gf4
/
personal-security-checklist
mirror of https://git.hackliberty.org/Awesome-Mirrors/personal-security-checklist
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:Lissy93/personal-security-checklist into gh-pages

pull/41/head
Alicia Sykes 2020-10-17 19:56:50 +01:00
parent 8a7771960d 6f9b58ee7d
commit 25869b1f1d
6 changed files with 236 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
0_Why_It_Matters.md
View File

@ -1,7 +1,7 @@
# Digital Privacy and Security- Why is Matters
**TLDR;** Privacy is a fundamental right, and essential to democracy, liberty, and freedom of speech. Our privacy is being abused by governments (with mass-surveillance), corporations (profiting from selling personal data), and cyber criminals (stealing our poorly-secured personal data and using it against us). Security is needed in order to keep your private data private, and good digital security is critical to stay protected from the growing risks of cybercrime.
**TLDR;** Privacy is a fundamental right, and essential to democracy, liberty, and freedom of speech. Our privacy is being abused by governments (with mass-surveillance), corporations (profiting from selling personal data), and cyber criminals (stealing our poorly-secured personal data and using it against us). Security is needed in order to keep your private data private, and good digital security is critical to stay protected from the growing risks associated with the war on data.
----
@ -14,11 +14,11 @@ This could be sensitive documents (such as medical records, bank statements, car
One of the most common data collection methods is web tracking. This is when websites use cookies, device fingerprints, and other methods to identify you, and follow you around the web. It is often done for advertising, analytics, and personalization. When aggregated together, this data can paint a very detailed picture of who you are.
## How is Data Stored?
Data that has been collected is stored in databases on a server. These servers are rarely owned by the companies managing them, [56% of servers](https://www.canalys.com/newsroom/global-cloud-market-Q3-2019) are owned by Amazon AWS, Google Cloud, and Microsoft Azure. If stored correctly the data will be encrypted, and authentication required to gain access. However that usually isn't the case, and large data leaks [occour almost dailey](https://selfkey.org/data-breaches-in-2019/). As well as that data breaches occur, when an adversary compromises a database storing personal data. In fact, you've probably already been caught up in a data breach (check your email, at [have i been pwned](https://haveibeenpwned.com))
Data that has been collected is typically stored in databases on a server. These servers are rarely owned by the companies managing them, [56% of servers](https://www.canalys.com/newsroom/global-cloud-market-Q3-2019) are owned by Amazon AWS, Google Cloud, and Microsoft Azure. If stored correctly the data will be encrypted, and authentication required to gain access. However that usually isn't the case, and large data leaks [occour almost dailey](https://selfkey.org/data-breaches-in-2019/). As well as that data breaches occur, when an adversary compromises a database storing personal data. In fact, you've probably already been caught up in a data breach (check your email, at [have i been pwned](https://haveibeenpwned.com))
## What is Personal Data Used For?
Data is collected, stored and used by governments, corporations and sometimes criminals:
Data is collected, stored and used by governments, law enforcement, corporations and sometimes criminals:
### Government Mass Surveillance
Intelligence and law enforcement agencies need surveillance powers to tackle serious crime and terrorism. However, since the Snowden revelations, we now know that this surveillance is not targeted at those suspected of wrongdoing- but instead the entire population. All our digital interactions are being logged and tracked by our very own governments.
@ -68,7 +68,7 @@ For online privacy to be effective, it needs to be adopted my the masses, and no
- Educate yourself about what's going on and why it matters
- Be aware of changes to policies, revelations, recent data breaches and related news
- Take steps to secure your online accounts, protect your devices
- Take steps to secure your online accounts and protect your devices
- Understand how to communicate privately, and how use the internet anonymously
- Use software and services that respect your privacy, and keep your data safe
- Support organisations that fight for your privacy and internet freedom

15
2_TLDR_Short_List.md
View File

@ -7,9 +7,7 @@
## PERSONAL SECURITY CHECKLIST
> This is the shortened version of [The Complete Personal Security Checklist](https://github.com/Lissy93/personal-security-checklist/blob/master/README.md).
It lays out the 20 most essential security + privacy tips, that you should complete to protect your digital life.
> This checklist of privacy and security tips, is a summarized version of [The Complete Personal Security Checklist](https://github.com/Lissy93/personal-security-checklist/blob/master/README.md). It lays out the most essential steps you should take to protect your digital life.
### Authentication
- Use a long, strong and unique password for each of your accounts (see [HowSecureIsMyPassword.net](https://howsecureismypassword.net))
@ -58,15 +56,16 @@ It's important to protect your email account, as if a hacker gains access to it
- Ensure that both your device, and that of your recipient(s) is secure (free from malware, encrypted and has a strong password)
- Disable cloud services, such as web app companion or cloud backup feature, both of which increases attack surface
- Strip meta data from media before sharing, as this can lead to unintentionally revealing more data than you intended
- Verify your recipient is who they claim to be, which can be done cryptographically by using an app that offers contact verification
- Opt for a stable and actively maintained messaging platform, that is backed by reputable developers and have a transparent revenue model or are able to account for where funding has originated from. It should ideally be based in a friendly jurisdiction and have undergone an independent security audit.
- In some situations, it may be appropriate to use an app that supports disappearing messages, and/ or allows for anonymous sign up (without phone number or email address). A [decentralized platform](/5_Privacy_Respecting_Software.md#p2p-messaging) can offer additional security and privacy benefits in some circumstances, as there is no single entity governing it, e.g. [Matrix](https://matrix.org/), [Session](https://getsession.org/), [Tox](https://tox.chat/) or [Briar](https://briarproject.org/)
- Verify your recipient is who they claim to be, either physically or cryptographically by using an app that offers contact verification
- Avoid SMS, but if you must use it then encrypt your messages, e.g. using the [Silence](https://silence.im/) app
- Opt for a stable and actively maintained messaging platform, that is backed by reputable developers and have a transparent revenue model or are able to account for where funding has originated from. It should ideally be based in a friendly jurisdiction and have undergone an independent security audit.
- In some situations, it may be appropriate to use an app that supports disappearing messages, and/ or allows for anonymous sign up (without any PII: phone number, email address etc). A [decentralized platform](/5_Privacy_Respecting_Software.md#p2p-messaging) can offer additional security and privacy benefits in some circumstances, as there is no single entity governing it, e.g. [Matrix](https://matrix.org/), [Session](https://getsession.org/), [Tox](https://tox.chat/) or [Briar](https://briarproject.org/)
### Networking
- Use a reputable VPN to keep your IP protected and reduce the amount of browsing data your ISP can log, but understand their [limitations](5_Privacy_Respecting_Software.md#word-of-warning-4). Good options include [ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net), see [thatoneprivacysite.net](https://thatoneprivacysite.net/) for detailed comparisons
- Change your routers default password. Anyone connected to your WiFi is able to listen to network traffic, so in order to prevent people you don't know from connecting, use WPA2 and set a strong password.
- Update your router settings to use a secure DNS, such as [Cloudflare's 1.1.1.1](https://1.1.1.1/dns/), this should also speed up your internet. If you cannot modify your roters settings, you can set the DNS on your phone (with the [1.1.1.1. app](https://1.1.1.1/)), or [Windows](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/windows/), [Mac](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/mac/) or [Linux](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/linux/). DNS is the system used to resolve URL's to their server addresses, many DNS providers collect data on your browsing habbits and use it to target you with ads or sell it on.
- Use a [secure DNS](/5_Privacy_Respecting_Software.md#dns) provider, (such as [Cloudflare's 1.1.1.1](https://1.1.1.1/dns/) to reduce tracking. Ideally configure this on your router, but if that's not possible, then it can be done on each device.
**📜 See More**: [The Complete Personal Security Checklist](https://github.com/Lissy93/personal-security-checklist/blob/master/README.md)
@ -194,7 +193,7 @@ http://www.linkedin.com/shareArticle?mini=true&url=https://github.com/Lissy93/pe
[//]: # (BROWSER EXTENSION LINKS)
[Privacy Badger]: https://www.eff.org/privacybadger
[HTTPS Everywhere]: https://eff.org/https-everywhere
[uBlock]: https://github.com/gorhill/uBlock
[uBlock Origin]: https://github.com/gorhill/uBlock
[ScriptSafe]: https://github.com/andryou/scriptsafe
[WebRTC Leak Prevent]: https://github.com/aghorler/WebRTC-Leak-Prevent
[Vanilla Cookie Manager]: https://github.com/laktak/vanilla-chrome

54
4_Privacy_And_Security_Links.md
View File

@ -22,7 +22,7 @@
- [Academic](#academic)
- **Organisations**
- [Foundations](#foundations)
- [Government Organisations](#government-organisations)
- [Government and Independant Organisations](#governance)
- **More Lists**
- [Mega Guides](#mega-guides)
- [Other GitHub Security Lists](#more-awesome-github-lists)
@ -43,17 +43,19 @@
- How to resolve DNS leak issue: via [DNSLeakTest](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html)
- Protect against WebRTC Leaks: via [Restore Privacy](https://restoreprivacy.com/webrtc-leaks)
- ISP and DNS privacy tips: via [bluz71](https://bluz71.github.io/2018/06/20/digital-privacy-tips.html)
- Complete guide to configureing Firefox for Privacy + Speed: via [12bytes](https://12bytes.org/7750)
- Beginners guide on getting started with Tor: via [ProPrivacy](https://proprivacy.com/privacy-service/guides/ultimate-tor-browser-guide)
- Beginners guide to I2P: via [The Tin Hat](https://thetinhat.com/tutorials/darknets/i2p.html)
- How to Use a VPN and Tor together: via [ProPrivacy](https://proprivacy.com/vpn/guides/using-vpn-tor-together)
- How to use `__nomap`, to reduce public exposure of SSID: via [ghacks](https://www.ghacks.net/2014/10/29/add-_nomap-to-your-routers-ssid-to-have-it-ignored-by-google-and-mozilla/)
- Detailed guide, outlining up-to-date router configurations for ultimate security: via [RouterSecurity.org](https://routersecurity.org/)
- **Communication**
- Email Self-Defense, Configure your mail client securly, from scratch - via [FSF.org](https://emailselfdefense.fsf.org)
- How to avoid Phishing Attacks: via [EFF](https://ssd.eff.org/en/module/how-avoid-phishing-attacks)
- How to use PGP: Via EFF - [Windows](https://ssd.eff.org/en/module/how-use-pgp-windows), [MacOS](https://ssd.eff.org/en/module/how-use-pgp-mac-os-x) and [Linux](https://ssd.eff.org/en/module/how-use-pgp-linux)
- A Step-by-Step Guide to Generating More Secure GPG Keys: via [spin.atomicobject.com](https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/)
- How to Maintain Anonyimity in BitCoin Transactions: [coinsutra.com](https://coinsutra.com/anonymous-bitcoin-transactions/)
- Beginners Guide to Signal (secure messaging app): via [Freedom of the Press Foundation](https://freedom.press/news/signal-beginners/)
- How to use OTR messaging with Adium (MacOS): via [CalyxiIstitute.org](https://calyxinstitute.org/docs/howto-encrypted-instant-messaging-with-osx-adium-and-otr)
- **Devices**
- How to Enable Encryption on your Devices: via [SpreadPrivacy.com](https://spreadprivacy.com/how-to-encrypt-devices/)
- How to Delete your Data Securely: Via EFF - [Windows](https://ssd.eff.org/en/module/how-delete-your-data-securely-windows), [MacOS](https://ssd.eff.org/en/module/how-delete-your-data-securely-macos) and [Linux](https://ssd.eff.org/en/module/how-delete-your-data-securely-linux)
@ -65,7 +67,10 @@
- Configuring Gboard for better Privacy: via [Ghacks](https://www.ghacks.net/2016/12/21/configure-gboard-privacy-google-keyboard/)
- Settings to update on iPhone, for better privacy: via [lifehacker](https://lifehacker.com/the-privacy-enthusiasts-guide-to-using-an-iphone-1792386831)
- How to check App Permissions (Android, iOS, Mac & Windows): via [Wired](https://www.wired.com/story/how-to-check-app-permissions-ios-android-macos-windows/)
- How to manage Self-Encrypting Drives: via [TechSpot](https://www.techspot.com/guides/869-self-encrypting-drives/)
- **Software**
- Complete guide to configuring Firefox for Privacy + Speed: via [12bytes](https://12bytes.org/7750)
- Firefox Configuration Guide for Beginners: via [12bytes](https://12bytes.org/articles/tech/firefox/the-firefox-privacy-guide-for-dummies)
- How to use Vera Crypt: via [howtogeek](https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt)
- How to use KeePassXC: via [EFF](https://ssd.eff.org/en/module/how-use-keepassxc)
- How to use uMatrix browser addon to block trackers: via [ProPrivacy](https://proprivacy.com/privacy-service/guides/lifehacks-setup-umatrix-beginners)
@ -73,21 +78,23 @@
- How to use DuckDuckGo advanced search features: via [Ghacks](https://www.ghacks.net/2013/03/24/duckduckgo-another-bag-of-tricks-to-get-the-most-out-of-it/)
- How to use Cryptomator (encrypt files on cloud storage): via [It's Foss](https://itsfoss.com/cryptomator/)
- **Physical Security**
- Guide to Living Anonymously, Personal Data Removal and Credit Freeze: via [IntelTechniques.com](https://inteltechniques.com/data/workbook.pdf)
- Hiding from Physical Surveillance: via [Snallabolaget](http://snallabolaget.com/hiding-from-surveillance-how-and-why)
- Guide to opting-out of public data listings and marketing lists: via [World Privacy Forum](https://www.worldprivacyforum.org/2015/08/consumer-tips-top-ten-opt-outs)
- Living Anonymously, Workbook: via [Intel Techniques](https://inteltechniques.com/data/workbook.pdf)
- **Enterprise**
- A basic checklist to harden GDPR compliancy: via [GDPR Checklist](https://gdprchecklist.io)
- **Reference Info**
- A direcory of websites, apps and services supporting 2FA: via [TwoFactorAuth.org](https://twofactorauth.org)
- A directory of direct links to delete your account from web services: via [JustDeleteMe.xyz](https://justdeleteme.xyz)
- Impartial VPN Comparison Data: via [ThatOnePrivacySite](https://thatoneprivacysite.net/#detailed-vpn-comparison)
- Terms of Service; Didn't Read - Vital resource that summarizes and extracts the key details from Privacy Policies/ Terms of Services, aiming to fix the issues caused by blindly agreeing to these Terms: via [tosdr.org](https://tosdr.org/)
- Free, open-source and privacy-respecting alternatives to popular software: via [Switching.Software](https://switching.software/)
- Product reviews from a privacy perspective, by Mozilla: via [Privacy Not Included](https://foundation.mozilla.org/en/privacynotincluded)
- Surveillance Catalogue - Database of secret government surveillance equipment, Snowden: via [The Intercept](https://theintercept.com/surveillance-catalogue)
- See also: The source code, on WikiLeaks [Vault7](https://wikileaks.org/vault7) and [Vault8](https://wikileaks.org/vault8), and the accompanying [press release](https://wikileaks.org/ciav7p1)
- Who Has Your Back? - Which companies hand over your comply with Government Data Requests 2019: via [EFF](https://www.eff.org/wp/who-has-your-back-2019)
- Open project to rate, annotate, and archive privacy policies: via [PrivacySpy.org](https://privacyspy.org)
- Check who your local and government representatives in your local area are [WhoAreMyRepresentatives.org](https://whoaremyrepresentatives.org)
- Impartial VPN Comparison Data: via [ThatOnePrivacySite](https://thatoneprivacysite.net/#detailed-vpn-comparison)
- Open project to rate, annotate, and archive privacy policies: via [PrivacySpy.org](https://privacyspy.org)
- Hosts to block: via [someonewhocares/ hosts](https://someonewhocares.org/hosts) / [StevenBlack/ hosts](https://github.com/StevenBlack/hosts)
- Magic Numbers - Up-to-date file signature table, to identify / verify files have not been tampered with: via [GaryKessler](https://www.garykessler.net/library/file_sigs.html)
- List of IP ranges per country: via [Nirsoft](https://www.nirsoft.net/countryip)
@ -116,6 +123,7 @@
- How a highly targeted ad can track your precise movements: via [Wired](https://www.wired.com/story/track-location-with-mobile-ads-1000-dollars-study/)
- Based on the paper, Using Ad Targeting for Surveillance on a Budget: via [Washington.edu](https://adint.cs.washington.edu/ADINT.pdf)
- Law Enforcement Geo-Fence Data Requests- How an Innocent cyclist became a suspect when cops accessed his Google location data: via [Daily Mail](https://www.dailymail.co.uk/news/article-8086095/Police-issue-warrant-innocent-mans-Google-information.html)
- IBM Used NYPD Surveillance Footage to Develop Technology That Lets Police Search by Skin Color: via [TheIntercept](https://theintercept.com/2018/09/06/nypd-surveillance-camera-skin-tone-search/)
- **Threats**
- 23 reasons not to reveal your DNA: via [Internet Health Report](https://internethealthreport.org/2019/23-reasons-not-to-reveal-your-dna)
- Security of Third-Party Keyboard Apps on Mobile Devices: via [Lenny Zelster](https://zeltser.com/third-party-keyboards-security)
@ -135,6 +143,13 @@
- Truecaller Data Breach 47.5 Million Indian Truecaller Records On Sale: via [GBHackers](https://gbhackers.com/truecaller-data-breach/)
- Hundreds of millions of Facebook user records were exposed on Amazon cloud server: via [CBS News](https://www.cbsnews.com/news/millions-facebook-user-records-exposed-amazon-cloud-server/)
- Microsoft data breach exposes 250 million customer support records: via [Graham Cluley](https://www.grahamcluley.com/microsoft-data-breach/)
- **Data Collection**
- Ring Doorbell App Packed with Third-Party Trackers: via [EFF](https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers)
- How websites can see your full personal details, from your phone contract info: via [Medium/@philipn](https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024)
- Facebook and Americas largest companies give worker data to Equifax: via [FastCompany](https://www.fastcompany.com/40485634/equifax-salary-data-and-the-work-number-database)
- Exfiltration of personal data by session-replay scripts: via [Freedom-to-Tinker](https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/)
- Apple's iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests: via [BleepingComputer](https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-hover-in-your-terminal-via-dns-requests/)
- Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking: via [propublica.org](https://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking)
## Blogs
@ -146,6 +161,7 @@
- [The Last Watch Dog](https://www.lastwatchdog.com/) - Privacy and Security articles, opinion and media by Byron Acohido
- [Daniel Miessler](https://danielmiessler.com/) - Summaries recent news and events, and focuses on security, technology and people. [RSS](https://danielmiessler.com/feed/)
- [Errata Security](https://blog.erratasec.com/) - Covers latest interesting news, and explains concepts clearly. By Robert Graham and David Maynor. [RSS](https://blog.erratasec.com/feeds/posts/default?alt=rss)
- [Underground Tradecraft](https://gru.gq/blog-feed/) - Counterintelligence, OPSEC and Tradecraft for everyone
- **Cyber Security News**
- [Dark Reading](https://www.darkreading.com/) - Well-known cyber security news site, with articles on a range of topics, ranging from data breaches, IoT, cloud security and threat intelligence. [RSS](https://www.darkreading.com/rss_simple.asp)
- [Threat Post](https://threatpost.com/) - News and Articles Cloud Security, Malware, Vulnerabilities, Waterfall Security and Podcasts. [RSS](https://threatpost.com/feed/)
@ -281,6 +297,7 @@ More Security Podcasts on [player.fm](https://player.fm/featured/security)
- [The Power of Privacy](https://youtu.be/KGX-c5BJNFk) by The Guardian
- [Why Privacy matters, even if you have nothing to hide](https://youtu.be/Hjspu7QV7O0) by The Hated One
- [The Unhackable Email Service](https://youtu.be/NM8fAnEqs1Q) by Freethink
- [NSA Whistleblower: Government Collecting Everything You Do](https://youtu.be/SjHs-E2e2V4) by Empire Files
- **Cryptography**
- [Advanced Into to GnuPGP](https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html) by Neal Walfield ([walfield.org](http://walfield.org/))
- **TED Talks**
@ -299,6 +316,7 @@ More Security Podcasts on [player.fm](https://player.fm/featured/security)
- [Administraitor.video](https://administraitor.video) - A regularly updated collection of new and interesting security confrence talks
- **Misc**
- [Through a PRISM, Darkly](https://youtu.be/e4woRYs0mM4) - Everything we know about NSA spying, by Kurt Opsahl
- [What it REALLY takes to have True Privacy in the 21st Cen](https://youtu.be/bxQSu06yuZc) by @MalcomVetter
See also: [awesome-sec-talks](https://github.com/PaulSec/awesome-sec-talks) by @PaulSec
@ -375,9 +393,12 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [Web Tracking Data](https://webtransparency.cs.princeton.edu/webcensus/#data) by Princeton University - This is the largest and most detailed analysis of online tracking to date, and measures both stateful (cookie-based) and stateless (fingerprinting-based) tracking. The crawls were made with [OpenWPM](https://github.com/mozilla/OpenWPM)
- [Who has your Back?](https://www.eff.org/files/2019/06/11/whyb_2019_report.pdf) by EFF - Anual report assessing how companies handle personal data
- Historic Reports: [2012](https://www.eff.org/files/who-has-your-back-2012_0.pdf) | [2013](https://www.eff.org/sites/default/files/who-has-your-back-2013-report-20130513.pdf) | [2014](https://www.eff.org/files/2014/05/15/who-has-your-back-2014-govt-data-requests.pdf) | [2015](https://www.eff.org/files/2015/06/18/who_has_your_back_2015_protecting_your_data_from_government_requests_20150618.pdf) | [2016](https://www.eff.org/files/2016/05/04/who-has-your-back-2016.pdf) | [2017](https://www.eff.org/files/2017/07/08/whohasyourback_2017.pdf) | [2018](https://www.eff.org/files/2018/05/31/whyb_2018_report.pdf) | [2019](https://www.eff.org/files/2019/06/11/whyb_2019_report.pdf)
- [Lists of Websites Abusing Session Replay](https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html) - Third-party sesssion replay scripts, record all your acions and allow them to be watched by a human. This list of websites include this
- See also, the accompaniing [blog post](https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/) and the [WebTAP](https://webtap.princeton.edu/) project
- [Sensor Access Data](https://databank.illinois.edu/datasets/IDB-9213932) - A Crawl of the Mobile Web Measuring Sensor Accesses, Illinois
- [Canalys Newsroom](https://www.canalys.com/newsroom) - Research Studies on Security, Privacy, Technology and Finance
- [Data Never Sleeps](https://web-assets.domo.com/blog/wp-content/uploads/2019/07/data-never-sleeps-7-896kb.jpg) - An infographic visualizing how much data is generated every minute (2019)
- [What they Know about You](https://external-preview.redd.it/KU3pS4LIhLWqeYSluiYyJMhLQW1fEjTdh8lEKL2jafc.png?auto=webp&s=fe015c1e32731bc61cd0d57313f5a261173846ca) - An Infographic showing what information are Giant Tech Companies collecting from you (2020)
- **Databases**
- [Exodus](https://reports.exodus-privacy.eu.org/en/trackers/stats) - Trackers in Android Apps
- [Exploit Database](https://www.exploit-db.com) - A database or Current software vulnerabilities
@ -407,6 +428,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [FlightRadar24](https://www.flightradar24.com) - World-wide map of live aircraft positions
- [Airport WiFi Map](https://www.google.com/maps/d/u/0/viewer?mid=1Z1dI8hoBZSJNWFx2xr_MMxSxSxY) - Shows WiFi networks and their passwords for airports around the world
- [Stuff in Space](http://stuffin.space) - Shows objects orbiting Earth
- [Grid Watch](https://www.gridwatch.templar.co.uk/) - Realtime energy ussage and demand
- [Wiggle](https://wigle.net) - Worlds largest WiFi Map showing personal hotspot statistics geographically
- **Threat Maps** - Real-time hack attempts (malware, phishing, exploit and spam), visualised geographically
- [Checkpoint](https://threatmap.checkpoint.com)
@ -441,6 +463,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- Characterizing the Use of Browser-Based Blocking Extensions To Prevent Online Tracking: via [aruneshmathur.co.in](http://aruneshmathur.co.in/files/publications/SOUPS18_Tracking.pdf)
- Privacy implications of email tracking: via [senglehardt.com](https://senglehardt.com/papers/pets18_email_tracking.pdf)
- Battery Status Not Included, Assessing Privacy in Web Standards: via [princeton.edu](https://www.cs.princeton.edu/~arvindn/publications/battery-status-case-study.pdf)
- Achieving Anonymity Against Major Face Recognition Algorithms: via [ruhr-uni-bochum.de](https://www.mobsec.ruhr-uni-bochum.de/media/ei/veroeffentlichungen/2016/01/15/2013-cms-face-recognition.pdf)
- De-anonymizing Web Browsing Data with Social Networks: via [princeton.edu](https://www.cs.princeton.edu/~arvindn/publications/browsing-history-deanonymization.pdf)
- The Surveillance Implications of Web Tracking: via [senglehardt.com](https://senglehardt.com/papers/www15_cookie_surveil.pdf)
- Understanding Facebook Connect login permissions: via [jbonneau.com](http://jbonneau.com/doc/RB14-fb_permissions.pdf)
@ -448,7 +471,11 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- Using Ad Targeting for Surveillance on a Budget: via [washington.edu](https://adint.cs.washington.edu/ADINT.pdf)
- Cross-Site WebSocket Hijacking: via [christian-schneider.net](http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html)
- Location Tracking using Mobile Device Power Analysis: [scribd.com](https://www.scribd.com/doc/256304846/PowerSpy-Location-Tracking-using-Mobile-Device-Power-Analysis)
- HORNET, High-speed Onion Routing at the Network Layer: via [arxiv.org](https://arxiv.org/pdf/1507.05724v1.pdf)
- Decoy Routing: Toward Unblockable Internet Communication: via [usenix.org](https://www.usenix.org/legacy/events/foci11/tech/final_files/Karlin.pdf)
- Trackers Vs Firefox, Comparing different blocking utilities: via [GitHub- @jawz101](https://github.com/jawz101/TrackersVsFirefox)
- 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy: via [ssrn.com](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
- **Implementations and Standards**
- [The GNU Privacy Guard](https://www.gnupg.org)
@ -456,6 +483,8 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [WireGuard](https://www.wireguard.com/papers/wireguard.pdf)
- [Nym](https://as93.link/nym-blog-post) - Next Generation of Privacy infrastructure
- [REC-X.509](https://www.itu.int/rec/T-REC-X.509) - The standard defining the format of public key certificates, used across most internet protocols and applications
- [obfs4-spec](https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt) & [obfs3-protocol-spec](https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt) - The Tor obfourscator and Pluggable transport for obfuscated traffic
@ -478,24 +507,30 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [Electronic Privacy Information Center](https://epic.org)
- [American Civil Liberties Union](https://www.aclu.org/issues/privacy-technology)
- [Free Software Foundation](https://www.fsf.org)
- [Calyx Institute](https://calyxinstitute.org/) - Brooklyn-based organisation, aiming to educate the public about privacy in digital communications
- [Courage Foundation](https://www.couragefound.org) - Supports those who risk life / liberty to make significant contributions to the historical record
- [Fight for the Future](https://www.fightforthefuture.org) - Fighting for a future where technology liberates
- [Public Citizen](https://www.citizen.org) - Standing up to corporate power and hold the government accountable
- [The DNS Privacy Project](https://dnsprivacy.org/wiki/display/DP) - Collaborative open project to promote, implement and deploy DNS Privacy
## Government Organisations
## Governance
- **Citizen/ Small business Advice and Infrormation**
- [UK National Cyber Security Center](https://www.ncsc.gov.uk)
- [US Cybersecurity - NIST](https://www.nist.gov/topics/cybersecurity)
- [Stay Safe Online](https://staysafeonline.org) - US government-backed project, aimed to inform and educate individuals and small businesses about basic digital security
- [Annual Credit Report](https://www.annualcreditreport.com) - US Free Credit Reports
- **Cybercrime**
- [Consumer Fraud Reporting](http://consumerfraudreporting.org) - US's Catalogue of online scams currently circulating, and a means to report cases
- [Action Fraud](https://www.actionfraud.police.uk) - UKs national reporting centre for fraud and cyber crime
- [Crime Stoppers](https://crimestoppers-uk.org/) - UK Independent Charity, for reporting crimes anonymously
- **Fact Checkling**
- [Full Fact](https://fullfact.org) - UK independent fact checking charity, campaigning to expose bad information, and the harm it does
- [Snopes](https://www.snopes.com/) - Transparent fact checking service, with documented sources. Their investigative reporting uses evidence-based and contextualized analysis
- [FactCheck.org](https://www.factcheck.org/fake-news/) - US Site debunking misinformation shared on social media
- [Media Bias Fact Check](https://mediabiasfactcheck.com/) - Focusing on media bias, and comparing different view points on each story from over 3000 sources
- [AP Fact Check](https://apnews.com/APFactCheck) - Fact checking service provided by AP News
- **CERT** - Your local jurisdiction will likely have a Computer emergency response team (historically known as [CERT](https://online.norwich.edu/academic-programs/resources/how-computer-emergency-response-teams-and-computer-security-incident-response-teams-combat-cyber-threats)). Who is in charge of handline handles domestic and international computer security incidents.
- **A-C** - Australia: [auscert.org.au](https://www.auscert.org.au) | Austria: [cert.at](https://www.cert.at) | Bangladesh: [cirt.gov.bd](https://www.cirt.gov.bd) | Bolivia: [cgii.gob.bo](https://cgii.gob.bo) | Brazil: [cert.br](https://www.cert.br) | Canada: [cyber.gc.ca](https://cyber.gc.ca/en/about-cyber-centre) | China: [cert.org.cn](https://www.cert.org.cn) | Columbia: [colcert.gov.co](http://www.colcert.gov.co) | Croatia: [carnet.hr](https://www.carnet.hr) | Czech Republic: [csirt.cz](https://csirt.cz)
- **D-G** - Denmark: [cert.dk](https://www.cert.dk) | Ecuador: [ecucert.gob.ec](https://www.ecucert.gob.ec) | Egypt: [egcert.eg](https://www.egcert.eg) | Estonia: [ria.ee / CERT-EE](https://ria.ee/en/cyber-security/cert-ee.html) | Finland: [kyberturvallisuuskeskus.fi](https://www.kyberturvallisuuskeskus.fi/en/homepage) | France: [cert.ssi.gouv.fr](https://www.cert.ssi.gouv.fr) | Germany: [cert-bund.de](https://www.cert-bund.de) | Ghana: [nca-cert.org.gh](https://nca-cert.org.gh)
@ -530,8 +565,10 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [privacy-respecting-software](https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md) by @lissy93
- **Guides**
- [MacOS-Security-and-Privacy-Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide) by @drduh
- [YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) by @drduh
- [Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide) by @drduh
- [personal-security-checklist](https://github.com/Lissy93/personal-security-checklist) by @lissy93
- **Security (Hacking / Pen Testing / Threat Inteligence / CFTs)**
- **Security Links (Hacking / Pen Testing / Threat Inteligence / CFTs)**
- [Security_list](https://github.com/zbetcheckin/Security_list) by @zbetcheckin
- [awesome-security](https://github.com/sbilly/awesome-security) by @sbilly
- [awesome-sec-talks](https://github.com/PaulSec/awesome-sec-talks) by @PaulSec
@ -547,6 +584,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [awesome-ctf](https://github.com/apsdehal/awesome-ctf) by @apsdehal
- [awesome-osint](https://github.com/jivoi/awesome-osint) by @jivoi
- [SecLists](https://github.com/danielmiessler/SecLists) by @danielmiessler
- [Infosec_Reference](https://github.com/rmusser01/Infosec_Reference) by @rmusser01
- **Misc**
- [awesome-crypto-papers](https://github.com/pFarb/awesome-crypto-papers) by @pFarb
- **Awesome Lists of Awesome Lists**

212
5_Privacy_Respecting_Software.md
View File

@ -21,16 +21,19 @@ corporations, governments, and hackers from logging, storing or selling your per
### Categories
- **Basics**
- **Essentials**
- [Password Managers](#password-managers)
- [2-Factor Authentication](#2-factor-authentication)
- [File Encryption](#file-encryption)
- [Private Browsers](#browsers)
- [Non-Tracking Search Engines](#search-engines)
- **Communication**
- [Encrypted Messaging](#encrypted-messaging)
- [P2P Messaging](#p2p-messaging)
- [Encrypted Email](#encrypted-email)
- [Email Clients](#email-clients)
- [Anonymous Mail Forwarding](#anonymous-mail-forwarding)
- [Private Browsers](#browsers)
- [Non-Tracking Search Engines](#search-engines)
- [Email Security Tools](#email-security-tools)
- **Security Tools**
- [Browser Extensions](#browser-extensions)
- [Mobile Apps](#mobile-apps)
@ -41,6 +44,7 @@ corporations, governments, and hackers from logging, storing or selling your per
- [Mix Networks](#mix-networks)
- [Proxies](#proxies)
- [DNS Providers](#dns)
- [DNS Clients](#dns-clients)
- [Firewalls](#firewalls)
- [Ad Blockers](#ad-blockers)
- [Host Block Lists](#host-block-lists)
@ -67,6 +71,7 @@ corporations, governments, and hackers from logging, storing or selling your per
- [Video Platforms](#video-platforms)
- [Blogging Platforms](#blogging-platforms)
- [News Readers](#news-readers-and-aggregation)
- [Proxy Sites](#proxy-sites)
- **Operating Systems**
- [Mobile Operating Systems](#mobile-operating-systems)
- [Desktop Operating Systems](#desktop-operating-systems)
@ -110,9 +115,13 @@ corporations, governments, and hackers from logging, storing or selling your per
#### Notable Mentions
**[Password Safe](https://www.pwsafe.org/)** is an offline, open source password manager designed by [Bruce Schneiser](https://www.schneier.com/academic/passsafe/), with native applications for Windows, Linux, MacOS, Android and iOS, and support for YubiKey. The UI is a little dated, and there is no official browser extension, making is slightly less convenient to use compared with other options
**[PassBolt](https://www.passbolt.com/)** is a good option for teams. It is free, open source, self-hosted, extensible and OpenPGP based. It is specifically good for development and DevOps ussage, with integrations for the terminal, browser and chat, and can be easily extended for custom usage, and deployed quickly with Docker
**[1Password](https://1password.com)** (proprietary) is a fully-featured cross-platform password manager with sync. Free for self-hosted data (or $3/ month hosted). Be aware that 1Password is not fully open source, but they do regularly publish results of their indepentand security [audits](https://support.1password.com/security-assessments), and they have a solid reputation for transparently disclosing and fixing vulnerabilities
**Other Open Source PM**: [Passbolt](https://www.passbolt.com), [Buttercup](https://buttercup.pw), [Firefox Loxkwise](https://www.mozilla.org/en-US/firefox/lockwise), [Clipperz](https://clipperz.is), [Password Safe](https://pwsafe.org), [Pass](https://www.passwordstore.org), [Encryptr](https://spideroak.com/encryptr), [Padloc](https://padloc.app), [TeamPass](https://teampass.net), [PSONO](https://psono.com), [UPM](http://upm.sourceforge.net), [Gorilla](https://github.com/zdia/gorilla/wiki), [Pass](https://www.passwordstore.org) (UNIX), [Seahorse](https://gitlab.gnome.org/GNOME/seahorse) (for GNOME), [GNOME Keyring](https://wiki.gnome.org/Projects/GnomeKeyring), [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager).
**Other Open Source PM**: [Buttercup](https://buttercup.pw), [Firefox Loxkwise](https://www.mozilla.org/en-US/firefox/lockwise), [Clipperz](https://clipperz.is), [Pass](https://www.passwordstore.org), [Encryptr](https://spideroak.com/encryptr), [Padloc](https://padloc.app), [TeamPass](https://teampass.net), [PSONO](https://psono.com), [UPM](http://upm.sourceforge.net), [Gorilla](https://github.com/zdia/gorilla/wiki), [Pass](https://www.passwordstore.org) (UNIX), [Seahorse](https://gitlab.gnome.org/GNOME/seahorse) (for GNOME), [GNOME Keyring](https://wiki.gnome.org/Projects/GnomeKeyring), [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager).
If you are using a deprecated PM, you should migrate to something actively maintained. This includes: [Mitro](https://www.mitro.co), [Rattic](https://spideroak.com/encryptr), [JPasswords](http://jpws.sourceforge.net/jpasswords.html), [Passopolis](https://passopolis.com), [KYPS](https://en.wikipedia.org/wiki/KYPS), [Factotum](http://man.9front.org/4/factotum).
@ -136,7 +145,7 @@ If you are using a deprecated PM, you should migrate to something actively maint
For KeePass users, [TrayTop](https://keepass.info/plugins.html#traytotp) is a plugin for managing TOTP's- offline and compatible with Windows, Mac and Linux.
[Authy](https://authy.com/) (propriety) is a popular option among new users, due to it's ease of use and device sync capabilities, however it is not open source, and therefore can not recommended.
[Authy](https://authy.com/) (propriety) is a popular option among new users, due to it's ease of use and device sync capabilities. Cloud sync may be useful, but will also increase attack surface. Authy is not open source, and therefore can not recommended
**See also** [2FA Security Checklist](/README.md#2-factor-authentication)
@ -157,6 +166,40 @@ data. With PGP, you can encrypt, decrypt, sign and verify files and folders: see
If you need to create a compressed archive, prior to encrypting your files, then [PeaZip](https://www.peazip.org/) is a great little cross-platform open source file archiver utility. It allows you to create, open, and extract RAR TAR ZIP archives.
## Browsers
| Provider | Description |
| --- | --- |
**[Brave Browser](https://brave.com/?ref=ali721)** | Brave Browser, currently one of the most popular private browsers- it provides speed, security, and privacy by blocking trackers with a clean, yet fully-featured UI. It also pays you in [BAT tokens](https://basicattentiontoken.org/) for using it. Brave also has Tor built-in, when you open up a private tab/ window.
**[FireFox](https://www.mozilla.org/firefox)** | Significantly more private, and offers some nifty privacy features than Chrome, Internet Explorer and Safari. After installing, there are a couple of small tweaks you will need to make, in order to secure Firefox. You can follow one of these guides by: [Restore Privacy](https://restoreprivacy.com/firefox-privacy/), [Security Gladiators](https://securitygladiators.com/firefox-privacy-tips/) or [12Bytes](https://12bytes.org/7750)
**[Tor Browser](https://www.torproject.org/)** | Tor provides an extra layer of anonymity, by encrypting each of your requests, then routing it through several nodes, making it near-impossible for you to be tracked by your ISP/ provider. It does make every-day browsing a little slower, and some sites may not work correctly. As with everything there are [trade-offs](https://github.com/Lissy93/personal-security-checklist/issues/19)
#### Notable Mentions
Mobile Browsers: [Bromite](https://www.bromite.org/) (Android), [Firefox Focus](https://support.mozilla.org/en-US/kb/focus) (Android/ iOS), [DuckDuckGo Browser](https://help.duckduckgo.com/duckduckgo-help-pages/mobile/ios/) (Android/ iOS), [Orbot](https://guardianproject.info/apps/orbot/) + [Tor](https://www.torproject.org/download/#android) (Android), [Onion Browser](https://onionbrowser.com/) (iOS),
Additional Desktop: [WaterFox](https://www.waterfox.net), [Epic Privacy Browser](https://www.epicbrowser.com), [PaleMoon](https://www.palemoon.org), [Iridium](https://iridiumbrowser.de/) and [Sea Monkey](https://www.seamonkey-project.org/).
#### Word of Warning
New vulnerabilities are being discovered and patched all the time - use a browser that is being actively maintained, in order to receive these security-critical updates
**See also** [Browser & Search Security Checklist](/README.md#browser-and-search) and recommended [Browser Extensions](#browser-extensions) for privacy & security.
## Search Engines
Google frequently modifies and manipulates search, and is in pursuit of eliminating competition and promoting their own services above others. They also track, collect, use and sell detailed user search and meta data.
| Provider | Description |
| --- | --- |
**[DuckDuckGo](https://duckduckgo.com/)** | DuckDuckGo is a very user-friendly, fast and secure search engine. It's totally private, with no trackers, cookies or ads. It's also highly customisable, with dark-mode, many languages and features. They even have a [.onion](https://3g2upl4pq6kufc4m.onion) URL, for use with Tor and a [no Javascript version](https://duckduckgo.com/html/)
**[Qwant](https://www.qwant.com/)** | French service that aggregates Bings results, with it's own results. Quant doesn't plant any cookies, nor have any trackers or third-party advertising. It returns non-biased search results, with no promotions. Quant has a unique, but nice UI.
**[Startpage](https://www.startpage.com/)** | Dutch search engine that searches on google and shows the results (slightly rearranged). It has several configurations that improve privacy during use (it is not open source)
#### Notable Mentions
[MetaGear](https://metager.org), [YaCy](https://yacy.net). Alternativley, host your own instance of [Searx](https://asciimoo.github.io/searx/)
**See also** [Browser & Search Security Checklist](/README.md#browser-and-search)
## Encrypted Messaging
Without using a secure app for instant messaging, all your conversations, meta data and more are unprotected. Signal is one of the best options- it's easy, yet also highly secure and privacy-centric.
@ -168,7 +211,7 @@ Without using a secure app for instant messaging, all your conversations, meta d
**[Silence](https://silence.im/)** | If you're restricted to only sending SMS/MMS, then Silence makes it easy to encrypt messages between 2 devices. This is important since traditional text messaging is inherently insecure. It's easy-to-use, reliable and secure- but has fallen in popularity, now that internet-based messaging is often faster and more flexible
**[KeyBase](keybase.io/inv/6d7deedbc1)** | KeyBase allows encrypted real-time chat, group chats, and public and private file sharing. It also lets you cryptographically sign messages, and prove your ownership to other social identities (Twitter, Reddit, GitHub, etc), and send or receive Stella or BitCoin to other users. It's slightly more complex to use than Signal, but it's features extend much further than just a messaging app. Keybase core is built upon some great cryptography features, and it is an excellant choice for managing public keys, signing messages and for group chats.
**[Off-The-Record](https://otr.cypherpunks.ca/)** | Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging/ [XMPP](https://xmpp.org). It has fallen in popularity in recent years, in favor for simpler, mobile-based messaging apps, but still widely used and secure. It provides: Encryption (so no one else can read your messages), Authentication (assurance that the correspondent is who you think they are), Deniability (After a conversation, it cannot be proved you took part), Perfect Forwards Secrecy (if your keys are compromised, no previous messages can be decrypted). The easiest way to use OTR, is with a [plugin](https://otr.cypherpunks.ca/software.php) for your IM client
**[OpenPGP](https://www.openpgp.org/)** | Provides cryptographic privacy and authentication, PGP is used to encrypt messages sent over existing chat networks (such as email or message boards). Slightly harder to use (than IM apps), slower, but still widely used. Using [GnuPG](https://gnupg.org/download/index.html), encrypts messages following the OpenPGP standard, defined by the IETF, proposed in [RFC 4880](https://tools.ietf.org/html/rfc4880) (originally derived from the PGP software, created by Phil Zimmermann, now owned by [Symantec](https://www.symantec.com/products/encryption)). **Note** there have been vulnerabilities found in the OpenPGP and S/MIME, defined in [EFAIL](https://efail.de/), so although it still considered secure for general purpose use, it may be better to use an encrypted messaging or email app instead- especially for sensitive communications.
**[OpenPGP](https://www.openpgp.org/)** | Provides cryptographic privacy and authentication, PGP is used to encrypt messages sent over existing chat networks (such as email or message boards). Slightly harder to use (than IM apps), slower, but still widely used. Using [GnuPG](https://gnupg.org/download/index.html), encrypts messages following the OpenPGP standard, defined by the IETF, proposed in [RFC 4880](https://tools.ietf.org/html/rfc4880) (originally derived from the PGP software, created by Phil Zimmermann, now owned by [Symantec](https://www.symantec.com/products/encryption)). <br>**Note/ Issues with PGP** PGP is [not easy](https://restoreprivacy.com/let-pgp-die/) to use for beginners, and could lead to human error/ mistakes being made, which would be overall much worse than if an alternate, simpler system was used. Do not use [32-bit key IDs](https://evil32.com/) - they are too short to be secure. There have also been vulnerabilities found in the OpenPGP and S/MIME, defined in [EFAIL](https://efail.de/), so although it still considered secure for general purpose use, it may be better to use an encrypted messaging or email app instead- especially for sensitive communications.
#### Other Notable Mentions
Other private, encrypted and open source messaging apps include: [Surespot](https://www.surespot.me), [Chat Secure](https://chatsecure.org/) (iOS only) and [Status](https://status.im/). Note that [Tor Messenger](https://blog.torproject.org/category/tags/tor-messenger)s been removed from the list, since development has halted.
@ -202,37 +245,46 @@ The below email providers are private, end-to-end encrypted (E2EE) and reasonabl
| Provider | Description |
| --- | --- |
**[ProtonMail](https://protonmail.com/)** | An open-source, end-to-end encrypted anonymous email service. ProtonMail has a modern easy-to-use and customizable UI, as well as fast, secure native mobile apps. ProtonMail has all the features that you'd expect from a modern email service and is based on simplicity without sacrificing security. It has a free plan or a premium option for using custom domains. ProtonMail requires no personally identifiable information for signup, they have a [.onion](https://protonirockerxow.onion) server, for access via Tor, and they accept anonymous payment: BTC and cash (as well as the normal credit card and PayPal).
**[ProtonMail](https://protonmail.com/)** | An open-source, end-to-end encrypted anonymous email service. ProtonMail has a modern easy-to-use and customizable UI, as well as fast, secure native mobile apps. ProtonMail has all the features that you'd expect from a modern email service and is based on simplicity without sacrificing security. It has a free plan or a premium option for using custom domains (starting at $5/mongh). ProtonMail requires no personally identifiable information for signup, they have a [.onion](https://protonirockerxow.onion) server, for access via Tor, and they accept anonymous payment: BTC and cash (as well as the normal credit card and PayPal).
**[Tutanota](https://tutanota.com/)** | Free and open source email service based in Germany. It has a basic intuitive UI, secure native mobile apps, anonymous signup, and a .onion site. Tutonota has a full-featured free plan or a premium subscription for businesses allowing for custom domains ($12/ month).<br>Tutanota [does not use OpenPGP](https://tutanota.com/blog/posts/differences-email-encryption/) like most encrypted mail providers, instead they use a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm (with 128 bit AES, and 2048 bit RSA). This causes compatibility issues when communicating with contacts using PGP. But it does allow them to encrypt much more of the header data (body, attachments, subject lines, and sender names etc) which PGP mail providers cannot do
**[Mailfence](https://mailfence.com?src=digitald)** | Mailfence supports OpenPGP so that you can manually exchange encryption keys independently from the Mailfence servers, putting you in full control. Mailfence has a simple UI, similar to that of Outlook, and it comes with bundled with calendar, address book, and files. All mail settings are highly customizable, yet still clear and easy to use. Sign up is not anonymous, since your name, and prior email address is required. There is a fully-featured free plan, or you can pay for premium, and use a custom domain ($2.50/ month, or $7.50/ month for 5 domains), where BitCoin, LiteCoin or credit card is accepted.
**[Mailfence](https://mailfence.com?src=digitald)** | Mailfence supports OpenPGP so that you can manually exchange encryption keys independently from the Mailfence servers, putting you in full control. Mailfence has a simple UI, similar to that of Outlook, and it comes with bundled with calendar, address book, and files. All mail settings are highly customizable, yet still clear and easy to use. Sign up is not anonymous, since your name, and prior email address is required. There is a fully-featured free plan, or you can pay for premium, and use a custom domain ($2.50/ month, or $7.50/ month for 5 domains), where BitCoin, LiteCoin or credit card is accepted
**[MailBox.org](https://mailbox.org/)** | A Berlin-based, eco-friendly secure mail provider. There is no free plan, the standard service costs €12/year. You can use your own domain, with the option of a [catch-all alias](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). They provide good account security and email encryption, with OpenPGP, as well as encrypted storage. There is no dedicated app, but it works well with any standard mail client with SSL. There's also currently no anonymous payment option
See [OpenTechFund- Secure Email](https://github.com/OpenTechFund/secure-email) for more details.
**See also** [Email Security Checklist](/README.md#emails)
#### Other Notable Mentions
[HushMail](https://www.hushmail.com/tapfiliate/?tap_a=44784-d2adc0&tap_s=724845-260ce4&program=hushmail-for-small-business), [StartMail](https://www.startmail.com), [Posteo](https://posteo.de), [Lavabit](https://lavabit.com). For activists and journalists, see [Disroot](https://disroot.org/en), [Autistici](https://www.autistici.org) and [RiseUp](https://riseup.net/en)
[HushMail](https://www.hushmail.com/tapfiliate/?tap_a=44784-d2adc0&tap_s=724845-260ce4&program=hushmail-for-small-business), [Soverin](https://soverin.net), [StartMail](https://www.startmail.com), [Posteo](https://posteo.de), [Lavabit](https://lavabit.com). For activists and journalists, see [Disroot](https://disroot.org/en), [Autistici](https://www.autistici.org) and [RiseUp](https://riseup.net/en)
**Beta Mail Providers**
- **[CTemplar](https://ctemplar.com/)** - Swiss provider specializing in private & secure mail, with total 4096 bit RSA encryption, anonymous sign up, and full legal protection. Due to it still being in beta, the apps are still a little buggy
- **[CriptText](https://www.criptext.com/)** - CriptText is another option- it's encrypted, free and open source, but works a little differently from convectional mail. There is no cloud storage, and all email is instead stored on your devices. This greatly improves security- however you must be signed into the app (either on desktop or mobile) in order to receive mail. If you are not signed in, then mail sent to you will be permanently lost. For mobile users, your device can be offline or in airplane mode for up to 30 days before mail becomes discarded. The client apps are very good, email is synced seamless between devices, and you can enable automated and encrypted backups. Since your email is stored on your device, they are able to work offline- due to this, there is no web client. Encryption is done with the [Signal protocol](https://en.wikipedia.org/wiki/Signal_Protocol) (rather than PGP), and there are a bunch of really neat features that you can use while communicating to other Criptext users.
Criptext is still in beta, but with an extremely smooth user experience, and no noticeable usability bugs.
### Word of Warning
- When using an end-to-end encryption technology like OpenPGP, some metadata in the email header will not be encrypted.
- OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. You should take great care to keep your private keys safe.
### Self-Hosted Email
If you do not want to trust an email provider with your messages, you can host your own mail server. Without experience, this can be notoriously hard to correctly configure, especially when it comes to security. You may also find that cost, performance and features make it a less attractive option. If you do decide to go down this route, [Mail-in-a-box](https://mailinabox.email/), is an easy to deploy, open source mail server. It aims to promote decentralization, innovation, and privacy on the web, as well as have automated, auditable, and idempotent system configuration. Other ready-to-go self-hosted mail options include [Mailu](https://mailu.io/1.7/) and [Mail Cow](https://mailcow.email/), both of which are docker containers.
### Mail Clients
Email clients are the programs used to interact with the mail server. For hosted email, then the web and mobile clients provided by your email service are usually adequate, and may be the most secure option. For self-hosted email, you will need to install and configure mail clients for web, desktop or mobile. A benefit of using an IMAP client, is that you will always have an offline backup of all email messages (which can then be encrypted and archived), and many applications let you aggregate multiple mailboxes for convenience.
## Email Clients
Email clients are the programs used to interact with the mail server. For hosted email, then the web and mobile clients provided by your email service are usually adequate, and may be the most secure option. For self-hosted email, you will need to install and configure mail clients for web, desktop or mobile. A benefit of using an IMAP client, is that you will always have an offline backup of all email messages (which can then be encrypted and archived), and many applications let you aggregate multiple mailboxes for convenience. Desktop mail clients are not vulnerable to the common browser attacks, that their web app counterparts are.
- **Desktop** - [Mozilla Thunderbird](https://www.thunderbird.net) is an open source, long-standing and secure desktop email client by Mozilla, for Windows, macOS, and Linux. If you are using ProtonMail, then you can use the [ProtonMail Bridge](https://protonmail.com/bridge/thunderbird), to sync your emails to either Thunderbird or Microsoft Outlook. In terms of security, the disadvantage, is that most desktop clients do not support 2FA, so it is important to keep your computer secured, however they are not vulnerable to the common browser attacks, that a web client would be. See also [eM Client](https://www.emclient.com)m which is a reputable but proprietary paid desktop client for Windows and Mac OS.
- **Web** - If you are self-hosting your mail server, you will probably want a web-based email client. [RainLoop](http://www.rainloop.net) and [RoundCube](https://roundcube.net) are both good open source options.
- **Mobile** - the most secure option is usually to use the app provided by your mail provider. If your mail server is self-hosted, then consider [FairMail](https://email.faircode.eu/) which is a fully featured, open source, privacy oriented email app for Android. There is also [pretty Easy privacy p≡p](https://play.google.com/store/apps/details?id=security.pEp), which has OpenPGP built in, and [K-9 Mail](https://play.google.com/store/apps/details?id=com.fsck.k9), (which has been around almost as long as Android!), has a solid reputation for privacy and security features.
[TorBirdy](https://trac.torproject.org/projects/tor/wiki/torbirdy) is a Thunderbird addon, that configures it to make connections over the Tor network
It is important to keep the device/ server running your mail client secure.
**See also** [Email Security Checklist](/README.md#emails)
| Provider | Description |
| --- | --- |
**[Mozilla Thunderbird](https://www.thunderbird.net)** (Desktop) | Free and open source email application developed and backed by Mozilla -it's secure, private easy and customizable. The [Enigmail](https://www.enigmail.net) add-on allows for easy encryption/ decryption of PGP messages, and the [TorBirdy](https://trac.torproject.org/projects/tor/wiki/torbirdy) extension routes all traffic through the Tor network.
**[eM Client](https://www.emclient.com/)** (Desktop) | Productivity-based email client, for Windows and MacOS. eM Client has a clean user interface, snappy performance and good compatibility. There is a paid version, with some handy features, including snoozing incoming emails, watching for replies for a specific thread, message translation, send later, and built-in Calendar, Tasks, Contacts and Notes. Note, eM Client is propriety, and not open source
**[RainLoop](http://www.rainloop.net)** (Web) | Simple, modern, fast web-based mail client
**[RoundCube](https://roundcube.net)** (Web) | Browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking
**[FairMail](https://email.faircode.eu/)** (Andoird) | Open source, fully-featured and easy mail client for Android. Supports unlimited accounts and email addresses with the option for a unified inbox. Clean user interface, with a dark mode option, it is also very lightweight and consumes minimal data usage
**[K-9 Mail](https://k9mail.app/)** (Android) | K-9 is open source, very well supported and trusted- k9 has been around for nearly as long as Android itself! It supports multiple accounts, search, IMAP push email, multi-folder sync, flagging, filing, signatures, BCC-self, PGP/MIME & more. Install OpenKeychain along side it, in order to encrypt/ decrypt emails using OpenPGP
**[p≡p](https://www.pep.security/)** (Android | iOS) | The Pretty Easy Privacy (p≡p) client is a fully decentralized and end-to-end encrypted mail client, for "automatic privacy". It has some nice features, however it is not open source
#### Word of Warning
One disadvantage of mail clients, is that many of them do not support 2FA, so it is important to keep your device secured and encrypted
## Anonymous Mail Forwarding
@ -249,38 +301,17 @@ Revealing your real email address online can put you at risk. Email aliasing all
Alternatively you could host your own catch-all email service. [Mailu](https://github.com/Mailu/Mailu) can be configured to accept wildcards, or for Microsoft Exchange see [exchange-catchall](https://github.com/Pro/exchange-catchall)
## Browsers
## Email Security Tools
| Provider | Description |
| --- | --- |
**[Brave Browser](https://brave.com/?ref=ali721)** | Brave Browser, currently one of the most popular private browsers- it provides speed, security, and privacy by blocking trackers with a clean, yet fully-featured UI. It also pays you in [BAT tokens](https://basicattentiontoken.org/) for using it. Brave also has Tor built-in, when you open up a private tab/ window.
**[FireFox](https://www.mozilla.org/firefox)** | Significantly more private, and offers some nifty privacy features than Chrome, Internet Explorer and Safari. After installing, there are a couple of small tweaks you will need to make, in order to secure Firefox. You can follow one of these guides by: [Restore Privacy](https://restoreprivacy.com/firefox-privacy/), [Security Gladiators](https://securitygladiators.com/firefox-privacy-tips/) or [12Bytes](https://12bytes.org/7750)
**[Tor Browser](https://www.torproject.org/)** | Tor provides an extra layer of anonymity, by encrypting each of your requests, then routing it through several nodes, making it near-impossible for you to be tracked by your ISP/ provider. It does make every-day browsing a little slower, and some sites may not work correctly. As with everything there are [trade-offs](https://github.com/Lissy93/personal-security-checklist/issues/19)
**[Enigmail](https://www.enigmail.net)** | Mail client add-on, enabling the use of OpenPGP to easily encrypt, decrypt, verify and sign emails. Free and open source, Enifmail is compatible with Mozilla Thunderbird, Interlink Mail & News and Postbox. Their website contains thorough documentation and quick-start guides, once set up it is extremely convenient to use
**[TorBirdy](https://trac.torproject.org/projects/tor/wiki/torbirdy)** | Thunderbird extension, that configures it to make connections over the Tor network, in order to provide an additional layer of anonymity and security
**[Email Privacy Tester](https://www.emailprivacytester.com/)** | Quick tool, that enables you to test whether your mail client "reads" your emails before you've opened them, and also checks what analytics, read-receipts or other tracking data your mail client allows to be sent back to the sender. The system is open source ([on GitLab](https://gitlab.com/mikecardwell/ept3)), developed by [Mike Cardwell](https://www.grepular.com/) and trusted, but if you do not want to use your real email, creating a second account with the same provider, should yield identical results
**[DKIM Verifier](https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/?collection_id=a5557f08-eafd-7a39-81c6-09127da790f7)** | Verifies DKIM signatures and shows the result in the e-mail header, in order to help spot spoofed emails (which do not come from the comain that claim to)
#### Notable Mentions
Mobile Browsers: [Bromite](https://www.bromite.org/) (Android), [Firefox Focus](https://support.mozilla.org/en-US/kb/focus) (Android/ iOS), [DuckDuckGo Browser](https://help.duckduckgo.com/duckduckgo-help-pages/mobile/ios/) (Android/ iOS), [Orbot](https://guardianproject.info/apps/orbot/) + [Tor](https://www.torproject.org/download/#android) (Android), [Onion Browser](https://onionbrowser.com/) (iOS),
Additional Desktop: [WaterFox](https://www.waterfox.net), [Epic Privacy Browser](https://www.epicbrowser.com), [PaleMoon](https://www.palemoon.org), [Iridium](https://iridiumbrowser.de/) and [Sea Monkey](https://www.seamonkey-project.org/).
#### Word of Warning
New vulnerabilities are being discovered and patched all the time - use a browser that is being actively maintained, in order to receive these security-critical updates
**See also** [Browser & Search Security Checklist](/README.md#browser-and-search) and recommended [Browser Extensions](#browser-extensions) for privacy & security.
## Search Engines
Google frequently modifies and manipulates search, and is in pursuit of eliminating competition and promoting their own services above others. They also track, collect, use and sell detailed user search and meta data.
| Provider | Description |
| --- | --- |
**[DuckDuckGo](https://duckduckgo.com/)** | DuckDuckGo is a very user-friendly, fast and secure search engine. It's totally private, with no trackers, cookies or ads. It's also highly customisable, with dark-mode, many languages and features. They even have a [.onion](https://3g2upl4pq6kufc4m.onion) URL, for use with Tor and a [no Javascript version](https://duckduckgo.com/html/)
**[Qwant](https://www.qwant.com/)** | French service that aggregates Bings results, with it's own results. Quant doesn't plant any cookies, nor have any trackers or third-party advertising. It returns non-biased search results, with no promotions. Quant has a unique, but nice UI.
#### Notable Mentions
[MetaGear](https://metager.org), [YaCy](https://yacy.net). Alternativley, host your own instance of [Searx](https://asciimoo.github.io/searx/)
**See also** [Browser & Search Security Checklist](/README.md#browser-and-search)
If you are using ProtonMail, then the [ProtonMail Bridge](https://protonmail.com/bridge/thunderbird) enables you to sync your emails to your own desktop mail client. It works well with Thunderbird, Microsoft Outlook and others
## Browser Extensions
@ -309,6 +340,7 @@ The following browser add-ons give you better control over what content is able
**[Self-Destructing Cookies](https://add0n.com/self-destructing-cookies.html)** | Prevents websites from tracking you by storing unique cookies (note Fingerprinting is often also used for tracking). It removes all related cookies whenever you end a session. **Download**: [Chrome][self-destructing-cookies-chrome] \ [Firefox][self-destructing-cookies-firefox] \ [Opera][self-destructing-cookies-opera] \ [Source][self-destructing-cookies-source]
**[Privacy Redirect](https://github.com/SimonBrazell/privacy-redirect)** | A simple web extension that redirects Twitter, YouTube, Instagram & Google Maps requests to privacy friendly alternatives <br>**Download**: [Firefox](https://addons.mozilla.org/en-US/firefox/addon/privacy-redirect/) / [Chrome](https://chrome.google.com/webstore/detail/privacy-redirect/pmcmeagblkinmogikoikkdjiligflglb)
**[Site Bleacher](https://github.com/wooque/site-bleacher)** | Remove automatically cookies, local storages, IndexedDBs and service workers <br>**Download**: [Firefox](https://addons.mozilla.org/en-US/firefox/addon/site-bleacher/) \ [Chrome](https://chrome.google.com/webstore/detail/site-bleacher/mlcfcepfmnjphcdkfbfgokkjodlkmemo) \ [Source](https://github.com/wooque/site-bleacher)
**[User Agent Switcher](https://add0n.com/useragent-switcher.html)** | Spoofs browser's User-Agent string, making it appear that you are on a different device, browser and version to what you are actually using. This alone does very little for privacy, but combined with other tools, can allow you to keep your fingerprint changing, and feed fake info to sites tracking you. Some websites show different content, depending on your user agent.<br>**Download**: [Chrome](https://chrome.google.com/webstore/detail/user-agent-switcher/bhchdcejhohfmigjafbampogmaanbfkg) \ [Fireforx](https://addons.mozilla.org/firefox/addon/user-agent-string-switcher/) \ [Edge](https://microsoftedge.microsoft.com/addons/detail/cnjkedgepfdpdbnepgmajmmjdjkjnifa) \ [Opera](https://addons.opera.com/extensions/details/user-agent-switcher-8/) \ [Source](https://github.com/ray-lothian/UserAgent-Switcher/)
**[PrivacySpy](https://privacyspy.org)** | The companian extension for PrivacySpy.org - an open project that rates, annotates, and archives privacy policies. The extension shows a score for the privacy policy of the current website.<br>**Download**: [Chrome](https://chrome.google.com/webstore/detail/privacyspy/ppembnadnhiknioggbglgiciihgmkmnd) \ [Fireforx](https://addons.mozilla.org/en-US/firefox/addon/privacyspy/)
**[HTTPZ](https://github.com/claustromaniac/httpz)** | Simplified HTTPS upgrades for Firefox (lightweight alternative to HTTPS-Everywhere) <br>**Download**: [Firefox](https://addons.mozilla.org/en-US/firefox/addon/httpz/)
**[Skip Redirect](https://github.com/sblask/webextension-skip-redirect)** | Some web pages use intermediary pages before redirecting to a final page. This add-on tries to extract the final url from the intermediary url and goes there straight away if successful <br>**Download**: [Firefox](https://addons.mozilla.org/en-US/firefox/addon/skip-redirect/) \ [Source](https://github.com/sblask/webextension-skip-redirect)
@ -355,7 +387,10 @@ The following browser add-ons give you better control over what content is able
**[CamWings](https://schiffer.tech/camwings-mobile.html)** | Prevent background processes gaining unauthorized access to your devices camera. Better still, use a [webcam sticker](https://supporters.eff.org/shop/laptop-camera-cover-set-ii)
**[ScreenWings](https://schiffer.tech/screenwings-mobile.html)** | Prevent background processes taking unauthorized screenshots, which could expose sensetive data
**[AFWall+](https://github.com/ukanth/afwall/)** | Android Firewall+ (AFWall+) is an advanced iptables editor (GUI) for rooted Android devices, which provides very fine-grained control over which Android apps are allowed to access the network
**[Catch the Man-in-the-Middle](https://play.google.com/store/apps/details?id=me.brax.certchecker)** | Simple tool, that compares SHA-1 fingerprints of the the SSL certificates seen fron your device, and the certificate seen from an external network. If they do not match, this may indicate a man-in-the-middle modifying requests
#### Word of Warning
Too many installed apps will increase your attack surface- only install applications that you need
#### Other Notable Mentions
For more open source security & privacy apps, check out these publishers: [The Guardian Project], [The Tor Project], [Oasis Feng], [Marcel Bokhorst], [SECUSO Research Group] and [Simple Mobile Tools]- all of which are trusted developers or organisations, who've done amazing work.
@ -377,6 +412,7 @@ A selection of free online tools and utilities, to check, test and protect
**[εxodus](https://reports.exodus-privacy.eu.org)** | Checks how many, and which trackers any Android app has. Useful to understand how data is being collected before you install a certain APK, it also shows which permissions the app asks for
**[Am I Unique?](https://amiunique.org)** | Show how identifiable you are on the Internet by generating a fingerprint based on device information. This is how many websites track you (even without cookies enabled), so the aim is to not be unique
**[Panopticlick](https://panopticlick.eff.org/)** | Check if your browser safe against tracking. Analyzes how well your browser and add-ons protect you against online tracking techniques, and if your system is uniquely configured—and thus identifiable
**[Phish.ly](https://phish.ly/)** | Analyzes emails, checking the URLs and creating a SHA256 and MD5 hash of attachments, with a link to VirusTotal. To use the service, just forward a potentially malicious or suspicious email to scan@phish.ly, and an automated reply will include the results. They claim that all email data is purged after analysis, but it would be wise to not include any sensitive information, and to use a forwarding address
**[Browser Leak Test](https://browserleaks.com)** | Shows which of personal identity data is being leaked through your browser, so you can better protect yourself against fingerprinting
**[IP Leak Test](https://ipleak.net)** | Shows your IP address, and other associated details (location, ISP, WebRTC check, DNS, and lots more)
**[EXIF Remove](https://www.exifremove.com)** | Displays, and removes Meta and EXIF data from an uploaded photo or document
@ -389,6 +425,7 @@ A selection of free online tools and utilities, to check, test and protect
**[10 Minute Mail](https://10minemail.com/)** | Generates temporary disposable email address, to avoid giving your real details
**[MXToolBox Mail Headers](https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx)** | Tool for analyzing email headers, useful for checking the authenticity of messages, as well as knowing what info you are revealing in your outbound messages
**[SimpleLogin](https://simplelogin.io?slref=bridsqrgvrnavso)** | Automatically generates new email aliases, the first time you use them, to avoid revealing your real email address. Unlike 10 Minute Mail, these email addresses are permanent, and get forwarded to your real email inbox. Other options include [33Mail](http://33mail.com/Dg0gkEA), [Anonaddy](https://anonaddy.com) and [ForwardEmail](https://forwardemail.net) (self-hosted)
**[BlackLight](https://themarkup.org/blacklight)** | Real-Time Website Privacy Inspector - Shows trackers, third-party cookies, session recoding services, keystroke capturing scripts and analytics services embedded on a given website
#### Word of Warning
*Browsers are inherently insecure, be careful when uploading, or entering personal details.*
@ -456,13 +493,12 @@ Tor, I2P and Freenet are all anonymity networks- but they work very differently
*You can read more about how I2P compares to Tor, [here](https://blokt.com/guides/what-is-i2p-vs-tor-browser)*
#### Notable Mentions
[Panoramix](https://panoramix-project.eu) is a European project, aiming to use mix-networks to provide anonymity.
[Nym](https://nymtech.neteu) uses Blockchain to reward node operators in order to keep the network sustainable.
See also: [GNUnet](https://gnunet.org/en/), [IPFS](https://ipfs.io/), [ZeroNet](https://zeronet.io/), [Panoramix](https://panoramix-project.eu), and [Nym](https://nymtech.neteu)
#### Word of Warning
To provide low-latency browsing, Tor does not mix packets or generate cover traffic. If an adversary is powerful enough, theoretically he could either observe the entire network, or just the victims entry and exit nodes. It's worth mentioning, that even though your ISP can not see what you are doing, they will be able determine that you are using a mix net, to hide this- a VPN could be used. If you are doing anything which could put you at risk, then good OpSec is essential, as the authorities have traced criminals through the Tor network before, and [made arrests](https://techcrunch.com/2019/05/03/how-german-and-us-authorities-took-down-the-owners-of-darknet-drug-emporium-wall-street-market). Don't let Tor provide a possible false sense of security- be aware of information leaks through DNS or other programs, and Tor-supported browsers may might lag behind their upstream forks, allowing for unpatched issues. See [#19](https://github.com/Lissy93/personal-security-checklist/issues/19)
To provide low-latency browsing, Tor does not mix packets or generate cover traffic. If an adversary is powerful enough, theoretically they could either observe the entire network, or just the victims entry and exit nodes. It's worth mentioning, that even though your ISP can not see what you are doing, they will be able determine that you are using a mix net, to hide this- a VPN could be used as well. If you are doing anything which could put you at risk, then good OpSec is essential, as the authorities have traced criminals through the Tor network before, and [made arrests](https://techcrunch.com/2019/05/03/how-german-and-us-authorities-took-down-the-owners-of-darknet-drug-emporium-wall-street-market). Don't let Tor provide you a false sense of security- be aware of information leaks through DNS, other programs or human error. Tor-supported browsers may might lag behind their upstream forks, and include exploitable unpatched issues. See [#19](https://github.com/Lissy93/personal-security-checklist/issues/19)
Note: The Tor network is run by the community. If you benefit from using it and would like to help sustain uncensored internet access for all, consider [running a Tor relay](https://trac.torproject.org/projects/tor/wiki/TorRelayGuide).
Note: The Tor network is run by the community. If you benefit from using it and would like to help sustain uncensored internet access for all, consider [running a Tor relay](https://trac.torproject.org/projects/tor/wiki/TorRelayGuide)
## Proxies
@ -492,9 +528,6 @@ Without using a secure, privacy-centric DNS all your web requests can be seen in
See also this [Full List of Public DoH Servers](https://github.com/curl/curl/wiki/DNS-over-HTTPS), you can then check the performance of your chosen server with [DNSPerf](https://www.dnsperf.com/). To read more about choosing secure DNS servers, see [this article](https://medium.com/@nykolas.z/dns-security-and-privacy-choosing-the-right-provider-61fc6d54b986), and [this article](https://geekwire.co.uk/privacy-and-security-focused-dns-resolver/).
#### DNS Protocols
DNS-over-TLS was proposed in [RTC-7858](https://tools.ietf.org/html/rfc7858) by the IETF, then 2 years later, the DNS-over-HTTPS specification was outlined in [RFC8484](https://tools.ietf.org/html/rfc8484) in October '18. [DNSCrypt](https://dnscrypt.info/), is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing, through using cryptographic signatures to verify that responses originate from the chosen DNS resolver, and havent been tampered with. DNSCrypt is a well battle-tested protocol, that has been in use since 2013, and is still widely used.
#### Notable Mentions
- [Quad9](https://www.quad9.net) is a well-funded, performant DNS with a strong focus on privacy and security and easy set-up, however questions have been raised about the motivation of some of the financial backers.
- [BlahDNS](https://blahdns.com) (Japan, Finland or Germany) is an excellent security-focused DNS
@ -505,6 +538,18 @@ DNS-over-TLS was proposed in [RTC-7858](https://tools.ietf.org/html/rfc7858) by
#### Word of Warning
Using an encrypted DNS resolver will not make you anonymous, it just makes it harder for third-partied to discover your domain history. If you are using a VPN, take a [DNS leak test](https://www.dnsleaktest.com/), to ensure that some requests are not being exposed.
#### DNS Protocols
DNS-over-TLS was proposed in [RTC-7858](https://tools.ietf.org/html/rfc7858) by the IETF, then 2 years later, the DNS-over-HTTPS specification was outlined in [RFC8484](https://tools.ietf.org/html/rfc8484) in October '18. [DNSCrypt](https://dnscrypt.info/), is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing, through using cryptographic signatures to verify that responses originate from the chosen DNS resolver, and havent been tampered with. DNSCrypt is a well battle-tested protocol, that has been in use since 2013, and is still widely used.
## DNS Clients
| Provider | Description |
| --- | --- |
**[DNScrypt-proxy 2](https://github.com/DNSCrypt/dnscrypt-proxy)** <br>(Desktop - BSD, Linux, Solaris, Windows, MacOS & Android) | A flexible DNS proxy, with support for modern encrypted DNS protocols including DNSCrypt V2, DNS-over-HTTPS and Anonymized DNSCrypt. Also allows for advanced monitoring, filtering, caching and client IP protection through Tor, SOCKS proxies or Anonymized DNS relays.
**[Unbound](https://nlnetlabs.nl/projects/unbound/about/)** <br>(Desktop - BSD, Linux, Windows & MacOS) | Validating, recursive, caching DNS resolve with support for DNS-over-TLS. Designed to be fast, lean, and secure Unbound incorporates modern features based on open standards. It's fully open source, and recently audited. *(For an in-depth tutorial, see [this article](https://dnswatch.com/dns-docs/UNBOUND/) by DNSWatch.)*
**[Nebulo](https://git.frostnerd.com/PublicAndroidApps/smokescreen/)**<br> (Android) | Non-root, small-sized DNS changer utilizing DNS-over-HTTPS and DNS-over-TLS. *(Note, since this uses Android's VPN API, it is not possible to run a VPN while using Nebulo)*
**[DNS_Cloak](https://github.com/s-s/dnscloak)**<br> (iOS) | Simple all that allows for the use for dnscrypt-proxy 2 on an iPhone.
**[Stubby](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby)**<br> (Desktop - Linux, Mac, OpenWrt & [Windows](https://dnsprivacy.org/wiki/display/DP/Windows+installer+for+Stubby)) | Acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby can be used in combination wtih Unbound - Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections), [see example configuration](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients)
## Firewalls
A firewall is a program which monitors the incoming and outgoing traffic on your network, and blocks requests based on rules set during its configuration. Properly configured, a firewall can help protect against attempts to remotely access your computer, as well as control which applications can access which IPs.
@ -577,6 +622,8 @@ Installing a custom firmware on your Wi-Fi router gives you greater control over
#### Notable Mentions
[Tomato](https://www.polarcloud.com/tomato), [Gargoyle](https://www.gargoyle-router.com), [LibreCMC](https://librecmc.org) and [DebWRT](http://www.debwrt.net)
#### Word of Warning
Flashing custom firmware may void your warrenty. If power is interupted mid-way through a firmware install/ upgrade it is possible for your device to become bricked. So long as you follow a guide, and use a well supported system, on a supported router, than it should be safe
## Network Analysis
@ -907,6 +954,25 @@ For iPhone users in the US, [Tonic](https://canopy.cr/tonic) is a great little a
News reader apps don't have a good [reputation](https://vpnoverview.com/privacy/apps/privacy-risks-news-apps) when it comes to protecting users privacy, and often display biased content. Many have revenue models based on making recommendations, with the aim of trying to get you to click on sponsored articles- and for that a lot of data needs to have been collected about you, your habits, interests and routines.
## Proxy Sites
These are websites that enable you to access existing social media platforms, without using their primary website- with the aim of improving privacy & security and providing better user experience. The below options are open source (so can be self-hosted, if you wish), and they do not display ads or tracking (unless otherwise stated).
| Provider | Description |
| --- | --- |
**[Nitter](https://nitter.net/)** (Twitter) | Nitter is a free and open source alternative Twitter front-end focused on privacy, it prevents Twitter from tracking your IP or browser fingerprint. It does not include any JavaScript, and all requests go through the backend, so the client never talks directly to Twitter. It's written in Nim, is super lightweight, with multiple themes and a responsive mobile version available, as well as customizable RSS feeds. Uses an unofficial API, with no rate limits or and no developer account required
**[Invidio](https://invidio.us/)** (YouTube) | Privacy-focused, open source alternative frontend for YouTube. It prevents/ reduces Google tracking, and adds additional features, including an audio-only mode, Reddit comment feed, advanced video playback settings. It's super lightweight, and does not require JavaScript to be enabled, and you can import/ export your subscriptions list, and customize your feed. See list of [Invidious Public Instances](https://github.com/iv-org/invidious/wiki/Invidious-Instances)
**[Bibliogram](https://bibliogram.art/)** (Instagram) | Enables you to view Instagram profiles through their proxy without any tracking, great for anonymity. Bibliogram also has several other benefits over using the official Instagram website- Pages also load much faster, it gives you downloadable images, eliminates ads, generates RSS feeds, and doesn't urge you to sign up. It can also easily be self-hosted. However, there is no functionality to create posts via this service
**[WebProxy](https://weboproxy.com/)** | Free proxy service, with Tor mode (which is recommended to enable). Designed to be used to evade censorship and access geo-blocked content. The service is maintained by [DevroLabs](https://devrolabs.com/), who also run the [OnionSite](https://onionsite.weboproxy.com/) web proxy, they claim to that all traffic is 256-bit SSL-encrypted, but this cannot be verified - never enter any potentially personally identifiable infomation, and use it purely for consuming content
#### Notable Mentions
**[NewPipe](https://newpipe.schabi.org/)** is an open source, privacy-respecting YouTube client for Android.
**[FreeTube](https://freetubeapp.io/)** an open source YouTube client for Windows, MacOS and Linux, providing a more private experience, with a native-feel desktop app. It is built upon the [Invidio](https://invidio.us/) API.
#### Word of Warning
When proxies are involved - only use reputable services, and **never** enter any personal information
## Cryptocurrencies
| Provider | Description |
@ -929,10 +995,11 @@ Note: Cryptocurrency prices can go down. Storing any wealth in crypto may result
| Provider | Description |
| --- | --- |
**[Wasabi Wallet](https://www.wasabiwallet.io/)** (BitCoin) | An open source, native desktop wallet for Windows, Linux and MacOS. Wasabi implements trustless CoinJoins over the Tor network. Neither an observer nor the participants can determine which output belongs to which input. This makes it difficult for outside parties to trace where a particular coin originated from and where it was sent to, which greatly improves privacy. Since it's trustless, the CoinJoin coordinator cannot breach the privacy of the participants. Wasabi is compatible with cold storage, and hardware wallets, including OpenCard and Trezor.
**[Trezor](https://trezor.io/)** (All Coins) | Open source, cross-platform, offline, crypto wallet, compatible with 1000+ coins. Your private key is generated on the device, and never leaves it, all transactions are signed by the Trezor, which ensures your wallet is safe from theft. There are native apps for Windows, Linux, MacOS, Android and iOS, but Trezor is also compatible with other wallets, such as Wasabi. You can back the Trezor up, either by writing down the seed, or by duplicating it to another device. It is simple and intuitive to use, but also incredible customisable with a large range of advanced features
**[Trezor](https://trezor.io/)**<br>(All Coins) | Open source, cross-platform, offline, crypto wallet, compatible with 1000+ coins. Your private key is generated on the device, and never leaves it, all transactions are signed by the Trezor, which ensures your wallet is safe from theft. There are native apps for Windows, Linux, MacOS, Android and iOS, but Trezor is also compatible with other wallets, such as Wasabi. You can back the Trezor up, either by writing down the seed, or by duplicating it to another device. It is simple and intuitive to use, but also incredible customisable with a large range of advanced features
**[ColdCard](https://coldcardwallet.com/)** (BitCoin) | An easy-to-use, super secure, open source BitCoin hardware wallet, which can be used independently as an air-gapped wallet. ColdCard is based on partially signed Bitcoin transactions following the [BIP174](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki) standard. Built specifically for BitCoin, and with a variety of unique security features, ColdCard is secure, trustless, private and easy-to-use. Companion products for the ColdCard include: [BlockClock](http://blockclockmini.com/), [SeedPlate](http://bitcoinseedbackup.com/) and [ColdPower](http://usbcoldpower.com/)
**[CryptoSteel](https://cryptosteel.com/how-it-works)** | A steel plate, with engraved letters which can be permanently screwed - CryptoSteel is a good fire-proof, shock-proof, water-proof and stainless cryptocurrency backup solution
**[Electrum](https://electrum.org/)** (BitCoin) | Long-standing Python-based BitCoin wallet with good security features. Private keys are encrypted and do not touch the internet and balance is checked with a watch-only wallet. Compatible with other wallets, so there is no tie-in, and funds can be recovered with your secret seed. It supports proof-checking to verify transactions using SPV, multi-sig and add-ons for compatibility with hardware wallets. A decentralized server indexes ledger transactions, meaning it's fast and doesn't require much disk space. The potential security issue here would not be with the wallet, but rather your PC- you must ensure your computer is secure and your wallet has a long, strong passphrase to encrypt it with.
**[Samourai Wallet](https://samouraiwallet.com/)** (BitCoin) | An open-source, BitCoin-only privacy-focused wallet, with some innovative features.<br>Samourai Wallet works under any network conditions, with a full offline mode, useful for cold storage. It also supports a comprehensive range of privacy features including: STONEWALL that helps guard against address clustering deanonymization attacks, PayNym which allows you to receive funds without revealing your public address for all to see, Stealth Mode which hides Samourai from your devices launcher, Remote SMS Commands to wipe or recover your wallet if device is seized or stolen, and Whirlpool which is similar to a coin mixer, and OpenDime is also supported for offline USB hardware wallets.
**[CryptoSteel](https://cryptosteel.com/how-it-works)**<br>(All Coins) | A steel plate, with engraved letters which can be permanently screwed - CryptoSteel is a good fire-proof, shock-proof, water-proof and stainless cryptocurrency backup solution
#### Word of Warning
Avoid using any online/ hot-wallet, as you will have no control over the security of your private keys. Offline paper wallets are very secure, but ensure you store it properly- to keep it safe from theft, loss or damage.
@ -1004,7 +1071,7 @@ collecting a wealth of information, and logging your every move. A [custom ROM](
| Provider | Description |
| --- | --- |
**[LineageOS](https://www.lineageos.org/)** | A free and open-source operating system for various devices, based on the Android mobile platform- Lineage is light-weight, well maintained, supports a wide range of devices, and comes bundled with [Privacy Guard](https://en.wikipedia.org/wiki/Android_Privacy_Guard)
**[GrapheneOS](https://grapheneos.org/)** | GrapheneOS is an open source privacy and security focused mobile OS with Android app compatibility. Developed by the team behind [CoperheadOS](https://copperhead.co/android/). Graphene is a young project, and currently only supports Pixel devices, partially due to their strong hardware security
**[GrapheneOS](https://grapheneos.org/)** | GrapheneOS is an open source privacy and security focused mobile OS with Android app compatibility. Developed by [Daniel Micay](https://twitter.com/DanielMicay). GrapheneOS is a young project, and currently only supports Pixel devices, partially due to their [strong hardware security](https://grapheneos.org/faq#device-support).
#### Other Notable Mentions
[Replicant OS](https://www.replicant.us/) is a fully-featured distro, with an emphasis on freedom, privacy and security. [MmniRom](https://www.omnirom.org/), [Recursion Remix](https://forum.xda-developers.com/remix), and [Paranoid Android](http://paranoidandroid.co/) are also popular options. Alternativley, [Ubuntu Touch](https://ubports.com/) is a Linux (Ubuntu)- based OS. It is secure by design and runs on almost any device, - but it does fall short when it comes to the app store.
@ -1049,14 +1116,17 @@ Other security-focused distros include: [TENS OS](https://www.tens.af.mil/), [Fe
If you do not want to use a specalist security-based distro, or you are new to Unix- then just switching to any well-maintained Linux distro, is going to be significantly more secure and private than Windows or Mac OS.
Since it is open source, major distros are constantly being audited by members of the community. Linux does not give users admin rights by default- this makes is much less likley that your system could become infected with malware. And of course, there is no proprietary Microsoft or Apple software constantly monitoring everything you do.
Some good distros to consider would be: **[Fedora](https://getfedora.org/)**, **[Debian](https://www.debian.org/)**, or **[Arch](https://www.archlinux.org/)**- all of which have a large community behind them. **[Manjaro](https://manjaro.org/)** (based of Arch) is a good option, with a simple install process, used by new comers, and expers alike. **[POP_OS](https://pop.system76.com/)** and **[PureOS](https://www.pureos.net/)** are reasonably new general purpose Linux, with a strong focus on privacy, but also very user-firendly with an intuitive interfac and install process. See [comparison](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions).
Some good distros to consider would be: **[Fedora](https://getfedora.org/)**, **[Debian](https://www.debian.org/)**, or **[Arch](https://www.archlinux.org/)**- all of which have a large community behind them. **[Manjaro](https://manjaro.org/)** (based of Arch) is a good option, with a simple install process, used by new comers, and expers alike. **[POP_OS](https://pop.system76.com/)** and **[PureOS](https://www.pureos.net/)** are reasonably new general purpose Linux, with a strong focus on privacy, but also very user-firendly with an intuitive interfac and install process. See [Simple Comparison](https://computefreely.org/) or [Detailed Comparison](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions).
#### BSD
BSD systems arguably have far superior network stacks. **[OpenBSD](https://www.openbsd.org)** is designed for maximum security — not just with its features, but with its implementation practices. Its a commonly used OS by banks and critical systems. **[FreeBSD](https://www.freebsd.org)** is more popular, and aims for high performance and ease of use.
#### Improve the Security and Privacy of your current OS
#### Windows
One option for Windows users is the LTSC stream, that provides several security benefits over a standard Win 10 Installation. [Windows 10 LTSC](https://docs.microsoft.com/en-us/windows/whats-new/ltsc/) (or Long Term Servicing Channel) is a lightweight, low-cost Windows 10 version, that is intended for specialized systems, and receives less regular feature updates. What makes it appealing, is that it doesn't come with any bloatware or non-essential applications, and needs to be configured from the ground up by the user. This gives you much better control over what is running on your system, ultimately improving security and privacy. It also includes several enterprise-grade [security features](https://docs.microsoft.com/en-us/windows/whats-new/ltsc/whats-new-windows-10-2019#security), which are not available in a standard Windows 10 instance. It does require some technical knowledge to get started with, but once setup should perform just as any other Windows 10 system. Note that you should only download the LTSC ISO from the Microsoft's [official page](https://www.microsoft.com/en-in/evalcenter/evaluate-windows-10-enterprise)
If you have chosen to stick with your current OS, there are a couple of things you can do to improve security, see: [Windows 10 security guide](https://heimdalsecurity.com/en/windows-10-security-guide/privacy), [Mac OS security guide](https://spreadprivacy.com/mac-privacy-tips/) or [Linux security guide](https://spreadprivacy.com/linux-privacy-tips/).
#### Improve the Security and Privacy of your current OS
After installing your new operating system, or if you have chosen to stick with your current OS, there are a couple of things you can do to improve security. See: [Windows 10 security guide](https://heimdalsecurity.com/en/windows-10-security-guide/privacy), [Mac OS security guide](https://spreadprivacy.com/mac-privacy-tips/) or [Linux security guide](https://spreadprivacy.com/linux-privacy-tips/).
## Linux Defences
@ -1379,6 +1449,9 @@ I have a range of guides, checklists, links and tutorials, all aimed to provide
- [Further Links: Privacy & Security](/4_Privacy_And_Security_Links.md)
- [The Importance of Digital Security & Privacy](/0_Why_It_Matters.md)
## News & Updates
A custom Reddit feed covering news and updates for privacy-respecting apps, software & services can be found [here](https://www.reddit.com/user/lissy93/m/software_projects/)
## Final Notes
@ -1393,11 +1466,11 @@ adopt good networking practices and be mindful of data that are collected when b
### Important Considerations
**Compartmentalise**<br>
**Compartmentalise, Update and Be Ready**<br>
No piece of software is truly secure or private. Further to this, software can only as secure as the system it is running on. Vulnerabilities are being discovered and patched all the time, so you much keep your system up-to-date. Breaches occur regularly, so compartmentalise your data to minimise damage. It's not just about choosing secure software, you must also follow good security practices.
**Attack Surface**<br>
It is a good idea to keep your trusted software base small, to reduce potential attack surface. At the same time trusting a single application for too many tasks could be a weakness in your system. So you will need to judge the situation according to your threat model, and carefully plan which software and applications you trust with each segment of your data.
It is a good idea to keep your trusted software base small, to reduce potential attack surface. At the same time trusting a single application for too many tasks or too much personal data could be a weakness in your system. So you will need to judge the situation according to your threat model, and carefully plan which software and applications you trust with each segment of your data.
**Convenience Vs Security**<br>
There is often a trade-off between convenience and security. Construct a threat model, and choose a balance that is right for you. In a similar way in some situations there is privacy and security conflict (e.g. Find My Phone is great for security, but terrible for privacy, and anonymous payments may be good for privacy but less secure than insured fiat currency). Again it is about assessing your situation, understanding the risks and making an informed decision.
@ -1406,24 +1479,23 @@ There is often a trade-off between convenience and security. Construct a threat
When using a hosted or managed application that is open-source software- there is often no easyily way to tell if the version running is the same as that of the published source code (even published signatures can be faked). There is always the possibility that additional backdoors may have been knowingly or unknowingly implemented in the running instance. One way round this is to self-host software yourself. When self-hosting you will then know for sure which code is running, however you will also be responsible for the managing security of the server, and so may not be recommended for beginners.
**Open Source Software Considerations**<br>
Open source software has long had a reputation of being more secure than its closed source counterparts. Since bugs are raised transparently, fixed quickly, the code can be checked by experts in the community and there is usually little or no data collection or analytics. That being said, there is no piece of software that it totally bug free, and hence never truly secure or private. Being open source, is in no way a guarantee that something is safe. There is no shortage of poorly-written, obsolete or sometimes plain malicious open source projects on the internet.
Open source software has long had a reputation of being more secure than its closed source counterparts. Since bugs are raised transparently, fixed quickly, the code can be checked by experts in the community and there is usually little or no data collection or analytics.
That being said, there is no piece of software that it totally bug free, and hence never truly secure or private. Being open source, is in no way a guarantee that something is safe. There is no shortage of poorly-written, obsolete or sometimes harmful open source projects on the internet. Some open source apps, or a dependency bundled within it are just plain malicious (such as, that time [Colourama was found in the PyPI Repository](https://hackaday.com/2018/10/31/when-good-software-goes-bad-malware-in-open-source/))
**Proprietary Software Considerations**<br>
When using a hosted or proprietary solution- always check the privacy policy, research the reputation of the organisation, and be weary about which data you trust them with. Where possible choose open source software for security-critical situations.
When using a hosted or proprietary solution- always check the privacy policy, research the reputation of the organisation, and be weary about which data you trust them with. It may be best to choose open source software for security-critical situations, where possible.
**Maintenance**<br>
When selecting a new application, ensure it is still being regularly maintained, as this will allow for recently discovered security issues to be addressed. Software in an alpha or beta phase, may not only be buggy or lacking in features, but it could have critical vulnerabilities open to exploit. Similarly, applications that are no longer being actively maintained may pose a security risk. When using a forked application, or software that is based on an upstream code base, be aware that it may receive security-critical patches and updates at a slightly later date than the original application.
When selecting a new application, ensure it is still being regularly maintained, as this will allow for recently discovered security issues to be addressed. Software in an alpha or beta phase, may be buggy and lacking in features, but more importantly- it could have critical vulnerabilities open to exploit. Similarly, applications that are no longer being actively maintained may pose a security risk, due to lack of patching. When using a forked application, or software that is based on an upstream code base, be aware that it may receive security-critical patches and updates at a slightly later date than the original application.
**This List: Disclaimer**<br>
This list contains packages that range from entry-level to advanced, a lot of the software here will not be appropriate for all audiences. It is in no way a definitive list of secure applications, and aims only to be a guide, a collection of software and services that myself and others have used, and would recommend. There will always be new vulnerabilities discovered or introduced, bugs and poorly configured systems. It is up to you to do your research, and decide where and how your data are managed.
If you find something on this list that should no longer be deemed secure, please raise an issue. In the same way if you know of something that is missing, or would like to make an edit, the pull requests are welcome, and are much appreiciated!
This list contains packages that range from entry-level to advanced, a lot of the software here will not be appropriate for all audiences. It is in no way a definitive list of secure applications, and aims only to be a guide, a collection of software and services that myself and other contributers have used, and would recommend. There will always be new vulnerabilities discovered or introduced, bugs and security-critical glitches, malicious actors and poorly configured systems. It is up to you to do your research, draw up a threat model, and decide where and how your data are managed.
If you find something on this list that should no longer be deemed secure or private/ or should have a warning note attached, please raise an issue. In the same way if you know of something that is missing, or would like to make an edit, then pull requests are welcome, and are much appreiciated!
### Contributing
*Thanks for visiting! If you have suggestions, then you [open an issue](https://github.com/Lissy93/personal-security-checklist/issues/new/choose), or [submit a PR](https://github.com/Lissy93/personal-security-checklist/pull/new/master), see: [`CONTRIBUTING.md`](/.github/CONTRIBUTING.md). Contributions are welcome, and much appreciated* ☺️
*Thanks for visiting! If you have suggestions, then you [open an issue](https://github.com/Lissy93/personal-security-checklist/issues/new/choose), or [submit a PR](https://github.com/Lissy93/personal-security-checklist/pull/new/master), see: [`CONTRIBUTING.md`](/.github/CONTRIBUTING.md). Contributions are welcome, and always much appreciated* ☺️
### License

13
6_Privacy_and-Security_Gadgets.md
View File

@ -7,7 +7,9 @@ A curated list of (DIY and pre-built) devices, to help preserve privacy and impr
**Too long? 🦒** See the [TLDR version](/2_TLDR_Short_List.md#security-hardware) instead.
**Note**: This section is intended just to be a bit of fun, it is entirely possible to stay secure and anonymous, without having to build or buy anything
See Also, [The Hackers Hardware Toolkit](https://raw.githubusercontent.com/yadox666/The-Hackers-Hardware-Toolkit/master/TheHackersHardwareToolkit.pdf) by [@yadox666](https://github.com/yadox666)- Ultimate guide of gadgets for Red Team pentesters and security researchers
**Note**: This section is intended just to be a bit of fun, it is entirely possible to stay secure and anonymous, without having to build or buy anything. Now that more devices have been added, it's not been possible to test everything here, so these products should not be taken as recommendations, just interesting ideas, and a bit of fun
---
@ -25,6 +27,7 @@ A curated list of (DIY and pre-built) devices, to help preserve privacy and impr
## Basics
(All products in this section have been tested.)
**Item** | **Description**
--- | ---
@ -74,6 +77,7 @@ See Also [DIY Networking Hardware](#diy-networking-hardware)
- **Encrypted USB** - You can use [VeraCrypt](https://www.veracrypt.fr/en/Home.html) to create an encrypted USB drive, using any off-the shelf [USB drive](https://amzn.to/2RykcLD)
- **Home VPN** - [Pi_VPN](https://www.pivpn.io) lets you use [OpenVPN](https://openvpn.net) to connect to your home network from anywhere, through your [Pi](https://amzn.to/2uniPqa). See [this guide](https://pimylifeup.com/raspberry-pi-vpn-server) for set-up instructions. This will work particularly well in combination with Pi Hole.
- **USB Password Manager** - Storing your passwords in the cloud may be convinient, but you cannot ever be certain they won't be breached. [KeePass](https://keepass.info/help/v2/setup.html) is an offline password manager, with a portable ddition that can run of a USB. There's also an [app](https://play.google.com/store/apps/details?id=com.korovan.kpass). See also [KeePassX](https://www.keepassx.org) and [KeePassXC](https://keepassxc.org) which are popular communnity forks with additional functionality
- **Secure Chat Platform** Tinfoil Chat (TFC) is an onion-routed, endpoint secure messaging system, that relies on high assurance hardware architecture to protect users from passive collection, MITM attacks and most importantly, remote key exfiltration. See [TFC](https://github.com/maqp/tfc)
- **Automated Backups** - [Syncthing](https://syncthing.net) is a privacy-focused continuous file synchronization program. You can use it to make on-site backups as well as encrypted and sync your data with your chosen cloud storage provider
- **GPS Spoofer** - If you don't want to be tracked with GPS, then using a SDR you can send out spoof GPS signals, making near-by GPS-enabled devices think that they are in a totally different location. (Wouldn't recommend using this while on an airplane though!). You can use [gps-sdr-sim](https://github.com/osqzss/gps-sdr-sim) by [@osqzss](https://github.com/osqzss), and run it on a [Hacker RF](https://greatscottgadgets.com/hackrf) or similar SDR. Here's a [guide](https://www.rtl-sdr.com/tag/gps-spoofing) outlineing how to get started, you'll also need a [NooElec HackRF One](https://amzn.to/2Ta1s5J) or similar [SDR](https://amzn.to/39cLiOx). Check your local laws first, you may need a radio license.
- **No-Mic Laptop** - You can go one step further than using a mic-blcoker, and physically remove the microphone from your laptop. (And then use a removable external mic when needed). See how, for [Apple MacBook and iPhone](https://www.wired.com/story/remove-the-mic-from-your-phone/) | [Video Guide](https://www.youtube.com/watch?v=Eo-IwQMeVLc). If that seems to extreme, there are [other options](https://security.stackexchange.com/a/130402)
@ -92,7 +96,8 @@ If you are confident with electronics, then you could also make:
We can go even further, these products are far from essential and are maybe a little over-the-top. But fun to play around with, if you really want to avoid being tracked!
- **Self-Destroying PC** - The ORWL PC will wipe all data if it is compromised, and has many other safeguards to ensure no one other than you can access anything from your drive. Comes with QubeOS, Windows or Linux, and requires both a password and fob to log in. See more: [orwl.org](https://orwl.org)
- **Tor Travel-Router** - Plug-and-play travel router, providing WiFi with VPN or Tor for more private internet access, also has Wi-Fi uplink and range extender with a clear user interface. See more: [Anonabox.com](https://www.anonabox.com) | [Amazon](https://amzn.to/2HHV0fG)
- **Tor Travel-Router** - Plug-and-play travel router, providing WiFi with VPN or Tor for more private internet access, also has Wi-Fi uplink and range extender with a clear user interface. See more: [Anonabox.com](https://www.anonabox.com) | [Amazon](https://amzn.to/2HHV0fG) | [shop.itsfoss.com](https://shop.itsfoss.com/sales/anonabox-pro)
- **Hardware Data Encryption Token** - Savvi Solutions Purrtec Encryption Keys provide an extra layer of protection for ofline data encryption, requiring the USB to be inserted as well as the password, in order to encrypt or decrypt files and data. [Purrtec.com](http://www.purrtec.com/) | [shop.itsfoss.com](https://shop.itsfoss.com/sales/purrtec-encryption-keys-2-pack)
- **Active RFID Jamming** - Armour Card is a slim credit-card shaped device, which when in contact with any readers creates an electronic force field, strong enough to "jam" and readings from being taken by emmiting arbitrary data. Aimed at protecting cred cards, identity documents, key cards and cell phones. [US](https://amzn.to/38bJxB9) | [ArmourCard Website](https://armourcard.com)
- **Ultra-Sonic Microphone Jammer** - Blocks phones, dictaphones, voice assistants and other recording devices. Uses built-in transducers to generate ultrasonic signals that can not be heard by humans, but cause indistinct noise, on redording devices, making it impossible to distinguish any details of the conversations. See more [UK](https://amzn.to/2Hnk63s) | [US](https://amzn.to/2v2fwVG)
- **GPS Jammer** - In the DIY list, there was a link to how to build a GPS spoof device using an SDR. But you can also buy a GPS jammer, which may be useful if you fear that you are being tracked. They are aimed at preventing UAVs from operating in your area, but can also be used to confuse other tracking devices near by, there's a variety of models with varying power and range availible from $50 - $500. [AliExpress](https://www.aliexpress.com/item/4000214903055.html)
@ -131,7 +136,8 @@ We can go even further, these products are far from essential and are maybe a li
Gadgets that help protect and anonamise your internet, detect & prevent intrusions and provide additional network controlls, both at home and while traveling. There are many products like this availible, some of them are over-priced for what they are, others provide some really essential network security features. It is possible to re-create some of these solutions yourself, to save money [above](#diy-security-products).
- **Anonabox** - Plug-and-play Tor router. Wi-Fi uplink and range extender with user interface, also has VPN options and USB ports for local file sharing. [Amazon](https://amzn.to/38bwZIA) | [Anonabox.com](anonabox.com)
- **Anonabox** - Plug-and-play Tor router. Wi-Fi uplink and range extender with user interface, also has VPN options and USB ports for local file sharing. [Amazon](https://amzn.to/38bwZIA) | [Anonabox.com](anonabox.com) | [shop.itsfoss.com](https://shop.itsfoss.com/sales/anonabox-pro)
- **Turris Omnia Router** - Open source wireless router, running OpenWrt. Above average specs, and useful features including automatic updates, distributed adaptive firewall and virtual server. Via [turris.com](https://www.turris.com/en/omnia/overview/) | [Amazon](https://www.amazon.com/Turris-hi-Performance-printserver-Virtual-Dual-core/dp/B07XCKK146)
- **FingBox** - Network monitoring and security, for what it offers Fing is very affordable, and there is a free [app](https://www.fing.com/products/fing-app) that you can use before purchasing the hardware to get started. [Fing.com](https://www.fing.com/products/fingbox) | [US](https://amzn.to/2wlXfCT) | [UK](https://amzn.to/2I63hKP)
- **BitdefenderBox** - Cybersecurity home firewall hub, for protecting IoT and other devices. Has other features such as parental controlls and is easy to set up. [US](https://amzn.to/2vrurZJ) | [UK](https://amzn.to/34Ul54w)
- **Flashed-Routers** - Pre-configured branded routers, flashed with custom open source firmware, for better security, privacy and performance. [flashrouters.com](https://www.flashrouters.com/routers)
@ -141,6 +147,7 @@ Gadgets that help protect and anonamise your internet, detect & prevent intrusio
- **Firewalla Red** - An intrusion detection and intrusion prevention system, with a web and mobile interface. Also has Ad-block, VPN, internet controll features and insights. [US](https://amzn.to/388BlAw) | [Firewalla.com](https://firewalla.com)
- **LibertyShield** - Pre-configured, plug-and-play multi-country VPN router, note that after 1 year there is a monthly subscription. [US](https://amzn.to/2T89vzU) | [UK](https://amzn.to/2twJlwM)
- **Gigabit Travel AC VPN Router** - A fully-featured dual-band travel router with VPN capabilities. [US](https://amzn.to/32HD1zU) | [UK](https://amzn.to/2SkUxFg)
- **Helios 64** - ARM-powered fully open source NAS. Using a local backup solution mitigates a lot of the privacy concerns of popular cloud storage providers, and Kobol's Helios 64 is a great option in terms of cost, reliability, functionality and security. High capacity (up to 80TB across 5-bays), with good network throughput (2.5GB multi-Gigabit Ethernet and dual LAN), adequate computing power and memory, great reliability, (with a built-in UPS, dual DC input). [Kobol.io](https://kobol.io/)
- **InvizBox** - Tor router, that provides speed, privacy and security for all devices connected to it. [Invizbox.com](https://www.invizbox.com) | [Amazon](https://amzn.to/2w4v7V3)
- **InviziBox Go** - Portable VPN: https://amzn.to/386ikPT
- **WatchGuard Firebox** - Business-grade network firewall. [US](https://amzn.to/2VF0MqR) | [UK](https://amzn.to/2VF12WR)

39
README.md
View File

@ -142,6 +142,7 @@ The big companies providing "free" email service, don't have a good reputation f
**Dont connect third-party apps to your email account** | Optional | If you give a third-party app or plug-in (such as Unroll.me, Boomerang, SaneBox etc) full access to your inbox, they effectively have full unhindered access to all your emails and their contents, which poses [significant security and privacy risks](https://zeltser.com/risks-of-email-search-services/)
**Don't Share Sensitive Data via Email** | Optional | Emails are very easily intercepted. Further to this you cant be sure of how secure your recipient's environment is. Therefore emails cannot be considered safe for exchanging confidential or personal information, unless it is encrypted/ or both parties are using a secure mail provider
**Consider Switching to a Secure Mail Provider** | Optional | Secure and reputable email providers such as [ProtonMail](https://protonmail.com) and [Tutanota](https://tutanota.com) allow for end-to-end encryption, full privacy as well as more security-focused features. Unlike typical email providers, your mailbox cannot be read by anyone but you, since all messages are encrypted. Providers such as Google, Microsoft and Yahoo scan messages for advertising, analytics and law enforcement purposes, but this poses a serious security threat
**Use Smart Key** | Advanced | OpenPGP also [does not support](https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection) Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great care to keep your private keys safe. One method of doing so, is to use a USB Smart Key to sign or decrypt messages, allowing you to do so without your private key leaving the USB device. Devices which support this include [NitroKey](https://www.nitrokey.com/), [YubiKey 5](https://www.yubico.com/products/yubikey-5-overview/) (See [Yubico Neo](https://developers.yubico.com/ykneo-openpgp/)), [Smart Card](https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3) (See [guide](https://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smartcard/)), [OnlyKey](https://onlykey.io/)
**Use Aliasing / Anonymous Forwarding** | Advanced | Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. Effectively allowing you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address. More importantly, you do not need to reveal your real email address to any company. <br>[Anonaddy](https://anonaddy.com) and [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) are open source anonymous email forwarding service allowing you to create unlimited email aliases, with a free plan
**Subaddressing** | Optional | An alternative to aliasing is [subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing), where anything after the `+` symbol is omitted during mail delivery, for example you the address yourname+tag@example.com denotes the same delivery address as yourname@example.com. This was defined in [RCF-5233](https://tools.ietf.org/html/rfc5233), and supported by most major mail providers (inc Gmail, YahooMail, Outlook, FastMail and ProtonMail). It enables you to keep track of who shared/ leaked your email address, but unlike aliasing it will not protect against your real address being revealed
**Use a Custom Domain** | Advanced | Using a custom domain, means that even you are not dependent on the address assigned my your mail provider. So you can easily switch providers in the future and do not need to worry about a service being discontinued
@ -200,13 +201,15 @@ Secure your account, lock down your privacy settings, but know that even after d
**Secure you Account** | Recommended | Profiles media profiles get stolen or taken over all too often. To protect your account: use a unique and strong password, and enable 2-factor authentication. See the [Authentication](#authentication) section for more tips
**Check Privacy Settings** | Recommended | Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. But remember, privacy settings are only meant to protect you from other members of the social network- they do not shield you or your data from the owners of the network. See how to set privacy settings, with [this guide](https://securityinabox.org/en/guide/social-networking/web)
**Think of All Interactions as Public** | Recommended | There are still numerous methods of viewing a users 'private' content across many social networks. Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?"
**Think of All Interactions as Permanent** | Recommended | Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party services, who archive this data and make it indexable and publicly available almost [forever](https://www.inc.com/meredith-fineman/what-we-post-online-is-forever-and-we-need-a-reminder.html). Sites like Ceddit, and [/r/undelete](https://www.reddit.com/r/undelete/), [Politwoops](https://projects.propublica.org/politwoops/), The [Way Back Machine](https://archive.org/web/) allow anyone to search through deleted posts, websites and media. Therefore it's important to not unintentially reveal too much information, and to consider what the implications would be if it were to go 'viral'
**Don't Reveal too Much** | Recommended | Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc)
**Be Careful what you say** | Recommended | Status updates, comments and photos can unintentionally reveal a lot more than you intended them to (such as location, preferences, contacts etc)
**Don't Share Email or Phone Number** | Recommended | Posting your real email address or mobile number, gives hackers, trolls and spammers more munition to use against you
**Be Careful what you Upload** | Recommended | Status updates, comments, check-ins and media can unintentionally reveal a lot more than you intended them to (such as location, preferences, contacts/ relationships etc). This is especially relevant to photos and videos, which may show things in the background (documents, road names/ signs, credit cards, electronic devices), even more so when there are multiple images uploaded
**Don't Share Email or Phone Number** | Recommended | Posting your real email address or mobile number, gives hackers, trolls and spammers more munition to use against you, and can also allow seperate alliases, profiles or data points to be connected
**Don't Grant Unnecessary Permissions** | Recommended | By default many of the popular social networking apps will ask for permission to access your contacts, call log, location, messaging history etc.. If they dont need this access, dont grant it. For Android users, check out [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission) - an app that gives you the ability to grant permissions temporarily
**Be Careful of 3rd-Party Integrations** | Recommended | Avoid signing up for accounts using a Social Network login, revoke access to social apps you no longer use, see instructions for: [Facebook](https://www.facebook.com/settings?tab=applications), [Twitter](https://twitter.com/settings/applications), [Insta](https://www.instagram.com/accounts/manage_access/) and [LinkedIn](https://www.linkedin.com/psettings/permitted-services)
**Remove metadata before uploading media** | Optional | Most smartphones and some cameras automatically attach a comprehensive set of additional data (called [EXIF data](https://en.wikipedia.org/wiki/Exif)) to each photograph. This usually includes things like time, date, location, camera model, user etc. It can reveal a lot more data than you intended to share. Remove this data before uploading. You can remove meta data [without any special software](https://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/), use [a CLI tool](https://www.funkyspacemonkey.com/how-to-remove-exif-metadata), or a desktop tool like [EXIF Tage Remover](https://rlvision.com/exif/)
**Consider False Information** | Recommended | If you just want to read, and do not intend on posting too much- consider using an alias name, and false contact details. Remember that there are still methods of tracing your account back to you, but this could mitigate a lot of threats. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Don't link accounts in any way- don't comment on / liking inter-account posts, avoid logging in from the same IP and use different passwords (so the accounts cannot be linked in the case of a data breach)
**Consider Spoofing GPS in home visinity** | Advanced | Even if you yourself never use social media, strip geo-data from all media and disable device radios- there is always going to be others who are not as careful, and could reveal your location. For example, if you have guests, family members or visitors to your home residence, their device will likley be recording GPS and logging data. One method around this, is to use an SDR to [spoof GPS signals](https://www.rtl-sdr.com/tag/gps-spoofing/), causing all devices in the visinity to believe they are in a different, pre-defined location
**Consider False Information** | Advanced | If you just want to read, and do not intend on posting too much- consider using an alias name, and false contact details. Remember that there are still methods of tracing your account back to you, but this could mitigate a lot of threats. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Don't link accounts in any way- don't comment on / liking inter-account posts, avoid logging in from the same IP and use different passwords (so the accounts cannot be linked in the case of a data breach)
**Dont have any social media accounts** | Advanced | Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any mainstream social networks
**Recommended Software**
@ -223,7 +226,7 @@ This section covers how you connect your devices to the internet securely, inclu
--- | --- | ---
**Use a VPN** | Recommended | Use a reputable, paid-for VPN. This can help protect sites you visit logging your real IP, reduce the amount of data your ISP can collect and increase protection on public WiFi. However VPNs alone do not make you anonymous or stop tracking, it's important to understand their [limitations](/5_Privacy_Respecting_Software.md#word-of-warning-2). <br>[ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net) may be good options for many, but for an unbiased comparison, see: [That One Privacy Site](https://thatoneprivacysite.net). Select a service with a good reputation, that does not keep logs, and is not in the [5-eyes](https://en.wikipedia.org/wiki/Five_Eyes) jurisdiction
**Change your Router Password** | Recommended | After getting a new router, change the password. Default router passwords are publicly available (see [default-password.info](https://default-password.info)), meaning anyone within proximity would be able to connect. See [here](https://www.lifewire.com/how-to-change-your-wireless-routers-admin-password-2487652), for a guide on changing router password
**Use WPA2, and a strong password** | Recommended | There are different authentication protocols for connecting to WiFi. Currently the most secure is [WPA2](https://en.wikipedia.org/wiki/IEEE_802.11i-2004), since WEP and WPA are moderately [easy to crack](https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wep-passwords-with-aircrack-ng-0147340/). Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words. You can set this within your routers admin panel
**Use WPA2, and a strong password** | Recommended | There are different authentication protocols for connecting to WiFi. Currently the most secure is options are [WPA2](https://en.wikipedia.org/wiki/IEEE_802.11i-2004) and [WPA3](https://www.pcmag.com/news/what-is-wpa3-more-secure-wi-fi) (on newer routers). WEP and WPA are moderately [easy to crack](https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wep-passwords-with-aircrack-ng-0147340/). Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words. You can set this within your routers admin panel
**Keep router firmware up-to-date** | Recommended | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. <br>You can usually do this by navigating to [192.168.0.1](192.168.0.1) or [192.168.1.1](192.168.1.1), entering the admin credentials (on the back of you of your router, not your WiFi password!), and follow the instructions, see: [Asus](https://www.asus.com/support/FAQ/1005484/), [D-Link](https://eu.dlink.com/uk/en/support/faq/routers/mydlink-routers/dir-810l/how-do-i-upgrade-the-firmware-on-my-router), [Linksys (older models)](https://www.linksys.com/us/support-article?articleNum=140365), [NetGear](https://kb.netgear.com/23442/How-do-I-update-my-NETGEAR-router-s-firmware-using-the-Check-button-in-the-router-web-interface) and [TP-Link](https://www.tp-link.com/us/support/faq/688/). Some newer routers update automatically
**Implement a Network-Wide VPN** | Optional | If you configure your VPN on your router, firewall or home server, then traffic from all devices will be encrypted and routed through it, without needing individual VPN apps. This reduces the chance: of IP leaks, VPN app crashes, and provides VPN access to devices which don't support VPN clients (TV's, Smart Hubs, IoT devices etc)
**Protect against DNS leaks** | Optional | When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or secure service. For OpenVPN, you can add: `block-outside-dns` to your config file (which will have the extension `.ovn` or `.conf`). If you are unable to do this, then see [this article](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html) for further instructions. You can check for leaks, using a [DNS Leak Test](https://www.dnsleaktest.com/)
@ -231,11 +234,20 @@ This section covers how you connect your devices to the internet securely, inclu
**Secure DNS** | Optional | Use [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) which performs DNS resolution via the HTTPS protocol, encrypting data between you and your DNS resolver. Although DoH is [not perfect](https://www.netsparker.com/blog/web-security/pros-cons-dns-over-https/), it does remove the need for trust - see [CoudFlares 1.1.1.1 Docs](https://1.1.1.1/help) for more details
**Avoid the free router from your ISP** | Optional | Typically theyre manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't recieve regular security updates. Consider an open source router (such as [Turris MOX](https://www.turris.cz/en/mox/overview/)) or a comercial router with [secure firmware](/5_Privacy_Respecting_Software.md#router-firmware)
**Whitelist MAC Addresses** | Optional | You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately connect to your network, even if they know your credentials. Note that a malicious actor may be able to bypass this, by cloning their address to appear the same as one of your trusted devices, but it will add an extra step
**Change the Routers Local IP Address** | Optional | It is possible for a malicious script in your web browser, to exploit a cross site scripting vulnerability, accessing known-vulnerable routers at their local IP address and tampering with them (known as [CSRF Attack](https://decoded.avast.io/threatintel/router-exploit-kits-an-overview-of-routercsrf-attacks-and-dns-hijacking-in-brazil/)). Updating your routers local IP address, so that it is not the default (usually 192.168.0.1 or [similar](https://www.softwaretestinghelp.com/default-router-ip-address-list/)), can help protect you from some of these automated attacks
**Don't Reveal Personal Info in SSID** | Optional | You should update your network name, choosing an SSID that does not identify you, include your flat number / address, and does not specify the device brand/ model. It may be beneficial to avoid something very unique, as services like [Wigle](https://www.wigle.net/)'s WiFi map can link an SSID directly back to your home address. This may also slightly aid in deterring an opportunistic attacker, as it indicates the router is being conscientiously administered. See, [how to update SSID](https://www.lifewire.com/change-the-wifi-name-ssid-on-a-router-818337)
**Opt-Out Router Listings** | Optional | WiFi SSIDs is scanned, logged and then published on various websites (such as [Wiggle WiFi SSID Map](https://www.wigle.net/)), which is a serious privacy concern for some. You can [opt-out of many of these listings](https://www.ghacks.net/2014/10/29/add-_nomap-to-your-routers-ssid-to-have-it-ignored-by-google-and-mozilla/), by adding `_nomap` to the end of your SSID (WiFi network name)
**Hide your SSID** | Optional | Your routers Service Set Identifier is simply the network name. If it is not visible, it may receive less abuse. However understand that finding hidden networks is a [trivial task](https://www.acrylicwifi.com/en/blog/hidden-ssid-wifi-how-to-know-name-of-network-without-ssid/) (e.g. with [Kismet](https://www.kismetwireless.net/)). See, [how to hide SSID](https://www.lifewire.com/hide-your-wireless-network-from-your-internet-leeching-neighbors-2487655)
**Disable WPS** | Optional | Wi-FI Protected Setup provides an easier method to connect, without entering a long WiFi password, it often involves a physical button on your router, entering an 8-digit PIN, or tapping an NFC. It may be convenient, but WPS introduces a series of [major security issues](https://www.computerworld.com/article/2476114/the-woops-of-wps--wi-fi-protected-setup--raises-its-ugly-head-again.html), allowing an attacker to bypass the password, and gain easy access into your network. See, [how to disable WPS](https://www.howtogeek.com/176124/wi-fi-protected-setup-wps-is-insecure-heres-why-you-should-disable-it/)
**Disable UPnP** | Optional | Universal Plug and Play allows applications to automatically forward a port on your router, saving you the hassle of forwarding ports manually. However, it has a long history of [serous security issues](https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/), and so it is recommended to turn this feature off. See, [how to disable UPnP](https://lifehacker.com/disable-upnp-on-your-wireless-router-already-1844012366)
**Use a Guest Network for Guests** | Optional | Do not grant access to your primary WiFi network to visitors, as it enables them to interact with other devices on the network (such as printers, IoT/ smart home devices, network-attached storage/ servers etc). Even if it is someone you trust, you cannot guarantee that their device has not been compromised in some way. Some routers offer the ability to enable a separate 'guest' network, which provides isolation and is able to expire after a given time frame. For a more comprehensive network, the same outcome can be achieved using [a VLAN and separate access point](http://alduras.com/wp/guest-wifi-network-why-vlans/). See, [how to enable guest network](https://www.lifewire.com/guest-network-for-home-tutorial-818204)
**Change your Router's Default IP** | Optional | Modifying your router admin panels default IP address will makes it more difficult for malicious scripts in your web browser targeting local IP addresses, as well as adding an extra step for local network hackers
**Kill unused processes and services on your router** | Optional | Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, [any service thats not used should be disabled](https://www.securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php) to reduce attack surface
**Disable UPnP** | Optional | Universal Plug and Play may allow you to save time with Port Forwarding, but it opens doors to many [security risks](https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/). It can be disabled from your routers admin panel
**Don't have Open Ports** | Optional | Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers. You can use a port scanner (such as [AngryIP](https://angryip.org)), or a [web service](https://www.yougetsignal.com/tools/open-ports/)
**Disable Unused Remote Access Protocols** | Optional | When protocols such as PING, Telnet, SSH, UPnP and HNAP etc are enabled, they allow your router to be probed from anywhere in the world, and so should be disabled if not in use. Instead of setting their relevant ports to 'closed', set them to 'stealth' so that no response is given to unsolicited external communications that may come from attackers probing your network
**Disable Cloud-Based Management** | Optional | You should treat your routers admin panel with the upmost care, as considerable damage can be caused if an attacker is able to gain access. You should take great care when accessing this page, ensuring you always log out, or considering Incognito mode. Most routers offer a 'remote access' feature, allowing you to access the admin web interface from anywhere in the world, using your username and password. This greatly increases attack surface, and opens your network up to a host of threats, and should therefore be disabled. You could also take it a step further, disable the admin interface over WiFi, meaning the settings can only be modified when using a direct Ethernet connection. Note that disabling cloud management may not be possible on some modern mesh-based routers
**Manage Range Correctly** | Optional | It's common to want to pump your routers range to the max, and often this is necessary, especially if you live in a large house, or desire coverage in outdoor spaces. But if you reside in a smaller flat, and have neighbors close by, your attack surface is increased when your WiFi network can be picked up across the street. It maybe worth carefully configuring your networks, and device antennas to provide coverage only within your operating area/ apartment. One method of doing so, it to utilize the 5-GHz band, which provides a faster link speed, but a lesser range, and is easily blocked by thick walls
**Route all traffic through Tor** | Advanced | VPNs have their weaknesses- you are simply moving your trust from your ISP/ mobile carrier to a VPN provider- Tor is much more anonymous. For optimum security, route all your internet traffic through the Tor network. On Linux you can use [TorSocks](https://gitweb.torproject.org/torsocks.git) or [Privoxy](https://www.privoxy.org/), for Windows you can use [Whonix](https://www.whonix.org/), and on OSX [follow thsese instructions](https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/), for Kali see [TorGhost](https://github.com/SusmithKrishnan/torghost). Alternativley, you can use [OnionPi](https://learn.adafruit.com/onion-pi/overview) to use Tor for all your connected devices, by [configuring a Raspberry Pi to be a Tor Hotspot](https://lifehacker.com/how-to-anonymize-your-browsing-with-a-tor-powered-raspb-1793869805)
**Disable WiFi on all Devices** | Advanced | Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and connect each device via Ethernet, and turning off WiFi on your phone and using a USB-C/ Lightening to Ethernet cable will protect against WiFi exploits, as Edward Snowden [says here](https://twitter.com/snowden/status/1175431946958233600?lang=en).
@ -276,7 +288,7 @@ More of us are concerned about how [governments use collect and use our smart ph
**Opt-out of personalized ads** | Optional | In order for ads to be personalized, Google collects data about you, you can slightly reduce the amount they collect by opting-out of seeing personalized ads. See [this guide](https://www.androidguys.com/tips-tools/how-to-disable-personalized-ads-on-android/), for Android instructions.
**Erase after too many login attempts** | Optional | To protect against an attacker brute forcing your pin, if you lose your phone, set your device to erase after too many failed login attempts. See [this iPhone guide](https://www.howtogeek.com/264369/how-to-erase-your-ios-device-after-too-many-failed-passcode-attempts/). You can also do this via Find my Phone, but this increased security comes at a cost of decreased privacy.
**Monitor Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usages. [εxodus](https://reports.exodus-privacy.eu.org/en/) is a great service which lets you search for any app, by its name, and see which trackers are embedded in it. They also have [an app](https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy) which shows trackers and permissions for all your installed apps.
**Use Mobile a Firewall** | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will allow you to block specific apps from making data requests, either in the background, or when on WiFi or mobile data. Consider [NetGuard](https://www.netguard.me/) (Android) or [LockDown](https://apps.apple.com/us/app/lockdown-apps/id1469783711) (iOS), or see more [Firewalls](/5_Privacy_Respecting_Software.md#firewalls)
**Use a Mobile Firewall** | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will allow you to block specific apps from making data requests, either in the background, or when on WiFi or mobile data. Consider [NetGuard](https://www.netguard.me/) (Android) or [LockDown](https://apps.apple.com/us/app/lockdown-apps/id1469783711) (iOS), or see more [Firewalls](/5_Privacy_Respecting_Software.md#firewalls)
**Reduce Background Activity** | Optional | For Android, [SuperFreeze](https://f-droid.org/en/packages/superfreeze.tool.android) makes it possible to entirely freeze all background activities on a per-app basis. Intended purpose is to speed up your phone, and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background
**Sandbox Mobile Apps** | Optional | Prevent permission-hungry apps from accessing your private data with [Island](https://play.google.com/store/apps/details?id=com.oasisfeng.island). It is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos and etc.) even if related permissions are granted
**Tor Traffic** | Advanced | [Orbot](https://guardianproject.info/apps/orbot/) provides a system-wide [Tor](https://www.torproject.org/) connection, which will help protect you from surveillance and public WiFi threats
@ -284,8 +296,9 @@ More of us are concerned about how [governments use collect and use our smart ph
**Restart Device Regularly** | Optional | Over the years there have vulnerabilities relating to memory exploits (such as [CVE-2015-6639](https://www.cvedetails.com/cve/CVE-2015-6639) + [CVE-2016-2431](https://www.cvedetails.com/cve/CVE-2016-2431)). Restarting your phone at least once a week will clear the app state cached in memory. A side benefit is that your device may run more smoothly after a restart.
**Avoid SMS** | Optional | SMS may be convenient, but it's [not particularly secure](https://www.fortherecordmag.com/archives/0315p25.shtml). It is susceptible to threats, such as interception, sim swapping (see [this article](https://www.forbes.com/sites/kateoflahertyuk/2020/01/21/the-surprising-truth-about-sms-security)), manipulation and malware (see [this article](https://www.securitynewspaper.com/2019/09/13/hack-any-mobile-phone-with-just-a-sms)). <br>SMS should not be used to receive 2FA codes, (as demonstrated in the video in [this article](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin)), instead use an [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication). SMS should not be used for communication, instead use an [encrypted messaging app](/5_Privacy_Respecting_Software.md#encrypted-messaging), such as [Signal](https://signal.org)
**Keep your Number Private** | Optional | [MySudo](https://mysudo.com/) allows you to create and use virtual phone numbers for different people or groups. This is great for compartmentalisation. Alternativley, use a VOIP provider like [Google Voice](https://voice.google.com) or [Skype](https://www.skype.com/en/features/online-number/), or for temporary usage you can use a service like [iNumbr](https://www.inumbr.com). Where possible, avoid giving out your real phone number while creating accounts online.
**Watch out for Stalkerware** | Optional | This is a malware that is installed directly onto your device by someone you know (partner, parent, boss etc.). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app draw, (but may visible in Settings --> Applications --> View All). Sometimes they can be disguised as a non-conspicuous app (such as a game, flashlight or calculator) which initially don't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset. See [this guide](https://blog.malwarebytes.com/stalkerware/2019/10/how-to-protect-against-stalkerware-a-murky-but-dangerous-mobile-threat/) for more details.
**Consider running a custom ROM if you have an Android device** | Advanced | For Android users, if your concerned about your device manufacturer collecting too much personal information, consider a privacy-focused custom ROM, such as [Lineage](https://lineageos.org) or [CopperheadOS](https://copperhead.co/android/) - [see more](/5_Privacy_Respecting_Software.md#mobile-operating-systems)
**Watch out for Stalkerware** | Optional | This is a malware that is installed directly onto your device by someone you know (partner, parent, boss etc.). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app draw, (but may visible in `Settings --> Applications --> View All`). Sometimes they can be disguised as a non-conspicuous app (such as a game, flashlight or calculator) which initially don't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset. See [this guide](https://blog.malwarebytes.com/stalkerware/2019/10/how-to-protect-against-stalkerware-a-murky-but-dangerous-mobile-threat/) for more details
**Favor the Browser, over Dedicated App** | Optional | Where possible, consider using a secure browser to access sites, rather than installing dedicatd applications. Both Android and iOS applications often have invasive permissions, allowing them intimate access to sensitive data and your devices sensors and radios. But [the extent to what these apps can access](https://www.wired.com/story/app-permissions/) is often not clear, and even [zero-permission apps](https://www.leviathansecurity.com/blog/zero-permission-android-applications) can see more data than you think: accessing phone sensors, vendor ID's and determine which other apps you have installed. All this is enough to identity you. In some situations you can still use a service, without having to install an application, through accessing it via the browser, and this can help mitigate a lot of the issues cause by untrustworthy apps
**Consider running a custom ROM (Android)** | Advanced | For Android users, if your concerned about your device manufacturer collecting too much personal information, consider a privacy-focused custom ROM, such as [Lineage](https://lineageos.org) or [GrapheneOS](https://grapheneos.org) - [see more](/5_Privacy_Respecting_Software.md#mobile-operating-systems)
**Recommended Software**
- [Mobile Apps, for Security + Privacy](/5_Privacy_Respecting_Software.md#mobile-apps)
@ -308,6 +321,7 @@ Although Windows and OS X are easy to use and convenient, they both are far from
**Manage Permissions** | Recommended | In a similar way to phones, your OS can grant certain permissions to applications. It's important to keep control over which apps and services have access to your location, camera, microphone, contacts, calendar and other account information. Some systems let you restrict which apps can send or recieve messages, as well as which apps can which processes can control radios such as Bluetooth and WiFi. In Windows, navigate to `Settings --> Privacy`, and for MacOS, go to `System Preferences --> Security & Privacy --> Privacy`. <br>Note that there are other methods that apps can use to access this data, and this is just one step towards protecting it. You should check back regularly, as sometimes system updates can cause some privacy settings to be modified or reverted
**Disallow Usage Data from being sent to the Cloud** | Recommended | Both Windows and MacOS collect usage information or feedback, which is send to the cloud for analytics, diagnostics and research. Although this data should be anonymized, it can often be linked back to your identity when compared with other usage data. In Windows, there is no way to disable this fully, but you can limit it- navigate to `Settings --> Privacy --> Feedback & diagnostics`, and select `Basic`. You also have the option to disallow your advertising ID from being shared with apps on your system. In MacOS, it can be turned off fully, go to `System Preferences --> Privacy --> Diagnostics & Usage`, and untick both options
**Avoid Quick Unlock** | Recommended | Use a password to unlock your computer, ensure it is long and strong. Avoid biometrics such as facial recognition and fingerprint. These can be spoofed, allowing an intruder access to your account. Also, for Windows devices, avoid using a short PIN to unlock your machine.
**Power Off Computer, instead of Standby** | Recommended | You must shut down your device when not in use, in order for the disk to be encrypted. Leaving it in standby/ sleep mode keeps your data in an unencrypted state, and vulnerable to theft. Microsoft even recommends [disabling the sleep functionality](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq#what-are-the-implications-of-using-the-sleep-or-hibernate-power-management-options) all together, once BitLocker is enabled. This only applies to encrypted disks, and is true for FileVault (MacOS), BitLocker (Windows), VeraCrypt, Self-Encrypting Drives and most other disk encryption methods. Another reason to shut down, is because the machine is completely offline while it is off, and cannot be hacked remotely. It also can't communicate with a command and control server, if it has already been infected with an exploit
**Don't link your PC with your Microsoft or Apple Account** | Optional | Create a local account only. This will prevent some data about your usage being uploaded and synced between devices. Avoid syncing your iPhone or Android device to your computer, as this will automatically lead to it being associated with your Apple, Microsoft or Google account. <br>If sync is important to you, there are open source services that encrypt you data, and sync between devices. For example [XBrowserSync](https://www.xbrowsersync.org/) for bookmarks, history and browser data, [ETESync](https://www.etesync.com/accounts/signup/?referrer=QK6g) for calendar, contacts and tasks, [Syncthing](https://syncthing.net/) for files, folders and filesystems
**Check which Sharing Services are Enabled** | Optional | The ability to share files and services with other machines within your network, can be useful, but also acts as a gateway for common threats. You should disable the network sharing features that you are not using. For Windows, navigate to `Control Panel --> Network and Internet --> Network and Sharing Center --> Advanced sharing settings`, and for MacOS, just go to `System Preferences --> Sharing` and disable anything that you do not need. For Windows users, you should ensure that [remote desktop is disabled](https://www.laptopmag.com/articles/disable-remote-desktop). And also control apps ability to sync with non-pairing devices, such as beacons that transmit advertising information- this is also in the privacy settings
**Don't use Root/ Admin Account for Non-Admin Tasks** | Optional | You should not use administrator / root account for general use. Instead, use an unprivileged user account, and temporarily elevate permissions when you need to make administrator changes. This will [mitigate a large proportion of vulnerabilities](https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/), because a malicious program or an attacker can do significantly less damage without an administrator power. See [this guide for Windows and MacOS](https://www.maketecheasier.com/why-you-shouldnt-use-admin-account/), on how to implement this. You should also ensure that a password is required for all system wide changes, as this helps protect against malware doing widespread damage. In Windows this is enabled by default, in MacOS, navigate to `System Preferences --> Security & Privacy --> General --> Advanced`
@ -323,6 +337,7 @@ Although Windows and OS X are easy to use and convenient, they both are far from
**Periodically check for Rootkits** | Advanced | You should regularly check for rootkits (which may allow an attacker full control over your system), you can do this with a tool like [chkrootkit](http://www.chkrootkit.org/), once installed just run `sudo chkrootkit`. For Windows users, see [rootkit-revealer](https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer) or [gmer](http://www.gmer.net/)
**BIOS Boot Password** | Advanced | A BIOS or UEFI password once enabled, will need to be entered before the system can be booted, which may help to prevent an inexperienced hacker from getting into your OS, booting from a USB, tampering with BIOS as well as other actions. However, it can be easy to bypass, don't put too much trust in this - it should only be used as an additional step, to exhaust your adversaries resources a little faster. [Here is a guide on how to enable password](https://www.howtogeek.com/186235/how-to-secure-your-computer-with-a-bios-or-uefi-password/).
**Use a Security-Focused Operating System** | Advanced | Microsoft, Apple and Google all have practices that violate users privacy, switching to Linux will mitigate most of these issues. For more advanced users, consider a security-focused distro- such as [QubeOS](https://www.qubes-os.org/), which allows for compartmentalization of applications and data, and has strong encryption and Tor networking build in. For some actions, [Tails](https://tails.boum.org/) a live operating system with no memory persistence is as close as you can get to not leaving a data trail on your system. BSD is also great for security, see [FreeBSD](https://www.freebsd.org/) and [OpenBSD](https://www.openbsd.org/). Even a general purpose distro, will be much better for privacy compared to a propriety counterpart: [Fedora](https://getfedora.org/), [Debian](https://www.debian.org/), [Arch](https://www.archlinux.org/) / [Manjaro](https://manjaro.org/), [see more](/5_Privacy_Respecting_Software.md#pc-operating-systems)
**Make Use of VMs** | Advanced | If your job, or any of your activity could endanger your system, or put you at risk, then virtual machines are a great tool to isolate this from your primary system. They allow you to test suspicious software, and analyse potentially dangerous files, while keeping your host system safe. They also provide a host of other features, from quick recovery using snapshots, to the ability to replicate configurations easily, and have multiple VMs running simultaneously. Taking this a step further, VMs can be use for compartmentalization, with a host system performing the single task of spawning VMs (systems like [ProxMox](https://www.proxmox.com/en/), is designed for exactly this). Be aware that virtual machines do not grantee security, and vulnerabilities, named [VM-Escapes](https://en.wikipedia.org/wiki/Virtual_machine_escape), may allow for data in memory to leak into the host system
**Compartmentalize** | Advanced | Security by [Compartmentalization](https://en.wikipedia.org/wiki/Compartmentalization_(information_security)) is a strategy, where you isolate different programs and data sources from one another as much as possible. That way, attackers who gain access to one part of the system are not able to compromise all of the users privacy, and corporate tracking or government surveillance shouldn't be able to link together different compartments. At the simplest level, you could use separate browsers or [multi-account containers](https://support.mozilla.org/en-US/kb/containers) for different activities, but taking it further you could have a virtual machine for each category (such as work, shopping, social etc). Alternativley, consider [Qubes OS](https://www.qubes-os.org), which is designed for exactly this, and sandboxes each app in it's own Xen Hypervisor VM, while still providing great user experience
**Disable Undesired Features (Windows)** | Advanced | Microsoft Windows 10 is far from lean, and comes with many bundles "features" that run in the background, collecting data and using resources. Consider disabling are: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that may make these fixes, and more easier, such as [HardenTools](https://github.com/securitywithoutborders/hardentools), or [ShutUp10](https://www.oo-software.com/en/shutup10). Note: This should only be done if you are competent Windows user, as modifying the registry can cause issues
**Secure Boot** | Advanced | For Windows users, ensure that [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) is enabled. This security standard, ensures that your device boots only to trusted software when the PC starts. It prevents malware, such as a rootkit from maliciously replacing your boot loader, which could have serious consequences. Some Linux distros also work with secure boot (if they've applied to have their boot loaders signed by Microsoft), while others are incompatible (in which case, secure boot will need to be disabled)
@ -345,7 +360,7 @@ Although Windows and OS X are easy to use and convenient, they both are far from
Home assistants (such as Google Home, Alexa and Siri) and other internet connected devices collect large amounts of personal data (including voice samples, location data, home details and logs of all interactions). Since you have limited control on what is being collected, how it's stored, and what it will be used for, this makes it hard to recommend any consumer smart-home products to anyone who cares about privacy and security.
Security vs Privacy: There are many smart devices on the market that claim to increase the security of your home while being easy and convenient to use (Such as [Cave Burglar Alarm](https://amzn.to/2Rx83Fb), [Blink Cam](https://amzn.to/30ylzg9), [Yale Lock](https://amzn.to/2tnQzDv) and [Ring Doorbell](https://amzn.to/2ufQ1zi) to name a few). These devices may appear to make security easier, but there is a trade-off in terms of privacy: as they collect large amounts of personal data, and leave you without control over how this is stored or used. The security of these devices is also questionable, since many of them can be (and are being) hacked, allowing an intruder to bypass detection with minimum effort.
Security vs Privacy: There are many smart devices on the market that claim to increase the security of your home while being easy and convenient to use (Such as Smart Burglar Alarms, Internet Security Cameras, Smart Locks and Remote access Doorbells to name a few). These devices may appear to make security easier, but there is a trade-off in terms of privacy: as they collect large amounts of personal data, and leave you without control over how this is stored or used. The security of these devices is also questionable, since many of them can be (and are being) hacked, allowing an intruder to bypass detection with minimum effort.
The most privacy-respecting option, would be to not use "smart" internet-connected devices in your home, and not to rely on a security device that requires an internet connection. But if you do, it is important to fully understand the risks of any given product, before buying it. Then adjust settings to increase privacy and security. The following checklist will help mitigate the risks associated with internet-connected home devices.
@ -360,7 +375,7 @@ The most privacy-respecting option, would be to not use "smart" internet-connect
**Protect your Network** | Recommended | On many smart home devices, anybody connected to your home WiFi is able to view the device content (such as camera footages, or motion statistics). So ensure that your WiFi and home networks are properly secured with a strong password and up-to-date firmware. (See the [Router Section](#your-router) for more details)
**Be wary of wearables** | Optional | Wearable smart devices allow companies to log even more data than ever before; they can track your every move to know exactly where you are and what you are doing at any given time. Again, you as the consumer have no control over what is done with that data.
**Don't connect your home's critical infrastructure to the Internet** | Optional | While a smart thermostat, burglar alarm, smoke detector and other appliances may seem convenient, they by design can be accessed remotely, meaning a hacker can gain control of your entire home, without even needing to be nearby. And by breaching multiple devices, the effects can be very serious.
**Don't use Alexa/ Google Home** | Optional | It is a known fact that voice-activated assistants collect a lot of personal data. Consider switching to [MyCroft](https://mycroft.ai/) which is an open source alternative, with much better privacy.
**Mitigate Alexa/ Google Home Risks** | Optional | It is a known fact that voice-activated assistants collect a lot of personal data, and open the door to a mirage of security issues. Consider switching to [Mycroft](https://mycroft.ai/) which is an open source alternative, with much better privacy. Alternativley, if you wish to continue using your current voice assistant, check out [Project Alias](https://github.com/bjoernkarmann/project_alias), which prevents idle listening
**Monitor your home network closely** | Optional | Check your local network for suspicious activity. One of the easier methods to do this is with [FingBox](https://amzn.to/38mdw8F), but you can also do it directly [through some routers](https://www.howtogeek.com/222740/how-to-the-monitor-the-bandwidth-and-data-usage-of-individual-devices-on-your-network/).
**Deny Internet access where possible** | Advanced | If possible deny the device/ app internet access, and use it only on your local network. You can configure a firewall to block certain devices from sending or receiving from the internet.
**Assess risks** | Advanced | Assess risks with your audience and data in mind: Be mindful of whose data is being collected, e.g. kids. Manage which devices can operate when (such as turning cameras off when you are at home, or disabling the internet for certain devices at specific times of day)
@ -381,11 +396,11 @@ Note about credit cards: Credit cards have technological methods in place to det
**Apply a Credit Freeze** | Recommended | A credit freeze will prevent anyone from requesting your credit report, hence stop someone applying for a financial product in your name, or a corporation requesting your details without your consent. You will need to temporarily disable your credit freeze before getting a loan, or any other financial product. You can freeze your credit through credit the bureau's website: [Experian](https://www.experian.com/freeze/center.html), [TransUnion](https://www.transunion.com/credit-freeze) and [Equifax](https://www.freeze.equifax.com/)
**Use Virtual Cards** | Optional | Virtual card numbers let you pay for items without revealing your real card or banking details. They also offer additional features, such as single-use cards and spending limits for each card. This means you will not be charged more than you specified, or ongoing subscriptions or in the case of a data breach. [Privacy.com](https://privacy.com/join/VW7WC), [MySudo](https://mysudo.com/) and [others](/5_Privacy_Respecting_Software.md#virtual-credit-cards) offer this service
**Use Cash for Local Transactions** | Optional | Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
**Use Cryptocurrency** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. However many blockchains have a public ledger, where transaction details can be publicly viewed online. A privacy-focused currency, such as [Monero](https://www.getmonero.org) or [ZCash](https://z.cash) (see [more](/5_Privacy_Respecting_Software.md#cryptocurrencies)) will allow you to pay for goods and services without any direct link to your identity
**Store Crypto Securely** | Advanced | Generate wallet address offline, never let your private key touch the internet and preferably avoid storing it on an internet-connected device. Use a secure wallet, such as [Wasabi](https://www.wasabiwallet.io/), or a hardware wallet, like [Trezor](https://trezor.io/) or [ColdCard](https://coldcardwallet.com/). For long-term storage consider a paper wallet, or use [CryptoSteel](https://cryptosteel.com/how-it-works)
**Use Cryptocurrency for Online Transactions** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. Many blockchains have a public record, of all transaction matadata, on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as [Monero](https://www.getmonero.org) or [ZCash](https://z.cash). If you are using a widley- supported currency (such as [Tether](https://tether.to/), [BitCoin](https://bitcoin.org/), [LiteCoin](https://litecoin.com/), [Ripple](https://ripple.com/xrp/), [Etherium](https://ethereum.org/en/) etc), take steps to [distance yourself from the transaction details](https://coinsutra.com/anonymous-bitcoin-transactions/). See more [privacy-respecting crypto currencies](/5_Privacy_Respecting_Software.md#cryptocurrencies).
**Store Crypto Securely** | Advanced | Generate wallet address offline, never let your private key touch the internet and preferably avoid storing it on an internet-connected device. Use a secure wallet, such as [Wasabi](https://www.wasabiwallet.io/), or a hardware wallet, like [Trezor](https://trezor.io/) or [ColdCard](https://coldcardwallet.com/). For long-term storage consider a paper wallet, or a more robust alternative, such as [CryptoSteel](https://cryptosteel.com/how-it-works)
**Buy Crypto Anonymously** | Advanced | If you are buying a common cryptocurrency (such as BitCoin), purchasing it from an exchange with your debit/ credit card, will link directly back to your real identity. Instead use a service like [LocalBitcoins](https://localbitcoins.com), an anonymous exchange, such as [Bisq](https://bisq.network), or buy from a local BitCoin ATM ([find one here](https://coinatmradar.com)). Avoid any exchange that implements [KYC](https://en.wikipedia.org/wiki/Know_your_customer)
**Tumble/ Mix Coins** | Advanced | Before converting BitCoin back to currency, consider using a [bitcoin mixer](https://en.bitcoin.it/wiki/Mixing_service), or [CoinJoin](https://en.bitcoin.it/wiki/CoinJoin) to make your transaction harder to trace. (Some wallets, such as [Wasabi](https://www.wasabiwallet.io/) support this nativley)
**Use an Alias Details for Online Shopping** | Advanced | When you pay for goods or services online, you do not know for sure who will have access to your data. Consider using an alias name, forwarding mail address (using a service like [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) or [Anonaddy](https://anonaddy.com)), or a VOIP number
**Use an Alias Details for Online Shopping** | Advanced | When you pay for goods or services online, you do not know for sure who will have access to your data, or weather it will be stored securley. Consider using an alias name, [forwarding email address](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding)/ VOIP number, and don't reveal any of your true information. (For Amazon purchases, you can an Amazon gift card with cash, and use an Amazon Locker or local pickup location)
**Use alternate delivery address** | Advanced | When online shopping, if possible get goods delivered to an address that is not associated to you. For example, using a PO Box, forwarding address, corner-shop collection or pickup box
**Recommended Software**