diff --git a/guide.md b/guide.md index 542edf5..98c1299 100644 --- a/guide.md +++ b/guide.md @@ -886,6 +886,10 @@ We will mitigate some of these issues in this guide by recommending the use of v **In addition, we recommend the use of AMD CPUs instead of Intel CPUs.** +- CPU vulnerabilities found in the past few years: + + - [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Æpic](https://aepicleak.com/), [SGAxe](https://en.wikipedia.org/wiki/Software_Guard_Extensions#SGAxe), [LVI](https://en.wikipedia.org/wiki/Software_Guard_Extensions#LVI), [Plundervolt](https://en.wikipedia.org/wiki/Software_Guard_Extensions#Plundervolt), [MicroScope replay attack](https://en.wikipedia.org/wiki/Software_Guard_Extensions#MicroScope_replay_attack), [Enclave](https://en.wikipedia.org/wiki/Software_Guard_Extensions#Enclave_attack), [Prime+Probe](https://en.wikipedia.org/wiki/Software_Guard_Extensions#Prime+Probe_attack), [Crosstalk](https://www.vusec.net/projects/crosstalk/), [Hertzbleed](https://en.wikipedia.org/wiki/Hertzbleed), [Squip attack](https://www.securityweek.com/amd-processors-expose-sensitive-data-new-squip-attack/), [Zenbleed](https://lock.cmpxchg8b.com/zenbleed.html) + ## Your Operating Systems and Apps telemetry services: Whether it is Android, iOS, Windows, macOS, or even Ubuntu. Most popular Operating Systems now collect telemetry information by default even if you never opt-in or opted-out[^112] from the start. Some like Windows will not even allow disabling telemetry completely without some technical tweaks. This information collection can be extensive and include a staggering number of details (metadata and data) on your devices and their usage. 
@@ -1961,19 +1965,21 @@ There are some forums and subreddits (like r/phoneverification/) where users wil To this date, we do not know any reputable service that would offer this service and accept cash payments (by post for instance) like some VPN providers. But a few services are providing online phone numbers and do accept Monero which could be reasonably anonymous (yet less recommended than that physical way in the earlier chapter) that you could consider: -- **Recommended**: Do not require any identification (even e-mail): +- **Recommended**: Providers which accept Monero (XMR) and don't require verification: - - (Iceland based, accepts Monero) [[Tor Mirror]](http://cryptonx6nsmspsnpicuihgmbbz3qvro4na35od3eht4vojdo7glm6yd.onion) [[Archive.org]](https://web.archive.org/web/https://crypton.sh/) + - (Iceland based) [[Tor Mirror]](http://cryptonx6nsmspsnpicuihgmbbz3qvro4na35od3eht4vojdo7glm6yd.onion) [[Archive.org]](https://web.archive.org/web/https://crypton.sh/) - - (Ukraine based, accepts Monero) [[Archive.org]](https://web.archive.org/web/https://virtualsim.net/) + - (Ukraine based) [[Archive.org]](https://web.archive.org/web/https://virtualsim.net/) -- Do require identification (valid e-mail): + - (Many countries) [[Archive.org]](https://web.archive.org/web/20230718123605/https://silent.link/) (my favorite) - - (US California based, accepts Monero) [[Archive.org]](https://web.archive.org/web/https://mobilesms.io/) +- Do require e-mail verification, but accept Monero: - - (Germany based, accepts Monero) [[Archive.org]](https://web.archive.org/web/https://www.sms77.io/) + - (US California based) [[Archive.org]](https://web.archive.org/web/https://mobilesms.io/) - - (Russia based, accepts Monero) [[Archive.org]](https://web.archive.org/web/https://onlinesim.ru/) + - (Germany based) [[Archive.org]](https://web.archive.org/web/https://www.sms77.io/) + + - (Russia based) [[Archive.org]](https://web.archive.org/web/https://onlinesim.ru/) There are some other 
possibilities listed here [[Archive.org]](https://web.archive.org/web/https://cryptwerk.com/companies/sms/xmr/). **Use at your own risk.** @@ -10195,7 +10201,7 @@ If you want to use an external SSD drive for sensitive storage: - Always use full disk encryption on those disks -- **Use the manufacturer-provided tools to securely erase them if possible (see [Appendix K: Considerations for using external SSD drives]).** +- **Use the manufacturer-provided tools to securely erase them if possible.** - Consider manually wiping data on them after use by doing a full decryption/encryption or filling them completely with random data. @@ -11199,7 +11205,7 @@ The following are the recommended safest routes for each browser according to th - Go into **Settings** > **Appearances** (`brave://settings/appearance`) - - **Disable** "Show Top Sites" + - (optional) **Disable** "Show autocomplete suggestions in address bar" - **Disable** "Show Brave Suggested Sites" 
@@ -11213,25 +11219,31 @@ The following are the recommended safest routes for each browser according to th - Set "Trackers and Ads blocking" to **Aggressive** - - Set Upgrade connections to HTTPS to **Enabled** + - Set "Upgrade connections to HTTPS" to **Strict** - - Set Cookie blocking to **Only cross-site** + - **Enable** "Block scripts" - - Set Fingerprinting blocking to **Standard** or **Strict** + - Set "Block fingerprinting" to **Standard** or **Strict, may break sites** + + - Set "Block cookies" to **Only cross-site** - Go into **Settings** > **Social media blocking** (`brave://settings/socialBlocking`) - - **Uncheck** everything unless needed + - **Uncheck** the Facebook, Twitter, and LinkedIn embeds - Go to **Settings** > **Search engine** (`brave://settings/search`) - - See [Appendix A3: Search Engines] + - Set "Normal Window" and "Private Window" to use a more private and trackerless search engine + + - See [Appendix A3: Search Engines] for best options + + - **Disable** "Web Discovery Project" + + - **Disable** "Index other search engines" - Go into **Settings** > **Extensions** (`brave://settings/extensions`) - - **Disable** everything except "Private Window with Tor" - - - Set both **Resolve** methods to "Ask" + - **Disable** everything - Go into **Settings** > **Wallet** (`brave://settings/wallet`) 
@@ -11243,13 +11255,13 @@ The following are the recommended safest routes for each browser according to th - Go into **Settings** > **Privacy and Security** (`brave://settings/privacy`) - - Leave **WebRTC** to "Default" + - **Disable** everything except "Private window with Tor" - - **Disable** "Allow privacy-preserving product analytics (P3A)" + - (optional) Turn on **Automatically redirect .onion sites** - - **Disable** "Automatically send daily usage ping to Brave" + - Set **WebRTC handling policy** to "Disable non-proxied UDP" - - Go into "Clear Browsing Data" + - Go into **Clear Browsing Data** (`brave://settings/clearBrowserData`) - Select **On Exit** 
@@ -11257,27 +11269,35 @@ The following are the recommended safest routes for each browser according to th - **Click** "Save" + - Go into **Cookies and other site data** (`brave://settings/cookies`) + + - **Check** "Block third-party cookies" or "Block all cookies" (not recommended) + + - **Enable** "Clear cookies and site data when you close all windows" + + - Under "Sites that can always use cookies", check that you need any of these + - Open a new Tab - **Click** "Customize" in the lower right corner - **Disable** everything in Customize Dashboard except maybe the clock -- Go into **Settings** > **Shields** > **Content filters** (`brave://settings/shields/filters`) +- Go into **Settings** > **Shields** > **Content filtering** (`brave://settings/shields/filters`) - Select any additional adblocking filter you want - - Recommended: **CJX's Annoyance List**, **Easylist-Cookie List**, **Fanboy Annoyances List**, **Fanboy Social List**, **Fanboy's Mobile Notifications List**, and **uBlock Annoyances List** + - Recommended: **CJX's Annoyance**, **Easylist-Cookie**, **Fanboy's Annoyances**, **Fanboy's Social**, **Fanboy's Mobile Notifications**, and **uBlock Annoyances** - Add custom filter lists - - Add the [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/ClearURLs%20for%20uBo/clear_urls_uboified.txt) which uses the rules found in ClearURLs below + - Add the [ClearURLs for uBo (unofficial)](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/ClearURLs%20for%20uBo/clear_urls_uboified.txt) which uses the rules found in ClearURLs below - Add the [AdGuard URL Tracking Protection](https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_17_TrackParam/filter.txt) which enables generic `$removeparam` rules - To keep all applied filters, **click** "Save" -- Do not ever enable Brave Rewards (button should be hidden on all sites) +- Do not ever enable Brave Rewards (button should now 
be hidden on all sites) Addons to consider on Brave if you want additional protections: @@ -11293,7 +11313,7 @@ Addons to consider on Brave if you want additional protections: - LibRedirect () -That's it and you should be pretty much covered. For full paranoia, you can also just "Block Scripts" to disable Javascript. Note that even disabling Javascript might not protect you fully[^517]. +That's it and you should be pretty much covered. For full paranoia, you can also just "Block Scripts" to disable Javascript. Note that even disabling Javascript might not protect you fully[^517]. If you choose to disable JS, use the NoScript extension, not the Brave setting. ## Ungoogled-Chromium:
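Review bot: In the hunk at @@ -886, the new list sits directly under the recommendation to use AMD instead of Intel but does not say which vendor each entry affects, and at least the Squip link (its URL reads "amd-processors-expose-sensitive-data-new-squip-attack") and Zenbleed concern AMD parts. As written, a reader cannot tell whether the list supports or qualifies the recommendation. Suggest one bullet per vendor plus a sentence tying the list to the recommendation. The link labels "Enclave" and "Prime+Probe" are also too generic on their own; both point at sections of the Software Guard Extensions article, so the label should say that.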
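Review bot: In the hunk at @@ -1961, the added silent.link entry ends with "(my favorite)", which gives the reader no criterion and switches to first person singular in a paragraph that otherwise speaks as "we". State the reason for the preference or drop the remark. The same entry pins a dated snapshot (`web/20230718123605/`) while every other entry in the list uses the undated `web/https://...` form; pick one form for the list. The description "(Many countries)" also breaks the "(X based)" pattern of the other entries without saying where the provider itself is located.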
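Review bot: The hunk at @@ -10195 removes the pointer "(see [Appendix K: Considerations for using external SSD drives])" without replacing it, so the bullet now tells the reader to use manufacturer tools for secure erase with no indication of where the procedure is described. If the appendix was renamed or removed, link the new location in this bullet; if it still exists, keep the reference.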
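Review bot: The hunk at @@ -11199 replaces the "Show Top Sites" step with an unrelated one instead of adding to it, so the Top Sites instruction is dropped without explanation. If that toggle no longer exists in current Brave, say so in the commit message; otherwise keep both lines. The new step is marked "(optional)" but gives no hint of the trade-off, and a short clause on why a reader would disable address bar autocomplete would help them decide.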
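Review bot: In the Shields part of the hunk at @@ -11213, **Enable** "Block scripts" is added as an unconditional step, while the guide's closing paragraph presents blocking scripts as an optional "full paranoia" measure. Mark it "(optional)" the way other optional steps in this patch are marked, or note the site breakage next to it. In the same block, the bold span in "**Standard** or **Strict, may break sites**" mixes the option name with a caveat, so a reader may look for a setting literally named that; keep only the option name in bold. Under Search engine, "a more private and trackerless search engine" is vague on its own, and the following "See [Appendix A3: Search Engines]" line would carry the point better if merged into it.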
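Review bot: In the hunk at @@ -11243, the blanket step **Disable** everything except "Private window with Tor" replaces the two explicit lines for "Allow privacy-preserving product analytics (P3A)" and "Automatically send daily usage ping to Brave", and it is immediately followed by steps that turn a setting on and set the WebRTC policy on the same page. A reader following it literally cannot tell which toggles "everything" covers. Suggest keeping the named P3A and daily-ping lines and listing the other toggles to disable by name.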
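Review bot: In the hunk at @@ -11257, the new line "Under "Sites that can always use cookies", check that you need any of these" does not say what the reader should do; it presumably means to review the list and remove entries that are not needed, and should be worded that way. The line above it offers "Block all cookies" and tags it "(not recommended)" in the same breath; either drop the option or say in a few words why it is not recommended. The rename from "Content filters" to "Content filtering" and the shortened list names should be checked against the labels shown at `brave://settings/shields/filters`, since the patch gives no source for them.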
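Review bot: In the hunk at @@ -11293, the added sentence "If you choose to disable JS, use the NoScript extension, not the Brave setting." contradicts the sentence two before it in the same paragraph, which still says you can just "Block Scripts", and it gives no reason for preferring NoScript. Rewrite the paragraph so it recommends one path, state why the extension is preferred over the Shields toggle, and make sure the Shields steps earlier in the Brave section agree with it.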