esmeralda reacted to bigbrosbitch in Dual boot Windoze with Linux Mint 17.2 in 25 steps ...
Additional Step #27: Put Skype in an Apparmor Box
If you must install Skype (do you really need it?), put this hostile binary in chains. Follow these steps for Linux:
Additional Step #28: Created a Hardened Firefox Profile
Follow the instructions here to create a new user.js profile that tears out a couple of hundred (?) privacy/security related weaknesses in FF 41.0.2:
Additional Step #29: Securely Configure Thunderbird for Desktop Email & Create a 4096 bit PGP Encryption Key-pair
Edward Snowden was recently quoted as acknowledging people must take back their universal human rights with the power of mathematics (encryption), rather than wait for hopelessly outdated laws - and corrupt political systems - to be reformed:
Thus, lets look at the basic steps to configure Thunderbird desktop email client securely on your new GNU/Linux system and use the laws of the universe to our benefit.
It is relatively simple to create a strong PGP encryption key-pair for your email account to at least protect its content and attachments, but unfortunately not its meta-data.
INSTALL THUNDERBIRD / GnuPG / ENIGMAIL
- Thunderbird is your desktop email client - a modified Firefox browser
- GnuPG is the software which uses the open PGP encryption standard
- Enigmail is the plug-in for Thunderbird which will allow us to encrypt/decrypt and digitally sign emails
In Linux Mint, run the following in a terminal:
For Debian users, Icedove is simply rebranded Thunderbird, so you can run:
Debian users can just replace 'Thunderbird' with 'Icedove' in the following instructions and everything should still work okay.
CREATE A PSEUDO-ANONYMOUS EMAIL ACCOUNT
As recommended by prism-break.org:
So, choose an alternative from the following list that preferably is free, is accessible via free mail clients, strips IP in sent mail/server logs, has encrypted data storage, a good SSL rating and other features you like. It is even better if you can create a new account via Tor; not all providers will allow this.
Use a 7-word (minimum) diceware passphrase for your password. Do not choose anything in the email account name that is linked to you or identifies you or your preferences/history/background in anyway. For example, ManchesterUnitedFan@xyz.com is bad opsec.
* Don't forget that common providers GMail, Yahoo and Hotmail are all part of NSA's PRISM program, meaning your shit goes straight to the Death Star. Choose not to be assimilated. Setting up Thunderbird with gmail also requires special settings due to two-factor authentification. See: https://support.google.com/mail/answer/1173270?hl=en
ADD NEW EMAIL ACCOUNT
When you run Thunderbird the first time, it can set up existing email addresses for most popular free email services. When it offers a new email address, select:
Enter your new (fake) name, email address and diceware passphrase. Uncheck "Remember password" and hit 'done'.
If you are lucky, your configuration will automatically be found in the Mozilla ISP database and you will be faced with the choice of IMAP (remote folders on email server) or POP3 (mail is kept on your computer).
Most users will want to use IMAP, since it is generally considered more secure and will allow many different email clients or interfaces to access emails on remote servers, rather than the inconvenience of one computer. Further, IMAP elimates the risk of a stolen/lost laptop with a treasure trove of emails inside.
If you need to manually set up your account, check with the provider's website re: standard SMTP and IMAP settings. You will need to know for IMAP:
For SMTP (outgoing server), you'll need to know:
STRENGTHEN GENERAL THUNDERBIRD SECURITY SETTINGS
1. Disable "Global Search and Indexer" feature to optimize performance:
2. Disable the Preview Pane (can triger malicious code in emails):
3. Disable HTML (threats similar to malicious web pages):
4. Under Menu | Options, click the security tab and check box for 'suspected email scam'
5. Confirm remote content is turned off (this is the default setting). Remote content leaks details about what app/platform you are using, your current rough IP approximation, that your email address is active ('alive'):
If the Allow remote content in messages checkbox is ticked, UNCHECK IT.
6. Don't use Thunderbird for anything else but email i.e. no browsing, news groups etc.
7. Configure what should happen to messages flagged as junk (for an account) - set to trash can and immediately delete on remote server:
8. Consider setting SpamAssassin or SpamPal headers for junk mail filtering*
* Possible risk on Fedora/FreeBSD with setuid set to root? Check manually.
9. Configure what should happen to messages flagged as junk (for local folders - set to immediately delete as best practice):
10. Under Account Server Settings, check "When I delete a message - Remove it immediately" & "Message Storage - Empty Trash on Exit":
11. Configure Cookies (you shouldn't need this, as you won't be browsing with Thunderbird, but set it to kill cookies anyway):
Specify which sites are allowed to set cookies (none):
12. View or delete passwords for email accounts:
13. (Re)configure any encryption settings for sending messages that you don't like (for the selected identity once it is set up by the Wizard):
14. Do NOT synchronize or store messages for the account on your local computer (this is the default setting)
15. Do NOT send return receipts (potential privacy/security risk):
16. Debian users should enforce the icedove apparmor profiles that ships with Jessie by default (check the profile names, I'm guessing here)* e.g:
*Advanced users can port this profile to Linux Mint by making minor changes to the available Icedove apparmor profiles (don't reinvent the wheel). If so, post it here in the forums so we can all use it. Hint, hint: OmniNegro, Troubadour, Mirimir and other geniuses....
CREATE A 4096-BIT ENCRYPTION KEY
Now we have a fresh email account, a strong passphrase and a solid email client to work with. We should check GnuPG was successfully installed, our Enigmail add-on is present, and we can create a suitable large encryption key to protect our future communications and attachments at our leisure.
All going well on your first run of Thunderbird, you will be offered an Enigmail Setup Wizard to allow for the creation of keys. If not, click on the 'hamburger menu' (three horizontal lines button in top right of screen) and manually select "Enigmail" -> "Setup Wizard".
If this is not present, select 'Add-ons' from the same hamburger menu and re-install Enigmail. Also double check that GnuGP is found by Thunderbird under the /usr/bin/gpg folder (see Enigmail preferences tab to confirm).
Wizard basic steps:
1. Choose "Convenient auto encryption" or "Don't encrypt messages by default"
2. Choose "Don't sign all my messages by default"*
3. Allow Thunderbird to change default settings to make Enigmail work better (disables flowed text, view message body in plain text, never compose HTML messages)**
4. Review changes and select OK button.
* Encryption protects content, but digital signing confirms that the contents of the message were not tampered with in transit and that the sender is not a imposter. NOTE: It is dangerous to signal to others that you use PGP (even with signing only) in parts of the world where encryption for personal use is illegal e.g. China, Iran, Belarus, some Middle-East states.
** HTML can cause problems in encryption/decryption of your email. However, you lose the ability to send bold, underlined, coloured text etc.
5. Select "I want to create a new key pair for signing and encrypting my email" (since we have a fresh new account and don't wish to import existing keys)
6. Choose a very strong passphrase for your new encryption keys - a 10 word diceware passphrase (approximating 400 bits+ in strength) should keep the computers at bay for a while
7. Choose a 4096 bit length key and lifespan of 5 years (should be set by default)*
* If you think that in your life-time, you won't lose your key, stop using PGP, or allow hostile/malicious parties unauthorised access to your private key, then by all means extend this lifespan to a greater length or even "never expire"
8. Key generation can take several minutes to complete at this stage. Well done! You have generated your private-public encryption keys (stored in the browser).
9 When it has finished, confirm that you DO want a revocation certificate for your key (if you ever lose your key or want to revoke it, this certificate is essential). Save the revocation certificate in a safe place e.g. USB or encrypted disk and back it up.
1. Identify both your short (8-digit), long (16-digit) and key ID fingerprints (40 digit) by selecting "Key Management" under Enigmail options.
2. Your name, email and short "Key ID" will be displayed by default. The short (public key) ID will be something like:
3. Select the small button next to the "Key ID" column and choose "Fingerprint".
4. Drag the width of this column to display your last 16 digits of your ID, and then your entire 40 digit fingerprint. Your ID should look something like:
Note that the long and short key IDs (of any key) are just the last 16 or 8 digits of its respective fingerprint.
OPTIONAL STEP - INCREASE THE STRENGTH OF YOUR PGP ENCRYPTION KEYS
* This also means that if you're encrypting to several people at the same time, you can only use the strongest algorithm that the weakest person uses!
1. View gpg algorithms supported by gpg in terminal:
The output will look something like:
2. Modify your public key's preferences by interactively editing your key:
3. At the gpg prompt, check your current algorithm preferences with:
You will see something like:
Protocols listed first are used first.
4. Set far stronger preferences with the setpref command.*
* This decision is informed by personal preferences for stronger hashes and more modern ciphers as per the GnuPG FAQ sections 7 & 8. Choose your own poison if you are not happy with the above selections.
5. Enter your encryption password to confirm your updated choice of algorithms. Check that it worked by entering the command:
5. Enter the command:
To make your changes permanent.
BEFORE SENDING ENCRYPTED EMAIL
Learn from the resources list how to:
- Send you public key as an attachment to an email
- Import a correspondent's public key
- Validate and sign a key pair safely (does the key really belong to the person who supposedly sent it? You MUST check digital fingerprints with eachother over VOIP or similar first!)
- Search for keys on the public key servers attached to specific email addresses
- Upload a public key to a key-server (not generally advisable)
Learn about critical encryption practices:
- Meta-data is not protected by encryption! Subject lines, times/dates of emails etc are vulnerable!
- Using inline PGP for attachments sends the names of the attached files in clear text!
- Use PGP/MIME option to ensure all email text, attached files and their names are encrypted and hidden
- Encryption AND digital signatures are necessary. Without signing, you can't be sure if someone is the 'real sender' they claim to be (could be spoofed) and whether the message has been tampered with on its way through the Matrix!
- Your private key is precious. Don't export the public-private key pair and have it sitting in your home folder or somewhere else retarded. If it is lost, stolen or likely fiddled with by an adversary, consider the keys tarnished, and start all over again (revoking the old pair).
- PGP is far safer from the terminal than from a GUI and Enigmail CAN be buggy. If you don't want to run a fancy plug-in that poses more attack vectors and potential data leakage than necessary, than manually encrypt/decrypt your messages and attachments from the terminal with this simple guide:
- Standard attachments encrypted with PGP/MIME or S/MIME can fail or best lost if the recipients email client can't handle them! Prevent this possibility by using ASCII-armored OpenPGP blocks in the email body, so any email client can handle it. For example, at the terminal:
Best of luck!
esmeralda reacted to bigbrosbitch in TAILS How To: High Endpoint Security ...
Using TAILS properly to communicate anonymously is easier said than done.*
* Note: I still think One-time Pads hiding secret ciphers in on-line forum posts (or similar) is the most secure and fully deniable method for communications, however, this is certainly not convenient or practical for most circumstances. Also, this is over-kill for 99.9% of the population. However, if the OTP concept is shared widely, the Global Gestapo will be wondering whether secret messages are hidden all over the place - increasing their fruitless searching and computational crunching by several orders of magnitude.
For instance, it is entirely feasible that I may have hidden several ciphers in this post for instance, and theoretically could be communicating with one or more persons. Indeed, the sender can potentially achieve one-way message authentification in this manner (a forum post that remains unedited)....
Tails WorkFlow for High Endpoint Security**
** By Micah Lee of The Intercept and Freedom of the Press Foundation
What Micah didn't mention in this particular article above is the necessity to also disguise your writing style (under his scenario) so that you cannot be identified by certain obvious patterns. This is particularly true if using email providers that scan your shit e.g. G-Mail.
Even if you are "Mr Robot" on-line, if any of your communications can be ripped from email servers or otherwise intercepted e.g. the provider is part of PRISM, then the great Eye of Sauron will be intently poring over your material if it is of interest and doing everything to work out who you are.
That is, even if you go to great lengths to disguise your on-line persona and achieve full or near-anonymity (no stuff-ups along the way - not easy), you can easily reveal your identity via typographical and dialectical style, spelling, pronunciation and grammar.
Another obvious case where you place yourself at risk would be a release of risky 'manifestos', controversial/critical texts slamming authoritarian/military governments, your favourite drug recipes you publish on the darknet, advocating for multi-party democracy in tinpot dictatorships (or whatever else is your fancy), which are all published under a pseudonym.
Yes, truly being anonymous is a real bitch, but wholly possible.
You should also NOT share any personal information with your secret readers/fanclub/secret cabal of conspirators e.g. dodgy darknet forums.
Many an egotistical hacker, drug peddler and so on have been undone by their own hand e.g. letting slip references to the weather, their backgrounds, habits and so on, which can uniquely identify them when cross-referenced by forum/email/other comms date and time stamps over a long enough period.
"Loose lips sink ships"
As a counter to true anonymity, this forum post is a perfect example of a non-anonymous communication, for I am fully aware that the author (me) is EASILY identified by the local Stasi. Why? Because I have not used washed bitcoins or a host of anonymising session, network and other measures when setting up this account, nor have I adequately separated personas when using it. Nor have I used measures to disguise my writing style.
But luckily I don't give a shit.
However, it might really matter for some of our AirVPN users, for example, those pushing for multi-party democracy or fearlessly reporting the actions of in hostile tin pot dictatorships.
The Hidden Wiki provides some good pointers for anonymous writing. Fail to heed this at your own peril if you are a serious activist or similar.
esmeralda reacted to bigbrosbitch in Dual boot Windoze with Linux Mint 17.2 in 25 steps ...
Additional Step #26: Install App-Armor Utils and Profiles (enforce and/or complain setting)
This step is overkill for the average desktop user, but since it is available in Linux Mint by default, we can install and enforce additional profiles for our most vulnerable programs e.g. Firefox, Pidgin, email programs.
What is Apparmor?
An easier alternative to SE (security-enhanced) Linux:
Apparmor is vailable in the following distros (note it is installed in Ubuntu by default, but we will fetch additional profiles shortly):
Why not use SE Linux instead?
Easy. SE Linux is too hard to set up and maintain. Really, SE Linux is for advanced users/administrators and the documentation is apalling for any low-end or intermediate users.
Key point: We can still achieve mandatory access control (MAC), without the above difficulties with SE Linux.
Why enforce additional Apparmor profiles in Linux Mint?
Several reasons. Only a few (basic) profiles are loaded by default. Also, many are set to only 'complain' which will not stop a process that is outside allowable parameters (just logging it instead), but we can change that to 'enforce' (will block restricted processes; also logged).
As a reminder to Linux users, check your logs regularly for suspicious behaviour, unauthorised login attempts, multiple users, connections to remote IP addresses, deletion of large segments of logs for no reasons etc. Any of these mean you may have been pwned. Keep your system up to date at all times too.
Another reason for enforcing further profiles is the fact that Firefox is not loaded by default in Ubuntu. The reason is:
What is the benefit of enforcing the Firefox profile?
From the above link:
Essentially, we don't want to give any more permissions to programs than is absolutely necessary (GRSecurity is another form of MAC, in the form of a kernel patch):
What are all the available profiles for Linux Mint?
See link below for 'main' and 'community supported' profiles. Linux Mint is based on Ubuntu 14.04 LTS:
How do I check/configure/set up additional profiles in Linux Mint?
The default configuration for Firefox really does not offer much in the way of protection so you will need to install some additional profiles. Once that is complete you will see a new list of profiles in /etc/apparmor.d.
Follow the steps below:
1. Install apparmor, additional profiles, utilities and notifications for Ubuntu. In terminal run:
Check your new available profile list by running in terminal:
You should see something like:
2. Check the current status of apparmor. In terminal run:
It should say something like (your list will be far longer, but for simplicity this example is used):
3. Set profiles to either 'enforce' or 'complain'
Note: it is not advisable to enforce all the available profiles at one time, as you will usually find you lose functionality in the internet connection, browsers may not work correctly and so forth. It is safer to set profiles to 'enforce' one (or a few) at a time, and then check functionality e.g. problems are often seen when enforcing the dhcp profile.
Profiles set to enforce must be debugged in the event they prevent the proper operation of the running program. This is not covered here for simplicity, but users who are interested can read further here:
To set a profile to complain (we will use the example of the Firefox profile, but anything can be substituted in its place), use the aa-complain command:
To set all profiles to complain, run:
To set a profile to enforce, use the aa-enforce command:
To set all profiles to enforce, run:
4. Reload apparmor profiles into the kernel.
Running processes are not protected by AppArmor. Therefore, either restarting the process/es or rebooting will fix this.
To reload apparmor profiles, in terminal run:
5. Check processes that are unconfined by apparmor and whether you are happy with this arrangement.
In terminal run:
6. Temporarily/permanently disabling profiles
Profiles can be temporarily disabled by performing (Firefox in this example):
To permanently disable, run:
6. Creating new profiles/other
This is too detailed to cover in this post, so for those that are interested see the link below for additional apparmor commands. Personally, I would recommend using existing profiles and debugging them, in preference to creating your own from scratch:
What about Tor Browser - does this ship with a default profile?
Not in Ubuntu that I can find. However, this profile below ships with Whonix, so it should also be compatible for Debian based systems or derivatives e.g. Linux Mint Debian Edition. I have tried unsuccessfully on Ubuntu when I imported it, but maybe others will have better luck by playing with the profile.
FOR DEBIAN USERS IN THE FIRST INSTANCE:
Cut and paste the text of the latest profile (they are updated over time due to broken functionality) and save into profiles directory. That is:
1) copy the content of "home.*.tor-browser_*.Browser.firefox" in an editor (most likely gedit for you)
2) Save and copy it (as root) in /etc/apparmor.d
Run in terminal:
Reload the profile in the kernel:
Now modify /etc/default/grub. The last line must be edited so appamor is set (=1)
Update grub by running in terminal:
For additional assistance with this profile, see the Whonix forums:
Apparmor is available to Linux users (Windows refugees) and provides some basic protection from zero days and other exploits, so it is worth installing basic profiles if you are security minded. Proper security requires you tighten up the profiles over time (especially Firefox), which are not overly restrictive in the first instance.
Debian users can also benefit from pre-existing Tor profiles that are easily incorporated and quite restrictive. Ubuntu (Mint) users can also modify this profile for their own use.
esmeralda reacted to bigbrosbitch in How To: Put Skype in a Box (Linux) ...
If you are a Windows refugee who has recently sought asylum by following these steps: https://airvpn.org/topic/14938-dual-boot-windoze-with-linux-mint-172-in-25-steps/
then you now have a dual boot Windoze-Linux system where you can limit your data leakage damage to Microhack enterprises at boot-up time.
For instance, you can probably limit Spyware O/S activity to certain games that do not run well in Virtualbox or with meta-compatibility layer technology e.g. Play on Linux/WINE.*
* Although the games support list looks very promising these days. Cross-platform software enhancements also mean that Windows' main advantage - superior gaming and range of titles - may soon be lost.
Despite the undeniable gains to your privacy and security in running a solid linux distro over Windows, there is a good chance your partner/room-mate/other will be addicted to VOIP, social media, jabbering, and stalking their ex-sweethearts or school friends on-line.
As a consequence, you will be probably be asked to install potentially hostile proprietary binary blobs just minutes after having established a clean system - Skype will be one of the stand-out requests statistically for the fairer sexes in all jurisdictions.
Why Care About Skype?
There are good reasons to be paranoid about Skype and its potentially damaging activities.
Briefly, Skype has been fully backdoored since February, 2011. Microsoft has been playing tag-team with the Stasi since at least 2007, allowing 'encrypted' communications to be laid open bare for authoritarian freaks:
Here is Microsoft getting 'the reach around' from the men-in-black on a pretty NSA slide:
Neither is Skype encrypted end-to-end. This means Microsoft can (and does) also read your messages and snoop on video chats.
Horrifying stuff right? Maybe those sex chats with transgender midgets in eastern Russia were a mistake after all?
So, how can we try and maintain the integrity of the Linux system that is otherwise 100% open-source software, except for the typical few codecs and drivers?
Firstly, before taking out two life insurance policies on your loved one and researching uncommon poisons via Tor Browser, try to convince them to to install and use secure open-source software as an alternative.
Several programs are available, but I prefer Jitsi for video/VOIP/chat because it is relatively easy to set up, open-source and provides military grade encryption. Other alternatives for Linux suggested by Prismbreak include:
Unfortunately, your better half will exclaim with 99% probably (Scrodingers cat is always dead in this particular universe):
This means you are stuck unless you want to boot Windoze or run Windows in a virtual environment for Skype purposes. This is a lot of stuffing around, particularly if you want Linux to be used most of the time as the defacto stable system.
You cannot suggest Skype for the Web (via a browser and suitable plug-ins), due to the plug-in's unavailability in Linux at this time. See:
So, in order to save your marriage and limit malicious activity by Skype on your local system (e.g. network/file scanning) it is worth enforcing an AppArmor profile.**
** Unless you wish to place complete trust in Bill "Snowden is a Traitor" Gate's special brand of malware, which is already known to turn every desktop from Win 7 onwards into a glorified i-phone-home.
Skype 4.3 Apparmor Profile for Ubuntu/Mint
Assuming you have installed 32 or 64 bit Skype and tested it without any video/sound problems in the first instance, then you are ready to enforce the profile to put chains around it.***
*** Sound problems are not uncommon for Linux in earlier versions, but easily rectified in most instances.
I have successfully imported into Linux Mint the recent github Skype profile below and enforced it without any voice or video problems. If you have not already installed apparmor-notify (to get on-screen notifications of activities blocked/complained about), then do so now via Synaptic Package Manager as this will assist in any debugging.
This profile below should be named usr.bin.skype and can sit in the /etc/apparmor.d/ directory.
Cut and paste text below and save (from https://gist.github.com/AgentME/5640268).
Then in terminal run:
Check the status of the Skype profile with:
Distros other than Ubuntu seem to regularly have these Skype profiles available in the 'extras' directory by default. They can therefore be manually turned on as required without these extra steps. For example, see:
In Debian https://packages.debian.org/jessie/all/apparmor-profiles/filelist
In ArchLinux https://wiki.archlinux.org/index.php/Skype
And so on.
When your back is to the wall and you face crushing child support payments unless you tolerate a vicious binary blob that taints your freshly installed Linux box, then the least you should do is put Microhack's Skypanopticon in a simple sandbox.
All going well, your partner can Skype all day long on the home network - happily sharing her biometrics, voice print and psychological problems with the invisible goon squad - without Bill Gate's deformed love child unnecessarily running his shit-stained fingers across all your precious electronic data.
esmeralda reacted to S.O.A. in My AirVPN Experience/Review ...
I have been using AirVPN for almost two years now. I would say that the service provided by AirVPN is very good.
Price: AirVPN is not the cheapest nor the most expensive. However, when AirVPN runs deals such as their Cyber Monday deal (38% off) and currently their Christmas deal, the price is very affordable. Especially considering the quality service you get in return.
Support: I have no complaints with the AirVPN support staff. I have contacted the support staff many times and they respond quickly and politely. The staff has a vast amount of knowledge and has answered all of my technical questions thoroughly.
Software: I was with AirVPN before their new "Eddie" client was released. Because I am a Mac user I have used a program called Viscosity since day one. It is a great program and I highly recommend it. I have used the AirVPN Eddie client and it is very nice. However, (this is where the staff and I will disagree) the Eddie client lacks a formal killswitch. I am aware that there is a "Network Lock" feature in Eddie that acts in a similar way. However, in OSX it is confusing (for me) to get it working. So, I still use Viscosity because I can implement a simple killswitch script that closes any program I specify. I have created a forum thread on this topic for Viscosity Mac and Windows users. The killswitch is extremely easy to setup. Despite this, I think the Eddie client works very well and AirVPN is improving it all the time.
Servers: I would say that AirVPN has a very good variety of servers to choose from. Considering the size of the company, they defiantly have a sufficient number of servers. Especially in the Netherlands.
Speeds: I am located in North America and I do not notice any deduction in speed while using the AirVPN servers in North America. I even get great speeds from some of the servers in Europe. When it comes to speeds, I have nothing to complain about at all!
I have tried other VPN services such as Private Internet Access, BTGuard, and Torguard. In my opinion, AirVPN beats those three in every aspect. When AirVPN includes features such as 3 simultaneous connections, p2p on every server, and very high levels of encryption, plus many other good features, AirVPN is very hard to beat.
So, all I have left to say is, keep up the great work AirVPN!
esmeralda got a reaction from snaggle in Eddie 2.7 available ...
Hi, sorry I was short on time. and thanks for the rapid response
Ok I downloaded the new 64 bit .rpm file. Installed it using SUSE's 1 click install and everything seemed fine, the installer asked for root privaliges and no errors where reported. so good so far.
The Airvpn Icon is installed in the app overview however when I click on it instead of Air asking for root privaliges and starting up nothing happens.
I tried this before and after uninstalling the previous version and before and after reboots.
Any more info I can provide please ask.
Thanks as always.
As stated previous I'm running OpenSUSE 13.2 RC and Gnome 3.14.
Edit: I can run the portable version.
(sorry I lost the quote formatting for the above message by snaggle - don't know how to get it back)
I run Linux Mint and was occasionally having this problem with Eddie 2.6.
To fix it I had to delete the .airvpn directory that was in my home directory. I had to do this before re-installing Eddie otherwise Air wouldn't start. In fact I had to often do this, and not just after re-installation, because many times Air wouldn't start and nothing would happen whichever way I tried to start it. This was the only way to fix it.
To delete the directory and its contents I typed the following command in the terminal: sudo rm -rf .airvpn (followed by user password when prompted for it)
Air always re-creates this directory the next time Air starts, so no problems are caused by deleting it. However the network lock and other settings needed to be redone in the Air client window.
I am having the same thing happen in Eddie 2.7
It seems to only happen if I have enabled logging in the advanced setings.
So before I start Air I delete the .airvpn/logs folder (or just the log files that are in it), this way my settings are kept and Air will start (it will recreate the logs folder if you enabled logging)
(sudo rm -r .airvpn/logs
The last lines of those log files always contain error notes
Sometimes I was loosing the Airvpn graphical client window from both the desktop and the bottom panel. When this happened Air was still running fine but I had no visual way to confirm this except by dnsleak.net or going to this air site and checking the bottom of the page (more capable users would probably have other methods of checking). Something to do with mono causes this.
Instead I now use the portable Eddie and have no problems except for occasionally have to delete the last log file before Eddie will start.
Thankyou Air - network lock is working great