Jump to content
Not connected, Your IP: 3.129.42.198
bigbrosbitch

Dual boot Windoze with Linux Mint 17.2 in 25 steps

Recommended Posts

Hi AirVPN users,

As you will be aware by now, recent reports show Win 10 is pure malware (Spyware O/S TM).

So, I'd like to write a basic guide for the Windows users who are newbies to Linux and want to make the transition easily, instead of just getting the age-old old advice - "Just install Linux!" - which is not particularly useful. This guide will take the Win 7/8/8.1/10 user to a dual boot system - providing the option of two worlds.

The theory is that once you see how good Linux is - Linux Mint in this example, since it is very easy to use and friendly for beginners - you will gravitate over by realising you don't need spyware to get 99% of your tasks done. So here we go. In advance, any mistakes are my own (I'm no guru) and I will gladly change any incorrect information.


1) Back up all your SSD/HDD data first to a separate drive. You can also clone Windows states and save the file elsewhere

 

For instance:

http://windows.microsoft.com/en-us/windows/back-up-programs-system-settings-files#1TC=windows-7

To back up your programs, system settings, and files
 

Open Backup and Restore by clicking the Start button Picture of the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking Backup and Restore.

In the left pane, click Create a system image, and then follow the steps in the wizard. Administrator permission required If you're prompted for an administrator password for confirmation, type the password or provide confirmation.



OR

Using Clonezilla

http://www.techrepublic.com/blog/windows-and-office/how-do-i-clone-a-hard-drive-with-clonezilla/


2) Shrink down your Windows partition (in half) as per instructions here (a million other guides also on line)

http://www.makeuseof.com/tag/shrink-extend-volumes-partitions-windows-7/


3) Download Linux Mint ISO for 32 or 64 bit here (obviously 32 bit if you have older hardware)

http://www.linuxmint.com/download.php

If you are not sure about 32 or 64 bit architecture, in Windows:

View the System Information window
 

Click Start/Start button , type system in the Start Search box, and then click System Information in the Programs list. When System Summary is selected in the navigation pane, the operating system is displayed as follows:

        For a 64-bit version operating system, x64-based PC appears for the System type under Item.
        For a 32-bit version operating system, x86-based PC appears for the System type under Item.


I recommend the MATE or Cinnamon editions that are generally preferred. XFCE is used with older machines with less resources, and I'm not fond of KDE, although many users like the Plasma desktop. Each to their own.

Linux Mint is somewhat similar to Windows in terms of the desktop and basic interfaces, so this is an easy choice for the beginner. Plus it has all the necessary video, multi-media and other codecs installed by default.


4) Verify the ISO image i.e. is not corrupted or a fake binary by downloading the MD5 hash for the file from the downloads page

Download and install winmd5 or similar program to cross check the MD5.

http://winmd5.com/

If the hash produced by the above program does not match the ISO hash on linuxmint.com download page then the file is corrupted. Delete and download again.


5) Create a bootable USB disk to run Linux Mint first time (no changes will be made to your SSD/HD yet)

Download pendrivelinux (or Unetbootin) and write the ISO file to USB. Follow the directions below.

http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

If the USB won't boot (see below), you can re-write the USB stick again, or use an alternative. Some makes/models of USB don't work well, and generally use something at least 4GB in size (8GB is better).


6) Reboot the computer and hit F12 or whatever function button brings up your optional boot screen on your system

 

Select 'USB' and Linux Mint will start loading.


7) Once you have the main desktop screen, double click "Install Linux Mint"

 

SEE NOTE ON PASSPHRASES AT STEP 8 before setting them.

NOTE: UEFI SYSTEMS ARE FULLY SUPPORTED BUT SECURE BOOT MUST BE TURNED OFF BEFORE INSTALL.

See below - it is not compatible with Linux grub bootloader.

http://linuxmint.com/rel_rafaela_cinnamon.php
 

"Note: Linux Mint does not use digital signatures and does not register to be certified by Microsoft as being a "secure" OS. As such, it will not boot with SecureBoot. If your system is using secureBoot, turn it off.

Note: Linux Mint places its boot files in /boot/efi/EFI/ubuntu to work around this bug. This does not prevent the installation of multiple releases or distributions, or dual-boots between Ubuntu and Linux Mint, as they can all be bootable from the same grub menu."



DO NOT have internet connected as you install Mint. The firewall IS NOT ON BY DEFAULT, so your system can otherwise be infected before it has even finished installing.

Follow installation procedures as per steps 1-4 in link below. At step 5, you can select the option to "Install Linux Mint alongside Windows X" (7, 8, 10 etc). This will automatically create a dual boot system and you won't have to manually create partitions and so on. Only manually set partitions if you intend to leave room for a 3rd operating system later on e.g. a triple-boot system.

 

If you auto install as recommended, Mint will take up the remaining half of the available drive.

http://www.everydaylinuxuser.com/2014/07/how-to-install-linux-mint-alongside.html

Don't select the "encrypt whole disk option" (not possible when sharing with Windows), but do select "encrypt home folder" option. Note: once you are logged in, your home folder is decrypted by default, meaning it can be potentially seen, copied, deleted by adverseries who are good enough.

Now every time you load the computer, you can choose to load Windoze or a relatively secure open-source O/S system.

 

Without starting another distro war, Debian or Linux Mint Debian Edition would arguably be a more secure O/S to dual boot, due to signed packages and Ubuntu-Amazon debacle of 2012. However, for simplicity, they are not used in this guide. For intermediate users, I would personally recommended LMDE2 as part of their dual boot configuration.


8) Passwords/passphrases

Forget your current methods and pissweak passphrases that are probably insecure and broken down by rainbow tables or other brute-forcing within minutes e.g. if less than 12-15 characters in length and not generated completely randomly.

The solution my paranoid friends is dice-ware. These are theoretically impossible to crack if you use a 7 word pass phrase and choose them randomly using the entropy present in a six-sided die. Yes, you heard me correctly.

http://world.std.com/~reinhold/diceware.html

Follow these instructions above to generate suitable passphrases for root password, your main user password, and other critical computer accounts.

Do not re-use these passphrases - different passphrases should be used for everything - and store them all in your KeyPass encrypted passphrase master file OFF-LINE.

35 dice-rolls = one secure passphrase the NSA can't crack by brute force (they'll just hack your computer directly instead)...


9) Once Mint has finished installing, it will want to reboot. Keep the internet disconnected until we set up the basic firewall (next step).

 

Reboot.

All going well, you will see a new grub screen showing an option to load Win 7 or Linux Mint 17.2 Rafaela.

Select Linux Mint 17.2. Do not use the recovery option unless you get a prolonged black screen on first boot attempt i.e. it will drop to very basic system drivers only.


10) Linux Mint will take a while on first boot, but will come to the desktop environment eventually, after you have logged in

Your key steps now are to:

- Load firewall

- Install and connect to AirVPN and lock down the network
- Connect to internet and update all system files (full update and upgrade)
- Update the Linux kernel to the recommended option
- Install software you will regularly use

- Remove software that poses an unnecessary attack vector


11) Load the firewall

Open the terminal from the menu or panel and enter the following command:
 

sudo ufw enable

Press enter.

Check the status of the firewall with:

sudo ufw status verbose

It should say something like:

pjotr@netbook:~ sudo ufw status verbose
[sudo] password for pjotr:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
pjotr@netbook:


Now reconnect the internet connection. DHCP in linux will automatically detect your modem/cable settings and you don't have to do it manually thankfully.

We the commands above, we have denied all incoming requests (we are not a server), but allow outgoing connections for the internet, email and so on. AirVPN IPTables via the Eddie client will enforce far stricter requirements - nothing travelling outside the VPN tunnel - so that is the next priority.


12) Before updating system files we want to install AirVPN on the system so the Stasi don't know what we are doing on our fresh install

So, go to the following page:

https://airvpn.org/linux/

Download the option .deb Debian/Ubuntu package 64-bit (Linux Mint is based on Ubuntu; 32 bit if you have older hardware). Check the MD5sum with "md5sum FILE" at the terminal. Check the match with the AirVPN website download page.

Double click on the file in the downloaded files. Let it install all the necessary packages and dependencies. Run AirVPN Eddit client the first time and enter your name and passphrase. You shouldn't save/remember the passphrase if you are suitably paranoid.

Once connected, select "Network lock" and options to 'Disable IPv6'. Other defaults should be fine for now.

Check AirVPN connects (fingers crossed). If you have problems try either the experimental version of Eddie or earlier 'stable' editions to successfully connect in the first instance.


13) Update/upgrade system files

For system updates we click on the 'shield' in the bottom right hand corner of the desktop. This is where all the updates happen (upgrades via terminal - see below). Before refreshing to get all system file updates, we go to preferences and select all 'security updates'. Do this:
 

Menu button - Administration - Update Manager

Panel Update Manager: Edit - Preferences

Tab Options (first tab): tick:

Always show security updates

And also:

Always select and trust security updates



Now hit the refresh button the on the shield. It will download a lot of security and other program updates and install them all. To keep your system fully up to date in Linux Mint, you must occasionally run terminal and use the following command:

sudo apt-get update && sudo apt-get upgrade




14) Update the linux kernel

Either because you have a multiple core CPU system or want the latest security patches and drivers for your computer hardware, you should update the linux kernel (the core of your system).
 

Launch Update Manager. In the toolbar of Update Manager: View - Linux kernels



We want to see if the kernel we are running is the latest one recommended. If you see three ticks against your kernel (loaded, recommended, installed) then you are fine. If not, select the latest 3.16.x kernel that your system is recommending.

You will see a warning against installing new kernels. This warning is a bit exaggerated: the risk of problems is certainly there, but it's not as big as the warning implies. After installation, reboot your system. Now from the grub bootloader screen, you should see the option to boot with the latest Linux mint kernel 3.16.x PAE or whatever you have installed.

Use that option. All going well, it will boot to the desktop. You now have a fully updated system.

If for any reason your system is unstable with the latest recommended kernel, sometimes downgrading will solve driver and other issues. Look online if this is the case e.g. certain chipsets are notorious for periodic problems. Also, occasionally upgrading to later (unstable) kernels can solve driver issues.


15) As Linux is often set up as a server, you should remove programs that you will never use and which poses unnecessary attack vectors

Go to 'Administration -> Synaptic Manager'



Search for these programs and remove e.g.:

- ssh
- rsync
- ftp
- samba
- telnet
- etc

There are many others that are not necessary for the standard desktop user (see online guides). I would search for 'server' in the search box at a minimum, and remove anything dubious. DO NOT remove anything related to X11-server, as this is necessary for running video and other outputs on your system.

Anything that relates to remote connections/file transfers/viewing, email servers and the like can be safely removed as rule (obviously not apt/apt-get, wget).

Install and run GUFW to check whether your system is 'listening' on ports with any other programs installed. In terminal:
 

sudo apt-get install gufw

sudo gufw



You shouldn't see anything else except DHCP, OpenVPN (used for AirVPN), and connections you have running for browsers and so on.

Netstat (or nmap) should be used at the terminal to make absolutely sure your system doesn't have ports open that shouldn't be. For example, a few netstat parameters that are useful for this include:
 

-l or --listening shows only the sockets currently listening for incoming connection.
-a or --all shows all sockets currently in use.
-t or --tcp shows the tcp sockets.
-u or --udp shows the udp sockets.
-n or --numeric shows the hosts and ports as numbers, instead of resolving in dns and looking in /etc/services.



You use a mix of these to get what you want. To know which port numbers are currently in use, use one of these:
 

netstat -atn           # For tcp
netstat -aun           # For udp
netstat -atun          # For both



In the output all port mentioned are in use either listening for incoming connection or connected to a peer - all others are closed. TCP and UDP ports are 16 bits wide (they go from 1-65535)

If you see something odd - particularly if it is an unknown external (not local) IP address connecting with some weird program - then research and probably remove immediately from your system, as you've probably been pwned.


16) Install software you will use regularly
 

Select "Administration -> Software Manager"


You can find most programs you need here.

I would recommend at a minimum:

- GUFW (GUI for firewall)

- Thunderbird (for desktop email, based on Firefox)

- Evince PDF document viewer

- Microsoft fonts

- Enigmail for thunderbird - allows for encrypted emails once you have generated an encryption key and have a suitable recipient also with an encryption key.

- Play on Linux (will work as meta-compatibility layer). For example, I have used POL for Microsoft Office 2010, Adobe Photoshop/Illustrator and a number of popular Win games. Don't believe most of the hype: emulators and virtualised environments can solve most software problems and run things you 'must' use in your work or home life (e.g. Virtualbox 5.0 GPU support). Many 'unsupported' programs will still work with tweaking of WINE. Note: WINE technically gives your Linux host some vulnerability to Windows malware, so again, the paranoid would never install it

- Deluge as bittorent client in preference to Transmission

- VLC and SMPlayer as your media players - they will play almost everything, although some additional DVD codecs may be required

- Bleachbit to clean up your system and to shred files/folders/wipe free disk space

- MAT (Meta-data Anonymisation Toolkit) to wipe meta-data from files e.g. EXIF data from photos, data from LibreOffice files and so on

- Cryptkeeper to create encrypted volumes to hide your personal/financial stuff in. Note: this should be done only temporarily and stored permanently on  afully encrypted external drive that is air-gapped and potentially shielded. Careful users would not keep critical information on only one external, encrypted drive, due to the threat of data corruption and being locked out completely. Thus, they may wish to use two identical drives to prevent catastrophic loss of information

- Virtualbox to run Windows spyware in a virtual environment instead of polluting your hard-drive. VMWare Player is an alternative option

- KeypassX to store all your passwords in a master file. Once done, the master password file MUST be stored on external, air-gapped drive that is fully encrypted, even though the password file is itself encrypted


17) Go through all your linux settings under 'Control Panel'

Make sure all options like 'sharing of remote folders', 'remote connections/logins/SSH/reviewing', samba, NFTS and so on are all TURNED OFF. 

 

​Otherwise, you are inviting someone to hack your ass. DConfEditor can also be installed to finetune your Linux system for system-wide settings. Make sure nothing is being run automatically during start-up that poses a security risk and there are no shared services configured or installed that pose security threats.

Set AirVPN to connect automaticaly during boot-up.

It is also critical to install the proprietary driver for your video card if you want proper performance from your latest NVIDIA and other models. However, the paranoid who refuses to ever use proprietary (closed-source) code would persist with open-source drivers and modules and probably uninstall flash, java and other things in the first place.

You should also diable IPv6 system wide for it is a key security weakness. For Linux Mint (Ubuntu) users:

 

To disable ipv6 open a terminal and type the following lines:

echo "#disable ipv6" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
 
or open /etc/sysctl.conf in a text editor and add the following lines to the end of the file:

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#

Afterwards, reboot the network interfaces (sysctl) by typing this in the terminal:

sudo sysctl -p

If this doesn't work, you can always brute force it at grub level:

sudo gedit /etc/default/grub

​​Find the GRUB_CMDLINE_LINUX line and edit:

​GRUB_CMDLINE_LINUX="ipv6.disable=1"

​ sudo update-grub2



​Reboot. IPv6 should now be disabled and the Eddie client should be working fine. Check you can use local resources such as printers, which are uncommonly blocked by the Eddie network lock.

Also disable time-stamps which are recorded down to the milli-second and announce your presence, and fake/disguise your OpenVPN settings so they can't be detected by programs like WITCH. If you look on AirVPN forums, you will see this has already been discussed:

https://airvpn.org/topic/14801-%EF%BD%97%EF%BD%89%EF%BD%94%EF%BD%83%EF%BD%88%EF%BC%9F-%E2%80%94-vpn-and-proxy-detector-can-detect-openvpn-cipher-mac-and-compression-usage/
 

To dynamically disable TCP timestamping on Linux...

Become root.

sudo su

Disable TCP timestamping.

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Permanently

To make that change permanent...

Become root.

sudo su

You need to add the following line to /etc/sysctl.conf or /etc/sysctl.d/tcp_timestamps.conf:

net.ipv4.tcp_timestamps = 0

To do that, you could use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

To apply the sysctl settings without reboot, run the following command.

sysctl -p

Check if it's really set.

sysctl -a | grep net.ipv4.tcp_timestamps




Finally, change the mssfix setting in OpenVPN directives/custom settings to 1250, 1400, or other values that change your MTU value and prevent OpenVPN fingerprinting. Test your new config works here:

https://airvpn.org/external_link/?url=http%3A%2F%2Fwitch.valdikss.org.ru%2F


18) Tor browser

Tor should be downloaded separately (Linux platform, latest experimental 5.0.a4) and you MUST use GNU/gpg to check signatures, because the spooks love modifying Tor software. For example, have fake Tor software is present in the wild and attacks have been used to force people to download something suspect.

The link below from the Tor website shows how to install Tor safely. Never run unverified/unsigned packages in Linux if you can manage it.

https://www.torproject.org/docs/verifying-signatures.html.en

Important:
 

Download the signing key for Tor software by running at terminal:

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

Check the fingerprint of the key you just imported by running at terminal:

gpg --fingerprint 0x4E2C6E8793298290

You should see:

    pub   4096R/93298290 2014-12-15
          Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
    uid                  Tor Browser Developers (signing key)
    sub   4096R/F65C2036 2014-12-15
    sub   4096R/D40814E0 2014-12-15
    sub   4096R/589839A3 2014-12-15
    
To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run in terminal:

gpg --verify ~/Desktop/tor-browser-linux32-4.5.3_en-US.tar.xz{.asc*,}

The output should say "Good signature":

    gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
    gpg: Good signature from "Tor Browser Developers (signing key) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

Currently valid subkey fingerprints are:

    5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3



If you ever get a 'bad signature' DO NOT install and run this software. It may be corrupted, or worse, an enhanced NSA edition brought to you by your hard taxpayer dollars.

When runnning Tor:

- NEVER use flash, it leaks your real IP. In the case of Tor over VPN, this means your VPN entry IP. Flash and other plug-ins are not configured properly for Tor

- Run security slider in the highest position

- NEVER allow Javascript if you can afford to. Most attacks are based on dodgy javascript so you run it at your own peril. For example, the latest font fingerprinting can even uniquely identify Tor users who run Javascript

- The super-paranoid would never go to HTTP sites (only HTTPS) due to sniffing, malicious Tor nodes, Sybil attacks and so forth

- The super, super paranoid would never go beyond onion addresses (the Tor network) and configure Tor via Whonix, and a chain of VPNs + potentially JonDoNym (although this last step or other steps may actually HURT your anonymity due to bottlenecks)

- Don't type directly into the Tor Browser if you can avoid it. Type into your O/S notepad/text editor and cut and paste into the browser. The latest fingerprinting methods can match your typing cadence uniquely after only 10 minutes. Yes, 10 minutes....

- If you want that video or other multi-media file, don't stream it, but download it instead and play it on your home system. This is much safer.

This list above is not exhaustive. If you really want to use Tor safely, then browse the Tor security forums intently, particularly if your life depends on it or you live in Iran or somewhere politically hostile.

Dissidents, political activists, whistleblowers and others at risk should really also be using Tor-bridges in the mix to hide Tor signatures from deep packet inspection that the spooks and ISPs are proven to be capable of.

 

Further, it is better for those in Tor-hostile countries to request unique bridges from Tor (even though the Tor email address is also a key indicator for X-KeyScore) and/or connect to the VPN FIRST, and then Tor. Not the other way around. That is, hide your Tor use behind the VPN instead of announcing it to anybody that is watching for the unique Tor signature.

Importantly, don't ever mix up your normal internet browsing e.g. Firefox, with places you visit with Tor. Behavioural correlation is a dead give-away, and your uniqueness could probably be identified with you only visiting a small number of sites that you have commonly visited due to the huge number of websites that exist.

If you are a high-profile target, you would engage all these security measures, and possibly also run multiple (clean) virtual machine images to prevent any leakage of meta-data over time. Virtualisation will also prevent hardware serial leaks and the cross-correlation of different online identities if implemented correctly (see virtualisation considerations further below).

 

A high-profile target would also consider running the VPN connection through an additional SSH or SSL tunnel (see Eddie client config) to provide another layer of encrypted tunneling.


19) Using Firefox safely

Use Firefox in preference to backdoored IE, Chrome, and Chromium (which dodgy binaries keep 'accidentally' landing in). Firefox cares more about privacy than the other corporate psychopaths, plus latest Tor is based on Firefox 38.1 ESR

Consider many, many changes to Firefox if you want to be 'psuedo-anonymous'. If you want to try and be truly anonymous, then I repeat, USE TOR BROWSER AT ALL TIMES.

 

There are 1000s of options in Firefox that potentially leak data, and you're unlikely to get them all, compared to Tor developers like Jacob Appelbaum and co. Further, Palemoon, JonDoNym (commercial) and other 'privacy options' are unproven, whilst we know the NSA struggles with Tor and has their spook operatives use it regularly. That is therefore an endorsement of its strength.

https://airvpn.org/topic/9933-browser-configuration-to-be-anonymous/

In the above link, no one mentioned that when using normal firefox you should also disable all plug-ins by default, use the default 'theme', and not install any additional fonts or languages. These are all used for fingerprinting and the Java component of plug-ins e.g. Iced-Tea Ubuntu plug-in, makes you vulnerable to various attacks.

Instead, just use Firefox's native video player and use an add on to enforce higher quality settings for video output. If you are paranoid, DOWNLOAD the file as a .mpeg, .avi etc and then play it with the Linux native video player.

Avoid Flash like the plague and embedded/downloaded PDFs. Around 90% of exploits occur when you run flash, use/download a dodgy media player (which is really malware) or you load a poisoned PDF that escalates priveleges on your system, creates a root shell, and ulimately some low-life is persistently embedded in your system because you streamed "Funny Cats.avi".

DO NOT install additional 'features' like Silverlight, applets and so on, which also add to your finger-printing signature when enabled by default. Check your digital signature at Panoptoclick and Browserleaks to reduce your footprint as much as possible. Note also how javascript dramatically increases your fingerprintability when enabled.

We also know from Black Hat conferences and research that something like 60% of exploits of your O/S come through browser exploits. The rest involve a lot of spear-phising attacks, for example, malicious URLs and attachments via emails (particularly .doc, .xls, .pdf) and base O/S weaknesses e.g. Heartbleed SSL bugs, kernel exploits and the like.

So, your own security destiny is mostly in your browsing behaviour hands. Be sensible and cautious if you are a legitimate target.


20) Anti-virus software

You don't need it in Linux. Really.

If you run trusted and signed packages, don't install malware from the net, verify your packages e.g. Tor, and run the system with proper priveleges i.e. NEVER run the system or install as root, then you should be fine from most unsophisticated privelege escalation and other attacks.

You may however wish to run a host of rootkit and intrusion detection systems e.g. rkhunter, Snort, Aide and so forth as additional security measures.


21) Network e.g. PnP, wireless security, BIOS, webcams, microphones etc

Install a decent BIOS password on your host system. You can consider flashing the BIOS to upgrade it, but be aware that many firmware upgrades can leave you 'bricked' (locked out). Plus, firmware updates may introduce as many vulnerabilities as they patch. Proceed with caution.

Do not have webcams connected if they are not in use. They are a microphone and video camera into your living space for decent hackers or spooks. Disable all internal computer microphones - physically if possible (cut connections), but at a minimum with software.

Keep the router firmware updated at all times. Make sure the router is protected with a proper passphrase, and default settings are changed e.g. usually 'admin' and 'password' or similar.

Disable UPnP in your router. UPnP opens a huge security hole, which is not really manageable. It's better to disable it permanently, because UPnP is inherently insecure. First, find the user manual of your router; if you no longer have it, then you'll probably be able to download a copy from the website of the router manufacturer.

Then access the configuration of your router and disable the UPnP feature, and also the accompanying feature, usually called something like "Allow user to configure".

Note: this might require you to take some extra measures for enabling VPN, P2P file sharing and the like (namely opening some ports manually). This isn't always necessary though, and depends on how your router manufacturer has configured the firmware defaults.

Regarding wireless - it is universally weak (see below). If you have a dual cable/wireless modem, you may consider unscrewing the antennae to prevent any wireless connections.

Key issues for wireless are:

- Do not use WEP or WPA standard (broken easily, even with Kali Linux). Use WPA2 encryption

- Do not attempt MAC spoofing

- Change the default SSID, but don't hide it (needs to be broadcast)

- Use AES encryption standard and not TKIP

- Enable the firewall in your router, if it is not already on. Most have a basic one

- Disable WPS (wifi protected set up) in the router if you can

https://sites.google.com/site/easylinuxtipsproject/securitywireless

Ultimately, you really want a router you can install Tomato on, or DD-WRT or Pf-Sense. For the hardcore, install PfSense firewall (commercial grade) on your router or extra computer hardware, as per instructions on the forums here. Not for the faint-hearted:

https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/


22) Personal/financial files, photos, senstive documents

Keep all your personal and financial information off your drive connected to the internet AT ALL TIMES.

Preferably you would have a separate computer, that is never connected to the internet, which you use for working with personal, financial or other secure information. If/when you require documents be emailed or whatevever, you can copy them to a FRESH USB and then use on the unsafe (connected) computer. The safe computer must have all network cards removed, plus any other possible communication channels.

Of course, technically you risk your 'safe' computer being cross-infected by the same USB if re-used, so you would only use fresh usbs if really paranoid. This is the Bruce Schneier method - who IS surveilled by the NSA due to his involvement in Snowden disclosures.

​Your 'safe' computer can act as the tool to encrypt/decrypt all sensitive documents - meaning you are reasonably confident nobody has maliciously changed RNG (random number generation) or other encryption protocols which are used to secure your documents.

Anything important should be encrypted to start with; Cryptkeeper vaults should suffice for most people. If you are a high-profile target, you know that these vaults are vulnerable to side channel cryptanalysis and would investigate other solutions.

Other options for 'normal users' are TrueCrypt or VeraCrypt (open-source) which are capable or encrypting whole disks or containers and work across all major O/S platforms.

The really paranoid may consider utilising steganography password-protected files for critical information that can then be cryptographically hidden inside innocent looking files. These could then be stored within an encrypted vault that contains thousands of files, for example, 'holiday snaps', to better hide critical information.  This is another method that can be POTENTIALLY used to hide secret information in 'normal' looking emails (see below).

Hidden containers within encrypted vaults are possible, but apparently these are easily detectible by modern forensic software. Don't depend on them to absolutely to hide your data, particularly since encryption keys can be compelled in many jurisdictions.

If one was really paranoid, there are scripts around that can delete the encryption headers within seconds (around 128K in size). This should prevent encrypted material being obtained by strangers unless they can work magic. This might be suitable for the hard-core who constantly worry about the cops knocking down their door, for they can technically destroy the encryption headers in seconds and boot down any open containers, instead of the hours it would normally require to securely wipe it.

In general, don't make your internet-connected system a honeypot for hackers. If they get in, they won't get anything valuable, except possibly the fun of using your system as part of a bot network or similar.

Try to keep your home folder empty as a rule (documents, photos folders etc) except for completely innocous files e.g. GoT you are currently watching, music you are curently listening to and so on. Nothing should remain on your 'unsafe' computer that provides critical or identifying information, other than your horrible artistic tastes.

After you have finished watching your pirated stuff or reading your secretive files, you may want to securely delete them (shred) by writing over them several times. Multiple linux programs are available and military grade wiping requires 7-15 write overs with random data and zeros.

Note: SSD secure deletion is problematic. Older HDDs are more reliably wiped, so if you have dodgy info on your SSD and you REALLY want to wipe it, I suggest you invest in a sledgehammer, acid and a blow torch when you are done with it.

Consider regularly wiping the free space of your HDD/SDD which accumulates piles of information about your activity, and non-securely deleted files etc. This is possible with Bleach Bit for example.

23) Alternatives to unsafe email communcation e.g. Jitsi, steganography

Consider Jitsi for open-source encrypted communications that cover Video (ZRTP), VOIP (ditto) and OTR (encrypted messaging). If you are really paranoid, you would use one time accounts and never use video or VOIP, due to possible voice-print matching if configured incorrectly or encryption session broken i.e. only written communications.

Download Jitsi (32 bit = i386, 64 bit = amd64) from here:

https://download.jit...g/jitsi/debian/

Create an XMPP/Jabber account you will use with Jitsi here:

https://jabber.hot-c...account/create/

Once you have installed Jitsi and configured correctly for security in preferences - enforce encrypted connections for all communications, verify other contacts with secret Q&A, set no logging, no remembered passphrases - you have a non-backdoored Skype equivalent that the Stasi can't stand. Great. But do remember that this will not hide meta-data associated with the use of Jitsi.

All email is backdoored and PGP encryption gets you a lot of notice due to it being an X-KeyScore Indicator and statistically rare amongst all emails. Therefore, if you must use this method of communication, consider using Steganography to hide your secret message/data/file in a plain looking email attachment.

From your terminal run:

 

sudo apt-get install steghide

To cryptographically embed data (a file) into a jpeg image, use a command like the following. You will be prompted to set a passphrase.

steghide embed -cf tux.jpg -ef mytext.txt
Enter passphrase:
Re-Enter passphrase:
embedding "mytext.txt" in "tux.jpg"... done

To extract the embedded file, use a command like the following:

steghide extract -sf tux.jpg
Enter passphrase:
wrote extracted data to "mytext.txt".


This is the tux.jpg which contains the hidden text file.

So, potentially you could hide your data in friendly holiday snaps and have your friend decode with a shared secret passphrase e.g. previously shared in person, potentially over a Jitsi OTR session etc.

 

Another possible option of sharing critical information securely, using the Tor network, is Onionshare:

https://onionshare.org/

 

 

 

Ubuntu
If you are using Ubuntu, open a terminal and type:

sudo add-apt-repository ppa:micahflee/ppasudo apt-get updatesudo apt-get install onionshare
​How to use:

 

https://github.com/micahflee/onionshare/blob/master/README.md

 

Before you can share files, you need to open Tor Browser in the background. This will provide the Tor service that OnionShare uses to start the hidden service.

Open OnionShare and drag and drop files and folders you wish to share, and start the server. It will show you a long, random-looking URL such as http://cfxipsrhcujgebmu.onion/7aoo4nnzj3qurkafvzn7kket7u and copy it to your clipboard. This is the secret URL that can be used to download the file you're sharing. If you'd like multiple people to be able to download this file, uncheck the "close automatically" checkbox.

Send this URL to the person you're trying to send the files to. If the files you're sending aren't secret, you can use normal means of sending the URL: emailing it, posting it to Facebook or Twitter, etc. If you're trying to send secret files then it's important to send this URL securely. I recommend you use Off-the-Record encrypted chat to send the URL.

The person who is receiving the files doesn't need OnionShare. All they need is to open the URL you send them in Tor Browser to be able to download the file.


 

24) Clone your dual-boot drive when you finally happy with your (working) dual boot system

If you have a critical error, discover rootkits, or otherwise stuff up your configuration, it makes sense to have a slave drive that you periodically use to clone your master drive. This way, when a catastrophe ensues you only need to slot your other drive in and reboot and re-clone over the corrupted drive.

To clone a hard-drive completely (hard drive X to hard drive Y), this is easily achieved via the terminal and the dd command (there are other ways, but this is simple and works for me). See below for an example. Partitions can also be cloned. Make sure you use G-Parted to confirm which drives you are copying from and to. It is easy to lose everything if you stuff it up.

The classic method using 'dd'

dd is very powerful and can be used to write from disks to files and files to partitions or volumes.

    To copy a disk, run (for example):
 

sudo bs=512 dd if=/dev/old_disk of=/dev/new_disk conv=noerror,sync



conv=noerror,sync is used for disks with bad blocks, where the intent is to replace bad blocks with zero placeholders and continue copying.

As a user under Ubuntu, always prepend the sudo command to dd and add your user password to validate the command.

Be careful! If you are copying a disk, the destination must also be a disk, not a partition. If you are copying a partition, the destination partition must be large enough. Copying the whole disk is recommended.

Disks should be copied on sector boundaries. The sector size of most hard drives is currently 512 bytes but the industry is starting to move (post 1999) to a 4KB (4096 byte) sector size. Check your disk specifications to find out.

NB: The UNIX/Linux communities employ the term block to refer to a sector or group of sectors. For example, the Linux fdisk utility normally displays partition table information using 512-byte blocks while also using sector to help describe a disk's size with its phrase, 63 sectors/track. You want the block size for dd to be a power of 2 multiple of the disk sector size.

The default block size for dd is 512 bytes, the operand bs= is used to increase the block size. Bigger block sizes will greatly increase the speed of the copy to a point. That point depends on many factors, but 256K - 500K will be pretty good for most systems. If the block size ends with a ``b, ``k, ``m, or ``g, the number is multiplied by 512, 1024 (1K), 1048576 (1M), or 1073741824 (1G) respectively.

 A larger block size with increase the speed of the clone, but if errors are found, you can end up with a larger portion of your cloned drive that is corrupted.

If you detect rootkits or other measures, then the only real safe method is to wipe the entire drive and start again. To prevent this becoming a time-intensive nightmare, just use the dd command to wipe over the suspect drive.


25) Miscellaneous (known) installations problems with Linux Mint 17.2
 

http://www.linuxmint.com/rel_rafaela_cinnamon.php

 

Solving freezes with NVIDIA GeForce GPUs

The open-source drivers present in Linux Mint do not support some of the NVIDIA cards very well. You might experience black screens, freezes or kernel panics.

The best way to solve the issue is to keep trying, until it eventually works. Once the system is installed:
 

- Run the Driver Manager
- Choose the NVIDIA drivers and wait for them to be installed
- Reboot the computer



With these drivers the system should now be stable.

If you're using an Optimus card, you've nothing more to do. Upon reboot, a systray icon should show up indicating which GPU is currently active. Click on it to switch GPUs.

Note: If no matter how many times you try, you cannot boot or install with the open-source drivers, try one of the following solutions:
 

- At the boot menu of the live DVD/USB, press Tab to edit the boot arguments and add "nomodeset" at the end of the line.
- Remove "quiet splash --" from that same line.
- Append "nouveau.noaccel=1" at the end of the line.



Booting with non-PAE CPUs

To boot Linux Mint 17.2 on CPU which do not officially support PAE (Pentium M processors for instance), please use the "Start Linux Mint with PAE forced" option from the boot menu.

Also, if you have multiple CPUs, from memory they can only be utilised by booting with the PAE linux kernel during boot up (from the grub boot loader).


26) Virtualisation - to do!

I might cover this in another article if people are interested.

Basically, if you have an advanced system and decent RAM you can easily run Windows straight through Virtualbox (on top of the Linux host system), rather than using Spware O/S straight off your SDD/HDD.

Other benefits include the ability to run Whonix in a virtual environment, meaning you get more protection from spying activity. For example, no hardware serials, no meta-data due to use of multiple cloned images used over and over at initial state, no possibility of DNS leaks, truly anonymnous downloads with Tor, faked time-syncing data and so on. VMWare can be used in place of Virtualbox too, to remove possible taint of using an Oracle product. ​

I have already successfully run Whonix over Tor over AirVPN and the speed is not unreasonable (certainly not fast either).


CONCLUSION

If you do all of the above, you can operate far more securely with your system and not leak tons of info to MicroHack on a hourly basis. You can EASILY run Microsoft Office 2010, Adobe Photoshop, Adobe Illustrator and millions of popular Windows games either through emulators or virtual machines. The latest Virtualbox supports straight-through GPU support also, meaning a host of 'Windoze advantages' are being quickly lost.

Therefore, there is almost no need for most desktop users to run "Spyware O/S TM" at all, unless it is to use some obscure, poorly coded piece of software that won't run in WINE (Linux's emulator).

Linux Mint is really a piece of cake for most Windows refugees. Once you have made the change, seen the speed increase, and note your HDD/SDD is almost completely quiet instead of constantly active with Windows, you will feel more assured that your computer's data is not being hoovered up at the system level at breakneck speed.

However, never forget that 100% of what the spooks can grab will sit in their servers for years, if not forever, and most of their data harvesting sucks up data straight from the internet backbone. If it ain't encrypted - it's owned.

Cheers

Bigbrosbitch

Share this post


Link to post

Additional Step #26: Install App-Armor Utils and Profiles (enforce and/or complain setting)

This step is overkill for the average desktop user, but since it is available in Linux Mint by default, we can install and enforce additional profiles for our most vulnerable programs e.g. Firefox, Pidgin, email programs.


What is Apparmor?

An easier alternative to SE (security-enhanced) Linux:

http://wiki.apparmor.net/index.php/Main_Page
 

AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.


Apparmor is vailable in the following distros (note it is installed in Ubuntu by default, but we will fetch additional profiles shortly):
 

Distributions that include/support AppArmor:

    Annvix
    Arch Linux
    Debian
    Gentoo
    Mandriva
    openSUSE (integrated in default install)
    Pardus Linux
    PLD
    Ubuntu (integrated in default install)

Any derivatives of these distributions should also have AppArmor available. Updated RPMS can be found at the openSUSE Build Service. These are not limited to SUSE distributions.




Why not use SE Linux instead?

Easy. SE Linux is too hard to set up and maintain. Really, SE Linux is for advanced users/administrators and the documentation is apalling for any low-end or intermediate users.

https://en.wikipedia.org/wiki/AppArmor
 

AppArmor is offered in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain.[1] Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths. Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux.[2] They also claim that AppArmor requires fewer modifications to work with existing systems:[citation needed] for example, SELinux requires a filesystem that supports "security labels", and thus cannot provide access control for files mounted via NFS. AppArmor is filesystem-agnostic.



Key point: We can still achieve mandatory access control (MAC), without the above difficulties with SE Linux.


Why enforce additional Apparmor profiles in Linux Mint?

Several reasons. Only a few (basic) profiles are loaded by default. Also, many are set to only 'complain' which will not stop a process that is outside allowable parameters (just logging it instead), but we can change that to 'enforce' (will block restricted processes; also logged).

As a reminder to Linux users, check your logs regularly for suspicious behaviour, unauthorised login attempts, multiple users, connections to remote IP addresses, deletion of large segments of logs for no reasons etc. Any of these mean you may have been pwned. Keep your system up to date at all times too.

Another reason for enforcing further profiles is the fact that Firefox is not loaded by default in Ubuntu. The reason is:

https://wiki.ubuntu.com/SecurityTeam/FAQ
 

Firefox, like all browsers, is a very complex piece of software that can do much more than simply surf web pages. As such, enabling the profile in the default install could affect the overall usability of Firefox in Ubuntu, which could end up decreasing the security of the overall system. Users who know nothing about AppArmor who encounter AppArmor denials might turn off AppArmor entirely, losing the protections afforded by the existing profiles. Enabling the profile for all users must be very carefully considered....

Firefox is a very complex application on its own, and when you consider third-party plugins, extensions, helper applications and Ubuntu derivatives, it becomes very difficult to ensure that the profile provides the proper level of usability and confinement. It is known to work well in the default Ubuntu installation with extensions, plugins and helper applications provided in the Ubuntu archive.  




What is the benefit of enforcing the Firefox profile?

From the above link:
 

The goals of the profile are to provide a good usability experience with strong additional protection. The profile allows for the use of plugins and extensions, various helper applications, and access to files in the user's HOME directory, removable media and network filesystems. The profile prevents execution of arbitrary code, malware, reading and writing to sensitive files such as ssh and gpg keys, and writing to files in the user's default PATH. It also prevents reading of system and kernel files. All of this provides a level of protection far exceeding that of normal UNIX permissions.



Essentially, we don't want to give any more permissions to programs than is absolutely necessary (GRSecurity is another form of MAC, in the form of a kernel patch):

https://en.wikipedia.org/wiki/Mandatory_access_control
 

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed.




What are all the available profiles for Linux Mint?

See link below for 'main' and 'community supported' profiles. Linux Mint is based on Ubuntu 14.04 LTS:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles



How do I check/configure/set up additional profiles in Linux Mint?

The default configuration for Firefox really does not offer much in the way of protection so you will need to install some additional profiles. Once that is complete you will see a new list of profiles in /etc/apparmor.d.

Follow the steps below:


1. Install apparmor, additional profiles, utilities and notifications for Ubuntu. In terminal run:
 

sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify




Check your new available profile list by running in terminal:
 

ls /etc/apparmor.d/




You should see something like:
 

abstractions sbin.dhclient3.dpkg-old usr.lib.dovecot.imap usr.sbin.mdnsd

apache2.d sbin.klogd usr.lib.dovecot.imap-login usr.sbin.nmbd

bin.ping sbin.syslogd usr.lib.dovecot.managesieve-login usr.sbin.nscd

cache sbin.syslog-ng usr.lib.dovecot.pop3 usr.sbin.smbd

disable tunables usr.lib.dovecot.pop3-login usr.sbin.tcpdump

force-complain usr.bin.chromium-browser usr.sbin.avahi-daemon usr.sbin.traceroute

local usr.bin.ssh usr.sbin.dnsmasq

program-chunks usr.lib.dovecot.deliver usr.sbin.dovecot

sbin.dhclient usr.lib.dovecot.dovecot-auth usr.sbin.identd



2. Check the current status of apparmor. In terminal run:

sudo apparmor_status




It should say something like (your list will be far longer, but for simplicity this example is used):

 

apparmor module is loaded.

29 profiles are loaded.

6 profiles are in enforce mode.

/sbin/dhclient

/usr/lib/NetworkManager/nm-dhcp-client.action

/usr/lib/chromium-browser/chromium-browser//browser_java

/usr/lib/chromium-browser/chromium-browser//browser_openjdk

/usr/lib/connman/scripts/dhclient-script

/usr/sbin/tcpdump


23 profiles are in complain mode.

/bin/ping

/sbin/klogd

/sbin/syslog-ng

/sbin/syslogd

/usr/bin/ssh

/usr/lib/chromium-browser/chromium-browser

/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox

/usr/lib/dovecot/deliver

/usr/lib/dovecot/dovecot-auth

/usr/lib/dovecot/imap

/usr/lib/dovecot/imap-login

/usr/lib/dovecot/managesieve-login

/usr/lib/dovecot/pop3

/usr/lib/dovecot/pop3-login

/usr/sbin/avahi-daemon

/usr/sbin/dnsmasq

/usr/sbin/dovecot

/usr/sbin/identd

/usr/sbin/mdnsd

/usr/sbin/nmbd

/usr/sbin/nscd

/usr/sbin/smbd

/usr/sbin/traceroute


1 processes have profiles defined.

1 processes are in enforce mode :

/sbin/dhclient (635)

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.




3. Set profiles to either 'enforce' or 'complain'

Note: it is not advisable to enforce all the available profiles at one time, as you will usually find you lose functionality in the internet connection, browsers may not work correctly and so forth. It is safer to set profiles to 'enforce' one (or a few) at a time, and then check functionality e.g. problems are often seen when enforcing the dhcp profile.

Profiles set to enforce must be debugged in the event they prevent the proper operation of the running program. This is not covered here for simplicity, but users who are interested can read further here:

https://wiki.ubuntu.com/DebuggingApparmor


To set a profile to complain (we will use the example of the Firefox profile, but anything can be substituted in its place), use the aa-complain command:
 

sudo aa-complain /etc/apparmor.d/usr.bin.firefox



To set all profiles to complain, run:
 

sudo aa-complain /etc/apparmor.d/*




To set a profile to enforce, use the aa-enforce command:
 

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox



To set all profiles to enforce, run:
 

sudo aa-enforce /etc/apparmor.d/*




4. Reload apparmor profiles into the kernel.

Running processes are not protected by AppArmor. Therefore, either restarting the process/es or rebooting will fix this.
 

To reload apparmor profiles, in terminal run:
 

sudo invoke-rc.d apparmor reload



5. Check processes that are unconfined by apparmor and whether you are happy with this arrangement.

In terminal run:
 

sudo aa-unconfined




6. Temporarily/permanently disabling profiles

Profiles can be temporarily disabled by performing (Firefox in this example):
 

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox



To permanently disable, run:
 

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox




6. Creating new profiles/other

This is too detailed to cover in this post, so for those that are interested see the link below for additional apparmor commands. Personally, I would recommend using existing profiles and debugging them, in preference to creating your own from scratch:

https://help.ubuntu.com/community/AppArmor


What about Tor Browser - does this ship with a default profile?

Not in Ubuntu that I can find. However, this profile below ships with Whonix, so it should also be compatible for Debian based systems or derivatives e.g. Linux Mint Debian Edition. I have tried unsuccessfully on Ubuntu when I imported it, but maybe others will have better luck by playing with the profile.

FOR DEBIAN USERS IN THE FIRST INSTANCE:

https://github.com/troubadoour/apparmor-profile-start-tor-browser/blob/master/etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser


Cut and paste the text of the latest profile (they are updated over time due to broken functionality) and save into profiles directory. That is:

1) copy the content of "home.*.tor-browser_*.Browser.firefox" in an editor (most likely gedit for you)
2) Save and copy it (as root) in /etc/apparmor.d


Run in terminal:

sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox



Reload the profile in the kernel:
 

sudo apparmor_parser -r home.*.tor-browser_*.Browser.firefox




Now modify /etc/default/grub. The last line must be edited so appamor is set (=1)

 

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="vga=0x0317"
#GRUB_CMDLINE_LINUX=" selinux=1 security=selinux"
GRUB_CMDLINE_LINUX="security=apparmor apparmor=1"


Update grub by running in terminal:
 

sudo update-grub

sudo reboot




For additional assistance with this profile, see the Whonix forums:

https://www.whonix.org/forum/index.php?topic=423.0


CONCLUSION

Apparmor is available to Linux users (Windows refugees) and provides some basic protection from zero days and other exploits, so it is worth installing basic profiles if you are security minded. Proper security requires you tighten up the profiles over time (especially Firefox), which are not overly restrictive in the first instance.

Debian users can also benefit from pre-existing Tor profiles that are easily incorporated and quite restrictive. Ubuntu (Mint) users can also modify this profile for their own use.

Cheers

Bigbrosbitch

 












 

Share this post


Link to post

Additional Step #27: Put Skype in an Apparmor Box

If you must install Skype (do you really need it?), put this hostile binary in chains. Follow these steps for Linux:

https://airvpn.org/topic/15181-how-to-put-skype-in-a-box-linux/


Additional Step #28: Created a Hardened Firefox Profile

Follow the instructions here to create a new user.js profile that tears out a couple of hundred (?) privacy/security related weaknesses in FF 41.0.2:

https://airvpn.org/topic/15769-how-to-harden-firefox-extreme-edition/


Additional Step #29: Securely Configure Thunderbird for Desktop Email & Create a 4096 bit PGP Encryption Key-pair


RESOURCES

https://www.futureboy.us/pgp.html
https://ssd.eff.org/en/module/how-use-pgp-linux
https://www.securityinabox.org/en/guide/thunderbird/windows
https://alexcabal.com/creating-the-perfect-gpg-keypair/
https://www.gnupg.org/faq/gnupg-faq.html
https://micahflee.com/2014/06/the-universe-believes-in-encryption/
https://prism-break.org/en/subcategories/gnu-linux-email-accounts/
http://www.prxbx.com/email/

https://support.mozilla.org/en-US/kb/configuration-options-security

INTRODUCTION

Edward Snowden was recently quoted as acknowledging people must take back their universal human rights with the power of mathematics (encryption), rather than wait for hopelessly outdated laws - and corrupt political systems - to be reformed:
 

Today, we can begin the work of effectively shutting down the collection of our online communications, even if the US Congress fails to do the same. That’s why I’m asking you to join me on June 5th for Reset the Net, when people and companies all over the world will come together to implement the technological solutions that can put an end to the mass surveillance programs of any government. This is the beginning of a moment where we the people begin to protect our universal human rights with the laws of nature rather than the laws of nations.

Thus, lets look at the basic steps to configure Thunderbird desktop email client securely on your new GNU/Linux system and use the laws of the universe to our benefit.

It is relatively simple to create a strong PGP encryption key-pair for your email account to at least protect its content and attachments, but unfortunately not its meta-data.


INSTALL THUNDERBIRD / GnuPG / ENIGMAIL

- Thunderbird is your desktop email client - a modified Firefox browser
- GnuPG is the software which uses the open PGP encryption standard
- Enigmail is the plug-in for Thunderbird which will allow us to encrypt/decrypt and digitally sign emails

In Linux Mint, run the following in a terminal:

sudo apt-get install gnupg thunderbird enigmail

For Debian users, Icedove is simply rebranded Thunderbird, so you can run:
 

sudo apt-get install gnupg icedove enigmail

Debian users can just replace 'Thunderbird' with 'Icedove' in the following instructions and everything should still work okay.


CREATE A PSEUDO-ANONYMOUS EMAIL ACCOUNT

As recommended by prism-break.org:
 

Switching from a proprietary service like Gmail to one of the more transparently-run email services on PRISM Break is the first step to a secure email account.*

So, choose an alternative from the following list that preferably is free, is accessible via free mail clients, strips IP in sent mail/server logs, has encrypted data storage, a good SSL rating and other features you like. It is even better if you can create a new account via Tor; not all providers will allow this.

http://www.prxbx.com/email/

Use a 7-word (minimum) diceware passphrase for your password. Do not choose anything in the email account name that is linked to you or identifies you or your preferences/history/background in anyway. For example, ManchesterUnitedFan@xyz.com is bad opsec.

* Don't forget that common providers GMail, Yahoo and Hotmail are all part of NSA's PRISM program, meaning your shit goes straight to the Death Star. Choose not to be assimilated. Setting up Thunderbird with gmail also requires special settings due to two-factor authentification. See: https://support.google.com/mail/answer/1173270?hl=en


ADD NEW EMAIL ACCOUNT

When you run Thunderbird the first time, it can set up existing email addresses for most popular free email services. When it offers a new email address, select:
 

Skip this and use my existing email

Enter your new (fake) name, email address and diceware passphrase. Uncheck "Remember password" and hit 'done'.

If you are lucky, your configuration will automatically be found in the Mozilla ISP database and you will be faced with the choice of IMAP (remote folders on email server) or POP3 (mail is kept on your computer).

Most users will want to use IMAP, since it is generally considered more secure and will allow many different email clients or interfaces to access emails on remote servers, rather than the inconvenience of one computer. Further, IMAP elimates the risk of a stolen/lost laptop with a treasure trove of emails inside.

If you need to manually set up your account, check with the provider's website re: standard SMTP and IMAP settings. You will need to know for IMAP:
 

- Account username e.g. your_new_account@provider.com;
- IMAP (incoming) mail server settings i.e. server name e.g. imap.emailprovider.com;
- IMAP connection security (SSL/TLS is better than STARTTLS protoocol);
- IMAP associated port defaults (143 is common for STARTTLS, 993 for SSL/TLS); and
- Password authentification protocol (usually "normal password").

For SMTP (outgoing server), you'll need to know:
 

- Account username (obviously);
- SMTP (outgoing) server settings i.e. server name e.g. smtp.emailprovider.com;
- SMTP connection security (SSL/TLS is better than STARTTLS protoocol);
- SMTP associated port defaults (25 is common for STARTLS, 465 for SSL/TLS); and
- Password authentification protocol (usually "normal password").


STRENGTHEN GENERAL THUNDERBIRD SECURITY SETTINGS

1. Disable "Global Search and Indexer" feature to optimize performance:

 

Tools | Options | Advanced Tab

 

2. Disable the Preview Pane (can triger malicious code in emails):

 

Options | Layout | Message Pane

 

3. Disable HTML (threats similar to malicious web pages):

 

Options | View | Message Body As | Plain Text)

4. Under Menu | Options, click the security tab and check box for 'suspected email scam'

5. Confirm remote content is turned off (this is the default setting). Remote content leaks details about what app/platform you are using, your current rough IP approximation, that your email address is active ('alive'):
 

Thunderbird | PreferencesTools | OptionsEdit | Preferences, followed by selecting the Privacy panel.

If the Allow remote content in messages checkbox is ticked, UNCHECK IT.

6. Don't use Thunderbird for anything else but email i.e. no browsing, news groups etc.

7. Configure what should happen to messages flagged as junk (for an account) - set to trash can and immediately delete on remote server:
 

Menu location: ToolsEdit | Account Settings | <account name> | Junk Settings

8. Consider setting SpamAssassin or SpamPal headers for junk mail filtering*
* Possible risk on Fedora/FreeBSD with setuid set to root? Check manually.

9. Configure what should happen to messages flagged as junk (for local folders - set to immediately delete as best practice):
 

Menu location: ToolsEdit | Account Settings | Local Folders | Junk Settings

10. Under Account Server Settings, check "When I delete a message - Remove it immediately" & "Message Storage - Empty Trash on Exit":
 

Menu location: Account Settings | Server Settings

11. Configure Cookies (you shouldn't need this, as you won't be browsing with Thunderbird, but set it to kill cookies anyway):
 

Menu location: Thunderbird | PreferencesTools | OptionsEdit | Preferences | Security | Web Content

Specify which sites are allowed to set cookies (none):
 

Menu location: Thunderbird | PreferencesTools | OptionsEdit | Preferences | Security | Web Content

12. View or delete passwords for email accounts:
 

Menu location: Thunderbird | PreferencesTools | OptionsEdit | Preferences | Security | Passwords

13. (Re)configure any encryption settings for sending messages that you don't like (for the selected identity once it is set up by the Wizard):
 

Menu location: ToolsEdit | Account Settings | <account name> | Manage Identities | <identity> | Security

14. Do NOT synchronize or store messages for the account on your local computer (this is the default setting)

15. Do NOT send return receipts (potential privacy/security risk):

 

Account Settings | Return Receipts | "Never send a return receipt"

16. Debian users should enforce the icedove apparmor profiles that ships with Jessie by default (check the profile names, I'm guessing here)* e.g:
 

sudo aa-enforce /etc/apparmor.d/usr.bin.icedove
sudo aa-enforce /etc/apparmor.d/usr.lib.icedove.icedove

*Advanced users can port this profile to Linux Mint by making minor changes to the available Icedove apparmor profiles (don't reinvent the wheel). If so, post it here in the forums so we can all use it. Hint, hint: OmniNegro, Troubadour, Mirimir and other geniuses....

CREATE A 4096-BIT ENCRYPTION KEY

Now we have a fresh email account, a strong passphrase and a solid email client to work with. We should check GnuPG was successfully installed, our Enigmail add-on is present, and we can create a suitable large encryption key to protect our future communications and attachments at our leisure.

All going well on your first run of Thunderbird, you will be offered an Enigmail Setup Wizard to allow for the creation of keys. If not, click on the 'hamburger menu' (three horizontal lines button in top right of screen) and manually select "Enigmail" -> "Setup Wizard".

If this is not present, select 'Add-ons' from the same hamburger menu and re-install Enigmail. Also double check that GnuGP is found by Thunderbird under the /usr/bin/gpg folder (see Enigmail preferences tab to confirm).

Wizard basic steps:

1. Choose "Convenient auto encryption" or "Don't encrypt messages by default"
2. Choose "Don't sign all my messages by default"*
3. Allow Thunderbird to change default settings to make Enigmail work better (disables flowed text, view message body in plain text, never compose HTML messages)**
4. Review changes and select OK button.

* Encryption protects content, but digital signing confirms that the contents of the message were not tampered with in transit and that the sender is not a imposter. NOTE: It is dangerous to signal to others that you use PGP (even with signing only) in parts of the world where encryption for personal use is illegal e.g. China, Iran, Belarus, some Middle-East states.

** HTML can cause problems in encryption/decryption of your email. However, you lose the ability to send bold, underlined, coloured text etc.

5. Select "I want to create a new key pair for signing and encrypting my email" (since we have a fresh new account and don't wish to import existing keys)
6. Choose a very strong passphrase for your new encryption keys - a 10 word diceware passphrase (approximating 400 bits+ in strength) should keep the computers at bay for a while
7. Choose a 4096 bit length key and lifespan of 5 years (should be set by default)*

* If you think that in your life-time, you won't lose your key, stop using PGP, or allow hostile/malicious parties unauthorised access to your private key, then by all means extend this lifespan to a greater length or even "never expire"

8. Key generation can take several minutes to complete at this stage. Well done! You have generated your private-public encryption keys (stored in the browser).

9 When it has finished, confirm that you DO want a revocation certificate for your key (if you ever lose your key or want to revoke it, this certificate is essential). Save the revocation certificate in a safe place e.g. USB or encrypted disk and back it up.


KEY IDS

1. Identify both your short (8-digit), long (16-digit) and key ID fingerprints (40 digit) by selecting "Key Management" under Enigmail options.
2. Your name, email and short "Key ID" will be displayed by default. The short (public key) ID will be something like:
 

ED873D23

3. Select the small button next to the "Key ID" column and choose "Fingerprint".
4. Drag the width of this column to display your last 16 digits of your ID, and then your entire 40 digit fingerprint. Your ID should look something like:
 

Short Key ID: ED873D23
Long Key ID:  5F2B4756ED873D23
Fingerprint:  EC2392F2EDE74488680DA3CF5F2B4756ED873D23

Note that the long and short key IDs (of any key) are just the last 16 or 8 digits of its respective fingerprint.


OPTIONAL STEP - INCREASE THE STRENGTH OF YOUR PGP ENCRYPTION KEYS
 

By default, gpg uses weaker encryption (and hashing) algorithms than it could. This is to ensure compatibility with older versions. Part of your public key specifies your preferences for the encryption algorithms that you want people to use when communicating with you. These are, by default, somewhat weak. You can view and modify these preferences to make your communications stronger.*

* This also means that if you're encrypting to several people at the same time, you can only use the strongest algorithm that the weakest person uses!

1. View gpg algorithms supported by gpg in terminal:
 

gpg --version

The output will look something like:
 

gpg (GnuPG) 1.4.18
Copyright © 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

2. Modify your public key's preferences by interactively editing your key:
 

 gpg --interactive --edit-key your@email.address

3. At the gpg prompt, check your current algorithm preferences with:
 

showpref

You will see something like:
 

Cipher: AES, TWOFISH, CAST5, BLOWFISH, 3DES
Digest: RIPEMD160, SHA1
Compression: ZLIB, ZIP, Uncompressed
Features: Keyserver no-modify

Protocols listed first are used first.

4. Set far stronger preferences with the setpref command.*
 

setpref AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 TWOFISH CAST5 3DES SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 ZLIB BZIP2 ZIP Uncompressed

* This decision is informed by personal preferences for stronger hashes and more modern ciphers as per the GnuPG FAQ sections 7 & 8. Choose your own poison if you are not happy with the above selections.

5. Enter your encryption password to confirm your updated choice of algorithms. Check that it worked by entering the command:
 

show pref

5. Enter the command:
 

Save

To make your changes permanent.


BEFORE SENDING ENCRYPTED EMAIL

Learn from the resources list how to:

- Send you public key as an attachment to an email
- Import a correspondent's public key
- Validate and sign a key pair safely (does the key really belong to the person who supposedly sent it? You MUST check digital fingerprints with eachother over VOIP or similar first!)
- Search for keys on the public key servers attached to specific email addresses
- Upload a public key to a key-server (not generally advisable)

Learn about critical encryption practices:

https://www.futureboy.us/pgp.html#GoodPractices
 

- Don't be predictable
- Don't be polite
- Don't send HTML-formatted encrypted emails
- Don't include .sig (signature) attributes in your emails
- Don't quote previously unencrypted text
- Don't encrypt the same message multiple times
- Don't have encrypted and unencrypted versions of the same information
- Garbage is good
- If it's received encrypted, store it encrypted
- Don't encrypt stuff from untrusted sources

WARNING

- Meta-data is not protected by encryption! Subject lines, times/dates of emails etc are vulnerable!
- Using inline PGP for attachments sends the names of the attached files in clear text!
- Use PGP/MIME option to ensure all email text, attached files and their names are encrypted and hidden
- Encryption AND digital signatures are necessary. Without signing, you can't be sure if someone is the 'real sender' they claim to be (could be spoofed) and whether the message has been tampered with on its way through the Matrix!
- Your private key is precious. Don't export the public-private key pair and have it sitting in your home folder or somewhere else retarded. If it is lost, stolen or likely fiddled with by an adversary, consider the keys tarnished, and start all over again (revoking the old pair).
- PGP is far safer from the terminal than from a GUI and Enigmail CAN be buggy. If you don't want to run a fancy plug-in that poses more attack vectors and potential data leakage than necessary, than manually encrypt/decrypt your messages and attachments from the terminal with this simple guide:

https://www.futureboy.us/pgp.html#ManuallyEncrypting

- Standard attachments encrypted with PGP/MIME or S/MIME can fail or best lost if the recipients email client can't handle them! Prevent this possibility by using ASCII-armored OpenPGP blocks in the email body, so any email client can handle it. For example, at the terminal:
 

gpg --armor --encrypt --sign -r your@email.com -r recipient@email.com filename

 

Best of luck!

Share this post


Link to post

ADDITIONAL STEP #30: RUNNING WHONIX 11 IN VIRTUALBOX

PREAMBLE

If you have followed me on this long journey, so far you have successfully achieved several major milestones:

1. Transitioned from pure Win10 Spyware Edition to a hardened Linux Mint 17.2 dual boot arrangement with encrypted home drive and latest software & kernel.

2. Created ridiculously hard to break passphrases on all accounts (diceware) and stored them all in KeyPass-X with a master passphrase (stored on separate air-gapped media).

3. Created a decent password on your BIOS system, disconnected webcams, disabled internal microphones, disabled UpNP, updated firmware (where possible and safe), password protected your router & disconnected wireless networking (or set to WPA2 at a minimum).

4. Removed all your personal, financial and other sensitive documents from your peripherals/drives connected to the military-Net, and stored them on air-gapped media that is suitably encrypted with FOSS (LUKS, ecryptfs).

5. Regularly shred documents on your HDD/SDD/USBs to prevent file recovery by miscreants (Bleachbit).*

* FYI - best practice to safely and completely wipe peripherals is to delete pre-existing partitions, create one entire encrypted partition on your destination media that takes up the entire space, then wipe the media with various cleaning tools - see TAILS documentation for further information.

6. Wiped meta-data off all files that you share with Metadata Anonymisation Toolkit.

7. Disguised your OpenVPN fingerprint and set a network lock to prevent anything travelling outside the VPN tunnel.

8. Disabled IPv6.

9. Removed time/date stamps that are otherwise completely unique.

10. Reduced your attack surface significantly on your Mint 17.2 system via removal of unwanted software for a standard desktop user e.g. all server crap, remote logins/desktop sharing/viewing/file transfers etc.

11. Checked your network settings manually to confirm you are not inviting strangers to hack your ass with any open/listening ports (netstat etc).

12. Installed Tor safely by confirming the authenticity (non-corrupted) status of the file and checking cryptographic signatures.

13. Regularly run Tor over VPN (VPN -> Tor) due to multiple fingerprinting vectors with standard browsers THAT IDENTIFY YOUR ASS even if you sit behind a VPN; most probably due to a unique combination of FF settings, add-ons, themes, syncing behaviour, languages and multiple plug-ins leaking loads of information on every site you visit.

14. Run the latest version of Tor with the highest possible privacy and security settings set in the slider to make your signature indistinguishable from the 1-2 million other active, daily Tor users; .onion addresses are used whenever and wherever possible (to stay within the Tor network).

15. Created a hardened FF profile to go alongside your completely fingerprintable 'default' Mozilla settings profile (which is sub-standard for a company pretending to care about privacy/security).

16. Set Apprmor system wide to restrict dangerous behaviour by various software apps - you should now have 50+ Apparmor enforced profiles running in the kernel.

17. Set Apparmor to put chains on that hostile Windoze binary your 'better half' made you install (Skype).

18. Installed Thunderbird as your new email client with a pseudo-anonymous account that is not part of PRISM and configured it securely to reduce risks posed by HTML, malicious email scripts etc.

19. Created a 4096 bit PGP encryption public-private key pair, with the strongest available hashing and encryption algorithms available to protect your email content and attachments from the fascists at your discretion.

20. Installed a range of the best suitable FOSS to use as safe alternatives for encrypted communication e.g. OTR with Pidgin, Jitsi, Onionshare etc.

21. Have the best available FOSS to create encrypted stand alone folders, volumes, partitions and drives (LUKS, e-cryptfs).

22. Daily clean out your (many) electronic trails from your devices with Bleachbit, including zeroing out your HDD/SSDs on occasion.

23. Recently cloned your working dual boot system with Clonezilla or dd command to safeguard any catastrophic events with your current working system.

Well done!

In contrast, the regular "Joe the Plumber" (your neighbour) is running stand-alone Windoze 10 in default mode (post-CISA bill) and is a victim of:

1. Proprietary code that is backdoored harder than a platinum-blonde porn queen in all areas: full-disk encryption (FDE), O/S level privacy, (in)security of all files/folders stored on Windoze file systems, 'encrypted' apps / protocols / communications that are all "NSA-Approved TM".

2. Runs PRISM-mail and Snoop (Skype) almost every day - feeding the freshly booted Utah data centre with information in clear text/audio/video.

3. Is effectively 100% open to exfiltration of all browsing, O/S information, personal data/files and constitutionally protected communications via shameless 'privacy' and EULA arrangements, and the recent passage of a number of Stasi Bills.

4. Trusts data-fiddling, third-party corporate psychpaths with their entire digital life despite Micro$haft, Giggle, Yahooze, Fraudbook and other collaborators assisting the military-industrial complex daily in harvesting everything - in CLEAR violation of international and domestic laws, agreements and charters.


TAKING PRIVACY, SECURITY & ANONYMITY TO THE NEXT LEVEL WITH WHONIX*

* I have shamelessly ripped off the best work of Micah Lee, Patrick Schleizer (lead developer, whonix.org) and Whonix documentation for this post, instead of re-inventing the wheel. Significant support for Whonix can be found in available on-line documentation, the FAQ and forum posts.


RESOURCES

https://en.wikipedia.org/wiki/Whonix
http://www.tecmint.com/install-virtualbox-on-redhat-centos-fedora/
https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad
https://www.whonix.org/
https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Comparison_of_Tor_and_VPN_services
https://www.whonix.org/wiki/Comparison_with_Others
https://www.whonix.org/wiki/Data_Collection_Techniques#Active_Web_Contents
https://www.whonix.org/wiki/Features
https://www.whonix.org/wiki/Post_Install_Advice


INTRODUCTION

While your current hardened dual-boot setup has significantly improved your security, privacy and anonymity, it is unlikely to be sufficient against global adversaries.

Passive, global systems are already in place which harvest 100% of encrypted/unencrypted data they intercept. Since approximately 80% of the worlds internet traffic passes over US soil due to their dominant position in controlling internet infrastructure, this means 80% of YOUR data, right now, is being intercepted and kept in immense racks of data servers - possibly forever.

Passive systems also search for possible unique signatures attached to things like emails, messaging, VOIP, browser profiles, O/S indicators, MAC addresses (if/when revealed), names of computers on LAN (if/when revealed), and even the potentially unique profiles generated by your system when it does your hourly updates (consider how many unique PPAs you might have installed!?).

Therefore, resist the temptation to assume you are now secure in your computing activites solely because you run GNU/Linux in combination with OpenVPN and Tor. Carefully consider the advice of experts below, who STRONGLY advocate the use of a virtual environment for enhanced privacy, security and anonymity.


UNDERSTANDING DATA MINING THREATS YOU FACE ON THE INTERNET EVERY DAY

 

Cookies:

Cookies are used to identify and remember a web surfer. Without cookies, certain services would be complicated or impossible to implement. If a user requests a page from a webserver, it cannot readily match requests of previous pages requested from this server to that same user: HTTP is a stateless protocol.
...
But cookies can also be abused to track your steps on the Internet. This works exceptionally well with web portals (e.g. Yahoo) and search engines (e.g. Google), for you use these a lot in order to reach other websites. With cookies, a web host can record large parts of your surfing behavior over a span of years and easily relate it to you as a person with your "accumulated" profile data. Most Internet users have collected hundreds of cookies from various websites on their PC without their knowledge.

Evercookies

Ad and tracking networks are moving on to use more sophisticated methods to distinguish each user. Flash-Cookies (LSOs) have been deployed for the last several years to recover deleted cookies with the same identification properties. Clearspring Technologies, Inc. had been using this technique successfully (until it got sued in 2010) and boasts of its precise data collection of 200 million Internet users.

In a study of the University of California, Berkeley the methods of Space Pencil, Inc., aka KISSmetrics, were exposed which, in addition to cookies and flash cookies, used cache cookies via ETags, DOMStorage and IE-userData in order to distinguish each user. KISSmetrics got sued as well and is going to dispense with using Etags. It is also going to respect the "Do Not Track" HTTP header.

The tracking service Yahoo! Web Analytics is making claims about being able to set cookies on 99.9% of the users. This indicates that cookie-generating JavaScript and/or Flash cookies are deployed.

Active Web Contents

Web content accessible by browser plugins such as Flash, Java, ActiveX and Silverlight renders the Web more dynamic and colorful but also more dangerous, for they allow websites to execute code on your PC. If executed, these plugins are able to read many details about your computer and network configuration and send it to a remote server. By certain techniques, they can also read and edit files on your machine and in an extreme case even gain complete control over it.

Especially beware of signed Java applets: by accepting its signature, and by extension the applet, the visited webserver automatically receives all user rights on your machine. In particular, it may then read your IP address, your MAC address and even hard disk contents.

JavaScript

The browser is a bit better protected against attacks on your privacy using JavaScript ("scripts", "active scripting") than against those using the aforementioned plugins. but also it is not completely safe, though. Do not confuse JavaScript with Java or the active Java plugin, respectively, which is a completely different thing despite the similar name (see above).

It is possible to compromise the browser or operating system using software exploits or a maliciously-crafted website. An attacker can, for example, inject malicious JavaScript code by Cross Site Scripting and thus try phishing for login creditials, bank accounts or other sensitive data.

Using JavaScript, it is possible for web masters to access lots of information about your browser, your desktop settings, and your hardware. All this information may be accumulated into an individual fingerprint of a particular user. A user may be recognized by this fingerprint.

Fingerprinting of Browser (HTTP) Header

With every request for a webpage, browsers send information within the framework of the HTTP protocol that can be analyzed by the visited site: language, browser name and version, operating system and version, supported character sets, files, codecs and the last visited webpage. Sending these headers is usually not necessary for rendering websites, but it can be exploited for reidentifying, profiling, and analyzing websurfers.

Browser History and Cache

1% of the top 50,000 websites collect information about web surfers via history sniffing. Using malicious JavaScript code and CSS hacks, information about previously visited websites is collected. Webmasters who are not familiar with sniffing technologies can use services like Tealium or Beencounter for real-time history sniffing.

Collected information is not only used for advertisements. It can be used for de-anonymization of surfers too. A publication from Isec shows one possible way. Using the browser history the visited groups of the social network site Xing were collected. Because there are generally no two people who are members of the exact same set of groups in a social network, it was possible to get the real names and e-mail addresses of the users.

By certain trickery, websites can tell which websites are saved in your browser history. For this, the visited website embeds special formatting commands (CSS Stylesheets) that contain external links "of interest" on the pages you visit. If you have visited one of the external websites before, your browser will react by executing a command defined in the format, e.g. download a small picture from the website. The website can thereby largely guess the contents of your browser history.

From the contents of your browser cache one can conclude already cached, thus previously visited, websites. Together with every website an ETag is sent by the server and stored in the browser cache. If the website was called again, the Etag is sent first to ask for changes. This tag may contain a unique user ID. KISSmetrics was using ETags in this way to identify visitors of some TOP100 websites.

Additionally, the time required for loading a website changes when part of it is already in the browser cache. By subtle placement of the images on the website, the server can analyze the cache one by one.

Webbugs and Banner Ads

Very likely, you will find one or more cookies in your browser from data miners such as doubleclick.com, advertisement.com or Google, although you may have never even visited their websites. This is due to the fact that these enterprises use, on other web sites, a simple trick to nevertheless plant cookies in your browser and watch your browsing: Webbugs.

"Webbugs" are usually pictures of 1 pixel by 1 pixel which are therefore invisible to the viewer. However, they can also be coded into banner ads embedded in a website. The website contains a picture (webbug) that is loaded from another server running a statistics service (such as Doubleclick or Google Analytics). Thereby the statistics service may set or edit a cookie in your browser unnoticeably. The browser will then send this cookie back to the statistics service with every new request for a site where any webbug of this service is embedded. If the service is used on many different websites, it can now track large parts of your browsing session. If the owner of the statistics service moreover collaborates with the owner of your preferred search engine, he gets an almost complete picture of your Internet activities.

...

Another nasty feature of webbugs is, that they send, besides cookies, also your #IP address to the statistics service upon request. Even with a very good browser configuration, including switching off cookies and using webbug filters, you are never able to reliably prevent this. The only effective methods of protection against this are anonymization services like Tor.

TCP Timestamps

The Transmission Control Protocol (TCP) is a session-layer protocol for transferring data between computers. It is necessary for using Internet protocols like http (WWW), smtp (E-Mail) and ftp. When your computer sends a request for a web site, for example, this data is sent within many small TCP packets. Besides that request data, a TCP packet also contains some optional information fields in the header (metadata). One of those optional fields is the TCP timestamp. The value of this timestamp is proportional to the current time of your computer and is incremented according to your computer's internal clock.

The timestamp may be used by the client and/or server machine for performance metrics and optimization. However, an Internet server may recognize and track your computer by observing those timestamps: By measuring the clock skew of the timestamps, it may calculate an individual clock skew profile for your computer. Moreover, it may estimate the time when your machine was last booted. These tricks work even if you have otherwise perfectly anonymised your Internet connections.

IP Address

The IP address is given to you by your provider on dialing into the Internet. The provider usually saves it for months or even years together with your customer data and your online time. It is your distinct identifier on the Internet which is sent along whenever you make a direct connection to any Internet service. The IP address tells the server where to send his response. As long as your IP does not change, it is easy to monitor when and what website you have contacted. The IP also reveals your provider, your location (many times) and sometimes (in case of a company or computer center) even what terminal you are on. In many cases, an IP address relates directly to one person.

All that your IP-address is revealing:

    Your current whereabouts

The country and the city/region where you are. With the help of databases free of charge or with costs even districts and office buildings can be identified. This is called geolocation.

    Your Internet-provider

Personal data can be retrieved using your provider.

    Your access technology

With the help of databases one can find out whether you are using, for instance, DSL, a modem or a mobile device to surf the Web.

    Your company / your authority

In the case where you are surfing from within the network of a company or an authority, its name can be find out.

MAC Address

The MAC address (MAC=Media-Access-Control, sometimes also called Ethernet-ID, Airport-ID or physical address) is the hardware address of each individual network device. Each computer may have several of such physical or virtual network devices (bound to a cable (LAN), wireless (WLAN), mobile (GPRS, UMTS), virtual (VPS), ...). The MAC address serves as a unique identifier for the respective device in a local area network. On the Internet, it is neither used nor transmitted. Also, your access provider may only see it if your computer is not connected to the Internet over a router, but directly, for example by a modem.



WHY ISN'T A TRUSTED VPN PROVIDER ENOUGH TO PROTECT ME ON THE INTERNET?

 

1. If you run the VPN software directly on the same machine where client software such as the web browser runs, Active Web Contents can read your real IP address. This can be prevented, if you use a virtual or physical VPN-Gateway or your router, but a lot of data about your computer and network configuration may still be read.

Some providers force the user to use their proprietary closed source software or don't allow for reputable VPN software, such as OpenVPN.

 

2. On one hand, their software usually does not ensure that users have a uniform appearance on the Web alongside their IP address. The users are thus distinguishable and easily identifiable by merging the data. And on the other hand, a local observer on your network (ISP, WLAN) could guesstimate websites requested over VPN simply by analyzing size and timing of the encrypted VPN data stream (Website Fingerprinting Attacks). Tor is quite resilient against this attack (a scientific article which demonstrates the attack is found here; the success rates are over 90% for VPNs).

 

3. Moreover, VPN systems, as inherent to their functional principle, normally do not filter or replace your computer's TCP packets. They thereby do not protect you from TCP timestamp attacks as Tor does.

 

4. Even when using a virtual or physical VPN-Gateway, due to browser fingerprinting problems it's only pseudonymous rather than anonymous.

 

5. Its trivial to trick client applications behind a VPN to connect in the clear.

 

6. Most VPNs fail open and don't configure basic crypto properly - if they even use a proper cipher at all.

 

7. The Snowden Documents describes a successful internet-wide campaign by Intelligence Agencies for covert access to VPN providers' servers.

 

8. You should also keep in mind that VPN hosts can, unlike Tor, track and save every step of yours, since they control all servers in the VPN. They and anyone else who has access to their servers, either knowingly or unknowingly, will have this information as well.

9. VPN providers only offer privacy by policy, while Tor offers privacy by design. A VPN provider can claim not to log, but you'll never know until it's too late. When using Tor, you also never know, if any of the three hops keeps logs. One malicious node will have less impact. The entry guard will not know where you are connecting to, thus it's not a fatal problem if they log. The exit relay won't know who you are, but can see your unencrypted traffic, which can be a problem if you send sensitive data (which you are advised not to do), but if you act accordingly, it isn't a problem. It's unlikely (thus not impossible), that you choose a circuit where an adversary controls all three nodes. However, while using VPN providers you're putting all trust into the policy of one provider, using Tor distributes trust.

10. Don't get fooled by advertisements for Double, Triple or Multi Hop VPNs. Unless it's the user, who builds it's own custom VPN chain by carefully choosing different VPN providers, owned by different companies, you're still fully trusting only one provider. 



WHY USE A VIRTUAL MACHINE ENVIRONMENT OVER THE TOP OF LINUX MINT?
 

All major consumer operating systems, including Windows, Mac OS X, and Linux, are way too easy to hack. One mishap — opening the wrong email attachment, installing malware that pretends to be Flash, not updating your software quickly enough — and you’ve given the keys to the kingdom to an attacker.

If that attacker gets the ability to run programs of their choice on your computer, as they often aim to do, they have access to all of your files. They can start logging your keystrokes, taking screenshots, and even listening to your microphone and watching through your webcam.

A virtual machine (VM) is a fake computer running inside your real computer. Each VM gets to use a chunk of your computer’s memory while it’s running and has its own virtual hard drive, which is just a file on your real hard drive. You can install operating systems in them and you can install and run software in them. You can save snapshots before you do something potentially dangerous and restore the snapshot when you’re done, returning your VM to its previous state.

In virtualization lingo, the operating system that you’re running right now is called your “host,” and every VM that you run is a “guest.”

If a guest VM gets hacked, your host remains safe. For this reason, security researchers often use VMs to study viruses: They unleash them on their guest VMs to safely monitor what they’re trying to do and how they work, without risking their host computer. They “isolate” the viruses from the rest of their computer.



WHY USE WHONIX? WHAT ABOUT OTHER DISTROS IN A VM?
 

Whonix is an operating system that you can install on your existing computer inside VirtualBox, and that forces all network traffic to go over the anonymity network Tor.

Whonix uses two VMs, called Whonix-Gateway and Whonix-Workstation, to maximize anonymity protections. The gateway VM acts as the upstream internet provider for the workstation VM, and it forces all network traffic to go over the Tor network. The workstation VM is where you use Tor Browser, as well as any other software that you wish to use anonymously.

If you get hacked, for example with a Tor Browser exploit like the one that the FBI used, not only is the attacker contained inside of this VM and unable to access your host machine, but the attacker can’t deanonymize you either. All network connections that the attacker makes will go through the gateway VM, which forces them to go through Tor.

Whonix is great because you can be confident that everything you do in the workstation VM is anonymously going through the Tor network. This means that hackers won’t be able to deanonymize you, unless they can escape from your VM.

You can use chat software like XChat to connect to IRC servers anonymously, or Pidgin to connect to Jabber servers for anonymous encrypted chats, or Icedove and Enigmail to send anonymous, encrypted email.

PRIMARY WHONIX ADVANTAGES
 

The greatest benefits of Whonix include a far smaller attack surface (Virtualbox), IP or DNS leaks are impossible, and your unique MAC address serials are hidden from malicious software and applications (MAC addresses are hidden from destination servers by default):

1. All applications, including those, which do not support proxy settings, will automatically be routed through Tor.

2. Installation of any software package possible.

3. Safe hosting of Hidden Services possible.

4. Protection against side channel attacks, no IP or DNS leaks possible.

5. Advantage over Live CD's - Tor's data directory is still available after reboot, due to persistent storage. Tor requires persistent storage to save its Entry Guards.

6. Java / JavaScript / flash / Browser Plugins / misconfigured applications cannot leak your real external IP.

7. Protection against IP/location discovery through root exploits (Malware with root rights) inside Whonix-Workstation.

8. Uses only Free Software.

9. Building Whonix from source is easy.

10. Tor + Vidalia and Tor Browser are not running inside the same machine. That means that for example an exploit in the browser can't affect the integrity of the Tor process.

11. It is possible to use Whonix in conjunction with VPNs, ssh and other proxies. Everything is possible, as first chain or last chain, or both.
    
12. Best possible Protocol-Leak-Protection and Fingerprinting-Protection.

13. Private obfuscated Bridges (obfs2/3/4) can be added to /etc/tor/torrc.

14. Whonix-Gateway can also torify Windows.

15. VM host time differs from operating system time.

16. Works on 32 and 64 bit builds.


INSTALL AND CONFIGURE WHONIX 11 IN LINUX MINT

If you read the preceding material carefully, you should now be convinced that your 'rock-solid, anonymous' desktop system is perhaps a little frail, weak and infirm. In fact, there is a high likelihood you have been signalling your every move to the Stasi, even while sitting behind the AirVPN servers.

So, without further delay, lets remove some of your understandable paranoia:

1. Install VirtualBox 5.0

In terminal, to remove any older version of VirtualBox run:
 

sudo apt-get remove virtualbox-4*


Install VBox 5.0 via Synaptic Manager:*

* Earlier advice re: debian package is outdated. VBox5 is now available.

 

Menu | Administration | Synaptic Package Manager

 

Search for "VirtualBox" & Install v5.0

VirtualBox can now be run from the terminal ("VirtualBox") or from the menu.

2. Download Whonix Gateway & Whonix Workstation (3.1GB in total)

Download the necessary files and OpenPGP signatures from this location:*
 



* Anonymous downloads are possible using Tor Browser bundle. Download security without verfication is low (medium risk for torrent downloads).

3. Verify the Whonix images & import developer's PGP signing key*

* Checking the integrity of the virtual machine images you just downloaded is critical to make sure no man-in-the-middle attack or file corruption happened. This can take several minutes.*

 

*  I forgot to add that you should download Patrick's key at this point here. So, do the following:

 

https://www.whonix.org/wiki/Whonix_Signing_Key

 

Download the PGP key used to sign off the software:

 

https://www.whonix.org/patrick.asc

 

Store it as ~/patrick.asc.

 

Check fingerprints/owners without importing anything:

 

gpg --with-fingerprint patrick.asc

 

It should show the following:

pub  4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDAsub  4096R/CE998547 2014-01-16 [expires: 2016-10-05]sub  4096R/119B3FD6 2014-01-16 [expires: 2016-10-05]sub  4096R/77BB3C48 2014-01-16 [expires: 2016-10-05]

Import the key:

 

gpg --import patrick.asc

 

The output should look like:

 

gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" importedgpg: Total number processed: 1gpg:               imported: 1  (RSA: 1)

To verify Whonix-Gateway, in terminal, run:
 

cd [the directory in which you downloaded the .ova and the .asc]

gpg --verify-options show-notations --verify Whonix-Gateway-*.ova.asc Whonix-Gateway-*.ova


If the VM images are fine, you should see a message saying:
 

gpg: Signature made Mon 19 Jan 2015 11:45:41 PM CET using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [unknown]
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=Whonix-Gateway-9.6.ova
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
     Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48


If you see a bad signature like below, delete the image, download and try again:
 

gpg: Signature made Sun Nov 25 21:48:54 2012 UTC
gpg:                using RSA key 77BB3C48
gpg: BAD signature from "Patrick Schleizer <adrelanos@riseup.net>"


4. Repeat step three for Whonix-Workstation:
 

cd [the directory in which you downloaded the .ova and the .asc]

gpg --verify-options show-notations --verify Whonix-Workstation-*.ova.asc Whonix-Workstation-*.ova


5. Run VirtualBox 5.0 and import Whonix images

Open VirtualBox, click the “File” menu at the top, and click “Import Appliance.” Browse for the Whonix-Gateway file you just downloaded, and click “Continue.”

Now click “Import,” read the warnings, and click “Agree.” Your Whonix gateway VM will automatically get set up.*

* DO NOT CHANGE ANY OF THE DEFAULT IMAGE SETTINGS e.g. memory, display etc.

Repeat these same steps with the Whonix-Workstation. When you’re done, you’ll have two new VMs (powered down) in your list of available VirtualBox images.

6. Start Whonix-Gateway and Whonix-Workstation*

* The first load of each VM image will be lengthy

Highlight each VM and click 'Start' from the top menu.

7. Change passwords on Whonix-Gateway and Whonix-Workstation

The default passwords must be changed immediately - use diceware passphrases.*

* The default username is: user
The default password is: changeme

Open a terminal such as Konsole
 

Start menu | Applications | System | Terminal



Login as root:
 

sudo su



Change root and user password:
 

passwd

passwd user



and follow the instructions.

8. Update your package lists on both Whonix-Gateway and Whonix-Workstation and install all available updates*

* This will take some time as everything is downloaded via Tor. Never install packages that are unsigned (cannot be authenticated) or where there is a signature verification warning.

In Konsole (terminal):
 

sudo apt-get update

sudo apt-get dist-upgrade



9. Reboot both VMs

In Konsole:
 

sudo reboot



Both VMs will reboot at this time (may take a while).

10. Create multiple VM snapshots*

* Do not use the master VMs for browsing or to open any unauthenticated communication channel to the internet! Only a Tor-browser install or update should be considered on the master VM images.

The master VMs should remain 'clean' and 'updated' so they can always be used (snapshotted) for the creation of further (disposable) images you can discard after sessions of browsing and other activity.

Once your clean, upgrade images have completed rebooted, shutdown the virtual machines and create snapshots of their clean state BEFORE browsing or initiating any connections with the outside world.

To shutdown a virtual machine in VirtualBox, users can simply click the x in the top right corner of the running process or use the menu options. VirtualBox will provide you options to either: "Save the machine state", "Send the shutdown signal" or "Power off the machine".

Select "Send the shutdown signal" - this saves all the updates you have made and sends the equivalent of an ACPI shutdown signal.

DO NOT select "Power off the machine" by mistake - you will lose the state of changes to the VM images (all your hard work and updates!). This option is like pulling the plug out of the wall for a VM.

Once both VMs have shutdown, you should now:
 

- Select Machine | Clone

- Select Full Clone (all data, not just a symbolic link)
- Save the throw-away images as "Whonix-Gateway Clone" & "Whonix-Workstation Clone" or similar to distinguish them from the master copies


11. Restart your cloned VM images and enjoy Whonix!

Simply:

- Highlight both cloned Whonix images and press 'Start' from the menu
- Conduct all your work in Whonix-Workstation - DO NOT USE WHONIX GATEWAY FOR GENERAL ACTIVITIES other than configuration of Tor settings
- Select Tor Browser in Whonix-Workstation and immediately check for updates - including associated add-ons - before browsing
- Turn off Javascript globally and set privacy slider to the highest position
- Do not browse or conduct other activities until Timesync has completed and Tor connections have been confirmed (you will receive notifications to this effect)

Enjoy your new system that protects you even if your Tor Browser is hacked!


OPTIONAL: HARDEN VIRTUALBOX SETTINGS*

* Paranoid users should also carefully read the Security Guide and Advanced Security Guide for Whonix to consider whether they want to make any additional changes to their host or guest systems.

In VirtualBox, the less features, the smaller the attack surface. Here are some suggestions for features which you can remove and not impact core functionality:
 

Disable Audio
Do not enable Shared Folders
Do not enable video acceleration
Do not enable 3d acceleration
Do not enable Serial Port
Do not install VirtualBox Guest Additions (generally weaken security and provide access to host microphone)
Remove Floppy drive
Remove CD/DVD drive
Do not attach USB devices
Disable USB controller (enabled by default). Requires setting Pointing Device to "PS/2 Mouse" or changes will revert
Do not enable Remote Display server



For the best security, you can consider using multiple physical systems to provide greater isolation i.e. separate computers to run Whonix-Gateway and Whonix-Workstation. You can finally use that spare/old computer hardware you have lying around to improve your security!


CONCLUSION:

Running Whonix 11 in VirtualBox is a piece of cake for users that are capable of dual-booting their desktop system.

You will SIGNIFICANTLY improve security, privacy and anonymity when using suitably hardened virtual environments in combination with GNU/Linux, OpenVPN and the Tor network.

It is simply much more difficult (and expensive) for government or other attackers to take over your computer. If you can't beat them - bankrupt them!


FINAL COMMENT:

We may yet take another long journey to a dual-booted Debian/Qubes system in the near future if there is particular interest.  ​

 

Share this post


Link to post

ADDITIONAL STEP #31 DOWNLOADING SYSTEM UPDATES / UPGRADES / INSTALLS OVER TOR

REFERENCES

https://blog.torproject.org/comment/reply/1054/104358
https://github.com/diocles/apt-transport-tor
https://www.whonix.org/wiki/Advanced_Security_Guide#apt-transport-tor


WHY BOTHER?

https://blog.torproject.org/comment/reply/1054/104358
 

... Debian users have typically used a utility such as synaptic which runs the venerable apt package manager to contact Debian repositories to fetch upgraded packages including security patches. Unfortunately, packages are generally downloaded via cleartext http protocol.

Long ago Debian introduced automatic strong cryptographic package verification by apt, a very important mechanism for reducing the possibility of an attacker injecting malware into an http download of software, including security patches. (Such behavior has been spotted "in the wild", and the Snowden leaks confirm NSA has been one of the worst offenders.)

However, apt still "leaks" an enormous amount of information about what versions of what packages are installed on a given computer, and the Snowden leaks confirm the longstanding concern that the most dangerous state level attackers maintain huge databases of which software packages are installed on the computer at the other end of every IP address, including PCs used by ordinary citizens. This information can be exploited by attackers such as NSA/TAO, or murky and possibly state-sponsored groups apparently working in countries such as Russia, China, Iran, Syria, and even North Korea. Or by anyone who intrudes into *their* networks and copies *their* code. However, because of its extensive intrusion into virtually every backbone network on the planet, NSA appears to pose the greatest threat here.

 

Summary:

 

Just doing updates, new installs, editing your repositories list or adding PPAs on your freshly 'Minted' system can identify your ass, due to the "specific packages/protocols/OS" database maintained by the Feds.

This makes it easier to identify your from the crowd, especially since < 1-2% of desktop users have a Linux distro installed. In the end game, exploits can be run by badasses which have an increased likelihood of success on your host system. But I'm sure you are all running Whonix over the top now, right??*

*This reminds me - we still haven't considered the fingerprinting vectors that are inherent to OS vendor TCP/IP stack implementation.

DISGUISING YOUR SYSTEM UPDATES / INSTALLS / PARAMETERS WITH APT-TRANSPORT-TOR

This is a very simple process for Debian or LMDE users, who simply pull the package from their stable Debian repositories:*

* If you don't want to download over Tor, at least consider enforcing https connections to as many APT repositories as possible. Use apt-transport-https and manually set https debian (or other) compatible mirrors in your /etc/apt/sources.list This should also work find for Debian derivatives like Ubunutu, Mint etc.

In DEBIAN and LMDE:

https://github.com/diocles/apt-transport-tor
https://www.whonix.org/wiki/Advanced_Security_Guide#apt-transport-tor

 

apt-get install apt-transport-tor

 

and then edit the /etc/apt/sources.list to include only tor:// URLs for every entry:
 

sudo nano edit /etc/apt/sources.list

 

replace "http://" with "tor://" for every entry

exit and save

It is NOT necessary to adjust SOCKS settings, as the default setting for the proxy matches the default Tor SOCKS port:

 

socks5h://apt:apt@localhost:9050

 

If you want to use a different port, you can edit the Acquire::tor::proxy apt preference:
 

Acquire::tor::proxy "socks5h://apt:apt@localhost:9050";

 

Refresh update manager and check it loads through the tor network (shows "tor:// header for each repository entry as it downloads)*

* This will be slower than normal of course. On system reboot and in system logs you will notice a tor-daemon is now running.

IN LINUX MINT 17.2:

apt-transport-tor is not available in the 'Trusty/Tahr' (14.04) Ubuntu base that Mint depends on. I understand it is planned for 14.10 or later. But the following work-around works:*

*Vivid developer base. Therefore potentially 'buggy'...

Download the file from a suiable mirror:
 

 

check sha256 checksum with website:
 

sha256sum apt-transport-tor_0.2.1-1_i386.deb

 

Double click on the file and it should install correctly.

Now edit your /etc/apt/sources.list.d/official-package-repositories.list (and any others you have created here) as root and replace http:// with tor:// for every entry
 

sudo -i
sudo nano /etc/apt/sources.list.d/official-repositories.list

 

replace http:// with tor:// for every entry

save and exit

Run update manager or sudo apt-update && sudo apt-get upgrade at the terminal

You should now see tor being used for everything, which is a big improvement on standard http://

NOTES:

https://github.com/diocles/apt-transport-tor

 

apt-transport-tor does not protect you against:

a global passive adversary (who could potentially correlate the exit node's traffic with your local Tor traffic)
an attacker looking at the size of your downloads, and making an educated guess about the contents
an attacker who has broken into your machine

 

 

ADDITIONAL STEP #32 - SECURE DELETION OF FREE SPACE, SWAP, FILES / DIRECTORIES AND RAM FREE SPACE

Install secure-delete:
 

sudo apt-get install secure-delete

 

https://delightlylinux.wordpress.com/2012/06/14/secure-delete/

secure-delete programs:
 

srm      wipe existing files
sfill    wipe free space
sswap    wipe the swap space
sdmem    wipe the RAM

 

 

SRM

 

This deletes files like the rm command, but it does so by overwriting the file and its inode with random bytes.
 

srm file

 

Each overwrite is called a pass. By default, the Gutmann 35-pass method is used, but this might be overkill. In my experience, one pass of random data wipes files to the point where neither Recuva or Photorec can recover them. The larger the file, the longer it takes to wipe it.

One quick but useful operation is this:
 

srm -vrll directory

 

This deletes files and directories recursively with one random pass and displays progress in the terminal, something useful for large files to avoid wondering if the computer froze or not.
 

Wipe Free Space

 

No matter what file system is used, files remain on hard drives, USB devices, and flash media long after deletion. Deleting a file only marks its data blocks as free for use; it does not actually remove the file from the media. The file’s directory entry is gone, but its contents are still there.

Until the file’s data blocks are overwritten with new or random data, they exist for recovery.

This is where sfill enters the picture.
 

sfill .

 

(Include the dot ‘.‘ to indicate the current directory.)

sfill works by creating a very large file (named oooooooo.ooo) of random data that fills all available free space. Doing this overwrites everything in the free space but leaves existing files alone. Once all free space is exhausted, sfill deletes oooooooo.ooo and the free space is recovered.

You need to run this as root:
 

sudo sfill .

 

to gain access to all areas of the hard drive, but if not, at least you can delete the free space from the area your user account has access to.

sswap – Wipe the Swap Space

The swap area used for virtual memory is beyond the touch of users. Just like deleted files, data swapped into and out of the swap space persists in the swap area. To wipe the swap area, use sswap, but disable the swap area first.

 

1. Find the swap partition.
 

sudo fdisk -l

 

The swap partition will read Linux swap in the listing. Find which device contains the swap space. It will read something like /dev/sda5 or /dev/sdc2.

 

2. Disable the swap partition by its device
 

sudo swapoff /dev/sda5 (or whatever device was found in step 1)

 

3. Wipe the swap space by its device (one-pass random used for speed- change settings mannually for greater number of passes)
 

sudo sswap -vll /dev/sda5

 

4. When finished, enable the swap partition
 

sudo swapon /dev/sda5

 

Wiping the swap space is more involving than wiping a file, so use it if you think you need to be extra cautious. Like srm and sfill, man sswap provides a list of options.

To manually wipe free space in RAM (helping to prevent later cold boot attack), just before shutdown use:
 

sdmem -vll

 

This will produce a terminal filled with asterisks **** to show activity while the free space in RAM is being overwritten. The computer is still functional while the RAM wiping is occurring. Simple scripts can also be generated or found on-line to have this automatically occur on shutdown.

 

Note: More to come. This document in v2 will incorporate other Linux material from the AirVPN forums and be approriately credited by author. Consider it a AirVPN Linux wiki of sorts.

 

Due to high level of Linux expertise in forums, PM me if there any other mistakes (I've found a bunch already) and I will fix it up.

Share this post


Link to post

ADDITIONAL STEP #33: TORRIFY REMAINING HOST ACTIVITIES WITH TORSOCKS

In both Debian, Ubuntu and Mint torsocks is available via the Synaptic Package Manager:
 

Menu | Administration | Synaptic Package Manager


If you want to use the terminal instead, issue this command:*
 

sudo apt-get install torsocks


*We don't need to install the Tor TCP overlay, as this was done in earlier steps.

Fetch Webpages or Files

Lets run a torrified and normal test webpage download with torproject.org to confirm that torsocks is actually working properly:
 


This will save two html files in your home directory.

Open them with a text editor the first shows your normal (AirVPN) server address. It will look something like:
 

Sorry. You are not using Tor.

Your IP address appears to be: XXX.XXX.XXX.XX (resolving to AirVPN server)

Your second htmil file should say:
 

Congratulations. This browser is configured to use Tor.

Your IP address appears to be: XX.XX.XXX.X (a Tor node)


You can also check by using another socks5 compatible application - Firefox. At the terminal, run:
 

torsocks firefox


Check your IP at airvpn.org or one of the sites like "whatismyip.com"

airvpn.org should state that you are not currently connected to their servers - because you are running via a Tor node. whatismyip.com should say that you are connected to a Tor node.*

*Don't run FF in this mode normally. It will hurt your anonymity. Use Tor instead.

Retrieve music or videos from youtube / internet with torsocks and youtube-dl

If you are running Debian or LMDE/2:

 

sudo apt-get install youtube-dl


Then point torsocks and youtube-dl at the music / video file link from youtube (or elsewhere). Just use the link from a search engine so you don't have to visit their spyware sites directly.

In this instance, we will celebrate first with a wicked cover of Another Brick in the (Surveillance) Wall (I've broken the url link to prevent embed):

 

torsocks youtube-dl https://www.youtube.co m/watch?v=XyEsSVXbPc8

You will see something like:

Setting language
XyEsSVXbPc8: Downloading webpage
XyEsSVXbPc8: Downloading video info webpage
XyEsSVXbPc8: Extracting video information
[download] Destination: Gavino Loche - Another Brick in the Wall-XyEsSVXbPc8.mp4
[download] 100% of 67.00MiB in 0X:XX (min:sec)

 

A quality mp4 will now be sitting in your home folder that you can safely watch with vlc or your native GNU/Linux player.

Best of all, you hid your download from the electronic stalkers!

Lets now try a video they definitely would be watching on youtube (100% guaranteed) and tracking IP addresses against it - Citizen Four Q&A*

* In fact, HTML5 readout was faked three times even before playing it, FF apparmor had a fit and the clear click jacking warning came on via No Script. Coincidence?   I've broken the url link to prevent imbed...

 

torsocks youtube-dl https://www.youtube.co m/watch?v=Op9CRU05llo

 

You should now see something like this:

Op9CRU05llo: Downloading webpage
Op9CRU05llo: Downloading video info webpage
Op9CRU05llo: Extracting video information
Op9CRU05llo: Downloading DASH manifest
Op9CRU05llo: Downloading DASH manifest
[download] Destination: NYFF52 - 'CITIZENFOUR' Q&A _ Laura Poitras (Full)-Op9CRU05llo.mp4
[download]  80.7% of 295.02MiB at XXX.XXKiB/s ETA XX:XX (min:sec)

 

When it finishes, enjoying playing it safely with your native Linux video player in full screen!


LINUX MINT 17.2

We need to download youtube-dl from github (anonymously wth torsocks), change user permissions, verify the download against the available PGP cryptographic signature and then install:

Download (anonymously):
 

sudo torsocks wget https://yt-dl.org/downloads/2015.11.01/youtube-dl -O /usr/local/bin/youtube-dl


Change permissions:
 

sudo chmod a+rx /usr/local/bin/youtube-dl


Get signature anonymously and GPG keys used to sign youtube-dl from the keyserver:
 

sudo torsocks wget https://yt-dl.org/downloads/2015.11.01/youtube-dl.sig -O youtube-dl.sig


Retrieve the public key from the keyserver:

We search for and receive the following GPG keys which are used to sign binaries (using last 16 digits as the fingerprint identifier):

4096R/A4826A18 Philipp Hagemeister Key fingerprint = 7D33 D762 FD6C 3513 0481 347F DB4B 54CB A482 6A18

4096R/BCF05F6B Filippo Valsorda Key fingerprint = 428D F5D6 3EF0 7494 BB45 5AC0 EBF0 1804 BCF0 5F6B
 

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0xDB4B54CBA4826A18


If it all goes well, you should see Philipp Hagemeister's key and the following output:

gpg: requesting key A4826A18 from hkp server pool.sks-keyservers.net
gpg: key A4826A18: public key "Philipp Hagemeister <phihag@phihag.de>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

 

Let's doublecheck the public ID fingerprint to be sure:
 

gpg --fingerprint 0xDB4B54CBA4826A18


It should say:

pub   4096R/A4826A18 2013-01-11 [expires: 2033-01-06]
      Key fingerprint = 7D33 D762 FD6C 3513 0481  347F DB4B 54CB A482 6A18
uid                  Philipp Hagemeister <phihag@phihag.de>
uid                  Philipp Hagemeister <hagemeister@cs.uni-duesseldorf.de>
uid                  Philipp Hagemeister <philipp.hagemeister@uni-duesseldorf.de>
sub   4096R/825E38B8 2013-01-11 [expires: 2033-01-06]


Verify the file with gpg:
 

gpg --verify youtube-dl.sig /usr/local/bin/youtube-dl


It should say:

gpg: Signature made Sun 01 Nov 2015 08:21:26 AM EST using RSA key ID A4826A18
gpg: Good signature from "Philipp Hagemeister <phihag@phihag.de>"
gpg:                 aka "Philipp Hagemeister <hagemeister@cs.uni-duesseldorf.de>"
gpg:                 aka "Philipp Hagemeister <philipp.hagemeister@uni-duesseldorf.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7D33 D762 FD6C 3513 0481  347F DB4B 54CB A482 6A18


Dispose of the extraneous .sig file:
 

rm youtube-dl.sig



Test download (anonymously) a couple of files from youtube to see that it works!*

 

* I've broken the link to prevent embed.
 

torsocks youtube-dl https://www.youtube.co m/watch?v=XyEsSVXbPc8


And
 

torsocks youtube-dl https://www.youtube.co m/watch?v=Op9CRU05llo


You should see something like this for each file:
 

youtube] XyEsSVXbPc8: Downloading webpage
XyEsSVXbPc8: Downloading video info webpage
XyEsSVXbPc8: Extracting video information
XyEsSVXbPc8: Downloading DASH manifest
[download] Destination: Gavino Loche - Another Brick in the Wall-XyEsSVXbPc8.mp4
[download] 100% of 67.00MiB in 0X:XX (min:sec)

If it all works, then well done, you have torrified most of the common remaining activities on your host O/S.


OTHER YOUTUBE-DL CONFIGURATIONS

https://github.com/rg3/youtube-dl/blob/master/README.md#readme

There are a significant number of download, video selection, network and general options. Explore this powerful tool!


OTHER COMMON TORSOCKS USAGE

https://trac.torproject.org/projects/tor/wiki/doc/torsocks
 

Usage

Once you have installed torsocks, just launch it like so:

  usewithtor [application]

So, for example you can use ssh to a some.ssh.com by doing:

  usewithtor ssh username @ some.ssh.com

or launch pidgin by doing:

  usewithtor pidgin

An alternative to usewithtor is torsocks:

  torsocks pidgin

Security

The tables below list applications that usewithtor/torsocks will send through Tor. At the moment a 100% guarantee of safe interoperability with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit has not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.

The following administrative applications are known to be compatible with usewithtor:
Application     100% Safe    DNS    Comments
ssh     M     Y     Potential for identity leaks through login.
telnet     M     Y     Potential for identity leaks through login and password.
svn     M     Y     
gpg     M     Y     gpg --refresh-keys works well enough.

The following messaging applications are known to be compatible with usewithtor:
Application     100% Safe    DNS     Comments
pidgin     M     Y     Potential for identity leaks through login and password.
kopete     M     Y     Potential for identity leaks through login and password.
konversation     M     Y     Potential for identity leaks through login and password.
irssi     M     Y     Potential for identity leaks through login and password.
silc     M     Y     Potential for identity leaks through login and password.

The following email applications are known to be compatible with usewithtor:
Application     100% Safe    DNS     Comments
claws-mail     *     *     Use TorBirdy (Tor Button for Thunderbird) instead!
thunderbird     *     *     Use TorBirdy (Tor Button for Thunderbird) instead!

The following file transfer applications are known to be compatible with usewithtor:
Application     100% Safe     DNS     Comments
wget     N     N     Probable identity leaks through http headers. Leaks DNS and connects directly in certain cases when used with polipo and torsocks. ​http://pastebin.com/iTHbjfqMhttp://pastebin.com/akbRifQX
ftp     M     Y     Passive mode works well generally.

Table legend:

DNS: DNS requests safe for Tor?
           N - The application is known to leak DNS requests when used with torsocks.
           Y - Testing has shown that application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
           N - Anonymity issues suspected, see comments column.
           M - Safe enough in theory, but either not fully researched or anonymity can be compromised
               through indiscreet use (e.g. email address, login, passwords).
           Y - Application has been researched and documented to be safe with Tor.

 

 

Enjoy!

Share this post


Link to post

ADDITIONAL STEP #34: ENFORCE WHONIX APPARMOR PROFILES ON GATEWAY AND WORKSTATION

https://www.whonix.org/wiki/AppArmor

The most recent apparmor profiles are actually in the testers Whonix repository. To install them safely without updating all other software, we temporarily set the testors repository:
 

sudo whonix_repository


In terminal (Konsole) on both the Gateway and Workstation.

Next, update both Gateway / Workstation package lists (so we can see the more recent apparmor profiles):
 

sudo apt-get update


I recommend you install all the apparmor profiles, and then just remove them manually if / when they work. Install them all via the following command:
 

sudo apt-get install apparmor-profiles-whonix


If you want to install them manually one by one, examine the contents of your /etc/apparmor.d/ folder. Then you can simply substitute the relevant apparmor profile into apt-get to get the latest edition.

For example:
 

sudo apt-get install apparmor-profile-NAME_OF_APPLICATION


Where "NAME_OF_APPLICATION" is either torbrowser, pidgin, sdwdate, timesync, xchat, icedove, whonixcheck or virtualbox.

You will usually find they all work except for Tor browser and / or whonixcheck.

In that instance, come prepared to set them to complain or disable so you can actually run Tor browser and check the running status of both the gateway and workstation.

Disabling requires a reboot to remove it from the kernel, while setting to complain will allow you to keepworking immediately.

For example:
 

sudo aa-complain /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
sudo aa-complain /etc/apparmor.d/home.*.tor-browser_*.Browser.start-tor-browser

 

 

or
 

sudo aa-disable /etc/apparmor.d/usr.bin.whonixcheck


Once you have the updated apparmor profiles for both the Gateway and Workstation you should set your repositories back to the stable version:
 

sudo whonix_repository


ADDITIONAL STEP #35: Prevent Network Time Protocol (NTP) Attacks*

*We already disabled TCP timestamps on the host at an earlier step.

Did you know there are multiple clock leak vectors associated with insecure time synchronization clients - opening you up to multiple attacks?

Whonix instructs us yet again (we love you guys!):

https://www.whonix.org/wiki/Time_Attacks
 

Replay Attacks

Replaying older time allows:

    Feeding old Tor consensus.
    Feeding old/outdated/known vulnerable updates and (https) certificates. Cryptographic verification depends on system clock, i.e. a clock two years in past will accept certificates/updates, which have been expired/revoked for two years.

Remote Device Fingerprinting

Clock leaks from software on the host and clock leaks from application-level protocols on Whonix-Workstation allow a passive adversary to easily link the anonymous and non-anonymous traffic to the same machine. Active clock skew attacks can trivially be mounted to deanonymize users.

Denial of Service

The UDP based NTP protocol can be abused to send much larger replies that can overwhelm a system. These are known as amplification attacks.

Locating Onion Services

Timers can leak data about CPU. related activity data that can allow deanonymization of an Onion Service under some circumstances.

Remote Code Execution

NTP is a buggy and ancient protocol. Flaws in NTP clients can be remotely exploited to give an attacker control over the system. The unencrypted and unauthenticated nature of NTP makes this trivial for network adversaries of any size.


To solve this problem on your GNU/Linux HOST (Linux Mint 17.2; not the VMs), simply remove NTP clients and disable systemd's timdatectl NTP synchronization feature:
 

sudo timedatectl set-ntp 0

 

 

or
 

sudo systemctl disable systemd-timesyncd.service


ADDITIONAL STEP #36: DISGUISE MUSIC / VIDEO / OTHER STREAMING WITH VLC & WHONIX

Why bother to do this?

GCHQ has been tracking the internet radio tastes of 100s of thousands of people under project KARMA POLICE and BLAZING SADDLES since 2009.*

 

* Does the karma refer to everybody now hiding their pirated music tastes from the police? Like in ecryptfs folders?

Since you should have now torrified almost all your activities on your host and guest (Whonix by default), then it makes sense to hide your music / video / other media tastes from the paranoic data hoarders:

1. In Whonix Workstation, run VLC from the multimedia applications menu
 

Menu | Applications | Multimedia | VLC

 

2. In VLC, select from the menu:
 

Media | Open Network Stream


3. Enter the URL pointing to a compatible live music / internet radio / other streaming site e.g. .asx .avi

For example:

BBC 1:

http://bbcmedia.ic.llnwd.net/stream/bbcmedia_radio1_mf_p

BBC World Service

http://www.bbc.co.uk/worldservice/meta/live/mp3/eneuk.pls

Etc.

Have fun enjoying your stream being pushed over the tor network!
 

Share this post


Link to post

ADDITIONAL STEP #37: TORRIFY YOUR EMAILS WITH TORBRIDY

For completeness, we should torify your emails on the host Linux Mint 17.2 system and install Icedove / Enigmail / Torbirdy in Whonix Workstation.

WHAT IS TORBIRDY?

https://thetinhat.com/tutorials/messaging/torbirdy.html
https://trac.torproject.org/projects/tor/wiki/torbirdy

 

TorBirdy is an extension for ​Mozilla Thunderbird (Icedove) that configures it to make connections over the Tor network. TorBirdy automatically enhances the privacy settings of Thunderbird and configures it for use over Tor; think of it as ​Torbutton for Thunderbird.

Routing your mail through Tor means that your emails will be bounced around three different computers across the globe before finally being sent to your email service. What this accomplishes is anonymity, meaning that your email provider, and the recipient of the email, will see your IP address as being from a random location on some part of the Earth instead of coming from your actual location. The obvious use of this is that if you set up an email account over Tor, and check it using TorBirdy, then there is no way to relate it back to you other than by reading the contents of the emails themselves (so obviously don't send emails to, or receive emails from, anyone that correlates the hidden Tor identity to your real one).

 

This means someone looking at your email would lose meta-data related to location, thus making it more difficult for corporates and governments to complete a profile of our lives.

HTML will be disabled, your email times will be set to UTC instead of your local time zone and emails are prevented from being automatically retrieved (you must click "Get Mail").

CAUTIONARY NOTE

If you have used email accounts (even pseudo-anonymous ones) without Tor in the past then they offer LESS privacy / anoymity / weaker pseudonyms than accounts always used with Tor!

 

Thus, for best security, create a new pseudo-anonymous account with Tor Browser, install this plug-in, and then consistently use it.*

* Do not use this plug-in for 'normal' personal email you know the Stasi are reading e.g. standard SSL encrypted emails, gmail, yahoo mail, AOL mail etc as throwing it over the Tor network will put you on a 'special list' as far as indicators go. Ditto PGP encryption.

 

The goal of TorBirdy is to help disguise your location, not signal you as a person of interest forevermore to the spooks (they don't discriminate and are equally suspicious of everybody who doesn't 'conform').

INSTALL TORBIRDY ON THE HOST SYSTEM (MINT)

Debian / LMDE/2*

 

* Notice how easy everything is in big daddy distro Debian? Intermediate - advanced users should be using LMDE2 or straight Debian for greater performance, but increased complexity (at times).
 

apt-get install xul-ext-torbirdy

 

Linux Mint 17.2

The easy (less secure) way:

1. Open Thunderbird

2. Use the hamburger (three horizontal stripes) button and select:

 

Tools | Add-ons

 

3. Search for TorBirdy and install

See also: https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/
 

The harder (more secure) way:*

* It is possible to specify a file for multiple wget url requests at the same time. We can cover this off in v2 of this document.

1. Download the latest torbirdy.xpi and GPG signatures from https://dist.torproject.org/torbirdy/
 

 

2. Confirm the signature matches Jacob Appelbaum's PGP Key - 0x744301A2, long key ID: 0xD255D3F5C868227F. Download Jacob's key:
 

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0xD255D3F5C868227F

 

3. Fingerprint the key:
 

gpg --fingerprint 0xD255D3F5C868227F

 

4. Confirm the stable TorBirdy software matches Jacob's PGP key:
 

gpg --verify torbirdy-current.xpi.asc torbirdy-current.xpi

Your output should give you a good signature by Jacob for 12th March 2015 for the latest release. It has already been noted with Tor bug tracker that this version is signed with an expired key. So, you will see something like "This key has expired!" - don't freak out, but good that you noticed...

5. To install the .xpi:

Run Thunderbird

Install the add-on as local .xml file:

 

Install Add-on from File

 

INSTALL ICEDOVE / ENIGMAIL (PGP) / TORBIRDY ON YOUR WHONIX WORKSTATION*

*This is far safer than running Thunderbird / Enigmail / Torbirdy straight off your host (Mint) system.

 

Also, Whonix's time-syncing will disguise the exact time that an email was sent from your pseudo-anonymous account.

This is very simple to set up. On your master copy, run in terminal:
 

sudo apt-get install icedove enigmail xul-ext-torbirdy

 

Shut down the master, and clone for later email activities - with these clones being destroyed after critical communication.

Make sure you have also enforced the Icedove apparmor profile in Whonix Gateway and Workstation as outlined at an earlier step.

TROUBLE-SHOOTING

Tor must be running for TorBirdy to work! That is, Tor must be installed on your system via the Tor Browser bundle or as per Tor daemons installed at earlier steps for apt-get purposes. If they are not running (e.g. daemon or Tor Browser), then Torbirdy will not work.

OTHER KNOWN ISSUES

https://trac.torproject.org/projects/tor/wiki/torbirdy#KnownTorBirdyIssues

 

Info Leaks

#6314 leak via Date header field (local timestamp disclosure)
#6315 leak via Message-ID header field (local timestamp disclosure)

Usenet

This section is only relevant for Usenet / NNTP users.

For NNTP accounts that were created before TorBirdy was installed, NNTPS is enabled, but if you create a NNTP account after installing TorBirdy, please enable SSL manually.
(See #8069) Connections over SSL to NNTP servers are failing (with or without TorBirdy installed). We are not sure why this is happening. Try it and tell us if it works for you.

Proxy Obedience

Except GnuPG which requires a HTTP proxy (fail-closed), all other content in Thunderbird obeys the SOCKS proxy.

Disk Avoidance

TorBirdy does not leave any trace of its installation. Caching is also disabled.

 

Location Neutrality

The time zone is set to UTC.

Anonymity Set Preservation

No information about the user-agent or locale is leaked.

NOTE: It may however be possible to find out that Thunderbird is being used by looking at the format of the message-ID header in the outgoing messages.

 

More to come. Decent security / privacy / anonymity is a journey of a million steps grasshopper, not a destination...

Share this post


Link to post

ADDITIONAL STEP #38 - ENCRYPT EXTERNAL DEVICES / REMOVABLE STORAGE WITH LUKS

RESOURCES

https://askubuntu.com/questions/500981/how-to-encrypt-external-devices
https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption
https://www.loganmarchione.com/2015/05/encrypted-external-drive-with-luks/
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery
https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage
https://wiki.archlinux.org/index.php/Disk_encryption


RATIONALE

Valuable personal and financial data, photos, sensitive commercial / business documents and anything else precious to you (e.g. Game of Thrones Seasons 1-5) should be securely stored OFF-LINE (air-gapped and encrypted) to prevent any remote hacker (government, private sector or otherwise) exfiltrating, corrupting, deleting or snooping on your data.

In the current hacker-fest climate where every week sees another Big Brother bill pass, it is advisable to use encrypted LUKS drives / partitions / containers to store sensitive information that you'd prefer not to share with the world.

 

Your security is greatly improved by using block level encryption in combination with a strong passphrase (diceware). Further, you should only open LUKS containers / volumes when not connected to the internet (minimum) or preferably with a computer reserved only for off-line use.*

* Those in hostile countries should also consider a shielded, air-gapped computer if they are a legitimate target e.g. journalist in the Middle East.

On the current trajectory, if you leave important information in your home drive, sooner or later somebody with superior skills or tools is likely to penetrate your defences and potentially use this data to for blackmail, stealing your personal identity, theft of money / assets, embarassment (think porn, cheating and more), harassment, impersonation of you in real life / on-line, and other possibilities.

So, in addition to having an EMPTY HOME DRIVE on anything attached to the military-net (zero items in each home folder is ideal), LUKS will give a solid additional layer of protection for theft of external media that is probably sitting there on your computer desk, without any safeguards at all.

 

Tell me I'm wrong.

 

Reminder: never forget that a mounted (open) LUKS container / volume / drive is potentially open to viewing by adversaries. Until it is unmounted, your session key purged from ram (probably after a cold boot), then I wouldn't consider the drive secure. There are other risks, see further below.

WARNING

Following these instructions will DESTROY any data on the devices where we create an encrypted partition. You must BACK IT UP FIRST before doing anything potentially stupid.

 

LUKS CAN NOT take existing data and created an encrypted block partition in the same position and maintain the integrity of the data.

Fail to heed this advice at your own risk.

WHAT IS LUKS?
 

LUKS is a block device encryption method that operates below the file system layer. Consequently, a whole disk / partition / volume looks like a huge blob of random data and it is not possible to determine what kind of file system, type of data (or how much) is contained within.


This is more secure than stacked file system encryption e.g. eCryptfs and EncFS (Cryptkeeper is one example), because all files written to an encryption-enabled folder leak a host of file meta-data. Further, eCryptfs and EncFS cannot create encrypted disks or partitions - only directories.

 

LUKS main downside is that it cannot be used without pre-allocating a fixed amount of space for the encrypted data container, nor with existing file systems. Neither is a decent GUI provided.

 

LUKS has many other key benefits that outweigh these disadvantages:
 

- File metadata (number of files, dir structure, file sizes, permissions, mtimes, etc.) is encrypted in LUKS. Only file and directory names can be encrypted in EncFS and eCryptfs.
- LUKS can be used to encrypt swap space*
- LUKS can be used with either a keyfile and/or passphrase. The former provides the ability to provide two-factor authentification for
opening a LUKS volume i.e. the keyfile can be kept separately from the encrypted device.
- Non-root users cannot create/destroy LUKS containers for encrypted data.
- Every modern cipher is supported, and support for salting is provided.
- Key slot diffusion is possible.
- Protection against key scrubbing.
- Support for multiple (independently revokable) keys for the same encrypted data.
- Multi-threading support.
- Encrypted data can also be accessed from Windoze.

 

* Many background processes may cache/store information about user data or parts of the data itself in non-encrypted areas of the hard drive, like:
     

swap partitions
            (potential remedies: disable swapping, or use encrypted swap as well)
        /tmp (temporary files created by user applications)
            (potential remedies: avoid such applications; mount /tmp inside a ramdisk)
        /var (log files and databases and such; for example, mlocate stores an index of all file names in /var/lib/mlocate/mlocate.db)


This is why encrypting your swap space is also a good idea or considering full disk encryption.

PREPARING AND ENCRYPTING AN EXTERNAL DRIVE WITH LUKS

In this example, we are going to consider encrypting an entire data drive with LUKS, backing up the LUKS header if the original is damaged, and securely preparing the disk beforehand.

1. Correctly identify the disk for secure wiping

 

In terminal:
 

sudo lsblk


You will see something like:

NAME                      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                         8:0    0 298.1G  0 disk  
├─sda1                      8:1    0  1007K  0 part  
├─sda2                      8:2    0   128M  0 part  /boot
└─sda3                      8:3    0   298G  0 part  
  └─VolGroup00            254:0    0   298G  0 crypt
    ├─VolGroup00-lvolswap 254:1    0     8G  0 lvm   [sWAP]
    ├─VolGroup00-lvolroot 254:2    0    25G  0 lvm   /
    └─VolGroup00-lvolhome 254:3    0   265G  0 lvm   /home
sdb                         8:16   0 931.5G  0 disk

In this instance, sdb is the physical external drive (1 TB in size). You must correctly identify your own, or you can wipe out your operating system in two seconds flat.

2. Securely wipe the disk

This can take a very long time, depending on your method and the size of your drive. Tough luck - proper security takes sweat.

 

Note: you can just wipe the header off an already encrypted drive, or use dd to destroy the drive by zeroing it out. For example, this command will nuke the 1 TB drive identified at step 1:
 

sudo dd if=/dev/zero of=/dev/sdb iflag=nocache oflag=direct bs=4096


Be sure to point to the correct partition!

3. Create a primary Linux partition on your external drive

Use fdisk as follows:
 

sudo fdisk /dev/sdb


At the command line, create a new (n) primary (p) partition taking up entire space (1), and write (w) the changes:
 

n


then
 

p


then
 

w


Run sudo lsblk again, you should now see a new volume 'sdb1' (yours may be different).

4. Encrypt the partition

The following command will give you:

- verbose output
- ask you to verify a passphrase twice
- specify aes as the cipher
- specify a 512 key size*
- use sha512 for hashing
- use 5000 milliseconds for passphrase processing
- uses /dev/random for the source of randomness**
- specify the random number generator
- this encryption effort is pointed towards partition sdb1

* Due to splitting of the key in half by XTS, you actually end up with AES-256 bit key strength, which is used by the NSA for Top Security documents.

** It is understood that a master key should not be generated if your system is low on entropy. You can manually check with:
# cat /proc/sys/kernel/random/entropy_avail A figure of less than 200 is a concern.
 

sudo cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /dev/sdb1


Make sure you point to the correct partition on your system!

You can see the configuration of the header with the following command:
 

sudo cryptsetup luksDump /dev/sdb1


5. Back up the LUKS header

The LUKS partition header contains all the essential information related to the used cipher, cipher mode, key length, a UUID, a master key checksum, and available key slots. Key slots are critical in storing an encrypted copy of the master key, which are essential for the decryption of the key material (all your data).

In short, if this is damaged, you will be screwed. Big time. You could probably send it off to Fort Meade, and they wouldn't be able to open it.

Run in terminal (point to a destination area that is NOT on the same drive that is encrypted):
 

sudo cryptsetup luksHeaderBackup --header-backup-file /path/to/file.img /dev/sdb1


This header file will be several Mb in size and SHOULD BE STORED ENCRYPTED AND IN A SAFE PLACE. You could use Cryptkeeper with a USB directory for instance.

6. Unlock the LUKS device

This example will open the LUKS volume and ask for the passphrase you just set. It will be mounted at "volume 01" - change this label to suit your needs:
 

sudo cryptsetup luksOpen /dev/sdb1 volume01


7. Create an ext4 filesystem on the LUKS device

Change the volume name as appropriate:
 

sudo mkfs.ext4 /dev/mapper/volume01


8. Create a mount point and mount the device

Change the mount point directory and volume label as appropriate to your circumstances:
 

sudo mkdir -p /mnt/drive01
sudo mount /dev/mapper/volume01 /mnt/drive01


9. Unmount and close the LUKS device
 

sudo umount /mnt/drive01
sudo cryptsetup luksClose /dev/mapper/volume01

 

Well done! You have created a solid encrypted drive that you can now put your precious data inside of.

USING THE LUKS DRIVE / CONTAINER / DEVICE

If you want to impress your friends at the terminal, you simply open the LUKS volume, mount it, do your work of copying stuff inside, unmount and close:
 

sudo cryptsetup luksOpen /dev/sdb1 volume01
sudo mount /dev/mapper/volume01 /mnt/drive01
##DO YOUR WORK HERE##
sudo umount /mnt/drive01
sudo cryptsetup luksClose /dev/mapper/volume01


If you want to be efficient instead:*

* In some distros, enabling volume management and or auto-mount removable drive options must be selected in the file manager options first.

1. Use your graphical file manager and point to "Computer".

2. You will now see a padlock on the LUKS encrypted device. Click on it.

3. Enter your ridiculously long diceware passphrase. Don't remember the passphrase for the session. Don't open the device while connected to the military-net.

4. Voila - your drive is open! Use root permissions to shift files around and other activities (right click and open drive with administrator priveleges).

5. When you are finished, right click on the drive and select 'unmount'.

6. If it is an external drive in a dock, make sure to also select 'safely remove drive'.

7. Your LUKS device is again safely locked down. You can check by double clicking on the LUKS device - it should ask you for a passphrase.

PREPARING FOR QUICK DESTRUCTION OF LUKS DEVICES

If you are worried about somebody accessing your data on a LUKS device, then the easiest and quickest way to kill the drive so it can't be opened, is to nuke the LUKS header and key slot area.

A suitable overwrite of the first few Mb will be very fast and effective, and this command can be set as an emergency script. For example, this command would overwrite with a single runs of zeros on sdb1 for several Mb, guaranteeing that an attacker will never get access:
 

head -c 1052672 /dev/zero > /dev/sdb1; sync


If you have time to nuke the entire drive, then this will work:*
 

dd_rescue -w /dev/zero /dev/sdb1


*SSDs require multiple over-writes due to wear leveling and insecure defect management.

BEFORE USING LUKS ENCRYPTION

Understand:

 

BACK UP AND DATA RECOVERY: Many people manage to damage the start of their LUKS partitions, i.e. the LUKS header. In most cases, there is nothing that can be done to help these poor souls recover their data. Make sure you understand the problem and limitations imposed by the LUKS security model BEFORE you face such a disaster! In particular, make sure you have a current header backup before doing any potentially dangerous operations.

SSDs/FLASH DRIVES: SSDs and Flash are different. Currently it is unclear how to get LUKS or plain dm-crypt to run on them with the full set of security features intact. This may or may not be a problem, depending on the attacker model.

BACKUP: Yes, encrypted disks die, just as normal ones do. A full backup is mandatory.

CLONING/IMAGING: If you clone or image a LUKS container, you make a copy of the LUKS header and the master key will stay the same! That means that if you distribute an image to several machines, the same master key will be used on all of them, regardless of whether you change the passphrases. Do NOT do this! If you do, a root-user on any of the machines with a mapped (decrypted) container or a passphrase on that machine can decrypt all other copies, breaking security.

DISTRIBUTION INSTALLERS: Some distribution installers offer to create LUKS containers in a way that can be mistaken as activation of an existing container. Creating a new LUKS container on top of an existing one leads to permanent, complete and irreversible data loss. It is strongly recommended to only use distribution installers after a complete backup of all LUKS containers has been made.

UBUNTU INSTALLER: In particular the Ubuntu installer seems to be quite willing to kill LUKS containers in several different ways. Those responsible at Ubuntu seem not to care very much (it is very easy to recognize a LUKS container), so treat the process of installing Ubuntu as a severe hazard to any LUKS container you may have.

NO WARNING ON NON-INTERACTIVE FORMAT: If you feed cryptsetup from STDIN (e.g. via GnuPG) on LUKS format, it does not give you the warning that you are about to format (and e.g. will lose any pre-existing LUKS container on the target), as it assumes it is used from a script. In this scenario, the responsibility for warning the user and possibly checking for an existing LUKS header is shifted to the script. This is a more general form of the previous item.

LUKS PASSPHRASE IS NOT THE MASTER KEY: The LUKS passphrase is not used in deriving the master key. It is used in decrypting a master key that is randomly selected on header creation. This means that if you create a new LUKS header on top of an old one with exactly the same parameters and exactly the same passphrase as the old one, it will still have a different master key and your data will be permanently lost.

PASSPHRASE CHARACTER SET: Some people have had difficulties with this when upgrading distributions. It is highly advisable to only use the 95 printable characters from the first 128 characters of the ASCII table, as they will always have the same binary representation. Other characters may have different encoding depending on system configuration and your passphrase will not work with a different encoding. A table of the standardized first 128 ASCII characters can, e.g. be found on http://en.wikipedia.org/wiki/ASCII

KEYBOARD NUM-PAD: Apparently some pre-boot authentication environments (these are done by the distro, not by cryptsetup, so complain there) treat digits entered on the num-pad and ones entered regularly different. This may be because the BIOS USB keyboard driver is used and that one may have bugs on some computers. If you cannot open your device in pre-boot, try entering the digits over the regular digit keys.


WHAT LUKS DOES NOT PROTECT YOU AGAINST

LUKS and other forms of encryption will not protect you against these vulnerabilities:
 

Attackers who can break into your system (e.g. over the Internet) while it is running and after you have already unlocked and mounted the encrypted parts of the disk.

Attackers who are able to gain physical access to the computer while it is running (even if you use a screenlocker), or very shortly after it was running, if they have the resources to perform a cold boot attack.

A government entity, which not only has the resources to easily pull off the above attacks, but also may simply force you to give up your keys/passphrases using various techniques of coercion. In most non-democratic countries around the world, as well as in the USA and UK, it may be legal for law enforcement agencies to do so if they have suspicions that you might be hiding something of interest.


A very strong disk encryption setup (e.g. full system encryption with authenticity checking and no plaintext boot partition) is required to stand a chance against professional attackers who are able to tamper with your system before you use it. And even then it is doubtful whether it can really prevent all types of tampering (e.g. hardware keyloggers). The best remedy might be hardware-based full disk encryption and Trusted Computing.

RECOVERING A BROKEN LUKS DEVICE
 

 In many cases the data is still recoverable. Do not do anything hasty! Steps:

Take some deep breaths. Maybe add some relaxing music. This may sound funny, but I am completely serious. Often, critical damage is done only after the initial problem.

Do not reboot. The keys may still be in the kernel if the device is mapped.

Make sure others do not reboot the system.

Do not write to your disk without a clear understanding why this will not make matters worse. Do a sector-level backup before any writes. Often you do not need to write at all to get enough access to make a backup of the data.


OTHER POSSIBLE LUKS & ENCFS / ECRYPTFS COMBINATIONS
 

Example 1
    Simple data encryption (internal hard drive) using a virtual folder called ~/Private in the user's home directory encrypted with EncFS
    └──> encrypted versions of the files stored on-disk in ~/.Private
    └──> unlocked on demand with dedicated passphrase

Example 2
    Simple data encryption (removable media), an USB drive encrypted with TrueCrypt
    └──> unlocked when attached to the computer (using dedicated passphrase plus using a covert keyfile such as ~/photos/2006-09-04a.jpg)

Example 3
    Partial system encryption with each user's home directory encrypted with ECryptfs
    └──> unlocked on respective user login, using login passphrase
    └──> swap and /tmp partitions encrypted with Dm-crypt with LUKS, using an automatically generated per-session throwaway key
    └──> indexing/caching of contents of /home by slocate (and similar apps) disabled.

Example 4
    System encryption - whole hard drive except /boot partition (however, /boot can be encrypted with GRUB) encrypted with Dm-crypt with LUKS
    └──> unlocked during boot, using passphrases or USB stick with keyfiles
    └──> Maybe different passphrases/keys per user - independently revocable
    └──> Maybe encryption spanning multiple drives or partition layout flexibility with LUKS on LVM

Example 5
    Hidden/plain system encryption - whole hard drive encrypted with plain dm-crypt
    └──> USB-boot, using dedicated passphrase plus USB stick with keyfile
    └──> data integrity checked before mounting
    └──> /boot partition located on aforementioned USB stick

 

Many other combinations are of course possible.

CONCLUSION

LUKS block level encryption is one of the most powerful tools available to every Linux distro. We have barely touched on its capabilities.

 

It is a waste not to use it to protect your most valuable data like you really mean it.

Give your attackers nothing to chew on (like encrypted file meta-data) if they break in to your network or access your encrypted drives physically. They can enjoy theoretical cryptographic problems instead!
 

Share this post


Link to post

ADDITIONAL STEP #39: SET A WORKING TOR BROWSER APPARMOR PROFILE & INSTALL 'HARDENED' TOR-BROWSER*

* Unfortunately the recently released, hardened Tor Browser is only availble for Linux 64-bit architecture. Future releases will include 64-bit Windoze and Mac versions.

RESOURCES

https://torproject.org
https://github.com/micahflee/torbrowser-launcher/blob/master/apparmor/torbrowser.Browser.firefox
https://github.com/micahflee/torbrowser-launcher/blob/master/apparmor/torbrowser.Tor.tor
https://github.com/micahflee/torbrowser-launcher/blob/master/apparmor/usr.bin.torbrowser-launcher


Set Working Tor Browser / Tor Launcher Apparmor Profiles

Fortunately Micah Lee comes to our rescue again!

As the Tor browser and launcher profiles don't work (easily) when installing them from the Whonix stable / developer repositories, we'll just copy Micah's hard work instead, and look at an easy way of fixing any apparmor messages that prevent it starting.

Note that we can use these same profiles on both the base machine (Linux Mint) and in the Whonix-Workstation, as I have them working fine. Ditto Debian / Debian derivatives.

1. Create three empty files for our needed apparmor profiles:*

* Do this twice - for Linux Mint O/S and then for your whonix workstation master copy, which you will then immediately clone for future use. Tor Browser must also NOT be stored in a hidden ("./") directory in your home folder, or the profile won't apply.
 

cd /etc/apparmor.d
sudo nano torbrowser.Browser.firefox             (exit and save)
sudo nano torbrowser.Tor.torbrowser              (exit and save)
sudo nano usr.bin.tor-browser-launcher           (exit and save)

 

2. Cut and paste Micah's apparmor profiles EXACTLY* and save

* For example, if you leave spaces at the end of apparmor profiles, this often causes errors.

torbrowser.Browser.firefox
 

# Last modified
#include <tunables/global>

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
  #include <abstractions/gnome>

  # Uncomment the following line if you don't want the Tor Browser
  # to have direct access to your sound hardware. Note that this is not
  # enough to have working sound support in Tor Browser.
  # #include <abstractions/audio>

  # Uncomment the following lines if you want to give the Tor Browser read-write
  # access to most of your personal files.
  # #include <abstractions/user-download>
  # @{HOME}/ r,

  #dbus,
  network tcp,

  deny /etc/host.conf r,
  deny /etc/hosts r,
  deny /etc/nsswitch.conf r,
  deny /etc/resolv.conf r,
  deny /etc/passwd r,
  deny /etc/group r,
  deny /etc/mailcap r,

  deny /etc/machine-id r,
  deny /var/lib/dbus/machine-id r,

  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/task/*/stat r,
  @{PROC}/sys/kernel/random/uuid r,

  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profiles.ini r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/ r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Data/Browser/profile.default/** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor Px,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/libstdc++.so.6 m,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/ rw,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Desktop/** rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/ rw,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/Downloads/** rwk,

  /etc/mailcap r,
  /etc/mime.types r,

  /usr/share/ r,
  /usr/share/mime/ r,
  /usr/share/themes/ r,
  /usr/share/applications/** rk,
  /usr/share/gnome/applications/ r,
  /usr/share/gnome/applications/kde4/ r,
  /usr/share/poppler/cMap/ r,

  # Distribution homepage
  /usr/share/homepage/ r,
  /usr/share/homepage/** r,

  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/present r,
  deny /sys/devices/virtual/block/*/uevent r,

  # Should use abstractions/gstreamer instead once merged upstream
  /etc/udev/udev.conf r,
  /run/udev/data/+pci:* r,
  /sys/devices/pci[0-9]*/**/uevent r,
  owner /{dev,run}/shm/shmfd-* rw,

  # KDE 4
  owner @{HOME}/.kde/share/config/* r,

  # Xfce4
  /etc/xfce4/defaults.list r,
  /usr/share/xfce4/applications/ r,
}


torbrowser.Tor.tor
 

#include <tunables/global>

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor {
  #include <abstractions/base>

  network tcp,
  network udp,

  /etc/host.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/* rw,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Tor/lock rwk,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Lib/*.so mr,
  owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Lib/*.so.* mr,
  @{PROC}/meminfo r,
  @{PROC}/sys/kernel/random/uuid r,
  /sys/devices/system/cpu/ r,

  # OnionShare compatibility
  /tmp/onionshare/** rw,
}


usr.bin.torbrowser-launcher
 

# Last Modified: Thu Jan  2 15:12:38 2014
#include <tunables/global>

/usr/bin/torbrowser-launcher {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/python>
  #include <abstractions/consoles>
  #include <abstractions/gnome>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/freedesktop.org>

  capability sys_ptrace,

  # This script doesn't really need to read the interpreter that's running it.
  deny /usr/bin/python{2,3}.[0-7]* r,

  /bin/{dash,grep,ps} rix,
  /dev/ r,
  /etc/magic r,
  @{HOME}/.config/torbrowser/ rw,
  @{HOME}/.config/torbrowser/** mrwk,
  @{HOME}/.cache/torbrowser/ rw,
  @{HOME}/.cache/torbrowser/** mrwk,
  @{HOME}/.local/share/torbrowser/ rw,
  @{HOME}/.local/share/torbrowser/** mrwk,
  @{HOME}/.local/share/torbrowser/gnupg_homedir/* l,
  @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/start-tor-browser.desktop Ux,

  @{PROC}/ r,
  @{PROC}/[0-9]*/{cmdline,mountinfo,stat,status} r,
  @{PROC}/[0-9]*/task/** r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/tty/drivers r,
  @{PROC}/uptime r,
  /usr/bin/ r,
  /usr/bin/{gpg,dirname,expr,file,getconf,id} rix,
  /usr/bin/torbrowser-launcher r,
  /usr/share/file/magic.mgc r,
  /usr/share/file/magic/ r,
  /usr/share/themes/** r,
  /usr/share/torbrowser-launcher/** r,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  owner @{HOME}/.config/dconf/user r,
  owner /{,var/}run/user/*/dconf/user rw,

  # including abstractions/audio is not enough to play modem sound
  /usr/bin/pulseaudio Pixr,
}


3. Enforce these new apparmor profiles in both Whonix Workstation (master) and Linux Mint
 

sudo aa-enforce torbrowser.Browser.firefox
sudo aa-enforce torbrowser.Tor.tor
sudo aa-enforce usr.bin.torbrowser-launcher

 

4. Check these profiles are enforced and re-loaded in the kernel
 

sudo invoke-rc.d apparmor reload
sudo apparmor_status


OR

Access active profiles as root in /sys/kernel/security/apparmor/profiles

In terminal, after sudo apparmor_status you should see among your many enforced profiles:
 

/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox
/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor
/usr/bin/torbrowser-launcher


5. Run Tor Browser to see if it works and debug

All going well, Tor browser will launch okay for your in both Linux Mint and Whonix Workstation. If it doesn't, examine your apparmor messages in /var/log/kern.log to see what is being blocked and why.*

*Installing apparmor-notify via Synaptic Package Manger will also give you a visual read out of apparmor messages as they occur.

If you are okay with changing your security preferences in line with what Tor browser / launcher is trying to read, write, execute or map to memory etc, then you use aa-logprof to do this automatically.
 

aa-logprof


Basically it will scan the log file and find existing events not covered by the existing profiles set, and then allow you to make modifications to augment the file.

Alternatively, you can manually edit the apparmor profiles directly, in line with the error messages.

Well done!

 

You now have completely torrified your Mint system, and should have working apparmor profiles on Firefox and Tor Browser on the base system, as well as Tor Browser for Whonix-Workstation. This is a big achievement, as many people new to Linux give up before succeeding.

 

Setting Other Apparmor Profiles

 

In general, apparmor profile generation for other unconfined programs that do not have community-led profiles is easy. For those who are keen, one general process is to use aa-autodep and aal-logprof.

1. Create an empty profile and set it to complain mode
 

sudo aa-autodep PROGRAM_NAME


2. Run the program as normal e.g. editing, priting, browsing or whatever. Examine the logs and see what actions are being taken by the program.

3. Quit the program.

4. Run aa-logprof and select appropriate suggestions based on the output of the program. This can include 'abstractions' for things like directory usage, /tmp permissions, directory (tree) permissions and so on.

5. When all errors have been audited, save the file.

6. Set the profile to enforce
 

sudo aa-enforce PROGRAM_NAME


INSTALL HARDENED TOR BROWSER v5.5a4

For 64-bit Linux users, install the hardened Tor Browser in Linux Mint (not Whonix; it is a 32 bit set-up).

 

This browser will provide greater protection against exploitation of memory corruption bugs by using an address sanitizer.

Use high-security verification procedures as per earlier steps, but this time you won't need to download the public key (.asc) or fingerprint it (it's already imported into your keyring).

1. Retrieve the necessary compressed file and signature
 


2. Verify the package against your previously imported key for the Tor Project
 

gpg --verify ~/Downloads/tor-browser-linux64-5.5a4-hardened_ALL.tar.xz{.asc*,}


Make sure you see "Good signature" from "Tor Browser Developers" and that the date of signing makes sense (not in the future, way in the past etc), and the key has not expired.

3. Extract and enjoy the best browser on the market!

CONCLUSION

Black hats, corporate / academic scum and the electronic stalker girlfriends on the government payroll - that you didn't know you had - love de-anonymising / hacking Tor users, so it makes very good sense to run Tor Browser in a straight jacket at all times.

If / when Tor Browser goes haywire that one time you hit a poisoned script on a http page, you will be hopefully notified and can shutdown your system immediately. 

 

In the case of Whonix, this means pulling the virtual plug on both the Workstation and Gateway straight away and deleting the images. Always start again with clean images cloned from the master copies.

Share this post


Link to post

ADDITIONAL STEP #40: INSTALL TAILS TO A NON-PERSISTENT USB

WHAT IS TAILS?

https://tails.boum.org/index.en.html
 

Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:

1. Use the Internet anonymously and circumvent censorship;
2. All connections to the Internet are forced to go through the Tor network;
3. Leave no trace on the computer you are using unless you ask it explicitly;
4. Use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

 

WHY DO YOU WANT TAILS ALONGSIDE YOUR HARDENED DUAL-BOOT SETUP?

It is useful for numerous activities:

- Truly anonymous browsing when you really need it;
- Like Whonix, everything is configured to run through Tor and anything trying to connect in the clear is blocked;
- Use a computer at a library, a friend's house and other places and then leave no trace of your activity upon shut-down (no hard-drive / swap space is used by design);
- TAILS is set with no persistence by default - there are no files to recover or other digital traces unless you change these settings;
- Creating anonymous email accounts and associated PGP keys in high security crypto-parties is easy with TAILS;
- If you suspect your base system is infected with viruses / malware, then you can still safely use it with TAILS in many cases (but see next section - not recommended);
- TAILS limits many of the numerous security holes in your normal set-up that advanced attackers find; and
- TAILS does not require a fully-secured host to run securely, as is the case in Whonix - this is why whistleblowers and journalists with awareness often defer to TAILS and use it in conjunction with OTR-enabled messaging tools.

WHEN WILL TAILS FAIL?

https://tails.boum.org/doc/about/warning/index.en.html

Key points:
 

- Tails does not protect against compromised hardware
- Tails can be compromised if installed or plugged in untrusted systems
- Tails does not protect against BIOS or firmware attacks
- Tor exit nodes can still eavesdrop on communications
- Tails makes it clear that you are using Tor and probably Tails
- Man in the middle attacks can still occur between the exit node and destination server*
- Confirmation attacks are possible (trivial correlational analysis by govt/ISP measuring traffic going into/out of the Tor network. ISPs or your local network administrators can even cooperate to attack you)
- Tails doesn't encrypt your documents by default
- Tails doesn't clear the metadata of your documents for you and doesn't encrypt the Subject: and other headers of your encrypted e-mail messages
- Reminder: Tor doesn't protect you from a global adversary monitoring all traffic at the same time between computers on a specific network
- Tails doesn't magically separate your different contextual identities
- Tails doesn't make your crappy passwords stronger
- Tails is a work in progress and may contain errors / security holes
- Tails can probably be fingerprinted from standard Tor activity on the internet**


* MITM attacks ARE POSSIBLE on https connections due to the possibility of fraudulently issued certificates from major SSL certificate authorities to malicious third-parties. Staying within the .onion network is far safer.

** Due to: plug-in extensions for Tor Browser that are unique to Tails, sole Tor activity on the network (usually non-Tor traffic is generated by other applications), the removal of Tor entry guard mechanisms, and specific time synchronization behaviours.

TAILS documentation addresses these issues and more:

https://tails.boum.org/doc/index.en.html

INSTALLING TAILS

1. Required computer architecture

https://tails.boum.org/doc/about/requirements/index.en.html
 

Tails should work on any reasonably recent computer, say manufactured after 2005. Here is a detailed list of requirements:

- Either an internal or external DVD reader or the possibility to boot from a USB stick or SD card.
- Tails requires an x86 compatible processor: IBM PC compatible and others but not PowerPC nor ARM. Mac computers are IBM PC compatible since 2006.
- 2 GB of RAM to work smoothly. Tails is known to work with less memory but you might experience strange behaviours or crashes.


2. Download the latest TAILS 1.7 ISO & signature*

https://tails.boum.org/download/index.en.html#first_time

* Only the latest TAILS version should be used. Numerous security issues are patched with each release. Fake TAILS software is probably common in the wild, due to extreme government interest in those using it.
 

 

3. Download and import the TAILS signing key
 

torsocks wget https://tails.boum.org/tails-signing.key
cd [the directory in which you downloaded the key]
gpg --keyid-format long --import tails-signing.key

 

You should see:

gpg: key DBB802B258ACD84F: public key "Tails developers (offline long-term identity key) <tails@boum.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

4. Verify the TAILS ISO image
 

cd [the ISO image directory]
gpg --keyid-format 0xlong --verify tails-i386-1.7.iso.sig tails-i386-1.7.iso


Make sure you see one of the following two outputs:

pg: Signature made Sun 08 Feb 2015 08:17:03 PM UTC
gpg:                using RSA key 98FEC6BC752A3DB6
gpg: Good signature from "Tails developers (offline long-term identity key) <tails@boum.org>" [unknown]
Primary key fingerprint: A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
     Subkey fingerprint: BA2C 222F 44AC 00ED 9899  3893 98FE C6BC 752A 3DB6

OR

pg: Signature made Sun 08 Feb 2015 08:17:03 PM UTC
gpg:                using RSA key 3C83DCB52F699C56
gpg: Good signature from "Tails developers (offline long-term identity key) <tails@boum.org>" [unknown]
Primary key fingerprint: A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
     Subkey fingerprint: A509 1F72 C746 BA6B 163D  1C18 3C83 DCB5 2F69 9C56

Delete the image if you get a bad signature and try again. Cross-verification of primary fingerprints with others installing TAILS on seperate devices is recommended for those exposed to high risk.

5. Manually install TAILS to a non-persistent USB*

* For greater security and ease of installation

Note: USB (or SD) cards should generally be at least 4GB. Burning to a CD is also possible. Using Tails installer allows you to later create a persistent volume in free space if you so desire.

https://tails.boum.org/doc/first_steps/installation/manual/linux/index.en.html

From memory, TAILS ISO can be written to a USB device with the "USB Image Writer" program under Linux Mint / Debian and successfully boot. Since this is not recommended in the documentation, we will use the recommended method:

Run from the menu:
 

Applications | Accessories | Disk Utility


Plug in the USB

A new device will appear - click on it

Note the device size and location matches: capacity 4GB, /dev/sdc (or similar)

In terminal, copy TAILS ISO to the identified target USB (replace file path and source USB destination to match your system outputs):
 

dd if='/home/USR_NAME/Downloads/tails-i386-1.7.iso' of=/dev/sdc bs=16M && sync      (yours will be different)*


* If you get 'permission denied' or 'no such file or directory' errors, you have incorrectly specified devices or path names.

Wait a few minutes. Once the command prompt re-appears, shut down your computer and boot TAILS from this new device.

BEFORE USING TAILS

Read the documentation carefully. Regarding start-up options:
 

- Failsafe mode disables some kernel features and will work better on some computers;
- Additional boot options can be added by hitting 'Tab' when the boot menu appears (see documentation);
- At the 'Tails greeter' option, to start Tails without options, click on the Login button, or just press Enter.
- To start Tails in languages other than English, select the one you want from the menu at the bottom of the screen. You can also adapt your country and keyboard layout. When you do that, Tails Greeter itself switches language.
- To set more options, click on the Yes button. Then click on the Forward button:

-- Administration password: In Tails, an administration password is required to perform system administration tasks. For example:

    To install additional software
    To access the internal hard disks of the computer
    To execute commands with sudo

By default, the administration password is disabled for better security. This can prevent an attacker with physical or remote access to your Tails system to gain administration privileges and perform administration tasks against your will.

-- Windows camouflage: If you are using a computer in public you may want to avoid attracting unwanted attention by changing the way Tails looks into something that resembles Microsoft Windows 8.

-- MAC address spoofing: Tails can temporarily change the MAC address of your network interfaces to random values for the time of a working session. This is what we call "MAC address spoofing". MAC address spoofing in Tails hides the serial number of your network interface, and so to some extend, who you are, to the local network.

MAC address spoofing is enabled by default in Tails because it is usually beneficial. But in some situations it might also lead to connectivity problems or make your network activity look suspicious e.g. using a public computer in an Internet cafe or library, attempting to connect on networks only allowing connections from a list of authorise MAC addresses etc*

* Don't forget than when using wi-fi, anybody within range of you Wi-Fi interface can see your MAC address, even though not connected to the same Wi-Fi access point.

-- Network configuration: If you require a proxy, have restrictive firewalls or want to use Tor bridges to hide obvious Tor activity

-- Tor bridge mode: Use this if Tor is blocked by censorship in your country or using Tor is dangerous or suspicious (this is not fool-proof!)

-- Disabling all networking (offline mode)

-- Encrypted persistence: Although possible, setting a persistent volume in an amnesic system is recommended against (hurts your anonymity)

 

CONCLUSION

If you really want to take it to the next level - install TAILS as a useful adjunct to your hardened dual-boot system.

Your potential adversaries will then have to start wasting precious resources (FinFisher et al., TAO tools, end-to-end analysis) if they want to violate your privacy that badly on your home system.

And once they have done that - they will soon discover you having been "hiding" a Twilight fetish or obsession with garden gnomes. Hardly the stuff of national security!

If you can't beat your privacy-invading, electronic girlfriends (likely) and they simply won't take the hint that you're breaking up with them - teach them an expensive lesson and help to bankrupt the sector.

"Oh no, it's not you, it's me"

They simply can't track every freshly installed TAILS USB across the military net, plugged into random computers, and hope to consistently keep a track of you. Ain't physics a bitch.*

* Until they implement Phase 2 of "Owning the Net", which will probably necessitate every peripheral / computer attached to net be given a "NSA TM firware upgrade" by force...

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...