & Mac) or BleachBit (Windows & Linux) for deleting cookies and various other junk.
  • Check the privacy settings of websites. For example if you have a google account you can deactivate the logging of your searches and the personalized advertisements. Log in to your account (android phones come with google accounts) and change various settings on the dashboard
  • Opt out from various tracking advertising firms using http://www.networkadvertising.org/choices/ & http://www.aboutads.info/choices/
  • Check the privacy settings of applications that you use
  • If you use Windows do a File System Check once in a while by entering “sfc /scannow” into the console
  • Disable all Plugins in your Browser or set them to “Ask to Activate” (in Firefox)
  • Don't use a password across multiple sites or the same as the one you use to encrypt ie your hard drive. Also don't google it or anything alike. More tips on good passwords
  • Use antivirus software and a firewall. Do regular scans & updates
  • Regularly update all of the software to ensure security vulnerabilities are patched.
  • Check if you have an account that has been compromised in a data breach on HaveIBeenPwned.com

Insecure software

Update your software frequently and uninstall (or at least deactivate) insecure software or software for which vulnerabilities have recently been disclosed and not yet patched.

Uninstall Adobe Flash.

Personal Website hardening

The following is for people running their own website.

  • If your website has facebook-like buttons, see 2-clicks for more privacy
  • Make your website available via HTTPS, or even better, redirect unencrypted connection attempts to the encrypted version. First follow these instructions for getting the certificate then install it as in the appropiate tutorial here. Secure Sockets Layer provides an encrypted connection between the client and the server/certificate holder.

Close Unused Ports (Linux)

From the command line, you can see which ports are open on which interface by typing:

      sudo lsof -i -P | grep LISTEN

* means it is listened on all interfaces (reachable from the outside)

localhost means the ports are only opened locally (only reachable from the user's own computer).

Services can be removed, disabled, or configured to only listen locally.

Secure communication

Public key encryption

Uses who desire secure communication, whether it's email or instant messaging, benefit greatly from understanding the basics of public key encryption (a.k.a. asymmetric encryption). Please watch (one or more) of these videos to get a general understanding of what public key cryptography is about:

  • 5 minutes: Simply Explained explains the principles of public key encryption
  • 4 minutes: CompTIA Security+ certification material on public key cryptography

For people who want slightly more detailed look into how Diffie-Hellman and RSA algorithms work, see

  • 9 minutes: Art of the Problem explains Diffie-Hellman key exchange
  • 17 minutes: Art of the Problem explains RSA encryption
  • 5 Minuten: E-Mail-Verschlüsselung: Der digitale Briefumschlag (DE)
  • 5 minutes: PGP benutzen Stopmotion-Film (DE)

General principles

  • Symmetric encryption can protect content such as any length message, call, file, or even video stream.
  • Symmetric encryption doesn't solve key delivery problem: Sending symmetric key to contact without any protection is useless.
  • Key delivery of symmetric key is handled by asymmetric ciphers.
    • Diffie-Hellman (derive key by combining private and public value)
    • RSA (encrypt key with another key)
    • Diffie-Hellman is better than RSA for key

Encryption must be end-to-end

  • Client-server encryption is useful when browsing web, accessing online bank, bying things online: Effectively End-to-end encryption because other end is the server.
  • When the other end becomes a buddy we want to talk to, server becomes an untrusted third party.
  • Many bad messaging apps like Telegram by default send everything via client-server encryption, meaning server can read, modify, and copy the message content.
  • For messaging with buddies we need end-to-end encryption, where messages are encrypted and decrypted only by you and your buddy.
  • This is equally important, whether we're talking about email, instant messaging, calls, or video calls.

End-to-end encryption requires two equally important parts

  • Private key(s) must never leave the user's device without password protection that only the user knows
  • Public keys from contact's must be verified to actually originate from contact's device, otherwise end-to-end encryption can be eavesdropped with something called a man-in-the-middle attack. Verification is done in almost all applications by comparing public key fingerprints, also called safety numbers, and security codes.

Chat

Signal protocol

Signal-protocol is a modernized version of OTR-protocol that is designed to work in asynchronous environments such as on smartphones. This is because on smartphones apps open and close so frequently, OTR-sessions (that need to be established for each time they're used) become inconvenient.

More information

Applications that use Signal protocol or similar (so called double-ratchet algorithm based) protocols

OTR

Warning, the OTRv3 is starting to show its age, e.g. wrt. the key size used (1536-bits). The OTRv4 standardization is still a work-in-progress, thus Signal protocol should be favoured until the next gen OTR is ready to deploy.

Off-the-Record (OTR) messaging allows you to have private conversations over instant messaging by providing:

  • End-to-end encryption: No one else can read your instant messages.
  • Authentication: You can verify that end-to-end encryption is not under man-in-the-middle-attack.
  • Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
  • Forward secrecy: If you lose control of your private keys, no previous conversation is compromised (assuming control of log files was not lost at the same time).

A variety of chat clients are available which use OTR:

Clients that support the OTR-plugin

  • Gajim (Windows, Linux, MacOS)
  • Pidgin (Windows, Linux, MacOS)
  • Adium (MacOS only)

Clients with built in support for OTR

How to use

IRC

IRC over Tor

Note that if you don't use the Tor Browser Bundle (but just tor) replace 9150 with 9050

For the XChat IRC Client (or Hexchat):

  • Start Tor.
  • In Xchat go to Settings→Options→Network Setup and enter the following:
      Hostname: 127.0.0.1
      Port: 9150
      Type: Socks5
      Use Proxy for: both
  • Save and make sure you don't connect with the nickname you use without tor.

For the irssi IRC Client go here: https://www.cryptoparty.in/documentation/irssi_plus_tor

For the mIRC Client:

  • Press Alt+O to open the options dialog
  • Go to Connect → Proxy section
  • Under Connection select Both
  • Under Protocol select Socks
  • Under Hostname enter “127.0.0.1”
  • Under Port enter 9150 & press OK.

There are also tor-internal IRC servers to which you can only connect once you set up the above. You can find most of them here

IRC with I2P

Pidgin over Tor

  • Go to the Accounts, select your Account
  • Select Edit Account
  • Go to the Advanced Tab
  • Under Proxy Options select proxy type SOCKS v5
  • Enter 127.0.0.1 for the host and 9150 for the port
  • Leave user/pass blank

See also: https://help.riseup.net/en/chat/clients/pidgin#tor-with-pidgin-configuration

Securing pidgin on GNU/Linux

Other

  • Retroshare lets you securely chat and share files with your friends and family, using a web-of-trust to authenticate peers and OpenSSL to encrypt all communication. It provides filesharing, chat, messages, forums and channels.
  • pond is a heavily encrypted replacement for email
  • I2P Messenger is an end-to-end encrypted serverless communication application over I2P. It supports file transfer and has a search for other users.
  • BitMessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong authentication which means that the sender of a message cannot be spoofed, and it aims to hide “non-content” data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs. Tutorial for setting up and using Bitmessage – an encrypted communications platform based on Bitcoin

Email

Which provider?

Email, like all secure communication, has two aspects to protect: content, and metadata. Practically no email provider provides you with either of them on its own.

For email protection, you want any provider that allows you to enforce your own privacy by doing the following

  • Access the email with email client that offers end-to-end encryption (protection for content).
  • Register and access the email account anonymously via Tor (protection for metadata).
  • Doesn't require personal information during use or registration.

Thus, if e.g. the service requires you to confirm your phone number, it is not anonymous, and it does not protect your privacy even if you could otherwise use Tor to register and access it: they already know who you are. Same goes for payment details, so make sure to evaluate whether paid features are worth it. Sometimes being anonymous and tracked is more private than paying for the service and not being tracked although the service provider knows who you are.

Check https://prism-break.org/en/subcategories/web-services-email-accounts/ or http://prxbx.com/email/ for recommendations.

One good Email provider is ProtonMail. Another good alternative is to use an e-mail provided by a non-profit such as Riseup (Make sure to donate, even if it's just a little).

PGP end-to-end encryption

As you may know, your email goes through the data traffic like a postcard in snail-mail: Everyone can read it!

So, like snail-mail, it would make sense to put your emails in a closed envelope. The most common envelope is called PGP. The terminology around PGP is quite a jungle, so below is a dissection that explains the relation between these terms:

  • PGP is an abbreviation of the Pretty Good Privacy, an encryption program originally written by Phil Zimmermann in 1991.
  • PGP is a commercial product and is now owned by NortonLifeLock.
  • OpenPGP is the open standard that defines the appearance of the envelope all OpenPGP applications use.
  • gpg or Gnu Privacy Guard is a common OpenPGP client program for Linux operating systems.
  • Gpg4win is like gpg but for the Windows operating system
  • Another OpenPGP client program is called Enigmail, a plugin for the Thunderbird and Postbox email clients.

Warning!

While email encryption is still mostly secure, the nature of PGP messages has two inherent problems.

  1. Lack of forward secrecy: PGP uses long term decryption keys that never change. If at any point in future your device is stolen, accessed or hacked, all past messages recorded by powerful attackers can be decrypted, even if you have deleted messages from your own devices.
  2. Lack of deniability: In PGP, the authorship of messages is verified with what are called digital signatures. These digital signatures can only be created by the sender, and any message you send can be proven to have been written by you.

These problems have since been solved in modern end-to-end encrypted messaging porotocols like OTR, Signal protocol, OMEMO, etc. that are also easier to use (see below). Therefore, unless you absolutely have to use email, it is advised to always use modern messaging applications instead of PGP.

Use a Mailclient with GPG support

A Mailclient is an application for your mail on your computer. It makes mailing even more convenient!

1. Install a mailclient

We recommend Thunderbird, but there are plenty of good ones out there! (see https://prism-break.org/en/subcategories/windows-email-clients/ or for Linux] for a list).

2. Install GnuPG

3. Plugin Enigmail

Enigmail is a plugin for Thunderbird that brings thunderbird and GnuPG together.
Find the add-on manager in your Thunderbird (upper right side menu) and install enigmail there. On Linux, install it via your software manager. The package is usually called enigmail.

4. Passphrase

Now you want to give yourself some time to think about a nice passphrase and making sure you remember it.

5. Generate Keypair

  • Click OpenPGP in the Thunderbird menu and
  • choose OpenPGP Setup Assistant or … Wizard (depending on version).
  • Follow the instructions. When not sure, the default value is usually safe.

Afterwards, it will ask you if you want to make a revocation certificate. Do so, and store it on a safe medium (that is either a print-out or a CD you burn it to and then put away in a safe place).
If you have already generated a keypair or want to follow instructions like the ones given keypair or want to follow instructions like the ones given by Alex Cabal, you should run the Setup Assistant anyway and then choose the already generated keypair at the appropriate step of the wizard. For a more detailed description of the mechanism of public-key encryption, please refer to keypair at the appropriate step of the wizard. For a more detailed description of the mechanism of public-key encryption, please refer to The GNU Privacy Handbook.

6. Publish Public Key

If you now think “WTF publish my KEY!!11!!!” please watch the above videos again :P
Link it on your website/message it your friend and/or get it up a keyserver such as this one

To get a copy of a public key on Linux with GNUPG run the following command:

gpg --export --armor <your GPG ID>

this will generate output starting with '—–BEGIN PGP PUBLIC KEY BLOCK—–' and ending with '—–END PGP PUBLIC KEY BLOCK—–'. '–armor' makes the key read- and printable.

7. Get your recipient's Public Key

If your intended recipient doesn't already use PGP get him to work through this tutorial first. Then get his public key which you can find on a keyserver/website if he doesn't message you it directly. On Linux using GNUPG, your intended recipient should follow the process in step 6 and output it to a file, once you've received this file use the command:

gpg --import /path/to/file.key

The key will now be available to be accessed through GNUPG and thus through Enigmail or other programs that utilise GNUPG.

From the command line, you can see your local collection of keys by typing:

      gpg -k

To find a particular key, type:

      gpg -k <part of name/email/key ID>

To display or search keys in Thunderbird/Enigmail:

  1. Choose “OpenPGP” in the Thunderbird menu
  2. Choose “Key management”
  3. Type part of a name or email in the search box, or check “Display All Keys by Default”

8. Write your first encrypted email

Only encrypt plain text and note that subject lines are not encrypted.

You can use the command line to encrypt a file or a message:

      gpg -ase -r <recipient's key ID> -r <your key ID> <input file name>

This will produce a file (ending in .asc) that you can attach or paste into an email.

To send encrypted mail with Thunderbird/Enigmail:

  • Make sure auto-saving of drafts is disabled (Tools → Options → Composition → General, uncheck Auto Save, or Edit → Preferences → Composition → General, uncheck Auto Save).
  • Compose a message as you normally would.
  • Click on OpenPGP, and check Encrypt Message (and, optionally, Sign Message).
  • Click Send.

Depending on how Thunderbird is set up, it may give you a list of keys to choose from at this point, or it may select keys automatically based on email addresses (This behavior is configurable: OpenPGP → Preferences → Key Selection.). If you see the list of keys, make sure the recipient's key and your key are checked, and click OK.

To decrypt a message from the command line, save the encrypted message to a file, and type:

      gpg <encrypted file name>

To decrypt mail with Thunderbird/Enigmail:

  • Click on the messge.
  • After a moment, the passphrase entry box should appear; enter your passphrase.

To verify a signature:

If the message was signed, there should be a “Good signature” message (visible in the output of the command-line client, or a green bar above the sender information in Thunderbird). If there is a “signature verification failed” message instead, it could mean that the message was tampered with, or it could just mean that you don't have the sender's public key.

GPG with Outlook 2010/2013

GPG also works with Outlook if that's what you're using.

  • Get GPG4Win. You should check GPA & Kleopatra during installation.
  • Open up Kleopatra and go to File→New Certificate→Create a personal OpenPGP key pair.
  • Fill in a name and your email address. Open up “Advanced” and also check “Authentication”. Then click Next & Create Key.
  • Enter a passphrase. Make sure you don't forget it!
  • (Optional) make a backup of it somewhere and upload it to directory service.
  • Install it and if you need to do so get the .NET Framework 4.5. If there's a problem also this.
  • Start up Outlook and make a new email. In the right upper panel you can encrypt (and also sign) your email.
  • Before you send an encrypted email you need your recipients public key block. For testing purposes you can create another account (with a trashmail address) which you delete later. Otherwise you find such keys on websites/directory services or elsewise.
  • Once you have the recipients public key copy it (from & including “—–BEGIN PGP PUBLIC KEY BLOCK—–” until end), open up GPA and simply press ctrl+v (paste).
  • Now make a new email in outlook and fill in the recipients' email address.
  • Enter whatever text you want to send. And then click “encrypt” in the right upper corner.
  • Make sure your recipient has your public key as well.

To decrypt a message you received double click the email and then coose “decrypt” in the right upper corner and enter your password.

More Information

Maybe it wasn't that easy for you to do it, or maybe you want to know more. In either case, please have a look at the following links to some guides and more information:

Having troubles? Go here

9. Use Tor Birdy

You can make your communication extra safe by using Tor Birdy, a Thunderbird add-on for the Tor Browser

  • If you don't have Thunderbird, get it for free here: Thunderbird e-mail client
  • Then you need to install Tor, so follow this guide for setting up the Tor Browser Bundle above
  • Next, download Tor Birdy or choose the direct link to the latest version and save it somewhere on your computer
  • in Thunderbirds, go to Extras or Tools –> Add-ons –> install add-on from file (in German: das Zahnrad wählen und dann Add on aus Datei installieren)
  • then you need to adjust your Proxy to 9150 which you can do at Tools (Extras) –> Settings (Einstellungen) –> Network (Netzwerk & Speicherplatz) –> Settings (Einstellungen) –> Manual Proxy Configuration (Manuelle Proxy-Konfiguration). Type “9150” in the field “Port” at SOCKS-Host
  • install it and restart Thunderbird
  • NOTE: You now always have to open your Tor Browser to use Tor Birdy in Thunderbird. Otherwise e-mails fail to be sent instead.
  • for troubleshooting, refer to the Tor Project Wiki

GPG-Encryption beyond Email (GPA)

If you'd like to use GPG (for an explanation of GPG please see the upper section "Crypto! (GPG-Encryption)") for other purposes besides just Email the video-tutorial beneath might help you out.
If you're using Windows simply install the The GNU Privacy Assistant (GPA) of the GPG4Win-Installer and use the Clipboard to encrypt and decrypt messages by hand. Tutorial:

VoIP

The easiest way is to use WebRTC, which is built into every modern browser. Just go to one of the many rendezvous-sites like https://meet.jit.si, https://talky.io, or https://spreed.me, create a room, and start chatting.

Also, all major instant messaging apps for smartphones, like WhatsApp or Signal, support encrypted calls.

  • Jitsi is an open source multiplatform Voice over IP, videoconferencing and instant messaging application for Windows, Linux and Mac OS X.
  • Jitsi may request non-secure information during encrypted chat if you paste a link into it. This can be disabled in “Preferences/Options > Chat > Enable Image/Video replacement
  • CSipSimple is an open source android app for end-to-end encrypted VoIP calls.
  • Get a free SIP account for Jitsi and/or CSipSimple with The Guardian Project’s Ostel service.

Darknet

A darknet is an internet or private network, where information and content are shared by darknet participants anonymously. More accurately all of them share being anonymous overlay networks.

Tor Onion Services

Tor can also provide anonymity to websites and other servers. Servers configured to receive inbound connections only through Tor are called Onion Services (hidden services by their former name). Rather than revealing a server's IP address (and thus its network location), an Onion Service is accessed through its .onion address. The Tor network understands these addresses and can route data to and from Onion Services, while preserving the anonymity of both parties.

I2P

I2P is a secure, anonymous network resistant to censorship and monitoring and both distributed and dynamic, with no trusted parties. It offers a range of services by default (including an active IRC Chat) and with full support for streaming, anonymous file sharing (BitTorrent), webserving, mail and more. See the comparison between Tor and I2P

Step 1

  • Ubuntu:

Open a terminal (Ctrl+Alt+T) and issue the following commands:

      sudo apt-add-repository ppa:i2p-maintainers/i2p
      sudo apt-get update
      sudo apt-get install i2p

And then ''i2prouter start'' to launch I2P.

  • Windows:

Get the latest installer from http://i2p2.de/download.html & install. Make sure you also install java if you get asked to do so. Then double click on Start I2P (no window)

Step 2

  • The I2P router console should open by this. You can reach it here: http://127.0.0.1:7657/home
  • On the left panel you will see bandwidth of 96KBps and 40KBps for the In and Out speeds. Your most likely have an Internet speed far greater than this. Therefore, you should raise the speeds significantly.
  • Then go here (also optionally): http://127.0.0.1:7657/susidns/subscriptions and remove the textbox's contents, replace with this &save.
  • Now you can either always use a second browser/profile for using I2P or FoxyProxy wildcards:

  1. When installed click the FoxyProxy logo next to the URL bar. And then change “Select Mode:” to “Use proxies based on their pre-defined patterns and priorities”
  2. Click “Add a new proxy” and on the “General” tab, make sure “Enabled” is checked. Also give it a name like “I2P” there.
  3. One the “Proxy Details” tab, select “Manual Proxy Configuration” and enter “localhost” in the “Host or IP Address” field and “4444″ in the port field.
  4. On the “URL Patterns” tab, click “Add New Pattern”, make sure “Enabled” is checked and “Whitelist” and “Wildcards” are selected. Give it a Pattern Name (ie. “I2P”) and in the “URL Pattern” field, enter “*.i2p/*”
  5. Press Ok twice & close. Firefox will now send all .i2p requests through the local proxy. You can now access the “eepsites” hosted within I2P.
  • Alternatively (and recommended for optimal security) you can create another Firefox profile (ie “I2P”) go to Extras→Options→Network→Connection Settings→check Manual Proxy Configuration and then enter the following:
      HTTP-Proxy: 127.0.0.1    Port: 4444
  • Click OK. You can also run 2 firefox instances at the same time using this neat batch
  • Enter about:config and confirm that you're being careful. Search for the following entries and set them all to false:
    javascript.enabled
    browser.safebrowsing.enabled
    browser.safebrowsing.malware.enabled
  • Disable all Plugins. Alternatively to setting javascript.enabled to false you can also use NoScript

Freenet

Freenet is a peer-to-peer platform for censorship-resistant communication. It is more or less a decentralized distributed data storage. Freenet works by storing small encrypted snippets of content distributed on the computers of its users and connecting only through intermediate computers which pass on requests for content and sending them back without knowing the contents of the full file, similar to how routers on the Internet route packets without knowing anything about files—except with caching, a layer of strong encryption, and without reliance on centralized structures. This allows users to publish anonymously or retrieve various kinds of information. So called “freesites” allow you to browse such content. Other types of usage include chat, email & microblogging.

Retroshare

RetroShare is free software for encrypted, serverless email, Instant messaging, BBS and filesharing based on a friend-to-friend network built on GPG. Unlike most P2P networks where your computer will connect to the network and share information with a huge number of unknown peers, RetroShare will only connect to other peers that you have explicitly allowed into your network, and all communications are private.

Communication services in RetroShare:

  • Private chat with friends
  • Private or public chat lobbies, that allow chatting with friends and friends of friends
  • Messages to friends
  • Forums
  • Voice over IP

All you need to do is install the software and generate a PGP/GPG key, which will be used to encrypt and decrypt your network traffic. The hard part is getting at least 5 of your friends to also install the software and to share their public keys with you. Once that is done, you have your very own DarkNet.

FIXME Please add info for “The degree of anonymity can still be improved by deactivating the DHT and IP/certificate exchange services”

Meshnet

Advanced. A meshnet is a decentralized peer-to-peer network, with user-controlled physical links (usually wireless). The most popular meshnet refers to the transitional CJDNS Internet overlay network currently known as Hyperboria.

File Sharing, Torrenting, Warez

For anonymous downloading the absolute minimum is making use of a VPN. Other options are described further below.

Torrenting with I2P

Tribler

Tribler is an open source peer-to-peer decentralized torrent client with various features for watching, streaming & sharing videos online.

Soon (!) Tribler will also feature anonymous downloading by including support for a subset of the Tor onion routing protocol (independent from the existing Tor network).

Frost with Freenet

Frost is a Freenet client that provides newsgroup-like messaging, private encrypted messages, file upload/download functionality and a file sharing system.

  • Download Frost from the link above or via its freesite: USK@oyjm9tEWQ1fYbYDsBfJ017-ip9uTPzPLB52QHMduBIc,HE~wfG205QnSscK-U9FX7hAtGVkJg1~GRjkU1qkceTE,AQABAAE/frost/-1 /
  • Create a directory where you want Frost to reside, and uncompress the zip file in there.
  • Start frost.jar (or .bat) (if you are on Windows) or frost.sh (if you are on *nix) and enter a nick.

Retroshare

RetroShare allows you to share files securely with your friends. It also allows downloads from friends of friends using anonymous tunnels, if the uploader allows it. More information on this can be found here:
http://retroshare.sourceforge.net/wiki/index.php/Documentation:Filesharing

Other

Anonymous Upload & Download of Youtube-Videos

Videos from Youtube have unique metadata embedded into them via our friends at Google (on a per download basis). If that same file is seen elsewhere Google can check their logs to see when that file was downloaded and everything your computer sent, such as your IP address, user-agent and other fingerprinting info.

When using youtube-dl: Make sure to use the false user-agent that Tor Browser uses. Youtube-dl uses your real computer user-agent otherwise, which is not good for privacy.

        --user-agent UA specify a custom user agent
        --user-agent "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"

You can also put these settings into a file “~/.config/youtube-dl.conf” to use as default. Just remember to update it when the Tor Bowser Bundle updates their user agent.

Use Tor or a VPN if you need your IP concealed.

If you plan to reupload or share the video and wish for google to not know which of the downloaders is uploading the file do the following from a Linux terminal:

     $ ffmpeg -i originalvideo.mp4 -acodec copy -vcodec copy newvideo.mp4

That will strip the video to only the video and audio (removing the metadata). You can verify this by downloading the same video twice and checking the sha256sum's against each other. After you strip the video and audio you can see the two different sha256sum's have become the same.

DNS

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. An oft-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.43.10 (IPv4) and 2001:500:88:200::10 (IPv6)….which you probably can't remember as good as a name such as “example.com”. Here is a video explaining DNS

OpenNIC is an alternative DNS root which lists itself as an alternative to ICANN and its registries. By using it your connection to the Internet can't get censored by your DNS server. It also allows you to use DNS servers which don't run logs improving your anonymity.

Currency

Bitcoin is a decentralised, anonymous digital currency.

File Deletion

If you want to delete files on your PC the normal way, they can be easily restored with tools freely available on the Internet (such as Recuva). Because of this you might want to make sure to truly delete files in certain circumstances (ie if you want to sell your PC).

Warning

Right now, there is no secure way to delete files from flash memory. This includes usb sticks, memory cards and solid state hard disks (SSDs). The only responsible way to prevent theft of data on these media is full disk encryption.

Windows

  • DBAN is a self-contained boot disk that automatically deletes the contents of any hard disk that it can detect.
    This method can help prevent identity theft before recycling a computer. DBAN prevents all known techniques of hard disk forensic analysis. Warning to make this perfectly clear: it will erase all data on all hard drives it detects (including external ones(!))“.
  • With Eraser you can securely delete individual files on Windows.
  • With Ccleaner you can do the same for partitions, drives as well as seemingly “free space” [which in reality consists of restorable data] on Windows & Mac. For this go to Tools→Drive Wiper.

Linux

If you want to erase a hard disk (now, because everything is overwritten, this works with flash memory, too), you can simply do so by finding out the file representation of the disk, e.g. /dev/sdx and then executing

dd if=/dev/urandom of=/dev/sdx

as root/superuser. This command is irrevocable, so please double-check before executing it! \\To find a list of current 'block devices' you can use the 'lsblk' program, this will provide a list of the current available block devices by their name. Please note that if you want to properly purge the data you want to overwrite the root device, ie /dev/sda rather than /dev/sda1. as /dev/sda1 is a partition within the block device.

BleachBit provides a means of clearing common caches and other meta information left behind by applications and also includes a 'Free disk space' option, which will attempt to obscure the contents of free disk space by overwriting available disk space with random data (it creates a file, and lets it grow till it consumes all free space) and a 'Memory' option which will do the same for RAM and Swap.

THC Secure Delete provides a set of tools for surely erasing files, swap and memory. srm does secure deletion of files.
sfill does a secure overwriting of the unused diskspace on the harddisk.
sswap does a secure overwriting and cleaning of the swap filesystem. (note that sswap was only tested on linux so far. you must unmount your swap first!)
smem does a secure overwriting of unused memory (RAM) To install the tools on ubuntu issue the command:

sudo apt-get install secure-delete

Mac

Beginning with Mac OS 10.3, Apple enhanced its security by introducing the Secure Empty Trash feature, which follows the U.S. DoD pattern of overwriting data seven times.

Permanent Eraser provides an even stronger level of security by implementing the Gutmann Method. This utility overwrites your data thirty-five times, scrambles the original file name, and truncates the file size to nothing before Permanent Eraser finally unlinks it from the system. Once your data has been erased, it can no longer be read through traditional means.

Photos & Videos

Photo EXIF Data Removal

EXIF (Exchangeable Image File) data is a record of what camera settings were used to take a photograph. This data is recorded into the actual image file. Therefore each photograph has its own unique data. EXIF data stores information like camera model, exposure, and sometimes even GPS-data. While there are many image-hosting services such as imgur.com that strip away the exif data most sites keep it, leaking private information ie for grab to the NSA's XKeyscore program which is planned to mine for the exif data of all pictures getting uploaded.

Other

ObscuraCam is a secure camera app for android phones that can obscure (ie for face blurring), encrypt or destroy pixels within an image.

Virtual Machines & Live Disc/USB

The Amnesic Incognito Live System or Tails is a Debian-based Linux distribution aimed at preserving privacy and anonymity. All its outgoing connections are forced to go through Tor, and direct (non-anonymous) connections are blocked. The OS is designed to be booted as a live CD or USB, and leaves no trace on the machine unless explicitly told to do so.

If you don't want to create these yourself, you can purchase them.

Alternatives to Tails such as Liberté Linux can be found here. The following tutorials also pretty much apply to them as well.

Virtual Machine

A virtual machine is a software based, fictive computer. Virtual machines may be based on specifications of a hypothetical computer or emulate the computer architecture and functions of a real world computer.

  • Download & install Virtual Box
  • Start Virtual Box click “New” in the upper left corner
  • FIXME

Here is a full tutorial for Whonix

Live Disc/USB

A live disc is a complete bootable computer operating system which runs in the computer's memory, rather than loading from the hard disk drive. It allows users to experience and evaluate an operating system without installing it or making any changes to the existing operating system on the computer. Live USBs are closely related to live discs, but sometimes have the ability to persistently save settings and permanently install software packages back onto the USB device.

  • Burn the ISO onto a DVD You can use ImgBurn for that.
  • If you want to have it on a USB stick you first need another stick with tails preinstalled or a DVD, then follow this guide.
  • Make sure the DVD is inserted (or the USB plugged in) then restart your PC
  • Tails should boot automatically. Make sure you “press any key” when asked to do so. If it doesn't work you have to change the boot order in BIOS

If you don't want to create these yourself, you can purchase them.

Operating system

Recommended OS

FIXME Please add tutorial/s for a new OS or 2nd OS

If you (keep) using Windows xp-AntiSpy lets you disable some built-in update and authentication ‘features’ in Windows 7 that are calling home. For Windows 10.

VPN

A Virtual Private Network (VPN), is a private network of computers within a public network (the internet). When you connect to a VPN, the computer acts as if it’s on the same local network as the VPN. All your network traffic is sent over a secure connection to the VPN. Unlike a Proxy, a VPN service provider encrypts all of your traffic, replacing your ISP and routing ALL traffic through the VPN server, including all programs and applications while being faster as each client gets dedicated resources (a single proxy often has thousands of users).

Make sure that..

Windows:

  • Press the Windows key, type VPN, and click the Set up a virtual private network (VPN) connection option.
  • Use the wizard to enter the address and login credentials of the VPN service you want to use.
  • You can then connect to and disconnect from VPNs using the network icon in the system tray - the same one where you manage the Wi-Fi networks you’re connected to.

FIXME Please add how to set up a VPN + recommendations + improve description above

Android

General

  • Make sure your device firmware and apps remain updated.
  • Greenify keeps some apps from running in the background
  • Check all the settings and disable things like location tracking etc.

Antivirus

You should definitely have an anti-virus software running on your device.

Root

Many apps require root-access to your phone. Gaining such isn't that hard to do: just google your device name and firmware (both to be found in the settings under “info to device”​) + “root tutorial”​ as it's different for each device and firmware-version. However there are also multiple reasons of security to not root your device.

Encryption

Permissions

GPG

  • Open Keychain gives you access to PGP keys allowing end-to-end secure communication and encrypted data storage (also mentionied earlier). Additionally, this software supports the YubiKey hardware token for storing your private keys.
  • You can use K-9 Mail together with Open Keychain for encrypting/decrypting, signing/verifying emails.

Firewall

A firewall is an absolute must.

Superuser

  • Superuser for Android allows you to grant and manage Superuser rights for your phone. It also requires root.

Web browsing

  • Firefox is an open source web browser that respects your privacy. It also allows you to use AddOns, such as the following:
  • Adguard for Android, Firewall AND Adblocker for non-rooted phones (not free)
  • Alternatives: AdAway (requires root), Adblock Plus (does not require root) and more
  • Orbot is a free proxy application that empowers other applications to use the Internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by bouncing through a series of computers around the world.
  • History Eraser allows you to delete your search history and various other things (just like Ccleaner/BleachBit for your mobile). It also guides you to some settings that ought to be changed or switched off such as google data syncing. There also is CCleaner for Android.

Notes

  • NoteCipher allows you to create notes secured using industry standard 256-bit AES encryption. Tap “Lock Notes” after finishing.

iOS

iOS is a proprietary operating system whose source code is not available for auditing by third parties. You should entrust neither your communications nor your data to a closed source device (better use android or any of these alternatives).

Calls

  • Signal provides ZRTP / end-to-end encryption for your calls, securing your conversations so that nobody can listen in.
  • The app “Wire” offers encrypted calls with excellent quality and the option to have video chats.

Web Browsing

* Onion browser is a Tor-capable web browser that lets you access the internet privately and anonymously.

Chat

Disc Encryption

VeraCrypt

VeraCrypt is an on-the-fly disk encryption system and the successor of the discontinued TrueCrypt. The software is freely available, runs on multiple operating systems, and is very easy to learn how to use. VeraCrypt also plays nicely with dual-boot systems (such as Windows and Linux). VeraCrypt options include either full disk encryption or the creation of cryptographic container files, which mount as additional drive volumes.

VeraCrypt can also be used to encrypt USB flash memory sticks or digital camera or mobile phone memory cards. The caveat is that it is almost impossible to guarantee to securely wipe or overwrite the data from these devices due to their wear leveling algorithms. Therefore you should use a fresh USB device to re-encrypt the data with a new secret key. VeraCrypt also includes a few options which theoretically provide plausible deniability to the user.

Learn and Use

FileVault

Since version 10.6 of Mac OS X, Apple has offered users the ability to encrypt the home directory of their system. And from 10.7 onwards, Full Disk Encryption has been an option (technically referred to as FileVault 2). Enabling FileVault requires the user to have admin privileges on the computer, and will prompt the user to restart. At the next boot, as soon as the user logs in, FileVault will start doing online encryption of the main system drive. Other drives connected to the computer can also be encrypted by selecting them in Finder and choosing “Encrypt” from the File menu.

When enabling FileVault, in addition to admin users being able to unlock the drive at login, a Recovery Key is also generated, with the option of escrowing this key with Apple. If you choose to do that, you'll have to provide various additional security questions/answers along with your Apple ID. Given the ease of use of FileVault, it should be almost the first thing you should enable on setting up a new Mac. Unfortunately, it doesn't currently work on RAID drives.

FileVault 2 requires OS X Lion or Mountain Lion and Recovery HD installed on your startup drive, which the OS X Lion installer will attempt to create at installation.

Learn and Use

LUKS

LUKS is the Linux system for encrypted disks. It can be selected as an install option on most distributions. (Available in Ubuntu as of version 12.10).

Learn and Use

A detailed step-by-step how to set up an encrypted LUKS partition with Gnome Disks Utility:

https://github.com/mdik/handbook/blob/master/src/chapter_10_disk_encryption/04_LUKS.md

Ubuntu

Ubuntu allows you to encrypt your whole drive as an option when you freshly set it up.

Learn and Use

Integrity Checks

In order to check that you're actually using the right program and not a fake or modified/backdoor'ed one it's recommended to do integrity checks (for things such as the Tor Browser Bundle at least). A 'hash' is a unique number generated using a published algorithm on a particular file. For example, if I have file1.txt, which has no text in it, and I run it through a hashing algorithm, I will get mathematical_value_1. If I then add text to the file, it has now changed and if I hash it again I will get a different result, mathematical_value_2.

Windows:

  • Download HashMyFiles (scroll down a bit)
  • Extract and open it.
  • Now drag and drop the file you want to check into it. We're checking GPG4win as an example here. So download the .exe from here and then drag&drop it into HashMyFiles.
  • Now go to http://www.gpg4win.org/package-integrity.html and compare the SHA1 checksum & the File length. Usually you can find such checksums right on the download pages of files or linked somewhere.
  • Now to also check the PGP signature open up a command prompt by going to start→entering “cmd”→enter→”cd desktop“ and make sure you got the file you want to check on your desktop.
  • Download the .sig file on the page to your desktop (works the same with .asc files)
  • Import their public key by entering:
       gpg --recv-keys EC70B1B8
       (You can find the last few numbers on the website)
  • Or for .key files (first download to desktop):
       gpg --import tails-signing.key
       (the last bit is the filename of the .key file of course)
  • Then enter this and check the result:
      gpg2 --verify gpg4win-2.1.1.exe.sig gpg4win-2.1.1.exe
      (first the .sig/.asc key then the corresponding file)

Linux:

  • sha1sum and md5sum are included in most Unix/Linux based operating systems (including MacOSX) → Go to 'Terminal' in Applications→Utilities, navigate to the file you wish to use and type 'md5sum ' where 'filename' is the filename, to get the md5sum.
  • Compare with expected values from the site you downloaded from.

FIXME Please add variations for Linux&Mac and add tutorials for http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html

About

Also available as an eepsite on I2P:
http://crzh6busgh4v2kon66ant2fgscq6scj4apceqii2rstglaztfk2q.b32.i2p/en/wiki/Tutorials
And as a hidden service on Tor:
http://5nklpqfgczvtjrlg.onion/wiki/index.php/Tutorials
FIXME These 2 sites need to be updated to the present state of this tutorial-series.


If these tutorials helped you please pass it on - share this page (or its contents)!