Internet security tips for staying safe online in a modern world.

  1. Security tips for staying safe online
  2. —Start of medium level security—
  3. —Measures that cost money—
  4. —Start of physical access measures—
  5. —Start of high level security—
  6. —Start of deterrent measures—
  7. Further reading

Security tips for staying safe online

Level 1: Avoid using your real name online and avoid giving away any personal information. You can use The Random Identity Generator (rig) to generate an online persona and/or login sites using passwords from bugmenot.com.

Level 2: Use your web browser with javascript, cookies and any telemetry (like “pocket”, geolocation and WebRTC) disabled by default and remove the browser fingerprinting. Enable javascript and cookies only on selected sites. IceCat is the best option, Firefox works too. Use IceCatMobile with AFWall+ (and maybe Android IMSI-Catcher Detector) on phones.

Level 3: Don’t save your passwords on a plaintext or in some “cloud” service like lastpass and don’t save logins on your phone or web browser. Create and remember one good main password (must have lowercase, uppercase, numbers and symbols, be longer than 8 characters and change bimonthly), use KeePassX (and I mean the one with an X) and use the option to generate different passwords for each account you have. Other options are kpcli, or pass with apg (for password generator). Use KeePassDroid on phones.

Level 4: Replace your e-mail provider with a more safe, more appropriate provider. A first option is cock.li, protonmail is another.

Level 5: Use an e-mail client that can to block web beacons (tracking pixels). Thunderbird is easy and has a plugin for this, Mutt is another great option.

Level 6: Encrypt your e-mails with GnuPG. Thunderbird has the Enigmail plugin for this.

Level 7: Delete any metadata from files you share on the internet. MAT is an easy tool for this, ExifTool is a better option.

Level 8: When possible opt for IRC (or try GNU Ring) instead of non-publicly auditable chat networks. A good and easy IRC application is Hexchat, another is irssi. You can use BitlBee to access regular networks through an IRC client if you need.

Level 9: When possible opt for GNU Social instead of non-publicly auditable social networks known to sell private information.

—Start of medium level security—

Level 10: Use GNU/Linux. Start with Lubuntu/Linux Mint/Linux Lite for easy mode (stay away from something called BSD).

Level 11: Use a GNU/Linux distro free from “systemd”. Devuan is a good option.

Level 12: Uninstall Avahi, Cups (replace with Line Printer if needed), Telnet, the R-tools (rlogin, rsh, rcp, rwho, rexec), and unused services like ssh/web/ftp/mail.

Level 13: Use Uncomplicated Firewall to block inbound AND outbound network traffic, permitting only what you need.

Level 14: Use DNSCrypt to prevent DNS Leaking with an OpenNIC provider known to not save logs.

Level 15: Use YaCy with collaborative database disabled when in need to search on the web.

Level 16: Use the Tor Browser to navigate the internet through Tor.

Level 17: Use Exim (plus Dovecot) in your own server for e-mail. OpenSMTPD is another option.

Level 18: Use Firejail with your applications.

Level 19: Give your applications a separate user account and use sudo, ulimit and quota with them.

—Measures that cost money—

Level 20: Buy a VPS in a non-extradition, privacy friendly country under a different name, with a good way of not getting traced with payments, then set up your own VPN server so you can audit all the traffic.

Level 21: Buy a phone with Replicant and libre firmware. Tehnoetic sells an S3 phone with Replicant and only libre firmware enabled, so far is the best option.

Level 22: Buy a router compatible with LibreCMC and install LibreCMC, keep it up to date and give it a strong password. OpenWrt is another option.

Level 23: Buy a computer compatible with the Libreboot firmware and the Linux-libre kernel, then install both or buy it preinstalled. Thinkpads are a good option. Models x200 are advised, t400 are another option.

—Start of physical access measures—

Level 24: Set a BIOS password (DON’T FORGET THIS PASSWORD!).

Level 25: Use USBGuard (for Anti Juice Jacking).

Level 26: Use disk encryption with dm-crypt, saving the key on a separate usb that you keep with yourself at all times.

Level 27: Encrypt your boot partition with cryptboot.

—Start of high level security—

Level 28: Use a source based distro, preferably without crypto libraries on its package manager. Source Mage is advised and it is easy to setup.

Level 29: Use the IRC, e-mail and torrent services available inside i2p, and use Tor as an outproxy for i2p when in need to access the regular web.

Level 30: Use Bastille Linux to harden your system.

Level 31: Use Lynis to audit your system.

Level 32: Use Arpalert/ArpON (for Man-In-The-Middle -MITM- Detection) and Suricata/Snort (for Network Intrusion Detection).

Level 33: Use a complete host intrusion detection framework like Tiger, which can work with Tripwire (for integrity check), Unhide/Chkrootkit/rkhunter (for rootkit detection), ClamAV/Linux Malware Detect and a system logger like sysklogd. Using Samhain is an alternative.

Level 34: Use grsecurity (for RBAC) with AppArmor (for filesystem ACL).

Level 35: Compile your own kernel and add only necessary modules.

—Start of deterrent measures—

Level 36: Learn to hack yourself first.

Level 37: Use only libre software (software “free as in freedom”).

Level 38: Reduce the amount of software installed in your computer.

Level 39: Opt for text-based programs with less library dependencies than their GUI counterparts.

Level 40: Support GPLv3 license as to prevent proprietary license wrapping (as with BSD/MIT/Apache licenses) and tivoization.

Level 41: Deduplicate efforts and converge strategies to achieve a “tight base system” in common (use the koan “if is not strictly necessary it should be strictly optional, but still optional”), and that means making things modular and avoiding unnecessary dependencies instead of trusting “crypto libraries”.

Level 42: Abandon traditional, non-publicly auditable, data mined networks and erase your online persona. Use exclusively peer-to-peer networks.

Level 43: Don’t screw up.

Further reading

Bypassing Internet censorship: http://www.securitronlinux.com/lc/Bypassing_Internet_Censorship.pdf.

Cyberdissedents handbook: http://www.securitronlinux.com/lc/handbook_bloggers_cyberdissidents-GB.pdf.

Linux HOWTO PDF archive: http://securitronlinux.com/lc/howto/PDFS/.

No comments have been made. Use this form to start the conversation :)

Leave a Reply