Privacy: What Not To Do

Disclaimer: I am not an expert. This post is my opinion, so take it with a teaspoon of salt. I am still learning (a student, if you will), so don’t rely on my opinions to keep your privacy intact.

I was browsing around the interwebs last night and came across a post that I felt provided some strange and bad advice for privacy-conscious users. It seems to mislead readers into thinking that simply using these tools will allow you to hide your identity, when this is really not the case. The post in question can be found here. There are many posts on the Internet that provide the same or similar advice, so this really is not an attack against the author. I am sure they meant well; I just want to highlight the issues that the article has.

To be honest, there is no silver bullet solution to ensuring privacy/anonymity on the Internet, particularly if you are trying to hide from an all-powerful adversary. Many tools, even the ones that have good encryption, leak metadata that can be used to fingerprint users. So the truth is you need to learn to compartmentalize (separate your identities) if you really want to hide. Using hipster services that have never been audited, or running them yourself, is a terrible idea unless you really really know what you are doing (protip: you don't).

I have made a list below that covers all the issues I have with this article, hopefully it provides some useful insight:

1. The article starts off with this:

Your selfies or any other stuff you have on your device or whatever sites you visit are nobody’s concern but yours, so here is my list of over 30 things to help keep your devices and communications private.
But why is privacy important if I am not doing anything wrong?
Well I am not saying that you would, but… if you did a search for spotty dick cream, do you really want 2000 companies around the globe tracking that information? Privacy is a human right and if you close your curtains at night, it's because you really do expect some level of privacy.

The author implies that using certain tools will make you “go dark” on the Internet when this just isn't true (I will discuss this more in detail further down). Since it is not clear who we are trying to hide from (Google? Facebook? Your ISP?) it is difficult to know for sure how much effort we should put into trying to stay hidden.


2. VPNs

So let's get started by closing the curtains and using a VPN. This won't make you anonymous but will help keep you private. Importantly it should have a no logging policy and is based outside the US, support OpenVPN, use encryption as well as accept Bitcoin. Here are only four that I found that fit the criteria:

Here’s the thing with this suggestion: if the feds ask them for logs, they will give them logs. I can guarantee there is no provider out there who truly does not log traffic; it would make it very tough for them to troubleshoot their services, plus Law Enforcement (LE) would easily be able to make them do it. This brings up one of the most important rules for Operational Security: don’t expect other people to go to jail for you! Even if you are not doing any shenanigans on the VPN service, LE may demand logging from the provider or else they face consequences. Guess which one they will choose? Basically, make sure you understand VPNs (how they work, who can see what, etc.) before you use them.

Also, going to a VPN before Tor is a bad idea when you are trying to hide from a powerful adversary who has access to logs (presumably why you wanted no logging on the VPN, right?). If you are going to use a VPN, connect to it after connecting to Tor so that it is not possible for the log to reveal your true IP. To be honest, if you are at this stage you are likely being paranoid or living in an oppressive country, in which case this is a valid reason to be paranoid.
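The ordering argument above can be checked with a small model. This is an added example, not code from the original post; it assumes every hop logs only the address it receives traffic from and the address it forwards to, and all hop names are constructed placeholders.

```python
# Simplified log model (an assumption of this example): each hop records only
# its immediate source and the next address it forwards to. Timing correlation,
# payment records and account details are out of scope.

USER = "user-real-ip"          # constructed placeholder names, not real hosts
DEST = "destination-site"
TOR = ["tor-guard", "tor-middle", "tor-exit"]

CHAINS = {
    "vpn only":     ["vpn"],
    "vpn then tor": ["vpn"] + TOR,   # VPN first, Tor carried inside the tunnel
    "tor then vpn": TOR + ["vpn"],   # Tor first, VPN reached through Tor
}

def hop_logs(chain):
    """Return {hop: (source_seen, next_hop_seen)} for one chain of hops."""
    path = [USER] + chain + [DEST]
    return {path[i]: (path[i - 1], path[i + 1]) for i in range(1, len(path) - 1)}

def vpn_log(chain):
    """What the VPN provider could hand over if asked for its logs."""
    return hop_logs(chain)["vpn"]

def linked_by(chain, obtained):
    """Can logs from the `obtained` hops alone tie USER to DEST?

    The trail is followed hop by hop from the user's first connection and
    breaks at the first hop whose logs the adversary does not hold.
    """
    logs = hop_logs(chain)
    current = chain[0]
    while current in obtained:
        nxt = logs[current][1]
        if nxt == DEST:
            return True
        current = nxt
    return False

def summary():
    """Per chain: what the VPN log contains and whether it suffices alone."""
    rows = {}
    for name, chain in CHAINS.items():
        src, nxt = vpn_log(chain)
        rows[name] = {"vpn_sees_real_ip": src == USER,
                      "vpn_sees_destination": nxt == DEST,
                      "vpn_logs_alone_link_user": linked_by(chain, {"vpn"})}
    return rows

if __name__ == "__main__":
    for name, row in summary().items():
        print(f"{name:13} {row}")
```

Only the "tor then vpn" row leaves the real IP out of the VPN log, but in that row the VPN still sees the destination, so the account used to buy the VPN must not identify you either.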

For more info watch this talk by the grugq. While it is targeted for h̶a̶c̶k̶e̶r̶s̶ freedom fighters, one thing it does well is showing that service providers will not go to jail for their customers. This means they will log traffic, they will know who sends what and they will give it up if asked for it.

As for bitcoin, it can and has been traced to identify the users.

US investigators traced the bitcoin usage of a corrupt Secret Service agent during the Silk Road case

3. Web Browsers

For your browser use Firefox: https://www.firefox.com/
or for even better privacy use the Tor browser: https://www.torproject.org/projects/torbrowser.html

Here’s the thing: Firefox still does not implement a sandbox. If you want to be safe online it's really best to stick to Chrome/Chromium, which does implement a sandbox for all its processes (ideally Chromium, but that's annoying to update on Windows).

As far as Tor is concerned, the problem with the Tor browser is that you have to remember to use it. It’s pretty easy to forget you need the Tor browser when performing a certain task and so you accidentally open normal Firefox instead. A nicer solution would be to use something like P.O.R.T.A.L (old) or PORTAL of Pi (new), which forces all traffic to travel over Tor. However, you should think about whether Tor is actually useful for your specific case. It may be overkill, and it is always important to have an understanding of your threats before panicking and “going dark”.


4. Running Your Mailbox

Or become Your Own Email Provider with: “Mail-in-a-Box”. It lets you become your own mail service provider in a few easy steps. It’s sort of like making your own gmail, but one you control from top to bottom. Mail-in-a-Box turns a cloud computer into a working mail server. But you don’t need to be an expert to set it up. https://mailinabox.email/

This is a bad bad idea. Google and Microsoft have some of the best security teams in the world working for their email departments. Running your own mail is not a good idea unless you are a real pro; unfortunately most of us are not and are safer off sticking to Gmail. On top of that, Gmail has a well established 2 factor auth system that you should use to protect your account.

Oh, and as far as snooping on emails goes, email was never designed to be secure. If you want to keep messages safe, use something modern to send messages like Signal (or WhatsApp if no one you know wants to use Signal). PGP is pointless for the most part because it is difficult to manage and almost impossible for non-technical users to grasp.


5. Threema

Encrypted Instant Messenger: “Threema” It encrypts all your communications end-to-end including messages, group chats, files and even status messages. Only the intended recipient can read your chats and nobody else. https://threema.ch/en

I am personally not familiar with Threema, I have never used it but the grugq seems to have a post about it so check it out. Spoilers: It doesn’t seem that bad.

PS: Don’t use Telegram, use Signal or WhatsApp.


6. Tox, aka I’m an idiot and I write things in C

Encrypted Video & Voice Messenger: “TOX” A free and open-source, peer-to-peer, encrypted instant messaging and video calling software. The ease of use is fantastic, I use it regularly and I can't fault it apart from the power usage. https://tox.chat/

Just do not use this. It’s never been properly audited, it has way too many clients (each of which has never been audited), it is written in C (so it's impossible to understand by sane human beings) and did I mention it's never been audited? Stay away from this. Use Signal (which has been audited) if you want to keep your messages secure; it even has a Chrome addon now for desktop usage.


7. KeePass

Password Manager Software: “KeePass” It’s a free open source password manager to manage your passwords in a secure way. All passwords are in one database, which is locked with one master key or a key file. The databases are encrypted using AES and Twofish. http://keepass.info/download.html

KeePass is a fine tool. I would maybe prefer KeePassX just so you don’t have to deal with Mono on non-Windows platforms, but it’s not the end of the world. The only thing you might want to consider with this is the value an application like 1Password might provide if you need access to passwords on various devices, as it allows syncing. 1Password is generally regarded to be safer than LastPass and other cloud alternatives, so check it out if KeePass makes managing on multiple devices too difficult.

But wait, what things can I do to protect my privacy?

Well, I would suggest reading this article by Troy Hunt; it has some good advice on how to create a virtual identity. Never ever forget to clearly define who you are trying to hide from! The more powerful the adversary, the more serious your commitment needs to be. Please also never forget to have a realistic idea of what you need to protect; the NSA is seriously not interested in you unless you happen to be a ji̶h̶a̶d̶i̶s̶t̶ freedom fighter. One thing I highly recommend is using KeePassX or 1Password to manage your online identities (background, accounts, PII). As Troy suggests, you may find it useful to generate these online identities at random as needed. Remember that separation of identities is key to protecting yourself on the internet. If there is ever a breach on a service you registered for with a fake identity, then the only data that will be leaked is data that does not impact you (besides that you may need to generate a new ID, but that's not a big deal).

Conclusion

That’s pretty much it. Some of the other items mentioned in the article were left out because I either did not have experience with the product or didn't have much of an issue with it. If you think I made any mistakes or have feedback, please feel free to leave a comment or reach out to me on Twitter!