Defeating the Surveillance State


  • 7/29/2019 Defeating the Surveillance State


    THE ABBREVIATED GUIDE TO

    DEFEATING THE SURVEILLANCE STATE


    A CAPITALIST EXPLOITS REPORT

    PART ONE AND PART TWO

    www.capitalistexploits.at

    Privacy is paramount to freedom and both are under attack.

    In the analog world, privacy is ingrained into society. We wear clothing and live in homes with doors, windows, curtains and locks. Even in public places, we inherently understand privacy - cameras in public restrooms, for example, are obviously considered violations. Yet with new technologies becoming commonplace - cameras, microphones, tracking systems (and now, drones, street lights and even trash cans) - there is little to no public outcry because the public is not very aware of what is occurring. It's the boiling frog analogy at work.

    In the digital world, though the revelations recently from whistleblower Edward Snowden have rightfully made many people aware of the attacks on their privacy, they still do not correlate the collection of seemingly innocuous information with the risk to their privacy, and ultimately their freedom.

    If freedom is important to you, then privacy must be important. You cannot maintain your freedom if you cannot maintain your personal privacy. If privacy is important, then a comprehensive strategy to protect yourself is a necessity. The history of mankind is one replete with the abuses of power. Today, the arm of abuse resides in the unrestricted growth of the Surveillance State, whose reach is global.

    This guide is written for the person that intuitively understands why we have doors on our homes, curtains on our windows, envelopes on our letters, and unlisted telephone numbers, but may not understand how our innate privacy needs, risks, and strategies translate into the digital world. By the fast-moving nature of technology itself, it is important to stay abreast of new developments on an ongoing basis.

    This guide is more than a highlight of currently available technologies - it's designed to be a starting point for your journey to changing the way you think about the world and the relationship of your personal privacy and security to it.

    It's equally important to state what this guide is NOT. If you are a person that doesn't believe in personal freedom and privacy, then this guide isn't for you. If you are all for transparency for the individual and more power for governments and corporations, or you don't believe in the axiom "power corrupts, and absolute power corrupts absolutely," then I'd kindly suggest you remove your door, throw away your curtains, mail your letters without envelopes, publish your email address and phone number to the world and invite the Surveillance State to monitor everything you do.

    Finally, you must understand the battle that is going on behind the scenes, and accept that protecting your privacy is going to take some work. There are political and economic advantages for companies and governments to want to invade your privacy. On the other hand, the number of people and organizations working hard to protect it is small, and they are underfunded.

    Strong government-corporate ties with major technology providers like AT&T, Google, Facebook, Microsoft, Apple and others allow massive financial and political gain by willfully shredding your privacy and splitting the spoils. You need to support the groups and individuals that are fighting the battle for your freedom and privacy, and to the most realistic extent possible, de-fund those entities that seek to violate your freedom and privacy.

    A portion of this guide will serve to provide you with strategies to defend yourself and weaken your opponents. Remember, in almost all cases globally, tax dollars are being used by governments to fund the destruction of your privacy which ultimately puts your freedom at risk. Do not patronize entities that put you at personal risk. Do not subsidize your electronic slavery. Like the Hippocratic oath says, "First do no harm." Buying products from companies that want to strip you of your freedom is doing yourself and the rest of us harm!

    There is definitely an American bias in the general discussion about security and mindset. Please do not think that this is only an American matter. There is plenty of incentive and evidence that shows a willingness of all known governments and corporations to willfully participate in destroying your privacy. However, the abuses of power by the American government should be especially infuriating. These abuses are nothing new, but the scope and magnitude of the Surveillance State has become an all-too-obvious threat to everyone. It simply can no longer be ignored.

    The American political system was initially founded on the notion of limited government and individual rights. The reality today is rampant, abusive, overreaching government that results in crushing individual rights. The unrestricted searches and seizure of property was a primary reason for the American Revolution and these abuses now occur every day in both the physical and electronic worlds in the United States.

    The "Land of the Free and the Home of the Brave" has become the "Land of the Imprisoned and the Home of the Surveilled." If you want to protect yourself from the Surveillance State, you must take action because the majority of the population appears anxious to live in slavery as long as they have relative comfort.

    Now that the preliminaries are over, it's important to introduce a few concepts that, in the opinion of this author, are much more important than the specifics of any one technology. The first is the notion of Control Points, the second is the Two Yous, and the third is The Ten Rules.

    It is very difficult to discuss the idea of using security technology to protect your freedom and privacy if we do not first substantiate that you probably need to change your mindset.

    You cannot defend against threats which you cannot define. You must start looking at your own personal situation and evaluate where you are vulnerable to risking your privacy and freedom because of your dependency on the various political, legal, financial, and technological systems that exist in modern society.

    I refer to these vulnerable areas as control points - areas where you should be taking some action to remove your dependency on external systems because these are the points where you have the weakest links to privacy and freedom. One example of such control points is the modern banking system. As recent events in countries like Cyprus have shown, if all of your money is in a bank and you get "bailed in," then you have little or no recourse. Smart usage of technology, like financial diversification with bitcoins, is one tactic that could minimize exposure to this vulnerability.


    Increasingly, technology alone isn't enough. You will need a combination of political, legal, financial and technical strategies to protect your privacy. As in the above example, another strategy could be diversification out of the banking system with gold held in an offshore jurisdiction that's not particularly politically friendly to your home country. Own the gold in a trust or corporate structure and only access your account from a secure computer over an OpenVPN-based virtual private network and you have about as much protection as you can reasonably expect.

    Control points are those areas of life in which all modern societies are forced to interact.

    Think about the modern financial system, your retirement accounts, your food and water supply, medical care, and all of the other areas to which you have risk exposure. Developing a secure mindset which critically examines and minimizes your risk to these systemic vulnerabilities is a skill set that you should focus on developing.

    A few actions, certainly not comprehensive, that you can take immediately to minimize your risk:

    • Get a mailing address that is not attached to your home address.
    • Stop receiving any form of snail mail - all of your bills and most of your correspondence exist in electronic form, anyway. No reason to double the risk by receiving paper bills that sit in a mailbox - you have enough risk with the electronic copies.
    • Diversify your financial risk by moving some money and assets out of the electronic banking system. Counterparty risk is very high in our current economic environment.
    • Get a secure email account.
    • Get a good VPN account - we'll discuss what that means later.
    • Move your assets into LLCs and trusts.
    • If you can afford it, purchase some personal real estate in cash owned by an LLC or trust and never, ever associate your name with the property. One of the biggest control points is the ability to find out where you live - if you can keep everything off the record, your risk of assault or other attack on your physical person drops toward zero.
    • Secure as many different travel documents as possible - the ability to pick up and leave when you want is an innate natural right and is one of the areas of highest risk. If you can't leave when you wish, your risk to privacy and freedom rises dramatically.

    The list goes on and on. The key point here is that if you realize your privacy, and therefore your freedom, are under assault, it is your duty to examine your areas of risk and determine how to minimize that risk. Once your freedom and privacy are completely lost, it is too late to take an action. You MUST be proactive.

    If you think this is overkill, but you agree that your privacy is under assault and you agree that the Surveillance State is on the rise, then you must ask yourself why? Why is there a growing political, legal, and technical Surveillance State obsessively interested in closely monitoring everything about you? To assume that everything is fine and you have no need to take action is to willfully put your head in the sand. Your strategy for personal privacy is based on hope. Good luck with that - you're going to need a lot of it... luck, that is!

    Closely examine what threats to your privacy and freedom exist. Start thinking about how to minimize your risk to these threats. You are now training your secure mindset.


    This is an unusual notion once relegated to Mafiosos, criminals, and those in Witness Protection. Today, unfortunately, it is becoming an all too necessary strategy. To execute a plan that minimizes your risk to threats, you should begin to create a mental divide between the idea of the Electronic (formerly known as "paper") You and the Real You.

    In the US, for example, there is no legal requirement to have a social security number to obtain employment, open a bank account, or do most any other activity. In practice, try to do anything without a social security number - it's near impossible to get a job or open a bank account. Try getting paid without having a bank account or demanding payment in cash or via check. Over the last decade or two, most people not being paid via direct deposit don't get paid.

    People have been fired for things posted to Facebook and denied jobs for not turning over Facebook passwords. Google Earth can show anyone that asks a close-up of your front door. Municipal police departments can determine if you have insurance, up-to-date inspection stickers or warrants without ever pulling you over. Property records that used to at least require a trip to the court house are accessible within seconds. For less than $20, you can run an online report on just about anyone and pull up information that used to take significant investigative skills, time and money. Soon, Google Glass will allow everyone to film and upload everything all of the time. The trend is not your friend!

    The Surveillance State is growing by leaps and bounds. Law means very little as the new standard is "prove you're not doing something wrong" instead of "innocent until proven guilty." Soon, you'll be a suspect if you don't have a long electronic paper trail. You won't be able to get a job without a social networking account (try working in the tech sector without a Linked-In profile...), a Gmail account, and a long public paper trail. There is a growing requirement for an Electronic You to exist.

    On the other hand, there is large personal risk in the existence of the Electronic You. One of the first things to task yourself with is to begin to separate the Electronic You from the Real You. As part of your core strategy to shore up your exposure to threats, you must leave the right electronic paper trail - a trail to nothing but dead ends about the Real You. Understanding privacy technology is essential to moving this strategy forward.

    Understand what paper trail you are willing to leave, and leave just that. Divide your life between those things designated to be track-able vs. those things you will keep private. Leave only what you want to leave, and utilize some of the technology products and strategies later in this guide to create this clear delineation.


    As we begin to look specifically at the role of technology in your private affairs, it is important to set some basic rules to live by. As stated earlier, technology changes quickly. Product X, which may be great today, could be compromised tomorrow. You need a framework - a set of rules - to provide guidance in making good decisions about what technology choices to make.

    There's a lot you're going to need to change - how you think about your privacy and security, the ways in which you're vulnerable, how to pick the right products and services, how to use those products and services, and more. There's a lot to it. It's not particularly difficult when you get to know it, but you should accept the fact that there's a learning curve and proceed slowly. Invest the time it takes to learn to use the new technologies and don't overwhelm yourself expecting to solve everything too quickly. After all, you're insecure and vulnerable to everything right now. Your goal is to clear that up so that in time, there are easier targets out there than you.

    This guide may be your first step. At the end of it, we'll be focusing on implementation - things you can do starting today. We will discuss specific technologies and provide references where you can dig deeper. Invest in your education with time - most of this doesn't cost anything, and the services out there are not out of the reach of anyone.

    You must recognize that there will be a cost - primarily in terms of time and education. The first time people set up and send a PGP-encrypted email, the level of confusion seems to grow exponentially. There's no real reason for this - after a few uses, it's not much more complicated than sending a regular email. But it does introduce new habits and requirements on the user, and to be successful, you will have to accept that there will be a learning curve and you'll need to work through it all.

    Remember, staying educated is a continual process. Technology evolves, and so must you.

    As implied in rule #1, everything has a price. Your free Hotmail, Gmail, Yahoo or other email account is searched, cataloged, and the results are used to build a profile about you that is sold, or given to the NSA/FBI/CIA or any other government agency on request.

    How's "free" treating you? The value of your data greatly exceeds the cost that you pay to have a truly private email account.

    The same is true for your Internet search engine. Using Google? Google knows where you are based on your IP address, and if you're logged in, your searches are captured, stored, and used to profile you.

    How is that free social networking site, Facebook, working for you?

    Nothing in life is free, and most responsible adults learn that at some point in their lives. However, it seems we all forget life lessons when it applies to our electronic lives. The rules are the same in both: there is no free lunch.


    It's time to pay for services that will support your privacy rights. Since these services won't make money by selling your information, they must support themselves some other way. Don't forget that when you use your credit card or PayPal account to purchase service, you're leaving a digital paper trail that says "this person is paying for privacy software." That's not necessarily a bad thing, but don't forget that unless you use something like bitcoins or pay in cash for such services, there will be a permanent record that you prefer to not be tracked or profiled. The financial system is watching you as well - get used to it or get out of it. Define your control points.

    We've generally covered this, but it bears repeating: you must spend time thinking about potential threats to you from the various political, financial, legal and technology systems around us. As noted in the above example, you are being monitored constantly by many different systems. Simply using your credit card reward points, making a purchase with your PayPal account, or traveling on your frequent flyer miles leaves behind a treasure trove of information about you - information that may one day be used against you. Think about the services you rely on. Define your weaknesses and establish a plan to minimize your risk.

    If corporations and governments are hellbent on tagging and following you around in the digital world, consider what kind of paper trail you want to leave. This is a massive topic in and of itself, but the primary point is that leaving the kind of paper trail that benefits you the most should be a strong part of any strategy. At a minimum, you should always consider what your paper trail is saying about you. If you suddenly spend a lot of money on privacy technology and you drop off of the ISP/Google/Facebook radar, it's going to be noticed. In practice, the system considers you guilty until proven innocent, so you will become suspect since you are interested in your privacy.

    Purchasing products in cash or bitcoin helps avoid leaving a trail. Slowly starting to use a VPN, Tor, I2P, or other privacy technology is better than jumping in with both feet. Occasionally leaving the trail you want to leave will only benefit you in time.

    Demonstrated transparency in government is good (not just claiming transparency, but demonstrating it). The same goes for software - proprietary software is, generally speaking, a bad idea. Evidence shows that as early as 1999, the NSA had a backdoor built into Microsoft Windows. Apple regularly violates end users' privacy. Do we really even need to discuss Google? It would take volumes to discuss Facebook's privacy violations. All of these companies are complicit in the NSA's broad sweeping surveillance.

    The takeaway is simple. If you don't know what the software is doing, you can't trust it. The way you can know what it's doing is if you can review the source code. Even if you are not a programmer, the fact that the source code is published and available means that there are people that can review it and point out both security and privacy problems. Utilize this open source software whenever you can - especially in your operating system and any encryption software.

    Proprietary operating systems like those from Apple, Microsoft and Google have been clearly shown to, at least, leak data and at worst, send data about your usage back to company headquarters where it is obviously shared with the NSA on request. Move to a Linux-based system like Linux Mint, Debian, Fedora, OpenSUSE or many others - the exception being Ubuntu.

    Encryption and cryptographic algorithms are another area where using proprietary technology is an absolute no-no. With a proprietary algorithm, how can you verify it is secure? Unless you're a world-class cryptographer, you can't. Odds are you're using snake oil. Stick to well known, published algorithms that are peer-reviewed and open source. Security by obscurity is no security at all.

    You should start slowly implementing this rule because there will be a learning curve. A bit later in the guide we'll go over some practical, immediately implementable steps for making such a move. It will pay huge dividends for you in time.

    As stated or implied several times throughout this guide, technology alone is not enough. Recently, a very highly respected and cost effective secure email account provider, Lavabit, out of Dallas, Texas was forced to shut down due to government pressure. This put pressure on other providers and forced a round of "Internet seppuku pacts" by some companies that would rather go out of business than put your privacy at risk.

    While these companies, and those that are stepping in to fill the void, as well as some less obviously techie ones like Groklaw, should fall under your "Internet Company Heroes" list, there's a subtle lesson here: US companies, in particular, are at risk of government bullying and any company operating from your country of residence or citizenship presents a potential privacy threat to you. Again, you must consider legal and political angles when choosing providers for services, especially when your privacy is a consideration.

    Because the root of much of the global spying is in the US, courtesy of the NSA/FBI/CIA and a corrupt and complicit Congress and Administration (among others...), all US-based tech companies should be considered suspect and a potential risk. Unless the company is part of the seppuku pact and has a stellar reputation, proceed cautiously or choose elsewhere.

    There are two possible solutions to this issue. The first is that these companies should relocate their operations outside of the US. The second option, which is equally valuable, is to run the technology portion of the company outside of the US with a US-based operation that simply handles billing and does not correlate customer purchases with users. If these operations are separate, distinct, and firewalled, then a US-based company is more trustworthy.

    Jurisdiction matters, and it matters a lot. It's part of the legal and political framework that can be used against you that will circumvent all of the technology protection you can muster, or it can work in your favor to safeguard it. Know the company that you're doing business with. Vet them thoroughly, and understand how their corporate structure may affect your privacy.


    When in doubt, encrypt it. Use https connections instead of http connections across your WPA encrypted WiFi. Send GPG encrypted emails through encrypted connections across encrypted servers whenever possible. When in doubt, make them work for it. Give nothing up easily.

    We'll show you how to do this practically later in this guide.

    Tor, I2P and VPN solutions all work (in different ways and in differing levels of protection) to hide your location. Your physical location is easy to narrow down - your physical protection may depend on successfully hiding your location information.

    If you're not familiar with it, go to http://iplocation.net/ and see what the web sites you visit and the email servers that your mail passes through know about you. Except in the case of intentional disinformation, you should never disclose your IP address. Always use a VPN, Tor or I2P, or at least a proxy server. And make sure that you're encrypting everything.

    Bugs are ever present in software. Mistakes happen. One mistake, and tracing information back to you becomes easy. Layer your security to provide maximum protection.

    Encrypt mail before sending it. Use an encrypted email service. Connect via VPN. Use Tor over VPN in case of a Javascript or other exploit or data leakage.

    This is an ever evolving situation, but it's important to understand how you're being tracked and observed.

    If you're connecting without a VPN or other data encrypting technology, the data you transmit - the web sites you visit, the commands you send to them, many of your account usernames and passwords, etc. - it's all available to anyone that wishes to see it. Your ISP sees all your data whenever you connect, and especially if you're using AT&T as a service provider, then rest assured that the NSA and any other government agency that wishes can probably view it.

    Cookies, IP addresses, even your MAC address are used to track your computer location and correlate that movement back to you. You will want to obscure all of these whenever possible.

    Your mobile phone contains a SIM card and IMEI / IMSI numbers. This makes mobile phones essentially impossible to hide on a carrier's network. Your phone is a tracking device, complete with the ability to remotely turn on location tracking and the microphone. Keep a prepaid phone or two around for important conversations, paid for in cash, and preferably with SIM cards from other countries.

    The number o ways they track you continues to grow. RFID chips are in credit cards,passports and identication cards, but also now in company and school identication


    badges, Obviously, you don't want everything you own transmitting insecure data about you to anyone willing to read it, do you?

    Your smartphone camera pictures probably contain EXIF data containing location information about where and when the picture was taken. Just lovely for posting on Facebook...
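To see what that means in practice, the following added example (not part of the original guide) reads the Exif block of a JPEG, reports whether it carries a timestamp and a GPS pointer, and returns a copy with the metadata segments removed. The sample bytes are constructed for the demonstration and are not a viewable photo; all function names are this example's own.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
SOS, APP1 = 0xDA, 0xE1            # start-of-scan marker, APP1 (Exif/XMP) marker
TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825


def segments(jpeg):
    """Yield (marker, payload, raw) for each header segment, then the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:                     # compressed pixels follow: pass through
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end


def exif_summary(payload):
    """Parse IFD0 of an Exif payload; return None if the payload is not Exif."""
    if not payload.startswith(EXIF_MAGIC):
        return None
    tiff = payload[len(EXIF_MAGIC):]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return None
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return None
    found = {"gps": False, "datetime": None}
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        if off + 12 > len(tiff):
            break                             # truncated directory: stop quietly
        tag, typ, n, value = struct.unpack(order + "HHII", tiff[off:off + 12])
        if tag == TAG_GPS_IFD:                # pointer to the GPS sub-directory
            found["gps"] = True
        elif tag == TAG_DATETIME and typ == 2 and value + n <= len(tiff):
            raw = tiff[value:value + n].rstrip(b"\x00")
            found["datetime"] = raw.decode("ascii", "replace")
    return found


def audit(jpeg):
    """Return the Exif summary of the first Exif segment, or None if there is none."""
    for marker, payload, _ in segments(jpeg):
        if marker == APP1:
            summary = exif_summary(payload)
            if summary is not None:
                return summary
    return None


def strip_metadata(jpeg):
    """Copy the JPEG without any APP1 segment (Exif, and XMP which also lives there)."""
    out = bytearray(b"\xff\xd8")
    for marker, _, raw in segments(jpeg):
        if marker != APP1:
            out += raw
    return bytes(out)


def build_sample():
    """Constructed stand-in for a phone photo: real segment layout, no real image."""
    stamp = b"2013:09:02 10:15:00\x00"                     # 20-byte Exif DateTime
    tiff = b"II" + struct.pack("<HI", 42, 8)               # TIFF header, IFD0 at 8
    tiff += struct.pack("<H", 2)                           # two directory entries
    tiff += struct.pack("<HHII", TAG_DATETIME, 2, len(stamp), 38)
    tiff += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 58)
    tiff += struct.pack("<I", 0) + stamp                   # no next IFD; string at 38
    tiff += struct.pack("<HI", 0, 0)                       # empty GPS directory at 58
    body = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    scan = b"\xff\xda\x00\x02" + b"\x12\x34\x56" + b"\xff\xd9"
    return b"\xff\xd8" + app0 + app1 + scan


if __name__ == "__main__":
    photo = build_sample()
    print("before:", audit(photo))
    print("after: ", audit(strip_metadata(photo)))
```

Run `audit` on a file before posting it, and post the output of `strip_metadata` rather than the original.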

    Drones, cameras, citizen spies (hat tip): you're being watched and tracked all of the time. All of this data about you is being aggregated and stored. If that's unnerving, well, it should be. This type of situation is ripe for abuse, and there's plenty of evidence that the abuse of this data is growing every day.

    The informed and diligent individual can protect himself from the Surveillance State. But it requires more than just installing a few pieces of software. Technology is only a tool.

    Now that the foundation has been laid, it's time to talk about specific technology and a transition plan to allow you to implement realistic and practical changes. Hopefully it's clear that there's more to protecting your electronic privacy than installing a piece of software on your laptop.

    Everything starts with education. Here are a few homework assignments you can undertake before Part II comes your way:

    Stop getting snail mail and secure your existing online accounts. If you're like everyone else, you probably have 1-4 passwords you use for every online site you visit. The passwords are probably all related to something you can remember easily.

    Guess what. You're a target. It's time to secure your existing online accounts and start implementing a basic security program.

    Go to http://keepass.info/ and download a password safe for your operating system. From now on, every new online account you create should have a different password, and when possible a different username. Keepass is a piece of software we'll discuss in Part II in more detail that lets you save every unique web site, username and password you use in a convenient, encrypted database. It runs on most every operating system, including the one on your smartphone.

    Pick a really complex passphrase that will take you some time to memorize and type using something like the diceware method. It needs to be long, and it needs to be completely unrelated to you. It will take some work to remember it and type it, but practice. Soon, this will be the only passphrase you need to know. Now, create a new Keepass database and protect it with that password. Go to all of your online accounts and change the password to something random that is generated with Keepass. While you're there, if you receive some snail mail (utility bills, financial statements, etc.) from those accounts, stop the paper delivery and move to electronic only. If you have access to a secure email account today, have your statements sent there. Otherwise, use your Gmail or other free account; Google already knows a lot about you. We'll change that later.
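A sketch of the diceware method mentioned above, added here as an example (it is not from the original guide): each word is picked by simulated dice rolls drawn from the operating system's CSPRNG, and the strength is computed from the list size. The 36-word, two-dice list is constructed so the block runs offline; a real Diceware list has 7,776 words keyed by five dice, and the function names are this example's own.

```python
import math
import secrets

# Constructed two-dice list (36 words) so the example is self-contained.
_WORDS = ("anvil birch cedar delta ember fjord glyph haven ivory jolly kayak lemon "
          "mango noble ocean pearl quilt raven sable tulip umbra vivid waltz xenon "
          "yacht zebra amber bison coral dingo eagle flint grape heron inlet jewel"
          ).split()
SAMPLE_LIST = "\n".join(
    "%d%d\t%s" % (a, b, _WORDS[(a - 1) * 6 + (b - 1)])
    for a in range(1, 7) for b in range(1, 7))


def parse_wordlist(text):
    """Parse 'dice-key word' lines and refuse lists that would weaken the result."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                          # blank lines, headers, signatures
        key, word = parts
        if set(key) - set("123456"):
            continue                          # not a dice key
        table[key] = word
    if not table:
        raise ValueError("no dice-keyed entries found")
    n_dice = len(next(iter(table)))
    if any(len(k) != n_dice for k in table) or len(table) != 6 ** n_dice:
        raise ValueError("word list is incomplete: %d entries" % len(table))
    if len(set(table.values())) != len(table):
        raise ValueError("duplicate words reduce the real entropy")
    return table, n_dice


def roll(n_dice):
    """Simulate n fair dice with the OS CSPRNG; returns a key such as '41326'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def passphrase(table, n_dice, n_words=6):
    """Pick each word independently; never reroll words you dislike."""
    return " ".join(table[roll(n_dice)] for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Strength assuming the attacker knows the list and the number of words."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches the target strength."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    table, n_dice = parse_wordlist(SAMPLE_LIST)
    print("demo phrase (36-word list):", passphrase(table, n_dice))
    print("bits from this demo list:  %.1f" % entropy_bits(len(table), 6))
    print("bits from a 7776-word list: %.1f" % entropy_bits(7776, 6))
    print("words for 80 bits (7776):  ", words_needed(7776, 80))
```

The strength comes only from the list size and the number of words, which is why the phrase can be unrelated to you and still be memorable.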


    Now, back up your Keepass database to an external USB drive that you keep in storage someplace safe. Whenever you make changes to your Keepass database, back up a copy to a USB drive; we'll cover safe cloud storage later. First, we go with the basics.

    This will take some time, but if any of your accounts are ever compromised, the damage will be mitigated. Commit to yourself that you will use the database and work through the learning curve. After a while, it will be second nature, and because it can run on tablets, smartphones and other devices, you can always have a copy with you, safe and encrypted.

    Take a look at open source operating system alternatives. It's time to ditch Google, Apple, and Microsoft on any devices you own. Most people really want to be able to web surf, read email, work with documents, presentations and spreadsheets, and perhaps run a few proprietary programs. Linux will meet most, if not all, of these needs while providing you with more protection than you get with other proprietary operating systems.

    The easiest way to try it out is to run a live CD with a version of Linux on your desktop computer or laptop. A live CD gives you a way of trying the software without wiping out your existing machine. If you find burning a CD or DVD and booting your computer up to it too complex, don't despair: at the end of Part II there will be some resources to do this work for you. If it's not too complex, try it out by burning a CD from Debian (http://www.debian.org/CD/live/) or Linux Mint (http://www.linuxmint.com/download.html) and booting your computer from it.

    You'll find that for most tasks, the differences between using a purely open source solution and using a proprietary solution are negligible, but the open source solution is much more secure. You have very similar browser, productivity and email solutions as you do for proprietary systems. For more advanced tasks, this is not the case, but understanding will come in time.

    We will cover more on moving to Linux later, but this will give you a chance to experiment.

    We want to know what you think about the guide thus far. Likes and dislikes? Level of information? General questions you'd like to see addressed?

    It's time to put those free email accounts to use. This is best if you have a VPN or know how to use Tor or I2P, but it's not critical at this stage. Open a new Gmail, Yahoo or other free account. Better yet, try Hushmail or other secure email service. Set up a new username that has nothing to do with you, and a secure password, preferably with something like Keepass as discussed in Assignment #1.

    Send an email to [email protected] with your feedback. Yes, we're keeping the email address for future correspondence, so if you want to create some paper separation between the real you and the electronic you, now's the time to start.


    In Part II, we'll look at specific secure technologies and related homework assignments to provide you with exposure to those technologies. We'll discuss secure web browsing, VPN services, secure email, GPG encryption, Linux, and a host of other specific software you can use going forward. Plus, for those people that prefer to not invest significant time and energy into implementing all of these technologies themselves, we'll provide some resources for private companies that will set up secure software and devices for you. You will still have to invest the time to learn to use the technology, but this will simplify and jump start the journey for some.


    Two men were walking through the woods when a large bear walked out into the clearing no more than 50 feet in front of them.

    The first man dropped his backpack and dug out a pair of running shoes, then began to furiously attempt to lace them up as the bear slowly approached them.

    The second man looked at the first, confused, and said, "What are you doing? Running shoes aren't going to help, you can't outrun that bear."

    "I don't need to," said the first man, "I just need to outrun you."

    It's the joke that everyone knows, but few people recognize truth in it. It is impossible to guarantee yourself absolute privacy and freedom with technology alone. As stated repeatedly in Part I, your best strategy is to use layers of defense to provide the highest degree of privacy and security. This includes not only technology strategies, but also legal, political and financial strategies.

    The result is not a guarantee that your privacy and freedom are preserved, but like the joke above, there will be easier targets than you to abuse. If you focus your strategy on making it more difficult, expensive, and challenging to assault your privacy, the odds favor that the bear(s) will pick other, easier targets.

    To take a simple, non-technical example: let's say you own a car and are involved in an accident for which you have insufficient insurance coverage. Your counter-party sues you personally and goes after your home. It's possible to lose most everything with frivolous lawsuits.

    In contrast, if the vehicle was owned by an LLC, the suing party would be very limited (criminal negligence issues aside) in what assets were available to them during a lawsuit. Plaintiffs would have access to the assets of the LLC in a judgment in their favor, but nothing more. If the vehicle was the only thing owned by the LLC, then only the vehicle involved in the accident would be at risk. Further, because of this degree of protection, attorneys for the plaintiff are much less likely to pursue a frivolous lawsuit - it simply doesn't pay because the upside is limited.

    This is how you evade the bear. It's not possible to guarantee you will be lawsuit-free in your lifetime, but it's possible to make yourself a difficult, expensive, and time consuming target so that the bear chooses easier prey. The concept is the same in looking at technical solutions to preserving your privacy and freedom: you can't guarantee you won't be a target, but become an expensive, challenging target and your adversary will choose easier prey.

    PART TWO


    Aside from user error, the biggest risk you have with technology, especially encryption, is it being proprietary. When the software is closed and inaccessible, there is no way to verify exactly what it is doing. As a result, making the transition to open source software may be the most important and sustainable move you can make.

    Open source software is software where the underlying source code developed by the programmer(s) is available publicly and is NOT proprietary. You should be able to take this source code and recreate the software binary, the software that actually executes on your machine.

    The benefit of open source is it can be reviewed and altered by anyone. By having more eyes on the source code, it is much more difficult (though not impossible) to create back doors, intentional data leakage, and other privacy-destroying functions in the software. In essence, all of the benefits and flaws of the software are available for review by everyone, so the bad guys have a harder time hiding things.

    The operating system is the core of your software strategy. An operating system is a set of inter-working software that manages your computer's hardware and provides various services for other software on your system to access.

    Wikipedia has an interesting list of open source operating systems you may want to investigate, but for new users to open source software, the recommendation would be to use one of the Linux distributions or BSD.

    Linux, even as described in this document, is frequently incorrectly described as an operating system. Linux is actually a kernel, the brain of the operating system that manages all of the hardware features and system requests for your computer.

    To make a complete operating system, the kernel needs to be augmented with other software services and have the ability to run different applications. This service software, called GNU software, is provided from the Free Software Foundation. [You are strongly encouraged to visit those sites and understand the philosophy behind the development of the software.] As a result, GNU/Linux is the actual name of the complete operating system, though we will incorrectly use Linux interchangeably with GNU/Linux.

    Understanding this differentiation is critical because some operating systems, notably Google's Android operating system, leverage the Linux kernel but put proprietary software around it. It's important to focus on completely open software.

    One of the challenges with open source software is that by publishing sources, different groups tend to form and take various projects in different directions. As a result, frequently you will find variations of software that are built on the same fundamental pieces, but implement them and solve other issues in very different ways.


    For more advanced users, we'll take not only Rule #5 into account, but we'll add a dose of Rule #9 (Layer Your Security).

    By running a virtual machine with another operating system, you can create additional security for privacy-centric tasks. For example, if you run Tails or FreeBSD in a virtual machine like VirtualBox or VMware running inside of a Debian Linux environment, the tasks you perform within that virtual environment are essentially isolated and sandboxed from the rest of your system.

    As a practical example, if you are particularly concerned about your banking secrecy, you could always access your banking site from within a Tails distribution installed in a virtual machine. You would always be connected from that virtual machine via Tor even if connected with a VPN in your host system, and if anything negative occurred on your virtual/guest system, you can wipe the slate clean and start over without damaging the host system that contains the bulk of your data. You are, in essence, compartmentalizing your software to minimize risks.

    Alternatively, you can also run a Windows or Mac OS guest in your virtual machine so that you can access any needed software that only runs on those systems, but shut them down for the rest of your day-to-day activities, limiting what information is leaked about your system and minimizing any negative effects from viruses or other malware.

    Layering is a critically important facet of software security.

    Finally, utilize encryption for your hard disks (or solid-state drives). Debian-based Linux distributions support LUKS encryption out-of-the-box (choose the encrypted LVM options when installing) and FreeBSD supports ZFS. Though the author recommends AES encryption, it is typically beyond the skill set for most new users to install, and LUKS or ZFS will be sufficient for most all uses.

    If you are even remotely serious about privacy, you should always utilize disk encryption and always encrypt your backups! You have a lousy security plan if you don't plan against physical theft, confiscation, or infiltration of unencrypted backups.

    When you connect to the Internet, you are providing a data connection over the TCP/IP protocol suite to other machines. The Internet was designed as a decentralized, fault-tolerant network for machines to transmit data; it was not inherently designed to provide privacy or security to the machines on the network. The Internet is not inherently anonymous, private, or secure.

    You probably have an Internet Service Provider (ISP) that connects your computer or series of computers via a router to a gateway. The gateway is then connected to the ISP's servers, which are in turn connected to the rest of the Internet backbone.

    Whenever you access a web page, send an email, download a file, watch a streaming video, or just about any other function that requires an Internet connection (or connection to any network, in fact), you must share certain data with those machines. Your machine will have to find that remote machine among the hundreds of millions out there on the Internet. To do this, it will find the remote server's unique Internet Protocol (IP) address and disclose its own IP address to ensure the two machines can locate one another. If applicable, it will also divulge the operating system and version it is running, the web browser and version it is running, cookie information in the browser as requested, possibly your computer's WiFi or Ethernet Media Access Control (MAC) address, and a host of other information.

    In addition, unless specifically encrypted, all of the data you transmit to and from a remote server is readable by anyone that can intercept the data transmission, like your ISP. Your ISP knows everything you do that is not encrypted. No wonder that penetration of ISPs is a critical component of spy agencies like the NSA.

    All of this information is privacy-crushing. Point your web browser to a service like iplocation.net and you will see that it is easy for a remote site to determine your ISP, and therefore your location. Click the Google Map link and see how closely iplocation.net can determine your physical location.

    Since your ISP provides your IP address on the Internet, it doesn't take much to determine your physical location (that is, your physical street address) since your ISP must know this to provide service to your home or business.

    Unless you've taken appropriate steps, your ISP knows just about everything you've ever done online. It knows at which web sites you shop. It knows where you bank. Much like Google, it knows the things you've searched for and possibly the contents of your email. Worse yet, it knows how to direct people to your doorstep. Your ISP is a huge security and privacy risk, and your privacy is only as secure as theirs.

    If you haven't realized it by now, nothing you do online (which is more and more of your life...) is private without taking specific steps to provide your own security.

    A virtual private network (VPN) is an extremely valuable tool in your privacy technology arsenal. A VPN creates a virtual encrypted network among multiple private computers across a public network like the Internet. It's a software-based strategy that attempts to connect multiple machines and protect their data transmission, essentially tying them together as if they're on their own private network. A VPN utilizes the public Internet infrastructure to connect computers in a private network space.

    VPNs provide a few very important privacy safeguards:

    Your IP address will match that of the VPN server, not your actual, physical location. If you are located in New York, your public IP address will be one supplied by your local, New York-based ISP. If you are connecting to a VPN server in Los Angeles, your public IP address will be Los Angeles based, and all of the websites you visit will be incorrect about your location.

    Once connected to a VPN server, the data transmitted between your computer and the VPN server is encrypted. Your ISP will know, for example, that you are connecting to a remote machine (your VPN server) because it will see you connect to the IP address of that server, but it will not be able to read the data you transmit to or from that server as that data will be encrypted. The ISP won't be able to read email, see your browsing history, or otherwise monitor the actual content of your transmissions.


    Note that there are other techniques that can be used by your ISP to spy on you, but they are less direct. For example, if you are watching a lot of streaming video, your ISP won't necessarily see that content (know what videos you're watching), but it will probably be able to assume by the volume of content that you are watching videos as compared to sending a lot of emails. All in all, however, a good VPN solution will go a long way, especially when combined with an open source operating system, in providing much needed privacy.

    This begs the question: what is a good VPN solution?

    As we've seen from the Snowden revelations, much of the NSA's attacks on individual privacy have been through manipulating corporate relationships. So choosing a VPN provider is an amalgam of technical, legal, political, and possibly financial issues.

    From a technical standpoint, there are many types of VPNs that can be implemented including PPTP (actually a tunneling protocol, but considered to be a VPN by many), VTun, CIPE, tinc, L2TP with IPsec and OpenVPN, among others. There is considerable debate as to what a VPN protocol is or isn't.

    Point-to-Point Tunneling Protocol (PPTP) is a Microsoft-focused tunneling protocol that is often used by Microsoft-based systems as a secure VPN. While this is better than transmitting clear text, it should not be considered secure enough for stopping elite attackers, whether they're hackers or institutions like the NSA. It is considered here because it is very prevalent, but there are much better, more secure VPN options out there you should consider.

    The only recommended, cost effective VPN solution is one that utilizes OpenVPN.

    OpenVPN is an open source VPN standard that can be implemented several different ways. All OpenVPN implementations have keys to encrypt and decrypt, but not all have HMAC authentication. The most secure version is one that utilizes four total keys to authenticate and encrypt/decrypt data. Try to utilize providers that make use of separate HMAC authentication keys.

    Also, one particular attack can be used against any VPN to spy on the user. Consider this example. Let's say that you're the only VPN user on a server; perhaps it's a server you own in a remote location. Every time you connect to the VPN server, your ISP will know where you connect but cannot understand the data transmission. However, if the VPN server is also under surveillance (and just about everything is under surveillance these days), then when you connect, the ISP or the VPN server will see your connection and the corresponding connection to the websites, email servers, and other IP addresses that the VPN server connects to. In essence, you've only created some jurisdictional separation, but you're still easy to track because you're the only user on a given server.

    Thus, we'd recommend using commercial, multi-hop VPN services when possible. A multi-hop service is one in which you connect to a VPN server, and it in turn connects to other VPN servers. At each connection, you're further removed from a single point of surveillance. In addition, by utilizing a commercial service that has many different users, it becomes difficult, if not impossible, to correlate the outbound traffic from the VPN server with the users that are connecting to the servers.

    Finally, there's a legal and jurisdictional angle to all of this. We've seen that government spying is much more about penetrating well known, commercial services than breaking encryption. Math works. People fail. The weakest link in your protection schema is the individual or company that provides your service. The technical solution may work, but if the company headquarters is located next to the NSA, you can probably bet that you're being spied upon.

    To avoid this problem, pick companies that operate their VPN services outside of your home country, preferably countries that have a political track record of not being friendly with your home country. Servers should be outside of the US and UK entirely. If the service provider offers anything domestically for you, make sure that it's only a billing relationship. There should be no legal ties between the companies that operate the servers and the company that takes your money for the service. It's best to pay for services in cash or with a currency like bitcoins to break any paperwork ties between you and what you use to secure yourself technically.

    Proxy servers are servers that you can connect to and that will act as proxies for web surfing, email, and other functions. They are not nearly as secure as a VPN solution, and most of the time the free ones are simply honeypots set up by hackers or spy agencies to gather information on your passwords, surfing habits, etc. Plus, your traffic and location data are not nearly as secure. As a general rule, avoid proxy servers unless you personally know the owner of the server and its security configuration.

    Tor (https://www.torproject.org/) and I2P (http://www.i2p2.de/) are powerful anonymity networks that allow access to remote, secretive areas of the Internet called dark nets or the deep web. These are powerful technologies that are really beyond the scope of this guide, but there are instructions at each of the links above for obtaining, installing and configuring the software.

    What's important to realize is that these are not replacements for VPNs. They do offer strong anonymity, but they are also very restrictive in their usage. For example, VPNs will encrypt all traffic leaving your machine. Tor and I2P will only encrypt traffic on a per-application basis. Incorrectly configured software, as highlighted by the recent FBI attacks on Tor utilizing Javascript exploits, can be a very high risk proposition to a new user.

    Usage of I2P and Tor, particularly when logged into a VPN, is a strong layered security approach but is for more advanced users. It takes time to learn to use both pieces of software, but the time is well spent.

    As a public document, we won't be making any recommendations on specific VPN providers at the risk of drawing undue attention to them. But rest assured that with a little research there are many providers and plans that will meet the typical user's needs. Just remember:

    Provider should be OpenVPN-based, and preferably support separate HMAC authentication keys.

    Provider should be multi-hop.

    Provider should have its servers located in a different legal and political jurisdiction than where you are located.


    Provider will ideally accept cash or anonymous payments of some sort and/or will have its payment system structurally isolated from its technology deployment system. That is, you do not want billing information correlated with user accounts for anyone that accesses the billing information. Jurisdictional awareness is part of complete privacy protection.

    Please contact us at: [email protected] for specific recommendations.

    Aah... The Cloud. The ever-present buzzword of our time.

    Let's focus on what the cloud is and isn't.

    The cloud is simply a server or series of servers which you have access to for some service. There's no magic in the cloud concept; it's been around for more than 20 years. What's changed is the marketing and the hype level.

    You should consider all cloud applications to be high privacy risks. Companies like Dropbox have been implicated in spying on your content in many different ways.

    Remember Rule #2: there is no free lunch.

    There are many services that you can purchase for remote, encrypted backup; a recent review was posted here (http://www.hacker10.com/computer-security/list-of-non-usa-cloud-storage-services-with-client-side-encryption/). Unfortunately, none of them can be recommended by the authors of this document, at least without encrypting your data first and then sending it to the cloud.

    Encryption programs like Truecrypt can be used to encrypt your data before it is sent anywhere. Avoid the services from Microsoft, Apple, Google, Amazon, and any other large, US-based companies like the plague.

    Alternatively, if what you really want is remote storage, synchronization capability, and backups, you should consider setting up your own private cloud. These days, this is not nearly as difficult as it may sound.

    Network-attached storage (NAS) devices have come a long way over the years and are no longer simply hard drives that sit on your local network (aka: home office, or even your living room). They have evolved into full servers that can manage remote backups, sync, and a host of cloud services like streaming audio and video, e-book servers, VPNs, and much, much more.

    Plus, these NAS servers run Linux as an operating system with very easy-to-use interfaces for managing them, and they offer at least file-level encryption so your stored data is protected from theft. They will also back themselves up to other remote servers, including commercial services, so your data can be in sync in multiple locations for maximum protection.

    Synology and QNAP are the leaders in the space and offer very solid, robust, and reasonably secure products. Make sure you are using encrypted file systems and only connect your NAS server via HTTPS; all options easily configurable with the equipment.


    Firewalls are important to block communications to or from your computer or network. All of the applications you use to communicate with the outside world communicate through a port, a communications interface between an application on your computer and the entry to the operating system. The purpose of a firewall is for you to control appropriate permission for an application to communicate through its designated port to another computer. This has the effect of allowing some applications, which you deem are safe, to communicate while stopping the communication from others.

    Usage of firewalls can cause some confusion as a secure firewall setup blocks all applications from accessing ports on your machine unless you specifically allow them. That means that every time you install a new application which uses a port for external communication, the firewall will block it by default until you explicitly allow it. If you forget to adjust the firewall, it will appear as if your installed applications do not function correctly, so there is a good chance for confusion.

    Different operating systems use different firewalls. For Linux-based machines, iptables is a very powerful firewall built into the Linux kernel itself which is often best controlled with an easier-to-use program like Shorewall. FreeBSD users can access PF, IPFILTER, and IPFW firewalls. Unfortunately, all of these options are command line driven and not immediately intuitive to the new user coming from a Mac or Windows environment.

    Expect to spend some time here in configuration: start simply and learn how the software works. A good walkthrough example of setting up Shorewall is available at Cyberciti.

    Though it has become a laggard for HTML5 and other new evolving standards, Firefox is the best option today for secure browsing (aside from some really secure and simple but less-feature-rich browsers like Links, which installs and runs very easily in both BSD and Linux) and is very feature rich largely because of the available add-ons. Firefox configuration is very important, however.

    For Linux users of Firefox (including Iceweasel), you will need to configure your browser to minimize any data leakage as follows:

    Under the Edit > Preferences > Privacy tab

    Under Tracking, check "Tell websites I do not want to be tracked"

    Under History, Firefox (Iceweasel) will: Use custom settings for history

    - UNcheck Accept third-party cookies, or choose Never from the dropdown menu

    - Keep until: I close Firefox (Iceweasel)

    - Check Clear history when Firefox (Iceweasel) closes, and under Settings:

    Check everything except Saved Passwords for maximum protection

    Note that using Keepass and KeeFox may be a better solution than having Firefox save your passwords!

    If you opt to save passwords, set a Master Password under Edit > Preferences > Security

    In the URL bar, type:

    about:config

    - Accept the warning: "I'll be careful, I promise!"

    - Search for network.proxy.socks_remote_dns and double-click it to set it to true

    - Search for geo.enabled and double-click it to set it to false

    For the Linux versions of Firefox (including Iceweasel), choose the Tools > Add-ons option to find and install a series of security-minded add-ons. Search for and install the following add-ons:

    NoScript

    - NoScript blocks JavaScript, which is a major source of privacy issues and installation of malware. This can cause some unexpected behavior at first; things like logins to banking may stop working. When you visit web sites that you trust, you can tell NoScript to "Allow All of This Page" to allow scripts to run. Next time you visit the page, Firefox will remember your NoScript preferences. It will take a little time to get used to working with NoScript, but the security benefits are tremendous.

    BetterPrivacy

    - BetterPrivacy removes hard-to-remove Flash cookies, called LSOs.

    Ghostery

    - Ghostery builds a database of tracking sites and prevents them from tracking you. This is somewhat redundant with NoScript installed, but there are occasions where you may need to run all JavaScript on a site, and Ghostery will continue to block the trackers.

    Adblock Plus

    - Adblock Plus will block banner ads, advertising, and trackers. Like Ghostery, this is somewhat redundant with NoScript, but if scripts must be allowed, Adblock will block incoming ads no matter what.

    HTTPS-Everywhere

    - This add-on is available from the Debian (and Linux Mint) repositories. When possible, it will force the website you are connecting to to use a secure socket layer (SSL) connection, which will encrypt all traffic to and from that site by default. Again, while somewhat redundant if you're using a VPN, this is an added layer of protection, especially if your VPN connection drops.

    - Other alternatives include HTTPS Finder

    Other add-ons that are very useful and should be strongly considered include:

    KeeFox

    - This will allow you to use a Keepass password database, which will be discussed later, in lieu of using Firefox to save passwords. This makes password management much easier and removes password theft risk from Firefox.

    Priv3

    - Prevents social networks from tracking you

    Certificate Patrol

    - Advises you on website certificate changes and inconsistencies (which should be a red flag!)

    RequestPolicy

    - Prevents cross-site tracking

    RefControl

    - Allows you to tell a site what site referenced your visit

    SafeCache

    - Helps guard against remote sites seeing your browsing history

    Many of these add-ons are redundant or perform a similar function in different ways. End users are encouraged to mix and match many of the optional add-ons with the recommended ones to find features and capabilities that they are comfortable with.

    Email is the most widely used Internet application, and unfortunately, is also one of the most insecure. Sending email is much like sending snail mail. An email must have a source IP address and a destination IP address just like snail mail needs a physical address for the sender and an address for the receiver.

    The email travels through mail transfer agents (MTAs), analogous to snail mail traveling through post offices en route to their final destination. At each leg of the journey, the path that the email has taken is recorded, and an MTA may record your entire email along the way.

    Tracing an email is not difficult, and will often provide a lot of data about the sender's physical location. Plus, unlike snail mail, email is often sent unencrypted, analogous to sending snail mail without an envelope.

    Free email providers like Google, Yahoo and Microsoft make money by having your emails, even those with encrypted storage, scanned for key words so that they may build profiles of your relationships, interests, and habits. This data is sold to advertising and marketing companies, and coincidentally, provides an excellent, permanent profile of you for use by any company or agency that can access it. No wonder that the law requires archiving of email as well, so avoid providers that do not specifically provide secure email or offer free accounts (rule #2 in effect again...). The exception is for email accounts where you may want to leave a particular impression; disinformation can be valuable in creating an appropriate online profile.

    It's pretty obvious from just this small amount of information that email is terribly, terribly insecure.

    Much like sending any data, the security issues with email are:

    - securing your IP address

    - securing the destination account's IP address

    - securing the content of your email message

    - providing a secure connection to the email server

    Your connection to the mail server should be over TLS or SSL encrypted connections. The sender IP address in the header of the email message will be within the IP address domain of the mail server. In some cases for some email providers (Microsoft and Google are examples), part of the email header, called X-Originating-IP, will show your actual IP address (or the IP address of the VPN, if you're using one).

    Lesson one: always connect to email via your VPN, even if there is an SSL/TLS connection to the email server. The VPN will secure your IP address and ensure your connection to the mail server is encrypted, thus encrypting the content of the email itself while in transit.

    This still leaves the destination IP address exposed to the mail servers en route. There is no way to secure this; the email has to find its destination. This shows one shortcoming of email: there's going to be a record of communications between you and another party, which are probably readily identifiable (particularly if one or both parties are using free email).

    Finally, even if your connection to an email server is encrypted, there's no guarantee that the entire path the email will follow to its destination will be encrypted. Once the email leaves your mail server, it is likely unencrypted (unless all parties are on the same encrypted mail system) and other MTA servers may record the message in transit. Plus, the recipient party may not have an encrypted connection to their mail server. That's a lot of potential exposure for the content of your message even if you've taken precautions to ensure your message was protected en route to your mail server.

    This can happen whether you are using webmail or an email client.

    The solution to part of this problem is to encrypt the text content of your message before you ever even send it to your mail server. You want the encryption to take place on your computer before you send it. (Note that you cannot encrypt the header information for the email, which includes the Subject heading.)

    The best way to do this securely is to use an email client and integrate OpenPGP encryption.
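
    To check what a relay can still read once the body is encrypted, the sketch below parses a stored message and lists the readable headers, the hop trail and any X-Originating-IP value. It is an added example, not part of the original guide; the sample message, host names and addresses are constructed, and the function name relay_view is hypothetical.

```python
import email
import re
from email import policy

# Constructed sample (not real traffic): a PGP-encrypted message as a relay would
# store it. IP addresses come from the RFC 5737 documentation ranges.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS id abc123
\tfor <bob@example.org>; Mon, 29 Jul 2013 10:00:05 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.example.net with ESMTPSA id def456;
\tMon, 29 Jul 2013 10:00:01 +0000
X-Originating-IP: [203.0.113.45]
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Meeting on Thursday
Date: Mon, 29 Jul 2013 10:00:00 +0000
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(placeholder ciphertext, constructed for this example)
-----END PGP MESSAGE-----
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def relay_view(raw):
    """Return what any MTA on the path can read without holding a private key."""
    msg = email.message_from_string(raw, policy=policy.default)

    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())  # unfold continuation lines
        sender = re.search(r"\bfrom (\S+)", text)
        relay = re.search(r"\bby (\S+)", text)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": relay.group(1) if relay else None,
            "ips": IPV4.findall(text),
        })
    hops.reverse()  # each relay prepends its header, so the oldest hop is last

    origin = IPV4.search(str(msg.get("X-Originating-IP", "")))
    body = msg.get_content()
    return {
        "cleartext_headers": {h: str(msg[h]) for h in ("From", "To", "Subject", "Date")},
        "hops": hops,
        "x_originating_ip": origin.group(0) if origin else None,
        "body_is_pgp": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    view = relay_view(RAW_MESSAGE)
    for name, value in view["cleartext_headers"].items():
        print(f"readable header  {name}: {value}")
    for hop in view["hops"]:
        print(f"hop  {hop['from']} -> {hop['by']}  {hop['ips']}")
    print("client IP disclosed:", view["x_originating_ip"])
    print("body encrypted:", view["body_is_pgp"])
```

    Running it against a copy of a message you sent to yourself shows whether your provider adds your client address to the headers.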

    The subject of OpenPGP tends to be challenging for new users, but if you're going to use email and you want security, it's one of the most important technologies to leverage. As Edward Snowden recently commented on the subject of encrypting email:

    "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

    Entire books can be (and many have been) written about Pretty Good Privacy (PGP) and its open source descendant, OpenPGP.

    To summarize, the concept works like this:

    1. You have a set of keys. One is your public key, which is designed to be given out to anyone that you would like to communicate with via OpenPGP encryption. The second is a private (secret) key which you keep to yourself.

    2. Your friend, Bob, a person with whom you wish to communicate, must also adopt OpenPGP and create a set of public and private keys.

    3. To communicate with Bob, you must send him your public key and he must send you his public key.

    4. You write an email message to Bob and use OpenPGP software to encrypt that message using Bob's public key. This is the part that people tend to miss. If you want to communicate with Bob, you need Bob's public key and must use that key to encrypt a message. The same goes for Bob. To respond to you, Bob must use your public key and use it to encrypt a message using OpenPGP.

    5. Once the message is encrypted, you just send it. When Bob gets your message, his OpenPGP software will use his private key to decrypt the message. When you get a message from Bob, you will decrypt that message with your private key. That's why it's private: whoever has access to that key can read any email designated for that recipient.

    In concept, it's simple, but in reality there are a lot of steps going on. If you have 100 people with whom you need to communicate, you can only send encrypted messages using OpenPGP if those people are also using OpenPGP and you have their public keys. Otherwise, the contents of your email will be exposed.
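
    The five steps above can be run end to end with GnuPG and two throwaway keyrings, which also shows that a message encrypted only to Bob cannot be read back by its sender. This is an added example, not part of the original guide; it assumes GnuPG 2.1 or later on the PATH, and the example.org addresses and the function names are hypothetical.

```python
import shutil
import subprocess
import tempfile


def gpg(home, *args, data=None):
    """Run gpg against one party's isolated keyring and return its stdout."""
    # Demo keys get an empty passphrase; a real private key should have one.
    cmd = ["gpg", "--homedir", home, "--batch", "--quiet", "--no-tty",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    done = subprocess.run(cmd, input=data, capture_output=True, check=True, timeout=180)
    return done.stdout


def stop_agent(home):
    """Shut down the gpg-agent that gpg started for a temporary keyring."""
    if shutil.which("gpgconf"):
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       capture_output=True)


def exchange(message=b"Meet at noon."):
    """Walk steps 1-5 of the list above; returns None if GnuPG is not installed."""
    if shutil.which("gpg") is None:
        return None
    alice = tempfile.mkdtemp(prefix="alice-")  # created with mode 0700
    bob = tempfile.mkdtemp(prefix="bob-")
    try:
        # Steps 1 and 2: each party creates a key pair in their own keyring.
        gpg(alice, "--quick-generate-key", "Alice <alice@example.org>",
            "default", "default", "never")
        gpg(bob, "--quick-generate-key", "Bob <bob@example.org>",
            "default", "default", "never")

        # Step 3: Bob hands over his public key only; Alice imports it.
        bob_public = gpg(bob, "--armor", "--export", "bob@example.org")
        gpg(alice, "--import", data=bob_public)

        # Step 4: Alice encrypts with Bob's public key. "--trust-model always"
        # skips the ownership check for this demo; in practice, compare the
        # key fingerprint with Bob over another channel before trusting it.
        ciphertext = gpg(alice, "--armor", "--trust-model", "always", "--encrypt",
                         "--recipient", "bob@example.org", data=message)

        # Step 5: only Bob's private key opens it.
        bob_plaintext = gpg(bob, "--decrypt", data=ciphertext)

        # Alice's keyring holds no matching private key, so she cannot read
        # her own sent message unless she also encrypts to herself.
        try:
            gpg(alice, "--decrypt", data=ciphertext)
            alice_can_read = True
        except subprocess.CalledProcessError:
            alice_can_read = False

        return {"ciphertext": ciphertext, "bob_plaintext": bob_plaintext,
                "alice_can_read": alice_can_read}
    finally:
        for home in (alice, bob):
            stop_agent(home)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(exchange())
```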

    To simplify the process of creating public and private keys, managing those keys, matching keys with email addresses, and otherwise creating rules so that you can communicate with encryption to some people and not with others (after all, many people will never secure themselves), it is convenient to utilize an email client with integrated support for OpenPGP.

    The recommended way to manage this process is to utilize an email client for both POP and IMAP mail. Mozilla's Thunderbird (Icedove) is the recommended email client because of its add-on support, notably Enigmail, and strong integration with GnuPG (OpenPGP).

    Thunderbird will be set up to check all of your email accounts. It can be customized to offer calendar support and other features. Like Firefox, you'll need to open Edit > Preferences > Advanced > Config Editor and:

    - search for geo.enabled and change to false

    - search for network.proxy.socks_remote_dns and change to true

    You'll want to install the following add-ons:

    - Adblock Plus

    - Enigmail (critically important for encrypted mail)

    - HTTPS-Everywhere (or similar)

    - Lightning Calendar (Iceowl)

    GnuPG tracks the OpenPGP standard and provides a completely open source option for utilizing PGP encryption, and it is completely interoperable with PGP. GnuPG is a separate application that will be used to take messages and encrypt or decrypt them with the appropriate public and private keys.

    Enigmail is the glue that integrates GnuPG with Thunderbird so that the number of manual steps for encrypting, decrypting and managing keys is greatly reduced. Enigmail makes the entire process seamless, once it's set up correctly.

    The Enigmail Project has a good document on configuring this collection of software, and you should start using this system today even if you're on Windows or Mac OS.

    It will take a little time to get used to configuring and using this setup. Take some time to set it up and send us an email with your public key at [email protected]. We'll return your response with our public key for secure communications.

    You should avoid webmail and focus on setting up a working email client system like Thunderbird/GnuPG/Enigmail. There are other alternatives, but this configuration is tried and true.

    Again, avoid the free email providers like Google, Yahoo, and Microsoft.

    Ideally, your secure email provider will provide the same political, legal, and financial protections that your VPN provider allows. Their servers should be outside of your home country jurisdiction and outside of the US and UK entirely. Private billing options, or at least segregated billing and customer accounts, should be available.

    As with VPN recommendations, we won't make a public recommendation list for encrypted email providers so as to minimize any unwanted exposure, but contact us at: [email protected] for recommendations.

    For more advanced users, there are anonymous remailers that will completely obscure the email send trail. In general, the use of cypherpunk remailers, mixmasters, mixminions and nymservers is a more advanced topic, but understanding that such technologies exist is valuable for all users.

    Consider setting up and using secure chat for most communications. Chat and instant messaging (IM), supported through off-the-record (OTR) encryption, is one of the more powerful and private means of sending written communications. Again, forget using IM services from the big players. Online services like Cryptocat provide secure, encrypted chat, or you may use other XMPP-based public chat services like Jabber. In most cases, setting up Pidgin as your chat client and using OTR encryption will be much more secure than utilizing email.

    If you're comfortable with Tor, Torchat is a fantastic application for securing your messaging communications.

    There's a revolution underway providing numerous ways to transmit and receive messages privately.

    Here are a couple that may be of interest:

    Sometimes, it may make more sense to hide a message to someone in plain sight. This can attract much less attention than sending obviously encrypted messages. Steganography is the science of hiding messages in other media so that only the recipient knows a hidden message is available. With utilities like steghide and outguess, you can hide messages or entire files inside of image and audio files; stegsnow hides text in the whitespace of text files.

    Bitmessage allows you to send encrypted messages in a peer-to-peer network utilizing the same fundamental concepts as the bitcoin network.

    Most people don't realize their mobile phone is little more than a tracking device. In addition to your SIM card, your phone carries IMEI and IMSI identifiers for the proprietary networks (aka, the carrier network) it operates on. If you're transmitting data over a carrier network, consider it insecure. It is impossible to obfuscate your physical location and identity; the most you can do is hide the content of the data transmission (if you configure the right software correctly). Do that enough and you're raising a red flag.

    Your phone's microphone can be remotely powered on, and your phone's operating system leaks data back to the manufacturer. You may install OpenPGP applications for email and even connect to other parties via SRTP/ZRTP to encrypt your voice communications, but can never completely remain anonymous as long as your
