Why is Privacy Important?

First, the definition of privacy according to the Cypherpunk Manifesto:

Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.

Privacy is not just a personal preference but a fundamental right that is essential for protecting individual freedom, democracy, and the integrity of the digital world.

Privacy is also important because it allows individuals to express themselves freely without fear of reprisal. In a world where dissent is not tolerated, privacy allows people to speak out against the system without putting themselves in danger. It also allows people to explore their identities and beliefs without fear of judgment or persecution.

Furthermore, privacy is essential for maintaining trust in relationships. In a world where everything is monitored and recorded, privacy is the only way to maintain intimacy and trust in personal relationships. Without privacy, relationships become transactional and superficial, devoid of the emotional connection that makes them meaningful.

Finally, privacy is important for democracy. In a world where information is power, privacy ensures that everyone has access to the same information and is not unfairly disadvantaged. Without privacy, those in power can use their access to information to manipulate elections and undermine democracy.

How to migrate to secure and private tools?

NOTE: most of the recommendations here are in sync with those of privacyguides.org. I highly recommend their guides.

  1. Get a Linux-capable notebook. Framework laptops are a nice option: user-customizable, upgradable and repairable. System76 hardware is also great, with open firmware, native coreboot and the ability to disable Intel’s Management Engine (ME); avoid AMD machines, since System76 cannot disable the AMD Platform Security Processor (PSP). Also don’t forget to disable Intel’s ME with corna/me_cleaner.
  2. Get a Google Pixel smartphone. Install GrapheneOS. It is more secure than any Linux distribution.

GrapheneOS should be your default high-security platform, with Linux coming in as a close second-best alternative.

Linux/Qubes

Linux is not a silver bullet.

Linux is not safe.

That’s why I recommend Qubes OS.

Qubes OS

This is the most secure persistent-storage OS. It uses type-1 virtualization to compartmentalize everything. There’s a great guide on how to install Qubes at anonymousplanet.org. For the extra paranoid there’s a detached encrypted boot and header guide. By using a detached header, the encrypted block device itself only carries encrypted data, which gives deniable encryption as long as the existence of a header is unknown to the attackers. Deniable encryption describes encryption techniques where the existence of an encrypted file or message is deniable, in the sense that an adversary cannot prove that the plaintext data exists.

Some suggestions on how to run your Qubes OS:

  1. Disable Bluetooth. Disable, preferably in the BIOS, Bluetooth, the fingerprint scanner, and any other unused hardware that enlarges your attack surface.

    Alternatively, you can start dom0 and edit /etc/modprobe.d/blacklist-bluetooth.conf:

    blacklist bnep
    blacklist bluetooth
    blacklist btusb
    
  2. Activate Anti Evil Maid, if your hardware supports it (TPM 1.2).

  3. Use the Btrfs filesystem. The default Qubes filesystem is ext4 on LVM. If you have very large (in space) VMs you might experience issues: dom0 really hogs the CPU after shutdown of huge app VMs. Btrfs solves this issue.

  4. Split Everything:

Linux

Don’t forget to check my NixOS paranoid build with root on tmpfs. This means that everything outside a few persisted directories under /etc and /home is wiped out on every reboot.

Knowing that, if you still want to use Linux, go ahead. Linux is much better than Windows. There is some nice information on how to harden your Linux system (additional resource here). If you want the maximum available privacy and security in your Linux distribution:

  1. Use Private and Secure Distributions! Avoid telemetry that often comes with proprietary operating systems. Maintain software freedom. Encrypt your system (ALWAYS).

  2. Use Secure Boot. Secure Boot can be used to secure the boot process by preventing the loading of unsigned UEFI drivers or boot loaders. This is especially useful against evil maid attacks.

  3. Don’t use a swap partition. Consider using ZRAM to avoid the security issue of sensitive data being pushed to swap space.

  4. Use Wayland. It is more secure than Xorg because it is developed with security in mind and supports GUI isolation: no window can record the screen, log keystrokes, or inject input into another window.

  5. Use Network Manager MAC randomization. Create a file /etc/NetworkManager/conf.d/wifi_rand_mac.conf:

    [device-mac-randomization]
    # "yes" is already the default for scanning
    wifi.scan-rand-mac-address=yes
    
    [connection-mac-randomization]
    # Randomize MAC for every ethernet connection
    ethernet.cloned-mac-address=random
    # Generate a randomized value upon each connection
    wifi.cloned-mac-address=random
    # Generate a random MAC for each WiFi and associate the two permanently
    #wifi.cloned-mac-address=stable
    
  6. Use the /etc/hosts file to block spyware, adware and malware system-wide. I recommend StevenBlack/hosts.

  7. If you need a VPN, use Mullvad or IVPN.

  8. Use a custom DNS resolver. I sometimes use Mullvad’s ad-blocking DNS over TLS: adblock.doh.mullvad.net; or AdGuard’s ad-blocking DNS over TLS: dns.adguard-dns.com. You can find the list at mullvad/dns-blocklists.

  9. Use a firewall. You could also set your default firewalld zone to drop packets:

    firewall-cmd --set-default-zone=drop;
    firewall-cmd --add-protocol=ipv6-icmp --permanent;
    firewall-cmd --add-service=dhcpv6-client --permanent;
    
  10. Use Full Disk Encryption. Also make sure that your PBKDF is argon2i, as detailed below.

  11. Secure your bootloader (generally GRUB) with a password.

  12. Never leave your master GPG key on your computer. The files in your home directory are not as well protected as we like to think; they can be leaked or stolen. Remove your master key from your home directory and store it on offline storage. Use subkeys. Follow the Linux Kernel Maintainer PGP Guide, and also the Riseup OpenPGP Best Practices (which are in Jacob Appelbaum’s duraconf “collection of hardened configuration files”). This means getting a PGP smart card. YubiKeys are available all over the world and easy to buy. Use one.

  13. If you access the machine through SSH, turn on the stronger authentication based on public-key cryptography.

  14. Sandbox almost everything that you don’t trust. If you need to use proprietary crap, run it in Flatpak and use Flatseal, a simple GUI for managing sandbox permissions.

  15. Disable Bluetooth: you can disable it at the OS level with systemd and at the kernel level with modprobe.

    • systemd:

      systemctl stop bluetooth.service
      systemctl disable bluetooth.service
      systemctl mask bluetooth.service
      
    • modprobe: you may instead want to tell your kernel not to load the drivers for these wireless devices at all. This means your OS and kernel won’t know how to interface with these devices, and they will remain unpowered.

      First, check what kernel modules are currently loaded with lsmod:

      cat@rt~ $ sudo lsmod
      Module                  Size  Used by
      btusb                  57344  0
      btrtl                  20480  1 btusb
      btbcm                  16384  1 btusb
      btintel                28672  1 btusb
      bluetooth             577536  5 btrtl,btintel,btbcm,btusb
      ecdh_generic           16384  1 bluetooth
      ecc                    32768  1 ecdh_generic
      [...]
      

      We can see that on my machine there are several Bluetooth drivers loaded: btusb, btrtl, btbcm, btintel, and bluetooth.

      btusb is the generic driver that each of the other modules relies on. It should be sufficient just to unload btusb, but since I know the others aren’t going to be used either, I like to be thorough and make sure none of these drivers load.

      We will do this by telling modprobe, through its configuration file, to ignore these kernel modules with the blacklist directive. This goes in /etc/modprobe.d/blacklist.conf:

      blacklist btusb
      blacklist btrtl
      blacklist btbcm
      blacklist btintel
      blacklist bluetooth
      

      To avoid GNOME crashes, install the gnome-shell-extension-remove-bluetooth-icon package.
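The two blacklist fragments above (the Qubes dom0 one in step 1 and this modprobe one) are written by hand from lsmod output. As an added example, not code from the post, the script below does the same from lsmod text: it picks out the Bluetooth modules and renders a fragment for /etc/modprobe.d/blacklist-bluetooth.conf. It also adds an install <module> /bin/false line per module, because blacklist alone only stops alias-based autoloading; an explicit modprobe, or a dependency pull-in by another module, would still load it. Function names and the sample lsmod text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): find the Bluetooth kernel modules that
# lsmod reports as loaded and render the modprobe.d fragment that keeps them
# out.  Function names and the sample lsmod text are constructed for this
# example; pass --live to run the check against the real lsmod output.

# Bluetooth modules the post names, plus the MediaTek vendor helper.  An
# explicit list is used on purpose: a loose prefix like bt* would also match btrfs.
BT_MODULE_RE='^(bluetooth|bnep|rfcomm|hidp|btusb|btrtl|btbcm|btintel|btmtk)$'

# Constructed lsmod excerpt modelled on the post's output, with a non-Bluetooth
# module (btrfs) mixed in to show that it is left alone.
SAMPLE_LSMOD='Module                  Size  Used by
btusb                  57344  0
btrtl                  20480  1 btusb
btrfs                1417216  1
bluetooth             577536  5 btrtl,btintel,btbcm,btusb
ecdh_generic           16384  1 bluetooth'

# bt_modules_from_lsmod: read lsmod-style text on stdin and print the
# Bluetooth module names found in the first column, one per line, sorted.
bt_modules_from_lsmod() {
    awk -v re="$BT_MODULE_RE" 'NR > 1 && $1 ~ re { print $1 }' | sort
}

# render_blacklist: for each module name on stdin emit two lines.
# "blacklist" only stops alias-based autoloading at boot or hotplug;
# "install <mod> /bin/false" makes an explicit modprobe, or a dependency
# pull-in by another module, fail as well.
render_blacklist() {
    while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
    done
}

# bt_blacklist_fragment: full pipeline over the text on stdin, giving the
# content for a file such as /etc/modprobe.d/blacklist-bluetooth.conf.
bt_blacklist_fragment() {
    bt_modules_from_lsmod | render_blacklist
}

if [ "${1:-}" = "--live" ]; then
    lsmod | bt_blacklist_fragment
else
    printf '%s\n' "$SAMPLE_LSMOD" | bt_blacklist_fragment
fi
```

Write the output to /etc/modprobe.d/ with sudo tee, unload the modules that are already resident (sudo modprobe -r btusb bluetooth, or reboot), then re-run with --live: an empty result means nothing Bluetooth-related is loaded. The install override also means anything that genuinely depends on one of these modules will fail to load it, which is the intended effect here.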

Open Source Alternatives

Here are some of my suggestions for you to migrate your proprietary tools to open source tools:

GrapheneOS

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project.

GrapheneOS improves the privacy and security of the OS from the bottom up. It deploys technologies to mitigate whole classes of vulnerabilities and make exploiting the most common sources of vulnerabilities substantially more difficult. It improves the security of both the OS and the apps running on it. The app sandbox and other security boundaries are fortified. GrapheneOS tries to avoid impacting the user experience with the privacy and security features. Ideally, the features can be designed so that they’re always enabled with no impact on the user experience and no additional complexity like configuration options. It’s not always feasible, and GrapheneOS does add various toggles for features like the Network permission, Sensors permission, restrictions when the device is locked (USB peripherals, camera, quick tiles), etc. along with more complex user-facing privacy and security features with their own UX.

GrapheneOS is recommended as one of the most secure and private options on Android.

How to install

GrapheneOS has two officially supported installation methods. You can either use the WebUSB-based installer recommended for most users or the command-line installation guide aimed at more technical users.

A note regarding battery life

You don’t need to do battery optimizations. Modern phones with built-in batteries have their own battery-management controllers, which take into account the number of charge cycles the battery has undergone and automatically reallocate overprovisioning as required, so that the charging and cutoff thresholds are set automatically and transparently to give the best battery health over time. This makes the old school of thought of charging to 80% obsolete.

Take a look at the GrapheneOS battery recommendations.

Apps

It already comes with a nice browser (Vanadium) and a good Camera App.

You can also sandbox Google Play apps in GrapheneOS.

The vital apps to have:

A good list can be found at brainfucksec.github.io.

  1. F-Droid.
  2. Aurora Store for Google Play apps.
  3. Email with FairEmail. It supports PGP sign/encrypt.
  4. Privacy Browser with Bromite (additionally check brainfucksec.github.io for Bromite hardening tips).
  5. Calendar with DAVx5.
  6. Passwords and TOTP with KeePassDX.
  7. GPG Keys with OpenKeyChain.
  8. If you need VPN use mullvad, or IVPN.
  9. Email aliases with SimpleLogin.
  10. YouTube with NewPipe.
  11. Spotify with SpotiFlyer. Note that you can also download Spotify playlists with SpotDL. There’s an open source frontend for Spotify called Spotube. There’s an open source frontend for YouTube Music called ViMusic.
  12. Videos with VLC or mpv.
  13. RSS Feeds with Feeder.
  14. PDF Scanner with Open Note Scanner or OpenScan.
  15. TorBrowser with Guardian Project’s F-Droid Repository.
  16. Navigation with OsmAnd+ and Organic Maps.
  17. Messaging with Signal, Session, and SimpleX.
  18. Removing EXIF and compressing Images with ImagePipe, ObscuraCam or Scrambled Exif.
  19. Weather with Forecastie.
  20. Online Meetings with Jami.
  21. PDF and ebooks with Librera Reader.
  22. Torrents and general downloads with Aria2App and LibreTorrent.
  23. FTPClient.
  24. Control your Smartphone Internet with NetGuard. You don’t need to install this. The most effective way to block network access is to revoke the network permission from the app like GrapheneOS allows you to do.
  25. Block Adware, Spyware and Malware with AdAway (it uses StevenBlack/hosts under the hood).
  26. Block unwanted calls with Yet Another Call Blocker.
  27. Simple Mobile Tools.

What about VPN?

If you are using a VPN, check if you are leaking your DNS with https://dnsleaktest.com/.

VPNs are no silver bullet. Do not trust the VPN ads; they exist to sell you something. You are just transferring trust from your ISP (Internet Service Provider) to your VPN service provider.

But they are useful, specifically when:

  1. You need a specific geolocated IP address.
  2. You need to hide some traffic from your ISP (this is most important if you are a person of interest in a f*****-up country).
  3. You need to increase your anonymity set, i.e. have plausible deniability that you might or might not be a given person. This is recommended when downloading and seeding torrents.

Suggestions:

  • If you want a simple solution, just use Mullvad or IVPN. They are well-known private VPN services that claim to keep no logs and no personal information. Also, Mullvad is located in Sweden, which has very good privacy-respecting laws. Buy a subscription using cryptocurrency with obfuscation techniques, such as Monero or coinjoined Bitcoin. If you need something quick and dirty, IVPN offers IVPN Light, which gives you VPN access for 3 hours, 1 day, 1 week, or 1 month. You can pay with Lightning.
  • If you want to do it yourself, see this video guide by Mental Outlaw. It teaches you how to make your own VPN with OpenBSD (a VERY secure Unix-like OS) and WireGuard. For the VPS hosting, use either 1984 or orange. Both are located in Iceland, which has very good privacy-respecting laws.
  • You can also just use Tor to obfuscate your traffic.

If you need to use a VPN but also want to obfuscate the traffic further or bypass a restriction or firewall block, use Shadowsocks.

VPN Setup

Sources: the wg-quick manpage, Mullvad’s WireGuard on Linux terminal guide, IVPN’s Autostart WireGuard in systemd, and IVPN’s WireGuard Kill Switch.

For the extra paranoid, you can use VPNs without installing their apps. You will use WireGuard, which is available in almost all Linux distributions. Depending on circumstances, just installing wireguard-tools will suffice (all necessary dependencies will be installed with it).

  1. Create your configuration in /etc/wireguard/wg0.conf. You can also name wg0.conf whatever you want. Any free-form string [a-zA-Z0-9_=+.-]{1,15} will work. These configs are generally provided by your VPN provider. They generally look something like this:

    [Interface]
    PrivateKey = abcdefghijklmnopqrstuvwxyz0123456789=
    Address = x.y.z.w/32
    DNS = x.y.z.w
    [Peer]
    PublicKey = abcdefghijklmnopqrstuvwxyz0123456789=
    Endpoint = sub.wg.domain.tld:9999
    AllowedIPs = 0.0.0.0/0
    
  2. Add “kill switch” configs. Add the following two lines to the [Interface] section, just before the [Peer] section:

    PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
    PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
    

    You may have trouble connecting to your local network. You can modify the kill switch so it includes an exception for your local network, for example ! -d 192.168.1.0/24:

    PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
    PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
    
  3. Make sure that the permissions are correct, so only root can read the files:

    sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard
    
  4. Start the WireGuard connection with:

    sudo wg-quick up wg0
    # to disconnect
    sudo wg-quick down wg0
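
To see what step 2 actually enforces: the PostUp rule rejects every outgoing packet that (a) is not leaving through the tunnel interface (! -o %i), (b) is not WireGuard’s own encrypted UDP traffic, which wg-quick marks with the interface’s fwmark (! --mark $(wg show %i fwmark)), and (c) is not addressed to a local address (! --dst-type LOCAL); PreDown removes the same rule so the host is not left without connectivity after the tunnel is torn down. As an added example, not code from the post, wg-quick, Mullvad or IVPN, the script below checks a wg-quick configuration for the properties steps 1 to 3 rely on before you run wg-quick up: a full-tunnel AllowedIPs, a PostUp/PreDown kill-switch pair, and owner-only file permissions. Function names and both sample configs (with placeholder keys) are constructed.

```shell
#!/bin/sh
# Added example (not from the post, wg-quick, Mullvad or IVPN): sanity-check a
# wg-quick configuration before running "wg-quick up".  It verifies what the
# steps above rely on: a full-tunnel AllowedIPs, a PostUp/PreDown kill-switch
# pair, and a file that only its owner can read.  Function names and the two
# sample configs (with placeholder keys) are constructed for this example.

# wg_conf_value FILE SECTION KEY: print the value of KEY inside [SECTION]
# (first match), or nothing if it is absent.  "Key = value" and "Key=value"
# are both accepted, as wg-quick does.
wg_conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; sub(/[ \t]+$/, "", line) }
        line == sec  { in_sec = 1; next }
        line ~ /^\[/ { in_sec = 0 }
        in_sec && !done {
            k = line; sub(/[ \t]*=.*/, "", k)
            if (k == key) { v = line; sub(/^[^=]*=[ \t]*/, "", v); print v; done = 1 }
        }' "$1"
}

# wg_conf_check FILE: print one PASS/FAIL line per check; return 1 if any failed.
wg_conf_check() {
    f=$1; rc=0

    # 1. AllowedIPs must include 0.0.0.0/0, otherwise only part of the traffic
    #    enters the tunnel and the kill switch below would block the rest.
    allowed=$(wg_conf_value "$f" Peer AllowedIPs | tr -d ' ')
    case ",$allowed," in
        *,0.0.0.0/0,*) echo "PASS AllowedIPs routes all IPv4 through the tunnel" ;;
        *)             echo "FAIL AllowedIPs=$allowed is a split tunnel"; rc=1 ;;
    esac

    # 2. Kill switch: both hooks present, each a REJECT rule keyed on the
    #    interface's fwmark (the shape of the rules in step 2).
    up=$(wg_conf_value "$f" Interface PostUp)
    down=$(wg_conf_value "$f" Interface PreDown)
    case "$up"   in *fwmark*REJECT*) ;; *) up= ;; esac
    case "$down" in *fwmark*REJECT*) ;; *) down= ;; esac
    if [ -n "$up" ] && [ -n "$down" ]; then
        echo "PASS kill switch PostUp/PreDown pair present"
    else
        echo "FAIL kill switch missing or incomplete"; rc=1
    fi

    # 3. The file holds the private key: owner read/write only (step 3).
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" = "-rw-------" ]; then
        echo "PASS mode is 600"
    else
        echo "FAIL mode is $mode, expected -rw------- (chmod 600)"; rc=1
    fi
    return $rc
}

SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT

# Constructed sample 1: the layout from step 1 with the step-2 hooks added.
cat >"$SAMPLE_GOOD" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.64.0.2/32
DNS = 10.64.0.1
PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
Endpoint = wg.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
chmod 600 "$SAMPLE_GOOD"

# Constructed sample 2: split tunnel, no kill switch, world-readable.
cat >"$SAMPLE_BAD" <<'EOF'
[Interface]
PrivateKey=PLACEHOLDER_PRIVATE_KEY=
Address=10.64.0.2/32
[Peer]
PublicKey=PLACEHOLDER_PUBLIC_KEY=
Endpoint=wg.example.invalid:51820
AllowedIPs=10.64.0.0/10
EOF
chmod 644 "$SAMPLE_BAD"

echo "== good config"; wg_conf_check "$SAMPLE_GOOD" || true
echo "== bad config";  wg_conf_check "$SAMPLE_BAD"  || true
```

Run wg_conf_check /etc/wireguard/wg0.conf as root, since the mode check needs to read the file. The script checks the mode, not the owner; the root ownership from step 3 still matters, because wg-quick runs as root and a file another user can write is as bad as one another user can read. AllowedIPs = 0.0.0.0/0 is also what makes wg-quick set up the fwmark and policy routing the rule in step 2 relies on; with a split-tunnel AllowedIPs there is no fwmark to match and that kill switch cannot be used as written.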
    

Autostart WireGuard in systemd

If you are using a Linux distribution that comes with systemd, you can autostart a WireGuard connection with:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
sudo systemctl start wg-quick@wg0

To check status: sudo systemctl status wg-quick@wg0

To remove the service and clean up the system:

sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0.service
sudo rm -i /etc/systemd/system/wg-quick@wg0*
sudo systemctl daemon-reload
sudo systemctl reset-failed

Testing the Kill Switch

One way to simulate a down tunnel is to delete the IP address from the WireGuard network interface, like this in the terminal:

sudo ip a del [IP address] dev [interface]

In this example, you can remove x.y.z.w from the wg0 interface:

sudo ip a del x.y.z.w/32 dev wg0

The PostUp iptables rule from above restricts all traffic to the tunnel, so every attempt to send traffic outside it fails. To gracefully recover from this, you will likely have to use the wg-quick command to take the connection down, then bring it back up.

Browser Extensions

Remember that the browser is pretty much a glorified remote code execution machine, which makes it a privacy and security nightmare. So you need sane defaults. The idea here is to block everything by default (opt-out) and whitelist (opt-in) as necessary.

uBlock Origin is the only one you need! I recommend using Hard Mode, with JavaScript disabled, and whitelisting sites as necessary.

Email Aliasing

Email aliasing is one of the most powerful privacy tools you have. I use SimpleLogin.

File Sharing

Send is a fork of the discontinued Firefox Send project. It provides end-to-end encryption with an optional password. You can run your own instance. The author of this fork also provides a command-line client to send files from your terminal to Send instances.

Many instances are available, with different characteristics, such as more storage or a longer retention time.

Backups

It is important to back up your data. First, a note about cloud solutions: stay away! Most cloud solutions will scan your data or keep copies of it for years after deletion. If you want to back up to the cloud, use an encrypted cloud solution, such as Proton Drive or Cryptee. Both have good cryptographic standards and zero-knowledge encryption, but Cryptee has amazing features like no KYC and plausible deniability, apart from being hosted in Estonia (a privacy-respecting country).

That said, I highly advocate offline encrypted backups. You can use open source and widely available tools such as GnuPG/VeraCrypt and rsync. Or you can use automated open source tools (that might not be widely available, i.e. you would need to install them manually) such as rbackup. rbackup is a simple shell script (with an easy-to-read codebase) for backing up your Linux system with rsync. It uses tar and gzip for compression and GnuPG for encryption.

Alternative Frontends

There are several FOSS alternative frontends such as Nitter, Libreddit, Invidious, Wikiless, Bibliogram, and ProxiTok. Use them whenever possible for a privacy-oriented consumption of those services.

Farside is a redirecting service for FOSS alternative frontends.

Farside provides links that automatically redirect to working instances of privacy-oriented alternative frontends, such as Nitter, Libreddit, etc. This allows users to have more reliable access to the available public instances for a particular service, while also helping to distribute traffic more evenly across all instances and avoid performance bottlenecks and rate-limiting.

Farside’s links work with the following structure: farside.link/<service>/<path>. Examples:

  • https://farside.link/https://www.youtube.com/watch?v=dQw4w9WgXcQ will redirect to a Piped or Invidious instance.
  • https://farside.link/reddit.com/r/popular will redirect to a Libreddit or Teddit instance.

Password Policy

Always generate strong passwords. That means at least 200 bits of entropy to be quantum-secure. You can easily generate this with 15 words from the EFF wordlist.

NOTE: KeePassXC already comes with the EFF wordlist.
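As an added example, not code from the post, the script below generates a diceware-style passphrase from any wordlist (the EFF list file works as-is) with unbiased sampling from /dev/urandom, and computes how many bits a given word count yields. Against the 7776-entry EFF large list each word contributes log2(7776), about 12.9 bits, so entropy_bits reports the total for whichever word count you pick. Function names are constructed, and the eight-word inline list is a constructed stand-in for the real wordlist file.

```shell
#!/bin/sh
# Added example (not from the post or the EFF): draw a diceware-style
# passphrase from a wordlist with unbiased sampling from /dev/urandom, and
# report how many bits of entropy a given word count actually yields.
# Function names are constructed; the inline eight-word list is a constructed
# stand-in for the EFF large wordlist, which you would pass in as a file.

# random_index N: uniformly random integer in [0, N).  A 16-bit draw is
# rejected when it falls in the partial block at the top of the range, so
# "r % N" carries no modulo bias (N must be <= 65536).
random_index() {
    n=$1
    limit=$(( (65536 / n) * n ))
    while :; do
        r=$(od -An -tu2 -N2 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# passphrase_words COUNT WORDLIST: print COUNT words, one per line.  The last
# field of each non-empty line is used, so the EFF "dice-roll<TAB>word"
# layout and plain one-word-per-line files both work.
passphrase_words() {
    count=$1; list=$2
    size=$(grep -c . "$list")
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$(random_index "$size")
        awk -v n=$((idx + 1)) 'NF { k++; if (k == n) { print $NF; exit } }' "$list"
        i=$((i + 1))
    done
}

# entropy_bits COUNT LISTSIZE: whole bits for COUNT independent uniform draws
# from LISTSIZE words, i.e. floor(COUNT * log2(LISTSIZE)); the tiny epsilon
# keeps exact powers of two from rounding down through float error.
entropy_bits() {
    awk -v c="$1" -v s="$2" 'BEGIN { printf "%d\n", int(c * log(s) / log(2) + 1e-9) }'
}

# Constructed stand-in wordlist (8 words = 3 bits each).
WORDLIST=$(mktemp)
trap 'rm -f "$WORDLIST"' EXIT
printf '%s\n' apple banana cherry dragon eagle falcon garlic harbor > "$WORDLIST"

# Stand-alone demo: a passphrase from the toy list, then the entropy of the
# post's 15-word recommendation against the 7776-entry EFF large list.
printf 'toy passphrase: '; passphrase_words 5 "$WORDLIST" | tr '\n' ' '; echo
echo "5 words from 8: $(entropy_bits 5 8) bits"
echo "15 words from 7776: $(entropy_bits 15 7776) bits"
echo "16 words from 7776: $(entropy_bits 16 7776) bits"
```

With the real list, run passphrase_words 15 eff_large_wordlist.txt, and check the 7776 assumption with grep -c . on the file first. KeePassXC’s built-in generator does the same drawing for you, which is the easier route when it is installed.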

Cryptography

Encryption of data is the only way to control who can access it. Always encrypt sensitive data!

A note about Quantum Computers

Quantum computers are a threat to modern cryptographic algorithms and software. Grover’s algorithm shows that a quantum computer speeds up brute-force key search enough to effectively halve the key length. This would mean that a 256-bit key is as strong against a quantum computer as a 128-bit key is against a conventional computer; both are secure for the foreseeable future.

NOTE: Passwords for LUKS FDE are protected by a key-stretching implementation known as a Password-Based Key Derivation Function (PBKDF). The older PBKDF2-HMAC-SHA* construction is less resistant to parallelization by GPUs and ASICs, the same weakness Bitcoin suffers against dedicated mining hardware. Argon2id is the winner of the Password Hashing Competition and the state-of-the-art choice when protecting encryption keys. Its memory-hard properties introduce a large penalty for brute-force search on general computers and even more so on GPUs and ASICs. Current versions of LUKS use argon2i as the PBKDF. To check this, run sudo cryptsetup luksDump /dev/<luks-device> | grep -E 'Version|cipher|key|PBKDF|Hash'.
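The grep in the note above also matches the Digests section at the end of a LUKS2 dump, which always reads pbkdf2 regardless of how the keyslots are protected, so a quick glance can give the wrong impression. As an added example, not code from the post or from cryptsetup, the script below parses luksDump output and reports the PBKDF of each keyslot, flagging any that still use PBKDF2; for a LUKS1 header every enabled slot is PBKDF2 by definition. Function names and the sample dump (UUID and salts elided) are constructed.

```shell
#!/bin/sh
# Added example (not from the post or cryptsetup): parse "cryptsetup luksDump"
# output and report which keyslots still use PBKDF2 instead of Argon2.  The
# per-keyslot "PBKDF:" field is what matters; the "Digests:" section at the
# end of a LUKS2 dump always says pbkdf2 and must not be mistaken for it.
# Function names and the sample dump (UUID and salts elided) are constructed.

# luks_keyslot_pbkdfs: read luksDump text on stdin, print "<slot> <pbkdf>" per
# keyslot.  LUKS1 headers have no per-slot PBKDF field because LUKS1 only
# supports PBKDF2, so every enabled LUKS1 slot is reported as pbkdf2.
luks_keyslot_pbkdfs() {
    awk '
        /^Version:/                    { version = $2 }
        /^Keyslots:/                   { in_slots = 1; next }
        /^[A-Za-z]/                    { in_slots = 0 }
        in_slots && /^[ \t]+[0-9]+: /  { slot = $1; sub(/:$/, "", slot) }
        in_slots && /^[ \t]+PBKDF:/    { print slot, $2 }
        version == 1 && /^Key Slot [0-9]+: ENABLED/ { s = $3; sub(/:$/, "", s); print s, "pbkdf2" }
    '
}

# luks_weak_keyslots: print the slot numbers whose PBKDF is not argon2i/argon2id.
luks_weak_keyslots() {
    luks_keyslot_pbkdfs | awk '$2 != "argon2i" && $2 != "argon2id" { print $1 }'
}

# Constructed LUKS2 dump: slot 0 was created with Argon2id, slot 1 was added
# with pbkdf2 (e.g. by an older tool), and the Digests section uses pbkdf2
# as every LUKS2 header does.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           <uuid elided>

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        AF hash:    sha256
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 113125'

# luks_report: human-readable summary for the dump on stdin; return 1 if any slot is weak.
luks_report() {
    dump=$(cat)
    printf '%s\n' "$dump" | luks_keyslot_pbkdfs | while read -r slot pbkdf; do
        printf 'keyslot %s: %s\n' "$slot" "$pbkdf"
    done
    weak=$(printf '%s\n' "$dump" | luks_weak_keyslots)
    if [ -n "$weak" ]; then
        echo "WARN non-Argon2 PBKDF on keyslot(s): $(printf '%s' "$weak" | tr '\n' ' ')"
        return 1
    fi
    echo "OK all keyslots use Argon2"
}

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    sudo cryptsetup luksDump "$2" | luks_report   # e.g. --live /dev/sda3
else
    printf '%s\n' "$SAMPLE_DUMP" | luks_report || true
fi
```

Run it as --live /dev/<luks-device> to parse the real header. A flagged LUKS2 keyslot can be re-keyed in place with sudo cryptsetup luksConvertKey --pbkdf argon2id /dev/<luks-device>, which asks for that slot’s passphrase; a LUKS1 header has to be converted to LUKS2 first (cryptsetup convert --type luks2), after taking a header backup with luksHeaderBackup.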

VeraCrypt

I recommend VeraCrypt. It is open source, works on Windows/Mac/Linux, and you can encrypt a file, a partition, or a whole storage device.

In case an adversary forces you to reveal your password, VeraCrypt provides plausible deniability: you can create hidden volumes. It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to handle such situations without revealing the password to your volume. If you type your default password you unlock the “standard volume”, and if you type another password you unlock the “hidden volume”. The hidden volume is where you would put all of your sensitive information.

Steganography

Steganography is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. This is a very interesting technique where you can easily hide sensitive data in an innocent picture, text file or video.

You have a couple of options for steganography software:

  1. steghide: a CLI available in almost every distro (Fedora, Debian, etc.), written in C++.
  2. tomb: a minimalist and easy-to-use CLI written as a simple shell script (Zsh) using standard filesystem tools (GNU) and the cryptographic API of the Linux kernel (cryptsetup and LUKS).

Financial Sovereignty with Bitcoin

If you don’t know the case for Bitcoin, check bitcoiner.guide. For a quick intro on how to use it privately and safely check bitcoin-intro.com.

This list is always evolving. Check kycnot.me.

Regarding Bitcoin, you can:

  1. Coinjoin to enhance your on-chain privacy with Jam.
  2. Use a prepaid Visa card with Moon.
  3. Use a prepaid gift card with CoinCards.
  4. Swap Bitcoin for cash at Bitcoin ATMs.
  5. Swap cash for Bitcoin using Azte.co. They are accepted in a lot of countries. In Brazil, they are accepted in every lotérica. All you need is a CPF number. There’s a 7% flat rate over the current exchange rate for BTC purchases. You can withdraw on-chain (USD 2.5 fee) or via Lightning (free).
  6. P2P decentralized exchange of crypto with Bisq, RoboSats, LocalMonero or AgoraDesk.
  7. Swap Bitcoin for Monero with atomic swaps, FixedFloat, SideShift or MajesticBank; see the best rates at OrangeFren.

Wallets

In case of losing your wallet, you are pretty much f***ed. You might try your luck; in that case, check walletsrecovery.org.

We have software wallets and hardware wallets.

Software wallets keep your seed on the same device they run on. So, if your device is compromised, so potentially is your seed. Your precious cryptocurrencies could be in danger.

Hardware wallets are dedicated devices, with tons of security features, that hold your private keys. So, if your computer is compromised, your keys are probably safe from danger, or at least far safer than with a software wallet.

If you are not running your own node (some reasons why you should are here), you should either use a trusted VPN (of which there are none) or the Tor network to connect to a trusted node (again, there are none).

Hardware Wallets

The only ones I recommend are those from Coinkite, which are Bitcoin-only. They are very well designed and almost impossible to breach.

There are two options:

Software Wallets

The best software wallet alternatives are Samourai and Monerujo, for Bitcoin and Monero respectively, on your GrapheneOS phone. But you can also use any of these:

  1. Bitcoin: Sparrow (Linux/MacOS/Windows), Electrum (Linux/MacOS/Windows/Android/iOS), BlueWallet (F-Droid/iOS), Nunchuk (Android/iOS), Samourai (Android/F-droid), or Mutiny (Android/iOS but there’s a PWA that runs in the browser).
  2. Monero: Monero Wallet CLI/GUI (Linux/MacOS/Windows), Cake (Android, iOS), Monerujo (F-Droid) or MyMonero (Android/iOS).

Honorable Mentions

License

This post is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International.

CC BY-NC-SA 4.0