mirror of
https://github.com/Lissy93/personal-security-checklist.git
synced 2024-12-26 07:49:25 -05:00
Merge pull request #133 from Lissy93/smashing-through-issues
Implementing User Suggestions... Closes #34 Closes #35 Closes #36 Closes #66 Closes #76 Closes #81 Closes #86 Closes #108 Closes #125 Closes #126 Closes #127 Closes #129 Closes #131 Closes #132 ....and sleep 😴
This commit is contained in:
commit
f0e211aea8
@ -1,4 +1,4 @@
# Digital Privacy and Security- Why is Matters
# Digital Privacy and Securit - Why is Matters
**TLDR;** Privacy is a fundamental right, and essential to democracy, liberty, and freedom of speech. Our privacy is being abused by governments (with mass-surveillance), corporations (profiting from selling personal data), and cyber criminals (stealing our poorly-secured personal data and using it against us). Security is needed in order to keep your private data private, and good digital security is critical to stay protected from the growing risks associated with the war on data.
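Review bot: the edit to the title line drops the final letter of the word before the hyphen: `# Digital Privacy and Security- Why is Matters` becomes `# Digital Privacy and Securit - Why is Matters`. Whatever search-and-replace converted `word- ` into `word - ` appears to have consumed the character preceding the hyphen, so the intended line is `# Digital Privacy and Security - Why it Matters` (the pre-existing `is Matters` typo could be corrected in the same pass).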
@ -21,7 +21,7 @@ Data that has been collected is typically stored in databases on a server. These
Data is collected, stored and used by governments, law enforcement, corporations and sometimes criminals:
### Government Mass Surveillance
Intelligence and law enforcement agencies need surveillance powers to tackle serious crime and terrorism. However, since the Snowden revelations, we now know that this surveillance is not targeted at those suspected of wrongdoing- but instead the entire population. All our digital interactions are being logged and tracked by our very own governments.
Intelligence and law enforcement agencies need surveillance powers to tackle serious crime and terrorism. However, since the Snowden revelations, we now know that this surveillance is not targeted at those suspected of wrongdoin - but instead the entire population. All our digital interactions are being logged and tracked by our very own governments.
Mass surveillance is a means of control and suppression, it takes away our inerrant freedoms and breeds conformity. When we know we are being watched, we subconsciously change our behavior. A society of surveillance is just one step away from a society of submission.
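Review bot: the Government Mass Surveillance paragraph is truncated by the same replacement: `suspected of wrongdoing- but` becomes `suspected of wrongdoin - but`, where `wrongdoing - but` was intended. In the unchanged context line that follows, `inerrant freedoms` reads as a typo for `inherent freedoms` and is worth fixing while this region is being touched.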
@ -48,7 +48,7 @@ Privacy is a fundamental right, and you shouldn't need to prove the necessity of
Knowledge is power; Knowledge about you is power over you. Your information will be used to anticipate your actions and manipulate the way you shop, vote, and think. When you know you are being watched, you subconsciously change your behavior. Mass surveillance is an effective means of fostering compliance with social norms or with social orthodoxy. Without privacy, you might be afraid of being judged by others, even if you're not doing anything wrong. It can be a heavy burden constantly having to wonder how everything we do will be perceived by others.
#### Data Can Be Used Against You
Your personal information and private communications can be "cherry-picked" to paint a certain one-sided picture. It can make you look like a bad person, or criminal, even if you are not. Data often results in people not being judged fairly- standards differ between cultures, organisations, and generations. Since data records are permanent, behavior that is deemed acceptable today, may be held against you tomorrow. Further to this, even things we don't think are worth hiding today, may later be used against us in unexpected ways.
Your personal information and private communications can be "cherry-picked" to paint a certain one-sided picture. It can make you look like a bad person, or criminal, even if you are not. Data often results in people not being judged fairl - standards differ between cultures, organisations, and generations. Since data records are permanent, behavior that is deemed acceptable today, may be held against you tomorrow. Further to this, even things we don't think are worth hiding today, may later be used against us in unexpected ways.
#### Data Collection Has No Respect For Boundaries
Data collection has no respect for social boundaries, you may wish to prevent some people (such as employers, family or former partners) from knowing certain things about you. Once you share personal data, even with a party you trust, it is then out of your control forever, and at risk of being hacked, leaked or sold. An attack on our privacy, also hurts the privacy of those we communicate with.
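Review bot: in the "Data Can Be Used Against You" paragraph, `not being judged fairly- standards differ` has become `not being judged fairl - standards differ`; the corrected line should read `judged fairly - standards differ`, with the `y` restored.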
@ -66,7 +66,7 @@ It's important to protect your email account, as if a hacker gains access to it
### Networking
- Use a reputable VPN to keep your IP protected and reduce the amount of browsing data your ISP can log, but understand their [limitations](5_Privacy_Respecting_Software.md#word-of-warning-4). Good options include [ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net), see [thatoneprivacysite.net](https://thatoneprivacysite.net/) for detailed comparisons
- Change your routers default password. Anyone connected to your WiFi is able to listen to network traffic, so in order to prevent people you don't know from connecting, use WPA2 and set a strong password.
- Use a [secure DNS](/5_Privacy_Respecting_Software.md#dns) provider, (such as [Cloudflare's 1.1.1.1](https://1.1.1.1/dns/) to reduce tracking. Ideally configure this on your router, but if that's not possible, then it can be done on each device.
- Use a [secure DNS](/5_Privacy_Respecting_Software.md#dns) provider, (such as [Cloudflare's 1.1.1.1](https://1.1.1.1/dns/)) to reduce tracking. Ideally configure this on your router, but if that's not possible, then it can be done on each device.
**📜 See More**: [The Complete Personal Security Checklist](https://github.com/Lissy93/personal-security-checklist/blob/master/README.md)
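Review bot: the secure DNS bullet change is correct; it only closes the parenthesis after `[Cloudflare's 1.1.1.1](https://1.1.1.1/dns/)` that the old line left open. A small style point in the unchanged context line above it: `Change your routers default password` should be `Change your router's default password`.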
@ -140,7 +140,7 @@ There are also some gadgets that can help improve your physical and digital secu
- **Paranoid Gadgets!** [Orwl]- Self-destroying PC | [Hunter-Cat]- Card-skim detector | [Adversarial Fashion]- Anti-facial-recognition clothing | [DSTIKE Deauth Detector] - Detect deauth attacks, from [Spacehuhn] | [Reflectacles]- Anti-surveillance glasses | [Armourcard]- Active RFID jamming | [Bug-Detector]- Check for RF-enabled eavesdropping equipment | [Ultrasonic Microphone Jammer] - Emits signals that's silent to humans, but interfere with recording equipment.
There's no need to spend money- Most of these products can be made at home with open source software. Here's a list of [DIY Security Gadgets](/6_Privacy_and-Security_Gadgets.md#diy-security-products).
There's no need to spend mone - Most of these products can be made at home with open source software. Here's a list of [DIY Security Gadgets](/6_Privacy_and-Security_Gadgets.md#diy-security-products).
📜 **See More**: [Privacy and Security Gadgets](/6_Privacy_and-Security_Gadgets.md)
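Review bot: the gadgets paragraph loses a letter in the replaced line: `There's no need to spend money- Most` becomes `There's no need to spend mone - Most`; it should be `spend money - Most`.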
@ -128,7 +128,7 @@
- How to Track a Cellphone Without GPS—or Consent: via [Gizmodo](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371)
- Apps able to track device location, through power manager: via [Wired](https://www.wired.com/2015/02/powerspy-phone-tracking/)
- Hackers and governments can see you through your phone’s camera: via [Business Insider](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)
- Law Enforcement Geo-Fence Data Requests- How an Innocent cyclist became a suspect when cops accessed his Google location data: via [Daily Mail](https://www.dailymail.co.uk/news/article-8086095/Police-issue-warrant-innocent-mans-Google-information.html)
- Law Enforcement Geo-Fence Data Request - How an Innocent cyclist became a suspect when cops accessed his Google location data: via [Daily Mail](https://www.dailymail.co.uk/news/article-8086095/Police-issue-warrant-innocent-mans-Google-information.html)
- IBM Used NYPD Surveillance Footage to Develop Technology That Lets Police Search by Skin Color: via [TheIntercept](https://theintercept.com/2018/09/06/nypd-surveillance-camera-skin-tone-search/)
- **Threats**
- 23 reasons not to reveal your DNA: via [Internet Health Report](https://internethealthreport.org/2019/23-reasons-not-to-reveal-your-dna)
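Review bot: the Daily Mail bullet changes `Law Enforcement Geo-Fence Data Requests- How` to `Law Enforcement Geo-Fence Data Request - How`, silently turning the plural into a singular. The intended text is `Data Requests - How`.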
@ -141,7 +141,7 @@
- Big data privacy risks: via [CSO Online](https://www.csoonline.com/article/2855641/the-5-worst-big-data-privacy-risks-and-how-to-guard-against-them.html)
- Anti-Doxing Guide (For Activists Facing Attacks): via [Equality Labs](https://medium.com/@EqualityLabs/anti-doxing-guide-for-activists-facing-attacks-from-the-alt-right-ec6c290f543c)
- **Breaches**
- Wired guide to data breaches- past, present and future: via [Wired](https://www.wired.com/story/wired-guide-to-data-breaches/)
- Wired guide to data breache - past, present and future: via [Wired](https://www.wired.com/story/wired-guide-to-data-breaches/)
- Grindr and OkCupid Spread Personal Details Study Says: via [NY Times](https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html)
- The Asia-Pacific Cyber Espionage Campaign that Went Undetected for 5 Years: via [TheHackerNews](https://thehackernews.com/2020/05/asia-pacific-cyber-espionage.html)
- ClearView AI Data Breach - 3 Billion Faces: via [Forbes](https://www.forbes.com/sites/kateoflahertyuk/2020/02/26/clearview-ai-the-company-whose-database-has-amassed-3-billion-photos-hacked/)
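Review bot: the Wired bullet now reads `Wired guide to data breache - past, present and future`; the `s` from `breaches` has been dropped and the line should be `Wired guide to data breaches - past, present and future`.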
@ -177,7 +177,7 @@
- [The Hacker News](https://thehackernews.com/) - News and info covering Data Breaches, Cyber Attacks, Vulnerabilities, Malware. [RSS](https://feeds.feedburner.com/TheHackersNews)
- [Sophos: Naked Security](https://nakedsecurity.sophos.com/) - Security news and updates, presented in an easy-to-digest format. [RSS](https://nakedsecurity.sophos.com/feed/)
- [IT Security Guru](https://www.itsecurityguru.org/) - Combines top cyber security news from multiple sites, easier to stay up-to-date
- [FOSS Bytes- Cyber Security](https://fossbytes.com/category/security) - News about the latest exploits and hacks
- [FOSS Byte - Cyber Security](https://fossbytes.com/category/security) - News about the latest exploits and hacks
- **Cyber Security Infomation**
- [Heimdal](https://heimdalsecurity.com/blog) - Personal Cyber Security Tutorials and Articles
- [Tech Crunch](https://techcrunch.com/tag/cybersecurity-101) - Cyber Security 101
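Review bot: this change corrupts a site name: `[FOSS Bytes- Cyber Security]` becomes `[FOSS Byte - Cyber Security]`, but the publication linked at fossbytes.com is called FOSS Bytes, so the link text should be `[FOSS Bytes - Cyber Security]`. The unchanged heading `**Cyber Security Infomation**` in the same hunk also has a typo (`Information`).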
@ -420,7 +420,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [OpenPhish](https://openphish.com) - A feed of current phishing endpoints
- [HashToolkit](http://hashtoolkit.com) - Database of 'cracked' hashes
- [SecLists](https://github.com/danielmiessler/SecLists) - Starter list of leaked databases, passwords, usernames etc (Great for programming)
- [Qualys SSL Pulse](https://www.ssllabs.com/ssl-pulse) - A continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa’s list of the most popular sites in the world
- [Qualys SSL Pulse](https://www.ssllabs.com/ssl-pulse) - A continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SS - and TLS-enabled websites, based on Alexa’s list of the most popular sites in the world
- [Tor Bulk Exit List](https://check.torproject.org/torbulkexitlist) - List of all exit nodes (IP) in use on the Tor network
- **Fun with Live Data** 🌠
- **Internet**
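Review bot: the Qualys SSL Pulse change should be reverted rather than re-spaced. The old text `150,000 SSL- and TLS-enabled websites` is a correct suspended hyphen (SSL-enabled and TLS-enabled), not a `word- ` dash, and the new `150,000 SS - and TLS-enabled websites` both mangles the acronym and breaks the construction.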
@ -497,7 +497,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- Location Tracking using Mobile Device Power Analysis: [scribd.com](https://www.scribd.com/doc/256304846/PowerSpy-Location-Tracking-using-Mobile-Device-Power-Analysis)
- HORNET, High-speed Onion Routing at the Network Layer: via [arxiv.org](https://arxiv.org/pdf/1507.05724v1.pdf)
- Decoy Routing: Toward Unblockable Internet Communication: via [usenix.org](https://www.usenix.org/legacy/events/foci11/tech/final_files/Karlin.pdf)
- Trackers Vs Firefox, Comparing different blocking utilities: via [GitHub- @jawz101](https://github.com/jawz101/TrackersVsFirefox)
- Trackers Vs Firefox, Comparing different blocking utilities: via [GitHu - @jawz101](https://github.com/jawz101/TrackersVsFirefox)
- 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy: via [ssrn.com](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
- **Write-Ups**
- Privacy - An Encyclopedic Definition and Background [stanford.edu](https://plato.stanford.edu/entries/privacy/)
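Review bot: the Trackers Vs Firefox bullet now links with the text `[GitHu - @jawz101]`; the `b` of `GitHub` has been lost, and the link text should be `[GitHub - @jawz101]`.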
@ -148,7 +148,7 @@ If you are using a deprecated PM, you should migrate to something actively maint
[WinAuth](https://winauth.github.io/winauth) *(Windows)*, [mattrubin - authenticator](https://mattrubin.me/authenticator) *(iOS)*, [Authenticator by World](https://gitlab.gnome.org/World/Authenticator) *(GNOME, Linux)*, [OTPClient](https://github.com/paolostivanin/OTPClient) *(Linux)*, [gauth](https://github.com/gbraad/gauth) *(Self-Hosted, Web-based)*
For KeePass users, [TrayTop](https://keepass.info/plugins.html#traytotp) is a plugin for managing TOTP's- offline and compatible with Windows, Mac and Linux.
For KeePass users, [TrayTop](https://keepass.info/plugins.html#traytotp) is a plugin for managing TOTP' - offline and compatible with Windows, Mac and Linux.
[Authy](https://authy.com/) (propriety) is a popular option among new users, due to it's ease of use and device sync capabilities. Cloud sync may be useful, but will also increase attack surface. Authy is not open source, and therefore can not recommended
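Review bot: the KeePass line changes `a plugin for managing TOTP's- offline` to `a plugin for managing TOTP' - offline`, leaving a stray apostrophe; `managing TOTPs - offline` is the clean form. The unchanged Authy context line in this hunk has three further wording issues worth fixing in the same commit: `propriety` should be `proprietary`, `due to it's ease of use` should be `due to its ease of use`, and `can not recommended` should be `cannot be recommended`.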
@ -160,7 +160,7 @@ For KeePass users, [TrayTop](https://keepass.info/plugins.html#traytotp) is a pl
| Provider | Description |
| --- | --- |
**[VeraCrypt](https://www.veracrypt.fr)** | VeraCrypt is open source cross-platform disk encryption software. You can use it to either encrypt a specific file or directory, or an entire disk or partition. VeraCrypt is incredibly feature-rich, with comprehensive encryption options, yet the GUI makes it easy to use. It has a CLI version, and a portable edition. VeraCrypt is the successor of (the now deprecated) TrueCrypt.
**[Cryptomator](https://cryptomator.org)** | Open source client-side encryption for cloud files- Cryptomator is geared towards using alongside cloud-backup solutions, and hence preserves individual file structure, so that they can be uploaded. It too is easy to use, but has fewer technical customizations for how the data is encrypted, compared with VeraCrypt. Cryptomator works on Windows, Linux and Mac- but also has excellent mobile apps.
**[Cryptomator](https://cryptomator.org)** | Open source client-side encryption for cloud file - Cryptomator is geared towards using alongside cloud-backup solutions, and hence preserves individual file structure, so that they can be uploaded. It too is easy to use, but has fewer technical customizations for how the data is encrypted, compared with VeraCrypt. Cryptomator works on Windows, Linux and Ma - but also has excellent mobile apps.
#### Notable Mentions
[AES Crypt](https://www.aescrypt.com/) is a light-weight and easy file encryption utility. It includes applications for Windows, Mac OS, BSD and Linux, all of which can be interacted with either through the GUI, CLI or programatically though an API (available for Java, C, C# and Python). Although it is well estabilished, with an overall positive reputation, there have been some [security issues](https://www.reddit.com/r/privacytoolsIO/comments/b7riov/aes_crypt_security_audit_1_serious_issue_found/) raised recentley.
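Review bot: the Cryptomator row is truncated in two places: `encryption for cloud files- Cryptomator` becomes `encryption for cloud file - Cryptomator`, and `Windows, Linux and Mac- but` becomes `Windows, Linux and Ma - but`. Both need the dropped letter restored (`cloud files - Cryptomator`, `Linux and Mac - but`). The AES Crypt context line also carries `estabilished`, `programatically though` and `recentley`, which read as `established`, `programmatically through` and `recently`.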
@ -186,8 +186,8 @@ Although well-established encryption methods are usually very secure, if the pas
| Provider | Description |
| --- | --- |
**[Librewolf](https://librewolf-community.gitlab.io/)** | Librewolf is an independent “fork” of Firefox, with the primary goals of privacy, security and user freedom. It is the community run successor to LibreFox
**[Brave Browser](https://brave.com/?ref=ali721)** | Brave Browser, currently one of the most popular private browsers- it provides speed, security, and privacy by blocking trackers with a clean, yet fully-featured UI. It also pays you in [BAT tokens](https://basicattentiontoken.org/) for using it. Brave also has Tor built-in, when you open up a private tab/ window.
**[FireFox](https://www.mozilla.org/firefox)** | Significantly more private, and offers some nifty privacy features than Chrome, Internet Explorer and Safari. After installing, there are a couple of small tweaks you will need to make, in order to secure Firefox. You can follow one of these guides by: [Restore Privacy](https://restoreprivacy.com/firefox-privacy/) or [12Bytes](https://12bytes.org/7750)
**[Brave Browser](https://brave.com/?ref=ali721)** | Brave Browser, currently one of the most popular private browser - it provides speed, security, and privacy by blocking trackers with a clean, yet fully-featured UI. It also pays you in [BAT tokens](https://basicattentiontoken.org/) for using it. Brave also has Tor built-in, when you open up a private tab/ window.
**[FireFox](https://www.mozilla.org/firefox)** | Significantly more private, and offers some nifty privacy features than Chrome, Internet Explorer and Safari. After installing, there are a couple of small tweaks you will need to make, in order to secure Firefox. For a though config, see [@arkenfox's user.js](https://github.com/arkenfox/user.js/). You can also follow one of these guides by: [Restore Privacy](https://restoreprivacy.com/firefox-privacy/) or [12Bytes](https://12bytes.org/7750)
**[Tor Browser](https://www.torproject.org/)** | Tor provides an extra layer of anonymity, by encrypting each of your requests, then routing it through several nodes, making it near-impossible for you to be tracked by your ISP/ provider. It does make every-day browsing a little slower, and some sites may not work correctly. As with everything there are [trade-offs](https://github.com/Lissy93/personal-security-checklist/issues/19)
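Review bot: two issues in the browser table hunk. The Brave row's `most popular private browsers- it provides` becomes `most popular private browser - it provides`, dropping the plural `s`, and should read `private browsers - it provides`. The Firefox row's newly added sentence `For a though config, see [@arkenfox's user.js](https://github.com/arkenfox/user.js/)` has a typo: `though` should be `thorough`.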
#### Notable Mentions
@ -195,6 +195,8 @@ Mobile Browsers: [Bromite](https://www.bromite.org/) (Android), [Mull](https://f
Additional Desktop: [Nyxt](https://nyxt.atlas.engineer/), [WaterFox](https://www.waterfox.net), [Epic Privacy Browser](https://www.epicbrowser.com), [PaleMoon](https://www.palemoon.org), [Iridium](https://iridiumbrowser.de/), [Sea Monkey](https://www.seamonkey-project.org/), [Ungoogled-Chromium](https://github.com/Eloston/ungoogled-chromium), [Basilisk Browser](https://www.basilisk-browser.org/) and [IceCat](https://www.gnu.org/software/gnuzilla/)
12Bytes also maintains a list privacy & security [extensions](https://12bytes.org/articles/tech/firefox/firefox-extensions-my-picks/)
#### Word of Warning
New vulnerabilities are being discovered and patched all the time - use a browser that is being actively maintained, in order to receive these security-critical updates.
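Review bot: the added line `12Bytes also maintains a list privacy & security [extensions](...)` is missing a word; it should read `maintains a list of privacy & security [extensions](...)`. The addition itself is fine, as the only other change in this hunk is the surrounding blank line.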
@ -215,27 +217,29 @@ Google frequently modifies and manipulates search, and is in pursuit of eliminat
#### Notable Mentions
[MetaGear](https://metager.org), [YaCy](https://yacy.net). Alternativley, host your own instance of [Searx](https://asciimoo.github.io/searx/)
12Bytes also maintains a list of [privacy-respecting search engines](https://12bytes.org/articles/tech/alternative-search-engines-that-respect-your-privacy/)
**See also** [Browser & Search Security Checklist](/README.md#browser-and-search)
## Encrypted Messaging
Without using a secure app for instant messaging, all your conversations, meta data and more are unprotected. Signal is one of the best options- it's easy, yet also highly secure and privacy-centric.
Without using a secure app for instant messaging, all your conversations, meta data and more are unprotected. Signal is one of the best option - it's easy, yet also highly secure and privacy-centric.
| Provider | Description |
| --- | --- |
**[Signal](https://signal.org/)** | Probably one of the most popular, secure private messaging apps that combines strong encryption (see [Signal Protocol](https://en.wikipedia.org/wiki/Signal_Protocol)) with a simple UI and plenty of features. It's widely used across the world, and easy-to-use, functioning similar to WhatsApp - with instant messaging, read-receipts, support for media attachments and allows for high-quality voice and video calls. It's cross-platform, open-source and totally free. Signal is [recommended](https://twitter.com/Snowden/status/661313394906161152) by Edward Snowden, and is a perfect solution for most users
**[Session](https://getsession.org)** | Session is a fork of Signal, however unlike Signal it does not require a mobile number (or any other personal data) to register, instead each user is identified by a public key. It is also decentralized, with servers being run by the community though [Loki Net](https://loki.network), messages are encrypted and routed through several of these nodes. All communications are E2E encrypted, and there is no meta data.
**[Silence](https://silence.im/)** | If you're restricted to only sending SMS/MMS, then Silence makes it easy to encrypt messages between 2 devices. This is important since traditional text messaging is inherently insecure. It's easy-to-use, reliable and secure- but has fallen in popularity, now that internet-based messaging is often faster and more flexible
**[Silence](https://silence.im/)** | If you're restricted to only sending SMS/MMS, then Silence makes it easy to encrypt messages between 2 devices. This is important since traditional text messaging is inherently insecure. It's easy-to-use, reliable and secur - but has fallen in popularity, now that internet-based messaging is often faster and more flexible
**[KeyBase](keybase.io/inv/6d7deedbc1)** | KeyBase allows encrypted real-time chat, group chats, and public and private file sharing. It also lets you cryptographically sign messages, and prove your ownership to other social identities (Twitter, Reddit, GitHub, etc), and send or receive Stella or BitCoin to other users. It's slightly more complex to use than Signal, but it's features extend much further than just a messaging app. Keybase core is built upon some great cryptography features, and it is an excellant choice for managing public keys, signing messages and for group chats.
**[Off-The-Record](https://otr.cypherpunks.ca/)** | Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging/ [XMPP](https://xmpp.org). It has fallen in popularity in recent years, in favor for simpler, mobile-based messaging apps, but still widely used and secure. It provides: Encryption (so no one else can read your messages), Authentication (assurance that the correspondent is who you think they are), Deniability (After a conversation, it cannot be proved you took part), Perfect Forwards Secrecy (if your keys are compromised, no previous messages can be decrypted). The easiest way to use OTR, is with a [plugin](https://otr.cypherpunks.ca/software.php) for your IM client
**[OpenPGP](https://www.openpgp.org/)** | Provides cryptographic privacy and authentication, PGP is used to encrypt messages sent over existing chat networks (such as email or message boards). Slightly harder to use (than IM apps), slower, but still widely used. Using [GnuPG](https://gnupg.org/download/index.html), encrypts messages following the OpenPGP standard, defined by the IETF, proposed in [RFC 4880](https://tools.ietf.org/html/rfc4880) (originally derived from the PGP software, created by Phil Zimmermann, now owned by [Symantec](https://www.symantec.com/products/encryption)). <br>**Note/ Issues with PGP** PGP is [not easy](https://restoreprivacy.com/let-pgp-die/) to use for beginners, and could lead to human error/ mistakes being made, which would be overall much worse than if an alternate, simpler system was used. Do not use [32-bit key IDs](https://evil32.com/) - they are too short to be secure. There have also been vulnerabilities found in the OpenPGP and S/MIME, defined in [EFAIL](https://efail.de/), so although it still considered secure for general purpose use, it may be better to use an encrypted messaging or email app instead- especially for sensitive communications.
**[OpenPGP](https://www.openpgp.org/)** | Provides cryptographic privacy and authentication, PGP is used to encrypt messages sent over existing chat networks (such as email or message boards). Slightly harder to use (than IM apps), slower, but still widely used. Using [GnuPG](https://gnupg.org/download/index.html), encrypts messages following the OpenPGP standard, defined by the IETF, proposed in [RFC 4880](https://tools.ietf.org/html/rfc4880) (originally derived from the PGP software, created by Phil Zimmermann, now owned by [Symantec](https://www.symantec.com/products/encryption)). <br>**Note/ Issues with PGP** PGP is [not easy](https://restoreprivacy.com/let-pgp-die/) to use for beginners, and could lead to human error/ mistakes being made, which would be overall much worse than if an alternate, simpler system was used. Do not use [32-bit key IDs](https://evil32.com/) - they are too short to be secure. There have also been vulnerabilities found in the OpenPGP and S/MIME, defined in [EFAIL](https://efail.de/), so although it still considered secure for general purpose use, it may be better to use an encrypted messaging or email app instea - especially for sensitive communications.
#### Other Notable Mentions
Other private, encrypted and open source messaging apps include: [Surespot](https://www.surespot.me), [Chat Secure](https://chatsecure.org/) (iOS only) and [Status](https://status.im/). Note that [Tor Messenger](https://blog.torproject.org/category/tags/tor-messenger)s been removed from the list, since development has halted.
#### Word of Warning
Many messaging apps claim to be secure, but if they are not open source, then this cannot be verified- and they **should not be trusted**. This applies to [Telegram](https://telegram.org), [Threema](https://threema.ch), [Cypher](https://www.goldenfrog.com/cyphr), [Wickr](https://wickr.com/), [Silent Phone](https://www.silentcircle.com/products-and-solutions/silent-phone/) and [Viber](https://www.viber.com/), to name a few- these apps should not be used to communicate any sensitive data. [Wire](https://wire.com/) has also been been removed, due to a [recent acquisition](https://blog.privacytools.io/delisting-wire/)
Many messaging apps claim to be secure, but if they are not open source, then this cannot be verifie - and they **should not be trusted**. This applies to [Telegram](https://telegram.org), [Threema](https://threema.ch), [Cypher](https://www.goldenfrog.com/cyphr), [Wickr](https://wickr.com/), [Silent Phone](https://www.silentcircle.com/products-and-solutions/silent-phone/) and [Viber](https://www.viber.com/), to name a fe - these apps should not be used to communicate any sensitive data. [Wire](https://wire.com/) has also been been removed, due to a [recent acquisition](https://blog.privacytools.io/delisting-wire/)
## P2P Messaging
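Review bot: every rewritten line in the Encrypted Messaging hunk has lost the character before the hyphen: `one of the best options- it's easy` becomes `best option - it's easy`, `reliable and secure- but` becomes `reliable and secur - but`, `email app instead- especially` becomes `email app instea - especially`, and the Word of Warning line changes both `cannot be verified- and` to `cannot be verifie - and` and `to name a few- these apps` to `to name a fe - these apps`. Each needs the final letter restored (`options -`, `secure -`, `instead -`, `verified -`, `few -`). Two pre-existing problems sit in the unchanged context: `Alternativley` in the search-engine Notable Mentions should be `Alternatively`, and the KeyBase row links to `keybase.io/inv/6d7deedbc1` without a scheme, so Markdown renders it as a relative path rather than an external URL.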
@ -249,7 +253,7 @@ With [Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer) networks, there
**[Briar](https://briarproject.org)** | Tor-based Android app for P2P encrypted messaging and forums. Where content is stored securely on your device (not in the cloud). It also allows you to connect directly with nearby contacts, without internet access (using Bluetooth or WiFi).
**[Riochet](https://ricochet.im)** | Desktop instant messenger, that uses the Tor network to rendezvous with your contacts without revealing your identity, location/ IP or meta data. There are no servers to monitor, censor, or hack so Ricochet is secure, automatic and easy to use.
**[Jami](https://jami.net)** | P2P encrypted chat network with cross-platform GNU client apps. Jami supports audio and video calls, screen sharing, conference hosting and instant messaging.
**[Tox](https://tox.chat)** + **[qTox](https://qtox.github.io)** client | Open source, encrypted, distributed chat network, with clients for desktop and mobile- see [supported clients](https://tox.chat/clients.html). Clearly documented code and multiple language bindings make it easy for developers to integrate with Tox.
**[Tox](https://tox.chat)** + **[qTox](https://qtox.github.io)** client | Open source, encrypted, distributed chat network, with clients for desktop and mobil - see [supported clients](https://tox.chat/clients.html). Clearly documented code and multiple language bindings make it easy for developers to integrate with Tox.
#### Other Notable Mentions
[Cwtch](https://cwtch.im), [BitMessage](https://github.com/Bitmessage/PyBitmessage), [RetroShare](https://retroshare.cc), [Tor Messenger](https://blog.torproject.org/sunsetting-tor-messenger) *(deprecated)*, [TorChat2](https://github.com/prof7bit/TorChat) *(deprecated)*
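Review bot: the Tox row changes `clients for desktop and mobile- see` to `clients for desktop and mobil - see`; it should be `desktop and mobile - see`. The unchanged Ricochet row in this hunk spells the product name `Riochet` in its bold link text while the description uses `Ricochet`; the link text should match.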
@ -257,7 +261,7 @@ With [Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer) networks, there
## Encrypted Email
Email is not secure- your messages can be easily intercepted and read. Corporations scan the content of your mail, to build up a profile of you, either to show you targeted ads or to sell onto third-parties. Through the [Prism Program](https://en.wikipedia.org/wiki/PRISM_(surveillance_program)), the government also has full access to your emails (if not end-to-end encrypted) - this applies to Gmail, Outlook Mail, Yahoo Mail, GMX, ZoHo, iCloud, AOL and more.
Email is not secur - your messages can be easily intercepted and read. Corporations scan the content of your mail, to build up a profile of you, either to show you targeted ads or to sell onto third-parties. Through the [Prism Program](https://en.wikipedia.org/wiki/PRISM_(surveillance_program)), the government also has full access to your emails (if not end-to-end encrypted) - this applies to Gmail, Outlook Mail, Yahoo Mail, GMX, ZoHo, iCloud, AOL and more.
The below email providers are private, end-to-end encrypted (E2EE) and reasonably secure. This should be used in conjunction with [good email practices](/README.md#emails)
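Review bot: the opening sentence of Encrypted Email now reads `Email is not secur - your messages`; the `e` of `secure` has been dropped and the line should read `Email is not secure - your messages`.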
@ -269,7 +273,7 @@ The below email providers are private, end-to-end encrypted (E2EE) and reasonabl
**[CTemplar](https://ctemplar.com/)** | Iclandic provider specializing in private & secure mail, with total 4096 bit RSA encryption, fully anonymous sign up, and full legal protection, anonymous crypto payment option
**[MailBox.org](https://mailbox.org/)** | A Berlin-based, eco-friendly secure mail provider. There is no free plan, the standard service costs €12/year. You can use your own domain, with the option of a [catch-all alias](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). They provide good account security and email encryption, with OpenPGP, as well as encrypted storage. There is no dedicated app, but it works well with any standard mail client with SSL. There's also currently no anonymous payment option
|
||||
|
||||
See [OpenTechFund- Secure Email](https://github.com/OpenTechFund/secure-email) for more details.
|
||||
See [OpenTechFun - Secure Email](https://github.com/OpenTechFund/secure-email) for more details.
|
||||
|
||||
**See also** [Email Security Checklist](/README.md#emails)
|
||||
|
||||
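Review bot: the `+` line corrupts a proper noun: `[OpenTechFund- Secure Email]` becomes `[OpenTechFun - Secure Email]`, losing the `d` of OpenTechFund while the URL on the same line still reads `OpenTechFund`. Should be `[OpenTechFund - Secure Email]`. Unrelated to this change but visible in the context lines: `Iclandic` on the CTemplar line should be `Icelandic`.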
@ -277,7 +281,7 @@ See [OpenTechFund- Secure Email](https://github.com/OpenTechFund/secure-email) f
|
||||
[HushMail](https://www.hushmail.com/tapfiliate/?tap_a=44784-d2adc0&tap_s=724845-260ce4&program=hushmail-for-small-business), [Soverin](https://soverin.net), [StartMail](https://www.startmail.com), [Posteo](https://posteo.de), [Lavabit](https://lavabit.com). For activists and journalists, see [Disroot](https://disroot.org/en), [Autistici](https://www.autistici.org) and [RiseUp](https://riseup.net/en)
|
||||
|
||||
**Beta Mail Providers**
|
||||
- **[CriptText](https://www.criptext.com/)** - CriptText is another option- it's encrypted, free and open source, but works a little differently from convectional mail. There is no cloud storage, and all email is instead stored on your devices. This greatly improves security- however you must be signed into the app (either on desktop or mobile) in order to receive mail. If you are not signed in, then mail sent to you will be permanently lost. For mobile users, your device can be offline or in airplane mode for up to 30 days before mail becomes discarded. The client apps are very good, email is synced seamless between devices, and you can enable automated and encrypted backups. Since your email is stored on your device, they are able to work offline- due to this, there is no web client. Encryption is done with the [Signal protocol](https://en.wikipedia.org/wiki/Signal_Protocol) (rather than PGP), and there are a bunch of really neat features that you can use while communicating to other Criptext users.
|
||||
- **[CriptText](https://www.criptext.com/)** - CriptText is another optio - it's encrypted, free and open source, but works a little differently from convectional mail. There is no cloud storage, and all email is instead stored on your devices. This greatly improves securit - however you must be signed into the app (either on desktop or mobile) in order to receive mail. If you are not signed in, then mail sent to you will be permanently lost. For mobile users, your device can be offline or in airplane mode for up to 30 days before mail becomes discarded. The client apps are very good, email is synced seamless between devices, and you can enable automated and encrypted backups. Since your email is stored on your device, they are able to work offlin - due to this, there is no web client. Encryption is done with the [Signal protocol](https://en.wikipedia.org/wiki/Signal_Protocol) (rather than PGP), and there are a bunch of really neat features that you can use while communicating to other Criptext users.
|
||||
Criptext is still in beta, but with an extremely smooth user experience, and no noticeable usability bugs.
|
||||
|
||||
### Word of Warning
|
||||
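Review bot: three words lose their final letter on the replaced CriptText line: `another optio - it's`, `improves securit - however` and `work offlin - due`. They should be `option -`, `security -` and `offline -`. Since the line is being edited anyway, `convectional mail` (should be `conventional`) and `synced seamless` (`seamlessly`) could be fixed in the same pass.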
@ -298,7 +302,7 @@ Email clients are the programs used to interact with the mail server. For hosted
|
||||
**[RainLoop](http://www.rainloop.net)** (Web) | Simple, modern, fast web-based mail client
|
||||
**[RoundCube](https://roundcube.net)** (Web) | Browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking
|
||||
**[FairMail](https://email.faircode.eu/)** (Andoird) | Open source, fully-featured and easy mail client for Android. Supports unlimited accounts and email addresses with the option for a unified inbox. Clean user interface, with a dark mode option, it is also very lightweight and consumes minimal data usage
|
||||
**[K-9 Mail](https://k9mail.app/)** (Android) | K-9 is open source, very well supported and trusted- k9 has been around for nearly as long as Android itself! It supports multiple accounts, search, IMAP push email, multi-folder sync, flagging, filing, signatures, BCC-self, PGP/MIME & more. Install OpenKeychain along side it, in order to encrypt/ decrypt emails using OpenPGP
|
||||
**[K-9 Mail](https://k9mail.app/)** (Android) | K-9 is open source, very well supported and truste - k9 has been around for nearly as long as Android itself! It supports multiple accounts, search, IMAP push email, multi-folder sync, flagging, filing, signatures, BCC-self, PGP/MIME & more. Install OpenKeychain along side it, in order to encrypt/ decrypt emails using OpenPGP
|
||||
**[p≡p](https://www.pep.security/)** (Android/ iOS) | The Pretty Easy Privacy (p≡p) client is a fully decentralized and end-to-end encrypted mail client, for "automatic privacy". It has some nice features, however it is not open source
|
||||
|
||||
#### Word of Warning
|
||||
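Review bot: `very well supported and trusted- k9` becomes `truste - k9` on the K-9 Mail line, so the `d` of `trusted` is lost; should be `trusted - k9`. In the context lines above, `FairMail ... (Andoird)` should be `(Android)`.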
@ -356,7 +360,7 @@ Typical features of team collaboration software includes: instant messaging, clo
|
||||
**[Rocket.Chat](https://github.com/RocketChat/Rocket.Chat)** | Easy-to-deploy, self-hosted team collaboration platform with stable, feature-rich cross-platform client apps. The UI is fast, good looking and intuitive, so very little technical experience is needed for users of the platform. Rocket.Chat's feature set is similar to Slack's, making it a good replacement for any team looking to have greater control over their data
|
||||
**[RetroShare](https://retroshare.cc/)** | Secure group communications, with the option to be used over Tor or I2P. Fast intuitive group and 1-to-1 chats with text and rich media using decentralized chat rooms, with a mail feature for delivering messages to offline contacts. A channels feature makes it possible for members of different teams to stay up-to-date with each other, and to share files. Also includes built-in forums, link aggregations, file sharing and voice and video calling. RetroShare is a bit more complex to use than some alternatives, and the UI is quite *retro*, so may not be appropriate for a non-technical team
|
||||
**[Element](https://element.io/)** | Privacy-focused messenger using the Matrix protocol. The Element client allows for group chat rooms, media sharing voice and video group calls.
|
||||
**Internet Relay Chat** | An IRC-based solution is another option, being decentralized there is no point of failure, and it's easy to self-host. However it's important to keep security in mind while configuring your IRC instance and ensure that channels are properly encrypted- IRC tends to be better for open communications. There's a [variety of clients](https://en.wikipedia.org/wiki/Comparison_of_Internet_Relay_Chat_clients) to choose from- popular options include: [The Longe](https://thelounge.chat/) (Web-based), [HexChat](https://hexchat.github.io/) (Linux), [Pidgin](https://pidgin.im/help/protocols/irc/) (Linux), [WeeChat](https://weechat.org/) (Linux, terminal-based), [IceChat](https://www.icechat.net/) (Windows), [XChat Aqua](https://xchataqua.github.io/) (MacOS), [Palaver](https://palaverapp.com/) (iOS) and [Revolution](https://github.com/MCMrARM/revolution-irc) (Android)
|
||||
**Internet Relay Chat** | An IRC-based solution is another option, being decentralized there is no point of failure, and it's easy to self-host. However it's important to keep security in mind while configuring your IRC instance and ensure that channels are properly encrypte - IRC tends to be better for open communications. There's a [variety of clients](https://en.wikipedia.org/wiki/Comparison_of_Internet_Relay_Chat_clients) to choose fro - popular options include: [The Longe](https://thelounge.chat/) (Web-based), [HexChat](https://hexchat.github.io/) (Linux), [Pidgin](https://pidgin.im/help/protocols/irc/) (Linux), [WeeChat](https://weechat.org/) (Linux, terminal-based), [IceChat](https://www.icechat.net/) (Windows), [XChat Aqua](https://xchataqua.github.io/) (MacOS), [Palaver](https://palaverapp.com/) (iOS) and [Revolution](https://github.com/MCMrARM/revolution-irc) (Android)
|
||||
**[Mattermost](https://mattermost.org/)** | Mattermost has an open source eddition, which can be self-hosted. It makes a good Slack alternative, with native desktop, mobile and web apps and a wide variety of [integrations](https://integrations.mattermost.com/)
|
||||
**[Dialog](https://dlg.im/en/)** | A corporate secure collaborative messenger. A clean UI and all the basic features, including groups, file sharing, audio/ video calls, searching and chat bots
|
||||
|
||||
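Review bot: the IRC line loses characters in two places: `properly encrypted- IRC` becomes `encrypte - IRC` and `to choose from- popular` becomes `choose fro - popular`. Should be `encrypted -` and `from -`. In the surrounding context, `eddition` on the Mattermost line should be `edition`, and `The Longe` should presumably be `The Lounge` given the linked host thelounge.chat.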
@ -372,7 +376,7 @@ The following browser add-ons give you better control over what content is able
|
||||
| Provider | Description |
|
||||
| --- | --- |
|
||||
**[Privacy Badger](https://www.eff.org/privacybadger)** | Blocks invisible trackers, in order to stop advertisers and other third-parties from secretly tracking where you go and what pages you look at. **Download**: [Chrome][privacy-badger-chrome] \ [Firefox][privacy-badger-firefox]
|
||||
**[HTTPS Everywhere](https://eff.org/https-everywhere)** | Forces sites to load in HTTPS, in order to encrypt your communications with websites, making your browsing more secure. **Download**: [Chrome][https-everywhere-chrome] \ [Firefox][https-everywhere-firefox]
|
||||
**[HTTPS Everywhere](https://eff.org/https-everywhere)** | Forces sites to load in HTTPS, in order to encrypt your communications with websites, making your browsing more secure (Similar to [Smart HTTPS](https://mybrowseraddon.com/smart-https.html)). Note this functionality is now included by default in most modern browsers. **Download**: [Chrome][https-everywhere-chrome] \ [Firefox][https-everywhere-firefox]
|
||||
**[uBlock Origin](https://github.com/gorhill/uBlock)** | Block ads, trackers and malware sites. **Download**: [Chrome][ublock-chrome] \ [Firefox][ublock-firefox]
|
||||
**[uMatrix](https://github.com/gorhill/uMatrix/wiki)** | Point & click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc. Similar to uBlock, but with more granular controls for advanced usage <br>**Download**: [Firefox](https://addons.mozilla.org/en-US/firefox/addon/umatrix/) \ [Chrome](https://chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf) \ [Opera](https://addons.opera.com/en-gb/extensions/details/umatrix/) \ [Source](https://github.com/gorhill/uMatrix)
|
||||
**[ScriptSafe](https://github.com/andryou/scriptsafe)** | Allows you yo block the execution of certain scripts. **Download**: [Chrome][script-safe-chrome] \ [Firefox][script-safe-firefox]
|
||||
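Review bot: the new parenthetical on the HTTPS Everywhere line opens mid-sentence with a capital, `(Similar to [Smart HTTPS]...)`; lower-case `similar` reads better, and `Note this functionality` would read more cleanly as `Note: this functionality`. The added remark that browsers now do this by default is useful for a reader deciding whether the add-on is still worth installing. Context line below: `Allows you yo block` (ScriptSafe) should be `to block`.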
@ -422,7 +426,7 @@ The following browser add-ons give you better control over what content is able
|
||||
**[Bouncer]** | Gives you the ability to grant permissions temporarily, so that you could for example use the camera to take a profile picture, but when you close the given app, those permissions will be revoked
|
||||
**[XPrivacyLua](https://github.com/M66B/XPrivacyLua/)** | Simple to use privacy manager for Android, that enables you to feed apps fake data when they request intimate permissions. Solves the problem caused by apps malfunctioning when you revoke permissions, and protects your real data by only sharing fake information. Enables you to hide call log, calendar, SMS messages, location, installed apps, photos, clipboard, network data plus more. And prevents access to camera, microphone, telemetry, GPS and other sensors
|
||||
**[SuperFreezZ]** | Makes it possible to entirely freeze all background activities on a per-app basis. Intended purpose is to speed up your phone, and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background
|
||||
**[Haven]** | Allows you to protect yourself, your personal space and your possessions- without compromising on security. Leveraging device sensors to monitor nearby space, Haven was developed by [The Guardian Project](https://guardianproject.info/), in partnership with [Edward Snowden](https://techcrunch.com/2017/12/24/edward-snowden-haven-app/)
|
||||
**[Haven]** | Allows you to protect yourself, your personal space and your possession - without compromising on security. Leveraging device sensors to monitor nearby space, Haven was developed by [The Guardian Project](https://guardianproject.info/), in partnership with [Edward Snowden](https://techcrunch.com/2017/12/24/edward-snowden-haven-app/)
|
||||
**[XUMI Security]** | Checks for, and resolves known security vulnerabilities. Useful to ensure that certain apps, or device settings are not putting your security or privacy at risk
|
||||
**[Daedalus]** | No root required Android DNS modifier and hosts/DNSMasq resolver, works by creating a VPN tunnel to modify the DNS settings. Useful if you want to change your resolver to a more secure/ private provider, or use DNS over HTTPS
|
||||
**[Secure Task]** | Triggers actions, when certain security conditions are met, such as multiple failed login attempts or monitor settings changed. It does require [Tasker], and needs to be set up with ADB, device does not need to be rooted
|
||||
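Review bot: `your possessions- without` becomes `your possession - without` on the Haven line, dropping the `s`. Should be `possessions - without`.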
@ -443,7 +447,7 @@ The following browser add-ons give you better control over what content is able
|
||||
**[RethinkDNS + Firewall](https://github.com/celzero/rethink-app)** | An open-source ad-blocker and firewall app for Android 6+ (does not require root)
|
||||
|
||||
#### Word of Warning
|
||||
Too many installed apps will increase your attack surface- only install applications that you need
|
||||
Too many installed apps will increase your attack surfac - only install applications that you need
|
||||
|
||||
#### Other Notable Mentions
|
||||
For more open source security & privacy apps, check out these publishers: [The Guardian Project], [The Tor Project], [Oasis Feng], [Marcel Bokhorst], [SECUSO Research Group] and [Simple Mobile Tools]- all of which are trusted developers or organisations, who've done amazing work.
|
||||
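Review bot: `attack surface- only` becomes `attack surfac - only`; the `e` of `surface` is lost and the sentence should read `attack surface - only install applications that you need`. Note also that the same `word- word` pattern survives unchanged two lines below (`[Simple Mobile Tools]- all of which`), so whatever pass produced this change was not applied consistently.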
@ -474,7 +478,7 @@ A selection of free online tools and utilities, to check, test and protect
|
||||
**[Virus Total](https://www.virustotal.com)** | Analyses a potentially-suspicious web resources (by URL, IP, domain or file hash) to detect types of malware (*note: files are scanned publicly*)
|
||||
**[Hardenize](https://www.hardenize.com/)** | Scan websites and shows a security overview, relating to factors such as HTTPS, domain info, email data, www protocols and so on
|
||||
**[Is Legit?](https://www.islegitsite.com/)** | Checks if a website or business is a scam, before buying something from it
|
||||
**[Deseat Me](https://www.deseat.me)** | Tool to help you clean up your online presence- Instantly get a list of all your accounts, delete the ones you are not using
|
||||
**[Deseat Me](https://www.deseat.me)** | Tool to help you clean up your online presenc - Instantly get a list of all your accounts, delete the ones you are not using
|
||||
**[Should I Remove It?](https://www.shouldiremoveit.com)** | Ever been uninstalling programs from your Windows PC and been unsure of what something is? Should I Remove It is a database of Windows software, detailing weather it is essential, harmless or dangerous
|
||||
**[10 Minute Mail](https://10minemail.com/)** | Generates temporary disposable email address, to avoid giving your real details
|
||||
**[MXToolBox Mail Headers](https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx)** | Tool for analyzing email headers, useful for checking the authenticity of messages, as well as knowing what info you are revealing in your outbound messages
|
||||
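Review bot: `online presence- Instantly` becomes `online presenc - Instantly` on the Deseat Me line. Should be `presence - instantly` (there is no reason for a capital after the dash). Context: `detailing weather it is essential` on the Should I Remove It? line should be `whether`.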
@ -503,9 +507,9 @@ VPNs are good for getting round censorship, increasing protection on public WiFi
|
||||
**Full VPN Comparison**: [thatoneprivacysite.net](https://thatoneprivacysite.net/).
|
||||
|
||||
#### Word of Warning
|
||||
- *A VPN does not make you anonymous- it merely changes your public IP address to that of your VPN provider, instead of your ISP. Your browsing session can still be linked back to your real identity either through your system details (such as user agent, screen resolution even typing patterns), cookies/ session storage, or by the identifiable data that you enter. [Read more about fingerprinting](https://pixelprivacy.com/resources/browser-fingerprinting/)*
|
||||
- *Logging- If you choose to use a VPN because you do not agree with your ISP logging your full browsing history, then it is important to keep in mind that your VPN provider can see (and mess with) all your traffic. Many VPNs claim not to keep logs, but you cannot be certain of this ([VPN leaks](https://vpnleaks.com/)). See [this article](https://gist.github.com/joepie91/5a9909939e6ce7d09e29) for more*
|
||||
- *IP Leaks- If configured incorrectly, your IP may be exposed through a DNS leak. This usually happens when your system is unknowingly accessing default DNS servers rather than the anonymous DNS servers assigned by an anonymity network or VPN. Read more: [What is a DNS leak](https://www.dnsleaktest.com/what-is-a-dns-leak.html), [DNS Leak Test](https://www.dnsleaktest.com), [How to Fix a DNS Leak](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html)*
|
||||
- *A VPN does not make you anonymou - it merely changes your public IP address to that of your VPN provider, instead of your ISP. Your browsing session can still be linked back to your real identity either through your system details (such as user agent, screen resolution even typing patterns), cookies/ session storage, or by the identifiable data that you enter. [Read more about fingerprinting](https://pixelprivacy.com/resources/browser-fingerprinting/)*
|
||||
- *Loggin - If you choose to use a VPN because you do not agree with your ISP logging your full browsing history, then it is important to keep in mind that your VPN provider can see (and mess with) all your traffic. Many VPNs claim not to keep logs, but you cannot be certain of this ([VPN leaks](https://vpnleaks.com/)). See [this article](https://gist.github.com/joepie91/5a9909939e6ce7d09e29) for more*
|
||||
- *IP Leak - If configured incorrectly, your IP may be exposed through a DNS leak. This usually happens when your system is unknowingly accessing default DNS servers rather than the anonymous DNS servers assigned by an anonymity network or VPN. Read more: [What is a DNS leak](https://www.dnsleaktest.com/what-is-a-dns-leak.html), [DNS Leak Test](https://www.dnsleaktest.com), [How to Fix a DNS Leak](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html)*
|
||||
- *Stealth - It will be visible to your adversary that you are using a VPN (usually from the IP address), but other system and browser data, can still reveal information about you and your device (such as your local time-zone, indicating which region you are operating from)*
|
||||
- *Many reviews are sponsored, and hence biased. Do your own research, or go with one of the above options*
|
||||
- *Using [Tor](https://www.torproject.org) (or another [Mix Network](/5_Privacy_Respecting_Software.md#mix-networks)) may be a better option for anonimity*
|
||||
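Review bot: all three replaced bullets lose a trailing letter: `anonymous- it` becomes `anonymou - it`, `Logging- If` becomes `Loggin - If`, and `IP Leaks- If` becomes `IP Leak - If`. The first two are plainly wrong; the third silently changes the label to singular, and since the other labels (`Logging`, `Stealth`) are nouns, `IP Leaks -` is what was meant. Context line below: `anonimity` should be `anonymity`.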
@ -528,7 +532,7 @@ Fun little projects that you can run on a Raspberry Pi, or other low-powered com
|
||||
**[Pi-Hole](https://pi-hole.net)** | Network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. Pi-Hole can significantly speed up your internet, remove ads and block malware. It comes with a nice web interface and a mobile app with monitoring features, it's open source, easy to install and very widely used
|
||||
**[Technitium](https://technitium.com/dns/)** | Another DNS server for blocking privacy-invasive content at it's source. Technitium doesn't require much of a setup, and basically works straight out of the box, it supports a wide range of systems (and can even run as a portable app on Windows). It allows you to do some additional tasks, such as add local DNS addresses and zones with specific DNS records. Compared to Pi-Hole, Technitium is very lightweight, but lacks the deep insights that Pi-Hole provides, and has a significantly smaller community behind it
|
||||
**[IPFire](https://www.ipfire.org)** | A hardened, versatile, state-of-the-art open source firewall based on Linux. Its ease of use, high performance and extensibility make it usable for everyone
|
||||
**[PiVPN](https://pivpn.io)** | A simple way to set up a home VPN on a any Debian server. Supports OpenVPN and WireGuard with elliptic curve encryption keys up to 512 bit. Supports multiple DNS providers and custom DNS providers- works nicely along-side PiHole
|
||||
**[PiVPN](https://pivpn.io)** | A simple way to set up a home VPN on a any Debian server. Supports OpenVPN and WireGuard with elliptic curve encryption keys up to 512 bit. Supports multiple DNS providers and custom DNS provider - works nicely along-side PiHole
|
||||
**[E2guardian](http://e2guardian.org)** | Powerful open source web content filter
|
||||
**[SquidGuard](http://www.squidguard.org)** | A URL redirector software, which can be used for content control of websites users can access. It is written as a plug-in for Squid and uses blacklists to define sites for which access is redirected
|
||||
**[PF Sense](https://www.pfsense.org)** | Widley used, open source firewall/router
|
||||
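Review bot: `custom DNS providers- works` becomes `custom DNS provider - works` on the PiVPN line, which breaks the parallel `multiple DNS providers and custom DNS providers`. The line also keeps `on a any Debian server` (drop the stray `a`). Context: `Widley used` on the PF Sense line should be `Widely`.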
@ -546,14 +550,14 @@ Don't want to build? See also: [Pre-configured security boxes](https://github.co
|
||||
**[I2P](https://geti2p.net)** | I2P offers great generic transports, it is well geared towards accessing hidden services, and has a couple of technical benefits over Tor: P2P friendly with unidirectional short-lived tunnels, it is packet-switched (instead of circuit-switched) with TCP and UDP, and continuously profiles peers, in order to select the best performing ones. <br>I2P is less mature, but fully-distributed and self-organising, it's smaller size means that it hasn't yet been blocked or DOSed much
|
||||
**[Freenet](https://freenetproject.org)** | Freenet is easy to setup, provides excellent friend To Friend Sharing vs I2P, and is great for publishing content anonymously. It's quite large in size, and very slow so not the best choice for casual browsing
|
||||
|
||||
Tor, I2P and Freenet are all anonymity networks- but they work very differently and each is good for specific purposes. So a good and viable solution would be to use all of them, for different tasks.
|
||||
Tor, I2P and Freenet are all anonymity network - but they work very differently and each is good for specific purposes. So a good and viable solution would be to use all of them, for different tasks.
|
||||
*You can read more about how I2P compares to Tor, [here](https://blokt.com/guides/what-is-i2p-vs-tor-browser)*
|
||||
|
||||
#### Notable Mentions
|
||||
See also: [GNUnet](https://gnunet.org/en/), [IPFS](https://ipfs.io/), [ZeroNet](https://zeronet.io/), [Panoramix](https://panoramix-project.eu), and [Nym](https://nymtech.neteu)
|
||||
|
||||
#### Word of Warning
|
||||
To provide low-latency browsing, Tor does not mix packets or generate cover traffic. If an adversary is powerful enough, theoretically they could either observe the entire network, or just the victims entry and exit nodes. It's worth mentioning, that even though your ISP can not see what you are doing, they will be able determine that you are using a mix net, to hide this- a VPN could be used as well. If you are doing anything which could put you at risk, then good OpSec is essential, as the authorities have traced criminals through the Tor network before, and [made arrests](https://techcrunch.com/2019/05/03/how-german-and-us-authorities-took-down-the-owners-of-darknet-drug-emporium-wall-street-market). Don't let Tor provide you a false sense of security- be aware of information leaks through DNS, other programs or human error. Tor-supported browsers may might lag behind their upstream forks, and include exploitable unpatched issues. See [#19](https://github.com/Lissy93/personal-security-checklist/issues/19)
|
||||
To provide low-latency browsing, Tor does not mix packets or generate cover traffic. If an adversary is powerful enough, theoretically they could either observe the entire network, or just the victims entry and exit nodes. It's worth mentioning, that even though your ISP can not see what you are doing, they will be able determine that you are using a mix net, to hide thi - a VPN could be used as well. If you are doing anything which could put you at risk, then good OpSec is essential, as the authorities have traced criminals through the Tor network before, and [made arrests](https://techcrunch.com/2019/05/03/how-german-and-us-authorities-took-down-the-owners-of-darknet-drug-emporium-wall-street-market). Don't let Tor provide you a false sense of securit - be aware of information leaks through DNS, other programs or human error. Tor-supported browsers may might lag behind their upstream forks, and include exploitable unpatched issues. See [#19](https://github.com/Lissy93/personal-security-checklist/issues/19)
|
||||
|
||||
Note: The Tor network is run by the community. If you benefit from using it and would like to help sustain uncensored internet access for all, consider [running a Tor relay](https://trac.torproject.org/projects/tor/wiki/TorRelayGuide)
|
||||
|
||||
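Review bot: three replacements in this hunk lose a character: `are all anonymity networks- but` becomes `anonymity network - but` (now ungrammatical), `to hide this- a VPN` becomes `hide thi - a VPN`, and `false sense of security- be aware` becomes `securit - be aware`. The Tor warning line also keeps `may might lag` (pick one) and `the victims entry and exit nodes` (`victim's`), which are worth fixing while the line is open.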
@ -570,7 +574,7 @@ A proxy acts as a gateway between you and the internet, it can be used to act as
|
||||
[V2ray-core](https://github.com/v2ray/v2ray-core) is a platform for building proxies to bypass network restrictions and protect your privacy. See [more](https://github.com/hugetiny/awesome-vpn)
|
||||
|
||||
#### Word of Warning
|
||||
[Malicious Proxies](https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-edward_zaborowski-doppelganger.pdf) are all too common. Always use open source software, host it yourself or pay for a reputable cloud service. Never use a free proxy; it can monitor your connection, steal cookies and contain malware. VPNs are a better option, better still- use the Tor network.
|
||||
[Malicious Proxies](https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-edward_zaborowski-doppelganger.pdf) are all too common. Always use open source software, host it yourself or pay for a reputable cloud service. Never use a free proxy; it can monitor your connection, steal cookies and contain malware. VPNs are a better option, better stil - use the Tor network.
|
||||
|
||||
|
||||
## DNS
|
||||
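Review bot: `better still- use the Tor network` becomes `better stil - use`; should be `better still - use the Tor network`.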
@ -638,7 +642,7 @@ Even when properly configured, having a firewall enabled does not guarantee bad
|
||||
## Ad Blockers
|
||||
|
||||
|
||||
There are a few different ways to block ads- browser-based ad-blockers, router-based / device blockers or VPN ad-blockers. Typically they work by taking a maintained list of hosts, and filtering each domain/ IP through it. Some also have other methods to detect certain content based on pattern mathcing
|
||||
There are a few different ways to block ad - browser-based ad-blockers, router-based / device blockers or VPN ad-blockers. Typically they work by taking a maintained list of hosts, and filtering each domain/ IP through it. Some also have other methods to detect certain content based on pattern mathcing
|
||||
|
||||
| Provider | Description |
|
||||
| --- | --- |
|
||||
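Review bot: `ways to block ads- browser-based` becomes `block ad - browser-based`, dropping the `s`; should be `block ads -`. The end of the same line keeps `pattern mathcing`, which should be `pattern matching`.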
@ -665,7 +669,7 @@ Some VPNs have ad-tracking blocking features, such as [TrackStop with PerfectPri
|
||||
|
||||
| Provider | Description |
|
||||
| --- | --- |
|
||||
**[SomeoneWhoCares/ Hosts](https://someonewhocares.org/hosts/)** | An up-to-date host list, maintained by Dan Pollock- to make the internet not suck (as much)
|
||||
**[SomeoneWhoCares/ Hosts](https://someonewhocares.org/hosts/)** | An up-to-date host list, maintained by Dan Polloc - to make the internet not suck (as much)
|
||||
**[Hosts by StevenBlack](https://github.com/StevenBlack/hosts)** | Open source, community-maintained consolidated and extending hosts files from several well-curated sources. You can optionally pick extensions to block p0rn, Social Media, gambling, fake news and other categories
|
||||
**[No Google](https://github.com/nickspaargaren/no-google)** | Totally block all direct and indirect content from Google, Amazon, Facebook, Apple and Microsoft (or just some)
|
||||
**[EasyList](https://easylist.to)** | Comprehensive list of domains for blocking tracking, social scripts, bad cookies and annoying stuff
|
||||
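Review bot: a person's name is corrupted on the `+` line: `maintained by Dan Pollock- to make` becomes `Dan Polloc - to make`. Should be `Dan Pollock - to make`.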
@ -690,11 +694,11 @@ Flashing custom firmware may void your warrenty. If power is interupted mid-way
|
||||
|
||||
## Network Analysis
|
||||
|
||||
Weather you live in a country behind a firewall, or accessing the internet through a proxy- these tools will help you better understand the extent of blocking, deep packet inspection and what data is being analysed
|
||||
Weather you live in a country behind a firewall, or accessing the internet through a prox - these tools will help you better understand the extent of blocking, deep packet inspection and what data is being analysed
|
||||
|
||||
| Provider | Description |
|
||||
| --- | --- |
|
||||
**[OONI](https://ooni.org)** | Open Observatory of Network Interference- A free tool and global observation network, for detecting censorship, surveillance and traffic manipulation on the internet. Developed by The Tor Project, and available for [Android](https://play.google.com/store/apps/details?id=org.openobservatory.ooniprobe), [iOS](https://apps.apple.com/us/app/id1199566366) and [Linux](https://ooni.org/install/ooniprobe)
|
||||
**[OONI](https://ooni.org)** | Open Observatory of Network Interferenc - A free tool and global observation network, for detecting censorship, surveillance and traffic manipulation on the internet. Developed by The Tor Project, and available for [Android](https://play.google.com/store/apps/details?id=org.openobservatory.ooniprobe), [iOS](https://apps.apple.com/us/app/id1199566366) and [Linux](https://ooni.org/install/ooniprobe)
|
||||
**[Mongol](https://github.com/mothran/mongol)** | A Python script, to pinpoint the IP address of machines working for the The Great Firewall of China. See also [gfwlist](https://github.com/gfwlist/gfwlist) which is the Chinese ban list, and [gfw_whitelist](https://github.com/n0wa11/gfw_whitelist). For a list of Russian government IP addresses, see [antizapret](https://github.com/AntiZapret/antizapret)
|
||||
**[Goodbye DPI](https://github.com/ValdikSS/GoodbyeDPI)** | Passive Deep Packet Inspection blocker and Active DPI circumvention utility, for Windows
|
||||
**[DPITunnel](https://github.com/zhenyolka/DPITunnel)** | An Android app to bypass deep packet inspection
|
||||
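Review bot: two replacements in this hunk lose letters: `through a proxy- these tools` becomes `prox - these tools`, and the OONI expansion `Open Observatory of Network Interference- A free tool` becomes `Interferenc - A free tool`, which misspells the project's own name. Both should keep the full word (`proxy -`, `Interference -`), and `Interference - a free tool` avoids the capital after the dash. The first line also keeps `Weather you live`, which should be `Whether`.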
@ -715,7 +719,7 @@ An IDS is an application that monitors a network or computer system for maliciou
|
||||
|
||||
## Cloud Hosting
|
||||
|
||||
Weather you are hosting a website and want to keep your users data safe, or if you are hosting your own file backup, cloud productivity suit or VPN- then choosing a provider that respects your privacy and allows you to sign up anonymously, and will keep your files and data safe is be important.
|
||||
Weather you are hosting a website and want to keep your users data safe, or if you are hosting your own file backup, cloud productivity suit or VP - then choosing a provider that respects your privacy and allows you to sign up anonymously, and will keep your files and data safe is be important.
|
||||
|
||||
| Provider | Description |
|
||||
| --- | --- |
|
||||
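Review bot: `cloud productivity suit or VPN- then` becomes `VP - then`, turning `VPN` into `VP`. Should be `VPN - then`. The same sentence keeps `Weather you are hosting` (`Whether`), `productivity suit` (`suite`), `users data` (`users'`) and `is be important` (drop `be`).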
@ -764,7 +768,7 @@ Self-hosting your own mail server is not recommended for everyone, it can be tim
|
||||
**[Cryptee](https://crypt.ee/)** | Private & encrypted rich-text documents. Cryptee has encryption and anonymity at it's core, it also has a beautiful and minimalistic UI. You can use Cryptee from the browser, or download native Windows, Mac OS, Linux, Android and iOS apps. Comes with many additional features, such as support for photo albums and file storage. The disadvantage is that only the frontend is open source. Pricing is free for starter plan, $3/ month for 10GB, additional plans go up-to 2TB
**[Standard Notes](https://standardnotes.com/?s=chelvq36)** | S.Notes is a free, open-source, and completely encrypted private notes app. It has a simple UI, yet packs in a lot of features, thanks to the [Extensions Store](https://standardnotes.com/features), allowing for: To-Do lists, Spreadsheets, Rich Text, Markdown, Math Editor, Code Editor and many more. You can choose between a number of themes (yay, dark mode!), and it features built-in secure file store, tags/ folders, fast search and more. There is a web app as well as native Windows, Mac OS, Linux, Android and iOS apps. Standard Notes is actively developed, and fully open-source, so you can host it yourself, or use their hosted version: free without using plug-ins or $3/ month for access to all features
**[Turtle](https://turtlapp.com/)** | A secure, collaborative notebook. Self-host it yourself (see [repo](https://github.com/turtl)), or use their hosted plan (free edition or $3/ month for premium)
**[Joplin](https://joplinapp.org)** | Cross-platform desktop and mobile note-taking and todo app. Easy organisation into notebooks and sections, revision history and a simple UI. Allows for easy import and export of notes to or from other services. Supports syncronisation with cloud services, implemented with E2EE- however it is only the backed up data that is encrypted
**[Joplin](https://joplinapp.org)** | Cross-platform desktop and mobile note-taking and todo app. Easy organisation into notebooks and sections, revision history and a simple UI. Allows for easy import and export of notes to or from other services. Supports syncronisation with cloud services, implemented with E2E - however it is only the backed up data that is encrypted
**[Notable](https://notable.md)** | Markdown-based note editior for desktop, with a simple, yet feature-rich UI. All notes are saved individually as .md files, making them easy to manage. No mobile app, or built-in cloud-sync or encryption
#### Notable Mentions
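Review bot: the Joplin row loses a letter in the rewrite: `implemented with E2EE- however` now reads `implemented with E2E - however`, which turns the acronym for end-to-end encryption into something else. Restore the missing `E` (intended: `E2EE - however`); `syncronisation` in the same row should be `synchronisation`.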
@ -779,9 +783,9 @@ For a simple plain text note taking app, with strong encryption, see [Protected
| Provider | Description |
| --- | --- |
**[CryptPad](https://cryptpad.fr)** | A zero knowledge cloud productivity suit. Provides Rich Text, Presentations, Spreadsheets, Kanban, Paint a code editor and file drive. All notes and user content, are encrypted by default, and can only be accessed with specific URL. The main disadvantage, is a lack of Android, iOS and desktop apps- CryptPad is entirely web-based. You can use their web service, or you can host your own instance (see [CryptPad GitHub](https://github.com/xwiki-labs/cryptpad) repo). Price for hosted: free for 50mb or $5/ month for premium
**[CryptPad](https://cryptpad.fr)** | A zero knowledge cloud productivity suit. Provides Rich Text, Presentations, Spreadsheets, Kanban, Paint a code editor and file drive. All notes and user content, are encrypted by default, and can only be accessed with specific URL. The main disadvantage, is a lack of Android, iOS and desktop app - CryptPad is entirely web-based. You can use their web service, or you can host your own instance (see [CryptPad GitHub](https://github.com/xwiki-labs/cryptpad) repo). Price for hosted: free for 50mb or $5/ month for premium
**[NextCloud](https://nextcloud.com/)** | A complete self-hosted productivity platform, with a strong community and growing [app store](https://apps.nextcloud.com). NextCloud is similar to (but arguably more complete than) Google Drive, Office 365 and Dropbox, origionally it was a fork from [OwnCloud](https://owncloud.org/), but since have diverged. Clear UI and stable native apps across all platforms, and also supports file sync. Supports encrypted files, but you need to configure this yourself. Fully open source, so you can self-host it yourself (or use a hosted solution, starting from $5/ month)
**[Disroot](https://disroot.org)** | A platform providing online services based on principles of freedom, privacy, federation and decentralization. It is an implementation of NextCloud, with strong encryption configured- it is widely used by journalists, activists and whistle-blowers. It is fre to use, but there have been reported reliability issues of the cloud services
**[Disroot](https://disroot.org)** | A platform providing online services based on principles of freedom, privacy, federation and decentralization. It is an implementation of NextCloud, with strong encryption configure - it is widely used by journalists, activists and whistle-blowers. It is fre to use, but there have been reported reliability issues of the cloud services
**[Sandstorm](https://sandstorm.io/)** | An open source platform for self-hosting web apps. Once you've set it up, you can install items from the Sandstorm [App Market](https://apps.sandstorm.io/) with -click, similar to NextCloud in terms of flexibility
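Review bot: two words are truncated by the replacement in this hunk: CryptPad's `desktop apps- CryptPad` becomes `desktop app - CryptPad`, and Disroot's `strong encryption configured- it` becomes `strong encryption configure - it`. Both should keep their final letter. While here: `productivity suit` should be `suite`, `fre to use` is `free to use`, and the Sandstorm row's `with -click` is missing the word before the hyphen.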
@ -801,7 +805,7 @@ Alternatively, consider a headless utility such as [Duplicacy](https://duplicacy
[FileRun](https://filerun.com) and [Pydio](https://pydio.com) are self-hosted file explorers, with cross-platform sync capabilities.
#### Word of Warning
You should always ensure that any data stored in the cloud is encrypted. If you are hosting your own server, then take the necessary precautions to [secure the server](https://med.stanford.edu/irt/security/servers.html). For hosted solutions- use a strong password, keep your credentials safe and enable 2FA.
You should always ensure that any data stored in the cloud is encrypted. If you are hosting your own server, then take the necessary precautions to [secure the server](https://med.stanford.edu/irt/security/servers.html). For hosted solution - use a strong password, keep your credentials safe and enable 2FA.
## Encrypted Cloud Storage
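Review bot: `For hosted solutions- use` has been rewritten as `For hosted solution - use`, dropping the plural `s`; the intended text is `For hosted solutions - use`.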
@ -820,7 +824,7 @@ It is recommended to encrypt files on your client machine, before syncing to the
**[FileN](https://filen.io/)** | Zero knowledge end-to-end encrypted affordable cloud storage made in Germany. Open-source mobile and desktop apps. 10GB FREE with paid plans starting at €0.92/month for 100GB.
#### Notable Mentions
An alternative option, is to use a cloud computing provider, and implement the syncing functionality yourself, and encrypt data locally before uploading it- this may work out cheaper in some situations. You could also run a local server that you physically own at a secondary location, that would mitigate the need to trust a third party cloud provider. Note that some knowledge in securing networks is required.
An alternative option, is to use a cloud computing provider, and implement the syncing functionality yourself, and encrypt data locally before uploading i - this may work out cheaper in some situations. You could also run a local server that you physically own at a secondary location, that would mitigate the need to trust a third party cloud provider. Note that some knowledge in securing networks is required.
**See Also**:
- [File Encryption Software](#file-encryption)
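Review bot: `before uploading it- this may` now reads `before uploading i - this may`; the word `it` has been cut down to `i`. The replacement pattern is removing the character before the hyphen rather than only inserting a space around it.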
@ -957,11 +961,11 @@ A VM is a sandboxed operating system, running within your current system. Useful
## Social Networks
Over the past decade, social networks have revolutionized the way we communicate and bought the world closer together- but it came at the [cost of our privacy](https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services). Social networks are built on the principle of sharing- but you, the user should be able to choose with whom you share what, and that is what the following sites aim to do.
Over the past decade, social networks have revolutionized the way we communicate and bought the world closer togethe - but it came at the [cost of our privacy](https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services). Social networks are built on the principle of sharin - but you, the user should be able to choose with whom you share what, and that is what the following sites aim to do.
| Provider | Description |
| --- | --- |
**[Aether](https://getaether.net)** | Self-governing communities with auditable moderation- a similar concept to Reddit, but more privacy-sensitive, democratic and transparent. Aether is open source and peer-to-peer, it runs on Windows, Mac and Linux
**[Aether](https://getaether.net)** | Self-governing communities with auditable moderatio - a similar concept to Reddit, but more privacy-sensitive, democratic and transparent. Aether is open source and peer-to-peer, it runs on Windows, Mac and Linux
**[Discourse](https://www.discourse.org/)** | A 100% open source and self-hostable discussion platform you can use as a mailing list, discussion forum or long-form chat room.
**[Mastodon](https://mastodon.social/invite/A5JwL72F)** | A shameless Twitter clone, but open-source, distributed across independent servers, and with no algorithms that mess with users timelines
**[Minds](https://www.minds.com/register?referrer=as93)** | A social media site, which aims to bring people together and support open conversations. Get paid for creating content
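Review bot: the Social Networks intro is damaged twice by this rewrite: `closer together- but` became `closer togethe - but` and `principle of sharing- but` became `principle of sharin - but`; both need their final letter back. The Aether row has the same defect (`auditable moderatio - a similar`). The intro sentence also says `bought the world closer` where `brought` is meant.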
@ -973,7 +977,7 @@ Over the past decade, social networks have revolutionized the way we communicate
- [Pixelfed](https://pixelfed.org) - A free, ethical, federated photo sharing platform (FOSS alternative to Instagram)
#### Main-stream networks
The content on many of these smaller sites tends to be more *niche*. To continue using Twitter, there are a couple of [tweaks](https://www.offensiveprivacy.com/blog/twitter-privacy), that will improve security. For Reddit, use a privacy-respecting client- such as [Reditr](http://reditr.com/). Other main-stream social networking sites do not respect your privacy, so should be avoided, but if you choose to keep using them see [this guide](https://proprivacy.com/guides/social-media-privacy-guide) for tips on protecting your privacy
The content on many of these smaller sites tends to be more *niche*. To continue using Twitter, there are a couple of [tweaks](https://www.offensiveprivacy.com/blog/twitter-privacy), that will improve security. For Reddit, use a privacy-respecting clien - such as [Reditr](http://reditr.com/). Other main-stream social networking sites do not respect your privacy, so should be avoided, but if you choose to keep using them see [this guide](https://proprivacy.com/guides/social-media-privacy-guide) for tips on protecting your privacy
## Video Platforms
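Review bot: `privacy-respecting client- such as` now reads `privacy-respecting clien - such as`; restore the `t` (`client - such as`).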
@ -1020,21 +1024,21 @@ Of course you could also host your blog on your own server, using a standard ope
**[Feedly](https://feedly.com)** | A more premium option. Feedly displays news from your selected sources in an easy-to-digest clean and modern interface. It works with more than just RSS feeds, since it is well integrated with many major news outlets. It does not manipulate the stories you see, and is mostly open source
#### Notable Mentions
For iPhone users in the US, [Tonic](https://canopy.cr/tonic) is a great little app that provides you with a selection of personalized new stories and articles daily. It is possible to us [Reddit](https://www.reddit.com) anonymously too- you can use throwaway accounts for posting.
For iPhone users in the US, [Tonic](https://canopy.cr/tonic) is a great little app that provides you with a selection of personalized new stories and articles daily. It is possible to us [Reddit](https://www.reddit.com) anonymously to - you can use throwaway accounts for posting.
#### Word of Warning
News reader apps don't have a good [reputation](https://vpnoverview.com/privacy/apps/privacy-risks-news-apps) when it comes to protecting users privacy, and often display biased content. Many have revenue models based on making recommendations, with the aim of trying to get you to click on sponsored articles- and for that a lot of data needs to have been collected about you, your habits, interests and routines.
News reader apps don't have a good [reputation](https://vpnoverview.com/privacy/apps/privacy-risks-news-apps) when it comes to protecting users privacy, and often display biased content. Many have revenue models based on making recommendations, with the aim of trying to get you to click on sponsored article - and for that a lot of data needs to have been collected about you, your habits, interests and routines.
## Proxy Sites
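Review bot: both changed lines in this hunk lose a character: `anonymously too- you can` becomes `anonymously to - you can`, and `sponsored articles- and` becomes `sponsored article - and`. The Tonic sentence also has `possible to us [Reddit]` for `use` and `personalized new stories` for `news stories`.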
These are websites that enable you to access existing social media platforms, without using their primary website- with the aim of improving privacy & security and providing better user experience. The below options are open source (so can be self-hosted, if you wish), and they do not display ads or tracking (unless otherwise stated).
These are websites that enable you to access existing social media platforms, without using their primary websit - with the aim of improving privacy & security and providing better user experience. The below options are open source (so can be self-hosted, if you wish), and they do not display ads or tracking (unless otherwise stated).
| Provider | Description |
| --- | --- |
**[Nitter](https://nitter.net/)** (Twitter) | Nitter is a free and open source alternative Twitter front-end focused on privacy, it prevents Twitter from tracking your IP or browser fingerprint. It does not include any JavaScript, and all requests go through the backend, so the client never talks directly to Twitter. It's written in Nim, is super lightweight, with multiple themes and a responsive mobile version available, as well as customizable RSS feeds. Uses an unofficial API, with no rate limits or and no developer account required
**[Invidio](https://invidio.us/)** (YouTube) | Privacy-focused, open source alternative frontend for YouTube. It prevents/ reduces Google tracking, and adds additional features, including an audio-only mode, Reddit comment feed, advanced video playback settings. It's super lightweight, and does not require JavaScript to be enabled, and you can import/ export your subscriptions list, and customize your feed. See list of [Invidious Public Instances](https://github.com/iv-org/invidious/wiki/Invidious-Instances)
**[Bibliogram](https://bibliogram.art/)** (Instagram) | Enables you to view Instagram profiles through their proxy without any tracking, great for anonymity. Bibliogram also has several other benefits over using the official Instagram website- Pages also load much faster, it gives you downloadable images, eliminates ads, generates RSS feeds, and doesn't urge you to sign up. It can also easily be self-hosted. However, there is no functionality to create posts via this service
**[Bibliogram](https://bibliogram.art/)** (Instagram) | Enables you to view Instagram profiles through their proxy without any tracking, great for anonymity. Bibliogram also has several other benefits over using the official Instagram websit - Pages also load much faster, it gives you downloadable images, eliminates ads, generates RSS feeds, and doesn't urge you to sign up. It can also easily be self-hosted. However, there is no functionality to create posts via this service
**[Libreddit](https://libredd.it/)** (Reddit) | Private front-end for Reddit written in Rust. Massively [faster than Reddit](https://github.com/spikecodes/libreddit#speed) by not including ads, trackers or bloat. Libreddit can be deployed and selfhosted through `cargo`, Docker and Repl.it and proxies all requests through the back-end. Libreddit currently implements most of Reddit's functionalities that don't require users to be signed in.
**[WebProxy](https://weboproxy.com/)** | Free proxy service, with Tor mode (which is recommended to enable). Designed to be used to evade censorship and access geo-blocked content. The service is maintained by [DevroLabs](https://devrolabs.com/), who also run the [OnionSite](https://onionsite.weboproxy.com/) web proxy, they claim to that all traffic is 256-bit SSL-encrypted, but this cannot be verified - never enter any potentially personally identifiable infomation, and use it purely for consuming content
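Review bot: `website` is cut to `websit` in two places: the Proxy Sites intro (`primary websit - with`) and the Bibliogram row (`official Instagram websit - Pages`). Both should read `website -`. The WebProxy row's `infomation` is also missing an `r`.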
@ -1061,7 +1065,7 @@ Other privacy-focused cryptocurrencies include: [PIVX](https://pivx.org), [Bitco
#### Word of Warning
Not all cryptocurrencies are anonymous, and without using a privacy-focused coin, a record of your transaction will live on a publicly available distributed ledger, forever. If you send of receive multiple payments, ensure you switch up addresses or use a mixer, to make it harder for anyone trying to trace your transactions. Store private keys somewhere safe, but offline and preferably cold.
Note: Cryptocurrency prices can go down. Storing any wealth in crypto may result in losses. If you are new to digital currencies- do your research first, don't invest more than you can afford, and be very weary of scams and cryptocurrency-related malware.
Note: Cryptocurrency prices can go down. Storing any wealth in crypto may result in losses. If you are new to digital currencie - do your research first, don't invest more than you can afford, and be very weary of scams and cryptocurrency-related malware.
## Crypto Wallets
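Review bot: `new to digital currencies- do your research` has become `new to digital currencie - do your research`; the plural `s` is lost. `be very weary of scams` in the same line should be `wary`, and `send of receive` in the preceding paragraph should be `send or receive`.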
@ -1070,7 +1074,7 @@ Note: Cryptocurrency prices can go down. Storing any wealth in crypto may result
**[Wasabi Wallet](https://www.wasabiwallet.io/)** (BitCoin) | An open source, native desktop wallet for Windows, Linux and MacOS. Wasabi implements trustless CoinJoins over the Tor network. Neither an observer nor the participants can determine which output belongs to which input. This makes it difficult for outside parties to trace where a particular coin originated from and where it was sent to, which greatly improves privacy. Since it's trustless, the CoinJoin coordinator cannot breach the privacy of the participants. Wasabi is compatible with cold storage, and hardware wallets, including OpenCard and Trezor.
**[Trezor](https://trezor.io/)**<br>(All Coins) | Open source, cross-platform, offline, crypto wallet, compatible with 1000+ coins. Your private key is generated on the device, and never leaves it, all transactions are signed by the Trezor, which ensures your wallet is safe from theft. There are native apps for Windows, Linux, MacOS, Android and iOS, but Trezor is also compatible with other wallets, such as Wasabi. You can back the Trezor up, either by writing down the seed, or by duplicating it to another device. It is simple and intuitive to use, but also incredible customisable with a large range of advanced features.
**[ColdCard](https://coldcardwallet.com/)** (BitCoin) | An easy-to-use, super secure, open source BitCoin hardware wallet, which can be used independently as an air-gapped wallet. ColdCard is based on partially signed Bitcoin transactions following the [BIP174](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki) standard. Built specifically for BitCoin, and with a variety of unique security features, ColdCard is secure, trustless, private and easy-to-use. Companion products for the ColdCard include: [BlockClock](http://blockclockmini.com/), [SeedPlate](http://bitcoinseedbackup.com/) and [ColdPower](http://usbcoldpower.com/)
**[Electrum](https://electrum.org/)** (BitCoin) | Long-standing Python-based BitCoin wallet with good security features. Private keys are encrypted and do not touch the internet and balance is checked with a watch-only wallet. Compatible with other wallets, so there is no tie-in, and funds can be recovered with your secret seed. It supports proof-checking to verify transactions using SPV, multi-sig and add-ons for compatibility with hardware wallets. A decentralized server indexes ledger transactions, meaning it's fast and doesn't require much disk space. The potential security issue here would not be with the wallet, but rather your PC- you must ensure your computer is secure and your wallet has a long, strong passphrase to encrypt it with.
**[Electrum](https://electrum.org/)** (BitCoin) | Long-standing Python-based BitCoin wallet with good security features. Private keys are encrypted and do not touch the internet and balance is checked with a watch-only wallet. Compatible with other wallets, so there is no tie-in, and funds can be recovered with your secret seed. It supports proof-checking to verify transactions using SPV, multi-sig and add-ons for compatibility with hardware wallets. A decentralized server indexes ledger transactions, meaning it's fast and doesn't require much disk space. The potential security issue here would not be with the wallet, but rather your P - you must ensure your computer is secure and your wallet has a long, strong passphrase to encrypt it with.
**[Samourai Wallet](https://samouraiwallet.com/)** (BitCoin) | An open-source, BitCoin-only privacy-focused wallet, with some innovative features.<br>Samourai Wallet works under any network conditions, with a full offline mode, useful for cold storage. It also supports a comprehensive range of privacy features including: STONEWALL that helps guard against address clustering deanonymization attacks, PayNym which allows you to receive funds without revealing your public address for all to see, Stealth Mode which hides Samourai from your devices launcher, Remote SMS Commands to wipe or recover your wallet if device is seized or stolen, and Whirlpool which is similar to a coin mixer, and OpenDime is also supported for offline USB hardware wallets.
**[Atomic Wallet](https://atomicwallet.io/)** (All Coins) | Atomic is an open source desktop and mobile based wallet, where you're private keys are stored on your local device, and do not touch the internet. Atomic has great feature sets, and supports swapping, staking and lending directly from the app. However, most of Atomic's features require an active internet connection, and Atomic [does not support](https://support.atomicwallet.io/article/160-does-atomic-wallet-offer-hardware-wallet-integration) hardware wallets yet. Therefor, it may only be a good choice as a secondary wallet, for storing small amounts of your actively used currency
**[CryptoSteel](https://cryptosteel.com/how-it-works)**<br>(All Coins) | A steel plate, with engraved letters which can be permanently screwed - CryptoSteel is a good fire-proof, shock-proof, water-proof and stainless cryptocurrency backup solution.
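Review bot: the Electrum row now reads `but rather your P - you must ensure`; `PC` has been reduced to `P`, which makes the sentence meaningless. Restore `PC - you must`. Elsewhere in the hunk, `you're private keys` (Atomic Wallet) should be `your`, and `Therefor` should be `Therefore`.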
@ -1078,7 +1082,7 @@ Note: Cryptocurrency prices can go down. Storing any wealth in crypto may result
**[ColdCard](https://coldcardwallet.com/)** (BitCoin) | Secure, open source BitCoin cold storage wallet, with the option for making encrypted backups on a MicroSD card.
#### Word of Warning
Avoid using any online/ hot-wallet, as you will have no control over the security of your private keys. Offline paper wallets are very secure, but ensure you store it properly- to keep it safe from theft, loss or damage.
Avoid using any online/ hot-wallet, as you will have no control over the security of your private keys. Offline paper wallets are very secure, but ensure you store it properl - to keep it safe from theft, loss or damage.
### Notable Mentions
[Metamask](https://metamask.io/) (Ethereum and ERC20 tokens) is a bridge that allows you to visit and interact with distributed web apps in your browser. Metamask has good hardware wallet support, so you can use it to swap, stake, sign, lend and interact with dapps without you're private key ever leaving your device. However the very nature of being a browser-based app means that you need to stay vigilant with what services you give access to.
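Review bot: `ensure you store it properly- to keep` has been rewritten as `ensure you store it properl - to keep`; the `y` is missing. The Metamask paragraph below also has `you're private key` for `your private key`.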
@ -1133,7 +1137,7 @@ Note that credit card providers heavily track transaction metadata, which build
**[GnuCash](https://www.gnucash.org)** (Desktop) | Full-featured cross-platform accounting application, which works well for both personal and small business finance. First released in 1998, GnuCash is long standing and very stable, and despite a slightly dated UI, it's still a very popular option. Originally developed for Linux, GnuCash is now available for Windows, Mac and Linux and also has a well rated official [Android app](https://play.google.com/store/apps/details?id=org.gnucash.android&hl=en)
#### Notable Mentions
Spreadsheets remain a popular choice for managing budgets and financial planning. [Collabora](https://nextcloud.com/collaboraonline) or [OnlyOffice](https://nextcloud.com/onlyoffice) (on [NextCloud](https://nextcloud.com)), [Libre Office](https://www.libreoffice.org) and [EtherCalc](https://ethercalc.net) are popular open source spread sheet applications. [Mintable](https://github.com/kevinschaich/mintable) allows you to auto-populate your spreadsheets from your financial data, using publicly accessible APIs- mitigating the requirement for a dedicated budgeting application.
Spreadsheets remain a popular choice for managing budgets and financial planning. [Collabora](https://nextcloud.com/collaboraonline) or [OnlyOffice](https://nextcloud.com/onlyoffice) (on [NextCloud](https://nextcloud.com)), [Libre Office](https://www.libreoffice.org) and [EtherCalc](https://ethercalc.net) are popular open source spread sheet applications. [Mintable](https://github.com/kevinschaich/mintable) allows you to auto-populate your spreadsheets from your financial data, using publicly accessible API - mitigating the requirement for a dedicated budgeting application.
Other notable open source budgeting applications include: [Smart Wallet](https://apps.apple.com/app/smart-wallet/id1378013954) (iOS), [My-Budget](https://rezach.github.io/my-budget) (Desktop), [MoneyManager EX](https://www.moneymanagerex.org), [Skrooge](https://skrooge.org), [kMyMoney](https://kmymoney.org)
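Review bot: `publicly accessible APIs- mitigating` has become `publicly accessible API - mitigating`; this one happens to remain a valid word, but it silently changes the plural and is the same off-by-one in the replacement as in the other hunks. Intended: `APIs - mitigating`.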
@ -1152,7 +1156,7 @@ collecting a wealth of information, and logging your every move. A [custom ROM](
**[GrapheneOS](https://grapheneos.org/)** | GrapheneOS is an open source privacy and security focused mobile OS with Android app compatibility. Developed by [Daniel Micay](https://twitter.com/DanielMicay). GrapheneOS is a young project, and currently only supports Pixel devices, partially due to their [strong hardware security](https://grapheneos.org/faq#device-support).
**[CalyxOS](https://calyxos.org/)** | CalyxOS is an free and open source Android mobile operating system that puts privacy and security into the hands of everyday users. Plus, proactive security recommendations and automatic updates take the guesswork out of keeping your personal data personal. Also currently only supports Pixel devices and Xiaomi Mi A2 with Fairphone 4, OnePlus 8T, OnePlus 9 test builds available. Developed by the Calyx Foundation.
**[DivestOS](https://divestos.org)** | DivestOS is a vastly diverged unofficial more secure and private soft fork of LineageOS. DivestOS primary goal is prolonging the life-span of discontinued devices, enhancing user privacy, and providing a modest increase of security where/when possible. Project is developed and maintained solely by Tad (SkewedZeppelin) since 2014.
**[LineageOS](https://www.lineageos.org/)** | A free and open-source operating system for various devices, based on the Android mobile platform- Lineage is light-weight, well maintained, supports a wide range of devices, and comes bundled with [Privacy Guard](https://en.wikipedia.org/wiki/Android_Privacy_Guard)
**[LineageOS](https://www.lineageos.org/)** | A free and open-source operating system for various devices, based on the Android mobile platfor - Lineage is light-weight, well maintained, supports a wide range of devices, and comes bundled with [Privacy Guard](https://en.wikipedia.org/wiki/Android_Privacy_Guard)
#### Other Notable Mentions
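Review bot: the LineageOS row now says `based on the Android mobile platfor - Lineage`; restore the `m` in `platform`.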
@ -1164,7 +1168,7 @@ To install apps on the Play Store without using the Play Store app see [Aurora S
#### Word of Warning
It is not recommended to root, or flash your device with a custom ROM if you are not an advanced user. There are risks involved
- Although the above ROMs omit Google, they do open up other security issues: Without DM-verity on the system partition, the file system *could* be tampered with, and no verified boot stack, the kernel/initramfs also *could* be edited. You should understand the risks, before proceeding to flash a custom ROM to your device
- You will need to rely on updates from the community, which could be slower to be released- this may be an issue for a time-urgent, security-critical patch
- You will need to rely on updates from the community, which could be slower to be release - this may be an issue for a time-urgent, security-critical patch
- It is also possible to brick your device, through interrupted install or bad software
- Finally, rooting and flashing your device, will void your warranty
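Review bot: `could be slower to be released- this may` has become `could be slower to be release - this may`; the `d` is lost and the sentence is now ungrammatical. Intended: `released - this may`.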
@ -1173,12 +1177,12 @@ It is not recommended to root, or flash your device with a custom ROM if you are
Windows 10 has many features that violate your privacy. Microsoft and Apple are able to collect all your data (including, but not limited to: keystrokes, searches and mic input, calendar data, music, photos, credit card information and purchases, identity, passwords, contacts, conversations and location data). Microsoft Windows is also more susceptible to malware and viruses, than alternative systems.
Switching to Linux is a great choice in terms of security and privacy- you don't need necessarily need to use a security distro, any well-maintained stable distro is going to be considerably better than a propriety OS
Switching to Linux is a great choice in terms of security and privac - you don't need necessarily need to use a security distro, any well-maintained stable distro is going to be considerably better than a propriety OS
| Provider | Description |
| --- | --- |
**[Qubes OS](https://www.qubes-os.org/)** (containerized apps) | Open-source security-oriented operating system for single-user desktop computing. It uses virtualisation, to run each application in it's own compartment to avoid data being leaked. It features [Split GPG](https://www.qubes-os.org/doc/split-gpg/), [U2F Proxy](https://www.qubes-os.org/doc/u2f-proxy/), and [Whonix integration](https://www.qubes-os.org/doc/whonix/). Qubes makes is easy to create [disposable VMs](https://www.qubes-os.org/doc/disposablevm/) which are spawned quickly and destroyed when closed. Qubes is [recommended](https://twitter.com/Snowden/status/781493632293605376) by Edward Snowden
**[Whonix](https://www.whonix.org/)** (VM) | Whonix is an anonymous operating system, which can run in a VM, inside your current OS. It is the best way to use Tor, and provides very strong protection for your IP address. It comes bundled with other features too: Keystroke Anonymization, Time Attack Defences, Stream Isolation, Kernel Self Protection Settings and an Advanced Firewall. Open source, well audited, and with a strong community- Whonix is based on Debian, [KickSecure](https://www.whonix.org/wiki/Kicksecure) and [Tor](https://www.whonix.org/wiki/Whonix_and_Tor)
**[Whonix](https://www.whonix.org/)** (VM) | Whonix is an anonymous operating system, which can run in a VM, inside your current OS. It is the best way to use Tor, and provides very strong protection for your IP address. It comes bundled with other features too: Keystroke Anonymization, Time Attack Defences, Stream Isolation, Kernel Self Protection Settings and an Advanced Firewall. Open source, well audited, and with a strong communit - Whonix is based on Debian, [KickSecure](https://www.whonix.org/wiki/Kicksecure) and [Tor](https://www.whonix.org/wiki/Whonix_and_Tor)
**[Tails](https://tails.boum.org/)** (live) | Tails is a live operating system (so you boot into it from a USB, instead of installing). It preserves your privacy and anonymity through having no persistent memory/ leaving no trace on the computer. Tails has Tor built-in system-wide, and uses state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging. Open source, and built on top of Debian. Tails is simple to stup, configure and use
**[Parrot](https://parrotlinux.org/)** (security)| Parrot Linux, is a full Debian-based operating system, that is geared towards security, privacy and development. It is fully-featured yet light-weight, very open. There are 3 edditions: General Purpose, Security and Forensic. The Secure distribution includes its own sandbox system obtained with the combination of [Firejail](https://firejail.wordpress.com/) and [AppArmor](https://en.wikipedia.org/wiki/AppArmor) with custom security profiles. While the Forensics Edition is bundled with a comprehensive suit of security/ pen-testing tools, similar to Kali and Black Arch
**[Discreete Linux](https://www.privacy-cd.org/)** (offline)| Aimed at journalists, activists and whistle-blowers, Discreete Linux is similar to Tails, in that it is booted live from external media, and leaves no/ minimal trace on the system. The aim of the project, was to provide all required cryptographic tools offline, to protect against Trojan-based surveillance
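Review bot: the substitution used in this hunk drops the last letter of the word before the dash: "privacy- you don't" became "privac - you don't" in the opening line, and "strong community- Whonix" became "strong communit - Whonix" in the Whonix row. Restore the full words ("privacy - you", "community - Whonix") and check every other " - " this replacement produced, since the same truncation will have happened wherever a word ended in "- ". The untouched Tails row still reads "simple to stup" and the Parrot row "3 edditions", which could be corrected in the same pass.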
@ -1195,8 +1199,8 @@ Other security-focused distros include: [TENS OS](https://www.tens.af.mil/), [Fe
#### General Purpose Linux Distros
If you do not want to use a specalist security-based distro, or you are new to Unix- then just switching to any well-maintained Linux distro, is going to be significantly more secure and private than Windows or Mac OS.
Since it is open source, major distros are constantly being audited by members of the community. Linux does not give users admin rights by default- this makes is much less likley that your system could become infected with malware. And of course, there is no proprietary Microsoft or Apple software constantly monitoring everything you do.
If you do not want to use a specalist security-based distro, or you are new to Uni - then just switching to any well-maintained Linux distro, is going to be significantly more secure and private than Windows or Mac OS.
Since it is open source, major distros are constantly being audited by members of the community. Linux does not give users admin rights by defaul - this makes is much less likley that your system could become infected with malware. And of course, there is no proprietary Microsoft or Apple software constantly monitoring everything you do.
Some good distros to consider would be: **[Fedora](https://getfedora.org/)**, **[Debian](https://www.debian.org/)**, or **[Arch](https://www.archlinux.org/)**- all of which have a large community behind them. **[Manjaro](https://manjaro.org/)** (based of Arch) is a good option, with a simple install process, used by new comers, and expers alike. **[POP_OS](https://pop.system76.com/)** and **[PureOS](https://www.pureos.net/)** are reasonably new general purpose Linux, with a strong focus on privacy, but also very user-firendly with an intuitive interfac and install process. See [Simple Comparison](https://computefreely.org/) or [Detailed Comparison](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions).
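Review bot: "new to Unix- then" became "new to Uni - then" and "admin rights by default- this" became "by defaul - this"; both lose the final letter, so the lines should read "Unix - then" and "default - this". The hunk also leaves the section half-converted: the closing paragraph still uses the old form in "**[Arch](https://www.archlinux.org/)**- all of which", and "specalist", "this makes is much less likley", "expers", "user-firendly" and "interfac" remain in the lines shown.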
@ -1235,7 +1239,7 @@ After installing your new operating system, or if you have chosen to stick with
**[ShutUp10](https://www.oo-software.com/en/shutup10)** | A portable app that lets you disable core Windows features (such as Cortana, Edge) and control which data is passed to Microsoft. (Note: Free, but not open source)
**[WPD](https://wpd.app/)** | Portable app with a GUI, that makes it really easy to safely block key telemetry features, from sending data to Microsoft and other third parties (It uses the Windows API to interact with key features of Local Group Police, Services, Tasks Scheduler, etc)
**[GhostPress]** | Anti low-level keylogger: Provides full system-wide key press protection, and target window screenshot protection
**[KeyScrambler]** | Provides protection against software keyloggers. Encrypts keypresses at driver level, and decrypts at application level, to protect against common keyloggers- read more about [how it works](https://www.techrepublic.com/blog/it-security/keyscrambler-how-keystroke-encryption-works-to-thwart-keylogging-threats). Developed by Qian Wang
**[KeyScrambler]** | Provides protection against software keyloggers. Encrypts keypresses at driver level, and decrypts at application level, to protect against common keylogger - read more about [how it works](https://www.techrepublic.com/blog/it-security/keyscrambler-how-keystroke-encryption-works-to-thwart-keylogging-threats). Developed by Qian Wang
**[SafeKeys V3.0](http://www.aplin.com.au)** | Portable virtual keyboard. Useful for protecting from keyloggers when using a public computer, as it can run of a USB with no administrative permissions
**[RKill]** | Useful utility, that attempts to terminate known malware processes, so that your normal security software can then run and clean your computer of infections
**[IIS Crypto]** | A utility for configuring encryption protocols, cyphers, hashing methods, and key exchanges for Windows components. Useful for sysadmins on Windows Server
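Review bot: "common keyloggers- read more" became "common keylogger - read more", truncating "keyloggers"; it should be "keyloggers - read more". In the same table the GhostPress, KeyScrambler, RKill and IIS Crypto rows use bare bracketed names (`**[GhostPress]**`) with no inline URL, so they only render as links if matching reference definitions exist elsewhere in the file; "Local Group Police" in the WPD row should be "Local Group Policy" and "run of a USB" in the SafeKeys row "run off a USB".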
@ -1251,10 +1255,10 @@ After installing your new operating system, or if you have chosen to stick with
**[SpyDish](https://github.com/mirinsoft/spydish)** | Open source GUI app built upon PowerShell, allowing you to perform a quick and easy privacy check, on Windows 10 systems. Highlights many serious issues, and provides assistance with fixing
**[SharpApp](https://github.com/mirinsoft/sharpapp)** | Open source GUI app built upon PowerShell, for disabling telemetry functions in Windows 10, uninstalling preinstalled apps, installing software packages and automating Windows tasks with integrated PowerShell scripting
**[Debotnet](https://github.com/Mirinsoft/Debotnet)** | Light-weight, portable app for controlling the many privacy-related settings within Windows 10- with the aim of helping to keep private data, private
**[PrivaZer](https://privazer.com/)** | Good alternative to CCleaner, for deleting unnecissary data- logs, cache, history, etc
**[PrivaZer](https://privazer.com/)** | Good alternative to CCleaner, for deleting unnecissary dat - logs, cache, history, etc
#### Word of Warning
(The above software was last tested on 01/05/20). Many of the above tools are not necessary or suitable for beginners, and can cause your system to break- only use sofware that you need, according to your threat moedl. Take care to only download from an official/ legitimate source, verify the executable before proceeding, and check reviews/ forums. Create a system restore point, before making any significant changes to your OS (such as disabling core features). From a security and privacy perspective, Linux may be a better option.
(The above software was last tested on 01/05/20). Many of the above tools are not necessary or suitable for beginners, and can cause your system to brea - only use sofware that you need, according to your threat moedl. Take care to only download from an official/ legitimate source, verify the executable before proceeding, and check reviews/ forums. Create a system restore point, before making any significant changes to your OS (such as disabling core features). From a security and privacy perspective, Linux may be a better option.
#### See Also
- [github.com/Awesome-Windows/Awesome#security]
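Review bot: "unnecissary data- logs" became "unnecissary dat - logs" and "cause your system to break- only" became "to brea - only"; restore "data - logs" and "break - only". The Debotnet row two lines above still reads "Windows 10- with", so the dash conversion is inconsistent inside one table, and "unnecissary", "sofware" and "threat moedl" are misspellings on the very lines being edited. The "Word of Warning" paragraph could also state the test date in an unambiguous form (01/05/20 reads as either January or May depending on locale).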
@ -1313,7 +1317,7 @@ If you have smart devices within your home, you should consider running the auto
| Provider | Description |
| --- | --- |
**[Home Assistant](https://www.home-assistant.io)** | Open source home automation that puts local control and privacy first- 1500+ integrations. Runs well on a Raspberry Pi, accessible though a web interface and CLI, as well as several controller apps (such as [HassKit](https://play.google.com/store/apps/details?id=com.thhkstudio.hasskit) and the official [Home Assistant App](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android))
**[Home Assistant](https://www.home-assistant.io)** | Open source home automation that puts local control and privacy firs - 1500+ integrations. Runs well on a Raspberry Pi, accessible though a web interface and CLI, as well as several controller apps (such as [HassKit](https://play.google.com/store/apps/details?id=com.thhkstudio.hasskit) and the official [Home Assistant App](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android))
**[OpenHAB](https://www.openhab.org)** | A vendor and technology agnostic open source automation software for your home, with 2000+ supported devices and addons. Works well on a Raspberry Pi, or low-powerd home server, and again there are some great apps for, such as the official [OpenHabb App](https://play.google.com/store/apps/details?id=org.openhab.habdroid) and the [HomeHabit](https://play.google.com/store/apps/details?id=app.homehabit.view) wall dashboard
**[Domoticz](https://www.domoticz.com)** | Another home automation system, Domoticz is more geared towards connecting and monitoring sensors within your space. Allows you to monitor your environment without anyone but you having access to the data
**[Node-RED](https://nodered.org)** | Node-RED is a programming tool for wiring together hardware devices, APIs and online services, it provides a browser-based editor that makes it easy to build flows with a wide range of supported nodes, and it is easy to deploy locally in your network
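Review bot: "privacy first- 1500+ integrations" became "privacy firs - 1500+", cutting "first" to "firs"; the row should read "privacy first - 1500+ integrations". "accessible though a web interface" (through) in the same row and "low-powerd" / "OpenHabb App" in the OpenHAB row are unchanged typos in the lines this hunk shows.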
@ -1474,7 +1478,7 @@ This list is intended to aid you in auditing the security of your own systems, a
- [Kali Linux] - A Debian-based distro for security testing, bundled with 1000's of powerful packages and scripts. Saves a lot of time configuring sys-admin tools and drivers
- [Lynis] - A security tool that performs an extensive health scan of your systems to support system hardening and compliance testing
- [Masscan] - TCP port scanner, that checks packets asynchronously, configure it to check only your IP ranges and it completes in milliseconds
- [Metasploit] - Popular and powerful penetration testing framework, for exploitation and vulnerability validation- bundled with a full suit of tools, it makes it easy to divide your penetration testing workflow into manageable sections. Very useful for testing your entire network E2E
- [Metasploit] - Popular and powerful penetration testing framework, for exploitation and vulnerability validatio - bundled with a full suit of tools, it makes it easy to divide your penetration testing workflow into manageable sections. Very useful for testing your entire network E2E
- [Moloch] - Full packet capture, indexing, and database system. The elastic search backend makes searching through pcaps fast, and the frontend displays captured data clearly with good support for protocol decoding
- [Nikto2] - Well-established web server testing tool, useful for firing at your web server to find known vulnerable scripts, configuration mistakes and related security problems
- [Nmap] - Powerful utility for network discovery and security auditing. Useful for your network inventory, managing service upgrade schedules, and monitoring host or service uptime
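Review bot: "vulnerability validation- bundled" became "vulnerability validatio - bundled"; keep the whole word, "validation - bundled". "full suit of tools" on the same line should be "suite", and "1000's of powerful packages" in the Kali entry is better written "thousands of".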
@ -1561,17 +1565,17 @@ It is a good idea to keep your trusted software base small, to reduce potential
There is often a trade-off between convenience and security. Construct a threat model, and choose a balance that is right for you. In a similar way in some situations there is privacy and security conflict (e.g. Find My Phone is great for security, but terrible for privacy, and anonymous payments may be good for privacy but less secure than insured fiat currency). Again it is about assessing your situation, understanding the risks and making an informed decision.
**Hosted Vs Self-Hosted Considerations**<br>
When using a hosted or managed application that is open-source software- there is often no easyily way to tell if the version running is the same as that of the published source code (even published signatures can be faked). There is always the possibility that additional backdoors may have been knowingly or unknowingly implemented in the running instance. One way round this is to self-host software yourself. When self-hosting you will then know for sure which code is running, however you will also be responsible for the managing security of the server, and so may not be recommended for beginners.
When using a hosted or managed application that is open-source softwar - there is often no easyily way to tell if the version running is the same as that of the published source code (even published signatures can be faked). There is always the possibility that additional backdoors may have been knowingly or unknowingly implemented in the running instance. One way round this is to self-host software yourself. When self-hosting you will then know for sure which code is running, however you will also be responsible for the managing security of the server, and so may not be recommended for beginners.
**Open Source Software Considerations**<br>
Open source software has long had a reputation of being more secure than its closed source counterparts. Since bugs are raised transparently, fixed quickly, the code can be checked by experts in the community and there is usually little or no data collection or analytics.
That being said, there is no piece of software that it totally bug free, and hence never truly secure or private. Being open source, is in no way a guarantee that something is safe. There is no shortage of poorly-written, obsolete or sometimes harmful open source projects on the internet. Some open source apps, or a dependency bundled within it are just plain malicious (such as, that time [Colourama was found in the PyPI Repository](https://hackaday.com/2018/10/31/when-good-software-goes-bad-malware-in-open-source/))
**Proprietary Software Considerations**<br>
When using a hosted or proprietary solution- always check the privacy policy, research the reputation of the organisation, and be weary about which data you trust them with. It may be best to choose open source software for security-critical situations, where possible.
When using a hosted or proprietary solutio - always check the privacy policy, research the reputation of the organisation, and be weary about which data you trust them with. It may be best to choose open source software for security-critical situations, where possible.
**Maintenance**<br>
When selecting a new application, ensure it is still being regularly maintained, as this will allow for recently discovered security issues to be addressed. Software in an alpha or beta phase, may be buggy and lacking in features, but more importantly- it could have critical vulnerabilities open to exploit. Similarly, applications that are no longer being actively maintained may pose a security risk, due to lack of patching. When using a forked application, or software that is based on an upstream code base, be aware that it may receive security-critical patches and updates at a slightly later date than the original application.
When selecting a new application, ensure it is still being regularly maintained, as this will allow for recently discovered security issues to be addressed. Software in an alpha or beta phase, may be buggy and lacking in features, but more importantl - it could have critical vulnerabilities open to exploit. Similarly, applications that are no longer being actively maintained may pose a security risk, due to lack of patching. When using a forked application, or software that is based on an upstream code base, be aware that it may receive security-critical patches and updates at a slightly later date than the original application.
**This List: Disclaimer**<br>
This list contains packages that range from entry-level to advanced, a lot of the software here will not be appropriate for all audiences. It is in no way a definitive list of secure applications, and aims only to be a guide, a collection of software and services that myself and other contributers have used, and would recommend. There will always be new vulnerabilities discovered or introduced, bugs and security-critical glitches, malicious actors and poorly configured systems. It is up to you to do your research, draw up a threat model, and decide where and how your data are managed.
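Review bot: three words lose their final letter in this hunk: "open-source software- there" became "softwar -", "proprietary solution- always" became "solutio -", and "more importantly- it could" became "importantl -". Each should keep the full word before the spaced dash. While these paragraphs are open, "easyily", "the managing security of the server", "be weary about" (wary) and "contributers" are in the touched or neighbouring lines; the self-hosting paragraph's claim that you "know for sure which code is running" also only holds if you build from the audited source yourself rather than pull a prebuilt image, which is worth a qualifying clause.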
@ -1592,9 +1596,9 @@ If you find something on this list that should no longer be deemed secure or pri
### Thank you
Thank you for checking out this project- I hope you found it somewhat useful 😊
Thank you for checking out this projec - I hope you found it somewhat useful 😊
This list was started by myself- Alicia, with a lot of help + contributions from the community. You can get in contact with me below:
This list was started by mysel - Alicia, with a lot of help + contributions from the community. You can get in contact with me below:
[![Alicia Sykes on Twitter](https://img.shields.io/twitter/follow/Lissy_Sykes?style=social&logo=twitter)](https://twitter.com/Lissy_Sykes)
[![Alicia Sykes on GitHub](https://img.shields.io/github/followers/lissy93?label=Lissy93&style=social)](https://github.com/Lissy93)
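Review bot: "checking out this project- I hope" became "this projec - I hope" and "started by myself- Alicia" became "by mysel - Alicia"; both need the full word restored ("project -", "myself -").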
@ -85,7 +85,7 @@ If you are confident with electronics, then you could also make:
- **USB Data Blocker** - By simple removing the data wires from a USB adapter, you can create a protector to keep you safe while charing your device in public spaces. See [this guide](https://www.instructables.com/id/Making-a-USB-Condom) for more info (note: fast charge will not work)
- **Hardware Encrypted Password Manager** - Even better than a software-encrypted password manager, is the [hardpass0.2](https://bit.ly/3bg4Xi4) which is a very simple hardware-encrypted USB store, using [GnuPG Smart card](https://www.g10code.com/p-card.html), [GNU Password Standard](https://www.passwordstore.org/) and this [source code](https://github.com/girst/hardpass-passwordmanager) all running on a [Pi Zero](https://amzn.to/2Sz0vU4). See also the [Zamek Project](https://bit.ly/36ZJrec), using this [source code](https://github.com/jareklupinski/zamek) to achive a similar functioning hardware-password manager
- **U2F USB Token** - Similar to the FIDO2 2-factor authentication USB keys, [U2f-Zero](https://github.com/conorpp/u2f-zero) by Conor Patrick, lets you turn a Pi Zero into a second-factor auth method. Note: project no longer activley maintained, see [NitroKey](https://github.com/nitrokey) instead
- **True Random Number Generator- Standalone** - The [FST-01](https://www.gniibe.org/FST-01/fst-01.html) is an open source hardware RNG with good documentation, and see the [neug source code](https://salsa.debian.org/gnuk-team/gnuk/neug)
- **True Random Number Generato - Standalone** - The [FST-01](https://www.gniibe.org/FST-01/fst-01.html) is an open source hardware RNG with good documentation, and see the [neug source code](https://salsa.debian.org/gnuk-team/gnuk/neug)
- **PC auto-lock Flash Drive** - Turn a flash drive into a lock/ unlock key for your PC, allowing you to quickly lock your device when needed [deprecated]
- **Headless Pi Zero SSH server** - Create an small test server, that you can SSH into for development, in order to not have to run risky or potentially dangerous code or software directly on your PC, see [this artticle](https://openpunk.com/post/5) for getting started
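Review bot: the bullet title "True Random Number Generator- Standalone" became "Generato - Standalone", truncating "Generator" in a bold heading where it is most visible. The neighbouring bullets keep "simple removing" (simply), "charing", "achive", "activley" and "artticle" unchanged, and the bit.ly links for hardpass and Zamek hide their destination from readers of a security checklist; the direct URLs would be preferable.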
@ -155,7 +155,7 @@ Gadgets that help protect and anonamise your internet, detect & prevent intrusio
#### DIY Networking Hardware
- **[Pi-Hole](https://pi-hole.net)** - Network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. Pi-Hole can significantly speed up your internet, remove ads and block malware. It comes with a nice web interface and a mobile app with monitoring features, it's open source, easy to install and very widley used
- **[IPFire](https://www.ipfire.org)** - A hardened, versatile, state-of-the-art open source firewall based on Linux. Its ease of use, high performance and extensibility make it usable for everyone
- **[PiVPN](https://pivpn.io)** - A simple way to set up a home VPN on a any Debian server. Supports OpenVPN and WireGuard with elliptic curve encryption keys up to 512 bit. Supports multiple DNS providers and custom DNS provividers- works nicley along-side PiHole
- **[PiVPN](https://pivpn.io)** - A simple way to set up a home VPN on a any Debian server. Supports OpenVPN and WireGuard with elliptic curve encryption keys up to 512 bit. Supports multiple DNS providers and custom DNS provivider - works nicley along-side PiHole
- **[E2guardian](http://e2guardian.org)** - Powerful open source web content filter
- **[OpenWRT](https://openwrt.org)** Powerful custom router firmware, with great security, performance and customization features. See more [custom router firmware](/5_Privacy_Respecting_Software.md#router-firmware)
- **[SquidGuard](http://www.squidguard.org)** - A URL redirector software, which can be used for content control of websites users can access. It is written as a plug-in for Squid and uses blacklists to define sites for which access is redirected
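Review bot: "custom DNS provividers- works" became "provivider -", which drops the plural "s" from a word that was already misspelled; the intended text is "custom DNS providers - works nicely alongside Pi-Hole" (fixing "nicley" and "along-side" on the same line). "a any Debian server" earlier in that bullet and "widley" in the Pi-Hole entry are also unchanged; the OpenWRT bullet is missing the " - " separator the other bullets use after the bold name.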
@ -232,7 +232,7 @@ Physical 2-factor authentication keys are a secure and convinient method of auth
- **[NitroKey](https://www.nitrokey.com/)** - An open source secure USB, providing authentication (OTP, U2F and static passwords), email encryption (GnuPG, OpenGPG, S/MIME etc), file encryption (with VeraCrypt, GnuPG and more), key and certificate management and SSH keys for server administration. via [NitroKey.com](https://www.nitrokey.com/)
- **[Secalot](https://www.secalot.com/)** - A small open source USB, that functions as a hardware Hardware crypto wallet, OpenPGP smart card, U2F authenticator, and one-time password generator. via [Secalot.com](https://www.secalot.com/)
- **[Protectimus](https://www.protectimus.com/protectimus-slim-mini/)** - A credit-card sized, slim TOTP hardware token. Allows you to generate 6-digit OTP codes, without the need for a mobile device. Useful as a backup, in case your phone is not accessible. Via [Protectimus.com](https://www.protectimus.com/protectimus-slim-mini/)
- **[Yubikey](https://www.yubico.com/products/)** - Extremely popular, easy-to-use and reliable authentication keys, availible in a variety of form factors- from Micro keys, USB-C, Slim USB-A, and dual lightning + USB. Note, that neither the hardware, nor software is open source. Via [yubico.com](https://www.yubico.com/products/)
- **[Yubikey](https://www.yubico.com/products/)** - Extremely popular, easy-to-use and reliable authentication keys, availible in a variety of form factor - from Micro keys, USB-C, Slim USB-A, and dual lightning + USB. Note, that neither the hardware, nor software is open source. Via [yubico.com](https://www.yubico.com/products/)
- **[Thetis](https://thetis.io)** - Extremely durable, mobile-friendly USB-A FIDO U2F Key. via [Thetis.io](https://thetis.io)
- **[U2F Zero](https://u2fzero.com/)** - Simple, open source U2F token, with write-only keys, tamper-resistance and hardware true random number generator to ensure high entropy.
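Review bot: "a variety of form factors- from" became "form factor - from", silently changing the plural; keep "form factors - from". "availible" on the same line and "hardware Hardware crypto wallet" in the Secalot bullet are unchanged. The U2F Zero bullet here also contradicts the earlier hardware section, which says the project is no longer actively maintained; a matching note would help readers.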
@ -7,7 +7,7 @@ This article explains the considerations you should be aware of when selecting a
## Considerations
### End-to-end Encryption
End-to-end encryption means that messages are encrypted locally on your device, before being sent to your recipient(s). Neither the service provider, nor any actor who intercepts messages can ever decrypt the content. This is important since your data is safe from a data breach, law enforcement warrant, rogue employee or a malicious actor. Avoid apps that offer E2E encryption as an optional feature, as this could increase the chance of a plain text accidentally message being sent. Be aware that some providers offer weak or backdore'd encryption- (often called [Snake Oil Encryption](https://en.wikipedia.org/wiki/Snake_oil_(cryptography))), if the platform is not open source, then there is no way of verifying weather this is the case.
End-to-end encryption means that messages are encrypted locally on your device, before being sent to your recipient(s). Neither the service provider, nor any actor who intercepts messages can ever decrypt the content. This is important since your data is safe from a data breach, law enforcement warrant, rogue employee or a malicious actor. Avoid apps that offer E2E encryption as an optional feature, as this could increase the chance of a plain text accidentally message being sent. Be aware that some providers offer weak or backdore'd encryptio - (often called [Snake Oil Encryption](https://en.wikipedia.org/wiki/Snake_oil_(cryptography))), if the platform is not open source, then there is no way of verifying weather this is the case.
### Open Source
The most secure designs, are the ones you do not have to trust. Without an app being open source, we can not verify that it is truly secure. It may have backdoors, weak cryptography or security vulnerabilities. This is one reason why apps which has fully-open and public source code can be more trustworthy But don't be fooled by false advertising; just because an app uses open source cryptography, does not mean it is fully open source, and hence cannot be verified. The published source code must be complete, and the security design system must be thoroughly documented.
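Review bot: "weak or backdore'd encryption- (often" became "backdore'd encryptio - (often", truncating "encryption"; restore the word. The same sentence has "backdore'd" (backdoored), "a plain text accidentally message" (a plaintext message accidentally being sent) and "verifying weather" (whether), none of which the hunk touches. In the Open Source paragraph, "apps which has" should be "apps which have" and a full stop is missing before "But don't be fooled".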
@ -31,7 +31,7 @@ Sending and receiving messages generates meta data, and this can reveal a lot of
The app should be usable, salable and reliable. One of the biggest dangers is that if the platform fails to reliably deliver messages, users may be forced to fall back to less secure channels. Some smaller messaging services may not have the resources required to build a robust and reliable messaging platform, yet this is essential for security.
### Financing
Building apps and maintaining servers is expensive. Ask yourself - who is paying for all that? Because usually, if a service is free- you're the product. This isn't always the case, as some open source apps are funded by non-profit organisations, who receive donations and sponsorship. But if you cannot easily find out who is behind the app, this should be a red flag.
Building apps and maintaining servers is expensive. Ask yourself - who is paying for all that? Because usually, if a service is fre - you're the product. This isn't always the case, as some open source apps are funded by non-profit organisations, who receive donations and sponsorship. But if you cannot easily find out who is behind the app, this should be a red flag.
### Reputable Developers
Developers should have a solid history of responding to technical problems and legal threats with the platform, as well as a realistic and transparent attitude toward government and law enforcement
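Review bot: "if a service is free- you're the product" became "if a service is fre - you're"; "free" must stay intact. The context paragraph above says the app should be "salable", where "scalable" is almost certainly meant, and the Reputable Developers sentence at the end of the hunk lacks a closing full stop.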
@ -481,47 +481,47 @@ Want to get involved? You can support the continued development of this project
## References 📝
<blockquote>
"2019 Data Breach Investigations Report - EMEA", Verizon Enterprise Solutions, 2020. [Online]. Available: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report-emea.pdf. [Accessed: 25- Apr- 2020]
"2019 Data Breach Investigations Report - EMEA", Verizon Enterprise Solutions, 2020. [Online]. Available: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report-emea.pdf. [Accessed: 25- Ap - 2020]
"Web Browser Privacy: What Do Browsers Say When They Phone Home?", Feb 2020. [Online].
Available: https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf. [Accessed: 27- Apr- 2020]
Available: https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf. [Accessed: 27- Ap - 2020]
"Comments on the Competition and Markets Authority’s interim report on online platforms and digital advertising", Privacyinternational.org, Jan 2020. [Online].
Available: https://privacyinternational.org/sites/default/files/2020-04/20.02.12_CMA_PI_Comments_Interim_Report_FINAL.pdf. [Accessed: 02- May- 2020]
Available: https://privacyinternational.org/sites/default/files/2020-04/20.02.12_CMA_PI_Comments_Interim_Report_FINAL.pdf. [Accessed: 02- Ma - 2020]
"Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design", 1998. [Online].
Available: https://dl.packetstormsecurity.net/cracked/des/cracking-des.htm. [Accessed: 25- Apr- 2020]
Available: https://dl.packetstormsecurity.net/cracked/des/cracking-des.htm. [Accessed: 25- Ap - 2020]
"Digital Identity Guidelines", 2020. [Online].
Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf. [Accessed: 25- Apr- 2020]
Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf. [Accessed: 25- Ap - 2020]
"DNS Security - Getting it Right", Open Rights Group, 2020. [Online].
Available: https://www.openrightsgroup.org/about/reports/dns-security-getting-it-right. [Accessed: 25- Apr- 2020]
Available: https://www.openrightsgroup.org/about/reports/dns-security-getting-it-right. [Accessed: 25- Ap - 2020]
"DNS-over-HTTPS performance | SamKnows", Samknows.com, 2020. [Online].
Available: https://www.samknows.com/blog/dns-over-https-performance. [Accessed: 25- Apr- 2020]
Available: https://www.samknows.com/blog/dns-over-https-performance. [Accessed: 25- Ap - 2020]
J. Eckenrode and S. Friedman, "The state of cybersecurity at financial institutions", 2018. [Online].
Available: https://www2.deloitte.com/us/en/insights/industry/financial-services/state-of-cybersecurity-at-financial-institutions.html. [Accessed: 25- Apr- 2020]
Available: https://www2.deloitte.com/us/en/insights/industry/financial-services/state-of-cybersecurity-at-financial-institutions.html. [Accessed: 25- Ap - 2020]
E. Foundation, "Cracking DES", Shop.oreilly.com, 1998. [Online].
Available: http://shop.oreilly.com/product/9781565925205.do. [Accessed: 25- Apr- 2020]
Available: http://shop.oreilly.com/product/9781565925205.do. [Accessed: 25- Ap - 2020]
"Google data collection, research and findings", Digital Content Next, 2020. [Online].
Available: https://digitalcontentnext.org/blog/2018/08/21/google-data-collection-research/. [Accessed: 25- Apr- 2020]
Available: https://digitalcontentnext.org/blog/2018/08/21/google-data-collection-research/. [Accessed: 25- Ap - 2020]
S. Lekies, B. Stock, M. Wentzel and M. Johns, "The Unexpected Dangers of Dynamic JavaScript", UseNix & SAP, 2020. [Online]. Available: https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf. [Accessed: 25- Apr- 2020]
S. Lekies, B. Stock, M. Wentzel and M. Johns, "The Unexpected Dangers of Dynamic JavaScript", UseNix & SAP, 2020. [Online]. Available: https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf. [Accessed: 25- Ap - 2020]
"Privacy concerns with social networking services", 2020. [Online]. Available: https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services. [Accessed: 25- Apr- 2020]
"Privacy concerns with social networking services", 2020. [Online]. Available: https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services. [Accessed: 25- Ap - 2020]
D. Tian, G. Hernandez, J. Choi, V. Frost, C. Ruales, P. Traynor, H. Vijayakumar, L. Harrison, A. Rahmati, M. Grace and K. Butler, "Vulnerability Analysis of AT Commands Within the Android Ecosystem", Cise.ufl.edu, 2020. [Online].
Available: https://www.cise.ufl.edu/~butler/pubs/usenix18-atcmd.pdf. [Accessed: 25- Apr- 2020]
Available: https://www.cise.ufl.edu/~butler/pubs/usenix18-atcmd.pdf. [Accessed: 25- Ap - 2020]
S. Topuzov, "Phone hacking through SS7 is frighteningly easy and effective", Blog.securegroup.com, 2020. [Online].
Available: https://blog.securegroup.com/phone-hacking-through-ss7-is-frighteningly-easy-and-effective. [Accessed: 25- Apr- 2020]
Available: https://blog.securegroup.com/phone-hacking-through-ss7-is-frighteningly-easy-and-effective. [Accessed: 25- Ap - 2020]
J. Heidemann, Y. Pradkin, R. Govindan, C. Papadopoulos and J. Bannister, "Exploring Visible Internet Hosts through Census and Survey", Isi.edu, 2020. [Online].
Available: https://www.isi.edu/~johnh/PAPERS/Heidemann07c.pdf. [Accessed: 10- May- 2020]
Available: https://www.isi.edu/~johnh/PAPERS/Heidemann07c.pdf. [Accessed: 10- Ma - 2020]
Michalevsky, Y., Boneh, D. and Nakibly, G., 2014. Recognizing Speech From Gyroscope Signals. [online] Usenix.org. Available at: <https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-michalevsky.pdf> [Accessed 26 May 2020].
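Review bot: the find-and-replace that turns `word-` into `word -` drops the last letter of the word before the hyphen in every "Accessed" date in this hunk: `[Accessed: 25- Apr- 2020]` becomes `[Accessed: 25- Ap - 2020]` and `[Accessed: 10- May- 2020]` becomes `[Accessed: 10- Ma - 2020]`. The pattern is evidently consuming the character preceding the hyphen instead of matching after it; the intended output would be `Apr -` and `May -`, but since the `25-` token on the same line is left untouched, the cleanest fix is to leave the citation dates in their original `25- Apr- 2020` form and apply the replacement only to prose.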
74
README.md
@ -40,22 +40,22 @@ Use long, strong and unique passwords, manage them in a secure password manager,
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Use a Strong Password** | Recommended | If your password is too short, or contains dictionary words, places or names- then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with [HowSecureIsMyPassword.net](https://howsecureismypassword.net), to get an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: [securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/)
**Don't reuse Passwords** | Recommended | If someone was to reuse a password, and one site they had an account with suffered a leak, then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect against- use a different password for each of your online accounts
**Use a Strong Password** | Recommended | If your password is too short, or contains dictionary words, places or name - then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with [HowSecureIsMyPassword.net](https://howsecureismypassword.net), to get an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: [securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/)
**Don't reuse Passwords** | Recommended | If someone was to reuse a password, and one site they had an account with suffered a leak, then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect agains - use a different password for each of your online accounts
**Use a Secure Password Manager** | Recommended | For most people it is going to be near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores and auto-fills your login credentials for you. All your passwords will be encrypted against 1 master passwords (which you must remember, and it should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled. A good all-rounder is [BitWarden](https://bitwarden.com), or see [Recommended Password Managers](/5_Privacy_Respecting_Software.md#password-managers)
**Enable 2-Factor Authentication** | Recommended | 2FA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing, malware or a data breach), they will no be able to log into your account. It's easy to get started, download [an authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code that displays in the app on your phone (it works without internet, and the code usually changes every 30-seconds)
**Keep Backup Codes Safe** | Recommended | When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe to prevent loss or unauthorised access. You should store these on paper or in a safe place on disk (e.g. in offline storage or in an encrypted file/drive). Don't store these in your Password Manager as 2FA sources and passwords and should be kept separately.
**Sign up for Breach Alerts** | Optional | After a website suffers a significant data breach, the leaked data often ends up on the internet. There are several websites that collect these leaked records, and allow you to search your email address to check if you are in any of their lists. [Firefox Monitor](https://monitor.firefox.com), [Have i been pwned](https://haveibeenpwned.com) and [DeHashed](https://dehashed.com) allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so that you can change your passwords for the affected accounts. Have i been pwned also has domain-wide notification, where you can receive alerts if any email addresses under your entire domain appear (useful if you use aliases for [anonymous forwarding](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding))
**Shield your Password/ PIN** | Optional | When typing your password in public places, ensure you are not in direct line of site of a CCTV camera and that no one is able to see over your shoulder. Cover your password or pin code while you type, and do not reveal any plain text passwords on screen
**Update Critical Passwords Periodically** | Optional | Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing that all your passwords are long, strong and unique, there is no need to do this too often- annually should be sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes), as it encourages colleagues to select weaker passwords
**Update Critical Passwords Periodically** | Optional | Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing that all your passwords are long, strong and unique, there is no need to do this too ofte - annually should be sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes), as it encourages colleagues to select weaker passwords
**Don’t save your password in browsers** | Optional | Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are not always encrypted, hence could allow someone to gain access into your accounts. Instead use a dedicated password manager to store (and auto-fill) your passwords
**Avoid logging in on someone else’s device** | Optional | Avoid logging on other people's computer, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking is more common here. Using someone else's device is especially dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request browser to not save your credentials, cookies and browsing history.
**Avoid password hints** | Optional | Some sites allow you to set password hints. Often it is very easy to guess answers. In cases where password hints are mandatory use random answers and record them in password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`)
**Never answer online security questions truthfully** | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager
**Never answer online security questions truthfully** | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager. Using real-words is better than random characters, [explained here](https://news.ycombinator.com/item?id=29244870)
**Don’t use a 4-digit PIN** | Optional | Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin. Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code)
**Avoid using SMS for 2FA** | Optional | When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking) and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when you have signal, and can be slow
**Avoid using your PM to Generate OTPs** | Advanced | Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a dedicated [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) on your phone or laptop
**Avoid Face Unlock** | Advanced | Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/) and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password- there are likely photos of your face on the internet, and videos recorded by surveillance cameras
**Avoid Face Unlock** | Advanced | Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/) and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your passwor - there are likely photos of your face on the internet, and videos recorded by surveillance cameras
**Watch out for Keyloggers** | Advanced | A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server. It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password manager can not be intercepted by a hardware keylogger, so if you are on a public computer, consider typing passwords with the on-screen keyboard
**Consider a Hardware Token** | Advanced | A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to verify your identity, instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and [NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled
**Consider Offline Password Manager** | Advanced | For increased security, an encrypted offline password manager will give you full control over your data. [KeePass](https://keepass.info) is a popular choice, with lots of [plugins](https://keepass.info/plugins.html) and community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org) (desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731) (iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up, and store it securely
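Review bot: the same letter-dropping replacement corrupts four rows in this hunk: `places or names-` becomes `places or name -`, `protect against-` becomes `protect agains -`, `too often-` becomes `too ofte -`, and `Unlike your password-` becomes `Unlike your passwor -`. The intended text is `names -`, `against -`, `often -` and `password -`; note too that `(12+ characters)- consider` in the Strong Password row was not touched, so the hyphen spacing is now inconsistent within a single row. Separately, the sentence added to the security-questions row, `Using real-words is better than random characters, [explained here](...)`, should read `real words` (no hyphen) and would be more useful if it stated the reason in the row itself rather than relying solely on the linked discussion.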
@ -76,15 +76,15 @@ This section outlines the steps you can take, to be better protected from threat
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Block Ads** | Recommended | Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. [uBlock Origin](https://github.com/gorhill/uBlock) is a very efficient and open source browser addon, developed by Raymond Hill. <br>When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience
**Ensure Website is Legitimate** | Basic | It may sound obvious, but when you logging into any online accounts, double check the URL is correct. When visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool, such as: [Virus Total URL Scanner](https://www.virustotal.com/gui/home/url), [IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search) if you are unsure
**Ensure Website is Legitimate** | Basic | It may sound obvious, but when you logging into any online accounts, double check the URL is correct. Storing commonly visited sites in your bookmarks is a good way to ensure the URL is easy to find. When visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool, such as: [Virus Total URL Scanner](https://www.virustotal.com/gui/home/url), [IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search) if you are unsure
**Watch out for Browser Malware** | Basic | Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, don't proceed to a website if your browser warns you it may be malicious. Common sighs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware), [how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides) and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal)
**Use a Privacy-Respecting Browser** | Recommended | [Firefox](https://www.mozilla.org/en-US/firefox/new) and [Brave](https://brave.com) are secure, private-by-default browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Microsoft IE and Apple Safari as (without correct configuration) all three of them, collect usage data, call home and allow for invasive tracking. See more: [Privacy Browsers](/5_Privacy_Respecting_Software.md#browsers)
**Use a Privacy-Respecting Browser** | Recommended | [Firefox](https://www.mozilla.org/en-US/firefox/new) (with a few tweaks) and [Brave](https://brave.com) are secure, private-respecting browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Edge and Safari as (without correct configuration) all three of them, collect usage data, call home and allow for invasive tracking. Firefox requires a few changes to achieve optimal security, for example - [arkenfox](https://github.com/arkenfox/user.js/wiki) or [12byte](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs/)'s user.js configs. See more: [Privacy Browsers](/5_Privacy_Respecting_Software.md#browsers)
**Use a Private Search Engine** | Recommended | Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Qwant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) to a privacy-respecting search engine
**Remove Unnecessary Browser Addons** | Recommended | Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while
**Keep Browser Up-to-date** | Recommended | Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. Some browsers will auto-update to the latest stable version
**Check for HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. <br>[HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/)
**Check for HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. <br>[HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/). This is similar to [Smart HTTPS](https://mybrowseraddon.com/smart-https.html). Note that this functionality is now built-in to most modern browsers (re: [#126](https://github.com/Lissy93/personal-security-checklist/issues/126))
**Use DNS-over-HTTPS** | Recommended | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is [Cloudflare's 1.1.1.1](https://1.1.1.1/help), or [compare providers](https://www.privacytools.io/providers/dns)- it is simple to [enable](https://www.maketecheasier.com/enable-dns-over-https-various-browsers) in-browser. Note that DoH comes with it's [own issues](https://blog.mozilla.org/netpolicy/2020/02/25/the-facts-mozillas-dns-over-https-doh/), mostly preventing web filtering
**Multi-Session Containers** | Recommended | Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of [Firefox Containers](https://support.mozilla.org/en-US/kb/containers) which is designed exactly for this purpose. Alternatively, you could use [different browsers for different tasks](https://medium.com/fast-company/incognito-mode-wont-keep-your-browsing-private-do-this-instead-dd64bc812010) (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use [Profiles](https://www.chromium.org/developers/creating-and-using-profiles), or an extension such as [SessionBox](https://sessionbox.io), however this addon is not open source
**Multi-Session Containers** | Recommended | Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of [Firefox Containers](https://support.mozilla.org/en-US/kb/containers) which is designed exactly for this purpose. As mentioned in [#127](https://github.com/Lissy93/personal-security-checklist/issues/127), it's possible to use compartmentalize websites without containers, as done in [@arkenfox's user.js](https://github.com/arkenfox/user.js). Alternatively, you could use [different browsers for different tasks](https://medium.com/fast-company/incognito-mode-wont-keep-your-browsing-private-do-this-instead-dd64bc812010) (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use [Profiles](https://www.chromium.org/developers/creating-and-using-profiles), or an extension such as [SessionBox](https://sessionbox.io), however this addon is not open source
**Use Incognito** | Recommended | When using someone else's machine, ensure that you're in a private/ incognito session (Use `Ctrl+Shift+N`/ `Cmd+Shift+N`). This will prevent browser history, cookies and some data being saved, but is not [fool-proof](https://www.howtogeek.com/117776/htg-explains-how-private-browsing-works-and-why-it-doesnt-offer-complete-privacy/)- you can still be tracked
**Understand Your Browser Fingerprint** | Recommended | Browser [Fingerprinting](https://pixelprivacy.com/resources/browser-fingerprinting) is an incredibly accurate method of tracking, where a website identifies you based on your device information, including: browser and OS versions, headers, time zone, installed fonts, plugins and applications and sometimes device hardware among other data points. You can view your fingerprint at [amiunique.org](https://amiunique.org/fp)- The aim is to be as un-unique as possible
**Manage Cookies** | Recommended | Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials (often called [Session Hijacking](https://en.wikipedia.org/wiki/Session_hijacking)). <br>To mitigate this you should [clear cookies](https://kb.iu.edu/d/ahic) often. [Self Destructing Cookies](https://add0n.com/self-destructing-cookies.html) is a browser addon, which will kill cookies when you close the browser
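Review bot: three wording slips in the new text of this hunk. The Privacy-Respecting Browser row now says `secure, private-respecting browsers` (should be `privacy-respecting`), and `Firefox (with a few tweaks)` duplicates the later sentence `Firefox requires a few changes to achieve optimal security`, so one of the two can go; the link text `[12byte](https://12bytes.org/...)` should be `12bytes` to match the site; and the Multi-Session Containers row reads `it's possible to use compartmentalize websites without containers`, which should be `it's possible to compartmentalize websites without containers`. The Check for HTTPS row also adds `Note that this functionality is now built-in to most modern browsers (re: #126)` yet still opens by recommending the HTTPS-Everywhere addon; since the row's own note says the addon is redundant, lead with the browser's built-in HTTPS-only mode and demote the addon to a fallback, and drop the issue-tracker references (`re: #126`, `As mentioned in #127`) from reader-facing checklist text.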
@ -129,7 +129,7 @@ Nearly 50 years since the first email was sent, it's still very much a big part
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security is paramount for your digital safety.
The big companies providing "free" email service, don't have a good reputation for respecting users privacy: Gmail was caught giving [third parties full access](https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442) to user emails and also [tracking all of your purchases](https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html). Yahoo was also caught scanning emails in real-time [for US surveillance agencies](http://news.trust.org/item/20161004170601-99f8c) Advertisers [were granted access](https://thenextweb.com/insider/2018/08/29/both-yahoo-and-aol-are-scanning-customer-emails-to-attract-advertisers) to Yahoo and AOL users messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
The big companies providing "free" email service, don't have a good reputation for respecting users privacy: Gmail was caught giving [third parties full access](https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442) to user emails and also [tracking all of your purchases](https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html). Yahoo was also caught scanning emails in real-time [for US surveillance agencies](http://news.trust.org/item/20161004170601-99f8c) Advertisers [were granted access](https://thenextweb.com/insider/2018/08/29/both-yahoo-and-aol-are-scanning-customer-emails-to-attract-advertisers) to Yahoo and AOL users messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.” (disputed in [#46](https://github.com/Lissy93/personal-security-checklist/issues/46))
**Security** | **Priority** | **Details and Hints**
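Review bot: appending `(disputed in [#46](...))` to the Yahoo/AOL sentence leaves readers with a claim the maintainers themselves flag as contested, without saying what is contested; either reword the sentence to what the linked sources actually support or remove it, rather than pointing at the issue tracker from an introductory paragraph. While this line is being edited, the preceding sentence is missing its full stop: `[for US surveillance agencies](...) Advertisers` should be `agencies). Advertisers`.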
@ -148,11 +148,11 @@ The big companies providing "free" email service, don't have a good reputation f
**Use a Custom Domain** | Advanced | Using a custom domain, means that even you are not dependent on the address assigned my your mail provider. So you can easily switch providers in the future and do not need to worry about a service being discontinued
**Sync with a client for backup** | Advanced | Further to the above, to avoid loosing temporary or permanent access to your emails during an unplanned event (such as an outage or account lock). Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your primary device
**Be Careful with Mail Signatures** | Advanced | You do not know how secure of an email environment the recipient of your message may have. There are several extensions (such as [ZoomInfo](https://www.zoominfo.com)) that automatically crawl messages, and create a detailed database of contact information based upon email signitures, and sometimes message content. If you send an email to someone who has something like this enabled, then you are unknowingly entering your details into this database
**Be Careful with Auto-Replies** | Advanced | Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much information- which can be used in social engineering and targeted attacks
**Be Careful with Auto-Replies** | Advanced | Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much informatio - which can be used in social engineering and targeted attacks
**Choose the Right Mail Protocol** | Advanced | Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security.
**Self-Hosting** | Advanced | Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is critical yet requires strong networking knowledge - [read more](https://www.reddit.com/r/selfhosted/comments/6h88qf/on_selfhosted_mail_servers/). That being said, if you run your own mail server, you will have full control over your emails. [Mail-in-a-box](https://github.com/mail-in-a-box/mailinabox) and [docker-mailserver](https://github.com/tomav/docker-mailserver) are ready-to-deploy correctly-configured mail servers that provide a good starting point
**Always use TLS Ports** | Advanced | There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely supported so should always be used instead of plaintext email ports. By default, the ports are: POP3= 995, IMAP=993 and SMTP= 465
**DNS Availability** | Advanced | For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails
**DNS Availability** | Advanced | For self-hosted mail servers, to prevent DNS problems impacting availabilit - use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails
**Prevent DDoS and Brute Force Attacks** | Advanced | For self-hosted mail servers (specifically SMTP), limit your total number of simultaneous connections, and maximum connection rate to reduce the impact of attempted bot attacks
**Maintain IP Blacklist** | Advanced | For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks. You may also want to activate a [reverse DNS lookup](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) system
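Review bot: the find-and-replace that turned "word-" into "word -" also dropped the last letter of the preceding word in this hunk, so the new Be Careful with Auto-Replies row reads "too much informatio - which" and the new DNS Availability row reads "impacting availabilit - use". Restore the missing letters ("information - which", "availability - use") and check every other row touched by this PR for the same pattern before merging.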
@ -166,17 +166,17 @@ The big companies providing "free" email service, don't have a good reputation f
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Only Use Fully End-to-End Encrypted Messengers** | Recommended | [End-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) is a system of communication where messages are encrypted on your device and not decrypted until they reach the intend recipient. This ensures that any actor who intercepts traffic cannot read the message contents, nor can the anybody with access to the central servers where data is stored. Note that if an app is not completely open source, the extent to which the encryption is implemented cannot be verified, and it should not be trusted.
**Use only Open Source Messaging Platforms** | Recommended | If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. Therefore propriety applications should not be trusted for communicating sensitive information. In open source echosystems, bugs are raised transparently and are usually fixed quickly, and version histories can show who added what, and when. When downloading a pre-built package, you can verify that it has not been tampered with by [doing a hash check](https://proprivacy.com/guides/how-why-and-when-you-should-hash-check) and comparing the digital signatures. It's important to note that, no piece of software that it totally bug free, and hence never truly secure or private- being open source, is in no way a guarantee that something is safe
**Use only Open Source Messaging Platforms** | Recommended | If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. Therefore propriety applications should not be trusted for communicating sensitive information. In open source echosystems, bugs are raised transparently and are usually fixed quickly, and version histories can show who added what, and when. When downloading a pre-built package, you can verify that it has not been tampered with by [doing a hash check](https://proprivacy.com/guides/how-why-and-when-you-should-hash-check) and comparing the digital signatures. It's important to note that, no piece of software that it totally bug free, and hence never truly secure or privat - being open source, is in no way a guarantee that something is safe
**Use a "Trustworthy" Messaging Platform** | Recommended | When selecting an encrypted messaging app, ensure it's fully open source. It should be stable and actively maintained. Ideally it should be backed by reputable developers or at least be fully clear where funding originates from and/ or what their revenue model is. It should have undergone an independent code audit, with results publicly published
**Check Security Settings** | Recommended | Enable security settings, including contact verification, security notifications and encryption. Disable optional non-security features such as read receipt, last online and typing notification. If the app supports cloud sync either for backup or for access through a desktop or web app companion, this increases the attack surface and so should be disabled
**Ensure your Recipients Environment is Secure** | Recommended | Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a communications channel, is to target the individual or node with the least protection. They may not even be aware that their environment has been compromised, leading to sensitive information being captured by an adversary. The best solution to this is to educate and inform the participants in your conversation, about good security practices. Focus on secure authentication, device encryption, network security and malware prevention
**Disable Cloud Services** | Recommended | Some mobile messaging apps offer a web or desktop companion. This not only increases attack surface, but it has been linked to several [critical security issues](https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/), and should therefore be avoided, if possible. Some messaging apps also offer a cloud backup feature. Again there a serious security issues with many of these implementations, for example WhatsApp [backups are not encrypted](https://www.ghacks.net/2018/09/04/whatsapp-backups-android/), and so with this feature available, you chat history may be breached. Again, this should be [disabled](https://www.techuntold.com/stop-whatsapp-backup-iphone-android/).
**Disable Cloud Services** | Recommended | Some mobile messaging apps offer a web or desktop companion. This not only increases attack surface, but it has been linked to several [critical security issues](https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/), and should therefore be avoided, if possible. Some messaging apps also offer a cloud backup feature. Again there a serious security issues with many of these implementations, for example WhatsApp backups ~~[are not encrypted](https://www.ghacks.net/2018/09/04/whatsapp-backups-android/)~~ not encrypted by default and when enabled [the key still remains in control of WhatsApp](https://github.com/Lissy93/personal-security-checklist/issues/132#issuecomment-1094356009), and so with this feature available, you chat history may be breached. Again, where possible this should be [disabled](https://www.techuntold.com/stop-whatsapp-backup-iphone-android/).
**Secure Group Chats** | Recommended | That the risk of compromise will rise exponentially, the more participants are in a group, as the attack surface increases. There is also a higher chance that an adversary lurking among the members can go unnoticed. Periodically check that all participants are legitimate, and ensure only trusted members have admin privileges. It may sometimes be worth only sharing sensitive information within smaller groups. Note that with some messengers, not all group chats are encrypted (especially if one recipient is on an [older](https://graziadaily.co.uk/life/real-life/whatsapp-group-chats-actually-encrypted-theres-way-find/) version)
**Create a Safe Environment for Communication** | Recommended | There are several stages where your digital communications could be monitored or intercepted. This includes: Your or your participants device, your ISP, national gateway or government logging, the messaging provider, the servers. You can help protect from these risks by: paying attention to your surroundings, keeping your devices up-to-date, avoiding malware, watching out for phishing attacks, relying on trustworthy services, creating strong passwords and second-factor authentication, using encryption and helping those with whom you communicate do the same. If you are concerned about your communications being intercepted, consider using a reputable VPN provider, or routing traffic through Tor
**Agree on a Communication Plan** | Optional | In certain situations (such as attending a protest, communicating with a source or traveling to a risky location), it may be worth making a communication plan. This should include primary and backup methods of securely getting in hold with each other, (in order to avoid falling back on insecure technologies). You may wish to include procedures to implement in potential situations, e.g. to signal for help or assistance
**Strip Meta-Data from Media** | Optional | [Metadata](https://www.maketecheasier.com/understanding-metadata-and-privacy/) is "Data about Data" or additional information attached to a file or transaction. When you send a photo, audio recording, video or document you may be revealing more than you intended to, or [leaking your location](https://nakedsecurity.sophos.com/2012/12/03/john-mcafee-location-exif/). For example [Exif data](https://en.wikipedia.org/wiki/Exif) attached to images typically includes: Device name and model, author, time & date taken, GPS location (latitude & longitude) and photography information. In order to protect privacy, you should [remove](https://en.wikipedia.org/wiki/Metadata_removal_tool) this data before uploading and file or media item. Some apps strip this information out automatically, but they may be logging it before doing so
**Defang URLs** | Optional | Sending links via WhatsApp, Slack, Apple Messenger, Wire, Facebook and other services can unintentionally [expose your personal information](https://hunch.ly/osint-articles/osint-article-how-to-blow-your-online-cover). This is because, when a thumbnail or preview is generated- it happens on the client-side, and therefore causes your IP, user-agent, device info to be logged. This broadcasts to the website owner that you are discussing that website. One way around this, is to [defang](https://privacymatters.ubc.ca/blocking-email-links-why-we-use-hxxp-emails) your URLs (e.g. `https://www.example.com` --> `hxxps://www[.]example[.]com`), using a VPN will also help protect your IP
**Verify your Recipient** | Optional | Your communication is only as secure as it's weakest link- Always ensure you are talking to the intended recipient, and that they have not been compromised. One method for doing so is to use an app which supports contact verification. This is a powerful feature that enables users to trust the destination, and ensure the conversation has not been hijacked. It usually takes the form of comparing fingerprint codes, even over a phone call or in real life via scanning a QR code. If you believe you may be targeted, use a secure messenger that provides reliable indicators of compromise, where both parties will be notified if there have been any changes
**Defang URLs** | Optional | Sending links via WhatsApp, Slack, Apple Messenger, Wire, Facebook and other services can unintentionally [expose your personal information](https://hunch.ly/osint-articles/osint-article-how-to-blow-your-online-cover). This is because, when a thumbnail or preview is generate - it happens on the client-side, and therefore causes your IP, user-agent, device info to be logged. This broadcasts to the website owner that you are discussing that website. One way around this, is to [defang](https://privacymatters.ubc.ca/blocking-email-links-why-we-use-hxxp-emails) your URLs (e.g. `https://www.example.com` --> `hxxps://www[.]example[.]com`), using a VPN will also help protect your IP
**Verify your Recipient** | Optional | Your communication is only as secure as it's weakest lin - Always ensure you are talking to the intended recipient, and that they have not been compromised. One method for doing so is to use an app which supports contact verification. This is a powerful feature that enables users to trust the destination, and ensure the conversation has not been hijacked. It usually takes the form of comparing fingerprint codes, even over a phone call or in real life via scanning a QR code. If you believe you may be targeted, use a secure messenger that provides reliable indicators of compromise, where both parties will be notified if there have been any changes
**Enable Ephemeral Messages** | Optional | You cannot always rely on the physical security of your device. Self-destructing messages is a really neat feature the causes your messages to automatically delete after a set amount of time. This means that if your device is lost, stolen or seized, an adversary will only have access to the most recent communications. Unlike remote erase, disappearing messages does not require your device to be remotely accessible or have signal. You are able to vary this time frame from weeks all the way down to just a few seconds, depending on your threat model. Without disappearing messages enabled, you should periodically delete conversation history, in case your device is breached
**Avoid SMS** | Optional | SMS may be convenient, but it's [not secure](https://en.wikipedia.org/wiki/SMS#Vulnerabilities). It is susceptible to threats, such as [interception](https://en.wikipedia.org/wiki/IMSI-catcher), [sim swapping](https://www.schneier.com/blog/archives/2020/01/sim_hijacking.html), manipulation and [malware](https://www.securitynewspaper.com/2019/09/13/hack-any-mobile-phone-with-just-a-sms). If you must use SMS, then you should encrypt messages before sending. One option is to use [Silence](https://silence.im/), an Android app that provides end-to-end encryption for SMS
**Watch out for Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usages. Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very evasive, and can sometimes reveal your identity as well as personal information that you would otherwise not intend to share. You can check how many, and which trackers a given app uses, by searching it in [Exodus Privacy](https://reports.exodus-privacy.eu.org/en/)
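Review bot: the same letter-dropping replacement hits three rows in this hunk: "never truly secure or privat -" should be "private -", "when a thumbnail or preview is generate -" should be "generated -", and "only as secure as it's weakest lin -" should be "link -" (with "its", not "it's"). In the Disable Cloud Services row, keeping the superseded claim as `~~...~~` strikethrough inside the table cell leaves "WhatsApp backups ~~are not encrypted~~ not encrypted by default ..." with no verb; drop the struck-out fragment and write "WhatsApp backups are not encrypted by default, and when enabled the key still remains in control of WhatsApp" with the issue link on it, and fix "you chat history" to "your chat history" on the same line.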
@ -199,7 +199,7 @@ Secure your account, lock down your privacy settings, but know that even after d
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Secure your Account** | Recommended | Social media profiles get stolen or taken over all too often. To protect your account: use a unique and strong password, and enable 2-factor authentication. See the [Authentication](#authentication) section for more tips
**Check Privacy Settings** | Recommended | Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. But remember, privacy settings are only meant to protect you from other members of the social network- they do not shield you or your data from the owners of the network. See how to set privacy settings, with [this guide](https://securityinabox.org/en/guide/social-networking/)
**Check Privacy Settings** | Recommended | Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. But remember, privacy settings are only meant to protect you from other members of the social networ - they do not shield you or your data from the owners of the network. See how to set privacy settings, with [this guide](https://securityinabox.org/en/guide/social-networking/)
**Think of All Interactions as Public** | Recommended | There are still numerous methods of viewing a users 'private' content across many social networks. Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?"
**Think of All Interactions as Permanent** | Recommended | Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party services, who archive this data and make it indexable and publicly available almost [forever](https://www.inc.com/meredith-fineman/what-we-post-online-is-forever-and-we-need-a-reminder.html). Sites like Ceddit, and [/r/undelete](https://www.reddit.com/r/undelete/), [Politwoops](https://projects.propublica.org/politwoops/), The [Way Back Machine](https://archive.org/web/) allow anyone to search through deleted posts, websites and media. Therefore it's important to not unintentially reveal too much information, and to consider what the implications would be if it were to go 'viral'
**Don't Reveal too Much** | Recommended | Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc)
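Review bot: "other members of the social networ - they do not shield you" drops the final letter of "network"; the new Check Privacy Settings row should read "other members of the social network - they do not shield you or your data from the owners of the network".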
@ -207,11 +207,11 @@ Secure your account, lock down your privacy settings, but know that even after d
**Don't Share Email or Phone Number** | Recommended | Posting your real email address or mobile number, gives hackers, trolls and spammers more munition to use against you, and can also allow seperate alliases, profiles or data points to be connected
**Don't Grant Unnecessary Permissions** | Recommended | By default many of the popular social networking apps will ask for permission to access your contacts, call log, location, messaging history etc.. If they don’t need this access, don’t grant it. For Android users, check out [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission) - an app that gives you the ability to grant permissions temporarily
**Be Careful of 3rd-Party Integrations** | Recommended | Avoid signing up for accounts using a Social Network login, revoke access to social apps you no longer use, see instructions for: [Facebook](https://www.facebook.com/settings?tab=applications), [Twitter](https://twitter.com/settings/applications), [Insta](https://www.instagram.com/accounts/manage_access/) and [LinkedIn](https://www.linkedin.com/psettings/permitted-services)
**Avoid Publishing Geo Data while still Onsite** | Recommended | If you plan to share any content that reveals a location (such as 'checking in', sharing photos, or status updates that reveal your location), then wait until you have left that place. This is particularly important when you are taking a trip, at a restaurant, campus, hotel/ resort, public building or airport- as it may alert the wrong people to your exact whereabouts
**Avoid Publishing Geo Data while still Onsite** | Recommended | If you plan to share any content that reveals a location (such as 'checking in', sharing photos, or status updates that reveal your location), then wait until you have left that place. This is particularly important when you are taking a trip, at a restaurant, campus, hotel/ resort, public building or airpor - as it may alert the wrong people to your exact whereabouts
**Remove metadata before uploading media** | Optional | Most smartphones and some cameras automatically attach a comprehensive set of additional data (called [EXIF data](https://en.wikipedia.org/wiki/Exif)) to each photograph. This usually includes things like time, date, location, camera model, user etc. It can reveal a lot more data than you intended to share. Remove this data before uploading. You can remove meta data [without any special software](https://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/), use [a CLI tool](https://www.funkyspacemonkey.com/how-to-remove-exif-metadata), or a desktop tool like [EXIF Tage Remover](https://rlvision.com/exif/)
**Implement Image Cloaking** | Advanced | Tools like [Fawkes](http://sandlab.cs.uchicago.edu/fawkes/) can be used to very subtly, slightly change the structure of faces within photos in a way that is imperceptible by humans, but will prevent facial recognition systems from being able to recognize a given face. This can help prevent facial recognition search engines (such as PimEyes, Kairos, Amazon Rekognition etc) from linking your photos with your online profiles, identity or other photos
**Consider Spoofing GPS in home visinity** | Advanced | Even if you yourself never use social media, strip geo-data from all media and disable device radios- there is always going to be others who are not as careful, and could reveal your location. For example, if you have guests, family members or visitors to your home residence, their device will likley be recording GPS and logging data. One method around this, is to use an SDR to [spoof GPS signals](https://www.rtl-sdr.com/tag/gps-spoofing/), causing all devices in the visinity to believe they are in a different, pre-defined location
**Consider False Information** | Advanced | If you just want to read, and do not intend on posting too much- consider using an alias name, and false contact details. Remember that there are still methods of tracing your account back to you, but this could mitigate a lot of threats. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Don't link accounts in any way- don't comment on / liking inter-account posts, avoid logging in from the same IP and use different passwords (so the accounts cannot be linked in the case of a data breach)
**Consider Spoofing GPS in home visinity** | Advanced | Even if you yourself never use social media, strip geo-data from all media and disable device radio - there is always going to be others who are not as careful, and could reveal your location. For example, if you have guests, family members or visitors to your home residence, their device will likley be recording GPS and logging data. One method around this, is to use an SDR to [spoof GPS signals](https://www.rtl-sdr.com/tag/gps-spoofing/), causing all devices in the visinity to believe they are in a different, pre-defined location
**Consider False Information** | Advanced | If you just want to read, and do not intend on posting too muc - consider using an alias name, and false contact details. Remember that there are still methods of tracing your account back to you, but this could mitigate a lot of threats. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Don't link accounts in any wa - don't comment on / liking inter-account posts, avoid logging in from the same IP and use different passwords (so the accounts cannot be linked in the case of a data breach)
**Don’t have any social media accounts** | Advanced | Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any mainstream social networks
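Review bot: three changed rows lose a letter at the replaced hyphen: "public building or airpor -" should be "airport -", "disable device radio -" should be "radios -", and the Consider False Information row has both "posting too muc -" (should be "much -") and "Don't link accounts in any wa -" (should be "way -"). Since the Consider Spoofing GPS row is already being edited, also correct "visinity" (twice) to "vicinity" and "likley" to "likely" on that line.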
**Recommended Software**
@ -267,9 +267,9 @@ This section covers how you connect your devices to the internet securely, inclu
Smart phones have revolutionized so many aspects of life and brought the world to our fingertips. For many of us, smart phones are our primary means of communication, entertainment and access to knowledge. But while they've brought convenience to whole new level, there's some ugly things going on behind the screen.
Geo-tracking is used to trace our every move, and we have little control over who has this data- your phone is even able to [track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371). Over the years numerous reports that surfaced, outlining ways in which your phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html), and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent. And then there's the malicious apps, lack of security patches and potential/ likely backdoors.
Geo-tracking is used to trace our every move, and we have little control over who has this dat - your phone is even able to [track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371). Over the years numerous reports that surfaced, outlining ways in which your phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html), and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent. And then there's the malicious apps, lack of security patches and potential/ likely backdoors.
Using a smart phone generates a lot of data about you- from information you intentionally share, to data silently generated from your actions. It can be scary to see what Google, Microsoft, Apple and Facebook know about us- sometimes they know more than our closest family. It's hard to comprehend what your data will reveal, especially in conjunction with other data.
Using a smart phone generates a lot of data about yo - from information you intentionally share, to data silently generated from your actions. It can be scary to see what Google, Microsoft, Apple and Facebook know about u - sometimes they know more than our closest family. It's hard to comprehend what your data will reveal, especially in conjunction with other data.
This data is used for [far more than just advertising](https://internethealthreport.org/2018/the-good-the-bad-and-the-ugly-sides-of-data-tracking/) - more often it's used to rate people for finance, insurance and employment. Targeted ads can even be used for fine-grained surveillance (see [ADINT](https://adint.cs.washington.edu))
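Review bot: "who has this dat - your phone" should be "data - your phone", and in the following paragraph "data about yo -" and "know about u -" should be "you -" and "us -". The first of those lines also still ends its camera link with the old unspaced form "[camera can watch you](...)- all without your knowledge", so the hunk applies its own spacing change to only one of the two hyphens on that line; change it to "- all" the same way so the sentence is consistent.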
@ -284,8 +284,9 @@ More of us are concerned about how [governments use collect and use our smart ph
**App Permissions** | Recommended | Don’t grant apps permissions that they don’t need. For Android, [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission) is an app that allows you you to grant temporary/ 1-off permissions.
**Only install Apps from official source** | Recommended | Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading .apk or .ipa files from unverified source, unless you know it is safe. Also check the reviews, and app info before downloading a new application.
**Be Careful of Phone Charging Threats** | Optional | [Juice Jacking](https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations) is when hackers use public charging stations to install malware on your smartphone or tablet through a compromised USB port. You can mitigate this, either by using a power bank or AC wall charger, or by using a simple data blocker device (See [USB Condom](https://shop.syncstop.com/products/usb-condom?variant=35430087052) or [PortaPow Blocker](http://portablepowersupplies.co.uk/))
**Set up a mobile carrier PIN** | Recommended | [SIM hijacking](https://securelist.com/large-scale-sim-swap-fraud/90353/) is when a hacker is able to get your mobile number transferred to their sim (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), or to pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account. Using a non-SMS based 2FA method will reduce the damage, [Read more](https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html) about the sim swap scam.
**Set up a mobile carrier PIN** | Recommended | [SIM hijacking](https://securelist.com/large-scale-sim-swap-fraud/90353/) is when a hacker is able to get your mobile number transferred to their sim (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), reset passwords, or to pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account. This varies between cell providers, so consult your mobile carrier for setup instructions. Using a non-SMS based 2FA method will reduce the damage, [Read more](https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html) about the sim swap scam.
**Opt-out of Caller ID Listings** | Optional | When one of your friends or colleagues has your number in their contacts, and also has a caller ID app, then your Name, Phone Number and any other saved contact details will be uploaded. To keep your details private, you can unlist it here: [TrueCaller](https://www.truecaller.com/unlisting), [CallApp](https://callapp.com/how-to/unlist-phone-number), [SyncMe](https://sync.me/optout), [cia-app](https://cia-app.com/self-service/delist-number), [Hiya](https://hiyahelp.zendesk.com/hc/en-us/requests/new?ticket_form_id=824667). Note that it is possible to opt-out, even before your number has been added, and this will prevent your details being uploaded in the future.
**Use Offline Maps** | Optional | One of potential for data leaks is your map app which has access to your precise location, e.g. Google Maps which collects plenty of private data. Consider using an offline maps app, such as [OsmAnd](https://osmand.net/) or [Organic Maps](https://organicmaps.app/)
**Opt-out of personalized ads** | Optional | In order for ads to be personalized, Google collects data about you, you can slightly reduce the amount they collect by opting-out of seeing personalized ads. See [this guide](https://www.androidguys.com/tips-tools/how-to-disable-personalized-ads-on-android/), for Android instructions.
**Erase after too many login attempts** | Optional | To protect against an attacker brute forcing your pin, if you lose your phone, set your device to erase after too many failed login attempts. See [this iPhone guide](https://www.howtogeek.com/264369/how-to-erase-your-ios-device-after-too-many-failed-passcode-attempts/). You can also do this via Find my Phone, but this increased security comes at a cost of decreased privacy.
|
||||
**Monitor Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usages. [εxodus](https://reports.exodus-privacy.eu.org/en/) is a great service which lets you search for any app, by its name, and see which trackers are embedded in it. They also have [an app](https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy) which shows trackers and permissions for all your installed apps.
|
||||
@ -314,31 +315,31 @@ Although Windows and OS X are easy to use and convenient, they both are far from
|
||||
--- | --- | ---
|
||||
**Keep your System up-to-date** | Recommended | New vulnerabilities are constantly being discovered. System updates contain fixes/ patches for these security issues, as well as improve performance and sometimes add new features. You should install new updates when prompted, to avoid any critical issues on your system from being exploited
|
||||
**Encrypt your Device** | Recommended | If your computer is stolen, seized or falls into the wrong hands, without full disk encryption anyone is able to access all of your data, without a password (by booting to a live USB or removing the hard drive). You can enable encryption very easily, using [BitLocker](https://support.microsoft.com/en-us/help/4028713/windows-10-turn-on-device-encryption) for Windows, [FileVault](https://support.apple.com/en-us/HT204837) on MacOS, or by enabling [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) on Linux, during install. Or using an open source, program, such as [VeraCrypt](https://www.veracrypt.fr/en/Home.html) or [DiskCryptor](https://www.diskcryptor.org/). For encrypting cloud files, consider [Cryptomator](https://cryptomator.org/) or [CryFS](https://www.cryfs.org/). Note that you should select a long and strong password, and keep it somewhere safe, as there is no way to recover your password if you loose it
|
||||
**Backup Important Data** | Recommended | Maintaining a copy of important data will prevent loss in the case of ransomware, theft or damage to your system. You should encrypt these backups, to keep the data safe. One solution would be to use [Cryptomator](https://cryptomator.org/) to encrypt files, and then sync them to a regular cloud storage provider. Or you could have a USB drive, with an encrypted volume (e.g. using [VeraCrypt](https://www.veracrypt.fr/en/Home.html)). The best backup solution, should include 2 additional copies of your data- such as a physical off-site copy, and a cloud copy of your data
|
||||
**Backup Important Data** | Recommended | Maintaining a copy of important data will prevent loss in the case of ransomware, theft or damage to your system. You should encrypt these backups, to keep the data safe. One solution would be to use [Cryptomator](https://cryptomator.org/) to encrypt files, and then sync them to a regular cloud storage provider. Or you could have a USB drive, with an encrypted volume (e.g. using [VeraCrypt](https://www.veracrypt.fr/en/Home.html)). The best backup solution, should include 2 additional copies of your dat - such as a physical off-site copy, and a cloud copy of your data
|
||||
**Be Careful Plugging USB Devices into your Computer** | Recommended | Think before inserting a USB device into your PC, as there are many threats that come in the form of a USB device. Something like a [USB Killer](https://usbkill.com/products/usb-killer-v3) will destroy your computer, by rapidly charging and discharging capacitors. A Bad USB (such as [Malduino](https://malduino.com/) or [Rubber Ducky](https://shop.hak5.org/products/usb-rubber-ducky-deluxe)), will act as a keyboard, once plugged in, it will proceed to rapidly type commands at lighning speed, often with severe consequences. There's also remote access tools (such as the [OMG Cable](https://hackaday.com/tag/omg-cable/) or [P4wnP1_aloa](https://github.com/RoganDawes/P4wnP1_aloa)), giving a hacker full remote access to your PC, even after the device has been removed. And of course, there's traditional USB drives, that contain malware that infect your device once inserted. <br>One solution to this, is to make a USB sanitizer, using [CIRCLean](https://www.circl.lu/projects/CIRCLean/) on a Raspberry Pi. It allows you to plug an obtained USB device into the Pi, and it'll convert the untrusted documents into a readable but disarmed format, and save them on a new USB key, which you can then safely insert into your computer
|
||||
**Activate Screen-Lock when Idle** | Recommended | Get in the habit of locking your computer, whenever you step away from it. Reduce the amount of time that your computer is idle for, before the screensaver activates, and ensure that it will lock when the mouse is moved, so no one can access your data, when you step away from your desk. In Windows, check `Personalization --> Screensaver --> On resume, display login screen`, and in MacOS, check `Security & Privacy --> General --> Require password immediately after screensaver starts`. In Linux, `Brightness & Lock --> Require my password when waking up from suspend`. Better still, never leave your computer unattended, even in trusted environments
|
||||
**Disable Cortana or Siri** | Recommended | Using a voice-controlled assistant, sends commands back to Microsoft or Apple as well as data about your files for local search, which have some [serious privacy implications](https://www.theatlantic.com/technology/archive/2016/05/the-privacy-problem-with-digital-assistants/483950/). They're always listening, waiting for the trigger word, and this can lead to parts of conversations being accidentally recorded. To disable this, in Windows, navigate to `Settings --> Cortana` and switch it to `Off`. You should also stop your speech, typing and handwriting patterns being sent to Microsoft, since this can be used to identify you, as well as potentially leaking sensitive data - navigate to `Settings --> Privacy --> Speech, Inking, & Typing`, and click `Turn off`. In Mac it's not easy to fully disable Siri, but you can stop it from always listening, go to `System Preferences --> Siri`, and uncheck `Enable Siri`
|
||||
**Review your Installed Apps** | Recommended | It’s good practice to keep installed applications to a minimum. Not only does this keep your machine lean, it also reduces your exposure to vulnerabilities. You should also clear application cache's regularly. As well as looking through your application list manually, there are also tools that make this easier, such as [BleachBit](https://www.bleachbit.org/)
|
||||
**Manage Permissions** | Recommended | In a similar way to phones, your OS can grant certain permissions to applications. It's important to keep control over which apps and services have access to your location, camera, microphone, contacts, calendar and other account information. Some systems let you restrict which apps can send or recieve messages, as well as which apps can which processes can control radios such as Bluetooth and WiFi. In Windows, navigate to `Settings --> Privacy`, and for MacOS, go to `System Preferences --> Security & Privacy --> Privacy`. <br>Note that there are other methods that apps can use to access this data, and this is just one step towards protecting it. You should check back regularly, as sometimes system updates can cause some privacy settings to be modified or reverted
|
||||
**Disallow Usage Data from being sent to the Cloud** | Recommended | Both Windows and MacOS collect usage information or feedback, which is send to the cloud for analytics, diagnostics and research. Although this data should be anonymized, it can often be linked back to your identity when compared with other usage data. In Windows, there is no way to disable this fully, but you can limit it- navigate to `Settings --> Privacy --> Feedback & diagnostics`, and select `Basic`. You also have the option to disallow your advertising ID from being shared with apps on your system. In MacOS, it can be turned off fully, go to `System Preferences --> Privacy --> Diagnostics & Usage`, and untick both options
|
||||
**Disallow Usage Data from being sent to the Cloud** | Recommended | Both Windows and MacOS collect usage information or feedback, which is send to the cloud for analytics, diagnostics and research. Although this data should be anonymized, it can often be linked back to your identity when compared with other usage data. In Windows, there is no way to disable this fully, but you can limit i - navigate to `Settings --> Privacy --> Feedback & diagnostics`, and select `Basic`. You also have the option to disallow your advertising ID from being shared with apps on your system. In MacOS, it can be turned off fully, go to `System Preferences --> Privacy --> Diagnostics & Usage`, and untick both options
|
||||
**Avoid Quick Unlock** | Recommended | Use a password to unlock your computer, ensure it is long and strong. Avoid biometrics such as facial recognition and fingerprint. These can be spoofed, allowing an intruder access to your account. Also, for Windows devices, avoid using a short PIN to unlock your machine.
|
||||
**Power Off Computer, instead of Standby** | Recommended | You must shut down your device when not in use, in order for the disk to be encrypted. Leaving it in standby/ sleep mode keeps your data in an unencrypted state, and vulnerable to theft. Microsoft even recommends [disabling the sleep functionality](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq#what-are-the-implications-of-using-the-sleep-or-hibernate-power-management-options) all together, once BitLocker is enabled. This only applies to encrypted disks, and is true for FileVault (MacOS), BitLocker (Windows), VeraCrypt, Self-Encrypting Drives and most other disk encryption methods. Another reason to shut down, is because the machine is completely offline while it is off, and cannot be hacked remotely. It also can't communicate with a command and control server, if it has already been infected with an exploit
|
||||
**Don't link your PC with your Microsoft or Apple Account** | Optional | Create a local account only. This will prevent some data about your usage being uploaded and synced between devices. Avoid syncing your iPhone or Android device to your computer, as this will automatically lead to it being associated with your Apple, Microsoft or Google account. <br>If sync is important to you, there are open source services that encrypt you data, and sync between devices. For example [XBrowserSync](https://www.xbrowsersync.org/) for bookmarks, history and browser data, [ETESync](https://www.etesync.com/accounts/signup/?referrer=QK6g) for calendar, contacts and tasks, [Syncthing](https://syncthing.net/) for files, folders and filesystems
|
||||
**Check which Sharing Services are Enabled** | Optional | The ability to share files and services with other machines within your network, can be useful, but also acts as a gateway for common threats. You should disable the network sharing features that you are not using. For Windows, navigate to `Control Panel --> Network and Internet --> Network and Sharing Center --> Advanced sharing settings`, and for MacOS, just go to `System Preferences --> Sharing` and disable anything that you do not need. For Windows users, you should ensure that [remote desktop is disabled](https://www.laptopmag.com/articles/disable-remote-desktop). And also control apps’ ability to sync with non-pairing devices, such as beacons that transmit advertising information- this is also in the privacy settings
|
||||
**Check which Sharing Services are Enabled** | Optional | The ability to share files and services with other machines within your network, can be useful, but also acts as a gateway for common threats. You should disable the network sharing features that you are not using. For Windows, navigate to `Control Panel --> Network and Internet --> Network and Sharing Center --> Advanced sharing settings`, and for MacOS, just go to `System Preferences --> Sharing` and disable anything that you do not need. For Windows users, you should ensure that [remote desktop is disabled](https://www.laptopmag.com/articles/disable-remote-desktop). And also control apps’ ability to sync with non-pairing devices, such as beacons that transmit advertising informatio - this is also in the privacy settings
|
||||
**Don't use Root/ Admin Account for Non-Admin Tasks** | Optional | You should not use administrator / root account for general use. Instead, use an unprivileged user account, and temporarily elevate permissions when you need to make administrator changes. This will [mitigate a large proportion of vulnerabilities](https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/), because a malicious program or an attacker can do significantly less damage without an administrator power. See [this guide for Windows and MacOS](https://www.maketecheasier.com/why-you-shouldnt-use-admin-account/), on how to implement this. You should also ensure that a password is required for all system wide changes, as this helps protect against malware doing widespread damage. In Windows this is enabled by default, in MacOS, navigate to `System Preferences --> Security & Privacy --> General --> Advanced`
|
||||
**Block Webcam + Microphone** | Optional | To prevent the potential risk of [being watched](https://opendatasecurity.io/hackers-can-watch-you-via-your-webcam/) through your webcam, consider covering it with a sticker, slider or electrical tape, while it's not being used. There are also application solutions- such as [Oversight](https://objective-see.com/products/oversight.html) (MacOS) or [CamWings](https://schiffer.tech/camwings.html) (Windows) - for ultimate protection, consider physically [removing the webcam](https://www.wired.com/story/remove-the-mic-from-your-phone/) all together. Blocking unauthorized audio recording, can be done with a [mic block](https://mic-lock.com/), which works by disabling the primary sound input source- but is not fool proof
|
||||
**Use a Privacy Filter** | Optional | A lot of information can be gleaned just from glancing at someones screen over their shoulder. When working in a public space (train, coffee shop, share office), use a [screen privacy filter](https://www.3m.com/3M/en_US/company-us/all-3m-products/~/All-3M-Products/Privacy-Screen-Protectors/Privacy-Products/Black-Privacy/?N=5002385+8710873+8711017+8725317+8725356+8725359+3294857497). This will allow you to see the content of your screen when looking straight on, but for anyone looking at a slight angle, your screen will appear black.
|
||||
**Block Webcam + Microphone** | Optional | To prevent the potential risk of [being watched](https://opendatasecurity.io/hackers-can-watch-you-via-your-webcam/) through your webcam, consider covering it with a sticker, slider or electrical tape, while it's not being used. There are also application solution - such as [Oversight](https://objective-see.com/products/oversight.html) (MacOS) or [CamWings](https://schiffer.tech/camwings.html) (Windows) - for ultimate protection, consider physically [removing the webcam](https://www.wired.com/story/remove-the-mic-from-your-phone/) all together. Blocking unauthorized audio recording, can be done with a [mic block](https://mic-lock.com/), which works by disabling the primary sound input sourc - but is not fool proof
|
||||
**Use a Privacy Filter** | Optional | A lot of information can be gleaned just from glancing at someones screen over their shoulder. When working in a public space (train, coffee shop, share office), use a [screen privacy filter](https://www.3m.co.uk/3M/en_GB/privacy-protection-UK/products/privacy-filters/). This will allow you to see the content of your screen when looking straight on, but for anyone looking at a slight angle, your screen will appear black.
|
||||
**Physically Secure Device** | Optional | When working from a laptop think about using a [Kensington Lock](https://www.kensington.com/solutions/product-category/security/) to secure your device to a permanent fixture. To help protect against an opportunistic local attack, consider utilizing [port locks](https://lindy.com/en/technology/port-blockers/), to prevent or slow down an intruder from dropping a malicious payload onto your device. Ideally never leave your laptop or other devices unattended
|
||||
**Don't Charge Devices from your PC** | Optional | Connecting your smart phone to a computer can be a security risk, it's possible for [a self-signed malicious app](https://www.pcworld.com/article/2465320/the-biggest-iphone-security-risk-could-be-connecting-one-to-a-computer.html) to be installed, without your knowledge. Also both iPhone or Android device have sync capabilities, which can lead to data being unintentionally shared. If you need to charge your device, consider using a [USB data-blocker](/6_Privacy_and-Security_Gadgets.md#usb-data-blockers).
|
||||
**Randomize your hardware address on Wi-Fi** | Optional | A [MAC Address](https://en.wikipedia.org/wiki/MAC_address) is an identifier given to a device (specifically the Network Interface Controller), and is is one method used to identify, and track you across different WiFi networks. Some devices allow you to modify or randomize how this address appears. See how, on [Windows](https://support.microsoft.com/en-us/help/4027925/windows-how-and-why-to-use-random-hardware-addresses), [MacOS](https://poweruser.blog/how-to-spoof-the-wifi-mac-address-on-a-macbook-25e11594a932) and [Linux](https://itsfoss.com/change-mac-address-linux/). <br>You should also disallow you device from automatically connect to open Wi-Fi networks
|
||||
**Use a Firewall** | Optional | A firewall is a program which monitors incoming and outgoing traffic, and allows you to blocks internet access for certain applications. This is useful to stop apps from collecting data, calling home, or downloading unnecessary content- correctly configured, firewalls can help protect against remote access attacks, as well as protect your privacy. <br>Your system will have a built-in firewall (Check it's enabled: [Windows](https://support.microsoft.com/en-us/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off), [Mac OS](https://support.apple.com/en-us/HT201642), [Ubuntu](https://wiki.ubuntu.com/UncomplicatedFirewall) and other [Linux ditros](https://www.tecmint.com/start-stop-disable-enable-firewalld-iptables-firewall)). Alternatively, for greater control, consider: [LuLu](https://objective-see.com/products/lulu.html) (MacOS), [gufw](http://gufw.org/) (Linux), [LittleSnitch](https://github.com/evilsocket/opensnitch), [SimpleWall](https://github.com/henrypp/simplewall) (Windows), there's plenty more [firewall apps](/5_Privacy_Respecting_Software.md#firewalls) available
|
||||
**Protect Against Software Keyloggers** | Optional | A software keylogger is a malicious application running in the background that logs (and usually relays to a server) every key you press, aka all data that you type (passwords, emails, search terms, financial details etc). The best way to stay protected, is to keep your systems security settings enabled, and periodically check for rootkits- which will detect most loggers. Another option, is to use a key stroke encryption tool. For Windows there is [GhostPress](https://schiffer.tech/ghostpress.html), [Spy Shelter](https://www.spyshelter.com/) or [KeyScrambler](https://www.qfxsoftware.com) (developed by Qian Wang) which encrypt your keystrokes at the keyboard driver level, and then decrypting them at the application level, meaning any software keylogger would just receive encrypted data.
|
||||
**Use a Firewall** | Optional | A firewall is a program which monitors incoming and outgoing traffic, and allows you to blocks internet access for certain applications. This is useful to stop apps from collecting data, calling home, or downloading unnecessary conten - correctly configured, firewalls can help protect against remote access attacks, as well as protect your privacy. <br>Your system will have a built-in firewall (Check it's enabled: [Windows](https://support.microsoft.com/en-us/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off), [Mac OS](https://support.apple.com/en-us/HT201642), [Ubuntu](https://wiki.ubuntu.com/UncomplicatedFirewall) and other [Linux ditros](https://www.tecmint.com/start-stop-disable-enable-firewalld-iptables-firewall)). Alternatively, for greater control, consider: [LuLu](https://objective-see.com/products/lulu.html) (MacOS), [gufw](http://gufw.org/) (Linux), [LittleSnitch](https://github.com/evilsocket/opensnitch), [SimpleWall](https://github.com/henrypp/simplewall) (Windows), there's plenty more [firewall apps](/5_Privacy_Respecting_Software.md#firewalls) available
|
||||
**Protect Against Software Keyloggers** | Optional | A software keylogger is a malicious application running in the background that logs (and usually relays to a server) every key you press, aka all data that you type (passwords, emails, search terms, financial details etc). The best way to stay protected, is to keep your systems security settings enabled, and periodically check for rootkit - which will detect most loggers. Another option, is to use a key stroke encryption tool. For Windows there is [GhostPress](https://schiffer.tech/ghostpress.html), [Spy Shelter](https://www.spyshelter.com/) or [KeyScrambler](https://www.qfxsoftware.com) (developed by Qian Wang) which encrypt your keystrokes at the keyboard driver level, and then decrypting them at the application level, meaning any software keylogger would just receive encrypted data.
|
||||
**Check Keyboard Connection** | Optional | Check your keyboards USB cable before using, bring your own keyboard to work and watch out for signs that it may have been tampered with. A hardware keylogger is a physical device that either sits between your keyboard and the USB connection into your PC, or is implanted into a keyboard. It intercepts and stores keystrokes, and in some cases can remotely upload them. Unlike a software logger, they can not be detected from your PC, but also they can not intercept data from virtual keyboards (like [OSK](https://support.microsoft.com/en-us/help/10762/windows-use-on-screen-keyboard)), clipboard or auto-fill password managers.
|
||||
**Prevent Keystroke Injection Attacks** | Optional | Always lock your PC when you step away from it (however this is not fool-proof, and [can be circumvented](https://www.youtube.com/watch?v=a4OyqaqFDW0)). For Linux, there is [USBGuard](https://github.com/USBGuard/usbguard), and for Windows there's [DuckHunt](https://github.com/pmsosa/duckhunt), which will detect super fast (badUSB-level super-fast) it will block input until the attack stops. Alternatively, Windows Group Policy can also be [configured to not trust new devices by default](https://www.itechtics.com/enable-gpedit-windows-10-home/). [Port Blockers](https://lindy.com/en/technology/port-blockers/) provide some level of physical protection, which may prevent an opportunistic attack, but can be circumvented fairly easily
|
||||
**Don't use commercial "Free" Anti-Virus** | Optional | The included security tools, which come with bundled your operating system (such as Windows Defender), should be adequate at protecting against threats. Free anti-virus applications are often more of a hinder than a help- as they require admin permissions, full access to all data and settings, and internet access. They usually collect a lot of data, which is uploaded to the cloud and sometimes [sold to third-parties](https://www.forbes.com/sites/thomasbrewster/2019/12/09/are-you-one-of-avasts-400-million-users-this-is-why-it-collects-and-sells-your-web-habits/). Therefore, you should avoid non-libre closed source programs such as Avast, AVG, Norton, Kasperky, Avira etc- even the paid plans come with privacy concerns. If you need a dedicated anti-virus application, consider [ClamAV](https://www.clamav.net/), which is open source and libre meaning completely open. And for scanning 1-off files, [VirusTotal](https://www.virustotal.com/) is a useful tool
|
||||
**Don't use commercial "Free" Anti-Virus** | Optional | The included security tools, which come with bundled your operating system (such as Windows Defender), should be adequate at protecting against threats. Free anti-virus applications are often more of a hinder than a hel - as they require admin permissions, full access to all data and settings, and internet access. They usually collect a lot of data, which is uploaded to the cloud and sometimes [sold to third-parties](https://www.forbes.com/sites/thomasbrewster/2019/12/09/are-you-one-of-avasts-400-million-users-this-is-why-it-collects-and-sells-your-web-habits/). Therefore, you should avoid non-libre closed source programs such as Avast, AVG, Norton, Kasperky, Avira et - even the paid plans come with privacy concerns. If you need a dedicated anti-virus application, consider [ClamAV](https://www.clamav.net/), which is open source and libre meaning completely open. And for scanning 1-off files, [VirusTotal](https://www.virustotal.com/) is a useful tool
|
||||
**Periodically check for Rootkits** | Advanced | You should regularly check for rootkits (which may allow an attacker full control over your system), you can do this with a tool like [chkrootkit](http://www.chkrootkit.org/), once installed just run `sudo chkrootkit`. For Windows users, see [rootkit-revealer](https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer) or [gmer](http://www.gmer.net/)
|
||||
**BIOS Boot Password** | Advanced | A BIOS or UEFI password once enabled, will need to be entered before the system can be booted, which may help to prevent an inexperienced hacker from getting into your OS, booting from a USB, tampering with BIOS as well as other actions. However, it can be easy to bypass, don't put too much trust in this - it should only be used as an additional step, to exhaust your adversaries resources a little faster. [Here is a guide on how to enable password](https://www.howtogeek.com/186235/how-to-secure-your-computer-with-a-bios-or-uefi-password/).
|
||||
**Use a Security-Focused Operating System** | Advanced | Microsoft, Apple and Google all have practices that violate users privacy, switching to Linux will mitigate most of these issues. For more advanced users, consider a security-focused distro- such as [QubeOS](https://www.qubes-os.org/), which allows for compartmentalization of applications and data, and has strong encryption and Tor networking build in. For some actions, [Tails](https://tails.boum.org/) a live operating system with no memory persistence is as close as you can get to not leaving a data trail on your system. BSD is also great for security, see [FreeBSD](https://www.freebsd.org/) and [OpenBSD](https://www.openbsd.org/). Even a general purpose distro, will be much better for privacy compared to a propriety counterpart: [Fedora](https://getfedora.org/), [Debian](https://www.debian.org/), [Arch](https://www.archlinux.org/) / [Manjaro](https://manjaro.org/), [see more](/5_Privacy_Respecting_Software.md#pc-operating-systems)
|
||||
**Use a Security-Focused Operating System** | Advanced | Microsoft, Apple and Google all have practices that violate users privacy, switching to Linux will mitigate most of these issues. For more advanced users, consider a security-focused distr - such as [QubeOS](https://www.qubes-os.org/), which allows for compartmentalization of applications and data, and has strong encryption and Tor networking build in. For some actions, [Tails](https://tails.boum.org/) a live operating system with no memory persistence is as close as you can get to not leaving a data trail on your system. BSD is also great for security, see [FreeBSD](https://www.freebsd.org/) and [OpenBSD](https://www.openbsd.org/). Even a general purpose distro, will be much better for privacy compared to a propriety counterpart: [Fedora](https://getfedora.org/), [Debian](https://www.debian.org/), [Arch](https://www.archlinux.org/) / [Manjaro](https://manjaro.org/), [see more](/5_Privacy_Respecting_Software.md#pc-operating-systems)
|
||||
**Make Use of VMs** | Advanced | If your job, or any of your activity could endanger your system, or put you at risk, then virtual machines are a great tool to isolate this from your primary system. They allow you to test suspicious software, and analyse potentially dangerous files, while keeping your host system safe. They also provide a host of other features, from quick recovery using snapshots, to the ability to replicate configurations easily, and have multiple VMs running simultaneously. Taking this a step further, VMs can be use for compartmentalization, with a host system performing the single task of spawning VMs (systems like [ProxMox](https://www.proxmox.com/en/), is designed for exactly this). Be aware that virtual machines do not guarantee security, and vulnerabilities, named [VM-Escapes](https://en.wikipedia.org/wiki/Virtual_machine_escape), may allow for data in memory to leak into the host system
|
||||
**Compartmentalize** | Advanced | Security by [Compartmentalization](https://en.wikipedia.org/wiki/Compartmentalization_(information_security)) is a strategy, where you isolate different programs and data sources from one another as much as possible. That way, attackers who gain access to one part of the system are not able to compromise all of the user’s privacy, and corporate tracking or government surveillance shouldn't be able to link together different compartments. At the simplest level, you could use separate browsers or [multi-account containers](https://support.mozilla.org/en-US/kb/containers) for different activities, but taking it further you could have a virtual machine for each category (such as work, shopping, social etc). Alternativley, consider [Qubes OS](https://www.qubes-os.org), which is designed for exactly this, and sandboxes each app in it's own Xen Hypervisor VM, while still providing great user experience
|
||||
**Disable Undesired Features (Windows)** | Advanced | Microsoft Windows 10 is far from lean, and comes with many bundles "features" that run in the background, collecting data and using resources. Consider disabling: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that may make these fixes, and more easier, such as [HardenTools](https://github.com/securitywithoutborders/hardentools), or [ShutUp10](https://www.oo-software.com/en/shutup10). Note: This should only be done if you are competent Windows user, as modifying the registry can cause issues
|
||||
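Review bot: the hyphen clean-up in this hunk drops the last letter of the word before each replaced hyphen, so it introduces new typos instead of fixing spacing: `copies of your data- such as` became `copies of your dat - such as`, `you can limit it- navigate` became `you can limit i - navigate`, and `application solutions- such as` became `application solution - such as`; the same truncation appears as `informatio -`, `sourc -`, `conten -`, `rootkit -`, `hel -`, `et -` and `distr -` further down. The search pattern evidently consumed the character preceding `-`; redo it as a replacement of `- ` with ` - ` that keeps the preceding letter, so the rows read `data - such as`, `limit it - navigate`, `solutions - such as`, and so on. The 3M privacy-filter URL update in the same hunk looks fine.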
@ -377,7 +378,7 @@ The most privacy-respecting option, would be to not use "smart" internet-connect
|
||||
**Protect your Network** | Recommended | On many smart home devices, anybody connected to your home WiFi is able to view the device content (such as camera footages, or motion statistics). So ensure that your WiFi and home networks are properly secured with a strong password and up-to-date firmware. (See the [Router Section](#your-router) for more details)
|
||||
**Be wary of wearables** | Optional | Wearable smart devices allow companies to log even more data than ever before; they can track your every move to know exactly where you are and what you are doing at any given time. Again, you as the consumer have no control over what is done with that data.
|
||||
**Don't connect your home's critical infrastructure to the Internet** | Optional | While a smart thermostat, burglar alarm, smoke detector and other appliances may seem convenient, they by design can be accessed remotely, meaning a hacker can gain control of your entire home, without even needing to be nearby. And by breaching multiple devices, the effects can be very serious.
|
||||
**Mitigate Alexa/ Google Home Risks** | Optional | It is a known fact that voice-activated assistants collect a lot of personal data, and open the door to a mirage of security issues. Consider switching to [Mycroft](https://mycroft.ai/) which is an open source alternative, with much better privacy. Alternativley, if you wish to continue using your current voice assistant, check out [Project Alias](https://github.com/bjoernkarmann/project_alias), which prevents idle listening
|
||||
**Mitigate Alexa/ Google Home Risks** | Optional | It is a known fact that voice-activated assistants collect a lot of personal data, and open the door to a myriad of security issues. Consider switching to [Mycroft](https://mycroft.ai/) which is an open source alternative, with much better privacy. Alternativley, if you wish to continue using your current voice assistant, check out [Project Alias](https://github.com/bjoernkarmann/project_alias), which prevents idle listening
|
||||
**Monitor your home network closely** | Optional | Check your local network for suspicious activity. One of the easier methods to do this is with [FingBox](https://amzn.to/38mdw8F), but you can also do it directly [through some routers](https://www.howtogeek.com/222740/how-to-the-monitor-the-bandwidth-and-data-usage-of-individual-devices-on-your-network/).
|
||||
**Deny Internet access where possible** | Advanced | If possible deny the device/ app internet access, and use it only on your local network. You can configure a firewall to block certain devices from sending or receiving from the internet.
|
||||
**Assess risks** | Advanced | Assess risks with your audience and data in mind: Be mindful of whose data is being collected, e.g. kids. Manage which devices can operate when (such as turning cameras off when you are at home, or disabling the internet for certain devices at specific times of day)
|
||||
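Review bot: the only change in this hunk ("mirage" to "myriad" in the Mitigate Alexa/ Google Home Risks row) leaves "Alternativley" misspelled on the same replaced line; since that line is being rewritten anyway, correct it to "Alternatively" here. In the unchanged context, "camera footages" in the Protect your Network row should be "camera footage", and "meaning a hacker can gain control of your entire home" in the critical-infrastructure row overstates the case given the row's own hedging; "meaning an attacker who compromises them may gain control of connected systems in your home" keeps the point without the absolute.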
@ -398,9 +399,8 @@ Note about credit cards: Credit cards have technological methods in place to det
|
||||
**Apply a Credit Freeze** | Recommended | A credit freeze will prevent anyone from requesting your credit report, hence stop someone applying for a financial product in your name, or a corporation requesting your details without your consent. You will need to temporarily disable your credit freeze before getting a loan, or any other financial product. You can freeze your credit through credit the bureau's website: [Experian](https://www.experian.com/freeze/center.html), [TransUnion](https://www.transunion.com/credit-freeze) and [Equifax](https://www.freeze.equifax.com/)
|
||||
**Use Virtual Cards** | Optional | Virtual card numbers let you pay for items without revealing your real card or banking details. They also offer additional features, such as single-use cards and spending limits for each card. This means you will not be charged more than you specified, or ongoing subscriptions or in the case of a data breach. [Privacy.com](https://privacy.com/join/VW7WC), [MySudo](https://mysudo.com/) and [others](/5_Privacy_Respecting_Software.md#virtual-credit-cards) offer this service
|
||||
**Use Cash for Local Transactions** | Optional | Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
|
||||
**Use Cryptocurrency for Online Transactions** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. Many blockchains have a public record, of all transaction metadata, on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as [Monero](https://www.getmonero.org) or [ZCash](https://z.cash). If you are using a widley- supported currency (such as [Tether](https://tether.to/), [BitCoin](https://bitcoin.org/), [LiteCoin](https://litecoin.com/), [Ripple](https://ripple.com/xrp/), [Etherium](https://ethereum.org/en/) etc), take steps to [distance yourself from the transaction details](https://coinsutra.com/anonymous-bitcoin-transactions/). See more [privacy-respecting crypto currencies](/5_Privacy_Respecting_Software.md#cryptocurrencies).
|
||||
**Use Cash for Local Transactions** | Optional | Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
|
||||
**Use Cryptocurrency for Online Transactions** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. Many blockchains have a public record, of all transaction metadata, on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as [Monero](https://www.getmonero.org) or [ZCash](https://z.cash). If you are using a widley- supported currency (such as [Tether](https://tether.to/), [BitCoin](https://bitcoin.org/), [LiteCoin](https://litecoin.com/), [Ripple](https://ripple.com/xrp/), [Etherium](https://ethereum.org/en/) etc), take steps to [distance yourself from the transaction details](https://coinsutra.com/anonymous-bitcoin-transactions/). See more [privacy-respecting crypto currencies](/5_Privacy_Respecting_Software.md#cryptocurrencies).
|
||||
**Use Cryptocurrency for Online Transactions** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. Many blockchains have a public record, of all transaction metadata, on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as [Monero](https://www.getmonero.org). If you are using a widle - supported currency (such as [Tether](https://tether.to/), [BitCoin](https://bitcoin.org/), [LiteCoin](https://litecoin.com/), [Ripple](https://ripple.com/xrp/), [Etherium](https://ethereum.org/en/) etc), take steps to [distance yourself from the transaction details](https://coinsutra.com/anonymous-bitcoin-transactions/). See more [privacy-respecting crypto currencies](/5_Privacy_Respecting_Software.md#cryptocurrencies). Note that using crypto anonymously requires some background knowlegde, and the learning curve can be steep, so take care to ensure you're not putting your privacy at risk (see [#70](https://github.com/Lissy93/personal-security-checklist/issues/70))
|
||||
**Store Crypto Securely** | Advanced | Generate wallet address offline, never let your private key touch the internet and preferably avoid storing it on an internet-connected device. Use a secure wallet, such as [Wasabi](https://www.wasabiwallet.io/), or a hardware wallet, like [Trezor](https://trezor.io/) or [ColdCard](https://coldcardwallet.com/). For long-term storage consider a paper wallet, or a more robust alternative, such as [CryptoSteel](https://cryptosteel.com/how-it-works)
|
||||
**Buy Crypto Anonymously** | Advanced | If you are buying a common cryptocurrency (such as BitCoin), purchasing it from an exchange with your debit/ credit card, will link directly back to your real identity. Instead use a service like [LocalBitcoins](https://localbitcoins.com), an anonymous exchange, such as [Bisq](https://bisq.network), or buy from a local BitCoin ATM ([find one here](https://coinatmradar.com)). Avoid any exchange that implements [KYC](https://en.wikipedia.org/wiki/Know_your_customer)
|
||||
**Tumble/ Mix Coins** | Advanced | Before converting BitCoin back to currency, consider using a [bitcoin mixer](https://en.bitcoin.it/wiki/Mixing_service), or [CoinJoin](https://en.bitcoin.it/wiki/CoinJoin) to make your transaction harder to trace. (Some wallets, such as [Wasabi](https://www.wasabiwallet.io/) support this nativley)
|
||||
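Review bot: the replacement Use Cryptocurrency for Online Transactions row introduces a new typo, "widle - supported", in place of the old "widley-" (both wrong; it should read "widely supported"), keeps "Etherium" for "Ethereum", and adds "knowlegde" for "knowledge". The rewrite also drops ZCash from the privacy-focused examples, leaving only Monero, and neither the line nor the commit message says why; if that is deliberate, a short reason in the PR description would help. The hunk also shows the Use Cash and Use Cryptocurrency rows twice with identical text, which usually means a whitespace-only or moved line; worth confirming nothing else changed. In unchanged context: "freeze your credit through credit the bureau's website" in the Apply a Credit Freeze row should be "through the credit bureau's website", and "or ongoing subscriptions or in the case of a data breach" in Use Virtual Cards is missing words (e.g. "by ongoing subscriptions, or in the case of a data breach").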
@ -427,11 +427,11 @@ Many data breaches, hacks and attacks are caused by human error. The following l
|
||||
**Never Leave Device Unattended** | Recommended | Even with a strong password, it's straight-forward to retrieve the data from your phone or computer (unless it is encrypted). If you lose your device, and have find my phone enabled, then remotely erase it
|
||||
**Prevent Camfecting** | Recommended | It is a good idea to invest in some webcam covers, and microphone blockers to protect against [*camfecting*](https://en.wikipedia.org/wiki/Camfecting), where a malicious actor, or app is able spy on you and your physical space, without your knowledge. See [this guide](https://blog.malwarebytes.com/hacking-2/2019/09/15000-webcams-vulnerable-how-to-protect-webcam-hacking/) for more tips. Mute home assistants, (Alexa, Google Home and Siri) when you are not using them, or at least when you are discussing anything sensitive or anything conversation involving personal details
|
||||
**Stay protected from shoulder surfers** | Recommended | Be sure to not let anyone 'shoulder surf' (read what is on your screen, when in public space). As they may be able to gather sensitive information about you. You could apply a privacy screen to your [laptop](https://amzn.to/2H7pOX7) and [mobile](https://amzn.to/39oHWrA), in order to restrict data being read from an angle
|
||||
**Educate yourself about phishing attacks** | Recommended | Phishing is an attempt to obtain sensitive information (like an account password) by disguising as a trustworthy person or company. In recent years phishing attacks have become increasingly sophisticated and hackers are learning to use data that people put on the web to create highly specific and targeted attacks. Check the URL before entering any information. Understand the context- were you expecting the email or message, does it feel normal? Employ general good security practices will also help: Use 2FA, don't reuse passwords, close accounts you no longer use and backup your data. See these guides on: [How to Protect against Common Phishing Attacks](https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them) and [The Anatomy of a Phishing Email](https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/)
|
||||
**Educate yourself about phishing attacks** | Recommended | Phishing is an attempt to obtain sensitive information (like an account password) by disguising as a trustworthy person or company. In recent years phishing attacks have become increasingly sophisticated and hackers are learning to use data that people put on the web to create highly specific and targeted attacks. Check the URL before entering any information. Understand the contex - were you expecting the email or message, does it feel normal? Employ general good security practices will also help: Use 2FA, don't reuse passwords, close accounts you no longer use and backup your data. See these guides on: [How to Protect against Common Phishing Attacks](https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them) and [The Anatomy of a Phishing Email](https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/)
|
||||
**Watch out for Stalkerware** | Recommended | This is a malware that is installed directly onto your device by someone you know (partner, parent, boss etc). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app draw, (but may visible in Settings --> Applications --> View All). Sometimes they can be disguised as a non-conspicuous app (such as a game, flashlight or calculator) which initially don't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalker ware is on your device, the best way to get rid of it is through a factory reset
|
||||
**Install Reputable Software from Trusted Sources** | Recommended | It may seem obvious, but so much of the malware many PC users encounter is often as a result of accidentally downloading and installing bad software. Also, some legitimate applications try to offer you slightly dodgy freeware (such as toolbars, anti-virus, and other utilities). Be sure to pay attention while completing the installation process. Only download software from legitimate sources (often this isn't the top result in Google) so it's important to double check before downloading. Before installing, check it in [Virus Total](https://www.virustotal.com), which scans installable files using multiple AV checkers
|
||||
**Store personal data securely** | Recommended | Backing up important data is important. But ensure that all information that is stored on your phone/laptop, USB or in a cloud is encrypted. That way, if it is accessed by a hacker (which unfortunately is all too common), it will be almost impossible for them to get to your personal files. For USB devices, see [VeraCrypt](https://www.veracrypt.fr/en/Home.html). For cloud backup, see [Cryptomator](https://cryptomator.org), and for your phone and laptop, see [this guide](https://www.howtogeek.com/260507/psa-encrypt-your-pc-phone-and-tablet-now.-youll-regret-it-later-if-you-dont)
|
||||
**Obscure Personal Details from Documents** | Recommended | When sharing any document, photo or video- be sure to blank out text with an opaque rectangle. Be careful with blurring/ pixelating out text, as this could be recovered (using something like [Depix](https://github.com/beurtschipper/Depix)). This is especially true for video footage (such as with license plates), since an adversary has more frames to work with
|
||||
**Obscure Personal Details from Documents** | Recommended | When sharing any document, photo or vide - be sure to blank out text with an opaque rectangle. Be careful with blurring/ pixelating out text, as this could be recovered (using something like [Depix](https://github.com/beurtschipper/Depix)). This is especially true for video footage (such as with license plates), since an adversary has more frames to work with
|
||||
**Do not assume a site is secure, just because it is `HTTPS`** | Recommended | Unlike HTTP, data sent over HTTPS is encrypted. However that does not mean you should trust that website by default. HTTPS Certificates can be obtained by anybody, so a cloned or scam site may have a valid certificate (as denoted by the padlock icon). Always check the URL, and don't enter any personal details unless you are certain a website is legitimate. Avoid entering data on any site that is not HTTPS
|
||||
**Use Virtual Cards when paying online** | Optional | There are risks involved in entering your card details on any website. Credit cards have better consumer protection, compared to debit or bank cards, meaning you are more likely to be recompensated for fraudulent transactions, however they collect and sometimes sell your transaction history. A better option would be to pay with a virtual, 1-time card. This will mean that even if those credentials are compromised a hacker will not be able to lift any of your money. You can also set limits, or create single-use cards, to prevent being over-charged. [Privacy.com](https://privacy.com/join/VW7WC) offer virtual payment cards for that you can use anywhere on the internet, as does [Revolut Premium](revolut.ngih.net/Q9jdx)
|
||||
**Review application permissions** | Optional | Ensure that no app have unnecessary access to your photos, camera, location, contacts, microphone, call logs etc. See these guides for how to manage app permissions on [Android](https://www.howtogeek.com/230683/how-to-manage-app-permissions-on-android-6.0) and [iOS](https://www.howtogeek.com/211623/how-to-manage-app-permissions-on-your-iphone-or-ipad). On Android, there is a great app called [Exodus Privacy](https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy), that displays all permissions, and trackers for each of your installed apps
|
||||
|
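Review bot: both replaced rows in this hunk lose the last letter of the word before the dash: "Understand the contex - were you expecting" should be "Understand the context - were you expecting", and "document, photo or vide - be sure" should be "document, photo or video - be sure". This is the same pattern as "widle - supported" in the cryptocurrency hunk, so the dash-spacing replacement should be re-checked across the whole diff rather than fixed only here. While those lines are touched, "Employ general good security practices will also help" should read "Employing general good security practices will also help". In the unchanged context, the Revolut Premium link "revolut.ngih.net/Q9jdx" has no scheme, so markdown will render it as a relative path inside the repository rather than an external link; "able spy on you" in Prevent Camfecting should be "able to spy on you", "no app have unnecessary access" in Review application permissions should be "no app has unnecessary access", and "recompensated" in Use Virtual Cards when paying online should be "compensated".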