
Search the Community

Showing results for 'qubes'.


Found 70 results

  1. For User-Agent there obviously is, but other ones are in your OS TCP stack and the sizes and sequence of your packets. The easiest solution in this case would be using a gateway that reassembles the TCP packets in the order of its own OS; for example Tor exits do that. There are many usability and latency disadvantages in this implementation, but if metadata elimination is absolutely critical you can use that. Also you have privacy-focused distros like Whonix, Qubes and Tails which have identical stamps for all users around the world, something those suspects in 2004 obviously didn't have.
  2. I've set up AirVPN on a Fedora VM in Qubes OS, as a Proxy VM. Unfortunately with Network Lock on, the traffic is blocked from the VM trying to proxy through the AirVPN VM. I will outline below for clarity.
     0. The internet
     1. sys-net VM
     2. sys-firewall VM
     3. Sys-AirVPN proxy VM
     4. Browsing VM
     With network lock on, 4 cannot access the internet. With network lock off, 4 can surf the internet, but FAILS leak tests, revealing the real IP. Obviously some type of configuration needs changing in the network lock config to allow traffic from 3 to 4, and 4 to 3, while still locking down any leaks from 3. This is beyond my knowledge of Linux. I hope someone more knowledgeable can solve it. Thx.
  3. How are you finding network lock? And leaks? I recommend running a leak test if you're not using network lock. Maybe you set up some custom iptables? I would love to know what you did https://airvpn.org/topic/20157-problem-with-network-lock-on-qube-os/?hl=qubes
  4. I'm trying to auto start AirVPN portable on a new version of Debian that doesn't meet the Mono dependency. I've been playing with the /etc/rc.local file to try to get AirVPN to run at startup, but can't get it to work. This could be because I'm getting the syntax wrong? Or it's the completely wrong place to try to do this. The user is root, so I don't need to edit the sudoers file, I believe? BTW, I don't have a desktop GUI because I'm running Qubes OS, so I need instructions for terminal commands. Cheers for the help
  5. Hello! Welcome to AirVPN. Win10 can be tough to contain ^__^. It likes talking to its corporate master. I once met this guy who had contained it within a Qubes OS VM, with connections through Tor and all that. He just couldn't get it to be quiet, network-wise, so he got pretty annoyed at it haha.
  6. I don't know if it was mentioned, but it is probably worth looking at a niche hardware vendor called Purism. This is probably the most open hardware x86-compatible laptop, yet still with modern CPUs. As for me, I still prefer to use latest-gen MacBooks with dual boot Arch and macOS. They have been a very hard target to attack, especially after the Thunderstrike patches in 2015. https://puri.sm/products/ https://www.qubes-os.org/news/2015/12/09/purism-partnership/
  7. The chips are only a small part of a larger scope, which is your machine. You may have a theoretical "blob-free" CPU without the latest security mechanisms, or you can have a modern one with ME, but also with important features in place. Most attacks will exploit the low-hanging fruit, which are the kernel vulns, in order to backdoor your system, and not a component that is signed and very undocumented. So if you ask in terms of security, your most paranoid option would be running something like Qubes. The less paranoid option should be running Linux 3.7+ with grsec and a SMAP CPU. That is of course if you prefer to use the x86 platform. Edit: There is a very interesting new local root exploit for Ubuntu 16.04 that is once again mitigated by SMEP/SMAP: https://www.exploit-db.com/exploits/40049/
     if (check_smaep()) {
         printf("[-] SMEP/SMAP support dectected! Quitting...\n");
         return -1;
     }
     Bottom line is... If you can use a newer CPU, you are probably safer from the common types of attacks. The adversaries who can subvert Intel firmware remotely can probably also compromise you even with ME disabled.
  8. Interesting 32C3 talk on the matter, from the creator of Qubes OS: http://hackaday.com/2015/12/28/32c3-towards-trustworthy-x86-laptops/
  9. Search Qubes/Subgraph. Protecting yourself from being hacked is not about installing one software or another, it's about constant threat modeling and compartmentalization. Software only makes a small difference. Even then, you are not 100% covered, this is why you have to know what you are doing, how you are doing it, and who knows about what you are doing. If none of the above makes any sense to you, you should probably not be worried that any adversary will "waste" very expensive exploits on you. After all, they don't just shoot them at random, in order to keep them as useful as possible for a longer period.
  10. Don't just copy paste the threat model wiki. There are no "credentials" in Air, just certificates that anyone can buy for a small fee. The only risk of them being leaked, is that someone will maximize your 3 connections. The idea Qubes meant concerns VPNs with real access passwords, like private/corporate setups. Public VPNs are not in this scope. You can run Tor in the NetVM as well, with Eddie or without.
  11. An easier method would be running it in the NetVM, not the ProxyVM. The ProxyVM setup will require additional rules on AppVMs. You can use this as a reference: https://www.qubes-os.org/doc/vpn/
  12. How far you go depends on how paranoid you are. Most of the browser fingerprinting that goes on relies on JavaScript. Install NoScript and be happy. I recommend removing all of the non-about: links in its whitelist and also turning off iframes, frames and WebGL in its settings. Only whitelist the bare minimum of sites that you trust. Definitely never anything that might cause leaks and draw attention (Pirate Bay, for example).
      I also recommend uBlock Origin and uMatrix. In uBlock, turn on as many filters as you are comfortable with: all the Disconnect ones, the Anti-Adblock ones and the complete set of social blockers. That stops most of the third-party trackers completely in their tracks. uMatrix will also do the same job, but I found that some trackers hide under the same domain as the one you're visiting (tracking.yahoo.com as an example), so you have to be a bit more selective about whitelisting domains. uBlock takes care of them for you. In uMatrix, go to a trusted site then open its filters. Select the domain at the top and pull down the '*' entry. Turn off everything and save. Turn on first-party CSS and images. Save again. Now you only load CSS and images from the domain you're visiting. You can whitelist third-party content on domains as you go. It didn't take me long to have the regular list of sites I use sorted out. You might want to whitelist some sites for JavaScript. AirVPN is one.
      Firefox has a Privacy Settings addon. It adjusts away a lot of privacy and security-related settings. If you like turning on cookies to log into sites then Self-Destructing Cookies can clean out some cruft after a timeout. Be warned this will log you out of a lot of sites if you just leave their window open in the background. HTTPS Everywhere is good to force HTTPS on sites that support it. It uses a policy list to know what sites to force HTTPS on. FlagFox puts an interesting little flag in the URL bar to show where the server you are looking at might be. It is the only one that works on a local database without making requests for every site you visit. If you're paranoid, turn off pdf.js - none of the above addons stop it.
      If you're even more paranoid, look into something like Firejail on Linux or Sandboxie on Windows. macOS has sandboxing too, but I've not bothered to invest in it. I have a setup for Firejail that uses the --overlay-tmpfs option to make my Firefox instance completely throwaway. Every write goes into RAM. Mixing it with --private completely hides the rest of your system from the browser. You can go a lot further with it. Add an extra layer with a VM. Go all the way to Whonix or Qubes if you want a fully isolated environment that will do its best to prevent information leaks. Or you can use the Tor Browser Bundle and disable the Tor launcher if you want.
      Be warned there are some zero-days in Firefox that the FBI has been using to target Tor users. They won't disclose them so nobody knows where to begin looking. We can't tell if they are specific to the TBB or in the vanilla Firefox. We don't know if they've been fixed in the latest versions or not. Best guess is they are JavaScript based and still present in the latest Firefox version. If the FBI is using zero-days to infect systems it's not too far a stretch to say they got them on the black market for a price and that other criminals also purchased them and are exploiting them.
  13. As a much smarter commentator than me summarised what this means in a nutshell:
      Just in case you don't believe me, let's look at the specific clauses again to make sure:
      See https://www.congress.gov/bill/114th-congress/senate-bill/754/text#toc-idc6842ed051194cfda77e2d250867c1f7
      What's the solution?
      Answer: Major root and branch political reform along with a very firm oversight of the MIC and transparency in their activities.
      Something like this is ideal:
      https://blog.cyberwar.nl/2015/07/report-ten-standards-for-oversight-and-transparency-of-national-intelligence-services-july-2015-eskens-van-daalen-van-eijk/
      Conclusion:
      The "tin-foil hatters" that have been screaming - FOSS! Linux! End-end encryption! No third party trust! TAILS! Tor! Qubes! Whonix! PGP! Don't trust the government! - for years have been proven exactly right.
      If you are still willing to use US corporate platforms under this arrangement, then you need your head read.
      We'll await our apologies since we have been confined to the fringe for some time now as 'conspiracy theorists' ...
  14. This concept already exists, and can partially be implemented by Whonix and/or Qubes images. Running a virtual machine inside an existing one will cause OpenVPN inside the second one to be very slow, and you will lose capabilities like AES-NI and other improvements, since your host for the second machine (which is actually a guest of the workstation) will not expose those CPU flags. Besides, two VPNs and Tor is already a huge performance hit, and doubtfully necessary at all; you can do Tor over VPN or VPN with Tor, and there is a guide for this in the wiki section, depending on the case. Some members also posted their own setups. The general idea is that you will not achieve any meaningful layer of privacy/security just by randomly chaining more and more VPNs. A more practical approach might be learning about the various privacy technologies that exist today, and applying them for each and every task you encounter. For example, if you want to download some confidential documents, it's probably wise to do it in a virtual machine with Tor over VPN. If you are just into some P2P, a single VPN from a transparent provider like Air will usually be enough. If you are in a place where using a VPN might be technically impossible or put you in physical danger, you can use Tor to connect to the VPN. P.S. your idea reminded me of this ha ha This made my morning and it was funny.
  16. ADDITIONAL STEP #30: RUNNING WHONIX 11 IN VIRTUALBOX

      PREAMBLE

      If you have followed me on this long journey, so far you have successfully achieved several major milestones:
      1. Transitioned from pure Win10 Spyware Edition to a hardened Linux Mint 17.2 dual boot arrangement with encrypted home drive and latest software & kernel.
      2. Created ridiculously hard to break passphrases on all accounts (diceware) and stored them all in KeePassX with a master passphrase (stored on separate air-gapped media).
      3. Created a decent password on your BIOS system, disconnected webcams, disabled internal microphones, disabled UPnP, updated firmware (where possible and safe), password protected your router & disconnected wireless networking (or set to WPA2 at a minimum).
      4. Removed all your personal, financial and other sensitive documents from your peripherals/drives connected to the military-Net, and stored them on air-gapped media that is suitably encrypted with FOSS (LUKS, ecryptfs).
      5. Regularly shred documents on your HDD/SSD/USBs to prevent file recovery by miscreants (BleachBit).*
         * FYI - best practice to safely and completely wipe peripherals is to delete pre-existing partitions, create one encrypted partition on your destination media that takes up the entire space, then wipe the media with various cleaning tools - see TAILS documentation for further information.
      6. Wiped metadata off all files that you share with the Metadata Anonymisation Toolkit.
      7. Disguised your OpenVPN fingerprint and set a network lock to prevent anything travelling outside the VPN tunnel.
      8. Disabled IPv6.
      9. Removed time/date stamps that are otherwise completely unique.
      10. Reduced your attack surface significantly on your Mint 17.2 system via removal of unwanted software for a standard desktop user e.g. all server crap, remote logins/desktop sharing/viewing/file transfers etc.
      11. Checked your network settings manually to confirm you are not inviting strangers to hack your ass with any open/listening ports (netstat etc).
      12. Installed Tor safely by confirming the authenticity (non-corrupted) status of the file and checking cryptographic signatures.
      13. Regularly run Tor over VPN (VPN -> Tor) due to multiple fingerprinting vectors with standard browsers THAT IDENTIFY YOUR ASS even if you sit behind a VPN; most probably due to a unique combination of FF settings, add-ons, themes, syncing behaviour, languages and multiple plug-ins leaking loads of information on every site you visit.
      14. Run the latest version of Tor with the highest possible privacy and security settings set in the slider to make your signature indistinguishable from the 1-2 million other active, daily Tor users; .onion addresses are used whenever and wherever possible (to stay within the Tor network).
      15. Created a hardened FF profile to go alongside your completely fingerprintable 'default' Mozilla settings profile (which is sub-standard for a company pretending to care about privacy/security).
      16. Set AppArmor system wide to restrict dangerous behaviour by various software apps - you should now have 50+ AppArmor enforced profiles running in the kernel.
      17. Set AppArmor to put chains on that hostile Windoze binary your 'better half' made you install (Skype).
      18. Installed Thunderbird as your new email client with a pseudo-anonymous account that is not part of PRISM and configured it securely to reduce risks posed by HTML, malicious email scripts etc.
      19. Created a 4096 bit PGP encryption public-private key pair, with the strongest available hashing and encryption algorithms to protect your email content and attachments from the fascists at your discretion.
      20. Installed a range of the best suitable FOSS to use as safe alternatives for encrypted communication e.g. OTR with Pidgin, Jitsi, OnionShare etc.
      21. Have the best available FOSS to create encrypted stand-alone folders, volumes, partitions and drives (LUKS, ecryptfs).
      22. Daily clean out your (many) electronic trails from your devices with BleachBit, including zeroing out your HDD/SSDs on occasion.
      23. Recently cloned your working dual boot system with Clonezilla or the dd command to safeguard against any catastrophic events with your current working system.

      Well done!

      In contrast, the regular "Joe the Plumber" (your neighbour) is running stand-alone Windoze 10 in default mode (post-CISA bill) and is a victim of:
      1. Proprietary code that is backdoored harder than a platinum-blonde porn queen in all areas: full-disk encryption (FDE), O/S level privacy, (in)security of all files/folders stored on Windoze file systems, 'encrypted' apps / protocols / communications that are all "NSA-Approved TM".
      2. Runs PRISM-mail and Snoop (Skype) almost every day - feeding the freshly booted Utah data centre with information in clear text/audio/video.
      3. Is effectively 100% open to exfiltration of all browsing, O/S information, personal data/files and constitutionally protected communications via shameless 'privacy' and EULA arrangements, and the recent passage of a number of Stasi Bills.
      4. Trusts data-fiddling, third-party corporate psychopaths with their entire digital life despite Micro$haft, Giggle, Yahooze, Fraudbook and other collaborators assisting the military-industrial complex daily in harvesting everything - in CLEAR violation of international and domestic laws, agreements and charters.

      TAKING PRIVACY, SECURITY & ANONYMITY TO THE NEXT LEVEL WITH WHONIX*
      * I have shamelessly ripped off the best work of Micah Lee, Patrick Schleizer (lead developer, whonix.org) and Whonix documentation for this post, instead of re-inventing the wheel. Significant support for Whonix can be found in available on-line documentation, the FAQ and forum posts.

      RESOURCES
      https://en.wikipedia.org/wiki/Whonix
      http://www.tecmint.com/install-virtualbox-on-redhat-centos-fedora/
      https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad
      https://www.whonix.org/
      https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Comparison_of_Tor_and_VPN_services
      https://www.whonix.org/wiki/Comparison_with_Others
      https://www.whonix.org/wiki/Data_Collection_Techniques#Active_Web_Contents
      https://www.whonix.org/wiki/Features
      https://www.whonix.org/wiki/Post_Install_Advice

      INTRODUCTION
      While your current hardened dual-boot setup has significantly improved your security, privacy and anonymity, it is unlikely to be sufficient against global adversaries. Passive, global systems are already in place which harvest 100% of the encrypted/unencrypted data they intercept. Since approximately 80% of the world's internet traffic passes over US soil due to their dominant position in controlling internet infrastructure, this means 80% of YOUR data, right now, is being intercepted and kept in immense racks of data servers - possibly forever. Passive systems also search for possible unique signatures attached to things like emails, messaging, VOIP, browser profiles, O/S indicators, MAC addresses (if/when revealed), names of computers on LAN (if/when revealed), and even the potentially unique profiles generated by your system when it does your hourly updates (consider how many unique PPAs you might have installed!?). Therefore, resist the temptation to assume you are now secure in your computing activities solely because you run GNU/Linux in combination with OpenVPN and Tor. Carefully consider the advice of experts below, who STRONGLY advocate the use of a virtual environment for enhanced privacy, security and anonymity.

      UNDERSTANDING DATA MINING THREATS YOU FACE ON THE INTERNET EVERY DAY
      WHY ISN'T A TRUSTED VPN PROVIDER ENOUGH TO PROTECT ME ON THE INTERNET?
      WHY USE A VIRTUAL MACHINE ENVIRONMENT OVER THE TOP OF LINUX MINT?
      WHY USE WHONIX?
      WHAT ABOUT OTHER DISTROS IN A VM?
      PRIMARY WHONIX ADVANTAGES

      INSTALL AND CONFIGURE WHONIX 11 IN LINUX MINT
      If you read the preceding material carefully, you should now be convinced that your 'rock-solid, anonymous' desktop system is perhaps a little frail, weak and infirm. In fact, there is a high likelihood you have been signalling your every move to the Stasi, even while sitting behind the AirVPN servers. So, without further delay, let's remove some of your understandable paranoia:
      1. Install VirtualBox 5.0
         In terminal, to remove any older version of VirtualBox run:
         Install VBox 5.0 via Synaptic Manager:*
         * Earlier advice re: debian package is outdated. VBox5 is now available.
         VirtualBox can now be run from the terminal ("VirtualBox") or from the menu.
      2. Download Whonix Gateway & Whonix Workstation (3.1GB in total)
         Download the necessary files and OpenPGP signatures from this location:*
         * Anonymous downloads are possible using the Tor Browser bundle. Download security without verification is low (medium risk for torrent downloads).
      3. Verify the Whonix images & import the developer's PGP signing key*
         * Checking the integrity of the virtual machine images you just downloaded is critical to make sure no man-in-the-middle attack or file corruption happened. This can take several minutes.*
         * I forgot to add that you should download Patrick's key at this point here.
         So, do the following: https://www.whonix.org/wiki/Whonix_Signing_Key
         Download the PGP key used to sign off the software:
         Check fingerprints/owners without importing anything:
         It should show the following:
         pub   4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
               Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
         sub   4096R/CE998547 2014-01-16 [expires: 2016-10-05]
         sub   4096R/119B3FD6 2014-01-16 [expires: 2016-10-05]
         sub   4096R/77BB3C48 2014-01-16 [expires: 2016-10-05]
         Import the key:
         The output should look like:
         gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported
         gpg: Total number processed: 1
         gpg: imported: 1 (RSA: 1)
         To verify Whonix-Gateway, in terminal, run:
         If the VM images are fine, you should see a message saying:
         If you see a bad signature like below, delete the image, download and try again:
      4. Repeat step three for Whonix-Workstation:
      5. Run VirtualBox 5.0 and import Whonix images
         Open VirtualBox, click the "File" menu at the top, and click "Import Appliance." Browse for the Whonix-Gateway file you just downloaded, and click "Continue." Now click "Import," read the warnings, and click "Agree." Your Whonix gateway VM will automatically get set up.*
         * DO NOT CHANGE ANY OF THE DEFAULT IMAGE SETTINGS e.g. memory, display etc.
         Repeat these same steps with the Whonix-Workstation. When you're done, you'll have two new VMs (powered down) in your list of available VirtualBox images.
      6. Start Whonix-Gateway and Whonix-Workstation*
         * The first load of each VM image will be lengthy.
         Highlight each VM and click 'Start' from the top menu.
      7. Change passwords on Whonix-Gateway and Whonix-Workstation
         The default passwords must be changed immediately - use diceware passphrases.*
         * The default username is: user
           The default password is: changeme
         Open a terminal such as Konsole
         Login as root:
         Change root and user password:
         and follow the instructions.
      8. Update your package lists on both Whonix-Gateway and Whonix-Workstation and install all available updates*
         * This will take some time as everything is downloaded via Tor. Never install packages that are unsigned (cannot be authenticated) or where there is a signature verification warning.
         In Konsole (terminal):
      9. Reboot both VMs
         In Konsole:
         Both VMs will reboot at this time (may take a while).
      10. Create multiple VM snapshots*
          * Do not use the master VMs for browsing or to open any unauthenticated communication channel to the internet! Only a Tor Browser install or update should be considered on the master VM images. The master VMs should remain 'clean' and 'updated' so they can always be used (snapshotted) for the creation of further (disposable) images you can discard after sessions of browsing and other activity.
          Once your clean, upgraded images have finished rebooting, shut down the virtual machines and create snapshots of their clean state BEFORE browsing or initiating any connections with the outside world. To shut down a virtual machine in VirtualBox, users can simply click the x in the top right corner of the running process or use the menu options. VirtualBox will provide you options to either: "Save the machine state", "Send the shutdown signal" or "Power off the machine". Select "Send the shutdown signal" - this saves all the updates you have made and sends the equivalent of an ACPI shutdown signal. DO NOT select "Power off the machine" by mistake - you will lose the state of changes to the VM images (all your hard work and updates!). This option is like pulling the plug out of the wall for a VM. Once both VMs have shut down, you should now:
      11. Restart your cloned VM images and enjoy Whonix!
          Simply:
          - Highlight both cloned Whonix images and press 'Start' from the menu
          - Conduct all your work in Whonix-Workstation
          - DO NOT USE WHONIX GATEWAY FOR GENERAL ACTIVITIES other than configuration of Tor settings
          - Select Tor Browser in Whonix-Workstation and immediately check for updates - including associated add-ons - before browsing
          - Turn off JavaScript globally and set the privacy slider to the highest position
          - Do not browse or conduct other activities until Timesync has completed and Tor connections have been confirmed (you will receive notifications to this effect)
          Enjoy your new system that protects you even if your Tor Browser is hacked!

      OPTIONAL: HARDEN VIRTUALBOX SETTINGS*
      * Paranoid users should also carefully read the Security Guide and Advanced Security Guide for Whonix to consider whether they want to make any additional changes to their host or guest systems.
      In VirtualBox, the fewer features, the smaller the attack surface. Here are some suggestions for features which you can remove without impacting core functionality:
      For the best security, you can consider using multiple physical systems to provide greater isolation i.e. separate computers to run Whonix-Gateway and Whonix-Workstation. You can finally use that spare/old computer hardware you have lying around to improve your security!

      CONCLUSION: Running Whonix 11 in VirtualBox is a piece of cake for users that are capable of dual-booting their desktop system. You will SIGNIFICANTLY improve security, privacy and anonymity when using suitably hardened virtual environments in combination with GNU/Linux, OpenVPN and the Tor network. It is simply much more difficult (and expensive) for government or other attackers to take over your computer. If you can't beat them - bankrupt them!

      FINAL COMMENT: We may yet take another long journey to a dual-booted Debian/Qubes system in the near future if there is particular interest.
  17. USER.JS ADDITIONAL NOTES

      RESOURCES
      http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
      https://github.com/pyllyukko/user.js
      https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
      https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
      http://www.wilderssecurity.com/threads/firefox-lockdown.368003/

      HARDENING FF RATIONALE
      WHAT FF INFORMATION IS STORED BY DEFAULT? Answer: A lot!
      SUMMARY OF KEY CHANGES IN THE FF 'ULTIMATE' PROFILE*
      * A summary of key changes can also be seen by running 'Troubleshooting Information' from the Help Menu in FF.
      OTHER KNOWN PROBLEMS WITH 'ULTIMATE' FF PROFILE
      TEST HARDENED FF BROWSER
      Use some of the following online tests and compare your 'ultimate' FF profile with your default. You should be pleasantly surprised.

      SECURE DESKTOP BROWSING ENVIRONMENTS - FINAL COMMENTS:
      * Download media files where possible in preference to using Flash or other plug-ins for streaming. For example, in GNU/Linux you can use youtube-dl to play the media with your native video player at the O/S level instead. youtube-dl and certain other apps can also be combined with torsocks to provide greater anonymity and security.
      * Ultimately, enhanced desktop browser security requires a minimum combination of:
        - a GNU/Linux host O/S (itself hardened with AppArmor, strict firewalls/network locks and significantly reduced attack vectors); and
        - OpenVPN and Tor Browser run in combination.
      * The BEST available O/S security for the average (capable) desktop user requires either running a hypervisor over the top e.g. Whonix running in VirtualBox from clean images, or (even better!) a Xen system running off the bare computer metal (e.g. Qubes). This SIGNIFICANTLY reduces attack vectors and limits the potential damage that can be caused by hackers, unless they are really, really good.
      * AFAIK, CRITICAL anonymous browsing with forensic considerations necessitates the use of TAILS with a non-persistent volume. Under normal circumstances, data trails are otherwise left on swap partitions and sectors of HDD/SSDs marked as 'dead/clean', even after 'secure, military-grade' wipes of the digital media!
      * TAILS can be used safely in infected computers, except (?) those pwned at the firmware level: double-check the TAILS forum for the latest security advice!
      * Using FOSS full disk encryption (e.g. LUKS) with a sufficiently large passphrase may be best practice if browsing directly from a standard Linux/Windoze/Mac operating system, or separately encrypting the swap, root and home partitions at the block level.
      * Semi-regularly zero out free space on your drives for greater security alongside thorough use of BleachBit.
      Good luck!
  18. Hi Snaggle,
      I have writing experience in other fields and would be keen to start drafting something for AirVPN and other users in the near term. As a civil libertarian, I believe everyone has the right to be free of interference when using or communicating on the net. If they want our shit, they should get a warrant. Full stop. Maybe AirVPN could think about some free VPN hours for those putting a bit of time into this resource?
      In the first instance, users probably require a 'Threat Assessment Model' resource to determine what level of computer security they need to attempt for their own purposes. Models I have seen normally come down to about 7 levels, from the 1st level - just a normal user who uses VPN + basic firewalls etc (not really trying to hide) - all the way through to paranoid users who are the next Snowden or Silk Road 2.0 e.g. using virtual environments, chaining of virtual and VPN environments, + Tor, + identity separation, + pfSense + Tor Bridges + JonDoNym mixers + advanced hardware networking solutions + use of hidden onion addresses + MAC spoofing + intrusion detection + hidden encrypted containers inside encrypted volumes, encrypted swap, BIOS and other firmware updates etc etc.
      After users know where they sit on the threat continuum, then the tools they need to use to achieve their preferred level of anonymity/pseudo-anonymity can be further explored in a solid document. This would use materials on this website, plus 100s of pages of info I have already collated across numerous security forums. It could be condensed down into something manageable e.g. I imagine 50 pages or so, split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.
      Anyway, if you like this idea, I can start on the preliminary threat assessment article in the next week or so. Shouldn't take too long.
      PS Apparently the keyboard cadence fingerprinting only works in Tor if you 'temporarily allow' scripts on that page. If you never allow scripts (not even for trusted websites), then apparently they CANNOT achieve this form of fingerprinting (yet). Also, the mssfix value of 1360 also works for me, but I agree the most common values need to be explored, so AirVPN users can 'hide in the crowd' and not make their signature MORE unique by accident i.e. a very unusual directive in custom settings.
  19. I consider The NoScript Misnomer to be a very important article. By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:

- NoScript comes with a default, enabled whitelist.
- Whitelists are inherently flawed, even more so if you don't even maintain them yourself.
- If you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security.
- Blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing.

I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps). Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.
  20. FIREFOX ABOUT:CONFIG

For all Firefox users out there, here is a collection of some useful about:config adjustments. For those who don't know what about:config is: it's like the heart of Firefox in which you can change a lot of settings which are not reachable through the normal preferences. To access it just type about:config in your address bar and read the notification which might pop up. It says that you should be careful, which is true because you can easily fuck up your whole Firefox if you don't know what you're doing. However, I tested the following changes and my Firefox 38 is still working. But I'd recommend to back up your Firefox folder because in case anything goes wrong you don't lose any data. If you have more about:config tips, list them here. It seems to include most of those outlined above.

SAFE FIREFOX 38 CHANGES i.e. won't cause major breaks in your system for those valuing privacy over security:

breakpad.reportURL;"" // default=https://crash-stats.mozilla.com/report/index/ We stop crashes being reported back to the mothership
browser.cache.disk.enable;false // disables caching on hard drive
browser.cache.disk_cache_ssl;false // same with ssl connections
browser.cache.memory.enable;false // same with cache in memory
browser.cache.offline.enable;false // same with offline cache
browser.fixup.alternate.enabled;false // disable URL keyword guessing
browser.formfill.enable;false // disables saving of form data
browser.menu.showCharacterEncoding;false // hide encoding
browser.newtab.url;about:newtab // new tabs default to this string
browser.safebrowsing.enabled;false // disable Google Safe Browsing and phishing protection. Security risk, but privacy improvement
browser.safebrowsing. // change variables to another database to avoid google (.enabled to true)
browser.safebrowsing.malware.enabled;false // disables malware checking with Google service on downloaded files. Security risk, but privacy improvement
browser.safebrowsing.malware. // change variable to another database in order to avoid google
browser.search.defaultenginename;"%" // name of default search engine (must be installed; use Startpage SSL, Disconnect or other privacy conscious engine)
browser.search.region;"US" // remove home country and use most generic value available
browser.search.countryCode;"US" // ditto
browser.send_pings;false // stop websites from tracking visitors' clicks
browser.send_pings.require_same_host;true // disable sending pings to 3rd party content hosts
browser.sessionhistory.max_entries;5 // history of each tab (back/forward buttons)
browser.sessionstore.resume_from_crash;false // prevent Firefox resuming a previous session before a crash
browser.shell.shortcutFavicons;false // prevent shortcuts being placed on desktop
browser.startup.homepage;about:newtab // homepage of browser (you could change to startpage.com etc)
browser.startup.page;1 // start up page of browser (1 = blank)
browser.urlbar.clickSelectsAll;true // to select the whole URL with a click on it
browser.urlbar.trimURL;false // don't trim "http://" prefix in location bar - you want all parts of url to show.
browser.zoom.siteSpecific;false // doesn't save zoom settings for specific sites
camera.control.face_detection.enabled;false // disable camera settings
content.notify.backoffcount;5 // limits page reloads while receiving data; speeds up the download time
device.sensors.enabled;false // disable any sensors
device.storage.enabled;false // disable sensor storage
dom.allow_scripts_to_close_windows;false // scripts can't close windows
dom.battery.enabled;false // fingerprinting due to differing OS implementations
dom.disable_image_src_set;false // disables image manipulation by scripts (note this can screw with various web games etc)
dom.disable_open_during_load;true // enables firefox built in popup blocker
dom.disablewindow* // different possibilities of scripts to modify the window
dom.event.clipboardevents.enabled;false // disable that websites can get notifications if you copy, paste, or cut something from a web page, and which part of the page had been selected
dom.event.contextmenu.enabled;false // disables website control over right-click context menu
dom.popup_allowed_events // defines javascript events that are allowed to create popups
dom.storage.enabled;false // can store per-session or domain-specific data as name/value pairs on the client using DOM Storage.
experiments.enabled;false // we don't want any Mozilla 'enhancements' that sacrifice security for convenience
extensions.update.enabled;true // defines if extensions are checked for updates daily or not
geo.enabled;false // disables geolocation API to prevent websites from getting the exact location of the computer
geo.wifi.logging.enabled;false // disables firefox logging geolocation requests
geo.wifi.uri;"" // dataprovider of geolocation feature !(default Google service)!, overwrite it with an empty string
keyword.enabled;false // disable URL auto fix up
media.peerconnection.enabled;false // VPN cannot be bypassed anymore (https://www.reddit.com/r/VPN/comments/2tva1o/websites_can_now_use_webrtc_to_determine_your/)
media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled
media.peerconnection.use_document_iceservers;false // makes sure WebRTC is really disabled
media.peerconnection.video.enabled;false // makes sure WebRTC is really disabled
media.peerconnection.identity.timeout;1 // makes sure WebRTC is really disabled
network.cookie.alwaysAcceptSessionCookies;false // disables acceptance of session cookies
network.cookie.cookieBehavior;1 or 2 // disables cookies (0 = accept all cookies by default, 1 = only accept from the originating site (block third party cookies), 2 = block all cookies by default)
network.cookie.lifetimePolicy;2 // cookies are deleted at the end of the session (0 = Accept cookies normally, 1 = Prompt for each cookie, 2 = Accept for current session only, 3 = Accept for N days)
network.dnsCacheEntries;0 // number of cached DNS entries (lower number = more requests but less data stored)
network.dnsCacheExpiration;0 // time DNS entries are cached in seconds
network.dns.disableIPv6;true // disables IPv6 DNS Lookups (not necessary if your O/S or ISP does not support IPv6)
network.dns.disablePrefetch;true // to disable DNS prefetching
network.dns.disablePrefetchfromHTTPS;true // to disable DNS prefetching
network.http.pipelining;true // speeds up loading of websites; can cause problems with some websites
network.http.pipelining.ssl;true // enables pipelining only for ssl connections; avoids problems occurring with http
network.http.pipelining.maxrequests;32 // number of requests sent at once
network.http.proxy.pipelining;true // if a proxy is used
network.http.sendRefererHeader = 0 // disable referrer headers.
network.http.sendSecureXSiteReferrer = false // disable referrer headers between https websites (note: this may break functionality when navigating between https websites).
network.http.spdy.enabled;false // we don't want protocols running that form persistent connections across sessions
network.http.spdy.enabled.http2;false // ditto
network.http.spdy.enabled.http2draft;false // ditto
network.http.spdy.enabled.v3-1;false // ditto
network.http.use-cache;false // disables caching of http requests
network.prefetch-next;false // disables automatic download of linked sites which are recommended by the website
permissions.default.image 3 // 3 = loading images from original server only (loss of aesthetics on many websites though, choose your poison), 1 = load all images
places.history.enabled;false // disables recording of visited websites
plugin.sessionPermissionNow.intervalInMinutes;15 (default 60) // you don't want to give the plug-in permissions to a domain for long periods
plugin.persistentPermissionAlways.intervalInDays;1 (default 90) // "allow and remember" for plug-ins on a domain shouldn't be ridiculously long
plugins.click_to_play;true // click-to-play for plugins
plugins.notifyMissingFlash;false // block Flash notifications from appearing in the browser
privacy.trackingprotection.enabled = true // this is Mozilla's new built in tracking protection.
security.ssl3.dhe_rsa_aes_128_sha;false // cipher is susceptible to the logjam attack and will be disabled/fixed in FF39
security.ssl3.dhe_rsa_aes_256_sha;false // as above
security.tls.version // defines minimum and maximum of allowed SSL/TLS versions (0:SSL3.0; 1:TLS1.0; 2:TLS1.1; 3:TLS1.2)
security.dialog_enable_delay;0 (or to another value in milliseconds) // changes the delay time for the installation dialog of a new addon
toolkit.telemetry.enabled;false // don't send performance profile data to outward bound destination
webgl.disabled;true // WebGL involves running code directly on the video card, and exposing APIs that provide direct access to video card APIs. The browser does attempt to sandbox this code (to a certain extent), and browsers do enforce a number of security restrictions designed to prevent malicious behavior

ADDITIONAL KEY ADD-ON AGAINST DIGITAL FINGERPRINTING

The Firefox addon Random Agent Spoofer takes care of a lot of these privacy issues under their (Extras) setting, as well as doing more. https://github.com/dillbyrne/random-agent-spoofer/ Double-click the XML file to install the latest version with even more options. Here's the RAS (Extras) list:

- Option to limit local dom storage
- Option to disable browser cache
- Option to limit fonts to a standard set (monospace, serif, times new roman)
- Option to limit tab history to two
- Option to disable geolocation support
- Option to disable dns prefetching
- Option to disable link prefetching
- Option to disable webGL
- Option to disable webRTC
- Option to disable canvas element support
- Option to set referer header
- Option to set do not track header
- Options to send spoofed headers including via, x-forwarded-for and if-none-match.
- Options to spoof the accept headers: documents, encoding and language (US English) so they match the spoofed profile.
- Option to override timezone offset to a random timezone, send nothing, specify one from a list or use the default one.
- Option to spoof screen and window sizes to a specific size or set at random

Note: It is advisable to spoof headers, but remove uncommon desktop browsers and mobile browser types from the spoofing list, given Panopticlick will otherwise give you a very close to unique signature. Check your score at Panopticlick, with and without javascript running, to see the danger of javascript and how much more identifiable you can be. To be really sure, also check using the tools at Browserleaks, and be sure to block the new threats e.g. canvas image data extraction, supercookies e.g. LSOs, E-tags and so forth. Also run checks at the free JonDoNym website and IPleaks. Check you are also not leaking IPv6 anywhere with online checks. Note also that the Eddie client won't prevent IPv6 leaks in Linux, if I understood the guys correctly. So, it must be turned off at the operating system level, and specific checks run.

KEY FIREFOX EXTENSIONS

Also strongly consider as default extensions:
- uBlock (replacing need for Adblock Plus and other derivatives when auto-filter and every category is selected and updated)
- HTTPS Everywhere
- Privacy Badger (EFF) - block invisible trackers, also uses algorithms in preference to blacklist/whitelist approach
- NoScript (block scripts globally; temporarily allow only trusted websites. Also disable i-frame; font@face etc for paranoid users)

Other notables:
- Better Privacy
- Request Policy
- Blur
- Disconnect
- CanvasBlocker
- Calomel
- DNSSEC/TLSA Validator (which reminds me, Airvpn.org could implement this for their website i.e. compliance). I also note that airvpn.org is not susceptible to the logjam attack... ;-)
- Click&Clean
- Self-destructing cookies

OTHER CONSIDERATIONS

Run Firefox in private browsing mode also. Try to limit the use of Flash (use HTML5 where possible; uninstall Flash if paranoid) and other assorted plug-ins. Use native players where possible. Disable themes and go with the Firefox default (remove an additional fingerprinting mechanism). Under preferences in Firefox, you may also want to remove the options for blocking reported web forgeries and attack sites, as these OCSP checks require cross-reference with Google servers. Not good.

Run a linux distro in preference to back-doored, proprietary crap e.g. Mac OS/X and "Windows" (into your home; your life). Encrypt your drives, swap partitions, home folders and key data. Use open-source everywhere and every time. Valuable personal/financial information would be stored with strong encryption on an air-gapped drive. Run Apparmor or SELinux, alongside bleachbit and other key tools e.g. Snort, Aide, rootkit hunters. Consider further hardening with recompiled kernels or firejail (kernel restrictions on running programs).

One-hop VPNs are trivial for passive adversaries with global reach (most governments these days) to do end to end correlation given their computing power. Don't be fooled into thinking this is adequate if you are wanting to be truly anonymous. The paranoid user will also chain VPNs via virtual environments to distribute risk of VPN honeypots. They would also run a JonDoNym mixer in there, use Tor with an obfuscated bridge, and probably run their connection via a host Qubes system (using Xen isolation), with Whonix running in VirtualBox. A clean image would be used for each internet connection (what meta-data/browsing history?). And these extreme measures only MAY provide reasonable defence against aggressive passive surveillance, not active surveillance I'm afraid i.e. you're screwed.

Know that all standard email is backdoored, leaks a ton of meta-data, and using PGP email will make you instantly interesting to the Stasi, due to low statistical use of it. Also, friends/family aren't going to use experimental software. Therefore, get them to install opensource VOIP and chat software instead that goes across all platforms. Jitsi is perfect for this - military grade encryption (ZRTP) for VOIP + OTR for chat. Start shifting electronic contact to this medium instead of emails, given we live in a global police state (just remain logged in, ready to chat with friends who have been verified with secret Q&A and verification of their digital fingerprint).

Separate your browsing modes e.g. 'normal' Youtube, reading, and so on versus your 'private sessions' using Tor i.e. don't mix the two sources. Behavioural correlation is a dead give-away otherwise. Don't use any identifiable information, logins or comments when using Tor. Never keep a same handle across sessions. Change circuits regularly and re-set clickjack protection with NoScript settings (we can live with false positives). If you must go to HTTP sites, use Startpage's proxy service to retrieve the data for you, or to avoid Cloudflare notices or CAPTCHAS. This will also prevent Tor-unfriendly websites from blocking your access to content. New tracking techniques are constantly evolving, so one must be diligent e.g. E-Tags, tracking via screen size & resolution, date/time stamps, TCP/IP stack fingerprinting and so forth.

While none of the above changes to Firefox will come even close to using Tor Browser (digital signature-wise; 2 million+ users with similar fingerprint), it's a lot better than a standard install of Firefox for privacy and security. HOWEVER, if you leave an extremely small digital fingerprint, this also makes you stand out from the sheeple, because they aren't blocking much except cookies and some ads/trackers. Thus, to the govt, you will appear sometimes more obvious e.g. "There's that guy with an exceptionally small entropy on his digital signature again". Running a Christmas tree of extensions & plug-ins also makes you stand out from the crowd. So choose your poison. Be a corporate bitch or stand out to the spooks. I'll take the latter.

FINAL NOTE

This list is not exhaustive. Privacy 'extremists' would spend time looking at settings for privacy, auto data-reporting, gfx font rendering, other network and plug in settings, security, toolkits and whitelists. However, they would need to be aware that screwing with everything can make your browser both unstable, and not very useable. Back your data up first, and if it all goes bad, re-set the browser to default settings and start again (just be more careful). Firefox is also limiting the ability of users to check/change some key settings over time e.g. DRM, Websockets and other session-persistent tools, some experimental features and so on.

If you really need privacy, use Tor, with default settings, no additional add-ons, run security slider in highest position, use HTTPS everywhere, use latest version to protect against keyword typing tracking and advanced forms. Use bridges if you have a hostile IP. Run an additional SSL/SSH tunnel with the VPN to protect against deep-packet inspection if you must. However, always know that end to end correlation can identify a host of users, particularly via malicious nodes in the Tor Network; the so-called Sybil attacks. Further, how disguised you are depends on how much Tor traffic is flowing over AirVPN servers, which we have no statistics on. You must remember if you run VPN -> Tor, then the AirVPN servers provide a limited subset of entries into the Tor system. If you are the only one running Tor off some obscure server, and they are watching you end to end because they think you are a bad-ass, then you can be identified. Latest studies were identifying a large % of users in this fashion. Unfortunately, this requires the improved circuiting system planned for Tor, which specifically guards against end-end correlation, and greater Tor traffic in general, along with a big boost in VPN customers to 'hide in the crowd'.

Keep up the good work guys! The paranoid types hope and trust that you aren't simply an NSA honeypot, although you are doing a wonderful job if you are ;-)
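The post above hands out a long list of about:config values to set by hand, and the only way to know whether a profile still matches them after an update or a stray click is to check. The script below is an added example, not the poster's code and not anything from Mozilla: it parses the `user_pref("name", value);` lines that Firefox writes to a profile's prefs.js (and reads from user.js), audits them against a small hardening baseline taken from the settings listed in the post (WebRTC, geolocation, prefetching, pings, referrer, cookies, telemetry, WebGL), reports every pref that is missing or set to the wrong value, and can emit a user.js that re-applies the baseline on every start. The baseline is a subset chosen for illustration, and the sample prefs.js content is constructed, not taken from a real profile.

```python
"""Audit a Firefox prefs.js / user.js against a privacy hardening baseline.

Added example (not the forum poster's or Mozilla's code). BASELINE is a
subset of the about:config settings recommended in the post above;
SAMPLE_PREFS_JS is a constructed profile fragment used for demonstration.
"""
import re

# Subset of the post's recommended settings: pref name -> expected value.
BASELINE = {
    "media.peerconnection.enabled": False,   # WebRTC: stops the VPN IP leak
    "geo.enabled": False,                    # geolocation API off
    "network.dns.disablePrefetch": True,     # no DNS prefetching
    "network.prefetch-next": False,          # no link prefetching
    "browser.send_pings": False,             # no hyperlink auditing pings
    "network.http.sendRefererHeader": 0,     # no Referer header
    "network.cookie.cookieBehavior": 1,      # block third-party cookies
    "toolkit.telemetry.enabled": False,      # no telemetry
    "webgl.disabled": True,                  # WebGL off (fingerprinting, GPU exposure)
    "geo.wifi.uri": "",                      # no geolocation data provider
}

# Matches: user_pref("name", value);   value is a JS literal (bool, int, "string")
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')


def parse_value(raw):
    """Turn the JS literal on the right of a user_pref() call into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    raise ValueError(f"unrecognised pref value: {raw!r}")


def parse_prefs(text):
    """Parse prefs.js / user.js text into {pref name: value}; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs, baseline=BASELINE):
    """Return {pref: (expected, actual)} for every baseline entry not satisfied.

    actual is None when the pref is absent, i.e. still at Firefox's default.
    Types are compared too, because in Python True == 1 would otherwise let a
    boolean pass for an integer-valued pref.
    """
    findings = {}
    for name, expected in baseline.items():
        actual = prefs.get(name)
        if actual is None or type(actual) is not type(expected) or actual != expected:
            findings[name] = (expected, actual)
    return findings


def to_js_literal(value):
    """Render a Python value as the JS literal Firefox expects in user.js."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_user_js(baseline=BASELINE):
    """Emit user.js lines that re-apply the baseline every time Firefox starts."""
    return "".join(f'user_pref("{n}", {to_js_literal(v)});\n' for n, v in baseline.items())


# Constructed sample of a prefs.js fragment (not from a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.send_pings", false);
user_pref("geo.enabled", true);
user_pref("media.peerconnection.enabled", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.http.sendRefererHeader", 2);
user_pref("toolkit.telemetry.enabled", false);
user_pref("webgl.disabled", true);
user_pref("geo.wifi.uri", "https://location.example.invalid/?key=\\"x\\"");
"""

if __name__ == "__main__":
    findings = audit(parse_prefs(SAMPLE_PREFS_JS))
    for name, (expected, actual) in sorted(findings.items()):
        state = "missing (default)" if actual is None else f"is {actual!r}"
        print(f"{name}: {state}, want {expected!r}")
    print("\n# user.js to enforce the baseline:\n" + render_user_js())
```

Point `parse_prefs` at the prefs.js of a closed profile to see what drifted; dropping the output of `render_user_js` into a user.js in the same profile directory makes Firefox reassert those values at startup, which is the usual way to keep a hand-tuned about:config from silently reverting.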