at0m

at0m's digital OPSec guidelines


I will provide information to the best of my knowledge however it is provided as is without any guarantees or assurances.

Do your own research as well. The best way to use this is to understand it and build on it.


I've been meaning to do something like this for quite a while but never really got around to it. With the metadata stuff coming into effect soon, I figured now is as good a time as any to start writing some things on the topics. I'll try to cover as much as I can, as best I can, but let me know if you have any questions, suggestions, ideas, whatever.

Some topics I'd like to cover include VPNs, Tor, Bitcoin, PGP/GPG encryption and general internet privacy. If you've got others you want me to cover, let me know.

VPNs

What is a VPN?
VPN stands for Virtual Private Network. Its main use was to allow people/computers to securely remotely connect into a personal or private network (usually an office) from wherever they may be. This would allow them to safely access the internal services like printers, shared drives/folders, and most importantly and relevant to this post - the internet connection. Despite Bob being at home, their IP would still be the same as if they were in the office for all traffic routed through the VPN. People then started using VPNs solely for the previously mentioned purpose of routing traffic through remote locations.

How do they stop my metadata being collected/how do they work?
Well... they don't. But they stop the important stuff being collected. The only metadata that can be collected by Australian ISPs about your internet usage when you're using a VPN is, well, that you're using a VPN. The traffic is fairly easily identified but it's all end-to-end encrypted, meaning that at no point along its journey does your traffic become readable to any party.

Are there any drawbacks?
Yup! The biggest one you will notice, especially living in Australia, is speed. Expect to lose at least a 3rd of your internet speed. The second biggest thing you'll notice is the hassle if you're going all out. It's very easy to put it in the too hard basket because you've got to install it on all of your devices, make sure they're always connected to the VPN, keep your bills paid, get annoyed at how slow it gets sometimes, etc... Unfortunately privacy comes at a cost nowadays.

Alright, I'm with ya, how do I get one of these VPNs?
Short answer: Buy service from a reputable provider like IPVanish, PIA, IVPN or similar. Using a credit card or PayPal is fine. You're looking at about $10/month but (much) less if you buy in larger blocks (3 months, 6 months, 1 year).

Long answer:
Do a bit of research about the providers out there. Some questions to ask:
Do they log? (Logging for VPNs is usually, amusingly, metadata which is often identifiable if given to certain parties)
Do they use OpenVPN? (If they don't, don't use them)
What are people saying about them?
Where are their servers located?
Where do the companies operate from?
How much do they cost?
Do they support multiple devices/connections?
Do they look legit?
How much info are they asking for?

Once you've found one that ticks your boxes, sign up and pay for your plan. Use bitcoins if you want but realistically PayPal or credit card is likely going to be alright unless you're doing really nefarious things and want some anonymity with your privacy (they are not the same thing). Start with a single month and see how it goes for you. If all is well, consider longer billing periods.

They usually have pretty extensive guides on how to connect from your different devices so I won't cover that here. Once connected, run a few checks like see what DuckDuckGo thinks your IP is, what DNSLeakTest says and maybe some speed tests if you're interested. Finally, go about your normal browsing.

Some interesting links

World War II information security: Navajo VPN - Kaspersky Blog

I Am Anonymous When I Use a VPN - VPN Myths (I wouldn't go with them as a provider but the info is interesting)

VPN - Wikipedia

Tor - Wikipedia

List of privacy conscious VPN providers by a torrenting/piracy blog (trustworthy) - TorrentFreak


Nothing beats good old open source encryption through a VPN if you are trying to fly under the radar.

The figurehead known as Snowden documents revealed how important an issue penetrating VPNs is to the international intel organisations.

I wouldn't place much faith in one myself, these days there's an ever-growing list of ways to exploit and crack VPN encryption keys. As Atom stated though, most of the exploits are commercial exploits and open source keygens are the only way to go.

The way things are these days I wouldn't even trust a VPN until I'd MTM'd or wiresharked the authentication process. The metadata sent by many VPNs is enough to crack the keygen process (particularly commercial VPNs running proprietary software) and if it isn't cracked it will be stored for at least a month.

This is a fucking deep rabbit hole.

https://fveydocs.org/document/intro-vpn-exploitation/

https://fveydocs.org/document/vpn-sigdev-basics/

or for the layman

http://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/


Realistically, against the NSA, you're kind of fucked.

I did note in the post that the only VPN protocol any trust should be put in is OpenVPN, but I'll give you that against the NSA and similar, you're probably fucked anyway. Best you can hope for is to not be a big enough target for them. I'd be highly doubtful that AU has access to those tools for non-international cases tbh.


The point is to keep ordinary people in line. This doesn't hurt terrorists, but it does censor the public


I think the point is we as Australians are all considered suspects in one form or another by current "government".


Now we just need ways to guard against behavioral nudges, infiltration and manipulation by socialbots and persona-managed sockpuppets etc. (My reading material is making me paranoid).


Minor bump for this image.

I'm a big believer in Signal. Solid encryption and team behind it. Encrypted messages and phone calls. There is a desktop messenger client coming soon too.

https://whispersystems.org/


A reasonably secure desktop messenger client - that doesn't require a linked phone like the Signal client - is exactly what I'm looking for.


XMPP/jabber client + OTR + well run server.

Pidgin + OTR + Dukgo server (From the great guys at DuckDuckGo)

Setup guide: https://securityinabox.org/en/guide/pidgin/windows

Dukgo guide: https://duck.co/blog/post/2/using-pidgin-with-xmpp-jabber

Alternatively, something a little more experimental: ricochet.im. It uses the Tor network quite cleverly.

Alternatively-er: Go back to the good old IRC servers :)

All the usual warnings here about being careful about what you say either way, nothing is 100%, etc.

We should do key signing parties at meetups.

Edit: I also feel like the title of this thread should really be read more as "Digital Privacy Guide". Opsec implies you've got something to hide and if they're perusing you, these won't help all that much. They're more to stop passive surveillance.

Edited by at0m


TBH, anything I'd install would mostly (hopefully) be used as a substitute for the now non-functioning forum chat, so security isn't a massive deal.


Then it's really a matter of which protocol the other parties are willing to use.

I believe the cool kids are using ICQ and MSN messenger these days........


I could get us another IRC room going or we could all start using jabber/xmpp. I'm personally leaning toward jabber/xmpp as we can then all use our own servers/server we trust (but I'll be setting my own up in the next week, in the meantime I'm [email protected])
