Security

[mharrison]

With the recent influx of postings by one particular paranoid member over at FDN, my interest has been grabbed. Not by the fact that everyone is out to get me, from the government to corporations, but rather about data mining companies like Google and Facebook and just general data collection for targeted advertising.

I recently began using DoNotTrack Plus in Iceweasel and I have been amazed at the number of trackers on websites I visit frequently. While I do not see the need to lock down every aspect of my machine...I have been wondering if I could/should take additional measures to ensure some privacy online.

With that being said, I'm curious as to others opinions and/or methods when it comes to security online....besides the obvious "do not use Facebook or Google"

Myself, I've been playing around with the Tor bundle...mainly for educational purposes rather than trying to convince myself that it will meet my everyday needs.
I'm actually excited to see a technical discussion on this topic rather than the paranoid political discussions occurring at FDN....Just so it is known, I think that someone's heart is in the right place, they just aren't preaching to the right choir if you will.

[JohnDeere630]

I've been thinking about a vpn service; but I have to admit I'm too lazy to worry about it too much. I have a hard time getting too worked up about internet security, which is probably a mistake. The sites I visit would make some seriously boring reading for the NSA....

All that aside, I do not see why Ahtiga gets so much crap at FDN; I'm not talking about the attention of the mods, but other users. I have found his posts for the most part to be well-written and informative. I don't always agree with his overly pessimistic take, but I don't live in Syria, either. You have to admit he has a cool demeanor and is not easily offended; qualities I would do well to emulate.

I would not mind if he posted here, so long as he kept to the appropriate section, hell, I'd even put up a proposal to add a special section for security-related topics for him.

[nadir]

To me it looks as if the site https://help.riseup.net/ would be a good start.
(they got a clear political position, but the security info are valid this way or the other. Very straight, short enough, not too high level).

So what i try is:
encrypted email
tor for iceweasel
tor in .bashrc, so all and everything, including apt-get runs over tor
adblock, google-sharing and NoScript addons for iceweasel
i2p, but that is really for the basement-boys (it _is very different from the WWW)
duckduckgo or lxquick or seeks for searching, yacy is too strange for me.
encryption and/or tor for jabber, irc, and similar services is giving me hard times.
VPN i did not try yet.
for email i got an account at riseup, also one for and from i2p (all other email accounts are the usual gangsters)
to encrypt files i use "gpg -c name-of-file", cryptkeeper and cryptsetup
i del the cache of iceweasel when closing it, don't save passwords, etc.

I run tor with:
https://github.com/jvasile/freedombox-privoxy
and test all i am able to from the freedombox-project (most of what they talk about i am not able to test, very heavy stuff)

There have been several posts at diaspora how to replace google-services (many people seem to be not that happy with the new privacy-policy of Google)
I might add the proposals later (nothing that unusual).

There was a good summary about related tools by craigevil at forums.debian.net. I might add it later.

I wish i would understand more of security questions. I regulary read about it, but it is very difficult.

[mojoman]

I for one is mostly interested in this from a more principled position. The way things are headed, personal integrity is going down the drain. Think if someone come up with the idea that every snail mail letter sent should be indexed and catalogued in regard to who sent it, when, and to who, by the government for future reference in a potential but very unlikely criminal process? In just about any western democracy there would have been an uproar and the politician suggesting it would probably have been unelectable for years to come (and a liablilty to his or hers political party, regardless of colour). Not to mention had such a suggestion included that the actual content on the letter be photocopied and kept for future refence, just in case the person shows up in a criminal investigation, that may or may not pertain to national security? And to keep this for years? Yet this is what is happening in regard to electronic communication, and the sheeple is for most parts happily letting it happen, while they facebook away on their iphones.

The same goes with data mining being done by companies. That people know stuff about us is no big deal. It's the accumulation and cross referencing that makes it a bit scary, not to mention a clear breach of personal integrity. I don't mind the guy at the bank knowing how much I make. I don't mind the guy at the other bank knowing how much I have saved. I would object if they started sharing information about me. The woman at the licker store knows I'm a bit particular to Spanish brandy. But she has no business knowing how much I make or have saved, and the guys at the bank should keep their noses to themselves in regard to what, when and how much I drink. If someone is compiling this stuff and selling it, it makes me angry and I do take objection.

Having said that, I take litte action save opting out of certain "services", using adblock and noscript and not accepting cookies from strangers (It's a bad idea to do so on the Internet too, you know).

But I think integrity is like the air we breath. You take it for granted until it gets really polluted or someone is turning it off. Then you realize it was really nice to have around. Here in Sweden, I will most likely never again vote for any of the main stream parties. They seem to think that I'm a sheep in need of an ear tag.

edited for typo/clarity

[mharrison]

+1 to Uncle Mojo's post. I feel much the same way. For me, the fact that the government is trying to spy on me couldn't really bother me less. I tend to vote for the guys who whole the ideals that I do, or at least close to them and I feel that "if you aren't doing anything bad or illegal, let them spy". I do find it objectionable when companies work hard to compile data on me and then sell it. What honestly did it for me was the constant Facebook spam on how they are going to start charging, in which the company keeps telling people we will never charge....then a cartoon came out with some animals talking about the free food and the bar they got and the caption was something along the lines of "if you aren't paying for a service, you are the product" and since then I've tried to limit what they can collect on me. Was rather ignorant of the tracking aspect where they are actually looking at my history and cookies seeing where I have been and then using that to target ads when I am on their service. Not that I saw the ads thanks to adblock, but it is objectionable all the same.

I've been considering dropping Gmail as my primary e-mail account, but I don't really have any alternatives that I like, and I have done as much scrubbing of personal info on my Google Profile as I can do before the new privacy policy went live. Did the same thing with my Facebook account...I removed all photos, set my security preferences all by hand instead of using their prefabricated options, and scrubbed as much private data from the account as I could. Being fully aware of the old adage that if you don't want the public to know, don't put it on the Internet, I don't mind having accounts with Google or Facebook....but I'm not against alternatives to either.

Now, convincing my wife of these things is a whole new ballgame. I've been trying to inform her that my son will have an online presence compiled on him before he is even old enough to get on the Internet himself for the first time the way she is going, but that is one battle I may not win.

nadir's post was good. I'm going to have to look in to using tor for everything else other than web browsing. Since torbutton no longer works on the newer versions of Iceweasel, I had to download the torbundle, but that does not include privoxy and does not enable tor system wide...worth exploring to me, but I'm not overly concerned about people knowing what I pull in from apt-get or what questions I ask on IRC....maybe if I more casually chatted on IRC I would consider it, but at this point the only channel I get on in IRC is #Debian.

I use duckduckgo when I think about it, but I have just used google for so long that I have to break my habit. Although, when I was reading the ways to protect yourself from eff.org I've considered their 2 web browser approach, one of which I keep open with my e-mail account signed in (it might be easier to use an e-mail client, but I don't like that...I like having it all in one place accessible to me from anywhere) and possibly facebook, and then use my tor enabled browser for my general surfing and such...

Just hope I don't get to the point I need to buy several rolls of tinfoil to start making myself hats to wear.

[nadir]

Here is the list i spoke of above, written by craigevil
(not as a full list, but as a first idea, like he has put it. He has marked the tools tested with an asterisk):
Basic tools:
*lynis - security auditing tool for Unix based systems
*rkhunter - rootkit, backdoor, sniffer and exploit scanner
*chkrootkit - rootkit detector
*tripwire - file and directory integrity checker
*tiger - Report system security vulnerabilities
*bastille - Security hardening tool

Others:
unhide - Forensic tool to find hidden processes and ports
unhide.rb - Forensic tool to find processes hidden by rootkits
*aide - Advanced Intrusion Detection Environment
bsign - Corruption & intrusion detection using embedded hashes
systraq - monitor your system and warn when system files change
snort - flexible Network Intrusion Detection System
psad - Port Scan Attack Detector
samhain - Data integrity and host intrusion alert system
*acct - The GNU Accounting utilities for process and login accounting
pmacct - promiscuous mode traffic accountant
iotop - simple top-like I/O monitor
nmap - The Network Mapper
pads - Passive Asset Detection System
tshark - network traffic analyzer - console version
wireshark - network traffic analyzer - GTK+ version
clamassassin - email virus filter wrapper for ClamAV
*Iclamav - anti-virus utility for Unix - command-line interface

I think one can add "fail2ban" and "nagios" and "tcpdump". I for one am looking at network monitoring right now (darkstat, which is web-based, iftop and etherstatus) : http://wiki.ubuntuusers.de/Netzwerk-Mon ... t=darkstat
But for that i need to understand more of networking ... so that is what i read too (The TCP/IP guide by Charles M. Kozierok)

To someone like me that sounds like... say: 10 years of work, at minimum 5 (if i do nothing else).
And that is the problem as i see it: one needs to keep being able to do something (else one could/should remove the PC altogether).
No need to ignore the problem, but no need to make it more dramatic than it is.

[nadir]

"retroshare" looks like a good, and gpg-secure, replacement for social networks (file-sharing, email, chat, forums, channels, etc).
The bad news:
a) it is not in the Debian repos
b) you must convince your friends to use it too
c) lots of activities in the retroshare-forum (dedicated to usage of retroshare itself), seem to be in German. Official docu and all is English, sure.
d) the instant-messanger (or one other build-in-tool) is proprietary. Big-Buh from here.
e) like all good things out there (gnutet, i2p, whatnot): too little amount of people who use it.
f) qt

The good news:
a) secure, like said, as far i understand
b) it is friend-to-friend, but it can be peer-to-peer too (which means: you can download loads of stuff)
c) has a funny build in graphics, similar to etherape.
d) the freedombox director of board (?) has an eye on it, might well be it will be added (in, say, 42 years or so )
e) gpg-key-creation and storage is very comfortable. No knowledge needed (gets done during first start).

[cynwulf]

All that aside, I do not see why Ahtiga gets so much crap at FDN; I'm not talking about the attention of the mods, but other users. I have found his posts for the most part to be well-written and informative. I don't always agree with his overly pessimistic take, but I don't live in Syria, either. You have to admit he has a cool demeanor and is not easily offended

+1

I would not mind if he posted here

+1

Shall I attempt to invite him over...? Hmmm... I would need to send encrypted PMs and use tor - too much hassle...

[mharrison]

All that aside, I do not see why Ahtiga gets so much crap at FDN; I'm not talking about the attention of the mods, but other users. I have found his posts for the most part to be well-written and informative. I don't always agree with his overly pessimistic take, but I don't live in Syria, either. You have to admit he has a cool demeanor and is not easily offended

+1

I would not mind if he posted here

+1

Shall I attempt to invite him over...? Hmmm... I would need to send encrypted PMs and use tor - too much hassle...

He couldn't join anyways.....the captcha image stops him because he won't load images and cannot trust giving out any bit of information due to the possible discovery of his compound. Frankly I think he catches so much crap from the users because the vast majority of them don't care what he has to say yet he keeps on saying it. His choice...I just ignore posts for the most part he participates in as I don't feel like reading 20 page dissertations.

[mojoman]

"retroshare" looks like a good, and gpg-secure, replacement for social networks (file-sharing, email, chat, forums, channels, etc).
The bad news:
a) it is not in the Debian repos
b) you must convince your friends to use it too
c) lots of activities in the retroshare-forum (dedicated to usage of retroshare itself), seem to be in German. Official docu and all is English, sure.
d) the instant-messanger (or one other build-in-tool) is proprietary. Big-Buh from here.
e) like all good things out there (gnutet, i2p, whatnot): too little amount of people who use it.
f) qt

The good news:
a) secure, like said, as far i understand
b) it is friend-to-friend, but it can be peer-to-peer too (which means: you can download loads of stuff)
c) has a funny build in graphics, similar to etherape.
d) the freedombox director of board (?) has an eye on it, might well be it will be added (in, say, 42 years or so )
e) gpg-key-creation and storage is very comfortable. No knowledge needed (gets done during first start).

That's a nice list to start checking items off.

Earlier on, chinese script kiddes was rattling the locks on my ftp server about half a dozen times per day, doing brute force attacks on ssh. This was when I had port 22 open for ssh. Wasn't really a problem as I had fail2ban installed and running, so it was "three strikes and you're out" and there is no way someone is going to break a good password with a three tries brute force attack. Still, it sort of bugged me, because even if they don't break in it's a nuisance to have them rattling the lock all day, so I changed to a non-default port. I *never* have any problems with script kiddies doing brute force attacks any more.

It goes to show that even minor changes can improve security quite a lot.